The Application Experience and Compatibility feature ensures compatibility of existing software between different versions of the Windows operating system. The implementation of this feature results in some interesting program execution artifacts that are relevant to Digital Forensics and Incident Response (DFIR). I spent a lot of time talking about these artifacts in my posts:,, and.
In this short post I'm discussing another source containing program execution information, which is the Application-Experience Program Inventory Event Log.

Where Is the Program Inventory Event Log

Similar to the other event logs on a Windows system, the program inventory event log (Microsoft-Windows-Application-Experience%4Program-Inventory.evtx) is located in the C:\Windows\System32\winevt\Logs folder as shown below.

Program Inventory Event Log Relevance to DFIR

The DFIR relevance of the events recorded in this log has been mentioned by others.
The Cylance Blog briefly mentions it in their post. The NSA document references the log in the Recommended Events to Collect section (pg 27). The document outlined the following event IDs: 800 (summary of software activities), 903 & 904 (new application installation), 905 & 906 (updated application), and 907 & 908 (removed application). Harlan provides more context on how the events in this log can be useful in his post.
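To pull these event IDs out of the log in one pass, either from the live channel or from an exported .evtx collected during a response, the following PowerShell script is an added example for this post (it is not code from the original post, the NSA document, or any of the blogs cited). It assumes the channel name Microsoft-Windows-Application-Experience/Program-Inventory and the default log location under C:\Windows\System32\winevt\Logs; the meaning attached to each ID is the one listed above. The parameter names and the $idMeaning table are this example's own.

```powershell
# Added example: list Program Inventory events by the IDs the NSA document
# calls out, from the live log (default) or from an exported .evtx (-FromFile).
# Assumed: channel name and default evtx path below.
param(
    [string]$EvtxPath = "$env:SystemRoot\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx",
    [switch]$FromFile
)

# Event ID -> meaning, as listed in the post.
$idMeaning = @{
    800 = 'Summary of software activities'
    903 = 'New application installation'
    904 = 'New application installation'
    905 = 'Updated application'
    906 = 'Updated application'
    907 = 'Removed application'
    908 = 'Removed application'
}

# Build the Get-WinEvent filter: by log name on a live system, by path for an
# exported evtx (e.g. one copied off a compromised host).
$filter = @{ Id = [int[]]@($idMeaning.Keys) }
if ($FromFile) {
    $filter['Path'] = $EvtxPath
} else {
    $filter['LogName'] = 'Microsoft-Windows-Application-Experience/Program-Inventory'
}

# -ErrorAction SilentlyContinue so an empty log (no matching events) does not
# terminate the script; Get-WinEvent throws in that case.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # The EventData field names differ per event ID, so read whatever fields
    # the record carries instead of hard-coding a schema.
    $xml = [xml]$_.ToXml()
    $data = @{}
    if ($xml.Event.EventData) {
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
    }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        Meaning     = $idMeaning[[int]$_.Id]
        Fields      = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
} | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Run it without arguments on a live system, or with -FromFile -EvtxPath <copied log> when working from collected evidence. Sorting on TimeCreated puts the install, update and removal events in order, which is what you want when lining this log up against the other program execution artifacts (Prefetch, AppCompat, and so on) for the same window of time.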
He shared how he used this log to determine an intruder installed a tool on a compromised system. Now let's take a closer look at these event IDs to see what information they contain.

Event ID 800 (summary of software activities).