The current writeup is a work in progress and will be updated with more details and context in the future.

Introduction#

The code snippet below is the main function of calc.exe.

int __stdcall wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int nShowCmd)
{
  GUID ProviderId; // [rsp+30h] [rbp-58h] BYREF
  _BYTE v6[32]; // [rsp+40h] [rbp-48h] BYREF
  const char *v7; // [rsp+60h] [rbp-28h]
  int v8; // [rsp+68h] [rbp-20h]
  int v9; // [rsp+6Ch] [rbp-1Ch]
 
  ProviderId = (GUID)*((_OWORD *)off_140004008 - 1);
  if ( RegHandle )
    __fastfail(5u);
  xmmword_140004028 = 0LL;
  if ( !EventRegister(&ProviderId, tlgEnableCallback, &dword_140004000, &RegHandle) )
    EventSetInformation(RegHandle, 2LL, off_140004008, *(unsigned __int16 *)off_140004008);
  if ( (unsigned int)dword_140004000 > 5
    && (qword_140004010 & 0x2000000000000LL) != 0
    && (qword_140004018 & 0x2000000000000LL) == qword_140004018 )
  {
    v9 = 0;
    v7 = "CalculatorStarted";
    v8 = 18;
    tlgWriteTransfer_EventWriteTransfer(
      &dword_140004000,
      &unk_140003489,
      0LL,
      0LL,
      3,
      v6,
      *(_QWORD *)&ProviderId.Data1,
      *(_QWORD *)ProviderId.Data4);
  }
  ShellExecuteW(0LL, 0LL, L"ms-calculator:", 0LL, 0LL, 1);
  return 0;
}

On modern Windows, when you execute calc.exe located in the C:\Windows\System32\ directory, it will call ShellExecuteW with the URI scheme ms-calculator:. This means that calc.exe is essentially a launcher for whatever is registered to handle that URI scheme.

On Windows 10 and Windows 11, where the modern Calculator app is installed, the ms-calculator URI scheme is registered to launch CalculatorApp.exe, else it will fallback to launching the old Win32Calc.exe.

Below are the related registry keys for the URI scheme as well as how the process tree looks like when you execute calc.exe.

Registry Keys and Process Tree#

If the store is not available for example on a Windows Server, you'll see the following key populated: HKEY_CLASSES_ROOT\ms-calculator\shell\open\command with the value (Default) pointing to C:\Windows\System32\Win32Calc.exe.

The process tree would look like this:

-- calc.exe
   -- Win32Calc.exe

However if the modern Calculator app is installed. Then the registry path is different.

Related Articles

Other threads in the archive worth reading next.

Field Notes

UWP / Packaged Desktop Application Startup Persistence

Detailed writeup on how UWP and Packaged desktop applications can create startup tasks to execute at startup, where the information about these tasks is stored, and how to enumerate them.

Field Notes

Why Does MsMpEng Spawn svchost.exe Without Flags?

An RE deep dive at why Microsoft Defender can create an svchost.exe process without the usual service-host command-line flags.

Field Notes

DismHost - Command-Line, COM Registration, and DLL Loading

Notes from reversing DismHost.exe, the out-of-process COM host used by DISM image sessions.