Professionals chasing ghosts in sluggish systems often miss the ledger right under their noses. Windows logs every successful MSI-based app install and uninstall. Time-stamped. Precise. Event IDs 1033 and 1034 in the Application log capture product names, versions, the works. Afam Onyimadu spotlighted this in MakeUseOf last week, admitting even after 15 years with the OS, ‘Windows had this all along and I somehow never triggered it.’
Hit Windows key, type Event Viewer, launch it. Dive into Windows Logs, then Application. Thousands of entries stare back. Filter smartly: right pane, Filter Current Log, punch in 1033,1034 for Event IDs. OK. Noise vanishes. Sort by date. Boom—chronicle of software changes. A 1033 flags installation: say, ‘Product: Adobe Reader DC (Version: 2024.001.200) installed.’ Paired 1034s mark removals before updates. Failed ops? No dice. Only MSI triumphs make the cut. Microsoft Store apps, portables, EXEs? Ghosts.
Log caps at 20MB. Older stuff overwrites on busy rigs. Weeks of history on quiet ones, months maybe. Anchor troubleshooting here. Performance tanked last Tuesday? Scroll to that date. Spot the culprit app drop. Reliability Monitor hints at stability hits from installs but skips the full trail. Settings’ app list? Current snapshot only, no past.
PowerShell amps this up for bulk pulls: Get-WinEvent -FilterHashtable @{LogName='Application'; ID=1033,1034} | Select TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap. Exports timelines fast. IT teams script it for audits, tying changes to tickets. Enterprise? Intune now inventories shadow IT with metadata (publisher, size, uninstall strings) per device, as Microsoft Mechanics noted on X days ago. PowerShell script installs are generally available there too.
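A date-bounded version of the bulk pull above, as an added example that is not from the article: it restricts the query to the MsiInstaller provider, warns when the requested window is older than what the log still retains, and splits product and version out of the message. The function name, the sample events and the assumed message layout are illustrative.

```powershell
# Added example, not from the article. Get-MsiChangeTimeline is a hypothetical name.
# Assumed message layout: "... Product Name: X. Product Version: Y. Product Language: ..."
function Get-MsiChangeTimeline {
    param(
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End   = (Get-Date),
        [object[]]$Events   # optional pre-collected events, used for the offline sample
    )
    if (-not $Events) {
        # The Application log rolls over: warn when the window predates what is retained.
        $oldest = (Get-WinEvent -LogName Application -Oldest -MaxEvents 1).TimeCreated
        if ($oldest -gt $Start) {
            Write-Warning "Application log starts at $oldest; earlier events are not retained."
        }
        $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
                     Id = 1033, 1034; StartTime = $Start; EndTime = $End }
        $Events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        # Pull the product and version out of the free-text message (assumed layout).
        $product = if ($e.Message -match 'Product Name:\s*(.+?)\.\s+Product Version:') { $Matches[1] }
        $version = if ($e.Message -match 'Product Version:\s*(.+?)\.\s+Product Language:') { $Matches[1] }
        $action  = if ($e.Id -eq 1033) { 'Install' } else { 'Remove' }
        [pscustomobject]@{ Time = $e.TimeCreated; Action = $action; Product = $product; Version = $version }
    }
}

# Constructed sample events (not real log data): an update seen as remove-then-install.
$msgOld = 'Windows Installer removed the product. Product Name: Example Reader. Product Version: 1.0.0. Product Language: 1033. Manufacturer: Example Corp.'
$msgNew = 'Windows Installer installed the product. Product Name: Example Reader. Product Version: 1.1.0. Product Language: 1033. Manufacturer: Example Corp.'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-14T09:02:11'; Id = 1034; Message = $msgOld }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-05-14T09:02:40'; Id = 1033; Message = $msgNew }
)
Get-MsiChangeTimeline -Events $sample | Format-Table -AutoSize

# Live use on a Windows host, e.g. the days around a reported slowdown:
# Get-MsiChangeTimeline -Start '2024-05-13' -End '2024-05-15' |
#     Export-Csv msi-changes.csv -NoTypeInformation
```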
But gaps persist. Non-MSI world dominates: Store apps log elsewhere, under Microsoft-Windows-AppxDeployment/PackageManagement or StoreLibrary. Event ID 5961 for installs, say. PowerShell queries those: Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-AppxDeployment/PackageManagement'; ID=5961}. Enterprise pros cross-reference with registry hives like SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for current states, but events give motion.
Forensics leans hard on this. Attackers drop payloads via MSI? Trail lights up. Blue teams hunt persistence by scanning install spikes. C:\Windows\System32\config\SOFTWARE holds install keys, but events timestamp actions. Pair with Prefetch for execution proof. Vivek on X lists these dirs as must-checks: Amcache.hve for app runs, tying back to Event Viewer hits.
Admins tweak retention. Event Viewer, right-click Application, Properties: bump max size, clear old logs. Or XML config for custom views, saving filters. From a PowerShell prompt, wevtutil cl Application clears that one log in full, install history included. Enterprise logging? Forward to SIEM via subscriptions.
Overlooked no more. That 20MB vault beats guesswork. Systems slow? Check installs first. Changed software mid-quarter? Prove it. Windows built this tracker years back. Time to read it.


WebProNews is an iEntry Publication