IExpress notes

IExpress (iexpress.exe) is a useful Microsoft tool for creating self-extracting executables and SFX installers. It has been bundled with Windows since at least XP, and was available before that as part of the Internet Explorer Administration Kit.

I have attempted to answer many StackOverflow questions relating to IExpress. But after going away from it and coming back, I found I couldn’t remember many things. This is an attempt to document all that I know of this useful, yet limited, tool.

This document will not explain basic usage; it’s meant to keep track of important notes, and to explore the technical workings of IExpress and related utilities (eg makecab.exe).

Table of contents:

Modes of operation

IExpress can run in one of three modes:
  1. Extract files and run an installation command. This is an “installer-builder” mode, similar to 7-Zip’s 7zS.sfx module or WinRAR’s SFX “temporary mode”.
  2. Extract files only. This prompts a user for a destination directory, similar to 7-Zip’s 7z.sfx or 7zCon.sfx modules.
  3. Create compressed files only (ActiveX Installs). A .cab file maker front-end. [I have no idea why it mentions “ActiveX Installs”, but I will find out.]
I am primarily interested in the first mode.

Installer packages (“type 1”)

General tips for IExpress installer packages

Use the x86 version of iexpress.exe

The IExpress output package executable has the same architecture as the version of iexpress.exe you run (ie, x86 or x64). On an x64 machine, by default, that will produce an x64-only IExpress package. When this package is executed on an x86 machine, it will fail, and display a nasty message about the file being incompatible.

You can avoid this by generating an x86 package. Execute the iexpress.exe which is in SySWOW64, eg:

C:\ixptest>%SystemRoot%\SysWOW64\iexpress.exe /n test.sed
Even if your installation requires x64, you can still display a friendlier error message to x86 users during the install process, perhaps in your installation script.

Specify cmd.exe for batch files

When executing a batch file, be sure to run it using cmd /c explicitly:

IExpress Wizard: Install Program to Launch

If you don’t do this, it will be run via command.com – yes, the 16-bit one! Depending on your system, one of the following will happen:
  1. On systems that have a working NTVDM, you’ll really get a 16-bit “DOS” experience.
  2. On x64 systems, your batch file will not execute at all. (wextract will say: “Error creating process <Command.com /c C:\Users\...\Temp\IXP000.TMP\file.bat>.”)

If you decide to specify the full path, I suggest you use C:\Windows\System32\cmd.exe /c. If the IExpress package is x86 (as recommended), the call to cmd.exe will be redirected to SysWOW64 on x64 machines.

Always use long filenames

At the Package Name and Options screen, you are given the option Store files using Long File Name inside Package:

IExpress Wizard: Package Name and Options

Always select this option! What filesystem are you using nowadays that doesn’t support more that 8.3 filenames?! :-)

A technical look at the IExpress process

Preventing intermediate file deletion

iexpress.exe appears to use the location of your SED file for its temporary files. To inspect the intermediate results, I applied a deny ACE to this directory:
C:\>icacls C:\ixptest /deny user:(OI)(DE,DC)
processed file: C:\ixptest
Successfully processed 1 files; Failed processing 0 files
That icacls command explained: When you’re done, use the following command to undo that:
C:\>icacls C:\ixptest /remove:d user

An example SED file

In the investigation below, I use the following SED file, which was auto-generated by IExpress:
[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=0
HideExtractAnimation=0
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\ixptest\test.exe
FriendlyName=test
AppLaunched=cmd
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="setup1.exe"
FILE1="setup2.exe"
[SourceFiles]
SourceFiles0=C:\ixptest\foo\
SourceFiles1=C:\ixptest\bar\
[SourceFiles0]
%FILE0%=
[SourceFiles1]
%FILE1%=

The setup?.exe files are just copies of Notepad. Note that they have to have different names, despite coming from different source directories – more on this later.

Essentially this extracts the files to a temporary directory, then runs cmd.exe and waits.

The IExpress build process

Using procmon, one can see exactly the process that IExpress uses. Start Process Monitor, then run IExpress:
C:\ixptest>%SystemRoot%\SysWOW64\iexpress /n test.sed
The result, according to Process Monitor:
  1. iexpress.exe creates a file C:\ixptest\~test.DDF with instructions for makecab.exe.
  2. iexpress.exe launches makecab.exe /f "C:\ixptest\~test.DDF"
  3. makecab.exe reads the DDF file and creates three files: ~test.CAB, ~test_LAYOUT.INF and ~test.RPT.
    • During this process, makecab creates a series of files in %temp%, with names like cab_pid_N and inf_pid_N, where pid is the process ID of makecab, and N is a sequential integer.
    • It also creates some zero-byte files C:\ixptest\CABnnnnn.TMP, eg CAB00356.TMP, where nnnnn is a right-padded number beginning with the process ID of makecab.
  4. iexpress.exe reads the RPT file, and deletes the DDF, INF and RPT files (without having examined the INF file).
  5. iexpress.exe copies wextract.exe into C:\ixptest\test.exe.
  6. iexpress.exe merges test.exe and ~test.CAB into a new, temporary file C:\ixptest\RCX441A.tmp.
    • During this process, it seems some of the executable part (ie the “wextract portions”) of the temp file are modified, possibly to adjust for things like the new executable length.
  7. Finally, iexpress.exe renames RCX441A.tmp to C:\ixptest\test.exe, overwriting it. It deletes the ~test.CAB file.

The CAB file

7-Zip has this to say about the generated ~test.CAB file:
C:\ixptest>set path=%path%;C:\Program Files\7-Zip

C:\ixptest>7z l "~test.CAB"

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18

Listing archive: ~test.CAB

--
Path = ~test.CAB
Type = Cab
Method = LZX
Blocks = 1
Volumes = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2015-01-20 04:52:54 ....A       215040               setup1.exe
2015-01-20 04:52:54 ....A       215040               setup2.exe
------------------- ----- ------------ ------------  ------------------------
                                430080       146334  2 files, 0 folders

No surprises here – a standard CAB file. Notice, though, that it has no “subdirectories“.

The DDF file

;Auto-generated Diamond Directive File. Can be deleted without harm.
.Set CabinetNameTemplate=C:\ixptest\~test.CAB
.Set CompressionType=LZX
.Set CompressionLevel=7
.Set InfFileName=C:\ixptest\~test_LAYOUT.INF
.Set RptFileName=C:\ixptest\~test.RPT
.Set MaxDiskSize=CDROM
.Set ReservePerCabinetSize=0
.Set InfCabinetLineFormat=*cab#*=Application Source Media,*cabfile*,0
.Set Compress=on
.Set CompressionMemory=21
.Set DiskDirectoryTemplate=
.Set Cabinet=ON
.Set MaxCabinetSize=999999999
.Set InfDiskHeader=
.Set InfDiskLineFormat=
.Set InfCabinetHeader=[SourceDisksNames]
.Set InfFileHeader=
.Set InfFileHeader1=[SourceDisksFiles]
.Set InfFileLineFormat=*file*=*cab#*,,*size*,*csum*
"C:\ixptest\foo\setup1.exe"
"C:\ixptest\bar\setup2.exe"

This file is used by makecab.exe. Its directives are documented elsewhere [1][2], so I won’t go into much detail. Suffice it to say that this file generates a ‘plain’ CAB file.

Interestingly, you can see the “shell” of this file in the .text section of iexpress.exe:

.Set CabinetNameTemplate=%s

Note the %s C-style (printf) substitution there.

The INF file

;*** BEGIN **********************************************************
;**                                                                **
;** Automatically generated on: Mon Sep 07 22:01:32 2015           **
;**                                                                **
;** MakeCAB Version: 10.0.9800.0                                 **
;**                                                                **
;*** BEGIN **********************************************************


[SourceDisksNames]
1=Application Source Media,C:\ixptest\~test.CAB,0

[SourceDisksFiles]
setup1.exe=1,,215040,c1fe9638
setup2.exe=1,,215040,c1fe9638
;*** END ************************************************************
;**                                                                **
;** Automatically generated on: Mon Sep 07 22:01:32 2015           **
;**                                                                **
;*** END ************************************************************
According to [2] (emphasis in original):

The key feature of MakeCAB is that it takes a set of files and produces a disk layout while at the same time attempting to minimize the number of disks required.

This hearkens back to the days when products were shipped on floppy diskettes. Remember Windows 95 (13 disks), Windows NT 3.1 (22 disks), or Windows 98 (38 disks!)?

The RPT file

MakeCAB Report: Mon Sep 07 22:01:32 2015

Total files:              2
Bytes before:       430,080
Bytes after:        146,124
After/Before:            33.98% compression
Time:                     0.30 seconds ( 0 hr  0 min  0.30 sec)
Throughput:            1414.14 Kb/second
Fairly self-explanatory – just a summary report.

The EXE file

7-Zip shows us how wextract.exe was modified when forming test.exe:
C:\ixptest>7z l test.exe

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18

Listing archive: test.exe

--
Path = test.exe
Type = PE
CPU = x86
Characteristics = Executable 32-bit
	[...snip...]
----
Path = .rsrc\RCDATA\CABINET
Size = 146334
Packed Size = 146334
--
Path = .rsrc\RCDATA\CABINET
Type = Cab
Method = LZX
Blocks = 1
Volumes = 1

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2015-01-20 04:52:54 ....A       215040               setup1.exe
2015-01-20 04:52:54 ....A       215040               setup2.exe
------------------- ----- ------------ ------------  ------------------------
                                430080       301056  2 files, 0 folders

Looks like the CAB was actually added as an RCDATA resource named CABINET. Neat!

That’s a somewhat different approach than 7-Zip’s 7zS.sfx, in which one simply gloms the installer config file and 7z archive onto the end of the executable.

The install program environment

Here is what the environment looks like during the execution of the install program:
Microsoft Windows [Version 10.0.9926]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\Users\user\AppData\Local\Temp\IXP000.TMP>set
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\user\AppData\Roaming
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=WIN-1F6OEAJ3U9Q
ComSpec=C:\Windows\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Users\user
LOCALAPPDATA=C:\Users\user\AppData\Local
LOGONSERVER=\\WIN-1F6OEAJ3U9Q
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\7-Zip
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 70 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=4601
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\user\AppData\Local\Temp
TMP=C:\Users\user\AppData\Local\Temp
USERDOMAIN=WIN-1F6OEAJ3U9Q
USERDOMAIN_ROAMINGPROFILE=WIN-1F6OEAJ3U9Q
USERNAME=user
USERPROFILE=C:\Users\user
windir=C:\Windows
__COMPAT_LAYER=ElevateCreateProcess WRPMitigation

The current directory is C:\Users\user\AppData\Local\Temp\IXP000.TMP.

Note that the cmd.exe is actually the x86 (32-bit) one, since the x86 version of IExpress generated an x86 executable. If you really need an x64 cmd.exe, you can run %SystemRoot%\Sysnative\cmd.exe from your x86 cmd.

Quick tasks

Persisting files

A question that gets asked a lot is, “How can I prevent the IExpress temporary files from being deleted?” or “How can I extract the files to a specific [predetermined] location?”

The problem is that the extracted files from a “type 1” installer package get cleaned up after the install program is finished, and the “type 2” installer prompts the user for the extraction location. My answer on Stack Overflow is a fairly complete response to this.

Essentially, you should create a installer-type package, and include in it a script of some sort (eg, a batch file) that copies the files from the temporary location (eg %temp%\IXP000.TMP) to a more permanent location of your choosing, perhaps something like:

@echo off
xcopy /y * "%ProgramFiles%\MyProgram\"
del /f "%ProgramFiles%\MyProgram\copyfiles.bat"

Subdirectories

“Can IExpress-generated cabinets contain subdirectories?” or “How can I preserve my folder structure?”

The short answer is: no. To understand this, it’s useful to know how the CAB file within the package is generated.

As seen above, IExpress generates a DDF file (based on your SED file) which contains a series of directives followed by a list of full pathnames of files to include. But no matter the source location, the files are all placed into the ‘root’ of the CAB file*, as no destination directives were specified. This also creates a requirement that all files be named uniquely (irrespective of their source location).

If we could somehow intercept the DDF file and modify it before makecab.exe ran, we could add subdirectories by adding new directives. The end of the DDF file could look something like:

[...snip...]
.Set InfFileHeader1=[SourceDisksFiles]
.Set InfFileLineFormat=*file*=*cab#*,,*size*,*csum*
.Set DestinationDir=foo
"C:\ixptest\foo\setup1.exe"
.Set DestinationDir=bar
"C:\ixptest\bar\setup2.exe"

If we run makecab.exe directly on a file like this, we can see the paths in the generated CAB file:

C:\ixptest>7z l "~test.CAB" | find "A"
Listing archive: ~test.CAB
Path = ~test.CAB
   Date      Time    Attr         Size   Compressed  Name
2015-01-20 04:52:54 ....A       215040               foo\setup1.exe
2015-01-20 04:52:54 ....A       215040               bar\setup2.exe

But I don’t really see a convenient way of modifying the DDF file, as it exists for only a few seconds.

You could use the same method as described in Persisting files above: in your install script, move the files to their appropriate subdirectories. Obviously this would get increasingly tedious as the number of files increases.

[* CAB files don’t really have “directories”, per se, but are nevertheless supported by several utilities, including 7-Zip.]

Disabling compression

If the files you’re including are already compressed, you might not want to compress them within the CAB archive. To do that, add Compress=0 to your SED file, anywhere in the [Options] section:

[Options]
Compress=0

You can use 7-Zip to check whether it’s compressed. For a ‘typical’ IExpress file, the Method will be LZX:

C:\ixptest>7z l test.exe
[...]
Path = .rsrc\RCDATA\CABINET
Type = Cab
Method = LZX
Blocks = 1
Volumes = 1
[...]

Whereas for an uncompressed CAB, the Method will be None:

C:\ixptest>7z l test.exe
[...]
Path = .rsrc\RCDATA\CABINET
Type = Cab
Method = None
Blocks = 1
Volumes = 1
[...]

[ This SED option causes the Compress directive to be changed in the DDF file to: .Set Compress=0 ]

Overriding file version details

As the generated package is based on wextract.exe, the Details pane will look something like this:

test Properties

You can override some of those fields using a custom definition in your SED file. You need to define the VersionInfo option in the [Options] section, then add the new section.

Here is an example that takes the data from notepad.exe:

[Options]
VersionInfo=VersionSection
[VersionSection]
FromFile=C:\Windows\notepad.exe

You can further customize that with additional [VersionSection] options. According to a quick dump of iexpress.exe, the available fields are:

CompanyName
InternalName
OriginalFilename
ProductName
ProductVersion
FileVersion
FileDescription
LegalCopyright

An example:

[Options]
VersionInfo=VersionSection
[VersionSection]
FromFile=C:\Windows\notepad.exe
LegalCopyright=© Fabrikam, Inc. All rights reserved.

Which will look something like:

test Properties

Ta-da!

Note that this only updates the string version information, not the binary version information. See my answer on Stack Overflow for more details.

Security considerations

It’s been reported that IExpress has “security vulnerabilities”, eg:

However I’m rather inclined to agree with the (unnamed) Microsoft representative who said:

“I still do not see any security vulnerability here. I can see an escalation of UAC privileges, but as has been documented on numerous occasions, UAC is not considered to be a security boundary, so such an escalation is not considered to be a security vulnerability.”
In any case, let us examine these claims to see how they came about.

Install program launch behaviour

Looking at the imports for wextract.exe, one can see: CreateProcessA. [Interesting that wextract.exe uses ANSI functions! Must be legacy behaviour dating back to earlier Windows days (95?).] Since I don’t see ShellExecute, I conclude that IExpress install packages use CreateProcess to launch the install program.

According to its MSDN article, if a full path is not specified, CreateProcess uses the following order when searching for the executable:

  1. The directory from which the application [ie, the IExpress package] loaded.
  2. The current [ie, working] directory for the parent process [eg, %temp%\IXP000.TMP].
  3. The 32-bit Windows system directory [ie, %SystemRoot%\System32 or %SystemRoot\SysWOW64 (if redirected)].
  4. […a number of other Windows directories…]
  5. %path%

But before CreateProcess occurs, wextract also checks if the install program you specified was a file in the CAB archive and executes it preferentially.

Here is the full behaviour, in order:

The risk is that, if the CreateProcess search happens, it will prefer to execute your install program from the same directory as your IExpress package executable, ie not from %temp%\IXP000.TMP. That is because of the search order of CreateProcess.

In other words, if you knew that an IExpress package was configured to launch, eg, msiexec /qb /i capcom2.msi, you could drop your own msiexec.exe into the same directory; when you execute the IExpress package, the msiexec.exe you dropped would be executed instead of the one from %SystemRoot%\System32. Had you instead specified C:\Windows\System32\msiexec.exe, that would not be the case. (Unfortunately, environment variables can’t be used directly.)

Here is a procmon screenshot showing the search for foo (which exists nowhere):

procmon - CreateProcess search

The first entry is wextract checking for an exact match within %temp%\IXP000.TMP; after that, it’s the CreateProcess search (which is ultimately unsuccessful in this case).

IExpress and UAC Installer Detection

UAC Installer Detection attempts to detect whether an application that isn’t UAC-aware needs elevation.

Having neither the time nor the interest to examine old versions of IExpress (say, anything older than the version bundled with Windows 7), I can’t say what the behaviour of ‘old’ wextract.exe is with regards to UAC.

However, I can see that relatively recent wextract.exe contains a manifest with the following:

  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel
          level="asInvoker"
          uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>

According to MSDN, asInvoker means: The application will run with the same permissions as the process that started it. In other words, no UAC elevation will be requested for IExpress-generated packages (by default). Of course, the executable inside the package might itself request elevation.

Stefan Kanthak’s IExpress vulnerability

Now that I’ve explored the two mechanisms in play, I’ll summarize the vulnerability mentioned by Kanthak:

  1. Download or create an IExpress package which triggers UAC’s Installer Detection.
    • Probably this requires an old version of IExpress, as new versions of wextract.exe seem to have a manifest that would prevent this.
    • One such file that exists already is CAPICOM-KB931906-v2102.exe. The wextract.exe for that file has a date of 2004-08-03 23:01:37, and an OS Version of 5.1 (ie, Windows XP/2003).
  2. Place an executable in the same directory as the IExpress package, and give it the same name as its install program (msiexec.exe in this case).
    • The author supplies a very handy program called sentinel.exe for this purpose (just rename it to, eg, msiexec.exe).
  3. Execute the IExpress package. UAC prompts for elevation based on the details of the IExpress package itself; but when you elevate, the ‘fake’ msiexec.exe executes from the same directory, rather than from System32. And it is executing with elevated privileges.

Of course, the user still had to consent to the UAC elevation, so it’s not a ‘bypass’, strictly speaking. Essentially it’s unexpected behaviour – you’re ‘piggybacking’ off of a UAC elevation for a different program.

The upshot

If you’re concerned that someone might try to hijack your IExpress package for nefarious purposes, you can either:

Obviously the latter is difficult if you want to maintain good compatibility (eg, Windows not being installed in C:\Windows).

Using a setup INF file

Extract-only packages (“type 2”)

Command-line switches

CAB making using IExpress (“type 3”)

References

  1. Makecab Directive File syntax
  2. Microsoft MakeCAB User’s Guide