Does it sound familiar if I say that you have created a Win32 app in the past, but you didn’t save the configuration/source files, which means that you can’t modify this particular Win32 app? Don’t worry; at least we both dealt with this scenario. In this blog, I will explain how to extract Win32 apps (.intunewin-file) so you can access the original source files.
To get an overview of the configuration files used to package the Win32 app, follow the instructions below to download and extract the Intunefile.
Update 23-03-2022: After receiving feedback from the community, I worked with some community members to find a new way to extract Win32 apps. Below you will find the new method. Keep in mind that this method isn't as clean as the one it replaces; use it only when you really need the package.
Extract Win32 apps
I reached out to Rudy Ooms on LinkedIn to check if there could be a similar way to extract Win32 apps. I have shared some necessary information on how this went in the past and some information regarding MDM certificates. In addition, he wrote a blog post on how this process completely works.
With this said, he started his research, and we came to the conclusion that the Win32 app being downloaded is decrypted and zipped in the C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging folder. After the installation, the SYSTEM account deletes these files immediately. We have now published a script and an executable that temporarily deny the SYSTEM account the permission to delete this zipped file with the source files. You can download the script from my GitHub repo.
Step 1: Download the script or executable
Step 2: Run the executable as an Administrator
Step 3: You will receive a pop-up that warns you that the SYSTEM account permissions will be denied on the IMECACHE folder when pressing OK. At this point, click on OK.
Step 4: We will now receive a pop-up that asks us to open the Company Portal and install the desired app. At this stage, do not click on OK or cancel until you have installed the application. It should give you the status “Failed to install” in the company portal (since it does not have the correct permissions). Now click on OK. At this point, you can browse to the C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging folder and see the app ID with the source files. Do not copy this file yet.
Note: If you have clicked on Cancel, it will restore the SYSTEM permissions.
Step 5: Now that we have seen the source files, we want to copy these. Click on OK. The C:\Install\Intune folder should pop up with the (zipped) source files.
Step 6: After the folder pops up, click on OK to restore the permissions.
If you want to install the appropriate application, you can click on Retry in the Company Portal app to download and install it. When you want to download the source files from an application that’s already installed, simply remove the application and follow Step 1.
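The method above works by placing a Deny entry for SYSTEM on the staging folder and removing it again when you click OK or Cancel. If the executable is stopped before it restores the permissions (for example when it is quarantined by antivirus while running), the Deny entry stays behind and every later Win32 app install keeps failing. The following PowerShell snippet is an added example, not the script from the blog or the GitHub repo: it lists any Deny entry for the SYSTEM account on the staging folder named above and, with -Repair, removes the explicit ones. Run it in an elevated PowerShell session; the folder path is the one the post names, and the SID S-1-5-18 is the well-known SID for NT AUTHORITY\SYSTEM.

```powershell
# Added example, not the blog's extractwin32 script: report (and optionally remove)
# any Deny entry for the SYSTEM account on the IME staging folder. Run elevated.
param([switch]$Repair)

# Path as named in the blog post; the IME creates it on the first Win32 app download.
$Staging = 'C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging'
if (-not (Test-Path -LiteralPath $Staging)) { throw "Staging folder not found: $Staging" }

# Well-known SID for NT AUTHORITY\SYSTEM, so the check does not depend on the display name.
$SystemSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')

$acl = Get-Acl -LiteralPath $Staging
$denies = @($acl.Access | Where-Object {
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $SystemSid
})

foreach ($ace in $denies) {
    Write-Warning ("SYSTEM is denied '{0}' on {1} (inherited: {2})" -f
        $ace.FileSystemRights, $Staging, $ace.IsInherited)
}

if ($denies.Count -eq 0) {
    Write-Host "No Deny entries for SYSTEM on $Staging; Win32 app staging should work normally."
}
elseif ($Repair) {
    # Only explicit (non-inherited) entries can be removed here; an inherited Deny
    # comes from a parent folder and has to be fixed there.
    foreach ($ace in ($denies | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $Staging -AclObject $acl
    Write-Host "Removed explicit Deny entries for SYSTEM; retry the app from the Company Portal."
}
```

Save it as, for example, Check-ImeStagingAcl.ps1 and run .\Check-ImeStagingAcl.ps1 to inspect, or .\Check-ImeStagingAcl.ps1 -Repair to restore the permissions. A Deny entry for SYSTEM on this folder is also a useful thing to alert on in your endpoint monitoring, since nothing in a normal Intune deployment ever sets one.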
Update 03-03-2022: Unfortunately, we can’t get the relevant information through the log files anymore. I will update the blog as soon as there is a solution. You can still extract your Win32 file if you have the .intunewin file.
The old method of unpacking and decrypting a Win32 file.
First, I would like to give my kudos to Oliver Kieselbach for making this script and executable available. The PowerShell script that we are using will read the most recent Intune Management Log file, which is saved under the location C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log. Within this log file, we have all the necessary information to download and decrypt the Intunefile. This log file contains the URL that allows us to download the Intunefile as a .bin file. Keep in mind that you still need to follow the below steps to extract Win32 apps after downloading this file. This script doesn’t have to be run if you already have the Intunefile stored on your client.
* Decrypting is only needed when the .intunewin-file is downloaded directly from the tenant.
How to extract your Win32 apps?
If you don’t have the Intunefile available on your client anymore, make sure to have a compliant and enrolled device available where the Win32 app that you are trying to extract is installed. This is a requirement to download the Win32 app directly from your tenant. The steps for downloading the app are explained in Step 1 through Step 4. If you already have the Intunefile available, proceed to Step 5.
Step 1: Download the most recent version of the PowerShell script that gathers all the information for our Intunefile. The script can be downloaded from here.
Step 2: As soon as you have downloaded the script, start PowerShell as an administrator and browse to the location where the PowerShell script is stored. In my case, it is stored under “C:\Script\Decoder.”
Step 3: Execute the PowerShell script to get an overview of the installed apps on the client. Make sure that the app is deployed on the client to get the Win32 app available in this overview.
PS C:\Script\Decoder> .\Get-DecryptInfoFromSideCarLogFiles.ps1
Step 4: Copy the URL marked in yellow to your browser session and download the .bin file.
If you don’t know which of the URLs contains your application, I would suggest you download all the files and extract them locally.
Step 5: Now that we have the Intunefile, we need to extract it. This can be done with the program IntuneWinAppUtilDecoder.
Step 6: Paste the downloaded IntuneWinAppUtilDecoder.exe file into the same location where the PowerShell script was saved. In my case, this is “C:\Script\Decoder” again.
Step 7: Depending on whether your Intunefile was just downloaded or you already had it available, run one of the three commands below to extract the Win32 app. If you just downloaded your Intunefile from your tenant, remove the .bin extension and run the command labelled “With keys.” The keys can be found in the output you received after running Step 3. If you already have your Intunefile, use the “Interactive” or “Silent” command to extract it.
If you didn’t decrypt your .intunewin file and you try to run the interactive command, you will receive the error “Can not open file (filename) as an archive.”
Interactive: IntuneWinAppUtilDecoder.exe "C:\Temp\MyWin32Package.intunewin"
Silent: IntuneWinAppUtilDecoder.exe "C:\Temp\MyWin32Package.intunewin" /s
With Keys: IntuneWinAppUtilDecoder.exe "C:\Temp\EncryptedMyWin32Package.intunewin" /key:AbC= /iv:XyZ==
In my case, I wanted to extract an Intunefile that I just downloaded directly from my tenant, so I ran the following command:
PS C:\Script\Decoder> .\IntuneWinAppUtilDecoder.exe .\12033f08-b323-4e57-96ad-8c0b022f3ac6.intunewin /key:+9jy....Y= /iv:eu/1o....A==
This gave me a new output file with the .decoded extension. Now you can use 7-Zip to open the file.
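For the “Interactive” and “Silent” cases above, the decoder does not need a key on the command line because an .intunewin package carries its own keys in its metadata. The PowerShell below is an added example, not IntuneWinAppUtilDecoder’s code: it opens the package as a zip, reads the EncryptionKey, MacKey and IV from Detection.xml, checks the HMAC before touching the ciphertext, and writes the decrypted zip so you can open it with 7-Zip as in the post. It assumes the package layout the open-source decoder implements (zip entries IntuneWinPackage/Metadata/Detection.xml and IntuneWinPackage/Contents/<FileName>; content blob of 32-byte HMAC-SHA256, then 16-byte IV, then AES-256-CBC ciphertext, with the HMAC computed over IV plus ciphertext); Microsoft does not document that format, so treat the layout as an assumption. It does not cover the .bin file downloaded from the tenant, which has no Detection.xml; that is the “With keys” case. The practical lesson is the reason the check exists: anyone who holds the .intunewin file can read its contents, so a Win32 package is not a place for passwords or tokens.

```powershell
# Added example, not IntuneWinAppUtilDecoder's own code: verify and decrypt an
# .intunewin package with the keys it carries in its Detection.xml.
# Assumed layout (as implemented by the open-source decoder; not documented by Microsoft):
#   zip:  IntuneWinPackage/Metadata/Detection.xml and IntuneWinPackage/Contents/<FileName>
#   blob: [32-byte HMAC-SHA256][16-byte IV][AES-256-CBC ciphertext, PKCS7 padding]
#   HMAC (key = MacKey) covers IV + ciphertext.
param(
    [Parameter(Mandatory)][string]$Package,
    [string]$OutFile = ($Package -replace '\.intunewin$', '.decoded.zip')
)
Add-Type -AssemblyName System.IO.Compression.FileSystem

$zip = [System.IO.Compression.ZipFile]::OpenRead($Package)
try {
    $metaEntry = $zip.GetEntry('IntuneWinPackage/Metadata/Detection.xml')
    if (-not $metaEntry) { throw "No Detection.xml in $Package; is it an .intunewin file?" }
    $reader = [System.IO.StreamReader]::new($metaEntry.Open())
    try { [xml]$detection = $reader.ReadToEnd() } finally { $reader.Dispose() }

    $info = $detection.ApplicationInfo.EncryptionInfo
    $contentEntry = $zip.GetEntry("IntuneWinPackage/Contents/$($detection.ApplicationInfo.FileName)")
    if (-not $contentEntry) { throw 'Encrypted content entry missing from package' }

    # Whole blob in memory; fine for typical packages, switch to streams for very large ones.
    $buffer = [System.IO.MemoryStream]::new()
    $stream = $contentEntry.Open()
    try { $stream.CopyTo($buffer) } finally { $stream.Dispose() }
    [byte[]]$blob = $buffer.ToArray()
}
finally { $zip.Dispose() }

if ($blob.Length -lt 48) { throw 'Content too short to hold MAC + IV' }
[byte[]]$storedMac = $blob[0..31]
[byte[]]$iv        = $blob[32..47]
[byte[]]$cipher    = [byte[]]::new($blob.Length - 48)
[System.Array]::Copy($blob, 48, $cipher, 0, $cipher.Length)

# Integrity first: a tampered or truncated blob must not reach the decryptor.
$hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($info.MacKey))
[byte[]]$calcMac = $hmac.ComputeHash($blob, 32, $blob.Length - 32)
if ([BitConverter]::ToString($calcMac) -ne [BitConverter]::ToString($storedMac)) {
    throw 'HMAC mismatch: content does not match the MacKey in Detection.xml'
}
if ([Convert]::ToBase64String($iv) -ne $info.InitializationVector) {
    Write-Warning 'IV stored with the content differs from Detection.xml; using the content IV'
}

$aes = [System.Security.Cryptography.Aes]::Create()
$aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes.Key     = [Convert]::FromBase64String($info.EncryptionKey)
$aes.IV      = $iv
$decryptor = $aes.CreateDecryptor()
[byte[]]$plain = $decryptor.TransformFinalBlock($cipher, 0, $cipher.Length)
[System.IO.File]::WriteAllBytes($OutFile, $plain)
Write-Host "Wrote $($plain.Length) bytes to $OutFile (open it with 7-Zip, as in the post)"
```

Usage: .\Decode-IntuneWin.ps1 -Package 'C:\Temp\MyWin32Package.intunewin' writes C:\Temp\MyWin32Package.decoded.zip next to the input. The HMAC is checked before decryption on purpose: with CBC and PKCS7 padding, decrypting unauthenticated data first would turn a corrupt or modified file into a confusing padding error instead of a clear integrity failure.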
I hope my blog helps you to have fun extracting your Win32 apps.
Did you already have the chance to read my previous blog about the feature Azure AD Staged Rollout?
Hello, I just have a quick question: I followed the steps carefully, but when I run the .ps1 file in an admin PowerShell session to generate the URL, key and IV, it didn’t return anything like what you are showing in your screenshot.
I opened and reviewed the script, and it somehow tries to get this “<![LOG[Get content info from service,ret = {" in the "Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log"; however, when I tried to search for this in that log, it’s not there!
Can you tell me if I'm missing anything from what I'm doing?
Thank you!
Hi Mark,
This sounds familiar. In this case, your device has already overwritten the IntuneManagementExtension.log. This means the application was already installed; that’s why the log file doesn’t show you the URL and key. Do you perhaps have the possibility to enroll a new device? If not, you can delete the application (so the required app will be installed again on the client). The URL must appear in the log file if the application has been installed.
Good luck!
Hi Bilal
I’m running the PowerShell script but getting the following; any ideas mate?
Is it same as the above question that has been posted by Mark?
PS C:\Decoder> .\Get-DecryptInfoFromSideCarLogFiles.ps1
ConvertFrom-Json : Invalid object passed in, ‘:’ or ‘}’ expected. (2): {}
At C:\Decoder\Get-DecryptInfoFromSideCarLogFiles.ps1:36 char:53
+ $reply = “{$($_.ToString().TrimStart())}” | ConvertFrom-Json
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [ConvertFrom-Json], ArgumentException
+ FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand
Cheers
Hi Liam,
Thanks for reaching out! This isn’t the same error that Mark received.
I have just tested the script on my client, and it seems that Microsoft has made some changes.
We can’t get the relevant information through the log files anymore. I will update the blog as soon as there is a solution.
Yeah I thought so… Cool mate I’ll look out for any updates on your blog
I just updated the blog post. You should be good to go again! Good luck!
Love your work by the way
I noticed the same thing. It also appears that the wintunewin.bin file downloaded directly from Intune might also be fully encrypted and not a zip file with encrypted contents.
I just updated the blog post. You should be good to go again! Good luck!
The executable on your github contains the Tesla trojan
Just FYI… extractwin32.exe seems to trigger CrowdStrike AV
The ps script worked great though.
Just downloaded and extracted your zip and default defender AV quarantined the EXE – why is there an exe to run a powershell script?? The reported malware was: TrojanDownloader:MSIL/AgentTesla.JZR!MTB
Thanks, Tom for reaching out. I am aware of this warning, and you are downloading the PowerShell and executable file. The possible reason for this is that the application changes the SYSTEM rights to deny for a short time period. I am working on a solution and will update the files as soon as it’s fixed.
The files are updated. You shouldn’t be warned now. Make sure to unblock the application within Windows before running.
Hi Bilal, I followed your steps but the app installed correctly rather than failing and the two directories you reference were both empty. This is a powershell script packaged as a win32 app in Intune. I am trying to recover the script from Intune. Any ideas if this is possible? Thanks
Can you monitor whether this folder (C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging) gets filled with the installation files when the installation of this particular Win32 app starts? That’s what the script does: it freezes the SYSTEM account so it won’t be able to delete the installation files.