For Windows, I've been trying to track installs/removals. MSI was a breeze. I'm attempting now anything that isn't MSI. I'm tracking changes in the following paths:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
• HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Two issues arose:

1. Uninstalled items just delete the whole key. I'd need to do a back-reference to determine what that was.
2. Programs that upgrade tend to do another CreateKey. It's difficult to differentiate between Installs and Upgrades.

Here's an example of my search for detecting installs.

index="winregmon" process_image!=*msiexec* registry_type="SetValue" *displayname*
| join type=left max=0 host data [
search index="winregmon" process_image!=*msiexec* (registry_type="CreateKey" OR registry_type="DeleteKey") latest=-16m
| dedup host
| rename registry_type as last_registry_type
| rename data AS deleted_data]
| dedup host data
| eval Date=strftime(_time, "%m-%d-%Y")
| eval Time=strftime(_time, "%H:%M:%S")
| table host data Date Time last_registry_type

In my various modifications of this search, either I detect installs + upgrades (i just want installs) or I miss data all together. I'm aware the search above isn't right, just for reference. My idea:

• Find the most recent registry change, per host
• Back-reference to the last Key modification event, Create/Delete
• If Create, it's an upgrade. If Delete, it's an install.
• Only show Installs (DeleteKey being the last event, for that host)