Image may be NSFW.
Clik here to view.
Have you enabled this?
It basically logs all command lines launched to the security event log under ID 4688.
To enable it you first need to deploy update KB3004375 to support Windows 7 devices then enable the following group policies:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Image may be NSFW.
Clik here to view.
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Configuration\Detailed Tracking\Audit Process Creation
Image may be NSFW.
Clik here to view.
Administrative Templates\System\Audit Process Creation\Include command line in process creation events
Image may be NSFW.
Clik here to view.
I'm sure this will be useful