Forums
Main Category
General (Technical,...
How to determine wh...
 
Notifications
Clear all

How to determine which user installed software - Windows XP

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by keydet89 16 years ago
13 Posts
8 Users
0 Reactions
3,565 Views
RSS
 neteng33
(@neteng33)
New Member
Joined: 18 years ago
Posts: 4
Topic starter 15/08/2009 4:35 am  

Hello All,

I am examining a Windows XP system, and there are multiple profiles on this system. I would like to determine which user installed some of the software on this machine, but am not sure exactly where to look or what tools would be most useful for this task; can anyone point me in the right direction?


   
Quote
 Patrick4n6
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
16/08/2009 7:49 am  

If it's NTFS, have you checked the security permissions on the installed files? That can be a good indicator.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
17/08/2009 6:00 am  

I am examining a Windows XP system, and there are multiple profiles on this system. I would like to determine which user installed some of the software on this machine, but am not sure exactly where to look or what tools would be most useful for this task; can anyone point me in the right direction?

Depending on what software you're referring to, I'd look in the NTUSER.DAT hive under the UserAssist or RecentDocs keys. I've had a great deal of success using RegRipper to do just what you're asking.


   
ReplyQuote
 waqas
(@waqas)
Active Member
Joined: 16 years ago
Posts: 5
06/02/2010 12:52 am  

for registry analysis, FTK registry viewr is a good tool.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
06/02/2010 1:24 am  

For what the OP is looking for, RegRipper would be a better tool; also, it's free and it's not a viewer.


   
ReplyQuote
 Cyberplod
(@cyberplod)
New Member
Joined: 16 years ago
Posts: 1
23/02/2010 8:11 pm  

The information you need should be in the AppEvent.evt event log file. Look for event 11707 (install) or 11724 (remove).

Steve Guest BSc(Hons) CFCE EnCE
Hitecc Forensics UK


   
ReplyQuote
 douglasbrush
(@douglasbrush)
Prominent Member
Joined: 17 years ago
Posts: 812
23/02/2010 10:17 pm  

Agreed - RegRipper works very well and very fast for this. Price is right when you extract hives with FTK imager as both tools are free.

The event logs will also correlate well.

Also check MFT records and directory/file creation times.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
23/02/2010 10:30 pm  

Doug,

Thanks for the shout-out. I'd suggest that the price is MORE than right…for what RegRipper does, getting it for free is much more than just "the price is right".

Still, I wonder why with questions like this, the first answers still point at the file system. If the file permissions allow the Local Admins group to access the file, and all users are admins…does that tell you who installed the software?


   
ReplyQuote
 Rampage
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
23/02/2010 10:35 pm  

Wrr (windows registry recovery) appears to be a pretty good tool, anyone tried it for registry analysis? is it good for real or it's just eye candy and user friendly but lacks in features?

also thnx for the information on installation infos, i really needed it.


   
ReplyQuote
 Patrick4n6
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
24/02/2010 1:31 am  

The information you need should be in the AppEvent.evt event log file. Look for event 11707 (install) or 11724 (remove).

Steve Guest BSc(Hons) CFCE EnCE
Hitecc Forensics UK

Welcome to FFF Steve. Good to have another IACIS member contributing.


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: