Windows-first static installer analysis for endpoint / CPE teams

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mtijan2008 from gravatar.com mtijan2008

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT
  • Tags cpe , endpoint , installer , intune , packaging , sccm , windows
  • Requires: Python >=3.9
  • Provides-Extra: dev
Report project as malware

Project description

pkgprobe

pkgprobe is a Windows-first CLI tool that statically analyzes EXE and MSI installers and produces a machine-readable install plan for endpoint management and packaging workflows.

Think: package intelligence for Intune, SCCM, Jamf, RMM, and Client Platform Engineering teams.

Available on PyPI.

Full usage documentation — Commands, options, output formats, and trace-install behavior.

✨ Why pkgprobe exists

Packaging software on Windows is still more art than science:

  • Silent install flags are undocumented or inconsistent
  • Installer technologies vary widely (Inno, NSIS, InstallShield, Burn, etc.)
  • Detection rules are often copied, guessed, or discovered via trial-and-error
  • Testing installers directly is slow and risky on production machines

pkgprobe focuses on the analysis phase first:

Understand what an installer is likely to do --- before you ever run it.

What it does (v0.1)

Given an .msi or .exe, pkgprobe outputs a structured install plan containing:

Installer intelligence

  • Detects installer type (MSI, Inno Setup, NSIS, InstallShield, Burn, Squirrel, etc.)
  • Confidence-scored classification with supporting evidence

Command inference

  • Probable silent install commands, ranked by confidence
  • Probable uninstall commands
  • Evidence explaining why each command was suggested

Detection guidance

  • MSI ProductCode--based detection (when available)
  • Follow-up guidance for improving detection accuracy
  • Designed to integrate cleanly into Intune / SCCM detection logic

Automation-friendly output

  • JSON output suitable for pipelines and tooling
  • Human-readable CLI summary for engineers

Safety-first by design
This version performs static analysis only.
No installers are executed.

Example

pkgprobe analyze .\setup.exe --out installplan.json

demo1

CLI summary:

Type: Inno Setup (confidence 0.92)

Install candidates:
  setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- (0.88)
  setup.exe /SILENT /SUPPRESSMSGBOXES /NORESTART /SP-     (0.62)

Uninstall candidates:
  unins000.exe /VERYSILENT (0.55)

Generated installplan.json (excerpt):

{
  "installer_type": "Inno Setup",
  "confidence": 0.92,
  "install_candidates": [
    {
      "command": "setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-",
      "confidence": 0.88
    }
  ]
}

Installation

From PyPI (recommended)

pip install pkgprobe
pkgprobe --version
pkgprobe analyze .\setup.exe --out installplan.json

From source (development)

This project uses uv for fast, reproducible Python environments.

pip install uv
git clone https://github.com/Zeph3r/pkgprobe.git
cd pkgprobe
uv venv
uv sync
uv run pkgprobe --help

Use --quiet / -q to suppress the banner when scripting (CI, pipelines, etc.).

Supported inputs

File type Status Notes

MSI ✅ Metadata parsed via Windows Installer APIs EXE ✅ Heuristic detection via string & signature analysis MSIX / AppX 🔍 Detection hints only (wrapper detection)

How detection works

pkgprobe combines:

  • Static string extraction (ASCII + UTF-16LE)
  • Known installer signature patterns
  • Heuristic confidence scoring
  • Evidence tracking (matched strings, metadata clues)

This keeps analysis fast, safe, and explainable.

Current limitations

  • Windows-first (intentional --- this targets Windows endpoints)
  • EXE analysis is heuristic-based (not guaranteed)
  • No execution or sandbox tracing in v0.1
  • Detection accuracy improves significantly with runtime tracing (planned)

Roadmap

v0.2.0 (next)

CLI UX

  • JSON to stdout -- Support pkgprobe analyze <file> --format json (or -o -) for pipeline consumption
  • --summary-only -- Print only human summary (no file output)
  • Exit codes -- Standardized scripting-friendly exit codes
  • Subcommand examples in --help

Output & format

  • --format yaml -- Optional YAML install plan output

Later (v0.3.0+)

  • install4j / Java-based installer detection
  • Partial-read scanning for very large EXEs
  • ProcMon-backed trace mode
  • Optional trace-install mode (opt-in, sandboxed)

Who this is for

  • Client Platform Engineers
  • Endpoint / EUC Engineers
  • Intune / SCCM / Jamf admins
  • Security teams validating installer behavior
  • Anyone tired of guessing silent install flags

Philosophy

pkgprobe is intentionally conservative.

It prefers:

  • Explainability over magic
  • Confidence scoring over certainty
  • Safety over speed

If it can't be confident, it tells you why.

That's how real platform tooling should behave.

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for mtijan2008 from gravatar.com mtijan2008

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT
  • Tags cpe , endpoint , installer , intune , packaging , sccm , windows
  • Requires: Python >=3.9
  • Provides-Extra: dev

Release history Release notifications | RSS feed

This version

0.2.0

0.1.2

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pkgprobe-0.2.0.tar.gz (6.4 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pkgprobe-0.2.0-py3-none-any.whl (31.5 kB view details)

Uploaded Python 3

File details

Details for the file pkgprobe-0.2.0.tar.gz.

File metadata

  • Download URL: pkgprobe-0.2.0.tar.gz
  • Upload date:
  • Size: 6.4 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pkgprobe-0.2.0.tar.gz
Algorithm Hash digest
SHA256 401ef3b967ad7c55b1e0a797a294e4397e1ca488ccd76e02a39c1d68b06a710c
MD5 acfd7e183e2bc9e990190afc4b21eee2
BLAKE2b-256 1039285f5844d19c568a15faf95f4a19645826cb5898bb5c4fb365297dc0ac33

See more details on using hashes here.

Provenance

The following attestation bundles were made for pkgprobe-0.2.0.tar.gz:

Publisher: publish.yml on Zeph3r/pkgprobe

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pkgprobe-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: pkgprobe-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 31.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for pkgprobe-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b22212f2dc38828e4f2edde27b8888ee27be4ef7cfe4647edf1b5b4ed58ad9a8
MD5 0e4b19e722a874c978ed67d3c7d73550
BLAKE2b-256 05c33f42199d3f51544be313d14a9a1cc773fc76a5170bd619fca1183f017fbe

See more details on using hashes here.

Provenance

The following attestation bundles were made for pkgprobe-0.2.0-py3-none-any.whl:

Publisher: publish.yml on Zeph3r/pkgprobe

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page