CHAPTER 12
Windows Applications

There are multiple types of Windows applications: console, desktop, service, and so on. Applications can be portable, requiring no installation, or installable, meaning they must be installed and registered in the local Windows application registry. Applications are almost always involved in cybersecurity incidents—for example, malware is often an executable, malicious macros run in Microsoft Word, and phishing e-mail is received in Microsoft Outlook.

It is important to monitor the use of applications on a host. You should monitor activities such as application installation, removal, execution, application crashes, and AppLocker application-blocking events. In this chapter you will find detailed information about monitoring these scenarios and more.

New Application Installation

Depending on how software installation is designed, it may register an application in the Windows software manager database. The software manager is designed to provide users an easy-to-use interface to remove, modify, and repair installed applications, components, and updates.

In Windows Server 2016 and Windows 10, the software manager can be invoked using the Programs and Features item in Control Panel or with the command rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl. Figure 12-1 shows the Windows Server 2016 software manager.


Figure 12-1: Windows Server 2016 ...
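As an added example (not the book's own code), the following PowerShell script reads the same database that Programs and Features displays, which Windows keeps under the Uninstall registry keys, and compares it against a saved baseline to flag applications registered or removed since the baseline was taken. The baseline file path is an assumed placeholder.

```powershell
# Added example: detect new or removed application registrations by diffing the
# Programs and Features database (the Uninstall registry keys) against a baseline.
$BaselinePath = 'C:\Baseline\installed-apps.json'   # assumed placeholder path

# The software manager reads these keys; 64-bit Windows keeps 32-bit installers
# under WOW6432Node, and per-user installations live under HKCU.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RegisteredApplication {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |            # skip entries with no visible name
        ForEach-Object {
            [pscustomobject]@{
                Key         = $_.PSChildName         # product code or registration key name
                DisplayName = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate         # yyyyMMdd string when the installer records it
                Uninstall   = $_.UninstallString
            }
        }
}

$current = @(Get-RegisteredApplication)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the known-good set and stop.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written with $($current.Count) applications."
    return
}

$baseline    = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$knownKeys   = @{}
$currentKeys = @{}
foreach ($app in $baseline) { $knownKeys[$app.Key]   = $true }
foreach ($app in $current)  { $currentKeys[$app.Key] = $true }

# Registered since the baseline: candidate new installations worth reviewing.
$newApps     = $current  | Where-Object { -not $knownKeys.ContainsKey($_.Key) }
# Present in the baseline but gone now: candidate removals.
$removedApps = $baseline | Where-Object { -not $currentKeys.ContainsKey($_.Key) }

Write-Output "New applications:";     $newApps     | Format-Table DisplayName, Version, Publisher, InstallDate -AutoSize
Write-Output "Removed applications:"; $removedApps | Format-Table DisplayName, Version, Publisher -AutoSize
```

Run it once to create the baseline, then on a schedule; an entry that appears without a matching installer log or change record is the kind of event this chapter teaches you to investigate.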
