MSIExec.exe

To locate what msiexec.exe is installing, first look in EAM for the following command lines previous to files being written:

C:\Windows\System32\MsiExec.exe -Embedding CODE

AND

"C:\WINDOWS\system32\msiexec.exe" /x {GUID}

Then search below reg keys to locate what it is and origin point

Reg Keys for GUID

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall

For further context, use event logs within Application Event Log and search for GUID.

Also worth just google GUID first to see if it is a known one.

Last updated 1 year ago