This post contains some of the knowledge I use to work with Windows installation packages or any setup-like binary.
Be warned, here be dragons 😁
Foreword
If you’re creating an installer, I urge you to provide an MSI or MSIX installer, on behalf of everyone who has to deploy your application (for example via Microsoft Intune, Configuration Manager, an RMM solution, etc). It makes the job a lot easier.
Also if you do provide an MSI installer, make sure that it can run without UI in an uninteractive session. You can verify this by running it with psexec.exe -s msiexec.exe /i setup.msi /qn /norestart. If /qn is unsupported (/qb is required), please rethink and change your MSI installer to make this work. If you don’t, the target audience for this guide usually have to make some really ugly workarounds or re-create your installer.
A word of warning about unknown binaries
When working with binaries you don’t entirely trust, always run them in a virtual machine or Windows Sandbox.
This applies both to setup/installer binaries as well as tool binaries.
This also applies when not directly executing a setup/installer file. Some of the tools mentioned may end up executing (parts of) the setup/installer files.
Installation frameworks
There are many frameworks available to create Windows installation packages. While I wish everyone would just use MSI or MSIX, this is not happening any time soon.
Why? InstallShield was established in 1992. Windows Installer 1.0 was first released in 1999. Go figure.
The list below contains:
- information about the frameworks
- command-line switches for performing silent/unattended installs
- tools for inspecting, editing or extracting installers
- (re-)packaging tools or universal tools are not included in this list, as they often support multiple installer frameworks (they get their own list below)
List of common installation frameworks
Ordered by ease of use for unattended application deployment.
Microsoft Intune (.intunewin)
Packaging
- Microsoft-Win32-Content-Prep-Tool (GitHub)
Extraction
- IntuneWinAppUtilDecoder (GitHub)
Microsoft App Installer (.msix, .appx, .appxbundle)
Packaging
- MSIX Packaging Tool (MS Store)
Extraction
- 7-Zip (Website) - download 7-Zip Extra to obtain
7za.exe, a command-line tool
Silent/unattended install
Add-AppxPackage
Add-AppxProvisionedPackageMicrosoft Windows Installer (.msi)
Inspection/editing tools
-
Orca.exe
(Microsoft Learn) -
InstEd
(Website)
Extraction
msiexec.exe /a C:\path\to\setup.msi /qb TARGETDIR=C:\path\to\extractedSilent/unattended install
msiexec.exe /i setup.msi /qn /norestartFireGiant Windows Installer XML (WiX) Toolset v4+ (.exe/.msi)
Extraction
-
wix.exe extract(download - wix-cli-x64.msi)
Silent/unattended install
setup.exe /quiet /norestartFireGiant Windows Installer XML (WiX) Toolset v3 (.exe/.msi)
Extraction
-
dark.exe+winterop.dll+wix.dll(download)
Silent/unattended install
setup.exe /quiet /norestartInno Setup (.exe)
Extraction
- innounp (Website) (Sourceforge)
- innoextract (Website) (GitHub)
Silent/unattended install
setup.exe /verysilent /norestartNullsoft Scriptable Install System (NSIS) (.exe)
Extraction
- 7-Zip (Website) - download 7-Zip Extra to obtain
7za.exe, a command-line tool
Silent/unattended install
setup.exe /S /NCRC
Revenera InstallShield (.exe/.msi)
(formerly Flexera, Acresso, Macrovision, Stirling Technologies)
(Website) (Wikipedia)
(Website) (Wikipedia)
Extraction
- ISx (GitHub)
- isxunpack (Internet Archive)
- unshield (GitHub)
Silent/unattended install
setup.exe /s /smsInstallShield with MSI (.msi in .exe)
Silent/unattended install
setup.exe /s /v"/qn /norestart"Milestone Systems Installer (.exe)
History
- (2019 - 2023): WiX self-extracting setup archive (MSI in EXE)
- (2024 - present): Custom installer, .zip resource inside a .NET assembly
Extraction
$assembly = [Reflection.Assembly]::LoadFile("setup.exe")
$resourceStream = $assembly.GetManifestResourceStream("VideoOS.Installer.Setup.InitialData.EmbeddedZip")
$fileStream = New-Object -TypeName System.IO.FileStream -ArgumentList @("setup_extracted.zip","OpenOrCreate")
$resourceStream.CopyTo($fileStream)
$fileStream.Close()Qt Installer Framework
Detecting which framework an installer uses (if any)
A fast method that sometimes works is to just open the binary in 7-Zip and see what happens. If you just see the PE sections (.text, .rsrc and such), move on to another detection method.
The best way to do this is probably using a YARA scanner along with some YARA rules. For example:
Another very common way to do this is with signature-scanning tools like PEiD.exe or exeinfope.exe...
(Re-)packaging tools
- Advanced Installer (Website)
- InstallAware (Website)
- PowerShell App Deployment Toolkit (PSADT) (Website) (GitHub)
Reverse engineering
Sometimes an installer is entirely custom-made, not using a framework at all. For example, see the Milestone Systems Installer mentioned above.
If you’re lucky, your custom installer just contains an embedded MSI or ZIP file.
Figuring out a custom installer sometimes requires breaking it apart with some reverse engineering.
Tools for reverse engineering
This is my list of recommended tools for reverse engineering.
There are many like it, but this one is mine.
- .NET assembly editor: dnSpyEx (GitHub)
- .NET deobfuscator: de4dot (GitHub)
- x86/x86_64 disassembler: Ghidra (GitHub)
- Dependency Walker (Website), or a newer alternative, Dependencies (GitHub)
- Resource Hacker (Website)
- Sysinternals Process Explorer (Microsoft Learn), alternatively System Informer, formerly known as Process Hacker (Website)
- Sysinternals Process Monitor (Microsoft Learn)
