martshep
I just wanted to make sure you are aware of the limitations of logging processes with WMI. You defined the WMI query as: "SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE...
We used it for a while in another context before realizing how it actually worked, which is why I mentioned it. We backed off from using a 1-second polling interval...
I just ran across something that might be better than the WMI method you currently have without requiring sysmon - https://docs.microsoft.com/en-au/previous-versions/windows/desktop/krnlprov/win32-processtrace looks like it hooks into process creation tracing rather...
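To make the difference concrete, here is an added PowerShell example (not code from the thread or its poster) that registers both kinds of subscription side by side: the polled `__InstanceCreationEvent WITHIN 1` query from the first comment, and the trace-backed `Win32_ProcessStartTrace` class (a child of the `Win32_ProcessTrace` class linked above). It assumes a Windows host with PowerShell 3 or later and an elevated session, which the trace class requires; the source identifiers and the throwaway `cmd.exe /c exit` process are constructed for the demonstration.

```powershell
# Added example: polled vs. trace-driven process-start logging from PowerShell.
# Assumes Windows, PowerShell 3+ and an elevated session (Win32_ProcessStartTrace needs admin).

# 1) Polled subscription. WMI snapshots Win32_Process every WITHIN seconds and diffs
#    the snapshots, so a process that starts and exits inside that window is never reported.
$pollQuery = "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process'"
Register-CimIndicationEvent -Query $pollQuery -SourceIdentifier 'ProcPoll' -Action {
    $p = $Event.SourceEventArgs.NewEvent.TargetInstance
    Write-Host ("[poll]  PID {0} {1}" -f $p.ProcessId, $p.Name)
}

# 2) Trace subscription. Win32_ProcessStartTrace is an extrinsic event class fed by the
#    kernel's process tracing, so there is no WITHIN clause and no polling gap; short-lived
#    processes are reported too, with the parent PID already attached.
$traceQuery = "SELECT * FROM Win32_ProcessStartTrace"
Register-CimIndicationEvent -Query $traceQuery -SourceIdentifier 'ProcTrace' -Action {
    $e = $Event.SourceEventArgs.NewEvent
    Write-Host ("[trace] PID {0} parent {1} {2}" -f $e.ProcessID, $e.ParentProcessID, $e.ProcessName)
}

# Show the gap: spawn a process that exits almost immediately. Expect it to appear in the
# [trace] output but usually not in the [poll] output.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c exit' -WindowStyle Hidden
Start-Sleep -Seconds 3   # give both subscriptions time to deliver

Unregister-Event -SourceIdentifier 'ProcPoll'
Unregister-Event -SourceIdentifier 'ProcTrace'
```

Run it a few times; the polled subscription will occasionally catch the short-lived process when the snapshot happens to land while it is alive, which is exactly the non-deterministic coverage the first comment warns about.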