Monitor Process creation and termination on Windows

Martin Brinkmann
Jun 27, 2016

Process Logger Service is a free program for Windows that installs itself as a service to monitor process creation on the computer it is installed on.

Processes are launched when you start a program on a device running Windows, but also automatically by software, services or the operating system.

While you may be able to identify some of the running processes easily, the programs you started for instance, you may miss the bulk of process creation and termination as it happens in the background.

Programs like the Windows Task Manager or the more suitable Process Explorer give you a better look at what is happening on the system, but they usually only show a snapshot of the processes running at the moment you look.

It is easy to miss processes that start and terminate automatically.

Monitor Process creation and termination


Process Logger Service has been designed to provide you with a process activity log. It is a bit difficult to install as it operates as a Windows Service, but once you are past that, it works automatically.

Installation


Download the program archive from the developer website and extract it. Then copy the ProcessLoggerSvc directory to the root of the c: drive.

Open the service directory and open config.ini in a plain text editor. You may change the default configuration of the service using it.

Options include disabling the logging of process creations or terminations, disabling the computation of MD5 hashes, and changing the log directory location.

Once done, right-click on install.bat in the root of the ProcessLoggerSvc directory and select "run as administrator" from the menu. Confirm the UAC prompt, and close the command prompt window once execution completes.

The service is installed at this point if all things went well. You may use the same method to remove the service again, and the only difference is that you need to execute the uninstall.bat file this time with elevated privileges.

The process logs

The logs are written to the logs subdirectory where they are sorted by PC name, and then by date.

Each entry begins with the type of activity, e.g. process creation or termination, followed by date and time.

The following information is made available for each entry:

  1. Process ID, full path and executable filename.
  2. Command line.
  3. Process parent with ID, path and filename.
  4. Parent command line.
  5. Username and Domain.
  6. MD5 Hash.
  7. Publisher and Signer.
  8. Description.
  9. Version.
  10. Integrity Level.
  11. System, Protected or Metro Process.

Since the logs are plain text files, you can search them and copy from them with any editor. Jumping to the next entry in the activity log is not as comfortable as in a GUI application, but it is manageable even for large logs.
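For comparison, the same kind of plain-text activity log can be produced with built-in Windows tooling. This is an added PowerShell example, not code from Process Logger Service or its developer; the log directory, file naming and line format are assumptions chosen to mirror the fields listed above.

```powershell
# Added example (not part of Process Logger Service): log process creation and
# termination to a plain-text file per computer and day, enriching each start
# event with path, command line, parent, user, MD5 and signer. Run elevated:
# the Win32_ProcessStartTrace/StopTrace events require administrator rights.
$LogDir = Join-Path $env:ProgramData 'ProcTrace'   # assumed log location
New-Item -ItemType Directory -Force -Path $LogDir | Out-Null

function Get-ProcessDetail([uint32]$ProcessId) {
    # The trace event carries only PID, name and parent PID; fetch the rest
    # from Win32_Process. Short-lived processes may already be gone.
    $p = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId" -ErrorAction SilentlyContinue
    if (-not $p) { return 'path=? cmd=? user=? md5=? signer=? (exited before lookup)' }
    $path = $p.ExecutablePath; $md5 = '?'; $signer = '?'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "unsigned/$($sig.Status)" }
    }
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    'path="{0}" cmd="{1}" user={2}\{3} md5={4} signer="{5}"' -f $path, $p.CommandLine, $o.Domain, $o.User, $md5, $signer
}

function Write-TraceLine([string]$Kind, [string]$Text) {
    # One file per computer and day, like the logs/<PC>/<date> layout described above.
    $file = Join-Path $LogDir ('{0}-{1:yyyy-MM-dd}.log' -f $env:COMPUTERNAME, (Get-Date))
    Add-Content -LiteralPath $file -Value ('{0} {1:o} {2}' -f $Kind, (Get-Date), $Text)
}

Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace -SourceIdentifier ProcStart
Register-CimIndicationEvent -ClassName Win32_ProcessStopTrace  -SourceIdentifier ProcStop
try {
    while ($true) {
        $ev = Wait-Event                       # blocks until either trace fires
        $e  = $ev.SourceEventArgs.NewEvent
        $head = 'pid={0} name={1} parent={2}' -f $e.ProcessID, $e.ProcessName, $e.ParentProcessID
        if ($ev.SourceIdentifier -eq 'ProcStart') {
            Write-TraceLine 'CREATE'    "$head $(Get-ProcessDetail $e.ProcessID)"
        } else {
            Write-TraceLine 'TERMINATE' "$head exit=$($e.ExitStatus)"
        }
        Remove-Event -EventIdentifier $ev.EventIdentifier
    }
} finally {
    # Ctrl+C ends the loop; drop both subscriptions so no events pile up.
    Unregister-Event -SourceIdentifier ProcStart
    Unregister-Event -SourceIdentifier ProcStop
}
```

Because the enrichment happens after the event arrives, very short-lived processes are logged with their PID, name and parent only, which is the same gap any post-hoc lookup has.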

Closing Words

Process Logger Service is compatible with all 32-bit and 64-bit versions of Windows from Windows XP to Windows 10.

On some setups, it may make sense to run the Service all the time as it provides you with information on processes that got started and terminated throughout a work day or period.

On others, you may want to run it only when you require the information, for instance when you suspect that processes run at times when they should not.


Comments

  1. Tom Hawack said on June 27, 2016 at 8:15 pm
    Reply

    SysInternals SysMon is maybe more complete but it logs to the Windows event log when this ‘Process Logger Service’ logs right into a plain file. For non-techies the application could bring valuable information within an easier approach. In the spirit of “making complicated things easy”

    1. Martin Brinkmann said on June 27, 2016 at 10:43 pm
      Reply

      I agree Tom, this program is simpler to use which is the main thing it has going for it. If you are an advanced user, you probably use Sysmon as it has more to offer.

  2. Brandon said on June 27, 2016 at 5:55 pm
    Reply

    system explorer has a history tab that does exactly this

  3. Mark Woan said on June 27, 2016 at 2:52 pm
    Reply

    So basically what the SysInternals Sysmon tools does, but less functional?

    https://technet.microsoft.com/en-gb/sysinternals/sysmon

    1. Martin Brinkmann said on June 27, 2016 at 3:38 pm
      Reply

      Mark, right, Sysmon is excellent and powerful. This one is a bit easier to set up, but limited in comparison.
