Checking what commands were run on windows?

Question

From time to time a cmd windows popps up (or two of them) for a split second I cannot track what was started. Is there a way to monitor the cmd/powershell window? Sysmon?

Or is there a way to force cmd window to not close when command finishes?

The main issue is that I cannot see what command was started

Sysmon would work. An alternative would be procmon and keep it running until the window pops up. — Lieven Keersmaekers, Mar 07 '18 at 07:22
Yes, both will. Sysmon shows it in the eventlog, procmon shows it in the process details. For a one of situation, procmon would be the easier choice. Do make sure you don't hang up your computer by letting the log grow to large. — Lieven Keersmaekers, Mar 07 '18 at 07:24

score 2 · Answer 1 · answered Mar 07 '18 at 07:31

2

For a one of situation, procmon would be the easiest choice

Disable the registry, file and network activity to minimize the amount of logging.
Make sure the process activity is enabled
start capturing and wait for the popup (end capturing once the popup has, well, popped up)
double click the process
get the command line

answered Mar 07 '18 at 07:31

Lieven Keersmaekers

303
1
12

more than I wished for :) – kol23 Mar 07 '18 at 07:54
@koller23 - I'm curious what it is :). I remember a similar issue on my machine that turned out to be a Windows update problem *(nothing to worry about but annoying)*. – Lieven Keersmaekers Mar 07 '18 at 08:25

Checking what commands were run on windows?

1 Answers1