Where can I see what calls of EXE-programs have been made (including the arguments)?

Is there any log-file within Windows where all EXE-calls are tracked or is it possible to enable such a log? Would this contain the arguments / parameters of these calls?

Thanks


Solution 1:

This can be done using the Audit Process Creation policy, which is enabled either in Group Policy if you're in a domain environment, or in the local policy on an individual workstation. This setting is in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking.

Each time a process is started, an event will be recorded in the Windows event log with ID 4688.

The more recent versions of Windows and Windows Server (8.1, 2012 R2 and above) will also record command line arguments if you enable a second policy setting called "Include command line in process creation events".
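The following PowerShell is an added example, not part of the original answer: it applies the two settings from Solution 1 on a single machine and then lists recent 4688 events with their command lines. It assumes an elevated prompt on an English-language Windows installation (the auditpol subcategory name is localized) and no domain Group Policy overriding the local values; the function name Get-ProcessCreationEvent is made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer).

# 1. Enable success auditing for the "Process Creation" subcategory.
#    Assumption: English-language Windows; the subcategory name is localized.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# 2. Local registry equivalent of the policy setting
#    "Include command line in process creation events".
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. Read event ID 4688 from the Security log and flatten the fields of interest.
#    Get-ProcessCreationEvent is a hypothetical helper name used only here.
function Get-ProcessCreationEvent {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 200
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Index the EventData fields by name instead of by position,
            # because the field layout differs between Windows versions.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process     = $data['NewProcessName']
                CommandLine = $data['CommandLine']        # empty unless step 2 is in effect
                Parent      = $data['ParentProcessName']  # only on Windows 10 / Server 2016 and later
            }
        }
}

# Show process starts from the last hour, oldest first.
Get-ProcessCreationEvent | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Only processes started after both settings take effect are logged with a command line. Logged command lines can contain passwords or tokens passed as arguments, so treat read access to the Security log accordingly.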

Solution 2:

You should take a look at the Sysinternals tool called Sysmon.

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.

Sysmon includes the following capabilities:

Logs process creation with full command line for both current and parent processes.