
Windows 2003 EOL Tech Brief: Who’s using that legacy app?

A quick and handy solution to determine and report against the users of a file-based application on a Windows 2003 server


When undertaking your Windows 2003 End of Life decommissioning process, it’s the old rule of 90% preparation and 10% migration effort. One of the lengthier investigations we’ve found is determining application usage. You will likely discover multiple applications that your client relies on, and some of them could be many years out of date.


Determining the users of these applications can be tricky, as there are potentially multiple ways to do so:-

  1. Interview the app owner / end-users.
  2. Use Asset / System Management toolsets and query the data.
  3. Scripting.


Interviewing the users most likely won’t provide the results you are seeking, as it depends on user cooperation and accuracy, both of which can vary wildly. The process is also very time-consuming, depending on availability and location. As you are likely on a time-limited project, this isn’t a practical approach.

Asset Management tools are perfect for this type of work, as they can provide detailed information about your client software estate. You can then easily determine the frequency of application usage and who the users are. This will allow you to shape your communication appropriately and schedule the migration of the application and data. Unfortunately, Asset Management tools are generally quite expensive, and many organisations simply choose to do one-off scans as a part of Professional Services in order to satisfy licensing agreements rather than maintain an up-to-date record of software.

Another option is to use the tools already available to you, which in this case means scripting. There are handy PowerShell commands that will scan the Security log and extract the user information based on when users accessed the application executable.

You must turn on auditing on the application EXE in order for this to work:-


This will then record events to the Security log when the application is accessed.   Crucially the user information is also recorded.   It is best to leave a week or so between setting the auditing and analysing the logs so that you can be sure to have gathered enough statistics.

You can then use PowerShell to query the Security log (remotely) and extract the information you need. An example script would look like this:-


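$Users = @()   # collect every matching DOMAIN\user here
Get-EventLog Security -ComputerName $Server |
Where-Object { $_.EventID -eq 560 } |
ForEach-Object {
    # Keep only events whose object name is the audited application path
    If ($_.ReplacementStrings[2] -eq $apppath) {
        Write-Host $("Adding user:" + $_.ReplacementStrings[12] + "\" + $_.ReplacementStrings[11])
        # Append rather than overwrite, so earlier matches are not lost
        $Users += $_.ReplacementStrings[12] + "\" + $_.ReplacementStrings[11]
    }
}
$Users | Select-Object -Unique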


This will output a list of users that have accessed the application. If need be, you can export the results to a CSV for further investigation. You can then make a case to the business to decide whether the application can be retired or migrated.
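
A per-user summary suited to the CSV export mentioned above, as an added example that is not from the original post: it groups the matching 560 events by DOMAIN\user and reports how many were logged and when each user was first and last seen. Get-AppUsageSummary and New-SampleEvent are hypothetical names, the sample events and path are constructed, and the string positions are the ones the script above uses.

```powershell
# Added example, not from the original post. Function names are hypothetical
# and the sample events are constructed, not real log data.
function Get-AppUsageSummary {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,   # Security log entries
        [Parameter(Mandatory = $true)] [string]   $AppPath   # audited EXE path
    )
    # Same match as the script above (index 2 = path, 12 = domain, 11 = user),
    # with a length guard so short records are skipped. -eq ignores case.
    $Events |
        Where-Object { $_.EventID -eq 560 -and
                       $_.ReplacementStrings.Length -gt 12 -and
                       $_.ReplacementStrings[2] -eq $AppPath } |
        Group-Object { $_.ReplacementStrings[12] + '\' + $_.ReplacementStrings[11] } |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object TimeGenerated)
            New-Object PSObject -Property @{
                User      = $_.Name
                Opens     = $_.Count      # audit events, not distinct sessions
                FirstSeen = $ordered[0].TimeGenerated
                LastSeen  = $ordered[-1].TimeGenerated
            }
        } |
        Sort-Object Opens -Descending |
        Select-Object User, Opens, FirstSeen, LastSeen
}

# Builds a stand-in for one event 560 record with the fields the summary reads.
function New-SampleEvent([string]$Path, [string]$User, [string]$Domain, [datetime]$When) {
    $strings = @('Security', 'File', $Path) + (@('-') * 8) + @($User, $Domain, '-')
    New-Object PSObject -Property @{
        EventID = 560; TimeGenerated = $When; ReplacementStrings = $strings
    }
}

$app = 'D:\Apps\Legacy\legacy.exe'   # constructed path
$sample = @(
    New-SampleEvent $app 'asmith' 'CONTOSO' '2015-03-02 09:00'
    New-SampleEvent $app 'asmith' 'CONTOSO' '2015-03-04 14:30'
    New-SampleEvent $app 'bjones' 'CONTOSO' '2015-03-03 11:15'
    New-SampleEvent 'D:\Apps\Other\other.exe' 'cwhite' 'CONTOSO' '2015-03-03 12:00'
)
Get-AppUsageSummary -Events $sample -AppPath $app

# Against a real server, reusing $Server and $apppath from the script above:
# Get-AppUsageSummary -Events (Get-EventLog Security -ComputerName $Server) -AppPath $apppath |
#     Export-Csv .\app-usage.csv -NoTypeInformation
```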

That’s it for now, check back soon or subscribe for more Windows 2003 End of Life decommissioning tips.


Hutton Henry
I'm a creative business owner, who has interests in technology, screenwriting and what makes people tick. Somehow these disciplines converge to provide a unique perspective on Post-Merger Integration ("PMI"). In my opinion, PMI (and most transformative change) works best when you consider the people aspect first.
