Installed Applications
Overview
Section titled “Overview”Evidence: Installed Applications
Description: Enumerate Installed Applications
Category: System
Platform: windows
Short Name: apps
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Section titled “Background”Windows maintains a list of installed applications in registry Uninstall keys. This provides software inventory and key metadata such as version, publisher and key last write time.
Data Collected
Section titled “Data Collected”This collector gathers structured data about installed applications.
Installed Applications Data
Section titled “Installed Applications Data”| Field | Description | Example |
|---|---|---|
AppName | Application display name | Google Chrome |
Is32Bit | Whether this is a 32-bit application | FALSE |
AppVersion | Application version | 118.0.5993.89 |
Publisher | Software publisher | Google LLC |
SystemComponent | Whether this is a Windows system component | FALSE |
LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
Collection Method
Section titled “Collection Method”This collector enumerates HKLM\SOFTWARE…\Uninstall in both 64-bit and 32-bit (WOW64) registry views, reading DisplayName, DisplayVersion, Publisher, SystemComponent and key last write time.
Forensic Value
Section titled “Forensic Value”This evidence is crucial for forensic investigations to identify installed or recently added software, detect suspicious tools, and support timeline and compliance analysis.