Application start event from windows?

Big D

I'm wanting to write a service that monitors when an application is
started, and then logs its name, and the time it ran... Is there an event
that I could handle that is fired each time an application is started? I
need to be able to do this without knowing the name of the application.

Thanks,

D
 
Big D said:
I'm wanting to write a service that monitors when an application is
started, and then logs its name, and the time it ran... Is there an event
that I could handle that is fired each time an application is started? I
need to be able to do this without knowing the name of the application.

The OS can write an entry to the event log when a process starts or
finishes. It will do this if you set it to turn on "detailed reporting" in
Group Policy (or gpedit.msc for local policy).
 
Can't seem to find that setting... where is it at? I'm looking at group
policy msc: Local -> Computer Configuration -> Administrative Template ->
System -> Group Policy, but can't find anything about detailed reporting.

-D
 
It's tricky on systems below XP/2003 (where you can use the
Win32_ProcessStartTrace WMI class). Sysinternals and others use a driver to
hook process and thread creation, look up PsSetCreateProcessNotifyRoutine.
On Windows 2000 you could use WMI events with something like:

"SELECT * FROM __instancecreationevent WITHIN 5 WHERE targetinstance isa 'Win32_Process'"
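
The two WMI event sources named in the reply above, wired into a logger that records each new process's name and start time. This is an added example, not part of the original post. It assumes PowerShell 3.0 or later; the log path, the `ProcStart` source identifier and the `$UsePolling` switch are hypothetical names chosen here.

```powershell
# Added example: log every process start to CSV via WMI events.
# Win32_ProcessStartTrace typically needs an elevated session.
# Assumed names (not from the thread): $LogPath, $SourceId, $UsePolling.
$LogPath    = Join-Path $env:TEMP 'process-starts.csv'
$SourceId   = 'ProcStart'
$UsePolling = $false   # set to $true to use the Windows 2000 style query

if ($UsePolling) {
    # Polls Win32_Process every 5 seconds: a process that starts and exits
    # between two polls is never reported.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 " +
             "WHERE TargetInstance ISA 'Win32_Process'"
} else {
    # Event-driven, so short-lived processes are reported as well.
    $query = 'SELECT * FROM Win32_ProcessStartTrace'
}

Register-CimIndicationEvent -Query $query -SourceIdentifier $SourceId -ErrorAction Stop

try {
    while ($true) {
        $evt = Wait-Event -SourceIdentifier $SourceId
        $new = $evt.SourceEventArgs.NewEvent

        if ($UsePolling) {
            # The new Win32_Process instance is embedded in TargetInstance.
            $p = $new.TargetInstance
            $record = [pscustomobject]@{
                TimeUtc         = $p.CreationDate.ToUniversalTime().ToString('o')
                Name            = $p.Name
                ProcessId       = $p.ProcessId
                ParentProcessId = $p.ParentProcessId
            }
        } else {
            # TIME_CREATED is a FILETIME value (100 ns ticks since 1601, UTC).
            $record = [pscustomobject]@{
                TimeUtc         = [DateTime]::FromFileTimeUtc([long]$new.TIME_CREATED).ToString('o')
                Name            = $new.ProcessName
                ProcessId       = $new.ProcessID
                ParentProcessId = $new.ParentProcessID
            }
        }

        $record | Export-Csv -Path $LogPath -Append -NoTypeInformation
        # Wait-Event does not dequeue; remove the event so it is not read twice.
        Remove-Event -EventIdentifier $evt.EventIdentifier
    }
} finally {
    Unregister-Event -SourceIdentifier $SourceId -ErrorAction SilentlyContinue
}
```

Stop the loop with Ctrl+C; the `finally` block removes the subscription so it does not linger in the session.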
 
Big D said:
Can't seem to find that setting... where is it at? I'm looking at group
policy msc: Local -> Computer Configuration -> Administrative Template ->
System -> Group Policy, but can't find anything about detailed reporting.

Sorry, wrong name. It's Local -> Computer Configuration -> Windows
Settings -> Security Settings -> Audit Policy -> Audit Process Tracking.
 
Hi,

If you still have any concerns about this issue, please feel free to post here.

Best regards,

Peter Huang
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 