Tracking Program Installations and Removals: A Guide to Detecting User Actions on Windows

In enterprise environments with multiple administrators, tracking who installed or uninstalled software on Windows systems is crucial. To do this, you can extract information from the Windows Event Viewer logs.

When applications are installed or uninstalled using the MSI installer, specific events are logged. The relevant event codes include:

  • 11707: Indicates successful installation of an MSI application.
  • 11724: Indicates an MSI application has been removed.

To view these logs, open the Event Viewer by running eventvwr.msc, and filter for events with IDs 11707 and 11724 in the Application log. Upon doing so, you’ll see a list of software installation and removal events, along with descriptions of each event, such as:

Product: Zabbix Agent 2 (64-bit) -- Removal completed successfully.
Product: 7-Zip 24.09 (x64 edition) -- Installation completed successfully.

The event will also display the name of the user who performed the installation or uninstallation in the “User” property.

For a more efficient approach, you can use PowerShell to find all installation and uninstallation events related to a specific application. The following script outputs all events related to the Zabbix agent, including the usernames of those who performed the actions:

# Query the Application log for MsiInstaller events 11707 (installed) and 11724 (removed),
# keep only messages mentioning Zabbix, and resolve the UserId SID to DOMAIN\user.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; ID = 11707, 11724 } |
    Where-Object { $_.Message -like '*Zabbix*' } |
    Select-Object TimeCreated,
        @{ Name = 'Username'; Expression = { (New-Object System.Security.Principal.SecurityIdentifier($_.UserId)).Translate([System.Security.Principal.NTAccount]).Value } },
        Message

This script converts the UserId property of each event, which holds the user’s SID, into a readable DOMAIN\user account name.
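The one-liner above is fine for a quick look at one product. For repeated use (audits, change records, checking several hosts) it helps to wrap the same query in a function that parses the product name out of the message, resolves the SID, and returns objects you can filter, group or export. The following is an added example written for this post, not code from the original article. It assumes the message format shown above ("Product: <name> -- <outcome>."); the function name Get-MsiInstallHistory and its parameters are invented here, and event IDs 11708 and 11725 (MsiInstaller's "installation failed" / "removal failed" events) go beyond the two IDs discussed above and are only included when -IncludeFailures is given.

```powershell
# Added example (not from the original post): wraps the Get-WinEvent query from the
# article in a reusable function. Assumptions: the MsiInstaller message format
# "Product: <name> -- <outcome>." and the hypothetical function/parameter names below.
function Get-MsiInstallHistory {
    [CmdletBinding()]
    param(
        # Remote host to query; omit for the local machine. Remote queries need
        # event-log read rights and the Remote Event Log Management firewall rule.
        [string]$ComputerName,
        # Only return events at or after this time (default: last 30 days).
        [datetime]$StartTime = (Get-Date).AddDays(-30),
        # Wildcard matched against the parsed product name, e.g. '*Zabbix*'.
        [string]$Product = '*',
        # Also include failed installs (11708) and failed removals (11725).
        [switch]$IncludeFailures
    )

    $ids = 11707, 11724
    if ($IncludeFailures) { $ids += 11708, 11725 }

    $params = @{
        FilterHashtable = @{
            LogName      = 'Application'
            ProviderName = 'MsiInstaller'
            ID           = $ids
            StartTime    = $StartTime
        }
        # Get-WinEvent reports "No events were found" as an error; treat it as an empty result.
        ErrorAction     = 'SilentlyContinue'
    }
    if ($ComputerName) { $params.ComputerName = $ComputerName }

    Get-WinEvent @params |
        ForEach-Object {
            $evt = $_   # keep a reference: $_ is the ErrorRecord inside a catch block

            # Split "Product: <name> -- <outcome>." into its two parts.
            $name = $null
            $outcome = $evt.Message
            if ($evt.Message -match '^Product:\s*(?<Name>.+?)\s+--\s+(?<Outcome>.+?)\.?\s*$') {
                $name    = $Matches.Name
                $outcome = $Matches.Outcome
            }

            # Resolve the SID to DOMAIN\user; fall back to the raw SID when the
            # account has been deleted or cannot be translated on this host.
            $user = $null
            if ($evt.UserId) {
                try   { $user = $evt.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $user = $evt.UserId.Value }
            }

            $action = switch ($evt.Id) {
                11707 { 'Install' }
                11708 { 'InstallFailed' }
                11724 { 'Removal' }
                11725 { 'RemovalFailed' }
            }

            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                Computer    = $evt.MachineName
                Action      = $action
                Product     = $name
                User        = $user
                Outcome     = $outcome
                EventId     = $evt.Id
            }
        } |
        Where-Object { $_.Product -like $Product }
}

# Usage: Zabbix agent installs and removals in the last 30 days, and who performed them.
Get-MsiInstallHistory -Product '*Zabbix*' | Format-Table TimeCreated, Action, Product, User -AutoSize

# Usage: which accounts changed software on this host in the last 90 days, and how often.
Get-MsiInstallHistory -StartTime (Get-Date).AddDays(-90) |
    Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name

# Usage: full report including failures, exported for the change record.
Get-MsiInstallHistory -IncludeFailures | Export-Csv -Path .\msi-history.csv -NoTypeInformation
```

Two caveats worth keeping in mind when reading the output: these events only cover packages installed through Windows Installer (MSI), so software deployed by a plain EXE setup will not appear here, and when a deployment tool or service runs the installer the User column shows that service's account rather than the administrator who triggered it.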

Additionally, the Reliability Monitor can be used to check the installation and removal history of applications in Windows. More detailed information about how to access this history can be found in this article on viewing app installation and removal history.

For anyone managing multiple users and installations on Windows servers or workstations, these methods can streamline the process of tracking software changes and user actions efficiently.
