How can I track what programs come and go on my machine?

Windows is constantly starting and stopping programs as part of its normal operations. You can see exactly what programs are being run using a Windows technique called process auditing.

Recently, an entry keeps appearing on my taskbar. It appears for less than a second before disappearing again. I once managed to click it, but no window popped up. The icon is a blank rectangular box and there is no description. It’s driving me nuts trying to work out what it is! How can I identify this process?

Programs do seem to come and go at times. When you’re diagnosing performance or security issues, understanding what’s coming and going can be important. Sometimes, it can just explain a flashing item in the task bar.

Fortunately, there is a fairly simple way to trace what’s happening.

Auditing

Windows includes several auditing options, which can collect a list of activities over time. You can then view these in the Event Viewer. One of those auditing options is tracking every time that a program starts.

Now, let’s be clear about something: even on a machine that appears to be doing absolutely nothing, Windows and the applications on it may be very busy. In other words, there may be a lot of programs that are more or less constantly coming and going, starting and stopping, and just generally doing whatever it is that they do.

As a result, process tracking with the auditing tools can slow your machine down a lot. You won’t want to have it on all the time.

But it can be a very useful tool to turn on for “a while” just to see what’s happening.

Enable process auditing

To turn on process auditing, run gpedit.msc, the Group Policy Editor [1]. You can type that into the Run box on the Start menu of Windows versions that have it, enter it as a command in a Windows Command Prompt, or just start typing gpedit.msc at the Windows 8 Start screen and click it when it appears in the search results.

[Screenshot: Finding gpedit.msc in Windows 8]

In the left pane (expanded below for readability):

  • In Computer Configuration, expand Windows Settings (by clicking the triangle or boxed plus sign to its left).
  • Expand Security Settings.
  • Expand Local Policies.
  • Click Audit Policy.

[Screenshot: Audit Policy in Windows 8 gpedit.msc]

In the right pane, double-click Audit process tracking:

[Screenshot: Audit Process Tracking]

In the resulting dialog box, check the box labelled Success under Audit these attempts:.

[Screenshot: Audit Process Tracking Properties]

Click OK and close gpedit.msc.

Run your scenario

Now, run the scenario that concerns you. If it’s a start-up issue, then reboot. Otherwise, do (or wait for) whatever it is that you’re attempting to diagnose.

Don’t be at all surprised if your machine runs slower. As I mentioned above, process tracking can absolutely have a negative impact on performance.

Examine Event Viewer logs

Now, fire up the Event Viewer. (Start, Run, and eventvwr will do it, or type eventvwr at the Windows 8 Start screen and click the icon when it appears.)

[Screenshot: Event Viewer in Windows 8 search]

You might want to move the Event Viewer window and perhaps expand it to make the items within easier to see.

Expand the Windows Logs item in the left pane. Click Security underneath it:

[Screenshot: Security item in Event Viewer]

In the upper center pane, you should see a number of Audit Success events with a Task Category of either Process Created or Process Terminated. Click one of those and select the Details tab in the lower center pane (here, I’ve also made the lower pane larger by dragging the divider up):

[Screenshot: Event Viewer Process Creation Event]

You can scroll up and down in the upper pane, watching the lower pane to see what programs have been created or terminated. Hopefully, you’ll find the answer to your question there.

Did I mention there will be lots of programs starting and stopping? This is the nature of a complex operating system like Windows and the complex applications we install. You may need to do a little research to determine what some of the applications are, but a process of elimination will hopefully let you narrow down your list of suspects quickly.
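
The same Security log entries can be read from PowerShell instead of scrolling through Event Viewer. This added example, which is not from the original article, pairs each Process Created event (ID 4688) with its Process Terminated event (ID 4689) and lists programs that lived only a few seconds, such as a taskbar entry that flashes and vanishes. The 30-minute window, the 5-second threshold and the helper name Get-EventField are assumptions.

```powershell
# Added example, not from the article. Run from an elevated PowerShell prompt
# after enabling "Audit process tracking" and reproducing the problem.
$since       = (Get-Date).AddMinutes(-30)   # assumed look-back window
$maxLifetime = 5                            # assumed "blink" threshold, seconds

function Get-EventField($record, [string]$name) {
    # Return the text of the named <Data> element in the event's XML payload.
    $xml = [xml]$record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

# 4688 = "Process Created", 4689 = "Process Terminated" (Windows Vista and later).
# RecordId order is oldest first, so each start is seen before its exit.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688, 4689; StartTime = $since
} | Sort-Object RecordId

$open = @{}   # PID as logged (hex string) -> creation record awaiting its exit
$shortLived = foreach ($e in $events) {
    if ($e.Id -eq 4688) {
        $open[(Get-EventField $e 'NewProcessId')] = [pscustomobject]@{
            Started   = $e.TimeCreated
            Image     = Get-EventField $e 'NewProcessName'
            ParentPid = Get-EventField $e 'ProcessId'   # PID of the creating process
        }
        continue
    }
    $procId  = Get-EventField $e 'ProcessId'
    $created = $open[$procId]
    # PIDs are reused, so only pair an exit with a start for the same image.
    if ($created -and $created.Image -eq (Get-EventField $e 'ProcessName')) {
        $life = ($e.TimeCreated - $created.Started).TotalSeconds
        if ($life -le $maxLifetime) {
            [pscustomobject]@{
                Started   = $created.Started
                Seconds   = [math]::Round($life, 2)
                Image     = $created.Image
                ProcessId = $procId
                ParentPid = $created.ParentPid
            }
        }
    }
    $open.Remove($procId)
}
$shortLived | Format-Table -AutoSize
```

To find out what launched a short-lived program, look up its ParentPid among the NewProcessId values of earlier Process Created events.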

Turn it off!

Don’t forget to turn process tracking off when you’re done. Simply repeat the process that you used to turn it on, but this time, uncheck the Success checkbox for Audit these attempts that you had checked earlier.

This is an update to an article originally posted: May 28, 2005

Footnotes and references

1: This does assume that you have a version of Windows that has the Group Policy Editor. Unfortunately, it may not be available in all editions, most notably Windows Home editions. Even more unfortunately, I know of no simple/easy replacement. Without any guarantee, I did find a download that apparently installs the necessary files in Windows 7 and Windows 8 versions that do not already have gpedit.msc. Use it at your own risk and (of course) back up first.

There are 9 comments:

  1. Karen

    I tried to do the first step, but gpedit.msc does not exist on my computer. Would it go by another name? I have Win XP Home.

  2. John

    Thank you for this article! It solved a major headache for me. I do not use Outlook, only Thunderbird, so I deleted the massive pst file that was hogging my disk, from a time when I experimented with Outlook a long time ago. Outlook promptly started popping up every 20 minutes or so, saying that it couldn’t find the pst file. Outlook didn’t show up in Task Manager and I tried Process Monitor, which only told me its parent was svchost, which didn’t help. But running this audit identified that svchost was first being called by Funambol, which I had experimented with when I tried out Outlook. Once I knew that, I uninstalled Funambol and the problem disappeared. Thanks!

  3. Chrispm84

    One of the first things I use when troubleshooting a client’s machine is check out what’s starting on that machine. One of the tools in my USB toolkit makes this very easy. It’s called Ultra Virus Killer and one of its functions is to show all possible startup entries on one screen. It does much more, but this is what I use it for the most. If anyone wants to check it out and maybe add it to their toolkit: http://www.carifred.com/uvk/

    • K.Vee.Shanker.

      Thanks! I appreciate your sharing the information Chrispm84!

  4. David Couture

    Does this procedure give you info that you wouldn’t get if you just ran msconfig?

    • Leo

      Absolutely. msconfig just shows you some (not all even) of what gets started automatically. This process actually gives you a list of programs *as they come and go*. If a program runs 5 times while you’re auditing, for example, and for any reason, you’ll see five entries.

  5. Ken Levin

    Don’t forget about autoruns and process explorer. For the latter, right clicking on a running process will bring up tons of additional information.

    IMHO, these two should be your first stop for performance issues. Autoruns is great at finding pesky left-overs from past installs, for instance, as well as all those updates and fast starts software vendors force on us (are you listening, Google and Adobe?). Process explorer is great at helping one see what’s behind the various svchost processes.

  6. David Carriuolo

    I ran across a free program for monitoring the different processes and apps as they run called “What’s my computer doing”. It gives a real-time scrolling rundown of everything going on. It also gives the time of action, whether it was 2 secs. ago or 2 min ago. Handy to have in the toolbox.
    It can be found at http://what-s-my-computer-doing.software.informer.com/download/
