2

I'm just debugging a potential malware problem where blank browser windows (full windows, not tabs) keep opening, but I can't find any malware after multiple scans and after installing a fresh browser, so I'm thinking there might be a buggy application accidentally opening these windows.

Usually, if I want to determine which application launched another application, I would use Microsoft's Process Explorer. For example, you can see notepad was opened from cmd.exe:

[Screenshot: Process Explorer tree showing notepad under cmd.exe]

However, when I do the same thing for Chrome and Firefox, it doesn't tell me what application opened them; they just appear directly at the top of the tree:

[Screenshot: Process Explorer with the browsers at the top of the tree]

Is there any way I can log what application opened these browser windows?

There is a related but outdated question: How do I tell which application has opened a link in my browser?

2 Answers

1

It would help to know what URL is being opened, or whether Firefox is being launched without parameters. You may see that in Process Explorer by examining the properties of Firefox.

To trace the launch of Firefox, use Process Monitor.

For example, I set in Process Monitor the following trigger:

[Screenshot: Process Monitor trigger settings]

When I called Firefox from the Start menu I got this:

[Screenshot: Process Monitor result]

As you can see, Firefox was called by explorer.exe.

If this happens very early in the boot, you may need to set boot monitoring in Process Monitor, which will slow the boot very much and create a huge trace file. You may then examine the log using the appropriate trigger to select the events that interest you.

harrymc
  • 498,455
0

You can try this batch file that uses WMIC:

@echo off
Title Get Process with WMIC
wmic process where (Name like "%%chrome%%") get processid,parentprocessid,executablepath,commandline /Value
pause

EDIT: Batch file that can filter by process name:

@echo off & color 0B
Title Get Processes with WMIC
:Get_Details_Processes
Cls & echo( & echo Type The Name Of The Process For Looking For ...
set /p FilterProcess=
wmic process where (Name like "%%%FilterProcess%%%") get processid,parentprocessid,executablepath,commandline /Value
echo Type The Parentprocessid to get its executablepath and its commandline
set /p parentprocessid=
wmic process where (processid=%parentprocessid%) get executablepath,commandline /Value
pause
goto Get_Details_Processes
Hackoo
  • 1,410
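
The answers above read the parent PID after the fact, which fails when the launcher has already exited (the browser then shows at the top of the tree). As an added example, not code from either answerer, this PowerShell sketch subscribes to `Win32_ProcessStartTrace` and records the parent at the moment each browser process starts. The process names, log path and the `BrowserLaunch` identifier are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt:
# Win32_ProcessStartTrace subscriptions require administrator rights.
# Assumed values: the browser names and the CSV path below.
$names   = 'chrome.exe', 'firefox.exe'
$logPath = Join-Path $env:TEMP 'browser-launches.csv'

# Build the WQL filter: ProcessName = 'chrome.exe' OR ProcessName = 'firefox.exe'
$filter = ($names | ForEach-Object { "ProcessName = '$_'" }) -join ' OR '
$query  = "SELECT * FROM Win32_ProcessStartTrace WHERE $filter"

Register-CimIndicationEvent -Query $query -SourceIdentifier BrowserLaunch `
    -MessageData $logPath -Action {
    $e = $Event.SourceEventArgs.NewEvent

    # Resolve both processes immediately; either may exit within moments.
    $child  = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)"
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)"

    # A "parent" created after the child is an unrelated process that
    # reused the PID, so do not trust its name or path.
    $reused = $parent -and $child -and
              ($parent.CreationDate -gt $child.CreationDate)

    [pscustomobject]@{
        Time            = $Event.TimeGenerated
        Process         = $e.ProcessName
        ProcessId       = $e.ProcessID
        CommandLine     = $child.CommandLine
        ParentProcessId = $e.ParentProcessID
        ParentName      = if ($reused) { '(PID reused)' }
                          elseif ($parent) { $parent.Name }
                          else { '(already exited)' }
        ParentPath      = if ($parent -and -not $reused) { $parent.ExecutablePath }
        ParentCmdLine   = if ($parent -and -not $reused) { $parent.CommandLine }
    } | Export-Csv -Path $Event.MessageData -Append -NoTypeInformation
} | Out-Null

Write-Host "Logging browser launches to $logPath"
# Leave this session open while reproducing the problem, then stop with:
#   Unregister-Event -SourceIdentifier BrowserLaunch
```

Browsers spawn many child processes of their own, so most rows will list the browser as its own parent; the rows of interest are those whose `ParentName` is something else.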