10se1ucgo / DisableWinTracking

Uses some known methods that attempt to minimize tracking in Windows 10
GNU Lesser General Public License v3.0
4.98k stars 369 forks

[Idea] Clean removal of system apps (bypass error 0x80073CFA) #48

Closed leonghui closed 7 years ago

leonghui commented 8 years ago

Hi,

I would like to share my findings. The error 0x80073CFA can be bypassed by toggling the "IsInbox" column for the system package in the Package table in %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd. It is an SQLite database that can be viewed and edited with any SQLite tool after stopping the StateRepository service and taking over the file ownership.

I managed to remove Microsoft Edge from the Start menu using Remove-AppxPackage afterwards, but there were no changes to the package list exported from the install_wim_tweak tool (http://www.msfn.org/board/topic/152688-win6x-registry-tweak/) so further cleanup may be necessary.

Best of luck.

    Remove-AppxPackage : Deployment failed with HRESULT: 0x80073CFA, Removal failed. Please contact your software vendor. (Exception from HRESULT: 0x80073CFA)
    error 0x80070032: AppX Deployment Remove operation on package xxx from:
    xxx failed. This app is part of Windows and cannot be uninstalled on a per-user basis. An administrator can attempt to remove the app from the computer using Turn Windows Features on or off. However, it may not be possible to uninstall the app.

leonghui commented 8 years ago

Some steps and screenshots:

  1. Try removing the system package using Remove-AppxPackage before
  2. Run cmd as SYSTEM using PsExec (https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx) in an elevated command prompt

    psexec -i -s cmd
  3. Copy %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd to the Desktop (do make a backup)

    copy %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.srd %USERPROFILE%\Desktop
  4. Toggle _IsInbox_ to 0: find the package under PackageFullName and change IsInbox from 1 to 0
  5. Kill sihost.exe and the svchost.exe instance that shares the same PID as the StateRepository service (cannot be stopped via usual methods)

    taskkill /im sihost.exe /f
    FOR /F "usebackq tokens=2 skip=2" %i IN (`tasklist /svc /fi "services eq StateRepository"`) DO taskkill /PID %i /f
  6. Ignore the warning window; note that the Start Menu will not work until reboot
  7. Delete %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.* (including the SQLite temp files). This would not work until step 5 is done properly.

    del %ProgramData%\Microsoft\Windows\AppRepository\StateRepository-Machine.*
  8. Copy the edited StateRepository-Machine.srd to %ProgramData%\Microsoft\Windows\AppRepository\

    copy %USERPROFILE%\Desktop\StateRepository-Machine.srd %ProgramData%\Microsoft\Windows\AppRepository\
  9. Restart the StateRepository service and try removing the system package again

    sc start StateRepository

    Success

  10. Reboot to restore the Start Menu
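
A read-only audit for the flag described in the steps above, as an added example that is not part of the original thread: it opens a copy of StateRepository-Machine.srd and reports packages whose IsInbox value differs from a known-good baseline. Only the Package table and its PackageFullName and IsInbox columns come from the thread; the package names, the baseline and the function names are constructed for illustration.

```python
import sqlite3
import tempfile
from pathlib import Path

def read_inbox_flags(db_path):
    """Return {PackageFullName: IsInbox} from a copy of the database, opened read-only."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT PackageFullName, IsInbox FROM Package")
        return {name: int(flag) for name, flag in rows}
    finally:
        con.close()

def audit_inbox_flags(db_path, baseline):
    """Compare current flags with a baseline taken from a known-good installation."""
    current = read_inbox_flags(db_path)
    findings = []
    for name, expected in sorted(baseline.items()):
        if name not in current:
            findings.append((name, "missing"))
        elif current[name] != expected:
            findings.append((name, f"IsInbox {expected} -> {current[name]}"))
    return findings

def build_sample_db(path):
    """Constructed sample: only the table and the two columns named in the thread."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Package (PackageFullName TEXT, IsInbox INTEGER)")
    con.executemany("INSERT INTO Package VALUES (?, ?)", [
        ("Contoso.SystemApp_1.0.0.0_neutral_neutral_examplepubid1", 0),  # flag flipped
        ("Contoso.Shell_1.0.0.0_neutral_neutral_examplepubid1", 1),      # untouched
    ])
    con.commit()
    con.close()

BASELINE = {  # constructed; in practice exported from a reference installation
    "Contoso.SystemApp_1.0.0.0_neutral_neutral_examplepubid1": 1,
    "Contoso.Shell_1.0.0.0_neutral_neutral_examplepubid1": 1,
    "Contoso.Removed_1.0.0.0_neutral_neutral_examplepubid1": 1,
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "StateRepository-Machine.srd"
        build_sample_db(db)
        return audit_inbox_flags(db, BASELINE)

if __name__ == "__main__":
    for name, issue in demo():
        print(f"{name}: {issue}")
```
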
10se1ucgo commented 8 years ago

Not sure how I'd do this programmatically. Any recommendations?

DeeJayhX commented 8 years ago

Assign this one to me, I'll do it.

10se1ucgo commented 8 years ago

@Ruined1 Added you as a collaborator and assigned you to the issue. Thanks for your work :)

DeeJayhX commented 8 years ago

It's an honor.

DeeJayhX commented 8 years ago

@leonghui nevermind, continuing to work on this

ghost commented 8 years ago

What's the progress so far on this?

DeeJayhX commented 8 years ago

It's currently in development, there is no ETA. I am working diligently on this, but I don't make money writing code, so it gets done between work and sleep :sweat_smile:

DeeJayhX commented 8 years ago

There are a couple of batch files on the /r/windows10 subreddit on Reddit

I'll keep that in mind.

If I disable the services rather than delete them is there ANY kind of possibility for them to be enabled by Microsoft again, without me knowing it?

Absolutely, with any windows update and (who knows) at any time they like if they've left such ability in their operating system. It's closed source, so who knows? To assume that far is borderline paranoia, but times are strange...

And, if I just delete them, will that cause problems to my system? I don't think so, but I still want to be sure.

We eat what we cook, @10se1ucgo and I both use this and haven't experienced any issues. I use the DELETE option on my computers.

W4RH4WK commented 8 years ago

Wow, it's nice to see that there is a way to remove those packages with some workaround using the Remove-AppxPackage commandlet. Does the removal work in a clean way? The way I did it was using the dism.exe tool. (https://github.com/W4RH4WK/Debloat-Windows-10/blob/47c2666ddd162a511a6517d74502d3dc8465a430/scripts/remove-default-apps.ps1#L64-L98)

It would be great if one can remove all apps (listed) using the Remove-AppxPackage commandlet. @Ruined1 do you think that'd be possible?

DeeJayhX commented 8 years ago

@10se1ucgo I still need to know which ones you want to be able to remove, there are certain ones I would think it unwise to allow removal of. Here is a list:

    Microsoft.Windows.CloudExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy|1
    Microsoft.AAD.BrokerPlugin_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy|1
    Microsoft.AccountsControl_10.0.10240.16384_neutral__cw5n1h2txyewy|1
    Microsoft.BioEnrollment_10.0.10240.16384_neutral__cw5n1h2txyewy|1
    Microsoft.LockApp_10.0.10240.16384_neutral__cw5n1h2txyewy|1
    Microsoft.MicrosoftEdge_20.10240.16384.0_neutral__8wekyb3d8bbwe|1
    Microsoft.Windows.ContentDeliveryManager_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy|1
    Microsoft.Windows.ParentalControls_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy|1
    Microsoft.Windows.ShellExperienceHost_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy|1
    Microsoft.XboxGameCallableUI_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy|1
    Microsoft.XboxIdentityProvider_1000.10240.16384.0_neutral_neutral_cw5n1h2txyewy|1
    Windows.ContactSupport_10.0.10240.16384_neutral_neutral_cw5n1h2txyewy|1
    windows.immersivecontrolpanel_6.2.0.0_neutral_neutral_cw5n1h2txyewy|1
    Windows.MiracastView_6.3.0.0_neutral_neutral_cw5n1h2txyewy|1
    Windows.PrintDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy|1
    Windows.PurchaseDialog_6.2.0.0_neutral_neutral_cw5n1h2txyewy|1
    windows.devicesflow_6.2.0.0_neutral_neutral_cw5n1h2txyewy|1
    Microsoft.WindowsFeedback_10.0.10240.16393_neutral_neutral_cw5n1h2txyewy|1
    Microsoft.Windows.Cortana_1.4.8.176_neutral_neutral_cw5n1h2txyewy|1

Obviously, we shouldn't remove some such as ShellExperienceHost and AccountsControl

10se1ucgo commented 8 years ago

@Ruined1

DeeJayhX commented 8 years ago

@10se1ucgo going to start working on this today, had a busy week :sleepy:

Draxler commented 8 years ago

Great work you guys are doing. Thanks again to all devs and contributors to this project. :+1:

intika commented 8 years ago

Thanks a million !!!!!!!

Fifteen15Studios commented 8 years ago

I found this Powershell script somewhere, edited it slightly:

function Enable-Privilege {  
  param($Privilege)
  $Definition = @'
using System;  
using System.Runtime.InteropServices;  
public class AdjPriv {  
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
    ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr rele);
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
    ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid {
    public int Count;
    public long Luid;
    public int Attr;
  }
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool EnablePrivilege(long processHandle, string privilege) {
    TokPriv1Luid tp;
    IntPtr hproc = new IntPtr(processHandle);
    IntPtr htok = IntPtr.Zero;
    // Stop at the first failing call instead of overwriting its result.
    if (!OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok))
      return false;
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_ENABLED;
    if (!LookupPrivilegeValue(null, privilege, ref tp.Luid))
      return false;
    // AdjustTokenPrivileges also returns true when the token does not hold the
    // privilege (ERROR_NOT_ALL_ASSIGNED), so the last error must be checked too.
    return AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
      && Marshal.GetLastWin32Error() == 0;
  }
}
'@
  $ProcessHandle = (Get-Process -id $pid).Handle
  $type = Add-Type $definition -PassThru
  $type[0]::EnablePrivilege($processHandle, $Privilege)
}

# Make Administrators the owner of an HKLM subkey and grant the group full control.
function Take-Over($path) {
  $owner = [Security.Principal.NTAccount]'Administrators'

  $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path, 'ReadWriteSubTree', 'TakeOwnership')
  $acl = $key.GetAccessControl()
  $acl.SetOwner($owner)
  $key.SetAccessControl($acl)

  $acl = $key.GetAccessControl()
  $rule = New-Object System.Security.AccessControl.RegistryAccessRule "Administrators", "FullControl", "ContainerInherit", "None", "Allow"
  $acl.SetAccessRule($rule)
  $key.SetAccessControl($acl)
  $key.Close()
}

# Abort instead of looping forever if the privilege cannot be enabled
# (for example, in a non-elevated session).
if (-not (Enable-Privilege SeTakeOwnershipPrivilege)) {
  throw 'Could not enable SeTakeOwnershipPrivilege; run this from an elevated PowerShell session.'
}

function Remove-Package($name) {
  $key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\$name"
  # Take ownership of the package's servicing key and delete its Owners subkey
  # before asking PkgMgr to uninstall the package.
  Take-Over $key
  Remove-Item -Path "HKLM:\$key\Owners" -Force -Recurse
  & C:\Windows\System32\PkgMgr.exe /up:$name /norestart /quiet
}

#Remove Feedback
$packageBase = "Microsoft-WindowsFeedback"
$packageNames = (dir ("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\" + $packageBase + "*")).name

forEach ($package in $packageNames)
{   
    Remove-Package $package.substring($package.indexOf($packageBase))
}

You can change $packageBase to different package names. I changed the script slightly from its original state because the original only worked on very specific versions of the packages, whereas this will work with any version. It gets the whole package identifier (including version number) from the registry.

Verified working with "Feedback" (Microsoft-WindowsFeedback) and "Contact Support" (Microsoft-Windows-ContactSupport). I tried with "Cortana" (Microsoft-Windows-Cortana) but it didn't seem to work fully. I think Cortana has other hooks into the OS. Haven't tried any of the others listed by @10se1ucgo

elimn commented 7 years ago

Thank you for sharing the script @Fifteen15Studios. This was the top result on Google for uninstalling Cortana. I tried removing Cortana with it. After a reboot the application was indeed missing and the start menu worked. However, the keyboard search in the Start Menu was completely disabled. The Search Windows box still appears, but typing in it does nothing.

For anyone using your script: You probably do not want to remove Cortana, unless you never type in the Search Windows box nor Start Menu. If you use a replacement Start Menu application then this caveat probably does not apply to you.

Suncatcher commented 7 years ago

The variable $packageNames is always empty for me. What's the matter?

ijry commented 6 years ago

Does anyone know how to remove AppX packages installed for a user that doesn't exist?

ijry commented 6 years ago

This does not work for me: https://social.technet.microsoft.com/Forums/windows/en-US/5e7c8439-bf9a-4050-8fbd-b2c207eb7b52/how-to-delete-an-app-from-a-deleted-users-account?forum=win10itprogeneral&prof=required