Thursday, July 24, 2008

Learn Something New, July 24 2008 Edition

Suppose you want to know who installed a program on a Windows server.

Enter the registry, and navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData. You'll find branches for each user that has installed anything on the server, identified by SID. Within the branches you'll see a 'Products' branch.

Expand the Products branch, and every product that user has installed is listed, by GUID.

You're probably reading this thinking to yourself that you don't care about the SIDs and GUIDs; those don't help you at all! True, but keep reading.

Now, if you expand the Product branches and then click on 'InstallProperties' for each one, you'll see details of the installation. One of those details is the 'DisplayName'. The Display Name describes the program that was installed. You can now, obviously, go through the list and find a particular program you're interested in. Once you've found the program, look at the UserData branch that contains the installed program's branch: its name is the SID of the user that did the install.

NOW, scoot over to HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList. This branch lists the SIDs of each user that has a profile on the system (effectively, any user that has ever logged on to that machine).

Each SID contains details that describe it, including a key labelled 'ProfileImagePath'. This points to the Documents and Settings folder for that user. These are almost always named according to the user, so if the folder is called jsmith, then that profile is likely JSmith's profile.

Be aware that if the user has a local profile as well as a domain profile, there will likely be two similar paths in Documents and Settings, e.g. jsmith and also jsmith.domainname.
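The same walk, scripted in PowerShell so the two registry branches are joined for you. This is an added example, not code from the original post; it assumes an elevated session on the server being examined, and the notes about the S-1-5-18 branch and the compressed GUID form are general Windows Installer behaviour rather than anything the post states.

```powershell
# Added example: list Windows Installer (MSI) products under Installer\UserData
# and attribute each one to the installing account via ProfileList.
$userData    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$nameFilter  = '*'   # e.g. '*Java*' to narrow the listing to one product

function Resolve-InstallerSid {
    param([string]$Sid)
    # Per-machine MSI installs are recorded under the SYSTEM SID, not a user SID.
    if ($Sid -eq 'S-1-5-18') { return 'SYSTEM (per-machine install)' }
    $profile = Get-ItemProperty -Path (Join-Path $profileList $Sid) -ErrorAction SilentlyContinue
    if ($profile -and $profile.ProfileImagePath) {
        # Folder name is a hint only: jsmith vs. jsmith.domainname distinguishes local/domain.
        return (Split-Path -Leaf $profile.ProfileImagePath)
    }
    # No profile folder (account deleted, or never logged on interactively): ask LSA.
    try {
        $ntAccount = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
                        [System.Security.Principal.NTAccount])
        return $ntAccount.Value
    } catch {
        return $Sid   # nothing could resolve it; keep the raw SID as evidence
    }
}

Get-ChildItem -Path $userData -ErrorAction Stop | ForEach-Object {
    $sid      = $_.PSChildName
    $who      = Resolve-InstallerSid -Sid $sid
    $products = "$($_.PSPath)\Products"
    if (-not (Test-Path $products)) { return }   # this SID installed nothing
    Get-ChildItem -Path $products | ForEach-Object {
        $props = Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.DisplayName) { return }
        if ($props.DisplayName -notlike $nameFilter) { return }
        [PSCustomObject]@{
            InstalledBy = $who
            Sid         = $sid
            DisplayName = $props.DisplayName
            Version     = $props.DisplayVersion
            Publisher   = $props.Publisher
            InstallDate = $props.InstallDate   # stored as a yyyyMMdd string
            ProductKey  = $_.PSChildName       # Installer's compressed GUID, not the product code as shipped
        }
    }
} | Sort-Object InstalledBy, DisplayName | Format-Table -AutoSize
```

Only MSI-based installations appear under Installer\UserData; software put on the box by a non-MSI setup program or copied by hand leaves no record here.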
