Add ARM64 (Sysmon64a.exe) binary coverage to Windows install chapter #49

Merged
darkoperator merged 1 commit into trustedsec:master from einlamye:guide-pr1-arm64-sysmon64a
Jun 30, 2026

@einlamye

Contributor

Microsoft's Sysmon download now ships three command-line binaries, not two. The Windows
install chapter only documented Sysmon.exe and Sysmon64.exe, omitting the ARM64 build
Sysmon64a.exe. This updates the chapter so ARM64 Windows hosts are covered.

Changes

  • chapters/install_windows.md
    • "two command line versions" → "three", and added a "**Sysmon64a.exe** - ARM64 (64-bit ARM) version." bullet.
    • Added a dedicated "ARM64 Process" subsection (matching the existing "Process for x86" and "x64 Process" sections): explains Sysmon64a.exe is the native ARM64 build for Windows on ARM (Snapdragon PCs, Surface Pro X, ARM64 VMs), why the native binary is required (the SysmonDrv kernel driver must match the OS architecture and cannot load under x64 emulation), that the install flow/driver/service/event-log/config schema are otherwise identical to x64, and a Sysmon64a.exe -i --accepteula -c <config> example.
    • Main-service Name note: (default Sysmon or Sysmon64) → (default Sysmon, Sysmon64, or Sysmon64a).
    • Best-practice WMI version filter now also matches c:\Windows\Sysmon64a.exe.

@darkoperator darkoperator merged commit 557dbd5 into trustedsec:master Jun 30, 2026
2 of 4 checks passed
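
The architecture rule described in this pull request, as an added PowerShell example that is not part of the PR or the guide: it selects Sysmon.exe, Sysmon64.exe or Sysmon64a.exe from the native OS architecture, so a deployment shell running under emulation on an ARM64 host still picks the ARM64 build. The function names, `$SourceDir` and `$ConfigPath` are assumptions for illustration.

```powershell
# Added example: pick the Sysmon binary that matches the native OS architecture.
# Assumption: the three binaries sit together in $SourceDir (hypothetical layout).
function Get-NativeArchitecture {
    # The machine-level value is not rewritten for emulated (x86/x64) processes,
    # unlike $env:PROCESSOR_ARCHITECTURE inside a WOW64 or emulated shell.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    (Get-ItemProperty -Path $key -Name PROCESSOR_ARCHITECTURE).PROCESSOR_ARCHITECTURE
}

function Get-SysmonBinaryName {
    param([Parameter(Mandatory)][string]$Architecture)
    switch ($Architecture.ToUpperInvariant()) {
        'X86'   { 'Sysmon.exe' }
        'AMD64' { 'Sysmon64.exe' }
        'ARM64' { 'Sysmon64a.exe' }
        default { throw "No Sysmon binary mapped for architecture '$Architecture'" }
    }
}

function Install-SysmonForHost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$ConfigPath
    )
    $arch   = Get-NativeArchitecture
    $binary = Join-Path $SourceDir (Get-SysmonBinaryName -Architecture $arch)
    if (-not (Test-Path -LiteralPath $binary))     { throw "Missing $binary" }
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Missing $ConfigPath" }

    # Default service names listed in the PR: Sysmon, Sysmon64, Sysmon64a.
    $existing = Get-Service -Name Sysmon, Sysmon64, Sysmon64a -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Warning "Sysmon service already present: $($existing.Name -join ', ')"
        return
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Install $binary")) {
        # Microsoft's documented install form: -accepteula -i <configfile>
        & $binary -accepteula -i $ConfigPath
        if ($LASTEXITCODE -ne 0) { throw "Sysmon install exited with code $LASTEXITCODE" }
    }
}

# Constructed usage (paths are placeholders); -WhatIf shows the choice without installing:
# Install-SysmonForHost -SourceDir 'C:\Stage\Sysmon' -ConfigPath 'C:\Stage\Sysmon\config.xml' -WhatIf
```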