# Edit Your Sysmon Config in Style

Does this look familiar?

[![](https://1.bp.blogspot.com/-Vjsi2ApgVxE/XnUuKCDuhiI/AAAAAAAAIDM/X5XZHm_MDW0y2Dl4CNdeYak2QZjL2DzzQCLcBGAsYHQ/s1600/2020-03-20_16-56-08.png)](https://1.bp.blogspot.com/-Vjsi2ApgVxE/XnUuKCDuhiI/AAAAAAAAIDM/X5XZHm_MDW0y2Dl4CNdeYak2QZjL2DzzQCLcBGAsYHQ/s1600/2020-03-20_16-56-08.png)

Until very recently, I was there too.

Notepad++ is a fantastic tool that I use for hours every day, but it's not ideal for editing large Sysmon config files. I recently looked at other options and found a setup I was happy with, so let's take a look at how you can replicate it.

To begin, grab a copy of Visual Studio Code (<https://code.visualstudio.com/download>).

Navigate to the Extensions menu and search for and install the Sysmon extension:

[![](https://1.bp.blogspot.com/-UOTCnXy20Uo/XnUv4BGNfBI/AAAAAAAAIDY/hgNf5MSFmA48lP_Q_R0tTB3UaZQ6EMHgACLcBGAsYHQ/s1600/2020-03-20_17-03-25.png)](https://1.bp.blogspot.com/-UOTCnXy20Uo/XnUv4BGNfBI/AAAAAAAAIDY/hgNf5MSFmA48lP_Q_R0tTB3UaZQ6EMHgACLcBGAsYHQ/s1600/2020-03-20_17-03-25.png)

We'll also be installing the "Bookmarks" extension:

[![](https://1.bp.blogspot.com/-yQiwuhGYfZk/XnUwNoAji8I/AAAAAAAAIDg/RcA5YXMCgMoRnaEQg5pVk7_-KclwO9hVwCLcBGAsYHQ/s1600/2020-03-20_17-05-33.png)](https://1.bp.blogspot.com/-yQiwuhGYfZk/XnUwNoAji8I/AAAAAAAAIDg/RcA5YXMCgMoRnaEQg5pVk7_-KclwO9hVwCLcBGAsYHQ/s1600/2020-03-20_17-05-33.png)

Next up, install and set up Git for Windows (<https://git-scm.com/download/win>).

During the setup, you'll have the option to use VS Code as the default editor for Git; I chose this option:

[![](https://1.bp.blogspot.com/-JJnN97V9YGE/XnUwzWeJhuI/AAAAAAAAIDo/w9fCpWJvLCc9oo3c-yJts9jqdWJ_HO4ngCLcBGAsYHQ/s1600/2020-03-20_17-08-13.png)](https://1.bp.blogspot.com/-JJnN97V9YGE/XnUwzWeJhuI/AAAAAAAAIDo/w9fCpWJvLCc9oo3c-yJts9jqdWJ_HO4ngCLcBGAsYHQ/s1600/2020-03-20_17-08-13.png)

Now restart VS Code and start a new Sysmon config; the Sysmon extension will help you here:

[![](https://1.bp.blogspot.com/-84E-rVQNi24/XnVEZH3-SRI/AAAAAAAAIGM/g07d7_bZALEB6zZ3Sab1Qy-XmTUHNuvHQCLcBGAsYHQ/s1600/2020-03-20_18-31-15.png)](https://1.bp.blogspot.com/-84E-rVQNi24/XnVEZH3-SRI/AAAAAAAAIGM/g07d7_bZALEB6zZ3Sab1Qy-XmTUHNuvHQCLcBGAsYHQ/s1600/2020-03-20_18-31-15.png)

In my case, I had a private GitHub repo set up for my Sysmon config, so I want to set that repo up and then save my new blank Sysmon config file to it:

[![](https://1.bp.blogspot.com/-80WkKboW-QQ/XnU7dpG3_8I/AAAAAAAAIFI/0gKhlPGQkSAcujTbkrpWxqaJn5EpoEnsQCLcBGAsYHQ/s1600/2020-03-20_17-53-42.png)](https://1.bp.blogspot.com/-80WkKboW-QQ/XnU7dpG3_8I/AAAAAAAAIFI/0gKhlPGQkSAcujTbkrpWxqaJn5EpoEnsQCLcBGAsYHQ/s1600/2020-03-20_17-53-42.png)

Now save your config file and give it a name. Make sure to save it to the folder where you initialized your Git repo, in my case C:\Repos\sysmon-config.

You should see a "1" icon next to the source control menu option in VS Code after saving your config file. Navigate to that menu, add your commit message, stage the changes and then commit them to your GitHub repo:

[![](https://1.bp.blogspot.com/-pde97-u5dXg/XnU8GB6Ia-I/AAAAAAAAIFQ/FCJML1j58jAbeOg5TeIUtgpIOlJvx4ioACLcBGAsYHQ/s1600/2020-03-20_17-56-19.png)](https://1.bp.blogspot.com/-pde97-u5dXg/XnU8GB6Ia-I/AAAAAAAAIFQ/FCJML1j58jAbeOg5TeIUtgpIOlJvx4ioACLcBGAsYHQ/s1600/2020-03-20_17-56-19.png)

When you are done committing your changes, push them via the terminal or the GUI. You should now see your changes in GitHub:

[![](https://1.bp.blogspot.com/-kcdF6gQPSTc/XnU_Gkn2UkI/AAAAAAAAIFc/FVZz_aaWNTMVX1xqxXncah_6agogZbEXQCLcBGAsYHQ/s1600/2020-03-20_18-09-18.png)](https://1.bp.blogspot.com/-kcdF6gQPSTc/XnU_Gkn2UkI/AAAAAAAAIFc/FVZz_aaWNTMVX1xqxXncah_6agogZbEXQCLcBGAsYHQ/s1600/2020-03-20_18-09-18.png)

Now your Sysmon config is source controlled and lives in a feature-rich text editor with auto-complete tailored to Sysmon's config syntax. Nice!
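With the config in Git, a small validation script run before each commit catches the mistakes that otherwise only show up when Sysmon refuses to load the file on an endpoint. The script below is an added example, not part of the original post or of the Sysmon extension: it checks that the file is well-formed XML, that the root is `<Sysmon>` with a `schemaversion` attribute, that every event filter carries `onmatch="include"` or `onmatch="exclude"`, and it prints an outline of the filter sections (which is also a handy list of where to place bookmarks). The embedded sample config is constructed for the example; the executable path and port in it are placeholders, not recommended rules.

```python
"""Pre-commit sanity check for a Sysmon config file (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample input: standard Sysmon config syntax with placeholder
# rule values. Replace with your own file via the command line.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.22">
  <HashAlgorithms>md5,sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">3389</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

VALID_ONMATCH = {"include", "exclude"}
VALID_RELATION = {"or", "and"}


def check_config(xml_text):
    """Return (problems, outline).

    problems: list of human-readable findings (empty means the file passed).
    outline:  list of (event_type, onmatch, rule_count) in file order.
    """
    problems = []
    outline = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"], outline

    if root.tag != "Sysmon":
        problems.append(f"root element is <{root.tag}>, expected <Sysmon>")
    if "schemaversion" not in root.attrib:
        problems.append("missing schemaversion attribute on <Sysmon>")

    filtering = root.find("EventFiltering")
    if filtering is None:
        problems.append("no <EventFiltering> section")
        return problems, outline

    for child in filtering:
        # Filters may sit directly under EventFiltering or inside a RuleGroup.
        if child.tag == "RuleGroup":
            relation = child.get("groupRelation")
            if relation is not None and relation not in VALID_RELATION:
                problems.append(f"RuleGroup has groupRelation={relation!r}, expected or/and")
            events = list(child)
        else:
            events = [child]
        for event in events:
            onmatch = event.get("onmatch")
            if onmatch not in VALID_ONMATCH:
                problems.append(
                    f"<{event.tag}> has onmatch={onmatch!r}, expected include or exclude")
            outline.append((event.tag, onmatch, len(list(event))))
    return problems, outline


def main(argv):
    """Check the file given on the command line, or the sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    problems, outline = check_config(text)
    for tag, onmatch, count in outline:
        print(f"{tag:<20} onmatch={onmatch:<8} rules={count}")
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_sysmon.py sysmonconfig.xml`; a non-zero exit code makes it usable as a Git pre-commit hook so a config that would not load never reaches the repo.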

As a final step, use the Bookmarks extension to set bookmarks within your Sysmon config so you can jump between the various sections of a large config file.

With the Bookmarks extension installed, navigate to the line where you want to set your bookmark and hit CTRL+ALT+K (or right-click --> Toggle Bookmark); in my case I'm going to bookmark my ProcessCreate exclusions section:

[![](https://1.bp.blogspot.com/-_znyRAB4mLE/XnVCqrU0LcI/AAAAAAAAIGA/4klEZlmOMo410yMGv3prsTFe_TviM7ffgCLcBGAsYHQ/s1600/2020-03-20_18-13-39.png)](https://1.bp.blogspot.com/-_znyRAB4mLE/XnVCqrU0LcI/AAAAAAAAIGA/4klEZlmOMo410yMGv3prsTFe_TviM7ffgCLcBGAsYHQ/s1600/2020-03-20_18-13-39.png)

You can also rename the bookmark to your liking; I've found this kind of bookmark layout time-saving:

[![](https://1.bp.blogspot.com/-6JnBJmQprY4/XnVCSkPTugI/AAAAAAAAIF4/z-oseIIu9qQHxRILkRgKWCIfkh0zNqYRgCEwYBhgL/s1600/2020-03-20_18-17-38.png)](https://1.bp.blogspot.com/-6JnBJmQprY4/XnVCSkPTugI/AAAAAAAAIF4/z-oseIIu9qQHxRILkRgKWCIfkh0zNqYRgCEwYBhgL/s1600/2020-03-20_18-17-38.png)

And that's it -- a nice upgrade from Notepad++.

**Notes:**

* Thank you <https://twitter.com/Carlos_Perez> for the awesome VSCode Sysmon extension
* For great Sysmon configs, check out:

  <https://github.com/SwiftOnSecurity/sysmon-config>

  <https://github.com/olafhartong/sysmon-modular>
