Installed Applications

Overview

  • Evidence: Installed Applications

  • Description: Enumerate Installed Applications

  • Category: System

  • Platform: Windows

  • Short Name: apps

  • Is Parsed: Yes - Registry data is parsed into structured format

  • Sent to Investigation Hub: Yes

  • Collect File(s): No

Background

Windows maintains a registry-based inventory of installed applications in the Uninstall key. Both 32-bit and 64-bit applications register themselves here during installation, providing a comprehensive list of software installed on the system.

This information is used by Windows for the "Programs and Features" control panel and is a reliable source for application inventory, though some applications may not register themselves properly.

Data Collected

Field             Description                                   Example
AppName           Application display name                      Google Chrome
Is32Bit           Whether this is a 32-bit application          FALSE
AppVersion        Application version                           118.0.5993.89
Publisher         Software publisher                            Google LLC
SystemComponent   Whether this is a Windows system component    FALSE
LastWriteTime     Registry key last write time                  2023-10-15T14:30:00

Collection Method

This collector enumerates registry keys under:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (64-bit apps on 64-bit systems, 32-bit apps on 32-bit systems)

  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (32-bit apps on 64-bit systems)

For each application key, it reads:

  • DisplayName (required)

  • DisplayVersion (optional)

  • Publisher (optional)

  • SystemComponent (optional)

  • Registry key last write time
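The enumeration described above, as an added PowerShell example that is not the collector's own code. It assumes it runs on the live Windows host being examined; the key paths and value names come from this page, and the RegQueryInfoKey P/Invoke wrapper is my own addition because .NET exposes no registry key timestamp.

```powershell
# Added example (not the collector's code): enumerate both Uninstall keys and
# emit one record per application with the fields listed in the table above.
# Must run on the live Windows host; paths and value names are taken from the page.

# Key last write time is only reachable through RegQueryInfoKey, so wrap it via P/Invoke.
if (-not ('Win32.RegApi' -as [type])) {
    Add-Type -Namespace Win32 -Name RegApi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey, IntPtr lpClass, IntPtr lpcchClass,
    IntPtr lpReserved, out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen,
    out uint values, out uint maxValueNameLen, out uint maxValueLen,
    out uint securityDescriptor, out long lastWriteTime);
'@
}

function Get-KeyLastWriteTime([Microsoft.Win32.RegistryKey]$Key) {
    $a = $b = $c = $d = $e = $f = $g = [uint32]0; $ft = [long]0
    $rc = [Win32.RegApi]::RegQueryInfoKey($Key.Handle, [IntPtr]::Zero, [IntPtr]::Zero,
        [IntPtr]::Zero, [ref]$a, [ref]$b, [ref]$c, [ref]$d, [ref]$e, [ref]$f, [ref]$g, [ref]$ft)
    if ($rc -ne 0) { return $null }        # leave the field empty rather than guess a time
    [DateTime]::FromFileTimeUtc($ft)
}

function Get-InstalledApplication {
    # On 32-bit Windows only the first key exists and everything under it is 32-bit.
    $is64OS = [Environment]::Is64BitOperatingSystem
    foreach ($path in @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall')) {
        $is32 = (-not $is64OS) -or ($path -like '*\Wow6432Node\*')
        foreach ($key in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $name = $key.GetValue('DisplayName')
            if ([string]::IsNullOrWhiteSpace($name)) { continue }   # DisplayName is required
            [pscustomobject]@{
                AppName         = $name
                Is32Bit         = $is32
                AppVersion      = $key.GetValue('DisplayVersion')    # optional values may be absent
                Publisher       = $key.GetValue('Publisher')
                SystemComponent = (([int]($key.GetValue('SystemComponent', 0))) -eq 1)
                LastWriteTime   = Get-KeyLastWriteTime $key
                KeyPath         = $key.Name
            }
        }
    }
}

# Newest key writes first; treat them as install hints, not proof, until cross-checked.
Get-InstalledApplication | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Keys whose DisplayName is blank (common for update patches and hidden components) are skipped, which matches the collector's "required" rule and explains why the count is lower than the raw subkey count.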

Usage

Installed application inventory is essential for security assessments and incident response. Investigators use this data to:

  • Identify vulnerable software versions

  • Detect unauthorized software installations

  • Establish software installation timelines

  • Identify potentially malicious applications

  • Track software inventory for compliance

  • Detect remote access tools and hacking utilities

  • Correlate application presence with system events

Known Limitations

  • Only shows applications that register themselves in the Uninstall key

  • Portable applications are not captured

  • Some applications may not populate all fields

  • Registry key timestamps may not reflect actual installation time

Notes

The registry key last write time can indicate when an application was installed or updated, though it's not always reliable. Cross-reference with prefetch, amcache, and event logs for accurate installation timelines.
