Misc Research

Calc Vs Win32Calc Vs CalculatorApp

otherwindows

The code snippet below is the main function of `calc.exe`. On modern Windows, when you execute `calc.exe` located in the `C:\Windows\System32\` directory, it will call `ShellExecut…

Calc Vs Win32Calc Vs CalculatorApp

The code snippet below is the main function of calc.exe.

int __stdcall wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int nShowCmd)
{
  GUID ProviderId; // [rsp+30h] [rbp-58h] BYREF
  _BYTE v6[32]; // [rsp+40h] [rbp-48h] BYREF
  const char *v7; // [rsp+60h] [rbp-28h]
  int v8; // [rsp+68h] [rbp-20h]
  int v9; // [rsp+6Ch] [rbp-1Ch]
 
  ProviderId = (GUID)*((_OWORD *)off_140004008 - 1);
  if ( RegHandle )
    __fastfail(5u);
  xmmword_140004028 = 0LL;
  if ( !EventRegister(&ProviderId, tlgEnableCallback, &dword_140004000, &RegHandle) )
    EventSetInformation(RegHandle, 2LL, off_140004008, *(unsigned __int16 *)off_140004008);
  if ( (unsigned int)dword_140004000 > 5
    && (qword_140004010 & 0x2000000000000LL) != 0
    && (qword_140004018 & 0x2000000000000LL) == qword_140004018 )
  {
    v9 = 0;
    v7 = "CalculatorStarted";
    v8 = 18;
    tlgWriteTransfer_EventWriteTransfer(
      &dword_140004000,
      &unk_140003489,
      0LL,
      0LL,
      3,
      v6,
      *(_QWORD *)&ProviderId.Data1,
      *(_QWORD *)ProviderId.Data4);
  }
  ShellExecuteW(0LL, 0LL, L"ms-calculator:", 0LL, 0LL, 1);
  return 0;
}

On modern Windows, when you execute calc.exe located in the C:\Windows\System32\ directory, it will call ShellExecuteW with the URI scheme ms-calculator:. This means that calc.exe is essentially a launcher for whatever is registered to handle that URI scheme.

On Windows 10 and Windows 11, where the modern Calculator app is installed, the ms-calculator URI scheme is registered to launch CalculatorApp.exe, else it will fallback to launching the old Win32Calc.exe.

Below are the related registry keys for the URI scheme as well as how the process tree looks like when you execute calc.exe.

Registry Keys and Process Tree

If the store is not available for example on a Windows Server, you'll see the following key populated: HKEY_CLASSES_ROOT\ms-calculator\shell\open\command with the value (Default) pointing to C:\Windows\System32\Win32Calc.exe.

The process tree would look like this:

-- calc.exe
   -- Win32Calc.exe

However if the modern Calculator app is installed. Then the registry path is different.

[Work In Progress]