Intro
Windows OS maintains a repository in the registry to keep track of applications that have been installed using the Windows Installer. This database is used by varying parts of the operating system in order to manage the installation, modification, and removal of software on the host.
This information can aid incident responders in determining whether a user has fallen victim to a social engineering attack and had unauthorized software installed, such as the screen-sharing or remote-control tools used by malicious actors.
Windows Installer
When an application is installed using the Windows Installer, the installer writes information about the application to the Windows Installer database, including information such as the application’s display name, version number, publisher, installation location, and uninstall string. This information is stored in the Windows registry, with a subkey for each installed application under the ‘Software\Microsoft\Windows\CurrentVersion\Uninstall’ key.
The information in the Windows Installer database can be found in either of these registry keys:
HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall
The Windows Installer is a standard way of installing and removing software programs on Windows systems. Programs that are installed using the Windows Installer are easier to manage and can be removed more easily than programs that are installed manually or using a custom installation script.
For instance, when you open Control Panel and click on ‘Add/Remove Programs’, or query installed software with Windows Management Instrumentation (WMI), these use the Windows Installer database to pull the necessary information regarding each application.
It is important to note that not all software installations are recorded in the Windows Installer database. Software installed by manually adding registry entries will not be documented. Furthermore, in-house or third-party custom installation scripts designed for customizing software installations are also unlikely to be recorded. Portable applications (stand-alone executables designed to run without installing anything on disk) will also not be recorded in the Windows Installer database, as they bundle all the dependencies they need to run independently.
Scenario
While this information might not sound like it is critical, entertain this scenario:
A user receives a call from someone claiming to be a technical support representative from their IT department. The caller tells the user that they have detected some suspicious activity on their computer and need to help fix the issue. The caller convinces the user to download and install TeamViewer, a remote-access software, so they can access the user’s computer and fix the supposed problem.
Once the user has installed and set up TeamViewer, the attacker gains full control of the user’s computer, allowing them to access sensitive information, install malicious software, or perform any other actions they desire. The user is unaware that their computer has been compromised, and the attacker continues to carry out their malicious activities unnoticed under the guise of being a good Samaritan.
In the event of an incident, it is crucial to have a comprehensive understanding of the tools involved. A thorough inventory of installed applications on the host can provide valuable insights into potential sources of malicious activity. Having this information readily available can aid incident responders in painting a more comprehensive picture of the situation.
Script
The following script will output to C:\temp\installed_applications.csv, extracting the most useful information about each application. It is important to note that each application may use its own customizations and some data may vary depending on the application itself. However, this should give you most of the information required in order to make a quick decision.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# Both the machine-wide and the current-user Uninstall keys are enumerated.
$hives = @("HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall")
# Resolve the hostname once rather than once per application subkey.
$hostname = (Get-WmiObject -Class Win32_ComputerSystem).Name
# Export-Csv fails if the output directory does not exist, so create it first.
if (-not (Test-Path "C:\temp")) { New-Item -ItemType Directory -Path "C:\temp" | Out-Null }
foreach ($hive in $hives) {
    $results = Get-ChildItem $hive |
        ForEach-Object {
            # Each subkey holds the values the installer wrote for one application.
            $obj = Get-ItemProperty $_.PsPath
            $obj | Add-Member -MemberType NoteProperty -Name Hive -Value $hive
            $obj | Add-Member -MemberType NoteProperty -Name Hostname -Value $hostname
            # Echo progress to the console, then pass the object down the pipeline.
            Write-Host $obj
            $obj
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, URLInfoAbout, URLUpdateInfo, EstimatedSize, Comments, Contact, DisplayIcon, PSPath, PSChildName, UninstallString, QuietUninstallString, Hive, Hostname
    # InstallDate is a yyyyMMdd string, so a descending text sort puts the newest installs first.
    $results = $results | Sort-Object -Property InstallDate -Descending
    # -Append so the HKCU results land in the same file as the HKLM results.
    $results | Export-Csv -Path "C:\temp\installed_applications.csv" -NoTypeInformation -Append
}
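As an added triage variant (example code written for this post, not the original script above), the following enumerates two locations the original script does not cover: the 32-bit Uninstall key under WOW6432Node on 64-bit Windows, and the per-user Uninstall key of every user hive currently loaded under HKEY_USERS, which is what HKCU resolves to for the interactive user only. It also converts the InstallDate string into a real date and flags entries whose DisplayName matches a watchlist. The watchlist contents, the output file name and the seven-day window are assumptions for this example.

```powershell
# Added example, not part of the original post. Inventory Uninstall keys from
# the 64-bit and 32-bit (WOW6432Node) machine hives and every loaded user hive,
# normalise InstallDate, and flag remote-access tools from a watchlist.
$ErrorActionPreference = 'SilentlyContinue'

# Per-user hives under HKEY_USERS are only reachable through a registry drive
# rooted there, which PowerShell does not create by default.
if (-not (Get-PSDrive -Name HKU)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$uninstallPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
# Each loaded user hive (S-1-5-21-... SIDs; skip the _Classes aliases) carries
# its own Uninstall key, the equivalent of HKCU for that user.
$uninstallPaths += Get-ChildItem 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Uninstall" }

# Constructed watchlist (assumption): display-name fragments of remote-access
# tools not expected on this host. TeamViewer is the tool from the scenario.
$watchlist = @('TeamViewer')

$hostname = $env:COMPUTERNAME

$inventory = foreach ($path in $uninstallPaths) {
    if (-not (Test-Path $path)) { continue }
    foreach ($key in Get-ChildItem $path) {
        $p = Get-ItemProperty $key.PSPath
        # Subkeys without a DisplayName are usually patches or hidden components.
        if (-not $p.DisplayName) { continue }

        # InstallDate, when present, is a yyyyMMdd string; parse it so it sorts
        # and compares as a date rather than as text. Many entries omit it.
        $installed = $null
        if ($p.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($p.InstallDate, 'yyyyMMdd', $null)
        }

        $flag = $null
        foreach ($w in $watchlist) {
            if ($p.DisplayName -like "*$w*") { $flag = $w; break }
        }

        [pscustomobject]@{
            Hostname        = $hostname
            Hive            = $path
            KeyName         = $key.PSChildName
            DisplayName     = $p.DisplayName
            DisplayVersion  = $p.DisplayVersion
            Publisher       = $p.Publisher
            InstallDate     = $installed
            InstallLocation = $p.InstallLocation
            UninstallString = $p.UninstallString
            Watchlist       = $flag
        }
    }
}

# Output file name is an assumption for this example.
$outDir = 'C:\temp'
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }
$inventory | Sort-Object InstallDate -Descending |
    Export-Csv -Path (Join-Path $outDir 'installed_applications_triage.csv') -NoTypeInformation

# Surface what a responder looks at first: watchlist hits, then anything
# installed within the last seven days (window is an assumption).
$inventory | Where-Object { $_.Watchlist } |
    Format-Table Hostname, DisplayName, Publisher, InstallDate, Hive -AutoSize
$inventory | Where-Object { $_.InstallDate -and $_.InstallDate -gt (Get-Date).AddDays(-7) } |
    Format-Table DisplayName, InstallDate, Publisher, InstallLocation -AutoSize
```

Run it from an elevated prompt so that the HKEY_USERS hives are readable; user hives that are not loaded (users not logged on) do not appear under HKEY_USERS and would need their NTUSER.DAT mounted separately. As the post notes, portable tools and manually placed binaries leave no Uninstall entry at all, so an empty watchlist result does not rule them out.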
Conclusion
In a forensic or incident response scenario, it is crucial to have a complete understanding of the tools and applications that were used. Inventorying installed applications on a host and gathering relevant information can help paint a larger picture for incident responders and assist in investigating any malicious activity.
The Windows Installer database, which contains information about software installations made through the Windows Installer, can be a valuable resource in this regard. By using techniques such as searching the registry, incident responders can obtain a comprehensive understanding of the applications present on a host.