Event ID 4
Sysmon service state changed (Sysmon started or stopped)
Source:
Microsoft-Windows-Sysmon
Category:
Sysmon service state changed
Sysmon service state changed:
UtcTime: %1!s!
State: %2!s!
Version: %3!s!
SchemaVersion: %4!s!
The service state change event reports the state of the Sysmon service (started or stopped).
Auditing:
Always
This event is logged when Sysmon is started or stopped and includes the version of Sysmon as well as the configuration. This event is always logged.
Volume:
Low
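Added example, not part of the original reference entry: Python that parses rendered Event ID 4 messages in the template layout shown above and reports each interval between a stop and the next start, plus any Version/SchemaVersion change between starts. The `Started`/`Stopped` state strings, the timestamp format, the helper names and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime

FIELDS = ("UtcTime", "State", "Version", "SchemaVersion")

def msg(utc, state, version="15.0", schema="4.90"):
    """Build a constructed message in the page's template layout (sample data only)."""
    return ("Sysmon service state changed:\n"
            f"UtcTime: {utc}\nState: {state}\nVersion: {version}\nSchemaVersion: {schema}")

# Constructed sample events, deliberately out of order; every value is an assumption.
SAMPLE = [
    msg("2024-01-10 09:30:00.000", "Stopped"),
    msg("2024-01-10 08:00:00.000", "Started"),
    msg("2024-01-10 09:42:30.000", "Started"),
    msg("2024-01-10 14:00:00.000", "Stopped"),
    msg("2024-01-10 14:00:05.000", "Started", version="15.14"),
    msg("2024-01-10 18:00:00.000", "Stopped", version="15.14"),
]

def parse_event(message):
    """Parse one rendered Event ID 4 message into a dict of the four template fields."""
    rec = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip() in FIELDS:
            rec[key.strip()] = value.strip()
    if set(FIELDS) - set(rec):
        raise ValueError(f"missing fields: {sorted(set(FIELDS) - set(rec))}")
    rec["UtcTime"] = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return rec

def review(messages):
    """Return (gaps, changes): stop-to-start intervals and version/schema changes."""
    events = sorted((parse_event(m) for m in messages), key=lambda e: e["UtcTime"])
    gaps, changes, stopped_at, last = [], [], None, None
    for ev in events:
        if ev["State"] == "Stopped":
            stopped_at = stopped_at or ev["UtcTime"]  # keep the earliest unmatched stop
        elif ev["State"] == "Started":
            if stopped_at is not None:
                gaps.append((stopped_at, ev["UtcTime"], (ev["UtcTime"] - stopped_at).total_seconds()))
                stopped_at = None
            ident = (ev["Version"], ev["SchemaVersion"])
            if last and ident != last:
                changes.append((ev["UtcTime"], last, ident))
            last = ident
    if stopped_at is not None:
        gaps.append((stopped_at, None, None))  # stopped with no later start in this data
    return gaps, changes
```

`review(SAMPLE)` returns three gaps (750 seconds, 5 seconds, and one still open) and one version change at the 14:00:05 start.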