# Installed Applications

## Overview

**Evidence:** Installed Applications\
**Description:** Enumerate Installed Applications\
**Category:** System\
**Platform:** windows\
**Short Name:** apps\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Windows maintains a list of installed applications in registry Uninstall keys. This provides software inventory and key metadata such as version, publisher and key last write time.

## Data Collected

This collector gathers structured data about installed applications.

### Installed Applications Data

| Field             | Description                                | Example             |
| ----------------- | ------------------------------------------ | ------------------- |
| `AppName`         | Application display name                   | Google Chrome       |
| `Is32Bit`         | Whether this is a 32-bit application       | FALSE               |
| `AppVersion`      | Application version                        | 118.0.5993.89       |
| `Publisher`       | Software publisher                         | Google LLC          |
| `SystemComponent` | Whether this is a Windows system component | FALSE               |
| `LastWriteTime`   | Registry key last write time               | 2023-10-15T14:30:00 |

## Collection Method

This collector enumerates HKLM\SOFTWARE...\Uninstall in both 64-bit and 32-bit (WOW64) registry views, reading DisplayName, DisplayVersion, Publisher, SystemComponent and key last write time.

## Forensic Value

This evidence is crucial for forensic investigations to identify installed or recently added software, detect suspicious tools, and support timeline and compliance analysis.