Appxsvc Appx Deployment Service (appxsvc)


Sherman Desrosiers

Aug 4, 2024, 3:57:24 PM
to faivaltose
Previous research on malicious Windows Apps focused on concrete system infections involving particular instances of such Apps. This article complements previous research by taking a generic perspective. I take an APPX package that malicious actors have used to deploy malware as a running example and provide:

For Windows to install an APPX package, whether malicious or not, the system first has to establish trust in the package. Microsoft provides the Microsoft Store to Windows users as a library of certified packaged Windows Apps. These packages are digitally counter-signed by Microsoft. By default, Windows trusts APPX packages that originate from the Microsoft Store. However, when the Windows App sideloading feature is enabled, users can also install APPX packages that do not originate from the Microsoft Store, that is, packages that are not counter-signed by Microsoft. The majority of the malicious APPX packages that the security community has observed in attacks are of this kind.


The edge_update.appx APPX package is signed with a code signing certificate issued to Foresee Consulting Inc. and a root certificate issued by DigiCert Trusted Root G4. Windows systems trust DigiCert root certificates and they are placed in the Trusted Root Certification Authorities certificate store.


APPX packages are ZIP archive files that store the executable files that implement the packaged Windows App and additional files. Figure 2 depicts the content of edge_update.appx. The eediwjus directory stores the malicious Windows App that the executable files eediwjus.exe and eediwjus.dll implement. eediwjus.exe is a .NET Windows App (see Figure 3) that invokes the mhjpfzvitta function from eediwjus.dll. This function executes malicious code that is heavily control-flow obfuscated with unconditional jumps (see Figure 4). The analysis of the malicious code is out of the scope of this article.


AppxManifest.xml is the package manifest, a file in XML (Extensible Markup Language) format that contains the information that Windows needs to deploy, display, and update a Windows App. This includes information about:


Figure 5 depicts the content of AppxManifest.xml in the malicious edge_update.appx. The publisher of the Windows App is Foresee Consulting Inc., the display name of the App is Edge Update, and the App has the capabilities internetClient and runFullTrust. The internetClient capability enables the malicious Windows App to download data from the Internet, probably a payload from an attacker-controlled endpoint.
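The manifest fields discussed above, pulled out by a small triage routine. This is an added example and not code from the article: the manifest bytes are constructed from the values quoted above (the Identity Name "EdgeUpdate" and the Publisher string "CN=Foresee Consulting Inc." are assumptions, not the real file), and the publisher-versus-signer comparison goes one step beyond the text, since AppxSvc also requires Identity/@Publisher to match the subject of the signing certificate.

```python
import xml.etree.ElementTree as ET

# Default namespace of a Windows 10 AppxManifest.xml; runFullTrust is declared via rescap
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}
# Capabilities a reviewer of a sideloaded package wants called out explicitly
FLAGGED = {"runFullTrust": "unsandboxed Win32 code", "internetClient": "outbound network access"}

# Constructed manifest built from the values quoted above; not the real file's bytes
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
  IgnorableNamespaces="rescap">
  <Identity Name="EdgeUpdate" Publisher="CN=Foresee Consulting Inc." Version="1.0.0.0" />
  <Properties>
    <DisplayName>Edge Update</DisplayName>
    <PublisherDisplayName>Foresee Consulting Inc.</PublisherDisplayName>
  </Properties>
  <Capabilities>
    <Capability Name="internetClient" />
    <rescap:Capability Name="runFullTrust" />
  </Capabilities>
</Package>"""


def triage_manifest(xml_bytes: bytes, signer_subject: str) -> dict:
    """Extract identity, display name and capabilities; check the publisher against the signer.

    AppxSvc rejects a package whose Identity/@Publisher differs from the signing
    certificate's subject. This does a plain string compare; Windows compares canonical DNs.
    """
    root = ET.fromstring(xml_bytes)
    identity = root.find("m:Identity", NS)
    # Capability elements may sit in the default, uap or rescap namespace, so match any child
    caps = [c.get("Name") for c in root.findall("m:Capabilities/*", NS)]
    return {
        "name": identity.get("Name"),
        "publisher": identity.get("Publisher"),
        "display_name": root.findtext("m:Properties/m:DisplayName", namespaces=NS),
        "capabilities": caps,
        "flags": {c: FLAGGED[c] for c in caps if c in FLAGGED},
        "publisher_matches_signer": identity.get("Publisher").strip() == signer_subject.strip(),
    }
```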


AppxBlockMap.xml is the package block map, a file in XML format that stores Base64-encoded hash values of data blocks in the files that an APPX package archives. Windows uses these hashes to verify the data integrity of these files when installing an APPX package, a topic that I discuss further in this article.
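The block-map check described above, as an added example that is not code from the article. It builds a constructed two-file package with an AppxBlockMap.xml in the real format (SHA-256 over 64 KiB blocks of uncompressed file data, the 2010 blockmap namespace, backslash file names while the ZIP entries use forward slashes) and then re-verifies it, so a file altered or dropped after the map was written is reported. The signature over the block map itself (AppxSignature.p7x) is outside this example; the file names mirror the package discussed above but the bytes are constructed.

```python
import base64
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

BLOCKMAP_NS = "http://schemas.microsoft.com/appx/2010/blockmap"
SHA256_METHOD = "http://www.w3.org/2001/04/xmlenc#sha256"
BLOCK_SIZE = 64 * 1024  # each Block/@Hash covers 64 KiB of uncompressed file data

def block_hashes(data: bytes) -> list:
    """Base64 SHA-256 digest of each 64 KiB block, the form stored in Block/@Hash."""
    return [base64.b64encode(hashlib.sha256(data[o:o + BLOCK_SIZE]).digest()).decode()
            for o in range(0, len(data), BLOCK_SIZE)]

def build_blockmap(files: dict) -> bytes:
    """Minimal AppxBlockMap.xml for {name: bytes}; names use the map's backslash form."""
    root = ET.Element("BlockMap", xmlns=BLOCKMAP_NS, HashMethod=SHA256_METHOD)
    for name, data in files.items():
        f = ET.SubElement(root, "File", Name=name, Size=str(len(data)), LfhSize="30")
        for h in block_hashes(data):
            ET.SubElement(f, "Block", Hash=h)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def build_package(files: dict, blockmap_files: dict = None) -> bytes:
    """Zip the payload plus a block map; blockmap_files lets a test plant a stale map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name.replace("\\", "/"), data)  # ZIP entries use forward slashes
        zf.writestr("AppxBlockMap.xml", build_blockmap(blockmap_files or files))
    return buf.getvalue()

def verify_blockmap(appx_bytes: bytes) -> dict:
    """Recompute each listed file's block hashes and compare them with the map."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(appx_bytes)) as zf:
        root = ET.fromstring(zf.read("AppxBlockMap.xml"))
        if root.get("HashMethod") != SHA256_METHOD:
            raise ValueError("unsupported HashMethod: %r" % root.get("HashMethod"))
        for f in root.findall("{%s}File" % BLOCKMAP_NS):
            name, entry = f.get("Name"), f.get("Name").replace("\\", "/")
            data = zf.read(entry) if entry in zf.namelist() else None  # None: file missing
            expected = [b.get("Hash") for b in f.findall("{%s}Block" % BLOCKMAP_NS)]
            results[name] = (data is not None and expected == block_hashes(data)
                             and int(f.get("Size")) == len(data))
    return results

# Constructed sample mirroring the layout of the package discussed above, not its real bytes
SAMPLE = {"AppxManifest.xml": b"<Package/>", "eediwjus\\eediwjus.dll": bytes(range(256)) * 300}
```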


AppxSignature.p7x is the APPX package signature, PKCS #7 (Public-Key Cryptography Standards) digital signature data in ASN.1 (Abstract Syntax Notation One) format. AppxSignature.p7x stores signature data, such as the certificate chain of the digital signature and the actual signed data. The signed data includes hashes of files in the APPX package, such as AppxManifest.xml and AppxBlockMap.xml. Figure 7 depicts the formatted content of AppxSignature.p7x in the malicious edge_update.appx.


The AppxSvc service (Appx Deployment Service), which the DLL (dynamic-link library) %SystemRoot%\System32\appxdeploymentserver.dll implements, orchestrates the installation of APPX packages. When a user installs an APPX package, the AppxSvc service verifies the data integrity of the package and verifies that the package satisfies certain trust criteria. Figure 8 depicts a simplified overview of the data integrity verification process that the AppxSvc service conducts.


The steps above ensure that the data in an APPX package is credible, with the overall process relying on a successful verification of the signed data in AppxSignature.p7x. However, for Windows to install an APPX package, whether malicious or not, the system also has to verify that the package satisfies a set of trust criteria.


Previous research provides more background information on the steps above. This article focuses on the trust criteria that relate to the certificates in AppxSignature.p7x that the AppxSvc service uses to verify the signed data in AppxSignature.p7x.


These certificates represent the root of trust for the data integrity verification of an APPX package and for establishing trust in the package. In addition, in contrast to other APPX package-internal data structures for data integrity and trust verification, the certificates are more relevant entities from an operational perspective to end-users.


If any validation by CertVerifyCertificateChainPolicy or CertGetCertificateChain fails, the AppxSvc service does not establish trust in the APPX package and terminates the installation of edge_update.appx.


In practice, CertVerifyCertificateChainPolicy successfully validates the certificates in the package signature of the malicious edge_update.appx. This is because the root certificate, which is issued by DigiCert Trusted Root G4, is present in the Trusted Root Certification Authorities certificate store.


Prior to the revocation of the end certificate issued to Foresee Consulting Inc., CertGetCertificateChain did not indicate an issue with the certificate chain in the package signature of edge_update.appx. This resulted in the AppxSvc service completing the installation of the malicious APPX package and therefore compromising the system. Windows places installed Windows Apps in the %ProgramFiles%\WindowsApps directory (see Figure 13).


For Windows to install a Windows App that is packaged, for example, into an APPX package, the system first has to establish trust in the package. To this end, Windows verifies the data integrity of the package based on the package signature and evaluates whether the package satisfies certain trust criteria. Some of the trust criteria that relate to the certificates in the package signature are the following:


In the era of interconnectivity, when markets, geographies, and jurisdictions merge in the melting pot of the digital domain, the perils of the threat ecosystem become unparalleled. Crimeware families achieve an unparalleled level of technical sophistication, APT groups are competing in fully-fledged cyber warfare, while once decentralized and scattered threat actors are forming adamant alliances of operating as elite corporate espionage teams.


Provides infrastructure support for deploying Store applications. This service is started on demand and if disabled Store applications will not be deployed to the system, and may not function properly.


AppX Deployment Service (AppXSVC) is a Win32 service. In Windows 10 it starts only if the user, an application or another service starts it. When the AppX Deployment Service (AppXSVC) is started, it runs as LocalSystem in a shared svchost.exe process along with other services. If AppX Deployment Service (AppXSVC) fails to start, the failure details are recorded in the Event Log. Windows 10 then starts up and notifies the user that the AppXSvc service has failed to start due to the error.


3. Close the command window and restart the computer. The AppXSvc service uses the appxdeploymentserver.dll file that is located in the C:\Windows\system32 directory. If the file is removed or corrupted, read this article to restore its original version from Windows 10 installation media.


Despite disabling Windows Defender and running the optimization and decrapifier scripts (see: WOA for RPi3B+ manual install method using command prompt (MicroSD + SSD USB)), we are still left with a number of services that are eating up 80% of the RAM in the case of 18836, so we need to figure out which ones can be disabled and the implications of doing so. Some services may be stoppable through methods other than via services.msc.


appmodel = State Repository Service and Capability Access Manager Service

ClipboardSvcGroup = Clipboard User Service_1d6fe

Local Security Authority Process: 3 services - Credential Manager, Security Accounts Manager, CNG Key Isolation

LocalServiceNoNetworkFirewall: a group of 2 services - Windows Defender Firewall and Base Filtering Engine

Microsoft Software Protection Platform Service = Software Protection

Service Host: DCOM Server Process Launcher: a group of 5 services - System Events Broker, Power, Local Session Manager, DCOM Server Process Launcher, Background Tasks Infrastructure Service

Service Host: Local Service (Network Restricted): a group of 7 services - AVCTP service, Network Store Interface Service, Network List Service, Windows Font Cache Service, COM+ Event System, Display Policy Service, Connected Devices Platform Service.

Service Host: Local Service (Network Restricted): a group of 5 services - WinHTTP Web Proxy Auto-Discovery Service, Time Broker, TCP/IP NetBIOS Helper, Windows Event Log, DHCP Client

Service Host: Local Service (Network Restricted): Windows Audio

Service Host: Local Service (Network Restricted): Windows Connection Manager

Service Host: Local Service (Network Restricted): Security Center

Service Host: Local Service (Network Restricted): Data Usage

Service Host: Local Service (No Network) = CoreMessaging

Service Host: Local System: a group of 15 services - Group Policy Client, Update Orchestrator Service, Windows Management Instrumentation, User Manager, Web Account Manager, Themes, Shell Hardware Detection, Remote Desktop Configuration, System Event Notification Service, Task Scheduler, User Profile Service, Server, IP Helper, Application Information

Service Host: Local System = Certificate Propagation

Service Host: Local System (Network Restricted): 6-7 services - Storage Service, Program Compatibility Assistant Service, Remote Desktop Services UserMode Port Redirection, Network Connection Broker, Human Interface Device Service, Windows Audio Endpoint Builder, Display Enhancement Service

Service Host: Network Service: a group of 6 services - Network Location Awareness, Workstation, DNS Client, Cryptographic Services

Service Host: Network Service: Remote Desktop Services

Service Host: Remote Procedure Call: 2 services - Remote Procedure Call (RPC) and RPC Endpoint Mapper

Service Host: Unistack Service Group: a group of 6 services - Sync Host_1d6e4, Windows Push Notifications User Service_1d6e4, User Data Access_1d6e4, User Data Storage_1d6e4, Contact Data_1d6e4, Connected Devices Platform User Services_1d6e4

Windows Security Health Service = Windows Security Service

wsappx: 2 services, including AppX Deployment Service (AppXSVC)

XTA Cache Service = XtaCache service: WOW64 emulator for running 32-bit apps
