Can anyone suggest the best way to detect a short lived process on windows ?

hey @Bhargav koduru, for something this, an evented table (a la

process_events

) is the way to go, this doesn’t exist right now for Windows, but is actively worked on https://github.com/osquery/osquery/pull/7821

I believe you can turn on process auditing in Windows and collect the event log

Thanks for the suggestions guys @sharvil @Mike Myers