Windows Package Manager winget is getting portable application support

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
8,436
" The latest development version of the open source Windows Package Manager winget has preliminary support for portable applications. "
winget windows package manager
The first version of the Windows Package Manager was released in 2020, the first final version followed in 2021. It is a useful program to manage software on Windows 10 and 11 devices.

Some of the supported features include installing multiple programs at once, installing Microsoft Store apps directly without visiting the Store, updating all installed programs at once, or to remove any number of Windows programs and apps.

The developers have uploaded a new preview version of Windows Package Manager, version 1.3.1251. The new version will be released to Windows Insider Dev builds and Windows Package Manager insiders, but anyone else may download the new version and install them on their devices, provided that these run Windows 10 version 1809 or newer (including Windows 11).

The big new feature in the preview version is support for portable apps. Up until now, winget did not support portable programs, only Microsoft Store apps and Win32 applications that needed to be installed; this changes with the preview release and the upcoming next stable version of the package manager for Windows.

The feature is limited to the installation of portable programs in this release. Functions to remove and upgrade portable applications using winget are planned and will be introduced in future builds.

Note: The upgrade and uninstall behaviors have not been implemented. The community repository does not accept portable applications either. Users may test with local manifests but will need to manually clean up entries in Windows Apps & Features if this is used to install a portable application.

The installation of portable programs works exactly as the installation of programs that need to be installed or Windows Store applications.

There is still work to be done, as the developers reveal in the notes published on the release page. Community repos do not accept portable apps at this point, and anyone interested in getting these to work in the released version need to use local manifests to do so.
 

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
8,436
The Windows Package Manager team has been busy working on WinGet 1.4. This release introduces support for .zip-based packages. WinGet can now extract and run an installer inside of a .zip archive or install one or more portable packages from an archive.
The WinGet open-source community has also been busy adding new features like command aliases to help with muscle memory if you use more than one package manager, and a wait argument to keep winget.exe open long enough to see what’s happening if it’s called from other applications.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
Winget is not especially dangerous for experienced users, but when used with phishing, it can be still dangerous for many users. The Windows built-in mechanism that validates the packaged applications can be abused, so the package can have a proper Microsoft Store certificate and contain malicious code. The trick used by the attacker is related to the user's belief that applications signed by Microsoft Store are benign. This is true (almost always) when the application is installed from Microsoft Store, but untrue when the packaged app is downloaded from 3rd party repository.
 
Last edited:

Andrezj

Level 6
Nov 21, 2022
278
Winget is not especially dangerous for experienced users, but when used with phishing, it can be still dangerous for many users. The Windows built-in mechanism that validates the packaged applications can be abused, so the package can have a proper Microsoft Store certificate and contain malicious code. The trick used by the attacker is related to the user's belief that applications signed by Microsoft Store are benign. This is true (almost always) when the application is installed from Microsoft Store, but untrue when the packaged app is downloaded from 3rd party repository.
the average user is unaware of the potential dangers of downloading files from non-Microsoft repositories
if the attacker uses an office macro or a webpage to do the downloading then the user will just sit there and spectate
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,386
Please stop to discuss about the potential "risk" to use Winget, no need to post your opinions further in this thread.
If really important to warn about using Winget, then you can starting rather a thread in this section: General Security Discussions
I agree. The short notion about possible risks for home users is enough. Winget is used by administrators like other LOLBins to automate their work via CmdLines or scripts.
There is also Windows Package Manager PowerShell Module available on GitHub:
 

ch4mla

New Member
Jan 26, 2023
8
... I am trying to understand how you can 'install' or 'manage' a portable program with Winget... will it just download the already portable - because Winget will definitely not be acting as some sort of automated portabilizer here...surely.. - app and place it at a corner of your choosing
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top