Event ID 4

Sysmon service state changed (Sysmon started or stopped)
Source: Microsoft-Windows-Sysmon
Category: Sysmon service state changed
Sysmon service state changed:
    UtcTime: %1!s!
    State: %2!s!
    Version: %3!s!
    SchemaVersion: %4!s!


The service state change event reports the state of the Sysmon service (started or stopped).
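
As an added example (not part of the original page or of Sysmon itself), the following Python parses rendered Event ID 4 messages in the field layout above and reports the windows during which the service was stopped and no Sysmon telemetry was recorded. The sample messages, the timestamp format and the `Started`/`Stopped` spelling of the state values are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample messages (deliberately out of order). Timestamp format,
# version numbers and the Started/Stopped spelling are assumptions.
def _msg(utc, state):
    return ("Sysmon service state changed:\n"
            f"    UtcTime: {utc}\n    State: {state}\n"
            "    Version: 15.0\n    SchemaVersion: 4.90\n")

SAMPLE_EVENTS = [
    _msg("2024-03-01 09:15:30.000", "Started"),
    _msg("2024-03-01 08:00:00.000", "Started"),
    _msg("2024-03-01 11:00:00.000", "Stopped"),
    _msg("2024-03-01 09:15:00.000", "Stopped"),
]

FIELD_RE = re.compile(
    r"^[ \t]*(UtcTime|State|Version|SchemaVersion):[ \t]*(.*?)[ \t]*$", re.M)
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # assumed rendering of UtcTime

def parse_event(message):
    """Extract the four Event ID 4 fields from one rendered message."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(message)}
    missing = {"UtcTime", "State"} - fields.keys()
    if missing:
        raise ValueError(f"not an Event ID 4 message, missing {sorted(missing)}")
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], TIME_FORMAT)
    fields["State"] = fields["State"].lower()
    return fields

def telemetry_gaps(messages):
    """Return (stopped_at, restarted_at, seconds) per stop; None if still down."""
    events = sorted(map(parse_event, messages), key=lambda e: e["UtcTime"])
    gaps, stopped_at = [], None
    for ev in events:
        if ev["State"] == "stopped" and stopped_at is None:
            stopped_at = ev["UtcTime"]  # keep the earliest stop of a run
        elif ev["State"] == "started" and stopped_at is not None:
            delta = (ev["UtcTime"] - stopped_at).total_seconds()
            gaps.append((stopped_at, ev["UtcTime"], delta))
            stopped_at = None
    if stopped_at is not None:
        gaps.append((stopped_at, None, None))  # no restart seen: open gap
    return gaps

if __name__ == "__main__":
    for stopped, restarted, secs in telemetry_gaps(SAMPLE_EVENTS):
        print(f"Sysmon stopped {stopped}, restarted {restarted}, gap {secs} s")
```

A stop with no later start is returned as an open gap, which is the case worth alerting on first.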


