pkgprobe is a Windows-first CLI tool that statically analyzes EXE and MSI installers and produces a machine-readable install plan for endpoint management and packaging workflows.
Think: package intelligence for Intune, SCCM, Jamf, RMM, and Client Platform Engineering teams.
Available on PyPI.
Full usage documentation — Commands, options, output formats, and trace-install behavior.
Packaging software on Windows is still more art than science:
- Silent install flags are undocumented or inconsistent
- Installer technologies vary widely (Inno, NSIS, InstallShield, Burn, etc.)
- Detection rules are often copied, guessed, or discovered via trial-and-error
- Testing installers directly is slow and risky on production machines
pkgprobe focuses on the analysis phase first:
Understand what an installer is likely to do before you ever run it.
Given an .msi or .exe, pkgprobe outputs a structured install plan containing:
- Detects installer type (MSI, Inno Setup, NSIS, InstallShield, Burn, Squirrel, etc.)
- Confidence-scored classification with supporting evidence
- Probable silent install commands, ranked by confidence
- Probable uninstall commands
- Evidence explaining why each command was suggested
- MSI ProductCode-based detection (when available)
- Follow-up guidance for improving detection accuracy
- Designed to integrate cleanly into Intune / SCCM detection logic
- JSON output suitable for pipelines and tooling
- Human-readable CLI summary for engineers
Safety-first by design
This version performs static analysis only.
No installers are executed.
pkgprobe analyze .\setup.exe --out installplan.json
CLI summary:
Type: Inno Setup (confidence 0.92)
Install candidates:
setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP- (0.88)
setup.exe /SILENT /SUPPRESSMSGBOXES /NORESTART /SP- (0.62)
Uninstall candidates:
unins000.exe /VERYSILENT (0.55)
Generated installplan.json (excerpt):
{
  "installer_type": "Inno Setup",
  "confidence": 0.92,
  "install_candidates": [
    {
      "command": "setup.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-",
      "confidence": 0.88
    }
  ]
}
pip install pkgprobe
pkgprobe --version
pkgprobe analyze .\setup.exe --out installplan.json
This project uses uv for fast, reproducible Python environments.
pip install uv
git clone https://github.com/Zeph3r/pkgprobe.git
cd pkgprobe
uv venv
uv sync
uv run pkgprobe --help
Use --quiet / -q to suppress the banner when scripting (CI, pipelines, etc.).

| File type | Status | Notes |
|---|---|---|
| MSI | ✅ | Metadata parsed via Windows Installer APIs |
| EXE | ✅ | Heuristic detection via string & signature analysis |
| MSIX / AppX | 🔍 | Detection hints only (wrapper detection) |

pkgprobe combines:
- Static string extraction (ASCII + UTF-16LE)
- Known installer signature patterns
- Heuristic confidence scoring
- Evidence tracking (matched strings, metadata clues)
This keeps analysis fast, safe, and explainable.
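
The four steps listed above, sketched as an added example (this is not pkgprobe's own code). The marker strings, their weights, and the function names are illustrative assumptions, and the sample bytes are constructed.

```python
import re

# Marker strings and weights are illustrative assumptions, not pkgprobe's rules.
SIGNATURES = {
    "Inno Setup": [("Inno Setup Setup Data", 0.6), ("/VERYSILENT", 0.2)],
    "NSIS": [("NullsoftInst", 0.6), ("Nullsoft Install System", 0.3)],
}
MIN_LEN = 6  # shorter runs are mostly noise

def extract_strings(data: bytes) -> set:
    """Collect printable ASCII runs and UTF-16LE runs of at least MIN_LEN chars."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % MIN_LEN, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN, data)
    return ({r.decode("ascii") for r in ascii_runs}
            | {r.decode("utf-16-le") for r in utf16_runs})

def classify(data: bytes) -> dict:
    """Score every family and return the best one with its matched markers."""
    strings = extract_strings(data)
    best = {"installer_type": "Unknown", "confidence": 0.0, "evidence": []}
    for family, markers in SIGNATURES.items():
        hits = [(m, w) for m, w in markers if any(m in s for s in strings)]
        score = round(min(sum(w for _, w in hits), 0.99), 2)
        if score > best["confidence"]:
            best = {"installer_type": family, "confidence": score,
                    "evidence": [m for m, _ in hits]}
    return best

# Constructed sample: a fake header, one ASCII marker, one UTF-16LE marker.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 + b"Inno Setup Setup Data (x.y.z)"
          + b"\x01\x02" + "/VERYSILENT".encode("utf-16-le") + b"\x00\x00\xff")

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The file is only read as bytes and never executed, and the evidence list records which markers produced the score.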
- Windows-first (intentional: this targets Windows endpoints)
- EXE analysis is heuristic-based (not guaranteed)
- No execution or sandbox tracing in v0.1
- Detection accuracy improves significantly with runtime tracing (planned)
CLI UX
- JSON to stdout: Support pkgprobe analyze <file> --format json (or -o -) for pipeline consumption
- --summary-only: Print only human summary (no file output)
- Exit codes: Standardized scripting-friendly exit codes
- Subcommand examples in --help
Output & format
- --format yaml: Optional YAML install plan output
Later (v0.3.0+)
- install4j / Java-based installer detection
- Partial-read scanning for very large EXEs
- ProcMon-backed trace mode
- Optional trace-install mode (opt-in, sandboxed)
- Client Platform Engineers
- Endpoint / EUC Engineers
- Intune / SCCM / Jamf admins
- Security teams validating installer behavior
- Anyone tired of guessing silent install flags
pkgprobe is intentionally conservative.
It prefers:
- Explainability over magic
- Confidence scoring over certainty
- Safety over speed
If it can't be confident, it tells you why.
That's how real platform tooling should behave.
MIT
