Software Compliance Tool

The Software Compliance Tool is a small application designed to reduce the overhead in managing unwanted applications in a business environment. While Windows 7 / 8 have made a lot of headway in easing reduced user rights into the Enterprise, it’s still very common that Local Administrator rights are given to end users. The reasoning for this is usually to work around application compatibility (both external and in-house). However, this introduces the ability for end users to install whatever they want on their computers, including games, peer-to-peer software and security vulnerable applications. It is the company’s responsibility to ensure that copyrights are not infringed, and that the network is secure.


  • Can automatically remove most Windows Installer (MSI) based installations
  • Uninstall Strings for non MSI-based installs can be supplemented with switches (ie, “/S” for silent)
  • Blacklist allows partial name matches (ie, “Mozilla” will blacklist all Mozilla applications)
  • Blacklist allows version matches (ie, allow all versions greater than v1.6.5, remove all previous versions)
  • Blacklist, but allow exclusions based on Active Directory Users or Groups
  • Blacklist policy is encrypted to prevent tampering or reading by users
  • AD Exclusions list is cached and encrypted, to allow running SCT off-domain
  • Simple SQL logging to allow tracking of policy breaches (and potentially further action for repeated breaches)
  • Extremely fast execution. Can be run from your AD login script (I recommend using a Scheduled Task instead though)

How it works

The Software Compliance Tool starts as a hidden applications and scans the registry for application details (under HKLMSoftwareMicrosoftWindowsCurrentVersionUninstall). It then compares the applications found to the blacklist policy file (Policy.ECF). If no matches are found, the application closes without any notification to the end user. The policy file is encrypted to prevent users from tampering with it (when run locally).
If a match is found, SCT displays a dialog to the end user and tries to remove the application automatically. For Windows Installer applications, this is generally quite straightforward. For non-MSI based installs, the default uninstall string is used (from the registry) which can be further augmented with additions (ie, “/s” for a silent uninstall) or completely replaced with a custom action string.

Policy breaches can optionally be reported into a SQL database which can be configured in the policy file. The SCT Policy can work in a number of ways:

  • Exact Match: An exact name match whereby, for example, ‘iTunes’ is not allowed
  • Partial Match: A partial match can be specified for applications that write version information as part of the installation, for example, Firefox 3.5. With a partial name match, you can blacklist ‘Firefox’ and catch every version. This is also useful to blacklist types of applications, for example ‘Poker’ or ‘MP3’
  • Version Restriction: It is possible to have a version restriction in place for a particular application. For example Adobe Flash is allowed but not supported. Flash is notorious for having security issues, so a version restriction can be configured to allow only the latest patched version, while removing all previous versions automatically
  • Exclusions: Exclusions to the blacklist can be allowed for certain applications. Exclusions are administered through Active Directory groups. Just specify the group name in the application policy, populate the group with users, and they will be automatically excluded from the automatic removal of the application. Nested Groups are not supported with Active Directory Exclusion Groups.


The application requires the .NET Framework 3.5 to be installed on your workstations in order to run correctly. It also needs Administrator privileges in order to successfully remove applications. The best way to implement would be through a Scheduled Task running with Highest Privileges at user logon, and possibly every few hours.

Version History (22nd March 2013)

  • CHANGE: Default to Report Only Mode (use /REMOVALMODE to actually remove unwanted apps)
  • CHANGE: Default to Silent Mode when in Report Only Mode (use /DEBUGMODE to show status in the UI when in default Report Only Mode)
  • CHANGE: Exclude matched apps containing Microsoft KB numbers, “Cumulative Update”, “Security Update” or “Hotfix” – we’ll never want these removed as we might compromise security and stability
  • CHANGE: Updated ReadMe file with new instructions, including how to deploy using Group Policy Preferences and use Scheduled Tasks (28th November 2012)

  • NEW: If running in Report Only Mode, keep a living register of compliance records
  • FIX: Cached Domain Groups would be incorrectly overwritten with a blank cache in certain networking conditions. This would result in AD Exclusions no longer applying

1.090.0 (15th April 2010)

  • CHANGE: Reverse Application Enumeration to ensure that Windows Installer is processed first
  • CHANGE: Encapsulate paths as required
  • FIX: Resolve issues with uninstallers of type RunDLL32
  • FIX: Resolve issues with arguments of type /? and -?
  • FIX: Exception could be incorrectly thrown when the uninstall string contained quotation marks

1.072.0 (14th January 2010)

  • Initial Release