Sysmon Event ID 11

Source

11: FileCreate

This is an event from Sysmon.

On this page

Description of this event
Field level details
Examples

File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.

Free Security Log Resources by Randy

Description Fields in 11

Log Name
Source
Date
Event ID
Task Category
Level
Keywords
User
Computer
Description
UtcTime
ProcessGuid
ProcessId
Image
TargetFilename
CreationUtcTime

Supercharger Enterprise

Load Balancing for Windows Event Collection

Examples of 11

File created:
UtcTime: 2017-05-13 19:44:55.313
ProcessGuid: {a23eae89-6237-5917-0000-0010300e6601}
ProcessId: 19200
Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe CreationUtcTime: 2017-05-13 19:44:55.313

Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>11</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>11</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-05-13T19:44:55.314125100Z" />
<EventRecordID>734181</EventRecordID>
<Correlation />
<Execution ProcessID="2848" ThreadID="3520" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-05-13 19:44:55.313</Data>
<Data Name="ProcessGuid">{A23EAE89-6237-5917-0000-0010300E6601}</Data>
<Data Name="ProcessId">19200</Data>
<Data Name="Image">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe</Data>
<Data Name="TargetFilename">C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\4b00-0\AxImp.exe</Data>
<Data Name="CreationUtcTime">2017-05-13 19:44:55.313</Data>
</EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 11

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

March 2025 Patch Tuesday	"Patch Tuesday - Eight Zero Days " - sponsored by Supercharger

Home

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.