Matt B

Jan 19, 2017

Research: Modern Application Installation

Today’s post lays the initial foundations for examining the artifacts left behind by Modern UI Windows application installations. If you use Windows 8 or later, you may also have heard the term ‘Metro’. That name referred to the user interface style that now spans the majority of Microsoft products. Back in 2012, Microsoft said adios to the Metro name and now calls it the Modern UI Style.

Last week, a student asked whether installing an application via Modern leaves the same artifacts as, for example, an MSI installation that uses the Windows Installation API. I started doing some research to flesh this process out, and wanted to share some preliminary results.

Selecting an Application

For this test, I’m going to install the Modern version of Slack. Here’s a screenshot of the application information:

Let’s go ahead and install this. Windows gives us a few notices as the process continues:

Event Log Entries

AppxPackaging/Operational

The first event log I’ll look at is Microsoft-Windows-AppxPackaging%4Operational.evtx. There are two notable entries, Event ID 157 and Event ID 170:

AppXDeploymentServer/Operational

There are a whole slew of events within this event log related to the Slack installation. The event log name is fairly straightforward, as apps are technically being deployed (more on this later). Here are a few sample entries for Event ID 607:

Here’s a full list of EventIDs from this event log during this process:

There are a few unrelated items; however, the majority of entries correspond to the installation of Slack. The key event IDs appear to be:

  • 400 — The deployment operation on target volume <volume> finished successfully. (I’m not sure if 400 displays successfully vs. failed, or if failed is another EventID. More on this to come later).
  • 607 — A Deployment operation on a package has been de-queued and is running for <USER>
  • 613 — An AppxManifest.xml was added to a list of Uris. The corresponding XML file can be found in C:\Program Files\WindowsApps\<application information>
  • 8100 — Validation and setting of Trust Label on package. This and the next entry may be a crucial combo for determining application legitimacy.
  • 8106 — Trust Label validation results.
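To turn the list above into something you can run against a host (or an exported .evtx) during triage, here is an added PowerShell example that is not part of the original post. It pulls only the key Event IDs from the AppXDeploymentServer/Operational channel and prints them as a time-ordered table. The channel name is the live equivalent of the .evtx file name (the `%4` in an exported file name is the `/` of the channel name); the package-name regex is a loose match on the `Name_Version_Arch__PublisherId` format AppX uses and is an assumption about how the messages are worded, not a parser for them.

```powershell
# Added example (not from the original post): list the key AppX deployment events
# from a live host or an exported .evtx as a compact, time-ordered timeline.

param(
    # Optional path to an exported Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.
    # When omitted, the live channel on this host is queried.
    [string]$EvtxPath,
    # Event IDs identified in the post as the key deployment events.
    [int[]]$EventIds = @(400, 607, 613, 8100, 8106)
)

$filter = @{ Id = $EventIds }
if ($EvtxPath) {
    $filter['Path'] = $EvtxPath
} else {
    $filter['LogName'] = 'Microsoft-Windows-AppXDeploymentServer/Operational'
}

# Get-WinEvent returns newest-first; sort so the timeline reads top-down.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

foreach ($e in $events) {
    # Best-effort extraction of the package full name (e.g. Name_1.2.3.0_x64__<13-char id>)
    # from the rendered message. This is a loose pattern, not a full identity parser.
    $pkg = if ($e.Message -match '([A-Za-z0-9\.\-]+_[\d\.]+_[a-z0-9]+__[a-z0-9]{13})') { $Matches[1] } else { '' }

    [pscustomobject]@{
        Time    = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss.fff')
        Id      = $e.Id
        User    = $e.UserId          # SID of the account the operation ran for (the <USER> in 607)
        Package = $pkg
        Summary = ($e.Message -split "`r?`n")[0]   # first line of the message only
    }
}
```

One caveat when working from an exported .evtx on an analysis machine: `Message` is rendered from the provider's message resources, so if the AppXDeploymentServer provider is not registered on the box doing the parsing the `Message` field can come back empty and only the raw event XML (`$e.ToXml()`) will carry the details.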

APPX Files

If you’ve been following the event logs above, you’ll notice that all of these entries are stored in the AppX event logs. This is due to the use of the AppX file format, which Modern applications are “contained in”. This file format was introduced with Windows 8, and represents an app package that is “efficient to package, install, and update”. As expected, with this new format and packaging method, we are provided a new set of event logs to analyze as well.
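Since Event ID 613 points at the AppxManifest.xml under C:\Program Files\WindowsApps, the following added PowerShell example (not from the original post) shows how to read that manifest for an installed package and summarise what it declares alongside the signature kind Windows recorded for it. It uses the `Appx` module's `Get-AppxPackage` and `Get-AppxPackageManifest` cmdlets; the default name filter assumes the Slack package used in the post and is an assumption, not something the post states.

```powershell
# Added example (not from the original post): for each installed AppX package matching
# a name pattern, read its AppxManifest.xml and summarise identity, signature kind and
# declared capabilities. Run elevated with -AllUsers to see other accounts' packages.

param(
    # Wildcard on the package name; '*Slack*' is an assumed default for this post's example.
    [string]$NameFilter = '*Slack*',
    [switch]$AllUsers
)

Import-Module Appx -ErrorAction Stop

$packages = if ($AllUsers) {
    Get-AppxPackage -AllUsers -Name $NameFilter
} else {
    Get-AppxPackage -Name $NameFilter
}

foreach ($pkg in $packages) {
    # Get-AppxPackageManifest returns the parsed AppxManifest.xml; PowerShell's XML
    # adapter lets us walk it by element name without handling namespaces explicitly.
    $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction SilentlyContinue
    $identity = $manifest.Package.Identity

    # Capabilities live under several namespaces (Capability, uap:Capability,
    # rescap:Capability, DeviceCapability); read the Name attribute of each child node.
    $caps = @($manifest.Package.Capabilities.ChildNodes | ForEach-Object { $_.GetAttribute('Name') })

    [pscustomobject]@{
        PackageFullName   = $pkg.PackageFullName
        Name              = $identity.Name
        Publisher         = $identity.Publisher
        Version           = $identity.Version
        # SignatureKind is Store, Developer, Enterprise, System or None. A non-Store kind
        # on something presented as a Store app is a useful lead when checking legitimacy.
        SignatureKind     = $pkg.SignatureKind
        IsDevelopmentMode = $pkg.IsDevelopmentMode
        InstallLocation   = $pkg.InstallLocation
        ManifestPath      = Join-Path $pkg.InstallLocation 'AppxManifest.xml'
        Capabilities      = ($caps -join ', ')
    }
}
```

The `ManifestPath` value is the same file the 613 event refers to, so the output can be lined up directly against the deployment timeline: a package whose manifest identity or publisher does not match what the deployment events recorded, or whose signature kind is not what you expect, is worth a closer look.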

I’m going to continue digging out this process and detailing it sequentially, including the records of other AppX event logs. Expect subsequent posts on this format as I continue building this out.

Until tomorrow, Happy Forensicating!