Standard metadata and installation practices involved in application & OS-updates on Windows computers. Other operating systems have similar but different metadata and practices.
Overview of categories of SW installers supported by Windows:
| Category | Installation process | Installer metadata | Detection and uninstallation |
|---|---|---|---|
| Executable (or script) | App-specific (command-line arguments and return codes not standardized) | In general not parseable, since the installer is a black-box that Windows doesn't understand | Standard registry location |
| MSI | Standardized (using msiexec) |
Contains metadata that can be parsed. The installation steps can also be statically analyzed to asses security risk | MSI APIs or standard registry location |
| MSIX | Standardized (using APIs) | Contains metadata that can be parsed. The installation steps can also be statically analyzed to asses security risk | Get-AppxPackage |
Package identifier: ProductCode (128bit unique GUID for MSI), PackageFullName string (for MSIX) or similar. All SW applications that show up in the Windows control panel for uninstallation does have a unique identifier.
The source of truth for installed EXE and MSI apps are the HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{ProductCode} registry folders.
Format: MSI (self-described format with metadata). Primarily designed for application SW, but drivers and system configuration can also be MSI-packaged for unified installation.
Common operations:
| Operation | Description |
|---|---|
| Install | msiexec.exe /i <appname>.msi /qn (background installation) |
| Uninstall | Command in HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{ProductCode}\UninstallString registry key (msiexec /x "{ProductCode}" /qn for MSI apps) |
| Upgrade | msiexec.exe /i <appname>.msi /qn (will automatically uninstall the old version before installing the new version and perform migration steps) |
| Downgrade | Achieved through uninstall followed by install of the old version. |
| Identify ProductCode | Check MsiQuery for code sample. |
| Check if installed | Check MsiQuery for code sample. |
Command-line tool for querying MSI files and installed Windows apps
Usage: MsiQuery.exe [*|<filename.msi>|{ProductCode}|{UpgradeCode}] where * will list all installed products.
The following is listed for each product:
- ProductCode: Unique identifier for a particular product release. Must be changed as part of a major version upgrade but can be kept unchanged for small updates
- UpgradeCode (if present): Product identifier that remain unchanged across major version changes.
- ProductName
- ProductVersion
- Manufacturer
- Product features and feature installation status
The following details are also listed:
- Custom Actions that might affect system state
- Path to installed EXE & DLL files (based on File table query with MsiGetComponentPath lookup) (only for installed apps)
- Added registry entries (can also be created through custom actions)
The DetectInstalledApps.ps1 script can be used to detect installed EXE and MSI applications through a registry scan.
It's possible to use the Get-WmiObject Win32_Product command to list all MSI-installed apps with ProductCode on the system. However, this listing will not include EXE-installed apps without a ProductCode, like 7-zip and Notepad++. It's therefore insufficient if we also want to support non-MSI installers.
The ParseMSI.ps1 script can be used to detect installed MSI applications through the WindowsInstaller COM interfaces.
Sample installer for testing of reboot handling. The installer always returns ERROR_SUCCESS_REBOOT_REQUIRED (3010) to indicate that a reboot is required to complete the install.
Microsoft is recommending to migrate to the newer MSIX installer format. However, it's more restrictive with limitations on inter-app communication. Also, tooling support is lagging behind - at least for Qt (see How to package a Win32 desktop app in MSIX?). Adoption can therefore be challenging.
The MsixQuery tool can be used to detect installed MSIX apps.
MSU files is a separate format used for distribution of Windows OS updates. They are technically archives that contain cabinet (CAB) files with updates together with XML and TXT metadata.
Description of the Windows Update Standalone Installer in Windows.
Get OS version:
PS > Get-WmiObject Win32_OperatingSystem
SystemDirectory : C:\Windows\system32
Organization : <org-name>
BuildNumber : 19044
RegisteredUser : <user>
SerialNumber : <serial>
Version : 10.0.19044
Get list of installed hotfixes (KB's):
PS > Get-HotFix
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
MYMACHINE Update KB5027122 NT AUTHORITY\SYSTEM 2023-06-23 12:00:00 AM
MYMACHINE Update KB5003791 2021-10-06 12:00:00 AM
MYMACHINE Security Update KB5012170 NT AUTHORITY\SYSTEM 2022-12-14 12:00:00 AM
MYMACHINE Security Update KB5028166 NT AUTHORITY\SYSTEM 2023-07-28 12:00:00 AM
MYMACHINE Security Update KB5014032 NT AUTHORITY\SYSTEM 2022-11-11 12:00:00 AM
MYMACHINE Update KB5016705 NT AUTHORITY\SYSTEM 2022-11-11 12:00:00 AM
MYMACHINE Update KB5018506 NT AUTHORITY\SYSTEM 2022-11-21 12:00:00 AM
MYMACHINE Update KB5020372 NT AUTHORITY\SYSTEM 2022-12-21 12:00:00 AM
MYMACHINE Update KB5022924 NT AUTHORITY\SYSTEM 2023-03-23 12:00:00 AM
MYMACHINE Update KB5023794 NT AUTHORITY\SYSTEM 2023-04-21 12:00:00 AM
MYMACHINE Update KB5025315 NT AUTHORITY\SYSTEM 2023-05-18 12:00:00 AM
MYMACHINE Update KB5026879 NT AUTHORITY\SYSTEM 2023-06-23 12:00:00 AM
MYMACHINE Update KB5028318 NT AUTHORITY\SYSTEM 2023-07-20 12:00:00 AM
MYMACHINE Security Update KB5005699 2021-10-06 12:00:00 AM
Installers are using the following return-codes to signal installation result:
| Code | Interpretation |
|---|---|
| 0 | Success (installation completed successfully) |
| 1707 | Success (installation completed successfully) |
| 3010 | Soft reboot (restart is required to complete the install) |
| 1641 | Hard reboot (installer have initiated a restart) |
| 1618 | Retry (another installation is already in progress) |
| Other values are treated as failure |
The above codes are used by InTune and probably other MDM solutions to detect installation success/failure and retry or restart if needed afterwards. We should therefore do the same.
The codes are documented on MsiExec.exe and InstMsi.exe error messages.
Related tools:
- Orca MSI viewer: Included with Windows 10 SDK. By default installed to
%ProgramFiles(x86)%\Windows Kits\10\bin\<version>\x86\Orca-x86_en-us.msi - msitools for building & inspecing MSI files on Linux/Mac.
Documentation: