{"id":1345,"date":"2017-07-28T14:37:58","date_gmt":"2017-07-28T22:37:58","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/commandline\/?p=1345"},"modified":"2019-02-18T13:29:44","modified_gmt":"2019-02-18T21:29:44","slug":"how-to-determine-what-just-ran-on-windows-console","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/commandline\/how-to-determine-what-just-ran-on-windows-console\/","title":{"rendered":"How to Determine What Just Ran on Windows Console"},"content":{"rendered":"

Ever wonder what was run in that Console window that briefly appeared on your screen? In this guest post, Craig Loewen<\/a> – our awesome summer intern explains how you can find out what command-line applications run on your machine. Over to you Craig …<\/p>\n

\n

[This article includes samples from <\/i>Nathan Gau\u2019s Blog on Using SCOM to Capture Suspicious Process Creation<\/a>]<\/i><\/p>\n

At some point during any user\u2019s time using Windows, they have probably had a Console Window pop open for a millisecond and then disappear, leaving them to wonder \u2018What was that?\u2019.<\/p>\n

I had exactly the same experience which led me to investigate, answer that question, and reveal a way to obtain a list of every process that attached itself to a console window!<\/p>\n

For some background, a console window (running as ConHost.exe) opens & is attached to a command-line application when executed. When Windows launches a new process, an event with ID 4688<\/a> is generated. This event is disabled by default, and needs to be turned-on through a Group Policy Object setting before it can be tracked.<\/p>\n

Enabling Console Window Creation Events to be Recorded<\/h2>\n

Note:<\/strong><\/span> <\/span>Take a minute to consider whether you should enable command line auditing before doing so. <\/span>Nathan Gau wrote a blog post about this<\/a> where he detailed the following:<\/span><\/p>\n

\u201c[enabling command line auditing] will generate a lot of security events. If you have tools such as ArcSight, Splunk, OMS, or SCOM collecting these events, you\u2019d be wise to do this incrementally to ensure that you aren\u2019t overloading these tools, and I\u2019d add that if you don\u2019t have a plan in place to review and respond to what you find, then you should think about that before you start turning on auditing that won\u2019t be looked at.\u00a0 The other problem is that by turning on command line auditing, anyone that can read security events could read the contents, and potentially read something sensitive. So please, think this through carefully. A full write up on TechNet can be found here<\/a>.\u201d<\/p><\/blockquote>\n

Once you are sure that this is the right course of action for your system, enabling command line auditing is very straightforward. Full instructions can be found here<\/a>, but let’s step through the process:<\/u><\/p>\n

Here are some screenshots of how to enable logging on your system.<\/p>\n

1) First, open the Group Policy Editor: hit start, type “group”, and hit the “Edit Group Policy” item in your search results.<\/p>\n

2) Enable Audit Process Creation:<\/p>\n

Navigate to:<\/p>\n

Local Computer Policy<\/p>\n

Computer Configuration<\/p>\n

Windows Settings<\/p>\n

Security Settings<\/p>\n

Advanced Audit Policy Configuration<\/p>\n

System Audit Policies<\/p>\n

Detailed Tracking<\/p>\n

Double click the “Audit Process Creation” item, check the “Success” box and hit OK.<\/p>\n

\"\"<\/a><\/p>\n

3) Enable command line process creation<\/p>\n

Navigate to the following items:<\/p>\n

Local Computer Policy<\/p>\n

Computer Configuration<\/p>\n

Administrative Templates<\/p>\n

System<\/p>\n

Audit Process Creation<\/p>\n

Double-click the “Include command line in process creation events<\/span>” setting, select the “Enabled” field and hit OK.<\/p>\n

\"\"<\/a><\/p>\n

Be sure to reboot your PC so that process tracking is fully enabled. After rebooting, your machine should now start logging process creation events.<\/p>\n

Let’s<\/span> <\/strong>find and view these process creation events:<\/p>\n

Viewing the List of What Created a Console Window<\/h2>\n

You can view process creation events in one of two ways, either with PowerShell, or Windows Event Viewer.<\/p>\n

In PowerShell<\/h2>\n

Open a PowerShell window with administrative privileges<\/b>, this is necessary to access the logs. Then simply type the command:<\/p>\n

Get-WinEvent Security | ? id -eq 4688 | ? { $_.Properties[5].Value -match 'conhost' } | Select TimeCreated,@{ Label = \"ParentProcess\"; Expression = { $_.Properties[13].Value } } | Select -First 10<\/pre>\n
The number at the end of the command (currently 10) determines how many processes to show you before PowerShell stops looking for them.<\/p>\n
\"\"<\/a><\/p>\n
In Windows Event Viewer<\/h2>\n
If you prefer a GUI based approach, it is also possible to view this list in Windows Event Viewer. Open Event Viewer and create a custom view:<\/p>\n
\"\"<\/a><\/p>\n
Navigate to the XML tab and click \u2018Edit Query Manually\u2019 and press \u2018OK\u2019 on the dialogue box that will open:<\/p>\n
\"\"<\/a><\/p>\n
 <\/p>\n
Into the text box, paste the following piece of XML:<\/span><\/p>\n
 <\/p>\n
<QueryList>\n  <Query Id=\"0\" Path=\"Security\">\n    <Select Path=\"Security\"> *[System[(EventID=4688)] and EventData[Data[@Name='NewProcessName'] and (Data='C:\\Windows\\System32\\conhost.exe')]]\n    <\/Select>\n  <\/Query>\n<\/QueryList><\/pre>\n
Press OK, give your Custom view a name and description, and then you should see items inside of the event view. To find out what process created the console window click on an item and look at the \u2018Creator Process Name\u2019:<\/p>\n
\"\"<\/a><\/p>\n
 <\/p>\n
Finishing Up<\/h2>\n
Once you\u2019ve finished recording your data and discovering what processes were launched, please disable command line auditing which will stop tracking when processes are created. And just to be sure that tracking is fully disabled, be sure to reboot your PC. Your computer will then run just the same as before.<\/p>\n
\n
We hope you find this guide useful if you ever need to track down what command-line processes are running on your machine.<\/p>\n","protected":false},"excerpt":{"rendered":"
Ever wonder what was run in that Console window that briefly appeared on your screen? In this guest post, Craig Loewen – our awesome summer intern explains how you can find out what command-line applications run on your machine. Over to you Craig … [This article includes samples from Nathan Gau\u2019s Blog on Using SCOM […]<\/p>\n","protected":false},"author":910,"featured_media":4568,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10,2,6,9],"tags":[27,31],"class_list":["post-1345","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cmd","category-command-line","category-windows-console","category-bash-on-ubuntu-on-windows","tag-cmd","tag-console"],"acf":[],"blog_post_summary":"
Ever wonder what was run in that Console window that briefly appeared on your screen? In this guest post, Craig Loewen – our awesome summer intern explains how you can find out what command-line applications run on your machine. Over to you Craig … [This article includes samples from Nathan Gau\u2019s Blog on Using SCOM […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/posts\/1345","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/users\/910"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/comments?post=1345"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/posts\/1345\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/media\/4568"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/media?parent=1345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/categories?post=1345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/commandline\/wp-json\/wp\/v2\/tags?post=1345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}