How can I track the programs that a user executes on his or her workstation or the programs being executed on a server?

Enable the Audit process tracking audit policy (success events at a minimum) for the desired computers. You'll find this setting in any Group Policy Object (GPO) under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy in the Group Policy Management Console (GPMC). Then start monitoring for event ID 592 (A new process has been created), which Windows logs whenever a new process is started. This event reports the full path of the program, the new process ID, the ID of the parent (creator) process, and the user who started the program, as Figure 1 shows. You can figure out when the program ended by looking in the log for the next occurrence of event ID 593 (A process has exited) with the same Process ID value after the 592 event. Take the next such event rather than any later one: Windows reuses process IDs once a process has exited, so a later 593 with the same ID can belong to a different program. (On Windows Vista and later, the equivalent events are IDs 4688 and 4689 in the Security log.) For more information about these events, see my Windows Security Log Encyclopedia at http://www.ultimatewindowssecurity.com/encyclopedia.html.

Listing 1 shows a Log Parser script that reports each program executed on a specified system. To run the query against a remote computer, change the from clause to from \\computer\security, in which computer is the name of the computer you wish to query (the account running Log Parser needs the right to read that computer's Security log). You can specify more than one computer in the same query by simply separating the computer names with a comma. For example, from \\computer1\security, \\computer2\security would query both computer1 and computer2. To download Microsoft's Log Parser tool, go to http://www.microsoft.com/downloads/details.aspx?familyid=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en.
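Log Parser can list the 592 and 593 events, but pairing each program start with its exit is easier to do in a script over the exported rows. The following is an added example, not Listing 1 from this column. It assumes the events were exported with Log Parser's EVT input format, whose Strings field joins an event's insertion strings with "|" (for 592, in order: New Process ID, Image File Name, Creator Process ID, User Name, Domain, Logon ID; for 593: Process ID, Image File Name, User Name, Domain, Logon ID). The sample rows are constructed for the example and include a reused process ID, which is the case the pairing logic has to get right.

```python
"""Pair 'A new process has been created' (592) with 'A process has exited' (593).

Added example, not the article's Listing 1.  Assumed export command (Log Parser
syntax; the IN list uses semicolons):

  LogParser -i:EVT -o:CSV "SELECT TimeGenerated, EventID, Strings
      FROM \\computer1\security WHERE EventID IN (592; 593)"

Rows here are constructed inline as (TimeGenerated, EventID, Strings) tuples so
the script runs offline.
"""
from datetime import datetime

PROCESS_CREATED = 592
PROCESS_EXITED = 593

# Constructed sample export. PID 1234 is used first by notepad.exe and, after
# that process exits, reused by psexec.exe; PID 9999 exits without a matching
# start (its 592 fell outside the exported window).
SAMPLE_ROWS = [
    ("2007-03-01 09:00:00", 592, "1234|C:\\WINDOWS\\system32\\notepad.exe|600|alice|CORP|(0x0,0x3E7A1)"),
    ("2007-03-01 09:00:05", 592, "2048|C:\\WINDOWS\\system32\\cmd.exe|600|alice|CORP|(0x0,0x3E7A1)"),
    ("2007-03-01 09:01:00", 593, "1234|C:\\WINDOWS\\system32\\notepad.exe|alice|CORP|(0x0,0x3E7A1)"),
    ("2007-03-01 09:02:00", 592, "1234|C:\\tools\\psexec.exe|2048|alice|CORP|(0x0,0x3E7A1)"),
    ("2007-03-01 09:03:00", 593, "1234|C:\\tools\\psexec.exe|alice|CORP|(0x0,0x3E7A1)"),
    ("2007-03-01 09:04:00", 593, "9999|C:\\WINDOWS\\system32\\calc.exe|bob|CORP|(0x0,0x4F000)"),
]


def parse_row(row):
    """Split one exported row into a dict; returns None for event IDs we ignore."""
    timestamp, event_id, strings = row
    fields = strings.split("|")
    when = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    if event_id == PROCESS_CREATED:
        return {"time": when, "event": event_id, "pid": fields[0], "image": fields[1],
                "parent_pid": fields[2], "user": f"{fields[4]}\\{fields[3]}"}
    if event_id == PROCESS_EXITED:
        return {"time": when, "event": event_id, "pid": fields[0], "image": fields[1],
                "user": f"{fields[3]}\\{fields[2]}"}
    return None


def _session(start, end_time):
    duration = None if end_time is None else (end_time - start["time"]).total_seconds()
    return {"pid": start["pid"], "image": start["image"], "user": start["user"],
            "parent_pid": start["parent_pid"], "start": start["time"],
            "end": end_time, "duration_s": duration}


def pair_process_events(rows):
    """Return (sessions, orphan_exits).

    A 593 is matched only to the most recent still-open 592 with the same PID,
    so a reused PID is attributed to the right program.  Sessions with end=None
    never exited inside the exported window; orphan exits have no visible start.
    """
    open_by_pid = {}
    sessions, orphans = [], []
    records = [r for r in map(parse_row, rows) if r is not None]
    for rec in sorted(records, key=lambda r: r["time"]):
        pid = rec["pid"]
        if rec["event"] == PROCESS_CREATED:
            # A second 592 for an open PID means its 593 was missed (log gap);
            # close the old one with no end time rather than mis-pairing later.
            if pid in open_by_pid:
                sessions.append(_session(open_by_pid.pop(pid), None))
            open_by_pid[pid] = rec
        else:
            start = open_by_pid.pop(pid, None)
            if start is None:
                orphans.append(rec)
            else:
                sessions.append(_session(start, rec["time"]))
    for start in open_by_pid.values():
        sessions.append(_session(start, None))
    return sessions, orphans


if __name__ == "__main__":
    done, unmatched = pair_process_events(SAMPLE_ROWS)
    for s in done:
        end = s["end"].strftime("%H:%M:%S") if s["end"] else "still running"
        print(f"{s['start']:%H:%M:%S}  pid {s['pid']:>5}  parent {s['parent_pid']:>5}  "
              f"{s['user']:<12} {s['image']}  ended: {end}")
    for o in unmatched:
        print(f"{o['time']:%H:%M:%S}  pid {o['pid']:>5}  exit with no recorded start: {o['image']}")
```

Feed it the CSV from the Log Parser command in the docstring (reading rows with the csv module and passing (TimeGenerated, int(EventID), Strings) tuples) to get the same report for a real Security log; the Strings field order assumed above should be checked against the event's Description on your Windows version before trusting the user and parent columns.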