I'd like to know wWhen an application was started or closed: for example: Google Chrome, Microsoft Word, Notepad etc.
I've been looking at the Event Viewer longs but couldn't find any logs for this.
I wonder if there's some way to know this, preferrably without having to install any application.
Any help much welcome
A brief search suggests
windows - How can I get a history of running processes - Super User
Perhaps that will point you in the right direction
Thanks for your answer. I already tried that, that's the article I based myself on. Neither 4688,4689 nor all other Security, System and Application IDs I tried get triggered when an app is opened/closed in my testing. This works fine to track shut-downs, start-up, restart, User account login, log out, etc, but I still couldn't' find how to track when apps are opened or closed.
Just to confirm, those event ids appear conditional on this:
But that requires Pro up, or perhaps the equivalent registry info for the setting.Sure. You can use Windows' built-in event logging (assuming you're not on some cheap edition that doesn't have it). Press Win+R and type gpedit.msc to open the group policy manager
- In the left pane, navigate to
Local Computer Policy \ Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Audit Policy- In the right pane, double-click "Audit process tracking" and check both boxes
From now on, all process creations and deletions (and failed attempts at same) will appear in the Security log.
To view them, run Event Viewer. (Hit the Windows key and start typing "Event Viewer".) In the left pane expand the "Windows Logs" sub-tree and click "Security". All the security events will be displayed.
For interest (?) on event id 4688
Windows Security Log Event ID 4688 - A new process has been created
Clear example here:
How can I track what programs come and go on my machine? - Ask Leo!
You can do this.
This example will work for when sublime text closes. Amend to suit. I've set a cleaning pyton script to clean out files, folders and projects that no longer exist on the system to run once ST has closed using the Task scheduler with this code and a screenshot of where you enter it.
Code:<QueryList> <Query Id="0" Path="Security"> <Select Path="Security"> *[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (band(Keywords,9007199254740992)) and (EventID=4689)]] and *[EventData[Data[@Name='ProcessName'] and (Data='W:\Apps (Portable)\Sublime Text\sublime_text.exe')]] and *[EventData[(Data='0x0')]] </Select> </Query> </QueryList>
Screenshot example of Task Scheduler.
Quote
