Commenter "HelpingHand" states "add the cols, "Elevated" and "UAC Virtualization". What is Elevated state of Explorer,the parent process of the cmd. Is that "Elevated=No", "UAC Virtualization-disabled"? Maybe focus on the parent proc rather than the child. I would also launch the cmd.exe with Process Monitor running. Confirm, In the Tree view, it is the child of the checked Explorer.exe process above and check the CreateProcess operation by Explorer.exe to launch cmd. Specifically the stack that is calling CreateProcess. It would be good to check there are no third party modules. Maybe paste a screenshot."
Windows 7 doesn't have an "Elevated" column! The Elevated column is specific to Windows 10(and maybe Win8 but who cares re Win8). In Win10 the columns are tab specific and it's associated with the details tab of Win10. In Win7 the columns aren't tab specific and there is no "Elevated" column.
Also you mention Process Monitor, great program, but I think when you mean a tree, you mean Process Explorer. Process monitor won't show a tree of processes. Process explorer will. Both programs are great programs by sysinternals/ Mark Russinovich, now available from MS. Where you mention an operation, (like filtering by operation), then you mean Process Monitor. There isn't a CreateProcess that I can see though there is a ThreadCreate
Looking at a fairly fresh, regular Windows 7 system that doesn't have the issue. Process explorer shows that the cmd.exe process is a child of the explorer.exe process it shows under "Explorer", and double clicking it it says the parent is the/an explorer.exe instance. Looking at various processes, some have UAC Virtualization set to Allowed, some to Disabled. Explorer has it set to Disabled. cmd has it set to Disabled.
Looking at the windows 7 system in question, looking at process explorer, I see two explorer processes. cmd isn't showing under either of them. But if I double click cmd then it says explorer.exe is the parent process. Looking at Task manager, no processes have UAC set to disabled. Explorer has it set to "Not Allowed", and cmd has it set to "Not allowed". Of the two explorer processes, one has a command line with "/factory....", the other is just a regular call to explorer.exe. Process Explorer shows the PPID(parent process ID/PPID) of cmd.exe and it matches to the instance of explorer.exe that is just called normally.
As for the process monitor info looking at the operation ThreadCreate, and the stack tab, here is a paste.
![enter image description here](https://cdn.statically.io/img/i.sstatic.net/6sWLA.png)
You mention to consider if there is a third party module there. I do not see any third party module/dll or exe there.