Two categories of things you can do. Implement allow listing of software to only allow authorized things to run. Inventory all installed software, and review what is running.
Allow listing is a large project, and not many accomplish it, but it will reliably improve your security and compliance with software licensing. AppLocker or Windows Defender Application Control are not the only implementations out there, but Server Fault is not for recommendations; you'll have to find something that fits your needs.
Obviously people still need software to do their jobs, so a major part of the allow list implementation is letting them do so. Get input from people, and make it easy to approve software they want. Perhaps start gradually by blocking anything signed by Oracle, but allow most other things. Ideally, eventually get to the point where all software providers are known, and anything unknown is blocked.
Locking down known install paths is a weak defense. Clever users may get around this by using portable binaries in another location. Or the software has some versioned path that keeps updating. If you are attempting something high maintenance anyway, might as well consider getting tools that will allow full control and visibility over what runs.
As to inventory, find some method of listing all installed packages on hosts. Review these, and identify platforms. You mentioned Java; you can make a policy where Java apps will use a preferred OpenJDK build, and keep it updated.
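
One way to start the inventory and "review what is running" steps on a single Windows host, as an added example that is not part of the original answer. The variable names and the `Oracle` watch string (taken from the answer's own example) are assumptions, and processes whose path is not readable without elevation are skipped.

```powershell
# Added example: inventory installed software and running binaries by publisher/signer.
$WatchPublisher = 'Oracle'   # assumption: the publisher the answer suggests blocking first

# 1. Installed software from the per-machine uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation |
    Sort-Object Publisher, DisplayName -Unique

# 2. Executables behind running processes, with their Authenticode signer.
$running = Get-Process |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_
        [pscustomobject]@{
            Path   = $_
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }

# 3. Review lists. Binaries running outside the standard install roots are the
#    "portable binary in another location" case that path-based rules miss.
$notValid = $running | Where-Object { $_.Status -ne 'Valid' }
$offPath  = $running | Where-Object {
    $_.Path -notlike "$env:ProgramFiles\*" -and
    $_.Path -notlike "${env:ProgramFiles(x86)}\*" -and
    $_.Path -notlike "$env:SystemRoot\*"
}
$watchedInstalled = $installed | Where-Object { $_.Publisher -like "*$WatchPublisher*" }
$watchedRunning   = $running   | Where-Object { $_.Signer    -like "*$WatchPublisher*" }

"Installed packages: $(@($installed).Count)"
"Running binaries without a valid signature: $(@($notValid).Count)"
"Running binaries outside standard install roots: $(@($offPath).Count)"
"Installed by $WatchPublisher`: $(@($watchedInstalled).Count); running and signed by it: $(@($watchedRunning).Count)"

# Group installed software by publisher to build the list of known providers.
$installed | Group-Object Publisher | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```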