
How to determine which user installed software on Windows XP


neteng33

Newbie

Posts: 8

Joined: Sat Jul 12, 2008 8:36 am

Post Fri Aug 14, 2009 5:32 pm

How to determine which user installed software on Windows XP

Hello All,

I am examining a Windows XP system, and there are multiple profiles on this system.  I would like to determine which user installed some of the software on this machine, but am not sure exactly where to look or what tools would be most useful for this task; can anyone point me in the right direction?

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Fri Aug 14, 2009 6:05 pm

Re: How to determine which user installed software on Windows XP

This one is a little tough. Your friend with this one is the registry. There is a key that tracks installed software, however it is on a per-machine basis. This isn't necessarily going to tell you who installed the software.

  Code:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall


What you can do is look for the registered owner of the software. This would be something the user entered during the installation wizard process. You could get lucky and have that field completed. You would look for "RegCompany" and "RegOwner" entries in the registry. This could be under the above registry key or under the individual registry key for the software you are investigating.

You could also look for instances of the msiexec process being run in each user's Event Log. The logs may tell you what the software being installed is, or they may not. This wouldn't work if the installer didn't use msiexec.

Another valuable registry key is the UserAssist key. It is user specific and could provide you with the information you are looking for. The key is ROT13 encrypted, but there are a ton of parsers for this key on the web.

  Code:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist


Various MRU registry keys (Most Recently Used) are a good place to look for programs being executed, including setup programs.

  Code:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU


Additional MRUs are referenced here:

http://windowsxp.mvps.org/RegistryMRU.htm

MountedDevices is another good registry key to correlate to various link files you may find on the machine. You can even reference that against prefetch files based on the times. For example, suppose that a USB drive was mounted, and you find a link file pointing to the Setup.exe file on the USB device. You can look for a prefetch file (most likely for msiexec) and see if it was executed around the same time.

  Code:
HKLM\SYSTEM\MountedDevices
HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR


For Internet downloaded software, check the user's Internet history and link files. If they downloaded the file, chances are they installed it. You can reference the above artifacts to confirm this.

Check out this PDF from Access Data for additional registry artifacts that may help you:

http://www.accessdata.com/media/en_US/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf

When all else fails, search the entire registry for a list of keywords. It helps if you have access to a tool like Access Data's Registry Viewer.

<edit> I forgot to mention that the HKCU hive is the ntuser.dat file under each profile.  The HKLM\SOFTWARE hive is in the WINDOWS\SYSTEM32\CONFIG folder, it's the SOFTWARE file. </edit>
Hope this helps.
Last edited by Ketchup on Fri Aug 14, 2009 6:08 pm, edited 1 time in total.
~~~~~~~~~~~~~~
Ketchup
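As an added illustration of the UserAssist step above (this is not code from the thread or from any of the tools mentioned), here is a small Python 3 parser for Windows XP UserAssist values. It assumes the value name/data pairs have already been exported from the user's ntuser.dat with a registry viewer or hive-parsing library; the sample entries are constructed inline so the script runs offline. The XP value layout used here is the widely documented one: a ROT13 value name, and 16 bytes of data holding a session DWORD, a run-count DWORD stored with an offset of 5, and a FILETIME of the last execution.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Windows XP stores the run counter as (actual runs + 5); later Windows versions use a different layout.
XP_COUNT_OFFSET = 5
# Executable names that suggest an installer was launched (assumption: extend for your case).
INSTALLER_HINTS = ("setup", "install", "msiexec")


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Exact inverse of filetime_to_datetime (used only to build constructed test data)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_xp(value_name, value_data):
    """Decode one XP UserAssist value: ROT13 name + 16-byte session/count/FILETIME record."""
    if len(value_data) != 16:
        raise ValueError("Windows XP UserAssist value data must be 16 bytes")
    session, raw_count, ticks = struct.unpack("<IIQ", value_data)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "session": session,
        "run_count": max(raw_count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ticks) if ticks else None,
    }


def encode_userassist_xp(plain_name, session, run_count, last_run):
    """Build a (value_name, value_data) pair the way XP stores it. Constructed test data only."""
    ticks = datetime_to_filetime(last_run) if last_run else 0
    data = struct.pack("<IIQ", session, run_count + XP_COUNT_OFFSET, ticks)
    return codecs.encode(plain_name, "rot_13"), data


def find_installer_runs(values):
    """Return decoded UEME_RUNPATH entries whose executable name looks like an installer."""
    hits = []
    for value_name, value_data in values:
        entry = decode_userassist_xp(value_name, value_data)
        if not entry["name"].startswith("UEME_RUNPATH:"):
            continue  # skip UEME_RUNCPL, UEME_RUNPIDL and other counters
        exe = entry["name"].rsplit("\\", 1)[-1].lower()
        if any(hint in exe for hint in INSTALLER_HINTS):
            hits.append(entry)
    return hits


# Constructed sample values, as a registry exporter would hand them to us.
SAMPLE_VALUES = [
    encode_userassist_xp("UEME_RUNPATH:E:\\setup.exe", 1, 1,
                         datetime(2009, 8, 10, 14, 5, tzinfo=timezone.utc)),
    encode_userassist_xp("UEME_RUNPATH:C:\\WINDOWS\\system32\\msiexec.exe", 1, 3,
                         datetime(2009, 8, 10, 14, 6, tzinfo=timezone.utc)),
    encode_userassist_xp("UEME_RUNPATH:C:\\WINDOWS\\system32\\notepad.exe", 1, 12,
                         datetime(2009, 8, 11, 9, 30, tzinfo=timezone.utc)),
    encode_userassist_xp("UEME_RUNCPL", 1, 2, None),
]


if __name__ == "__main__":
    for hit in find_installer_runs(SAMPLE_VALUES):
        print(f'{hit["last_run"]}  runs={hit["run_count"]}  {hit["name"]}')
```

Run the decoded entries from each profile's ntuser.dat through find_installer_runs and compare the last_run timestamps with the prefetch, link file and MountedDevices evidence described above; the profile whose UserAssist records the setup or msiexec launch at the matching time is the one that ran the installer.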

neteng33

Newbie

Posts: 8

Joined: Sat Jul 12, 2008 8:36 am

Post Mon Aug 17, 2009 3:39 pm

Re: How to determine which user installed software on Windows XP

Thanks a bunch Ketchup. The info you provided did spark my "creative thought process", and I was able to find most of what I was looking for.

jimbob

Post Wed Aug 19, 2009 6:51 am

Re: How to determine which user installed software on Windows XP

If you have logs of when users logged in you may be able to match this to the creation date of the software which was installed. You may also find shortcuts on the desktop and start menu of particular users which may also indicate who installed it.

Regards,
Jimbob
