Converting .manifest Files Into Windows Defender Documentation
tl;dr I learned how to decrypt .manifest files and used them to document data fields in Windows Defender. (.manifest can be seen here)
About 6 months ago, I was tasked with writing a parser for Windows Defender, to correctly get syslogs from endpoints into our SIEM platform at work. Writing the Regex was trivial, as I had been writing parsers for a couple of months at the time, but when it came to classifying the different logs, I ran into some issues.
The problem was the documentation from Microsoft, or rather, the lack of it. I simply could not find any documentation from Microsoft on the fields in the syslog messages. Okay, that might not be entirely fair, as Microsoft has some documentation on the different Event IDs in the logs (link), but some of the data fields in a regular log are not documented and appear as “%%” followed by 3 digits.

As with any problem you don’t know the answer to, I started searching online. I found the usual Microsoft documentation (linked further up), but nothing else really caught my eye at first. I went all the way to page 3 (I know most of you don’t do this) on one of the Google searches when I finally came across this site. It was a weird Japanese xmail server that hosted a manifest file for Windows Defender, and at the bottom of the file were definitions for everything I needed. Every line looked a bit like the following, and every value corresponded to something different.
<message ... symbol="MP_EVENT_WGA_VISTA_PRODUCT_NAME" value="827" />
So looking at the example log above, you can see there is a Data field called “Product Name” with a value of %%827. Taking that 827 and checking the manifest file gives the product name: “MP_EVENT_WGA_VISTA_PRODUCT_NAME”. As I said in the beginning, this was about 6 months ago, and back then I had everything I wanted from that .manifest file, so I quit searching and completed the task. But when I had to make new parsers earlier today, I realized I had a problem.
The range of values provided in the original .manifest was only from 800–842, but taking a look at the log above we have values as high as 870. So I had to go back to finding a solution. The reason for the lack of values is that the .manifest file corresponds to the Defender version 6.1.7600.16385. Searching for this version online provides a Microsoft helpdesk question from the 15th of May 2013.
I took another look at the Japanese site, and noticed the URL looked weird.
xmail.dojo.jp/sample/xmailcfg/cgi/file_download.cgi?_files_+Windows/winsxs/Manifests+amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea.manifest
It was a cgi file that showed files on the local Windows machine online, so I guessed that the path (C:\Windows\WinSxS\Manifests\) might have a new and updated .manifest. It did, but since 2013 Microsoft had made some changes. The files are now compressed. This was not a huge issue, I imagined, so I went back to Google and DDG. I found an old post from someone on mydigitallife called “Aunty Mel’s Cheap And Nasty SxS File Expander” and tried to find a download link. As most of the filesharing services had gone down, only a single one still had the file, but after running the program and then trying to solve the following issue for a while, I went on searching.

I eventually found a GitHub repo from hfiref0x that had exactly what I needed. I am grateful that he provided binaries, as I had some trouble compiling the code myself. The program is simple to run: I copied one of the manifest files to a folder with the sxsexp64.exe program, and ran it with the syntax described in the README of the GitHub repo. The output should look something like this:

The final result should then be a manifest in XML format that is human-readable and contains the remaining IDs. So after a couple of hours of searching and trying to figure out what I needed, I ended up with an entire list of the IDs from 800–902.
The Decompressed .manifest can be seen here
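The %%NNN lookup described above can be automated once the manifest is decompressed. The following is an added example, not code from the original post or from Microsoft: it builds a value-to-symbol table from the message elements and resolves the tokens in a log line, leaving any ID the manifest version does not define untouched and reporting it. The sample manifest wrapper, the second symbol and the log line are constructed; only the 827 entry comes from the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: only the 827 entry comes from the post; the other
# entry and the wrapper elements are made up for the demonstration.
SAMPLE_MANIFEST = """<assembly>
  <messageTable>
    <message symbol="MP_EVENT_WGA_VISTA_PRODUCT_NAME" value="827" />
    <message symbol="EXAMPLE_CONSTRUCTED_SYMBOL" value="828" />
  </messageTable>
</assembly>"""

# Constructed log line shaped like the "%%" fields the post describes.
SAMPLE_LOG = "Product Name: %%827 Example Field: %%828 Other Field: %%870"

TOKEN = re.compile(r"%%(\d+)")


def load_symbols(manifest_xml):
    """Map numeric value -> symbol for every <message symbol= value=> element."""
    table = {}
    for elem in ET.fromstring(manifest_xml).iter():
        local_name = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        symbol, value = elem.get("symbol"), elem.get("value")
        if local_name == "message" and symbol and value and value.isdigit():
            table[int(value)] = symbol
    return table


def resolve(log_line, table):
    """Replace known %%NNN tokens; return the new line and the unknown IDs."""
    missing = []

    def substitute(match):
        value = int(match.group(1))
        if value in table:
            return table[value]
        missing.append(value)
        return match.group(0)  # leave the token intact so nothing is lost

    return TOKEN.sub(substitute, log_line), missing


if __name__ == "__main__":
    line, missing = resolve(SAMPLE_LOG, load_symbols(SAMPLE_MANIFEST))
    print(line)
    print("IDs not in this manifest version:", missing)
```

A non-empty list of missing IDs is the signal that the manifest is older than the Defender version producing the logs, which is the 842 versus 870 gap described above.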

To be fair, this does not make it 100% clear to read for me, as I am no Windows expert, but I am still not sure why Microsoft doesn’t have this documented anywhere. For now, I will concentrate on something else, and just enjoy my win.