The Windows Process Journey — tar.exe (BSD tar Archive Tool)

Shlomi Boutnaru, Ph.D.
Jan 14, 2024

“tar.exe” is a PE binary located at “%windir%\System32\tar.exe”. It is a command line tool that lets us create archives and extract files (https://learn.microsoft.com/en-us/virtualization/community/team-blog/2017/20171219-tar-and-curl-come-to-windows). “tar.exe” is based on “libarchive” (https://libarchive.org/), whose code is available on GitHub (https://github.com/libarchive/libarchive). “tar.exe” uses libarchive through “%windir%\System32\archiveint.dll”.

Moreover, “tar.exe” has shipped pre-installed with Windows 10 since version 1803 (build 17063 and later) (https://renenyffenegger.ch/notes/Windows/dirs/Windows/System32/tar_exe). There is also a 32-bit version of the binary located at “%windir%\SysWOW64\tar.exe”. Microsoft also digitally signs the “tar.exe” binary.
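The following PowerShell snippet is an added example, not part of the original writeup: it inventories the binaries named above (both “tar.exe” copies and “archiveint.dll”), checks their Authenticode signatures and records their versions and SHA-256 hashes, which is the check a defender would run before trusting a tar.exe found on a host. The paths are those given in the text; the output layout is my own choice.

```powershell
# Added example (not from the article): verify the tar.exe binaries the
# article describes. Paths are the ones stated above.
$candidates = @(
    "$env:windir\System32\tar.exe",
    "$env:windir\SysWOW64\tar.exe",          # 32-bit copy
    "$env:windir\System32\archiveint.dll"     # libarchive DLL used by tar.exe
)

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        # Expected to exist on Windows 10 1803 (build 17063) and later.
        Write-Output "$path : not present"
        continue
    }
    # Signature status: system binaries may be catalog-signed rather than
    # carrying an embedded signature; Get-AuthenticodeSignature checks both.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $ver  = (Get-Item -LiteralPath $path).VersionInfo
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    [PSCustomObject]@{
        Path        = $path
        FileVersion = $ver.FileVersion
        Signer      = $sig.SignerCertificate.Subject
        SignatureOK = ($sig.Status -eq 'Valid')
        SHA256      = $hash
    }
}

# bsdtar reports the libarchive version it was built against.
& "$env:windir\System32\tar.exe" --version
```

A SignatureOK of False for a file at one of these paths, or a signer other than Microsoft, is worth investigating; keeping the SHA-256 values lets you compare the binary across hosts or against a known-good build.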

Overall, by going over the command line options of “tar.exe” we can see that it supports several operations: creating archives, listing the files inside an archive, updating archives and extracting them. We can also compress an archive using gzip/bzip2/xz/lzma and choose among the ustar/pax/cpio/shar formats (https://ss64.com/nt/tar.html).

Lastly, when extracting an archive with “tar.exe” we can choose to keep or overwrite existing files, restore (or not) modification times, write data to stdout instead of disk, and restore ACLs (https://medium.com/@boutnaru/the-windows-security-journey-acl-access-control-list-b7d9a6fe428) and other permission information (ownership and flags).
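The following PowerShell session is an added example, not part of the original writeup, that walks through the operations and extraction options described in the two paragraphs above: create, list, update and extract, with a compression and format choice, and the keep-existing, skip-mtime, preserve-permissions and write-to-stdout switches. It works in a scratch directory under %TEMP% with two constructed sample files; the directory and file names are assumptions.

```powershell
# Added example (not from the article): exercise the tar.exe operations
# described above in a throwaway directory with constructed input files.
$work = Join-Path $env:TEMP "tar-demo"
New-Item -ItemType Directory -Path "$work\src" -Force | Out-Null
Set-Content -Path "$work\src\notes.txt"  -Value "constructed sample file"
Set-Content -Path "$work\src\config.ini" -Value "[demo]`nkey=value"
Set-Location $work

# Create (-c) a gzip-compressed (-z) archive in pax format from the src tree.
tar.exe -c -z -f demo.tar.gz --format pax src

# List (-t) verbosely (-v) before extracting: review member paths and sizes
# first, since an archive can carry names you do not want written to disk.
tar.exe -t -v -f demo.tar.gz

# Update (-u): add only files newer than their archived copies. Update works
# on uncompressed archives stored in regular files, so use a plain .tar here.
tar.exe -c -f demo.tar src
Set-Content -Path "$work\src\notes.txt" -Value "changed after archiving"
tar.exe -u -f demo.tar src
tar.exe -t -v -f demo.tar

# Extract (-x) into a separate directory (-C), keeping existing files (-k) so
# the archive cannot silently overwrite what is already there, without
# restoring archived modification times (-m), and restoring permissions,
# flags and ACLs where available (-p).
New-Item -ItemType Directory -Path "$work\out" -Force | Out-Null
tar.exe -x -k -m -p -f demo.tar.gz -C out

# Write a single member to stdout (-O) instead of to disk, e.g. to inspect it.
tar.exe -x -O -f demo.tar.gz src/config.ini
```

Listing with `-t -v` before `-x`, extracting into an empty directory with `-C`, and using `-k` are the habits that keep an untrusted archive from overwriting files you already have; `-p` is the switch that restores the ACL and ownership information the article mentions, so it should only be used when you trust the archive's permission data.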

See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
