Windows Software And Service Installation

As part of normal network operations, new software and services will be installed, and there is value in monitoring this activity. Administrators can review these logs for newly installed software or system services and verify that they do not pose a risk to the network.

Note that an additional Program Inventory event, ID 800, is generated daily on Windows 7 at 12:30 AM to provide a summary of application activities (e.g., number of new application installations). Event ID 800 is also generated on Windows 8, under different circumstances. This event helps administrators identify the number of applications that were installed or removed on a machine.

SIEM Events

New Windows Service

Event Source - Microsoft-Windows-FilterManager - Event Log - System

Service Start Failure

Event Source - Service Control Manager - Event Log - System

New MSI File Installed

Event Source - MsiInstaller - Event Log - Application

New Application Installation

Event Source - Microsoft-Windows-Application-Experience - Event Log - Microsoft-Windows-Application-Experience/Program-Inventory

Updated Application

Event Source - Microsoft-Windows-Application-Experience - Event Log - Microsoft-Windows-Application-Experience/Program-Inventory

Removed Application

Event Source - Microsoft-Windows-Application-Experience - Event Log - Microsoft-Windows-Application-Experience/Program-Inventory

Windows Update Installed

Event Source - Microsoft-Windows-WindowsUpdateClient - Event Log - System
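
One way to pull the sources listed above from a single host for review, as an added example that is not part of the original page: the provider and log names come from the list, while the look-back window (`$Days`) and the report columns are assumptions. It groups by whatever event IDs are actually present instead of assuming any.

```powershell
# Added example: summarize recent events from the sources listed on this page.
# $Days and the report layout are illustrative assumptions.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

# Category -> provider/log pairs, copied from the page's list.
# The three Program-Inventory categories share one provider and one log.
$sources = @(
    [pscustomobject]@{ Category = 'New Windows Service'
                       Provider = 'Microsoft-Windows-FilterManager'; Log = 'System' }
    [pscustomobject]@{ Category = 'Service Start Failure'
                       Provider = 'Service Control Manager'; Log = 'System' }
    [pscustomobject]@{ Category = 'New MSI File Installed'
                       Provider = 'MsiInstaller'; Log = 'Application' }
    [pscustomobject]@{ Category = 'New/Updated/Removed Application'
                       Provider = 'Microsoft-Windows-Application-Experience'
                       Log      = 'Microsoft-Windows-Application-Experience/Program-Inventory' }
    [pscustomobject]@{ Category = 'Windows Update Installed'
                       Provider = 'Microsoft-Windows-WindowsUpdateClient'; Log = 'System' }
)

$report = foreach ($s in $sources) {
    $filter = @{ LogName = $s.Log; ProviderName = $s.Provider; StartTime = $since }
    try {
        # Get-WinEvent returns newest events first.
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Raised when nothing matches or the channel is absent on this Windows version.
        Write-Warning ("{0}: {1}" -f $s.Category, $_.Exception.Message)
        continue
    }
    # One row per event ID seen for this source.
    $events | Group-Object Id | ForEach-Object {
        $newest = $_.Group[0]
        [pscustomobject]@{
            Category = $s.Category
            Provider = $s.Provider
            EventId  = [int]$_.Name
            Count    = $_.Count
            Latest   = $newest.TimeCreated
            Sample   = ("$($newest.Message)" -split "`r?`n")[0]  # first line only
        }
    }
}

$report | Sort-Object Category, EventId | Format-Table -AutoSize -Wrap
```

A warning for a source means only that nothing matched in the window or that the channel is not present on that host, so check it against a machine where an installation is known to have occurred.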

AIS Managed SIEM

Last modified March 24, 2021