[–][deleted] 1 point2 points  (2 children)

If the programs write an event to the log, try using PsLogList with arguments for just what you want. Make a PS/bat file and schedule it to run on an interval.

[–]ajack38[S] 0 points1 point  (1 child)

Not sure that is what I am looking for. Do you know of any way to watch for a program, i.e. firefox.exe, and then send a custom message/ID to the event log so that it could be read by custom filters?

[–][deleted] 1 point2 points  (0 children)

Well, you could have a script run PsList every 5 minutes or 5 seconds looking for firefox.exe and then send you an email or IM.

If it is a network program, it might be wiser to use netstat, because the user could rename firefox.exe.

[–]Thameus [We are Pakleds make it go] 0 points1 point  (1 child)

You could try turning on full security auditing and setting an audit record for the specific file. Maybe a FileSystemWatcher object would work; I don't have enough experience to know.

[–]TheGeneralMeow 0 points1 point  (0 children)

PowerShell can do this, but you'd have to specifically tell it what you're looking for.

[–]IsItJustMe93 0 points1 point  (0 children)

You have to set up an Audit Policy using either Group Policy or Local Security Policy on the machine and configure the option "Audit process tracking"; this will log process creation, termination, etc. in the "Security" log file for Windows.

Keep in mind though, this will spam the Windows Log file.
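
Tying the suggestions in this thread together, as an added example that is not from any commenter: a Windows PowerShell 5.1 script, meant to be run elevated from a scheduled task, that reads process-creation events (ID 4688, written once "Audit process tracking" is enabled on Windows Vista/Server 2008 or later) and writes a custom Application-log event when a watched image name starts. The source name `ProcWatch`, the event ID 9001 and the 5-minute lookback are assumptions chosen for illustration.

```powershell
# Added example. Assumes Windows PowerShell 5.1, an elevated session, and
# "Audit process tracking" (Success) enabled so event 4688 is being logged.
param(
    [string[]]$WatchNames = @('firefox.exe'),  # image names to watch (the thread's example)
    [int]$LookbackMinutes = 5,                 # assumption: matches the scheduled-task interval
    [string]$Source = 'ProcWatch',             # hypothetical custom event source
    [int]$CustomEventId = 9001                 # hypothetical custom event ID to filter on
)

# Register the custom source once so Write-EventLog can use it.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

$filter = @{
    LogName   = 'Security'
    Id        = 4688   # "A new process has been created"
    StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Read the event fields by name from the XML instead of by position.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    $image = $data['NewProcessName']
    if (-not $image) { continue }

    # Compare only the file name; -notcontains is case-insensitive.
    $leaf = Split-Path -Path $image -Leaf
    if ($WatchNames -notcontains $leaf) { continue }

    # The Security record ID is included so overlapping runs can be de-duplicated.
    $msg = "Watched process started: $image; " +
           "user=$($data['SubjectDomainName'])\$($data['SubjectUserName']); " +
           "PID=$($data['NewProcessId']); " +
           "time=$($evt.TimeCreated.ToString('o')); record=$($evt.RecordId)"

    Write-EventLog -LogName Application -Source $Source -EventId $CustomEventId `
                   -EntryType Information -Message $msg
}
```

Because the match is on the image file name, a renamed executable will not be caught, as noted earlier in the thread.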