FMAPI
From the end user's perspective, the File Management API (FMAPI) seems to be one of the less useful APIs in the Windows operating system.
Fmapi.dll contains only eight exported functions, and they do not work anyway, returning ERROR_NOT_SUPPORTED if you call them from a regular Windows environment. The API itself is surprisingly well documented, including details about enumerations, functions and structures, and I would even say that it may serve as a good example for the rest of the team responsible for API documentation.
Even if FMAPI looks interesting, the documentation says "FMAPI can only be used in the Windows Preinstallation Environment (WinPE)". That is exactly why it returns an error when used in a typical Windows instance. I will not cover WinPE in detail today; instead, I will look at how the DLL determines whether it is being called from an installed OS or from the installer.
If you want a relatively simple exercise to practice your debugging skills, you can stop reading here and try to find the way on your own.
If you are not comfortable using a debugger, try Sysinternals Process Monitor, watching "rundll32.exe fmapi.dll,CreateFileRestoreContext". Configured symbols in procmon will help a lot, letting you clearly see the "IsWinPE" call, but you can also just guess, as the number of entries related to the command is relatively low. If you are a fan of ready-made solutions, here is one for you: fmapi.dll checks the HKLM\System\CurrentControlSet\Control\MiniNT registry key.
If such a key exists, everything works well. It means that if you are brave enough, you can create the key and use FMAPI to find undeletable files etc. Of course, it’s only an experiment and I would never recommend doing it on prod. Checking the MiniNT key seems to be quite an unreliable way of making sure it’s WinPE, but FMAPI is not the only component doing it. The Security event log seems to be way more important than FMAPI, and it behaves the opposite way: if the MiniNT key exists, it DOES NOT work, which seems to be a ready-to-use tip for both red and blue teams.
The main difference, though, is that FMAPI checks the key on every single method call, while Security event logging checks it only during boot. Anyway, if you want to play with it, you can take a look at the code I wrote a couple of years ago, trying to call FMAPI functions: https://github.com/gtworek/PSBits/tree/master/FMAPI
It creates the MiniNT key, calls the function and then deletes the key. Dirty and error-prone, but good enough for testing and demonstration purposes.
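For the blue-team side of the tip above, here is an added example (not the author's code and not part of PSBits) that grades MiniNT key activity by how long the key existed: a quick create/delete pair matches the per-call FMAPI test pattern, while a key that is never removed would still be there at the next boot. The record layout is modelled on Sysmon Event ID 12 as an assumption, the sample events and process paths are constructed, and the 30-second window is an arbitrary choice.

```python
from datetime import datetime, timedelta

# Key named in the post; Sysmon-style "HKLM\..." path form is an assumption.
MININT_KEY = r"hklm\system\currentcontrolset\control\minint"

# Constructed sample records, shaped like Sysmon Event ID 12 (key create/delete).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:00:00.000", "EventType": "CreateKey",
     "Image": r"C:\Lab\fmapi_test.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\MiniNT"},
    {"UtcTime": "2024-05-01 10:00:01.200", "EventType": "DeleteKey",
     "Image": r"C:\Lab\fmapi_test.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\MiniNT"},
    {"UtcTime": "2024-05-01 10:15:00.000", "EventType": "CreateKey",
     "Image": r"C:\Lab\other.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Example"},
    {"UtcTime": "2024-05-01 11:30:00.000", "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\MiniNT"},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def _is_minint(event):
    return event["TargetObject"].lower().rstrip("\\") == MININT_KEY

def classify_minint_events(events, transient_window=timedelta(seconds=30)):
    """Pair MiniNT create/delete events and grade how long the key existed."""
    findings, pending = [], None
    for ev in sorted(filter(_is_minint, events), key=_ts):
        if ev["EventType"] == "CreateKey" and pending is None:
            pending = ev  # earliest create opens the exposure window
        elif ev["EventType"] == "DeleteKey" and pending is not None:
            lived = _ts(ev) - _ts(pending)
            # Short create/delete pairs match per-call FMAPI testing.
            kind = "transient" if lived <= transient_window else "long-lived"
            findings.append({"kind": kind, "image": pending["Image"],
                             "created": pending["UtcTime"],
                             "lived_seconds": lived.total_seconds()})
            pending = None
    if pending is not None:
        # Never deleted: a key still present at boot is the case the post
        # says stops Security event logging, so treat it as highest priority.
        findings.append({"kind": "persistent", "image": pending["Image"],
                         "created": pending["UtcTime"], "lived_seconds": None})
    return findings

if __name__ == "__main__":
    for finding in classify_minint_events(SAMPLE_EVENTS):
        print(finding)
```

Feed it registry create/delete records from whatever telemetry you collect; only the three field names used here need to be mapped.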