Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

determine who installed a program on a XP box


  • Please log in to reply

#1
KStout

KStout

    New Member

  • Member
  • Pip
  • 3 posts
I need to prove who installed a program on a computer. Anyone know how to determine this?
  • 0

Advertisements


#2
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
this is not the be all end all proof...but...if you open up windows explorer...navigate to c:\program files\<the program in question's folder> and find the exe for the program....right click it...and do properties...then the security tab...then advanced...then owner...that will tell you what user account owns the program (which..usually...unless it's been changed...is the account that installed it...of course...if it was installed as administrator...well...then it's not very helpful)
  • 0

#3
Spike

Spike

    nOoB

  • Member
  • PipPipPipPip
  • 1,351 posts
Hi, this might work depending if you know when the person was on the computer. First start by looking for the program, eg. "Spybot Search & Destroy", look for the main program used to open the file, eg. "SpybotSD.exe"
now 'right click' and select properties. You should then be in the Tab "General", looking further down on the window you will see labels "Created:", "Modified:", "Accessed:". The "Created:" label is what you looking for this will tell you when the program was installed.

Note: If the program never came from an installation file, eg. "Hijackthis.exe". Windows will see when the file was made and not installed. I hope this works. If for example it is not from an installation eg. "Hijackthis.exe", and there is a folder made for the specific program eg. "Hijackthis" then you can check when the folder was created.

I hope this works, the only real way of knowing if it was someone who loaded the program is knowing when he was on.

Good luck :tazz:
  • 0

#4
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
as an adendum....both of these sollutions are based on the theory that you have more than one user account on this machine...if you only have one account...and everyone uses it...then it's going to be very close to impossible to know for sure who installed it
  • 0

#5
KStout

KStout

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I see who the owner is now with the security tab. But now I need to know when he installed it? I took a forensic image of this drive. It's not a live interaction with the PC. So the owner info is his SID account not his actual account. Which is fine.
  • 0

#6
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
you can check the "created on date" for the folder...
  • 0

#7
KStout

KStout

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
But isn't there some kind of log file or registry entry that logs Date of install and Installed by?
  • 0

#8
dsenette

dsenette

    Je suis Napoléon!

  • Administrator
  • 26,019 posts
  • MVP
if there is i haven't ever seen it...
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP