Thursday, January 31, 2013

EventViewer - Find Application Information on Machine

It is good to know about events in the Event Viewer. Today I learnt about these events, so I am writing this post.

I used to believe that only registry entries would tell the user or administrator about the installation and uninstallation of software on a machine, so it was an overwhelming moment for me when I learnt about these events.

After that, I dug deeper into the Event Viewer and found something interesting about it.

If you want to track the details of applications installed on and removed from a computer, here is the information for you ;)

Good to know before "SOMEONE" catches you :P

In these days of malware, spyware, and compliance regulations, a lot of admins are looking to track the installation of unauthorized programs and/or the removal of required programs from client desktops. There are several events you can look for in both the Application Event Log and the Security Event Log that will help you do this.

In the Application log, setup packages that use the Windows Installer to install themselves will create numerous events, all with an event source of MsiInstaller.

Event ID 11707 tells you when an install completes successfully, and also which user executed the install package.

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11707
Date: 11/9/2006
Time: 3:21:45 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
Product: Event Archiver Enterprise -- Installation operation completed successfully.

Event ID 11724 tells you when a software package is removed successfully, again logging the user behind the operation.

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11724
Date: 11/12/2007
Time: 7:50:13 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
Product: Event Archiver Enterprise -- Removal completed successfully.

You can track both of these events in our Event Analyst software by setting up appropriate filters and building a custom report.

Event ID 592
Also, if you want to correlate the name of the executable setup package that was run to install a piece of software, turn on Process Tracking auditing in the relevant Group Policy Object for one or more computers (e.g. Domain Security Policy, Local Security Policy), and look for events with Event ID 592 in the Security log that occur around the time of the 11707 event in the Application log, e.g.

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 11/9/2006
Time: 3:20:30 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
A new process has been created:
New Process ID: 2816
Image File Name: \EvntArch.exe
Creator Process ID: 516
User Name: USER
Domain: DOMAIN
Logon ID: (0x0,0x3E7)
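The correlation described above, as an added PowerShell example that is not part of the original post or of Event Analyst: it pulls the MsiInstaller 11707/11724 events and lists the processes created within a window around each one. It assumes an elevated session with process-creation auditing enabled on Windows Vista or later, where the process-creation event is 4688 (592 is the pre-Vista ID shown above); the $WindowSeconds default is an assumed value.

```powershell
# Added example, not code from the original post: correlate MsiInstaller
# install/removal events with Security process-creation events.
# Assumes: run as administrator (Security log), Audit Process Creation enabled,
# Vista+ (event 4688; the post's 592 is the pre-Vista equivalent).
param(
    [int]$Days = 30,
    [int]$WindowSeconds = 120   # assumed correlation window around each MSI event
)

$since = (Get-Date).AddDays(-$Days)

# 11707 = installation completed, 11724 = removal completed (source MsiInstaller)
$msi = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 11707, 11724
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $msi) { Write-Host "No MsiInstaller install/removal events since $since"; return }

# 4688 = "A new process has been created" (Security log, Detailed Tracking)
$proc = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $msi) {
    $action = if ($e.Id -eq 11707) { 'INSTALL' } else { 'REMOVE' }
    # Message reads "Product: <name> -- Installation operation completed successfully."
    $product = ($e.Message -replace '^Product:\s*', '') -replace '\s*--.*$', ''
    $lo = $e.TimeCreated.AddSeconds(-$WindowSeconds)
    $hi = $e.TimeCreated.AddSeconds($WindowSeconds)

    # Processes created inside the window; Properties[5] of 4688 is NewProcessName
    $created = $proc |
        Where-Object { $_.TimeCreated -ge $lo -and $_.TimeCreated -le $hi } |
        ForEach-Object { $_.Properties[5].Value } | Sort-Object -Unique

    [pscustomobject]@{
        Time      = $e.TimeCreated
        Action    = $action
        Product   = $product
        User      = $e.UserId          # SID of the account that ran the package
        Processes = ($created -join '; ')
    }
}
```

Pipe the output to Format-Table or Export-Csv to build the same kind of report the post describes; an install whose window contains an unexpected setup executable is the row worth investigating.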

Event Analyst also has a built-in Process Usage report that is very useful for viewing all of the executable files that were loaded and unloaded on one or more systems for a given time frame. It automatically determines the executable files that are run the most frequently for any given user.

Following this, in my next post I will be writing about deleting the installation details from the Event Viewer.