Am I correct that if a program is installed on a server and shows up in 'Add/Remove Programs', then it must have been installed when a user logged onto the server either at the physical console or using RDP, and not when a user accessed the server via a share?
And if so, then this should show up as Event ID 528.
In other words, if I just look at Event ID 528, I can get a list of suspects. Is this correct?
-
With Windows Server you can have multiple simultaneous users logged on. You can use the Event Log to see which users were on at the time. But this will not immediately tell you which one performed the install.
A better option might be to check the directory of the software install -- e.g.
C:\program files\vendor\title. The install directory may be owned by the user that performed the install. Also/instead, the installation directory's ACL may contain an entry granting the user Full control.

EDIT:
If the install was from an MSI you can filter your Application Event Log for the Source "MsiInstaller" to see related events.
sgmoore: In this particular case, the program must not have been an MSI file, as MsiInstaller does not show anything. Also there is only one user who is recorded via Event ID 528 (who also happens to be the owner of the directory). However, I wanted to be sure that Event ID 28 was a complete list, and not just a partial list.

jscott: @sgmoore: Event ID 528 is a successful logon event. Check the types to see which it is, as joeqwerty suggests. Types 2 and 10 are interactive logons, type 5 is as a service.

From jscott -
In general, yes. You probably want to look at the logon type as well to determine how the user accessed the server. I'm thinking that you want to look for logon types 2, 10, and possibly 5.
sgmoore: You said 'In general, yes'. What are the non-general conditions?

joeqwerty: I just meant that in general you can find logon information in the security log if you have logon auditing enabled, but that this might not help you solve your mystery.

From joeqwerty -
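Pulling together the three clues from jscott's and joeqwerty's answers (directory owner and Full Control ACEs, MsiInstaller events, and Event ID 528 filtered by logon type) in one script. This is an added example, not code posted by anyone on this page; it assumes classic Security and Application logs where a successful logon is Event ID 528 (Server 2003 era), PowerShell 2.0 or later, and a placeholder install path.

```powershell
# Added example: correlate install-directory ownership, MsiInstaller events and
# Event ID 528 logons (types 2, 10 and 5) around the time the directory was created.
# $InstallDir is a placeholder; substitute the actual install path.
$InstallDir = 'C:\Program Files\Vendor\Title'

# 1. Directory owner and any explicit Full Control grants (jscott's first clue).
$acl = Get-Acl -Path $InstallDir
"Install directory owner: $($acl.Owner)"
$acl.Access |
    Where-Object { $_.FileSystemRights -match 'FullControl' } |
    Select-Object IdentityReference, AccessControlType, IsInherited

# Assumption: the directory's creation time approximates the install time.
# A 2-hour window either side keeps the logon search focused.
$installTime = (Get-Item -Path $InstallDir).CreationTime
$window      = New-TimeSpan -Hours 2
$after       = $installTime - $window
$before      = $installTime + $window

# 2. MsiInstaller events in the Application log (jscott's EDIT). Empty output
#    means the install was probably not MSI-based, as sgmoore observed.
Get-EventLog -LogName Application -Source MsiInstaller -After $after -Before $before |
    Select-Object TimeGenerated, EventID, UserName, Message

# 3. Successful logons (528) in the window. The classic event carries the logon
#    type and user name in its message text, so parse them out with a regex.
#    Type 2 = interactive (console), 10 = RemoteInteractive (RDP), 5 = service.
$interestingTypes = @(2, 10, 5)
Get-EventLog -LogName Security -InstanceId 528 -After $after -Before $before |
    ForEach-Object {
        $user = if ($_.Message -match 'User Name:\s+(\S+)')  { $Matches[1] }        else { '' }
        $type = if ($_.Message -match 'Logon Type:\s+(\d+)') { [int]$Matches[1] }   else { -1 }
        New-Object PSObject -Property @{
            Time      = $_.TimeGenerated
            User      = $user
            LogonType = $type
        }
    } |
    Where-Object { $interestingTypes -contains $_.LogonType } |
    Sort-Object Time |
    Format-Table Time, User, LogonType -AutoSize
```

As gWaldo notes below, an install driven by a remote process (PsExec, scripting, a deployment tool) may appear only as a network logon (type 3) or not at all in this list, so an empty result is not proof that no one installed it.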
That will cover the most typical use cases; however, apps can be installed by remote processes (such as PSExec, batch scripting, or a remote deployment tool such as CA Unicenter). They will not necessarily log that event code.
What you describe is a fine place to start, however.
From gWaldo