[Idea] Clean removal of system apps (bypass error 0x80073CFA) #48

Closed
leonghui opened this Issue Aug 26, 2015 · 20 comments

leonghui commented Aug 26, 2015

Hi,

I would like to share my findings. The error 0x80073CFA can be bypassed by toggling the "IsInbox" column for the system package in the Package table in %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd. It is an SQLite database that can be viewed and edited with any SQLite tool after stopping the StateRepository service and taking over the file ownership.

I managed to remove Microsoft Edge from the Start menu using Remove-AppxPackage afterwards, but there were no changes to the package list exported from the install_wim_tweak tool (http://www.msfn.org/board/topic/152688-win6x-registry-tweak/) so further cleanup may be necessary.

Best of luck.

Remove-AppxPackage : Deployment failed with HRESULT: 0x80073CFA, Removal failed. Please contact your software vendor. (Exception from HRESULT: 0x80073CFA)
error 0x80070032: AppX Deployment Remove operation on package xxx from:
xxx failed. This app is part of Windows and cannot be uninstalled on a per-user basis. An administrator can attempt to remove the app from the computer using Turn Windows Features on or off. However, it may not be possible to uninstall the app.

leonghui commented Aug 26, 2015

Some steps and screenshots:

  1. Try removing the system package using Remove-AppxPackage
    before

  2. Run cmd as SYSTEM using PsExec (https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) in an elevated command prompt
    psexec -i -s cmd

  3. Copy %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd to the Desktop (do make a backup)

    copy %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd %USERPROFILE%\Desktop
    
  4. Toggle _IsInbox_ to 0
    Find the package under PackageFullName
    Change IsInbox from 1 to 0

  5. Kill sihost.exe and the svchost.exe instance that shares the same PID as the StateRepository service (cannot be stopped via usual methods)

    taskkill /im sihost.exe /f
    FOR /F "usebackq tokens=2 skip=2" %i IN (`tasklist /svc /fi "services eq StateRepository"`) DO taskkill /PID %i /f
    
  6. Ignore the warning window, note that Start Menu will not work until reboot
    Ignore this

  7. Delete %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.* (including the SQLite temp files). This would not work until step 5 is done properly.

    del %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.*
    
  8. Copy the edited StateRepository-Machine.srd to _%ProgramData%\Microsoft\Windows\AppRepository_

    copy %USERPROFILE%\Desktop\StateRepository-Machine.srd %ProgramData%\Microsoft\Windows\AppRepository\
    
  9. Restart the StateRepository service and try removing the system package again

    sc start StateRepository
    

    Success

  10. Reboot to restore the Start Menu

@leonghui changed the title from "[Idea] Clean removal of system apps (bypass error 0x80070032)" to "[Idea] Clean removal of system apps (bypass error 0x80073CFA)" on Aug 26, 2015
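
A read-only check for the edit described in the steps above, as an added example (not part of the original thread or the project's code): it compares the backup and the edited copy of StateRepository-Machine.srd and reports every package whose IsInbox flag or presence differs, so an unintended or unauthorized change stands out. The sample database is constructed and reduced to the two Package columns named in the issue; the real file has a larger schema.

```python
import sqlite3
from pathlib import Path

def open_readonly(path):
    """Open a copied .srd snapshot read-only so the audit cannot alter it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def inbox_flags(conn):
    """Map PackageFullName -> IsInbox (column names as given in the issue)."""
    rows = conn.execute("SELECT PackageFullName, IsInbox FROM Package")
    return {name: int(flag or 0) for name, flag in rows}

def diff_inbox(baseline, current):
    """List (kind, package, old, new) for every row that differs between snapshots."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if new is None:
            kind = "removed"
        elif old is None:
            kind = "added"
        elif (old, new) == (1, 0):
            kind = "inbox-cleared"  # the protection flag was switched off
        else:
            kind = "inbox-changed"
        findings.append((kind, name, old, new))
    return findings

def sample_db(rows):
    """Constructed stand-in holding only the two columns the issue names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Package (PackageFullName TEXT PRIMARY KEY, IsInbox INTEGER)")
    conn.executemany("INSERT INTO Package VALUES (?, ?)", rows)
    return conn

# Package names taken from the list later in this thread; the flag values are constructed.
EDGE = "Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe"
SHELL = "Microsoft.Windows.ShellExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy"
CORTANA = "Microsoft.Windows.Cortana_1.4.8.176_neutral_neutral_cw5n1h2txyewy"

def demo():
    backup = inbox_flags(sample_db([(EDGE, 1), (SHELL, 1), (CORTANA, 1)]))
    edited = inbox_flags(sample_db([(EDGE, 0), (SHELL, 1)]))
    return diff_inbox(backup, edited)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

For real snapshots, pass two file copies through `open_readonly` and `inbox_flags` instead of `sample_db`.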

Owner

10se1ucgo commented Aug 26, 2015

Not sure how I'd do this programmatically. Any recommendations?

Collaborator

Ruined1 commented Sep 3, 2015

Assign this one to me, I'll do it.

@10se1ucgo 10se1ucgo assigned 10se1ucgo and Ruined1 and unassigned 10se1ucgo Sep 3, 2015

Owner

10se1ucgo commented Sep 3, 2015

@Ruined1 Added you as a collaborator and assigned you to the issue. Thanks for your work :)

Collaborator

Ruined1 commented Sep 3, 2015

It's an honor.

Collaborator

Ruined1 commented Sep 3, 2015

@leonghui nevermind, continuing to work on this

ghost commented Sep 5, 2015

What's the progress so far on this?

Collaborator

Ruined1 commented Sep 5, 2015

It's currently in development, there is no ETA. I am working diligently on this, but I don't make money writing code, so it gets done between work and sleep 😅

Collaborator

Ruined1 commented Sep 5, 2015

There are a couple of batch files on the /r/windows10 subreddit on Reddit

I'll keep that in mind.

If I disable the services rather than delete them is there ANY kind of possibility for them to be enabled by Microsoft again, without me knowing it?

Absolutely, with any windows update and (who knows) at any time they like if they've left such ability in their operating system. It's closed source, so who knows? To assume that far is borderline paranoia, but times are strange...

And, if I just delete them, will that cause problems to my system? I don't think so, but I still want to be sure.

We eat what we cook, @10se1ucgo and I both use this and haven't experienced any issues. I use the DELETE option on my computers.

W4RH4WK commented Sep 6, 2015

Wow, it's nice to see that there is a way to remove those packages with some workaround using the Remove-AppxPackage commandlet. Does the removal work in a clean way?
The way I did it was using the dism.exe tool. (https://github.com/W4RH4WK/Debloat-Windows-10/blob/47c2666ddd162a511a6517d74502d3dc8465a430/scripts/remove-default-apps.ps1#L64-L98)

It would be great if one can remove all apps (listed) using the Remove-AppxPackage commandlet. @Ruined1 do you think that'd be possible?

Collaborator

Ruined1 commented Oct 5, 2015

@10se1ucgo I still need to know which ones you want to be able to remove, there are certain ones I would think it unwise to allow removal of. Here is a list:

Microsoft.Windows.CloudExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy|1
Microsoft.AAD.BrokerPlugin_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy|1
Microsoft.AccountsControl_10.0.10240.16384_neutral__cw5n1h2txyewy|1
Microsoft.BioEnrollment_10.0.10240.16384_neutral__cw5n1h2txyewy|1
Microsoft.LockApp_10.0.10240.16384_neutral__cw5n1h2txyewy|1
Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe|1
Microsoft.Windows.ContentDeliveryManager_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy|1
Microsoft.Windows.ParentalControls_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy|1
Microsoft.Windows.ShellExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy|1
Microsoft.XboxGameCallableUI_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy|1
Microsoft.XboxIdentityProvider_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy|1
Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy|1
windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy|1
Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy|1
Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy|1
Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy|1
windows.devicesflow_6.2.0.0_neutral_neutral_cw5n1h2txyewy|1
Microsoft.WindowsFeedback_10.0.10240.16393_neutral_neutral_cw5n1h2txyewy|1
Microsoft.Windows.Cortana_1.4.8.176_neutral_neutral_cw5n1h2txyewy|1

Obviously, we shouldn't remove some such as ShellExperienceHost and AccountsControl

Owner

10se1ucgo commented Oct 5, 2015

@Ruined1

  • WindowsFeedback
  • MicrosoftEdge
  • ContactSupport
  • CloudExperienceHost
  • ParentalControls
  • Xbox[GameCallableUI/IdentityProvider]
  • Cortana

Collaborator

Ruined1 commented Oct 12, 2015

@10se1ucgo going to start working on this today, had a busy week 😪

Draxler commented Oct 12, 2015

Great work you guys are doing.
Thanks again to all devs and contributors to this project. 👍

intika commented Nov 5, 2015

Thanks a million !!!!!!!

Fifteen15Studios commented Jun 23, 2016

I found this PowerShell script somewhere, edited it slightly:

function Enable-Privilege {  
  param($Privilege)
  $Definition = @'
using System;  
using System.Runtime.InteropServices;  
public class AdjPriv {  
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
    ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
    ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid {
    public int Count;
    public long Luid;
    public int Attr;
  }
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege) {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = new IntPtr(processHandle);
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
      ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_ENABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero,
      IntPtr.Zero);
    return retVal;
  }
}
'@  
  $ProcessHandle = (Get-Process -id $pid).Handle
  $type = Add-Type $definition -PassThru
  $type[0]::EnablePrivilege($processHandle, $Privilege)
}

# Take ownership of a registry key under HKLM and grant Administrators full control.
function Take-Over($path) {
  $owner = [Security.Principal.NTAccount]'Administrators'

  # Open the key requesting only the TakeOwnership right, then set the new owner.
  $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, 'ReadWriteSubTree', 'TakeOwnership')
  $acl = $key.GetAccessControl()
  $acl.SetOwner($owner)
  $key.SetAccessControl($acl)

  # As the owner, add an inheritable FullControl rule for Administrators.
  $acl = $key.GetAccessControl()
  $rule = New-Object System.Security.AccessControl.RegistryAccessRule "Administrators", "FullControl", "ContainerInherit", "None", "Allow"
  $acl.SetAccessRule($rule)
  $key.SetAccessControl($acl)
}

# Repeat until the privilege has been enabled on this process token.
do {} until (Enable-Privilege SeTakeOwnershipPrivilege)

# Remove the package's Owners subkey, then uninstall the package with PkgMgr.
function Remove-Package($name) {
  $key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$name"
  Take-Over $key
  Remove-Item -Path HKLM:"$key\Owners" -Force -Recurse
  & C:\Windows\System32\PkgMgr.exe /up:$name /norestart /quiet
}

#Remove Feedback
$packageBase = "Microsoft-WindowsFeedback"
# Collect every registry key whose name starts with $packageBase, whatever its version.
$packageNames = (dir ("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\" + $packageBase + "*")).name

forEach ($package in $packageNames)
{
    # Strip the registry path prefix so only the package identifier is passed on.
    Remove-Package $package.substring($package.indexOf($packageBase))
}

You can change $packageBase to different package names. I changed the script slightly from its original state because the original only worked on very specific versions of the packages, whereas this will work with any version. It gets the whole package identifier (including version number) from the registry.

Verified working with "Feedback" (Microsoft-WindowsFeedback) and "Contact Support" (Microsoft-Windows-ContactSupport). I tried with "Cortana" (Microsoft-Windows-Cortana) but it didn't seem to work fully. I think Cortana has other hooks into the OS. Haven't tried any of the others listed by @10se1ucgo

elimn commented Nov 23, 2016

Thank you for sharing the script @Fifteen15Studios. This was the top result on Google for uninstalling Cortana. I tried removing Cortana with it. After a reboot the application was indeed missing and the start menu worked. However, the keyboard search in the Start Menu was completely disabled. The Search Windows box still appears, but typing in it does nothing.

For anyone using your script: You probably do not want to remove Cortana, unless you never type in the Search Windows box nor Start Menu. If you use a replacement Start Menu application then this caveat probably does not apply to you.

Suncatcher commented Mar 18, 2017

The variable $packageNames is always empty for me. What's the matter?

@Ruined1 Ruined1 closed this Apr 26, 2017

ijry commented Jul 3, 2018

Does anyone know how to remove AppX packages installed for a user that doesn't exist?
