PowerShell Script of the Week: June 1st 2015 – Detect who installed what software on Windows Server and send email with alert.

Published by Jose on

1) Configure Event Logs:

Run eventvwr.msc → Windows Logs → Right-click “Application” log → Properties:
Make sure the “Enable logging” check box is selected
Increase the log size for at least 1gb
Set retention method to “Overwrite events as needed” or “Archive the log when full”.

2) Creating an alert:

To create an instant alert that is triggered upon any software installation, you need to edit the following powershell script by setting your parameters up and saving it anywhere as .ps1 file (e.g., detect_software.ps1):

3) Code:

PowerShell


$Subject = “New Software Has Been Installed” # Message Subject
$Server = “smtp.server” # SMTP Server
$From = “From@domain.com” # From whom we are sending an e-mail(add anonymous logon permission if needed)
$To = “To@domain.com” # To whom we are sending
$Pwd = ConvertTo-SecureString “enterpassword” -AsPlainText –Force #Sender account password
#(Warning! Use a very restricted account for the sender, because the password stored in the script will be not encrypted)
$Cred = New-Object System.Management.Automation.PSCredential(“From@domain.co m” , $Pwd) #Sender account credentials
$encoding = [System.Text.Encoding]::UTF8 #Setting encoding to UTF8 for message correct display
#Powershell command for filtering the security log about software installation event
$Body=Get-WinEvent -FilterHashtable @{LogName=”Application”;ID=11707;ProviderName=’MsiInstaller’} | Select TimeCreated, Message, UserID | select-object -first 1
#Sending an e-mail.
Send-MailMessage -From $From -To $To -SmtpServer $Server – Body “$Body” -Subject $Subject -Credential $Cred -Encoding $encoding

4) Create new scheduled task

Run Task Scheduler → Create new schedule task → Enter its name → Triggers tab → New trigger → Set up the following options:
Begin the task on an event
Log – Application
Source – Blank
EventID – 11707.

5)Action settings

Go to the Actions Tab → New action with following parameters:
Action – Start a program
Program script: powershell
Add arguments (optional): -File “specify file path to our script”
Click “OK”.

Now you will be notified about every software installation on your Windows server via e-mail message that will contain details on software installation time, software name and installer’s userID (SID).

6) Convert SID to username:PowerShell

$objSID = New-Object System.Security.Principal.SecurityIdentifier(“Enter your SID Here”)$objUser = $objSID.Translate([System.Security.Principal.NTAccount])$objUser.Value
Categories: Uncategorized

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

Uncategorized

10 items to consider when migrating your workloads to the cloud.

Moving an on-premise datacenter workload to a cloud offering can bring many benefits, such as scalability, reduced costs, and increased flexibility. However, before making the move, it’s important to evaluate various criteria to ensure that Read more…

Uncategorized

The Benefits of A.I. and Its Effect on the Technology Space of the Future.

Artificial intelligence (AI) is rapidly changing the world as we know it. From self-driving cars to facial recognition software, AI is becoming increasingly common in our everyday lives. And while there are some concerns about Read more…

Uncategorized

Exciting times at Microsoft!

Microsoft to acquire Activision Blizzard to bring the joy and community of gaming to everyone, across every device Legendary games, immersive interactive entertainment and publishing expertise accelerate growth in Microsoft’s Gaming business across mobile, PC, Read more…