Software to package online installs for air gap

I’ve got a strange one that is making googling for it hard: Anyone know of a software package or methodology to get a full download of software for Windows environments that requires an internet connection? I imagine for nix admins there are lots of options (find source, download, self host, change yum info etc and would hit up @oO.o ) but for Windows… I would imagine if there is such a thing for Windows @wendell would know.

Scenario: Brand X, Y and Z software builds are all small-sized .exe’s (Windows software) that, when executed on the client, reach out to the internet to grab the rest of the installation components and then install. I believe this is becoming more and more commonplace.

Many vendors/devs offer offline versions for download. But in the case where that is not provided, is there a solution for grabbing a full install to be taken into an air-gapped test environment? Kind of like WSUS Offline?

This is all way over my head, but I assume the installation .exe executes some kind of call and requires connectivity and working DNS to then find a host server of the vendor for the rest of the package, with some handshakes probably involved and some loops and checks throughout the process. So I know this is a huge ask, but I’m wondering if someone has maybe made some kind of sandbox-like app that can do a quasi-install in a sandbox, package that up into an .exe or .msi, and then it can be distributed in an environment where you do not want to punch a temporary hole in the network to have internet connectivity. Maybe a feature in Chocolatey?

Could a proxy work or is it literally airgapped?

2 Likes

Let’s say yes, as I want to investigate how to administrate in such a situation/use-case. In fact, from a non-air-gapped situation it’s still very interesting if someone wanted to self-host software that has since been removed/taken down/gone out of business.

I ran into two Notepad++ plugins that I really wanted and their source URLs are no longer working, and there is no ‘stash’ on someone else’s GitHub (that I could find). Not 100% the same thing, but similar-ish.

1 Like

Yeah, all I can think of is to pre-load a caching proxy.

2 Likes

Would that be something like having Squid on pfsense, install the software on a box that does have internet access, and then after that other boxes would only need access to the caching proxy (squid) for subsequent installs?

1 Like

Yeah, but I have no idea if that’s a good approach. I’ve never used squid tbh.

1 Like
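A quick way to tell whether the caching-proxy idea from the two posts above is actually doing anything, as an added example that is not from this thread: send the same installer URL through the proxy twice and read Squid’s `X-Cache` response header, which says `HIT from <host>` or `MISS from <host>`. The proxy address and the download URL below are placeholders, not anything the posts named.

```powershell
# Added example (not from the thread): check whether a caching proxy such as Squid
# served an installer download from cache. The proxy address and the URL are
# assumptions; substitute the pfSense/Squid listener and a real download link.
$Proxy = 'http://pfsense.example.internal:3128'          # assumed Squid listener
$Url   = 'http://example.com/downloads/setup-full.exe'   # assumed plain-HTTP installer URL

function Test-ProxyCacheHit {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $ProxyUri
    )
    # HEAD keeps the check cheap; -Proxy forces this request through Squid even if
    # the machine's own proxy settings would bypass it.
    $resp = Invoke-WebRequest -Uri $Uri -Method Head -Proxy $ProxyUri -UseBasicParsing
    # Squid appends "X-Cache: HIT from <host>" or "X-Cache: MISS from <host>".
    # Cast to string so the check behaves the same on PowerShell 5.1 and 7,
    # whose Headers collections differ in value type.
    $xcache = [string]$resp.Headers['X-Cache']
    [pscustomobject]@{
        Uri    = $Uri
        Status = $resp.StatusCode
        XCache = $xcache
        Hit    = $xcache -like 'HIT*'
    }
}

# On the internet-connected box: the first request warms the cache, the second
# should report Hit = True. Run the same check from a box that only reaches the
# proxy to confirm it no longer depends on the upstream server.
1..2 | ForEach-Object { Test-ProxyCacheHit -Uri $Url -ProxyUri $Proxy }
```

Two caveats a practitioner should expect. First, Squid’s default `maximum_object_size` is 4 MB, so a multi-hundred-megabyte installer payload is passed through but never stored until that limit is raised. Second, and more fundamentally, an `https://` URL goes through a forward proxy as a `CONNECT` tunnel: Squid sees only encrypted bytes, returns no `X-Cache` header and caches nothing. Caching HTTPS downloads requires SSL bump with a local CA installed on the clients, and bootstrappers that pin the vendor’s certificate will refuse to talk through that, so for most modern installers the proxy approach stops here.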

This is something I would be somewhat interested in as well. Primarily, this is because I really want to be able to reinstall my personal windows environment completely offline, like inside a VM, with VFIO. I’m not even close to being able to do that, but I have been doing some planning.

Personally, this is what I try:

  1. Find an offline installer. Most open source software has an offline installer available. Or for, say, games, GOG is awesome, and quite a few games on Steam/Epic are DRM-free (and can be put in an archive, extracted on another machine and run with no issue). Some places, like Autodesk, have full installers available for download if you know where to look and get past their pushing of the online installer.
  2. See if there is an offline layout option. Microsoft Office, Microsoft dev products, Macrium, and a number of other places have a way to use the bootstrapper .exe to download a copy of the files required for install, and those files can be used for an offline install.
  3. Look for alternatives. Not necessarily an option in a business environment, but for personal use it normally is.
  4. Open up Fiddler and take a look at what calls the .exe is making. For example, the Bitwarden Desktop has a bootstrapper .exe, which downloads a .7z archive with the actual program files. Fortunately, the .exe works just fine if the archive is pre-downloaded next to the .exe, and the archive is available at the GitHub release, so it is relatively easy to make it installable offline.

Where it gets more complex, as you mentioned, and are asking about, is where there are one or more api calls to get file(s), instead of just downloading something at a specific url.

I’m not really sure what the best option is here. I sort of like the idea of recording/caching network requests while running the program in a sandbox, but for anything that has API calls that may change that won’t work as well. You may basically need to reverse engineer their server, or at least a part of it. Other times, this approach may work great.

I know that there are programs that do this sandboxing and record the things an installer is doing. But they generally work off the principle of what filesystem/registry/service changes are made, instead of network calls.

One example, which I have played with a bit, is Advanced Installer.

It’s quite pricey, like 3.5k USD license + 1k/year for updates per user, which is why I’ve just played around with the trial a bit.

I know that there are some competitors, and that they are also super pricey, and I don’t know how they compare to each other.

The Chocolatey feature you might be thinking of (package internalizer) is for getting the installer inside the package file, instead of being downloaded separately during install. This would not help your situation, as the installer that would be included in the package by the internalizer feature would be that small .exe.

1 Like
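Steps 2 and 4 in the post above boil down to the same procedure: on a connected machine, fetch the bootstrapper plus whatever it would otherwise download at run time, and carry the set across the gap. The vendor layout options the post mentions already do the download part (for instance the Office Deployment Tool’s `setup.exe /download configuration.xml`, or a Visual Studio bootstrapper’s `--layout` switch); for the Bitwarden-style case, where the payload just has to sit beside the .exe, the script below is an added example, not from the post or from any vendor, of doing that and of the check worth adding before anything runs on the air-gapped side. The URLs, file names and folder paths are placeholders.

```powershell
# Added example (not from the thread). Builds an offline bundle for a bootstrapper
# that only needs its payload placed next to it, records SHA-256 hashes and the
# Authenticode status of each file, and re-verifies the bundle after transfer.
# All URLs, file names and paths are assumptions, not values from the post.

$Manifest = @(
    # Assumed names: the small bootstrapper and the archive it would fetch at run time.
    @{ Name = 'Vendor-Setup.exe';        Url = 'https://downloads.example.com/Vendor-Setup.exe' }
    @{ Name = 'Vendor-Setup-payload.7z'; Url = 'https://downloads.example.com/Vendor-Setup-payload.7z' }
)

function New-OfflineBundle {
    param(
        [Parameter(Mandatory)] [string]      $Destination,
        [Parameter(Mandatory)] [hashtable[]] $Items
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $records = foreach ($item in $Items) {
        $path = Join-Path $Destination $item.Name
        # Internet-connected side: fetch each component once.
        Invoke-WebRequest -Uri $item.Url -OutFile $path -UseBasicParsing
        # The hash proves nothing about the vendor; the Authenticode signature does.
        # A signed PE reports 'Valid'; an archive or unsigned file reports 'NotSigned'.
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $item.Name
            Sha256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Signature = [string]$sig.Status
            Signer    = [string]$sig.SignerCertificate.Subject
            Source    = $item.Url
        }
    }
    # The manifest travels with the bundle. Keep its hash (or a second copy) outside
    # the bundle so a tampered transfer medium cannot rewrite files and manifest alike.
    $records | ConvertTo-Json | Set-Content -Path (Join-Path $Destination 'manifest.json')
    $records
}

function Test-OfflineBundle {
    param([Parameter(Mandatory)] [string] $Path)
    # Air-gapped side: compare every file against the manifest before running setup.
    $manifest = Get-Content -Path (Join-Path $Path 'manifest.json') -Raw | ConvertFrom-Json
    $problems = foreach ($entry in $manifest) {
        $file = Join-Path $Path $entry.Name
        if (-not (Test-Path -Path $file)) { "$($entry.Name): missing"; continue }
        $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) { "$($entry.Name): hash mismatch" }
    }
    if ($problems) { throw ("Bundle failed verification:`n" + ($problems -join "`n")) }
    "Bundle OK: $(@($manifest).Count) file(s) verified"
}

# Usage, connected box:   New-OfflineBundle -Destination 'C:\Staging\Vendor' -Items $Manifest
# Usage, air-gapped box:  Test-OfflineBundle -Path 'D:\Vendor'; then run Vendor-Setup.exe from D:\Vendor
```

The hash manifest only detects changes between the two sides of the gap; if the download itself was wrong, the manifest faithfully records a wrong file. That is why the bundle records `Get-AuthenticodeSignature` output for the bootstrapper: reject a bundle whose signer is not the vendor you expect before the first run, and treat an archive payload, which carries no signature of its own, as trustworthy only because the signed bootstrapper chose it. When a bootstrapper makes API calls rather than fetching fixed URLs, as the post notes, this approach does not apply; the Fiddler capture has to show you stable URLs first.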

Wow quite a reply!