Finding installed Software applications

[ohio_grad_06]

So maybe this isn't the right place, but we are adopting a software policy of approved software, so we are attempting to see what users have installed on their PC's.

We were attempting to use the commands listed here.

How to get installed software list with version numbers using PowerShell

See how to list installed programs & their versions with PowerShell. Check if GPO deployment was successful. Guide for local & remote PCs.

www.codetwo.com

Specifically this command

Get-WmiObject Win32_Product -ComputerName TestComputerName| select Name,Version

Replacing the "TestComputerName" with the name of a system on the network, and it does seem to work and goes out and pulls some data on applications installed, but when we are looking and comparing, for example, I'm not finding everything that I can see installed on my own PC if I run it against that.

I also tried some of the options for remote registry, but still the same. Programs such as 1Password etc, are not showing up. Is there an easier way to do this where we can just read the output? Prefer not to have to use an agent of some kind to have to install on each system.

 

[Markverhyden]

I'd bet that won't capture any portable applications.

 

[ohio_grad_06]

Doesn't seem to. For example, we've had people install free software on their systems, which is obviously not good. Some of the people think they know more than they do, and we are trying to get a list of approved software, such as Office, Adobe, whatever properly licensed software people use and then attempt to lock it to only those applications.

 

[britechguy]

My favorite utility for doing this has always been Belarc Advisor.

 

[glennd]

There'll always be a bunch of stuff people use that won't show up in the uninstall list. Many programs don't have installation procedures. Many programs do, but don't have official Windows installations, many won't add themselves to the programs list. Running scripts will never give you the complete picture.

 

[Markverhyden]

The catch is M$ still allows "unregistered", as in not registered with the registry, software. Meaning it'll allow a .com or .exe to be run as long as the login credentials allow that. The only way to control that is to implement tightly control Domain GP's

Apple has a procedure to block apps not registered with them. But it's a bit of a joke. Not only can you turn the feature off they allow cr@pware like Genio and Mac cleaner to run since they pay to belong to the developers sites.

 

[NviGate Systems]

I dabbled in this for a bit as part of my diagnostics program. Depending on what you query in Windows you get different answers.

I think my line of thought before I abandoned it, was a combo of folder names in the program files plus a registry dump of the current installation. I was looking for something I could parse and display. A standalone app on each PC will get you better results. I tried the network approach but it was hit and miss.

Part of the way that you can prevent unwanted apps is by remove administrator rights from each user. Frankly, letting users have admin rights is just asking for trouble. That will cut out most installation. Some apps that don't need admin access will still run, but you can at least cut back on the ones that do.

 

[ohio_grad_06]

That is another part of the discussion lol. We are a non profit, so many times a system would be purchased, and sometimes divisions would just go out and buy systems. Like we'd have an executive just show up with a system from Costco for example and want us to make it work.

We used to have the policy of not letting users install their own software but people grumbled and complained so often and so loudly that my boss got tired of dealing with a lot of calls complaining about the policy, even though we all know that you need policies like that. It used to be we had to act almost like a repair shop within the organization, which is we had to bill out to every division for tickets they put in, so you had users who would get very afraid their division would get billed for something(I think we charged like 12 dollars an hour). But people would not put in a ticket until their systems were basically almost not working.

In recent years they've gone more towards a traditional model of giving IT a budget so that we don't have to do the above any longer, but hopefully recent news has helped. We are trying to get people towards using an approved list of software, and towards putting everything into OneDrive where it can be synced and have versioning since it's included with Office 365, and I would say to start getting away from file servers at some point.

 

[britechguy]

We are trying to get people towards using an approved list of software

Which is a great idea provided that those doing the approving are willing to revisit what's on that list promptly, on demand. These things tend to become ossified and treated as a cudgel to prevent people from being able to try out new software that is pertinent to the jobs they're doing.

It doesn't take all that long to review most programs and make a go/no-go decision, and to be able to give an explanation of just why a no-go decision has been made when it's been made.

The problem is, that virtually never happens.

And heaven forbid you're in a setting like a school, a rehabilitation center, or similar where playing with new software is part and parcel of what one should be doing on a routine basis. You either need to have computers that are dedicated to that, which still have internet access at least, or have a waiver system in place for specific users who cannot do their jobs if forced to use "the standard setup" with no latitude to dabble.

 

[Markverhyden]

We are trying to get people towards using an approved list of software,

This is a management issue, plain and simple. The problem is management is afraid of loosing people by implementing procedures and processes like that. Especially with a non-profit where, I'm sure, the pay is a bit lower than other types of organizations. So you need to sell them on it.

If it was me I'd try to log past support requests, especially time involved, dealing with so many dissimilar systems. As mentioned above if you remove admin privs from the accounts that'll restrict installations. But that requires Pro versions to manage the fleet in an economical fashion.

 

[britechguy]

dealing with so many dissimilar systems.

The question is also: How many?

If we're talking a tiny non-profit with 10 computers or less, it's not a herculean task to deal with all the computers as truly personal computers, or it shouldn't be. If people are given admin permissions then they are responsible for making informed choices about what they change, whether that's installing software, removing it, etc.

If we're talking anything much beyond that, it starts getting very hairy very quickly.

 

[ohio_grad_06]

It's probably between 100-200 devices lol. I think we've finally decided on, we have a spiceworks account, so they have an inventory agent that you can use. We are going to take a sampling for now of about 2-3 systems per division, that way we at least have an overview of what people are using for the time being. Then we can dig more into stuff as we go if needed.

 

[britechguy]

@ohio_grad_06

If this organization has any employees who, due to actual business need, cannot be restricted in the way that the vast majority can, be certain to plan for that, too.

One of the IT "enforcers" I was once subject to did this, and granted only very rare exceptions, for "out of scope" machines that could still use the network. And I was one of the people who needed one of those. I was a cognitive rehab therapist in a brain injury services program right around the time that Palm was rapidly reaching its zenith and when Palm-powered devices were beginning to be used extensively as cognitive prosthetics for memory and executive function. Between those constantly evolving, and Palm Desktop with it, and a number of other pieces of software that we needed to trial out based on client needs, I could never have done my job were I not to have been given free rein over that one particular PC. I will note, too, that it was not my "office PC" where I did things like report writing and dealing with any HIPAA information.

 

[ohio_grad_06]

There are definitely going to be some things to check. We have what they call an IT governance committee. So essentially, it's a committee made up of the executives from each division, so they are starting to wade into some of the issues. So they can make further determinations.