Background: In the middle of my work, a license agreement for installing "Microsoft Mouse and Keyboard Center" suddenly appeared. I'd like to understand what process launched the setup, but using Process Explorer, I saw it's gone; I was only able to find its PID (see screenshot).
Question:
If you are using Process Explorer, you perhaps know the situation where the parent process of the process no longer exists and you can only see its PID:
Are there some Windows logs containing association of PID to running process so I can find out what process was running under given PID?
Preferably, I'm interested in scenarios where I wasn't expecting this, so I did not use Process Monitor to capture events in the system.
Best Answer
Are there some Windows logs containing association of PID to running process
By default there are no such logs. However, you can enable Process Tracking Events in the Windows Security Event Log.
Notes:
The solution requires making changes to the Group Policy using gpedit.
Unfortunately the Group Policy Editor (gpedit) is not included with the Starter Edition, Home and Home Premium editions of Windows.
See my Q&A Windows Starter Edition, Home and Home Premium do not include gpedit, how do I install it? for instructions on how to install it.
How to Use Process Tracking Events in the Windows Security Log
In Windows 2003/XP you get these events by simply enabling the Process Tracking audit policy.
In Windows 7/2008+ you need to enable the Audit Process Creation and, optionally, the Audit Process Termination subcategories which you’ll find under Advanced Audit Policy Configuration in group policy objects.
These events are incredibly valuable because they give a comprehensive audit trail of every time any executable on the system is started as a process. You can even determine how long the process ran by linking the process creation event to the process termination event using the Process ID found in both events. Examples of both events are shown below.
Source How to Use Process Tracking Events in the Windows Security Log
How to enable Audit Process Creation
Run gpedit.msc
Select "Windows Settings" > "Security Settings" > "Local Policies" > "Audit Policy"
Right click "Audit process tracking" and select "Properties"
Check "Success" and click "OK"
What is Audit Process Tracking
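Once the audit policy above is enabled, a PID seen in Process Explorer can be matched against the Security log. The following is an added example, not part of the original answer: it assumes Windows 7/2008 or later, where process creation is logged as event 4688 and process exit as event 4689; the function name `Get-ProcessByPid` and the sample PID 4242 are made up for illustration.

```powershell
# Added example: resolve a decimal PID to the executable that owned it, using
# Security log events 4688 (process creation) and 4689 (process exit).
# Run elevated: reading the Security log requires administrator rights.
function Get-ProcessByPid {
    param(
        [Parameter(Mandatory)] [int] $TargetPid,  # decimal PID as shown by Process Explorer
        [int] $MaxEvents = 5000                   # how far back in the log to look
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4689 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # Flatten <EventData> into a name -> value table
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4688 records the new process in NewProcessId/NewProcessName;
        # 4689 records the exiting process in ProcessId/ProcessName.
        if ($e.Id -eq 4688) { $pidHex = $data['NewProcessId']; $image = $data['NewProcessName'] }
        else                { $pidHex = $data['ProcessId'];    $image = $data['ProcessName'] }

        # PIDs are logged as hex strings such as 0x1092
        if (-not $pidHex) { continue }
        if ([Convert]::ToInt32($pidHex, 16) -ne $TargetPid) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Event       = if ($e.Id -eq 4688) { 'Created' } else { 'Exited' }
            Pid         = $TargetPid
            Image       = $image
            # In 4688 the ProcessId field is the creator (parent) process
            CreatorPid  = if ($e.Id -eq 4688 -and $data['ProcessId']) { [Convert]::ToInt32($data['ProcessId'], 16) }
            # Only populated when command-line auditing is also enabled
            CommandLine = $data['CommandLine']
        }
    }
}

# 4242 is a constructed sample PID; substitute the parent PID from Process Explorer
Get-ProcessByPid -TargetPid 4242 | Sort-Object Time | Format-Table -AutoSize
```

Windows reuses PIDs, so several Created/Exited pairs may match; pick the pair whose time window covers the moment the child process started. Only processes started after the audit policy was enabled will appear.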