My previous post, List Running Processes and their creation time, helps you track down processes that are currently running. And the post Find if the unknown program window that opened and closed immediately was a scheduled task tells you whether a program window that just ran was launched by a scheduled task.
While those posts are useful for seeing what is running on the system, those methods still leave a gap.
The first post covers Process Explorer, which shows a real-time view of running processes. It does not keep track of processes that ran a few minutes earlier and then terminated.
Process Explorer highlights new processes for a couple of seconds, but it does not record a history of the creation and termination times of processes. And the second post deals only with Scheduled Tasks. Often, though, you need the list of processes (especially short-lived ones) that ran briefly and then exited, for example when troubleshooting a flashing console window or looking for a suspicious helper process. Process Monitor can capture exactly that.
Using Process Monitor to Track Process Start and Exit Events
Start Process Monitor (it must run elevated, because it loads a kernel driver to capture events). On the toolbar, enable the Show Process and Thread Activity button and disable the other event classes (Registry, File System, Network, Profiling).
Then click the Filter button (Ctrl + L) to open the Process Monitor Filter dialog.
Configure the filter as follows:
Operation → contains → Process
Click Add, then OK. Process Monitor starts capturing events and shows Process Create, Process Start, and Process Exit in the Operation column. Note the distinction: Process Create is logged in the context of the parent process and names the new child image in the Path column, while Process Start is the child's own first event. Pair Process Start with the Process Exit for the same PID to get a process's lifetime.
Quick Tip: If you’re going to run the trace for a long period of time, consider enabling Drop Filtered Events under the Filter menu. This keeps memory and disk from filling up unnecessarily, because only events that pass your filter are stored. The trade-off is that dropped events are gone for good: you cannot loosen the filter later and recover them, so get the filter right before starting a long capture.
Here it is. Process Monitor has recorded some Process Start and Process Exit events. To see the details of an event, double-click the entry. It shows the full command line and image path of that process, and for Process Start the parent PID as well.
Optionally, you can enable the Command Line column in the Column Selection dialog. From the Options menu, click Select Columns… and enable Command Line and Sequence Number.
A column named “Command Line” now appears in the results window, and any CSV or XML you export later will include it, since exports contain only the displayed columns.
You can also view the processes as a tree showing the parent process, path, life time, and other information. From the Tools menu, click Process Tree (Ctrl + T).
To make the Life Time bar graph use the trace time (capture start time) as its base instead of the boot session, enable Timelines cover displayed events only.
For later analysis, save the events to a .PML file containing either All Events or only the currently displayed events. Keep the native .PML format if the recipient will open the log in Process Monitor; use CSV or XML only when another tool will read it. If you’re sending the log to someone who can interpret it, zip it first: compression typically cuts the .PML file size by around 90%.
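The same workflow can be driven from PowerShell, which is handy when you want an unattended capture on a machine and a quick answer to "what ran briefly and exited while I wasn't looking". The script below is an added example and is not code from the original post or from Sysinternals. It assumes procmon.exe is on PATH, that ProcessEvents.pmc is a configuration you exported from Process Monitor after setting up the filter and columns above (File > Export Configuration…), and that the exported CSV therefore contains the Command Line column. The CSV rows at the bottom are constructed sample data, not a real trace.

```powershell
# Added example (not from the original post or Sysinternals). Drives Process Monitor
# from PowerShell: capture only process events to a .pml, export to CSV, then pair
# Process Start / Process Exit rows by PID to list short-lived processes.
# Assumptions: procmon.exe is on PATH; $FilterConfig is a .pmc exported from Procmon
# (File > Export Configuration...) with the "Operation contains Process" filter and
# the Command Line column enabled.

function Start-ProcmonProcessTrace {
    param(
        [Parameter(Mandatory)] [string] $BackingFile,                 # .pml to write
        [string] $FilterConfig = (Join-Path $PWD 'ProcessEvents.pmc') # assumed file
    )
    # /Quiet skips the filter prompt, /Minimized hides the window, /LoadConfig applies
    # the saved filter so only process events are kept. Procmon is a GUI app, so this
    # returns immediately and the capture keeps running in the background.
    & procmon.exe /AcceptEula /Quiet /Minimized /LoadConfig $FilterConfig /BackingFile $BackingFile
}

function Stop-ProcmonProcessTrace {
    param(
        [Parameter(Mandatory)] [string] $BackingFile,
        [Parameter(Mandatory)] [string] $CsvPath
    )
    & procmon.exe /Terminate                          # stop the running capture
    & procmon.exe /OpenLog $BackingFile /SaveAs $CsvPath   # convert .pml to CSV offline
}

function Get-ShortLivedProcesses {
    # $Events: rows from Import-Csv/ConvertFrom-Csv of a Procmon CSV export.
    # Emits one object per process whose Start->Exit lifetime is <= $MaxSeconds.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [double] $MaxSeconds = 5
    )
    $started = @{}   # PID -> @{ Time; Row } for processes that have started but not exited
    foreach ($e in $Events) {
        # Procmon's "Time of Day" is a time only, e.g. "10:15:01.0300000 AM"
        $t = [datetime]::Parse($e.'Time of Day', [cultureinfo]::InvariantCulture)
        switch ($e.Operation) {
            'Process Start' { $started[$e.PID] = @{ Time = $t; Row = $e } }
            'Process Exit'  {
                if ($started.ContainsKey($e.PID)) {
                    $s = $started[$e.PID]
                    $started.Remove($e.PID)           # PIDs are reused, so pair strictly in order
                    $life = ($t - $s.Time).TotalSeconds
                    if ($life -lt 0) { $life += 86400 }   # trace crossed midnight
                    if ($life -le $MaxSeconds) {
                        [pscustomobject]@{
                            PID         = $e.PID
                            Process     = $e.'Process Name'
                            LifetimeSec = [math]::Round($life, 3)
                            ParentInfo  = $s.Row.Detail
                            CommandLine = $s.Row.'Command Line'
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample export (not a real trace): cmd.exe spawns whoami.exe, both exit
# quickly; notepad.exe starts but never exits inside the capture, so it is not reported.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","Command Line"
"10:15:01.0000000 AM","cmd.exe","4120","Process Start","","SUCCESS","Parent PID: 992","C:\Windows\System32\cmd.exe /c whoami"
"10:15:01.0200000 AM","cmd.exe","4120","Process Create","C:\Windows\System32\whoami.exe","SUCCESS","PID: 4136","C:\Windows\System32\cmd.exe /c whoami"
"10:15:01.0300000 AM","whoami.exe","4136","Process Start","","SUCCESS","Parent PID: 4120","whoami"
"10:15:01.1500000 AM","whoami.exe","4136","Process Exit","","SUCCESS","Exit Status: 0","whoami"
"10:15:01.2000000 AM","cmd.exe","4120","Process Exit","","SUCCESS","Exit Status: 0","C:\Windows\System32\cmd.exe /c whoami"
"10:20:00.0000000 AM","notepad.exe","5000","Process Start","","SUCCESS","Parent PID: 3000","notepad.exe"
'@

$events = $sampleCsv | ConvertFrom-Csv
Get-ShortLivedProcesses -Events $events -MaxSeconds 5 | Format-Table -AutoSize

# Real use, after Start-ProcmonProcessTrace -BackingFile C:\Temp\proc.pml and some waiting:
#   Stop-ProcmonProcessTrace -BackingFile C:\Temp\proc.pml -CsvPath C:\Temp\proc.csv
#   Get-ShortLivedProcesses -Events (Import-Csv C:\Temp\proc.csv) -MaxSeconds 2
```

On the constructed sample this reports whoami.exe (PID 4136) with a lifetime of 0.12 s and cmd.exe (PID 4120) with 0.2 s, each with its parent PID and full command line; notepad.exe is left out because no Process Exit for it was captured. Pairing on PID in event order matters because Windows reuses PIDs, so a later process with the same PID must not be matched against an earlier exit.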