Log all process starts and terminations?


Bert Hyman

Is there a utility or technique I can use which will log the starting
and termination of every process, from boot to shutdown, or as close
to each as possible?

Maybe a policy setting that will put something in one of the event
logs?

--
Bert Hyman | St. Paul, MN | bert@iphouse.com
 
Scripting the WMI is possible. Here's a demo.
Run this with:
cscript go.vbs > process.txt
--go.vbs--cut here--
' Enumerate every running process once and print its handle (PID) and name.
For Each Process In GetObject("winmgmts:").InstancesOf("Win32_Process")
    WScript.Echo Process.Handle, Process.Name
Next
--cut here--
Look at process.txt in notepad.

Process scripts:
http://msdn2.microsoft.com/en-us/library/aa394599.aspx

Monitor Process Creation:
http://www.microsoft.com/technet/scriptcenter/scripts/os/process/monitor/pcmovb04.mspx
--
Mark L. Ferguson
e-mail subject line must include "QZ" or it's deleted
..
"Bert Hyman" <RBob@community.nospam> wrote in message
news:Xns99695E65E5F78VeebleFetzer@207.46.248.16...
> Is there a utility or technique I can use which will log the starting
> and termination of every process, from boot to shutdown, or as close
> to each as possible?
>
> Maybe a policy setting that will put something in one of the event
> logs?
>
> --
> Bert Hyman | St. Paul, MN | bert@iphouse.com
 
marfer_mvp@Yahoo.com (Mark L. Ferguson) wrote in
news:uiGwiPwwHHA.484@TK2MSFTNGP06.phx.gbl:

> Scripting the WMI is possible. Here's a demo.
> run this with:
> ...


Thanks; that looks like a good place to start.

Still, I was hoping there was something I could just use or turn on
without actually doing any work of my own :-)

--
Bert Hyman | St. Paul, MN | bert@iphouse.com
 
Even looking into the options available in "Performance Logging" would be
work.
Start/Run, type:
HH mk:@MSITStore:%windir%\Help\howto.chm::/snap_sysmon.htm

As far as 'built in, ready to use' stuff, task manager is about it.

--
Mark L. Ferguson
e-mail subject line must include "QZ" or it's deleted
..
"Bert Hyman" <RBob@community.nospam> wrote in message
news:Xns99696A0FE5657VeebleFetzer@207.46.248.16...
> marfer_mvp@Yahoo.com (Mark L. Ferguson) wrote in
> news:uiGwiPwwHHA.484@TK2MSFTNGP06.phx.gbl:
>
>> Scripting the WMI is possible. Here's a demo.
>> run this with:
>> ...

>
> Thanks; that looks like a good place to start.
>
> Still, I was hoping there was something I could just use or turn on
> without actually doing any work of my own :-)
>
> --
> Bert Hyman | St. Paul, MN | bert@iphouse.com
 
"Bert Hyman" wrote in message
news:Xns99695E65E5F78VeebleFetzer@207.46.248.16...
> Is there a utility or technique I can use which will log the starting
> and termination of every process, from boot to shutdown, or as close
> to each as possible?
>
> Maybe a policy setting that will put something in one of the event
> logs?

For local policy settings, run:

secpol.msc

Under Local Settings -> Audit Policy, enable success and failure
auditing for process tracking, and maybe system events, too. I haven't
used these but perhaps they put into the Event Viewer logs what you
want.
 
In news:u7W#mnzwHHA.1776@TK2MSFTNGP03.phx.gbl "Vanguard"
<no@mail.invalid> wrote:

> "Bert Hyman" wrote in message
> news:Xns99695E65E5F78VeebleFetzer@207.46.248.16...
>> Is there a utility or technique I can use which will log the starting
>> and termination of every process, from boot to shutdown, or as close
>> to each as possible?
>>
>> Maybe a policy setting that will put something in one of the event
>> logs?

>
>
> For local policy settings, run:
>
> secpol.msc
>
> Under Local Settings -> Audit Policy, enable success and failure
> auditing for process tracking, and maybe system events, too. I
> haven't used these but perhaps they put into the Event Viewer logs
> what you want.
Thanks; the process tracking puts just what I want into the Security
event log.

I had written a little VBScript using the WMI calls mentioned in the
other posts, but it gets shut down at some random point during Windows
shutdown, so I'm not seeing everything I wanted to see.

I don't know at what point these log entries stop being made either, so
maybe it won't be any better, but at least I don't need my own
application running.

--
Bert Hyman | St. Paul, MN | bert@iphouse.com
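The WMI approach the thread settles on, written out in PowerShell as an added example that is not part of the thread or Bert's own script: it subscribes to both process creation and deletion events for Win32_Process and appends one line per event to a text file. It assumes PowerShell 3.0 or later (Register-CimIndicationEvent) and a constructed log path under %TEMP%.

```powershell
# Added example, not from the thread: a PowerShell version of the WMI
# process monitor the posts point to. It subscribes to the intrinsic
# __InstanceCreationEvent and __InstanceDeletionEvent for Win32_Process
# and appends one line per start/exit to a text file.
# Assumes PowerShell 3.0+ (Register-CimIndicationEvent). The log path is
# a constructed placeholder; change it as needed.
$LogPath = Join-Path $env:TEMP 'process-trace.log'

# WITHIN 1 makes WMI poll the process table once a second. A process that
# starts and exits inside one polling interval is never seen, which is the
# main reason the Security-log audit policy is the more complete record.
$StartQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
$ExitQuery  = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"

# One handler serves both subscriptions. -Action blocks cannot see the
# caller's variables, so the log path travels in MessageData and the
# event kind is taken from the SourceIdentifier of the subscription.
# CommandLine of other users' processes is only visible when elevated.
$Handler = {
    $p     = $Event.SourceEventArgs.NewEvent.TargetInstance
    $kind  = if ($Event.SourceIdentifier -eq 'ProcStart') { 'START' } else { 'EXIT' }
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff'
    $line  = "$stamp $kind PID=$($p.ProcessId) PPID=$($p.ParentProcessId) $($p.Name) $($p.CommandLine)"
    Add-Content -Path $Event.MessageData -Value $line
}

Register-CimIndicationEvent -Query $StartQuery -SourceIdentifier ProcStart `
    -MessageData $LogPath -Action $Handler | Out-Null
Register-CimIndicationEvent -Query $ExitQuery  -SourceIdentifier ProcExit `
    -MessageData $LogPath -Action $Handler | Out-Null

Write-Host "Logging process starts and exits to $LogPath. Press Ctrl+C to stop."
try {
    # Keep the session alive; the subscriptions fire on their own thread.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Runs on Ctrl+C as well, so the subscriptions do not outlive the script.
    Get-EventSubscriber |
        Where-Object { $_.SourceIdentifier -in 'ProcStart', 'ProcExit' } |
        Unregister-Event
}
```

Like the VBScript described above, this runs inside a user session and stops at logoff or shutdown, and the one-second poll can miss very short-lived processes. The process tracking audit policy from the earlier post is recorded by the system itself into the Security log, so it keeps going after user-mode scripts have been killed.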
 