Check the Software Installation/Removal History in Windows
A complete history of software installations, updates, and removals on a computer can be found in Windows Event logs. These logs can also be used to identify the specific user who initiated the installation or removal of the application.
How to view the application installation logs in Windows:
- Open the Event Viewer snap-in (
eventvwr.msc
) - Expand Windows Logs -> Application
- Right-click on the log and select Filter current log
- Select MsiInstaller as the event source.
- Check the following events for information about installing or removing software.
- To find out which specific user uninstalled or installed the program, go to the Details tab in the event properties. Switch to the XML view mode. The user’s SID is specified in the Security UserID attribute value. Copy it.
- To find out which specific user uninstalled or installed the program, go to the Details tab in the event properties. Switch to the XML view mode. The user’s SID is specified in the Security UserID attribute value. Copy it.
- Run the following command to convert the user SID to an account name:
wmic useraccount where sid='S-1-5-21-3414967564-454070197-2746421142-1001' get name
This log only contains installation events for applications packaged in MSI/MSP packages (or in EXE files that actually run the MSI installer using msiexec.exe). The Windows Installer service (MSIServer) is used to install MSI packages. This service is used to manage the installation, maintenance, rollback, and removal of software on Windows. Some apps distributed in EXE file format don’t use the MSIServer service and therefore don’t write such events.
This command returns the name of the user who initiated the installation or removal of the program.
To get all the software installation and removal events from the Event log, use the Get-WinEvent cmdlet. For example, to list a history of successful software installations:
Get-WinEvent -FilterHashtable @{LogName="Application";ID=11707;ProviderName='MsiInstaller'} | Select TimeCreated,Message
Windows has a more convenient tool for viewing the history of installing, removing, and updating applications, including Microsoft Store (UWP) apps, and the Windows Update logs. This is the system Reliability Monitor.
Reliability Monitor is a separate graphical applet in the Classic Control Panel that displays the system stability index and detailed information about events that could affect the operating system’s stability (application crashes, software installation, removal events, etc.).
To open Reliability Monitor, go to Control Panel -> Security and Maintenance. In the Maintenance section, click the View reliability history link (or run the perfmon /rel
command).
View which updates, programs, and UWP apps have been installed or removed by day or week. For more information about the event, click the View technical details button.
This script displays all program installation, removal, and update events (including Windows updates and APPX/MSIX installations) on the computer for the last 7 days in the Out-GridView interactive graphical table.
$DaysAgo = (Get-Date).AddDays(-7)
$RealiabilityFilter= "TimeGenerated > '$DaysAgo' and (SourceName='Microsoft-Windows-WindowsUpdateClient' or SourceName='MsiInstaller')"
Get-CimInstance -ClassName Win32_ReliabilityRecords -filter $RealiabilityFilter|Select TimeGenerated,ProductName,User,message |Out-GridView
Filter events by a specific app, event, or user using Out-GridView’s built-in filters.