How to detect whether a process is running for more than X seconds/minutes
- Create event log package labeled "Long Running Process"
- Create an include filter in that package labeled “Process Creation”:
To monitor a specific process, click the (+) button under the “Content Filter & Notes” section and select ‘Insertion string six matches’ and then add the process, for example:
C:\Program Files (x86)\Notepad++\notepad++.exe
- Create an include filter in that package labeled “Process Termination”:
**NOTE: **The same content filter should be added to this filter only this time, it is insertion string seven.
C:\Program Files (x86)\Notepad++\notepad++.exe
Going back to the “Process Creation” filter, click the “Timers” tab, then check “Enable Timer” and in the “Timeout”, you can select the maximum you want that process running before getting alerted. In this example, we will use two minutes.
Below that, click the (+) and add the “Process Termination” filter as the filter to clear the timer.
In the “Insertion Strings” section, click the (+) and add five-six (this is the ‘Process ID’). In this example, if the process “Notepad++.exe” runs for longer than two minutes we will receive an email. However, using the timer filter, if this process is terminated before those two minutes, our process termination filter will clear that timer and we will not receive an alert.
Right-click the package "Long Running Process" and assign it to the correct machines and save.
