Thursday, June 19, 2014

Did I Do That? - Watching for software installation and removal

Have you ever wanted to know when someone installs or uninstalls software from a computer that you are responsible for managing?

On a balmy spring day in the not so distant past, Steve from AwesomeTech gets a phone call from Paul at Dewey, Cheatham & Howe. Paul is upset because he can no longer open PDF files on his office computer. Steve opens the Asset Tracking Modification report for the firm, finds Paul's computer on it, and sees that Adobe was uninstalled the day before. He tells Paul that it appears someone uninstalled Adobe Reader yesterday, and Paul then confesses that his twelve-year-old son was "helping" him in the office yesterday.

Paul asks if there is a way for AwesomeTech to make him aware of anyone installing or uninstalling software at the firm. Steve researches the problem and finds that the Microsoft Installer (MSI) writes to the event log with very specific event IDs when software is installed or uninstalled through the MSI. Armed with that information, Steve creates two new Daily Safety Check Event Log checks and adds them across multiple devices using the Multiple Devices button in the upper right of the Event Log Check window.

Check for Software Installed

Check for Software Uninstalled

From now on, when someone installs or uninstalls software, AwesomeTech will receive an alert in their dashboard similar to this...

And when Steve opens the link in the Extra column, he sees what was installed or uninstalled.

Keep in mind that this check can be applied as a 24x7 or Daily Safety Check, but the Daily Safety Check is probably the most useful. Also, these event log entries are only written by installations that use the Microsoft Installer (MSI), so applications that do not use MSI will not be flagged by these event log checks.
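
The same lookup can be run by hand to confirm what the dashboard checks would flag. The PowerShell below is an added example, not part of the original post or of the monitoring product it describes. It assumes the commonly documented MsiInstaller success events 11707 (installed) and 11724 (removed), since the post does not say which IDs Steve used, and the function name `Get-MsiSoftwareChange` is hypothetical.

```powershell
# Added example. Event IDs are the commonly documented MsiInstaller success
# events (assumption: the post does not state which IDs its checks use).
$MsiActions = @{
    11707 = 'Installed'    # "Product: <name> -- Installation completed successfully."
    11724 = 'Uninstalled'  # "Product: <name> -- Removal completed successfully."
}

function Get-MsiSoftwareChange {
    param(
        [int]$Hours = 24,                          # look-back window, like a daily check
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707, 11724
        StartTime    = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no changes".
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the product name out of the event message text.
            $product = if ($_.Message -match 'Product:\s*(.+?)\s+--\s') { $Matches[1] } else { '(unparsed)' }

            # The event records the SID of the account that ran the installer.
            $user = try { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { "$($_.UserId)" }

            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                Action   = $MsiActions[$_.Id]
                Product  = $product
                User     = $user
            }
        } | Sort-Object Time
}

# Software installed or removed through MSI in the last day on this machine.
# Installers that bypass MSI write no such events and will not appear here.
Get-MsiSoftwareChange -Hours 24 | Format-Table -AutoSize
```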