How to Track Software Installation and Removal Using Event IDs 11707, 11724, and 592


For some requirements, you may need to trace software installations and removals along with the user account details.

There are events you can look for in both the Application Event Log and the Security Event Log that will help you do this.

In the Application log, setup packages that use the Windows Installer to install themselves will create numerous events, all with an event source of MsiInstaller.

Event ID 11707 tells you when an install completes successfully, and also the user who executed the install package.

Event ID 11724 tells you when a software package is removed successfully, again logging the user behind the operation.

Event ID 592 in the Security log tells you the exact user account that was used during the installation/removal process.
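
To pull the MsiInstaller events described above out of the Application log together with the account behind each one, a query along these lines can be used. This is an added example, not part of the original post; the 30-day look-back window and the variable names are assumptions.

```powershell
# Added example: list MSI install (11707) and removal (11724) events
# with the account recorded on each event.
$Days = 30   # look-back window; assumed value, adjust as needed

$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 11707, 11724
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises an error when nothing matches the filter,
# so suppress it and fall back to an empty set.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$events | ForEach-Object {
    # UserId is the SID stored in the event header; some records have none.
    $account = '(no user recorded)'
    if ($_.UserId) {
        try {
            $account = $_.UserId.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted accounts or unreachable domains cannot be resolved; keep the raw SID.
            $account = $_.UserId.Value
        }
    }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Action      = if ($_.Id -eq 11707) { 'Install' } else { 'Removal' }
        Account     = $account
        Computer    = $_.MachineName
        Message     = ("$($_.Message)" -split "`r?`n")[0]   # first line of the event message
    }
} | Sort-Object TimeCreated
```

Pipe the result to `Export-Csv` or `Format-Table -AutoSize` as needed; add `-ComputerName` to `Get-WinEvent` to query a remote machine.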

How to Resize User Profile Disks – The easy way


Enlarging the drive is very simple if you have Hyper-V installed. If you are running the VM in a virtual environment, it is not possible to have the Hyper-V role installed.

To overcome this issue, you can simply add the Hyper-V role on Windows 8/8.1/10 workstations.

The steps are as follows:

  1. The affected user has to be logged off so the .vhdx file is not mounted
  2. Locate the UPD share and translate the user’s SID to a username so you’ll get the correct file (Sidder Tool)
  3. Take a backup (copy) of the file just in case…
  4. Resize the disk (either within Hyper-V Manager or with PowerShell / on the workstation)
  5. Mount the file and extend the disk within Disk Manager

The UPD can be easily resized using PowerShell (this will enlarge the drive to 300GB):

PS C:\> Resize-VHD -Path C:\path-to-vhd-file\your-VHD-file.vhd -SizeBytes 300GB

Then, simply attach the disk and extend as necessary.