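Windows servers keep detailed installation records in the event logs shown in Event Viewer. The most relevant events can be queried as follows:

# PowerShell command to query installation events
# MsiInstaller logs 11707 when an installation completes and 11724 when a removal completes;
# UserId holds the SID of the account the event was logged under
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 11707, 11724 } -ErrorAction SilentlyContinue |
    Format-List -Property TimeCreated, Message, UserId
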
For applications installed via MSI packages (including Flash), we can dig deeper:

# Check Windows Installer execution history
# The path segment after UserData is the SID of the installation context (S-1-5-18 for per-machine installs)
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties' |
    Select-Object @{Name="UserSid";Expression={ if ($_.PSParentPath -match '\\UserData\\([^\\]+)\\Products\\') { $Matches[1] } }},
        DisplayName, InstallDate, InstallSource

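When standard methods fail, try these more advanced approaches:

# Parse Prefetch files for execution evidence
# CreationTime approximates the first run and LastWriteTime the most recent run;
# Prefetch is typically disabled by default on Windows Server editions, so the folder may be empty
Get-ChildItem C:\Windows\Prefetch\*.pf -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match "FLASH" } |
    Select-Object Name, CreationTime, LastWriteTime, LastAccessTime
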
The Windows Registry maintains timestamps that can reveal installation patterns:

# Check Uninstall registry keys with timestamps
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" |
    ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        if ($props.DisplayName -match "Adobe Flash") {
            [PSCustomObject]@{
                Name            = $props.DisplayName
                InstallDate     = $props.InstallDate
                Publisher       = $props.Publisher
                EstimatedSizeMB = [math]::Round($props.EstimatedSize/1024,2)
            }
        }
    }

Cross-reference installation events with security logs for user context:

# Correlate installer execution with logon sessions
# Event 4688 is only logged when the "Audit Process Creation" policy is enabled
# Properties[1] = SubjectUserName, Properties[5] = NewProcessName
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4688
    StartTime = (Get-Date).AddDays(-30)
} | Where-Object { $_.Properties[5].Value -match "msiexec" }

$events | Select-Object TimeCreated,
    @{Name="User";Expression={$_.Properties[1].Value}},
    @{Name="Process";Expression={$_.Properties[5].Value}}

When auditing server security or troubleshooting application issues, identifying the original installer of a program becomes crucial. Here's a comprehensive technical approach to trace Adobe Flash Player installations on Windows systems:
Windows Event Logs maintain detailed installation records. For Adobe Flash specifically:

# PowerShell command to filter Flash installation events
Get-WinEvent -LogName "Application" |
    Where-Object {
        ($_.Message -like "*Adobe Flash*") -and
        ($_.Id -in @(1033, 1035, 11707))
    } |
    Format-List TimeCreated, UserId, Message

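The event queries above return the installing account only as a SID in `UserId`. The following added example (not code from the original page) resolves that SID to an account name and extracts the product name, assuming the `Product: <name> -- <status>` message shape; `Resolve-InstallerUser` and the sample records are hypothetical and constructed for illustration.

```powershell
# Added example: resolve the SID in each MsiInstaller record to an account name.
function Resolve-InstallerUser {
    [CmdletBinding()]
    param(
        # Objects exposing TimeCreated, Id, UserId (a SID) and Message, such as Get-WinEvent output
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Record
    )
    process {
        # Assumed message shape: "Product: <name> -- <status text>"
        $product = if ($Record.Message -match '^Product:\s*(.+?)\s+--\s') { $Matches[1] } else { $null }

        $sid = [string]$Record.UserId
        $account = '<no SID recorded>'
        if ($sid) {
            try {
                $sidObject = [System.Security.Principal.SecurityIdentifier]$sid
                $account = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Deleted or unreachable-domain accounts no longer resolve; keep the raw SID
                $account = "<unresolved: $sid>"
            }
        }
        [PSCustomObject]@{
            TimeCreated = $Record.TimeCreated
            EventId     = $Record.Id
            Product     = $product
            Sid         = $sid
            Account     = $account
        }
    }
}

# Constructed sample records (not real log data); the second SID is made up and will not resolve
$sample = @(
    [PSCustomObject]@{
        TimeCreated = [datetime]'2020-01-15T10:30:00'; Id = 11707; UserId = 'S-1-5-18'
        Message     = 'Product: Adobe Flash Player (sample) -- Installation completed successfully.'
    }
    [PSCustomObject]@{
        TimeCreated = [datetime]'2020-03-02T08:05:00'; Id = 11724
        UserId      = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
        Message     = 'Product: Adobe Flash Player (sample) -- Removal completed successfully.'
    }
)
$sample | Resolve-InstallerUser | Format-Table -AutoSize

# Live use: pipe Get-WinEvent output for IDs 11707 and 11724 into Resolve-InstallerUser
```

A row whose account is `NT AUTHORITY\SYSTEM` usually points to a service or deployment agent rather than an interactive user, so it is worth correlating with the process-creation events for the same time window.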
When installations occur without UI (common in enterprise environments):

# Registry paths containing installer metadata
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)

# InstallUser is not a standard Uninstall value; the column stays empty unless the installer wrote it
Get-ChildItem $paths |
    Where-Object { $_.GetValue("DisplayName") -match "Flash" } |
    Select-Object PSChildName, @{
        Name       = "InstallerUser"
        Expression = { $_.GetValue("InstallUser") }
    }

For enterprise-managed servers, check configuration management logs:

# Query SCCM application deployment history
# Get-CimInstance replaces Get-WmiObject, which is not available in PowerShell 7
Get-CimInstance -Namespace "root\ccm\ClientSDK" -ClassName CCM_Application |
    Where-Object { $_.Name -match "Flash" } |
    Select-Object FullName, InstallUser, SoftwareVersion

When standard methods fail, consider:
- File system timestamps comparison (installer vs. created files)
- Prefetch file analysis (%SystemRoot%\Prefetch)
- User profile correlation (installer temp files)
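
Implement this PowerShell function for proactive monitoring:

function Register-InstallWatcher {
    param([Parameter(Mandatory)][string]$appName)

    # Polls Win32_Product every 10 seconds; each poll makes Windows Installer run a
    # consistency check on every installed MSI package, so expect noticeable overhead
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 " +
             "WHERE TargetInstance ISA 'Win32_Product' " +
             "AND TargetInstance.Name LIKE '%$appName%'"

    # Register-WmiEvent is available in Windows PowerShell 5.1, not in PowerShell 7
    Register-WmiEvent -Query $query -Action {
        $product = $Event.SourceEventArgs.NewEvent.TargetInstance
        [PSCustomObject]@{
            AppName   = $product.Name
            # Win32_Product exposes no installer process ID, so record the package source instead
            Installer = $product.InstallSource
            Timestamp = [DateTime]::Now
            # Account running this watcher, not the account that performed the installation
            User      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        } | Export-Csv -Path "C:\Audit\Installs.log" -Append -NoTypeInformation
    }
}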