Track which program launches a certain process?

Solution 1:

There is a thing called PPID (Parent Process ID), but it's relatively "tricky" to find in Windows because it's not a column shown in Task Manager, and I'm not even seeing it among the columns in Process Explorer either.

Two methods of doing this:

Method 1 - WMIC
Method 2 - Process Monitor

Both of these are pretty quick methods.

Method 1 - WMIC

I'll use an answer on how to find the PPID using WMIC from over here: https://stackoverflow.com/questions/7486717/finding-parent-process-id-on-windows

That makes the rest of this fairly simple:

C:\blah>wmic process get processid,parentprocessid
ParentProcessId  ProcessId
0                0
0                4
4                320
392              572
320              656
648              664
392              688
688              740
688              756
688              764
...              ...

The rest is fairly obvious.

So let's suppose you want to find who launched calc.exe, and calc.exe, as you see from Task Manager, is PID 7384:

C:\blah>wmic process get processid,parentprocessid | find "7384"
10896            7384

PPID             PID


C:\crp>

WMIC shows the association between PID and PPID. Then look up 10896 in Task Manager (10896 is the PPID listed for calc.exe's PID of 7384), and in Task Manager I see that the process with PID 10896 is cmd.exe, which is the process I used to launch calc.exe. And indeed cmd.exe is the parent process that spawned calc.exe.

Method 2 - Process Monitor

You can do it in Sysinternals Process Monitor.

Click Filter > Filter in the menu bar, and add a filter on the name, path or PID of the process, e.g. Process Name is calc.exe, or a filter on Path with c:\windows\system32\calc.exe.

I happened to use Process Name.


Click OK, and File > Capture if it's not yet capturing.

Double-click the right event (in this case the Load Image for calc.exe) and a properties dialog comes up; click the 'Process' tab, and you see the PID and PPID (Parent Process ID).


And of course, once you know the PPID, you can look it up in Task Manager to know what process spawned it.
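As an added example that is not part of the answer above, the following PowerShell script does the WMIC lookup with Get-CimInstance (the supported replacement for the deprecated WMIC) and walks the whole parent chain in one go instead of looking each PPID up by hand. It also handles the one trap in this technique: Windows reuses PIDs, so the process currently holding the PPID number may not be the real parent if the real parent has already exited. The function name, parameter names and the placeholder string are my own choices.

```powershell
# Added example, not code from the original answer.
# Usage:  .\Get-ParentChain.ps1 -ProcessId 7384
param([int]$ProcessId = $PID)   # defaults to the current PowerShell process

function Get-ParentChain {
    param([Parameter(Mandatory)][int]$ProcessId)

    # One CIM query for every process, keyed by PID, so the walk needs no further calls.
    # Win32_Process exposes the same ProcessId/ParentProcessId that "wmic process get" shows.
    $all = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $all[[int]$_.ProcessId] = $_ }

    $chain   = @()
    $current = $all[$ProcessId]
    if (-not $current) { throw "No running process with PID $ProcessId" }

    while ($current) {
        $parent = $all[[int]$current.ParentProcessId]

        # PID reuse check: a "parent" that started after its child cannot be the real
        # parent; the original parent exited and the number was handed to someone else.
        if ($parent -and $parent.CreationDate -and $current.CreationDate -and
            $parent.CreationDate -gt $current.CreationDate) {
            $parent = $null
        }

        $parentName = if ($parent) { $parent.Name } else { '<exited or PID reused>' }

        $chain += [pscustomobject]@{
            PID         = $current.ProcessId
            PPID        = $current.ParentProcessId
            Name        = $current.Name
            ParentName  = $parentName
            Started     = $current.CreationDate
            CommandLine = $current.CommandLine
        }

        # PID 0 (System Idle Process) lists itself as its own parent; stop there.
        if ($current.ProcessId -eq $current.ParentProcessId) { break }
        $current = $parent
    }
    $chain
}

Get-ParentChain -ProcessId $ProcessId | Format-Table -AutoSize
```

Run it from an elevated prompt if you want CommandLine for processes owned by other users; without elevation those fields come back empty but the PID/PPID chain is still complete. If the chain stops at "<exited or PID reused>", the live process table no longer holds the answer and you need a recording tool such as Process Monitor or the 4688 audit events described later on this page.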

Solution 2:

If this were a process that was running in the background, I would probably use the Process Explorer or wmic process approaches outlined by Barlop or Robert Koritnik. If the process is transient and launches/exits very quickly, leaving not enough time to perform the necessary clicks and keystrokes, I would use Process Monitor, as outlined by nixda.

I'm a bit late to this party, but for the sake of completion:

Another alternative to this (if for whatever reason you don't want to use Process Monitor) is to use the built-in process tracking. This can be enabled by going to:

Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Audit Policy

If Administrative Tools isn't present in your Control Panel, another way to open Local Security Policy is by clicking the Start button and typing secpol.msc.

You should see several auditing options, including Audit Process Tracking. Turn this on for the category of Success.


Now in Event Viewer -> Windows Logs -> Security, you will see an event for "process creation" (that's event ID 4688) with the name/path of the process being created, and a field called Creator Process ID. This contains the hex representation of the PID of the process which created this process (you can convert this easily using calc.exe in the Programmer view).


You can look for that PID (the PID of the 'creator process', i.e. the PPID) in either Task Manager or the output of something like tasklist /svc.

If the process is no longer there, you can look for other events with ID 4688 for that other PID, from when it was created.
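As an added example that is not part of the answer above, this PowerShell script automates the last two steps: it reads the 4688 events from the Security log, converts the hex Creator Process ID, and follows the chain of creator events upward, which also works for processes that exited long ago. Event 4688 stores the new process PID in the EventData field NewProcessId and the creator PID in the field ProcessId, both as hex strings; the ParentProcessName field only exists on Windows 10 / Server 2016 and later, so it is treated as optional. The function name, parameter names and the auditpol line for enabling the policy are my own (auditpol is the command-line equivalent of the Local Security Policy setting described above).

```powershell
# Added example, not code from the original answer.
# Needs an elevated prompt (reading the Security log) and Process Creation auditing
# already enabled, e.g.:  auditpol /set /subcategory:"Process Creation" /success:enable
# Usage:  .\Get-CreatorChain.ps1 -ProcessId 7384
param(
    [Parameter(Mandatory)][int]$ProcessId,
    [int]$MaxEvents = 5000          # how far back in the Security log to look
)

function Get-ProcessCreationEvents {
    param([int]$MaxEvents)
    # Get-WinEvent returns newest events first; we rely on that ordering below.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                # Both PID fields are hex strings such as 0x1cd8; [int] understands the 0x prefix,
                # so no round trip through calc.exe is needed.
                NewPid      = [int]$d['NewProcessId']
                NewName     = $d['NewProcessName']
                CreatorPid  = [int]$d['ProcessId']
                CreatorName = $d['ParentProcessName']   # empty on systems older than Windows 10
                CommandLine = $d['CommandLine']         # empty unless command-line auditing is on
            }
        }
}

function Get-CreatorChain {
    param([int]$ProcessId, [object[]]$Events)
    $chain  = @()
    $pidToFind = $ProcessId
    $before = [datetime]::MaxValue
    while ($true) {
        # PIDs are reused, so pick the most recent creation of this PID that happened
        # *before* the child was created, not just any event with that number.
        $ev = $Events |
            Where-Object { $_.NewPid -eq $pidToFind -and $_.Time -le $before } |
            Select-Object -First 1
        if (-not $ev) { break }          # creator predates the log window, or PID 0/4
        $chain += $ev
        $pidToFind = $ev.CreatorPid
        $before    = $ev.Time
        if ($chain.Count -gt 64) { break }  # safety stop for a cyclic or garbled log
    }
    $chain
}

$events = @(Get-ProcessCreationEvents -MaxEvents $MaxEvents)
if ($events.Count -eq 0) { throw 'No 4688 events found; is Process Creation auditing enabled?' }

$chain = Get-CreatorChain -ProcessId $ProcessId -Events $events
if ($chain.Count -eq 0) {
    Write-Warning "No 4688 event for PID $ProcessId in the last $MaxEvents events; raise -MaxEvents."
} else {
    # First row is the process you asked about, each following row is its creator.
    $chain | Format-Table Time, NewPid, NewName, CreatorPid, CreatorName -AutoSize
}
```

The first row of the output is the process you asked about and each subsequent row is the process that created the one before it, so the answer to "which program launched it" is the NewName in the second row. When the chain stops early, the creator was started before the oldest event you fetched (raise -MaxEvents) or before auditing was switched on, in which case only a live lookup such as tasklist or Task Manager can still identify it.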