Table of Contents
- Which User Secretly Installed That Annoying Program on Your Windows Server?
- Why You Need to Track Software Changes
- The Simple Way to Find Installation Records
- Step-by-Step Process I Use
- Step 1: Filter the Events
- Step 2: Find the User Information
- Step 3: Get the Real User Name
- The PowerShell Shortcut I Love
- What About Specific Programs?
- Important Things to Remember
- Making Sure You Don't Miss Anything
Which User Secretly Installed That Annoying Program on Your Windows Server?
I'll help you track down who's been installing or removing programs on your Windows computers. This is something I deal with all the time in my work, and I know how frustrating it can be when you need answers fast.
Why You Need to Track Software Changes
When I'm managing multiple Windows servers, I often face this exact problem. Someone installs or removes software, and I need to know who did it. Maybe it's for security reasons. Maybe someone removed something important. Or maybe you just need to follow company rules about software changes.
The good news? Windows keeps a detailed record of these installs and removals. You just need to know where to look.
The Simple Way to Find Installation Records
Windows Installer writes an event to the Application log every time someone installs or removes a program packaged as an MSI file. Think of these like digital fingerprints that tell you exactly what happened.
Here's what I do first:
I open Event Viewer by typing eventvwr.msc in the Run box. Then I go to Windows Logs and click on Application. This is where Windows stores all the software installation records.
The two event IDs I look for are:
- 11707 - "Installation completed successfully": someone installed a program
- 11724 - "Removal completed successfully": someone removed a program
Step-by-Step Process I Use
Step 1: Filter the Events
I right-click on the Application log and choose "Filter current log." Then I select MsiInstaller as the event source. This shows me only the software installation and removal events.
Step 2: Find the User Information
When I see an event that interests me, I click on it. The event description shows me what program was involved. For example, I might see something like "Product: 7-Zip 24.09 (x64 edition) -- Installation completed successfully".
But here's the tricky part. To find out WHO did this, I need to dig deeper.
Step 3: Get the Real User Name
I click on the Details tab in the event properties, then switch to XML view. Under the System node there is an element that looks like <Security UserID="S-1-5-21-..."/>. That UserID value is a SID, a long string of numbers and letters that identifies the account.
To turn this SID into a real person's name, I use this command (wmic is deprecated on current Windows releases; on a machine where it is no longer available, the PowerShell command in the next section does the same translation):
wmic useraccount where sid='[paste the SID here]' get name
This gives me the actual username of the person who installed or removed the software.
The PowerShell Shortcut I Love
When I need to check multiple events quickly, I use PowerShell. This command shows me all installation and removal events with the actual usernames:
Get-WinEvent -FilterHashtable @{LogName="Application"; ID=11707,11724; ProviderName='MsiInstaller'} | Select TimeCreated, @{Name='Username'; Expression={(New-Object System.Security.Principal.SecurityIdentifier($_.userid)).Translate([System.Security.Principal.NTAccount]).Value}}, Message
This script does the hard work for me. It finds all the events and converts those confusing SID numbers into real usernames automatically.
What About Specific Programs?
Sometimes I need to track just one program. Let's say I want to see who's been messing with Zabbix Agent. I modify the PowerShell command like this:
Get-WinEvent -FilterHashtable @{LogName="Application"; ID=11707,11724; ProviderName='MsiInstaller'} | Where-Object { $_.Message -like '*Zabbix*' } | Select TimeCreated, @{Name='Username'; Expression={(New-Object System.Security.Principal.SecurityIdentifier($_.userid)).Translate([System.Security.Principal.NTAccount]).Value}}, Message
This shows me only events related to Zabbix, along with who did what and when.
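The two one-liners above can be folded into a single reusable function. The following is an added example, not code from the original post: the function name Get-MsiChangeHistory and its parameters are my own, and on top of the post's filter it adds a time window, a fallback for SIDs that cannot be translated, and an Action column derived from the event ID.

```powershell
# Added example, not from the original post. The function name Get-MsiChangeHistory and its
# parameters are assumptions; the event filter is the same one the post's one-liner uses.
function Get-MsiChangeHistory {
    [CmdletBinding()]
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddDays(-30),
        [string]   $Product      = '*'   # wildcard matched against the product name
    )

    # MsiInstaller 11707 = installation completed, 11724 = removal completed
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        ID           = 11707, 11724
        StartTime    = $Since
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # $_.UserId is the SID from <Security UserID="..."/> in the event XML. Translating it
            # fails for deleted local accounts or an unreachable domain, so keep the raw SID then.
            $sid  = $_.UserId
            $user = if ($null -eq $sid) { '<no UserID in event>' } else {
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            }

            # Pull the product name out of "Product: <name> -- Installation completed successfully."
            $name = if ($_.Message -match '^Product:\s+(?<name>.+?)\s+--') { $Matches['name'] } else { $_.Message }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                Action      = if ($_.Id -eq 11707) { 'Installed' } else { 'Removed' }
                Product     = $name
                User        = $user
            }
        } |
        Where-Object { $_.Product -like $Product }
}

# Usage: everything Zabbix-related on this server in the last 90 days, newest first.
Get-MsiChangeHistory -Since (Get-Date).AddDays(-90) -Product '*Zabbix*' |
    Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Installs pushed by a deployment tool that runs as SYSTEM show NT AUTHORITY\SYSTEM in the User column rather than the administrator who scheduled them, so treat that value as "automated" and look at the deployment tool's own logs for the person behind it.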
Important Things to Remember
- This method only works for programs that use MSI installers
- Some programs use different installation methods and won't show up in these logs
- The Reliability Monitor also tracks software changes and might be easier for some people to use
Making Sure You Don't Miss Anything
I always make sure my Event Viewer logs are set up properly. I increase the log size to at least 1 GB so I don't lose important information. I also set the retention method to keep events as long as possible.
Tracking software installations and removals isn't as hard as it seems. Windows gives you all the tools you need. You just need to know which events to look for and how to decode the user information.
This method has saved me countless hours of investigation. When someone asks "Who installed that program?" I can give them a name, date, and time within minutes.
The key is understanding those two event IDs - 11707 for installations and 11724 for removals. Everything else builds from there.