16
4
How do I find out what programs have been running on my computer even if they have been stopped to the extent that Task Manager can't show a thing?
I don't use my computer alone and am sometimes suspicious.
36
By default there are no logs of what programs have been run.
However, you can enable Process Tracking Events in the Windows Security Event Log (see below for instructions) and this information will then be available to you in the future.
Once the Process Tracking Events are enabled you can use the following Powershell commands to examine the events:
Process Start:
Get-EventLog Security | Where-Object {$_.EventID -eq 4688} | Format-List
Process Stop:
Get-EventLog Security | Where-Object {$_.EventID -eq 4689} | Format-List
The above commands dump the event information to the screen.
In Windows 2003/XP you get these events by simply enabling the Process Tracking audit policy.
In Windows 7/2008+ you need to enable the Audit Process Creation and, optionally, the Audit Process Termination subcategories which you’ll find under Advanced Audit Policy Configuration in group policy objects.
These events are incredibly valuable because they give a comprehensive audit trail of every time any executable on the system is started as a process. You can even determine how long the process ran by linking the process creation event to the process termination event using the Process ID found in both events. Examples of both events are shown below.
Source: How to Use Process Tracking Events in the Windows Security Log
Run gpedit.msc
Select "Windows Settings" > "Security Settings" > "Local Policies" > "Audit Policy"
Right click "Audit process tracking" and select "Properties"
Check "Success" and click "OK"
This security setting determines whether the OS audits process-related events such as process creation, process termination, handle duplication, and indirect object access.
If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, both successes and failures, or to not audit these events at all (i.e. neither successes nor failures).
If Success auditing is enabled, an audit entry is generated each time the OS performs one of these process-related activities.
If Failure auditing is enabled, an audit entry is generated each time the OS fails to perform one of these activities.
Default: No auditing
Important: For more control over auditing policies, use the settings in the Advanced Audit Policy Configuration node. For more information about Advanced Audit Policy Configuration, see http://go.microsoft.com/fwlink/?LinkId=140969.
ExecutedProgramList does not give a complete list of programs that have been executed.
For example, it doesn't list any of the portable programs I am currently running from my thumb drive, e.g. Agent, Notepad++, GSNotes, as well as almost every Cygwin program I have run since my last restart.
It won't list any program that doesn't write anything to the locations mentioned in the link:
The list of previously executed programs is collected from the following data sources:
- Registry Key:
HKEY_CURRENT_USER\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
- Registry Key:
HKEY_CURRENT_USER\Microsoft\Windows\ShellNoRoam\MUICache
- Registry Key:
HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
- Registry Key:
HKEY_CURRENT_USER\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store
- Windows Prefetch folder (C:\Windows\Prefetch)
Source: ExecutedProgramList
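As an added example (not part of the original answer), the following script does what the quoted text above suggests: it reads the 4688/4689 events produced once Process Tracking auditing is enabled and pairs each creation with its termination by process ID to reconstruct who ran what, when, and for how long. It assumes it is run from an elevated PowerShell session (the Security log is not readable otherwise) and that the one-day look-back is just a constructed default.

```powershell
# Added example: reconstruct process history from Security events 4688/4689.
# Assumes Audit Process Creation/Termination is enabled and the shell is elevated.
param(
    [datetime]$Since = (Get-Date).AddDays(-1)   # assumption: look back one day
)

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Read a named <Data> element from the event XML so the code does not rely
    # on the positional order of $Event.Properties, which differs across versions.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# -Oldest returns events chronologically, so a 4688 is always seen before its 4689.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688, 4689
    StartTime = $Since
} -Oldest

# PIDs are logged as hex strings such as 0x1a4c; a reused PID simply overwrites
# the previous start, so each 4689 is matched to the most recent 4688 for that PID.
$open = @{}
$history = foreach ($e in $events) {
    switch ($e.Id) {
        4688 {
            $open[(Get-EventField $e 'NewProcessId')] = $e
        }
        4689 {
            $procId = Get-EventField $e 'ProcessId'
            $start  = $open[$procId]
            if ($null -ne $start) {
                [pscustomobject]@{
                    User     = Get-EventField $start 'SubjectUserName'
                    Process  = Get-EventField $start 'NewProcessName'
                    PID      = [int]$procId                 # "0x1a4c" -> 6732
                    Started  = $start.TimeCreated
                    Stopped  = $e.TimeCreated
                    Duration = $e.TimeCreated - $start.TimeCreated
                }
                $open.Remove($procId)
            }
        }
    }
}

$history | Sort-Object Started | Format-Table -AutoSize
# Anything left in $open started but has no termination event yet (still running,
# or the log wrapped); list it separately so it is not silently lost.
"{0} process(es) started without a matching 4689 in this window" -f $open.Count
```

Events 4689 that have no preceding 4688 in the window (the process started before $Since) are skipped, which is why widening the look-back changes the counts.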
A nifty PowerShell snippet for extracting the resulting information would be a nice addition to this excellent answer. – Peter Mortensen – 2016-02-08T09:50:32.103
@PeterMortensen Thanks. Indeed it would. Unfortunately I don't know PowerShell well enough to write one. – DavidPostill – 2016-02-08T09:56:23.327
Auditing handle duplication sounds incredibly spammy. – user253751 – 2016-02-08T10:06:19.593
@PeterMortensen I've managed to write a one-liner that gives the information ;) – DavidPostill – 2016-02-08T10:06:22.140
@user20574 What do you mean? – DavidPostill – 2016-02-08T10:29:10.240
The solution would work in most cases, but a malicious user with physical access to the computer could still temporarily disable this logging and/or alter the logs after they've been made, if they really want to do so. – Peteris – 2016-02-08T14:16:38.427
@Peteris If someone has physical access then all bets are off. Given enough time anything is possible. However, as far as I know it is not possible to alter the existing logs (other than deleting them - which would be an obvious giveaway). Changing the policy settings requires admin access. – DavidPostill – 2016-02-08T14:21:36.357
3
Nirsoft has a small, free application, ExecutedProgramList, that shows a list of programs and batch files that executed on your system. Note that it is not always able to show the time an application last started, due to limitations inherent in Windows, and, as @DavidPostill mentioned, it may miss portable apps.
It derives its info from Windows, so does not need to be running to compile its list.
1
ExecutedProgramList does not give a complete list of programs run. For example, it doesn't list any of the portable programs I am currently running from my thumb drive, e.g. Agent, Notepad++, GSNotes, as well as almost every Cygwin program I have run since my last restart. So it's not very comprehensive. – DavidPostill – 2016-02-08T09:30:09.630
It won't list any program that doesn't write anything to the locations mentioned in the link. – DavidPostill – 2016-02-08T09:31:44.153
How does it work? Does it continously sample the currently running processes? Or does it get notified by Windows when processes are started and stopped? – Peter Mortensen – 2016-02-08T09:48:05.950
@PeterMortensen See the end of my answer for how it works. And it needs a manual refresh. – DavidPostill – 2016-02-08T13:13:42.453
1
Process History also does this. It's a free and portable process database.
It's a simple portable .zip download. There is a manual on how to use it with video on the download site.
As long as Process History is running, you can query processes that have ended via a separate GUI.
It will run on any version of Windows from XP.
(I am the author of this open source software.)
4
If the process has been ended it will not show in Task Manager, but it may show in a system event log; see Event Viewer. – Moab – 2016-02-08T00:31:23.893
7
If you really can't trust the people who are sharing your computer, then finding out what they were running is probably too little, too late. – Cody Gray – 2016-02-08T10:53:55.433
1
The irony of this question is delicious. You say you get suspicious over what others do on the shared computer you use, yet you're the one trying to snoop on what everybody else has done with their account!! – Lightness Races with Monica – 2016-02-08T17:52:08.527