Question How to get a list of "tasks" executed as "cmd" windows opened/closed automatically?

[Manuel Jordan]

Hello

In Windows 11 Home (and even 10)

Sometimes is opened automatically one cmd window to do a task (mostly an update) and it is closed by itself. It takes around 2/3 seconds. It is a quick event

Question

• How to get a list of "tasks" executed as "cmd" windows opened/closed automatically?

Thank You

 

[USAFRet]

What is this CMD window running?
What task?

If this is not something you invoked, I'd be very suspicious.

 

[Manuel Jordan]

What is this CMD window running?

The Command Prompt window

What task?

That is the reason of this question . I want to know what task was executed

 

[Cilantro7536]

I think you are talking about any executables that output to the console windows. AFAIK, there isn't a list keeping track of all executed files. If the console windows show after login following an update, they are most likely parts of the update. If they show regularly but unexpectedly, these might be problems.

The only (tedious) ways I know to check are:

1. Look through startup files using tools like Microsoft internals' Autoruns.
2. Check Windows Scheduler's Run Start/Run End/Triggers time via "Task Scheduler (Local) > Task Status/Active Tasks."

If you can't locate the culprits and you are suspicious, BleepingComputer's malware removal help forum might be able to help you spot the unexpected task.

 

[Manuel Jordan]

I think you are talking about any executables that output to the console windows.

Yes, when you either startup the laptop or suddenly it appears from nothing (it happened 1 day after of a bios update)

AFAIK, there isn't a list keeping track of all executed files

Oh I see

If the console windows show after login following an update, they are most likely parts of the update. If they show regularly but unexpectedly, these might be problems.

Yes, normally about that, and even after of a bios update

1. Look through startup files using tools like Microsoft internals' Autoruns.
2. Check Windows Scheduler's Run Start/Run End/Triggers time via "Task Scheduler (Local) > Task Status/Active Tasks."

Thank You

If you can't locate the culprits and you are suspicious, BleepingComputer's malware removal help forum might be able to help you spot the unexpected task.

Understood

Thanks for the support

 

[Ralston18]

@Manuel Jordan

As I understand the requirements you want to capture, know, and/or record every time a *.exe file is launched - is that correct?

You can look, as has been mentioned, in Task Manager > Startup and also Task Scheduler for applications being launched at start up or lated via some trigger.

However, the requirement is to discover when any application (*.exe) has been opened especially if that occurred via the Command Window.

= = = =

You can look in Reliability History/Monitor and Event viewer for error codes, warnings, and even informational events being logged when processes are started and stopped.

Event Viewer permits customized filters. However, I am not sure (full disclosure) about flagging tasks that were specifically launched via cmd (Command Window). That may take a bit of trial and error to work out.

The requirement likely being achievable using Powershell.

Likely some PS script (with admin rights) running in the background (launched at startup) that watches for the Command Window (cmd.exe) being opened and then starts recording what is entered and/or run thereafter.

Or use the Get-EventLog cmdlet to search the Event Viewer logs looking for occurences of "*.exe"

FYI:

https://learn.microsoft.com/en-us/p...l.management/get-eventlog?view=powershell-5.1

You may need to use Get-Process in some manner as well to watch for when cmd.exe is run. That may be much more cumbersome to achieve. TBD.

Focus first on simply finding the required log entries and then, second, work on the presentation of that information.

Powershell permits "piping" cmdlet results (the list) to screen/display, printers, or files.

= = = =

And do not forget: There is also a Windows Update History file.