Windows File Protection

[babyboomer]

This might be slightly off topic, but does anyone know how Windows determines that a sytem file has been modified? I have not looked into this, but I assume it has a list of file checksums or suchlike stashed away somewhere, since it can detect changes even if it does not have the original file available.

It would be useful to know how this works as it might open the door to replacing system files (is it OK to mention wpa kill here?) without getting pestered by WFP. Turning WFP off completely is not an attractive option.

[jaclaz]

The "feature" is called either WFP or SFC, it is (mostly) inside the SFC.DLL.

Originally it was possible to enable/disable it changing a value in the Registry.

Later it has been modified.

Read here:

http://www.vorck.com/remove-ie.html

http://www.vorck.com/2ksp4.html#8

http://www.d--b.webpark.pl/reverse04_en.htm

http://www.bitsum.com/aboutwfp.asp

http://www.bitsum.com/index.asp#WfpAdmin

jaclaz

[babyboomer]

Thank you very much jaclaz. These are very useful links, especially the bitsum stuff, which appears to let me do exactly what I wanted via 'hack 5' and looks like a good source of information generally. Brill.

I was not aware that the ffffff9d trick had disappeared, but I would be loath to user it anyway as I believe that SFC offers a useful level of protection most of the time. I just want to be able to sneak round it when I choose to.

[Pusso]

Have you maybe deleted Dllcache somehow...check in system32\dllcache is it full, around 300mb.

<{POST_SNAPBACK}>

Hi nuhi,

I have the same problem. My DLL cache is VERY small ~13 MB. I have definitely not deleted the files in there, as I had the problems described in this thread right after installing. Any way to fill the dllcache again?

I am using the latest nLite (no component removal or tweaks applied with nLite, just SP2 and ryan VM)

Thanks

Pusso aka Gero

[jaclaz]

Thank you very much jaclaz.  These are very useful links, especially the bitsum stuff, which appears to let me do exactly what I wanted via 'hack 5' and looks like a good source of information generally.  Brill.

I was not aware that the ffffff9d trick had disappeared, but I would be loath to user it anyway as I believe that SFC offers a useful level of protection most of the time.  I just want to be able to sneak round it when I choose to.

Looky here:

http://www.msfn.org/board/index.php?showtopic=46964

(untested)

B)

jaclaz

[RJARRRPCGP]

This don't appear to be in the right category. Oops.

Edited June 30, 2005 by RJARRRPCGP

[primianoc]

In setuperr.log there is two files: syssetup.dll and tcpip.sys

Errore:

Il file di sistema denominato [c:\windows\system32\syssetup.dll] non è stato firmato correttamente

da Microsoft. La versione corretta del file potrebbe non venire ripristinata.

Utilizzare l'utilità SFC per accertarsi che il file sia integro.

***

Errore:

Il file di sistema denominato [c:\windows\system32\drivers\tcpip.sys] non è stato firmato correttamente

da Microsoft. La versione corretta del file potrebbe non venire ripristinata.

Utilizzare l'utilità SFC per accertarsi che il file sia integro.

***

Excuse me, i don't think this topic is closed . This means i can't write about windows file protection or there's a solution in the next release ?

Thanks for your very good work!

Edited July 8, 2005 by primianoc

[Davelicious]

The WFP problem is still persisting.

In 99% of the cases the protection only asks for the CD

but it doesn't recover any files from it ???

(at least not detected with filemon or no traces in eventviewer)

TIP:

Maybe this will help people who doesn't want to turn off WFP

Copy the i386 dir from the install cd to your HDD

and add the newly created path to following regkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

I haven't tried it yet but it could be worth a try.

Keep us informed

Edited July 8, 2005 by Davelicious

[primianoc]

Your suggestion don't work. I try to regenerate the dll cache with command "sfc /scannow" and some file anren't located on winLite disc nor on original windows xp sp2 corporate. The file dir_dllcache.txt is what i get by the dir command in the directory c:\windows\system32\dllcache. I think the sfc system try to restore some files i remove by nlite, for exemple keyboard layout. Any ideas?

Edited July 8, 2005 by primianoc

[Davelicious]

I also performed "sfc /scannow" command to check what files are missing.

and I discovered that it are in most cases the files of components I removed. (like games, etc)

see my nlite Preset File. _20_6_05_.ini I used.

the scannow resulted in following missing files on the nlited installCD:

c:\windows\msagent\intl\agt0401.dll
c:\windows\msagent\intl\agt0408.dll
c:\windows\msagent\intl\agt040d.dll
c:\windows\msagent\intl\agt0412.dll
c:\windows\msagent\intl\agt0419.dll
c:\windows\msagent\intl\agt041f.dll
c:\program files\msn gaming zone\windows\bckg.dll
c:\program files\msn gaming zone\windows\bckgres.dll
c:\program files\msn gaming zone\windows\bckgzm.exe
c:\windows\system32\blastcln.exe
c:\windows\system32\c_10003.nls
c:\windows\system32\c_10004.nls
c:\windows\system32\c_10005.nls
c:\windows\system32\c_10006.nls
c:\windows\system32\c_10007.nls
c:\windows\system32\c_10017.nls
c:\windows\system32\c_10021.nls
c:\windows\system32\c_10081.nls
c:\windows\system32\c_1361.nls
c:\windows\system32\c_20000.nls
c:\windows\system32\c_20932.nls
c:\windows\system32\c_20936.nls
c:\windows\system32\c_20949.nls
c:\windows\system32\c_28594.nls
c:\windows\system32\c_28595.nls
c:\windows\system32\c_28596.nls
c:\windows\system32\c_28597.nls
c:\windows\system32\c_28598.nls
c:\windows\system32\c_28599.nls
c:\windows\system32\c_28603.nls
c:\windows\system32\c_708.nls
c:\windows\system32\c_720.nls
c:\windows\system32\c_737.nls
c:\windows\system32\c_855.nls
c:\windows\system32\c_857.nls
c:\windows\system32\c_862.nls
c:\windows\system32\c_864.nls
c:\windows\system32\c_866.nls
c:\windows\system32\c_869.nls
c:\windows\system32\c_875.nls
c:\windows\system32\c_is2022.dll
c:\windows\system32\c_iscii.dll
c:\windows\system32\cards.dll
c:\program files\msn gaming zone\windows\chkr.dll
c:\program files\msn gaming zone\windows\chkrres.dll
c:\program files\msn gaming zone\windows\chkrzm.exe
c:\program files\msn gaming zone\windows\cmnclim.dll
c:\program files\msn gaming zone\windows\cmnresm.dll
c:\windows\system32\freecell.exe
c:\windows\system32\ftlx041e.dll
c:\windows\ime\imkr6_1\dicts\hanja.lex
c:\windows\ime\imkr6_1\dicts\hanjadic.dll
c:\program files\msn gaming zone\windows\hrtz.dll
c:\program files\msn gaming zone\windows\hrtzres.dll
c:\program files\msn gaming zone\windows\hrtzzm.exe
c:\windows\ime\imkr6_1\applets\hwxkor.dll
c:\windows\ime\imkr6_1\dicts\imekr.lex
c:\windows\system32\imekr61.ime
c:\windows\ime\imkr6_1\imekrcic.dll
c:\windows\ime\imkr6_1\applets\imekrmbx.dll
c:\windows\ime\imkr6_1\imekrmig.exe
c:\windows\ime\imkr6_1\imkrinst.exe
c:\windows\system32\kbd101a.dll
c:\windows\system32\kbd101b.dll
c:\windows\system32\kbd101c.dll
c:\windows\system32\kbd103.dll
c:\windows\system32\kbda1.dll
c:\windows\system32\kbda2.dll
c:\windows\system32\kbda3.dll
c:\windows\system32\kbdarme.dll
c:\windows\system32\kbdarmw.dll
c:\windows\system32\kbdaze.dll
c:\windows\system32\kbdazel.dll
c:\windows\system32\kbdblr.dll
c:\windows\system32\kbdbu.dll
c:\windows\system32\kbddiv1.dll
c:\windows\system32\kbddiv2.dll
c:\windows\system32\kbdest.dll
c:\windows\system32\kbdfa.dll
c:\windows\system32\kbdgeo.dll
c:\windows\system32\kbdgkl.dll
c:\windows\system32\kbdhe.dll
c:\windows\system32\kbdhe220.dll
c:\windows\system32\kbdhe319.dll
c:\windows\system32\kbdheb.dll
c:\windows\system32\kbdhela2.dll
c:\windows\system32\kbdhela3.dll
c:\windows\system32\kbdhept.dll
c:\windows\system32\kbdinbe1.dll
c:\windows\system32\kbdinben.dll
c:\windows\system32\kbdindev.dll
c:\windows\system32\kbdinguj.dll
c:\windows\system32\kbdinhin.dll
c:\windows\system32\kbdinkan.dll
c:\windows\system32\kbdinmal.dll
c:\windows\system32\kbdinmar.dll
c:\windows\system32\kbdinpun.dll
c:\windows\system32\kbdintam.dll
c:\windows\system32\kbdintel.dll
c:\windows\system32\kbdkaz.dll
c:\windows\system32\kbdkor.dll
c:\windows\system32\kbdkyr.dll
c:\windows\system32\kbdlt.dll
c:\windows\system32\kbdlt1.dll
c:\windows\system32\kbdlv.dll
c:\windows\system32\kbdlv1.dll
c:\windows\system32\kbdmon.dll
c:\windows\system32\kbdru.dll
c:\windows\system32\kbdru1.dll
c:\windows\system32\kbdsyr1.dll
c:\windows\system32\kbdsyr2.dll
c:\windows\system32\kbdtat.dll
c:\windows\system32\kbdth0.dll
c:\windows\system32\kbdth1.dll
c:\windows\system32\kbdth2.dll
c:\windows\system32\kbdth3.dll
c:\windows\system32\kbdtuf.dll
c:\windows\system32\kbdtuq.dll
c:\windows\system32\kbdur.dll
c:\windows\system32\kbdurdu.dll
c:\windows\system32\kbdusa.dll
c:\windows\system32\kbduzb.dll
c:\windows\system32\kbdvntc.dll
c:\windows\system32\kbdycc.dll
c:\windows\system32\ksc.nls
c:\program files\movie maker\moviemk.exe
c:\windows\srchasst\msgr3en.dll
c:\windows\system32\mshearts.exe
c:\windows\srchasst\nls302en.lex
c:\windows\ime\shared\res\padrs412.dll
c:\program files\windows nt\pinball\pinball.exe
c:\program files\msn gaming zone\windows\rvse.dll
c:\program files\msn gaming zone\windows\rvseres.dll
c:\program files\msn gaming zone\windows\rvsezm.exe
c:\program files\msn gaming zone\windows\shvl.dll
c:\program files\msn gaming zone\windows\shvlres.dll
c:\program files\msn gaming zone\windows\shvlzm.exe
c:\windows\system32\sol.exe
c:\windows\system32\spider.exe
c:\windows\srchasst\srchctls.dll
c:\windows\srchasst\srchui.dll
c:\windows\help\tours\mmtour\tour.exe
c:\windows\system32\tourstart.exe
c:\program files\msn gaming zone\windows\uniansi.dll
c:\windows\system32\winmine.exe
c:\windows\system32\winntbbu.dll
c:\program files\movie maker\wmm2ae.dll
c:\program files\movie maker\wmm2eres.dll
c:\program files\movie maker\wmm2ext.dll
c:\program files\movie maker\wmm2filt.dll
c:\program files\movie maker\wmm2fxa.dll
c:\program files\movie maker\wmm2fxb.dll
c:\program files\movie maker\wmm2res.dll
c:\program files\movie maker\wmm2res2.dll
c:\windows\system32\wscntfy.exe
c:\windows\system32\wscsvc.dll
c:\windows\system32\wscui.cpl
c:\program files\msn gaming zone\windows\zclientm.exe
c:\program files\msn gaming zone\windows\zcorem.dll
c:\program files\msn gaming zone\windows\zeeverm.dll
c:\program files\msn gaming zone\windows\znetm.dll
c:\program files\msn gaming zone\windows\zoneclim.dll
c:\program files\msn gaming zone\windows\zonelibm.dll
c:\windows\system32\setup\zoneoc.dll

and like "primianoc" mentioned even if I perform sfc /scannow

with an original XP+SP2 (non nlited)

It misses a few files:

c:\windows\system32\kbd101b.dll
c:\windows\system32\kbd101c.dll
c:\windows\system32\kbd103.dll
c:\windows\system32\kbdkor.dll

[primianoc]

Well, i don't see which files sfc try to restore (and can't find on original cd "not nlited"), but i think there's somethink in the system (a .ini file?) in which there's the complete list of "important files". So the os is nlited but sfc don't know it! We must tell it that the system is nlited! But.... how?

[jaclaz]

The list of files is INSIDE sfcfiles.dll.

(NOT sfc.dll) thanks Toods.

Read the links in my previous posts.

jaclaz

Edited July 9, 2005 by jaclaz

[Toods]

The list of files is INSIDE sfc.dll.

Read the links in my previous posts.

jaclaz

<{POST_SNAPBACK}>

I think you mean sfcfiles.dll.

[jaclaz]

I think you mean sfcfiles.dll.

Yep, sorry, I meant SFCFILES.DLL.

I am correcting my previous post, so that it does not make confusion.

Here is where it is explained:

http://www.vorck.com/2ksp4.html#8

Edited July 9, 2005 by jaclaz

[primianoc]

It's a good site, but that's a way to disable totally sfc. Is there a way for enable sfc only for any files?