How to identify terminated Windows process if I still have its PID?


Solution 1

Are there some Windows logs containing association of PID to running process

By default there are no such logs. However you can enable Process Tracking Events in the Windows Security Event Log.

Notes:

How to Use Process Tracking Events in the Windows Security Log

In Windows 2003/XP you get these events by simply enabling the Process Tracking audit policy.

In Windows 7/2008+ you need to enable the Audit Process Creation and, optionally, the Audit Process Termination subcategories which you’ll find under Advanced Audit Policy Configuration in group policy objects.

These events are incredibly valuable because they give a comprehensive audit trail of every time any executable on the system is started as a process. You can even determine how long the process ran by linking the process creation event to the process termination event using the Process ID found in both events. Examples of both events are shown below.


Source: How to Use Process Tracking Events in the Windows Security Log


How to enable Audit Process Creation

  1. Run gpedit.msc

  2. Select "Windows Settings" > "Security Settings" > "Local Policies" > "Audit Policy"


  3. Right click "Audit process tracking" and select "Properties"

  4. Check "Success" and click "OK"



What is Audit Process Tracking

This security setting determines whether the OS audits process-related events such as process creation, process termination, handle duplication, and indirect object access.

If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).

If Success auditing is enabled, an audit entry is generated each time the OS performs one of these process-related activities.

If Failure auditing is enabled, an audit entry is generated each time the OS fails to perform one of these activities.

Default: No auditing

Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see http://go.microsoft.com/fwlink/?LinkId=140969.
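
The steps above use the legacy "Audit process tracking" category. The following is an added example (not part of the original answer) of doing the same thing from an elevated PowerShell prompt on Windows 7/2008 R2 or later with the Advanced Audit Policy subcategories the quoted article refers to, plus two things a practitioner usually wants alongside them: command-line logging and a larger Security log so the events are still there when you need them. The resulting events are 4688 ("A new process has been created") and 4689 ("A process has exited"); on Windows 2003/XP the equivalents are 592 and 593. The 256 MB log size is an arbitrary choice, and if audit policy is delivered by group policy the local `auditpol` change will be overwritten at the next policy refresh.

```powershell
# Added example: enable process creation/termination auditing with auditpol.exe
# (Advanced Audit Policy, "Detailed Tracking" category). Run elevated.

# Success only is enough: a process that failed to start never had a PID to look up.
auditpol.exe /set /subcategory:"Process Creation"    /success:enable /failure:disable
auditpol.exe /set /subcategory:"Process Termination" /success:enable /failure:disable

# Optional (Windows 8.1 / 2012 R2 and later): record the full command line in 4688.
# Same effect as the GPO setting "Include command line in process creation events".
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# Verify: both subcategories should now read "Success".
auditpol.exe /get /category:"Detailed Tracking"

# The Security log overwrites its oldest events when full (default maximum 20 MB),
# and a busy machine generates 4688/4689 quickly. 256 MB here is an assumed value.
wevtutil.exe sl Security /ms:268435456

# Quick smoke test: start and exit a process, then look for the pair of events.
Start-Process notepad.exe -PassThru | Stop-Process
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4689 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message | Format-List
```

If `auditpol /get` still shows "No Auditing" after the `/set`, check whether a domain GPO defines the category; the local setting loses to group policy.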

Solution 2

The only way to see this is to have auditing enabled to track the creation of processes.

From the "Local Security Policy" program (Type secpol.msc from the run screen if you are having trouble finding it) go to "Security Settings -> Local Policies -> Audit Policy" then enable the "Audit process tracking" for "Success".


Once you do that go to the event viewer and check the "Security" event log, in there you will see "Audit Success" entries for every time a process is started or ended.

A process has exited.

Subject:
    Security ID:        SYSTEM
    Account Name:       SCOTT-PC$
    Account Domain:     WORKGROUP
    Logon ID:       0x3E7

Process Information:
    Process ID: 0x1338
    Process Name:   C:\Windows\System32\consent.exe
    Exit Status:    0x0

You will need to convert the Process ID you are looking for from decimal into hex (3336 becomes 0xD08). The easiest way to convert is open windows calculator, go to "Programmer" mode, enter the number in "dec" mode, then click on "hex" mode. The number displayed will be converted to hex for you.
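
Rather than converting the PID by hand and scrolling through the Security log, the lookup can be scripted. This is an added example and not part of the original answer; it targets Windows Vista/2008 and later, where the event quoted above is ID 4689 ("A process has exited") and its counterpart is 4688 ("A new process has been created"). In 4688 the new process's PID is in the `NewProcessId` field and the creator's PID in `ProcessId`; in 4689 the exiting PID is in `ProcessId`. Both are stored as hex strings (0xd08 for 3336), which the script produces with a format string instead of the calculator. The function name and parameters are this example's own.

```powershell
# Added example: find what ran under a given decimal PID from Security events 4688/4689.
# Requires process creation/termination auditing to have been enabled beforehand.

function Find-ProcessByPid {
    param(
        [Parameter(Mandatory)] [int]$ProcessId,   # decimal, as Process Explorer shows it
        [datetime]$Before = (Get-Date),           # ignore events after this time
        [int]$Days = 7                            # how far back to search
    )
    $hex = '0x{0:x}' -f $ProcessId                # 3336 -> 0xd08 (-eq below is case-insensitive)
    $filter = @{ LogName = 'Security'; Id = 4688, 4689
                 StartTime = $Before.AddDays(-$Days); EndTime = $Before }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # Field names are stable across versions, positions are not: parse the XML by name.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($_.Id -eq 4688 -and $d.NewProcessId -eq $hex) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Event       = 'Created'
                ProcessName = $d.NewProcessName
                CommandLine = $d.CommandLine         # empty unless command-line logging is on
                ParentPid   = [Convert]::ToInt32($d.ProcessId, 16)
                ParentName  = $d.ParentProcessName   # populated on Windows 10 / 2016 and later
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
        elseif ($_.Id -eq 4689 -and $d.ProcessId -eq $hex) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Event       = 'Exited'
                ProcessName = $d.ProcessName
                CommandLine = $null
                ParentPid   = $null
                ParentName  = $null
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            }
        }
    } | Sort-Object Time
}

# Usage: the orphaned parent PID shown by Process Explorer, e.g. 3336.
Find-ProcessByPid -ProcessId 3336 | Format-Table -AutoSize
```

PIDs are reused, so a week of log can contain several "Created" rows for the same number. The right one is the 4688 whose time is just before the child process started (Process Explorer shows the child's start time in its properties), bracketed by a 4689 for the same PID that is later than the child's start. Passing `-Before` with the child's start time narrows the search to candidates that were actually alive then.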

Solution 3

If this is one time thing and you don't want to be always logging your processes, I would suggest using Microsoft Process Monitor (https://technet.microsoft.com/en-us/Library/bb896645.aspx). It needs to be run before the popup is spawned, but even after the parent process is dead it will have captured all the information you were looking for.
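
Process Monitor does not have to be babysat in the GUI while you wait for the event to recur. The following is an added example, not from the original answer, of running it headless from PowerShell and then extracting the creator of a given PID from the saved trace. The switches used (`/AcceptEula`, `/Quiet`, `/Minimized`, `/BackingFile`, `/Terminate`, `/OpenLog`, `/SaveAs`) are documented Procmon command-line options. The install path, the CSV column names, and the `PID: n, Command line: ...` format of the Detail column are assumptions based on a default-column CSV export and may need adjusting for your Procmon version.

```powershell
# Added example: capture with Process Monitor unattended, then look up who created a PID.

$procmon = 'C:\Tools\Procmon.exe'      # assumed location of the Sysinternals binary
$trace   = Join-Path $env:TEMP 'trace.pml'
$csv     = Join-Path $env:TEMP 'trace.csv'

# 1. Start capturing in the background: no filter prompt, minimized, events written
#    to a backing file on disk instead of being held in virtual memory.
Start-Process $procmon -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$trace`""

# ... wait for the unexpected process to appear, then:

# 2. Stop the capture and convert the trace to CSV so it can be scripted against.
& $procmon /Terminate
Start-Process $procmon -ArgumentList "/OpenLog `"$trace`" /SaveAs `"$csv`"" -Wait

# 3. A 'Process Create' row is logged against the PARENT: its PID column is the creator,
#    Path is the child's image, and Detail (assumed format) names the child PID and command line.
function Find-ProcessCreator {
    param(
        [Parameter(Mandatory)] [int]$ChildPid,
        [Parameter(Mandatory)] [string]$CsvPath
    )
    Import-Csv $CsvPath |
        Where-Object { $_.Operation -eq 'Process Create' -and $_.Detail -match "PID:\s*$ChildPid\b" } |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.'Time of Day'
                ParentPid  = [int]$_.PID
                ParentName = $_.'Process Name'
                ChildPath  = $_.Path
                ChildCmd   = ($_.Detail -replace '^.*Command line:\s*', '')
            }
        }
}

# Usage: the orphaned parent PID from Process Explorer, e.g. 3336.
Find-ProcessCreator -ChildPid 3336 -CsvPath $csv | Format-List
```

Because the trace also records the creator's own 'Process Create' row, the same function can be called again with `ParentPid` to walk the chain upward until a process that is still running (or a logon process) is reached.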


Author: miroxlav

Updated on September 18, 2022

Comments

  • miroxlav
    miroxlav over 1 year

    Background: In the middle of my work, license agreement for installing "Microsoft Mouse and Keyboard Center" suddenly appeared. I'd like to understand what process launched the setup, but using Process Explorer, I saw it's gone, I was only able to find its PID (see screenshot).

    Question:

    If you are using Process Explorer, you perhaps know the situation where parent process of the process no longer exists and you can only see its PID:


    Are there some Windows logs containing association of PID to running process so I can find out what process was running under given PID?

    Preferably I'm interested in scenarios, where I wasn't expecting this so I did not use Process Monitor to capture events in the system.

  • miroxlav
    miroxlav over 8 years
    Yeah, this is the kind of answer I expected. Simply said: enable some logging and thus become able to check its results.
  • miroxlav
    miroxlav over 8 years
    Dave, maybe you could use the "fastest gun in the West" approach. While you were writing your long and elaborate answer, I performed the steps in the other answer (the same as you added later) and was about to accept it. So now I have a dilemma which answer to accept... :)
  • DavidPostill
    DavidPostill over 8 years
    I would rather have the best answer than the first answer ;) If they are the same thing then it is a bonus. I did inform you (in a now cleaned up comment) that I was preparing my answer. And I'm using a slow tethered internet connection through my mobile :/
  • miroxlav
    miroxlav over 8 years
    Oh yeah, you did. OTOH, perhaps don't be shy to write "you can enable audit logging in local policies", post and continue creating an answer with educational value. Sometimes even a small clue could help me (the OP) better than waiting 60 minutes for a great answer :) I mean, I know where local policies are, I just needed a minor clue.
  • user541686
    user541686 over 8 years
    @DavidPostill: Would be nice if you could mention how often these logs are cleaned (or how often they should be cleaned manually), because I imagine they can get pretty long...
  • DavidPostill
    DavidPostill over 8 years
    @Mehrdad Yes, they could get large. The event logs are not automatically cleaned. As far as I am aware it is not possible to delete individual events from the log, only to delete (clear) the complete log. And how often they should be deleted manually is opinion-based :/
  • DavidPostill
    DavidPostill over 8 years
    @Mehrdad The event logs can, if necessary, be deleted from the command line using wevtutil. That is easier than using the Event Viewer GUI.