Edit local policy and enable "Audit Process Tracking" (secpol.msc)
Install KB3004375 and reboot https://support.microsoft.com/en-us/kb/3004375
Enable Audit Process Creation/Include CLI (gpedit.msc)
If you're using Win7 Home instead of Professional, you won't have gpedit.msc. Use regedit to go to HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit. Set key ProcessCreationIncludeCmdLine_Enabled = 1
Run the program that launches FFmpeg
Review the security event log for event ID 4688
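
The same procedure scripted in PowerShell, as an added example that is not part of the original steps: it enables the audit setting, writes the registry value named above, and pulls the command line out of each matching 4688 event. Assumptions: an elevated prompt, KB3004375 already installed, an English-language system (auditpol subcategory names are localized), and the hypothetical function name `Get-ProcessCreationEvent` with a default name filter of `ffmpeg`.

```powershell
# Added example. Run from an elevated PowerShell prompt (works on PowerShell 2.0+).

# Turn on success auditing for process creation (what the secpol.msc step does).
auditpol.exe /set /subcategory:"Process Creation" /success:enable

# Include the command line in event 4688 (the value named in the steps above).
$key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Hypothetical helper: return 4688 events whose image path matches a pattern.
function Get-ProcessCreationEvent {
    param(
        [string]$NamePattern = 'ffmpeg',               # assumed filter, adjust as needed
        [datetime]$Since = (Get-Date).AddHours(-1)     # only look at recent events
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # EventData fields are named in the event XML; index them by name.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['NewProcessName'] -match $NamePattern) {
            New-Object PSObject -Property @{
                TimeCreated = $evt.TimeCreated
                User        = $data['SubjectUserName']
                ProcessId   = $data['NewProcessId']
                Image       = $data['NewProcessName']
                CommandLine = $data['CommandLine']   # empty if the policy was off at launch
            }
        }
    }
}

# After running the program that launches FFmpeg, list what was recorded.
Get-ProcessCreationEvent | Sort-Object TimeCreated |
    Format-List TimeCreated, User, ProcessId, Image, CommandLine
```

Only processes started after the settings take effect are logged with a command line, so run the launcher again before querying.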