Uriel Berdeja
ClickOnce Technical Details

When an installed ClickOnce application is opened, Explorer resolves the handler for .appref-ms files through the following registry keys:

  • HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

  • Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.appref-ms

  • HKCU\Software\Classes\.appref-ms\OpenWithProgids

  • Computer\HKEY_CLASSES_ROOT\Application.Reference\shell\open\command

The last key contains the command used to open that file type:

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbShortcut %1|%2

Explorer expands that registry command into the following command line:

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbShortcut C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\xxx.xxx\xxxx.appref-ms

Once loaded, dfshim.dll retrieves the installed ClickOnce applications/deployments by calling GetCurrentActContext + 0xa4f12, which in turn reads registry keys:

Those keys are used essentially for getting:

  • ApplicationSourceUri

  • DeploymentSourceUri

  • IsFullTrust

  • Appid

  • ShellVisible

By traversing the SideBySide 2.0 store, it gets the location of the assemblies.

Process creation follows this call stack:

When launching a ClickOnce application from MSEdge

dfshim.dll is also used here, and a URL can be passed as the argument to ShOpenVerbApplication:

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication https://xxxxxxx.xxxxxx/xxxxxx/xxxxx/xxxxx.application

rundll32.exe launches the dfsvc.exe process.

Deployment files are stored by msedge and read by dfsvc.exe in: C:\Users\dev\AppData\Local\Deployment__su..ck___none_0000.0000_none_e7ec9ac100600590

The assemblies and dependencies listed in the .manifest are downloaded to the default ClickOnce apps directory.
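
The two launch paths described on this page leave distinct rundll32 command lines in process-creation telemetry, so they can be separated during triage. The following is an added example, not part of the original notes: the function names, the (parent image, command line) event format and the sample events are assumptions constructed for illustration.

```python
import re

# Matches the rundll32 -> dfshim.dll launcher lines quoted on this page and
# captures the exported entry point plus everything passed to it.
DFSHIM_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?[^",]*dfshim\.dll"?\s*,\s*'
    r'(?P<export>ShOpenVerb\w+)\s*(?P<arg>.*)$',
    re.IGNORECASE,
)

def classify(cmdline):
    """Return (kind, export, argument) for a dfshim launch, or None."""
    m = DFSHIM_RE.search(cmdline)
    if not m:
        return None
    export, arg = m.group("export"), m.group("arg").strip().strip('"')
    if re.match(r"https?://", arg, re.IGNORECASE):
        kind = "remote-deployment"   # deployment manifest fetched from a URL
    elif arg.lower().endswith(".appref-ms"):
        kind = "installed-shortcut"  # Start Menu shortcut of an installed app
    else:
        kind = "other"
    return kind, export, arg

def triage(events):
    """Keep only URL-based ClickOnce launches; events are (parent, cmdline)."""
    hits = []
    for parent, cmdline in events:
        result = classify(cmdline)
        if result and result[0] == "remote-deployment":
            hits.append((parent, result[1], result[2]))
    return hits

# Constructed sample process-creation events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    ("explorer.exe", r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbShortcut C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Vendor\App.appref-ms'),
    ("msedge.exe", r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication https://deploy.example.test/app/App.application'),
    ("cmd.exe", r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Hits can then be reviewed against the expected deployment URLs for the environment, and correlated with a following dfsvc.exe process start.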
