The classic "Whodunit": Who removed IIS?

I had a recent issue where a customer's SCCM Distribution Point came up non-functional. Upon looking at the IIS logs, it appeared that the DP was missing components until just recently. So, how did we find our suspect, who did this?

There's a couple places to check:
ACT I: The Event Logs
The log to look through is Setup, under the Windows Logs.

What you are looking for is this:

  • Source: Servicing
  • Level: Information
  • EventID: 8

Note that you will see a bunch of these messages, depending on the amount of features you have installed with IIS. In a typical SCCM installation, there are quite a few.

The first message I was received was "Initiating changes to turn off update WCF-HTTP-Activation of package Microsoft .NET Framework 3.0 WCF Components. Client id: DISM Package Manager Provider."

Really, you are just looking for the first part: "Initiating changes to turn off"

So, now I know when Server Manager attempted to remove IIS.

But, if you note, in the event details, that SYSTEM account removed IIS, not a real person. You'll see something like this at the bottom of "System / Friendly View":

Security
[ UserID] S-1-5-18
- UserData
- CbsUpdateChangeState
UpdateName WCF-HTTP-Activation
PackageIdentifier Microsoft .NET Framework 3.0 WCF Components
ErrorCode
Client DISM Package Manager Provider

Okay, so I know what, when, and where, but still missing who. PowerShell to the rescue for Act II.

ACT II: Security Logs
We can narrow down our list of suspects by scanning the security logs of the server in question (entire solution in the way of "PS without BS"). Is there a HTML tag for "cheap plug?" :)

Some notes: I am aware that this event happened in the last day or two. So set $Days to whatever matches is in the vicinity of your change. $strComputer is the name of the server that IIS was removed from in this case.

$Days=2
$strComputer="computername.domain.local"
$Logons = @()
$EventLogs = Get-EventLog System -Source Microsoft-Windows-WinLogon -After (Get-Date).AddDays(-$Days) -ComputerName $strComputer
If ($EventLogs)
{
ForEach ($EventLog in $EventLogs){
switch ($EventLog.InstanceID) {
7001 {$EventType = "Logon"}
7002 {$EventType = "Logoff"}
default {Continue}
} $Logons += New-Object PSObject -Property @{
'Logon Time' = $EventLog.TimeWritten
'Logon Event' = $EventType
User = (New-Object System.Security.Principal.SecurityIdentifier $EventLog.ReplacementStrings[1]).Translate([System.Security.Principal.NTAccount])
}
}
}
$Logons | Select "Logon Time","Logon Event",User | Sort "Logon Time" -Descending

This produces a nice output of logons and logoffs - and you should be able to narrow your suspects from this list.

Logon Time Logon Event User
---------- ----------- ----
8/3/2017 8:22:16 AM Logon DOMAIN\User1
8/3/2017 8:20:56 AM Logoff DOMAIN\User1
8/3/2017 8:17:19 AM Logon DOMAIN\User1

I knew it, it was User1 all along. Why? At 8:18am IIS was removed by EventID 8, and the logoff (for reboot) happened at 8:20. So, now we have the "Who" in addition to the "What, Where and When". All that's left is "Why". Time to present the evidence to User1 and work on the confession. Case closed and mystery solved.

— If you like my blogs, please share it on social media, rate it, and/or leave a comment. —