Process Tracking

<< Click to Display Table of Contents >>

Navigation:  Monitoring with EventSentry > Compliance Tracking >

Process Tracking

Process Tracking will record all process activity (process creation, process exit) in a central database and is intended to monitor application usage on workstations in high-security environments. The collected information can be queried through the web interface to obtain tracking data, history, statistics etc..



This feature works by intercepting Audit Success events that are written to the security event log when Audit Process Tracking is enabled in the Local Security Policy of the monitored host. As such, some requirements need to be met before process tracking can function properly. Please see requirements for details.


Collected Data

EventSentry will collect the following process information on all supported Windows platforms:




Process Identifier


Parent Process Identifier

PID of parent process


name of file executed (without path)

File Path

path of the file execute *(please see below)


username of user who executed process


domain (or computername) of user who executed the process

Start Date / End Date

date and time when process was launched and exited


the time the process was active

Token elevation

the process token elevation, indicates the elevation level of a process on a system where UA is enabled

Command Line

the command line of the process


indicates that the duration could not be determined correctly, and as such the duration is unreliable


The amount of details of the File Path field depend on the Operating System the agent is running. The following table illustrates this:


Operating System

Supported Details

Windows NT (all versions)

not supported, field is empty

Windows 2000 (all versions)

contains path to executable without logical drive information

Windows XP and later

contains path to executable including logical drive information



Process Tracking does not collect which documents have been opened, it does also not collect command line arguments that were passed to processes.


Since collecting process information does track a users activity to some extend, you will still need to make sure that collecting this information does not interfere or violate any corporate policies or laws in place.



Tracking All Processes (with exceptions)

Select "Track all processes except those listed below" to monitor all processes. To exclude processes click the + button and specify the filename (without path) of the process to exclude.


Tracking only selected Processes

Select "Only track processes listed below" and click the + button to add processes that should be monitored to the list.


Capture command line of processes

You can capture the command line of processes with this option. Obtaining the command line of a process is only possible while the process is running, and as such will not work for processes whose duration is very short (e.g. < 2 seconds). Activating this option might incur a small performance overhead.



Security Warning: Use this option with care, command line arguments may include sensitive information such as usernames and passwords.


Enabling Process Tracking in the OS

Since process tracking needs to be enabled in the Operating System you can configure the agent to active it automatically if it isn't already activated. Please see requirements for more information.


database_sql_16 Database

Select the ODBC action which points to the correct database.


Additional Features

If the database specified by the ODBC action is temporarily unavailable, then EventSentry will cache the pending process tracking data and run the transactions when the database server becomes available again.