
Forensic Analysis of Universal Windows Platform (UWP) Applications

  • Feb 25
  • 4 min read
The Universal Windows Platform (UWP) is Microsoft's modern application model, designed to replace traditional desktop applications with a sandboxed, secure environment.

While UWP apps improve system security and organization, they also introduce new forensic challenges, as many of their artifacts exist outside of expected locations.

---------------------------------------------------------------------------------------------------------

What Are UWP Applications?

UWP applications were first introduced as Metro Apps in Windows 8 and later evolved into Modern Apps in early Windows 10. Over time, Microsoft has encouraged developers to adopt this model, and now many built-in and third-party applications use it, including:

  • Notepad

  • Microsoft Paint

  • Calculator

  • Microsoft Office (some versions)

  • Microsoft Edge

  • Dropbox

  • Your Phone


Since UWP apps are installed per user, they do not follow the traditional program installation structure. Instead, they are located in:

%UserProfile%\AppData\Local\Packages\

Each installed UWP app has a dedicated folder here, containing its settings, cache, and data.

---------------------------------------------------------------------------------------------------------

Finding Installed UWP Applications on a Live System

To list installed UWP apps, run the following PowerShell command:

Get-AppxPackage | Select-Object -Property Name

This command will display all UWP applications installed for the current user.


---------------------------------------------------------------------------------------------------------

How UWP Apps Store Data: Virtualization and Sandboxing

Unlike traditional applications, UWP apps are heavily sandboxed, meaning they have limited access to system files and the registry. Instead of writing directly to the Windows Registry, UWP apps use virtualized registry hives, which are unique to each application.


According to Microsoft:

"In traditional environments, apps can create, update, and delete files in most places in the file system. And they can create, update, and delete entries in the Windows Registry. Those files and Registry entries are visible to other apps on the system. In contrast, UWP applications have their files and registry entries virtualized, making them only visible to the app that created them and removing them when the app is uninstalled."

---------------------------------------------------------------------------------------------------------

Where Are UWP Registry Files Stored?

Since UWP applications do not write directly to the system registry, they maintain their own per-application registry hives inside their respective package folders. These can be found in:


%UserProfile%\AppData\Local\Packages\<AppName>\SystemAppData\Helium\

These hives include:

  • Registry.dat → Equivalent to the system SOFTWARE hive

  • User.dat → Equivalent to NTUSER.dat

  • UserClasses.dat → Equivalent to UsrClass.dat


These hives do not propagate to the system registry, meaning traditional forensic registry analysis tools may miss them unless specifically collected.

---------------------------------------------------------------------------------------------------------


Analyzing UWP Registry Data

Since UWP registry hives exist separately from traditional Windows registry locations, forensic analysts must extract and analyze them manually.


How to Identify and Extract UWP Registry Hives

A simple way to locate relevant hives is to collect them during initial triage using tools like KAPE. KAPE includes a target that recursively scans the UWP Packages folder to extract these hives for further investigation.


Once extracted, hives can be analyzed using:

  • Registry Explorer

  • RegRipper

  • PowerShell scripts
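The collection step described above, as an added example that is not part of the original post and not KAPE's own target: it walks a Packages folder, copies each app's Helium hives (and their .LOG1/.LOG2 transaction logs) into a triage folder, and writes a SHA256 manifest. The -PackagesRoot default is the live user's folder; the mounted-image path and C:\Triage\UwpHives are placeholders.

```powershell
# Added example: collect per-app Helium hives from a Packages folder into a triage
# directory with a CSV manifest (size, last-write time, SHA256, copy status).
function Export-UwpHives {
    [CmdletBinding()]
    param(
        # Live system by default; point at e.g. E:\Users\<user>\AppData\Local\Packages
        # (placeholder) when the evidence drive is mounted read-only.
        [string]$PackagesRoot = (Join-Path $env:LOCALAPPDATA 'Packages'),
        [Parameter(Mandatory)][string]$Destination
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $manifest = foreach ($pkg in Get-ChildItem -LiteralPath $PackagesRoot -Directory) {
        $helium = Join-Path $pkg.FullName 'SystemAppData\Helium'
        if (-not (Test-Path -LiteralPath $helium)) { continue }
        # Registry.dat / User.dat / UserClasses.dat plus their transaction logs,
        # which hold changes not yet flushed into the hive itself.
        $files = Get-ChildItem -LiteralPath $helium -File |
                 Where-Object { $_.Name -match '^(Registry|User|UserClasses)\.dat(\.LOG\d)?$' }
        foreach ($file in $files) {
            $outDir = Join-Path $Destination $pkg.Name
            New-Item -ItemType Directory -Path $outDir -Force | Out-Null
            $out = Join-Path $outDir $file.Name
            try {
                # A running app may hold its hive open; on a live box the copy can fail
                # with a sharing violation, so record it rather than abort the run.
                Copy-Item -LiteralPath $file.FullName -Destination $out -ErrorAction Stop
                $hash   = (Get-FileHash -LiteralPath $out -Algorithm SHA256).Hash
                $status = 'Copied'
            } catch {
                $hash   = $null
                $status = "Failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Package      = $pkg.Name
                File         = $file.Name
                SizeBytes    = $file.Length
                LastWriteUtc = $file.LastWriteTimeUtc.ToString('o')   # original timestamp
                SHA256       = $hash
                Status       = $status
            }
        }
    }
    if ($manifest) {
        $manifest | Export-Csv -LiteralPath (Join-Path $Destination 'uwp_hives_manifest.csv') -NoTypeInformation
    }
    $manifest
}

Export-UwpHives -Destination 'C:\Triage\UwpHives' | Format-Table -AutoSize
```

Packages with no Helium folder are skipped silently; a package that appears in the folder listing but not in the manifest therefore never had virtualized registry data on disk.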


Why This Matters for Investigators

  • If an uninstalled UWP application was used for malicious activity, its registry data might still be recoverable from forensic images.

  • If malware was running inside a UWP sandbox, it may have stored configuration files or registry artifacts in these virtualized locations instead of standard system paths.

  • These alternative registry hives can contain crucial forensic evidence that traditional registry analysis might miss.

---------------------------------------------------------------------------------------------------------


MSIX and UWP Registry Redirection

Microsoft also introduced the MSIX packaging format for UWP apps, which further complicates forensic investigations.

  • MSIX applications are containerized, meaning registry modifications are redirected to per-app hives, just like standard UWP apps.

  • While not all UWP applications use MSIX, those that do require registry redirection, making it even more important to check the Helium folder for forensic artifacts.

No need to worry: KAPE already has a target for this, so collection is easy.

---------------------------------------------------------------------------------------------------------


UWP Internet Artifacts and Web Data

Aside from registry data, UWP applications store web-related artifacts in their package directories.

  • Browser residue (such as cached websites and session data) is stored inside each UWP browser's application folder rather than standard locations like C:\Users\<User>\AppData\Local\Microsoft\Edge.

  • Internet metadata for UWP browsers is still recorded in the Internet Explorer WebCacheV*.dat database, even in Windows 11.


💡 Key Takeaway: Traditional browser forensics may not detect UWP browser activity unless analysts specifically check inside UWP package folders.

---------------------------------------------------------------------------------------------------------

Investigative Techniques for UWP Forensics


🔍 1. Identify Installed UWP Apps

  • Use Get-AppxPackage | Select-Object -Property Name to list UWP apps.

  • Browse %UserProfile%\AppData\Local\Packages\ for per-user installations.


🗂️ 2. Extract UWP Registry Hives

  • Check %UserProfile%\AppData\Local\Packages\<AppName>\SystemAppData\Helium\

  • Collect Registry.dat, User.dat, and UserClasses.dat for analysis.

  • Use forensic tools like Registry Explorer to review extracted hives.


🌐 3. Investigate UWP Browser Artifacts

  • Look inside each UWP browser’s package folder for cached data.

  • Examine WebCacheV*.dat for internet browsing metadata.


🛑 4. Watch for UWP Malware & Persistence

  • Malware can operate inside UWP sandboxes to avoid detection.

  • Checking UWP registry hives may reveal unauthorized app activity.

  • Look for suspicious app paths or execution timestamps inside UWP registry data.


---------------------------------------------------------------------------------------------------------


Identifying UWP Apps

UWP apps have a distinct naming convention that can help you identify them.


The name format is typically:

<ApplicationName>_<PublisherHash>

For example, the Notepad app appears as

Microsoft.WindowsNotepad_8wekyb3d8bbwe

Whenever you encounter references to the Packages folder or these unique naming patterns, you’re likely dealing with a UWP application. Recognizing these traces will help you uncover valuable insights in your investigations.
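The naming convention in practice, as an added example that is not part of the original post: it splits each Packages folder name into its name and publisher-hash parts and, on a live system, flags folders with no matching installed package, which is exactly where the leftover hives of an uninstalled app would sit. The -Offline switch and the 13-character publisher-hash pattern are this example's own assumptions.

```powershell
# Added example: parse <Name>_<PublisherHash> folder names and find orphaned package folders.
function Get-UwpPackageFolderStatus {
    param(
        [string]$PackagesRoot = (Join-Path $env:LOCALAPPDATA 'Packages'),
        # Set when $PackagesRoot comes from a mounted image: Get-AppxPackage would
        # otherwise describe the examiner's machine, not the evidence.
        [switch]$Offline
    )
    # The publisher hash is 13 lowercase base32 characters, e.g. 8wekyb3d8bbwe for Microsoft.
    $pattern = '^(?<Name>[A-Za-z0-9.\-]+)_(?<PublisherHash>[a-z0-9]{13})$'
    $installed = @{}
    if (-not $Offline) {
        foreach ($p in Get-AppxPackage) { $installed[$p.PackageFamilyName] = $true }
    }
    foreach ($dir in Get-ChildItem -LiteralPath $PackagesRoot -Directory) {
        $hasHelium = Test-Path -LiteralPath (Join-Path $dir.FullName 'SystemAppData\Helium')
        if (-not ($dir.Name -match $pattern)) {
            # Genuine UWP folders always follow the convention; anything else deserves a look.
            [pscustomobject]@{ Folder = $dir.Name; Name = $null; PublisherHash = $null
                               Status = 'NonStandardName'; HasHelium = $hasHelium
                               LastWriteUtc = $dir.LastWriteTimeUtc }
            continue
        }
        $status = if ($Offline) { 'OnDisk' }
                  elseif ($installed.ContainsKey($dir.Name)) { 'Installed' }
                  else { 'NotInstalled' }   # folder survived an uninstall, or was never registered
        [pscustomobject]@{
            Folder        = $dir.Name
            Name          = $Matches.Name
            PublisherHash = $Matches.PublisherHash
            Status        = $status
            HasHelium     = $hasHelium
            LastWriteUtc  = $dir.LastWriteTimeUtc
        }
    }
}

Get-UwpPackageFolderStatus |
    Where-Object { $_.Status -ne 'Installed' } |
    Sort-Object LastWriteUtc -Descending |
    Format-Table Folder, Name, PublisherHash, Status, HasHelium, LastWriteUtc -AutoSize
```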

---------------------------------------------------------------------------------------------------------


Final Thoughts: Why UWP Forensics Matters

The rise of UWP applications means forensic analysts must adapt their techniques. Unlike traditional software, UWP apps store artifacts in separate per-application directories and virtualized registry hives, making them easy to overlook.



🚀 Key Takeaway: If you’re conducting a forensic investigation on a Windows system, don’t ignore UWP applications! They could hold critical evidence that traditional forensic techniques might miss.

---------------------------------------------------------------------------------------------------------

Dean

