How can I see which programs were run by the user?

1

Programs & Features (or even better, Nirsoft's MyUninstaller) tell me the program installed, and I can access some cached installation data, but is there a way to get a log of the executables that were run by a user?

setup.exe's (usually?) contain msi info, but I'm looking for a list of the setup.exe's run by the user.

I'm trying to work out the executable (filename, and path ideally) that was run that installed a program, to back up the installer.

I have date/time created (15/05/2015), and using the epic 'Everything' search tool (from Void) I can see files accessed on that date (using da:15/05/2015 *.exe), but I can't see anything that sticks out, which makes me think the installer's already been trashed... Is there a log anywhere?

For example, I see some huge installers like 30475b.msi in C:\Windows\Installer. I can open the .msi and see what's in them, I guess. Is there any log anywhere that records a correlation between these ubiquitous .msi files and their originating 'container executable'?

Wondering (if not) if any search tools can search inside executables for source.msi etc.

Jonny

Posted 2015-10-16T12:43:47.917

Reputation: 21

Answers

1

I see some huge installers like 30475b.msi in C:\Windows\Installer. I can open the .msi and see what's in them, I guess. Is there any log anywhere that records a correlation between these ubiquitous .msi files and their originating 'container executable'?

Yes, you can track the relationship between those MSI files stored in C:\Windows\Installer, the source setup.exe/setup.msi directory path from where the setup was run, the installation date, the target installation path, and additional info.

Navigate to the registry key [HKCU|HKLM]\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\{YOUR USER SID}\Products and there you will find the corresponding info for each installed MSI package.

You could also find info in these other registry keys:

  • [HKCU|HKLM]\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  • [HKCU|HKLM]\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

(Note only the keys that have a GUID as their name.)


How can I see which programs were run by the user?

For example, with the usage of a third-party application which informs you about the general computer activity, such as LastActivityView of Nirsoft.

http://www.nirsoft.net/utils/computer_activity_view.html

It is freeware.


ElektroStudios

Posted 2015-10-16T12:43:47.917

Reputation: 1 282
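
One way to read the Installer\UserData keys from the answer above in bulk, as an added PowerShell example that is not part of the original answer. It assumes the HKLM hive and the `InstallProperties` subkey (with its `LocalPackage`, `InstallSource`, `InstallDate` and `InstallLocation` values) that Windows Installer writes under each product key; the function name `Get-MsiInstallOrigin` and its `-CachedMsi` parameter are made up for this example.

```powershell
# Added example: map each cached MSI in C:\Windows\Installer back to the folder
# it was installed from. Run elevated to read the product keys of every SID.
function Get-MsiInstallOrigin {
    param(
        # Leaf name (wildcards allowed) of the cached package, e.g. '30475b.msi'
        [string]$CachedMsi = '*'
    )

    $root = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'

    foreach ($sidKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $products = "$($sidKey.PSPath)\Products"
        if (-not (Test-Path -Path $products)) { continue }

        foreach ($product in Get-ChildItem -Path $products) {
            $propsPath = "$($product.PSPath)\InstallProperties"
            if (-not (Test-Path -Path $propsPath)) { continue }

            $p = Get-ItemProperty -Path $propsPath
            if (-not $p.LocalPackage) { continue }
            if ((Split-Path -Path $p.LocalPackage -Leaf) -notlike $CachedMsi) { continue }

            # InstallDate is a yyyyMMdd string; keep $null if it is missing or malformed
            $date = $null
            if ($p.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($p.InstallDate, 'yyyyMMdd',
                                               [cultureinfo]::InvariantCulture)
            }

            [pscustomobject]@{
                Sid             = $sidKey.PSChildName
                DisplayName     = $p.DisplayName
                InstallDate     = $date
                LocalPackage    = $p.LocalPackage
                InstallSource   = $p.InstallSource
                # False means the original installer folder is gone or offline
                SourceStillHere = [bool]($p.InstallSource -and
                                         (Test-Path -LiteralPath $p.InstallSource))
                InstallLocation = $p.InstallLocation
            }
        }
    }
}

# Everything, oldest first; or pass -CachedMsi '30475b.msi' to look up one cached file
Get-MsiInstallOrigin | Sort-Object InstallDate | Format-List
```

`InstallSource` is the directory the MSI was run from, so for a setup.exe that unpacks its MSI to a temporary folder it will point at that folder rather than at the setup.exe itself.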