Pretty neat script I found on Reddit that will detect who installed what software on Windows Server and send an email alert. This can be so useful, in so many different ways.




1) Configure Event Logs:

Run eventvwr.msc → Windows Logs → Right-click “Application” log → Properties:
Make sure the “Enable logging” check box is selected
Increase the log size to at least 1 GB
Set retention method to “Overwrite events as needed” or “Archive the log when full”.

2) Creating an alert:

To create an instant alert that is triggered by any software installation, edit the following PowerShell script with your own parameters and save it anywhere as a .ps1 file (e.g., detect_software.ps1):

3) Code:

4) Create a new scheduled task:

Run Task Scheduler → Create a new scheduled task → Enter its name → Triggers tab → New trigger → Set up the following options:
Begin the task on an event
Log – Application
Source – Blank
EventID – 11707.

5) Action settings:

Go to the Actions Tab → New action with following parameters:
Action – Start a program
Program script: powershell
Add arguments (optional): -File “specify file path to our script”
Click “OK”.

Now you will be notified about every software installation on your Windows server via an e-mail message containing the installation time, the software name and the installer’s user ID (SID).

6) Convert SID to username:
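
An added example (not the original Reddit script) of an alert script that fits the task above: it reads the newest event 11707, translates the installer's SID to an account name, and mails the details. The SMTP server, the addresses, the `Resolve-SidToAccount` helper name and the `Product: ... --` message pattern are assumptions.

```powershell
# Added example. Placeholder settings (assumptions): replace with your own values.
$SmtpServer = 'smtp.example.com'
$From       = 'alerts@example.com'
$To         = 'admins@example.com'

function Resolve-SidToAccount {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    if ($null -eq $Sid) { return 'unknown (event has no UserId)' }
    try {
        # Translate() maps the SID to DOMAIN\user via the local machine or the domain.
        return $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Deleted or foreign account: keep the raw SID so the alert stays useful.
        return "unresolved SID $($Sid.Value)"
    }
}

# Newest MsiInstaller "installation completed" event (ID 11707) in the Application log.
$filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707 }
$evt    = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $evt) { return }   # no matching event, nothing to report

# Assumed message layout: "Product: <name> -- Installation ...". Fall back to the full text.
$product = if ($evt.Message -match 'Product:\s*(.+?)\s+--') { $Matches[1] } else { $evt.Message }

$body = @"
Time:      $($evt.TimeCreated.ToString('u'))
Server:    $($evt.MachineName)
Software:  $product
Installer: $(Resolve-SidToAccount $evt.UserId)
SID:       $($evt.UserId)
"@

$mail = @{
    SmtpServer = $SmtpServer; From = $From; To = $To
    Subject    = "Software installed on $($evt.MachineName): $product"
    Body       = $body
}
Send-MailMessage @mail
```

Because the script reports only the newest matching event, two installations that finish within the same moment can produce two alerts for the second one.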