This EnScript is designed to read installed application information and display it in a similar fashion to the Windows Programs & Features control-panel applet.
The script will parse NTUSER.DAT and SYSTEM Registry-hive files selected by the user. Any other files that fall within the selection will be ignored.
The script reads installed application-information from the Microsoft\Windows\CurrentVersion\Uninstall Registry key, including the WOW6432Node Registry key from 64-bit systems.
Summary output is provided by way of a data-bookmark written to the bookmarks tab. There will be one bookmark for each file parsed.
The script will also write a tab-delimited spreadsheet containing all of the information that has been parsed.
When it comes to interpreting the application install date, it would appear that Windows reads this information from a value called InstallDate. If this value doesn't exist, it will derive it from the last-written date of the application's Uninstall key.
The examiner should note that a value of zero in the spreadsheet does not necessarily mean that the associated property was set for an application.
The Size value displayed in the data-bookmark originates from a property called EstimatedSize. If this value is zero or doesn't exist, the script will show an empty cell to aid readability. Due to a limitation in EnScript, the Size column displays a string-representation of the size - this prevents numeric sorting.
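The install-date fallback and the empty Size cell described above can be sketched in Python as follows. This is an added example, not the EnScript's own code: it assumes InstallDate is a YYYYMMDD string, that EstimatedSize is in kilobytes, and that the Uninstall subkeys have already been parsed into the constructed records shown; the "Date source" column is an addition so an examiner can see which dates were derived from the key's last-written time.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_date(ft):
    # FILETIME = 100-ns ticks since 1601-01-01 UTC
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).date()

def install_date(values, last_written):
    """Prefer InstallDate (assumed YYYYMMDD); else key last-written time."""
    raw = str(values.get("InstallDate", "")).strip()
    try:
        return datetime.strptime(raw, "%Y%m%d").date(), "InstallDate"
    except ValueError:  # missing or malformed value
        return filetime_to_date(last_written), "key last-written"

def size_cell(values):
    """EstimatedSize (assumed KB); zero or missing gives an empty cell."""
    kb = values.get("EstimatedSize") or 0
    return f"{kb / 1024:.1f} MB" if kb else ""

def build_rows(keys):
    rows = []
    for k in keys:
        v = k["values"]
        date, source = install_date(v, k["last_written"])
        rows.append([v.get("DisplayName", k["name"]), v.get("Publisher", ""),
                     date.isoformat(), source, size_cell(v),
                     "WOW6432Node" if k["wow64"] else "native"])
    return rows

def to_tsv(rows):
    buf = io.StringIO()
    w = csv.writer(buf, delimiter="\t", lineterminator="\n")
    w.writerow(["Name", "Publisher", "Installed", "Date source", "Size", "View"])
    w.writerows(rows)
    return buf.getvalue()

# Constructed sample records (not from a real hive); names are hypothetical.
SAMPLE_KEYS = [
    {"name": "{EXAMPLE-1}", "wow64": False, "last_written": 132223104000000000,
     "values": {"DisplayName": "Example Editor", "Publisher": "Example Corp",
                "InstallDate": "20190614", "EstimatedSize": 51200}},
    {"name": "ExampleTool", "wow64": True, "last_written": 132223104000000000,
     "values": {"DisplayName": "Example Tool", "EstimatedSize": 0}},
]

print(to_tsv(build_rows(SAMPLE_KEYS)), end="")
```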
This script was developed for use in EnCase training. For more details, please click the following link: