IMECache: Attack of the Cleaner

This blog shows what happens when you install a Win32 app that is deployed with serviceui.exe, how to troubleshoot errors in that process and, of course, how to solve one particular problem.

I will divide this blog into 5 parts:

  1. Describing each phase and where to find it in the log
  2. Background info about Serviceui.exe
  3. The problem itself
  4. Troubleshooting the Problem
  5. The Solution

1. Win32 App IME installation phases

When you want to monitor or troubleshoot a Win32 app installation you will need the Intune Management Extension log file:

C:\programdata\microsoft\intunemanagementextension\logs\IntuneManagementextension.log

You can open this log file with Notepad, but I recommend the CMTrace tool from the Configuration Manager toolkit:

Download System Center 2012 R2 Configuration Manager Toolkit from Official Microsoft Download Center

To understand how apps are being deployed to the device we need to take a look at each phase.

1. Downloading phase

This is the first phase, in which the Intune Management Extension (IME) downloads the intunewin file (*.bin) from the Intune service to the device. The download is placed in C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming.

Luckily, the device certificate is available. When it is not available or has expired, you can get some weird behaviour; I dedicated a blog to this some time ago:

Alice and the Device Certificate – Call4Cloud

2. Decrypting and verifying phase

After the download has finished, IME verifies and decrypts the .bin file into a zip file in the staging folder, C:\Program Files (x86)\Microsoft Intune Management Extension\staging\, and from the staging folder it is unzipped to the C:\Windows\IMECache folder.

3. Installing phase

IME starts the installation from the IMECache folder and retries it if needed (3 times, 5 minutes apart).

4. Detection phase

IME checks whether the installation succeeded by evaluating the detection rules you specified for the Win32 app in Intune.

5. Reporting phase

The final phase of the app installation is the reporting phase, in which IME sends the results back to the service.

I updated the flow below because some of the information wasn't correct: the data is decrypted and moved to the IMECache folder instead of the staging folder. Of course, I notified Microsoft about this little flaw.

2. Background info about Serviceui.exe

We were asked to publish a new app for all users, called Eplan. When the installation of an app requires user interaction, the only option you have is serviceui.exe.

By default, Win32 apps installed by IME run in the system context (0).

A normal user session has no permission to view any messages or prompts from an app installation that is running in the system context.

Of course, you could change the install behavior of the app to select the context in which it must be installed.

When your users are all local admins, be my guest and change it to “User”, but if you read my blogs often, you will know I really don’t like local admins. So changing this option to User is not going to work.

Serviceui.exe to the rescue. Serviceui.exe makes sure that, when the app is installed in the system context, it can detect the user session and lets the installer interact with it.

https://www.microsoft.com/en-us/download/details.aspx?id=54259

A while ago, I created a blog about how to do this:

Company App: Unchained – Call4Cloud

3. The problem

Creating an app with serviceui.exe can be done within a few minutes; we have literally done this a thousand times. But this one was a little bit different.

After the app was visible in the company app, we tried to install it. After a few minutes, the installing phase began. After pressing next, next, selecting some specific settings, next, this error was shown.

That’s strange, because the installation file that is executed was copied to the IMECache folder in the decrypting phase, wasn’t it?

4. Troubleshooting the problem

First, we checked whether the contents of the .bin/intunewin file were the same. You can follow this blog from Oliver if you want to know how:

How to decode Intune Win32 App Packages – MSEndpointMgr

We detected no differences. Let’s check what has been copied to the IMECache folder.

Looking at the IMECache folder itself, it is missing a lot of files; almost every file needed to install the app is missing.

We double-checked the IntuneManagementExtension log to be sure we didn’t miss any error. Unfortunately, no errors for us.

To be sure it was not the device itself, we also tried it on multiple clean-installed VMs and retried the installation multiple times.

So what’s happening here?

- No PathTooLongException: the folder path is not over 248 characters.

- No Defender issue (we excluded the IMECache folder and the Content folder and checked the Defender logs).

- When you are creating intunewin apps, please make sure you have the latest version installed! In version 1.7 some issues with Unicode support were fixed.

When looking closer and refreshing the IMECache folder every few seconds, we noticed that the files were removed even though the installation was not yet completed.
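Refreshing the folder by hand works, but it is easy to miss the exact moment. The script below is an added example (not code from the original post or from Microsoft) that records every create and delete under C:\Windows\IMECache with a timestamp while the app installs, so you can line the deletes up with the IntuneManagementExtension.log afterwards. The log file name and the 15-minute window are my own choices; run it from an elevated PowerShell on the test VM before you start the installation.

```powershell
# Added example, not part of the original post: watch the IMECache folder during a
# Win32 app installation and write every Created/Deleted event to a small log file.
param(
    [string]$Path    = 'C:\Windows\IMECache',          # folder IME extracts the app into
    [string]$LogFile = "$env:TEMP\imecache-watch.log",  # hypothetical output file
    [int]$Minutes    = 15                               # how long to keep watching
)

if (-not (Test-Path -LiteralPath $Path)) {
    # IME creates the folder itself during the first install; don't create it for it
    Write-Host "$Path does not exist yet, start an app installation first"
    return
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $Path
$watcher.IncludeSubdirectories = $true

# One handler serves both events. $Event is filled in by the engine;
# $Event.MessageData carries the log path we hand over at registration time.
$handler = {
    $e    = $Event.SourceEventArgs
    $line = '{0:yyyy-MM-dd HH:mm:ss.fff} {1,-8} {2}' -f $Event.TimeGenerated, $e.ChangeType, $e.FullPath
    Add-Content -LiteralPath $Event.MessageData -Value $line
}
$subscriptions = foreach ($eventName in 'Created', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $eventName -Action $handler -MessageData $LogFile
}
$watcher.EnableRaisingEvents = $true

Write-Host "Watching $Path for $Minutes minute(s); events are written to $LogFile"
$deadline = (Get-Date).AddMinutes($Minutes)
while ((Get-Date) -lt $deadline) {
    # The -Action blocks run on the engine thread whenever the script is idle, such as during Start-Sleep
    Start-Sleep -Seconds 1
}

# Tear down the subscriptions so the watcher does not keep running in the session
$watcher.EnableRaisingEvents = $false
$subscriptions | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
$watcher.Dispose()

# Show only the deletes; a delete timestamp that lies before the setup's last prompt is the smoking gun
Get-Content -LiteralPath $LogFile | Where-Object { $_ -match ' Deleted ' }
```

The timestamps in the output use the local clock of the device, the same clock the IME log uses, so a delete that shows up while the setup wizard is still on screen can be matched directly against the entries in CMTrace.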

Let’s open the Intune log again. After scrolling down the log, we noticed this StatusService error a few minutes into the installation of the app.

The installation is a success but the detection rules failed, and within 7 seconds IME starts deleting the temporary IMECache folder.
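To measure that gap without scrolling through CMTrace by hand, here is an added example (not from the original post) that parses the CMTrace-style entries of IntuneManagementExtension.log and reports the time between the entry that marks the install as successful and the first entry that touches the IMECache folder. The log lines in the block are constructed samples that mirror the 7-second gap described above; the real wording in your log will differ, so adjust the -SuccessPattern and -CleanupPattern keywords to what you see in CMTrace.

```powershell
# Added example, not part of the original post: read CMTrace-formatted log entries and
# compute how quickly IME cleaned up IMECache after reporting a successful install.

function ConvertFrom-CMTraceLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    # CMTrace entries look like: <![LOG[message]LOG]!><time="HH:mm:ss.fffffff+060" date="M-d-yyyy" component="..." ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # Drop the UTC offset suffix (+060 / -300) before parsing the time
            $t = ($Matches['time'] -split '[+-]')[0]
            [pscustomobject]@{
                Time      = [datetime]::ParseExact("$($Matches['date']) $t", 'M-d-yyyy HH:mm:ss.fffffff', $null)
                Component = $Matches['comp']
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-IMECacheCleanupDelay {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$SuccessPattern = 'succeeded',   # keyword of the "install succeeded" entry
        [string]$CleanupPattern = 'IMECache'     # keyword of the cleanup/delete entry
    )
    $entries = @(ConvertFrom-CMTraceLog -Lines $Lines)
    $success = $entries | Where-Object { $_.Message -match $SuccessPattern } | Select-Object -First 1
    if (-not $success) { return $null }
    $cleanup = $entries |
        Where-Object { $_.Time -ge $success.Time -and $_.Message -match $CleanupPattern } |
        Select-Object -First 1
    if (-not $cleanup) { return $null }
    [pscustomobject]@{
        SuccessAt    = $success.Time
        CleanupAt    = $cleanup.Time
        DelaySeconds = [math]::Round(($cleanup.Time - $success.Time).TotalSeconds, 1)
    }
}

# Constructed sample entries (not real IME log output); they reproduce the 7-second gap from the post
$sampleLines = @(
    '<![LOG[[Win32App] Starting installation of app Eplan]LOG]!><time="10:12:01.0000000+060" date="3-15-2021" component="IntuneManagementExtension" context="" type="1" thread="5" file="">'
    '<![LOG[[Win32App] Installation succeeded, exit code 0]LOG]!><time="10:15:30.0000000+060" date="3-15-2021" component="IntuneManagementExtension" context="" type="1" thread="5" file="">'
    '<![LOG[[StatusService] Detection rules failed for app Eplan]LOG]!><time="10:15:33.0000000+060" date="3-15-2021" component="IntuneManagementExtension" context="" type="3" thread="5" file="">'
    '<![LOG[[Win32App] Deleting IMECache folder C:\Windows\IMECache\...]LOG]!><time="10:15:37.0000000+060" date="3-15-2021" component="IntuneManagementExtension" context="" type="1" thread="5" file="">'
)

# Run against the samples; DelaySeconds comes out as 7
Get-IMECacheCleanupDelay -Lines $sampleLines

# Against a real device, feed the actual log instead:
# Get-IMECacheCleanupDelay -Lines (Get-Content 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log')
```

A delay of a few seconds between the success entry and the cleanup entry, while the setup wizard is still open, confirms that the installer returned early and IME simply did what it always does after a successful install.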

Of course, this is default behaviour, because the app was installed successfully! Let’s take a look at the first installation window and the last error prompt.

That makes total sense! The first installation is the 5.70 version. When this installation completes successfully, it returns a good exit code and IME starts cleaning up, but the installation is not done yet: it still needs version 5.70 SP1! The 5.70 SP1 install starts, but it is missing all the files, throws an error and reverts the installation!

5. The solution

Okay. Now we know it is default behaviour, but how are we going to solve this? The solution is very simple! We need to combine all the files into a zip file. When Deploy-Application.ps1 is called, it must first extract all the files, and only when all the files are extracted does it start the installation.

1. Zipping it

Instead of adding all the separate files and folders inside the app\Files folder, we zip them.

2. Changing the Deploy-Application.ps1

We need to add an additional install task, Expand-Archive, and change the Execute-Process parameter to match the setup file from the zip file.

3. Testing the Win32App

Create a new intunewin app and upload it to Intune. While installing the app, watch the IMECache folder: instead of extracting all the files, it extracts the zip file.

It then extracts the files to the specified folder and installs successfully, because that folder is not emptied after the first installation completes.
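Putting the three steps together, this is an added example of what the installation section of the Deploy-Application.ps1 can look like; it is not the post's own script and not code from the PowerShell App Deployment Toolkit, only a use of its Execute-Process, Write-Log and Exit-Script functions and its $dirFiles variable. The archive name, the extraction folder under ProgramData and the two setup paths are hypothetical placeholders; the point is that the files are unpacked to a folder outside IMECache, both setups run from there, and the script refuses to start if the extraction did not deliver what it expects.

```powershell
# Added example, not the original post's or PSADT's code: the Installation section of a
# Deploy-Application.ps1 that unzips the payload out of IMECache before running setup,
# so the second (SP1) setup still finds its files after IME has cleaned IMECache up.
# Goes inside the existing "if ($deploymentType -ine 'Uninstall')" block of the script.
[string]$installPhase = 'Installation'

$zipName   = 'EplanPayload.zip'                                    # hypothetical archive placed in the Files folder
$extractTo = Join-Path $env:ProgramData 'CompanyName\Eplan-Setup'  # hypothetical folder outside C:\Windows\IMECache

# 1. Extract. $dirFiles is PSADT's variable for the package's Files folder (inside IMECache at run time).
Write-Log -Message "Extracting $zipName to $extractTo" -Source $deployAppScriptFriendlyName
Expand-Archive -LiteralPath (Join-Path $dirFiles $zipName) -DestinationPath $extractTo -Force

# 2. Sanity check: do not start any setup if the expected files did not arrive.
$setup570   = Join-Path $extractTo 'Setup570\setup.exe'     # hypothetical path of the 5.70 installer
$setup570sp = Join-Path $extractTo 'Setup570SP1\setup.exe'  # hypothetical path of the 5.70 SP1 installer
foreach ($file in $setup570, $setup570sp) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Log -Message "Missing $file after extraction, aborting install" -Severity 3 -Source $deployAppScriptFriendlyName
        Exit-Script -ExitCode 60001
    }
}

# 3. Run both setups from the extracted folder, never from $dirFiles. Execute-Process waits for
#    each process to finish, so the SP1 setup only starts after 5.70 has completed. The installers
#    are interactive (that is why serviceui.exe is used), so the window is left visible.
Execute-Process -Path $setup570   -WindowStyle 'Normal'
Execute-Process -Path $setup570sp -WindowStyle 'Normal'

# 4. Remove our own extraction folder only now, when both installs have really finished.
Remove-Item -LiteralPath $extractTo -Recurse -Force -ErrorAction SilentlyContinue
```

Because the exit code IME sees is the exit code of Deploy-Application.ps1 and not of the first setup, IME only reports success (and only starts its cleanup) once the whole sequence has run, and even if it cleaned IMECache earlier the second setup would still find its files under ProgramData.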

Conclusion

Again, another deep dive into troubleshooting Win32 app installations.

It’s very important that you know how to troubleshoot Win32 apps, and it’s even more important to know how to read the Intune Management Extension log.
