/build/static/layout/Breadcrumb_cap_w.png

Software installed in the user(s) profile

Is there anyway for Kace to detect software that was installed to the users profile?

The software would put it's uninstall key here:

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall

 

This question is not about a particular peice of software, I would like to know if there is any software installed there and report it back.

Thanks.


0 Comments   [ + ] Show comments

Answers (2)

Posted by: jknox 11 years ago
Red Belt
0

Create a custom software inventory item and give it a custom inventory rule to find the registry key.  User installed Chrome requires this: http://www.itninja.com/question/how-to-detect-google-chrome-user-installed


Comments:
  • Thanks - I saw that article yesterday when I did a search... but it's not useful to me. That example shows how to detect software if you know the name of it already. In my case, I do not know the name of the software, I simply need to return the name of the software if they exist. - baist111 11 years ago
Posted by: msalsbury 11 years ago
Second Degree Blue Belt
0

I've actually done some research into this.  A former employee (retired now) created a command line tool for us on Windows XP that would show you anything that anyone had installed on a system, provided that software's installer recorded its presence in the registry.

The reason I had to research this is that we are upgrading from Windows XP to Windows 7 64-bit, and there are additional registry keys for Windows 7 x64 that have to be examined.  I'm still working out how they are related to provide all the information I want, but I believe I'll be able to produce a new version of the tool by combining information found in these keys and their subkeys:

HKEY_CLASSES_ROOT\Installer\Products
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList


It's kind of involved to describe here, and I'm still working some of it out, but basically from a combination of the above keys, you can determine:

  • What software was installed by an administrator (The CurrentVersion\Uninstall keys)
  • What software was installed by Group Policy (the Group Policy\AppMgmt keys)
  • What software was installed by an end user (e.g., through published applications or on their own) and which end user installed it (the Installer\UserData key)
  • When it was installed (CurrentVersion\Uninstall and maybe others)
  • Where it was installed from (e.g., \\server\share\distributionpoint)


And some other information.

Some of this data is stored by the GUID of the application itself.  Some is stored by the SID of the person who installed it.  I haven't put much time into it yet to figure out how the keys relate.  I only know our original tool used this combination of keys thanks to Sysinternals Process Monitor.

 

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ