SysMon deployment using PowerShell

In Today’s post, I will cover deploying SySMon using a simple PowerShell script, which will then deploy using Ivanti’s EPM (you can also use SCCM as the steps are similar).

Table of Contents

Our Goal

The goal of this script was to accommodate both 86x and x64 with one deployment package. We will determine the OS architecture, detect if there is an existing install, remove it, and reinstall the SysMon version included in the distribution package. You will need to provide a sysmonconfig file as well – SwiftOnSecurity has provided a template that can be used as-is or forked.

The Script

# Variables
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$sysMon64 = 'SysMon64'
$sysMon32 = 'SysMon'
$configFile = 'sysmonconfig.xml'
$OSArch = Get-WmiObject win32_operatingsystem | Select-Object osarchitecture

# Detect Existing Installs
if (Get-Service -Name $sysMon64 -ErrorAction SilentlyContinue) {
  # Found SysMon64
  Write-Host 'SysMon 64bit found'

  # Stop Service / Uninstall / Cleanup Files
  Get-Service -Name $sysMon64 | Stop-Service -Force
  Start-Sleep -Seconds 3
  Start-Process -FilePath "$env:SystemRoot\$sysMon64.exe" -ArgumentList "-u" -Wait
  Start-Sleep -Seconds 3
  Remove-Item -Path "$env:SystemRoot\$sysMon64.exe"
  Remove-Item -Path "$env:SystemRoot\$sysMon32.exe"
  Remove-Item -Path "$env:SystemRoot\$configFile"
  Start-Sleep -Seconds 3
}
elseif (Get-Service -Name $sysMon32 -ErrorAction SilentlyContinue) {
  # Found SysMon32
  Write-Host 'SysMon 32bit found'

  # Stop Service / Uninstall / Cleanup Files
  Get-Service -Name $sysMon32 | Stop-Service -Force
  Start-Sleep -Seconds 3
  Start-Process -FilePath "$env:SystemRoot\$sysMon32.exe" -ArgumentList "-u" -Wait
  Start-Sleep -Seconds 3
  Remove-Item -Path "$env:SystemRoot\$sysMon64.exe"
  Remove-Item -Path "$env:SystemRoot\$sysMon32.exe"
  Remove-Item -Path "$env:SystemRoot\$configFile"
  Start-Sleep -Seconds 3
}

# Copy Files and Install (excludes non sys-mon files)
Get-ChildItem -Path "$ScriptDir" -Exclude *.txt, *.ps1, *.cmd | Select-Object -ExpandProperty FullName |
Copy-Item -Destination "$env:SystemRoot\" -Force

if ($OSArch.osarchitecture -eq '64-bit') {
  Start-Process -FilePath "$env:SystemRoot\$sysMon64.exe" -ArgumentList "-accepteula -i $env:SystemRoot\$configFile"
}
else {
  Start-Process -FilePath "$env:SystemRoot\$sysMon32.exe" -ArgumentList "-accepteula -i $env:SystemRoot\$configFile"
}

Deployment via Ivanti’s EPM

Launch EPM

Go to Tools, Distribution, Distribution Packages

Select New, PowerShell

Fill out package details, browse to your package location, and select the PowerShell script.

Select Additional Files on the left side and add all files except the PS1.

Default settings for all other sections are sufficient – save the package.

Select Create Scheduled Task

You should now be in the scheduled tasks section – right click your new task, and select properties.

Set your targets

Ensure Task settings and Agent settings match your preferences, select schedule task, and start now – clients should then begin downloading/install.

Client files downloaded with LANDesk to SDCache folder:

Files moved after the script is launched by EPM:

and Finally, our SysMon is installed and running: