Proof of Software Installation

For legal reasons, I am required to provide evidence of when a software application was installed or uninstalled from a Windows 7 PC.  We know the software was uninstalled about 4 years ago from Programs and Features.

What are some ways / methods / tools that I can use to find the existence of this software?  Are there some obscure logs in Windows that record information that could help me?  Anything in the registry?
jekautz Asked:
Kyle Abrahams (Senior .Net Developer) Commented:
Depends on the software.  Sometimes there are artifacts that are created / left behind during install / uninstall.

Can you provide any input about the actual software you're trying to prove?  (name, etc?)
jekautz (Author) Commented:
The software is custom made and is not public.  It is only provided to organizations in a vertical market that need it.  It was uninstalled through Programs and Features which leads me to believe that it must have registered with Windows in such a way as to appear there.
☠ MASQ ☠ Commented:
"For legal reasons"

How legal is this going to get? Before starting you may need to clone the machine as proof of how it was before forensic analysis. If this ends up in court you may need a Court approved investigator for any evidence to be admissible.

Hopefully we're looking at something less formal than this but just something you might need to consider.

Yes, installers and software all work slightly differently so knowing what package we're dealing with will make this a lot easier.
☠ MASQ ☠ Commented:
Do you have a legitimate install to compare with?  My first suggestion would be to either extract the GUID from the registry from that, or the publisher, and search the registry under investigation for that. GUID remnants are some of the most common "left-overs" when software is uninstalled.
Vadim Rapp Commented:
I would start with looking at the application event log. If you are lucky, you will find a 4-year-old record there that the software was uninstalled back then.

Also, search the machine for files with names beginning with MSI and file extension .log. Chances are, you will find the log of the uninstallation.
jekautz (Author) Commented:
Thanks MASQ.  I do have similar concerns.  However, knowing the context and weight of the issue, I think it is unlikely to get too heavy as to need approved investigators and certified forensic analysis.  If I only need to look at files on the drive then I might just attach the drive through a USB interface.  If I need to interact with the OS software then I will likely clone it first.

I will try to find what installer was used but it's unlikely.
☠ MASQ ☠ Commented:
Not the installer - the GUID is unique to the software and identifies it in the registry for purposes of file association, menuing, window position and size etc.

For example, the GUID for Adobe Acrobat Reader is {AC76BA86-7AD7-1033-7B44-AC0F074E4100}.

For currently installed software you can demonstrate this quickly by typing wmic product get in a command window (you'll need to wait a couple of minutes for the IDs to be enumerated). You can also pipe the same command line to a text file (e.g. wmic product get > C:\temp\Whatsinstalled.txt); it should even pull installation dates.

The GUID you're looking for may not appear in that list, but the code may still appear in the registry.

Vadim Rapp Commented:
@MASQ,

If you are talking about the product code, first, it exists only for MSI-based installations, and in order to find it you need to either open the installation in an editor like ORCA, or install the product and find it under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, looking for the product name. If it's found, there will be a value "Installdate" that will tell, accordingly, the install date, but not the uninstall date. A bigger problem is that if the software package is uninstalled, normally this whole entry is removed from the registry. Sometimes some pieces of it stay in place, such as the description of the custom icon, but that is in fact a defect of the installation, and Installdate is highly unlikely to stay.

Usually the applications leave much more "material" evidence, such as log files, and especially the data under %appdata%.
jekautz (Author) Commented:
@MASQ, your command might have led me on the path.  From the wmic output I found the name of the software in the results.  The installed date seems to be around the right time, but there is no uninstalled date.  

Other data that I took from the results led me to the installation path which was a temporary folder under content.ie5 and doesn't seem to contain any relevant files anymore.

I found an msi under Windows\Installer (the file name is only random numbers) and a GUID which has a folder and an exe under Windows\Installer\{GUID}.  The exe file starts with an underscore followed by a long string of numbers and letters.

Since I think I have the GUID and the msi, could I go further and try to determine the uninstall date?
☠ MASQ ☠ Commented:
That's promising: you've got your proof of software presence.  Now to see if there's a log of the uninstall.

Try running:
reg query hklm\software\microsoft\windows\currentversion\uninstall > C:\temp\whatsremoved.txt in a CMD window.

The text file will contain the registry keys for software uninstalled - mainly by GUID.  Now we're relying a lot more on luck that the uninstaller wasn't 100% perfect and it's left some traces.
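The checks suggested in this thread (the Uninstall key, GUID remnants elsewhere in the registry, the Application event log, MSI*.log files and the Windows\Installer cache) gathered into one PowerShell pass, written here as an added example and not code from the thread. The product name is a hypothetical placeholder, the GUID is the Adobe Reader code MASQ quoted standing in for the code extracted from a reference install, and the packed-GUID conversion is how Windows Installer stores product codes under Classes\Installer, which the thread does not mention.

```powershell
# Added example, not code from the thread. The product name is a hypothetical placeholder; the GUID
# is the Adobe Reader code quoted above, standing in for the code taken from a reference install.
$Needle = 'ContosoVerticalApp'
$Guid   = '{AC76BA86-7AD7-1033-7B44-AC0F074E4100}'

# Windows Installer also stores product codes "packed" (e.g. HKLM\SOFTWARE\Classes\Installer\Products):
# first three groups reversed, last two with each pair of hex digits swapped. Search for both forms.
function ConvertTo-PackedGuid([string]$g) {
    $parts = $g.Trim('{}').Split('-')
    -join $(foreach ($i in 0..4) {
        $c = $parts[$i].ToCharArray()
        if ($i -lt 3) { [array]::Reverse($c); -join $c }
        else { -join $(for ($j = 0; $j -lt $c.Length; $j += 2) { $c[$j+1]; $c[$j] }) }
    })
}
$Pattern = ($Needle, [regex]::Escape($Guid.Trim('{}')), (ConvertTo-PackedGuid $Guid)) -join '|'

# 1. Uninstall keys in both registry views: InstallDate is only there while the product is installed.
'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node', 'HKCU:\SOFTWARE' |
  ForEach-Object { Get-ChildItem "$_\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue } |
  ForEach-Object { Get-ItemProperty $_.PSPath } |
  Where-Object { ($_.PSChildName, $_.DisplayName, $_.Publisher) -match $Pattern } |
  Select-Object PSChildName, DisplayName, Publisher, InstallDate, UninstallString

# 2. Remnants anywhere under SOFTWARE: key names, value names or value data matching the pattern.
'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE' | ForEach-Object {
  Get-ChildItem $_ -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $k = $_
    if ($k.Name -match $Pattern) { "KEY   $($k.Name)" }
    foreach ($v in $k.GetValueNames()) {
      $d = "$($k.GetValue($v))"
      if ($v -match $Pattern -or $d -match $Pattern) { "VALUE $($k.Name)\$v = $d" }
    }
  }
}

# 3. Application log, source MsiInstaller: 1033/11707 = product installed, 1034/11724 = product removed
#    (assumes the log has not wrapped or been cleared in the years since the uninstall).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller' } -ErrorAction SilentlyContinue |
  Where-Object { $_.Message -match $Pattern } | Select-Object TimeCreated, Id, Message

# 4. Leftover MSI*.log files in the temp folders, and the cached package folder under Windows\Installer.
Get-ChildItem $env:TEMP, "$env:SystemRoot\Temp" -Filter 'MSI*.log' -ErrorAction SilentlyContinue |
  Select-String -Pattern $Pattern -List | Select-Object Path, LineNumber, Line
Get-ChildItem "$env:SystemRoot\Installer" -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.FullName -match $Pattern } | Select-Object FullName, CreationTime, LastWriteTime
```

If the drive is attached as a secondary disk rather than booted from a clone, point the file paths at the mounted drive letter and load its SOFTWARE and NTUSER hives with reg load before running the registry searches against them.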
jekautz (Author) Commented:
Thank you for all your good suggestions on how to find any remnants of software that was previously installed.  I thought that I found the software I was searching for, but I was mistaken.  All results were inconclusive, but we think that helps in this matter.