Windows Event Log – Installs

Posted on

QUESTION :

Is there a way to find distinct program installs in the Windows Event log? I have tried looking for a specific ID to look for but cannot find one that references installs.
If not, is there an easy way to access installed program data on a Windows machine?

ANSWER :

You can filter by EventID to see specific types of events. There are many Windows Installer Event IDs corresponding to different sorts of actions. 1033 indicates a product was installed, 1034 indicates a product was uninstalled.

For Windows Installer you can also filter by Source. MsiInstaller is the source for all Windows Installer events.

InstallShield tends to be a wrapper for MSI scripts, so it would generally have the same event IDs. However, other installer packages will generally not use the same EventIDs. For any installer you’ll need to find the appropriate event ids it uses (if any).

UPDATE details:
Oh, and those are all found in the event viewer under Application.

UPDATE response:
The Windows Event IDs do not change from OS to OS as these are determined by the application. In this case, Windows Installer.

I tested on my XP box and a 2003 server and they both used 1033 for install and 1034 for uninstall.

You may try installing a windows update patch or similar. Something small, like a root certificate update or the like. Then check the event logs for corresponding entries. This will allow you to see if the logs have been cleared since the last install.

UPDATE further details, alternate IDs:
There is a plethora of information online regarding event IDs, including lists of all possible EventIDs for MSI Installers. Looking briefly I’m not really sure what the difference is between 1033/1034 and 11707/11708 IDs. MS documentation seems to show that the two different types indicate the same thing, namely the successful install or uninstall, but contain different sorts of information.

Leave a Reply

Your email address will not be published.