2 of 2 people found this helpful
Thank you KMSigma for your due diligence in both identifying these events, as well as offering suggestions for improvement . We are aware that queries to the Win32_Product class are not query optimized which is partly why we will only be polling asset inventory information once a day. When we first encountered these messages in the Event Log we thoroughly investigated this issue and determined that querying this class is perfectly safe. Nothing is being installed/reinstalled/etc unless the installation was corrupted anyway, which would occur on it's own when the next time the application launched thanks to MSI Self Healing.
A quick checksum is done on the original installer the same as when you open "Programs & Features" under "Settings" in Windows Server 2008 and later. This is why the list sometimes takes a minute or two to fully populate. This same process occurs when the Win32_Product class is queried.
Microsoft recommends avoiding its use during operations such as login scripts, group policy filters, or continuous monitoring products like patch management, vulnerability assessment, and computer posturing/NAC, as this process takes up to a minute to return results on slower/older machines with many products installed.
While I understand your concerns with such an ominous message stating that it might repair or even re-install a package as a result this query. However, this same WMI class is the industries de facto standard, used by virtually every product that collects installed software information via WMI.
We do however plan to investigate alternative methods for collecting this information or allowing software inventory to be disabled entirely.
Thanks for the thorough response, aLTeReGo. We were seeing the Event ID's and people here got spooked. I'm not 100% sure if it's actually going to be an issue, but we opened a case (#473616) just in case. Since that time we've not been polling using our development server. If this turns out to be an informational event and won't cause problems, I'll just need to make sure that the other teams are aware that it is safe to ignore.
While this information is useful, and adheres to existing standards, the standards themselves could use updating. Microsoft has a very useful article, revised just this year, that advises use of Win32_AddRemovePrograms as a less intrusive class to use for this query than Win32_Product. See support.microsoft.com/en-us/help/974524/event-log-message-indicates-that-the-windows-installer-reconfigured-al for more information.