You can use Application and Device Control. For example, to log launching processes from %APPDATA% and %TEMP%, create an ADC ruleset. First, create a rule with the asterisk "*" as process:
Then a "Launch Process Attempts" condition with %APPDATA%\* and %TEMP%\*:
It's also possible to write %APPDATA\*\* to cover all nested subfolders below %APPDATA% as well.
Under "Actions", allow and log execution:
To log file creation in %APPDATA%, use the "File and Folder Access Attempts" condition instead of "Launch Process Attempts".
HTH!