Log all process starts and terminations?

[Bert Hyman]

Is there a utility or technique I can use which will log the starting
and termination of every process, from boot to shutdown, or as close
to each as possible?

Maybe a policy setting that will put something in one of the event
logs?

 

[Mark L. Ferguson]

Scripting the WMI is possible. Here's a demo.
run this with:
cscript go.vbs > process.txt
--go.vbs--cut here--
for each Process in GetObject
("winmgmts:").InstancesOf("Win32_Process")
WScript.Echo Process.Handle, Process.Name
next
--cut here--
Look at process.txt in notepad.

Process scripts:
http://msdn2.microsoft.com/en-us/library/aa394599.aspx

Monitor Process Creation:
http://www.microsoft.com/technet/scriptcenter/scripts/os/process/monitor/pcmovb04.mspx

 

[Bert Hyman]

(e-mail address removed) (Mark L. Ferguson) wrote in

Scripting the WMI is possible. Here's a demo.
run this with:
...

Thanks; that looks like a good place to start.

Still, I was hoping there was something I could just use or turn on
without actually doing any work of my own

 

[Mark L. Ferguson]

Even looking into the options available in "Performance Logging" would be
work.
start/run, type:
HH mkMSITStore:%windir%\Help\howto.chm::/snap_sysmon.htm

As far as 'built in, ready to use' stuff, task manager is about it.

 

[Vanguard]

in message

Is there a utility or technique I can use which will log the starting
and termination of every process, from boot to shutdown, or as close
to each as possible?

Maybe a policy setting that will put something in one of the event
logs?

For local policy settings, run:

secpol.msc

Under Local Settings -> Audit Policy, enable success and failure
audition for process tracking, and maybe system events, too. I haven't
used these but perhaps they put into the Event Viewer logs what you
want.

 

[Bert Hyman]

In "Vanguard"

in message



For local policy settings, run:

secpol.msc

Under Local Settings -> Audit Policy, enable success and failure
audition for process tracking, and maybe system events, too. I
haven't used these but perhaps they put into the Event Viewer logs
what you want.

Thanks; the process tracking puts just what I want into the Security
event log.

I had written a little VBScript using the WMI calls mentioned in the
other posts, but it gets shut down at some random point during Windows
shutdown, so I'm not seeing everything I wanted to see.

I don't know at what point these log entries stop being made either, so
maybe it won't be any better, but at least I don't need my own
application running.