Reading Recently Installed Software (Improvement #1)

by Aug 16, 2022

In the previous tip we used Get-WinEvent to read the Windows event log system and get a list of recently installed software, similar to this:

function Shoath
    }
}

The result is a list of objects, one per installed software, however most of the properties yield unnecessary information:

 
Message              : Windows Installer installed the product. Product Name: Elgato Stream Deck. 
                       Product Version: 4.9.3.13222. Product Language: 1033. Manufacturer: Elgato 
                       Systems GmbH. Installation success or error status: 0.
Id                   : 1033
Version              : 0
Qualifiers           : 0
Level                : 4
Task                 : 0
Opcode               : 0
Keywords             : 36028797018963968
RecordId             : 505773
ProviderName         : MsiInstaller
ProviderId           : 
LogName              : Application
ProcessId            : 0
ThreadId             : 0
MachineName          : DELL7390
UserId               : S-1-5-18
TimeCreated          : 09.08.2022 00:52:43
ActivityId           : 
RelatedActivityId    : 
ContainerLog         : Application
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Info
TaskDisplayName      : 
KeywordsDisplayNames : {Classic}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, 
                       System.Diagnostics.Eventing.Reader.EventProperty, 
                       System.Diagnostics.Eventing.Reader.EventProperty, 
                       System.Diagnostics.Eventing.Reader.EventProperty...}

We are interested in the actual software that was installed, and when. The software name can be found in the “Message” property, embedded in a lot of noise words, and the installation time is reported by TimeCreated. With Select-Object this is the best we can get:

function Shoath
    }
}

Now the result looks like this:

 
TimeCreated         Message                                                                             
-----------         -------                                                                             
15.07.2022 12:23:04 Windows Installer installed the product. Product Name: Elgato Stream Deck. Produc...
15.07.2022 11:49:43 Windows Installer installed the product. Product Name: Microsoft .NET Core Host -...
15.07.2022 11:49:36 Windows Installer installed the product. Product Name: Microsoft .NET Core Host F...
15.07.2022 11:49:34 Windows Installer installed the product. Product Name: Microsoft .NET Core Runtim...
15.07.2022 11:49:31 Windows Installer installed the product. Product Name: Microsoft Windows Desktop ...
15.07.2022 10:09:43 Windows Installer installed the product. Product Name: Microsoft ASP.NET Core 3.1...
15.07.2022 10:09:40 Windows Installer installed the product. Product Name: Microsoft .NET Core Toolse...
15.07.2022 10:08:55 Windows Installer installed the product. Product Name: Microsoft .NET Core 3.1 Te...
15.07.2022 10:08:54 Windows Installer installed the product. Product Name: Microsoft Windows Desktop ...
15.07.2022 10:08:50 Windows Installer installed the product. Product Name: Elgato Stream Deck. Produc...
...

That’s better than before, but there is more you can do to pick the information you need when reading event logs.

Stay tuned for our next part.

Twitter This Tip! ReTweet this Tip!