Published on 7/11/2026
Unauthorized software detection: how to catch shadow IT on your business PCs
Unauthorized software detection comes down to two things: knowing what's installed on every PC, and getting notified the moment something new appears that isn't on your approved list. Argos keeps a per-machine software inventory across your fleet and can alert you the same day someone installs a TeamViewer nobody asked for, a crypto app, or a tool built for walking data out the door.
Every business with more than a handful of computers has some version of this story. An outside tech installed AnyDesk "just to fix something quick" eight months ago, and it's still there — with remote access to the billing PC. Someone downloaded a game for slow afternoons. Someone else signed into their personal Dropbox on an office machine and has been syncing client folders to a private account ever since. Not out of malice — out of convenience.
None of it went through you. Nobody approved it. And until you physically sit down at that machine — which, realistically, you never will — it doesn't exist.
That's shadow IT: software running on your company's computers without the company knowing. It's rarely sabotage; most of the time it's people getting their job done with whatever tool was closest. The problem is that every unapproved install is a door you don't know you have.
Why shadow IT is a bigger deal than it looks
An unapproved program isn't just "one more app." Depending on what it is, the risk lands in a completely different category:
- Rogue remote access. A TeamViewer or AnyDesk left over from an old support call is a standing entrance into that machine. If the account behind it gets compromised — or the tech who set it up doesn't even work with you anymore — someone can walk in without ever touching your network.
- Quiet data leakage. Personal cloud clients (Dropbox, personal Drive, MEGA) sync company folders to accounts you don't control. The day that employee leaves, the files leave with them — and you never saw them go.
- Pirated software. A cracked Office or Photoshop brings two problems at once: the installer usually ships with malware, and when a license audit comes, the fine lands on the business, not on whoever installed it.
- Crypto miners and wallet apps. They burn your CPU and your electricity for someone else's benefit, and they tend to come from sources no corporate antivirus would bless.
- Games and personal apps. The smallest security risk on this list, but the most visible productivity drain — and a clear sign that machine accepts installs with zero friction.
None of these send you an email when they arrive. All of them take two minutes to install and stay for months.
The telltale signs of shadow IT in a fleet
Before any tooling, it helps to know what you're looking for. These are the patterns that show up over and over:
| Sign | What it usually means | |---|---| | Remote access tools IT never installed (TeamViewer, AnyDesk, RustDesk) | A leftover backdoor from an old support call, or someone dialing in from home on their own | | Personal cloud clients on machines with customer data | Company files syncing to private accounts | | Odd browsers or VPNs (Tor, free VPNs, proxy tools) | Someone routing around your network controls | | Generic-named processes eating CPU around the clock | A likely crypto miner | | Game launchers (Steam, Epic) on work machines | Personal use, and installs happening unchecked | | Licensed software nobody purchased | Pirated copies, with the legal and malware risk they carry | | Bulk-copy or "recovery" utilities appearing right before a resignation | The classic prelude to data leaving with an employee |
Spotting one of these once isn't a crisis. The dangerous pattern is having no way to spot them at all.
From one-time audits to an inventory that maintains itself
The classic answer to shadow IT is the manual audit: someone walks machine to machine with a checklist and builds a spreadsheet. It works exactly once. A week later somebody installs something, and your spreadsheet is already lying to you.
What you actually need isn't a snapshot — it's a feed:
- A baseline. Know what's installed on every machine today, without walking to any of them.
- An approved list. Decide what software is normal for your operation. It doesn't have to be perfect on day one; it sharpens with use.
- An alert when something new appears. Anything outside the list showing up on a machine should trigger a notification, not wait for next quarter's audit.
- A way to act remotely. Detection without response is just frustration — you need to be able to inspect the machine and remove what shouldn't be there without driving over.
How Argos handles it
Argos puts a lightweight agent on every Windows PC in your fleet, and from that point on, software inventory stops being a project and becomes a number that's always current:
- Per-machine software inventory. From one console you see what every PC in the fleet has installed — no asking anyone for screenshots. "How many machines have AnyDesk?" becomes a ten-second question instead of an afternoon of phone calls.
- Alerts when new software appears. Set up notification rules, and when something outside your approved list lands on a machine, you get pinged over Telegram, email, or webhook. You find out the day it was installed, not the quarter you audited.
- Per-app usage. Not just what's installed, but what's actually running and for how long. A program installed a year ago that nobody opens is noise; one running four hours a day on the accounting PC is a very different conversation.
- Remote response. When something shouldn't be there, you open a remote terminal or take control of the machine and remove it from wherever you are — with a record of who did what.
For the full picture of what the agent watches on each machine — security posture, activity, performance — see the security features page.
A realistic plan for this week
- Install the agent across the fleet and let the inventory fill itself in.
- Go through the resulting list looking for the signs in the table above. Something almost always turns up on day one.
- Decide what stays, what goes, and what gets officially approved. Shadow IT sometimes reveals a real need: if half the company installed the same tool on their own, maybe the company should just provide it.
- Turn on new-software alerts for the sensitive machines first: billing, accounting, management.
- Repeat the full review monthly; the alerts cover everything in between.
Unauthorized software detection FAQ
Is it legal to check what software is installed on employee computers? On company-owned machines, with an acceptable-use policy that's been communicated, software inventory is standard IT administration practice in most jurisdictions. Put it in writing in your internal policy and tell employees it's in place — beyond covering you legally, transparency alone eliminates most shadow IT before it starts.
Does Argos block software from being installed? No — Argos detects and alerts; it doesn't prevent. Blocking installs is done with Windows permissions (accounts without admin rights), and it's a good complement. Visibility comes first for a practical reason: until you know what's out there and what keeps appearing, any blocking policy is guesswork.
What about portable apps that run from a USB stick and never install? That's exactly where inventory alone falls short and per-app usage monitoring completes the picture: Argos sees what applications actually run on each machine, installed or not. A portable executable launched from a temp folder shows up in usage even though it never touched an installer.
Am I going to drown in alerts every time Windows updates something? No — alerts fire on new software outside what's expected, not on version bumps of things already approved. Rules are set per machine or per group, so you can be strict on the billing PC and relaxed on the conference-room machine.
Want to see what an unauthorized-software alert looks like on a real fleet? Open the alerts view in the demo — two minutes to see what you're currently not seeing on your own machines.