In 2014 Sysinternals released a new tool, Sysmon, which logs every process creation and every change to a file's creation time.
It writes its entries to the Windows event log under Microsoft-Windows-Sysmon/Operational.
I wrote a basic script to show me the most used executables on my system.
Save the code below into a file named sysmonstats.ps1 and run it. By default it looks at all events and shows the top 10, but you can change both with the -lastNEvents and -topNResults parameters.
The result looks like this:
```
Count Name
----- ----
 2865 C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe...
 2541 C:\WINDOWS\system32\conhost.exe...
 2082 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe...
 2079 C:\Program Files (x86)\Google\Chrome\Application\chrome.e...
 1701 C:\WINDOWS\SysWOW64\find.exe...
 1140 C:\WINDOWS\system32\SearchFilterHost.exe...
 1101 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.ex...
 1089 C:\WINDOWS\system32\SearchProtocolHost.exe...
  954 C:\WINDOWS\system32\DllHost.exe...
  828 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe...
```
Here's the script.
```powershell
param(
    [int32]$lastNEvents = [Int32]::MaxValue,
    [int32]$topNResults = 10
)

Write-Host "querying the sysmon event log, this may take a while, please be patient"

# Event ID 1 is Sysmon's process-creation event; we only need its message text.
$logRecords = Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational |
    Where-Object { $_.Id -eq 1 } |
    Select-Object -First $lastNEvents |
    Select-Object -Property Message

# Pull the Image, ParentImage and IntegrityLevel lines out of each message.
# Trim() drops the trailing carriage return that (.+) captures from the CRLF message.
$myArray = foreach ($LogEntry in $logRecords) {
    $pso = New-Object psobject
    $LogEntry.Message -match "Image: (.+)" | Out-Null
    $pso | Add-Member -MemberType NoteProperty -Name Image -Value $matches[1].Trim()
    $LogEntry.Message -match "ParentImage: (.+)" | Out-Null
    $pso | Add-Member -MemberType NoteProperty -Name Parent -Value $matches[1].Trim()
    $LogEntry.Message -match "IntegrityLevel: (.+)" | Out-Null
    # Emit each record exactly once: -PassThru on every Add-Member would put the
    # same object into $myArray three times and triple every count below.
    $pso | Add-Member -MemberType NoteProperty -Name IntegrityLevel -Value $matches[1].Trim() -PassThru
}

Write-Host "Top Executables:" -ForegroundColor yellow
$myArray | Group-Object -Property Image -NoElement |
    Sort-Object -Property Count -Descending |
    Select-Object -First $topNResults | Format-Table -AutoSize

Write-Host "Top Parents:" -ForegroundColor yellow
$myArray | Group-Object -Property Parent -NoElement |
    Sort-Object -Property Count -Descending |
    Select-Object -First $topNResults | Format-Table -AutoSize

Write-Host "Integrity Levels:" -ForegroundColor yellow
$myArray | Group-Object -Property IntegrityLevel -NoElement |
    Sort-Object -Property Count -Descending
```
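The same frequency-counting idea turned around for triage, as an added example that is not the post's script: instead of the most common images, it stacks parent/child pairs and lists the rarest ones, which is where odd process chains tend to surface. It reads the fields from each event's XML (the Data elements Sysmon writes under EventData) rather than regex-matching the rendered message; the function name and parameter defaults are my own choices.

```powershell
# Added example: stack Sysmon event ID 1 parent -> child image pairs and
# surface the least frequent ones. Not the original post's script.
param(
    [int32]$lastNEvents = 5000,
    [int32]$rarestN     = 15
)

# Return one named field from a Sysmon event's EventData block. The XML is
# more robust than the Message text: field order and labels can change
# between Sysmon versions, but the Data Name attributes stay put.
function Get-SysmonField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data |
        Where-Object { $_.GetAttribute('Name') -eq $Name }).'#text'
}

Write-Host "querying the sysmon event log for process creations (ID 1)"
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
} -MaxEvents $lastNEvents

# One record per process creation: who launched what, and as which user.
$pairs = foreach ($e in $events) {
    [pscustomobject]@{
        Parent = Get-SysmonField -Event $e -Name 'ParentImage'
        Image  = Get-SysmonField -Event $e -Name 'Image'
        User   = Get-SysmonField -Event $e -Name 'User'
    }
}

# Group on both columns and sort ascending so the rare pairs come first.
Write-Host "Rarest parent -> child pairs:" -ForegroundColor yellow
$pairs |
    Group-Object -Property Parent, Image |
    Sort-Object -Property Count |
    Select-Object -First $rarestN |
    ForEach-Object {
        [pscustomobject]@{
            Count  = $_.Count
            Parent = $_.Group[0].Parent
            Image  = $_.Group[0].Image
            Users  = ($_.Group.User | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize -Wrap
```

A pair that appears once, from a parent such as an Office or browser process, deserves a second look; the Users column shows whether it came from an interactive account or a service.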