starred/terminal
1
0
Fork 0
mirror of https://github.com/microsoft/terminal.git synced 2026-02-04 05:35:20 +00:00
Code Issues 19.0k Packages Projects Releases 20 Wiki Activity

Option for Terminal to log to Event Viewer (or a logfile in user's homedir) its own process creation+cmdline args (and maybe other useful event types) #20086

New Issue
Closed
opened 2026-01-31 07:03:01 +00:00 by claunia · 5 comments
claunia commented 2026-01-31 07:03:01 +00:00
Owner
Copy Link

Originally created by @vadimkantorov on GitHub (Jun 15, 2023).

Orignally discussed at https://github.com/microsoft/terminal/issues/15001#issuecomment-1565649833

Currently it's not easy to discover what are the Terminals / cmd.exe / conhosts (given that in modern Windows, Terminal subsumed cmd.exe) that are executed by Windows as part of start-up / logon.

Windows Home does not have Group Policy editor and then it's complex to figure out how to filter the correct events for regular users (not Windows system admins)

I propose to have options for proper logging (of cmd.exe / conhost / terminal launch command line arguments and maybe some other events) to Event Viewer or even a text file in user's homedir. Windows PowerShell apparently does have a special topic and logs to Event Viewer (although not many event types are logged there), and Terminal could have its own topic too.

image
Originally created by @vadimkantorov on GitHub (Jun 15, 2023). Orignally discussed at https://github.com/microsoft/terminal/issues/15001#issuecomment-1565649833 Currently it's not easy to discover what are the Terminals / cmd.exe / conhosts (given that in modern Windows, Terminal subsumed cmd.exe) that are executed by Windows as part of start-up / logon. Windows Home does not have Group Policy editor and then it's complex to figure out how to filter the correct events for regular users (not Windows system admins) I propose to have options for proper logging (of cmd.exe / conhost / terminal launch command line arguments and maybe some other events) to Event Viewer or even a text file in user's homedir. `Windows PowerShell` apparently does have a special topic and logs to Event Viewer (although not many event types are logged there), and Terminal could have its own topic too. <img width="238" alt="image" src="https://github.com/microsoft/terminal/assets/1041752/2dc41ee7-be08-4e13-930a-65b1b39c03c6">
claunia added the Issue-FeatureProduct-TerminalArea-ServerResolution-Won't-Fix labels 2026-01-31 07:03:02 +00:00
claunia commented 2026-01-31 07:03:03 +00:00
Author
Owner
Copy Link

@zadjii-msft commented on GitHub (Jun 15, 2023):

I think we actually already tracelog this:

a38388615e/src/cascadia/TerminalConnection/ConptyConnection.cpp (L363-L376)

which is probably lower overhead than event viewer

@zadjii-msft commented on GitHub (Jun 15, 2023): I think we actually already tracelog this: https://github.com/microsoft/terminal/blob/a38388615e299658072f906578acd60e976fe787/src/cascadia/TerminalConnection/ConptyConnection.cpp#L363-L376 which is probably lower overhead than event viewer
claunia commented 2026-01-31 07:03:04 +00:00
Author
Owner
Copy Link

@vadimkantorov commented on GitHub (Jun 15, 2023):

I guess for this to be useful for the enduser, there should be a way for this to apply to all Terminals produced by cmd.exe spun up as part of Windows logon; this should probably write to a user's homedir + there should be an event including the command line arguments.

Writing to a file would solve my original problems, although an option for also sending these traces to ETW might still be useful for people accustomed to Windows ETW - I have no serious opinion about it

@vadimkantorov commented on GitHub (Jun 15, 2023): I guess for this to be useful for the enduser, there should be a way for this to apply to all Terminals produced by cmd.exe spun up as part of Windows logon; this should probably write to a user's homedir + there should be an event including the command line arguments. Writing to a file would solve my original problems, although an option for also sending these traces to ETW might still be useful for people accustomed to Windows ETW - I have no serious opinion about it
claunia commented 2026-01-31 07:03:04 +00:00
Author
Owner
Copy Link

@DHowett commented on GitHub (Jul 19, 2023):

Thanks again for the request!

We met as a team and discussed the merits of offering an alternative channel for logging console application spawning. On the balance, how niche of a request it is didn't justify the risk--to maintainability, to code size, to attack surface--or the engineering time given that there's a mostly serviceable solution already.

TL;DR: I'm rejecting it. That doesn't mean we should stop talking about it!

The event log is by no means perfect, but that config option works on every version of Windows that's in active support (even where Terminal doesn't run!) and produces enough information to diagnose errant console windows.

Technical notes

  • When Terminal is launched on behalf of a console application, it does not receive a copy of that application's commandline.
    • The console application spawns first, and then a Terminal window is provided to it. Unfortunately, it's not as easy as saying "wt was started with foo.exe bar baz as arguments" -- foo.exe already has a process handle and everything! It was running before we were!
    • Terminal may not have the rights to that process handle, and we would like to avoid putting more invasive cross-process stuff into the startup path.
  • Emitting a log file to your home directory under contention (multiple Terminals spawning at once, as is quite common during enterprise managed login scripts) gets us into all the trouble of IPC coordination without many of the nice platform affordances for making it safe
  • Writing to the event log is a choice of last resort; further, I believe (?) that registering a new event log requires admin rights. PowerShell gets by by having an installer; we don't have that luxury unfortunately.

Applicability notes

Any way we could slice it, logging all console process creation is a power user feature rare even among power user features. The existing solutions (event log, etw) aren't perfect, but they're a heck of a lot better than where we were 15 years ago. I'd rather focus our engineering time on things that will impact the broadest set of our userbase 😄

@DHowett commented on GitHub (Jul 19, 2023): Thanks again for the request! We met as a team and discussed the merits of offering an alternative channel for logging console application spawning. On the balance, how niche of a request it is didn't justify the risk--to maintainability, to code size, to attack surface--or the engineering time given that there's a mostly serviceable solution already. **TL;DR**: I'm rejecting it. _That doesn't mean we should stop talking about it_! --- The event log is by no means perfect, but that config option works on every version of Windows that's in active support (even where Terminal doesn't run!) and produces enough information to diagnose errant console windows. ## Technical notes - When Terminal is launched on behalf of a console application, it does not receive a copy of that application's commandline. - The console application spawns _first,_ and then a Terminal window is provided to it. Unfortunately, it's not as easy as saying "wt was started with `foo.exe bar baz` as arguments" -- `foo.exe` already has a process handle and everything! It was running before we were! - Terminal may not have the rights to that process handle, and we would like to avoid putting more invasive cross-process stuff into the startup path. - Emitting a log file to your home directory under contention (multiple Terminals spawning at once, as is quite common during enterprise managed login scripts) gets us into all the trouble of IPC coordination without many of the nice platform affordances for making it safe - Writing to the event log is a choice of last resort; further, I believe (?) that registering a new event log requires admin rights. PowerShell gets by by having an installer; we don't have that luxury unfortunately. ## Applicability notes Any way we could slice it, logging all console process creation is a power user feature rare even _among power user features_. The existing solutions (event log, etw) aren't perfect, but they're a heck of a lot better than where we were 15 years ago. I'd rather focus our engineering time on things that will impact the broadest set of our userbase :smile:
claunia commented 2026-01-31 07:03:04 +00:00
Author
Owner
Copy Link

@vadimkantorov commented on GitHub (Jul 19, 2023):

but they're a heck of a lot better than where we were 15 years ago

I must say, I could not find how to do filtering and so Event Viewer failed with me. I very humbly ask you to ask internal experts to produce a tutorial / video showing end-to-end how to do this audit / filtering on the example of .cmd startup scripts and to even make sure that Terminal audit to event viewer is working - I'm not even sure that Group Policy had any effect on my Windows 11 Home as I could not find any events related to the Terminal in the general log. And even you yourself don't know how to achieve this :)

For the standard cmd.exe triggering Terminal, would Terminal have rights to the handle? If yes, at least it would be sufficient to have a logging option if it does have the permissions. If not - it could just log insufficient permissions?

Regarding IPC, an option could be to log to different files like ~/.terminal/terminal.log.YYYYMMDD.PID this would avoid any contention, right?

Regarding the ETW topic, should this be somehow elevated to the Windows team? This seems a quite generic problem, and maybe they have thought of a solution? Maybe Terminal could write to the Application topic?

@vadimkantorov commented on GitHub (Jul 19, 2023): > but they're a heck of a lot better than where we were 15 years ago I must say, I could not find how to do filtering and so Event Viewer failed with me. I very humbly ask you to ask internal experts to produce a tutorial / video showing end-to-end how to do this audit / filtering on the example of `.cmd` startup scripts and to even make sure that Terminal audit to event viewer is working - I'm not even sure that Group Policy had any effect on my Windows 11 Home as I could not find any events related to the Terminal in the general log. And even you yourself don't know how to achieve this :) <hr> For the standard `cmd.exe` triggering Terminal, would Terminal have rights to the handle? If yes, at least it would be sufficient to have a logging option if it does have the permissions. If not - it could just log insufficient permissions? Regarding IPC, an option could be to log to different files like `~/.terminal/terminal.log.YYYYMMDD.PID` this would avoid any contention, right? Regarding the ETW topic, should this be somehow elevated to the Windows team? This seems a quite generic problem, and maybe they have thought of a solution? Maybe Terminal could write to the `Application` topic?
claunia commented 2026-01-31 07:03:05 +00:00
Author
Owner
Copy Link

@vadimkantorov commented on GitHub (Oct 6, 2025):

Or maybe Windows could create an event topic for Terminal by itself? I.e. not have it created as part of installer, but as part of Windows / Windows update (given that Terminal is a quite core app). If it's empty and no Terminal app is present on a given system, it would likely not be hurting anyone likewise

@vadimkantorov commented on GitHub (Oct 6, 2025): Or maybe Windows could create an event topic for Terminal by itself? I.e. not have it created as part of installer, but as part of Windows / Windows update (given that Terminal is a quite core app). If it's empty and no Terminal app is present on a given system, it would likely not be hurting anyone likewise
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Reserved
A11yCO
A11yMAS
A11ySev1
A11ySev2
A11ySev3
A11yTTValidated
A11yUsable
A11yVoiceAccess
A11yWCAG
Area-Accessibility
Area-AtlasEngine
Area-AzureShell
Area-Build
Area-Build
Area-Chat
Area-CmdPal
Area-CodeHealth
Area-Commandline
Area-CookedRead
Area-DefApp
Area-Extensibility
Area-Fonts
Area-GroupPolicy
Area-i18n
Area-Input
Area-Interaction
Area-Interop
Area-Localization
Area-Output
Area-Performance
Area-Portable
Area-Quality
Area-Remoting
Area-Rendering
Area-Schema
Area-Server
Area-Settings
Area-SettingsUI
Area-ShellExtension
Area-ShellExtension
Area-ShellExtension
Area-Suggestions
Area-Suggestions
Area-TerminalConnection
Area-TerminalControl
Area-Theming
Area-UserInterface
Area-VT
Area-Windowing
Area-WPFControl
AutoMerge
Blocking-Ingestion
Culprit-Centennial
Culprit-WinUI
Disability-All
Disability-Blind
Disability-LowVision
Disability-Mobility
External-Blocked-WinUI3
Fixed
Gathering-Data
good first issue
HCL-E+D
HCL-WindowsTerminal
Help Wanted
Impact-Compatibility
Impact-Compliance
Impact-Correctness
Impact-Visual
In-PR
InclusionBacklog
InclusionBacklog-Windows TerminalWin32
InclusionCommitted-202206
Issue-Bug
Issue-Docs
Issue-Feature
Issue-Feature
Issue-Question
Issue-Samples
Issue-Scenario
Issue-Task
Needs-Attention
Needs-Author-Feedback
Needs-Bisect
Needs-Discussion
Needs-Repro
Needs-Tag-Fix
Needs-Tag-Fix
Needs-Triage
No-Recent-Activity
Priority-0
Priority-1
Priority-2
Priority-3
Product-Cmd.exe
Product-Colortool
Product-Colortool
Product-Colortool
Product-Conhost
Product-Conpty
Product-Meta
Product-Powershell
Product-Terminal
Product-WSL
pull-request
Mirrored from GitHub Pull Request
 Resolution-Answered
Resolution-By-Design
Resolution-Duplicate
Resolution-External
Resolution-Fix-Available
Resolution-Fix-Committed
Resolution-No-Repro
Resolution-Won't-Fix
Severity-Blocking
Severity-Crash
Severity-DataLoss
spam
this-will-be-a-breaking-change
Tracking-External
WindowsTerminal_Win32
Work-Item
zAskModeBug
zInbox-Bug
No Label Area-Server Issue-Feature Product-Terminal Resolution-Won't-Fix
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claunia
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/terminal#20086
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?