Exploring the Program Inventory Event Log
Sunday, March 23, 2014
The Application Experience and Compatibility feature ensures that existing software keeps working across different versions of the Windows operating system. The implementation of this feature leaves behind some interesting program execution artifacts that are relevant to Digital Forensics and Incident Response (DFIR). I spent a lot of time talking about these artifacts in my posts: Revealing the RecentFileCache.bcf File, Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys, and Exploring Windows Error Reporting. In this short post I'm discussing another source of program execution information: the Application-Experience Program Inventory event log.
Where Is the Program Inventory Event Log
Similar to the other event logs on a Windows system, the program inventory event log (Microsoft-Windows-Application-Experience%4Program-Inventory.evtx) is located in the C:\Windows\System32\winevt\Logs folder as shown below. The %4 in the file name is the encoded form of the "/" in the channel name, Microsoft-Windows-Application-Experience/Program-Inventory, which is the name to use when querying the log with wevtutil or Get-WinEvent.
In the Windows event viewer the log can be found at: Applications and Services Logs\Microsoft\Application-Experience\Program-Inventory as shown below.
Program Inventory Event Log Relevance to DFIR
The DFIR relevance of the events recorded in this log has been mentioned by others. The Cylance Blog briefly mentions it in their post Uncommon Event Log Analysis for Incident Response and Forensic Investigations. The NSA document Spotting the Adversary with Windows Event Log Monitoring references the log in the Recommended Events to Collect section (pg 27). That document lists the following event IDs: 800 (summary of software activities), 903 & 904 (new application installation), 905 & 906 (updated application), and 907 & 908 (removed application). Harlan provides more context on how the events in this log can be useful in his post HowTo: Determine Program Execution, where he shares how he used this log to determine that an intruder had installed a tool on a compromised system. Now let's take a closer look at these event IDs to see what information they contain.
Event ID 800 (summary of software activities)
Event IDs 900 & 901 (new Internet Explorer add-on)
Event IDs 903 & 904 (new application installation)
Event ID 905 (updated application)
Event IDs 907 & 908 (removed application)
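To show how these event IDs turn into timeline entries, here is an added example (my code, not part of the original post or any tool it references). It takes Program-Inventory records in the XML shape that `wevtutil qe Microsoft-Windows-Application-Experience/Program-Inventory /f:xml` writes (consecutive Event elements with no enclosing root), keeps only the event IDs discussed above, and emits lines prefixed with "program execution" so they drop cleanly into a larger timeline. The sample records are constructed for the example, and the EventData field names in them (ProgramName, ProgramVersion) are assumptions; a real record carries whatever Data elements the event defines, and the parser keeps them all by name rather than depending on any particular one.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple
from datetime import datetime, timezone

# Namespace used by every exported Windows event record.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Program-Inventory event IDs covered in the post and the NSA guide,
# with the meaning each one carries.
PROGRAM_INVENTORY_EVENTS = {
    800: "summary of software activities",
    900: "new Internet Explorer add-on",
    901: "new Internet Explorer add-on",
    903: "new application installation",
    904: "new application installation",
    905: "updated application",
    906: "updated application",
    907: "removed application",
    908: "removed application",
}

TimelineEntry = namedtuple("TimelineEntry", "time category event_id meaning data")


def parse_system_time(stamp):
    """Parse a TimeCreated SystemTime value such as 2014-03-20T14:03:12.1234567Z.

    Windows writes seven fractional digits (100 ns); datetime only holds six,
    so the last digit is dropped. Records without a fraction are handled too.
    """
    main, _, frac = stamp.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    when = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    return when.replace(microsecond=micro, tzinfo=timezone.utc)


def parse_program_inventory(xml_records):
    """Turn exported Program-Inventory records into sorted timeline entries.

    xml_records is the concatenated <Event> elements as written by wevtutil
    (no root element), so a root is wrapped around them here. Events whose ID
    is not in PROGRAM_INVENTORY_EVENTS are skipped.
    """
    root = ET.fromstring("<Events>" + xml_records + "</Events>")
    entries = []
    for ev in root.iter(NS + "Event"):
        system = ev.find(NS + "System")
        event_id = int(system.findtext(NS + "EventID"))
        if event_id not in PROGRAM_INVENTORY_EVENTS:
            continue
        when = parse_system_time(system.find(NS + "TimeCreated").get("SystemTime"))
        # Collect every Data element by its Name attribute; no field is assumed.
        data = {}
        event_data = ev.find(NS + "EventData")
        if event_data is not None:
            for d in event_data.findall(NS + "Data"):
                data[d.get("Name", "")] = (d.text or "").strip()
        entries.append(TimelineEntry(when, "program execution", event_id,
                                     PROGRAM_INVENTORY_EVENTS[event_id], data))
    entries.sort(key=lambda e: e.time)
    return entries


def timeline_lines(entries):
    """Render entries as pipe-separated lines, category first so they can be
    grepped or merged into a super-timeline alongside other artifacts."""
    lines = []
    for e in entries:
        detail = ", ".join("%s=%s" % kv for kv in sorted(e.data.items()))
        lines.append("%s|%s|EventID %d (%s)|%s" % (
            e.time.isoformat(), e.category, e.event_id, e.meaning, detail))
    return lines


# Constructed sample records (not real log data). Deliberately out of
# chronological order, with one unrelated event ID that must be skipped.
# The Data names ProgramName/ProgramVersion are hypothetical.
SAMPLE_EVENTS = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Application-Experience"/><EventID>907</EventID><TimeCreated SystemTime="2014-03-22T09:15:40.5550000Z"/><EventRecordID>420</EventRecordID><Channel>Microsoft-Windows-Application-Experience/Program-Inventory</Channel><Computer>WIN7-LAB</Computer></System><EventData><Data Name="ProgramName">Example Tool</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Application-Experience"/><EventID>1</EventID><TimeCreated SystemTime="2014-03-22T09:00:00.0000000Z"/><EventRecordID>419</EventRecordID><Channel>Microsoft-Windows-Application-Experience/Program-Inventory</Channel><Computer>WIN7-LAB</Computer></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Application-Experience"/><EventID>903</EventID><TimeCreated SystemTime="2014-03-20T14:03:12.1234567Z"/><EventRecordID>412</EventRecordID><Channel>Microsoft-Windows-Application-Experience/Program-Inventory</Channel><Computer>WIN7-LAB</Computer></System><EventData><Data Name="ProgramName">Example Tool</Data><Data Name="ProgramVersion">1.0</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Application-Experience"/><EventID>800</EventID><TimeCreated SystemTime="2014-03-21T03:00:00.0000000Z"/><EventRecordID>415</EventRecordID><Channel>Microsoft-Windows-Application-Experience/Program-Inventory</Channel><Computer>WIN7-LAB</Computer></System></Event>
"""

if __name__ == "__main__":
    for line in timeline_lines(parse_program_inventory(SAMPLE_EVENTS)):
        print(line)
```

On a live system the input comes from wevtutil as noted above; from a dead image, export the records from the .evtx first and feed the XML in the same way. The category prefix is what makes the entries useful once they sit next to prefetch, registry and file system events in one timeline.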
Labels: program execution
Corey,
Great post! I've found this log useful enough to prepend events with "program execution" when parsing the records to be added to a timeline.
Great job...keep it up.
Hi Corey,
Great information. I don't see any other events besides event ID 800 on a Windows 8 VM. Have you tested in Windows 8 whether event IDs 9XX are written elsewhere? Or would it be best to focus on the Amcache.hve when hunting for malware on Windows 8? Thanks....
@daniel,
I haven't tested this artifact on Windows 8 so I can't speak to what is or isn't there. However, I would definitely look at the Amcache since it records programs installed and executed. It's definitely an awesome area for malware cases; still waiting for the chance to use it on a case.