Sysmon Event ID 16

Source

16: Sysmon config state changed

This is an event from Sysmon.

On this page

Description of this event
Field level details
Examples

Sysmon config state changed. This event may or may not include a hash. A hash will depend on whether Sysmon was called with a configuration XML file or if it was just used via configuration settings on the command line. If a configuration XML was specified then the hash of the file will be logged so that you can detect if anyone reconfigures Sysmon with an unauthorized configuration file which will produce a different hash.

Free Security Log Resources by Randy

Description Fields in 16

Log Name
Source
Date
Event ID
Task Category
Level
Keywords
User
Computer
Description
UtcTime
Configuration
ConfigurationFileHash

Setup PowerShell Audit Log Forwarding in 4 Minutes

Examples of 16

Sysmon config state changed:
UtcTime: 2017-04-28 21:24:31.661
Configuration: sysmon64 -i -h sha256 -l -n
ConfigurationFileHash:

Event XML: (without configuration XML; config specified via cmd line)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>16</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>16</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T21:24:31.661858200Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="32420" ThreadID="24524" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-21-311908031-1195731464-1505490484-1605" />
</System>
<EventData>
<Data Name="UtcTime">2017-04-28 21:24:31.661</Data>
<Data Name="Configuration">sysmon64 -i -h sha256 -l -n</Data>
<Data Name="ConfigurationFileHash">
</Data>
</EventData>
</Event>

Event XML: (with user specified configuration XML)

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>16</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>16</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T21:24:31.661858200Z" />
<EventRecordID>1</EventRecordID>
<Correlation />
<Execution ProcessID="32420" ThreadID="24524" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-21-311908031-1195731464-1505490484-1605" />
</System>
<EventData>
<Data Name="UtcTime">2017-04-28 21:24:31.661</Data>
<Data Name="Configuration">config.xml</Data>
<Data Name="ConfigurationFileHash">SHA1=MM93VR46DP26CC35JZ5AD4AI29DP9JL99JM43JF9</Data>
</EventData>
</Event>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 16

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

July 2024 Patch Tuesday	"Patch Tuesday - Four Zero Days " - sponsored by Supercharger for Windows Event Collection

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.