Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
1,218 questions
How to Configure Sysmon to Log the Parent Process Hash in Process Creation Events
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 33%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJR%3C/text%3E%3C/svg%3E)
José Raeiro
0
Reputation points
I am using Sysmon to monitor process creation in my Windows environment. Currently, process creation events (Event ID 1) log detailed information about the parent process, such as the full path (ParentImage) and command line (ParentCommandLine). However, I would like to configure Sysmon to also log the hash of the executable file of the parent process.
I understand that Sysmon does not directly log the hash of the parent process in process creation events. Is there any configuration or method that allows obtaining this information directly in Sysmon logs? Or would it be necessary to correlate events from other IDs to retrieve the parent process hash?
Sysinternals
Sign in to answer