# Package Executable Mapping

Finding out which package an executable belongs to is not an trivial task and is not 100% accurate, an executable may even belong to no package. To do so, use the heuristic described below.

Let's define an executable as the tuple path, hash and name/size i.e. [PATH,HASH,FILE].

An MSI package contains both an installation and uninstallation scripts linked to embedded resources, usually binaries. Once installed, an MSI is stored on the machine but its resources are striped out to save disk space. However most embedded binaries are listed either by name or by size. In addition, an MSI defines an installation directory.

So for each MSI we have the tuple [{HASH},{FILE},DIR] even if some installed binaries may not be present neither {HASH} nor {FILE}.

Other type of packages are treated as black box and we take only the installation directory if present or by the path of its uninstallation program if not. so we have the tuple [{},{},DIR].

An executable [PATH,HASH,FILE] is associated to a package [{HASH},{FILE},{DIR}] whenever one of those conditions is met:

• HASH is contained in {HASH}
• DIR is equal to {DIR} *
• DIR parent is equal to {DIR} *
• FILE is contained in {FILE}

If no specific package can be associated to a executable, it is associated to the default "unknown" package.

The following directories are excluded:

• WINDOWS e.g. C:\WINDOWS
• SYSTEM e.g. C:\WINDOWS\system32
• PROGRAM_FILES_COMMON e.g. C:\Program Files\Common Files\Common Files
• PROGRAM_FILES e.g. C:\Program Files\Common Files