> [!IMPORTANT]
> This tool is experimental and requires full control of your PC. Please DO NOT use it in a production environment, especially the mutation functionality, which is not properly tested yet.

The Windows Servicing Stack is the main infrastructure involved in updating Windows internal components (generally).
UFCase (Utility Functions Case) provides overall enumeration (and possibly deployment in the future) of multi-level abstractions of these Windows components.
The article Understanding Component-Based Servicing provides an overview of the Servicing Stack and how it roughly works when an update is installed or removed.
I'll publish breaking changes for UFCase in the GitHub releases, and the CI will upload nightly build artifacts of the newest commit. Go to GitHub Actions, click the commit you prefer and download `UFCase_portable.zip` from the `Artifacts` row.
All the descriptions below are woven from my own understanding. For your information only.
Firstly, let's take a look at the underlying mechanisms, which interact with our well-known filesystems and registry.
- `urn:schemas-microsoft-com:asm.v[1~3]`. This article Manifest File Schema
- `SxS` expands to `Side by Side`, denoting that components with multiple versions can live within your system side by side.
- `%WINDIR%\WinSxS`
- `HKEY_LOCAL_MACHINE\COMPONENTS` from `%WINDIR%\System32\config`
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide`
- `wcp.dll` from servicing stack, is a native implementation of assembly store, or technically "Isolation Interface". Correspondingly, .NET Framework used to have its own isolation implementation. Many DLLs probably had a version that implemented isolation, including `sxs.dll`, `isowin32.dll`, `isoman.dll`, `clr.dll`, `coreclr.dll`, and even `ntdll.dll`.

Now let's change our point of view to the upper layers. After the Updates (Windows Update) are downloaded into the `SoftwareDistribution`, what information do they take and which contents do they ship?
- `*.msu`. The `.msu` file archives some other `.cab` recursively - some contain metadata (`CompDB` or `OfflineSyncPackage`), some are the payloads, which are in fact called "Package".
- `Dism /Online /Get-Packages`. The package has many available formats. Some well-known technologies like msdelta, a delta package format, are used on it. But again and again... all of them have two parts: manifest and payload. The manifest of packages ends with `.mum`, describing:
  - `component` element, which is an ordinary WinSxS assembly component
  - `package` element, which refers to another package
  - `driver` element, which is a driver
- `Dism /Online /Get-Capabilities`. Capabilities are generally a bunch of packages. They are not present on your disk at first, and can be downloaded from the Windows Update server.
- `Microsoft-Windows-Foundation-Package`, and can be queried by `Dism /Online /Get-Features`. These features are staged in WinSxS but not usable directly. If you need one, you can enable it without a network connection.

I'm completing an unofficial schema documentation of general isolation manifests. The current progress is under the directory `./docs`. And the main page is here.
If you are interested, contributions are welcome. Just use UFCase to inspect manifests of packages and components, and fill in the unknown elements with your inference. It would be better if you can attach full-text XML manifests.
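
As a starting point for that kind of inspection, here is an added example (not UFCase's code) that lists the `component`, `package` and `driver` references a `.mum` package manifest describes. The sample manifest is constructed, and its layout (`assembly` > `package` > `update` > reference, each reference holding an `assemblyIdentity`) is an assumption about the undocumented schema.

```python
import xml.etree.ElementTree as ET

KINDS = ("component", "package", "driver")
ASM_NS_PREFIX = "urn:schemas-microsoft-com:asm.v"  # v1 to v3, per the text above

def _ident(name, version):  # helper used only to build the constructed sample
    return ('<assemblyIdentity name="%s" version="%s" processorArchitecture="amd64" '
            'language="neutral" publicKeyToken="0000000000000000"/>' % (name, version))

# Constructed sample, not a real Windows package. The element layout
# (assembly > package > update > reference) is an assumption.
SAMPLE_MUM = (
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">'
    + _ident("Example-Package", "1.0.0.0")
    + '<package identifier="EXAMPLE" releaseType="Update"><update name="Example-Update">'
    + "<component>" + _ident("example-component", "1.0.0.1") + "</component>"
    + "<package>" + _ident("Example-Child-Package", "1.0.0.0") + "</package>"
    + "<driver>" + _ident("example-driver.inf", "1.0.0.2") + "</driver>"
    + "</update></package></assembly>"
)

def references(mum_text):
    """Return {kind: [(name, version), ...]} for the references a .mum declares."""
    if "<!DOCTYPE" in mum_text:
        # Manifests need no DTD; refusing one avoids entity-expansion tricks.
        raise ValueError("unexpected DOCTYPE in manifest")
    root = ET.fromstring(mum_text)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if not ns.startswith(ASM_NS_PREFIX) or not root.tag.endswith("}assembly"):
        raise ValueError("not an isolation manifest: %r" % root.tag)
    found = {kind: [] for kind in KINDS}
    for update in root.iter("{%s}update" % ns):
        for ref in update:  # direct children only: the references themselves
            kind = ref.tag.rsplit("}", 1)[-1]
            ident = ref.find("{%s}assemblyIdentity" % ns)
            if kind in KINDS and ident is not None:
                found[kind].append((ident.get("name"), ident.get("version")))
    return found

if __name__ == "__main__":
    for kind, refs in references(SAMPLE_MUM).items():
        for name, version in refs:
            print("%-9s %s %s" % (kind, name, version))
```

The package's own top-level `assemblyIdentity` is deliberately not reported, since only the children of `update` count as references here.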
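Priority undetermined.

- `IReferenceIdentity` input box
- Files -> Components
- Registry -> Components
- Component -> Packages

Long term:

- `NtRegOpenKey`, but I don't have time to investigate kernel internals.
- `GITObject`.
- `PackagedCOM`. The COM objects registered by a packaged UI process are NOT visible to elevated processes. See microsoft/WindowsAppSDK #567 for details. I don't know whether DynamicDependency can provide some help -- I'll give it a try in the future.

So I decided to leave UFCase an unpackaged app for now. I surely prefer MSIX packaging, and UFCase is still packageable except for having the first payload path bug. If you need an MSIX package of the newest build, please feel free to contact me.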
. The COM objects registered by packaged UI process is NOT visible to elevated processes. See microsoft/WindowsAppSDK #567 for details. I don't know whether DynamicDependency can provide some helps -- I'll give a try in future.So I decided to leave UFCase an unpackaged app for now. I surely prefer MSIX packaging, and UFCase is still packagable except for having the first payload path bug. If you have need for a msix package of the newest build, please feel free to contact me.