How to Detect Who Installed What Software on Your Windows Server (2025)
Native Auditing vs. Netwrix Auditor for Windows Server
Native Auditing
Steps
Run eventvwr.msc → Windows Logs → Right-click "Application" log → Properties:
Make sure the "Enable logging" check box is selected
Increase the log size to at least 1 GB
Set the retention method to "Overwrite events as needed" or "Archive the log when full".
Open Event Viewer and search the application log for the 11707 event ID with MsiInstaller Event Source to find the latest installed software.
To create an instant alert that is triggered upon any software installation, edit the following PowerShell script by setting your own parameters, and save it anywhere as a .ps1 file (e.g., detect_software.ps1):
#Mail SMTP Setup Section
$Subject = "New Software Has Been Installed on $env:COMPUTERNAME" # Message Subject
$Server = "smtp.server" # SMTP Server
$From = "From@domain.com" # From whom we are sending an e-mail (add anonymous logon permission if needed)
$To = "to@uncc.edu" # To whom we are sending
$Pwd = ConvertTo-SecureString "enterpassword" -AsPlainText -Force # Sender account password
# (Warning! Use a very restricted account for the sender, because the password stored in the script is not encrypted)
$Cred = New-Object System.Management.Automation.PSCredential("From@domain.com", $Pwd) # Sender account credentials
$encoding = [System.Text.Encoding]::UTF8 # Setting encoding to UTF8 so the message displays correctly
#Generates human readable userID from UserSID in log.
Run Task Scheduler → Create a new scheduled task → Enter its name → Triggers tab → New trigger → Set up the following options:
Begin the task on an event
Log – Application
Source – Blank
EventID – 11707.
Go to the Actions Tab → New action with the following parameters:
Action – Start a program
Program/script: PowerShell
Add arguments (optional): -File "specify the file path to our script"
Click "OK".
Now, you will be notified about every software installation on your Windows server via e-mail message containing details on the software installation time, software name, and installer’s userID (SID).
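The script shown above breaks off at the step that turns the event's user SID into a readable account name. The following is an added example of that lookup, not Netwrix's original code: it reads the newest MsiInstaller 11707 event from the Application log and resolves the SID, falling back to the raw SID when it cannot be resolved. The function name Get-RecentMsiInstall is chosen here for illustration.

```powershell
# Added example (not from the original page): list recent MSI installs
# together with the account that ran them.
function Get-RecentMsiInstall {
    param(
        [int]$MaxEvents = 1   # 1 = only the newest installation event
    )

    # Event ID 11707 from the MsiInstaller source in the Application log,
    # the same event the scheduled task on this page triggers on.
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707 }
    $records = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue   # no matching event -> no output

    foreach ($rec in $records) {
        $sid = $rec.UserId              # SecurityIdentifier, or $null if absent
        $account = '(no user recorded)'
        if ($sid) {
            try {
                # Translate the SID into DOMAIN\user so the alert is readable.
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Deleted account or unreachable domain controller: keep the SID.
                $account = "$($sid.Value) (SID could not be resolved)"
            }
        }
        [pscustomobject]@{
            TimeCreated = $rec.TimeCreated
            Computer    = $rec.MachineName
            Account     = $account
            Message     = $rec.Message   # contains the product name
        }
    }
}

# Build the text for the notification body. With the mail settings from the
# script above it could be passed to Send-MailMessage via -Body.
$Body = Get-RecentMsiInstall -MaxEvents 1 | Format-List | Out-String
if ($Body.Trim()) {
    Write-Output $Body
} else {
    Write-Output 'No MsiInstaller 11707 events found in the Application log.'
}
```

Installations performed by a service or deployment agent are logged under the account that service runs as (often NT AUTHORITY\SYSTEM), so the resolved name identifies the installing process's account, not necessarily a person.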
Run Netwrix Auditor → Navigate to "Reports" → "Windows Server" → "Windows Server Changes" → Select the "Programs Added and Removed" report → Click "View".
To receive the report regularly by email, click the "Subscribe" button and select the preferred schedule.
It is best to set up an alert on new software installation by following the steps below:
From the Netwrix Auditor home page, navigate to "Alerts" → Click "Add" → Specify the alert’s name.
Switch to the "Recipients" tab → Click "Add Recipient" → Specify an email address where you want the alert to be delivered.
Navigate to the "Filters" tab → Adjust the following filters:
Click "Add" to save the alert.
Whenever someone installs new software, you will receive a similar alert:
Detect Violations of Corporate Software Installation Policy
Accidental or intentional unauthorized software installation on Windows Server can enable malware to enter your network, which can lead to performance problems and the loss or leakage of sensitive data. Threats come both from inside the organization and from hackers on the outside: employees may unknowingly download and install malicious programs, thereby violating your software installation policy. That is why it is critical to know what software was installed, who installed it on Windows, and when it happened. You can use PowerShell scripts to look for Windows Installer logs in Event Viewer, but that requires expertise in PowerShell scripting and can be tedious.
To reduce the risks of breaches and downtime, IT pros need to be able to detect when new software is installed and quickly determine all the who-what-where-when details. Netwrix Auditor for Windows Server delivers complete visibility into what is happening across your Windows Server infrastructure, including unauthorized software installation, by looking into event logs for installed applications. IT pros simply create an alert, and they will immediately receive a detailed e-mail notification whenever new software is installed and see who installed a program on Windows, so they can fully secure the organization’s assets.
Press the Windows key + R on your keyboard to open the run window. In the run dialog box, type in eventvwr and click OK. In the Event Viewer window, expand the Windows Logs menu. Under the Windows Logs menu, you'll notice different categories of event logs—application, security, setup, system, and forwarded events.
To view this audit log, go to the Event Viewer. Under Windows Logs, select Security. You can find all the audit logs in the middle pane as displayed below. Search the Security Windows Logs for the event ID 4656 with the Audit Failed keyword to find out who tried changing a file or folder.
Launch the package in debug mode from Advanced Installer
Check the Show run Log option and press the [ Run ] button to run the installer in debug mode. The resulting Windows Installer log will be shown in the “Run Log” Panel. In the bottom of your Advanced Installer project, the Run and Log panel will be displayed.
By default, Event Viewer log files use the .evt extension and are located in the %SystemRoot%\System32\winevt\Logs folder. Log file name and location information is stored in the registry. You can edit this information to change the default location of the log files.
Click on the Windows Start button. Right-click on Computer and select Manage. In the Computer Management dialog, expand System Tools | Event Viewer | Windows Logs. Select Application Log.
You can use Computer Management and connect to the server that is hosting the file. Then you can look at System Tools > Shared Folders > Open Files. Find the file you are being asked about in the list on the right. Beside the file name you will see who has it open and the Open Mode (read only; read-write).
Within the Event Viewer (Control Panel | Administrative Tools | Event Viewer), on the System tab, the Service Control Manager logs who started and stopped each event.
Click on the Start button and type Control Panel in the Search tab. Open it. Go to Programs > Programs and Features, and you will see a list of programs you have installed on your computer.