How to determine who installed a program?
I need to figure out who installed a particular program (Adobe Flash) on a server.
How can I do that?
Depending on your logging level, you may be able to look through the event logs and see who called the installer.
In fact, I just installed Adobe Reader on a default 2008 R2 VM, and did find that it recorded the user who installed the program. Sort of.
EventID 1040, Source: MsiInstaller UserID: [GUID].
Correlate that GUID to a user, and you're golden.
If, of course, you're in the unfortunate position of not having that log entry, your best bet is to go through and see if you can determine when, precisely, it was installed, and correlate that with the Security Event Logs to determine with had an interactive logon session at that time.
The Adobe installer logs might be more helpful in narrowing down the precise time of install too, as it's possible your logging level didn't even log a non-MS application installation in the Event Logs. Either way, it's probably a matter of finding the precise time, and going through the Security logs to determine who had an open type 2 or type 10 logon during that time.
It's really kind of a pain, and if you're the one who's going to be relegated to log diving, it might not be a horrible idea to do a quick cost/benefit breakdown of how much it's going to cost to ferret out this [not-entirely-conclusive] information, because it's not exactly a smoking gun. It'll give you a pretty strong case as to who did it, but unless you have a high enough logging level to see which user called the installer, it's not going to be considered definitive proof. (Or at least I've never seen it taken that way.)
Using Event Viewer, you can filter the Application log
for Event ID 11707
. Search by the particular date/time you think the program was installed and it will also list a user name. Very useful if you need to track who is installing what, when.
Alternatively, you can filter the Application log
for Event ID 11724
if you need to see who uninstalled an application.
Information found through this website.