
Programs Installed In Non-Standard Windows Locations

Description: Programs Installed In Non-Standard Windows Locations

What The Data Shows: Programs Installed Outside of C:\Program Files 

SQL: 

SELECT path,
       DATETIME(atime, 'unixepoch', 'localtime') AS "Last Accessed",
       DATETIME(mtime, 'unixepoch', 'localtime') AS "Last Modified",
       DATETIME(ctime, 'unixepoch', 'localtime') AS "Created"
FROM file
WHERE path LIKE '\users\%\AppData\%.exe'
   OR path LIKE '\users\%\AppData\Roaming\%.exe'
   OR path LIKE '\ProgramData\%.exe';

 

1 Comment
Carbon Black Employee
Status changed to: Under Review

@stympanick Thanks for your submission, and sorry it took me a while to review it.

I would suggest not relying on the programs table when writing these types of queries. The data in this table is dependent on the creator of the MSI to properly construct it so all the data populates. On a lab system I have 70 items in the programs table and 62 of them do not have an install_location. Also, if a binary is installed without a Windows installer then it will not populate in this table.

Instead I have found leveraging the file table to be a much better solution. Here is an example of a query looking for executables in non-standard locations:

SELECT path,
       DATETIME(atime, 'unixepoch', 'localtime') AS "Last Accessed",
       DATETIME(mtime, 'unixepoch', 'localtime') AS "Last Modified",
       DATETIME(ctime, 'unixepoch', 'localtime') AS "Created"
FROM file
WHERE path LIKE '\users\%\AppData\%.exe'
   OR path LIKE '\users\%\AppData\Roaming\%.exe'
   OR path LIKE '\ProgramData\%.exe';
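
An added example, not part of the original submission or the Carbon Black comment: the same file-table query joined to osquery's authenticode and hash tables, so each hit carries its signature status, signer and SHA-256 for triage. It assumes a Windows endpoint where those tables are available; the column aliases and the sort order are choices made here.

```sql
-- Added example: enrich executables found in non-standard locations
-- with Authenticode status and a hash, so unsigned or untrusted
-- binaries sort to the top of the result set.
-- Note: in osquery's file table a single % matches one path level;
-- %% matches recursively. The patterns below are kept as posted.
SELECT f.path,
       a.result       AS "Signature Status",
       a.subject_name AS "Signer",
       h.sha256       AS "SHA-256",
       DATETIME(f.mtime, 'unixepoch', 'localtime') AS "Last Modified",
       DATETIME(f.ctime, 'unixepoch', 'localtime') AS "Created"
FROM file AS f
-- LEFT JOINs keep the file row even when no signature or hash row is returned.
LEFT JOIN authenticode AS a ON a.path = f.path
LEFT JOIN hash AS h ON h.path = f.path
WHERE f.path LIKE '\users\%\AppData\%.exe'
   OR f.path LIKE '\users\%\AppData\Roaming\%.exe'
   OR f.path LIKE '\ProgramData\%.exe'
-- Rows whose signature result is not 'trusted' (or is NULL) come first,
-- most recently modified first within each group.
ORDER BY (a.result = 'trusted'), f.mtime DESC;
```

Many legitimate per-user installers also place executables under AppData, so signature status and hash are what separate the expected hits from the ones worth a closer look.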