Sysmon Archives

Winsage

June 8, 2026

Meet the hidden Windows 11 tool that reveals what Task Manager misses

Microsoft has integrated Sysmon into Windows 11 through a system update, allowing it to operate in the background and log activities in the Windows Event Log. Indicators of suspicious processes include the absence of icons or descriptions, incorrect parent processes, spelling errors in names, unsigned executable files, packed executables, suspicious DLLs or services, open TCP/IP endpoints, and unusual URLs or character strings. To install Sysmon, users must access the Control Panel, enable Sysmon, and restart their PC. Activation requires running a command in the Command Prompt. Sysmon logs can be viewed in the Event Viewer under Microsoft > Windows > Sysmon > Operational. Users can filter events using an XML configuration file. After analysis, suspicious processes should be scanned with antivirus software, and files can be uploaded to VirusTotal for further examination. Sysmon continuously logs events, while Process Monitor captures snapshots of running processes, and both tools are available for free from Microsoft.

Winsage

May 11, 2026

Rustinel: Open-source endpoint detection for Windows and Linux

Open-source endpoint detection tools have typically been divided between Windows and Linux, with Windows solutions focused on Sysmon and Linux solutions on eBPF or auditd. Rustinel is a Rust-based endpoint agent that consolidates these efforts by gathering telemetry from both operating systems using ETW on Windows and eBPF on Linux, normalizing the data into a unified model. It evaluates the information against Sigma rules, YARA signatures, and atomic indicators of compromise, storing alerts in ECS-compatible NDJSON format for integration with SIEM or log-analysis platforms. Rustinel supports a range of events on Windows, including process creation, network activity, and PowerShell executions, while Linux support currently includes process, network, file, and DNS telemetry. It operates in user mode on both platforms, requiring specific conditions for installation. Unlike commercial EDR solutions that use kernel drivers, Rustinel's user-mode design prioritizes simplicity and stability, although it acknowledges limitations in tamper resistance and visibility. The agent utilizes three detection engines: Sigma for behavioral matching, YARA for scanning executables, and an IOC engine for deterministic checks. While it leverages existing content familiar to defenders, it has coverage gaps for certain advanced threats. Rustinel is available on GitHub under the Apache 2.0 license.

Winsage

May 8, 2026

Microsoft CTO confesses that 30-year-old code from the mid-90s still forms the bedrock of Windows 11 — ancient Win32 API still the backbone, but CTO says it’s ‘more relevant than ever in 2026’

Mark Russinovich, the Chief Technical Officer of Microsoft Azure, revealed that Windows 11 relies on a significant amount of legacy code from the 1990s, particularly the Win32 framework. He acknowledged the challenges posed by this legacy software while noting its continued relevance as we approach 2026. Russinovich reflected on past attempts to update the Windows API, such as WinRT, which did not meet expectations. He also highlighted that Win32 has been crucial in developing tools like Sysmon and ZoomIt, created in 1996, which remain relevant in the context of Windows 11 and PowerToys.

Winsage

May 7, 2026

Windows 11 still runs on code from the 1990s, Microsoft admits

Windows 11 relies on the Win32 API, a legacy system dating back to Windows 95, for core functionalities like right-clicking and launching applications. Microsoft’s Chief Technology Officer, Mark Russinovich, noted that the continued relevance of Win32 was unexpected, as few anticipated it would still be a primary interface in 2026. Despite attempts to modernize the Windows API with initiatives like WinRT, Win32 remains integral to many Windows operations. The separation between Win32 applications and web technologies has complicated the transition to a new API framework. Additionally, tools from Microsoft's past, such as Sysinternals, Sysmon, and ZoomIt, continue to play important roles in Windows management.

Winsage

May 7, 2026

Microsoft admits Windows 11 is still built on 90s-era Win32, and no one saw it coming

Users engage with the Win32 API when right-clicking files or launching desktop applications in Windows 11, a technology that has persisted since Windows 95. Microsoft’s Chief Technology Officer, Mark Russinovich, noted that the longevity of Win32 was unexpected, as it was not part of the company's original vision for the future. Despite attempts to replace Win32 over the past two decades, many users still have more Win32 applications than modern alternatives. Microsoft has introduced several frameworks to replace Win32, including MFC, WinForms, WPF, WinRT, and UWP, but none have fully succeeded. Developers have shown a preference for RAM-intensive web applications over native ones due to concerns about the stability of Microsoft's frameworks. Microsoft has introduced WebView2 to embed web technologies in desktop applications, leading to increased memory usage. In response to user needs, Microsoft is shifting back to native applications with WinUI 3, aiming to modernize Windows 11 while retaining access to Win32 infrastructure. The company is gradually replacing legacy Win32 UI elements with WinUI 3 components, improving performance and user experience.

Winsage

March 29, 2026

Microsoft quietly shipped 9 meaningful Windows 11 improvements this year, and they actually make the OS feel more polished

Microsoft has released a series of quality updates for Windows 11 in the first quarter of 2026, introducing several new features: - Cross-device resume allows users to resume Android apps directly on Windows 11 via the Taskbar. - Windows MIDI Services now support MIDI 0 and 2.0, including WinMM and WinRT MIDI 1.0 support. - Windows Hello Enhanced Sign-in Security now supports external fingerprint readers. - A new "Device info" card in the Settings app displays key hardware specifications. - Quick Machine Recovery is now enabled by default for Windows 11 Pro. - A new network speed test feature can be accessed via the Taskbar. - Camera settings enhancements allow management of pan and tilt controls. - Sysmon is now a native feature in Windows 11, providing advanced monitoring capabilities. - Windows 11 supports WebP images as wallpapers.

Winsage

March 12, 2026

Windows 11 KB5079473 & KB5078883 cumulative updates released

Microsoft has released cumulative updates KB5079473 and KB5078883 for Windows 11 versions 25H2, 24H2, and 23H2 as part of the March 2026 Patch Tuesday. These updates address security vulnerabilities, fix bugs, and introduce new features. Users can install the updates via Start > Settings > Windows Update or manually from the Microsoft Update Catalog. The build numbers will change to 26200.8037 for 25H2, 26100.8037 for 24H2, and 22631.6783 for 23H2. Key enhancements include improved device targeting data for Secure Boot certificates, better reliability in File Explorer searches, and various new features such as a curated selection of emojis, a new backup and restore experience, automatic activation of Quick Machine Recovery, a built-in network speed test on the taskbar, and the ability to set WebP images as desktop backgrounds. Additionally, improvements have been made to the Windows Update settings page and the reliability of waking from sleep. No new issues have been reported with this month's updates.

Winsage

March 11, 2026

I tested Windows 11 March 2026 Updates: Everything new, improved, and fixed

Microsoft has rolled out the March 2026 Patch Tuesday update for Windows 11 (KB5079473, Build 26200.8037) and Windows 10, focusing on enhancements and functional upgrades. The update applies to Windows 11 versions 25H2 and 24H2, introducing new features, security enhancements, system fixes, and reliability improvements. Key features include: - Support for Emoji 16.0, allowing users to insert new emojis through the Emoji panel. - Windows Backup restore adapted for organizational use, enabling restoration of user settings and applications during sign-in. - Quick Machine Recovery (QMR) enabled by default on more Windows 11 Pro PCs. - A Bing-powered Internet speed test tool accessible from the taskbar. - Sysmon included as a native component for system activity monitoring. - Support for WebP images as desktop wallpapers. - Remote Server Administration Tools (RSAT) supported on Windows 11 Arm64 devices. - Minor enhancements in Accounts and Camera settings. The update also includes reliability and stability improvements, such as enhanced responsiveness of the Windows Update settings page, improved sign-in screen reliability, and better performance for the Windows printing service. It lays groundwork for Secure Boot certificate updates and addresses BitLocker reliability issues. Additionally, internal AI components have been updated, and a servicing stack update (SSU) has been released to enhance Windows Update infrastructure reliability. Microsoft is also expanding the updated Start menu and battery icons to more devices and warns users about the importance of updating Secure Boot certificates before their expiration in June 2026.

Winsage

March 11, 2026

Microsoft Releases March 2026 Patch Tuesday Updates

Microsoft has released the March 2026 Patch Tuesday update, KB5079473, for all supported versions of Windows 11 (25H2 and 24H2). Key changes include: - A Network Speed Test Tool in the Taskbar for measuring Ethernet, Wi-Fi, and cellular performance. - New pan and tilt options for supported cameras in the Settings menu. - Built-in System Monitor (Sysmon) available as an optional feature; users should uninstall previous versions before enabling it. - Remote Server Administration Tools (RSAT) support for Windows 11 Arm64 devices. - Quick Machine Recovery tool enabled for Windows Professional devices not domain-joined or enrolled in enterprise management. - Ability to use .webp image files for desktop backgrounds. - Introduction of new emojis from Emoji 16.0, including a face with bags under the eyes and a fingerprint. - BitLocker improvements for device responsiveness after entering a recovery key. - Enhanced reliability of search functions in File Explorer. Additionally, Microsoft is publishing patch notes for the upcoming version 26H1, which is currently available to Windows Insiders on the Canary Channel but not yet public. The KB5079466 patch for version 26H1 includes features already seen in earlier Windows 11 versions.

Winsage

March 6, 2026

Windows 11’s March 2026 update is packing 9 new upgrades you’ll actually notice

On March 10, 2026, Microsoft will release a Patch Tuesday update for Windows 11, introducing several new features and enhancements. Key updates include a network speed test feature accessible from the Taskbar, updated camera controls for pan and tilt settings, a new settings page for Widgets, support for WebP images as wallpapers, Quick Machine Recovery for Windows 11 Pro, refreshed dialogs in the Settings app, and changes in File Explorer allowing "Extract All" for non-ZIP archives. Additional updates include the introduction of Emoji version 16, a magnifier icon in Task Manager for the Windows Search process, and expanded RSAT support for ARM64 devices. Users are advised to be cautious during installation due to potential errors.