Sysmon Event ID 11


11: FileCreate

This is an event from Sysmon.


File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
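As an added example (not from the Ultimate Windows Security page, and not Sysmon's own code), the following Python parses Event ID 11 records like the one shown on this page and flags file creations in the locations the description names: Startup folders, temp directories and the Downloads folder. The location patterns, the executable-extension list and the sample records are assumptions constructed for illustration; the first sample mirrors the page's own event, and the parser matches tags by local name so it accepts both the page's empty xmlns and the real Windows event namespace.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Watched locations (assumed patterns, not from the page): case-insensitive
# regexes over TargetFilename. Extend them for your own environment.
WATCHED_LOCATIONS = {
    "startup_folder": re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    "temp_dir": re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I),
    "downloads_dir": re.compile(r"\\Downloads\\", re.I),
}
# Extensions that run as code when launched from such a location (assumed list).
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta", ".bat", ".cmd")


@dataclass
class FileCreate:
    """The Sysmon-specific fields the page lists for Event ID 11."""
    utc_time: str
    process_guid: str
    process_id: int
    image: str
    target_filename: str
    creation_utc_time: str


def parse_event(xml_text: str) -> Optional[FileCreate]:
    """Parse one Event XML record; return None unless it is a FileCreate.
    Tags are matched by local name, so the page's empty xmlns and the real
    Windows event namespace parse identically."""
    fields: Dict[str, str] = {}
    event_id: Optional[int] = None
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]
        if local == "EventID":
            event_id = int((el.text or "0").strip())
        elif local == "Data" and el.get("Name"):
            fields[el.get("Name")] = (el.text or "").strip()
    # A record with no EventID element (like the page's fragment) is assumed to
    # come from a feed already filtered to Event ID 11.
    if event_id not in (None, 11) or "TargetFilename" not in fields:
        return None
    return FileCreate(
        utc_time=fields.get("UtcTime", ""),
        process_guid=fields.get("ProcessGuid", ""),
        process_id=int(fields.get("ProcessId", "0")),
        image=fields.get("Image", ""),
        target_filename=fields["TargetFilename"],
        creation_utc_time=fields.get("CreationUtcTime", ""),
    )


def classify(ev: FileCreate) -> List[str]:
    """Reasons this creation deserves a look; empty means no watched location."""
    reasons = [name for name, pat in WATCHED_LOCATIONS.items()
               if pat.search(ev.target_filename)]
    if reasons and ev.target_filename.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("executable_extension")
    return reasons


def triage(records: List[str]) -> Dict[str, List[str]]:
    """Map each flagged TargetFilename to its reasons; quiet records are dropped."""
    flagged: Dict[str, List[str]] = {}
    for xml_text in records:
        ev = parse_event(xml_text)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            flagged[ev.target_filename] = reasons
    return flagged


# Constructed sample records. PAGE_EVENT mirrors the page's own example (benign
# .NET native-image compilation); the other two are made-up drops.
PAGE_EVENT = r"""<Event xmlns=""><System><Provider Name="Microsoft-Windows-Sysmon" /></System>
<EventData><Data Name="UtcTime">2017-05-13 19:44:55.313</Data>
<Data Name="ProcessGuid">{A23EAE89-6237-5917-0000-0010300E6601}</Data>
<Data Name="ProcessId">19200</Data>
<Data Name="Image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Data>
<Data Name="TargetFilename">C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe</Data>
<Data Name="CreationUtcTime">2017-05-13 19:44:55.313</Data></EventData></Event>"""
STARTUP_DROP = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>11</EventID></System><EventData>
<Data Name="ProcessId">4242</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.vbs</Data>
</EventData></Event>"""
DOWNLOAD_DROP = r"""<Event xmlns=""><System><EventID>11</EventID></System><EventData>
<Data Name="ProcessId">3131</Data>
<Data Name="Image">C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</Data>
<Data Name="TargetFilename">C:\Users\alice\Downloads\setup.exe</Data>
</EventData></Event>"""
SAMPLE_RECORDS = [PAGE_EVENT, STARTUP_DROP, DOWNLOAD_DROP]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS).items():
        print(f"{path}: {', '.join(reasons)}")
```

Note that the page's own event is not flagged: mscorsvw.exe writing under Windows\assembly\...\Temp is routine .NET native-image work, and that path does not match the temp-directory pattern. A rule set like this is only as good as its path list, so tune it against a baseline of your own Event ID 11 volume before alerting on it.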


Description Fields in 11

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • TargetFilename
  • CreationUtcTime




Examples of 11

File created:
UtcTime: 2017-05-13 19:44:55.313
ProcessGuid: {a23eae89-6237-5917-0000-0010300e6601}
ProcessId: 19200
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe
CreationUtcTime: 2017-05-13 19:44:55.313


Event XML:
 <Event xmlns="">
   <System>
     <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
     <TimeCreated SystemTime="2017-05-13T19:44:55.314125100Z" />
     <Correlation />
     <Execution ProcessID="2848" ThreadID="3520" />
     <Security UserID="S-1-5-18" />
   </System>
   <EventData>
     <Data Name="UtcTime">2017-05-13 19:44:55.313</Data>
     <Data Name="ProcessGuid">{A23EAE89-6237-5917-0000-0010300E6601}</Data>
     <Data Name="ProcessId">19200</Data>
     <Data Name="Image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Data>
     <Data Name="TargetFilename">C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe</Data>
     <Data Name="CreationUtcTime">2017-05-13 19:44:55.313</Data>
   </EventData>
 </Event>

