Is there anyway for Kace to detect software that was installed to the users profile?

The software would put it's uninstall key here:

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall

 

This question is not about a particular peice of software, I would like to know if there is any software installed there and report it back.

Thanks.

0 Comments   [ + ] Show Comments

Comments

Please log in to comment

Answers

0

Create a custom software inventory item and give it a custom inventory rule to find the registry key.  User installed Chrome requires this: http://www.itninja.com/question/how-to-detect-google-chrome-user-installed

Answered 08/02/2013 by: jknox
Red Belt

  • Thanks - I saw that article yesterday when I did a search... but it's not useful to me. That example shows how to detect software if you know the name of it already. In my case, I do not know the name of the software, I simply need to return the name of the software if they exist.
Please log in to comment
0

I've actually done some research into this.  A former employee (retired now) created a command line tool for us on Windows XP that would show you anything that anyone had installed on a system, provided that software's installer recorded its presence in the registry.

The reason I had to research this is that we are upgrading from Windows XP to Windows 7 64-bit, and there are additional registry keys for Windows 7 x64 that have to be examined.  I'm still working out how they are related to provide all the information I want, but I believe I'll be able to produce a new version of the tool by combining information found in these keys and their subkeys:

HKEY_CLASSES_ROOT\Installer\Products
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList


It's kind of involved to describe here, and I'm still working some of it out, but basically from a combination of the above keys, you can determine:

  • What software was installed by an administrator (The CurrentVersion\Uninstall keys)
  • What software was installed by Group Policy (the Group Policy\AppMgmt keys)
  • What software was installed by an end user (e.g., through published applications or on their own) and which end user installed it (the Installer\UserData key)
  • When it was installed (CurrentVersion\Uninstall and maybe others)
  • Where it was installed from (e.g., \\server\share\distributionpoint)


And some other information.

Some of this data is stored by the GUID of the application itself.  Some is stored by the SID of the person who installed it.  I haven't put much time into it yet to figure out how the keys relate.  I only know our original tool used this combination of keys thanks to Sysinternals Process Monitor.

 

Answered 08/02/2013 by: msalsbury
Second Degree Blue Belt

Please log in to comment
Answer this question or Comment on this question for clarity