4

One of my co-workers loses focus on his current window every 5 minutes or so. Now I'm wondering which process steals the focus.

I found this cool application focus.exe which will list the current foreground window - the window which has the focus.

Whenever the focus was stolen, the program printed this information:

9524:Could not open process | Wed Oct 18 14:57:15 2017
19304:Could not open process | Wed Oct 18 14:57:15 2017

As you can see, the focus gets stolen by a process that could not be opened, so this information doesn't help me that much. What helps me is that it still logs the process's PID.

So I wrote a little PowerShell one-liner which should catch every new process that gets created and output the process information:

$p = ps ; while (1) { ps | ? { $_.id -notin $p.Id } ; sleep -milliseconds 1 }

But this didn't catch any of the PIDs focus.exe pointed out.

How can I catch processes that couldn't be opened, but still got a PID?

SimonS
  • Could look through PID history via Process Tracking instead of attempting to catch them at spawn https://superuser.com/questions/1052541/how-can-i-get-a-history-of-running-processes. Tough to judge the accuracy of `focus.exe` since the source doesn't appear to be available. – root Oct 18 '17 at 13:57
  • @root that would've probably been a better solution than mine – SimonS Oct 18 '17 at 14:05
  • @Facebook yes, Event Viewer didn't log anything, unfortunately – SimonS Oct 18 '17 at 14:06

1 Answer

3

OK, I got it. The PID just didn't get recognized because PowerShell printed so much that it got overwritten. So when I just out-file'd the new processes, I could see the PID in the log.

$p = ps ; while (1) { ps | ? { $_.id -notin $p.Id } | out-file C:\install\PID.txt -append ; sleep -milliseconds 1 }

The focus-stealing process was a background task of Avira, btw. :)

Edit: here is a solution without writing a log file. I just needed to update $p so each new process only gets printed once:

$p = ps ; while (1) { ps | ? { $_.id -notin $p.Id } ; $p = ps ; sleep -milliseconds 1 }
SimonS
  • @Facebook I did that very unprofessionally beforehand: I just copied the whole PowerShell buffer into a text file and searched for the PIDs focus.exe put out. Since the buffer was too small, the PIDs were already overwritten. In the flat file everything was logged, so I was able to search for the PID with `Ctrl+F` – SimonS Oct 18 '17 at 14:04
  • Just saying, this solution created a 25 MB text file within 5 minutes, so if you need to do the same, keep that in mind – SimonS Oct 18 '17 at 14:08
  • @Facebook I don't think you can add any more logic, since you don't know which PIDs you're looking for until focus.exe prints them – SimonS Oct 19 '17 at 12:09
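A polling loop with a 1 ms sleep can still miss a process that starts and exits between two `ps` calls, and once the process is gone its name can no longer be resolved from the PID. The script below is an added example, not part of the original question or answer: it subscribes to WMI process-start events instead of polling, so every new process is recorded with PID, name and parent PID the moment it appears, and the PIDs that focus.exe prints can be looked up in the log afterwards. It assumes an elevated session (Win32_ProcessStartTrace needs administrator rights) and reuses the answer's log path as an assumed location.

```powershell
# Added example: event-driven process-start logger (not from the original post).
# Assumes an elevated PowerShell session; the log path is an assumed value.
$LogPath = 'C:\install\PID.txt'

# Register a CIM event subscription for Win32_ProcessStartTrace. The -Action
# block runs for every process start; $Event.SourceEventArgs.NewEvent holds
# the event instance with ProcessID, ProcessName and ParentProcessID.
$subscription = Register-CimIndicationEvent -ClassName 'Win32_ProcessStartTrace' `
    -SourceIdentifier 'ProcStartWatch' -MessageData $LogPath -Action {
        $e    = $Event.SourceEventArgs.NewEvent
        $path = $Event.MessageData

        # The parent may already have exited (short-lived launcher), so resolve
        # its name on a best-effort basis and fall back to a placeholder.
        $parent = Get-Process -Id $e.ParentProcessID -ErrorAction SilentlyContinue
        $parentName = if ($parent) { $parent.ProcessName } else { '<exited>' }

        # One line per process start, with a millisecond timestamp so it can be
        # correlated with the "Could not open process | <time>" lines of focus.exe.
        $line = '{0:yyyy-MM-dd HH:mm:ss.fff} PID={1} Name={2} ParentPID={3} Parent={4}' -f `
            (Get-Date), $e.ProcessID, $e.ProcessName, $e.ParentProcessID, $parentName
        Add-Content -Path $path -Value $line
    }

Write-Host "Watching process starts; logging to $LogPath. Press Ctrl+C to stop."
try {
    # Keep the session alive; the subscription does the work in the background.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    # Tear the subscription down so it does not outlive the script.
    Unregister-Event -SourceIdentifier 'ProcStartWatch' -ErrorAction SilentlyContinue
    Remove-Job $subscription -Force -ErrorAction SilentlyContinue
}
```

Once focus.exe has reported a PID, `Select-String -Path $LogPath -Pattern 'PID=9524\b'` returns the matching line, including the parent that launched it, even if the process itself is long gone.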