How to Detect Who Installed What Software on Your Windows Server

Native Auditing vs. Netwrix Auditor for Windows Server

Native Auditing Netwrix Auditor for Windows Server
  1. Run eventvwr.msc → Windows Logs → Right-click "Application" log → Properties:
    • Make sure the "Enable logging" check box is selected
    • Increase the log size for at least 1gb
    • Set retention method to "Overwrite events as needed" or "Archive the log when full".
  2. Open Event viewer and search the application log for the 11707 event ID with MsiInstaller Event Source to find latest installed software.
  3. To create an instant alert that is triggered upon any software installation, you need to edit the following powershell script by setting your parameters up and saving it anywhere as .ps1 file (e.g., detect_software.ps1):   

    #Mail SMTP Setup Section
    $Subject = "New Software Has Been Installed on $env:COMPUTERNAME" # Message Subject $Server = "smtp.server" # SMTP Server
    $From = "" # From whom we are sending an e-mail(add anonymous logon permission if needed)

    $To = "" # To whom we are sending
    $Pwd = ConvertTo-SecureString "enterpassword" -AsPlainText –Force #Sender account password
    #(Warning! Use a very restricted account for the sender, because the password stored in the script will be not encrypted)
    $Cred = New-Object System.Management.Automation.PSCredential("" , $Pwd) #Sender account credentials

    $encoding = [System.Text.Encoding]::UTF8 #Setting encoding to UTF8 for message correct display

    #Generates human readable userID from UserSID in log.

    $UserSID = (Get-WinEvent -FilterHashtable @{LogName="Application";ID=11707;ProviderName="MsiInstaller"}).UserID.Value | select -First 1 $objSID = New-Object System.Security.Principal.SecurityIdentifier("$UserSID") $UserID= $objSID.Translate([System.Security.Principal.NTAccount])

    #Generates email body containing time created and message of application install.

    $Body=Get-WinEvent -FilterHashtable @{LogName="Application";ID=11707;ProviderName='MsiInstaller'} | Select TimeCreated,Message | select-object -First 1

    #Sending an e-mail.
    Send-MailMessage -From $From -To $To -SmtpServer $Server -Body "$Body . Installed by: $UserID" -Subject $Subject -Credential $Cred -Encoding $encoding


  4. Run Task Scheduler → Create new schedule task → Enter its name → Triggers tab → New trigger → Set up the following options:
    • Begin the task on an event
    • Log – Application
    • Source – Blank
    • EventID – 11707.
  5. Go to the Actions Tab → New action with following parameters:
    • Action – Start a program
    • Program script: powershell
    • Add arguments (optional): -File "specify file path to our script"
    • Click "OK".
  6. Now you will be notified about every software installation on your Windows server via e-mail message that will contain details on software installation time, software name and installer’s userID (SID).




  1. Run Netwrix Auditor → Managed Objects → Windows Server → Click "Run" to gather logs (log gathering is performed automatically on specified schedule; here you may need to click "Run" button manually in order to avoid waiting the next scheduled data collection) → Open an e-mail received after log gathering.
  2. In order to create an instant alert that is triggered upon any software installation navigate, go to Managed Objects → Windows server → Event Log → Right click "Real-time alerts" → New Real-time alert → Set alert’s name and click "Next" → Click Add Event Filter → Set filter’s name → Set Application Event log → Go to Event Fields tab → Set Event ID = 11707 → click "OK" and "Finish".
  3. Now you will be able to receive an email upon each occurrence of software installation on your server.

Detect All Changes Made to Server Configuration and Receive Detailed Alerts

Accidental or intentional unauthorized software installation on Windows Server enables disruptive malware activity that can lead to server performance slowdowns and even leaks of sensitive data. Threats come from both outside and inside the organization. To gain access to systems, hackers scan targets for unprotected software and scam users into downloading malware. Employees may also unknowingly download and install malicious files in violation of your software installation policy.

To reduce the risks of installing software, IT pros need to be able to detect when new software is installed and quickly determine who installed it and on what Windows Server. Netwrix Auditor for Windows Server delivers complete visibility into what is happening across your Windows Server infrastructure, including unauthorized software installation. IT pros simply create an alert and they will immediately receive a detailed e-mail notification whenever new software is installed, so they can fully secure the organization’s assets.

Got Feedback? Share!