PowerShell Script of the Week: June 1st 2015 – Detect who installed what software on Windows Server and send email with alert.

Published by Jose on

1) Configure Event Logs:

Run eventvwr.msc → Windows Logs → Right-click “Application” log → Properties:
Make sure the “Enable logging” check box is selected
Increase the log size for at least 1gb
Set retention method to “Overwrite events as needed” or “Archive the log when full”.

2) Creating an alert:

To create an instant alert that is triggered upon any software installation, you need to edit the following powershell script by setting your parameters up and saving it anywhere as .ps1 file (e.g., detect_software.ps1):

3) Code:

PowerShell


$Subject = “New Software Has Been Installed” # Message Subject
$Server = “smtp.server” # SMTP Server
$From = “From@domain.com” # From whom we are sending an e-mail(add anonymous logon permission if needed)
$To = “To@domain.com” # To whom we are sending
$Pwd = ConvertTo-SecureString “enterpassword” -AsPlainText –Force #Sender account password
#(Warning! Use a very restricted account for the sender, because the password stored in the script will be not encrypted)
$Cred = New-Object System.Management.Automation.PSCredential(“From@domain.co m” , $Pwd) #Sender account credentials
$encoding = [System.Text.Encoding]::UTF8 #Setting encoding to UTF8 for message correct display
#Powershell command for filtering the security log about software installation event
$Body=Get-WinEvent -FilterHashtable @{LogName=”Application”;ID=11707;ProviderName=’MsiInstaller’} | Select TimeCreated, Message, UserID | select-object -first 1
#Sending an e-mail.
Send-MailMessage -From $From -To $To -SmtpServer $Server – Body “$Body” -Subject $Subject -Credential $Cred -Encoding $encoding

4) Create new scheduled task

Run Task Scheduler → Create new schedule task → Enter its name → Triggers tab → New trigger → Set up the following options:
Begin the task on an event
Log – Application
Source – Blank
EventID – 11707.

5)Action settings

Go to the Actions Tab → New action with following parameters:
Action – Start a program
Program script: powershell
Add arguments (optional): -File “specify file path to our script”
Click “OK”.

Now you will be notified about every software installation on your Windows server via e-mail message that will contain details on software installation time, software name and installer’s userID (SID).

6) Convert SID to username:PowerShell

$objSID = New-Object System.Security.Principal.SecurityIdentifier(“Enter your SID Here”)$objUser = $objSID.Translate([System.Security.Principal.NTAccount])$objUser.Value
Categories: Uncategorized

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *