How can I track what programs come and go on my machine?

Question: Recently, an entry keeps appearing on my taskbar. It appears for less than a second before disappearing again. I once managed to click it, but no window popped up. The icon is a blank rectangular box and there is no description. It’s driving me nuts trying to work out what it is! How can I identify this process?

Programs do seem to come and go at times. When you’re diagnosing performance or security issues, understanding what’s coming and going can be important. Sometimes, it can just explain a flashing item in the task bar.

Fortunately, there is a fairly simple way to trace what’s happening.

Auditing

Windows includes several auditing options, which can collect a list of activities over time. You can then view these in the Event Viewer. One of those auditing options is tracking every time that a program starts.

Now, let’s be clear about something: even on a machine that appears to be doing absolutely nothing, Windows and the applications on it may be very busy. In other words, there may be a lot of programs that are more or less constantly coming and going, starting and stopping, and just generally doing whatever it is that they do.

As a result, process tracking with the auditing tools can slow your machine down a lot. You won’t want to have it on all the time.

But it can be a very useful tool to turn on for “a while” just to see what’s happening.

Enable process auditing

To turn on process auditing, run gpedit.msc, the Group Policy Editor1. You can type that into the Run box on the Start menu of Windows versions that have it, enter it as a command in a Windows Command Prompt, or just start typing gpedit.msc at the Windows 8 Start screen and click it when it appears in the search results.

Finding gpedit.msc in Windows 8

In the left pane (expanded below for readability):

  • In Computer Configuration, expand Windows Settings (by clicking the triangle or boxed plus sign to its left).
  • Expand Security Settings.
  • Expand Local Policies.
  • Click Audit Policy.

Audit Policy in Windows 8 gpedit.msc

In the right pane, double-click Audit process tracking:

Audit Process Tracking

In the resulting dialog box, check the box labelled Success under Audit these attempts:.

Audit Process Tracking Properties

Click OK and close gpedit.msc.

Run your scenario

Now, run the scenario that concerns you. If it’s a start-up issue, then reboot. Otherwise, do (or wait for) whatever it is that you’re attempting to diagnose.

Don’t be at all surprised if your machine runs slower. As I mentioned above, process tracking can absolutely have a negative impact on performance.

Examine Event Viewer logs

Now, fire up the Event Viewer (Start, Run, and eventvwr will do it. Or type eventvwr at the Windows 8 Start screen and click the icon when it appears.)

Event Viewer in Windows 8 search

You might want to move the Event Viewer window and perhaps expand it to make the items within easier to see.

Expand the Windows Logs item in the left pane. Click Security underneath it:

Security item in Event Viewer

In the upper center pane, you should see a number of Audit Success events with a Task Category of either Process Created or Process Terminated. Click one of those and select the Details tab in the lower center pane (here, I’ve also made the lower pane larger by dragging the divider up):

Event Viewer Process Creation Event

You can scroll up and down in the upper pane, watching the lower pane to see what programs have been created or terminated. Hopefully, you’ll find the answer to your question there.

Did I mention there will be lots of programs starting and stopping? This is the nature of a complex operating system like Windows and the complex applications we install. You may need to do a little research to determine what some of the applications are, but a process of elimination will hopefully let you narrow down your list of suspects quickly.

Turn it off!

Don’t forget to to turn process tracking off when you’re done. Simply repeat the process that you used to turn it on, but this time, uncheck the Success checkbox for Audit these attempts that you had checked earlier.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Footnotes & references

1: This does assume that you have a version of Windows that has the Group Policy Editor. Unfortunately, it may not be available in all editions, most notably Windows Home editions. Even more unfortunately, I know of no simple/easy replacement. Without any guarantee, I did find a download that apparently installs the necessary files in Windows 7 and Windows 8 versions that do not already have gpedit.msc. Use it at your own risk and (of course) backup first.

12 comments on “How can I track what programs come and go on my machine?”

  1. I tried to do the first step, but gpedit.msc does not exist on my computer. Would it go by another name. I hve win xp home.

    Reply
  2. Thank you for this article! It solved a major headache for me. I do not use Outlook, only Thunderbird, so I deleted the massive pst file that was hogging my disk, from a time when I experimented with Outlook a long time ago. Outlook promptly started popping up every 20 minutes or so, saying that it couldn’t find the pst file. Outlook didn’t show up in task manager and I tried Process Monitor, which only told me it’s parent was svchost, which didn’t help. But running this audit identified that svchost was first being called by Funambol, which I had experimented with when I tried out Outlook. Once I knew that, I uninstalled Funambol and the problem disappeared. Thanks!

    Reply
  3. One of the first things I use when troubleshooting a clients machine is check out what’s starting on that machine. One of the tools in my usb toolkit makes this very easy. It’s called Ultra Virus Killer and one of it’s functions is to show all possible startup entries on one screen. It does much more, but this is what I use it for the most. If anyone wants to check it out and maybe add it to their toolkit: http://www.carifred.com/uvk/

    Reply
    • Absolutely. msconfig just shows you some (not all even) of what gets started automatically. This process actually gives you a list of programs *as they come and go*. If a program runs 5 times while you’re auditing, for example, and for any reason, you’ll see five entries.

      Reply
  4. Don’t forget about autoruns and process explorer. For the latter, right clicking on a running process will bring up tons of additional information.

    IMHO, these two should be your first stop for performance issues. Autoruns is great at finding pesky left-overs from past installs, for instance, as well as all those updates and fast starts software vendors force on us (are you listening, google and adobe?) Process explorer is great at helping one see what’s behind the various svchost processes.

    Reply
  5. You mentioned you know of no simple/easy replacement. for gpedit.msc. In Windows10, I was able to run a small .cmd batch file to enable gpedit.
    Open Notepad or other text editor.
    Copy the following:
    pushd “%~dp0″
    dir /b %SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~3*.mum >List.txt
    dir /b %SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~3*.mum >>List.txt
    for /f %%i in (‘findstr /i . List.txt 2^>nul’) do dism /online /norestart /add-package:”%SystemRoot%\servicing\Packages\%%i”
    pause

    Save that file as enable_gpedit.cmd and double click to run it.

    Reply
    • There must be much more to it than that. Is that CMD or PowerShell? (Doesn’t seem to work in the former, and doesn’t look like the latter.) Oh, and WordPress messed up the quotes. Where did you find this?

      Reply
      • I can’t remember where I found it. It was several months ago, and I just saved the file. Somehow it works for me. I noticed that I had name mine enable_gpedit.bat. That might work for you.
        I believe it’s legal because it’s accomplished by Windows commands and no external programs.

        Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.