Does Windows log programs that have been run/called?

103,842

Solution 1

You will not be able to check what ran, but you can prepare for the next time. If you open secpol.msc you can go to local policies/audit policy. Activate Success (and maybe also Failure) on Audit process tracking and you will get an event log entry in the security event log every time a process starts or ends. Unfortunately you'll see the process that ran but not the command line it was started with.

If you activate the auditing, a lot of logs might get generated, so you should adjust the size of the security event log.

You can access the logs with eventvwr.msc, Windows protocols, Security.
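The same setup done from an elevated PowerShell prompt, followed by a query for process starts, as an added example that is not part of the original answer. It assumes an English-language system (auditpol subcategory names are localized), that process creation is recorded as event ID 4688 in the Security log, an arbitrary 256 MB log size, and a hypothetical helper name `Get-ProcessStart`.

```powershell
# Run from an elevated PowerShell prompt.
# 1. Enable success auditing for process start and end
#    (command-line counterpart of "Audit process tracking" in secpol.msc).
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Process Termination" /success:enable

# 2. Enlarge the Security log so the extra events are not overwritten quickly.
#    268435456 bytes (256 MB) is an assumed value; size it for your retention needs.
wevtutil sl Security /ms:268435456

# 3. Later: list process starts recorded since a given time.
#    Get-ProcessStart is a hypothetical helper written for this example.
function Get-ProcessStart {
    param(
        [datetime]$After = (Get-Date).AddHours(-1),
        [string]$NameLike = '*'              # e.g. '*\cmd.exe'
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $After }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named <Data> fields from the event's XML payload.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) {
                $d[$n.GetAttribute('Name')] = $n.InnerText
            }
            if ($d['NewProcessName'] -like $NameLike) {
                New-Object PSObject -Property @{
                    Time      = $_.TimeCreated
                    User      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Process   = $d['NewProcessName']
                    # PIDs are stored as hex strings such as 0x1a4.
                    NewPid    = [Convert]::ToInt32($d['NewProcessId'], 16)
                    ParentPid = [Convert]::ToInt32($d['ProcessId'], 16)
                }
            }
        }
}

# Example: every cmd.exe start in the last hour, oldest first.
Get-ProcessStart -NameLike '*\cmd.exe' | Sort-Object Time |
    Format-Table Time, User, Process, NewPid, ParentPid -AutoSize
```

Matching `ParentPid` against the `NewPid` of an earlier row shows which process launched the console window.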

Solution 2

Mark Russinovich's Sysinternals Process Monitor does that. Besides tracking file/reg/network accesses, it can track proc/thread lifetime and allows a lot of filtering.

Author: lyrica

Updated on September 18, 2022

Comments

  • lyrica
    lyrica over 1 year

    In Windows, is there a log that records what programs were run/called?

    While browsing the internet, viewing a static page with no ads, mouse clicks, keypresses, or miscellaneous plugins/addons/scripts running, I just saw a spontaneous CMD.exe console pop open and then immediately close in a flash, fast enough that I wasn't able to see anything in the window -- and with no apparent triggering on my part.

    I'm wondering if there is some type of Windows log that shows what programs have been run/called/activated? I'd like to see what was happening behind the scenes when this console window flashed, and hopefully determine it wasn't something rogue.

    For reference, I'm running Windows 7 Ultimate x64.

  • lyrica
    lyrica almost 11 years
    Would this have to have been running to capture a process that opened? Or is it able to report the thread lifetime independent of Procmon's tracking?
  • Val
    Val almost 11 years
    What "this" is independent of pmon? Do you mean monitoring without the monitor? How do you imagine this?
  • lyrica
    lyrica almost 11 years
    What I meant -- would Process Monitor need to have been running in order to track proc/thread lifetime, or is that globally stored independent of Process Monitor?
  • Val
    Val almost 11 years
    Process Monitor is what it says -- a monitor. It is not Windows Log Viewer. It injects some drivers into the Windows core functions and logs the calls itself. You cannot monitor without the monitor. Ok?
  • lyrica
    lyrica almost 11 years
    Oops -- I was confusing Process Monitor with Process Explorer -- Process Explorer can see process start/running times without having been active (monitoring) when the respective program was first started. I thought it was Process Explorer you were talking about. Thanks.
  • Dims
    Dims over 7 years
    If I don't see the command line, then what will I see?
  • Werner Henze
    Werner Henze over 7 years
    @Dims If "notepad myfile.txt" was started then you will see "notepad" but not the "myfile.txt".
  • Pacerier
    Pacerier over 7 years
    @WernerHenze, Any way to do this on a home computer? ... Windows cannot find secpol.msc
  • Werner Henze
    Werner Henze over 7 years
    @Pacerier Which Windows version/edition?
  • user2711915
    user2711915 almost 7 years
    This is probably not the problem encountered by the original poster, however when I enabled audit logging for processes (as suggested by Werner Henze) it turned out that this was the problem in my case. As of May 2017, this is to be fixed in a future Windows update "soon". If the problem persists after updating Windows (and you are from the future) this is probably not your issue.
  • tisaconundrum
    tisaconundrum about 6 years
    where are the logs located?
  • Werner Henze
    Werner Henze about 6 years
    @tisaconundrum I updated my answer to give that information. Hope it helps.
  • userJT
    userJT almost 5 years
    Hitting the Start button and typing secpol.msc does not start any program. Please elaborate how to start secpol.msc (Windows Home).
  • Werner Henze
    Werner Henze almost 5 years
    @userJT secpol.msc is not part of Windows Home Edition, but the page itechtics.com/enable-gpedit-windows-10-home might help you.