
SFC_OS.DLL hack for XP SP2 Final


In reviewing and trying to understand what's going w/WFP and RaveRod's hacked "SFC_OS.DLL" I noticed some discrepancies between what nLite does, RyanVM's RVMUpdatePack1.03Full.cab, and RaveRod's instructions and actual file.

Can you all review this and tell me if my analysis & conclusions are correct? :unsure:

Analysis-1 The SFC_OS.DL_ file in this thread provided by RaveRod is different from the SFC_OS.DL_ file in the final product nLite (v.99.4) creates BUT it is identical to the SFC_OS.DL_ file in RyanVM's RVMUpdatePack1.03Full.cab (I can list the differences if you need them - 13 total changed). The version in all 3 is the same: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

Conclusion-1 Not sure why the nLite file would be different but the obvious safe course of action is to "swap it out" for RaveRod's. Right? :thumbup

Analysis-2-1 The entry for HIVESFT.INF suggested by RaveRod is:

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SFCSetting",0x00010003,0xffffff9d

Analysis-2-2 The entry actually in the nLite build HIVESFT.INF is:

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SfcDisable",0x00010000,0xFFFFFF9D

Analysis-2-3 The entry in the official MSFN Unattended Site section on "Bypassing Windows File Protection" is:

HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SFCSetting",0x00010001,0xffffff9d

Conclusion-2 Okay, this one's tougher... :blushing:

RaveRod and nLite are saying almost the same thing except RaveRod's entry adds the NOCLOBBER qualifier to the REG_MULTI_SZ that both he and nLite use. If memory serves, NOCLOBBER means that a new value cannot replace an old (existing) value.

On the other hand, the Unattended Guide is actually creating a REG_DWORD entry which is a different kind of animal altogether (text vs. hex)!?! And on checking my computer--which only has SP1 right now--it is a REG_DWORD entry. :huh:

Since the value is in hex format I believe the entry should be REG_DWORD or 0x00010000.

Comments, corrections, suggestions anyone?

Link to comment
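The flags field of the three HIVESFT.INF entries quoted in the post above can be decoded mechanically, which is a quick way to audit a slipstreamed install source for WFP-related settings. This is an added example, not part of the original posts: it uses the `FLG_ADDREG_*` values from the Windows SDK header `setupapi.h`, and the function names and the `WFP_VALUE_NAMES` set are assumptions made for the illustration.

```python
import csv
import io

# AddReg flag bits from the Windows SDK header setupapi.h.
FLG_ADDREG_NOCLOBBER = 0x00000002   # do not overwrite an existing value
FLG_ADDREG_TYPE_MASK = 0xFFFF0001   # high word plus the binary-type bit
REG_TYPES = {
    0x00000000: "REG_SZ", 0x00000001: "REG_BINARY",
    0x00010000: "REG_MULTI_SZ", 0x00010001: "REG_DWORD",
    0x00020000: "REG_EXPAND_SZ", 0x00020001: "REG_NONE",
}
# Value names the thread ties to WFP (SFCSetting only applies to RaveRod's file).
WFP_VALUE_NAMES = {"sfcdisable", "sfcsetting"}

# The three entries quoted in the post above, copied verbatim.
SAMPLE_INF = r'''
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SFCSetting",0x00010003,0xffffff9d
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SfcDisable",0x00010000,0xFFFFFF9D
HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","SFCSetting",0x00010001,0xffffff9d
'''

def decode_addreg(line):
    """Split one AddReg line (root,key,name,flags,data...) and decode its flags."""
    fields = next(csv.reader(io.StringIO(line), skipinitialspace=True))
    if len(fields) < 4:
        raise ValueError("not a full AddReg entry")
    root, key, name, flags = (f.strip() for f in fields[:4])
    flags = int(flags, 16)
    vtype = flags & FLG_ADDREG_TYPE_MASK
    return {"root": root, "key": key, "name": name,
            "type": REG_TYPES.get(vtype, hex(vtype)),
            "noclobber": bool(flags & FLG_ADDREG_NOCLOBBER),
            "data": [d.strip() for d in fields[4:]]}

def wfp_entries(inf_text):
    """Return decoded Winlogon entries whose value name relates to WFP."""
    hits = []
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";[":   # skip blanks, comments, section headers
            continue
        try:
            entry = decode_addreg(line)
        except ValueError:                # short line or non-hex flags field
            continue
        if (entry["key"].lower().endswith("\\winlogon")
                and entry["name"].lower() in WFP_VALUE_NAMES):
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for e in wfp_entries(SAMPLE_INF):
        print(e["name"], e["type"], "NOCLOBBER" if e["noclobber"] else "", e["data"])
```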


Heh. nLite's version uses a modified sfcfiles.dll to unprotect system files. That's why it is different to mine.

Mine disables WFP on protected files. nuhi's version (combined with the sfcfiles.dll file) removes the protected files from the WFP list.

I'm beginning to prefer nuhi's way better than mine because it actually removes the list of files protected by WFP.

The reason for the 2 different keys is simple. Mine is a made up key by me. I use it to change the key that Windows looks for when determining whether WFP is enabled or disabled.

SFCDisable is the default Windows key... SFCSetting is a key made up by me. nLite uses the default key because it doesn't have to worry about actually DISABLING WFP... it just helps in removing the list of files protected by WFP.

So basically...

My way DISABLES WFP

nLite's way REMOVES THE LIST of FILES protected by WFP.

nLite's way is slightly cleaner than mine. Hope that clears it up for you.

Link to comment

RyanVM;

What exactly was the point of your analysis?

The "point" was made/answered by RaveRod in his reply right after yours...

Information from reputable sources (including you) didn't agree. I was attempting to figure it out myself, THEN ask you all if I had done it correctly rather than just throwing out the problem and waiting for someone else to do it for me.

BTW, thank you for the update cab! That really saved me a lot of time & hassle. Good work!

RaveRod;

If I understand you correctly, you're saying the nLite method turns off WFP by eliminating the list of files that are protected--no files are protected, therefore no WFP? Whereas your method turns off WFP regardless of whether or not there's a list?

If that's correct, then wouldn't the next update that wants to add to the WFP protected list just create a new list under the nLite method, thus turning WFP "on"--at least for that item?

My "bad" on the SFCDisable vs SFCSetting... I completely missed that difference until you pointed it out. I understand now.

Have you considered a combination of your method and nLite's? Wouldn't that get rid of the list, stop WFP, AND stop another list from being started?

Thanks again to both of you for helping!

Link to comment

I still cannot get this to work. I've replaced every sfc_os.dll file on my machine with this one AND changed both SFCSetting and SFCDisable in the registry. This doesn't work for me.

Any help would be greatly appreciated.

Link to comment

I still cannot get this to work.  I've replaced every sfc_os.dll file on my machine with this one AND changed both SFCSetting and SFCDisable in the registry.  This doesn't work for me.

Disabling Windows File Protection Permanently.

I made a hacked SFC_OS.DLL for disabling WFP without any registry settings.

You can replace the file from your Windows XP SP2 source files or follow this guide if you have already installed XP.

1) Rename the hacked SFC_OS.DLL to SFC_OS.DLL.HACK

2) Uncheck "Hide protected operating system files" in "Folder Options"

3) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32\dllcache"

4) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32"

5) Start Task Manager, select Processes tab, right-click on explorer.exe and select End Process

6) On Task Manager menu, select File / New Task(Run...) and browse to "%WINDIR%\system32\dllcache"

7) Rename SFC_OS.DLL to SFC_OS.DLL.BAK and rename SFC_OS.DLL.HACK to SFC_OS.DLL

8) Browse to "%WINDIR%\system32"

9) Rename SFC_OS.DLL to SFC_OS.DLL.BAK and rename SFC_OS.DLL.HACK to SFC_OS.DLL

If a window appears, select "Cancel" and on Task Manager menu, select Shutdown / Restart

That's it. For re-enabling I think it's obvious.

English SP2 SFC_OS.DL_

French SP2 SFC_OS.DL_

Edited by jdoe
Link to comment

@jdoe

Will there be complications when using the registry tweak with your hacked dll?

What my hacked file does is simple. Instead of reading the registry for a key and value, the code execution is redirected to where it should go if SFCDisable was FFFFFF9D (WFP disabled).

If this hacked file is used with unattended installation of Windows then SFCDisable is not created in the registry.

If this hacked file is installed using the guide then SFCDisable is there but useless.

Hope this answers your question.

Edited by jdoe
Link to comment

Very cool, jdoe

Thanks,

I made it a while ago but I didn't think one more was needed after RaveRod and nLite. But for those who really don't like WFP and don't want to deal with the registry, now they have another option.

BTW, the guide is also good for UXTHEME.DLL and maybe other file replacements with WFP enabled.

P.S.: the guide is inspired by something I read but I just can't remember where. So if some of you know where it comes from, credit goes to that source for the idea.

:)

Link to comment

I still cannot get this to work.  I've replaced every sfc_os.dll file on my machine with this one AND changed both SFCSetting and SFCDisable in the registry.  This doesn't work for me.

Disabling Windows File Protection Permanently.

I made a hacked SFC_OS.DLL for disabling WFP without any registry settings.

3) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32\dllcache"

4) Copy SFC_OS.DLL.HACK to "%WINDIR%\system32"

I don't have an sfc_os.dll file in my \windows\system32\dllcache folder. I have an sfc.exe, but no sfc_os.dll. There is one in system32, but not in dllcache.

This is the same problem I had before. Thanks for any help!

Link to comment
Well it's not the end of the world. :P

You can type this at the command prompt to find out where the file is and follow the guide to replace the file where it is. From what I understand you must have only one sfc_os.dll on your system and it must be in \windows\system32

At Command Prompt

DIR /S /B %SYSTEMDRIVE%\SFC_OS.DLL

After restart, WFP should be disabled.

Link to comment