Tracking Down Who Installed or Removed a Program or App

Written by Allen Wyatt (last updated June 22, 2020)

If you manage a system that is used by multiple people, each with their own login to the system, then you may find it helpful to know which of those users installed a program or app. For instance, a user may have downloaded and installed a program that is causing problems, and you need to talk to the user who actually did the installation. Similarly, you may need to know who uninstalled a particular program from the system.

Provided that the program was installed or removed using the normal MSI installer built into Windows, you can find out the information you need by examining the event logs maintained by Windows. Go ahead and start the Event Viewer; the easiest way is to use the searching capabilities of Windows, looking for "Event Viewer," without the quote marks. Once the program is started—it can take a few moments to load—you are greeted by the initial screen. (See Figure 1.)

Figure 1. The Event Viewer's initial window.

In the right pane, near the top, click the Create Custom View option. Windows displays the Create Custom View dialog box. The Filter tab should be displayed in the dialog box. (See Figure 2.)

Figure 2. Filtering an event log.

Using the Event Sources drop-down list, (click on the radio button to the right of By Source to activate Event Sources) choose the MsiInstaller option and click the OK button. Windows displays the Save Filter to Custom View dialog box. (See Figure 3.)

Figure 3. The Save Filter to Custom View dialog box.

Name the Custom view as desired and select where to save the Custom view and click OK. This instructs the Event Viewer to display only events generated by the installer, which is exactly what happens when you click the OK button.

In the resulting set of filtered events, look for an event that was logged around the time you figure that the installation or removal occurred. When you find one that looks promising, you can select it and view its details in the viewer. Among those details is the name of the user account that was active when the installation or removal occurred.

You should note that this approach will only work if the system users only use their own accounts—in other words, users log out and log in as they should on the system. If everyone shares a common login, then the user information in the event log will be of little value. (It will tell you the event occurred, but you have no indication as to who performed the event.)

Also, if the program installed or removed didn't use MsiInstaller or it used a method that doesn't utilize the event logs, then you won't be able to find the events by following these steps.

 This tip (13465) applies to Windows 7, 8, and 10.

Author Bio

Allen Wyatt

With more than 50 non-fiction books and numerous magazine articles to his credit, Allen Wyatt is an internationally recognized author. He is president of Sharon Parq Associates, a computer and publishing services company. ...

MORE FROM ALLEN

Recovering Corrupt Document Files with StarOffice

A possibility to try if you have a corrupt document.

Discover More

Safely Relocking Forms

In order to use a form in Word, it must be protected. This means that you cannot make any changes to the form, even if ...

Discover More

Figuring Out the Low-Score Winner

Need to figure out the lowest score in a range of scores? Here's the formulas to get the information you need.

Discover More
More WindowsTips

Changing How Event Log Overruns are Handled

By default, the event logs are implemented in a circular buffer, i.e., when its maximum size is reached, the oldest ...

Discover More

Understanding Event Logs

Windows event logs are great resources to see what is "invisibly" going on with your system. By understanding the various ...

Discover More

What is the Purpose of the System Event Log?

The System event log holds messages generated by device drivers. This tip explains more about it.

Discover More
Comments

If you would like to add an image to your comment (not an avatar, but an image to help in making the point of your comment), include the characters [{fig}] (all 7 characters, in the sequence shown) in your comment text. You’ll be prompted to upload your image when you submit the comment. Maximum image size is 6Mpixels. Images larger than 600px wide or 1000px tall will be reduced. Up to three images may be included in a comment. All images are subject to review. Commenting privileges may be curtailed if inappropriate images are posted.

What is two more than 7?

There are currently no comments for this tip. (Be the first to leave your comment—just use the simple form above!)


Newest Tips