If your version of Windows allows you to run Local Security Policy or Local Group Policy editor, you can enable advanced audit logging of process start and stop in the system, and the next time it occurs, look in the Security event log to see what process was launched.
To do this, run Local Security Policy editor (in "Control Panel"->"Administrative Tools") as Administrator (right-click on its icon and select "Run as Administrator"), and expand the left-hand tree "Advanced Audit Policy Configuration"->"System Audit Policies"->"Detailed Tracking". Select "Detailed Tracking", and on the right-hand side, double-click on "Audit Process Creation" to bring up the properties dialog. Tick "Configure the following audit events:", and "Success", then click on [OK] to save the setting. It should take effect immediately.
The next time the window appears briefly, record the system time (not the time on the clock on the wall), run Event Viewer (in "Control Panel"->"Administrative Tools") as Administrator (see above) and expand "Windows Logs" to select "Security". You should see a number of events; you're interested in the ones with Task Category "Process Creation" with Event ID 4688, at about the time that you recorded. You'll probably see a few events; look at the General tab in the details. You're interested in the Process Information bit, specifically the New Process ID
, New Process Name
, Creator Process ID
and Creator Process Name
. There should be a "C:\Windows\System32\conhost.exe" process, which is the Command Prompt window that you see. Its Creator Process Name
value will tell you how it was launched. Look at the following events to find one whose Creator Process ID
is the same as the conhost's New Process ID
. That's the program that actually ran in the Command Prompt.
Hope that helps.