NemoNada Posted November 22, 2004

In reviewing and trying to understand what's going on w/ WFP and RaveRod's hacked "SFC_OS.DLL" I noticed some discrepancies between what nLite does, RyanVM's RVMUpdatePack1.03Full.cab, and RaveRod's instructions and actual file. Can you all review this and tell me if my analysis & conclusions are correct?

Analysis-1
The SFC_OS.DL_ file in this thread provided by RaveRod is different from the SFC_OS.DL_ file in the final product nLite (v.99.4) creates BUT it is identical to the SFC_OS.DL_ file in RyanVM's RVMUpdatePack1.03Full.cab (I can list the differences if you need them - 13 total changed). The version in all 3 is the same: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

Conclusion-1
Not sure why the nLite file would be different but the obvious safe course of action is to "swap it out" for RaveRod's. Right?

Analysis-2-1
The entry for HIVESFT.INF suggested by RaveRod is:

    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SFCSetting",0x00010003,0xffffff9d

Analysis-2-2
The entry actually in the nLite build HIVESFT.INF is:

    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SfcDisable",0x00010000,0xFFFFFF9D

Analysis-2-3
The entry in the official MSFN Unattended Site section on "Bypassing Windows File Protection" is:

    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SFCSetting",0x00010001,0xffffff9d

Conclusion-2
Okay, this one's tougher... RaveRod and nLite are saying almost the same thing except RaveRod's entry adds the NOCLOBBER qualifier to the REG_MULTI_SZ that both he and nLite use. If memory serves, NOCLOBBER means that a new value cannot replace an old (existing) value.

On the other hand, the Unattended Guide is actually creating a REG_DWORD entry which is a different kind of animal altogether (text vs. hex)!?! And on checking my computer--which only has SP1 right now--it is a REG_DWORD entry.

Since the value is in hex format I believe the entry should be REG_DWORD or 0x00010000.

Comments, corrections, suggestions anyone?

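Added example (not part of any post in this thread): a small Python audit that decodes the AddReg flags field of the three HIVESFT.INF entries quoted in the post above, using the FLG_ADDREG_* constants from setupapi.h, and reports Winlogon entries whose data is 0xFFFFFF9D. The function names and the SAMPLE list are constructed for illustration.

```python
import csv

# AddReg flag constants as defined in setupapi.h (FLG_ADDREG_*)
TYPE_MASK = 0xFFFF0001  # FLG_ADDREG_TYPE_MASK
TYPES = {0x00000000: "REG_SZ", 0x00000001: "REG_BINARY",
         0x00010000: "REG_MULTI_SZ", 0x00010001: "REG_DWORD",
         0x00020000: "REG_EXPAND_SZ", 0x00020001: "REG_NONE"}
MODIFIERS = {0x02: "NOCLOBBER", 0x04: "DELVAL", 0x08: "APPEND",
             0x10: "KEYONLY", 0x20: "OVERWRITEONLY"}
WFP_DISABLED = 0xFFFFFF9D  # value the thread gives for "WFP disabled"
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"

def decode_flags(flags):
    """Split an AddReg flags field into (value type, [modifier names])."""
    base = flags & TYPE_MASK
    vtype = TYPES.get(base, "custom type 0x%08X" % base)
    mods = [name for bit, name in MODIFIERS.items() if flags & bit]
    return vtype, mods

def audit(inf_lines):
    """Return (value name, type, modifiers) for each Winlogon AddReg entry
    whose data is the WFP-disable value."""
    findings = []
    for row in csv.reader(inf_lines, skipinitialspace=True):
        if len(row) < 5 or row[1].strip().lower() != WINLOGON:
            continue
        try:
            flags, value = int(row[3], 16), int(row[4], 16)
        except ValueError:
            continue  # non-numeric flags or data: not the entry we look for
        if value == WFP_DISABLED:
            findings.append((row[2].strip(), *decode_flags(flags)))
    return findings

# The three entries quoted in the post above (constructed as file contents)
SAMPLE = [
    r'HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SFCSetting",0x00010003,0xffffff9d',
    r'HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SfcDisable",0x00010000,0xFFFFFF9D',
    r'HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SFCSetting",0x00010001,0xffffff9d',
]

if __name__ == "__main__":
    for name, vtype, mods in audit(SAMPLE):
        print(f"{name}: {vtype} {'+'.join(mods) or '(no modifiers)'}")
```

Decoded with these constants, 0x00010003 is REG_DWORD with NOCLOBBER, 0x00010000 is REG_MULTI_SZ, and 0x00010001 is plain REG_DWORD.
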
RyanVM Posted November 22, 2004

What exactly was the point of your analysis?

Denney (Author) Posted November 22, 2004

Heh. nLite's version uses a modified sfcfiles.dll to unprotect system files. That's why it is different to mine.

Mine disables WFP on protected files. nuhi's version (combined with the sfcfiles.dll file) removes the protected files from the WFP list.

I'm beginning to prefer nuhi's way better than mine because it actually removes the list of files protected by WFP.

The reason for the 2 different keys is simple. Mine is a made up key by me. I use it to change the key that Windows looks for when determining whether WFP is enabled or disabled.

SFCDisable is the default Windows key... SFCSetting is a key made up by me. nLite uses the default key because it doesn't have to worry about actually DISABLING WFP... it just helps in removing the list of files protected by WFP.

So basically...

My way DISABLES WFP
nLite's way REMOVES THE LIST of FILES protected by WFP.

nLite's way is slightly cleaner than mine. Hope that clears it up for you.

NemoNada Posted November 22, 2004

RyanVM;

> What exactly was the point of your analysis?

The "point" was made/answered by RaveRod in his reply right after yours...

Information from reputable sources (including you) didn't agree. I was attempting to figure it out myself, THEN ask you all if I had done it correctly rather than just throwing out the problem and waiting for someone else to do it for me.

BTW, thank you for the update cab! That really saved me a lot of time & hassle. Good work!

RaveRod;

If I understand you correctly, you're saying the nLite method turns off WFP by eliminating the list of files that are protected--no files are protected, therefore no WFP? Whereas your method turns off WFP regardless of whether or not there's a list?

If that's correct, then wouldn't the next update that wants to add to the WFP protected list just create a new list under the nLite method, thus turning WFP "on"--at least for that item?

My "bad" on the SFCDisable vs SFCSetting... I completely missed that difference until you pointed it out. I understand now.

Have you considered a combination of your method and nLite's? Wouldn't that get rid of the list, stop WFP, AND stop another list from being started?

Thanks again to both of you for helping!

verbal Posted November 25, 2004

I still cannot get this to work. I've replaced every sfc_os.dll file on my machine with this one AND changed both SFCSetting and SFCDisable in the registry. This doesn't work for me.

Any help would be greatly appreciated.

jdoe Posted November 25, 2004

> I still cannot get this to work. I've replaced every sfc_os.dll file on my machine with this one AND changed both SFCSetting and SFCDisable in the registry. This doesn't work for me.

Disabling Windows File Protection Permanently.

I made a hacked SFC_OS.DLL for disabling WFP without any registry settings.

You can replace the file from your Windows XP SP2 source files or follow this guide if you have already installed XP.

1) Rename the hacked SFC_OS.DLL to SFC_OS.DLL.HACK
2) Uncheck "Hide protected operating system files" from "Folder Options"
3) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32\dllcache"
4) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32"
5) Start Task Manager, select Processes tab, right-click on explorer.exe and select End Process
6) On Task Manager menu, select File / New Task (Run...) and browse to "%WINDIR%\system32\dllcache"
7) Rename SFC_OS.DLL to SFC_OS.DLL.BAK and rename SFC_OS.DLL.HACK to SFC_OS.DLL
8) Browse to "%WINDIR%\system32"
9) Rename SFC_OS.DLL to SFC_OS.DLL.BAK and rename SFC_OS.DLL.HACK to SFC_OS.DLL

If windows appears select "Cancel" and on Task Manager menu, select Shutdown / Restart

That's it. For re-enabling I think it's obvious.

English SP2 SFC_OS.DL_
French SP2 SFC_OS.DL_

Edited September 26, 2005 by jdoe

bucketbuster Posted November 25, 2004

@jdoe

Will there be complications when using the registry tweak with your hacked dll?

jdoe Posted November 25, 2004

> @jdoe
> Will there be complications when using the registry tweak with your hacked dll?

What my hacked file does is simple. Instead of reading the registry for a key and value, the code execution is redirected where it should go if the SFCDisable was FFFFFF9D (WFP disabled).

If this hacked file is used with unattended installation of Windows then SFCDisable is not created in the registry.

If this hacked file is installed using the guide then SFCDisable is there but useless.

Hoping it answers your question.

Edited September 23, 2005 by jdoe

bucketbuster Posted November 25, 2004

Thanks for clarifying

RyanVM Posted November 25, 2004

Very cool, jdoe

jdoe Posted November 25, 2004

> Very cool, jdoe

Thanks,

I made it a while ago but I didn't think one more was needed after RaveRod and nLite. But for those who really don't like WFP and don't want to deal with registry, now they have another option.

BTW, the guide is also good for UXTHEME.DLL and maybe other files' replacement with WFP enabled.

P.S.: the guide is inspired from something I read but I just can't remember where. So if some of you know where it comes from, a credit goes to that source for the idea.

verbal Posted December 2, 2004

> > I still cannot get this to work. I've replaced every sfc_os.dll file on my machine with this one AND changed both SFCSetting and SFCDisable in the registry. This doesn't work for me.
>
> Disabling Windows File Protection Permanently.
>
> I made a hacked SFC_OS.DLL for disabling WFP without any registry settings.
>
> 3) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32\dllcache"
> 4) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32"

I don't have an sfc_os.dll file in my \windows\system32\dllcache folder. I have an sfc.exe, but no sfc_os.dll. There is one in system32, but not in dllcache.

This is the same problem I had before. Thanks for any help!

jdoe Posted December 2, 2004

> > > I still cannot get this to work. I've replaced every sfc_os.dll file on my machine with this one AND changed both SFCSetting and SFCDisable in the registry. This doesn't work for me.
> >
> > Disabling Windows File Protection Permanently.
> >
> > I made a hacked SFC_OS.DLL for disabling WFP without any registry settings.
> >
> > 3) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32\dllcache"
> > 4) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32"
>
> I don't have an sfc_os.dll file in my \windows\system32\dllcache folder. I have an sfc.exe, but no sfc_os.dll. There is one in system32, but not in dllcache.
>
> This is the same problem I had before. Thanks for any help!

Well it's not the end of the world. You can type this at command prompt to know where the file is and follow the guide to replace the file where it is. From what I understand you must have only one sfc_os.dll on your system and it must be in \windows\system32

At Command Prompt

    DIR /S /B %SYSTEMDRIVE%\SFC_OS.DLL

After restart, WFP should be disabled.

itsme_4ucz Posted December 3, 2004

Hi all

can u all guys make SFC_OS.DLL to something like this SFC_OS.DL_ so even newbie can directly add to the i386 folder to the cd itself.

Bcos i myself dono how to make it.

And RyanVM you can add it to ur upcoming Update Pack 1.4.

THX

RyanVM Posted December 3, 2004

As I've already explained, I don't include hacked DLLs which don't give the user the ability to use the original functionality as well. Hence why I don't include a hacked tcpip.sys either.