8 Replies Latest reply on Dec 27, 2012 9:50 AM by mlgroms

    Software Installs not logging in Event Viewer

    mlgroms

      OS - Windows 7 Professional (x64bit)

      I am trying to find if there are ways to set so that when any software has been installed, it will get recorded in the event viewer. For example....I was trying to install MS Word Viewer...it got recorded in that computer's event viewer (as MSI Installer under the Application event logs). But when I installed software like (Adobe Flash / Notepad++ / Google Chrome) it didn't record in the event viewer application logs. Are there any ways we can set that so that when anyone installs any software it will get recorded in the event viewer? Please let me know.....

        • Re: Software Installs not logging in Event Viewer
          qle

          Since the MS Word Viewer installation used MSI installer (maybe with the logging feature enabled by default), it makes sense that this installation was logged in the Event Viewer. There's no requirement for other software developers to use the same technology for their installation routines. Unfortunately, I don't believe LEM would be your best solution if this is your goal.

          • Re: Software Installs not logging in Event Viewer
            nicole pauls

            From my experience, I think anything that installs via MsiInstaller is going to get caught and logged, but things that have their OWN installers either need to log this stuff on their own or won't be caught in the Event Log.

             

            You could use process auditing and look for stuff like "setup.exe" or "install.exe" to catch a little bit more, but of course someone could rename or have a non-conventional name and fall through the cracks.

             

            If you're using software deployment tools, you could probably capture the data there, but that doesn't cover the case of a manual install.

             

            Anyone else have any advice/experience with logging software installations reliably? Speak up!

              • Re: Software Installs not logging in Event Viewer
                mlgroms

                Hi Nicole....my apologies as I didn't respond for some time...was looking for other options as well...when we install software..it's getting written to the registry location mentioned below -

                 

                HKLM/Software/Microsoft/WINDOWS/CurrentVersion/Uninstall

                and HKLM/Software/Wow6432Node/Microsoft/WINDOWS/CurrentVersion/Uninstall

                 

                Is there a way we can have that logged in the Event Viewer using scripting (either by using PowerShell or any other scripting language), so it gets alerted in LEM...any help or feedback please let me know....

                  • Re: Software Installs not logging in Event Viewer
                    nicole pauls

                    You might be able to use a combination of file/object auditing and registry permissions to get it to log to the Security Log. These articles are 2003/XP but should still apply: How to use Group Policy to audit registry keys and To Audit Activity on a Registry Key

                     

                    Note: You might also generate a fair amount of noise doing this, so I'd test on a few systems first. The alerts should come into LEM as either FileAudit or ObjectAudit.

                      • Re: Software Installs not logging in Event Viewer
                        mlgroms

                        Hi Nicole...thanks for letting me know about the links...yes I got quite a bit of noise..so I am looking into just getting the information from the regkeys mentioned above by running scripts in addition to the Task Scheduler. I am testing that on a system, if it worked, I can post the scripts....

                          • Re: Software Installs not logging in Event Viewer
                            nicole pauls

                            mlgroms wrote:

                             

                            Hi Nicole...thanks for letting me know about the links...yes I got quite a bit of noise..so I am looking into just getting the information from the regkeys mentioned above by running scripts in addition to the Task Scheduler. I am testing that on a system, if it worked, I can post the scripts....

                             

                            That would be awesome. Good luck!

                              • Re: Software Installs not logging in Event Viewer
                                mlgroms

                                Hi...took some time as I was working on a few other things as well. I got this script (using PowerShell) this far...idea was to get the output in count - while running the script once a day in a scheduled task (when a software is installed from that registry location) in a text file entry using PowerShell script...I am getting that in the text file and I am still working on getting the count entry to be logged to the Event Viewer...any ideas...or any changes that can be made...please let me know....

                                 

                                if (!([diagnostics.process]::GetCurrentProcess().Path -match '\\syswow64\\'))
                                {
                                    $uninstallPath = "\Software\Microsoft\Windows\CurrentVersion\Uninstall\"
                                    $uninstallWow6432Path = "\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\"
                                    @(
                                    if (Test-Path "HKLM:$uninstallWow6432Path" ) {Get-ChildItem "HKLM:$uninstallWow6432Path" -Recurse | Measure-Object | Out-File "C:\PS Output\Total6432.csv"}
                                    if (Test-Path "HKLM:$uninstallpath" ) {Get-ChildItem "HKLM:$UninstallPath" -Recurse | Measure-Object | Out-File "C:\PS Output\Total32.csv"}
                                    )
                                   
                                Write-EventLog -LogName Application -Source ApplicationInstall -EventId 1234 -EntryType Warning -Message "Application Installed" | Get-Content 'C:\PS Output\Total32.csv'
                                Write-EventLog -LogName Application -Source ApplicationInstall -EventId 1234 -EntryType Warning -Message "Application Installed" | Get-Content 'C:\PS Output\Total6432.csv'

                                }

                                  • Re: Software Installs not logging in Event Viewer
                                    mlgroms

                                    Finally....this code helped to log in the event logs...

                                     

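                                    # Run only from native (64-bit) PowerShell; under SysWOW64 the registry view is redirected.
                                    if (!([diagnostics.process]::GetCurrentProcess().Path -match '\\syswow64\\'))
                                    {
                                        $uninstallPath = "\Software\Microsoft\Windows\CurrentVersion\Uninstall\"
                                        $uninstallWow6432Path = "\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\"

                                        # Write-EventLog fails unless the source is registered (one-time, needs elevation).
                                        if (![System.Diagnostics.EventLog]::SourceExists("ApplicationInstall")) {New-EventLog -LogName Application -Source ApplicationInstall}

                                        # Count the subkeys under each Uninstall key and save the counts to text files.
                                        @(
                                        if (Test-Path "HKLM:$uninstallWow6432Path" ) {Get-ChildItem "HKLM:$uninstallWow6432Path" -Recurse | Measure-Object | Out-File "C:\PS Output\Total6432.csv"}
                                        if (Test-Path "HKLM:$uninstallPath" ) {Get-ChildItem "HKLM:$uninstallPath" -Recurse | Measure-Object | Out-File "C:\PS Output\Total32.csv"}
                                        )

                                        # Log one event per count file, with the saved count appended to the message.
                                        Write-EventLog -LogName Application -Source ApplicationInstall -EventId 1234 -EntryType Warning -Message ("Application Installed" + (Get-Content 'C:\PS Output\Total6432.csv'))
                                        Write-EventLog -LogName Application -Source ApplicationInstall -EventId 1234 -EntryType Warning -Message ("Application Installed" + (Get-Content 'C:\PS Output\Total32.csv'))
                                    }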
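
Added example, not part of the original thread or any poster's script: a baseline-and-diff variant of the scheduled-task approach above. It writes one event per new or changed Uninstall entry (name, version, publisher) instead of a raw count, so a SIEM rule can key on the product. The baseline file name is an assumption; the folder, event source and event ID are the ones used in the thread, and the script assumes 64-bit PowerShell so both registry views are visible.

```powershell
# Added example. Baseline file name is an assumption; run from 64-bit PowerShell.
$baseline = 'C:\PS Output\InstalledBaseline.csv'   # hypothetical state file
$source   = 'ApplicationInstall'                   # event source name used in the thread
$eventId  = 1234                                   # event ID used in the thread
$roots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Return one object per Uninstall subkey that has a DisplayName.
function Get-InstalledSoftware {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName) {
                New-Object PSObject -Property @{
                    Key       = $_.Name            # full registry path, unique per view
                    Name      = $p.DisplayName
                    Version   = $p.DisplayVersion
                    Publisher = $p.Publisher
                }
            }
        }
    }
}

# Register the event source once (requires elevation).
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Load the previous run's entries, keyed on registry path plus version.
$firstRun = -not (Test-Path $baseline)
$seen = @{}
if (-not $firstRun) {
    Import-Csv $baseline | ForEach-Object { $seen["$($_.Key)|$($_.Version)"] = $true }
}

$current = @(Get-InstalledSoftware)
foreach ($app in $current) {
    # Log only entries that are new or whose version changed; stay quiet on the first run.
    if (-not $firstRun -and -not $seen.ContainsKey("$($app.Key)|$($app.Version)")) {
        $msg = "Application installed or updated: {0} {1} ({2}) [{3}]" -f $app.Name, $app.Version, $app.Publisher, $app.Key
        Write-EventLog -LogName Application -Source $source -EventId $eventId -EntryType Information -Message $msg
    }
}

# Save the current state as the baseline for the next scheduled run.
$current | Select-Object Key, Name, Version, Publisher | Export-Csv $baseline -NoTypeInformation
```

This only covers the two HKLM keys named in the thread; installers that register per-user write under HKCU and will not appear here.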