Getting Data In

Tracking software install/removal

tmontney
Builder

For Windows, I've been trying to track installs/removals. MSI was a breeze. I'm attempting now anything that isn't MSI. I'm tracking changes in the following paths:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Two issues arose:

  1. Uninstalled items just delete the whole key. I'd need to do a back-reference to determine what that was.
  2. Programs that upgrade tend to do another CreateKey. It's difficult to differentiate between Installs and Upgrades.

Here's an example of my search for detecting installs.

index="winregmon" process_image!=*msiexec* registry_type="SetValue" *displayname*
| join type=left max=0 host data [
search index="winregmon" process_image!=*msiexec* (registry_type="CreateKey" OR registry_type="DeleteKey") latest=-16m
| dedup host
| rename registry_type as last_registry_type
| rename data AS deleted_data]
| dedup host data
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| table host data Date Time last_registry_type

In my various modifications of this search, either I detect installs + upgrades (i just want installs) or I miss data all together. I'm aware the search above isn't right, just for reference. My idea:

  • Find the most recent registry change, per host
  • Back-reference to the last Key modification event, Create/Delete
  • If Create, it's an upgrade. If Delete, it's an install.
  • Only show Installs (DeleteKey being the last event, for that host)
0 Karma

DalJeanis
Legend

what is your question?

0 Karma

tmontney
Builder

How to track software install/removal? If from the registry, how do I back-search? Given my OP, how do I make my existing search work to tell me when new software is installed?

0 Karma

somesoni2
Revered Legend

Do you think may be monitoring WIndows event logs to this would be better?
https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Knowledgebase_Articles/Monitor...

0 Karma

tmontney
Builder

That's MSI. As mentioned in my OP, I've already covered MSI (note I exclude msiexec in my search, too). Granted, I've encouraged everyone when installing to install by MSI (so it can be tracked). But I still want to catch non-MSI installs.

0 Karma

radparik
Engager

@tmontney  how did you catch MSI installs? I am trying to create alerts to track MSI Installations and MSI Removals.

Thanks!

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...