Inside Windows package manager

Windows Package Manager (winget) provides exciting features to install and upgrade apps on Windows devices. But how does winget actually work and how are new packages integrated? Within this post I want to elaborate on some questions I had when having a closer look into winget.

How does winget find sources?

  1. msstore: Microsoft Store (public)
  2. winget: Winget Content Delivery Network (CDN)
Winget default sources

When searching for a particular package, e.g. with winget search wireshark, all configured sources are searched for a match.

Fiddler Capture during a winget search

Lesson learned: winget can install packages from the public Microsoft Store and from the winget CDN.

How are winget CDN packages provided?

winget-pkgs git repo hosted on GitHub

The manifests folder within the repo is grouped by app vendor and app name, and the YAML contents of an installer manifest look like this (abbreviated):

PackageIdentifier: Google.Chrome
PackageVersion: 108.0.5359.125
InstallerType: wix
UpgradeBehavior: install
- ...
- ...
ReleaseDate: 2022-12-13
Installers:
- Architecture: x64
  Scope: user
  InstallerSha256: 91411A41F74B03DD135D466A1CB9DC1B9BC58FA6C0EE311EDE5717DAF86863BD
  ProductCode: '{6EA4A09D-E0E2-358F-B54C-79106D2D2C95}'
- Architecture: x64
  Scope: machine
  InstallerSha256: 91411A41F74B03DD135D466A1CB9DC1B9BC58FA6C0EE311EDE5717DAF86863BD
  ProductCode: '{6EA4A09D-E0E2-358F-B54C-79106D2D2C95}'
ManifestType: installer
ManifestVersion: 1.2.0

Besides some basic metadata, a manifest contains the download URLs of the installer for the different architectures and installation scopes, each with a SHA256 hash that the client uses to verify the integrity of the downloaded file.
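The integrity check the manifest enables, as an added example that is not code from the post or from the winget project: it reads the Installers list of a manifest and compares the SHA256 of a downloaded file against InstallerSha256, also flagging a non-HTTPS InstallerUrl. The manifest, URLs, and installer bytes are constructed for this demo (one entry is deliberately wrong), and the parser only handles the flat Installers list shown above, not full YAML.

```python
import hashlib

USER_MSI = b"demo installer bytes (user scope)"        # constructed stand-in for a download
MACHINE_MSI = b"demo installer bytes (machine scope)"  # constructed stand-in for a download

# Constructed manifest in the shape of a winget installer manifest. The user
# entry's hash is derived from USER_MSI; the machine entry deliberately has a
# wrong hash and a plain-HTTP URL so the checker has something to flag.
MANIFEST = f"""\
PackageIdentifier: Example.App
PackageVersion: 1.0.0
Installers:
- Architecture: x64
  Scope: user
  InstallerUrl: https://downloads.example.invalid/app-user.msi
  InstallerSha256: {hashlib.sha256(USER_MSI).hexdigest().upper()}
- Architecture: x64
  Scope: machine
  InstallerUrl: http://downloads.example.invalid/app-machine.msi
  InstallerSha256: {'0' * 64}
ManifestType: installer
"""

def parse_installers(text):
    """Minimal line parser for the Installers list (not a full YAML parser)."""
    installers, in_list = [], False
    for line in text.splitlines():
        if line.startswith("Installers:"):
            in_list = True
        elif in_list and line.startswith("- "):      # new list item
            installers.append({})
            line = "  " + line[2:]
        elif in_list and not line.startswith("  "):  # back at top level
            in_list = False
        if in_list and line.startswith("  "):
            key, _, value = line.strip().partition(":")
            installers[-1][key.strip()] = value.strip()
    return installers

def verify_installer(entry, data):
    """Return findings for one installer entry and the bytes downloaded for it."""
    findings = []
    if not entry.get("InstallerUrl", "").lower().startswith("https://"):
        findings.append("installer URL is not HTTPS")
    expected = entry.get("InstallerSha256", "").upper()
    actual = hashlib.sha256(data).hexdigest().upper()
    if len(expected) != 64:
        findings.append("InstallerSha256 missing or malformed")
    elif actual != expected:
        findings.append(f"SHA256 mismatch: manifest {expected[:8]}... vs file {actual[:8]}...")
    return findings
```

Running verify_installer over each parsed entry with its downloaded bytes returns an empty list for the user-scope entry and two findings for the machine-scope one.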

How are new (versions of) manifests published?

Besides some general validation, the pipeline definition also contains external SmartScreen checks against the installers referenced in the manifest, to prevent malicious apps from being added.

Azure DevOps Pipeline that integrates new winget manifests

Once the pipeline has completed the package becomes discoverable for the winget client:

Packages are available as soon as the pipeline is done

This is how the package submission process looks from a simplified perspective:

Simplified winget package process for the official repository

Who adds the manifests?

… Unfortunately, 75% of all commits use an address that hides the real domain from further analysis 🙃. But based on my subjective impression, a lot of packages are submitted by volunteers.

Grouping the commits only by the authors shows that a GitHub user with the username vedantmgoyal2009 authored more than 25% of all packages.

So it is still an open question for me who maintains those packages and what their motivation is… It is also possible that some people wrote automations to submit new packages automatically as soon as the sources appear.

My 🔑 take-aways

  • Winget supports multiple package sources; you can add additional ones or even host your own
  • Winget comes with winget CDN and Microsoft Store as default sources
  • Anyone with a GitHub account can publish or update manifests
  • Manifest submissions or updates are reviewed via GitHub pull requests
  • Most submissions come from individuals and not necessarily the organisations maintaining the software

Additional resources



Interested in endpoint management, security, identity and automation. #Intune #AzureAD #Defender #PowerShell #Azure
