Really? I have to use Procmon and associated utilities often and they really pale in comparison with Linux and even more so other Unix utils (like dtrace).
Well, true, but I'm not in a position to understand what that means. I remember talks about dtrace in Linux way back when and something about how "it's not the same thing, you have to add support in all of userspace which is not there" or something like that.
dtrace is more comparable to ETW in windows land. Procmon is more for quick and dirty analysis. Maybe there are other *nix tools that are more appropriate, but I look forward to trying this one out.
Yes. I work with ancient and opaque tools that don't have good debugging / reporting facilities. Often we have to jump into procmon or whatever to see why the heck the thing is stuck. Something like strace is native and everywhere and you can sus out easily: hey, this proc is trying to open this thing over and over.
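The kind of triage described in this comment (noticing that one process keeps opening the same path) can be automated over plain strace output. The script below is an added example written for this page, not code from the thread or from any Sysinternals or strace tool; the trace lines it parses are constructed sample data in strace's `-f` format (leader lines unprefixed, children tagged `[pid N]`), and the `threshold` value is an arbitrary choice for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `strace -f` output (made up for this example, not a real capture).
# With -f, the traced leader's lines have no prefix and children are tagged "[pid N]".
SAMPLE_STRACE = """\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid  4242] openat(AT_FDCWD, "/etc/app/config.yml", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid  4242] nanosleep({tv_sec=1, tv_nsec=0}, NULL) = 0
[pid  4242] openat(AT_FDCWD, "/etc/app/config.yml", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid  4243] openat(AT_FDCWD, "/var/lib/app/data.db", O_RDWR) = 5
[pid  4242] openat(AT_FDCWD, "/etc/app/config.yml", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid  4243] openat(AT_FDCWD, "/tmp/app.lock", O_WRONLY|O_CREAT|O_EXCL, 0644) = -1 EEXIST (File exists)
[pid  4242] openat(AT_FDCWD, "/etc/app/config.yml", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid  4243] openat(AT_FDCWD, "/tmp/app.lock", O_WRONLY|O_CREAT|O_EXCL, 0644) = -1 EEXIST (File exists)
[pid  4243] openat(AT_FDCWD, "/tmp/app.lock", O_WRONLY|O_CREAT|O_EXCL, 0644) = -1 EEXIST (File exists)
[pid  4243] openat(AT_FDCWD, "/tmp/app.lock", O_WRONLY|O_CREAT|O_EXCL, 0644 <unfinished ...>
[pid  4242] openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
"""

# One completed open()/openat() line. The optional pid prefix covers both the
# "[pid  N]" style of -f and the "N  syscall(...)" style strace writes with -o.
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid_a>\d+)\]\s+|(?P<pid_b>\d+)\s+)?'
    r'(?P<call>openat|open)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\([^)]*\))?\s*$'
)
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted argument is the path


def parse_strace_line(line):
    """Return {pid, call, path, ret, errno} for a completed open/openat line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # other syscalls and "<unfinished ...>" fragments are skipped
    p = PATH_RE.search(m.group("args"))
    if not p:
        return None
    return {
        "pid": m.group("pid_a") or m.group("pid_b"),  # None for the unprefixed leader
        "call": m.group("call"),
        "path": p.group(1),
        "ret": int(m.group("ret")),
        "errno": m.group("errno"),
    }


def find_hot_paths(trace_text, threshold=3):
    """Group opens by (pid, path); return entries at or above threshold, busiest first."""
    counts = Counter()
    errnos = defaultdict(Counter)
    for line in trace_text.splitlines():
        rec = parse_strace_line(line)
        if rec is None:
            continue
        key = (rec["pid"], rec["path"])
        counts[key] += 1
        if rec["errno"]:
            errnos[key][rec["errno"]] += 1
    hot = []
    for (pid, path), n in counts.most_common():
        if n < threshold:
            break
        errs = errnos[(pid, path)]
        hot.append({
            "pid": pid,
            "path": path,
            "count": n,
            "failures": sum(errs.values()),
            "top_errno": errs.most_common(1)[0][0] if errs else None,
        })
    return hot


if __name__ == "__main__":
    for h in find_hot_paths(SAMPLE_STRACE):
        who = h["pid"] or "leader"
        print(f'pid {who}: {h["path"]} opened {h["count"]}x, '
              f'{h["failures"]} failed ({h["top_errno"]})')
```

Feed it a real capture with `strace -f -e trace=openat,open -o trace.txt <cmd>` and read `trace.txt` in place of the constructed sample; the dominant errno per path (ENOENT for a config file that is never found, EEXIST for a lock that is never released) usually says why the thing is stuck.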
procmon is cool, but I have found it limited when the program isn't doing anything 'obvious', and also that I have to download it and run it from the web is a problem when debugging on client systems.
really? One of the things I miss when using linux is resmon. I have not found anything that has even remotely the same functionality. For example seeing which process is using which files.
This can trace all processes on the host while strace traces one PID and its descendants. And bpf tracing does not stop processes at each syscall, so they run without slowdowns.
They have one of the largest Linux user bases out there in Azure. They have their own distro. My favorite Linux memory forensics tool (AVML) is made by them. Sysmon for Linux uses eBPF, which makes it a tad bit more powerful than auditd, etc.
This project is from 2020 [1]. The title should actually be updated to reflect that.
Also, we would have really gone full circle if they used GPLv3 as the license :)
The sysinternals guys (Mark Russinovich and Bryce Cogswell) and code, at least most of it, existed independently of Microsoft for many years. It was great. So great MS bought it and brought it and them inside. Russinovich is CTO of Azure now or something. So sysinternals is now random MS hires but I like to think it's still not really a Microsoft product, just owned and maintained by them.
I was a windows user till XP came out and I've missed sysinternals tools. I'm going to enjoy this on my newer kernel machines. Seems to require some pretty cutting edge features.
Tangent: Mark Russinovich (Jun 20, 2025): “I had the thrill of a lifetime, hosting dinner for Bill Gates, Linus Torvalds and David Cutler. Linus had never met Bill, and Dave had never met Linus.”
It was truly great for Windows, no doubt about that.
Now, is it great for Linux? Absolutely not. These tools existed to vaguely resemble the capabilities we have had on *nix for decades and I'm not sure what kind of value they could bring back to Linux... like, really, what? A different, Microsoft-style optics to look at processes?