Every program you run in Windows leaves a trace in the system in one way or another, and this applies to portable applications as well as installed ones. Traces of program launches remain in the form of logs, action history, registry keys, and Prefetch files.
In fact, Windows has a simpler and more convenient solution: audit policies. Once the setting is activated, Windows automatically writes an informative entry to the system event log every time a program's executable file is run.
To do this:
- Press the "Win+R" shortcut and run the "gpedit.msc" command to open the "Local Group Policy Editor".
- From the menu on the left, go to "Computer Configuration" → "Windows Configuration" → "Security Settings" → "Local Policies" → "Audit Policy".
- Open the "Process Tracking Audit" option, check the "Success" checkbox, and apply the settings.
To read the audit records, open the system event log by pressing "Win+R" and running the "eventvwr.msc" command. Go to "Windows Logs" → "Security". Events with the code 4688 indicate that a process was started. You can use the "Current Log Filter" to filter the events by this code.
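
The same procedure from an elevated PowerShell prompt, as an added example that is not part of the original article: it turns on success auditing for process creation, then reads the 4688 events from the Security log and summarizes which executables were launched. The function name `Get-ProcessLaunch` and the 24-hour window are assumptions, and it is assumed that the English subcategory name "Process Creation" is the part of process tracking that produces event 4688.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.

# Command-line counterpart of ticking "Success" in the audit policy.
# Assumption: English-language Windows; the subcategory name is localized elsewhere.
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null

function Get-ProcessLaunch {   # hypothetical helper name
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches, so suppress that case.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named fields live in the event XML; index them by name.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Image       = $data['NewProcessName']
                Parent      = $data['ParentProcessName']  # missing on older Windows versions
                CommandLine = $data['CommandLine']        # empty unless command-line auditing is enabled separately
            }
        }
}

# One row per executable: launch count, first and last time seen.
Get-ProcessLaunch |
    Group-Object Image |
    ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        [pscustomobject]@{
            Image     = $_.Name
            Launches  = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } |
    Sort-Object Launches -Descending |
    Format-Table -AutoSize
```

Only launches that happen after auditing is enabled appear in the output, and the oldest entries disappear once the Security log reaches its size limit and wraps.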