Software Uninstall Forensics

Best practice

Software Uninstall Forensics

This article has been contributed by Alex Cojocaru, Senior Advisor, at Ernst & Young. 

As Software Asset Management (SAM) professionals one of our main focus areas is managing the installed software. We want to know how the installed software reconciles with the available software license and their related licensing rules. There are many SAM related tools on the market which can help you do a proper inventory of your IT estate however virtually none are taking into account the uninstalled software logs.

Knowing what software was uninstalled from a particular device can have practical security and compliance related implications:

• From a security point of view, it can help you uncover potential security breaches. According to research 37% of the software installed on computers worldwide is not licensed. There is a strong correlation between unlicensed software and malware infections.
• From a compliance point of view, in the event of an on-site audit the auditors might employ software uninstall forensics methods to uncover potentially unlicensed software in order to strengthen their case.

Next time you do your internal SAM audit, it might be a good idea to do this additional verification. As SAM professionals we need to oversee the processes and people interacting with the software we manage. Having a clear view of the uninstalled software in your company will help you verify if your software policies are followed by everyone. It enables you to identify if unauthorised or unlicensed software was previously installed and creates an opportunity for dialogue, spreading awareness and reducing human error.

So how do you check the uninstalled software?

I’ll restrict my answer to the Windows operating system (OS), since this is the most commonly used OS by commercial enterprises around the world.

The Windows Event Viewer is a component of the Windows OS which allows admins and users to view the system event logs on local or remote machines. The Event Viewer also records the install / uninstall software events which are captured under the “MsiInstaller” source event file.

Step by step guide:

1. 

   Alex Cojocaru, Senior Advisor, Ernst & Young

   Click on “Start” and type “Event Viewer”;

2. On the left side window, go to “Windows Logs” and then click on the “Application” event log.
3. Once you’ve accessed the “Application” event log, on the right-side window, from the “Actions” menu, click “Save All Events As…” and save the event log as .CSV (comma separated values);
4. Open the file in Excel and be sure to select all the content (note: use “Ctrl + A” as there are some empty lines and simply applying a filter on the top row wont’ work) and then click on “Filter”;
5. The uninstall events are typically found in the Source event location called “MsiInstaller”. So, filter column C “Source” and select “MsiInstaller”;
6. The events showing the uninstalled software typically start with this string “Windows Installer removed the product.”. You’ll find them on column F.

By doing this you’ll find the date and time when a particular piece of software was installed. Of course, this is just a simple and manual way of doing this and only serves as a proof of concept. A more efficient way would be by means of a script, which can be pushed via Active Directory on your network in order to collect this information from all your devices.

---

This article has been contributed by Alex Cojocaru, Senior Advisor, at Ernst & Young. 

Alex is a Senior Advisor at Ernst & Young, focused on Software Asset Management and Data Analytics. He uses the knowledge gathered in the field of SAM, Software Licensing and Data Analytics since 2011, to help organizations reduce software cost and manage risk associated to software licensing. You can connect with him on LinkedIn here.

Can’t find what you’re looking for?