Copy below lines into a text file and call MonitorProcessStart.vbs. Shift+Right Click on the file - Copy As Path. Open Command Prompt as Administrator and
Right Click - Paste.
This will list the command lines of all programs starting.
Use Task Manager to terminate wscript.exe to stop monitoring.
Set WshShell = WScript.CreateObject("WScript.Shell")
Set objWMIService = GetObject("winmgmts:\\.\root\CIMV2")
Set objEvents = objWMIService.ExecNotificationQuery("SELECT * FROM Win32_ProcessStartTrace")
Do
Set objReceivedEvent = objEvents.NextEvent
Set colItems = objWMIService.ExecQuery("Select * From Win32_Process where ProcessID=" & objReceivedEvent.ProcessID)
For Each itm in ColItems
wscript.echo objReceivedEvent.ProcessName & " " & itm.CommandLine
Next
Loop
To print it out to a console window
Shift+Right Click on the file - Copy As Path. Open Command Prompt as Administrator and
Right Click - Paste, then press Home key and prepend csript //nologo to the path to the vbs. Then press Ctrl+C to stop monitoring.
The output will look like this
>cscript //nologo "C:\Users\User\Desktop\Bat+Vbs\ProcessMonitor.vbs"
cscript.exe cscript //nologo "C:\Users\Users\Desktop\Bat+Vbs\ProcessMonitor.vbs"
iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10456 CREDAT:9526 /prefetch:2
iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10456 CREDAT:9534 /prefetch:2
SearchFilterHost.exe "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 788
