How to identify a quick finishing process?

  • Question

  • Hi,

    first the actual problem: I am trying to identify a process or tool which is started at my Windows 10 Pro system now and then. It captures the focus and pushes other fullscreen applications (e.g. games) in the background by minimizing them. The task bar shows an icon for not more than one second until it disappears (for reference, the icon has an orange background and something resembling a star in foreground). I assume that this may be some auto updater or the like but I can neither identify the icon nor link software to that behavior.

    How would I proceed with Process Explorer to identify the nasty application? I assume that I have to run it all the time which is okay for me, of course. Can I list recently active / started processes somehow?

    Thursday, November 12, 2020 11:57 AM

All replies

  • Process explorer shows the program's icon next to the name. Autoruns does the same. Look for the star icon.

    https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

     
    Thursday, November 12, 2020 11:55 PM
  • Hi,

    I checked both but the icon is not shown there. I went through the whole list and I do not see anything I would relate to the app. Is there any way to see what was running or started at a given time?

    Friday, November 13, 2020 2:19 PM
  • You could enable auditing in Windows to track process creation. 

    It would probably be easier to download Process Monitor from the Sysinternals web site and use that to filter on process start and exit events. Then recreate the error (if you can).

    Be sure to select the option to "Drop Filtered Events" because procmon will capture LOTS of events. 

    Friday, November 13, 2020 2:36 PM
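
The auditing route mentioned in the reply above, as an added example that is not part of the original thread: with process creation and termination auditing enabled, Security events 4688 and 4689 can be paired to list processes that lived only a few seconds, together with the parent that launched them. The function names and the sample records are hypothetical and constructed for illustration.

```powershell
# Added example, not from the thread. One-time setup from an elevated prompt:
#   auditpol /set /subcategory:"Process Creation" /success:enable
#   auditpol /set /subcategory:"Process Termination" /success:enable
function ConvertFrom-ProcessAuditEvent {
    # Flatten a Security-log 4688 (start) or 4689 (exit) record.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = @{}
        foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $isStart = $Record.Id -eq 4688
        [pscustomobject]@{
            Time   = $Record.TimeCreated
            Id     = $Record.Id
            ProcId = if ($isStart) { $d.NewProcessId } else { $d.ProcessId }
            Image  = if ($isStart) { $d.NewProcessName } else { $d.ProcessName }
            Parent = $d.ParentProcessName   # only present on 4688
        }
    }
}

function Find-ShortLivedProcess {
    # Pair each start with the next exit of the same PID and image path.
    param([object[]] $Records, [double] $MaxSeconds = 5)
    $open = @{}
    foreach ($r in ($Records | Sort-Object Time)) {
        $key = "$($r.ProcId)|$($r.Image)"
        if ($r.Id -eq 4688) { $open[$key] = $r; continue }
        if (-not $open.ContainsKey($key)) { continue }   # started before the window
        $start = $open[$key]; $open.Remove($key)
        $life = ($r.Time - $start.Time).TotalSeconds
        if ($life -le $MaxSeconds) {
            [pscustomobject]@{ Started = $start.Time; Seconds = $life
                               Image = $start.Image; Parent = $start.Parent }
        }
    }
}

# Constructed sample records (not real log data), already flattened.
$t = Get-Date '2020-11-13 14:00:00'
$sample = @(
    [pscustomobject]@{ Time = $t;                Id = 4688; ProcId = '0x1a2c'; Image = 'C:\Example\notifier.exe'; Parent = 'C:\Example\updater.exe' }
    [pscustomobject]@{ Time = $t.AddSeconds(1);  Id = 4689; ProcId = '0x1a2c'; Image = 'C:\Example\notifier.exe'; Parent = $null }
    [pscustomobject]@{ Time = $t.AddSeconds(2);  Id = 4688; ProcId = '0x2b10'; Image = 'C:\Example\game.exe';     Parent = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = $t.AddSeconds(90); Id = 4689; ProcId = '0x2b10'; Image = 'C:\Example\game.exe';     Parent = $null }
)
Find-ShortLivedProcess -Records $sample

# Live use (elevated): Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4689;
#   StartTime=(Get-Date).AddHours(-1)} | ConvertFrom-ProcessAuditEvent, then pass the result as -Records.
```

Process IDs are reused over time, which is why the pairing key includes the image path as well as the PID.
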
  • Always in Process Monitor you can use the Process Tree feature. You can easily spot short-lived processes and jump directly to them.

    HTH
    -mario

    Sunday, November 15, 2020 8:56 AM
  • That looks like the tool I need. I would like to run it after logon since I always forget to start it up. Unfortunately all Google search hits point to its boot logging feature which I do not need. Any hints to have it started after login are appreciated.
    Sunday, November 15, 2020 11:01 AM
  • Launch PM and set the filter and start the capture. Then export the configuration. Create a StartPM.bat file with these contents.

    c:\utils\procmon.exe /loadconfig c:\utils\ProcmonConfiguration.pmc /quiet /backingfile c:\temp\procmon.pml

    Next create a scheduled task that runs the .bat when you log on. You will have to check the "run with highest privileges" option to bypass the UAC prompt.

    Use the folder and file names that you prefer.

    Sunday, November 15, 2020 3:01 PM