Software Uninstalled

Windows 10Windows 7ApplicationApplication Activity

Enabled by default

Service: Service Control Manager

Log type: System

Software removal may indicate previously used malicious software being taken off a machine or an attempt to disrupt the normal workflow.

View Logs
Get-WinEvent -FilterHashTable @{LogName='Application';ID='11724'} -MaxEvents 1 | Format-List
Check Logging Status
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Disable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Enable Logging
Unfortunately, due to current limitations, we do not yet have this command, stay tuned for updates!
Language: Powershell
Back to Windows

Compliance

HIPAA

Level: Recommended

https://www.hipaajournal.com/patch-update-computer-software-face-hipaa-sanction/

Software removal is logged automatically by windows and logs can be viewed in the application tab of the Event Viewer. However, it is important to note windows only logs events that are done through the MSInstaller in this log. To view these logs, sort or filter by event ID 11724.

To view this log in the command line with Get-WinEvent, open PowerShell as an administrator. From here, enter the command Get-WinEvent -FilterHashTable @{LogName='Application';ID='11724'} -MaxEvents 1 | Format-List

To view this log in the command line with wevtutil, open PowerShell or Command Prompt as an administrator. From here, enter the commandwevtutil qe Application "/q:*[System [(EventID=11724)]]" /f:text /c:1

Additional References