How to run a process monitor windows 10

11/10/2023

I'm trying to tie two applications together, so that when one is started the other starts too. I expected to find this in Task Scheduler under Events > Application or something like that, but only some applications have event sources there.

So I researched and found that you can detect a process start by registering a WMI event.

```powershell
Register-WMIEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 3 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'notepad.exe'" -sourceIdentifier 'NotepadStarted' -action {
    # Placeholder: the command that starts the second application goes here.
}
```

However this is meant to run all the time, which means a powershell.exe process in the background, and WMI polling every 3 seconds (WITHIN 3 - yes I do need it to respond ASAP). The PC is powerful enough for this job as is, but if in the future I want to watch more than one app, this approach may turn out to use too many resources.

Is there a better way of watching for a process start on Windows? Without polling or running a script continually in the background, but rather simply scheduling a task to respond to the event of Notepad having started?

I have found a way through Auditing, which seems to work alright. We're trying to get the process to raise an event when it starts, then in Task Scheduler to home in on that event as the trigger for our action.

UPDATE: Conjoined Twins - IFTTT-style application actions using auditing and scheduled tasks under Windows. It's a PowerShell script that helps you set this up.

LATER EDIT: OK it does produce a few false positives. The action may fire without the program having actually been executed.

Go to your application.exe, right click > Properties > Security tab > Advanced > Auditing tab > Edit

Add your username and tick Traverse folder / execute file.

Every successful execution of application.exe will now show up in Event Viewer. You can Filter current log for EventID 4663.

Here is an event like that from my machine:

An attempt was made to access an object.
Object Name: C:\Program Files\Some Application\application.exe

You'll see more than one of these, it's not just one-to-one, 1 program start = 1 event. There are "A handle was open", "A handle was closed" events as well.

In Task Scheduler you have to now create an event to target the program start.
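
The auditing steps described in this post, scripted as an added example (not the poster's code and not the Conjoined Twins script): it adds the audit entry to the executable and then lists the resulting 4663 events with the process that requested each access, which helps when reviewing the false positives mentioned. It assumes an elevated prompt, an English-language system (for the `auditpol` subcategory name), that the "File System" audit subcategory is not already managed by Group Policy, and the placeholder path from the page.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# $exe is the placeholder path shown on the page; replace it with the real one.
$exe = 'C:\Program Files\Some Application\application.exe'

# 1. Event 4663 is only written when the "File System" audit subcategory
#    is enabled for success (assumption: not already set by Group Policy).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit (SACL) entry on the executable for the current user:
#    successful "Traverse folder / execute file", as in the Auditing tab steps.
$user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $exe -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $user,
            [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
            [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $exe -AclObject $acl

# 3. Read the 4663 events for this object name from the Security log.
#    (The XPath literal breaks if the path contains an apostrophe.)
$xpath = "*[System[EventID=4663]] and " +
         "*[EventData[Data[@Name='ObjectName']='$exe']]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the named <Data> elements into a lookup table.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data['SubjectUserName']
            Process    = $data['ProcessName']   # process that requested the access
            AccessMask = $data['AccessMask']    # 0x20 = execute / traverse
        }
    }

# 4. Several events are logged per launch; summarise by requesting process
#    to see which ones are real starts and which are other programs
#    touching the file.
$events | Sort-Object Time | Format-Table -AutoSize
$events | Group-Object Process | Select-Object Count, Name
```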