
Software Installs not logging in Event Viewer

FormerMember

OS - Windows 7 Professional (x64bit)

I am trying to find out if there are ways to set things up so that when any software is installed, it gets recorded in the Event Viewer. For example, I was trying to install MS Word Viewer, and it got recorded in that computer's Event Viewer (as MSI Installer under the Application event logs). But when I installed software like Adobe Flash, Notepad++ or Google Chrome, it didn't get recorded in the Event Viewer application logs. Are there any ways we can set that up so that when anyone installs any software it will get recorded in the Event Viewer? Pls let me know.

  • Since the MS Word Viewer installation used MSI installer (maybe with the logging feature enabled by default), it makes sense that this installation was logged in the Event Viewer. There's no requirement for other software developers to use the same technology for their installation routines. Unfortunately, I don't believe LEM would be your best solution if this is your goal.

  • FormerMember
    0 FormerMember

    From my experience, I think anything that installs via MsiInstaller is going to get caught and logged, but things that have their OWN installers either need to log this stuff on their own or won't be caught in the Event Log.

    You could use process auditing and look for stuff like "setup.exe" or "install.exe" to catch a little bit more, but of course someone could rename or have a non-conventional name and fall through the cracks.

    If you're using software deployment tools, you could probably capture the data there, but that doesn't cover the case of a manual install.

    Anyone else have any advice/experience with logging software installations reliably? Speak up!

  • FormerMember
    0 FormerMember in reply to FormerMember

    Hi Nicole, my apologies as I didn't respond for some time. I was looking for other options as well. When we install software, it's getting written to the registry location mentioned below -

    HKLM/Software/Microsoft/WINDOWS/CurrentVersion/Uninstall

    and HKLM/Software/Wow6432Node/Microsoft/WINDOWS/CurrentVersion/Uninstall

    Is there a way we can have that logged in the Event Viewer using scripting (either PowerShell or any other scripting language), so it gets alerted in LEM? Any help or feedback, please let me know.

  • FormerMember
    0 FormerMember in reply to FormerMember

    You might be able to use a combination of file/object auditing and registry permissions to get it to log to the Security Log. These articles are 2003/XP but should still apply: How to use Group Policy to audit registry keys and To Audit Activity on a Registry Key

    Note: You might also generate a fair amount of noise doing this, so I'd test on a few systems first. The alerts should come into LEM as either FileAudit or ObjectAudit.

  • FormerMember
    0 FormerMember in reply to FormerMember

    Hi Nicole, thanks for letting me know about the links. Yes, I got quite a bit of noise, so I am looking into just getting the information from the reg keys mentioned above by running scripts in addition to the Task Scheduler. I am testing that in a system; if it works, I can post the scripts.

  • FormerMember
    0 FormerMember in reply to FormerMember

    mlgroms wrote:

    Hi Nicole, thanks for letting me know about the links. Yes, I got quite a bit of noise, so I am looking into just getting the information from the reg keys mentioned above by running scripts in addition to the Task Scheduler. I am testing that in a system; if it works, I can post the scripts.

    That would be awesome. Good luck!

  • FormerMember
    0 FormerMember in reply to FormerMember

    Hi, this took some time as I was working on a few other things as well. I got this script (using PowerShell) this far. The idea was to get the output as a count, written to a text file by the PowerShell script, while running the script once a day in a scheduled task (when software is installed from that registry location). I am getting that in the text file and I am still working on getting the count entry logged to the Event Viewer. Any ideas, or any changes that can be made, pls let me know.

    if (!([diagnostics.process]::GetCurrentProcess().Path -match '\\syswow64\\'))
    {
        $uninstallPath = "\Software\Microsoft\Windows\CurrentVersion\Uninstall\"
        $uninstallWow6432Path = "\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\"
        @(
            if (Test-Path "HKLM:$uninstallWow6432Path" ) {Get-ChildItem "HKLM:$uninstallWow6432Path" -Recurse | Measure-Object | Out-File "C:\PS Output\Total6432.csv"}
            if (Test-Path "HKLM:$uninstallpath" ) {Get-ChildItem "HKLM:$UninstallPath" -Recurse | Measure-Object | Out-File "C:\PS Output\Total32.csv"}
        )

        Write-EventLog -LogName Application -Source ApplicationInstall -EventId 1234 -EntryType Warning -Message "Application Installed" | Get-Content 'C:\PS Output\Total32.csv'
        Write-EventLog -LogName Application -Source ApplicationInstall -EventId 1234 -EntryType Warning -Message "Application Installed" | Get-Content 'C:\PS Output\Total6432.csv'
    }

  • FormerMember
    0 FormerMember in reply to FormerMember

    Finally....this code helped to log in the event logs...

    # Run only from 64-bit PowerShell; a 32-bit (SysWOW64) process sees a redirected registry view.
    if (!([diagnostics.process]::GetCurrentProcess().Path -match '\\syswow64\\'))
    {
        $uninstallPath = "\Software\Microsoft\Windows\CurrentVersion\Uninstall\"
        $uninstallWow6432Path = "\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\"

        # Count the subkeys under each Uninstall key and save the counts to text files.
        @(
            if (Test-Path "HKLM:$uninstallWow6432Path" ) {Get-ChildItem "HKLM:$uninstallWow6432Path" -Recurse | Measure-Object | Out-File "C:\PS Output\Total6432.csv"}
            if (Test-Path "HKLM:$uninstallpath" ) {Get-ChildItem "HKLM:$UninstallPath" -Recurse | Measure-Object | Out-File "C:\PS Output\Total32.csv"}
        )

        # Write one event per registry view with the saved count appended to the message.
        # The ApplicationInstall source must already be registered (New-EventLog) or Write-EventLog fails.
        Write-EventLog -LogName Application -Source ApplicationInstall -EventId 1234 -EntryType Warning -Message ("Application Installed" + (Get-Content 'C:\PS Output\Total6432.csv'))
        Write-EventLog -LogName Application -Source ApplicationInstall -EventId 1234 -EntryType Warning -Message ("Application Installed" + (Get-Content 'C:\PS Output\Total32.csv'))
    }
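
A variation on the scheduled-task approach in this thread that logs which product appeared or disappeared instead of a raw subkey count. This is an added example, not code from any participant; the state file name and event IDs 1001/1002 are assumptions, and it reuses the thread's `ApplicationInstall` source and `C:\PS Output` folder, which must already exist.

```powershell
# Added example. Assumed names: the state file path and event IDs 1001/1002.
# Run elevated from 64-bit PowerShell so both registry views are visible.
$source    = 'ApplicationInstall'                   # source name used in the thread
$stateFile = 'C:\PS Output\InstalledSoftware.txt'   # hypothetical snapshot file
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Write-EventLog fails for an unregistered source, so register it on first run.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Current inventory as "Name | Version | Publisher" strings; subkeys without
# a DisplayName (updates, components) are skipped.
$current = @(
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { '{0} | {1} | {2}' -f $_.DisplayName, $_.DisplayVersion, $_.Publisher } |
        Sort-Object -Unique
)

if (Test-Path -Path $stateFile) {
    $previous = @(Get-Content -Path $stateFile -Encoding UTF8)

    # Entries only in the new snapshot were installed (or upgraded);
    # entries only in the old snapshot were removed.
    $added   = @($current  | Where-Object { $previous -notcontains $_ })
    $removed = @($previous | Where-Object { $current  -notcontains $_ })

    foreach ($item in $added) {
        Write-EventLog -LogName Application -Source $source -EventId 1001 `
            -EntryType Information -Message "Software installed: $item"
    }
    foreach ($item in $removed) {
        Write-EventLog -LogName Application -Source $source -EventId 1002 `
            -EntryType Information -Message "Software removed: $item"
    }
}

# Save the snapshot for the next run. The first run only records a baseline
# and writes no events.
Set-Content -Path $stateFile -Value $current -Encoding UTF8
```

An upgrade shows up as one removed and one installed event because the version string is part of the compared line. Installers that register only under the per-user HKCU Uninstall key are not covered by these two HKLM keys.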