Are any files executed during extraction?

Do ALL extraction methods (For all files MSI/NSIS etc) extract without executing the programs? If not can you name which extractions do execute programs. Thank you.

No, not all file extractions occur without executing the file. I do that whenever possible, but in cases where it either makes sense to do it by executing the file (such as MSI administrative installs or some InstallShield installers) or there simply is no other available method the file is executed with the proper arguments passed to facilitate extraction rather than installation. This is only done for files that are recognized as supporting this feature - no file that is not recognized as a self-extracting file should ever be executed. The only possible exception to this is if filetype detection via TrID or PEiD is incorrect.

This isn't done for a whole lot of file types, but it is done for more than I can think of off the top of my head right now. Next time I'm on a Windows system I'll take a look at it again post a more thorough list. Check back here in a day or two.

If I may ask, is there some reason in particular that you'd like to know, or is this just out of simple concern about running untrusted executables on your system?


Sometimes I examine malicious files. They come in all types of packages. Sometimes they come in packages which Universal Extractor is able to extract. IF at any time Universal Extractor has to execute to get files because there is no other way, it would be cool if a little popup comes up and asks if we want to continue with extraction (with execution) or cancel extraction (no execution).


Sorry it's taken me so long to get back to this, but here's the list of files that may be directly executed during extraction:

  • Microsoft Type 1 hotfixes (SFX cab files)
  • Netopsystems FEAD Optimizer packages (Adobe Reader uses it, among others)
  • InstallShield installers using '/b' switch (this may be an issue since TrID has a high false-positive rate with InstallShield)
  • SuperDAT files (McAfee virus definition packages)
  • certain packages created with Visual Studio that support SFX; specifically, this includes files with the following PEiD signatures:
    signature = E8 21 48 00 00 E9 16 FE FF FF 51 C7 01 08 B4 00 30 E8 A4 48 00 00 59 C3 56 8B F1 E8 EA FF FF FF F6 ?? ?? ?? ?? 74 07 56 E8 F6 04 00 00 59 8B C6 5E C2 04 00 8B 44 24 04 83 C1 09 51 83 C0 09 50
    signature = 60 BE 00 B0 44 00 8D BE 00 60 FB FF 57 83 CD FF EB 10 90 90 90 90 90 90 8A 06 46 88 07 47 01 DB 75 07 8B 1E 83 EE FC 11 DB 72 ED B8 01 00 00 00 01 DB 75 07 8B 1E 83 EE FC 11 DB 11 C0 01 DB 73

    I have no idea how common these types of files are, but I added support based on a couple of requests through the forum
  • Wise Installers using '/x' switch
  • Wise MSI Installers

That should cover it. Hope this helps.


Personally, I think this should be a fairly important feature. As a new user, I really couldn't quickly grasp what that app was going to do, or where it was going to put things. I'm sure the info was there, but like most things --- if it isn't brain-dead simple, even smart folks will not do the work they could. Also, even if I could figure it out, I couldn't trust that, since I also had a friend try it, that they would be as careful as I usually am.

I do have a way that I can ensure that nothing bad gets out of an executable, but as of right now, it is not generally available. to the public.

In any case, If I do get back to this site, [and I hope to], I will be providing an app, [free for non-servers], that with one click, will provide an easy ability to sandbox, [or revert], your whole hard drive from any writes, whatsoever.

Thanks for a truly great "little" utility, that has a ton of power and useful features.

Add new comment

Filtered HTML

  • Allowed HTML tags: <a href hreflang> <acronym> <blockquote cite> <br> <cite> <code> <dd> <div> <dl> <dt> <em> <img src alt title height width> <li> <ol start type> <p> <pre> <span> <strong> <sub> <sup> <ul type>
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.