Which Sneaky User Installed That Risky Software on Your Windows Server?
Tracking software installations and removals becomes critical when managing multiple Windows systems. I'll show you exactly how to identify which user performed these actions using built-in Windows tools.
Why Track Software Changes?
In enterprise environments, unauthorized software installations can create security risks. Compliance requirements often demand detailed audit trails. When problems arise, knowing who installed or removed specific programs helps with troubleshooting and accountability.
Using Windows Event Viewer
Windows automatically logs software installation activities through the MsiInstaller service. This service handles MSI packages and creates detailed event records.
Step-by-step process:
- Press Windows + R and type eventvwr.msc to open Event Viewer
- Navigate to Windows Logs > Application
- Right-click the Application log and select Filter Current Log
- Choose MsiInstaller as the event source
- Click OK to apply the filter
Key Event IDs to monitor:
- Event ID 11707: Successful software installation
- Event ID 11724: Successful software removal
Each event entry shows the program name, timestamp, and the user account that performed the action.
Finding the Specific User
The event properties contain crucial user information. Here's how to extract it:
- Double-click any installation or removal event
- Go to the Details tab
- Switch to XML view
- Look for the Security UserID attribute containing the user's SID
To convert the SID to a readable username, use this command:
wmic useraccount where sid='YOUR-SID-HERE' get name
Replace 'YOUR-SID-HERE' with the actual SID from the event.
PowerShell Method for Advanced Tracking
PowerShell offers more flexible searching capabilities. This command retrieves all installation and removal events:
Get-WinEvent -FilterHashtable @{LogName="Application";ID=11707,11724;ProviderName='MsiInstaller'} | Select TimeCreated,Message
For tracking specific software, modify the command to filter by program name:
Get-WinEvent -FilterHashtable @{LogName="Application"; ID=11707,11724; ProviderName='MsiInstaller'} |
    Where-Object { $_.Message -like '*ProgramName*' } |
    Select-Object TimeCreated,
        @{Name='Username'; Expression={ if ($_.UserId) { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value } }},
        Message
Replace 'ProgramName' with the product you are looking for. The UserId property of each event is already a SecurityIdentifier object, so it can be translated to an account name directly; the null check keeps the command from failing on events that carry no SID.
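The two sections above (reading the Security UserID from the event XML, then querying and translating it from PowerShell) combine into one reusable function. The following is an added example, not code from the original article: the function name Get-MsiChangeReport, its parameters and the '*ProgramName*' wildcard are assumptions made here. It resolves the SID with .NET instead of wmic (which is deprecated in current Windows releases) and keeps the raw SID when an account can no longer be resolved.

```powershell
# Added example (not from the original article): list Windows Installer installs
# and removals with the responsible account resolved from the event's SID.
# Assumes Windows PowerShell 5.1 or later, run as an administrator so the
# Application log is readable in full.

function Get-MsiChangeReport {
    param(
        [int]$Days = 30,
        [string]$ProductFilter = '*'   # wildcard matched against the product name
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707, 11724
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The event XML carries the SID in <Security UserID="S-1-5-..."/>;
        # $_.UserId exposes the same value as a SecurityIdentifier object.
        $xml = [xml]$_.ToXml()
        $sid = $xml.Event.System.Security.UserID

        $account = $null
        if ($sid) {
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                # Unresolvable SID (deleted account, untrusted domain): keep the raw SID
                $account = $sid
            }
        }

        # Message text reads "Product: <name> -- Installation completed successfully."
        # (or "-- Removal completed successfully."); fall back to the whole message.
        $product = if ($_.Message -match 'Product:\s*(.+?)\s*--') { $Matches[1] } else { $_.Message }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Action  = if ($_.Id -eq 11707) { 'Install' } else { 'Removal' }
            Product = $product
            Sid     = $sid
            Account = $account
        }
    } | Where-Object { $_.Product -like $ProductFilter }
}

# Usage: everything from the last 90 days, then only products matching a name
Get-MsiChangeReport -Days 90 | Format-Table -AutoSize
Get-MsiChangeReport -Days 90 -ProductFilter '*ProgramName*' | Format-Table -AutoSize
```

An account of S-1-5-18 (NT AUTHORITY\SYSTEM) usually means the package was deployed by a management agent or a scheduled task rather than by an interactive user; in that case the Security log process-creation trail is the better place to find the originating account.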
Alternative: Reliability Monitor
Windows includes a user-friendly tool called Reliability Monitor that displays software changes graphically:
- Open Control Panel > Security and Maintenance
- Click View reliability history in the Maintenance section
- Or run perfmon /rel directly
This tool shows installation and removal events over time, including Windows Store apps and system updates.
Important Limitations
Not all software uses the Windows Installer service. Programs installed through any of the following won't appear in MsiInstaller logs:
- Portable executables
- Custom installers
- Direct file copying
- Some third-party package managers
You'll need additional monitoring tools for comprehensive coverage.
Security Event Log Alternative
For more detailed user tracking, check Event ID 592 in the Security log. This event provides additional user account information during installation and removal processes.
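Event ID 592 is the process-creation event of the pre-Vista Security log; on current Windows the same record is Event ID 4688, and it is only written once "Process Creation" auditing is enabled. The following added example (not from the original article; the function name, the installer-name heuristic and the time window are assumptions) reads 4688 events and keeps those that launched an installer, so the subject account can be compared with the SID in the MsiInstaller event.

```powershell
# Added example (not from the original article): correlate installer activity with
# process-creation auditing in the Security log. Event ID 592 is the pre-Vista
# process-creation event; on current Windows it is Event ID 4688, which only
# appears after "Process Creation" auditing is enabled, e.g. from an elevated prompt:
#   auditpol /set /subcategory:"Process Creation" /success:enable
# Reading the Security log requires administrative rights.

function Get-InstallerProcessStarts {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named fields out of <EventData> instead of regexing the message text
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        # msiexec.exe is the Windows Installer engine; the setup/install names are a
        # loose heuristic (assumed here) that will need tuning for your estate.
        if ($data.NewProcessName -match '\\(msiexec|setup|install[^\\]*)\.exe$') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process     = $data.NewProcessName
                Parent      = $data.ParentProcessName   # present on Windows 10 / Server 2016 and later
                CommandLine = $data.CommandLine         # empty unless command-line auditing is also enabled
            }
        }
    }
}

Get-InstallerProcessStarts -Hours 48 | Format-Table -AutoSize
```

Expect two msiexec.exe rows per MSI install: the one the user launched (Account is the user, Parent is explorer.exe or a shell) and the service-side copy spawned under services.exe as SYSTEM. The first is the one that answers "who".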
Best Practices for Monitoring
Regular monitoring helps maintain system security:
- Set up automated alerts for unauthorized installations
- Review logs weekly in high-security environments
- Document approved software lists
- Train users on installation policies
- Consider group policy restrictions for software installation
Increase log retention for better tracking:
Windows event logs have size limits. Increase the maximum log size in Event Viewer properties to retain more historical data.
Troubleshooting Common Issues
If events don't appear, verify:
- The software used MSI installer technology
- Event logging services are running
- You have administrative privileges
- Log files aren't corrupted or full
Some enterprise software uses custom deployment methods that bypass standard Windows logging mechanisms.
This comprehensive approach gives you multiple methods to track software changes on Windows systems. The Event Viewer method works for most standard installations, while PowerShell provides advanced filtering capabilities. Reliability Monitor offers the most user-friendly interface for casual monitoring needs.