Structure of process GUIDs used in Sysmon ETW events

Dave McCormack
2021-01-18T14:29:57.053+00:00

Back in July 2018, Matt Graeber figured out the structure of the process GUID used in Sysmon events and published a PowerShell script to decode them. Since then, however, it seems that the structure has changed.

If mmmmmmmm-tttt-tttt-cccc-ccccwwwwwwww is a process GUID then:

mmmmmmmm - This is as Matt described, i.e. the upper 32 bits of the machine GUID.

tttt-tttt - This is also as Matt described, i.e. the process creation time expressed in seconds since the Unix epoch.

cccc-cccc - This seems to be just a monotonic counter of processes created since the Sysmon driver started.

wwwwwwww - I have no idea what this represents.

I think it would be very useful if Sysmon settled upon a final structure for process GUIDs and then published this. This would make it much easier for your customers to correlate events collected using Sysmon with events collected using other sources. Is there any possibility of such a standardisation happening?

Also, given that the PID and process creation time (PCT) are essentially unique per machine, why not just form the Sysmon process GUID by taking the 64 bits of the PCT, followed by the 32 bits of the PID, followed by the first 32 bits of the machine GUID?
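The layout described in the post, turned into a small decoder as an added example (this is not the poster's code, nor Matt Graeber's script, nor anything published by Sysinternals). It splits a ProcessGuid into the four fields named above and offers two helpers a defender correlating Sysmon with other log sources would want: a check that a ProcessGuid belongs to a given machine GUID, and a sort key that orders GUIDs from one host by creation time and then counter. Two things are assumptions, not facts from the post: the creation-time seconds are read as the little-endian concatenation of the GUID's 16-bit Data2 and Data3 groups (the byte order that produces plausible dates), and the counter is read in printed byte order. The machine GUID and ProcessGuid values are constructed for the example.

```python
import re
from datetime import datetime, timezone
from typing import NamedTuple

# Matches a Sysmon ProcessGuid as it appears in the event XML, with or
# without surrounding braces, e.g. {5b49e8e5-1a2b-6004-0000-001042a30500}.
_GUID_RE = re.compile(
    r"^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$",
    re.IGNORECASE,
)


class SysmonProcessGuid(NamedTuple):
    machine_prefix: str   # mmmmmmmm: upper 32 bits of the machine GUID (hex string)
    creation_time: int    # tttt-tttt: process creation time, seconds since Unix epoch
    counter: int          # cccc-cccc: process counter since the driver started
    tail: str             # wwwwwwww: meaning not established by the post, kept raw


def parse_process_guid(guid: str) -> SysmonProcessGuid:
    """Split a Sysmon ProcessGuid into the fields described in the post."""
    m = _GUID_RE.match(guid.strip())
    if m is None:
        raise ValueError(f"not a GUID: {guid!r}")
    g1, g2, g3, g4, g5 = (part.lower() for part in m.groups())
    # Assumption: groups two and three are the GUID's 16-bit Data2 and Data3
    # fields and the 32-bit creation time is their little-endian concatenation,
    # i.e. Data3 carries the high half. Any decoder must choose a byte order
    # here; this is the one that yields dates in the expected range.
    creation_time = (int(g3, 16) << 16) | int(g2, 16)
    # Assumption: the counter is read in printed order. Data4 is a byte array,
    # so the string shows its bytes in memory order with no endian swap.
    counter = int(g4 + g5[:4], 16)
    return SysmonProcessGuid(g1, creation_time, counter, g5[4:])


def creation_time_utc(guid: str) -> datetime:
    """Process creation time of the GUID as an aware UTC datetime."""
    return datetime.fromtimestamp(parse_process_guid(guid).creation_time, tz=timezone.utc)


def from_same_machine(guid: str, machine_guid: str) -> bool:
    """True if the ProcessGuid's first group equals the machine GUID's first group.

    The machine GUID is the value Sysmon derives the prefix from; it may be
    passed with or without braces and in either case.
    """
    prefix = machine_guid.strip().strip("{}").lower()[:8]
    return parse_process_guid(guid).machine_prefix == prefix


def order_key(guid: str):
    """Sort key ordering ProcessGuids from one host by creation time, then counter.

    Two processes created in the same second keep their driver-observed order
    because the counter breaks the tie.
    """
    p = parse_process_guid(guid)
    return (p.creation_time, p.counter)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real host.
    MACHINE_GUID = "5b49e8e5-0000-4000-8000-000000000000"
    SAMPLE = [
        "{5b49e8e5-1a2b-6004-0000-001142a30500}",
        "{5b49e8e5-1a2b-6004-0000-001042a30500}",
    ]
    for g in sorted(SAMPLE, key=order_key):
        p = parse_process_guid(g)
        print(g, creation_time_utc(g).isoformat(), p.counter, p.tail,
              from_same_machine(g, MACHINE_GUID))
```

Because the first group is compared as a string, the same function works whether the machine GUID comes from the registry or from an inventory system, as long as both sides are in the usual hyphenated form; the unknown trailing field is deliberately left as raw hex rather than given an interpretation the post does not support.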
