Hello,

I'm currently trying to figure out how to go about displaying the most recently installed application on a local host? I was thinking a real simplified version would be to Dir a directory then compare and format the last right time appropriately but I noticed parent directories do not reflect the modifications in their subdirectory. For example, from C:\ the last modification was yesterday, even though I drill into C:\Users\Username\ and I can see I've changed a number of files within the last 10 minutes.

I'm thinking my logical concept is off in some way - or maybe there is a cmdlet out there I'm not aware of that will make this easier. I assume the flow will go something like > Pull all contents of drive > list in most recently modified order first > -newest 10.

First I want to apply this to installations but I would eventually like to extend it to displays most recently modified registry keys as well.

Any and all advice is greatly appreciated in advance!

Thanks!

You can request a pre-written script here:

https://gallery.technet.microsoft.com/scriptcenter/site/requests

This forum is for scripting questions rather than script requests.

• Edited by Braham20 16 hours 50 minutes ago

Hi,

Here's a starter:

Get-WmiObject Win32_Product | 
    Sort -Descending -Property InstallDate |
        Select -First 1 -Property *

Keep in mind that Win32_Product won't see applications that are not installed with Windows Installer.

Keep in mind that Win32_Product won't see applications that are not installed with Windows Installer.

This seems to be the most promising. I'll need to research a little more to better understand how to implement the command you speak of, but I believe this is the ticket.

Thanks!

Thanks for that. If I cannot figure it out with WMI I'll try the approach you've presented above.

Again, thanks everyone for the haste response.

There is always this one, which reads installed applications from the registry (and therefore will include more information about installed applications than WMI alone):

Windows IT Pro: Auditing 32-Bit and 64-Bit Applications with PowerShell

Thanks Bill. Currently using  

Get-WmiObject -Class Win32Reg_AddRemovePrograms64 | sort -Descending -Property InstallDate | fl DisplayName,InstallDate

But I notice there are a number of programs that show no InstallDate. I think you're right in that the registry will provide more valuable information. I'll see what I can put together.

Thanks again.

Alright, so I've figured out - somewhat - how this script is being used, but I can't help but notice 'date' is a property that does not exist in your hash table. I'm trying to understand how you pulled the installed programs? If I understand correctly it pulls a list from both 32 bit and 64 bit "Uninstall Keys" and then compares the 2 list to see if there is a difference? I'm not sure how I'm going to use this to determine which registry key/program was installed most recently.. I'll keep plugging away.

Security Forensics. When a host is compromised we need to know the most recent modifications to the registry, file modifications, installations, and deletions. Sorry if I'm vague. I'm still pretty new to PowerShell and how to apply it within a security environment. It should be noted this is going to be ran remotely as we have host all over the world. Right now (aside from figuring out how to use chunks of your script to support mine) I'm trying to figure out how to get-item registry keys from remote host. Currently I prompt the user for a hostname and carry that variable as the -Computername to run the commands. Get-Item does not have a -ComputerName parameter, so I'm guessing I will need to invoke-command?

Again, I appreciate the help.

• Edited by PressGo 15 hours 25 minutes ago

For forensic tracking we would use auditing of registry and file system.  This can be set up and enabled through Group Policy.   It is the only truly usable method as it provide s a pure documentation of changes as well as who made the changes.  The method you are asking for cannot be used forensically as it is missing most of the required data.

Also consider how hard it would be to match all of the data in a system in a before an after scenario.  You will have millions of bits to match and sort through.

Auditing is the builtin tool for forensic tracking.

Makes sense. Okay, so when I enable and configure this GPO object, is there a way to pull those 'audit logs' from within PowerShell? ... Sounds like I've got more reading to do around this GPO auditing.

Thanks JRV

The best place for your questions is here:

http://social.technet.microsoft.com/Forums/scriptcenter/en-Us/home?forum=winserversecurity

Makes sense. Okay, so when I enable and configure this GPO object, is there a way to pull those 'audit logs' from within PowerShell? ... Sounds like I've got more reading to do around this GPO auditing.

Thanks JRV

Get-WinEvent will get you the records.  As per Bill.  As in security forum for pointers on which records to pull and how to format them for use.  Post back here with that info and other will help you understand how to use PowerShell to do this.

• Edited by Braham20 Tuesday, March 24, 2015 2:17 PM

Security Forensics. When a host is compromised we need to know the most recent modifications to the registry, file modifications, installations, and deletions. Sorry if I'm vague. I'm still pretty new to PowerShell and how to apply it within a security environment. It should be noted this is going to be ran remotely as we have host all over the world. Right now (aside from figuring out how to use chunks of your script to support mine) I'm trying to figure out how to get-item registry keys from remote host. Currently I prompt the user for a hostname and carry that variable as the -Computername to run the commands. Get-Item does not have a -ComputerName parameter, so I'm guessing I will need to invoke-command?

Again, I appreciate the help.

• Edited by PressGo Tuesday, March 24, 2015 3:41 PM