-
November 8th, 2014, 07:56 PM
#1
Which application started another
Is there any way to instruct Windows 7 to log what process/application starts another process/application? I guess there is just I don't know how to do it
Ideas please
-
November 9th, 2014, 09:29 PM
#2
Re: Which application started another
Process Explorer, or Sysinternals, which have tools
-
November 10th, 2014, 05:51 AM
#3
Re: Which application started another
That works as long as the parent process is known and existing. Now imagine Sysinternals showing "Not found" where the parent should be. What to do then?
-
November 10th, 2014, 06:27 AM
#4
Re: Which application started another
Originally Posted by luftwaffe
That works as long as the parent process is known and existing. Now imagine Sysinternals showing "Not found" where the parent should be. What to do then?
Then you should accept that "the parent process is not known or not existing"!
Victor Nijegorodov
-
November 10th, 2014, 08:38 AM
#5
Re: Which application started another
No. As a matter of fact, it was started somehow. I would like to know how or by whom. It does not sound like a big trick, or do programs just appear and disappear out of the blue? I don't think so.
-
November 10th, 2014, 09:29 AM
#6
Re: Which application started another
No, programs do not just appear out of the blue - but that does not mean that info is always available about a process's parent process. A process holds info about its parent as an identifier - the parent process identifier. To get further info about this process it needs to be still available so that further info can be obtained - such as the name of the process executable file. If the parent process is not available then this additional info may not be able to be obtained.
If you want to be able to always log process hierarchies then you may need to write your own program. Note that there is no easy method of obtaining info about processes - or of getting a trigger event if a process is created or destroyed. You take a snapshot of all processes running at a particular instance and this snapshot provides some info. You process this info as needed and then take another snapshot and process etc. A snapshot is exactly that - a snapshot of the running processes at a particular instance; it is not real-time info.
For more info see http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx and its links which include a link to a sample program to obtain process info.
All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!
C++23 Compiler: Microsoft VS2022 (17.6.5)
-
November 11th, 2014, 01:15 PM
#7
Re: Which application started another
Originally Posted by luftwaffe
No. As a matter of fact, it was started somehow. I would like to know how or by whom. It does not sound like a big trick, or do programs just appear and disappear out of the blue? I don't think so.
It might not sound like a big trick, but if the OS doesn't keep an audit trail of that information (or expose the audit trail), you are out of luck. In that case, the best you can do is hook into new process creation and store your own audit records and hierarchy. Of course, you'll have to keep in mind that process IDs get reused so you'll need to be careful about not creating invalid hierarchies with reused PIDs.
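Added example (not code from anyone in this thread): one way to do what posts #6 and #7 describe, in Windows PowerShell. It takes a single WMI snapshot of Win32_Process, resolves each parent PID against that same snapshot, and treats the parent as genuine only if the process currently holding that PID was created no later than the child. A PID that a newer process has recycled is reported as "PID reused" rather than as a false parent, and a parent that has already exited shows as "Not found" just as Process Explorer does. The function name and the output column names are my own; it assumes Windows PowerShell 2.0 or later (Get-WmiObject) and an elevated session if you want other users' processes included.

```powershell
# Added example, not code from the thread. Builds a parent/child view from a
# single WMI snapshot of Win32_Process (the snapshot approach post #6 describes)
# and resolves a parent PID only when the process currently holding that PID
# was created no later than the child. A PID recycled by a newer process is
# reported as "PID reused", not as a false parent (the caveat in post #7).
# Assumes Windows PowerShell 2.0 or later; run elevated to see all processes.

function ConvertFrom-WmiDate([string]$cimDate) {
    # WMI stores CreationDate as a CIM_DATETIME string; kernel pseudo-processes
    # such as PID 0 have none, so return $null for those instead of throwing.
    if (-not $cimDate) { return $null }
    return [System.Management.ManagementDateTimeConverter]::ToDateTime($cimDate)
}

function Get-ProcessTreeSnapshot {
    $procs = Get-WmiObject -Class Win32_Process   # point-in-time, not real-time
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $ppid       = [int]$p.ParentProcessId       # note: $pid itself is reserved
        $parent     = $byPid[$ppid]
        $parentName = $null
        $status     = 'Not found'          # parent exited; only its PID survives
        if ($parent) {
            $childStart  = ConvertFrom-WmiDate $p.CreationDate
            $parentStart = ConvertFrom-WmiDate $parent.CreationDate
            $parentName  = $parent.Name
            if ($childStart -and $parentStart -and $parentStart -gt $childStart) {
                # The holder of this PID started after the child: recycled PID.
                $status = 'PID reused'
            } else {
                $status = 'Alive'
            }
        }
        New-Object PSObject -Property @{
            Pid          = [int]$p.ProcessId
            Name         = $p.Name
            ParentPid    = $ppid
            ParentName   = $parentName
            ParentStatus = $status
        }
    }
}

Get-ProcessTreeSnapshot | Sort-Object ParentPid, Pid |
    Format-Table Pid, Name, ParentPid, ParentName, ParentStatus -AutoSize
```

The creation-time comparison is the whole point: only one process holds a given PID at a time, so if the holder of the parent PID already existed when the child started, it must be the real parent; if it started later, the PID has been recycled and the true parent is gone. Run it twice a few seconds apart and you will see processes change from "Alive" to "Not found" as parents exit, which is exactly the "snapshot is not real-time" limitation post #6 warns about.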
-
November 11th, 2014, 02:58 PM
#8
Re: Which application started another
You may find this article of interest - particularly using WMI to track process creation.
https://social.msdn.microsoft.com/Fo...orum=vcgeneral
For info about WMI see http://msdn.microsoft.com/en-us/libr...=vs.85%29.aspx and subsequent links. WMI uses COM so a knowledge of COM programming is helpful to use WMI.
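Added example (not code from anyone in this thread, nor from the linked MSDN article): the WMI process-creation tracking post #8 refers to, done from PowerShell so no COM plumbing is needed. It subscribes to __InstanceCreationEvent for Win32_Process and writes one log line per new process, looking the parent up at that moment while it is most likely still alive, with the same recycled-PID guard as the snapshot approach. The subscription name and the log path are my own choices; it assumes Windows PowerShell 2.0 or later (Register-WmiEvent), and an elevated session to see every user's processes.

```powershell
# Added example, not code from the thread. Subscribes to WMI process-creation
# events (the WMI tracking post #8 points to) and appends one line per new
# process with its parent's name, looking the parent up immediately while it
# is most likely still alive. Assumes Windows PowerShell 2.0 or later and a
# writable $LogPath (an assumed location); WITHIN 1 polls once per second, so
# the event can arrive up to a second after the process actually started.

$LogPath = Join-Path $env:TEMP 'process-starts.log'

$query = "SELECT * FROM __InstanceCreationEvent WITHIN 1 " +
         "WHERE TargetInstance ISA 'Win32_Process'"

Register-WmiEvent -Query $query -SourceIdentifier ProcStartLogger -MessageData $LogPath -Action {
    $proc   = $Event.SourceEventArgs.NewEvent.TargetInstance
    $parent = Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $parentName = 'Not found'             # parent already gone: record that honestly
    if ($parent) {
        # Guard against a recycled PID: a holder that started after the child
        # is not the parent (the caveat in post #7).
        $childStart  = [System.Management.ManagementDateTimeConverter]::ToDateTime($proc.CreationDate)
        $parentStart = [System.Management.ManagementDateTimeConverter]::ToDateTime($parent.CreationDate)
        if ($parentStart -le $childStart) { $parentName = $parent.Name }
        else { $parentName = 'PID reused' }
    }
    $line = '{0:u} pid={1} name="{2}" ppid={3} parent="{4}" cmd="{5}"' -f `
        (Get-Date), $proc.ProcessId, $proc.Name, $proc.ParentProcessId, $parentName, $proc.CommandLine
    Add-Content -Path $Event.MessageData -Value $line
}

# Leave this session open; follow the log from another window with:
#   Get-Content $LogPath -Wait
# Stop logging with:
#   Unregister-Event -SourceIdentifier ProcStartLogger
```

Because the parent is looked up as soon as the event fires, this records names that a later snapshot could never recover, which is the audit trail post #7 says you have to build yourself. The one-second polling interval is the weak spot: a parent that launches a child and exits within that window will still show as "Not found", so for anything stricter than a forum answer you would want an operating-system audit source (Windows process-creation auditing) rather than a polled WMI query.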