How to Determine What Just Ran on Windows Console

Ever wonder what was run in that Console window that briefly appeared on your screen? In this guest post, Craig Loewen – our awesome summer intern – explains how you can find out what command-line applications run on your machine. Over to you Craig …


[This article includes samples from Nathan Gau's Blog on Using SCOM to Capture Suspicious Process Creation]

At some point during any user's time using Windows, they have probably had a Console Window pop open for a millisecond and then disappear, leaving them to wonder 'What was that?'.

I had exactly the same experience, which led me to investigate, answer that question, and reveal a way to obtain a list of every process that attached itself to a console window!

For some background, a console window (running as ConHost.exe) opens and is attached to a command-line application when it is executed. When Windows launches a new process, a Security event with ID 4688 is generated. This event is disabled by default, and needs to be turned on through a Group Policy Object setting before it can be tracked.

Enabling Console Window Creation Events to be Recorded

Note: Take a moment to consider whether you should enable command line auditing before doing so. Nathan Gau wrote a blog post about this where he detailed the following:

"[enabling command line auditing] will generate a lot of security events. If you have tools such as ArcSight, Splunk, OMS, or SCOM collecting these events, you'd be wise to do this incrementally to ensure that you aren't overloading these tools, and I'd add that if you don't have a plan in place to review and respond to what you find, then you should think about that before you start turning on auditing that won't be looked at. The other problem is that by turning on command line auditing, anyone that can read security events could read the contents, and potentially read something sensitive. So please, think this through carefully. A full write up on TechNet can be found here."

Once you are sure that this is the right course of action for your system, enabling command line auditing is very straightforward. Full instructions can be found here, but let's step through the process:

Here are some screenshots of how to enable logging on your system.

1) First, open the Group Policy Editor: hit Start, type "group", and hit the "Edit Group Policy" item in your search results.

2) Enable Audit Process Creation:

Navigate to:

Local Computer Policy

Computer Configuration

Windows Settings

Security Settings

Advanced Audit Policy Configuration

System Audit Policies

Detailed Tracking

Double-click the "Audit Process Creation" item, check the "Success" box and hit OK.

3) Enable command line process creation

Navigate to the following items:

Local Computer Policy

Computer Configuration

Administrative Templates

System

Audit Process Creation

Double-click the "Include command line in process creation events" setting, select the "Enabled" field and hit OK.

Be sure to reboot your PC so that process tracking is fully enabled. After rebooting, your machine should now start logging process creation events.

Let's find and view these process creation events:

Viewing the List of What Created a Console Window

You can view process creation events in one of two ways: either with PowerShell, or with Windows Event Viewer.

In PowerShell

Open a PowerShell window with administrative privileges; this is necessary to access the Security log. Then simply type the command:

Get-WinEvent Security | ? Id -eq 4688 | ? { $_.Properties[5].Value -match 'conhost' } | Select TimeCreated,@{ Label = "ParentProcess"; Expression = { $_.Properties[13].Value } } | Select -First 10

Properties[5] is the NewProcessName field of the 4688 event and Properties[13] is its ParentProcessName field. The number at the end of the command (currently 10) determines how many matching processes to show you before PowerShell stops looking for them.
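As an added example (not code from the original post), the following PowerShell goes a step beyond the one-liner: it reads the 4688 fields by name from each event's XML instead of by position, and joins each conhost.exe creation to the creating process's own 4688 event so that process's command line is shown as well. It assumes Windows 10 or later (where 4688 carries ParentProcessName), the policy settings above enabled, and an elevated session.

```powershell
# Added example: list console-window creations and recover the creator's command line.
# Assumes an elevated session and 4688 auditing enabled as described above.
function Get-ConsoleWindowCreations {
    param([int]$MaxEvents = 10)

    # Let the event log provider filter on Id; far cheaper than piping every
    # Security event through Where-Object.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction Stop

    # Parse each event's XML so fields are addressed by name, not by index.
    $parsed = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $e.TimeCreated
            NewProcessId      = [int]$data['NewProcessId']   # logged as hex, e.g. 0x1a2c
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']
            CreatorProcessId  = [int]$data['ProcessId']      # PID of the creating process
            ParentProcessName = $data['ParentProcessName']
        }
    }

    # Get-WinEvent returns newest first. PIDs are reused, so the creator's own
    # 4688 event is the newest one with that PID that is not later than the
    # conhost event. It is empty if the creator started before auditing was on.
    $conhost = $parsed | Where-Object { $_.NewProcessName -like '*\conhost.exe' } |
        Select-Object -First $MaxEvents
    foreach ($c in $conhost) {
        $creator = $parsed |
            Where-Object { $_.NewProcessId -eq $c.CreatorProcessId -and $_.TimeCreated -le $c.TimeCreated } |
            Select-Object -First 1
        [pscustomobject]@{
            TimeCreated        = $c.TimeCreated
            CreatorProcess     = $c.ParentProcessName
            CreatorCommandLine = $creator.CommandLine
        }
    }
}

Get-ConsoleWindowCreations -MaxEvents 10 | Format-Table -AutoSize -Wrap
```

Because the CommandLine field can contain passwords or tokens passed as arguments, treat the output with the same care as the Security log itself.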

In Windows Event Viewer

If you prefer a GUI-based approach, it is also possible to view this list in Windows Event Viewer. Open Event Viewer and create a custom view:

Navigate to the XML tab, click 'Edit Query Manually', and press 'OK' on the dialogue box that will open:

Into the text box, paste the following piece of XML:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4688)] and EventData[Data[@Name='NewProcessName'] and (Data='C:\Windows\System32\conhost.exe')]]
    </Select>
  </Query>
</QueryList>

Press OK, give your custom view a name and description, and you should then see items inside the event view. To find out what process created the console window, click on an item and look at the 'Creator Process Name':

Finishing Up

Once you've finished recording your information and discovering what processes were launched, please disable command line auditing, which will stop tracking when processes are created. And just to be sure that tracking is fully disabled, reboot your PC. Your computer will then run just the same as before.


We hope you find this guide useful if you ever need to track down what command-line processes are running on your machine.