Ug_0Security asked, and I am answering 🙂

Not all of them are just from win11, but it’s just a quick diff between what I saw back in 2018 and one of the latest win11 builds; pretty sure some of them appeared in later versions of win10:

appinstaller.oauth2
grvopen
IE.HTTP
microsoft.windows.camera.multipicker
ms-calculator
ms-cortana2
ms-cxh-full
ms-device-enrollment2
ms-eyecontrolspeech
ms-gamebar
ms-insights
ms-meetnow
ms-meetnowflyout
ms-msime-imepad
ms-msime-imjpdct
ms-officecmd
ms-perception-simulation
ms-phone
ms-powerautomate
ms-print-addprinter
ms-print-printjobs
ms-rdx-document
ms-screenclip
ms-screensketch
ms-search
ms-teams
ms-to-do
ms-todo
ms-windows-store-deskext
ms-wxh
ms-xbet-survey
ms-xgpueject
msgamepass
msgamingapp
msnews
mssharepointclient
msxbox

While looking at \Windows\system32\oobe\ files I had a quick check what FirstLogonAnim.exe does and discovered that on top of accepting the following command line arguments:

• /zdp (for Zero Day Package)
• /oobe
• /oobetransition
• /existinguser
• /explorer

it can be run with /RunFirstLogonAnim as a first argument and in such case will launch the ‘Windows installation’ animation. If both /RunFirstLogonAnim and /explorer are present in the command line, you won’t be able to close the animation.