Powershell: How to Detect Who Installed What Software on Your Windows Server in Real Time
Why It Is Important
Accidental or intentional unauthorized software installation on a Windows Server can let malware into your network, which can lead to performance problems and to the loss or leakage of sensitive data. The threat comes from inside the organization as well as from attackers outside it: employees may unknowingly download and install malicious programs, violating your software installation policy in the process. That is why it is critical to know what software was installed, who installed it and when.
Native Auditing
Run eventvwr.msc → Windows Logs → right-click the “Application” log → Properties:
- Make sure the “Enable logging” check box is selected
- Increase the maximum log size to at least 4 GB so installation events are not overwritten before you see them
- Set the retention method to “Overwrite events as needed” or “Archive the log when full”.
Open Event Viewer and search the Application log for Event ID 11707 from the MsiInstaller source (message text “Product: <name> -- Installation completed successfully.”) to find the most recently installed software. Only packages installed through Windows Installer (.msi) log this event; a plain .exe setup that does not use Windows Installer leaves no 11707 behind, so treat this as a reliable signal for MSI installs rather than complete coverage of everything that lands on the server.
To create an instant alert that fires on any MSI software installation, edit the following PowerShell script, fill in your own parameters, and save it anywhere as a .ps1 file (e.g., detect_software.ps1):
```powershell
$Subject  = "New Software Has Been Installed"   # Message subject
$Server   = "smtp.server"                       # SMTP server
$From     = "From@domain.com"                   # Sender address (add anonymous logon permission on the relay if needed)
$To       = "To@domain.com"                     # Recipient
$Password = ConvertTo-SecureString "enterpassword" -AsPlainText -Force   # Sender account password ($Pwd is avoided: $PWD is PowerShell's current-directory variable)
# Warning! Use a very restricted account for the sender, because the password stored in the script is not encrypted.
$Cred     = New-Object System.Management.Automation.PSCredential($From, $Password)   # Sender account credentials
$encoding = [System.Text.Encoding]::UTF8        # UTF-8 so the message body displays correctly

# Pull the newest MsiInstaller 11707 ("Installation completed successfully") event from the Application log.
# Out-String turns the selected properties into readable text instead of the "@{TimeCreated=...}" hashtable dump
# you get when an object is interpolated into a string.
$Body = Get-WinEvent -FilterHashtable @{LogName="Application"; ID=11707; ProviderName="MsiInstaller"} -MaxEvents 1 |
    Select-Object TimeCreated, Message, UserId | Format-List | Out-String

# Send the e-mail. -UseSsl keeps the credentials off the wire in clear text; drop it only if the relay has no STARTTLS.
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body $Body -Subject $Subject -Credential $Cred -Encoding $encoding -UseSsl
```
Run Task Scheduler → Create Task → enter a name → Triggers tab → New trigger → set the following options:
- Begin the task – On an event
- Log – Application
- Source – MsiInstaller (leaving it blank matches any source that logs ID 11707)
- Event ID – 11707.
Go to the Actions tab → New action with the following parameters:
- Action – Start a program
- Program/script – powershell.exe
- Add arguments (optional) – -NoProfile -ExecutionPolicy Bypass -File "specify file path to our script"
- Click “OK”.
On the General tab choose “Run whether user is logged on or not” and an account that can read the Application log (SYSTEM is sufficient; the SMTP credential lives in the script, so the task account needs no mailbox of its own).
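The same task can be registered from PowerShell instead of clicking through the Task Scheduler UI, which is easier to repeat across several servers. The following is an added example, not code from the original article: the script path and task name are assumptions, and the event filter is the same Application / MsiInstaller / 11707 combination as the GUI trigger, written in the XPath form that Event Viewer uses for custom views.

```powershell
# Added example: register the "on event" task from PowerShell. $ScriptPath and $TaskName are assumed values.
$ScriptPath = 'C:\Scripts\detect_software.ps1'   # assumed location of the alert script from above
$TaskName   = 'Alert-SoftwareInstall'            # assumed task name

# Event filter: Application log, provider MsiInstaller, Event ID 11707 (installation completed successfully).
$Subscription = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='MsiInstaller'] and EventID=11707]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no "on an event" option, so build the trigger from the CIM class directly.
$Trigger = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace root/Microsoft/Windows/TaskScheduler |
    New-CimInstance -ClientOnly
$Trigger.Enabled      = $true
$Trigger.Subscription = $Subscription

# Run powershell.exe non-interactively against the script. -NoProfile keeps profile scripts out of the task's
# execution path; -ExecutionPolicy Bypass applies to this process only.
$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# SYSTEM can read the Application log and needs no stored password; the SMTP credential is inside the script.
$Principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Kill a hung SMTP session after 5 minutes and allow overlapping runs when several MSIs complete back to back.
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 5) -MultipleInstances Parallel

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Principal $Principal -Settings $Settings -Force

# Verify: the registered trigger should echo back the XPath subscription above.
(Get-ScheduledTask -TaskName $TaskName).Triggers | Select-Object -ExpandProperty Subscription
```

Running this requires an elevated PowerShell session. Because the task runs as SYSTEM, anyone who can edit detect_software.ps1 gets code execution as SYSTEM on the next MSI install, so restrict write access to the script's folder to administrators.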
Now you will be notified by e-mail about every MSI installation on your Windows Server; the message contains the installation time, the product name and the installer’s user ID as a SID. Keep in mind that the SID identifies the account that ran msiexec: installations pushed by a deployment agent or a service show up as SYSTEM (S-1-5-18) rather than the person who requested the software.
To convert a SID into an account name, open the following script in PowerShell ISE, paste the SID in place of the placeholder and run it:
```powershell
$objSID  = New-Object System.Security.Principal.SecurityIdentifier("Enter your SID Here")   # SID copied from the event
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])                         # resolve via the local SAM or the domain
$objUser.Value                                                                              # prints DOMAIN\user or COMPUTER\user
```
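The alert script above mails the raw event and leaves SID resolution as a manual step. The following added example, which is not part of the original article, combines the two: it parses the product name and outcome out of the MsiInstaller message, resolves the SID to an account name while tolerating SIDs that can no longer be mapped, and returns one object per event so the result can be tabulated or dropped straight into the e-mail body. It deliberately goes beyond the article's 11707-only filter by also watching 11724 (removal completed successfully) and 11708 (installation failed), which MsiInstaller logs in the same “Product: <name> -- <result>.” format. The function and parameter names are my own choices, not Windows or Netwrix identifiers.

```powershell
# Added example: structured MSI install/uninstall events with the installer's SID resolved to a name.

function Resolve-InstallerSid {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Deleted local or domain account, or a domain SID on a server that cannot reach a domain controller.
        # Keep the raw SID rather than failing the whole alert.
        "$($Sid.Value) (unresolved)"
    }
}

function Get-MsiInstallEvent {
    param(
        [int]$MaxEvents = 10,
        # 11707 = installation completed, 11724 = removal completed, 11708 = installation failed
        [int[]]$EventId = @(11707, 11724, 11708)
    )
    # -ErrorAction SilentlyContinue: Get-WinEvent raises a non-terminating error when no event matches.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; ID = $EventId } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Message looks like: "Product: 7-Zip 23.01 (x64 edition) -- Installation completed successfully."
        # Match once and branch on the result; $Matches keeps its previous value when -match fails.
        if ($_.Message -match '^Product:\s*(.+?)\s+--\s+(.+?)\.?\s*$') {
            $product = $Matches[1]
            $result  = $Matches[2]
        } else {
            $product = $_.Message
            $result  = '(unparsed message)'
        }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            EventId  = $_.Id
            Product  = $product
            Result   = $result
            # UserId is the SID of the account that ran msiexec; SYSTEM for agent-driven deployments.
            User     = if ($_.UserId) { Resolve-InstallerSid $_.UserId } else { '(no SID recorded)' }
            Computer = $_.MachineName
        }
    }
}

# Usage: recent activity as a table for a quick review...
Get-MsiInstallEvent | Format-Table -AutoSize

# ...or the newest successful install as text, which can replace $Body in the alert script.
$Body = Get-MsiInstallEvent -MaxEvents 1 -EventId 11707 | Format-List | Out-String
```

Resolving a domain SID contacts a domain controller, so on a server that is temporarily cut off from the domain the alert still goes out, with the SID shown unresolved instead of the function throwing and the task exiting without sending anything.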
Credits
Originally posted - https://www.netwrix.com/how_to_detect_software_installations.html