Microsoft Now Lets You Re-Enable Windows App Installer, Here’s How


Microsoft now allows enterprise administrators to re-enable the MSIX ms-appinstaller protocol handler after Emotet misused it to deliver malicious Windows App Installer packages.

App Installer (also known as AppX Installer) allows users to install Windows applications directly from a web server using an MSIX package or App Installer file without downloading the installers to their computers first.

Microsoft disabled the ms-appinstaller scheme in response to reports of ongoing Emotet attacks that exploit a zero-day Windows AppX Installer spoofing vulnerability, forcing users to download the app packages to their devices before installing them with App Installer.

“We recognize that this feature is critical to many business organizations. We are taking the time to conduct thorough testing to ensure that protocol re-enablement can be done in a secure manner,” said Microsoft program manager Dian Hartono when announcing that the protocol had been disabled.

“We are investigating the adoption of a group policy that will allow IT administrators to re-enable the protocol and control its use within their organizations.”

Re-enable the ms-appinstaller protocol

According to an update from Hartono, Microsoft has finally managed to get the issue under control and administrators can now re-enable the protocol handler by installing the latest version of the App Installer (1.17.10751.0) and enabling a group policy.

On systems where the App Installer update cannot be deployed using the Internet-based installer, Microsoft also provides an offline version on the Microsoft Download Center.

The App Installer feature will be re-enabled after downloading and deploying the Desktop App Installer policy and selecting “Enable App Installer ms-appinstaller protocol”.

You can do this through the Group Policy Editor by going to Computer Configuration > Administrative Templates > Windows Components > Desktop App Installer.

“You need both the latest App Installer app and the Desktop App Installer policy to use the ms-appinstaller protocol for MSIX,” Hartono added.
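The two prerequisites Hartono lists can be checked per machine with a short audit script. This is an added example, not code from Microsoft or the original article. The minimum version is the one stated above. The registry key and value name are assumptions about where the Desktop App Installer policy template stores the setting, and the function name is hypothetical.

```powershell
# Added example: report whether this machine meets both prerequisites
# for the ms-appinstaller protocol handler.

# Minimum App Installer version, as stated in the article.
$MinVersion = [version]'1.17.10751.0'

# Assumption (not on the page): registry location written by the
# Desktop App Installer policy template. Adjust if your ADMX differs.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$PolicyValue = 'EnableMSAppInstallerProtocol'

function Get-AppInstallerProtocolState {   # hypothetical helper name
    # App Installer package registered for the current user, if any.
    $pkg = Get-AppxPackage -Name 'Microsoft.DesktopAppInstaller' -ErrorAction SilentlyContinue |
        Sort-Object { [version]$_.Version } -Descending |
        Select-Object -First 1
    $installed = if ($pkg) { [version]$pkg.Version } else { $null }

    # [version] compares field by field, so 1.17.9000.0 sorts below 1.17.10751.0,
    # which a plain string comparison would get wrong.
    $versionOk = ($null -ne $installed) -and ($installed -ge $MinVersion)

    # Policy value: absent = not configured, 1 = enabled, anything else = disabled.
    $raw = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue).$PolicyValue
    $policy = if ($null -eq $raw) { 'NotConfigured' }
              elseif ($raw -eq 1) { 'Enabled' }
              else                { 'Disabled' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        InstalledVersion = $installed
        VersionOk        = $versionOk
        Policy           = $policy
        # Both conditions are required, per Hartono's statement above.
        HandlerEnabled   = $versionOk -and ($policy -eq 'Enabled')
    }
}

Get-AppInstallerProtocolState
```

Collecting this output across a fleet shows where the handler has been turned back on, which is useful for confirming that it is enabled only on the machines where the organization intends it to be.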

ms-appinstaller misused to push malware

In early December 2021, Emotet began using malicious Windows AppX Installer packages disguised as Adobe PDF software to infect Windows devices in phishing campaigns.

The botnet’s phishing emails used stolen reply-chain emails instructing recipients to open PDFs related to previous conversations.

Instead of opening the PDF, the embedded links redirected recipients to what would launch the Windows App Installer and prompt them to install a malicious “Adobe PDF Component”.

App Installer prompts to install fake Adobe PDF component (BleepingComputer)

Although it looked like a legitimate Adobe app, App Installer downloaded and installed a malicious appx bundle hosted on Microsoft Azure after the targets clicked the Install button.

You can find more details, including how Emotet exploited the Windows App Installer vulnerability, in our previous December campaign report.

The same spoofing flaw was also exploited to distribute the BazarLoader malware using malicious packages hosted on Microsoft Azure via * URLs.

“We have been investigating reports of a spoofing vulnerability in the AppX installer affecting Microsoft Windows,” explains Microsoft.

“Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages containing the malware family known as Emotet/Trickbot/Bazaloader.”
