MsiInstaller events.
Applications that use Windows Installer log both installation and removal events to the Application event log under the MsiInstaller source: event ID 11707 is a completed installation and 11724 a completed removal, and both carry the product name in the message. These are extremely useful for identifying malicious or unexpected application installs.
Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=11707} | select TimeCreated,ID,Message |ft -auto -wrap
Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=11724} | select TimeCreated,ID,Message |ft -auto -wrap
There are many other events from MsiInstaller (installation started, failed, reconfigured and so on); if you need to see all of them, filter the Application log by the MsiInstaller event source. Note that Get-EventLog exists only in Windows PowerShell 5.1 and earlier; on PowerShell 7 use Get-WinEvent with ProviderName='MsiInstaller' in the filter hashtable instead.
Get-EventLog -LogName application -Source MsiInstaller
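The two one-liners above print raw messages. The function below is an added example (not part of the LRUP code or the original page) that queries both IDs in one call through Get-WinEvent, so it also works on PowerShell 7, and parses the product name out of the message. The regex assumes the message formats "Product: <name> -- Installation completed successfully." and "Product: <name> -- Removal completed successfully."; the -Days window and the property names in the output are choices made for this example.

```powershell
# Added example: Windows Installer install/removal history with product names parsed out.
# Assumes the MsiInstaller message formats "Product: <name> -- Installation completed successfully."
# (ID 11707) and "Product: <name> -- Removal completed successfully." (ID 11724).
function Get-MsiInstallHistory {
    param(
        [int]$Days = 30,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707, 11724        # install completed, removal completed
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the product name from the message; fall back to the whole message if the format differs
            $product = if ($_.Message -match 'Product:\s*(.+?)\s*--') { $Matches[1] } else { $_.Message }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Action      = if ($_.Id -eq 11707) { 'Install' } else { 'Removal' }
                Product     = $product
                UserSid     = $_.UserId      # SID of the account that ran the installer, when recorded
                Computer    = $_.MachineName
            }
        } | Sort-Object TimeCreated
}

# Usage: installs and removals from the last 7 days, oldest first
Get-MsiInstallHistory -Days 7 | Format-Table -AutoSize -Wrap
```

Pair an unexpected Install row with the removal events: a product installed and removed within minutes, outside change windows, is the pattern worth pulling the MSI for.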
Service start and state change events.
If you want to track when services were installed, here is a one-liner. Event ID 7045 from the Service Control Manager is logged when a new service is installed and records the service name, image path, start type and account; it is a common persistence and lateral-movement artifact (the service PsExec creates, for example, shows up here).
Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=7045} | select TimeCreated,ID,Message |ft -auto -wrap
Note that service state changes (a service entering the running or stopped state) are tracked by event ID 7036, and start-type changes by event ID 7040; 7036 is already part of the LRUP code.
Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=7036} | select TimeCreated,ID,Message |ft -auto -wrap
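The message text of 7045 is free-form, but the event's EventData carries the fields by name (ServiceName, ImagePath, ServiceType, StartType, AccountName). The function below is an added example, not LRUP code, that reads those fields from the event XML and flags installs that a responder would look at first. The path and image heuristics are assumptions for illustration only, not a detection rule set; tune them to the environment.

```powershell
# Added example: parse Service Control Manager event 7045 (service installed) into fields
# and flag entries that commonly need a closer look. The heuristics are illustrative assumptions.
function Get-NewServiceInstalls {
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData has named <Data> elements; read them from the XML instead of regexing the message
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $image = [string]$data['ImagePath']
        $flags = @()
        if ($image -match '\\(Temp|Users\\Public|ProgramData|AppData)\\') { $flags += 'user-writable path' }
        if ($image -match '(cmd\.exe|powershell|rundll32|regsvr32|mshta)')  { $flags += 'LOLBin image' }
        if ($image -match '-enc|FromBase64String|\\\\.*\\ADMIN\$')          { $flags += 'encoded or remote command' }
        if ($data['ServiceName'] -match '^PSEXESVC')                         { $flags += 'PsExec service' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $image
            StartType   = $data['StartType']
            Account     = $data['AccountName']
            InstalledBy = $_.UserId        # SID of the installing principal, when recorded
            Flags       = ($flags -join '; ')
        }
    } | Sort-Object TimeCreated
}

# Usage: last 14 days, flagged entries first, then chronological
Get-NewServiceInstalls -Days 14 |
    Sort-Object { $_.Flags -eq '' }, TimeCreated |
    Format-Table -AutoSize -Wrap
```

Follow a flagged 7045 with the 7036 one-liner above for the same service name to see whether it actually ran, and when.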
Symantec Risk log.
Symantec Endpoint Protection logs the risks it detects to the Application event log as event ID 51 ("Security Risk Found!"); to get just those entries, issue this one-liner:
Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=51} | select TimeCreated,ID,Message |ft -auto -wrap
Volume Shadow Copy shutdown events.
Some malware stops VSS or deletes shadow copies to hinder recovery; the one-liner below lists event ID 8224 from the VSS source. Be aware that 8224 is "The VSS service is shutting down due to idle timeout", which the service logs routinely, so the value is in its timing relative to other activity (shadow copies that existed and are now gone, a vssadmin or wmic process creation nearby), not in the event on its own.
Get-WinEvent -ea 0 -FilterHashtable @{Logname='application';ID=8224} | select TimeCreated,ID,Message |ft -auto -wrap
LRUP code has a one-liner to list the shadow copies currently present on a system; it is given below as well.
Gwmi -ea 0 Win32_ShadowCopy | select DeviceObject,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.InstallDate)}}
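Putting the two checks together, the function below is an added example (not LRUP code) that collects the current shadow copies, the VSS service states and the recent VSS events into one triage object. It uses Get-CimInstance, which returns InstallDate as a DateTime already, so the ConvertToDateTime call from the WMI one-liner is not needed. The 7-day window, the service names checked (VSS and swprv) and the output layout are choices made for this example.

```powershell
# Added example: shadow copy and VSS triage in one call. Uses CIM instead of WMI;
# the window, the services checked and the output shape are assumptions for this example.
function Get-VssTriage {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # Shadow copies that exist right now, with their age; gaps here are what ransomware leaves behind
    $copies = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Volume       = $_.VolumeName
                DeviceObject = $_.DeviceObject
                Created      = $_.InstallDate
                AgeDays      = [math]::Round(((Get-Date) - $_.InstallDate).TotalDays, 1)
            }
        }

    # Service state: VSS is the coordinator, swprv the Microsoft software shadow copy provider
    $services = Get-Service -Name VSS, swprv -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType

    # Recent events from the VSS source; 8224 (idle-timeout shutdown) is normal, so keep the timeline
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'VSS'; StartTime = $since } `
                -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        ShadowCount   = @($copies).Count
        ShadowCopies  = $copies
        VssServices   = $services
        VssEvents     = $events
        IdleShutdowns = @($events | Where-Object Id -eq 8224).Count
    }
}

# Usage
$triage = Get-VssTriage -Days 7
"Shadow copies present: $($triage.ShadowCount); VSS idle shutdowns in window: $($triage.IdleShutdowns)"
$triage.ShadowCopies | Format-Table -AutoSize
$triage.VssServices  | Format-Table -AutoSize
$triage.VssEvents    | Format-Table -AutoSize -Wrap
```

A volume with zero shadow copies, a stopped or disabled VSS service, and a cluster of VSS events at the same time as the first encrypted files is the combination to look for; any one of the three on its own is routine.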