Logon events record the process attempting logon. Enable failed logon auditing (Security Settings > Local Policies > Audit Policy > Audit Logon Events) in the Local Security Policy (secpol.msc) then look in the security event log for an event. You can also enable it via Group Policy, if that would be preferable.
There will be a Process Information section which records both the executable path and process ID.
Example:
Process Information:
Process ID: 0x2a4
Process Name: C:\Windows\System32\services.exe