New Application Installation

Event Source - Microsoft-Windows-Application-Experience - Event Log - Microsoft-Windows-Application-Experience/Program-Inventory

Configuration

Query

(EventID:903 OR EventID:904) AND NOT SourceName:"Directory Synchronization" AND NOT SourceName:InstalledADSyncPowerShellHelper AND NOT SourceName:"Azure AD Connect Upgrade" AND NOT SourceName:MicrosoftAzureActiveDirectoryClient AND NOT SourceName:Microsoft\-Windows\-Application\-Experience

Config

Key | Value
--- | ---
type | aggregation-v1
query | (EventID:903 OR EventID:904) AND NOT SourceName:"Directory Synchronization" AND NOT SourceName:InstalledADSyncPowerShellHelper AND NOT SourceName:"Azure AD Connect Upgrade" AND NOT SourceName:MicrosoftAzureActiveDirectoryClient AND NOT SourceName:Microsoft\-Windows\-Application\-Experience
streams | [5f74fe0891d2ba1b645adb8d]
conditions | {expression:null}
search_within_ms | 3600000
execute_every_ms | 3600000
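The filter this rule is meant to apply (event ID 903 or 904, none of the listed SourceName values, one-hour search window) can be checked offline before the exclusion list is changed. The following is an added example, not part of the original page or of the alerting product: the `host` and `timestamp_ms` field names, the exact-string comparison on `SourceName`, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Values copied from the query and Config table on this page.
INSTALL_EVENT_IDS = {903, 904}
EXCLUDED_SOURCES = {
    "Directory Synchronization",
    "InstalledADSyncPowerShellHelper",
    "Azure AD Connect Upgrade",
    "MicrosoftAzureActiveDirectoryClient",
    "Microsoft-Windows-Application-Experience",
}
SEARCH_WITHIN_MS = 3_600_000  # search_within_ms


def matches(event):
    """Event ID 903 or 904, and SourceName not on the exclusion list.

    Assumption: SourceName is compared as an exact, case-sensitive string.
    """
    return (event.get("EventID") in INSTALL_EVENT_IDS
            and event.get("SourceName") not in EXCLUDED_SOURCES)


def hits_by_host(events, now_ms):
    """Group matches from the last search window by host for review."""
    start = now_ms - SEARCH_WITHIN_MS
    grouped = defaultdict(list)
    for e in events:
        if start < e["timestamp_ms"] <= now_ms and matches(e):
            grouped[e["host"]].append((e["EventID"], e["SourceName"]))
    return dict(grouped)


# Constructed sample events; "host" and "timestamp_ms" are assumed field names.
NOW_MS = 1_608_163_200_000
SAMPLE_EVENTS = [
    {"host": "ws-01", "timestamp_ms": NOW_MS - 60_000, "EventID": 903, "SourceName": "ExampleApp Setup"},
    {"host": "ws-01", "timestamp_ms": NOW_MS - 120_000, "EventID": 904, "SourceName": "ExampleApp Helper"},
    # Excluded source names must be dropped for both event IDs.
    {"host": "dc-01", "timestamp_ms": NOW_MS - 300_000, "EventID": 903, "SourceName": "Azure AD Connect Upgrade"},
    {"host": "dc-01", "timestamp_ms": NOW_MS - 300_000, "EventID": 904, "SourceName": "Directory Synchronization"},
    # Daily summary event: not an install event, so not matched.
    {"host": "ws-02", "timestamp_ms": NOW_MS - 600_000, "EventID": 800, "SourceName": "ExampleApp Setup"},
    # Older than the one-hour search window.
    {"host": "ws-03", "timestamp_ms": NOW_MS - 7_200_000, "EventID": 903, "SourceName": "OldApp Setup"},
]

if __name__ == "__main__":
    for host, hits in hits_by_host(SAMPLE_EVENTS, NOW_MS).items():
        print(host, hits)
```

Adding a source name to `EXCLUDED_SOURCES` and rerunning shows which hosts would stop appearing in the hourly result.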

Windows Software And Service Installation

As part of normal network operations, new software and services will be installed, and there is value in monitoring this activity. Administrators can review these logs for newly installed software or system services and verify that they do not pose a risk to the network.

Note that an additional Program Inventory event ID 800 is generated daily on Windows 7 at 12:30 AM to provide a summary of application activities (e.g., number of new application installations). Event ID 800 is also generated on Windows 8, under different circumstances. This event is useful to administrators who want to identify the number of applications that were installed or removed on a machine.


Last modified December 17, 2020