Research: Modern Application Installation

Matt B
4 min read · Jan 19, 2017

Today’s post is going to lay the initial foundations into examining artifacts left by Modern UI Windows application installations. For anyone using Windows 8+, you may have also heard the term ‘Metro’. This referred to the current User Interface that encompasses a majority of Microsoft products. Back in 2012, Microsoft said adios to the Metro name, and now uses the Modern UI Style.

Last week, a student asked whether installing an application via Modern leaves the same artifacts as, for example, an MSI installation that may utilize the Windows Installation API. I started doing some research to flesh this process out, and wanted to share some preliminary results.

Selecting an Application

For this test, I’m going to install the Modern version of Slack. Here’s a screenshot of the application information:

Screenshot of Slack Modern Application Information

Let’s go ahead and install this. Windows gives us a few notices as the process continues:

Screenshot of Windows Store showing Slack installation
Screenshot of Windows Message showing Slack installation

Event Log Entries

AppxPackaging/Operational

The first event log I’ll look at is Microsoft-Windows-AppxPackaging%4Operational.evtx. There are two notable entries, Event ID 157 and 170, respectively:

EventID 157 from AppxPackaging/Operational Event Log
EventID 170 from AppxPackaging/Operational Event Log

AppXDeploymentServer/Operational

There are a whole slew of events within this event log related to the Slack installation. The event log name is fairly straightforward, as apps are technically being deployed (more on this later). Here are a few sample EventID 607 entries:

EventID 607 from AppXDeploymentServer/Operational
EventID 607 from AppXDeploymentServer/Operational, 6 seconds later

Here’s a full list of EventIDs from this event log during this process:

List of EventIDs from AppXDeploymentServer/Operational from a Slack installation

There are a few unrelated items; however, the majority of entries correspond to the installation of Slack. The key event IDs appear to be:

  • 400 — The deployment operation on target volume <volume> finished successfully. (I’m not sure if 400 displays successfully vs. failed, or if failed is another EventID. More on this to come later.)
    Screenshot: EventID 400 from AppXDeploymentServer/Operational from a Slack installation
  • 607 — A Deployment operation on a package has been de-queued and is running for <USER>.
    Screenshot: EventID 607 from AppXDeploymentServer/Operational from a Slack installation
  • 613 — An AppxManifest.xml was added to a list of Uris. The corresponding XML file can be found in C:\Program Files\WindowsApps\<application information>
    Screenshot: EventID 613 from AppXDeploymentServer/Operational from a Slack installation
  • 8100 — Validation and setting of Trust Label on package. This and the next entry may be a crucial combo for determining application legitimacy.
    Screenshot: EventID 8100 from AppXDeploymentServer/Operational from a Slack installation
  • 8106 — Trust Label validation results.
    Screenshot: EventID 8106 from AppXDeploymentServer/Operational from a Slack installation
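To turn the AppxPackaging/Operational entries (157, 170) and the AppXDeploymentServer/Operational key events listed above into a single installation timeline, here is an added example script; it is not code from the original post. It assumes both logs were exported as the standard Event XML that Get-WinEvent's ToXml() or "wevtutil qe /f:xml" produce and then wrapped in one root element. The records below are constructed for the demo, and the EventData field names it reads (PackageFullName, User, ManifestPath, Result) are hypothetical placeholders, not the providers' real schema, so map them to the actual field names when you run this against a real export.

```python
"""Correlate AppX installation events into one install timeline.

Added example (not from the original post). Assumes Event XML exports
wrapped in a single root element; EventData field names are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PACKAGING = "Microsoft-Windows-AppxPackaging/Operational"
DEPLOYMENT = "Microsoft-Windows-AppXDeploymentServer/Operational"

# Key event IDs and the meanings the post gives them.
KEY_EVENTS = {
    (PACKAGING, 157): "AppxPackaging entry",
    (PACKAGING, 170): "AppxPackaging entry",
    (DEPLOYMENT, 400): "deployment operation on target volume finished successfully",
    (DEPLOYMENT, 607): "deployment operation de-queued and running",
    (DEPLOYMENT, 613): "AppxManifest.xml added to list of Uris",
    (DEPLOYMENT, 8100): "validation and setting of trust label",
    (DEPLOYMENT, 8106): "trust label validation results",
}


@dataclass
class AppxEvent:
    time: datetime
    channel: str
    event_id: int
    data: dict = field(default_factory=dict)


def parse_systemtime(ts: str) -> datetime:
    """TimeCreated/@SystemTime carries 100 ns digits; trim to microseconds."""
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6])
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)


def parse_events(xml_text: str) -> list:
    """Parse every <Event> under the root element, sorted by creation time."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        events.append(AppxEvent(
            time=parse_systemtime(sysnode.find("e:TimeCreated", NS).get("SystemTime")),
            channel=sysnode.find("e:Channel", NS).text,
            event_id=int(sysnode.find("e:EventID", NS).text),
            data={d.get("Name"): (d.text or "")
                  for d in ev.findall("e:EventData/e:Data", NS)},
        ))
    return sorted(events, key=lambda e: e.time)


def summarize_install(events: list) -> dict:
    """Reduce the key events to the facts an examiner would record."""
    key = [e for e in events if (e.channel, e.event_id) in KEY_EVENTS]
    deploy = [e for e in key if e.channel == DEPLOYMENT]
    # First 607 marks the start (the post shows repeated 607s); last 400 the end.
    started = next((e for e in deploy if e.event_id == 607), None)
    finished = next((e for e in reversed(deploy) if e.event_id == 400), None)
    manifest = next((e for e in deploy if e.event_id == 613), None)
    trust = next((e for e in deploy if e.event_id == 8106), None)
    return {
        "sequence": [e.event_id for e in key],
        "package": started.data.get("PackageFullName") if started else None,
        "user": started.data.get("User") if started else None,
        "manifest": manifest.data.get("ManifestPath") if manifest else None,
        "trust_label_result": trust.data.get("Result") if trust else None,
        "duration_seconds": (finished.time - started.time).total_seconds()
        if started and finished else None,
    }


def unrelated_events(events: list) -> list:
    """Event IDs in the export that the post does not tie to the install."""
    return [e.event_id for e in events if (e.channel, e.event_id) not in KEY_EVENTS]


# Constructed sample export: package name, user, path and 9999 are placeholders.
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>157</EventID><TimeCreated SystemTime="2017-01-19T14:02:10.1234567Z"/><Channel>Microsoft-Windows-AppxPackaging/Operational</Channel></System></Event>
<Event><System><EventID>170</EventID><TimeCreated SystemTime="2017-01-19T14:02:10.5000000Z"/><Channel>Microsoft-Windows-AppxPackaging/Operational</Channel></System></Event>
<Event><System><EventID>607</EventID><TimeCreated SystemTime="2017-01-19T14:02:11Z"/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel></System><EventData><Data Name="PackageFullName">Placeholder.App_1.0.0.0_x64__abcdefgh12345</Data><Data Name="User">DESKTOP-PLACEHOLDER\examiner</Data></EventData></Event>
<Event><System><EventID>613</EventID><TimeCreated SystemTime="2017-01-19T14:02:12Z"/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel></System><EventData><Data Name="ManifestPath">C:\Program Files\WindowsApps\Placeholder.App_1.0.0.0_x64__abcdefgh12345\AppxManifest.xml</Data></EventData></Event>
<Event><System><EventID>9999</EventID><TimeCreated SystemTime="2017-01-19T14:02:13Z"/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel></System></Event>
<Event><System><EventID>8100</EventID><TimeCreated SystemTime="2017-01-19T14:02:14Z"/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel></System></Event>
<Event><System><EventID>8106</EventID><TimeCreated SystemTime="2017-01-19T14:02:15Z"/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel></System><EventData><Data Name="Result">constructed-result</Data></EventData></Event>
<Event><System><EventID>400</EventID><TimeCreated SystemTime="2017-01-19T14:02:17Z"/><Channel>Microsoft-Windows-AppXDeploymentServer/Operational</Channel></System></Event>
</Events>"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for k, v in summarize_install(evs).items():
        print(f"{k}: {v}")
    print("unrelated:", unrelated_events(evs))
```

The summary gives you the order in which the key IDs fired, the gap between the first 607 and the final 400, and whatever the 8106 record says about the trust label, which is the pairing the post flags as the most useful for judging package legitimacy; anything that falls outside the key set is listed separately so the "unrelated items" can be triaged rather than silently ignored.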

APPX Files

If you’ve been following the event logs above, you’ll notice that all of these entries are stored in the AppX event logs. This is due to the use of the AppX file format, which Modern applications are “contained in”. This file format was introduced with Windows 8, and represents an app package that is “efficient to package, install, and update”. As expected, with this new format and packaging method, we are provided a new set of event logs to analyze as well.

I’m going to continue digging out this process and detailing it sequentially, including the records of other AppX event logs. Expect subsequent posts on this format as I continue building this out.

Until tomorrow, Happy Forensicating!
