How can I get a history of running processes

I need to get a history of which processes have run on my Windows machine, and when they were run. However, I cannot use any third-party software, as I cannot guarantee that it will always be running.

Is there any way to get this information only using Windows built-in functionality?

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

Sure. You can use Windows’ built-in event logging (assuming you’re not on some cheap edition that doesn’t have it).

  1. Press Win+R and type gpedit.msc to open the group policy manager
  2. In the left pane, navigate to

    Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Audit Policy

  3. In the right pane, double-click “Audit process tracking” and check both boxes

From now on, all process creations and deletions (and failed attempts at same) will appear in the Security log.

To view them, run Event Viewer. (Hit the Windows key and start typing “Event Viewer”.) In the left pane expand the “Windows Logs” sub-tree and click “Security”. All the security events will be displayed.

In the right pane you can set up a Filter to look for event IDs like 4688 or 4689, or any other supported criteria.

You might consider not enabling logging of failures since you’re looking for “what has run and when”, and if a process creation failed, then nothing has run… but that’s up to you.

You aren’t limited to just reading the event log on your screen, either. Windows “Scheduled tasks” can be triggered by event log entries that match criteria you specify. You can also read the event log with a PowerShell script (or, of course, with an ordinary program) and do stuff based on what you find.

N.B.: David Postill’s answer gives more detail on some of the event codes, etc. Don’t ignore it!

Solution 2

How can I get a history of running processes

By default there is no such history and it is not logged anywhere.

However you can enable Process Tracking Events in the Windows Security Event Log.

This will give you the information you require.

Notes:


How to Use Process Tracking Events in the Windows Security Log

In Windows 2003/XP you get these events by simply enabling the Process
Tracking audit policy.

In Windows 7/2008+ you need to enable the Audit Process Creation and,
optionally, the Audit Process Termination subcategories which you’ll
find under Advanced Audit Policy Configuration in group policy
objects.

These events are incredibly valuable because they give a comprehensive
audit trail of every time any executable on the system is started as a
process. You can even determine how long the process ran by linking
the process creation event to the process termination event using the
Process ID found in both events. Examples of both events are shown
below.

enter image description here

Source How to Use Process Tracking Events in the Windows Security Log


How to enable Audit Process Creation

  1. Run gpedit.msc

  2. Select “Windows Settings” > “Security Settings” > “Local Policies” > “Audit Policy”

    enter image description here

  3. Right click “Audit process tracking” and select “Properties”

  4. Check “Success” and click “OK”

    enter image description here


What is Audit Process Tracking

This security setting determines whether the OS audits process-related
events such as process creation, process termination, handle
duplication, and indirect object access.

If this policy setting is defined, the administrator can specify
whether to audit only successes, only failures, both successes and
failures, or to not audit these events at all (i.e. neither successes
nor failures).

If Success auditing is enabled, an audit entry is generated each time
the OS performs one of these process-related activities.

If Failure auditing is enabled, an audit entry is generated each time
the OS fails to perform one of these activities.

Default: No auditing

Important: For more control over auditing policies, use the settings
in the Advanced Audit Policy Configuration node. For more information
about Advanced Audit Policy Configuration, see
http://go.microsoft.com/fwlink/?LinkId=140969.


Further Reading

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply