Troubleshooting – Monitor File Access with SysMon

I want to monitor what files are created, deleted, etc. on a local drive for troubleshooting. Sysmon by SysInternals should be able to do it. So let’s give it a go.

Config

First we need a config file. This one monitors file create/delete. There are loads more options to choose from.

<Sysmon schemaversion="4.82">
  <!-- Capture all hashes -->
  <HashAlgorithms>*</HashAlgorithms>
  <EventFiltering>
    <!-- Exclude rules with no conditions: every DriverLoad and ProcessTerminate event is logged -->
    <DriverLoad onmatch="exclude"/>
    <ProcessTerminate onmatch="exclude" />
    <!-- File Monitoring -->
    <!-- FileCreate (event ID 11): logged only when the creating process image is under one of these paths -->
    <FileCreate onmatch="include">
        <Image condition="contains all">C:\Windows\System32</Image>
        <Image condition="contains all">C:\Program Files</Image>
        <Image condition="contains all">C:\ProgramData</Image>
    </FileCreate>
    <!-- FileDeleteDetected (event ID 26): logged for every process except those whose image is under these paths -->
    <FileDeleteDetected onmatch="exclude">
        <Image condition="contains all">C:\Windows\System32</Image>
        <Image condition="contains all">C:\Program Files</Image>
        <Image condition="contains all">C:\ProgramData</Image>
    </FileDeleteDetected>
  </EventFiltering>
</Sysmon>

Install

Let’s install this sucker.

sysmon64 -i config.xml -accepteula

Test

I wanna see what the impact on the system is with Sysmon. So we run this PowerShell script before and after setting up Sysmon to see if the execution time changes:

$testPath = "C:\ProgramData\sysmon_test"
$start = Get-Date

# Test directory (the error is ignored if it already exists)
New-Item -Type Directory -Path $testPath -ErrorAction SilentlyContinue

# Create 5000 small files, each containing the MD5 hash of its own index
for($i=1; $i -le 5000; $i++){
    $hash = (Get-FileHash -Algorithm MD5 -InputStream ([IO.MemoryStream]::new([Text.Encoding]::UTF8.GetBytes("$i")))).Hash
    Set-Content -Path "$testPath\$i.txt" -Value "$hash"
}

$createEnd = Get-Date

# Delete the files again, one by one
Get-ChildItem -Path $testPath | % {
    $_ | Remove-Item
}

$deleteEnd = Get-Date

Write-Host "Creation Time: $((New-TimeSpan -Start $start -End $createEnd).TotalMilliseconds)ms"
Write-Host "Deletion Time: $((New-TimeSpan -Start $createEnd -End $deleteEnd).TotalMilliseconds)ms"

This gives me the following output before installation. I ran it a few times just to see what the mean time is. It seems to be around 15s for creation, and 4.5-5.5s for deletion.

PS > .\test.ps1
Creation Time: 15471.711ms
Deletion Time: 4825.9114ms
PS > .\test.ps1
Creation Time: 14303.6011ms
Deletion Time: 5553.9302ms
PS > .\test.ps1
Creation Time: 15097.3149ms
Deletion Time: 5093.7729ms

After installing sysmon it looks like this:

PS > .\test.ps1
Creation Time: 16780.5627ms
Deletion Time: 6666.9271ms
PS > .\test.ps1
Creation Time: 16084.4533ms
Deletion Time: 6127.315ms
PS > .\test.ps1
Creation Time: 16033.5373ms
Deletion Time: 6952.0175ms

Conclusion

There seems to be a performance impact. 5000 creates/deletes will cost you about 1-2 seconds more of your time, which isn't bad.

Viewing Logs

Look here in your Event Logs: Applications and Services Logs/Microsoft/Windows/Sysmon/Operational
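To check what the config above actually captured during the test run, here is an added example (not from the original post) that pulls the Sysmon file events for the test directory out of that log and counts them per event type and process image. Sysmon logs FileCreate as event ID 11 and FileDeleteDetected as event ID 26; the 30-minute window and the $testPath value are assumptions.

```powershell
# Added example: summarise Sysmon file events for the test directory.
# Assumptions: the test ran within the last 30 minutes, under the same $testPath as above.
$testPath = "C:\ProgramData\sysmon_test"
$since    = (Get-Date).AddMinutes(-30)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 11, 26          # 11 = FileCreate, 26 = FileDeleteDetected
    StartTime = $since
}

# Pull Image and TargetFilename out of each event's EventData XML
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Kind   = if ($_.Id -eq 11) { 'FileCreate' } else { 'FileDeleteDetected' }
        Image  = $data['Image']
        Target = $data['TargetFilename']
    }
} | Where-Object { $_.Target -like "$testPath\*" }

# With the config above, creates are only logged for images under the three include paths,
# while deletes are logged for every image except those; this table makes that visible.
$events | Group-Object Kind, Image | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Total test-directory events in window: $($events.Count)"
```

If the delete count is zero, remember that powershell.exe lives under C:\Windows\System32 and is therefore excluded by the FileDeleteDetected rule in this config.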

Uninstall

This is easy:

sysmon64 -u
