Have you enabled this?
It basically logs the command line of every process launched to the Security event log under event ID 4688.
To enable it, you first need to deploy update KB3004375 to support Windows 7 devices, then enable the following group policies:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Configuration\Detailed Tracking\Audit Process Creation
Administrative Templates\System\Audit Process Creation\Include command line in process creation events
I'm sure this will be useful.
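
A way to confirm on a host that the policies above took effect, as an added example that is not part of the original post. It assumes an elevated PowerShell prompt and an English-language `auditpol` subcategory name; the registry value checked is the one written by the "Include command line in process creation events" policy.

```powershell
# Added example: verify command-line process auditing end to end on this host.
# Assumptions: elevated prompt, English subcategory name for auditpol.

# 1. Value set by "Include command line in process creation events".
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$name = 'ProcessCreationIncludeCmdLine_Enabled'
$val  = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$cmdLinePolicy = ($val -eq 1)

# 2. Effective setting of the "Process Creation" audit subcategory (CSV via /r).
$audit = auditpol /get /subcategory:"Process Creation" /r |
    Where-Object { $_ } | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
$successAudited = ($setting -like '*Success*')

# 3. Read recent 4688 events and pull the fields of interest from the event XML.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        User        = $data['SubjectUserName']
        Process     = $data['NewProcessName']
        CommandLine = $data['CommandLine']   # empty or absent if not captured
    }
}
$withCmdLine = @($rows | Where-Object { $_.CommandLine }).Count

# 4. Summary: all three should be positive on a correctly configured machine.
New-Object PSObject -Property @{
    CmdLinePolicyEnabled   = $cmdLinePolicy
    ProcessCreationAudit   = $setting
    SuccessAudited         = $successAudited
    Recent4688Events       = @($rows).Count
    Recent4688WithCmdLine  = $withCmdLine
} | Format-List

# Show the captured command lines for a quick sanity check.
$rows | Select-Object Time, User, Process, CommandLine | Format-Table -AutoSize -Wrap
```

If events are present but `Recent4688WithCmdLine` is 0, auditing is on while the command-line setting (or the Windows 7 update) has not applied. Captured command lines can include secrets passed as arguments, so keep read access to the Security log restricted.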