False Positive - Microsoft Photos

Gregg · March 6, 2025, 3:48pm

I’m seeing a significant number of Windows 10/11 machines flagged for Microsoft Photos vulnerability when the ‘detected’ file doesn’t exist on the Windows machine.

For instance, this is what OpenVAS complained about:

Microsoft Photos App RCE Vulnerability (October 2024)
Detection Result
Installed version: 2019.19071.12548.0
Fixed version:     2022.30050.31008.0
Installation
path / port:       C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe

But when I look at the machine, it’s not there:

C:\UTILS\sysinternals>psexec -h \\c4b0 cmd /c dir "C:\Program Files\WindowsApps\Microsoft.Windows.Photos*"

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com


 Volume in drive C is Windows
 Volume Serial Number is EE7D-CE5D

 Directory of C:\Program Files\WindowsApps

03/04/2025  08:56 AM    <DIR>          Microsoft.Windows.Photos_2025.11020.11001.0_neutral_~_8wekyb3d8bbwe
03/04/2025  08:56 AM    <DIR>          Microsoft.Windows.Photos_2025.11020.11001.0_x64__8wekyb3d8bbwe
               0 File(s)              0 bytes
               2 Dir(s)  137,598,054,400 bytes free
cmd exited on c4b0 with error code 0.

cfi · March 7, 2025, 8:05am

Lacking the knowledge on Windows but it seems the detection happens based on the following registry key (See gb_ms_photos_app_detect_win.nasl file):

SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\

and there this affected Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe package is still included.

Not sure if this is works as expected / by design so have raised an internal Ticket for the team responsible for this topic but can’t give any info if / when / how this is getting handled.

Gregg · March 7, 2025, 1:43pm

Thanks cfi,

I can confirm that even though the actual files aren’t on the system, the registry key does still exist - just like you indicated.

C:\WINDOWS\system32>reg query "hklm\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages" | find "Photos"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Windows.Photos_2025.11020.11001.0_neutral_~_8wekyb3d8bbwe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Windows.Photos_2025.11020.11001.0_x64__8wekyb3d8bbwe