How to Install or Uninstall Built-in Sysmon on Windows 11

Written by Richard
Feb 4, 2026, updated Apr 1, 2026
⚡ Quick Answer

Install Sysmon by opening Windows Terminal as administrator, enabling the Sysmon feature, and then running “Sysmon -i”. Uninstall it by disabling the Sysmon feature in Terminal and restarting your PC when prompted. You need administrator rights for both actions.

What is Sysmon?

Sysmon is a helpful Windows tool that keeps an eye on what’s going on inside your computer, logging important events like when new programs start or when your computer connects to the internet.

Why use Sysmon? It gives you a detailed view of your system’s activity. This helps you find security threats and troubleshoot problems.

What happens when you install it? Sysmon starts logging system events automatically. You can then review these logs to get a clear picture of your computer’s activity.

Good news! Newer versions of Windows 11 (such as build 26220 and later) already include Sysmon, so you won’t need to download any extra software.

Important: Before you start, you must be signed in as an administrator to install or uninstall Sysmon. ⚙️

Option 1: Install or Uninstall Sysmon Using Windows Settings

  1. Open Settings by pressing ⊞ Win+I.
  2. Click System from the left menu, then select Optional features on the right.
  3. Click More Windows Features near the top.
  4. In the new window, find Sysmon in the list.
  5. To install, check the box next to Sysmon. To uninstall, uncheck the box.
  6. Click OK.
  7. Depending on your choice:
    • If installing, click Close.
    • If uninstalling, click Restart now to finish the removal.

You can easily add or remove Sysmon right from Windows 11’s Settings menu, which is a straightforward way to manage this useful tool without needing complicated commands.

Finish Installing Sysmon via Command Line

  1. Open Windows Terminal (Admin) ⚙️ and choose either PowerShell or Command Prompt.
  2. Type or paste the command below, then press Enter:

    Sysmon -i
  3. After it finishes, you can close the Terminal and Settings.

Option 2: Install Sysmon Using Command Line Only

  1. Open Windows Terminal (Admin) ⚙️ and pick PowerShell or Command Prompt.
  2. Run one of these commands to turn on the Sysmon feature:
    • PowerShell: Enable-WindowsOptionalFeature -Online -FeatureName Sysmon
    • Command Prompt: DISM /Online /Enable-Feature /FeatureName:"Sysmon"
  3. Next, run this command to install Sysmon itself:

    Sysmon -i
  4. Close the Terminal when done.

Option 3: Uninstall Sysmon Using Command Line

  1. Open Windows Terminal (Admin) ⚙️ and pick PowerShell or Command Prompt.
  2. Run one of these commands to turn off (uninstall) Sysmon:
    • PowerShell: Disable-WindowsOptionalFeature -Online -FeatureName Sysmon
    • Command Prompt: DISM /Online /Disable-Feature /FeatureName:"Sysmon"
  3. When asked, type Y and press Enter to restart your PC and finish uninstalling.

Summary

  • What Sysmon Does: Tracks and logs important system activities to help spot security problems.
  • Admin Rights Needed: You must be signed in as an administrator to add or remove Sysmon. ⚙️
  • Easy Installation Options: Use Settings or Command Line tools like Windows Terminal.
  • Restart May Be Required: Removing Sysmon usually needs a reboot to complete.
  • Built into Windows 11: No need to download anything extra on newer Windows 11 versions.

Sysmon on Windows 11 helps you track and log what your computer is doing, which is great for spotting security issues, and you can install it easily using Windows Settings or the command line.

Is Sysmon included in 🪟 Windows 11?

Sysmon, or System Monitor, is an optional Windows feature for Windows 11 and Windows Server 2025. When you turn it on, it stays active even after restarts, watching and recording system activity in the Windows Event Log.

Is Microsoft rolling out native Sysmon monitoring in 🪟 Windows 11?

Microsoft has started integrating System Monitor (Sysmon) directly into Windows 11. This is a significant change in how advanced system telemetry and threat detection can be implemented across Windows systems.

How do I set up Sysmon on Windows?

In Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational. Look for Sysmon events like Process Create, Network Connect, or File Create. If you see these events, it confirms that built-in Sysmon is enabled and actively using its configuration.
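
To run the same check from the command line, the PowerShell below (an added example, not part of the original guide) verifies the feature state and counts recent events of the three types named above. It assumes the Event Viewer path maps to the channel name Microsoft-Windows-Sysmon/Operational and that built-in Sysmon uses the standard Sysmon event IDs 1, 3 and 11; Test-SysmonLogging is a hypothetical function name.

```powershell
# Added example, not from the original guide. Run in an elevated PowerShell session.
$FeatureName = 'Sysmon'                                 # feature name used in the commands above
$LogName     = 'Microsoft-Windows-Sysmon/Operational'   # assumed channel behind the Event Viewer path
$EventTypes  = @{ 1 = 'Process Create'; 3 = 'Network Connect'; 11 = 'File Create' }  # standard Sysmon IDs

function Test-SysmonLogging {
    param([int]$LookbackMinutes = 60)

    # 1. The optional feature must be enabled before any logging can happen.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue
    if (-not $feature -or $feature.State -ne 'Enabled') {
        Write-Warning "Feature '$FeatureName' is not enabled. Enable it, then run 'Sysmon -i'."
        return
    }

    # 2. Get-WinEvent raises an error when the log is missing or nothing matches;
    #    suppress that and treat it as zero events.
    $filter = @{
        LogName   = $LogName
        Id        = [int[]]@($EventTypes.Keys)
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # 3. One row per event type: how many were logged and when the latest one arrived.
    foreach ($id in ($EventTypes.Keys | Sort-Object)) {
        $hits = @($events | Where-Object { $_.Id -eq $id })
        [pscustomobject]@{
            EventId = $id
            Type    = $EventTypes[$id]
            Count   = $hits.Count
            Latest  = ($hits | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    }
    if ($events.Count -eq 0) {
        Write-Warning "No Sysmon events in the last $LookbackMinutes minutes. Confirm 'Sysmon -i' was run."
    }
}

Test-SysmonLogging | Format-Table -AutoSize
```

A count of 0 for one type is not necessarily a fault: which event types are recorded depends on the active Sysmon configuration.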

About the Author

Richard

Tech Writer, IT Professional

Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.