If you manage a system that is used by multiple people, each with their own login to the system, then you may find it helpful to know which of those users installed a program or app. For instance, a user may have downloaded and installed a program that is causing problems, and you need to talk to the user who actually did the installation. Similarly, you may need to know who uninstalled a particular program from the system.
Provided that the program was installed or removed using the normal MSI installer built into Windows, you can find out the information you need by examining the event logs maintained by Windows. Go ahead and start the Event Viewer; the easiest way is to use the searching capabilities of Windows, looking for "Event Viewer," without the quote marks. Once the program is started—it can take a few moments to load—you are greeted by the initial screen. (See Figure 1.)
Figure 1. The Event Viewer's initial window.
In the right pane, near the top, click the Create Custom View option. Windows displays the Create Custom View dialog box. The Filter tab should be displayed in the dialog box. (See Figure 2.)
Figure 2. Filtering an event log.
Click the radio button to the right of By Source to activate the Event Sources drop-down list. Then, using that list, choose the MsiInstaller option and click the OK button. Windows displays the Save Filter to Custom View dialog box. (See Figure 3.)
Figure 3. The Save Filter to Custom View dialog box.
Name the custom view as desired, select where to save it, and click OK. This instructs the Event Viewer to display only events generated by the installer, which is exactly what happens when you click the OK button.
In the resulting set of filtered events, look for an event that was logged around the time you figure that the installation or removal occurred. When you find one that looks promising, you can select it and view its details in the viewer. Among those details is the name of the user account that was active when the installation or removal occurred.
You should note that this approach will only work if the system users only use their own accounts—in other words, users log out and log in as they should on the system. If everyone shares a common login, then the user information in the event log will be of little value. (It will tell you the event occurred, but you have no indication as to who performed the event.)
Also, if the program installed or removed didn't use MsiInstaller or it used a method that doesn't utilize the event logs, then you won't be able to find the events by following these steps.
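The same filter can be run from a PowerShell prompt, which is handy when you need to check several machines or keep a record of what you found. The following is an added example, not part of the original tip; the function name `Get-MsiInstallerActivity` and the look-back periods are assumptions chosen for illustration. It reads the MsiInstaller events from the Application log and resolves the security identifier stored with each event to an account name.

```powershell
# Added example: list MsiInstaller events with the account recorded for each.
# Get-MsiInstallerActivity is a hypothetical helper name, not a built-in cmdlet.
function Get-MsiInstallerActivity {
    param(
        [datetime]$After = (Get-Date).AddDays(-30),     # assumed look-back window
        [string]$ComputerName = $env:COMPUTERNAME       # local machine by default
    )

    $filter = @{
        LogName      = 'Application'    # MsiInstaller logs to the Application log
        ProviderName = 'MsiInstaller'   # same source chosen in the custom view
        StartTime    = $After
    }

    # SilentlyContinue: no matching events is reported as an error by Get-WinEvent
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt     = $_
            $sid     = $evt.UserId
            $account = '(no user recorded)'

            if ($sid) {
                try {
                    # Turn the SID stored in the event into DOMAIN\user
                    $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    # Deleted account or unreachable domain: keep the raw SID
                    $account = $sid.Value
                }
            }

            $firstLine = if ($evt.Message) { ($evt.Message -split "`r?`n")[0] } else { '' }

            [pscustomobject]@{
                TimeCreated = $evt.TimeCreated
                EventId     = $evt.Id
                Account     = $account
                Summary     = $firstLine    # first line names the product and action
            }
        }
}

# Show the last seven days of installer activity, oldest first
Get-MsiInstallerActivity -After (Get-Date).AddDays(-7) |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

An account shown as a raw SID (S-1-5-...) means the event recorded a user that can no longer be resolved, for example a deleted local account.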
This tip (13465) applies to Windows 7, 8, and 10.
Copyright © 2024 Sharon Parq Associates, Inc.