ClickOnce Technical Details

When opening an installed ClickOnce application Explorer looks the registry keys associated with .appref-ms by using the following involved registry keys:

• HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

• Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.appref-ms

• HKCU\Software\Classes\.appref-ms\OpenWithProgids

• Computer\HKEY_CLASSES_ROOT\Application.Reference\shell\open\command

Last one contains the command to open that type of file:

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbShortcut %1|%2

Explorer translates the registry key

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbShortcut C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xxx.xxx\xxxx.appref-ms

DLL loaded dfshim.dll gets installed ClickOnce applications/deployments by calling GetCurrentActContext + 0xa4f12 which in turn reads registry keys:

HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\

Those keys are used essentially for getting:

• AppplicationSourceUri

• DeploymentSourceUri

• IsFullTrust

• Appid

• ShellVisible

By traversing SideBySide 2.0 store it gets the location of the assemblies

Process creation follows the next call stack:

When launching a ClickOnce application from MSEdge

dfshim.dll is also used, and a URL can be passed down to ShOpenVerbApplication argument

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication https://xxxxxxx.xxxxxx/xxxxxx/xxxxx/xxxxx.application

rundll32.exe launches dfsvc.exe process

Deployment files get stored by msedge and read by dfsvc.exe on: C:\Users\dev\AppData\Local\Deployment__su..ck___none_0000.0000_none_e7ec9ac100600590

Assemblies and dependencies inside .manifest get downloaded in the default ClickOnce apps directory