Skip to content

deadarcher/SwitchHunt

Repository files navigation

SwitchHunt

Drop a Windows installer in your browser → get its silent-install switches. No upload, no signup, no agent. The file you drop is read entirely in your browser - it never touches a server.

Use it now (hosted): https://getrff.com/switchhunt

Works on ~85% of installers out of the box, plus a curated catalog for the painful vendor one-offs.


What it does

Drop an .exe or .msi and SwitchHunt identifies the installer engine from its bytes, then hands you:

  • The full command set - install / repair / uninstall / extract, not just a single silent flag - with the modifier switches for each.
  • CMD ⇄ PowerShell toggle (rewrites .\, the & call operator, $env: paths) and an interactive command builder (operation, UI level, INSTALLDIR, properties).
  • Deep MSI analysis - a from-scratch in-browser MS-CFB (compound-file) reader decodes the Property, Control, LaunchCondition and CustomAction tables to surface a tiered "properties you probably need to set" list (required / likely / sensitive / optional), a full property dump, and an uninstall-replay warning (MSI properties are transaction-scoped, so secrets set at install must be passed again at /x).
  • Package for deployment, client-side:
    • a PSAppDeployToolkit v4 wrapper (Invoke-AppDeployToolkit.ps1) with the right Start-ADTMsiProcess / Start-ADTProcess calls, plus DeployMode / suppress-reboot / Terminal-Server options;
    • a real .intunewin built in the browser (STORE zip + AES-256-CBC + HMAC-SHA256 + Detection.xml, exactly like IntuneWinAppUtil.exe) - uploadable straight to Intune, no toolchain to install.

Engines detected

MSI · WiX Burn · Advanced Installer · Inno Setup · NSIS · InstallShield · InstallAware · BitRock InstallBuilder · Wise · MSIX/AppX · Squirrel · 7-Zip/WinRAR self-extractors - with a best-effort switch harvest for the packed/custom long tail.

The catalog (the weird stuff)

Signature detection can't derive a custom CLI's flags (Citrix, Teams machine-wide, AnyDesk, Docker Desktop, CrowdStrike, GlobalProtect…). Those live in src/lib/catalog.ts as hand-verified known strings, clearly labeled in the UI as "from catalog, not read from your file." For well-known apps the catalog also carries the real uninstall command and a detection path (the install dir an EXE installer never records).

This is where the project most needs help. CATALOG.md + catalog/catalog.json are generated from the .ts - run npm run gen:catalog, don't hand-edit them.


Why client-side?

Feeding a community-sourced "install command" into a tool that runs it as SYSTEM across a fleet is a supply-chain attack surface. SwitchHunt deliberately does not run anything - it only reads bytes and looks up strings. Nothing is uploaded; you can pull your network cable and it still works. Open the devtools Network tab and watch: zero requests with your file.

Run it locally

npm install
npm run dev      # http://localhost:4321
npm run build    # static output in dist/ - deploy anywhere

No backend. dist/ is plain static files; host it on GitHub Pages, Cloudflare Pages, Netlify, or npx serve dist.

How it works (short version)

  • Engine detection (src/lib/installerDetect.ts): byte signatures + PE version-resource parsing for metadata. .NET requires the _CorExeMain stub (not just an mscoree.dll string) to avoid false positives, etc.
  • MSI parsing (src/lib/msi.ts): a hand-rolled MS-CFB reader (the cfb npm package chokes on the 4096-byte-sector MSIs large enterprise packages use) that decodes the table streams.
  • Packaging (src/lib/psadt.ts, src/lib/intunewin.ts): pure string-templating + WebCrypto. No native deps.

License

MIT - see LICENSE.

Built by RFF - Really Freakin' Fast Windows endpoint deployment.

About

Drop a Windows installer in your browser, get its silent-install switches. Detects MSI, Inno, NSIS, WiX Burn, Advanced Installer, MSIX & more — builds PSADT v4 + .intunewin packages and catalogs the weird-vendor one-offs. 100% client-side; nothing is uploaded.

Resources

License

Contributing

Stars

10 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors