Microsoft actually does something useful, adds Sysmon to Windows
(2026/02/04)
- Reference: 1770212008
- News link: https://www.theregister.co.uk/2026/02/04/microsoft_adds_sysmon_to_windows/
- Source link:
There is good news for administrators: Microsoft has delivered on its promise to build Sysmon functionality into Windows.
The [1]functionality arrived in the Dev and Beta Windows Insider channels this week in builds 26300.7733 and 26220.7752, respectively. It allows administrators to capture system events via custom configuration files, filter for specific events, and write them to the standard Windows event log for pickup by third-party applications, including security tools.
Sysmon, part of the Sysinternals toolset, has long been useful for monitoring Windows' internals. Mark Russinovich, Microsoft technical fellow and co-founder of Winternals, from whence Sysinternals (and Sysmon) sprang, [3]said: "It helps in detecting credential theft, uncovering stealthy lateral movement, and powering forensic investigations.
"Its granular diagnostic data feeds security information and event management (SIEM) pipelines and enables defenders to spot advanced attacks."
But deployment has been painful for administrators managing potentially thousands of endpoints across an enterprise, all of which need to be maintained. Russinovich noted "a lack of official customer support for Sysmon in production environments."
Having it built in (though disabled by default) is therefore welcome, a respite from Microsoft's relentless AI integrations across its portfolio.
Enabling it requires some work with PowerShell, which shouldn't trouble Sysmon-savvy users. Microsoft notes that any existing Sysmon installation must be uninstalled before the built-in version can be enabled.
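A defender's pre-flight check for that uninstall requirement, followed by a quick summary of what the log is actually collecting (an added example, not code from The Register or from Microsoft's Sysmon feature). It assumes the Sysinternals installer's default service names (Sysmon, Sysmon64, SysmonDrv) and that the built-in version writes to the same Microsoft-Windows-Sysmon/Operational channel the standalone tool uses; both are assumptions, and a renamed Sysmon service will not be caught by the name check.

```powershell
# Added example; not from The Register or Microsoft. Assumes the native feature
# logs to the same channel as the Sysinternals tool (adjust $LogName if it does not).
$LogName = 'Microsoft-Windows-Sysmon/Operational'

# Sysmon event IDs are stable across versions; this subset keeps the summary readable.
$EventNames = @{
    1 = 'ProcessCreate'; 3 = 'NetworkConnect'; 7 = 'ImageLoad'; 10 = 'ProcessAccess'
    11 = 'FileCreate';   13 = 'RegistryValueSet'; 22 = 'DnsQuery'
}

function Test-LegacySysmon {
    # The Sysinternals installer registers a user-mode service (Sysmon or Sysmon64)
    # and a driver service (SysmonDrv by default). The service registry keys are
    # checked directly because Get-Service does not list kernel driver services.
    # Assumption: default names; a deployment that renamed the service escapes this check.
    $names = 'Sysmon', 'Sysmon64', 'SysmonDrv'
    foreach ($n in $names) {
        if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$n") { return $true }
    }
    return $false
}

function Get-SysmonEventSummary {
    param([int]$Hours = 24)
    # Count events per ID so the filters in the config file can be sanity-checked:
    # an ID that never appears usually means the rule excluded everything.
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
        -ErrorAction SilentlyContinue
    if (-not $events) { return @() }
    $events | Group-Object -Property Id | Sort-Object -Property Count -Descending |
        ForEach-Object {
            $id = [int]$_.Name
            [pscustomobject]@{
                EventId = $id
                Name    = if ($EventNames.ContainsKey($id)) { $EventNames[$id] } else { 'Other' }
                Count   = $_.Count
            }
        }
}

if (Test-LegacySysmon) {
    Write-Warning 'Sysinternals Sysmon service found; uninstall it (sysmon -u) before enabling the built-in version.'
} else {
    Get-SysmonEventSummary -Hours 24 | Format-Table -AutoSize
}
```

Run it in an elevated session; reading the Sysmon channel requires administrator rights on a default install.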
After a month of patches that [11]Microsoft would rather forget, Sysmon's arrival is a genuinely positive update.
Rather than [12]adding font effects to Notepad and more AI, or turning Paint into a Photoshop knockoff, Microsoft is delivering a tool that actually makes administrators' lives easier - perhaps a sign it's taking user needs more seriously than shareholder demands.
Who are we kidding? ®
[1] https://blogs.windows.com/windows-insider/2026/02/03/announcing-windows-11-insider-preview-build-26300-7733-dev-channel/
[2] https://www.theregister.com/2026/02/02/microsoft_ai_spend_copilot/
[3] https://techcommunity.microsoft.com/blog/Windows-ITPro-blog/native-sysmon-functionality-coming-to-windows/4468112
[7] https://www.theregister.com/2026/01/28/google_windows_admin_exploit/
[8] https://www.theregister.com/2025/12/23/windows_is_testing_new_run_dialog_box/
[9] https://www.theregister.com/2026/01/12/microsoft_deployment_platform/
[10] https://www.theregister.com/2025/10/31/microsoft_has_managed_to_break/
[11] https://www.theregister.com/2026/02/02/microsoft_quality_control/
[12] https://www.theregister.com/2026/01/22/microsoft_notepad_update/
[13] https://whitepapers.theregister.com/
Another thing MS should have done earlier...
With Server 2025 and Windows 11 24h2/25h2 FINALLY native NVMe... Notable speedup on all machines I've activated it on so far. Why didn't they do this with the release version of Windows 11? **sigh** [1]Microsoft Server 2025 announcement. [2]Various Windows 11 news on that ...
In short: "NVMe native instead of scsi activate Windows 11.cmd"
:: For 25h2
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides /v 735209102 /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides /v 1853569164 /t REG_DWORD /d 1 /f
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides /v 156965516 /t REG_DWORD /d 1 /f
:: For 24h2 and Server 2025
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides /v 1176759950 /t REG_DWORD /d 1 /f
:: To have them active in safe boot:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{75416E63-5912-4DFA-AE8F-3EFACCAFFB14}" /ve /d "Storage Disks" /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{75416E63-5912-4DFA-AE8F-3EFACCAFFB14}" /ve /d "Storage Disks" /f
Test your backup and restore after that. Backup recommended before doing that change.
[1] https://techcommunity.microsoft.com/blog/windowsservernewsandbestpractices/announcing-native-nvme-in-windows-server-2025-ushering-in-a-new-era-of-storage-p/4477353
[2] https://duckduckgo.com/?ia=web&origin=funnel_home_website&t=h_&q=NVME+native+Windows+11&chip-select=search