pkgprobe 0.1.2

Windows-first static installer analysis for endpoint / CPE teams

<<<<<<< Updated upstream

installer-intel

=======

pkgprobe 🔍

Stashed changes

pkgprobe is a Windows-first CLI tool that statically analyzes EXE and MSI installers and produces a machine-readable install plan for endpoint management and packaging workflows.

Think: package intelligence for Intune, SCCM, Jamf, RMM, and Client Platform Engineering teams.

<<<<<<< Updated upstream Available on PyPI: https://pypi.org/project/installer-intel/

Available on PyPI.

Stashed changes

---

<<<<<<< Updated upstream

Why installer-intel exists

=======

✨ Why pkgprobe exists

Stashed changes

Packaging software on Windows is still more art than science:

• Silent install flags are undocumented or inconsistent
• Installer technologies vary widely (Inno, NSIS, InstallShield, Burn, etc.)
• Detection rules are often copied, guessed, or discovered via trial-and-error
• Testing installers directly is slow and risky on production machines

<<<<<<< Updated upstream installer-intel focuses on the analysis phase first.

pkgprobe focuses on the analysis phase first:

Stashed changes

Understand what an installer is likely to do — before you ever run it.

---

What it does (v0.1)

<<<<<<< Updated upstream Given an .msi or .exe, installer-intel outputs a structured install plan suitable for automation and review.

Given an .msi or .exe, pkgprobe outputs a structured install plan containing:

Stashed changes

Installer intelligence

• Detects installer type (MSI, Inno Setup, NSIS, InstallShield, Burn, Squirrel, etc.)
• Confidence-scored classification with supporting evidence

Command inference

• Probable silent install commands, ranked by confidence
• Probable uninstall commands
• Evidence explaining why each command was suggested

Detection guidance

• MSI ProductCode–based detection (when available)
• Follow-up guidance for improving detection accuracy
• Designed to integrate cleanly into Intune / SCCM detection logic

Automation-friendly output

• JSON output suitable for pipelines and tooling
• Human-readable CLI summary for engineers

Safety-first by design
This version performs static analysis only.
No installers are executed.

---

Example

<<<<<<< Updated upstream

installer-intel analyze .\setup.exe --out installplan.json
=======
``` powershell
pkgprobe analyze .\setup.exe --out installplan.json
>>>>>>> Stashed changes

CLI summary:

Type: Inno Setup (confidence 0.92)

Install candidates:
  setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- (0.88)
  setup.exe /SILENT /SUPPRESSMSGBOXES /NORESTART /SP-     (0.62)

Uninstall candidates:
  unins000.exe /VERYSILENT (0.55)

Generated installplan.json (excerpt):

{
  "installer_type": "Inno Setup",
  "confidence": 0.92,
  "install_candidates": [
    {
      "command": "setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-",
      "confidence": 0.88
    }
  ]
}

---

Installation

From PyPI (recommended)

<<<<<<< Updated upstream

pip install installer-intel
installer-intel --version
installer-intel analyze .\setup.exe --out installplan.json
=======
``` powershell
pip install pkgprobe
pkgprobe --version
pkgprobe analyze .\setup.exe --out installplan.json
>>>>>>> Stashed changes

From source (development)

This project uses uv for fast, reproducible Python environments.

pip install uv
git clone https://github.com/Zeph3r/pkgprobe.git
cd pkgprobe
uv venv
uv sync
uv run pkgprobe --help

Use --quiet / -q to suppress the banner when scripting (CI, pipelines, etc.).

---

Supported inputs

File type	Status	Notes
MSI	✅	Metadata parsed via Windows Installer APIs
EXE	✅	Heuristic detection via string & signature analysis
MSIX / AppX	🔍	Detection hints only (wrapper detection)

---

How detection works

pkgprobe combines:

• Static string extraction (ASCII + UTF-16LE)
• Known installer signature patterns
• Heuristic confidence scoring
• Evidence tracking (matched strings, metadata clues)

This keeps analysis fast, safe, and explainable.

---

Current limitations

• Windows-first (intentional — this targets Windows endpoints)
• EXE analysis is heuristic-based (not guaranteed)
• No execution or sandbox tracing in v0.1
• Detection accuracy improves significantly with runtime tracing (planned)

---

Roadmap

v0.2.0 (next)

<<<<<<< Updated upstream

• MSI parsing via Windows Installer COM (ProductCode, UpgradeCode, Version)

• install4j / Java-based installer detection

• Partial-read scanning for very large EXEs

• ProcMon-backed trace mode to summarize filesystem, registry, service, and persistence changes

• --format yaml

• --summary-only

• Optional sandboxed execution mode (opt-in) ======= CLI UX

• JSON to stdout – Support pkgprobe analyze <file> --format json (or -o -) so scripts can consume JSON only from stdout without writing a file.

• --summary-only – Option to print only the human summary (no JSON file, no "Wrote: ..."); useful for quick terminal checks.

• Exit codes – Document and standardize exit codes (e.g. 0 = success, 1 = usage, 2 = file/analysis error) for scripting.

• Subcommand examples – Add a one-line example in pkgprobe analyze --help so first-time users see usage immediately.

Output & format

• --format yaml – Optional YAML output for install plan (alongside JSON).

Later (v0.3.0+)

• install4j / Java-based installer detection
• Partial-read scanning for very large EXEs
• ProcMon-backed trace mode
• Optional trace-install mode (opt-in, sandboxed)

Stashed changes

---

Who this is for

• Client Platform Engineers
• Endpoint / EUC Engineers
• Intune / SCCM / Jamf admins
• Security teams validating installer behavior
• Anyone tired of guessing silent install flags

---

Philosophy

installer-intel is intentionally conservative.

It prefers:

• Explainability over magic
• Confidence scoring over certainty
• Safety over speed

<<<<<<< Updated upstream If it can’t be confident, it tells you why.

pkgprobe is intentionally conservative.

Stashed changes

That’s how real platform tooling should behave.

---

License

MIT