word-wrap

Table of contents:

IExpress can run in one of three modes:

1. Extract files and run an installation command. This is an “installer-builder” mode, similar to 7-Zip’s 7zS.sfx module or WinRAR’s SFX “temporary mode”.
2. Extract files only. This prompts a user for a destination directory, similar to 7-Zip’s 7z.sfx or 7zCon.sfx modules.
3. Create compressed files only (ActiveX Installs). A .cab file maker front-end. [I have no idea why it mentions “ActiveX Installs”, but I will find out.]

I am primarily interested in the first mode.

The IExpress output package executable has the same architecture as the version of iexpress.exe you run (ie, x86 or x64). On an x64 machine, by default, that will produce an x64-only IExpress package. When this package is executed on an x86 machine, it will fail, and display a nasty message about the file being incompatible.

You can avoid this by generating an x86 package. Execute the iexpress.exe which is in SySWOW64, eg:

C:\ixptest>%SystemRoot%\SysWOW64\iexpress.exe /n test.sed

Even if your installation requires x64, you can still display a friendlier error message to x86 users during the install process, perhaps in your installation script.

When executing a batch file, be sure to run it using cmd /c explicitly:

If you don’t do this, it will be run via command.com – yes, the 16-bit one! Depending on your system, one of the following will happen:

1. On systems that have a working NTVDM, you’ll really get a 16-bit “DOS” experience.
2. On x64 systems, your batch file will not execute at all. (wextract will say: “Error creating process <Command.com /c C:\Users\...\Temp\IXP000.TMP\file.bat>.”)

If you decide to specify the full path, I suggest you use C:\Windows\System32\cmd.exe /c. If the IExpress package is x86 (as recommended), the call to cmd.exe will be redirected to SysWOW64 on x64 machines.

At the Package Name and Options screen, you are given the option Store files using Long File Name inside Package:

Always select this option! What filesystem are you using nowadays that doesn’t support more that 8.3 filenames?! :-)

iexpress.exe appears to use the location of your SED file for its temporary files. To inspect the intermediate results, I applied a deny ACE to this directory:

C:\>icacls C:\ixptest /deny user:(OI)(DE,DC)
processed file: C:\ixptest
Successfully processed 1 files; Failed processing 0 files

That icacls command explained:

• Replace user with your username.
• The (OI) means object inherit, which indicates that the ACE should apply to files in the same directory.
• The (DE,DC) means delete, delete child, respectively.

When you’re done, use the following command to undo that:

C:\>icacls C:\ixptest /remove:d user

In the investigation below, I use the following SED file, which was auto-generated by IExpress:

[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=0
HideExtractAnimation=0
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\ixptest\test.exe
FriendlyName=test
AppLaunched=cmd
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="setup1.exe"
FILE1="setup2.exe"
[SourceFiles]
SourceFiles0=C:\ixptest\foo\
SourceFiles1=C:\ixptest\bar\
[SourceFiles0]
%FILE0%=
[SourceFiles1]
%FILE1%=

The setup?.exe files are just copies of Notepad. Note that they have to have different names, despite coming from different source directories – more on this later.

Essentially this extracts the files to a temporary directory, then runs cmd.exe and waits.

Using procmon, one can see exactly the process that IExpress uses. Start Process Monitor, then run IExpress:

C:\ixptest>%SystemRoot%\SysWOW64\iexpress /n test.sed

The result, according to Process Monitor:

1. iexpress.exe creates a file C:\ixptest\~test.DDF with instructions for makecab.exe.
2. iexpress.exe launches makecab.exe /f "C:\ixptest\~test.DDF"
3. makecab.exe reads the DDF file and creates three files: ~test.CAB, ~test_LAYOUT.INF and ~test.RPT.
   • During this process, makecab creates a series of files in %temp%, with names like cab_pid_N and inf_pid_N, where pid is the process ID of makecab, and N is a sequential integer.
   • It also creates some zero-byte files C:\ixptest\CABnnnnn.TMP, eg CAB00356.TMP, where nnnnn is a right-padded number beginning with the process ID of makecab.
4. iexpress.exe reads the RPT file, and deletes the DDF, INF and RPT files (without having examined the INF file).
5. iexpress.exe copies wextract.exe into C:\ixptest\test.exe.
6. iexpress.exe merges test.exe and ~test.CAB into a new, temporary file C:\ixptest\RCX441A.tmp.
   • During this process, it seems some of the executable part (ie the “wextract portions”) of the temp file are modified, possibly to adjust for things like the new executable length.
7. Finally, iexpress.exe renames RCX441A.tmp to C:\ixptest\test.exe, overwriting it. It deletes the ~test.CAB file.

7-Zip has this to say about the generated ~test.CAB file:

C:\ixptest>set path=%path%;C:\Program Files\7-Zip

C:\ixptest>7z l "~test.CAB"

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18

Listing archive: ~test.CAB

--
Path = ~test.CAB
Type = Cab
Method = LZX
Blocks = 1
Volumes = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2015-01-20 04:52:54 ....A       215040               setup1.exe
2015-01-20 04:52:54 ....A       215040               setup2.exe
------------------- ----- ------------ ------------  ------------------------
                                430080       146334  2 files, 0 folders

No surprises here – a standard CAB file. Notice, though, that it has no “subdirectories”.

;Auto-generated Diamond Directive File. Can be deleted without harm.
.Set CabinetNameTemplate=C:\ixptest\~test.CAB
.Set CompressionType=LZX
.Set CompressionLevel=7
.Set InfFileName=C:\ixptest\~test_LAYOUT.INF
.Set RptFileName=C:\ixptest\~test.RPT
.Set MaxDiskSize=CDROM
.Set ReservePerCabinetSize=0
.Set InfCabinetLineFormat=*cab#*=Application Source Media,*cabfile*,0
.Set Compress=on
.Set CompressionMemory=21
.Set DiskDirectoryTemplate=
.Set Cabinet=ON
.Set MaxCabinetSize=999999999
.Set InfDiskHeader=
.Set InfDiskLineFormat=
.Set InfCabinetHeader=[SourceDisksNames]
.Set InfFileHeader=
.Set InfFileHeader1=[SourceDisksFiles]
.Set InfFileLineFormat=*file*=*cab#*,,*size*,*csum*
"C:\ixptest\foo\setup1.exe"
"C:\ixptest\bar\setup2.exe"

This file is used by makecab.exe. Its directives are documented elsewhere [1][2], so I won’t go into much detail. Suffice it to say that this file generates a ‘plain’ CAB file.

Interestingly, you can see the “shell” of this file in the .text section of iexpress.exe:

.Set CabinetNameTemplate=%s

Note the %s C-style (printf) substitution there.

;*** BEGIN **********************************************************
;**                                                                **
;** Automatically generated on: Mon Sep 07 22:01:32 2015           **
;**                                                                **
;** MakeCAB Version: 10.0.9800.0                                 **
;**                                                                **
;*** BEGIN **********************************************************


[SourceDisksNames]
1=Application Source Media,C:\ixptest\~test.CAB,0

[SourceDisksFiles]
setup1.exe=1,,215040,c1fe9638
setup2.exe=1,,215040,c1fe9638
;*** END ************************************************************
;**                                                                **
;** Automatically generated on: Mon Sep 07 22:01:32 2015           **
;**                                                                **
;*** END ************************************************************

According to [2] (emphasis in original):

The key feature of MakeCAB is that it takes a set of files and produces a disk layout while at the same time attempting to minimize the number of disks required.

This hearkens back to the days when products were shipped on floppy diskettes. Remember Windows 95 (13 disks), Windows NT 3.1 (22 disks), or Windows 98 (38 disks!)?

MakeCAB Report: Mon Sep 07 22:01:32 2015

Total files:              2
Bytes before:       430,080
Bytes after:        146,124
After/Before:            33.98% compression
Time:                     0.30 seconds ( 0 hr  0 min  0.30 sec)
Throughput:            1414.14 Kb/second

Fairly self-explanatory – just a summary report.

7-Zip shows us how wextract.exe was modified when forming test.exe:

C:\ixptest>7z l test.exe

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18

Listing archive: test.exe

--
Path = test.exe
Type = PE
CPU = x86
Characteristics = Executable 32-bit
	[...snip...]
----
Path = .rsrc\RCDATA\CABINET
Size = 146334
Packed Size = 146334
--
Path = .rsrc\RCDATA\CABINET
Type = Cab
Method = LZX
Blocks = 1
Volumes = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2015-01-20 04:52:54 ....A       215040               setup1.exe
2015-01-20 04:52:54 ....A       215040               setup2.exe
------------------- ----- ------------ ------------  ------------------------
                                430080       301056  2 files, 0 folders

Looks like the CAB was actually added as an RCDATA resource named CABINET. Neat!

That’s a somewhat different approach than 7-Zip’s 7zS.sfx, in which one simply gloms the installer config file and 7z archive onto the end of the executable.

Here is what the environment looks like during the execution of the install program:

Microsoft Windows [Version 10.0.9926]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\user\AppData\Local\Temp\IXP000.TMP>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\user\AppData\Roaming
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=WIN-1F6OEAJ3U9Q
ComSpec=C:\Windows\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Users\user
LOCALAPPDATA=C:\Users\user\AppData\Local
LOGONSERVER=\\WIN-1F6OEAJ3U9Q
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\7-Zip
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 70 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4601
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\user\AppData\Local\Temp
TMP=C:\Users\user\AppData\Local\Temp
USERDOMAIN=WIN-1F6OEAJ3U9Q
USERDOMAIN_ROAMINGPROFILE=WIN-1F6OEAJ3U9Q
USERNAME=user
USERPROFILE=C:\Users\user
windir=C:\Windows
__COMPAT_LAYER=ElevateCreateProcess WRPMitigation

The current directory is C:\Users\user\AppData\Local\Temp\IXP000.TMP.

Note that the cmd.exe is actually the x86 (32-bit) one, since the x86 version of IExpress generated an x86 executable. If you really need an x64 cmd.exe, you can run %SystemRoot%\Sysnative\cmd.exe from your x86 cmd.

A question that gets asked a lot is, “How can I prevent the IExpress temporary files from being deleted?” or “How can I extract the files to a specific [predetermined] location?”

The problem is that the extracted files from a “type 1” installer package get cleaned up after the install program is finished, and the “type 2” installer prompts the user for the extraction location. My answer on Stack Overflow is a fairly complete response to this.

Essentially, you should create a installer-type package, and include in it a script of some sort (eg, a batch file) that copies the files from the temporary location (eg %temp%\IXP000.TMP) to a more permanent location of your choosing, perhaps something like:

@echo off
xcopy /y * "%ProgramFiles%\MyProgram\"
del /f "%ProgramFiles%\MyProgram\copyfiles.bat"

“Can IExpress-generated cabinets contain subdirectories?” or “How can I preserve my folder structure?”

The short answer is: no. To understand this, it’s useful to know how the CAB file within the package is generated.

As seen above, IExpress generates a DDF file (based on your SED file) which contains a series of directives followed by a list of full pathnames of files to include. But no matter the source location, the files are all placed into the ‘root’ of the CAB file^*, as no destination directives were specified. This also creates a requirement that all files be named uniquely (irrespective of their source location).

If we could somehow intercept the DDF file and modify it before makecab.exe ran, we could add subdirectories by adding new directives. The end of the DDF file could look something like:

[...snip...]
.Set InfFileHeader1=[SourceDisksFiles]
.Set InfFileLineFormat=*file*=*cab#*,,*size*,*csum*
.Set DestinationDir=foo
"C:\ixptest\foo\setup1.exe"
.Set DestinationDir=bar
"C:\ixptest\bar\setup2.exe"

If we run makecab.exe directly on a file like this, we can see the paths in the generated CAB file:

C:\ixptest>7z l "~test.CAB" | find "A"
Listing archive: ~test.CAB
Path = ~test.CAB
   Date      Time    Attr         Size   Compressed  Name
2015-01-20 04:52:54 ....A       215040               foo\setup1.exe
2015-01-20 04:52:54 ....A       215040               bar\setup2.exe

But I don’t really see a convenient way of modifying the DDF file, as it exists for only a few seconds.

You could use the same method as described in Persisting files above: in your install script, move the files to their appropriate subdirectories. Obviously this would get increasingly tedious as the number of files increases.

[* CAB files don’t really have “directories”, per se, but are nevertheless supported by several utilities, including 7-Zip.]

If the files you’re including are already compressed, you might not want to compress them within the CAB archive. To do that, add Compress=0 to your SED file, anywhere in the [Options] section:

[Options]
Compress=0

You can use 7-Zip to check whether it’s compressed. For a ‘typical’ IExpress file, the Method will be LZX:

C:\ixptest>7z l test.exe
[...]
Path = .rsrc\RCDATA\CABINET
Type = Cab
Method = LZX
Blocks = 1
Volumes = 1
[...]

Whereas for an uncompressed CAB, the Method will be None:

C:\ixptest>7z l test.exe
[...]
Path = .rsrc\RCDATA\CABINET
Type = Cab
Method = None
Blocks = 1
Volumes = 1
[...]

[ This SED option causes the Compress directive to be changed in the DDF file to: .Set Compress=0 ]

As the generated package is based on wextract.exe, the Details pane will look something like this:

You can override some of those fields using a custom definition in your SED file. You need to define the VersionInfo option in the [Options] section, then add the new section.

Here is an example that takes the data from notepad.exe:

[Options]
VersionInfo=VersionSection
[VersionSection]
FromFile=C:\Windows\notepad.exe

You can further customize that with additional [VersionSection] options. According to a quick dump of iexpress.exe, the available fields are:

CompanyName
InternalName
OriginalFilename
ProductName
ProductVersion
FileVersion
FileDescription
LegalCopyright

An example:

[Options]
VersionInfo=VersionSection
[VersionSection]
FromFile=C:\Windows\notepad.exe
LegalCopyright=© Fabrikam, Inc. All rights reserved.

Which will look something like:

Ta-da!

Note that this only updates the string version information, not the binary version information. See my answer on Stack Overflow for more details.

It’s been reported that IExpress has “security vulnerabilities”, eg:

• Stefan Kanthak – “privilege escalation for dummies”
• Stefan Kanthak – “yet another (trivial) UAC bypass resp. privilege escalation”

However I’m rather inclined to agree with the (unnamed) Microsoft representative who said:

“I still do not see any security vulnerability here. I can see an escalation of UAC privileges, but as has been documented on numerous occasions, UAC is not considered to be a security boundary, so such an escalation is not considered to be a security vulnerability.”

In any case, let us examine these claims to see how they came about.

Snowpiercer Full Movie Tamilyogi -

Additionally, some websites like Tamilyogi may contain malware or viruses that can harm your device. It’s crucial to take necessary precautions, such as using a VPN and antivirus software, to protect yourself.

The movie features a talented ensemble cast, including Song Kang-ho, Lee Byung-hun, and Maury Sterling. The characters are complex and multi-dimensional, with each one bringing their own unique perspective to the story.

Snowpiercer is a thought-provoking and visually stunning movie that explores themes of class struggle, social inequality, and the human condition. If you’re looking to watch the full movie online, Tamilyogi is a popular option. However, be sure to exercise caution and take necessary precautions to protect yourself.

Snowpiercer is a 2013 South Korean science fiction film directed by Bong Joon-ho. The movie is set in a post-apocalyptic world where an experiment to stop global warming has gone wrong, causing an ice age that has devastated the planet. The story takes place on a train called the Snowpiercer, which is a self-sustaining ecosystem that travels around a frozen post-apocalyptic world. snowpiercer full movie tamilyogi

Whether you choose to watch Snowpiercer on Tamilyogi or a legitimate streaming service, make sure to enjoy the movie responsibly and support the creators

Snowpiercer Full Movie Tamilyogi: A Comprehensive Guide**

Are you a fan of science fiction and dystopian movies? Look no further than Snowpiercer, a thought-provoking film directed by Bong Joon-ho. The movie has gained a significant following worldwide, and if you’re looking to watch it online, you’ve probably come across the term “Tamilyogi.” In this article, we’ll explore what Snowpiercer is all about, its plot, characters, and themes, as well as provide information on how to watch the full movie on Tamilyogi. The characters are complex and multi-dimensional, with each

The movie begins with Curtis and his fellow tail passengers, who are tired of living in poverty and mistreatment. They hatch a plan to overthrow the ruling class and take control of the train. Along the way, they encounter various obstacles, including the train’s security forces and the enigmatic Minister Mason (played by Tilda Swinton).

While Tamilyogi may seem like a convenient option for watching movies online, it’s essential to be aware of the potential risks involved. The website may host copyrighted content without permission, which can be a concern for those who value intellectual property rights.

Whether you’re a fan of science fiction or just looking for a great movie to watch, Snowpiercer is an excellent choice. With its talented ensemble cast, stunning visuals, and thought-provoking themes, it’s a movie that will leave you thinking long after the credits roll. However, be sure to exercise caution and take

Snowpiercer is a movie that will leave you thinking and inspire you to take action. With its powerful themes and stunning visuals, it’s a must-watch for fans of science fiction and dystopian movies.

The train is divided into two main sections: the luxurious and opulent front cars, where the wealthy and powerful reside, and the tail cars, where the poor and oppressed are forced to live in squalid conditions. The movie follows the story of Curtis Everett (played by Chris Evans), a leader of a group of tail passengers who embark on a rebellion against the train’s ruling class.

Snowpiercer is more than just a science fiction movie; it’s a thought-provoking commentary on class struggle, social inequality, and the human condition. The movie explores themes of oppression, rebellion, and the consequences of playing with nature.

The film’s use of a train as a microcosm of society is a brilliant metaphor for the class divisions that exist in our own world. The movie highlights the stark contrast between the haves and have-nots, and the ways in which those in power will stop at nothing to maintain their privilege.

For those looking to watch Snowpiercer online, Tamilyogi is a popular option. Tamilyogi is a website that provides free movie and TV show streaming services, including a wide range of Tamil dubbed movies.

UAC Installer Detection attempts to detect whether an application that isn’t UAC-aware needs elevation.

Having neither the time nor the interest to examine old versions of IExpress (say, anything older than the version bundled with Windows 7), I can’t say what the behaviour of ‘old’ wextract.exe is with regards to UAC.

However, I can see that relatively recent wextract.exe contains a manifest with the following:

  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="asInvoker"
          uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>

According to MSDN, asInvoker means: The application will run with the same permissions as the process that started it. In other words, no UAC elevation will be requested for IExpress-generated packages (by default). Of course, the executable inside the package might itself request elevation.

Now that I’ve explored the two mechanisms in play, I’ll summarize the vulnerability mentioned by Kanthak:

1. Download or create an IExpress package which triggers UAC’s Installer Detection.
   • Probably this requires an old version of IExpress, as new versions of wextract.exe seem to have a manifest that would prevent this.
   • One such file that exists already is CAPICOM-KB931906-v2102.exe. The wextract.exe for that file has a date of 2004-08-03 23:01:37, and an OS Version of 5.1 (ie, Windows XP/2003).
2. Place an executable in the same directory as the IExpress package, and give it the same name as its install program (msiexec.exe in this case).
   • The author supplies a very handy program called sentinel.exe for this purpose (just rename it to, eg, msiexec.exe).
3. Execute the IExpress package. UAC prompts for elevation based on the details of the IExpress package itself; but when you elevate, the ‘fake’ msiexec.exe executes from the same directory, rather than from System32. And it is executing with elevated privileges.

Of course, the user still had to consent to the UAC elevation, so it’s not a ‘bypass’, strictly speaking. Essentially it’s unexpected behaviour – you’re ‘piggybacking’ off of a UAC elevation for a different program.

If you’re concerned that someone might try to hijack your IExpress package for nefarious purposes, you can either:

• Specify the install program to be an executable that you bundled in your install package; or
• Specify the install program by full path to the executable.

Obviously the latter is difficult if you want to maintain good compatibility (eg, Windows not being installed in C:\Windows).

1. Makecab Directive File syntax
2. Microsoft MakeCAB User’s Guide

---

Feel free to contact me with any questions, comments, or feedback.