Sysmon is an official Microsoft (Sysinternals) tool for monitoring system activity. With it, you can keep a detailed record of system events such as process creation, network connections, file creation and deletion, and more.
The program is installed from the command line. To install it, open CMD.exe as an administrator in the folder where you extracted the program, then run the command sysmon -i.
From there, open the Windows Event Viewer and go to Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. There you can see all the events recorded on the system. The events the program can record, listed by event ID, are as follows:
1 ProcessCreate - Process created
2 FileCreateTime - File creation time changed
3 NetworkConnect - Network connection detected
4 Sysmon service state changed (cannot be filtered)
5 ProcessTerminate - Process terminated
6 DriverLoad - Driver loaded
7 ImageLoad - Image (DLL/executable) loaded
8 CreateRemoteThread - CreateRemoteThread detected
9 RawAccessRead - RawAccessRead detected
10 ProcessAccess - Process accessed
11 FileCreate - File created
12 RegistryEvent - Registry object added or deleted
13 RegistryEvent - Registry value set
14 RegistryEvent - Registry object renamed
15 FileCreateStreamHash - File stream created
16 Sysmon configuration changed (cannot be filtered)
17 PipeEvent - Named pipe created
18 PipeEvent - Named pipe connected
19 WmiEvent - WMI filter
20 WmiEvent - WMI consumer
21 WmiEvent - WMI consumer-to-filter binding
22 DNSQuery - DNS query
23 FileDelete - File deleted (and archived)
24 ClipboardChange - New content added to the clipboard
25 ProcessTampering - Process image changed
26 FileDeleteDetected - File deletion logged (not archived)
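Instead of scrolling through Event Viewer, the same Operational log can be queried from PowerShell. The following is an added example (not code from the page or from Sysinternals); it assumes Sysmon is installed and the shell is running elevated so the log is readable.

```powershell
# Added example: pull Sysmon events of one ID from the Operational log the
# text points to and turn each event's EventData fields into an object.
function Get-SysmonEvent {
    param(
        [int]$EventId = 1,      # 1 = ProcessCreate, 3 = NetworkConnect, 22 = DNSQuery ...
        [int]$MaxEvents = 500
    )
    $filter = @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'
        Id      = $EventId
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # The named EventData fields (Image, CommandLine, ParentImage, ...)
            # are easiest to reach through the event's XML representation.
            $xml  = [xml]$_.ToXml()
            $data = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
            foreach ($d in $xml.Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]$data
        }
}

# Usage: which parent processes spawned the most children recently?
# A script host or Office binary near the top is worth a closer look.
Get-SysmonEvent -EventId 1 -MaxEvents 1000 |
    Group-Object ParentImage |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Swap the event ID to 3 or 22 and group on DestinationIp or QueryName to get the same kind of summary for network connections or DNS queries.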