Device drivers, Insider stuff, Recent Activity, Troubleshooting, WED Blog, Windows 11

CPU Changed Boot Warning Nightmare

Leave a comment

This morning I noticed external audio wasn’t working on my Flo6 desktop. I quickly went down a rabbit hole with audio drivers and such. Along the way, through a series of a half-dozen reboots, I noticed the fTPM “CPU changed” message kept popping up. At first, it was mildly annoying. But when it kept repeating I found myself stuck in a “CPU Changed” boot warning nightmare. How to escape?

Note on an AMD mobo fTPM is a firmware Trusted Platform Module, which resides inside a Platform Security Processor on the mobo. It provides the same functions as a discrete hardware TPM. It’s been bugging me lately, as I will relate…

Ending the “CPU Changed” Boot Warning Nightmare

Interestingly, the fTPM “CPU changed” message can appear even when the CPU has not been replaced. It shows up when the firmware detects a mismatch between the stored fTPM data and the state reported by the Platform Security Processor. This mismatch can happen during normal use. It can also happen after a firmware stall or a power loss. The message is confusing because it suggests a hardware change. In most cases, nothing is wrong with the CPU. The system is only trying to protect the integrity of the TPM state.

To say that Flo6 shows this message more often than other systems is an understatement. It happens a lot, and the reason is simple. Flo6 has a sensitive trust chain. It depends on the Platform Security Processor (PSP), the Embedded Controller (EC), and the BIOS staying in sync. If any part of that chain resets at the wrong time, the fTPM state can fall out of alignment. When that happens, the firmware cannot confirm that the stored TPM data belongs to the current system state. It then shows the prompt and waits for user input.

What Makes Flo6 My Problem Child?

This message appears most often after a forced shutdown. It can also appear after a firmware stall or a long power loss. If the system loses power while the PSP is active, the fTPM state may not save cleanly. On the next boot, the firmware sees the mismatch and stops to ask for confirmation. This is a safety feature. It prevents the system from using TPM data that may not match the current hardware state.

Flo6 also shows the message after a failed warm boot. A warm boot will not fully reset the PSP. If the PSP is left in a partially updated state, the next boot may not match the stored fTPM data. The firmware then shows the prompt again. This is why the message sometimes appears after a simple restart. The system is not failing. It is only trying to confirm the trust state.

Responding to “CPU Changed” with Yes

Choosing Y tells the firmware to restore the stored fTPM state. Choosing N tells it to discard the stored state. On Flo6, Y is usually the correct choice. It keeps the system stable and avoids repeated prompts. N is only valid when the CPU has changed. If the CPU has not changed, N can cause more trust state mismatches. It can also trigger BitLocker recovery if BitLocker is enabled.

The “CPU changed” message does not mean the CPU is faulty. It does not mean the BIOS is corrupted. Nor is the system unsafe. It only means the firmware wants to confirm the TPM state before it continues. Flo6 is more sensitive to this check because of the way its firmware handles power loss and warm boots.

That’s why I’m getting ready to swap the ASRock B550 Extreme4 mobo for an MSI MAG Tomahawk model. I read that its UEFI is more stable, robust, and less prone to fTPM mismatches. Here in Windows-World, an escape from the frying pan can lead into the fire. Fingers crossed that the upcoming rebuild ends this nightmare.

Facebooklinkedin
Facebooklinkedin
Device drivers, Insider stuff, Recent Activity, Troubleshooting, WED Blog, Windows 11

AMD Gets New Chipset Driver

Leave a comment

Here I go again. I read this morning on Neowin that AMD had dropped a new version of its chipset drivers, including the B550 in my Flo6 and RyzenOfc desktops. Time for an upgrade! I found what I needed at the Chipset Driver Release Notes 8.01.20.513 page (a 62.5MB download named amd_chipset_software_8.01.20.513.exe). After applying that file, AMD gets new chipset driver upon reboot. What happened on my ASRock system was a little more vexing…and complicated. Let me explain…

After AMD Gets New Chipset Driver, Comes a Reboot

The UEFI on my ASRock B550 Extreme4 motherboard is a little tetchy. Whenever the firmware or drivers get touched (updated or replaced), it tends to hang on a black screen after a reboot intended to flush out old stuff and bring in new. Sure enough, that’s what happened after the AMD chipset installer fired off a restart with my express permission.

I had to do a deep cold start to bring the motherboard back to life. That meant:
1. Hold the power button down until the system turns off
2. Turn off the PSU
3. Hold the power button down another 10-15 seconds to discharge any capacative devices
4. Turn off, then unplug the power cord from the PSU
5. Wait 2-5 minutes for everything to turn itself completely off
6. Plug the PSU back in, turn on its power switch
7. Use the front power switch to start the PC back up
Fortunately, that worked and the unit came back to life.

Checking the Install

I’m learning to make doubly-darned sure that an update actually gets applied, thanks to some recent misadventures with Secure Boot. I visited Device Manager and made sure no yellow triangle warnings popped up, nor did anything appear under the always-annoying “Other Devices” heading.

At Copilot’s urging, I also checked the install dates for all of my AMD drivers. Copilot also confirmed that those dates matched the latest ones in the afore-linked release note (and hence, should be current).

I used this handy PowerShell one-liner to elicit the data shown in the next screencap:

Get-WmiObject Win32_PnPSignedDriver |   Where-Object { $_.DeviceName -like “*AMD*” } |  Select-Object DeviceName, DriverVersion, DriverDate

Here’s the resulting output:

After checking these against the release notes, reported dates = current dates.

It looks like the chipset update got properly applied. Copilot tells me other UEFIs will reboot after a chipset update without the 7-step polka the ASRock board needed. I wish I had another AMD system around here to verify that claim. But here in Windows-World we don’t always get what we want. Good enough for now, I guess!

Facebooklinkedin
Facebooklinkedin
Uncategorized

Secure Boot Recovery Means New Media

1 Comment

Here at Chez Tittel, I’ve been on something of a Secure Boot tear lately. Late last week, it dawned on me that this might require a change in recovery media, too. I checked: it does. Indeed, MS spells out the notion that secure boot recovery means new media in a couple of MS Learn Documents:

Basically, this boils down to the following data points, all of which determine whether or not recovery media will work properly after enabling Secure Boot:

  • Recovery media must use MS-signed UEFI bootloaders
  • Bootloaders signed with a certificate trusted in db
  • Bootloaders signed with the old 2011 CA blocked in dbx
  • Updated WinRE images (incl. new recovery media) signed with the 2023 CA

What Secure Boot Recovery Means New Media Comes Down to…

Simply put: once a PC has secure boot enabled and reports the presence of CA 2023, it needs matching secure boot media for recovery and repair. Older media won’t work because it lacks the new CA 2023 certificate. Bootloaders will fail, and/or WinRE won’t run. This will provoke a “Secure Boot violation” error or “invalid certificate” message in the bootloader. Sounds bad, eh?

The fix is easy, as long as you’ve turned Secure Boot on, and have installed the CA 2023 certificate (Garlin’s scripts at ElevenForum do this job nicely). With all these pieces in place, your current runtime meets the afore-stated requirements. Then, you can use Windows built in “Create a recovery drive” feature to build new recovery media to match this new state. Done!

Here in Windows-World when things change the supporting infrastructure must change to follow suit. Today that means generating fresh, new recovery media to match Flo6’s “secure boot on, CA 2023 installed” state. Takes only a few minutes, but means that future recovery efforts are far more likely to succeed. Good-oh!

Facebooklinkedin
Facebooklinkedin
AI, Insider stuff, Recent Activity, WED Blog, Windows 11

Copilot Amazon Differ on TB5 NVMe Availability

Leave a comment

I’m prepping for an AskWoody  story about RAID 1 setups on Windows 11. It had me popping open my half-dozen or so NVMe enclosures yesterday to see what I had at my disposal. Among my inventory, I found two identical NVMes (ideal for a RAID 1 test). I also found a Crucial T705 1TB PCIe x5 drive, which isn’t suited for any of my enclosures. It really needs Thunderbolt 5 or USB4 v2.0 to exceed the 40 Gbps speed limit that TB4/USB4 imposes. Imagine my surprise when Copilot said no such enclosures were available, while Amazon showed me at least half-a-dozen products for sale right now. Hence my claim that Copilot, Amazon differ on TB5 NVMe availability.

If Copilot Amazon Differ on TB5 NVMe Availability, Try Evidence

I work with Copilot near daily, especially on understanding and fixing Windows problems, issues and misconfigurations. Warnings about AI hallucinations are always worth remembering with Copilot. Why? Because it has repeatedly shown itself to be wrong or — as in this case — misinformed.  I reproduce Copilot’s response to my correction in which I provide the simple Amazon search that showed me 6-plus TB5 capable NVMe enclosures for sale at US$190 and up.

One big problem I see with AI information is that it includes no shades of grey. If Copilot and other AI interfaces could include confidence levels or probability of correctness, that might help. But no: Copilot, Google AI, Grok and so forth put forward their information as gospel truth. There’s a huge gap between Copilot’s initial flat statement that no TB5 NVMe enclosures are available, and its later correction to “TB5 NVMe enclosures exist, but most are early‑generation products whose real‑world performance is currently limited by host support and certification status.” Big difference!

As Always, Proceed with AI Cautiously

I don’t use or act on AI provided info unless and until I can confirm it through at least one (preferably, two or more) reliable public sources. This little “No it’s not; Well, yes it is…kinda/sorta” encounter demonstrates pretty well why that’s so. Indeed, for testing purposes I plan to buy one of the very enclosures Copilot told me yesterday didn’t exist. Today, it’s a different story!

Isn’t that just the way things go here in Windows-World sometimes? But at least, I’m going to be able to see if TB5/PCIe x5 Gen5 technology lives up to its billing when the Acasis enclosure shows up. If things work as reported, I’ll have an external USB drive that’s as fast as the internal drive on my production desktop.

Facebooklinkedin
Facebooklinkedin
Uncategorized

Secure Boot Report Card Perfected

1 Comment

On February 4th, I recounted the Secure Boot status of my local fleet, along with machines possessing CA 2023 secure boot certificates. At that time, I had 3 of 11 PCs with no CA 2023 secure boot certs. One also couldn’t enter UEFI with Secure Boot enabled. My secure boot report card is now perfected. All 11 machines have secure boot enabled AND CA 2023 certs in their credentials stores.

How Did I Get Secure Boot Report Card Perfected?

Short answer: time, effort and (in one case) a hardware purchase. Now for a somewhat longer answer. Both holdout machines with SB enabled, but no CA 2023 present were two ThinkPads. First, the X380 Yoga, a 2018 vintage 7th-gen Intel-based laptop. Second was X12Hybrid, a 2020 vintage 10th-gen Intel based tablet.

The same fix worked for both machines. The inestimable long-time member at ElevenForum.com named @Garlin has a terrific thread. It’s entitled garlin’s PowerShell scripts for updating Secure Boot CA 2023. It includes a script named Check_UEFI-CA2023.ps1. If you run that script it not only tells you if the CA 2023 cert is present or absent. If CA 2023 is absent, it also provides two commands to put it in place. That worked for both of my ThinkPad holdouts.

Note: The lead-in graphic for this story shows the following:
1. Invocation and output from the Check script just mentioned.
2. Execution of the reg edit and scheduled task to add CA 2023.
3. Final check string to show CA 2023 is present in the SecureBoot UEFI db (database).

The Third Holdout Proves a Bit Trickier

The old NVIDIA GeForce RTX 1070Ti installed in the upstairs ASRock B550/AMD Ryzen 5 5800X desktop named “RyzenOfc” wouldn’t enter UEFI with Secure Boot enabled. Turns out the firmware on its older GPU just couldn’t coordinate with TPM changes. I bought a Gigabyte RTX 5060 because it was compact enough to fit the smallish RyzenOfc Antec A-201 case. That got me back into UEFI where I could install the default keys and get secure boot working properly.

After that, the same Garlin script cited above also got CA 2023 into the credentials store on RyzenOfc. It’s taken a good chunk of the last two weeks, and cost me a chunk of change — I also bought a new mouse and keyboard that skips USB enumeration issues and Fn key gotchas in getting to UEFI, plus the GPU — to finish this journey.

Just for grins I checked CA 2023 status on the ThinkPad P16 Gen 3 that showed up on Monday. It didn’t have the new certs, either, so I fixed it with commands from the Garlin check script, too. All good!

But at last, all my machines are Secure Boot enabled with the CA 2023 certificate installed in that environment. What a long, strange trip that turned into. I’m glad it’s over, and I learned a LOT along the way. I also heartily recommend the Garlin scripts to anybody facing uncertainty or issues in getting CA 2023 Secure Boot certs onto their PCs. Great stuff!

Facebooklinkedin
Facebooklinkedin
Hardware Reviews, Insider stuff, Recent Activity, WED Blog

P16 Gen3 Firmware Update Hangs

Leave a comment

Imagine my excitement when I got a brand-new Lenovo ThinkPad P16 Gen 3 Mobile Workstation delivered to the door yesterday.  It’s an absolute beast of a machine (more on that below), huge and powerful. As part of my usual intake routine, I apply all pending updates. Alas, one of them — the P16 Gen3 firmware update — hangs during its install. I have to take drastic measures to finish things up. Let me explain…

If P16 Gen3 Firmware Update Hangs, Then?

The system wouldn’t reboot after the UEFI itself got updated. It was stuck, unable to go forward or go back. So I exercised the nuclear option when it comes to laptops lost in limbo.  I unplugged the battery and waited for it to drain completely, as evidenced by the power button and ESC key lights that stayed on late into the night last night.

The update completed successfully after that: I’m now running N4FET47W (1.28) dated 1/23/2025. But it took some doing to get there. Lenovo Vantage downloaded the update but was unable to install it. I also tried Lenovo System Update, which is usually better at handling firmware stuff, but no dice there, either. Finally, I visited the Lenovo Support pages, plugged in the serial number, and got a standalone flash installer named n4fuj05w.exe.

Starting UEFI Update Is Good, Finishing Is Better

The installer does its initial thing inside Windows getting the UEFI, Intel Management Engine (ME), and other update elements unpacked and ready before it reboots the machine. Then the flash installer takes over. That’s what hung on me.

Initially, Copilot advised me to remove the back deck of the unit and unplug the battery to force a cold reboot quickly. But this laptop costs over US$9K and the back deck didn’t want to come off. I had to use more force than I was comfortable exercising just to get the back edge to lift a little. Copilot yammered on I should keep trying and that the unit is notorious for tight clips and challenging extraction.

Nope! I also knew that draining the power over time would achieve the same end, with no danger of scratching the finish. So I waited overnight instead.

Getting Going On Intake

Now that the updates are all in place, WU is happy, winget’s been satisfied, and the Store is caught up, I can pay attention to the machine itself. I’ve got all my apps and tools installed, and am ready to report on what I see about this monster of a laptop.

Here’s a quick summary of key components:
• It’s NOT a Copilot+ PC
• Intel Core Ultra9 275HX (8P-Cores, 16 E-Cores, 24 threads)
• 128 GB DDR5 UDIMM RAM
• Intel integrated graphics Arc Xe‑LPG Graphics (64 exe units)
• NVIDIA RTX Pro 5000 Blackwell Generation (ADA arch, 7,424 CUDA cores, 16GB GDDR6, 58 3G RT cores, 232 4G Tensor cores)
• 4TB SAMSUNG MZVLC4T0HBL1-00BLL (SSD)

Pretty serious complement of components, eh?`

Here are the ports provided on the unit, listed by side as left, back and right:
LEFT (from front, items listed back to front)
• 1xSD slot (full-sized)
• 1xThunderbolt 4 (USB-C) up to 40 Gbps, DP1.4, USB4 compatible
• 1xUSB-A 3.2 Gen 1 (5 Gbps)
REAR (left to right, looking at rear)
• RJ-45 2.5GbE
• HDMI 2.1
• 2xThunderbolt 5 (USB-C) up to 80 Gbps, DP2.1, USB4 compatible
RIGHT
• Kensington lock slot
• 1xUSB-A 3.2 Gen 1 (5 Gbps)

Most notably, this P16’s got Thunderbolt 5 and USB5 (aka 4.2) support! Now I’ll finally be able to test TB5/USB5 stuff.  The internal SSD — a PCIe x5 Samsung model — reports speeds over 11,000 for 1GB block transfers in CrystalDiskMark. A USB4 drive attached to the high-speed USB-C port clocks in over 6,000. It’s the fastest USB I/O I’ve ever seen. Cool!

From the Belly of this Beast

Weighing in right at 6.5 lbs (2.95 kg) this is a massive monster of a laptop. But if you need lots of horsepower, capability and connectivity this could be your mobile workstation, too. Lenovo tells me its MSRP is ~US$9,200. You’ll need some serious financial backing to make this baby yours, too. So far, I like it a lot!!!

 

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Troubleshooting, WED Blog, Windows 11, Windows Update

CU Aftermath: One TPM Update Elicits WTF?

1 Comment

Microsoft’s February 2026 cumulative update, KB5077181, brought most Windows 11 25H2 systems up to build 26200.7840. At least, that’s what I was expecting. But as I rolled out the update across a mix of systems here at Chez Tittel, I noticed something odd. My Lenovo ThinkPads and an ASUS Zenbook A14 quietly updated and rebooted into 26200.7840. The DIY desktop (built on an ASRock motherboard with a Ryzen 5800X) threw a TPM warning and required multiple reboots after a forced cold startup. You guessed it: that one TPM elicits WTF as I must respond to “Update Y/N” for things to proceed.

One TPM Update Elicits WTF, Others Don’t

Let’s unpack what happened. First, the update itself. KB5077181 is a standard cumulative update, but it also includes boot-chain changes that affect Secure Boot and TPM values. On systems with stable firmware and well-behaved TPM implementations, these changes get absorbed quietly. That’s what happened on my Lenovo and ASUS laptops. They rebooted twice and landed on build 26200.7840 without a peep. Copilot tells me that the first reboot is for a servicing stack update, the second for the aforementioned CU.

The ASRock-based Ryzen system, aka “Flo6,” had a different reaction. Upon reboot it froze on a black screen. After I cycled power and forced a cold boot, it presented a UEFI-level prompt. That prompt  warned about changes to the TPM and Secure Boot configuration, and asked me to enter “Y” to confirm, or “N” to deny. This signals that the Platform Configuration Register 7 (PCR 7) that tracks Secure Boot components has detected a change. The system requires manual confirmation to proceed and reseal the TPM, followed with an additional reboot. But man, is that a cryptic message or what? (It appears as the lead-in graphic above.)

Why this discrepancy? It comes down to platform differences. OEM systems like Lenovo and ASUS laptops benefit from tightly integrated firmware, drivers, and update pipelines. Their UEFI implementations are mature. Also, their TPM and Secure Boot configurations get validated against Microsoft’s updates. Thus, they handle PCR changes gracefully and typically reseal the TPM silently with no user intervention.

The ASRock Difference

ASRock, on the other hand, does things differently. Though their firmware is functional and generally reliable, but it’s not as polished or tightly integrated as enterprise-grade or premium OEM systems. ASRock tends to use more standard, out-of-the-box AMI firmware. It offers only minimal validation for Secure Boot and TPM changes. Combine that with AMD’s fTP (known to be more sensitive to boot-chain changes than Intel’s PTT), and you get a prompt for TPM confirmation after updates like KB5077181.

You Get What You Pay For

That’s not to say ASRock is bad. For enthusiasts and DIY builders, their boards offer decent value and performance. But when it comes to firmware maturity and seamless integration with Windows security features, they’re noticeably behind the big OEMs.

The takeaway? Platform matters. As Windows continues to evolve its security posture, particularly around Secure Boot, TPM, and boot checks, users should expect some variation in how different systems respond to updates. OEM systems generally offer a smoother ride. DIY builds like my ASRock-based Flo6, appear to need more attention and manual intervention.

For those who live in the trenches of Windows-World, it’s just another reminder of how things sometimes work, or not. The best antidote is to know your hardware, expect the unexpected, and keep recovery media handy, just in case something goes awry. I’m glad I didn’t need recovery for this update. Indeed, I started wondering when I had to cycle power for a cold start, and an extra reboot to get to the desktop.

Facebooklinkedin
Facebooklinkedin
Hardware Reviews, Insider stuff, Recent Activity, Troubleshooting, WED Blog

Zotac 4070 Shows Up Munged

Leave a comment

Got an email last night from the USPS, informing me that the Zotac 4070 card I ordered would be delivered by 6:30 PM. This morning I walked to the mailbox to retrieve that item. As you can see in the edge-on photo, the 800-lb gorilla had his way with the card during shipment. The front plate is badly bent. Worse, the right-hand fan (from the top) doesn’t spin freely, as it properly should. I’m asking for a refund, as the Zotac 4070 shows up munged.

If Zotac 4070 Shows Up Munged, Now What?

I’m ordering a replacement card. Given the issues finding a performance GPU that’s also compact, I’m “trading down” to get a 5060 model for my next try. I just ordered a Gigabyte RTX 5060 Mini from Amazon, for delivery tomorrow. In the meantime, I’m fighting with the vendor platform — Mercari, in this case — for a refund. Somehow, the sale shows as completed even though I hadn’t even had the card in my hands for 18 hours when that status made itself known. I’m hoping I’ll get the purchase price back, but I have a bad feeling…

As I opened the package, in fact, I saw the front plate had been savaged in transit. “That can’t be good,” I thought. It wasn’t. Gosh only knows what hit this unit, but it literally looks stepped on. I can only hope I’ll get a refund: we’ll see about that.

Tomorrow Is Another Day

Amazon will put the next candidate in my hands tomorrow morning. I’ve never had trouble with their delivery resulting in damage of any kind, let alone the mauling that the Zotac card took en route. Fingers crossed that I can get it installed, and Secure Boot working, on the upstairs B550/5800X PC. These things happen here in Windows-World. Several lessons learned from this encounter, none of them good. Sigh, and sigh again…

 

Facebooklinkedin
Facebooklinkedin
Device drivers, Insider stuff, Recent Activity, WED Blog, Windows 11

So Long Samsung ML-2850

Leave a comment

Over the weekend, I saw a story at Tom’s Hardware that reported MS is phasing out V3 and V4 printer drivers.  “Hmmm,” I thought, “I bet this means my 2009 vintage monochrome laser printer is included.” Copilot confirmed that it’s time to say so long, Samsung ML-2850. It runs V3 printer drivers and MS is halting support for same, like now.

Succession Plans After So Long, Samsung ML-2850

The printer still works fine. And it still works — for the time being, at least — with Windows 11. But it’s just a matter of time before it won’t work any more. That might hit as early as whenever 26H2 hits public release. Or it might last as long as 27H2. But its days are now officially numbered.

Here’s my plan: I’m going to use up the laser cartridge(s) I have at my disposal. When the ML-2850 runs out of toner, it’s toast. At that point, I’ll drop it off at Goodwill, where I routinely recycle my used electronika.

How long does that give this device to remain in use here at Chez Tittel? I might print 100 pages of output a month on this printer, max — probably less. So it could be 6 months or more  before I pull the plug and pack it off to Goodwill. Let’s see what happens, shall we?

But Wait, There’s More…

My Dell 2155cn is also facing obsolescence, but it qualifies as a V4 driver, not V3. So I’ve probably got another year or two before it, too, goes off to Goodwill for lack of driver support. What will I buy next? I’m thinking something like the HP M455dn, which is a low-end business class networked color laser printer that retails for US$550-800 depending on bells and whistles. Or whatever its equivalent may be when I exhaust my final set of CMYK cartridges for that printer (I’ve got a set of spares, and CMY all ahow 100% in the Dell Printer Hub’s toner status display, with B at 80%).

I’ve got at least 2 years left on that printer, it seems. Then, I’ll buy another. Interesting note: it will probably be the last printer I ever purchase, seeing as how the Samsung has lasted 17 years, and the Dell more than 13. It seems that obsolescence comes calling long before the hardware itself runs out. That was also the case for my Apple LaserWriter 1, purchased in 1985 and still running like a champ when I gave it away in 2005. For all I know, it’s still running today — that thing was built like a battleship.

MS Changes Its Tune (Added 2/25/26)

The news is out all over the place that MS is NOT dropping support for older V3, V4 printers and their drivers. Looks like they’re just limiting what OEMs can do to update or improve such drivers. The roadmap page that had promised deprecation is changed. At Windows Central, Zac Bowden quotes MS as follows:

“Windows has not ended support for legacy printer drivers. If your printer works with Windows today, it will continue to work, and no action is required,”

I guess that means this was a false alarm, of sorts. I’m still planning to retire the Samsung and Dell printers, and replace them. But the urgency is definitely dialed down. Change is the unvarying attribute of life here Windows-World. In this case, change is good!

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, Recent Activity, Troubleshooting, WED Blog, Windows 11

Sysmon Lands in Windows 11 Beta

2 Comments

Lots of Windows nerds have spent years bolting Sysinternals’ Sysmon into every PC we work on. For them — and me — the latest Windows 11 Beta build (26220.7752) brings a welcome surprise: Sysmon is now a built-in optional feature. That’s right — no more downloading, unzipping, or scripting installs from Sysinternals. No need to run its handy web-based version, either. Microsoft has quietly slipped this powerful tool into the OS itself, and it’s ready to roll with some simple PowerShell commands.

What Sysmon Lands in Windows 11 Beta Means

Sysmon (System Monitor) has long been a staple in toolkits for security pros, blue teamers, and forensic analysts. It provides deep visibility into system activity — process creation, network connections, file writes, registry changes, and more. Until now, deploying Sysmon meant managing binaries and XML configuration files. With its inclusion as a Windows Optional Feature, Sysmon becomes easier to deploy, update, and manage across PC fleets.

PowerShell: Enable and Install Sysmon

To enable the built-in Sysmon feature from Windows itself, and then start monitoring stuff, run these two commands:

Enable-WindowsOptionalFeature -Online -FeatureName Sysmon
sysmon -i

In case it’s not obvious, the first command enables the Sysmon feature; the second installs it, ready for use.

Quick Peek: View Sysmon Events

Here’s a PowerShell one-liner that shows the 25 most recent Sysmon events.  Gives a taste of how it works and what it shows:

Get-WinEvent -LogName “Microsoft-Windows-Sysmon/Operational” -MaxEvents 25 | Format-Table -AutoSize

Unless your PC is acting up or ill, sysmon mostly shows process creation and termination (like here).

What Sysmon Illuminates

Sysmon shines brightest when you need to understand what’s really happening under the hood in Windows. It logs detailed info about process creation, including parent-child relationships, command-line arguments, and DLLs loaded. Sysmon captures network connections with source and destination IPs, ports, and process IDs. It can even detect code injections, image loads, and registry modifications. With a well-tuned configuration, Sysmon becomes a forensic goldmine. It’s like a time machine for system activity. Properly used, it can help you trace malware behavior, insider threats, and suspicious persistence mechanisms.

Adding Sysmon Into the Mix Is Good!

The integration of Sysmon into Windows 11 Beta is a quiet but powerful shift. It signals Microsoft’s growing commitment to built-in security observability and makes it easier than ever to deploy advanced monitoring at scale. For IT pros and security teams, this is a win. If you’re running a Beta build, it’s time to fire up PowerShell, flip the switch, and start watching your system like never before.

Showcasing Sysmon in Action

Sysmon’s long history in the Windows ecosystem is best illustrated through several well‑known case studies that show how deeply it illuminates system behavior. Both cases listed below not only show Sysmon’s diagnostic power but also its ability to reveal subtle, causal relationships that define complex system activity.

  • Mark Russinovich – Case of My Mom’s Chronically Infected PC: A classic Sysinternals investigation where Sysmon and related tools helped uncover persistent malware reinfection patterns. [URL is 404, look for episode 108 through the WayBack Machine {checked}]
  • License to Kill: Malware Hunting with the Sysinternals Tools (2021): In this case study, Mark Russinovich demonstrates how Sysmon’s detailed process‑creation and network‑connection telemetry exposes true behavior of a persistently compromised system that traditional antivirus repeatedly missed. By correlating Sysmon events with suspicious activity patterns, he shows how threat hunters can reconstruct attacker techniques, identify persistence mechanisms, and ultimately eradicate deeply embedded malware.

Together, these cases demonstrate Sysmon’s unique strengths: high‑fidelity process creation logging, deep visibility into network connections, precise registry and file‑system monitoring, and the ability to reconstruct causal chains that ordinary Windows logs simply cannot express. Whether used for diagnostics, security investigations, or system forensics, Sysmon remains one of the most powerful visibility tools available on Windows.

And that, dear readers, is why Sysmon is already well-regarded in Windows-World. That’s ultimately what makes it a amazing addition to the collection of built-in Windows features.

Facebooklinkedin
Facebooklinkedin

Author, Editor, Expert Witness