{"id":10955,"date":"2025-06-25T06:00:50","date_gmt":"2025-06-25T06:00:50","guid":{"rendered":"https:\/\/cheapwindowsvps.com\/blog\/tracking-program-installations-and-removals-a-guide-to-detecting-user-actions-on-windows\/"},"modified":"2025-07-15T12:09:41","modified_gmt":"2025-07-15T12:09:41","slug":"tracking-program-installations-and-removals-a-guide-to-detecting-user-actions-on-windows","status":"publish","type":"post","link":"https:\/\/cheapwindowsvps.com\/blog\/tracking-program-installations-and-removals-a-guide-to-detecting-user-actions-on-windows\/","title":{"rendered":"Tracking Program Installations and Removals: A Guide to Detecting User Actions on Windows"},"content":{"rendered":"<p>In enterprise environments with multiple administrators, tracking who installed or uninstalled software on <a href=\"https:\/\/cheapwindowsvps.com\/\"><strong>Windows systems<\/strong><\/a> is crucial. To do this, you can extract information from the Windows Event Viewer logs.<\/p>\n<p>When applications are installed or uninstalled using the MSI installer, specific events are logged. The relevant event codes include:<\/p>\n<ul>\n<li><strong>11707<\/strong>: Indicates successful installation of an MSI application.<\/li>\n<li><strong>11724<\/strong>: Indicates an MSI application has been removed.<\/li>\n<\/ul>\n<p>To view these logs, open the Event Viewer by running <code>eventvwr.msc<\/code>, and filter for events with IDs <strong>11707<\/strong> and <strong>11724<\/strong> in the <strong>Application<\/strong> log. Upon doing so, you&#8217;ll see a list of software installation and removal events, along with descriptions of each event, such as:<\/p>\n<pre><code>Product: Zabbix Agent 2 (64-bit) -- Removal completed successfully.<\/code><\/pre>\n<pre><code>Product: 7-Zip 24.09 (x64 edition) -- Installation completed successfully.<\/code><\/pre>\n<p>The event will also display the name of the user who performed the installation or uninstallation in the \u201c<strong>User<\/strong>\u201d property.<\/p>\n<p>For a more efficient approach, you can use PowerShell to find all installation and uninstallation events related to a specific application. The following script outputs all events related to the Zabbix agent, including the usernames of those who performed the actions:<\/p>\n<pre><code class=\"language-powershell\">Get-WinEvent -FilterHashtable @{LogName=\"Application\"; ID=11707,11724; ProviderName='MsiInstaller'} | Where-Object { $_.Message -like '*Zabbix*' } | Select TimeCreated, @{Name='Username'; Expression={(New-Object System.Security.Principal.SecurityIdentifier($_.userid)).Translate([System.Security.Principal.NTAccount]).Value}}, Message<\/code><\/pre>\n<p>This script converts the <code>userid<\/code> field, which contains the user&#8217;s SID, into a readable account name.<\/p>\n<p>Additionally, the <a href=\"https:\/\/cheapwindowsvps.com\/\"><strong>Reliability Monitor<\/strong><\/a> can be used to check the installation and removal history of applications in Windows. More detailed information about how to access this history can be found in this article on viewing app installation and removal history.<\/p>\n<p>For anyone managing multiple users and installations on Windows servers or workstations, these methods can streamline the process of tracking software changes and user actions efficiently.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In enterprise environments with multiple administrators, tracking who installed or uninstalled software on Windows systems is crucial. To do this, you can extract information from the Windows Event Viewer logs. When applications are installed or uninstalled using the MSI installer, specific events are logged. The relevant event codes include: 11707: Indicates successful installation of an [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":10956,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[99,108],"tags":[],"class_list":["post-10955","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-windows-11","category-windows-server-2022"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/10955","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=10955"}],"version-history":[{"count":2,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/10955\/revisions"}],"predecessor-version":[{"id":10986,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/10955\/revisions\/10986"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/10956"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=10955"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=10955"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=10955"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}