Sysmon Event ID 7


7: Image loaded

This is an event from Sysmon.

On this page

The image loaded event logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the –l option. It indicates the process in which the module is loaded, hashes and signature information. The signature is created asynchronously for performance reasons and indicates if the file was removed after loading. This event should be configured carefully, as monitoring all image load events will generate a large number of events.

Free Security Log Resources by Randy

Description Fields in 7

  • Log Name
  • Source
  • Date
  • Event ID
  • Task Category
  • Level
  • Keywords
  • User
  • Computer
  • Description
  • UtcTime
  • ProcessGuid
  • ProcessId
  • Image
  • ImageLoaded
  • FileVersion
  • Description
  • Product
  • Company
  • Hashes
  • Signed
  • Signature
  • SignatureStatus

Setup PowerShell Audit Log Forwarding in 4 Minutes


Examples of 7

Image loaded:
UtcTime: 2017-04-28 22:45:16.662
ProcessGuid: {a23eae89-c5fa-5903-0000-0010bf439000}
ProcessId: 12536
Image: C:\Windows\System32\notepad.exe
ImageLoaded: C:\Windows\System32\ole32.dll
Hashes: SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid


Event XML:
 <Event xmlns="">
        <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
        <TimeCreated SystemTime="2017-04-28T22:45:16.663226600Z" />
        <Correlation />
        <Execution ProcessID="3216" ThreadID="3964" />
        <Security UserID="S-1-5-18" />
        <Data Name="UtcTime">2017-04-28 22:45:16.662</Data>
        <Data Name="ProcessGuid">{A23EAE89-C5FA-5903-0000-0010BF439000}</Data>
        <Data Name="ProcessId">12536</Data>
        <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
        <Data Name="ImageLoaded">C:\Windows\System32\ole32.dll</Data>
        <Data Name="Hashes">SHA1=B2A2BBCFB69B1F0982C4B82055DAD9BAE4384E4B</Data>
        <Data Name="Signed">true</Data>
        <Data Name="Signature">Microsoft Windows</Data>
        <Data Name="SignatureStatus">Valid</Data>

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources