How to Detect Who Installed What Software on Your Windows Server (2024)

1. Run eventvwr.msc → Windows Logs → Right-click "Application" log → Properties:

• Make sure the "Enable logging" check box is selected
• Increase the log size for at least 1 GB
• Set the retention method to "Overwrite events as needed" or "Archive the log when full".

1. Open Event Viewer and search the application log for the 11707 event ID with MsiInstaller Event Source to find the latest installed software.
2. To create an instant alert that is triggered upon any software installation, you need to edit the following PowerShell script by setting your parameters up and saving it anywhere as .ps1 file (e.g., detect_software.ps1):

#Mail SMTP Setup Section
$Subject = "New Software Has Been Installed on $env:COMPUTERNAME" # Message Subject
$Server = "smtp.server" # SMTP Server
$From = "From@domain.com" # From whom we are sending an e-mail(add anonymous logon permission if needed)

$To = "to@uncc.edu" # To whom we are sending
$Pwd = ConvertTo-SecureString "enterpassword" -AsPlainText –Force #Sender account password
#(Warning! Use a very restricted account for the sender, because the password stored in the script will be not encrypted)
$Cred = New-Object System.Management.Automation.PSCredential("From@domain.com" , $Pwd) #Sender account credentials

$encoding = [System.Text.Encoding]::UTF8 #Setting encoding to UTF8 for message correct display

#Generates human readable userID from UserSID in log.

$UserSID = (Get-WinEvent -FilterHashtable @{LogName="Application";ID=11707;ProviderName="MsiInstaller"}).UserID.Value | select -First 1
$objSID = New-Object System.Security.Principal.SecurityIdentifier("$UserSID")
$UserID = $objSID.Translate([System.Security.Principal.NTAccount])

#Generates email body containing time created and message of application install.

$Body=Get-WinEvent -FilterHashtable @{LogName="Application";ID=11707;ProviderName='MsiInstaller'} | Select TimeCreated,Message | select-object -First 1

#Sending an e-mail.
Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Body . Installed by: $UserID" -Subject $Subject -Credential $Cred -Encoding $encoding

1. Run Task Scheduler → Create new schedule task → Enter its name → Triggers tab → New trigger → Set up the following options:
   • Begin the task on an event
   • Log – Application
   • Source – Blank
   • EventID – 11707.
2. Go to the Actions Tab → New action with the following parameters:
   • Action – Start a program
   • Program script: PowerShell
   • Add arguments (optional): -File "specify the file path to our script"
   • Click "OK".x
3. Now, you will be notified about every software installation on your Windows server via e-mail message containing details on the software installation time, software name, and installer’s userID (SID).

Run Netwrix Auditor → Navigate to "Reports" → "Windows Server" → "Windows Server Changes"→ Select the "Programs Added and Removed" report → Click "View".

To receive the report regularly by email, click the "Subscribe" button and select the preferred schedule.

It is best to set up an alert on new software installation, by following the below steps:

1. From the Netwrix Auditor home page, navigate to "Alerts" → Click "Add" → Specify the alert’s name.
2. Switch to the "Recipients" tab → Click "Add Recipient" → Specify an email address where you want the alert to be delivered.
3. Navigate to the "Filters" tab → Adjust the following filters:
4. Click "Add" to save the alert.

Whenever someone installs new software, you will receive a similar alert: