
Programs Installed In Non-Standard Windows Locations

Description: Programs Installed In Non-Standard Windows Locations

What The Data Shows: Programs Installed Outside of C:\Program Files 

SQL: 

SELECT path,
       DATETIME(atime, 'unixepoch', 'localtime') AS "Last Accessed",
       DATETIME(mtime, 'unixepoch', 'localtime') AS "Last Modified",
       DATETIME(ctime, 'unixepoch', 'localtime') AS "Created"
FROM file
WHERE path LIKE '\users\%\AppData\%.exe'
   OR path LIKE '\users\%\AppData\Roaming\%.exe'
   OR path LIKE '\ProgramData\%.exe';

 

2 Comments
Carbon Black Employee
Status changed to: Under Review

@stympanick Thanks for your submission, and sorry it took me a while to review it.

I would suggest not relying on the programs table when writing these types of queries. The data in this table is dependent on the creator of the MSI to properly construct it so all the data populates. On a lab system I have 70 items in the programs table and 62 of them do not have an install_location. Also, if a binary is installed without a Windows installer then it will not populate in this table.

Instead I have found leveraging the file table to be a much better solution. Here is an example of a query looking for executables in non-standard locations:

SELECT path,
       DATETIME(atime, 'unixepoch', 'localtime') AS "Last Accessed",
       DATETIME(mtime, 'unixepoch', 'localtime') AS "Last Modified",
       DATETIME(ctime, 'unixepoch', 'localtime') AS "Created"
FROM file
WHERE path LIKE '\users\%\AppData\%.exe'
   OR path LIKE '\users\%\AppData\Roaming\%.exe'
   OR path LIKE '\ProgramData\%.exe';

 

Carbon Black Employee
Status changed to: Approved
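
Added example (not part of the original submission or the reviewer's comment): the approved file-table query extended for triage, so each hit carries its Authenticode status and SHA-256 and anything not reported as trusted sorts first. It goes beyond the thread in assuming that osquery's Windows `authenticode` and `hash` tables are available in the query environment; the path patterns are the ones from the query above.

```sql
-- Added example: enrich the file-table hits with signer and hash data.
-- Assumption: the osquery Windows tables `authenticode` and `hash` are
-- available; both accept the path supplied by the join on file.path.
SELECT f.path,
       a.result       AS "Signature Status",
       a.subject_name AS "Signer",
       h.sha256       AS "SHA-256",
       DATETIME(f.mtime, 'unixepoch', 'localtime') AS "Last Modified"
FROM file AS f
LEFT JOIN authenticode AS a ON a.path = f.path
LEFT JOIN hash         AS h ON h.path = f.path
WHERE f.path LIKE '\users\%\AppData\%.exe'
   OR f.path LIKE '\users\%\AppData\Roaming\%.exe'
   OR f.path LIKE '\ProgramData\%.exe'
-- Rows without a 'trusted' result (including rows with no signature data)
-- come first, since those are the ones to review.
ORDER BY CASE WHEN a.result = 'trusted' THEN 1 ELSE 0 END,
         f.path;
```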