
How can I track what programs come and go on my machine?

Recently, an entry keeps appearing on my taskbar. It appears for less than a second before disappearing again. I once managed to click it, but no window popped up. The icon is a blank rectangular box and there is no description. It’s driving me nuts trying to work out what it is! How can I identify this process?

Programs do seem to come and go at times. When you’re diagnosing performance or security issues, understanding what’s coming and going can be important. Sometimes, it can just explain a flashing item in the task bar.

Fortunately, there is a fairly simple way to trace what’s happening.


Auditing

Windows includes several auditing options, which can collect a list of activities over time. You can then view these in the Event Viewer. One of those auditing options is tracking every time that a program starts.

Now, let’s be clear about something: even on a machine that appears to be doing absolutely nothing, Windows and the applications on it may be very busy. In other words, there may be a lot of programs that are more or less constantly coming and going, starting and stopping, and just generally doing whatever it is that they do.

As a result, process tracking with the auditing tools can slow your machine down a lot. You won’t want to have it on all the time.

But it can be a very useful tool to turn on for “a while” just to see what’s happening.

Enable process auditing

To turn on process auditing, run gpedit.msc, the Group Policy Editor [1]. You can type that into the Run box on the Start menu of Windows versions that have it, enter it as a command in a Windows Command Prompt, or just start typing gpedit.msc at the Windows 8 Start screen and click it when it appears in the search results.

Finding gpedit.msc in Windows 8

In the left pane (expanded below for readability):

  • In Computer Configuration, expand Windows Settings (by clicking the triangle or boxed plus sign to its left).
  • Expand Security Settings.
  • Expand Local Policies.
  • Click Audit Policy.

Audit Policy in Windows 8 gpedit.msc

In the right pane, double-click Audit process tracking:

Audit Process Tracking

In the resulting dialog box, check the box labelled Success under "Audit these attempts".

Audit Process Tracking Properties

Click OK and close gpedit.msc.

Run your scenario

Now, run the scenario that concerns you. If it’s a start-up issue, then reboot. Otherwise, do (or wait for) whatever it is that you’re attempting to diagnose.

Don’t be at all surprised if your machine runs slower. As I mentioned above, process tracking can absolutely have a negative impact on performance.

Examine Event Viewer logs

Now, fire up the Event Viewer. (Start, Run, and eventvwr will do it, or type eventvwr at the Windows 8 Start screen and click the icon when it appears.)

Event Viewer in Windows 8 search

You might want to move the Event Viewer window and perhaps expand it to make the items within easier to see.

Expand the Windows Logs item in the left pane. Click Security underneath it:

Security item in Event Viewer

In the upper center pane, you should see a number of Audit Success events with a Task Category of either Process Created or Process Terminated. Click one of those and select the Details tab in the lower center pane (here, I’ve also made the lower pane larger by dragging the divider up):

Event Viewer Process Creation Event

You can scroll up and down in the upper pane, watching the lower pane to see what programs have been created or terminated. Hopefully, you’ll find the answer to your question there.

Did I mention there will be lots of programs starting and stopping? This is the nature of a complex operating system like Windows and the complex applications we install. You may need to do a little research to determine what some of the applications are, but a process of elimination will hopefully let you narrow down your list of suspects quickly.
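Scrolling through hundreds of events by hand gets tedious when the program you are chasing lives for less than a second. The following PowerShell is an added example, not part of the original article: it reads the same Security log entries (event ID 4688 for Process Created, 4689 for Process Terminated), pairs each start with its exit, and lists only the short-lived processes. The 30-minute window, the 5-second threshold and the helper name Get-EventField are assumptions chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell window after the audited scenario.
$since      = (Get-Date).AddMinutes(-30)  # assumption: how far back to look
$maxSeconds = 5                           # assumption: what counts as "short-lived"

function Get-EventField {
    param($Record, [string]$Name)
    # Event details are named <Data> elements inside the event's XML.
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4688 = "Process Created", 4689 = "Process Terminated" in the Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688, 4689; StartTime = $since
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$started = @{}   # process ID (hex string) -> details from its creation event
$shortLived = foreach ($e in $events) {
    if ($e.Id -eq 4688) {
        $started[(Get-EventField $e 'NewProcessId')] = [pscustomobject]@{
            Time      = $e.TimeCreated
            Image     = Get-EventField $e 'NewProcessName'
            ParentPid = Get-EventField $e 'ProcessId'   # creator's process ID
            User      = Get-EventField $e 'SubjectUserName'
        }
    }
    else {
        $procId = Get-EventField $e 'ProcessId'
        $start  = $started[$procId]
        if ($start) {
            $started.Remove($procId)   # process IDs get reused; forget this one
            $lifetime = ($e.TimeCreated - $start.Time).TotalSeconds
            if ($lifetime -le $maxSeconds) {
                [pscustomobject]@{
                    Started   = $start.Time
                    Seconds   = [math]::Round($lifetime, 2)
                    Image     = $start.Image
                    ProcessId = [Convert]::ToInt32($procId, 16)
                    ParentPid = [Convert]::ToInt32($start.ParentPid, 16)
                    User      = $start.User
                }
            }
        }
    }
}

$shortLived | Sort-Object Started | Format-Table -AutoSize
```

The ParentPid column is the process that launched each entry; look that ID up in Task Manager or among the other 4688 events to see which program is responsible.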

Turn it off!

Don’t forget to turn process tracking off when you’re done. Simply repeat the process that you used to turn it on, but this time, uncheck the Success checkbox under "Audit these attempts" that you had checked earlier.

Footnotes & references

1: This does assume that you have a version of Windows that has the Group Policy Editor. Unfortunately, it may not be available in all editions, most notably Windows Home editions. Even more unfortunately, I know of no simple/easy replacement. Without any guarantee, I did find a download that apparently installs the necessary files in Windows 7 and Windows 8 versions that do not already have gpedit.msc. Use it at your own risk and (of course) backup first.

9 comments on “How can I track what programs come and go on my machine?”

  1. Thank you for this article! It solved a major headache for me. I do not use Outlook, only Thunderbird, so I deleted the massive pst file that was hogging my disk, from a time when I experimented with Outlook a long time ago. Outlook promptly started popping up every 20 minutes or so, saying that it couldn’t find the pst file. Outlook didn’t show up in task manager and I tried Process Monitor, which only told me its parent was svchost, which didn’t help. But running this audit identified that svchost was first being called by Funambol, which I had experimented with when I tried out Outlook. Once I knew that, I uninstalled Funambol and the problem disappeared. Thanks!

  2. One of the first things I do when troubleshooting a client’s machine is check out what’s starting on that machine. One of the tools in my usb toolkit makes this very easy. It’s called Ultra Virus Killer and one of its functions is to show all possible startup entries on one screen. It does much more, but this is what I use it for the most. If anyone wants to check it out and maybe add it to their toolkit: http://www.carifred.com/uvk/

    • Absolutely. msconfig just shows you some (not all even) of what gets started automatically. This process actually gives you a list of programs *as they come and go*. If a program runs 5 times while you’re auditing, for example, and for any reason, you’ll see five entries.

  3. Don’t forget about autoruns and process explorer. For the latter, right clicking on a running process will bring up tons of additional information.

    IMHO, these two should be your first stop for performance issues. Autoruns is great at finding pesky left-overs from past installs, for instance, as well as all those updates and fast starts software vendors force on us (are you listening, google and adobe?) Process explorer is great at helping one see what’s behind the various svchost processes.
