Why can’t I copy programs out of Windows?


I've seen people internally and externally ask for help copying files out of \Windows on the device, usually EXE and DLL files. I'm not sure what their end goal is; sometimes it's to try those binaries on a different device, but there are probably other reasons too. In general, it's pretty hard to do this and the obvious methods won't work.


There are two main sections of the internal ROM of a device, called FILES and MODULES. You can copy anything you want out of the FILES section. All of the data files, like graphics and other multimedia, go in the FILES section. Some program binaries will also end up in the FILES section, depending on where Microsoft and the OEM choose to put them. You can tell that a file is in the MODULES section because it will have the FILE_ATTRIBUTE_ROMMODULE attribute as well as FILE_ATTRIBUTE_INROM. Files in the FILES section will only have FILE_ATTRIBUTE_INROM. If you're looking at the files in a file explorer that shows attributes in hex, FILE_ATTRIBUTE_ROMMODULE|FILE_ATTRIBUTE_INROM shows up as 0x2040.
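The attribute test described above, as an added example that is not code from the original post. The listing format (`<hex attrs> <path>`), the function names and the sample entries are assumptions made for illustration; the point it shows is that the two bits should be tested with a mask, since an entry that also carries read-only, hidden or system bits reads as 0x2047 rather than exactly 0x2040.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Attribute bits as defined in the Windows CE SDK headers. */
#define FILE_ATTRIBUTE_INROM     0x00000040u
#define FILE_ATTRIBUTE_ROMMODULE 0x00002000u
#define ROM_MODULE_MASK (FILE_ATTRIBUTE_INROM | FILE_ATTRIBUTE_ROMMODULE) /* 0x2040 */
typedef enum { LOC_RAM_OR_STORAGE, LOC_ROM_FILES, LOC_ROM_MODULES } rom_location;

/* Test the bits instead of comparing to 0x2040: an entry may also carry
   READONLY/HIDDEN/SYSTEM (0x1/0x2/0x4), which gives values such as 0x2047. */
rom_location classify_attributes(uint32_t attrs)
{
    if ((attrs & ROM_MODULE_MASK) == ROM_MODULE_MASK)
        return LOC_ROM_MODULES;      /* processed module, not directly copyable */
    if (attrs & FILE_ATTRIBUTE_INROM)
        return LOC_ROM_FILES;        /* ordinary file stored in ROM, copyable */
    return LOC_RAM_OR_STORAGE;       /* not in ROM at all */
}

/* Parse one line of the assumed form "<hex attrs> <path>"; -1 if malformed. */
int classify_line(const char *line, rom_location *out)
{
    char *end;
    unsigned long v = strtoul(line, &end, 16);
    if (end == line || (*end != ' ' && *end != '\t')) return -1;
    *out = classify_attributes((uint32_t)v);
    return 0;
}

/* Constructed sample listing with hypothetical names, not from a real device. */
static const char *SAMPLE[] = {
    "0x2047 \\Windows\\example_module.dll",
    "0x0047 \\Windows\\example_sound.wav",
    "0x0020 \\Windows\\example_installed.exe",
    "0x2040 \\Windows\\example_module.exe",
};

/* Count the sample entries that sit in the MODULES section. */
int count_sample_modules(void)
{
    int n = 0;
    rom_location loc;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        n += (classify_line(SAMPLE[i], &loc) == 0 && loc == LOC_ROM_MODULES);
    return n;
}

int main(void) { printf("modules in sample: %d\n", count_sample_modules()); return 0; }
```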


The programs in the MODULES section of ROM are specially processed before getting put into ROM. Most of the headers are removed and the addresses are fixed up so that the programs can run without having to be loaded into RAM first. This saves RAM and improves performance later on. What this means to you is that even if you could get the bytes out of ROM, you wouldn't be able to use them. The binary has been stripped down and customized for that particular device.


There are unsupported tools externally available that are able to copy the modules out of ROM and then try to reconstruct the original file. If you still need to extract those bytes, you can probably find one of those tools.


 


Scott

Comments (15)
  1. Tibor says:

    When you target multiple Windows Mobile versions from one binary, it is often the case that you statically link to a function or dll which doesn’t exist on one version or flavour but works fine on others. Currently there is no usable tool to find these troubleshot points.

    On desktop Windows you would just use “depends” and identify these issues in minutes. On Mobile the only way currently is to get a third party implementation of “depends” which supports CE (Dependency Walker), but to be able to use that efficiently you do need to extract the DLLs from the Windows folder, which is not supported officially.

    This is a legitimate scenario, which I have run into quite a few times already. When will we have an implementation of “depends”, which runs on the device, I can feed it with an “EXE” or “DLL”, and it gives me back the incorrect links? Or a legitimate way to extract the DLLs from the device.

  2. scyost says:

    I’m not sure I have a great answer for you. Dependency Walker is what we use internally, but like you mention, you can’t use it on the device.

    I doubt it will ever be easier in the short term to extract binaries from the MODULES section. The information that you need to reconstruct that DLL has been discarded to save space and boost runtime performance. It’s probably possible to write a version of depends that would work on a device, though. That is a little bit out of my area of expertise.

  3. Davide De Marchi says:

    Hi Scott

    I have an old HTC P3600 with Windows Mobile 5 and I bought the new HTC TyTN II.

    My VERY BIG problem is that I use that phone for work and in the new Windows Mobile 6 there isn’t the Remote Desktop Connection Client!!!!!!!

    I didn’t find programs for the remote desktop connection (there are some programs but all of these need to install something on the server and I don’t want to do it) so I would try to extract mstsc40.exe from P3600 and copy it on TyTN II: could you tell me a name of "unsupported tools externally available that are able to copy the modules out of ROM"?

    thank you

    Davide

  4. djet says:

    Thanks for this post, one question less I have. Yet the others:

    1) Long time ago Mike wrote about significant difference between NAND and NOR storage that the latter can XIP. But AFAIK NOR is rare guest in modern PDAs. How can modules XIP then?

    2) Are these modules somehow connected with different WM *features* or they are just another type of file storage?

    3) How are modules physically stored in the firmware and what type of ROM area they correspond to: XIP, IMGFS, ..?

    Davide De Marchi, don’t bother, better search for WM6 RDP cab. I doubt it’s legal but when a $1000 device lacks basic features it’s us who feel robbed.

  5. davidedemarchi says:

    Djet

    Thank you for the signalling, I found and installed the WM6 RDP cab and it works very well.

    Still cannot understand why Microsoft doesn’t install it by default: it’s only 700Kb and doesn’t disturb anyone who doesn’t want to use it….boh….

    Thank again

    Davide De Marchi

  6. jabbp says:

    I have a Dell Axim 51V with Windows Mobile 5 and I will buy the new HTC.

    My VERY BIG problem is that when I use the Remote Desktop Connection (Terminal Service Client) on the Axim 51V, I see the whole desktop screen, but when I use the Terminal Service Client on the HTC I see a small part of the desktop screen.

    I would try to extract mstsc40.exe from Dell Axim 51V and copy it on HTC: could you tell me a name of "unsupported tools externally available that are able to copy the modules out of ROM"?

    thank you

    Jorge Babo

    forn@kraftbaterias.com.br

  7. scyost says:

    I can’t help you do that. It violates our licensing agreements.

  8. jabbp says:

    When I use the Remote Desktop Connection (Terminal Service Client) on the Axim 51V, I can see the whole desktop screen, so could you tell me which smartphone has the same Terminal Service Client as the Axim 51V?

    Please help me!!!!!!!!!!!

  9. cmonex says:

    well i’d like to correct some of the info here

    1. the original purpose of modules was indeed running them directly from ROM but nowadays that doesn’t really happen (NAND). kind of an outdated concept unless you care about the time it takes the loader to fixup the addresses for an ordinary dll.

    2. you can extract and fully reconstruct DLL modules from wm5 and wm6. the information has not been discarded (as the update loader needs it). you have always been able to fully reconstruct EXEs (information has never been discarded for them). you can also fully reconstruct DLLs from earlier devices than WM5 (and from plain CE5) but that is a bit harder, though if the device is ARM then it can be 99% automated in a tool.

    3. it applies both to XIP and IMGFS modules.

    4. as for djet’s other questions, they are not connected with features. physical storing? this is a broad topic, what did you mean?

    5. executabilitycheck will work as a dependencywalker on ARM and MIPS devices.

  10. Alex Soh says:

    When doing device driver development, I am only able to overwrite the dll file in Windows once. I am not able to overwrite the dll file the second time. Why is it so?

  11. guna says:

    i bet microsoft should have been crazy thinking this as some part of security.

    it’s obvious that any person with WinCE knowledge and the output binary format will get the files back.

    this idea just makes life tough for normal average application developers.

  12. cmonex says:

    @ alex soh: rename the dll then copy your new version of it there then reboot. when it is in rom it lets you "overwrite", afterwards it will be in use so no overwrite

    @ guna: yeah, though if you had read my post a bit more carefully, you’d see it wasn’t entirely trivial before WM5. 🙂

  13. cmonex says:

    @ guna: I forgot to add, this was not for security reasons originally, I think

  14. crusher says:

    not to sound harsh, nor funny, but the most logical answer for this is that you actually probably load the DLL into memory for usage, and "running" code may not be overwritten.

  15. Ryan says:

    After reading the WM docs and this thread, I still have the following questions. Much appreciated if someone can help answer.

    First, to confirm my understanding: the whole flash is normally partitioned into several pieces: the ULDR section, NK section, IMGFS section and USERSTORE (configurable via memory.cfg.xml). Is this right?

    Second, are files in the IMGFS partition mapped into the Windows directory? Can those files (not MODULES) in IMGFS be copied out of the device?

    Third, where are the files (core.dll, nk.exe, etc.) in the NK partition mapped to? Are they readable (and copy-able) via Explorer in ActiveSync?

Comments are closed.
