Windows Package Manager 'WinGet'

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,074
"The latest development version of the open source Windows Package Manager winget has preliminary support for portable applications."
The first version of the Windows Package Manager was released in 2020, the first final version followed in 2021. It is a useful program to manage software on Windows 10 and 11 devices.

Some of the supported features include installing multiple programs at once, installing Microsoft Store apps directly without visiting the Store, updating all installed programs at once, and removing any number of Windows programs and apps.

The developers have uploaded a new preview version of Windows Package Manager, version 1.3.1251. The new version will be released to Windows Insider Dev builds and Windows Package Manager insiders, but anyone else may download the new version and install it on their devices, provided that these run Windows 10 version 1809 or newer (including Windows 11).

The big new feature in the preview version is support for portable apps. Up until now, winget did not support portable programs, only Microsoft Store apps and Win32 applications that needed to be installed; this changes with the preview release and the upcoming next stable version of the package manager for Windows.

The feature is limited to the installation of portable programs in this release. Functions to remove and upgrade portable applications using winget are planned and will be introduced in future builds.

Note: The upgrade and uninstall behaviors have not been implemented. The community repository does not accept portable applications either. Users may test with local manifests but will need to manually clean up entries in Windows Apps & Features if this is used to install a portable application.

The installation of portable programs works exactly as the installation of programs that need to be installed or Windows Store applications.

There is still work to be done, as the developers reveal in the notes published on the release page. Community repos do not accept portable apps at this point, and anyone interested in getting these to work in the released version needs to use local manifests to do so.
 

silversurfer

The Windows Package Manager team has been busy working on WinGet 1.4. This release introduces support for .zip-based packages. WinGet can now extract and run an installer inside of a .zip archive or install one or more portable packages from an archive.
The WinGet open-source community has also been busy adding new features like command aliases to help with muscle memory if you use more than one package manager, and a wait argument to keep winget.exe open long enough to see what’s happening if it’s called from other applications.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,494
Winget is not especially dangerous for experienced users, but when used with phishing, it can still be dangerous for many users. The Windows built-in mechanism that validates the packaged applications can be abused, so the package can have a proper Microsoft Store certificate and contain malicious code. The trick used by the attacker is related to the user's belief that applications signed by Microsoft Store are benign. This is true (almost always) when the application is installed from Microsoft Store, but untrue when the packaged app is downloaded from a 3rd-party repository.
 

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
> Winget is not especially dangerous for experienced users, but when used with phishing, it can still be dangerous for many users. The Windows built-in mechanism that validates the packaged applications can be abused, so the package can have a proper Microsoft Store certificate and contain malicious code. The trick used by the attacker is related to the user's belief that applications signed by Microsoft Store are benign. This is true (almost always) when the application is installed from Microsoft Store, but untrue when the packaged app is downloaded from a 3rd-party repository.

The average user is unaware of the potential dangers of downloading files from non-Microsoft repositories.
If the attacker uses an Office macro or a webpage to do the downloading, then the user will just sit there and spectate.
 

Andy Ful

> Please stop discussing the potential "risk" of using Winget; there is no need to post your opinions further in this thread.
> If it is really important to warn about using Winget, then you can rather start a thread in this section: General Security Discussions
I agree. The short notion about possible risks for home users is enough. Winget is used by administrators like other LOLBins to automate their work via CmdLines or scripts.
There is also Windows Package Manager PowerShell Module available on GitHub:
 

ch4mla

New Member
Jan 26, 2023
7
... I am trying to understand how you can 'install' or 'manage' a portable program with Winget... will it just download the already portable - because Winget will definitely not be acting as some sort of automated portabilizer here...surely.. - app and place it at a corner of your choosing
 

brambedkar59

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
> ... I am trying to understand how you can 'install' or 'manage' a portable program with Winget... will it just download the already portable - because Winget will definitely not be acting as some sort of automated portabilizer here...surely.. - app and place it at a corner of your choosing
Yeah, I also can't seem to figure this one out. How do I tell winget that the location of portable apps is "D:\Backup\PortableApps"? I already have a lot of portable apps stored in there and I want Winget to recognize them.
 

silversurfer

Microsoft has now added support for installing ZIP files on its Windows Package Manager CLI or winget with the latest version. Aside from that, it has also received native PowerShell support, and many more changes and bugfixes. These two major features were requested back in 2020.

Features

  • Support installing .zip files #140
  • Add Native PowerShell Support #221
  • Support --no-upgrade option for install flow #2655
 

silversurfer


WinGet 1.8 allows users to download Microsoft Store apps for offline distribution

Windows Package Manager is a package manager solution that includes a command-line tool (winget) and a set of services for installing apps on Windows 10 and Windows 11 PCs. Using the winget command-line tool, anyone can install, upgrade, remove, and configure apps on Windows.

Microsoft recently highlighted that the latest Windows Package Manager (winget) 1.8 release allows users to download Microsoft Store apps. This feature will be especially helpful for IT teams within organizations, allowing them to download Microsoft Store apps for offline distribution in their network. This feature will replace the existing Enterprise Offline feature from the Microsoft Store for Business.

Here's how you can use WinGet to download Microsoft Store apps:
  • Download and install the latest version of WinGet on your Windows PC.
  • To download a Microsoft Store app, use the download command as below.
    • winget download Calculator -s msstore
  • The above command will create a folder in Downloads directory and the downloaded app package will be available in it.
  • To install the downloaded app in another Windows PC, copy the package and use the following command:
    • Add-AppxPackage -Path C:\Users\username\downloads\9WZDNCRFHVN5\Calculator.appx
  • If you use the winget tool without administrator privileges, Windows will prompt you to elevate to an admin user during installation. If you choose not to elevate, the application installation will not proceed further.
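
The offline-distribution steps above copy a package between machines before Add-AppxPackage runs. As an added example (not part of the quoted article or of any post in this thread), the following PowerShell records SHA256 hashes at download time and refuses to install a copy that no longer matches or whose signature is not valid; the function names and hashes.json are assumptions made for the illustration.

```powershell
# Added example. Save-PackageHash, Install-VerifiedPackage and hashes.json
# are assumed names for this illustration, not winget features.

function Save-PackageHash {
    # Download machine: run right after `winget download ... -s msstore`.
    param([Parameter(Mandatory)][string]$Folder,
          [string]$RecordName = 'hashes.json')
    Get-ChildItem -Path $Folder -File |
        Where-Object { $_.Name -ne $RecordName } |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.Name
                Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | ConvertTo-Json |
        Set-Content -Path (Join-Path $Folder $RecordName) -Encoding UTF8
}

function Install-VerifiedPackage {
    # Target machine: run instead of calling Add-AppxPackage directly.
    param([Parameter(Mandatory)][string]$PackagePath,
          [Parameter(Mandatory)][string]$RecordPath)
    $name     = Split-Path -Path $PackagePath -Leaf
    $records  = Get-Content -Path $RecordPath -Raw | ConvertFrom-Json
    $expected = $records | Where-Object { $_.Name -eq $name }
    if (-not $expected) { throw "No recorded hash for $name" }

    $actual = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
    if ($actual -ne $expected.Sha256) {
        throw "SHA256 mismatch for ${name}: file changed after download"
    }

    # A valid signature is checked as well as the pinned hash, not instead
    # of it: the thread notes that a properly signed package can still be
    # malicious when it comes from a third-party location.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature status for ${name} is $($sig.Status)"
    }
    Write-Host "Verified $name, signer: $($sig.SignerCertificate.Subject)"
    Add-AppxPackage -Path $PackagePath
}
```

Keep hashes.json somewhere that people who can write to the distribution share cannot modify, otherwise a swapped package can be accompanied by a swapped record.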

 

Andy Ful

I had some concerns about abusing WinGet by malicious actors, but it seems that Microsoft put much effort into making it safe:

> I don't see where security risks would be an issue here because every installer goes through Dynamic Analysis (Virus Scan) in the Pipelines' VMs, and if there's a PUA or malware in the installer, it's immediately flagged by the pipelines. The PR is also manually validated by Moderators, in either VMs, or Bare Metal - so installers are always double checked to make sure that it isn't a malicious package intended to steal people's passwords or monitor what they're typing on their keyboard:

> As mentioned, WinGet has multiple repositories from which we can search and install applications. It uses Smart Screen, static analysis, and SHA256 hash validation to prevent any malicious packages.

:) (y)
 
