Wednesday, November 21, 2007

Tracking Software Installation and Removal Using Event IDs 11707, 11724, and 592

In these days of malware, spyware, and compliance regulations, a lot of admins are looking to track the installation of unauthorized programs, and/or the removal of required programs from client desktops. There are actually several events you can look for in both the Application Event Log and Security Event Log that will help you do this.

In the Application log, setup packages that use the Windows Installer to install themselves will create numerous events, all with an event source of MsiInstaller.

Event ID 11707 tells you when a install completes successfully, and also the user who executed the install package.

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11707
Date: 11/9/2006
Time: 3:21:45 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
Product: Event Archiver Enterprise -- Installation operation completed successfully.

Event ID 11724 tells you when a software package is removed successfully, again logging the user behind the operation.

Event Type: Information
Event Source: MsiInstaller
Event Category: None
Event ID: 11724
Date: 11/12/2007
Time: 7:50:13 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
Product: Event Archiver Enterprise -- Removal completed successfully.

You can track both of these events in our Event Analyst software by setting up appropriate filters and building a custom report.

Also, if you want to correlate the name of the executable setup package that was executed to install a piece of software, turn on Process Tracking auditing on the relevant Group Policy Object for one or more computers (e.g. Domain Security Policy, Local Security Policy), and look for events with Event ID 592 in the Security log that occur around the time of the 11707 event in the Application log, e.g.

Event Type: Success Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 592
Date: 11/9/2006
Time: 3:20:30 PM
User: DOMAIN\USER
Computer: COMPUTERNAME
Description:
A new process has been created:
New Process ID: 2816
Image File Name: \EvntArch.exe
Creator Process ID: 516
User Name: USER
Domain: DOMAIN
Logon ID: (0x0,0x3E7)

Event Analyst also has a built-in Process Usage report that is very useful for viewing all of the executable files that were loaded and unloaded on one or more systems for a given time frame. It automatically determines the executable files that are run the most frequently for any given user.

Tuesday, November 6, 2007

Free Software Offer For Early Vista/EVTX Log Format Adopters

As promised in our previous post on Event Analyst's full support for working with EVT and EVTX log files natively on Windows Vista™, we are making a special free software offer available to admins that wish to use Vista as their OS platform for log management.

Here are the details of the offer, directly from our sales division:

Do you already have some Windows Vista machines generating EVTX logs? Great. We'd like to give you some software. That's right. At no charge. We're offering 5 server license packs of Event Archiver™ and Event Analyst™ bundled together. Basic email-based support is included with all licenses. If you wish to pick up an upgrade service or another of our more advanced support options, we can arrange for the purchase. Interested? Simply request more details at
http://www.doriansoft.com/evtxsoftwareoffer.


As you can gather, this is a fantastic promotion, as it allows you to gather event log data from both your non-Vista and Vista systems and report on that data by running Event Archiver and Event Analyst on a Microsoft Vista workstation. We're convinced that once you see the power of Dorian's LogRefiner™ technology in action, you'll be much more comfortable in putting forth a plan for log management for your larger migration to Microsoft Windows Vista and Windows Server 2008™. As we've stated numerous times before, our exclusive LogRefiner technology is here and ready for you whenever that migration begins.

Friday, November 2, 2007

Event Analyst Works With EVT and EVTX Files, Side-By-Side!

Greetings, gentle readers. It's been a while since our last blog post, but that's because we've been slaving on the Version 6 release of Event Analyst. And what a fantastic release it is!

Just like our Event Archiver release of a few months ago, this version of Event Analyst is completely Microsoft Vista™ compatible, and features our revolutionary LogRefiner™ technology. You can download it here: http://www.doriansoft.com/download.

We've already mentioned in a bunch of posts that trying to read saved, legacy EVT files on Windows Vista is quite a chore, with missing fields and information being quite common. In fact, a recent blog posting from the Performance Team at Microsoft shows you how to perform a whole bunch of contortions in an attempt to convert an EVT file to an EVTX file, with of course there being no guarantee that the converted log will parse properly when you attempt to read it.

Well here's the good news. Thanks to our pioneering LogRefiner™ technology, you can work with EVT and EVTX files natively and side-by-side when Event Analyst is installed to a Microsoft Vista computer. No weird conversions or intermediate steps are necessary, and you get all the data parsed correctly from both log formats the first time. For those admins who are attempting to run Windows Vista on their workstations, this is a big plus because now you can use Event Analyst as your preferred log reader/analysis tool/reporting tool for all of your systems and your saved EVT log files. You no longer need to convert EVT files or juggle both the Microsoft Classic Event Viewer and the new Vista Event Viewer when switching back and forth between EVT and EVTX files.

Here's a screenshot of both an EVT and EVTX log being viewed within Event Analyst 6 at the same time:




Again, bear in mind that this technology lets you work with active AND saved EVT files from your older operating systems all natively inside Vista. It's very cool stuff.

We'll have more information for you on this technology soon, including a very nice licensing promotion, so please stay tuned.