Sysmon Event ID 4
4: Sysmon service state changed
This is an event from
Sysmon.
On this page
The service state change event reports the state of the Sysmon service (started or stopped).
Free Security Log Resources by Randy
- Log Name
- Source
- Logged
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- OpCode
- Description
- UtcTime
- State
- Version
- SchemaVersion
Supercharger Free Edition
Supercharger's built-in Xpath filters leave the noise behind.
Free.
Sysmon service state changed:
UtcTime: 2024-04-28 22:52:20.883
State: Stopped
Version: 15.14
SchemaVersion: 4.9
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>4</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>4</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:52:20.883759300Z" />
<EventRecordID>16761</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3220" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2014-04-28 22:52:20.883</Data>
<Data Name="State">Stopped</Data>
<Data Name="Version">15.14</Data>
<Data Name="SchemaVersion">4.90</Data>
</EventData>
</Event>
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection