August 14, 2009 at 10:32 pm, post #4124, neteng33 (Participant)
I am examining a Windows XP system, and there are multiple profiles on this system. I would like to determine which user installed some of the software on this machine, but am not sure exactly where to look or what tools would be most useful for this task; can anyone point me in the right direction?
August 14, 2009 at 11:05 pm, post #26095, Ketchup (Participant)
This one is a little tough. Your friend with this one is the registry. There is a key that tracks installed software, however it is on a per-machine basis. This isn’t necessarily going to tell you who installed the software.
What you can do is look for the registered owner of the software. This would be something the user entered during the installation wizard process. You could get lucky and have that field completed. You would look for “RegCompany” and “RegOwner” entries in the registry. This could be under the above registry key or under the individual registry key for the software you are investigating.
You could also look for instances of the msiexec process being run in each user’s Event Log. The logs may tell you what the software being installed is, or they may not. This wouldn’t work if the installer didn’t use msiexec.
Another valuable registry key is the User Assist key. It is user specific and could provide you with the information you are looking for. The key is ROT13 encrypted, but there are a ton of parsers for this key on the web.
Various MRU registry keys (Most Recently Used) are a good place to look for programs being executed, including setup programs.
Additional MRUs are referenced here:
Mounted Devices is another good registry key to correlate to various Link files you may find on the machine. You can even reference that against prefetch files based on the times. For example, suppose that a USB drive was mounted, and you find a link file pointing to the Setup.exe file on the USB device. You can look for a prefetch file for, most likely, msiexec and see if it was executed around the same time.
For Internet downloaded software, check the user’s Internet History and Link files. If they downloaded the file, chances are they installed it. You can reference the above artifacts to confirm this.
Check out this PDF from Access Data for additional registry artifacts that may help you:
When all else fails, search the entire registry for a list of keywords. It helps if you have access to a tool like Access Data’s Registry Viewer.
I forgot to mention that the HKCU hive is the ntuser.dat file under each profile. The HKLM\SOFTWARE hive is in the WINDOWS\SYSTEM32\CONFIG folder, it’s the SOFTWARE file.
Hope this helps.
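As an added illustration of the UserAssist decoding described above (not code from the thread), the script below un-ROT13s the value names and unpacks the 16-byte Windows XP value data (session id, run count, last-run FILETIME). The value names and blobs are constructed sample data, not taken from a real system, and are assumed to have been read from the Count subkey of a user's ntuser.dat.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns intervals since this epoch.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name):
    """UserAssist value names are ROT13-obfuscated; this reverses it."""
    return codecs.decode(name, "rot_13")


def datetime_to_filetime(dt):
    # Integer arithmetic: FILETIME values are too large for float precision.
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def filetime_to_datetime(ft):
    return None if ft == 0 else WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def parse_xp_userassist(name, data):
    """Decode one XP-format UserAssist entry: <session:u32><count:u32><FILETIME:u64>.
    XP starts the stored count at 5, so the real run count is stored - 5."""
    if len(data) != 16:
        raise ValueError("XP UserAssist values are 16 bytes")
    session, count, ft = struct.unpack("<IIQ", data)
    return {
        "program": rot13(name),
        "session": session,
        "run_count": max(count - 5, 0),
        "last_run": filetime_to_datetime(ft),
    }


def sample_entries():
    """Constructed sample values (hypothetical, not from a real system)."""
    ft = datetime_to_filetime(datetime(2009, 8, 10, 14, 0, tzinfo=timezone.utc))
    return {
        "HRZR_EHACNGU:R:\\Frghc.rkr": struct.pack("<IIQ", 0, 7, ft),
        "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\zfvrkrp.rkr": struct.pack("<IIQ", 0, 8, ft),
    }


def parse_all(entries):
    """Decode every entry and order by last run so installs can be lined up with lnk/prefetch times."""
    rows = [parse_xp_userassist(n, d) for n, d in entries.items()]
    return sorted(rows, key=lambda r: (r["last_run"] or WINDOWS_EPOCH, r["program"]))


if __name__ == "__main__":
    for row in parse_all(sample_entries()):
        print(row["last_run"], row["run_count"], row["program"])
```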
August 17, 2009 at 8:39 pm, post #26096, neteng33 (Participant)
Thanks a bunch Ketchup – The info you provided did spark my “creative thought process”, and I was able to find most of what I was looking for.
August 19, 2009 at 11:51 am, post #26097, Anonymous (Participant)
If you have logs of when users logged in you may be able to match this to the creation date of the software which was installed. You may also find shortcuts on the desktop and start menu of particular users which may also indicate who installed it.
January 9, 2016 at 9:19 pm, post #26098, Kamilla (Participant)
Thank you for posting this information!