
Identify the launch time of a program on Windows Server 2012 R2


MafiaMoose
Junior Member
43
04-18-2023, 05:49 AM
#1
Hi, I have a user who’s starting an app they don’t understand how to stop properly. As a result, the license isn’t released and other users can’t access it until I manually instruct the licensing system to remove unused licenses—which takes a while. My users connect via RDP, but the licensing tool shows it’s from one of those sessions, not the actual user who’s using the license (even if it’s closed). The app is designed to record time on a touchscreen computer. Does Windows Server 2012 R2 have a way to list which programs are running and when? I’ve checked the Event Viewer, but I can’t find anything about that. I’m using the network admin account, so I can see which programs are running per user, but there’s no option to monitor live launches as they happen quickly. Please help me understand this better. Thank you.

minerboy671
Member
61
04-21-2023, 01:48 PM
#2
Unless you set up a method for clients to submit logs, it's not possible to do so.

SlayFuzzy
Member
180
05-04-2023, 12:51 AM
#3
The answer on SuperUser could be helpful: https://superuser.com/questions/1036917/...21#1036921
Spoiler: How to identify running programs after they’ve been stopped.

By default, there are no logs showing which programs have executed. But you can turn on Process Tracking Events in the Windows Security Event Log (follow the steps below for details) so this data becomes accessible later. Once Process Tracking Events are active, you can run the following PowerShell commands to review them:

- Process Start: Get-EventLog Security | Where-Object {$_.EventID -eq 4688} | Format-List
- Process Stop: Get-EventLog Security | Where-Object {$_.EventID -eq 4689} | Format-List

These commands display the relevant information on your screen.

To access Process Tracking Events in Windows Security Log:
- In Windows 2003/XP, enable Process Tracking audit policy.
- In Windows 7/2008+, activate Audit Process Creation and, if needed, Audit Process Termination categories under Advanced Audit Policy Configuration in group policy.

These logs are extremely useful because they record every time an executable starts as a process, including how long it ran. You can link the creation and termination events using the Process ID to determine duration.

Examples of these events are provided below.

Source: How to enable Audit Process Creation
Run gpedit.msc
Note: The Group Policy Editor isn’t included with the Starter Edition, Home, or Home Premium versions. For installation guidance, see my answer on installing gpedit.msc on Windows Starter Edition, Home, and Home Premium.

Select: Windows Settings > Security Settings > Local Policies > Audit Policy
Right-click “Audit process tracking” and choose “Properties”
Check “Success” and click OK.
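
The pairing described in post #3 (a 4688 start linked to its 4689 stop by process ID), as an added PowerShell example that is not part of the thread or the linked SuperUser answer. It assumes both creation and termination auditing are enabled; the function names `ConvertTo-ProcRecord` and `Join-ProcLifetime` are hypothetical, and the sample users, path and times are constructed.

```powershell
# Added example: field names are those carried in the 4688/4689 EventData.
function ConvertTo-ProcRecord {
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $d = @{}   # named fields are only exposed through the event XML
        foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $start = $Record.Id -eq 4688
        [pscustomobject]@{
            Time   = $Record.TimeCreated
            Kind   = if ($start) { 'Start' } else { 'Stop' }
            User   = $d['SubjectUserName']
            ProcId = if ($start) { $d['NewProcessId'] } else { $d['ProcessId'] }
            Image  = if ($start) { $d['NewProcessName'] } else { $d['ProcessName'] }
        }
    }
}

function Join-ProcLifetime {
    param([object[]] $Records)
    $open = @{}   # process ID -> start record still waiting for its exit event
    foreach ($r in @($Records | Sort-Object Time)) {
        $prev = $open[$r.ProcId]
        $open.Remove($r.ProcId)
        if ($prev) {
            # A stop closes the run. A second start on the same ID means the ID was
            # reused and the earlier exit was not logged: report it with no end time.
            $end = if ($r.Kind -eq 'Stop') { $r.Time } else { $null }
            [pscustomobject]@{ User = $prev.User; Image = $prev.Image; Start = $prev.Time; End = $end }
        }
        if ($r.Kind -eq 'Start') { $open[$r.ProcId] = $r }
    }
    # No exit event yet: still running, or process termination is not audited.
    foreach ($s in $open.Values) {
        [pscustomobject]@{ User = $s.User; Image = $s.Image; Start = $s.Time; End = $null }
    }
}

# Live use, from an elevated prompt on the server:
#   Join-ProcLifetime (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4689} | ConvertTo-ProcRecord)
# Constructed sample records (users, path and times are made up) so this runs offline:
$t = [datetime]'2023-04-18T05:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t;                Kind = 'Start'; User = 'alice'; ProcId = '0x1a2c'; Image = 'C:\Apps\timeclock.exe' }
    [pscustomobject]@{ Time = $t.AddMinutes(5);  Kind = 'Start'; User = 'bob';   ProcId = '0x2b10'; Image = 'C:\Apps\timeclock.exe' }
    [pscustomobject]@{ Time = $t.AddMinutes(10); Kind = 'Stop';  User = 'alice'; ProcId = '0x1a2c'; Image = 'C:\Apps\timeclock.exe' }
    [pscustomobject]@{ Time = $t.AddMinutes(20); Kind = 'Start'; User = 'carol'; ProcId = '0x1a2c'; Image = 'C:\Apps\timeclock.exe' }
    [pscustomobject]@{ Time = $t.AddMinutes(21); Kind = 'Stop';  User = 'carol'; ProcId = '0x1a2c'; Image = 'C:\Apps\timeclock.exe' }
)
Join-ProcLifetime $sample | Sort-Object Start | Format-Table -AutoSize
```

Rows with an empty End column are the sessions that started the program and never logged an exit, which is the case the original question is trying to find.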

Commando__
Senior Member
744
05-08-2023, 03:11 AM
#4
Thanks! I'll give it a shot and let you know if it helps.