Foo - How to Find out which User Installed an Application?

SonataInFSharp
02-16-09, 05:58 AM
We have an issue where I work where, on a shared workstation, a user keeps installing a non-approved application which has serious conflicts with work-required applications.
Is there a way I can figure out which user is installing the application (over and over and over each time it's uninstalled)? I talked with IT and they know less about computers than my sister, so my one co-worker and I basically are the immediate IT team.
Windows XP Pro SP3 and I am an admin on the workstations in question.
A Google search wasn't very helpful, probably because I don't know what I am searching for, so I thought I'd FOOgle it!
Thanks in advance!
Put a big fake house plant next to the computer and hide behind it. Wait until the perp uses the computer and installs the application, then jump out and yell "Got'cha!"
valygrl
02-16-09, 07:50 AM
Wow, your IT allows users to install applications?
SonataInFSharp
02-16-09, 08:09 AM
Wow, your IT allows users to install applications?
Generally, no, but our department has special workstation privileges due to other stuff which requires those special privileges. But, if the privileges get abused, well... this happens.
vja4Him
02-16-09, 08:21 AM
We have an issue where I work where, on a shared workstation, a user keeps installing a non-approved application which has serious conflicts with work-required applications.
Is there a way I can figure out which user is installing the application (over and over and over each time it's uninstalled)? I talked with IT and they know less about computers than my sister, so my one co-worker and I basically are the immediate IT team.
Windows XP Pro SP3 and I am an admin on the workstations in question.
A Google search wasn't very helpful, probably because I don't know what I am searching for, so I thought I'd FOOgle it!
Thanks in advance!
You need to join a computer forum. You will get the help you need to find out who the culprit is!
StupidlyBrave
02-16-09, 08:25 AM
This app uses the software registry, does it not?
I suggest remotely monitoring this machine's registry looking for the incriminating key to show up. Log non-existence and existence in a log file and later compare to the system's event log (to get the logged-in user id).
Perl's Win32::TieRegistry module would seem to be a good place to start...
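The approach suggested in the post above, sketched as an added example (not part of the original thread): given a log of registry poll results and logon/logoff records exported from the event log, it lists which users had a session during each window in which the key appeared. The sample data, user names and function names are constructed for illustration.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample data (not from the thread): results of polling the
# workstation's registry for the application's key, oldest first.
POLLS = [
    ("2009-02-16 08:00", False), ("2009-02-16 12:00", False),
    ("2009-02-16 16:00", True), ("2009-02-16 20:00", True),
]

# Constructed logon/logoff records as they might be exported from the
# workstation's event log; the user names are hypothetical.
SESSIONS = [
    ("2009-02-16 07:55", "logon", "alice"), ("2009-02-16 11:30", "logoff", "alice"),
    ("2009-02-16 11:45", "logon", "bob"), ("2009-02-16 13:10", "logoff", "bob"),
    ("2009-02-16 13:20", "logon", "carol"), ("2009-02-16 17:00", "logoff", "carol"),
]

def install_windows(polls):
    """Return (last_absent, first_present) pairs, one per reappearance of the key."""
    windows, prev_time, prev_present = [], None, None
    for stamp, present in polls:
        t = datetime.strptime(stamp, FMT)
        # Only an absent -> present transition bounds an install in time.
        if present and prev_present is False:
            windows.append((prev_time, t))
        prev_time, prev_present = t, present
    return windows

def sessions_from_events(events):
    """Pair each logon with the same user's next logoff."""
    open_at, sessions = {}, []
    for stamp, kind, user in events:
        t = datetime.strptime(stamp, FMT)
        if kind == "logon":
            open_at[user] = t
        elif kind == "logoff" and user in open_at:
            sessions.append((user, open_at.pop(user), t))
    # A session with no logoff recorded is treated as still open.
    sessions += [(u, t, datetime.max) for u, t in open_at.items()]
    return sessions

def suspects(polls, events):
    """Map each install window to the users whose sessions overlap it."""
    sessions = sessions_from_events(events)
    return {w: sorted({u for u, on, off in sessions if on < w[1] and off > w[0]})
            for w in install_windows(polls)}
```

With the four-hour polling interval in the sample, two users fall inside the window; polling more often narrows it.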
banerjek
02-16-09, 09:10 AM
I haven't had to screw around with group policy for years, but it's easy enough to make it so files with names matching certain patterns or falling in certain directories cannot be executed. That will let you target the app without screwing everything else up. After he installs it a few times and it doesn't work, he'll give up.
Most apps are internet aware or must be downloaded from specific locations. You could also add an entry (or entries) to the hosts file that points to 127.0.0.1 which will make it impossible for him to download or use the software.
Although these tricks are very simple, the picture you paint suggests that the users are not sophisticated enough to undo them.
The event viewer could contain clues about who's installing it. The app is bound to leave files in the user's home directory if timestamps don't give everything away.
Wow, your IT allows users to install applications?
I thought the same thing...Most don't even allow the use of thumb drives anymore....
banerjek
02-16-09, 11:54 AM
I thought the same thing...Most don't even allow the use of thumb drives anymore....
I love places like that -- disable the machines and wreck productivity in the name of making things work.
At my last job where I was head of systems, I implemented the policy of letting people be admins on their own machines. Guidelines were issued, but the most important thing for everyone to know is that those caught abusing this privilege would have their machines totally locked down.
We found that this works for the vast majority (around 95%) of people. Audits of machines and network activity showed that recreational use of resources was minimal. When you put up barriers, people find ways to circumvent them and waste time/resources doing so. It's better to just focus on the knuckleheads rather than on most people who do what they should.
iamlucky13
02-16-09, 12:08 PM
I love places like that -- disable the machines and wreck productivity in the name of making things work.
At my last job where I was head of systems, I implemented the policy of letting people be admins on their own machines. Guidelines were issued, but the most important thing for everyone to know is that those caught abusing this privilege would have their machines totally locked down.
We found that this works for the vast majority (around 95%) of people. Audits of machines and network activity showed that recreational use of resources was minimal. When you put up barriers, people find ways to circumvent them and waste time/resources doing so. It's better to just focus on the knuckleheads rather than on most people who do what they should.
Amen!
My last workplace was like that. Unfortunately, however, they also used the crappy software builds that Lenovo ships their systems with. When they upgraded my computer from a T42 to a T60, despite both having XP, the newer one took almost twice as long to boot and did almost everything else slower, too.
DannoXYZ
02-16-09, 01:08 PM
Locking down a system doesn't have to interfere with productivity. Just make sure all of the software you need to use is on the allowed list. Personally, I know I wasted over 800 hours in 1995 playing networked DOOM at the office. Same with websites. I don't see how blocking www.getfreeanimalporn.biz would in any way harm your business.
As for monitoring software, check these out:
http://www.keykeymonitor.com
http://www.freewarebox.com/free_145_spectre-download.html
Be sure to add whatever monitoring software you use to your antivirus exceptions list.
banerjek
02-16-09, 03:19 PM
Locking down a system doesn't have to interfere with productivity. Just make sure all of the software you need to use is on the allowed list.
This is true. If the systems dept has a pretty good grip on what users are doing, communication is good, and the systems dept has enough resources to respond quickly to requests a locked down machine won't get in the way of people. The network guys I work with are like that. This morning, I requested a domain name, IP, plus a wildcard DNS entry (explanation was provided with the request), and it was done within an hour.
However, if the people on support are overextended, don't understand how the software is used, define what people need based on uninformed gut reactions rather than understanding of what people do, or don't have a feel for how what they do affects others, the situation can be entirely different.
I have been on both ends of this with fabulous and crappy systems people. Systems departments tend to be understaffed which makes it hard for even good people to keep up. In such situations, it is usually better to have too little security than too much. What I always used to guide my actions was the "front page test" -- i.e. if a story explaining what you did appeared on the front page of the paper, you would still think you did the right thing.
I'd turn auditing on, then periodically check the logs. The log files will be huge, but you can tell who installed what.
Windows 7 has a nice feature for enterprise use -- the App Locker. Each user can be assigned applications that they can run, and nothing else.
Bust some kneecaps. Someone will fess or point their horribly mangled finger.
SonataInFSharp
02-17-09, 11:29 AM
I figured it out the really old fashioned way... I checked the work schedule and it just so happened only one person worked between shifts during the time I was there and the app was installed again, so I got 'em. It was pure luck; the chances of being so obvious like that normally wouldn't happen (normally far too many people would have touched the computer during that time frame). :)
One program I highly recommend, but it is expensive, is VMware's ThinApp, formerly Thinstall. Most apps that require admin rights can be "wrapped" by this utility and only run as a user. This allows places to not have to give users administrative rights on machines.
Thinstall does not work with apps that need drivers to function (like TrueCrypt), but for most things, it is pretty good. It also allows an admin to easily slipstream upgraded versions as well.
Bust some kneecaps. Someone will fess or point their horribly mangled finger.
You failed anatomy didn't you?
You failed anatomy didn't you?
Tell someone you're about to bust their kneecaps. What's the first thing they do? Try to protect their kneecaps... with their hands.
CliftonGK1
02-17-09, 01:05 PM
Tell someone you're about to bust their kneecaps. What's the first thing they do? Try to protect their kneecaps... with their hands.
Not if you tie their hands behind the chair first.
... amateurs.
Not if you tie their hands behind the chair first.
... amateurs.
That just makes more work when you want to also break their fingers. Why not let their reflexes help you out?
DannoXYZ
02-17-09, 03:53 PM
You guys ever seen a knee bent backwards in reverse???