Written by 10:09 Microsoft Intune • 16 Comments Views: 10,917

Extract Win32 apps (.intunewinfile)


Does it sound familiar if I say that you have created a Win32 app in the past, but you didn’t save the configuration/source files, which means that you can’t modify this particular Win32 app? Don’t worry; at least we both dealt with this scenario. In this blog, I will explain how to extract Win32 apps (.intunewin-file) so you can access the original source files.

To get an overview of the configuration files used to package the Win32 app, follow the instructions below to download and extract the Intunefile.

Update 23-03-2022:
After receiving feedback from the community I've engaged with some community members to find a solution on how to extract Win32 apps. Below you will find the new method. Keep in mind that this method isn't that clean as it was before. Use it only when you really need the package.

Extract Win32 apps

I reached out to Rudy Ooms on LinkedIn to check if there could be a similar way to extract Win32 apps. I have shared some necessary information on how this went in the past and some information regarding MDM certificates. In addition, he wrote a blog post on how this process completely works.

With this said, he started with his research, and we came to the conclusion that the Win32 app that is being downloaded is decrypted and zipped in the C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging folder. After the installation, the files get deleted immediately by the SYSTEM account. We have now published a script and executable on how to temporarily deny the SYSTEM account, deleting this zipped file with source files. You can download the script from my GitHub repo.

Step 1: Download the script or executable

Step 2: Run the executable as an Administrator

Step 3: You will receive a pop-up that warns you that the SYSTEM account permissions will be denied on the IMECACHE folder when pressing OK. At this point, click on OK.

Deny SYSTEM account

Step 4: We will now receive a pop-up that asks us to open the Company Portal and install the desired app. At this stage, do not click on OK or cancel until you have installed the application. It should give you the status “Failed to install” in the company portal (since it does not have the correct permissions). Now click on OK. At this point, you can browse to the C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Staging folder and see the app ID with the source files. Do not copy this file yet.
Note: If you have clicked on Cancel, it will restore the SYSTEM permissions.

Open the Company Portal and install the app.

Step 5: Now that we have seen the source files, we want to copy these. Click on OK. The C:\Install\Intune folder should pop up with the (zipped) source files.

Source files zipped

Step 6: After the folder pops up, click on OK to restore the permissions.

Restore SYSTEM permissions

If you want to install the appropriate application, you can click on Retry in the Company Portal app to download and install it. When you want to download the source files from an application that’s already installed, simply remove the application and follow Step 1.

Update 03-03-2022:
Unfortunately, we can’t get the relevant information through the log files anymore. I will update the blog as soon as there is a solution. You can still extract your Win32 file if you have the .intunewinfile

The old method of unpacking and decrypting a Win32 file.

First, I would like to give my kudos to Oliver Kieselbach for making this script and executable available. The PowerShell script that we are using will read the most recent Intune Management Log file, which is saved under the location C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log. Within this log file, we have all the necessary information to download and decrypt the Intunefile. This log file contains the URL that allows us to download the Intunefile as a .bin file. Keep in mind that you still need to follow the below steps to extract Win32 apps after downloading this file. This script doesn’t have to be run if you already have the Intunefile stored on your client.

* Decrypting is only needed when the .intunewin-file is downloaded directly from the tenant.

ItuneManagementExtension location
ItuneManagementExtension logfile

How to extract your Win32 apps?

If you don’t have the Intunefile available on your client anymore, make sure to have a compliant and enrolled device available where the Win32 app that you are trying to extract is installed. This is a requirement to download the Win32 app directly from your tenant. The steps for downloading the app are explained in step 1 till step 4. If you already have the Intunefile available, proceed to step 5.

Step 1: Download the most recent version of the PowerShell script that gathers all the information for our Intunefile. The script can be downloaded from here.

Step 2: As soon as you have downloaded the script, start PowerShell as an administrator and browse to the location where the PowerShell script is stored. In my case, it is stored under “C:\Script\Decoder.”

Step 3: Execute the PowerShell script to get an overview of the installed apps on the client. Make sure that the app is deployed on the client to get the Win32 app available in this overview.

PS C:\Script\Decoder> .\Get-DecryptInfoFromSideCarLogFiles.ps1
Output when running command to gather Win32 Apps URLs
The above screenshot demonstrates the output when running the above command.

Step 4: Copy the yellow marked URL to your browser session and download the .bin extension file.

If you don’t know which of the URLs contains your application, I would suggest you download all the files and extract them locally.

Step 5: Now that we have the Intunefile, we need to extract it. This can be done with the program IntuneWinAppUtilDecoder.

Step 6: Paste the downloaded IntuneWinAppUtilDecoder.exe file into the same location where the PowerShell script was saved. In my case, this is “C:\Script\Decoder” again.

Step 7: Depending on if your Intunefile was just downloaded or you already had the Intunefile available, you should run one of the three below commands to extract the Win32 app. If you just downloaded your Intunefile from your tenant, remove the .bin extension and run the command that says “With keys.” The keys can be found in the output that you received after running Step 3. If you already have your Intunefile, you can use the “Interactive” or “Silent” command to extract your file.
If you didn’t decrypt your intunewinfile, and you try to run the interactive command, you will receive an error “Can not open file (filename) as an archive.”

Interactive: IntuneWinAppUtilDecoder.exe "C:\Temp\MyWin32Package.intunewin"
Silent:      IntuneWinAppUtilDecoder.exe "C:\Temp\MyWin32Package.intunewin" /s
With Keys:   IntuneWinAppUtilDecoder.exe "C:\Temp\EncryptedMyWin32Package.intunewin" /key:AbC= /iv:XyZ==

In my case, I wanted to extract an Intunefile that I just downloaded directly from my tenant, so I ran the following command:

PS C:\Script\Decoder> .\IntuneWinAppUtilDecoder.exe .\12033f08-b323-4e57-96ad-8c0b022f3ac6.intunewin /key:+9jy....Y= /iv:eu/1o....A==

This gave me a new output file with the .decoded extension. Now you can use 7-Zip to open the file.

Output decoded file
Output when running the IntuneWinAppUtilDecoder.exe

I hope my blog helps you to have fun extracting your Win32 apps.

Did you already have the chance to read my previous blog about the feature Azure AD Staged Rollout?

Visited 10,917 times, 8 visit(s) today