Ping a Specific Port

Question

sgmoore

Asked: 2010-08-26 07:02:17 +0800 CST2010-08-26 07:02:17 +0800 CST 2010-08-26 07:02:17 +0800 CST

Tracking who installed Software on server

772

Am I correct, that if a program is installed on a Server and shows up in the 'Add Remove/Program programs', then it must have been installed when a user has logged onto the server either at the physical console, or using RDP and not when a user has accessed the server via a share?

And if so, then this should show up as Event ID's 528.

In other words, if I just look at Event ID 528, I can get a list of suspects. Is this correct?

2 Answers

Voted

joeqwerty · Answer 1 · 2010-08-26T07:11:37+08:00

Best Answer

joeqwerty

2010-08-26T07:11:37+08:002010-08-26T07:11:37+08:00

In general, yes. You probably want to look at the logon type as well to determine how the user accessed the server. I'm thinking that you want to look for logon types 2, 10, and possibly 5.

1

gWaldo · Answer 2 · 2010-08-26T08:03:44+08:00

gWaldo

2010-08-26T08:03:44+08:002010-08-26T08:03:44+08:00

That will cover the most typical use cases, however apps can be installed by remote processes (such as PSExec, batch scripting, or a remote deployment tool such as CA Unicenter.) They will not necessarily log that event code.

What you describe is a fine place to start, however.

0

Tracking who installed Software on server

Ping a Specific Port

How do I tell Git for Windows where to find my private RSA key?

How do you restart php-fpm?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

How can I sort du -h output by size

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?