Wednesday, November 21, 2007

Tracking Software Installation and Removal Using Event IDs 11707, 11724, and 592

In these days of malware, spyware, and compliance regulations, a lot of admins are looking to track the installation of unauthorized programs, and/or the removal of required programs from client desktops. There are actually several events you can look for in both the Application Event Log and Security Event Log that will help you do this.

In the Application log, setup packages that use the Windows Installer to install themselves will create numerous events, all with an event source of MsiInstaller.

Event ID 11707 tells you when an install completes successfully, and also which user executed the install package.

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11707
Date: 11/9/2006
Time: 3:21:45 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
Product: Event Archiver Enterprise -- Installation operation completed successfully.

Event ID 11724 tells you when a software package is removed successfully, again logging the user behind the operation.

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11724
Date: 11/12/2007
Time: 7:50:13 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
Product: Event Archiver Enterprise -- Removal completed successfully.

You can track both of these events in our Event Analyst software by setting up appropriate filters and building a custom report.

Also, if you want to correlate the name of the setup executable that was run with the software it installed, turn on Process Tracking auditing in the relevant Group Policy Object for one or more computers (e.g. Domain Security Policy, Local Security Policy), and look for events with Event ID 592 in the Security log that occur shortly before the 11707 event in the Application log, e.g.

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 11/9/2006
Time: 3:20:30 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
A new process has been created:
New Process ID: 2816
Image File Name: \EvntArch.exe
Creator Process ID: 516
User Name: USER
Domain: DOMAIN
Logon ID: (0x0,0x3E7)
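As an added example (not code from the post or from the Event Analyst product), here is a small script that parses records in the text layout shown above and pairs each MsiInstaller 11707/11724 event with the 592 process-creation events logged for the same user in the preceding few minutes. The sample records, the five-minute window and the trimmed field set are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in the "Field: value" layout shown in the post, trimmed to
# the fields the correlation needs. Backslashes are doubled only because this is a literal.
SAMPLE_EVENTS = """\
Event Source: Security
Event ID: 592
Date: 11/9/2006
Time: 3:20:30 PM
User: DOMAIN\\USER
Image File Name: \\EvntArch.exe

Event Source: MsiInstaller
Event ID: 11707
Date: 11/9/2006
Time: 3:21:45 PM
User: DOMAIN\\USER
Product: Event Archiver Enterprise -- Installation operation completed successfully.

Event Source: MsiInstaller
Event ID: 11724
Date: 11/12/2007
Time: 7:50:13 PM
User: DOMAIN\\USER
Product: Event Archiver Enterprise -- Removal completed successfully.
"""

def parse_events(text):
    """One dict of fields per blank-line-separated record, plus a parsed timestamp."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        fields["when"] = datetime.strptime(
            f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(fields)
    return events

def correlate_installs(text, window_minutes=5):
    """Pair each 11707/11724 event with 592 events by the same user in the preceding window."""
    events = parse_events(text)
    procs = [e for e in events if e["Event ID"] == "592"]
    results = []
    for e in events:
        if e["Event Source"] != "MsiInstaller":
            continue
        lo = e["when"] - timedelta(minutes=window_minutes)  # start of the look-back window
        images = [p["Image File Name"] for p in procs
                  if p["User"] == e["User"] and lo <= p["when"] <= e["when"]]
        results.append((e["Event ID"], e["Product"].split(" -- ")[0], images))
    return results
```

An empty image list for an event (as for the 11724 record here) means no matching 592 was found in the window, which usually indicates that Process Tracking auditing was not enabled on that machine at the time.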

Event Analyst also has a built-in Process Usage report that is very useful for viewing all of the executable files that were loaded and unloaded on one or more systems for a given time frame. It automatically determines the executable files that are run the most frequently for any given user.

1 comment:

J Teddy said...

Thanks for this post. I just started searching on how to monitor software application installs, as our employee workstations are locked down and only admins can install software.