Garth Jones did an excellent blog post with some examples using a registry key or the file system.
http://be.enhansoft.com/post/2014/07/24/Comparing-Application-Model-With-Reg istry-Key-to-Application-Model-With-File-Version.aspx From: [email protected] [mailto:[email protected]] On Behalf Of ccollins9 Sent: Monday, March 30, 2015 4:08 PM To: mssms Subject: Re: [mssms] RE: Help with Detection Method Just echoing what others have said already. We have an area in the registry we created on all computers via gpo HKLM > system > company name > apps. I usually wrap the install in a script that will also write something to that area in the registry and use that for detection On Mar 30, 2015 4:25 PM, "Merenda, Kenneth" <[email protected]> wrote: There are two ways I would go about this: Option A: Script the main app together with this one. It could be as simple as a batch file to run both executables in serial. Option B: Figure out what file associations are changing. Those will be registry keys that can use as your detection method. My preference would be option B, because SCCM would be able to report success/fail on each component of the install, and not just the script that chains the components together. Kenneth Merenda From: [email protected] [mailto:[email protected]] On Behalf Of Beardsley, James Sent: Monday, March 30, 2015 2:34 PM To: [email protected] Subject: [mssms] Help with Detection Method I'm creating a deployment type for an application I'm working on and its not the main app install, it's a small script compiled to an .exe (written by the vendor) that needs to be run beforehand. The script just deletes some file associations (which ones, I'm not clear on) and I'm trying to figure out what I can use for the detection method. As far as I can tell, it doesn't create any files, it doesn't create anything in Add/Remove, and without knowing which files associations it's modifying, I have nothing to detect. I've reached out to the vendor so waiting on a response from them. Assuming they can't help, any ideas? I thought about using a Powershell script to read from the event logs (Applocker execution events) to see if its been run. I also thought about wrapping it in a script that writes something to the registry which can be used for detection. Before I went down that road, figured I'd see if there were any other ideas. Thanks! James Beardsley | Firm Technology Group Dixon Hughes Goodman LLP <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.dhgllp.com_&d=AwMFA g&c=r_B2dqKkHczsuXPCSs5DOw&r=krYjy-Xm1tps1F_nkG9sNKQIT3ZPFrUh3rvr18goJ2E&m=r w2XLdgTFI8reT8lnUcCW68tSB5tzpWWtRiyJQwPgfU&s=0EYIt5pqdvMkXrS5N9nMiTI8_LubOZf pi15LaVh1-3Y&e=> cid:8644FC49-D5C9-45AE-B387-04FAFC0CC7A5 _____ Confidentiality Notice: This e-mail is intended only for the addressee named above. It contains information that is privileged, confidential or otherwise protected from use and disclosure. If you are not the intended recipient, you are hereby notified that any review, disclosure, copying, or dissemination of this transmission, or taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please reply to the sender listed above immediately and permanently delete this message from your inbox. Thank you for your cooperation.

