All programs you run in Windows in one way or another leave a trace in the system, and this applies not only to installed, but also to portable applications. Traces of launching programs remain in the form of logs, history of actions, registry keys, and prefetching files.
In fact, Windows has a simpler and more convenient solution – audit policies. Once the setting is activated, Windows will automatically create informative entries in the system event log every time you run an executable file of this or that program.
To do this:
- Press the “Win+R” shortcut and run the “gpedit.msc” command to open the “Local Group Policy Editor”.
- From the menu on the left, go to “Computer Configuration” → “Windows Configuration” → “Security Settings” → “Local Policies” → “Audit Policy”.
- Open the “Process Tracking Audit” option, check the “Success” checkbox, and apply the settings.
To read the audit records, open the system event log with the “Win+R” keys and the “eventvwr.msc” command. Go to “Windows Logs” → “Security”. Events under the code 4688 will indicate that processes are running. You can use the “Current Log Filter” to sort the events by this code.