Background: In the middle of my work, a license agreement for installing "Microsoft Mouse and Keyboard Center" suddenly appeared. I'd like to understand what process launched the setup, but when I looked in Process Explorer it was already gone, and I was only able to find its PID (see screenshot).
Question:
If you are using Process Explorer, you perhaps know the situation where the parent process of a process no longer exists and you can only see its PID:
Are there any Windows logs containing the association of PID to running process, so I can find out what process was running under a given PID?
Preferably, I'm interested in scenarios where I wasn't expecting this, so I had not used Process Monitor to capture events in the system.
Dave, maybe you could use the "fastest gun in the West" approach. While you were writing your long and elaborate answer, I performed the steps in the other answer (the same as you added later) and was about to accept it. So now I have a dilemma over which answer to accept... :) – miroxlav – 2015-08-29T20:49:21.613
I would rather have the best answer than the first answer ;) If they are the same thing then it is a bonus. I did inform you (in a now cleaned up comment) that I was preparing my answer. And I'm using a slow tethered internet connection through my mobile :/ – DavidPostill – 2015-08-29T20:52:59.427
Oh yeah, you did. OTOH, perhaps don't be shy to write "you can enable audit logging in local policies", post it, and continue creating an answer with educational value. Sometimes even a small clue could help me (the OP) better than waiting 60 minutes for a great answer :) I mean, I know where local policies are, I just needed a minor clue. – miroxlav – 2015-08-29T20:57:09.067
@DavidPostill: Would be nice if you could mention how often these logs are cleaned (or how often they should be cleaned manually), because I imagine they can get pretty long... – user541686 – 2015-08-30T04:19:44.347
@Mehrdad Yes, they could get large. The event logs are not automatically cleaned. As far as I am aware it is not possible to delete individual events from the log, only to delete (clear) the complete log. And how often they should be deleted manually is opinion-based :/ – DavidPostill – 2015-08-30T06:51:30.820
@Mehrdad The event logs can, if necessary, be deleted from the command line using wevtutil. That is easier than using the Event Viewer GUI. – DavidPostill – 2015-08-30T06:53:54.523
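The lookup the comments allude to, once "Audit Process Creation" has been enabled in local policy, as an added example that is not part of the original question or answers: it reads Security log event 4688 for a given PID and reports the creating process. It assumes an elevated PowerShell session and that auditing was already on when the process started; the `$TargetPid` parameter name is mine.

```powershell
# Added example, not from the thread. Find which image ran under a given PID and who
# launched it, using Security event 4688 (Audit Process Creation). Assumes:
#   - "Audit Process Creation" enabled (Local Security Policy > Advanced Audit
#     Policy Configuration > Detailed Tracking), as the comments describe
#   - an elevated session, since the Security log is readable only by administrators
param(
    [Parameter(Mandatory)][int]$TargetPid,   # decimal PID, as Process Explorer shows it
    [int]$MaxEvents = 50
)

# 4688 stores PIDs as lowercase hex strings (e.g. 0x1a2c), so convert before matching.
$hexPid = '0x{0:x}' -f $TargetPid

# Push the filter into the event log service with XPath instead of pulling every
# 4688 record into PowerShell; on a busy host the Security log is large.
$xpath = "*[System[EventID=4688] and EventData[Data[@Name='NewProcessId']='$hexPid']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning ("No 4688 event for PID $TargetPid. Auditing was off when it started, " +
                   "the log has wrapped, or the log was cleared.")
    return
}

foreach ($e in $events) {
    # Read EventData by field name so the field order of different Windows versions
    # does not matter.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        NewProcessId = [Convert]::ToInt32($data['NewProcessId'], 16)
        NewProcess   = $data['NewProcessName']
        # ProcessId in 4688 is the creator's PID; it may itself have been reused since,
        # so correlate by Time rather than trusting the number alone.
        CreatorPid   = [Convert]::ToInt32($data['ProcessId'], 16)
        # ParentProcessName is only present on Windows 10 / Server 2016 and later.
        CreatorImage = $data['ParentProcessName']
        User         = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        # CommandLine is only filled when the separate "Include command line in process
        # creation events" policy is also enabled.
        CommandLine  = $data['CommandLine']
    }
}
```

PIDs are reused, so several 4688 events can match one PID; the newest is listed first, and the Time column is what ties a record to the moment the setup dialog appeared.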