Simple WNF monitor using callback to display WNF_SHEL_APPLICATION_STARTED messages. Uncoment #define fullset (line 25) to monitor WNF_SHEL_DESKTOP_APPLICATION_STARTED, WNF_SHEL_DESKTOP_APPLICATION_TERMINATED, and WNF_SHEL_APPLICATION_TERMINATED as well.
Not sure if it is really useful, but I wanted to observe paths reported, as their format with well-known-folders GUIDs looked a bit strange for me. And now I am just sharing.
No special privileges required.
More about Windows Notification Facility: https://www.youtube.com/watch?v=MybmgE95weo - great session from BlackHat 2018, by Gabrielle Viala and Alex Ionescu.