Converting .manifest Files Into Windows Defender Documentation

oxnan
Sep 15, 2020 · 4 min read

tl;dr I learned how to decompress the .manifest files shipped in WinSxS and used them to document the otherwise undocumented data fields in Windows Defender logs. (The .manifest can be seen here.)

About 6 months ago, I was tasked with writing a parser for Windows Defender, to correctly get syslogs from endpoints into our SIEM platform at work. Writing the Regex was trivial, as I had been writing parsers for a couple of months at the time, but when it came to classifying the different logs, I ran into some issues.

The problem was the documentation from Microsoft, or rather the lack of it. I simply could not find any documentation from Microsoft on the fields in the syslog messages. To be fair, Microsoft does document the different Event IDs in the logs (link), but some of the data fields in a regular log are not documented and appear as "%%" followed by 3 digits.

[Figure: example Defender log. Interesting values marked in red]

As with any problem you don't know the answer to, I started searching online. I found the usual Microsoft documentation (linked further up), but nothing else really caught my eye at first. I went all the way to page 3 (I know most of you don't do this) on one of the Google searches when I finally came across this site. It was a weird Japanese xmail server that hosted a manifest file for Windows Defender, and at the bottom of the file were definitions for everything I needed. Every line looked a bit like the following, and every value corresponded to something different.

<message ... symbol="MP_EVENT_WGA_VISTA_PRODUCT_NAME" value="827" />

So looking at the example log above, you can see there is a Data field called "Product Name" with a value of %%827. Taking that 827 and checking the manifest file gives the product name: "MP_EVENT_WGA_VISTA_PRODUCT_NAME". As I said in the beginning, this was about 6 months ago, and back then I had everything I wanted from that .manifest file, so I quit searching and completed the task. But when I had to make new parsers earlier today, I realized I had a problem.

The range of values provided in the original .manifest was only 800–842, but taking a look at the log above we have values as high as 870. So I had to go back to finding a solution. The reason for the missing values is that the .manifest file corresponds to Defender version 6.1.7600.16385. Searching for this version online turns up a Microsoft helpdesk question from the 15th of May 2013.
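The lookup described above (take the digits after "%%", find the <message> element with that value, and substitute its symbol) is easy to script once the manifest is readable. The following is an added example, not code from the original post: it builds a value-to-symbol table from a constructed manifest fragment (only the <message symbol="..." value="..."/> line shape comes from the post; the surrounding elements, the 800/842 symbol names and the sample log line are assumptions) and resolves the tokens in a log line. Values outside the table, like the 870 seen in the log, are left untouched and reported, so a parser built on an old manifest fails loudly instead of silently dropping data.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest fragment. Only the <message .../> line shape
# is taken from the post; the enclosing elements are an assumption, and
# the 800/842 symbol names are placeholders.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v3" manifestVersion="1.0">
  <messageTable>
    <message symbol="MP_EVENT_WGA_VISTA_PRODUCT_NAME" value="827" />
    <message symbol="PLACEHOLDER_SYMBOL_800" value="800" />
    <message symbol="PLACEHOLDER_SYMBOL_842" value="842" />
  </messageTable>
</assembly>
"""

# Constructed syslog-style line in the shape the post describes: data
# fields carrying "%%" plus digits. 870 is deliberately outside the table.
SAMPLE_LOG = "MSG=Defender event Product Name: %%827 Detection Source: %%870"

# The post says "%%" followed by 3 digits; \d+ also tolerates longer ids.
TOKEN_RE = re.compile(r"%%(\d+)")


def load_message_table(xml_text: str) -> dict[int, str]:
    """Return {value: symbol} for every <message> element in the manifest.

    Tags are matched by local name so an XML namespace on the root does not
    matter; elements missing either attribute are skipped rather than raising.
    """
    root = ET.fromstring(xml_text)
    table: dict[int, str] = {}
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "message":
            continue
        symbol = elem.get("symbol")
        value = elem.get("value")
        if symbol is None or value is None or not value.isdigit():
            continue
        table[int(value)] = symbol
    return table


def resolve_tokens(line: str, table: dict[int, str]) -> tuple[str, list[int]]:
    """Replace every %%NNN token with its symbol and collect unknown values.

    Unknown tokens are left as they were so the parser never discards data,
    and the returned list tells the operator which values need a newer
    manifest.
    """
    missing: list[int] = []

    def _sub(m: re.Match) -> str:
        value = int(m.group(1))
        symbol = table.get(value)
        if symbol is None:
            missing.append(value)
            return m.group(0)
        return symbol

    return TOKEN_RE.sub(_sub, line), missing


if __name__ == "__main__":
    table = load_message_table(SAMPLE_MANIFEST)
    resolved, missing = resolve_tokens(SAMPLE_LOG, table)
    print(resolved)
    print("unresolved values:", missing)
```

Run it as-is to see the 827 token replaced and 870 reported as unresolved; in a real pipeline the table would be loaded once from the decompressed manifest and the unresolved list fed to a monitoring alert.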

I took another look at the Japanese site, and noticed the URL looked weird.

xmail.dojo.jp/sample/xmailcfg/cgi/file_download.cgi?_files_+Windows/winsxs/Manifests+amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea.manifest

It was a CGI script that exposed files from the local Windows machine online, so I guessed that the same path (C:\Windows\WinSxS\Manifests\) might hold a new and updated .manifest. It did, but since 2013 Microsoft had made some changes: the files are now compressed. I imagined this would not be a huge issue, so I went back to Google and DDG. I found an old post from someone on mydigitallife called "Aunty Mel's Cheap And Nasty SxS File Expander" and tried to find a download link. As most of the file-sharing services had gone down, only a single one still had the file, but after running the program and trying for a while to solve the following issue, I went on searching.

[Figure: error from the SxS File Expander. Program run on a Windows 10 machine]

I eventually found a GitHub repo from hfiref0x that had exactly what I needed. I am grateful that he provided binaries, as I had some trouble compiling the code myself. The program is simple to run: I copied one of the manifest files to a folder with the sxsexp64.exe program and ran it with the syntax described in the README of the GitHub repo. The output should look something like this:

[Figure: Output from conversion]

The final result should then be a human-readable manifest in XML format containing the remaining IDs. So after a couple of hours of searching and trying to figure out what I needed, I ended up with an entire list of the IDs from 800–902.

The decompressed .manifest can be seen here.

[Figure: The log with the missing names filled in]

To be fair, this does not make the log 100% clear to me, as I am no Windows expert, but I am still not sure why Microsoft doesn't have this documented anywhere. For now, I will concentrate on something else and just enjoy my win.
