How to determine which user installed software - Windows XP

(@neteng33)
New Member
Joined: 18 years ago
Posts: 4
Topic starter  

Hello All,

I am examining a Windows XP system, and there are multiple profiles on this system. I would like to determine which user installed some of the software on this machine, but am not sure exactly where to look or what tools would be most useful for this task; can anyone point me in the right direction?

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

If it's NTFS, have you checked the security permissions on the installed files? That can be a good indicator.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> I am examining a Windows XP system, and there are multiple profiles on this system. I would like to determine which user installed some of the software on this machine, but am not sure exactly where to look or what tools would be most useful for this task; can anyone point me in the right direction?

Depending on what software you're referring to, I'd look in the NTUSER.DAT hive under the UserAssist or RecentDocs keys. I've had a great deal of success using RegRipper to do just what you're asking.

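A small decoder for the UserAssist artefact mentioned above, added here as an example (it is not code from this thread or from RegRipper). The user names, program paths and value data are constructed, and it assumes the XP-era 16-byte value format: a session DWORD, a run counter that starts at 5, and a FILETIME of the last run, with value names ROT13-encoded as they are under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_BASE = 5  # XP UserAssist run counters start at 5, not 0


def filetime_from(dt):
    """Pack a UTC datetime as a Windows FILETIME (100 ns ticks since 1601)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def xp_entry(session, count, dt):
    """Build constructed 16-byte XP-format value data: session, count, FILETIME."""
    return struct.pack("<IIQ", session, count, filetime_from(dt) if dt else 0)


# Constructed sample: ROT13-encoded value names and their data, keyed by the
# (hypothetical) user profile whose NTUSER.DAT hive they were taken from.
SAMPLE_HIVES = {
    "alice": {
        "HRZR_EHACNGU:P:\\Qbjaybnqf\\frghc.rkr":
            xp_entry(0, 6, datetime(2009, 3, 15, 10, 0, tzinfo=timezone.utc)),
    },
    "bob": {
        "HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr":
            xp_entry(0, 9, datetime(2009, 3, 14, 8, 30, tzinfo=timezone.utc)),
        # Counter still at the base value and no timestamp: never actually run.
        "HRZR_EHACNGU:P:\\Qbjaybnqf\\frghc.rkr": xp_entry(0, 5, None),
    },
}


def decode_entry(name, data):
    """Return (plain value name, real run count, last run as UTC datetime or None)."""
    plain = codecs.decode(name, "rot_13")
    _session, count, ft = struct.unpack("<IIQ", data)
    runs = max(count - XP_COUNT_BASE, 0)
    last = FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None
    return plain, runs, last


def find_runs_of(hives, needle):
    """List (user, path, runs, last_run) for each user who actually ran a matching program."""
    hits = []
    for user, values in hives.items():
        for name, data in values.items():
            plain, runs, last = decode_entry(name, data)
            if needle.lower() in plain.lower() and runs > 0:
                hits.append((user, plain, runs, last))
    return sorted(hits, key=lambda h: h[3] or FILETIME_EPOCH)
```

Running `find_runs_of(SAMPLE_HIVES, "setup.exe")` attributes the installer run to alice only, because bob's entry never left the base counter value.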
(@waqas)
Active Member
Joined: 16 years ago
Posts: 5
 

For registry analysis, FTK Registry Viewer is a good tool.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

For what the OP is looking for, RegRipper would be a better tool; also, it's free and it's not a viewer.
ReplyQuote
(@cyberplod)
New Member
Joined: 15 years ago
Posts: 1
 

The information you need should be in the AppEvent.evt event log file. Look for event 11707 (install) or 11724 (remove).

Steve Guest BSc(Hons) CFCE EnCE
Hitecc Forensics UK

(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Agreed - RegRipper works very well and very fast for this. The price is right when you extract the hives with FTK Imager, as both tools are free.

The event logs will also correlate well.

Also check MFT records and directory/file creation times.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Doug,

Thanks for the shout-out. I'd suggest that the price is MORE than right…for what RegRipper does, getting it for free is much more than just "the price is right".

Still, I wonder why with questions like this, the first answers still point at the file system. If the file permissions allow the Local Admins group to access the file, and all users are admins…does that tell you who installed the software?

(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

WRR (Windows Registry Recovery) appears to be a pretty good tool; has anyone tried it for registry analysis? Is it good for real, or is it just eye candy, user friendly but lacking in features?

Also, thanks for the information on installation info; I really needed it.

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

> The information you need should be in the AppEvent.evt event log file. Look for event 11707 (install) or 11724 (remove).
>
> Steve Guest BSc(Hons) CFCE EnCE
> Hitecc Forensics UK

Welcome to FFF Steve. Good to have another IACIS member contributing.
