Is there any log-file within Windows where all EXE-calls are tracked or is it possible to enable such a log? Would this contain the arguments / parameters of these calls?
Thanks
This can be done using the Audit Process Creation policy, which is enabled either in group policy if you're in a domain environment, or in the local policy on an individual workstation. This setting is in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking.
Each time a process is started an event will be recorded in the Windows event log with ID 4688.
The more recent versions of Windows and Windows server (8.1, 2012 R2 and above) will also record command line arguments if you enable a second policy setting called "Include command line in process creation events".
You should take a look at the Sysinternals tool called Sysmon.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.
Sysmon includes the following capabilities:
Logs process creation with full command line for both current and parent processes.
I wrote a C++ program that does just this thing. It's a simple program. The program pseudo-code:

start
    foreach arg { write arg }
    call original program
end

Move the original program to something else (executable.original.exe). Change your program to the name of the original (executable.exe).
badda-bing.
I may still have the code - but it's probably just as easy to do it yourself.
PS - csharp doesn't work for this.