WMI query of Win32_Product creates events in the W2K8+ Application Event Log

windows-event-log, windows-server-2008, wmi

On Windows Server 2008 and Windows Server 2008 R2, when querying installed software with WMI and the Win32_Product class, events are written to the Application event log.

The events are purely informational but one event is generated for each piece of software identified. What bothers me is the description contains "Windows Installer reconfigured the product. Product Name: …"

Why would a query trigger a notification that the product has been reconfigured? We have scripts that run against servers looking for changes and this is creating a little bit of an issue. 🙁

Has anyone else seen this?

Best Answer

Greg,

I would strongly recommend NOT using Win32_Product if you can avoid it. First, it is really, really slow. Second, and more significant, is that you can screw up your system:

The Win32_Product class works by enumerating every MSI package that is installed on the system. When a package is touched, it performs a reconfiguration where the application is validated (and repaired if found to be inconsistent with the original MSI).

This can be a huge problem if you have applications that were configured after install (i.e. previously disabled services can be re-enabled, etc.).

As an alternative, you can do a search on a particular file and check its version to see if an application is installed. Here is a link to a blog post I did describing the technique (and also has a link to an article by Darren Mar-Elia discussing Win32_Product):

http://windowshell.wordpress.com/2010/07/08/wmi-query-for-an-installed-application/
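
The file-version check described in the answer, written out as an added example (not code from the original answer or the linked blog post). The function names, server names and file path are hypothetical placeholders, and it assumes PowerShell 3.0 or later on the machine running the script. The second function counts the "reconfigured the product" events from the question so an inventory run can be checked for side effects.

```powershell
# Added example. Server names and the file path are constructed placeholders.
function Get-AppFileVersion {
    param(
        [Parameter(Mandatory=$true)][string[]]$ComputerName,
        # Full local path of the application's main binary on the target
        [Parameter(Mandatory=$true)][string]$FilePath
    )
    # In a WQL string literal, backslashes and single quotes must be escaped
    $wqlPath = $FilePath.Replace('\', '\\').Replace("'", "\'")
    foreach ($computer in $ComputerName) {
        $result = [pscustomobject]@{
            ComputerName = $computer; Installed = $null; Version = $null; Error = $null
        }
        try {
            # Name is the key property of CIM_DataFile, so this is a direct lookup
            # of one file and never goes through Windows Installer
            $file = Get-WmiObject -Class CIM_DataFile -ComputerName $computer `
                        -Filter "Name='$wqlPath'" -ErrorAction Stop
            $result.Installed = [bool]$file
            if ($file) { $result.Version = $file.Version }
        }
        catch {
            $result.Error = $_.Exception.Message
        }
        $result
    }
}

# Count the "reconfigured the product" events from the question since a given time,
# to confirm an inventory run did not trigger Windows Installer
function Get-MsiReconfigureCount {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][datetime]$Since
    )
    $filter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; StartTime = $Since }
    @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
          -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -like '*reconfigured the product*' }).Count
}

$start   = Get-Date
$servers = 'SRV-EXAMPLE-01', 'SRV-EXAMPLE-02'
Get-AppFileVersion -ComputerName $servers -FilePath 'C:\Program Files\ExampleApp\example.exe'
$servers | ForEach-Object {
    "{0}: {1} reconfigure event(s)" -f $_, (Get-MsiReconfigureCount -ComputerName $_ -Since $start)
}
```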