0

I'm trying to determine whether a Windows MSI or installer .exe is considered the same as a portable file .exe in the Portable Executable (PE) format, or if it's considered a dropper. What are the differences between them?

2 Answers

3

Simplified Comparison Table

Below is a simplified comparison between MSI (Microsoft Installer), Portable Executables (PE), and EXE installers:

| Property | MSI (Microsoft Installer) | Portable Executables (PE) | EXE Installers |
|---|---|---|---|
| File Format | MSI files are compound storage files containing multiple streams of data. They consist of a structured relational database containing tables with rows and columns defining various aspects of the installation, such as components, files, registry entries, shortcuts, features, and custom actions. | Portable Executable (PE) is the file format used for executables, DLLs, and other files on Windows. It consists of a header, followed by sections containing executable code, data, resources, and other metadata. | EXE installers are standard Windows executables in Portable Executable (PE) format. They contain machine code, data sections, and resources necessary for the installer's operation. |
| Installation/Loading Logic | The Windows Installer service (msiexec.exe) interprets and executes MSI files. It processes the installation database, performs actions specified in the database (such as file copying, registry updates, and service registrations), and manages the installation transaction, allowing for rollback in case of failure. | When a PE executable is executed, the Windows Loader parses the PE header, loads necessary sections into memory, resolves dependencies (such as DLLs), and transfers control to the executable's entry point to begin execution. | EXE installers embed installation logic directly within the executable. This logic typically includes routines for extracting files, creating registry entries, displaying user interfaces, and performing other installation-related tasks. |
| Additional Notes | MSI installations can include custom actions, which are executable code sequences that can perform tasks not natively supported by the Windows Installer. Custom actions can be written in scripting languages (such as VBScript or JavaScript) or compiled executables. | PE files contain sections that organize different types of data within the file. Common sections include .text (executable code), .data (initialized data), .rsrc (resources), and .reloc (relocation information). | EXE installers are created using specialized authoring tools like InstallShield, NSIS, WiX Toolset, or custom scripts. These tools provide environments for defining installation sequences, user interfaces, customization options, and post-installation tasks. |

Summary

MSI files, EXE installers, and Portable Executables (PE) have distinct internal structures, processing mechanisms, and purposes in the context of Windows software installation and execution. While MSI files rely on the Windows Installer service for installation management, EXE installers embed installation logic within executable files, and Portable Executables serve as the standard format for executable code and libraries on Windows.

File Header Comparison

Here we can see 3 different files: MSI (Microsoft Installer), Portable Executable (PE), and EXE Installer.

[Image: 3 Types of Executables]

  1. The screenshot below shows that both EXEInstaller.exe and NormalPE.exe share the same header PE32 and PE32+ (for x64)

[Image: BothFileTypes]

[Image: EXEInstaller.exe]

[Image: NormalPE.exe]

  2. MSIInstaller.msi shows different information, as shown below:

[Image: FileType]

[Image: HexHeader]

Hope That Helped!

2

.msi files are based on the OLE file format and have a d0cf11e0 header, as opposed to the MZ header of the PE file format. You could use a tool such as oledump to parse it, or a tool called Orca, which is part of the Windows SDK, to analyze the scripts in the MSI. Be careful while using Orca with malware; use it in a safe VM environment since it might execute some scripts.
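
The header comparison both answers describe can be reproduced with a few lines of Python. This is an added example, not part of either answer; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Full 8-byte OLE compound file signature; begins with d0cf11e0 as noted above.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

def classify(data: bytes) -> str:
    """Classify a file's container format from its leading header bytes."""
    if data.startswith(OLE_MAGIC):
        # Also matches other OLE documents, so this only makes it an MSI candidate.
        return "OLE compound file (MSI candidate)"
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "unknown"
    # e_lfanew (offset 0x3C in the DOS header) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ without PE signature"
    opt_off = e_lfanew + 4 + 20  # skip signature and 20-byte COFF file header
    if len(data) < opt_off + 2:
        return "PE (optional header truncated)"
    (magic,) = struct.unpack_from("<H", data, opt_off)
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown optional header)")

def _fake_pe(opt_magic: int) -> bytes:
    """Constructed sample: DOS header, PE signature, empty COFF header, magic."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + b"\0" * 20 + struct.pack("<H", opt_magic)

# Constructed header bytes standing in for real files.
SAMPLES = {
    "sample.msi": OLE_MAGIC + b"\0" * 504,
    "app32.exe": _fake_pe(0x10B),
    "setup64.exe": _fake_pe(0x20B),
    "notes.txt": b"plain text, no executable header",
}

if __name__ == "__main__":
    import sys
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify(blob)}")
    # Real files can be passed on the command line; only the first 4 KiB is read.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(f"{path}: {classify(f.read(4096))}")
```

An installer EXE and an ordinary PE get the same result here, because the header identifies only the container format and not what the code inside does.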
