How to Check the Software Installation and Removal History in Windows

The Windows Event logs maintain a comprehensive record of software installations, updates, and removals on a computer. These logs are also valuable for determining the specific user responsible for initiating any application installation or removal.

Here’s how you can access the application installation logs in Windows:

  1. Launch the Event Viewer snap-in by entering eventvwr.msc in the Run dialog.
  2. Navigate to Windows Logs and then to Application.
  3. Right-click on the log and choose Filter current log.
  4. Select MsiInstaller as the event source.
  5. Look for the following event IDs for information regarding software installation or removal:
    EventID 11707 indicates Installation completed successfully.
    EventID 11724 indicates Removal completed successfully.
  6. To determine which user uninstalled or installed a program, open the Details tab in the event properties and switch to XML view. The Security UserID attribute will display the user’s SID. Make sure to copy it.
  7. Execute the following command to convert the user SID into an actual account name:
    wmic useraccount where sid='S-1-5-21-3414967564-454070197-2746421142-1001' get name

This command will return the account name of the user who triggered the installation or removal of the program.

To retrieve all software installation and removal events from the Event log, you can utilize the Get-WinEvent cmdlet. For example, to display a record of successful software installations, you can use the following command:

Get-WinEvent -FilterHashtable @{LogName="Application";ID=11707;ProviderName='MsiInstaller'} | Select TimeCreated,Message
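
The manual steps and the query above can be combined into a single report. The following is an added example, not part of the original article: it pulls both event IDs (11707 and 11724) from the MsiInstaller source and resolves each event's user SID to an account name with the .NET `Translate()` method instead of `wmic`. The names `Resolve-SidToAccount`, `$ActionById` and `$filter` are illustrative.

```powershell
# Added example: MsiInstaller install/removal history with the initiating account.
# The event IDs and the provider name are the ones listed in the steps above.
$ActionById = @{ 11707 = 'Installed'; 11724 = 'Removed' }

# Hypothetical helper: converts the event's SID to DOMAIN\user.
function Resolve-SidToAccount {
    param([System.Security.Principal.SecurityIdentifier]$Sid)

    if (-not $Sid) { return $null }   # some events carry no UserID attribute
    try {
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Account deleted or domain unreachable: keep the raw SID so the
        # record can still be correlated with other logs.
        $Sid.Value
    }
}

$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 11707, 11724
}

# Get-WinEvent raises an error when nothing matches the filter;
# SilentlyContinue turns that case into an empty result.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Action      = $ActionById[$_.Id]
            User        = Resolve-SidToAccount $_.UserId
            Message     = $_.Message
        }
    } |
    Sort-Object TimeCreated
```

Pipe the output to `Export-Csv` or `Out-GridView` to keep or filter the results.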

To retain a longer history of these events in Event Viewer, consider increasing the Windows Event Log size limit.

Furthermore, Windows offers a more user-friendly tool for monitoring the history of application installations, removals, and updates, including those for Microsoft Store (UWP) apps, as well as the Windows Update logs. This tool is known as the system Reliability Monitor.

The Reliability Monitor is a distinct graphical utility found in the Classic Control Panel that illustrates the system stability index along with comprehensive information regarding events that may impact the operating system’s stability, such as application crashes and software installation or removal activities.

To access the Reliability Monitor, navigate to Control Panel -> Security and Maintenance. Within the Maintenance section, select the View reliability history link (or execute the perfmon /rel command).

You can view updates, programs, and UWP apps that have been installed or removed on a daily or weekly basis. For further details about a specific event, click the View technical details button.

This script lists all program installation, removal, and update events (including Windows updates and APPX/MSIX installations) that have occurred on the computer within the past 7 days in a visually interactive table via Out-GridView.

# Start of the 7-day window
$DaysAgo = (Get-Date).AddDays(-7)
# WQL filter: records newer than $DaysAgo from Windows Update or MsiInstaller
$ReliabilityFilter = "TimeGenerated > '$DaysAgo' and (SourceName='Microsoft-Windows-WindowsUpdateClient' or SourceName='MsiInstaller')"
Get-CimInstance -ClassName Win32_ReliabilityRecords -Filter $ReliabilityFilter | Select TimeGenerated, ProductName, User, Message | Out-GridView

Utilize Out-GridView’s built-in filters to narrow down events by a designated application, event, or user.

