Scan event log to find if service was installed in the system

I recently had to scan the System event log on all production servers to find out which services had been installed. In this article I will describe how to scan your infrastructure for this specific event.

For selecting servers I used the Out-GridView command:

$List = ( Import-Csv 'D:\scripts\Servers.csv' )

# Opening new window to select servers
$Servers = $List | Out-GridView -Title "Select Servers (Holding CTRL Button)" -PassThru

Please note that in the ForEach loop you need to provide the name of the server column from the CSV file; in my case it was “Server name”:

ForEach($Server in $Servers."Server name")

We have to find EventID 7045, whose message starts with “A service was installed in the system”. We also have to exclude events generated by NT AUTHORITY\SYSTEM. To scan the event log we can use the Get-EventLog command available in PowerShell:

Get-EventLog -Log "System" -Source "Service Control Manager" | Where-Object {$_.EventId -eq 7045 -and $_.UserName -notlike "NT AUTHORITY\SYSTEM"}

The script will create an array with the following information:

– Server
– EventID
– Date
– User
– Service
– Path

At the end the results are displayed as a formatted table in the host:

$Array | Format-Table -AutoSize 

If you need to open the results in a new window or save them to a CSV file, you can use these examples:

# Open results in pop-up window
$Array | Sort-Object Service | Out-GridView -Title "Services"

# Export CSV
$Array | Export-Csv -Path C:\users\$env:username\desktop\results.csv -NoTypeInformation

Final script:

$ErrorActionPreference = "Stop"
$Array = @()
# Number of days back to search
$Time = 5
$List = ( Import-Csv 'D:\scripts\Servers.csv' )

# Opening new window to select servers
$Servers = $List | Out-GridView -Title "Select Servers (Holding CTRL Button)" -PassThru

# If options have not been selected write warning
If(!$Servers)
{
    Write-Warning "Servers have not been selected"
}
Else
{
    ForEach($Server in $Servers."Server name")
    {
        Write-Warning "Processing $Server"

        Try
        {
            # Query the remote System log for 7045 events from the last $Time days,
            # skipping services installed by NT AUTHORITY\SYSTEM
            $Events = Invoke-Command -ComputerName $Server -ScriptBlock {
                param($Time)
                Get-EventLog -Log "System" -Source "Service Control Manager" -After (Get-Date).AddDays(-$Time) |
                    Where-Object {$_.EventId -eq 7045 -and $_.UserName -notlike "NT AUTHORITY\SYSTEM"}
            } -ArgumentList $Time
        }
        Catch
        {
            # Report the error (for example an unreachable host) and move on to the next server
            Write-Warning "$Server : $($_.Exception.Message)"
            Continue
        }

        If($Events)
        {
            ForEach($Event in $Events)
            {
                # For event 7045, ReplacementStrings[0] is the service name and [1] the service file name
                $Object = New-Object PSObject -Property ([ordered]@{
                    Server   = $Server
                    EventID  = $Event.EventId
                    Date     = $Event.TimeGenerated
                    User     = $Event.UserName
                    Service  = $Event.ReplacementStrings[0]
                    Path     = $Event.ReplacementStrings[1]
                })

                $Array += $Object
            }
        }
    }
}

If($Array)
{
    Write-Host "`nResults:" -ForegroundColor Yellow
    $Array | Format-Table -AutoSize
}
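As an added example (not the author's script), the same collection rewritten around Get-WinEvent, which is also available where Get-EventLog is not (PowerShell 6 and later); it reads the remote log with -ComputerName instead of Invoke-Command, excludes SYSTEM by its well-known SID rather than by display name, and takes every field of the 7045 message from the event's XML, which makes it possible to flag services whose image path points into a user-writable folder. The function name and the path pattern are assumptions of this example.

```powershell
function Get-ServiceInstallEvent {
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 5,
        # Constructed pattern: services loading from user-writable folders deserve a closer look
        [string]$SuspiciousPathPattern = '\\(Temp|AppData|Users\\Public|Downloads)\\'
    )

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    foreach ($computer in $ComputerName) {
        try {
            # -ErrorAction Stop makes "no events found" and access errors reach the catch block
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        foreach ($event in $events) {
            $sid = if ($event.UserId) { $event.UserId.Value } else { $null }
            # S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM
            if ($sid -eq 'S-1-5-18') { continue }

            # EventData holds the named fields the message text is rendered from
            $data = @{}
            foreach ($d in ([xml]$event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Server     = $computer
                Date       = $event.TimeCreated
                UserSid    = $sid
                Service    = $data['ServiceName']
                Path       = $data['ImagePath']
                Account    = $data['AccountName']
                StartType  = $data['StartType']
                Suspicious = [bool]($data['ImagePath'] -match $SuspiciousPathPattern)
            }
        }
    }
}

# Local run; pass -ComputerName with the servers from the CSV, and pipe to Export-Csv or Out-GridView as in the post
Get-ServiceInstallEvent -Days 5 | Format-Table -AutoSize
```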
