Sysmon Event ID 7
7: Image loaded
This is an event from Sysmon.
On this page
The Image loaded event logs when a module (a DLL or other executable image) is loaded into a specific process. This event is disabled by default and must be enabled with the -l command-line option (optionally followed by a comma-separated list of process names to restrict it) or with an ImageLoad rule in a configuration file. It records the process that loaded the module, the hashes of the module file and its code-signing information. The signature check runs asynchronously for performance reasons, so the Signed, Signature and SignatureStatus fields are filled in after the load has already happened; the check also indicates whether the file was removed after loading. Configure this event carefully: monitoring all image loads generates a very large number of events, so filter to the modules you actually care about (for example unsigned modules, or modules loaded from user-writable paths).
- Log Name
- Source
- Date
- Event ID
- Task Category
- Level
- Keywords
- User
- Computer
- Description
- UtcTime
- ProcessGuid
- ProcessId
- Image
- ImageLoaded
- FileVersion
- Description
- Product
- Company
- Hashes
- Signed
- Signature
- SignatureStatus
Image loaded:
UtcTime: 2017-04-28 22:45:16.662
ProcessGuid: {a23eae89-c5fa-5903-0000-0010bf439000}
ProcessId: 12536
Image: C:\Windows\System32\notepad.exe
ImageLoaded: C:\Windows\System32\ole32.dll
Hashes: SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
Event XML:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2017-04-28T22:45:16.663226600Z" />
<EventRecordID>16636</EventRecordID>
<Correlation />
<Execution ProcessID="3216" ThreadID="3964" />
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>rfsH.lab.local</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
<Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
<Data Name="ProcessId">12536</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\ole32.dll</Data>
<Data Name="Hashes">SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData>
</Event>
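As an added example, not from this page and not Sysmon's own code: a Python script that parses Event ID 7 records in the Event XML shape shown above, flattens the EventData fields, splits the Hashes field (which carries one or more ALGO=value pairs depending on the -h option) and applies a few triage heuristics of my own to separate the bulk of benign system DLL loads from loads worth a look. The first record is the page's notepad/ole32 event; the second is constructed, with placeholder hashes and host name, to exercise the checks. The user-writable directory list and the module extension list are assumptions, not Sysmon rules.

```python
"""Triage Sysmon Event ID 7 (Image loaded) records exported as Event XML.

Added example, not Sysmon's own code nor code from this page. The triage
heuristics (user-writable paths, unusual extensions, signature state) are
assumed starting points, not an exhaustive or official rule set.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Directories a standard user can write to; a module loaded from one of these
# is the classic sign of side-loading or a dropped payload. Assumed list.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Extensions a legitimately loaded image normally has. Assumed list.
MODULE_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl")

# The benign record from this page (System block trimmed to what we read).
BENIGN_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon" /><EventID>7</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>rfsH.lab.local</Computer></System>
<EventData>
<Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
<Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
<Data Name="ProcessId">12536</Data>
<Data Name="Image">C:\Windows\System32\notepad.exe</Data>
<Data Name="ImageLoaded">C:\Windows\System32\ole32.dll</Data>
<Data Name="Hashes">SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B</Data>
<Data Name="Signed">true</Data>
<Data Name="Signature">Microsoft Windows</Data>
<Data Name="SignatureStatus">Valid</Data>
</EventData></Event>"""

# Constructed record (placeholder hashes, not from a real host): an unsigned
# module with a non-DLL extension loaded out of a user's Temp directory.
SUSPICIOUS_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon" /><EventID>7</EventID>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ws01.lab.local</Computer></System>
<EventData>
<Data Name="UtcTime">2017-04-28 22:51:03.118</Data>
<Data Name="ProcessGuid">{A23EAE89-C73F-5903-0000-001044F39000}</Data>
<Data Name="ProcessId">4412</Data>
<Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="ImageLoaded">C:\Users\alice\AppData\Local\Temp\report.txt</Data>
<Data Name="Hashes">SHA1=1111111111111111111111111111111111111111,MD5=22222222222222222222222222222222,SHA256=3333333333333333333333333333333333333333333333333333333333333333,IMPHASH=44444444444444444444444444444444</Data>
<Data Name="Signed">false</Data>
<Data Name="Signature"></Data>
<Data Name="SignatureStatus">Unavailable</Data>
</EventData></Event>"""


def parse_event(xml_text):
    """Flatten one Event XML record into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    record = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        record[data.get("Name")] = (data.text or "").strip()
    return record


def parse_hashes(field):
    """'SHA1=..,MD5=..' (the form Sysmon writes) -> {'SHA1': '..', 'MD5': '..'}."""
    pairs = (part.split("=", 1) for part in field.split(",") if "=" in part)
    return {algo.strip().upper(): value.strip().upper() for algo, value in pairs}


def triage(record):
    """Return the reasons an image load deserves review; an empty list means benign."""
    if record.get("EventID") != 7:
        return ["not an Event ID 7 record"]
    reasons = []
    loaded = record.get("ImageLoaded", "").lower()
    if loaded.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("module loaded from a user-writable directory")
    if not loaded.endswith(MODULE_EXTENSIONS):
        # LoadLibrary does not care about the extension; droppers rely on that.
        reasons.append("module has an unusual extension")
    if record.get("Signed", "").lower() != "true":
        reasons.append("module is unsigned")
    elif record.get("SignatureStatus") != "Valid":
        # Signed, but Sysmon could not validate the chain (expired, revoked, untrusted root...).
        reasons.append("signature present but status is %s" % record.get("SignatureStatus"))
    return reasons


def triage_events(xml_records):
    """Parse each record and keep only the loads that have at least one reason."""
    hits = []
    for xml_text in xml_records:
        record = parse_event(xml_text)
        reasons = triage(record)
        if reasons:
            hits.append((record["Image"], record["ImageLoaded"], parse_hashes(record["Hashes"]), reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, hashes, reasons in triage_events([BENIGN_EVENT_XML, SUSPICIOUS_EVENT_XML]):
        print("%s loaded %s (SHA256 %s): %s" % (image, loaded, hashes.get("SHA256", "n/a"), "; ".join(reasons)))
```

Because the signature check is asynchronous, a record with Signed true but a SignatureStatus other than Valid is kept separate from a plainly unsigned module; both deserve review, but for different reasons. Feed the script real records by exporting the Microsoft-Windows-Sysmon/Operational channel to XML and splitting it on `<Event ` boundaries.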