Installed Applications

Overview

Evidence: Installed Applications Description: Enumerate Installed Applications Category: System Platform: windows Short Name: apps Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Windows maintains a list of installed applications in registry Uninstall keys. This provides software inventory and key metadata such as version, publisher and key last write time.

Data Collected

This collector gathers structured data about installed applications.

Installed Applications Data

Field

Description

Example

AppName

Application display name

Google Chrome

Is32Bit

Whether this is a 32-bit application

FALSE

AppVersion

Application version

118.0.5993.89

Publisher

Software publisher

Google LLC

SystemComponent

Whether this is a Windows system component

FALSE

LastWriteTime

Registry key last write time

2023-10-15T14:30:00

Collection Method

This collector enumerates HKLM\SOFTWARE...\Uninstall in both 64-bit and 32-bit (WOW64) registry views, reading DisplayName, DisplayVersion, Publisher, SystemComponent and key last write time.

Forensic Value

This evidence is crucial for forensic investigations to identify installed or recently added software, detect suspicious tools, and support timeline and compliance analysis.

PreviousINF Setup NextIPv4 Routes

Last updated 3 days ago

Was this helpful?