Why can't I copy programs out of Windows?

I've seen people internally and externally ask for help copying files out of \Windows on the device, usually EXEs and DLL files. I'm not sure what their end goal - sometimes it's to try those binaries on a different device but there are probably other reasons too. In general, it's pretty hard to do this and the obvious methods won't work.

There are two main sections of the internal ROM of a device, called FILES and MODULES. You can copy anything you want out of the FILES section. All of the data files like graphics and other multimedia go in the FILES section. Some program binaries will also end up in the FILES section, depending on where Microsoft and the OEM choose to put them. You can tell a file in the MODULES section because it will have the FILE_ATTRIBUTE_ROMMODULE attribute as well as FILE_ATTRIBUTE_INROM. Files in the FILES section will only have FILE_ATTRIBUTE_INROM. If you're looking at the files in a file explorer that shows attributes in hex, FILE_ATTRIBUTE_ROMMODULE|FILE_ATTRIBUTE_INROM shows up as 0x2040.

The programs in the MODULES section of ROM are specially processed before getting put into ROM. Most of the headers are removed and the addresses are fixed up so that the programs can run without having to be loaded into RAM first. This saves RAM and performance later on. What this means to you is that even if you could get the bytes out of ROM, you wouldn't be able to use them. The binary has been stripped down and customized for that particular device.

There are unsupported tools externally available that are able to copy the modules out of ROM and then try to reconstruct the original file. If you still need to extract those bytes, you can probably find one of those tools.

 

Scott