Getting Data In

Tracking software install/removal

tmontney
Builder

For Windows, I've been trying to track installs/removals. MSI was a breeze. I'm attempting now anything that isn't MSI. I'm tracking changes in the following paths:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Two issues arose:

  1. Uninstalled items just delete the whole key. I'd need to do a back-reference to determine what that was.
  2. Programs that upgrade tend to do another CreateKey. It's difficult to differentiate between Installs and Upgrades.

Here's an example of my search for detecting installs.

index="winregmon" process_image!=*msiexec* registry_type="SetValue" *displayname*
| join type=left max=0 host data [
search index="winregmon" process_image!=*msiexec* (registry_type="CreateKey" OR registry_type="DeleteKey") latest=-16m
| dedup host
| rename registry_type as last_registry_type
| rename data AS deleted_data]
| dedup host data
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| table host data Date Time last_registry_type

In my various modifications of this search, either I detect installs + upgrades (i just want installs) or I miss data all together. I'm aware the search above isn't right, just for reference. My idea:

  • Find the most recent registry change, per host
  • Back-reference to the last Key modification event, Create/Delete
  • If Create, it's an upgrade. If Delete, it's an install.
  • Only show Installs (DeleteKey being the last event, for that host)
0 Karma

DalJeanis
Legend

what is your question?

0 Karma

tmontney
Builder

How to track software install/removal? If from the registry, how do I back-search? Given my OP, how do I make my existing search work to tell me when new software is installed?

0 Karma

somesoni2
Revered Legend

Do you think may be monitoring WIndows event logs to this would be better?
https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Knowledgebase_Articles/Monitor...

0 Karma

tmontney
Builder

That's MSI. As mentioned in my OP, I've already covered MSI (note I exclude msiexec in my search, too). Granted, I've encouraged everyone when installing to install by MSI (so it can be tracked). But I still want to catch non-MSI installs.

0 Karma

radparik
Engager

@tmontney  how did you catch MSI installs? I am trying to create alerts to track MSI Installations and MSI Removals.

Thanks!

0 Karma
Get Updates on the Splunk Community!

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...