PE Capture Service is able to capture PE files loaded in the system: http://www.novirusthanks.org/products/pe-capture-service/

Code:
[21-May-2017] v1.1.0.0
+ Added option to delete log files older than N days
+ Added option to delete intercepted PE files older than N days
+ By default, delete logs older than 30 days
+ By default, delete intercepted PE files older than 30 days
+ Intercepted PE files are saved as %md5filehash%.file

[13-Feb-2016] v1.0.0.0
+ Initial release
After starting a simple application (Notepad3) I can see this in the logfile:

Code:
25.05.2017 13:49:27 C:\Program Files\Notepad3\Notepad3.exe 9F6D6782268E16AD036B43ACD8DD70F2
25.05.2017 13:49:28 C:\Windows\System32\hmpalert.dll 01BAAD5475E0C6DE3F4C62ABB1B55304
25.05.2017 13:49:29 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.17359_none_4188b989718cf1c6\comctl32.dll 9CCDE92BDACC2D39EA86C91BA2A0042A

And these files were captured ("Intercepted PE files are saved as %md5filehash%.file").

The capturing of files can be turned off (EnableCapture = n); now it is only logging.

I noticed that subsequent executions of applications are not logged. I executed VeraCrypt 5 times, but I can only see the first one:

Code:
25.05.2017 15:07:05 C:\Program Files\VeraCrypt\VeraCrypt.exe 61212B2F271DC1818BFB7412A5ED20AA

After a restart of the service and executing VeraCrypt I can see it again in the logfile. It seems the information about executions is cached and is therefore only shown one time.
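The log format shown in the post (date, time, path, MD5, one PE per line) and the %md5filehash%.file naming of the captured copies lend themselves to a small triage script. The following is an added example, not code from the thread or from NoVirusThanks: it parses lines in that format, builds an index keyed by hash, and re-hashes each captured file to confirm its name matches its content. The sample log text and the capture directory are constructed here (the capture directory is a temporary folder with stand-in bytes, not real PE files); the only real values are the paths and hashes quoted in the post. Because, as the post observes, the service logs a given PE only once per service run, the index treats repeated hashes as repeated locations rather than as execution counts.

```python
import hashlib
import os
import re
import shutil
import tempfile
from collections import namedtuple
from datetime import datetime

# Constructed sample log in the "DD.MM.YYYY HH:MM:SS <path> <MD5>" form seen in the post.
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
25.05.2017 13:49:27 C:\\Program Files\\Notepad3\\Notepad3.exe 9F6D6782268E16AD036B43ACD8DD70F2
25.05.2017 13:49:28 C:\\Windows\\System32\\hmpalert.dll 01BAAD5475E0C6DE3F4C62ABB1B55304
25.05.2017 15:07:05 C:\\Program Files\\VeraCrypt\\VeraCrypt.exe 61212B2F271DC1818BFB7412A5ED20AA
this line is not a log entry
"""

# Stand-in bytes for a captured file (constructed; not a real PE image).
CONSTRUCTED_PE = b"MZ constructed stand-in for a captured PE file"
GOOD_MD5 = hashlib.md5(CONSTRUCTED_PE).hexdigest().upper()

# Path may contain spaces, so anchor on the 32-hex-digit hash at the end of the line.
LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (.+) ([0-9A-Fa-f]{32})$")

Entry = namedtuple("Entry", "timestamp path md5")


def parse_log(text):
    """Return Entry records for every well-formed line; malformed lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        entries.append(Entry(ts, m.group(2), m.group(3).upper()))
    return entries


def index_by_hash(entries):
    """Map MD5 -> list of paths. The service logs each PE once per service run,
    so several entries for one hash mean several locations, not several executions."""
    index = {}
    for e in entries:
        index.setdefault(e.md5, []).append(e.path)
    return index


def verify_captures(entries, capture_dir):
    """For each entry look for <MD5>.file in capture_dir and re-hash it.
    Returns {md5: 'ok' | 'missing' | 'mismatch'}; 'mismatch' flags a capture whose
    content no longer matches its name (truncated, overwritten or tampered)."""
    result = {}
    for e in entries:
        p = os.path.join(capture_dir, e.md5 + ".file")
        if not os.path.isfile(p):
            result[e.md5] = "missing"
            continue
        with open(p, "rb") as f:
            actual = hashlib.md5(f.read()).hexdigest().upper()
        result[e.md5] = "ok" if actual == e.md5 else "mismatch"
    return result


def demo():
    """Build a constructed capture directory and run the checks against it:
    one correctly named capture, one capture whose content does not match its
    name (the Notepad3 hash), and log entries with no capture at all."""
    capture_dir = tempfile.mkdtemp(prefix="pecapture_demo_")
    try:
        with open(os.path.join(capture_dir, GOOD_MD5 + ".file"), "wb") as f:
            f.write(CONSTRUCTED_PE)
        with open(os.path.join(capture_dir, "9F6D6782268E16AD036B43ACD8DD70F2.file"), "wb") as f:
            f.write(b"wrong content for this name")  # constructed mismatch
        log = SAMPLE_LOG + "25.05.2017 15:10:00 C:\\Temp\\constructed.exe " + GOOD_MD5 + "\n"
        entries = parse_log(log)
        return verify_captures(entries, capture_dir)
    finally:
        shutil.rmtree(capture_dir, ignore_errors=True)


if __name__ == "__main__":
    for md5, status in demo().items():
        print(md5, status)
```

Run it as a script to see one "ok", one "mismatch" and two "missing" results. Note that a "missing" result is expected whenever EnableCapture = n, since the service then only logs; the mismatch check is the one worth scheduling, because it tells you whether the stored copies can still be trusted as evidence.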