Script: Software install and uninstall activity report

Greetings!

I’d like to share the following procedure/script in case it is useful to anyone else. Feel free to do with it as you wish. I’m writing this up in detail in order to show the methodology used and make it easier for the community to use, edit, understand or improve.

Overview
This procedure runs a PowerShell script that finds the latest applications that have been installed or uninstalled, along with the date and the user ID that performed the action. A report is generated and then emailed in HTML format. The email settings, as well as how many days prior to include in the report, are all configurable via the procedure's parameters for easy setup and modification. Optionally, a CSV file can be created and attached to the email. The goal was to make the procedure modular and mobile, so that the core script code doesn't need to be modified for basic usage.

Use Cases
This was developed as a way to audit devices for software activity, in order to find when and by whom software was installed or removed. It is helpful when mysterious software applications show up on a machine or just as mysteriously disappear. This report can tell you when it happened and the user account that performed it. This can aid in troubleshooting issues or in compliance with security-related policies. It can be used in conjunction with a monitor that detects when an install or uninstall event has occurred; this procedure can then be run as auto remediation to provide a report when the monitor is triggered.

Requirements and Limitations
This script relies on gathering events from the Windows Application event log. It looks for event IDs 11707 or 11724 with provider name MsiInstaller. As such, if an application does not use MsiInstaller, it will not record an event and will not be logged. Additionally, the amount of history the script can pull is dependent on how far back the Application event log goes on the machine it's run on. By default, assuming a reasonably standard and healthy Windows machine, it should be able to go back at least a month.

How to setup and use

  • Download the procedure:
  • Import the procedure under Configuration Templates - Procedures - Import Procedure
  • Configure the default parameters for the procedure from the Parameters tab of the script. You can set these at run-time, but the defaults need to be set in order for it to be used for auto remediation. Here are the current configurable parameters:
    • SMTP Server Address
    • SMTP Port
    • SMTP Username
    • SMTP Password
    • From Email Address
    • Send to Email Address
    • Number of Days to Retrieve History
    • Create CSV - Y for Yes - N for No
  • Create a new monitor under Configuration Templates - Monitors - Create Monitor. Configure with these settings (modify to your environment and desired settings)
    • Name: Software Change Alert
    • Condition 1: Type = Event, Event ID = 11707, Source = MsiInstaller
    • Condition 2: Type = Event, Event ID = 11724, Source = MsiInstaller
    • Trigger an alert if: Any of the conditions are met
    • Select an appropriate alert setting
    • Auto remediation on alert: Run procedure = Software install and uninstall activity report
    • If not already done, configure the parameters of the report procedure
  • Apply the monitor to your desired profile. I especially use this on servers as I always want to know exactly when, what and by whom any software is installed or removed. Leverage the maintenance window profile feature to prevent unwanted alerting/reporting when performing intended software install/removal tasks
Future development
A lot more can be done to improve this script, but it's a starter. Eventually I'd like to enhance it by adding or making these changes. Listing them here for those interested:
  • Making a configurable parameter to specify storing the report in a configurable path (server/local path). Currently you can edit the script variable $csvoutputpathfile and then comment out or remove the code block under #Done with CSV. By default it only creates the CSV temporarily in order to attach it to the email, then removes it to keep things clean. It can easily be modified to store and hold it somewhere permanently.
  • Add more output options, such as HTML and PDF file
  • Add integration with siPortal/IT Portal using their API to store output information in a device or config items history/notes.
  • Gather more detail on the event, such as the installer file name and its location that initiated the event. This will require file-level auditing enabled in Windows, and matching up times with events gathered from the Security log.
  • Add detection and gathering of upgrade or change events. Include capturing all changes during an application install, removal or upgrade event, such as registry, file and folder changes.
I hope this is of help to anyone.

Thanks!

Software-install-and-uninstall-activity-report.json (12.3 KB)
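For readers who want to see the mechanics the post describes before importing the attached procedure, the following is an added example and not eztech's attached script. It queries the Application log for MsiInstaller events 11707 and 11724 over the last N days, resolves the SID on each event to an account name, pulls the product name out of the message text, and emails an HTML table with an optional CSV attachment. The parameter names, the regex used on the message text, the HTML styling and the SMTP placeholder values are all my own choices.

```powershell
# Added example (not the original attached procedure): reports MsiInstaller install
# (11707) and removal (11724) events from the Application log for the last $Days days.
# SMTP values below are placeholders; replace them with your own.
param(
    [int]$Days = 30,
    [string]$SmtpServer = 'smtp.example.com',   # placeholder
    [int]$SmtpPort = 587,
    [string]$SmtpUser = '',                     # leave empty for anonymous relay
    [string]$SmtpPassword = '',
    [string]$From = 'rmm@example.com',          # placeholder
    [string]$To = 'it-alerts@example.com',      # placeholder
    [switch]$CreateCsv
)

# Filter server-side so the query stays fast even on busy Application logs.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 11707, 11724
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$report = foreach ($e in $events) {
    # UserId is a SID object; translate to DOMAIN\user, fall back to the raw SID.
    $user = if ($e.UserId) {
        try { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $e.UserId.Value }
    } else { 'N/A' }

    # Message text is of the form "Product: <name> -- Installation completed successfully."
    $product = if ($e.Message -match 'Product:\s*(.+?)\s*--') { $Matches[1] } else { $e.Message }

    [pscustomobject]@{
        Computer = $e.MachineName
        Time     = $e.TimeCreated
        Action   = if ($e.Id -eq 11707) { 'Installed' } else { 'Removed' }
        Product  = $product
        User     = $user
    }
}

$style = '<style>table{border-collapse:collapse}td,th{border:1px solid #999;padding:4px}</style>'
$heading = "<h2>MSI install/uninstall events on $env:COMPUTERNAME, last $Days days ($($report.Count) found)</h2>"
$html = $report | Sort-Object Time -Descending |
    ConvertTo-Html -Title "Software activity: $env:COMPUTERNAME" -Head $style -PreContent $heading |
    Out-String

$mail = @{
    SmtpServer = $SmtpServer
    Port       = $SmtpPort
    UseSsl     = $true
    From       = $From
    To         = $To
    Subject    = "Software activity report - $env:COMPUTERNAME"
    Body       = $html
    BodyAsHtml = $true
}
if ($SmtpUser) {
    # Credential built from the procedure parameters, matching the post's SMTP Username/Password inputs.
    $secret = ConvertTo-SecureString $SmtpPassword -AsPlainText -Force
    $mail.Credential = [pscredential]::new($SmtpUser, $secret)
}

$csvPath = $null
if ($CreateCsv) {
    # CSV is written to a temp location only long enough to be attached, as the post describes.
    $csvPath = Join-Path $env:TEMP "software-activity-$env:COMPUTERNAME.csv"
    $report | Export-Csv -Path $csvPath -NoTypeInformation
    $mail.Attachments = $csvPath
}

Send-MailMessage @mail

if ($csvPath) { Remove-Item $csvPath -ErrorAction SilentlyContinue }
```

Run it as `.\Report-MsiActivity.ps1 -Days 14 -CreateCsv` (file name is my own). The `StartTime` key in the filter hashtable is what bounds the history, so on a machine whose Application log has wrapped, the report will simply be shorter than N days, which is the limitation the post calls out.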

@eztech ,

This detail is amazing. I hope everybody benefits from this post. :slight_smile:

Hi @eztech,

Looks really useful, thanks a lot for sharing! :slight_smile:

– Javier Llorente