Learn how to use and navigate the new features included in Bootstrap 4, the most popular HTML, CSS, and JavaScript framework for developing responsive, mobile-first websites.
Proof of Software Installation
For legal reasons, I am required to provide evidence of when a software application was installed or uninstalled from a Windows 7 PC. We know the software was uninstalled about 4 years ago from Programs and Features.
What are some ways / methods / tools that I can use to find the existence of this software. Are there some obscure logs in Windows that record information that could help me? Anything in the registry?
What are some ways / methods / tools that I can use to find the existence of this software. Are there some obscure logs in Windows that record information that could help me? Anything in the registry?
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Depends on the software. Sometimes there are artifacts that are created / left behind during install / uninstall.
Can you provide any input about the actual software you're trying to prove? (name, etc?)
Can you provide any input about the actual software you're trying to prove? (name, etc?)
The software is custom made and is not public. It is only provided to organizations in a vertical market that need it. It was uninstalled through Programs and Features which leads me to believe that it must have registered with Windows in such a way as to appear there.
"For legal reasons"
How legal is this going to get? Before starting you may need to clone the machine as proof of how it was before forensic analysis. If this ends up in court you may need a Court approved investigator for any evidence to be admissible.
Hopefully we're looking at something less formal than this but just something you might need to consider.
Yes, installers and software all work slightly differently so knowing what package we're dealing with will make this a lot easier.
How legal is this going to get? Before starting you may need to clone the machine as proof of how it was before forensic analysis. If this ends up in court you may need a Court approved investigator for any evidence to be admissible.
Hopefully we're looking at something less formal than this but just something you might need to consider.
Yes, installers and software all work slightly differently so knowing what package we're dealing with will make this a lot easier.
Do you have a legitimate install to compare with. My first suggestion would be to either extract the GUID from the registry from thar or the publisher and search the registry under investigation for that. GUID remnants are some of the most common "left-overs" when software is uninstalled.
I would start with looking at the application event log. If you are lucky, you will find 4-year-old record there that the software was uninstalled back then.
Also, search the machine for the files with the names beginning with MSI and file extension .log. Chances are, you fill find the log of the un-installation.
Also, search the machine for the files with the names beginning with MSI and file extension .log. Chances are, you fill find the log of the un-installation.
Thanks MASQ. I do have similar concerns. However, knowing the context and weight of the issue, I think it is unlikely to get too heavy as to need approved investigators and certified forensic analysis. If I only need to look at files on the drive then I might just attach the drive through a USB interface. If I need to interact with the OS software then I will likely clone it first.
I will try to find what installer was used but it's unlikely.
I will try to find what installer was used but it's unlikely.
Not the installer - the GUID is unique to the software and identifies it in the registry for purposes of file association, menuing, window position and size etc.
For example the GUID for Adobe Acrobat Reader is {AC76BA86-7AD7-1033-7B44-A
For currently installed software you can demonstrate this quickly by typing wmic product get in a command window (you'll need to wait a couple of minutes for the IDs to be enumerated) you can also pipe the same command line to a text file (eg wmic product get > C:\temp\Whatsinstalled.txt
The GUID you're looking for may not appear in that list but the code may still appear in the registry
For example the GUID for Adobe Acrobat Reader is {AC76BA86-7AD7-1033-7B44-A
For currently installed software you can demonstrate this quickly by typing wmic product get in a command window (you'll need to wait a couple of minutes for the IDs to be enumerated) you can also pipe the same command line to a text file (eg wmic product get > C:\temp\Whatsinstalled.txt
The GUID you're looking for may not appear in that list but the code may still appear in the registry
@MASQ,
If you are talking about the product code, first, it exists only for MSI-based installations, and in order to find it you need to either open the installation in an editor like ORCA, or install the product and find it under HKEY_LOCAL_MACHINE\SOFTWAR
Usually the applications leave much more "material" evidence, such as log files, and especially the data under %appdata%.
If you are talking about the product code, first, it exists only for MSI-based installations, and in order to find it you need to either open the installation in an editor like ORCA, or install the product and find it under HKEY_LOCAL_MACHINE\SOFTWAR
Usually the applications leave much more "material" evidence, such as log files, and especially the data under %appdata%.
@MASQ, your command might have led me on the path. From the wmic output I found the name of the software in the results. The installed date seems to be around the right time, but there is no uninstalled date.
Other data that I took from the results led me to the installation path which was a temporary folder under content.ie5 and doesn't seem to contain any relevant files anymore.
I found an msi under Windows\Installer (the file name is only random numbers) and a GUID which has a folder and an exe under Windows\Installer\{GUID}. The exe file starts with an underscore followed by a long string of numbers and letters.
Since I think I have the GUID and the msi, could I go further and try to determine the uninstall date?
Other data that I took from the results led me to the installation path which was a temporary folder under content.ie5 and doesn't seem to contain any relevant files anymore.
I found an msi under Windows\Installer (the file name is only random numbers) and a GUID which has a folder and an exe under Windows\Installer\{GUID}. The exe file starts with an underscore followed by a long string of numbers and letters.
Since I think I have the GUID and the msi, could I go further and try to determine the uninstall date?
That's promising, you've got your proof of software presence. Now to see if there's a log of the uninstall.
Try running:
reg query hklm\software\microsoft\wi
The text file will contain the registry keys for software uninstalled - mainly by GUID. Now we're relying a lot more on luck that the uninstaller wasn't 100% perfect and it's left some traces.
Try running:
reg query hklm\software\microsoft\wi
The text file will contain the registry keys for software uninstalled - mainly by GUID. Now we're relying a lot more on luck that the uninstaller wasn't 100% perfect and it's left some traces.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial