Decompiled .winmd file contains nothing but external calls

Question

I am trying to decompile the ComboBox control for my Windows Store app into C#, but there's no code. Instead, all the properties are calls to a separate assembly, it seems. How do I find where the real code exists, and how do I read the method bodies in C#? I cannot read assembly, so that would do me no good

Answer 1

Some notes on how to reverse-engineer the WinRT internals.
Under the hood, WinRT is pure COM. First place you want to look on your machine is

C:\Program Files (x86)\Windows Kits\8.0\Include\WinRT

This directory contains IDL files, or Interface Description Language. IDL is the starting point for describing COM types. A quick search for ComboBox will let you find Windows.UI.Xaml.Controls.IDL and the declaration for the ComboBox type:

    [marshaling_behavior(agile)]
    [threading(both)]
    [static(Windows.UI.Xaml.Controls.IComboBoxStatics, 0x06020000)]
    [version(0x06020000)]
    [composable(Windows.UI.Xaml.Controls.IComboBoxFactory, public, 0x06020000)]
    runtimeclass ComboBox : Windows.UI.Xaml.Controls.Primitives.Selector
    {
        [default] interface Windows.UI.Xaml.Controls.IComboBox;
        [overridable] interface Windows.UI.Xaml.Controls.IComboBoxOverrides;
    }

It is kinda readable as-is, resembling an interface declaration in C#. If you've tinkered with COM before then you'll see new attributes from the original IDL syntax. Extra stuff to aid the language projection built into your runtime support library to create the illusion that WinRT supports implementation inheritance, generics and static class members, features that pure COM doesn't have.

These IDL files are compiled by midlrt.exe into a machine-readable format that is usable by tools like compilers. You already know that format, the output of midlrt.exe is a .winmd file. Similar to the type libraries of old but much enhanced, the underlying format was adopted from .NET's assembly manifest format. So decompiling the .winmd file isn't useful, you already have the source on your machine ;)

As is common in COM, the registry is used to find the executable that contains the code for a COM server. Start regedit.exe and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId. You'll find a list of all WinRT types that an app can create. The Windows.UI.Xaml.Controls.ComboBox key is the one you are interested in. Note the DllPath value, that points to the DLL that contains the code: C:\Windows\System32\Windows.UI.Xaml.dll on my machine. The CLSID value is the familiar COM class guid, used to ask the class factory to create the instance.

That's about where you hit the wall; the DLL contains native code like the majority of COM servers do. Written in C++ and compiled to machine code. Quite impervious to decompilation, it is an 18 megabyte monster.