
EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.


Windows Installed Application Parser

This EnScript is designed to read installed application information and display it in a similar fashion to the Windows Programs & Features control-panel applet.

The script will parse NTUSER.DAT and SYSTEM Registry-hive files selected by the user. Any other files that fall within the selection will be ignored.

The script reads installed application-information from the Microsoft\Windows\CurrentVersion\Uninstall Registry key, including the WOW6432Node Registry key from 64-bit systems.

Summary output is provided by way of a data-bookmark written to the bookmarks tab. There will be one bookmark for each file parsed.

The script will also write a tab-delimited spreadsheet containing all of the information that has been parsed.

When it comes to interpreting the application install date, it would appear that Windows reads this information from a value called InstallDate. If this value doesn't exist, Windows will derive the date from the last-written date of the application's Uninstall key.

The examiner should note that a value of zero in the spreadsheet does not necessarily mean that the associated property was set for an application; the property may not exist at all.

The Size value displayed in the data-bookmark originates from a property called EstimatedSize. If this value is zero or doesn't exist, the script will show an empty cell to aid readability. Due to a limitation in EnScript, the Size column displays a string-representation of the size - this prevents numeric sorting.
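The install-date fallback and the empty Size cell described above can be sketched as follows; this is an added Python example, not the EnScript's own code. It assumes InstallDate is a YYYYMMDD string, EstimatedSize is a number of kilobytes, the key's last-written time is a FILETIME reported in UTC, and the dictionary field names and sample entries are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def install_date(entry):
    """Return (date, source): InstallDate if usable, else the key's last-written date."""
    raw = entry.get("InstallDate")
    if raw:
        try:
            # Assumption: InstallDate is stored as a YYYYMMDD string.
            return datetime.strptime(raw, "%Y%m%d").date(), "InstallDate"
        except ValueError:
            pass  # malformed value: treated as missing (a choice made by this example)
    return filetime_to_utc(entry["last_written"]).date(), "key last-written"

def size_cell(entry):
    """Return EstimatedSize as text, or an empty cell when it is zero or missing."""
    size_kb = entry.get("EstimatedSize") or 0  # assumption: value is in kilobytes
    return f"{size_kb:,} KB" if size_kb else ""

# Constructed sample entries (hypothetical field names, not from a real hive).
SAMPLE = [
    {"DisplayName": "Example App A", "InstallDate": "20170314",
     "EstimatedSize": 51200, "last_written": 131340096000000000},
    {"DisplayName": "Example App B", "EstimatedSize": 0,
     "last_written": 131340096000000000},
    {"DisplayName": "Example App C", "InstallDate": "",
     "EstimatedSize": 9216, "last_written": 131500000000000000},
]

def report(entries):
    """Build one row per application: name, install date, date source, size."""
    rows = []
    for e in entries:
        date, source = install_date(e)
        rows.append((e["DisplayName"], date.isoformat(), source, size_cell(e)))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE):
        print("\t".join(row))
```

Recording the date source alongside the date lets an examiner tell a recorded InstallDate apart from one inferred from the key's timestamp, which changes whenever the key is rewritten.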




Version: 1.0.1
Tested with:
EnCase Forensic 8.05
Developer: Simon Key
Category: Artifact

1837 DOWNLOADS
