In large enterprise environments with multiple administrators, it is often necessary to determine which user installed or uninstalled a program on a specific Windows server or workstation. Let’s explore how to extract information from Windows Event Viewer logs to identify the specific user who initiated the installation or removal of a program.
When you install or uninstall classic Windows apps using the MSI installer, the corresponding MsiInstaller events are written in the Event Viewer log.
- 11707 – event code of the successful installation of an MSI app.
- 11724 – MSI app removal event
Open the Event Viewer event log console (eventvwr.msc) and filter for events with IDs 11707 and 11724 in the Application log. A list of program installation and removal events will appear. The name of the program that was installed or removed is included in the event description. For example:
Product: Zabbix Agent 2 (64-bit) -- Removal completed successfully.
Product: 7-Zip 24.09 (x64 edition) -- Installation completed successfully.
The name of the user who installed or uninstalled the app can be found in the “User” property of the event.
You can use PowerShell to quickly find all installation and uninstallation events for a specific program. The following script will output all Zabbix agent installation or removal events on the server, including the names of the users who performed these actions.
Get-WinEvent -FilterHashtable @{LogName="Application"; ID=11707,11724; ProviderName='MsiInstaller'} | Where-Object { $_.Message -like '*Zabbix*' } | Select TimeCreated, @{Name='Username'; Expression={(New-Object System.Security.Principal.SecurityIdentifier($_.userid)).Translate([System.Security.Principal.NTAccount]).Value}}, Message
The userid field contains the user’s SID; the script converts it to an account name.
The Reliability Monitor also provides information about program installation and removal events. This post provides a detailed explanation of how to view the installation and removal history of apps in Windows.
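The MsiInstaller query above can be generalized to audit every MSI installation and removal instead of a single product. The following is an added example, not code from the original article: the function name Get-MsiInstallAudit, its parameters and the output property names are illustrative, and it handles events with no recorded user as well as SIDs that no longer resolve to an account.

```powershell
# Added example: audit all MSI install/removal events (IDs 11707 and 11724).
# Get-MsiInstallAudit and its output property names are illustrative.
function Get-MsiInstallAudit {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-30)
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707, 11724
        StartTime    = $After
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # UserId is a SecurityIdentifier and can be empty on some events.
            $sid = $_.UserId
            $account = if ($null -eq $sid) {
                '(no user recorded)'
            } else {
                try {
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    # Deleted or unresolvable account: keep the raw SID as evidence.
                    $sid.Value
                }
            }
            # Message format: "Product: <name> -- Installation completed successfully."
            $product = if ($_.Message -match '^Product:\s*(?<Name>.+?)\s+--\s') {
                $Matches['Name']
            } else {
                $_.Message
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                Action      = if ($_.Id -eq 11707) { 'Installed' } else { 'Removed' }
                Product     = $product
                User        = $account
                Sid         = if ($sid) { $sid.Value } else { $null }
            }
        }
}

Get-MsiInstallAudit | Sort-Object TimeCreated | Format-Table -AutoSize
```

SID translation runs on the machine executing the script, so local accounts of a remote computer may appear as raw SIDs in the User column.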