Audit process creation events

Using standard Windows auditing mechanisms, you can log all process creation events. This also works in the Home editions of Windows.

  1. Enable auditing for process creation events:
  2. Enable the Include command line in process creation events feature:
    enable-command-line.reg

Every log message will contain this very verbose explanation:

This is particularly distracting when querying the event log from PowerShell. The following PowerShell function therefore strips the explanation from each message:

Get-ProcessAuditEvents.ps1

Use this function as follows:

You can also easily filter the events:
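As an added example (not the page's own Get-ProcessAuditEvents.ps1), here is a PowerShell function that reads process-creation events (Security log, event ID 4688), drops the trailing explanation and returns the useful fields as object properties, so filtering is a plain Where-Object. It assumes the explanation paragraph in every 4688 message begins with the sentence "Token Elevation Type indicates"; the function name and parameters are my own.

```powershell
# Added example, not the page's Get-ProcessAuditEvents.ps1. Reads Security event 4688
# (process creation) entries, strips the boilerplate explanation from the message text
# and exposes the EventData fields as properties so they can be filtered easily.
function Get-ProcessCreationEvent {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 100,
        [datetime]$StartTime = (Get-Date).AddHours(-1)
    )

    # Assumption: the explanatory text appended to every 4688 message starts with
    # this sentence; everything from that point on is removed.
    $explanationStart = 'Token Elevation Type indicates'

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime }
    # SilentlyContinue: Get-WinEvent reports an error when no matching events exist.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named EventData fields are more reliable than parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $msg = $_.Message
            $idx = $msg.IndexOf($explanationStart)
            if ($idx -ge 0) { $msg = $msg.Substring(0, $idx).TrimEnd() }

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                User          = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                NewProcess    = $data['NewProcessName']
                CommandLine   = $data['CommandLine']       # empty unless command-line logging is enabled
                ParentProcess = $data['ParentProcessName'] # present on Windows 10 / Server 2016 and later
                Message       = $msg
            }
        }
}

# Usage: show processes started from cmd.exe in the last hour. Reading the Security log
# requires an elevated PowerShell session.
Get-ProcessCreationEvent | Where-Object { $_.ParentProcess -like '*\cmd.exe' } |
    Format-Table TimeCreated, User, NewProcess, CommandLine -AutoSize
```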