Windows Security Tools: PowerShell, Event Viewer & Sysinternals

What Are Windows Security Tools and Why Do They Matter?

Windows runs on over 1 billion devices worldwide and dominates the enterprise desktop market with approximately 72% market share according to StatCounter. Microsoft’s own documentation states that Windows Event Logs, PowerShell, and Sysinternals Suite are core tools for security monitoring and incident response on Windows systems.

Every SOC analyst, incident responder, and security engineer needs to know how to investigate Windows systems. The vast majority of enterprise endpoints run Windows, which means the vast majority of security alerts, malware infections, and incident investigations involve Windows machines.

The good news is that Windows includes powerful built-in security tools — many of which are free. PowerShell gives you programmatic access to every corner of the operating system. Event Viewer provides a detailed audit trail of system activity. Sysinternals Suite offers deep inspection capabilities that go beyond what the standard tools provide. Together, these form the foundation of Windows security investigation.

When I started learning about SOC analysis, I assumed I needed expensive enterprise tools to do security work. Then I discovered that Windows itself comes loaded with security capabilities I had been ignoring for years. PowerShell can query every running process, every network connection, every event log entry. Event Viewer records who logged in when and what they did. Sysinternals shows you what is really running under the hood. I had been using Windows for decades — first in real estate offices, then in aged care admin — without ever realising it was also a security investigation platform. Learning these tools changed my relationship with the OS completely.

How Do Windows Security Tools Work Together?

Windows security tools operate at different layers of the operating system. Understanding these layers helps you choose the right tool for each investigation task.

Windows Security Tool Layers

From user-facing protection to deep system inspection

Windows Built-in Security Features

OS hardening — BitLocker, Windows Firewall, UAC, AppLocker, Credential Guard

Sysinternals Suite

Deep inspection — Process Explorer, Autoruns, TCPView, Sysmon, and 70+ specialised tools

PowerShell Security Commands

Programmatic investigation — query processes, connections, logs, and registry at scale

Event Viewer / Windows Event Logs

Audit trail — logon events, process creation, policy changes, and system errors

Windows Defender / Microsoft Defender for Endpoint

Endpoint protection — antivirus, EDR, threat detection, and automated response

Idle

In a typical security investigation, you might:

Receive an alert from Windows Defender or your SIEM
Check Event Viewer for the relevant security logs
Use PowerShell to query running processes and network connections
Use Sysinternals Process Explorer to inspect suspicious processes in depth
Verify that built-in security features (BitLocker, Firewall, UAC) are properly configured

How Do You Use PowerShell for Security?

PowerShell is the most powerful built-in tool for security investigation on Windows. According to Microsoft’s documentation, PowerShell provides direct access to WMI, .NET, COM objects, the Windows Event Log, the registry, and the file system — everything a security analyst needs.

Essential Security Commands

Investigating Running Processes

# List all running processes with details
Get-Process | Select-Object Name, Id, Path, CPU, WorkingSet64 | Sort-Object CPU -Descending

# Find processes running from unusual locations (not System32 or Program Files)
Get-Process | Where-Object { $_.Path -and $_.Path -notmatch 'System32|Program Files' } |
  Select-Object Name, Id, Path

# Get detailed information about a specific suspicious process
Get-Process -Id 1234 | Select-Object *

# Check the parent process (useful for detecting process injection)
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, ParentProcessId, CommandLine

Investigating Network Connections

# List all active TCP connections with process information
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
  Sort-Object State

# Find connections to external IP addresses
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -notmatch '^(127\.|10\.|172\.(1[6-9]|2|3[01])\.|192\.168\.)' -and $_.State -eq 'Established' }

# Map connections to their processes
Get-NetTCPConnection -State Established |
  Select-Object RemoteAddress, RemotePort, @{Name='Process';Expression={(Get-Process -Id $_.OwningProcess).Name}}

Querying Windows Event Logs

# Get recent security events (failed logons — Event ID 4625)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20

# Get successful logon events (Event ID 4624)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 20 |
  Select-Object TimeCreated, Message

# Search for events in the last 24 hours
$startTime = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$startTime} -MaxEvents 100

# Search application logs for errors
Get-WinEvent -FilterHashtable @{LogName='Application'; Level=2} -MaxEvents 50

Checking Scheduled Tasks and Services

# List all scheduled tasks (malware often creates persistence here)
Get-ScheduledTask | Where-Object { $_.State -eq 'Ready' } |
  Select-Object TaskName, TaskPath, State

# Check for suspicious services
Get-Service | Where-Object { $_.Status -eq 'Running' } |
  Select-Object Name, DisplayName, StartType

# Get service binary paths (check for unusual locations)
Get-CimInstance Win32_Service | Where-Object { $_.State -eq 'Running' } |
  Select-Object Name, PathName, StartMode

How Do You Use Event Viewer for Security?

Windows Event Viewer provides access to all Windows event logs — the audit trail of everything that happens on a system. NIST SP 800-92 (Guide to Computer Security Log Management) identifies Windows event logs as a primary data source for security monitoring.

Critical Event IDs for Security

Event ID	Log	What It Means	Security Relevance
4624	Security	Successful logon	Track who accessed the system and when
4625	Security	Failed logon	Detect brute force attacks and unauthorised access attempts
4648	Security	Logon with explicit credentials	Detect lateral movement (pass-the-hash, credential reuse)
4672	Security	Special privileges assigned	Track when admin rights are used
4688	Security	Process creation	Detect malicious process execution (requires audit policy)
4697	Security	Service installed	Detect malware persistence via new services
4720	Security	User account created	Detect unauthorised account creation
4732	Security	Member added to local group	Detect privilege escalation
7045	System	New service installed	Detect persistence mechanisms
1102	Security	Audit log cleared	Detect log tampering (attackers clear logs to hide activity)

Logon Types

Event ID 4624 includes a “Logon Type” field that tells you how the user authenticated:

Logon Type	Description	Security Context
2	Interactive (local keyboard)	Normal local logon
3	Network (SMB, mapped drives)	Common — but also used in lateral movement
4	Batch (scheduled tasks)	Check if the task is legitimate
5	Service	Service account logon
7	Unlock (screen unlock)	Normal activity
10	RemoteInteractive (RDP)	Remote Desktop — monitor for unauthorised access
11	CachedInteractive	Cached credentials used offline

For SOC analysts: Logon Types 3 and 10 are the most important to monitor. Type 3 (network logons) can indicate lateral movement. Type 10 (RDP) can indicate an attacker accessing systems remotely.

What Is the Sysinternals Suite?

Sysinternals Suite is a collection of over 70 free advanced system utilities created by Mark Russinovich (now CTO of Microsoft Azure). According to Microsoft, Sysinternals tools provide capabilities that go beyond what is available in standard Windows management tools.

Process Explorer — Advanced Task Manager

Process Explorer shows you far more than the standard Task Manager. It displays:

Full process tree (parent-child relationships)
Which DLLs each process has loaded
File handles held by each process
CPU and memory usage with historical graphs
Digital signature verification for each process
VirusTotal integration (check processes against 70+ antivirus engines)

Security use: When you see a suspicious process, Process Explorer shows you exactly where it came from (parent process), what files it is accessing (handles), and whether its binary is digitally signed by a trusted publisher. Unsigned processes running from temp folders are red flags.

Autoruns — Comprehensive Persistence View

Autoruns shows every programme configured to run at startup or logon — far more locations than msconfig reveals. It checks:

Registry Run keys
Scheduled tasks
Services
Browser extensions
Drivers
Winsock providers
And dozens more persistence locations

Security use: Malware must persist somewhere to survive reboots. Autoruns reveals every persistence mechanism on the system. Look for unsigned entries, entries in unusual locations, and recently modified items.

TCPView — Real-Time Network Monitor

TCPView displays all TCP and UDP connections in real time, showing the process name, local and remote addresses, ports, and connection state.

Security use: Quickly identify which processes are communicating externally. A process making connections to unusual IP addresses or using non-standard ports warrants investigation.

Sysmon — Advanced System Monitoring

Sysmon (System Monitor) is the most security-focused Sysinternals tool. It installs as a Windows service and device driver to monitor and log system activity to the Windows Event Log.

Sysmon logs:

Process creation (Event ID 1) — including command-line arguments and parent process
Network connections (Event ID 3) — with source and destination details
File creation (Event ID 11) — especially in monitored directories
Registry modifications (Event ID 13) — changes to persistence locations
DNS queries (Event ID 22) — domain names resolved by processes

Sysmon + SIEM is the gold standard for Windows endpoint visibility. Most mature SOCs deploy Sysmon to every Windows endpoint and forward the events to their SIEM for alerting and threat hunting.

# Install Sysmon with a community configuration
# Download Sysmon from sysinternals.com
# Use SwiftOnSecurity's Sysmon config (industry standard)
.\Sysmon64.exe -accepteula -i sysmonconfig-export.xml

Windows security tools are tested on Security+, CySA+, and are daily tools in SOC analyst roles. The study tracker maps each tool to specific exam objectives and job requirements.

Career Roadmap & Study TrackerAvailable Now

Step-by-step roadmap with study tracker worksheets and certification decision framework.

Get the Guide → $27

What Are Windows Built-In Security Features?

Beyond investigation tools, Windows includes security features that protect the system:

Feature	What It Does	Security Benefit
Windows Defender Antivirus	Real-time malware scanning and removal	First line of defence against known malware
Windows Firewall	Controls inbound and outbound network traffic	Blocks unauthorised network access
BitLocker	Full-disk encryption	Protects data if the device is stolen
UAC (User Account Control)	Prompts for admin elevation	Prevents silent privilege escalation
AppLocker	Application whitelisting	Restricts which programmes can run
Credential Guard	Protects authentication credentials using virtualisation	Prevents credential theft attacks
Windows Sandbox	Isolated environment for running untrusted software	Safe malware analysis without risking the host

For the ASD Essential Eight: Application whitelisting (AppLocker), patching, and restricting admin privileges are three of the ASD Essential Eight mitigation strategies. Understanding how Windows implements these features is directly relevant to Australian cybersecurity compliance.

Summary and Key Takeaways

Windows dominates the enterprise desktop — every SOC analyst needs to know how to investigate Windows systems using built-in and free tools.
PowerShell is the primary investigation tool. Get-Process, Get-NetTCPConnection, and Get-WinEvent are commands you will use daily in security work.
Event Viewer provides the audit trail. Know the critical Event IDs — 4624 (successful logon), 4625 (failed logon), 4688 (process creation), and 1102 (log cleared).
Sysinternals Suite goes deeper than standard tools. Process Explorer, Autoruns, TCPView, and Sysmon provide the visibility needed for thorough investigations.
Sysmon is the gold standard for Windows endpoint monitoring. Deploy it in your home lab and practise querying its event logs.
Windows built-in security features (Defender, Firewall, BitLocker, UAC, AppLocker) form the baseline protection layer.
Practise in your home lab. Set up a Windows VM, enable auditing policies, install Sysmon, and investigate normal and suspicious activity.

Technical details verified in March 2026 against Microsoft’s official PowerShell documentation, Windows Event Log reference, Sysinternals documentation (learn.microsoft.com/sysinternals), and ASD Essential Eight guidance.

Frequently Asked Questions

Do I need to learn Windows security tools for a SOC analyst role?

Yes. The vast majority of enterprise endpoints run Windows. SOC analysts investigate Windows event logs, analyse processes with PowerShell, and use Sysinternals tools daily. Windows investigation skills are tested on Security+ and CySA+ and are among the most common requirements in SOC job postings.

What is the most important PowerShell command for security?

Get-WinEvent is the most versatile security command. It lets you query any Windows event log with filters for event IDs, time ranges, and keywords. For incident response, querying security events (logons, process creation, service installation) is often the first step.

What Event IDs should I memorise?

Start with these: 4624 (successful logon), 4625 (failed logon), 4688 (process creation), 4697 (service installed), 7045 (new service installed), and 1102 (audit log cleared). These cover the most common security investigation scenarios.

What is Sysmon and should I install it?

Sysmon (System Monitor) is a free Sysinternals tool that logs detailed system activity — process creation with command lines, network connections, file creation, registry changes, and DNS queries. Install it in your home lab to practise querying the logs. In enterprises, Sysmon is deployed to endpoints and the logs are forwarded to SIEM systems.

Is Process Explorer better than Task Manager?

For security investigation, yes. Process Explorer shows the full process tree (parent-child relationships), loaded DLLs, file handles, digital signature status, and VirusTotal integration. Task Manager shows basic process information but lacks the depth needed for security analysis.

Are Sysinternals tools free?

Yes, all Sysinternals tools are free and maintained by Microsoft. The complete Sysinternals Suite can be downloaded from learn.microsoft.com/sysinternals or accessed directly via the UNC path live.sysinternals.com from any Windows machine.

How do Windows security tools relate to certifications?

CompTIA Security+ (SY0-701) tests knowledge of Windows event logs and security monitoring. CompTIA CySA+ (CS0-003) tests hands-on Windows investigation skills including PowerShell and log analysis. The Blue Team Level 1 (BTL1) certification also heavily tests Windows investigation capabilities.

What is the ASD Essential Eight and how do Windows tools relate?

The ASD Essential Eight are eight mitigation strategies recommended by the Australian Signals Directorate. Three of them — application whitelisting (AppLocker), patching, and restricting admin privileges — are implemented using Windows built-in features. Understanding these tools is essential for cybersecurity compliance in Australian organisations.

More resources