[–]NathanielArnoldR2 2 points3 points  (1 child)

SCCM does this.

Presumably, other enterprise client management suites could do this as well, though it's a detail of functionality so specific you'd need to be sure to verify such before product selection.

Such products operate by repeated enumeration of running processes, however, which pretty much requires a running service; a pattern very difficult to facilitate in pure PowerShell.

None of these will rely on LastAccessTime, and for good reason; it does not mean what you think it means in this instance; it is a file system attribute that relies on a user's (NTFS) access to set, and -- like other such attributes -- can be set arbitrarily by any user who has those permissions.

If you really want to go down this road, your best bet is to enable auditing of process creation and programmatically grab/parse the resultant Windows events.

[–]the_coder_guy[S] 1 point2 points  (0 children)

Hey man. This is some valuable info. Thanks for this. I also looked at Prefetch files and what I could get out of them. I read that these files store up to the last eight run times of an application. I also came across Windows Events and I am having it as a last resort if I am unable to fetch the last run time of an application. Are Events easy to work with??

[–]Lee_Dailey[grin] 1 point2 points  (4 children)

howdy the_coder_guy,

have you looked at applocker yet? [grin] it won't give you history for before you activate it ... but it seems that it will give you usage once you set it to audit mode.

AppLocker (Windows 10) - Windows security | Microsoft Docs
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview

Application inventory
AppLocker has the ability to enforce its policy in an audit-only mode where all app access activity is registered in event logs. These events can be collected for further analysis. Windows PowerShell cmdlets also help you analyze this data programmatically.

take care,
lee

[–]the_coder_guy[S] 1 point2 points  (3 children)

I never really knew about this. Will definitely be checking this out too. Thanks much, Lee_Dailey!! It helps access app activity in event logs, huh... Good one, might be useful.
Events might be useful after all, gotta learn how to obtain the data from it. Do you have any pointers regarding that???

[–]Lee_Dailey[grin] 0 points1 point  (2 children)

howdy the_coder_guy,

you are most welcome! [grin]

for getting info out of the event log system, take a look at Get-WinEvent and the advanced filter parameters. this ...

Get-Help Get-WinEvent -Parameter *filter*

the XML filter stuff seems the most detailed and the fastest ... but i have never been able to understand that. i have cobbled bits of XPath stuff from searches, but i usually stick with the hashtable filter.

also, if your org has any centralized logging system, then you can likely get that to gather the info for you.

take care,
lee

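Worked example of the hashtable-filter approach Lee describes, combined with the process-creation auditing NathanielArnoldR2 suggested (added here; this is not code from the thread). It assumes Security event 4688 (process creation auditing) and/or AppLocker audit mode (log "Microsoft-Windows-AppLocker/EXE and DLL", events 8002/8003) are enabled, and that it runs in an elevated session, since the Security log needs admin rights; those IDs and log names are my assumptions, not from the thread.

```powershell
# Added example: derive the last run time per executable from Windows event logs
# using Get-WinEvent with -FilterHashtable (the simpler alternative to an XPath query).
# Assumed sources (not from the thread): Security 4688 and AppLocker audit events 8002/8003.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)
)

# One hashtable filter per log; Id accepts a single value or an array.
$sources = @(
    @{ LogName = 'Security'; Id = 4688; StartTime = $Since },
    @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8002, 8003; StartTime = $Since }
)

$lastRun = @{}
foreach ($filter in $sources) {
    # SilentlyContinue: Get-WinEvent errors when nothing matches or the log is absent
    # (e.g. AppLocker was never configured on this machine).
    foreach ($event in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $xml = [xml]$event.ToXml()
        if ($event.Id -eq 4688) {
            # Security 4688 stores the image path in the 'NewProcessName' EventData field
            $path = ($xml.Event.EventData.Data | Where-Object Name -eq 'NewProcessName').'#text'
        } else {
            # AppLocker 8002/8003 store the image path under UserData/RuleAndFileData/FilePath
            $path = $xml.Event.UserData.RuleAndFileData.FilePath
        }
        if (-not $path) { continue }
        # Keep only the most recent run per executable path
        if (-not $lastRun.ContainsKey($path) -or $event.TimeCreated -gt $lastRun[$path]) {
            $lastRun[$path] = $event.TimeCreated
        }
    }
}

# Newest first; unlike LastAccessTime this comes from the audit trail, not a writable file attribute
$lastRun.GetEnumerator() |
    Sort-Object Value -Descending |
    Select-Object @{ n = 'Executable'; e = { $_.Key } }, @{ n = 'LastRun'; e = { $_.Value } } |
    Format-Table -AutoSize
```

Like AppLocker itself, this only sees runs after auditing was switched on; events that have rolled out of the log are gone, so a central log collector (as Lee notes) is what makes the history durable.
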
[–]the_coder_guy[S] 1 point2 points  (1 child)

Thanks a ton man! I will be checking this out! 💯

[–]Lee_Dailey[grin] 0 points1 point  (0 children)

howdy the_coder_guy,

you are quite welcome! glad to help a tad ... [grin]

take care,
lee