Monitor Process creation and termination on Windows
Process Logger Service is a free program for Windows that installs itself as a service to monitor process creation on the computer it is installed on.
Processes are launched when you start a program on a device running Windows, but also automatically by software, services or the operating system.
While you may identify some of the running processes easily, for instance the programs you started yourself, you will miss the bulk of process creation and termination that happens in the background.
Programs like the Windows Task Manager or the more suitable Process Explorer help you get a better look at what is happening on the system, but they usually only provide a snapshot of the processes running at that moment.
It is easy to miss processes that start and terminate automatically.
Monitor Process creation and termination
Process Logger Service has been designed to provide you with a process activity log. It is a bit more involved to install because it runs as a Windows service, but once it is installed it works automatically.
Download the program archive from the developer website and extract it. Then copy the ProcessLoggerSvc directory to the root of the c: drive.
Open config.ini in the service directory with a plain text editor to change the default configuration of the service.
Options include disabling the logging of process creations or terminations, disabling the computation of MD5 hashes, or changing the log directory location.
Once done, right-click on install.bat under root and select run as administrator from the menu. Confirm the UAC prompt, and close the command prompt window once the execution completes.
The service is installed at this point if all went well. The service is removed the same way; the only difference is that you run uninstall.bat with elevated privileges instead.
The process logs
The logs are written to the logs subdirectory where they are sorted by PC name, and then by date.
Each entry begins with the type of activity, e.g. process creation or termination, followed by date and time.
The following information is made available for each entry:
- Process ID, full path and executable filename.
- Command line.
- Process parent with ID, path and filename.
- Parent command line.
- Username and Domain.
- MD5 Hash.
- Publisher and Signer.
- Integrity Level.
- System, Protected or Metro Process.
Since the logs are plain text files, you can search and copy them freely. Jumping to the next entry in the activity log is not as comfortable as in a GUI application, but it is manageable even for large logs.
Process Logger Service is compatible with all 32-bit and 64-bit versions of Windows from Windows XP to Windows 10.
On some setups it may make sense to run the service all the time, as it records the processes that were started and terminated throughout a work day or another period.
On others, you may want to run it only when you need the information, for instance when you suspect that processes are running at times when they should not.
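As an added example (not part of the original article and not code from the tool's developer), a short Python script that reads text logs carrying the fields listed above and flags the cases the article raises: creations without a signer, creations outside working hours, and processes that terminated within seconds of starting. The "Key: value" block layout, the working-hours window and the five-second threshold are assumptions, and the sample entries are constructed.

```python
from datetime import datetime, time

# Constructed sample log; the page does not document the file layout, so this "Key: value" block form is an assumption.
SAMPLE_LOG = """\
Process creation 2016-03-14 09:12:05
PID: 1204
Path: C:\\Windows\\explorer.exe
Signer: Microsoft Windows

Process creation 2016-03-14 02:47:33
PID: 5120
Path: C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe
Signer:

Process termination 2016-03-14 02:47:35
PID: 5120
Path: C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe
"""
WORK_HOURS = (time(7, 0), time(20, 0))  # assumed normal working day, local time
SHORT_LIVED_SECONDS = 5                 # assumed threshold for processes that blink in and out

def parse_entries(text):
    """One dict per entry: 'type', 'time', plus the 'Key: value' fields of that entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        _, kind, stamp = lines[0].split(" ", 2)  # "Process <creation|termination> <date time>"
        entry = {"type": kind, "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")}
        for line in lines[1:]:
            key, _, value = line.partition(":")   # first colon only, so "C:\..." paths survive
            entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries

def triage(text):
    """(pid, path, reason) for unsigned or off-hours creations and short-lived processes."""
    findings, starts = [], {}
    for e in parse_entries(text):
        key = (e["PID"], e["Path"])
        if e["type"] == "creation":
            starts[key] = e["time"]
            if not e.get("Signer"):
                findings.append((e["PID"], e["Path"], "unsigned"))
            if not WORK_HOURS[0] <= e["time"].time() <= WORK_HOURS[1]:
                findings.append((e["PID"], e["Path"], "off-hours"))
        elif e["type"] == "termination" and key in starts:
            life = (e["time"] - starts.pop(key)).total_seconds()
            if life < SHORT_LIVED_SECONDS:
                findings.append((e["PID"], e["Path"], "short-lived"))
    return findings
```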
So basically what the SysInternals Sysmon tool does, but less functional?
Mark, right, Sysmon is excellent and powerful. This one is a bit easier to set up, but limited in comparison.
System Explorer has a history tab that does exactly this.
SysInternals SysMon is maybe more complete but it logs to the Windows event log when this ‘Process Logger Service’ logs right into a plain file. For non-techies the application could bring valuable information within an easier approach. In the spirit of “making complicated things easy”
I agree Tom, this program is simpler to use which is the main thing it has going for it. If you are an advanced user, you probably use Sysmon as it has more to offer.