How to list out unwanted software installed on use...

syed_star357 · ‎08-28-2016

Dear team,

What is the search condition to list out, which are the software installed on user workstation.

Regards,
syed

jconger · ‎08-30-2016

If your workstation OS is Windows, you can use the following PowerShell as a scripted input on your Universal Forwarder to get the installed software in a Splunk index.

Save this as GetInstalledSoftware.ps1 (or similar):

Param($Computer = $ENV:ComputerName)   
$ScriptRunTime = (get-date).ToFileTime()
$RemoteRegistry = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine",$Computer)   
$RegKey = $RemoteRegistry.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\")
if($RegKey)
{
    foreach($key in $RegKey.GetSubKeyNames())   
    {
        $output = @()
        $SubKey = $RegKey.OpenSubKey($key)
        $DisplayName = $SubKey.GetValue("DisplayName")
        if($DisplayName)
        {
            $output += 'Name="{0}"'            -f $DisplayName
            $output += 'Version="{0}"'         -f ($SubKey.GetValue("DisplayVersion"))  
            $output += 'InstallLocation="{0}"' -f ($SubKey.GetValue("InstallLocation")) 
            $output += 'Vendor="{0}"'          -f ($SubKey.GetValue("Publisher")) 
            $output += 'ScriptRunTime="{0}"'   -f $ScriptRunTime
        }

        if($output.count -gt 0)
        {
            Write-Host ("{0:MM/dd/yyyy HH:mm:ss} GMT - {1}" -f ((get-date).ToUniversalTime()),( $output -join " " ))
        }
    }   
}

$RegKey = $RemoteRegistry.OpenSubKey("SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
if($RegKey)
{
    foreach($key in $RegKey.GetSubKeyNames())   
    {
        $output = @()
        $SubKey = $RegKey.OpenSubKey($key)   
        $DisplayName = $SubKey.GetValue("DisplayName")
        if($DisplayName)
        {
            $output += 'Name="{0}"'            -f $DisplayName
            $output += 'Version="{0}"'         -f ($SubKey.GetValue("DisplayVersion")) 
            $output += 'InstallLocation="{0}"' -f ($SubKey.GetValue("InstallLocation"))
            $output += 'Vendor="{0}"'          -f ($SubKey.GetValue("Publisher"))
            $output += 'ScriptRunTime="{0}"'   -f $ScriptRunTime
        }

        if($output.count -gt 0)
        {
            Write-Host ("{0:MM/dd/yyyy HH:mm:ss} GMT - {1}" -f ((get-date).ToUniversalTime()),( $output -join " " ))
        }
    }   
}

Then, you can use a search like the following to see what software is installed per workstation:

index=YOUR_INDEX sourcetype="YOUR_SOURCETYPE" |  stats values(host) AS Hosts by Name Version Vendor |  sort Name |  rename Name AS "Application Name"

woodcock · ‎08-29-2016

Splunk does not do this by default. You need to create or acquire something else that can track software and forward this periodically into Splunk. Typically this is done with a Scripted Input. You can check to see if somebody else has created one by visiting splunkbase:

http://apps.splunk.com/

I know that Tanium also does this and plays well with Splunk:

https://www.tanium.com/

sundareshr · ‎08-28-2016

You will need to provide a lot more information. What data do you have in splunk, do you have a list of "wanted" software etc. Share some events and/or query that you have tried to get the best possible answer.

How to list out unwanted software installed on user machine

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation