How do I keep a log or track of installed apps under different users using a single system? Has anyone dealt with auditing in detail before? What if I want to keep track in detail? E.g. recently installed files for a new application and registry entries created/modified as a result… Is there anything within XP/Pro or 2000/Pro machines that can help me resolve this issue? This is mostly for identifying the users who are causing the spy-ware plague.
Re: Recently Installed Application Log/history/auditing
There are different apps out there, Google for it. They keep track of all registry/system/file changes.
Re: Recently Installed Application Log/history/auditing
Toddy bear, check out http://www.sysinternals.com. If you cannot find the utility you are looking for here, you are not looking.
Look at Regmon and Filemon.
Re: Recently Installed Application Log/history/auditing
Filemon only works when it is running prior to the installation of an application. I suspect that Regmon works the same way.
However, there might be a way to run one of these programs and save a snapshot, and then run it on the suspected computer again and do a comparison.
Re: Recently Installed Application Log/history/auditing
Thanks Giz, Kaleem and Fayax, I really appreciate your answers. I am still looking for a native-type application. Someone pointed at Sygate, which I think is mostly for managing firewall and other issues. But do share any info that you may come across related to this thread. Thanks!
Re: Recently Installed Application Log/history/auditing
Todd, I have read your question again. Here is what I suggest.
- You need to have a baseline of your systems when delivered to the users. What I mean by the baseline is … you need to know the state of the registry and the installed apps when the system is built and delivered to the user.
- If the problem is related to spyware … which it sounds like it is, this is what I recommend, short of commercial software. You can install Spybot - Search and Destroy and turn on the TeaTimer feature. This acts like a nuisance if nothing else … prompting users to allow the change to the registry (when an application tries to modify the registry).
- Here is an excellent article on auditing registry keys… http://support.microsoft.com/default.aspx?kbid=324739. This will, however, require you to specify the keys you want audited. I am not sure if this will help you, but it's a step in the right direction.
If you have a baseline of your registry, you can take a snapshot of the infected system's registry and compare it with your standard load and remove/delete the offending software.
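The baseline-versus-snapshot comparison suggested in the thread, sketched as an added example that is not part of any poster's reply: it parses two registry exports in regedit's `.reg` text format and lists keys and values that were added, removed or changed. The function names are hypothetical and both sample exports are constructed.

```python
# Added example: diff a baseline registry export against one from a suspect machine.
# Real regedit 5.00 exports are UTF-16: read with open(path, encoding="utf-16").
def split_value(line):
    """Split '"name"=data' or '@=data' into (name, data); None for other lines."""
    if line.startswith("@="):
        return "@", line[2:]
    i = 1
    while i < len(line) and line[i] != '"':
        i += 2 if line[i] == "\\" else 1      # skip escaped characters in the name
    if line.startswith('"') and line[i + 1:i + 2] == "=":
        return line[1:i], line[i + 2:]
    return None

def parse_reg(text):
    """Return {(key_path, value_name): raw_data}; value_name "" marks the key itself."""
    entries, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):               # hex data continues on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, "")] = ""
        elif key and split_value(line):
            name, data = split_value(line)
            entries[(key, name)] = data
    return entries

def diff_reg(baseline_text, suspect_text):
    """Report keys/values added, removed or changed relative to the baseline."""
    b, s = parse_reg(baseline_text), parse_reg(suspect_text)
    return {"added": sorted(k for k in s if k not in b),
            "removed": sorted(k for k in b if k not in s),
            "changed": sorted(k for k in s if k in b and s[k] != b[k])}

# Constructed sample exports (standard load vs. suspect machine).
BASELINE = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirus"="C:\\AV\\av.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://intranet.example/"
"""
SUSPECT = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirus"="C:\\AV\\av.exe"
"ExampleToolbar"="C:\\ExampleToolbar\\tb.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.example/"
[HKEY_CURRENT_USER\Software\ExampleToolbar]
"Config"=hex:01,00,\
  02,00
"""
```

Calling `diff_reg(BASELINE, SUSPECT)` on the samples reports the new autostart entry, the new vendor key and the changed browser start page; exporting only the hives of interest keeps the comparison manageable.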