What are the Sysmon64, and Autoruns64 Resources / Requirements?

Robert Barker 1 Reputation point
2021-09-16T14:50:51.267+00:00

Good afternoon,

I am trying to convince my company to have Autoruns64 and Sysmon64 used on our network to improve our logging and understanding of what's happening in our systems. However, I need information on the requirements and resources that these programs will be utilizing when running. I cannot find any Microsoft documentation containing this information, and I doubt my personal screenshots of a lab usage of their CPU, memory, and storage will be sufficient as a resource. Do you have any sources that show these requirements, or are you able to provide me with this information?

Very Respectfully,
Barker Robert P.

Sysinternals

3 answers

  1. Alex Mihaiuc 716 Reputation points
    2021-09-30T17:45:03.33+00:00

    If Windows (8.1 client, 2012 Server) runs, then it's assumed that the tools also run. Related to Sysmon, it's lightweight as it doesn't perform heavyweight operations in the filter drivers, but it's a matter of measuring impact for your specific use case.

    The tools are designed to be as lightweight as possible, self-sufficient (single executable) and non-detrimental to the machines they run on.

    TLDR - the same requirements as Windows itself.


  2. Dolmatov 86 Reputation points
    2021-10-01T04:46:55.133+00:00

    From the manual:

    Autoruns works on Windows XP and higher, including 64-bit Windows.


  3. Frânçois 21 Reputation points
    2021-10-06T16:17:28.82+00:00

    Regarding Sysmon deployment with log forwarding set up to your SIEM, you also have to take into consideration whether your SIEM can support (storage + license) ingesting the log volume generated by Sysmon. Some event types are much noisier than others. Choosing to enable certain event types depends upon the use cases you are looking to implement.
    I recommend you deploy Sysmon first in a test instance with all software installed like on a normal workstation in your environment and start tuning your Sysmon configuration to adjust your log volume.
    Log flooding is a serious issue if you have a sloppy configuration. Also, I have seen people use a separate configuration for servers. So, you need to keep this in mind too.
    Always ask yourself first what use cases you are wishing to implement by deploying Sysmon and verify whether your Sysmon configuration can satisfy the log requirements of your use cases.

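The measurement step the answer above recommends (run Sysmon on a test workstation, then tune by event type) can be scripted. The following PowerShell is an added example, not from this thread or from Sysinternals; it assumes Sysmon writes to the default Microsoft-Windows-Sysmon/Operational log and that the service process is named Sysmon64 or Sysmon (it differs if installed with -n or a custom name).

```powershell
# Added example: estimate per-event-ID Sysmon log volume and the service's
# resource footprint on a test host, to size SIEM ingestion before rollout.
param([int]$Hours = 24)   # window to sample; defaults to the last 24 hours

$LogName = 'Microsoft-Windows-Sysmon/Operational'
$Since   = (Get-Date).AddHours(-$Hours)

# Friendly names for the event IDs that most often dominate volume.
$Names = @{ 1='ProcessCreate'; 3='NetworkConnect'; 5='ProcessTerminate'; 7='ImageLoad';
            8='CreateRemoteThread'; 10='ProcessAccess'; 11='FileCreate'; 12='RegistryKey';
            13='RegistryValue'; 22='DnsQuery' }

$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $Since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No Sysmon events found in the last $Hours hour(s)."; return }

# Count events and approximate bytes per ID; the rendered XML size is a fair
# proxy for what a forwarder ships to the SIEM.
$stats = $events | Group-Object Id | ForEach-Object {
    $bytes = ($_.Group | ForEach-Object { $_.ToXml().Length } | Measure-Object -Sum).Sum
    [pscustomobject]@{
        EventId  = [int]$_.Name
        Type     = if ($Names.ContainsKey([int]$_.Name)) { $Names[[int]$_.Name] } else { 'Other' }
        Count    = $_.Count
        PerDay   = [math]::Round($_.Count * 24 / $Hours)
        MBPerDay = [math]::Round($bytes * 24 / $Hours / 1MB, 2)
    }
} | Sort-Object MBPerDay -Descending

$stats | Format-Table -AutoSize
$total = ($stats | Measure-Object MBPerDay -Sum).Sum
'Estimated total: {0:N1} MB/day per host; {1:N1} GB/day for 1000 hosts' -f $total, ($total * 1000 / 1024)

# Resource footprint of the Sysmon service process on this host.
Get-Process -Name Sysmon64, Sysmon -ErrorAction SilentlyContinue |
    Select-Object Name, Id, @{n='WorkingSetMB'; e={ [math]::Round($_.WorkingSet64 / 1MB, 1) }},
                  @{n='CPUSeconds'; e={ [math]::Round($_.CPU, 1) }} |
    Format-Table -AutoSize
```

The per-ID rows show which event types to filter in the Sysmon configuration first; rerun after each configuration change to confirm the volume drop.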