
I noticed that sometimes after Windows 10 boots up, a black cmd.exe box pops up and closes quickly. I want to know what was running. Besides looking in Autoruns, are there tools or registry keys which can help me track down what was running? Like a history of programs and parameters spawned by cmd.exe?


1 Answer

Yes, you definitely can.

First, open gpedit.msc and go to

Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Detailed Tracking, click Audit Process Creation, and check Success and Failure.

Then go to

Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation, click Include command line in process creation events, and enable the policy.

Now all events are logged each time you log in to Windows, and you can get the process start time and parent process with

Get-WinEvent Security | Where-Object {$_.id -eq 4688} | Where-Object { $_.Properties[5].Value -match 'conhost' } | Select TimeCreated,@{ Label = "ParentProcess"; Expression = { $_.Properties[13].Value } } 

Or to get verbose details (All properties):

Get-WinEvent Security | Where-Object {$_.id -eq 4688}

Events are created with ID 4688; you can also view them in Event Viewer. You can use Export-Csv to export the results to a CSV file.

Inspired by
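The following script is an added example, not code from the answer above. It applies the same two settings the answer sets through gpedit.msc (the "Process Creation" audit subcategory and the command-line inclusion policy, here via auditpol and the policy registry value), then reads the 4688 events written since the last boot and keeps only cmd.exe launches and the processes cmd.exe itself started, which is what the question is after. Fields are read by name from the event XML rather than by Properties[] index. The output CSV path is an assumption; run it from an elevated PowerShell prompt, because the Security log is only readable by administrators.

```powershell
# Added example (not from the answer above): enable process-creation auditing with
# command-line capture, then list cmd.exe launches and their children since the last boot.
# Run from an elevated PowerShell prompt; reading the Security log needs administrator rights.

# 1. Same settings as the gpedit.msc steps, applied from the command line.
#    "Process Creation" is the subcategory under Detailed Tracking.
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null

#    Equivalent of "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 2. Pull 4688 events created since the last boot. -FilterHashtable is evaluated by the
#    event log service, so it is far faster than piping every Security event through Where-Object.
$bootTime = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $bootTime } `
                       -ErrorAction SilentlyContinue   # no error if nothing has been logged yet

# 3. Read fields by name from the event XML instead of by Properties[] index,
#    so the script keeps working if the property order differs between Windows builds.
function Convert-ProcessCreationEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated   = $Event.TimeCreated
        NewProcess    = $data['NewProcessName']
        CommandLine   = $data['CommandLine']        # stays empty until the registry value above is set
        ParentProcess = $data['ParentProcessName']  # present on Windows 10 / Server 2016 and later
        User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
    }
}

$records = $events | ForEach-Object { Convert-ProcessCreationEvent $_ }

# 4. Keep the cmd.exe launches themselves (what opened the black box) and anything
#    cmd.exe went on to start (what actually ran inside it).
$cmdActivity = $records | Where-Object {
    $_.NewProcess -like '*\cmd.exe' -or $_.ParentProcess -like '*\cmd.exe'
} | Sort-Object TimeCreated

$cmdActivity | Format-Table TimeCreated, ParentProcess, NewProcess, CommandLine -AutoSize -Wrap
# Output path is an assumption; change it to suit.
$cmdActivity | Export-Csv -Path "$env:USERPROFILE\Desktop\cmd-after-boot.csv" -NoTypeInformation
```

The settings take effect for processes started after they are applied, so the box that appears on the next boot is the first one this will catch. The ParentProcess column tells you what launched cmd.exe (a scheduled task's svchost.exe, explorer.exe, a logon script host, and so on), and the CommandLine of the rows whose parent is cmd.exe shows what it ran; if CommandLine is blank for every row, the registry value in step 1 did not apply.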
