I need to get a history of which processes have run on my Windows machine, and when they were run. However, I cannot use any third-party software, as I cannot guarantee that it will always be running.
Is there any way to get this information only using Windows built-in functionality?
Solution:
Sure. You can use Windows’ built-in event logging (assuming you’re not on some cheap edition that doesn’t have it).
- Press Win+R and type gpedit.msc to open the group policy manager.
- In the left pane, navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
- In the right pane, double-click “Audit process tracking” and check both boxes.
From now on, all process creations and deletions (and failed attempts at same) will appear in the Security log.
To view them, run Event Viewer. (Hit the Windows key and start typing “Event Viewer”.) In the left pane expand the “Windows Logs” sub-tree and click “Security”. All the security events will be displayed.
In the right pane you can set up a Filter to look for event IDs like 4688 or 4689, or any other supported criteria.
You might consider not enabling logging of failures since you’re looking for “what has run and when”, and if a process creation failed, then nothing has run… but that’s up to you.
You aren’t limited to just reading the event log on your screen, either. Windows “Scheduled tasks” can be triggered by event log entries that match criteria you specify. You can also read the event log with a PowerShell script (or, of course, with an ordinary program) and do stuff based on what you find.
N.B.: David Postill’s answer gives more detail on some of the event codes, etc. Don’t ignore it!
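The procedure above, done from the command line instead of the GUI, as an added example that is not part of the original answer: it enables the same audit subcategories with the built-in auditpol tool and then reads 4688/4689 events back with PowerShell. It assumes an elevated prompt on Windows 10 / Server 2016 or later; the function name Get-ProcessHistory and its parameters are this example's own choices.

```powershell
# Added example (not from the original answer). Run from an elevated PowerShell
# prompt. Assumes Windows 10 / Server 2016 or later.

# --- 1. Enable auditing ----------------------------------------------------
# Command-line equivalent of ticking Success/Failure on "Audit process tracking":
# the legacy category maps onto these "Detailed Tracking" subcategories.
auditpol /set /subcategory:"Process Creation"    /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable

# Optional: record the full command line in event 4688 (off by default). This is
# the registry value behind the policy "Include command line in process creation
# events"; without it the CommandLine field below stays empty.
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    -Name 'ProcessCreationIncludeCmdLine_Enabled' -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the effective setting.
auditpol /get /subcategory:"Process Creation"

# --- 2. Query the Security log -----------------------------------------------
function Get-ProcessHistory {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),   # how far back to look
        [int]$MaxEvents = 500                          # cap on events returned
    )
    # 4688 = new process created, 4689 = process exited.
    $filter = @{ LogName = 'Security'; Id = 4688, 4689; StartTime = $Since }

    # Get-WinEvent raises an error when nothing matches; treat that as "no results".
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull named fields out of the event's XML payload. The positional
            # Properties array shifts between Windows versions; the names do not.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Event   = if ($_.Id -eq 4688) { 'Start' } else { 'Exit' }
                User    = $d['SubjectUserName']
                # 4688 carries the image path in NewProcessName, 4689 in ProcessName.
                Process = if ($_.Id -eq 4688) { $d['NewProcessName'] } else { $d['ProcessName'] }
                # Process IDs are logged as hex strings, e.g. 0x1a2c.
                PID     = if ($_.Id -eq 4688) { $d['NewProcessId'] } else { $d['ProcessId'] }
                Parent  = $d['ParentProcessName']   # 4688 only, present on Windows 10+
                Cmd     = $d['CommandLine']         # only populated with the registry value above
            }
        }
}

# Usage: everything from the last 24 hours, newest first.
Get-ProcessHistory | Sort-Object Time -Descending | Format-Table -AutoSize

# Narrower question: which images were started this week, and how often?
Get-ProcessHistory -Since (Get-Date).AddDays(-7) -MaxEvents 20000 |
    Where-Object Event -eq 'Start' |
    Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Two caveats a practitioner will want. First, the Security log is a fixed-size ring buffer and a busy machine produces a lot of 4688 events, so raise the log size (for example `wevtutil sl Security /ms:1073741824` for 1 GiB) or archive it on a schedule; otherwise the oldest history silently disappears. Second, the Security log is readable only by administrators, so the query half of the example must also run elevated.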