I am the "jack-of-all-trades" Network Administrator for a large public school system. We are strict on software licensing. I have a user that I believe installed some software on her XP laptop and then removed it. Where can I find out the date, time and who installed and/or deleted software off of an XP computer? Thank you for any and all help.
There are a number of ways to go about this…and BTW, thanks for specifying the version of the Windows OS up front. Regardless of what most folks think, this is important.
XP performs application prefetching, and the number of .pf files in the Prefetch directory is limited to 128. If you look in this directory and locate a file whose name starts with the executable name of this application you're looking for, then the file itself will contain the run count (number of times it was run) and the timestamp for the last time it was run at different offsets within the file.
For the user, check the contents of the UserAssist keys in the user's NTUSER.DAT file. The value names in these keys are ROT-13 encrypted…depending on how you're accessing the system (live, or via an acquired image) I can provide you with tools to parse the info out of these keys. The value names will be applications (or links) that were run, and the data *may* contain the run count and last run time.
The UserAssist key may also contain a reference to the "Add/Remove Programs" Control Panel applet.
Another useful method available only on XP (hence why knowing the version of the Windows OS is important) is the System Restore points. If a user installs an application via an installer (i.e., .msi file or similar) a restore point will be created. Many times, the uninstall procedure will also create a restore point. Information in the restore points provides the reasons and dates for the restore points being created. Of course, this is all subject to available drive space, etc. (Note I blogged about this not too long ago).
Anyway, if you need further help with this, or would like access to the tools I have for collecting this information from either live systems or system images, feel free to contact me here, or email me directly.
Harlan
http://windowsir.blogspot.com
keydet89@yahoo.com
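
The UserAssist decoding described in the answer above, as an added example that is not part of the original post and is not one of the tools the answer offers. It assumes the commonly documented XP layout for the value data (16 bytes: a 4-byte session ID, a 4-byte counter that starts at 5, and an 8-byte FILETIME); the value names and data are constructed samples.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_BASE = 5  # assumed XP behaviour: the stored counter starts at 5

# Constructed sample (value name, raw data) pairs, not taken from a real hive.
SAMPLE_VALUES = [
    ("HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Rknzcyr\\rknzcyr.rkr",
     struct.pack("<IIQ", 1, 8, 128172240000000000)),
    ("HRZR_EHAPCY:nccjvm.pcy", struct.pack("<IIQ", 1, 6, 0)),
    ("HRZR_PGYFRFFVBA", b"\x00" * 8),  # data that is not 16 bytes: no count/time
]


def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_value(name, data):
    """Decode one value: ROT-13 name, plus run count and last run if present."""
    entry = {"name": codecs.decode(name, "rot_13"),
             "run_count": None, "last_run": None}
    if len(data) != 16:
        return entry  # the data *may* hold count/time; here it does not
    _session, count, ft = struct.unpack("<IIQ", data)
    entry["run_count"] = max(count - XP_COUNT_BASE, 0)
    if ft:  # a zero FILETIME means no last-run time was recorded
        entry["last_run"] = filetime_to_utc(ft)
    return entry


def parse_userassist(values):
    """Parse every value and list timestamped entries newest first."""
    entries = [parse_userassist_value(n, d) for n, d in values]
    return sorted(entries, key=lambda e: e["last_run"] or FILETIME_EPOCH,
                  reverse=True)


if __name__ == "__main__":
    for e in parse_userassist(SAMPLE_VALUES):
        print(e["last_run"], e["run_count"], e["name"])
```

On a real system the (name, data) pairs would come from the Count subkeys under UserAssist in the user's NTUSER.DAT, read with a registry parser of your choice.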