0

I have a custom-developed application (stand-alone) installed on a Windows 2012 R2 server, and the drive is mapped to the end user's Windows 10 workstation. The user opens the mapped drive and double-clicks the application to run it.

Now my question is: Is there a way to find who (user ID) executes the application and when? It may be in the event log or somewhere else, but I am looking for that information to satisfy my auditor.

Also, if it is not captured right now, is there a way (through some batch file etc.) to capture this information?

Partho

2 Answers

0

Not unless proper auditing was configured beforehand.

For the system:
Advanced Audit Policy, Object Access, Audit File System (Success and Failure)

For the directory:
Advanced Security Settings, Auditing, Everyone, All, Read & Execute

With those configured, you'd see Event ID 4663, "An attempt was made to access an object", in the Security Log:

An attempt was made to access an object.
Subject:
    Security ID:    DOMAIN\SamAccountName
Object:
    Object Name:    <FILEPATH>
Access Request Information:
    Accesses:       Execute/Traverse
spacenomyous
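
The two audit settings and the Event ID 4663 lookup described in the answer above, as an added PowerShell example that is not part of the original answer. The application path and the CSV file name are placeholders, and it assumes the event's Object Name holds the server-local path of the file rather than the mapped drive letter.

```powershell
# Added example. Run elevated on the file server. $AppPath is a placeholder:
# use the server-local path of the executable, not the mapped drive letter.
$AppPath = 'D:\Apps\MyApp\MyApp.exe'

# 1. System: Advanced Audit Policy > Object Access > Audit File System.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Directory: auditing entry for Everyone, type All, Read & Execute.
$folder = Split-Path -Path $AppPath -Parent
$acl    = Get-Acl -Path $folder -Audit
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
              'Everyone', 'ReadAndExecute',
              'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Report: who accessed the executable with Execute/Traverse, and when.
function Get-AppExecutionAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [datetime] $Since = (Get-Date).AddDays(-30)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # AccessMask bit 0x20 is FILE_EXECUTE, shown as Execute/Traverse.
            $mask = [Convert]::ToInt32($data['AccessMask'], 16)
            if ($data['ObjectName'] -ieq $Path -and ($mask -band 0x20)) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    ObjectName  = $data['ObjectName']
                    Result      = $evt.KeywordsDisplayNames -join ','
                }
            }
        }
}

# Export the rows for the auditor (output file name is a placeholder).
Get-AppExecutionAudit -Path $AppPath |
    Sort-Object TimeCreated |
    Export-Csv -Path .\app-execution-audit.csv -NoTypeInformation
```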
0

Similar to spacenomyous (finding the correct Event ID), you can set up log collection of Event Log IDs (i.e. based on the Event ID mentioned by them) and forward these out to your collector server or some sort of monitoring suite.

NASAhorse