Sysmon Event ID 7

Source

7: Image loaded

This is an event from Sysmon.

On this page

Description of this event
Field level details
Examples

The image loaded event logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the –l option. It indicates the process in which the module is loaded, hashes and signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a large number of events.

Free Security Log Resources by Randy

Description Fields in 7

Log Name
Source
Date
Event ID
Task Category
Level
Keywords
User
Computer
Description
UtcTime
ProcessGuid
ProcessId
Image
ImageLoaded
FileVersion
Description
Product
Company
Hashes
Signed
Signature
SignatureStatus

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

Examples of 7

Image loaded:
UtcTime: 2017-04-28 22:45:16.662
ProcessGuid: {a23eae89-c5fa-5903-0000-0010bf439000}
ProcessId: 12536
Image: C:\Windows\System32\notepad.exe
ImageLoaded: C:\Windows\System32\ole32.dll
Hashes: SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:45:16.663226600Z" />
<EventRecordID>16636</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
<Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
<Data Name="ProcessId">12536</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\ole32.dll</Data>
<Data Name="Hashes">SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 7

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

October 2025 Patch Tuesday	"Patch Tuesday - 172 Updates Today and 6 Zero-Days! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.