Windows Store and Apps (APPX) Analysis
While attending the Magnet User Summit in Nashville, I had the opportunity to sit in on fascinating talks and labs. One of my favorites was the talk about Universal Windows Apps given by our very own Professor Yogesh Khatri and Jack Farley. As somebody who knew next to nothing about UWP apps, I was both impressed and surprised by Microsoft. Let’s talk about some of the highlights!
UWP Apps Pros and Cons
Firstly, what is a UWP app? The Universal Windows Platform is Microsoft’s vision for the future of Windows apps. This vision evolved to include the HoloLens and IoT devices in the equation for one SDK and one user experience. You may not think you use these, but the Windows 10 photo viewer, calculator, and settings menu are UWP apps.
The Microsoft Store securely delivers apps. This helps to ensure the integrity and authenticity of Windows apps. The app packages are also sandboxed, have very limited access to the win32 API, and no access to the registry or computer filesystem outside of their own container folder. That’s where Microsoft surprised me—sandboxing has been a hallmark of Mac App Store apps for years, and it’s great to see this essential security feature come to Windows.
You can manage permissions for these apps and these permissions are called “capabilities”. The apps are also all neatly organized into their own folders, each with a unique directory name. And this is where I am not at all surprised by Microsoft: there are FOUR different naming schemes for these apps and each scheme is used in a different place. This is the sort of confusing and complicated design choice that I would expect of the people who brought us… well, Windows. Further, to interact outside of their folder, they need to link to another process on the system called RuntimeBroker. This seems like a sloppy implementation since there will probably be numerous different RuntimeBrokers running at any given time.
App Use and Functionality
As for what sorts of artifacts you can find in these container folders, if there is any internet functionality in the app, there will be cookies, history, and so on. There are also folders for files that are synced across Microsoft accounts and a cache for large files that the app can recreate but would rather not.
These apps function like mobile apps in that when they are inactive, they are suspended to conserve resources. The threads are stopped but the app stays in memory (unless Windows needs the memory for something else). Memory pages are stored in C:\swapfile.sys if they need to be set aside for a while. It’s possible that these pages will be compressed.
There was a lot more to talk about, too: what’s leftover after an app is uninstalled (lots of registry stuff!), how you can get lists of installed apps, and so on. The slides and tools from the presentation can be found at https://github.com/ydkhatri/Appx-Analysis if you want to learn more.
I am grateful to have had the opportunity to attend this talk and many others at the conference. Thank you to the LCDI and Magnet Forensics for making this possible!