45

In Windows, is there a log that records what programs were run/called?

While browsing the internet, viewing a static page with no ads, mouse clicks, keypresses, or miscellaneous plugins/addons/scripts running, I just saw a spontaneous CMD.exe console pop open and then immediately close in a flash, fast enough that I wasn't able to see anything in the window -- and with no apparent triggering on my part.

I'm wondering if there is some type of Windows log that shows what programs have been run/called/activated? I'd like to see what was happening behind the scenes when this console window flashed, and hopefully determine it wasn't something rogue.

For reference, I'm running Windows 7 Ultimate x64.

Coldblackice
  • 6,233
  • 20
  • 60
  • 89

4 Answers4

40

You will not be able to check what ran, but you can prepare for the next time. If you open secpol.msc you can go to local policies/audit policy. Activate Success (and maybe also Failure) on Audit process tracking and you will get an event log entry in the security event log every time a process starts or ends. Unfortunately you'll see the process that ran but not the command line it was started with.

If you activate the auditing, a lot of logs might get generated, so you should adjust the size of the security event log.

You can access the logs with eventvwr.msc, Windows protocols, Security.

Werner Henze
  • 4,977
11

Mark Russinovich Sysinternals Process Monitor does that. Among tracking file/reg/network accesses, it can track proc/thread lifetime and allows a lot of filtering.

Val
  • 6,535
2

It may have been a scheduled task running. Check the Task Scheduler for tasks.

You could also check the Event Viewer for anything, though it probably won't have anything.

-3

Same here Windows 7 Ultimate x64 (Spanish).

I found out that the culprit is: C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe

Apparently it is a Know bug.

Jorge Ramirez
  • 1