TITLE
MDE Software Uninstall
Query
let ProductCodeGuid = "{23170F69-40C1-2702-2401-000001000000}";
DeviceProcessEvents
| where FileName contains "msiexec.exe"
| where ProcessCommandLine contains "\"msiexec.exe\" /qb /x" and ProcessCommandLine contains ProductCodeGuid
let ProductCodeGuid = "{23170F69-40C1-2702-2401-000001000000}";
DeviceRegistryEvents
| where ActionType == "RegistryKeyDeleted"
| where PreviousRegistryKey == strcat("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\",ProductCodeGuid)
// define the Installer GUIDs
let ProductGuids = datatable(GUID:string, ProductName:string,Version:string)
[
"23170F69-40C1-2702-2401-000001000000","7-Zip","24.01",
"23170F69-40C1-2702-2301-000001000000","7-Zip","23.01",
"7F39DBC3-B170-42A1-904A-660C6C3E886A","VNC",""
];
DeviceRegistryEvents
| where ActionType == "RegistryKeyDeleted" or ActionType == "RegistryKeyCreated" // or ActionType == 'RegistryValueDeleted' or ActionType == 'RegistryValueSet'
| where InitiatingProcessFileName == "msiexec.exe"
| where PreviousRegistryKey has "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\" or RegistryKey has "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"
| extend UninstallGUID = case (
isnotempty( PreviousRegistryKey),extract(@"\{([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\}", 1, PreviousRegistryKey),
isnotempty(RegistryKey),extract(@"\{([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})\}", 1, RegistryKey),"Unknown"
)
| extend CheckKey = case (
isnotempty(RegistryKey), RegistryKey,
isnotempty(PreviousRegistryKey), PreviousRegistryKey,"Unknown"
)
| where UninstallGUID has_any (ProductGuids)
| lookup kind=leftouter ProductGuids on $left. UninstallGUID == $right.GUID
| sort by TimeGenerated asc
| extend TimeDiffMinutes = datetime_diff('minute', prev(TimeGenerated, 1), TimeGenerated)
| extend NextAction = next(ActionType)
| extend PrevAction = prev(ActionType)
| project TimeGenerated, DeviceName, UninstallGUID , ProductName, Version, CheckKey, InitiatingProcessCommandLine, RegistryKey, PreviousRegistryKey, ActionType, PrevAction, NextAction, TimeDiffMinutes
| summarize arg_max(TimeGenerated,*) by DeviceName, ProductNameAbout this query
TITLE
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1110.003 | Credential Access: Brute Force: Password Spraying | https://attack.mitre.org/techniques/T1110/003/ |
Description
DESCRIPTION
References
Microsoft 365 Defender
Explanation
This query looks for instances where a specific software product is uninstalled on devices in a Microsoft 365 Defender environment. It checks for events related to the deletion of registry keys associated with the product's uninstallation. The query also retrieves information about the product being uninstalled, such as its name and version. The results are then sorted and summarized by device name and product name.
Details

Alex Verboon
Released: March 25, 2024
Tables
DeviceProcessEventsDeviceRegistryEvents
Keywords
DevicesIntuneUser
Operators
let|wherecontainsandstrcatdatatablehasextendcaseisnotemptyextracthas_anylookupkindon$left==$rightsortbyascdatetime_diff'minute'prevnextprojectsummarizearg_max