Is there a way to receive an event about a process starting in Windows?


ChatGPT

Yes, you can receive notifications about a process starting in Windows by using the Windows Event Log, specifically the "Security" log. The Security log records various security-related events, including process creations. You can use this log to monitor process creations and receive notifications when a new process starts.

Here are the steps to achieve this:

  1. Enable Process Creation Auditing:

    • Open the Local Group Policy Editor (gpedit.msc).
    • Navigate to "Computer Configuration" -> "Windows Settings" -> "Security Settings" -> "Advanced Audit Policy Configuration" -> "Audit Policies" -> "Detailed Tracking".
    • Enable the "Audit Process Creation" policy.
  2. Filter and Collect Events:

    • Open the Event Viewer (eventvwr.msc).
    • Navigate to "Windows Logs" -> "Security".
    • Right-click and select "Filter Current Log..."
    • Set the filter to include event IDs 4688 (Process Creation) and 4689 (Process Termination).
  3. Create a Task to Trigger on Event:

    • Use the Task Scheduler (taskschd.msc) to create a task that triggers on event.
    • Create a new task and select "On an event" as the trigger.
    • Configure the trigger to match event ID 4688 (Process Creation).
    • In the action, you can specify a script or program to run when the event is triggered.
  4. Custom Script or Program:

    • The action of the scheduled task can be a script (e.g., PowerShell script) or a custom program.
    • In the script/program, you can include logic to send notifications or perform specific actions when a process creation event is detected.

Keep in mind that setting up process creation auditing and creating tasks in the Event Viewer might require administrative privileges. Additionally, the granularity and details of the events you receive might depend on the specific Windows version and configuration.

While using the Windows Event Log is a built-in approach, there are also third-party tools and libraries available that can provide more advanced process monitoring and notification capabilities.
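The pipeline the answer describes (Security log, event ID 4688, react when a record is written) as an added PowerShell example; this is not part of the chat above. It assumes "Audit Process Creation" is already enabled and that the session is elevated, since the Security log is not readable by standard users. The 4688 record embedded in the script is a constructed sample so the parsing and the alert rule can be tried offline; the `EventLogWatcher` subscription at the end is an in-session alternative to the Task Scheduler trigger from step 3, and the rule in `Test-SuspiciousProcessCreation` is illustrative only.

```powershell
# Added example, not from the chat above. Parses Security event 4688 (process
# creation) records, applies a sample alert rule, and subscribes to new records.
# Assumes an elevated session and "Audit Process Creation" enabled.

$EventNs = 'http://schemas.microsoft.com/win/2004/08/events/event'

# Constructed sample of a 4688 record (all values made up); this is the shape
# that Get-WinEvent's .ToXml() returns for a real event.
$SampleEventXml = @"
<Event xmlns="$EventNs">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2024-01-15T10:22:31.123456Z" />
    <Channel>Security</Channel>
    <Computer>WORKSTATION01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="NewProcessId">0x1a2c</Data>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TokenElevationType">%%1938</Data>
    <Data Name="ProcessId">0x0fd4</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -EncodedCommand SQBFAFgA</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
"@

function ConvertFrom-ProcessCreationEvent {
    # Turn one 4688 record (as XML text) into a flat object.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', $EventNs)
    $data = @{}
    foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $time = $xml.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
    [pscustomobject]@{
        TimeCreated   = [datetime]::Parse($time).ToUniversalTime()
        User          = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ProcessId     = [int]$data['NewProcessId']      # 4688 stores PIDs as hex strings
        NewProcess    = $data['NewProcessName']
        ParentProcess = $data['ParentProcessName']
        CommandLine   = $data['CommandLine']            # empty unless command-line logging is on
    }
}

function Test-SuspiciousProcessCreation {
    # Illustrative rule only: PowerShell started with an encoded command line.
    param([Parameter(Mandatory)]$Record)
    ($Record.NewProcess -like '*\powershell.exe') -and
        ($Record.CommandLine -match '-e(c|nc|ncodedcommand)?\s')
}

function Start-ProcessCreationWatch {
    # Event-driven alternative to the Task Scheduler trigger: the action runs for
    # every new 4688 record. Dot-source this file first (. .\watch.ps1) so the
    # helper functions are in session scope when the action fires.
    $query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery -ArgumentList @(
        'Security', [System.Diagnostics.Eventing.Reader.PathType]::LogName, '*[System[EventID=4688]]')
    $watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher -ArgumentList $query
    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -SourceIdentifier ProcessStart -Action {
        $rec = ConvertFrom-ProcessCreationEvent $Event.SourceEventArgs.EventRecord.ToXml()
        $line = '{0:u} {1} {2} (parent {3})' -f $rec.TimeCreated, $rec.User, $rec.NewProcess, $rec.ParentProcess
        if (Test-SuspiciousProcessCreation $rec) { Write-Warning "ALERT $line" } else { Write-Host $line }
    } | Out-Null
    $watcher.Enabled = $true
    $watcher
}

# Offline demonstration on the constructed sample record.
$record = ConvertFrom-ProcessCreationEvent $SampleEventXml
$record | Format-List
if (Test-SuspiciousProcessCreation $record) {
    Write-Warning ('Encoded PowerShell launched by {0} as {1} (PID {2})' -f $record.ParentProcess, $record.User, $record.ProcessId)
}
# Live use (elevated): $w = Start-ProcessCreationWatch; ... ; $w.Enabled = $false; Unregister-Event ProcessStart
```

Two caveats worth knowing when you build on this: "Audit Process Creation" alone records the image path and parent, but the CommandLine field stays empty until the separate "Include command line in process creation events" policy (Computer Configuration, Administrative Templates, System, Audit Process Creation) is also enabled, so any rule keyed on arguments is silently blind without it; and because 4688 is written after the process has already started, this gives you detection and response, not prevention.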