Windows File Protection


Zoofield

This might be slightly off topic, but does anyone know how Windows determines that a system file has been modified? I have not looked into this, but I assume it has a list of file checksums or suchlike stashed away somewhere, since it can detect changes even if it does not have the original file available.

It would be useful to know how this works as it might open the door to replacing system files (is it OK to mention wpa kill here?) without getting pestered by WFP. Turning WFP off completely is not an attractive option.



The "feature" is called either WFP or SFC, it is (mostly) inside the SFC.DLL.

Originally it was possible to enable/disable it by changing a value in the Registry.

Later it has been modified.

Read here:

http://www.vorck.com/remove-ie.html

http://www.vorck.com/2ksp4.html#8

http://www.d--b.webpark.pl/reverse04_en.htm

http://www.bitsum.com/aboutwfp.asp

http://www.bitsum.com/index.asp#WfpAdmin

jaclaz


Thank you very much jaclaz. These are very useful links, especially the bitsum stuff, which appears to let me do exactly what I wanted via 'hack 5' and looks like a good source of information generally. Brill.

I was not aware that the ffffff9d trick had disappeared, but I would be loath to use it anyway as I believe that SFC offers a useful level of protection most of the time. I just want to be able to sneak round it when I choose to.


Have you maybe deleted Dllcache somehow...check in system32\dllcache is it full, around 300mb.

Hi nuhi,

I have the same problem. My DLL cache is VERY small ~13 MB. I have definitely not deleted the files in there, as I had the problems described in this thread right after installing. Any way to fill the dllcache again?

I am using the latest nLite (no component removal or tweaks applied with nLite, just SP2 and ryan VM)

Thanks

Pusso aka Gero


Thank you very much jaclaz. These are very useful links, especially the bitsum stuff, which appears to let me do exactly what I wanted via 'hack 5' and looks like a good source of information generally. Brill.

I was not aware that the ffffff9d trick had disappeared, but I would be loath to use it anyway as I believe that SFC offers a useful level of protection most of the time. I just want to be able to sneak round it when I choose to.

Looky here:

http://www.msfn.org/board/index.php?showtopic=46964

(untested)

B)

jaclaz


In setuperr.log there are two files: syssetup.dll and tcpip.sys

Errore:

Il file di sistema denominato [c:\windows\system32\syssetup.dll] non è stato firmato correttamente

da Microsoft. La versione corretta del file potrebbe non venire ripristinata.

Utilizzare l'utilità SFC per accertarsi che il file sia integro.

***

Errore:

Il file di sistema denominato [c:\windows\system32\drivers\tcpip.sys] non è stato firmato correttamente

da Microsoft. La versione corretta del file potrebbe non venire ripristinata.

Utilizzare l'utilità SFC per accertarsi che il file sia integro.

***

Excuse me, I don't think this topic is closed :whistle: . Does this mean I can't write about Windows File Protection :} or is there a solution in the next release :rolleyes: ?

Thanks for your very good work!

Edited by primianoc

The WFP problem is still persisting.

In 99% of the cases the protection only asks for the CD

but it doesn't recover any files from it ??? :realmad:

(at least not detected with filemon or no traces in eventviewer)

TIP:

Maybe this will help people who don't want to turn off WFP

Copy the i386 dir from the install cd to your HDD

and add the newly created path to following regkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

I haven't tried it yet but it could be worth a try.

Keep us informed :hello:

Edited by Davelicious

Your suggestion doesn't work. I tried to regenerate the dll cache with the command "sfc /scannow" and some files aren't located on the winLite disc nor on the original Windows XP SP2 corporate. The file dir_dllcache.txt is what I get from the dir command in the directory c:\windows\system32\dllcache. I think the sfc system tries to restore some files I removed with nlite, for example keyboard layouts. Any ideas? ;)

Edited by primianoc

I also performed "sfc /scannow" command to check what files are missing.

and I discovered that they are in most cases the files of components I removed (like games, etc.).

see my nlite Preset File. _20_6_05_.ini I used.

the scannow resulted in following missing files on the nlited installCD:

c:\windows\msagent\intl\agt0401.dll
c:\windows\msagent\intl\agt0408.dll
c:\windows\msagent\intl\agt040d.dll
c:\windows\msagent\intl\agt0412.dll
c:\windows\msagent\intl\agt0419.dll
c:\windows\msagent\intl\agt041f.dll
c:\program files\msn gaming zone\windows\bckg.dll
c:\program files\msn gaming zone\windows\bckgres.dll
c:\program files\msn gaming zone\windows\bckgzm.exe
c:\windows\system32\blastcln.exe
c:\windows\system32\c_10003.nls
c:\windows\system32\c_10004.nls
c:\windows\system32\c_10005.nls
c:\windows\system32\c_10006.nls
c:\windows\system32\c_10007.nls
c:\windows\system32\c_10017.nls
c:\windows\system32\c_10021.nls
c:\windows\system32\c_10081.nls
c:\windows\system32\c_1361.nls
c:\windows\system32\c_20000.nls
c:\windows\system32\c_20932.nls
c:\windows\system32\c_20936.nls
c:\windows\system32\c_20949.nls
c:\windows\system32\c_28594.nls
c:\windows\system32\c_28595.nls
c:\windows\system32\c_28596.nls
c:\windows\system32\c_28597.nls
c:\windows\system32\c_28598.nls
c:\windows\system32\c_28599.nls
c:\windows\system32\c_28603.nls
c:\windows\system32\c_708.nls
c:\windows\system32\c_720.nls
c:\windows\system32\c_737.nls
c:\windows\system32\c_855.nls
c:\windows\system32\c_857.nls
c:\windows\system32\c_862.nls
c:\windows\system32\c_864.nls
c:\windows\system32\c_866.nls
c:\windows\system32\c_869.nls
c:\windows\system32\c_875.nls
c:\windows\system32\c_is2022.dll
c:\windows\system32\c_iscii.dll
c:\windows\system32\cards.dll
c:\program files\msn gaming zone\windows\chkr.dll
c:\program files\msn gaming zone\windows\chkrres.dll
c:\program files\msn gaming zone\windows\chkrzm.exe
c:\program files\msn gaming zone\windows\cmnclim.dll
c:\program files\msn gaming zone\windows\cmnresm.dll
c:\windows\system32\freecell.exe
c:\windows\system32\ftlx041e.dll
c:\windows\ime\imkr6_1\dicts\hanja.lex
c:\windows\ime\imkr6_1\dicts\hanjadic.dll
c:\program files\msn gaming zone\windows\hrtz.dll
c:\program files\msn gaming zone\windows\hrtzres.dll
c:\program files\msn gaming zone\windows\hrtzzm.exe
c:\windows\ime\imkr6_1\applets\hwxkor.dll
c:\windows\ime\imkr6_1\dicts\imekr.lex
c:\windows\system32\imekr61.ime
c:\windows\ime\imkr6_1\imekrcic.dll
c:\windows\ime\imkr6_1\applets\imekrmbx.dll
c:\windows\ime\imkr6_1\imekrmig.exe
c:\windows\ime\imkr6_1\imkrinst.exe
c:\windows\system32\kbd101a.dll
c:\windows\system32\kbd101b.dll
c:\windows\system32\kbd101c.dll
c:\windows\system32\kbd103.dll
c:\windows\system32\kbda1.dll
c:\windows\system32\kbda2.dll
c:\windows\system32\kbda3.dll
c:\windows\system32\kbdarme.dll
c:\windows\system32\kbdarmw.dll
c:\windows\system32\kbdaze.dll
c:\windows\system32\kbdazel.dll
c:\windows\system32\kbdblr.dll
c:\windows\system32\kbdbu.dll
c:\windows\system32\kbddiv1.dll
c:\windows\system32\kbddiv2.dll
c:\windows\system32\kbdest.dll
c:\windows\system32\kbdfa.dll
c:\windows\system32\kbdgeo.dll
c:\windows\system32\kbdgkl.dll
c:\windows\system32\kbdhe.dll
c:\windows\system32\kbdhe220.dll
c:\windows\system32\kbdhe319.dll
c:\windows\system32\kbdheb.dll
c:\windows\system32\kbdhela2.dll
c:\windows\system32\kbdhela3.dll
c:\windows\system32\kbdhept.dll
c:\windows\system32\kbdinbe1.dll
c:\windows\system32\kbdinben.dll
c:\windows\system32\kbdindev.dll
c:\windows\system32\kbdinguj.dll
c:\windows\system32\kbdinhin.dll
c:\windows\system32\kbdinkan.dll
c:\windows\system32\kbdinmal.dll
c:\windows\system32\kbdinmar.dll
c:\windows\system32\kbdinpun.dll
c:\windows\system32\kbdintam.dll
c:\windows\system32\kbdintel.dll
c:\windows\system32\kbdkaz.dll
c:\windows\system32\kbdkor.dll
c:\windows\system32\kbdkyr.dll
c:\windows\system32\kbdlt.dll
c:\windows\system32\kbdlt1.dll
c:\windows\system32\kbdlv.dll
c:\windows\system32\kbdlv1.dll
c:\windows\system32\kbdmon.dll
c:\windows\system32\kbdru.dll
c:\windows\system32\kbdru1.dll
c:\windows\system32\kbdsyr1.dll
c:\windows\system32\kbdsyr2.dll
c:\windows\system32\kbdtat.dll
c:\windows\system32\kbdth0.dll
c:\windows\system32\kbdth1.dll
c:\windows\system32\kbdth2.dll
c:\windows\system32\kbdth3.dll
c:\windows\system32\kbdtuf.dll
c:\windows\system32\kbdtuq.dll
c:\windows\system32\kbdur.dll
c:\windows\system32\kbdurdu.dll
c:\windows\system32\kbdusa.dll
c:\windows\system32\kbduzb.dll
c:\windows\system32\kbdvntc.dll
c:\windows\system32\kbdycc.dll
c:\windows\system32\ksc.nls
c:\program files\movie maker\moviemk.exe
c:\windows\srchasst\msgr3en.dll
c:\windows\system32\mshearts.exe
c:\windows\srchasst\nls302en.lex
c:\windows\ime\shared\res\padrs412.dll
c:\program files\windows nt\pinball\pinball.exe
c:\program files\msn gaming zone\windows\rvse.dll
c:\program files\msn gaming zone\windows\rvseres.dll
c:\program files\msn gaming zone\windows\rvsezm.exe
c:\program files\msn gaming zone\windows\shvl.dll
c:\program files\msn gaming zone\windows\shvlres.dll
c:\program files\msn gaming zone\windows\shvlzm.exe
c:\windows\system32\sol.exe
c:\windows\system32\spider.exe
c:\windows\srchasst\srchctls.dll
c:\windows\srchasst\srchui.dll
c:\windows\help\tours\mmtour\tour.exe
c:\windows\system32\tourstart.exe
c:\program files\msn gaming zone\windows\uniansi.dll
c:\windows\system32\winmine.exe
c:\windows\system32\winntbbu.dll
c:\program files\movie maker\wmm2ae.dll
c:\program files\movie maker\wmm2eres.dll
c:\program files\movie maker\wmm2ext.dll
c:\program files\movie maker\wmm2filt.dll
c:\program files\movie maker\wmm2fxa.dll
c:\program files\movie maker\wmm2fxb.dll
c:\program files\movie maker\wmm2res.dll
c:\program files\movie maker\wmm2res2.dll
c:\windows\system32\wscntfy.exe
c:\windows\system32\wscsvc.dll
c:\windows\system32\wscui.cpl
c:\program files\msn gaming zone\windows\zclientm.exe
c:\program files\msn gaming zone\windows\zcorem.dll
c:\program files\msn gaming zone\windows\zeeverm.dll
c:\program files\msn gaming zone\windows\znetm.dll
c:\program files\msn gaming zone\windows\zoneclim.dll
c:\program files\msn gaming zone\windows\zonelibm.dll
c:\windows\system32\setup\zoneoc.dll

and like "primianoc" mentioned even if I perform sfc /scannow

with an original XP+SP2 (non nlited)

It misses a few files:

c:\windows\system32\kbd101b.dll
c:\windows\system32\kbd101c.dll
c:\windows\system32\kbd103.dll
c:\windows\system32\kbdkor.dll


Well, I don't see which files sfc tries to restore (and can't find on the original CD, "not nlited"), but I think there's something in the system (a .ini file?) in which there's the complete list of "important files". So the OS is nlited but sfc doesn't know it! We must tell it that the system is nlited! But.... how? :}
