Zoofield

Windows File Protection


This might be slightly off topic, but does anyone know how Windows determines that a system file has been modified? I have not looked into this, but I assume it has a list of file checksums or suchlike stashed away somewhere, since it can detect changes even if it does not have the original file available.

It would be useful to know how this works as it might open the door to replacing system files (is it OK to mention wpa kill here?) without getting pestered by WFP. Turning WFP off completely is not an attractive option.


The "feature" is called either WFP or SFC, it is (mostly) inside the SFC.DLL.

Originally it was possible to enable/disable it changing a value in the Registry.

Later it has been modified.

Read here:

http://www.vorck.com/remove-ie.html

http://www.vorck.com/2ksp4.html#8

http://www.d--b.webpark.pl/reverse04_en.htm

http://www.bitsum.com/aboutwfp.asp

http://www.bitsum.com/index.asp#WfpAdmin

jaclaz


Thank you very much jaclaz. These are very useful links, especially the bitsum stuff, which appears to let me do exactly what I wanted via 'hack 5' and looks like a good source of information generally. Brill.

I was not aware that the ffffff9d trick had disappeared, but I would be loath to use it anyway as I believe that SFC offers a useful level of protection most of the time. I just want to be able to sneak round it when I choose to.

Have you maybe deleted Dllcache somehow...check in system32\dllcache is it full, around 300mb.

Hi nuhi,

I have the same problem. My DLL cache is VERY small ~13 MB. I have definitely not deleted the files in there, as I had the problems described in this thread right after installing. Any way to fill the dllcache again?

I am using the latest nLite (no component removal or tweaks applied with nLite, just SP2 and ryan VM)

Thanks

Pusso aka Gero

Thank you very much jaclaz.  These are very useful links, especially the bitsum stuff, which appears to let me do exactly what I wanted via 'hack 5' and looks like a good source of information generally.  Brill.

I was not aware that the ffffff9d trick had disappeared, but I would be loath to use it anyway as I believe that SFC offers a useful level of protection most of the time.  I just want to be able to sneak round it when I choose to.

Looky here:

http://www.msfn.org/board/index.php?showtopic=46964

(untested)

B)

jaclaz


In setuperr.log there are two files: syssetup.dll and tcpip.sys

Errore:

Il file di sistema denominato [c:\windows\system32\syssetup.dll] non è stato firmato correttamente

da Microsoft. La versione corretta del file potrebbe non venire ripristinata.

Utilizzare l'utilità SFC per accertarsi che il file sia integro.

***

Errore:

Il file di sistema denominato [c:\windows\system32\drivers\tcpip.sys] non è stato firmato correttamente

da Microsoft. La versione corretta del file potrebbe non venire ripristinata.

Utilizzare l'utilità SFC per accertarsi che il file sia integro.

***

Excuse me, I don't think this topic is closed :whistle: . This means I can't write about Windows File Protection :} or there's a solution in the next release :rolleyes: ?

Thanks for your very good work!

Edited by primianoc
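For triaging entries like the setuperr.log excerpt quoted in the post above, here is an added example (not code from the thread or from nLite). It assumes the layout shown in that excerpt: a label line, a message naming the file in square brackets, and a `***` line ending each block. The function names and the drivers-first ordering are choices made for this illustration.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample shaped like the setuperr.log excerpt quoted above; the
# third block repeats a file in different case to exercise de-duplication.
SAMPLE_LOG = r"""Errore:
Il file di sistema denominato [c:\windows\system32\syssetup.dll] non è stato firmato correttamente

da Microsoft. La versione corretta del file potrebbe non venire ripristinata.
***
Errore:
Il file di sistema denominato [c:\windows\system32\drivers\tcpip.sys] non è stato firmato correttamente
***
Errore:
Il file di sistema denominato [C:\WINDOWS\system32\syssetup.dll] non è stato firmato correttamente
***
"""

BLOCK_END = re.compile(r"^\s*\*{3}\s*$", re.M)        # a line holding only "***"
PATH_RE = re.compile(r"\[([A-Za-z]:\\[^\]\r\n]+)\]")  # [drive:\path] in brackets

@dataclass(frozen=True)
class Entry:
    label: str       # first line of the block, e.g. "Errore:" (locale dependent)
    path: str        # lower-cased path taken from the brackets
    is_driver: bool  # True for *.sys under a "drivers" directory

def parse_setuperr(text):
    """Return one Entry per distinct file named in the log."""
    entries, seen = [], set()
    for block in BLOCK_END.split(text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        for raw in PATH_RE.findall(" ".join(lines[1:])):
            path = raw.lower()
            if path in seen:         # same file reported again
                continue
            seen.add(path)
            p = PureWindowsPath(path)
            driver = p.suffix == ".sys" and "drivers" in p.parts
            entries.append(Entry(lines[0], path, driver))
    return entries

def triage(entries):
    """Kernel-mode drivers first, then alphabetical by path."""
    return sorted(entries, key=lambda e: (not e.is_driver, e.path))

if __name__ == "__main__":
    for e in triage(parse_setuperr(SAMPLE_LOG)):
        print("DRIVER" if e.is_driver else "FILE  ", e.path)
```

Because the parser keys on the bracketed path and the `***` terminator rather than on the message wording, it does not depend on the Windows display language.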


The WFP problem is still persisting.

In 99% of the cases the protection only asks for the CD

but it doesn't recover any files from it ??? :realmad:

(at least not detected with filemon or no traces in eventviewer)

TIP:

Maybe this will help people who don't want to turn off WFP

Copy the i386 dir from the install cd to your HDD

and add the newly created path to following regkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Installation Sources

I haven't tried it yet but it could be worth a try.

Keep us informed :hello:

Edited by Davelicious


Your suggestion doesn't work. I tried to regenerate the dll cache with the command "sfc /scannow" and some files aren't located on the winLite disc nor on the original Windows XP SP2 corporate. The file dir_dllcache.txt is what I get from the dir command in the directory c:\windows\system32\dllcache. I think the sfc system tries to restore some files I removed with nlite, for example keyboard layout. Any ideas? ;)

Edited by primianoc


I also performed "sfc /scannow" command to check what files are missing.

and I discovered that they are in most cases the files of components I removed. (like games, etc)

see my nlite Preset File. _20_6_05_.ini I used.

the scannow resulted in following missing files on the nlited installCD:

c:\windows\msagent\intl\agt0401.dll
c:\windows\msagent\intl\agt0408.dll
c:\windows\msagent\intl\agt040d.dll
c:\windows\msagent\intl\agt0412.dll
c:\windows\msagent\intl\agt0419.dll
c:\windows\msagent\intl\agt041f.dll
c:\program files\msn gaming zone\windows\bckg.dll
c:\program files\msn gaming zone\windows\bckgres.dll
c:\program files\msn gaming zone\windows\bckgzm.exe
c:\windows\system32\blastcln.exe
c:\windows\system32\c_10003.nls
c:\windows\system32\c_10004.nls
c:\windows\system32\c_10005.nls
c:\windows\system32\c_10006.nls
c:\windows\system32\c_10007.nls
c:\windows\system32\c_10017.nls
c:\windows\system32\c_10021.nls
c:\windows\system32\c_10081.nls
c:\windows\system32\c_1361.nls
c:\windows\system32\c_20000.nls
c:\windows\system32\c_20932.nls
c:\windows\system32\c_20936.nls
c:\windows\system32\c_20949.nls
c:\windows\system32\c_28594.nls
c:\windows\system32\c_28595.nls
c:\windows\system32\c_28596.nls
c:\windows\system32\c_28597.nls
c:\windows\system32\c_28598.nls
c:\windows\system32\c_28599.nls
c:\windows\system32\c_28603.nls
c:\windows\system32\c_708.nls
c:\windows\system32\c_720.nls
c:\windows\system32\c_737.nls
c:\windows\system32\c_855.nls
c:\windows\system32\c_857.nls
c:\windows\system32\c_862.nls
c:\windows\system32\c_864.nls
c:\windows\system32\c_866.nls
c:\windows\system32\c_869.nls
c:\windows\system32\c_875.nls
c:\windows\system32\c_is2022.dll
c:\windows\system32\c_iscii.dll
c:\windows\system32\cards.dll
c:\program files\msn gaming zone\windows\chkr.dll
c:\program files\msn gaming zone\windows\chkrres.dll
c:\program files\msn gaming zone\windows\chkrzm.exe
c:\program files\msn gaming zone\windows\cmnclim.dll
c:\program files\msn gaming zone\windows\cmnresm.dll
c:\windows\system32\freecell.exe
c:\windows\system32\ftlx041e.dll
c:\windows\ime\imkr6_1\dicts\hanja.lex
c:\windows\ime\imkr6_1\dicts\hanjadic.dll
c:\program files\msn gaming zone\windows\hrtz.dll
c:\program files\msn gaming zone\windows\hrtzres.dll
c:\program files\msn gaming zone\windows\hrtzzm.exe
c:\windows\ime\imkr6_1\applets\hwxkor.dll
c:\windows\ime\imkr6_1\dicts\imekr.lex
c:\windows\system32\imekr61.ime
c:\windows\ime\imkr6_1\imekrcic.dll
c:\windows\ime\imkr6_1\applets\imekrmbx.dll
c:\windows\ime\imkr6_1\imekrmig.exe
c:\windows\ime\imkr6_1\imkrinst.exe
c:\windows\system32\kbd101a.dll
c:\windows\system32\kbd101b.dll
c:\windows\system32\kbd101c.dll
c:\windows\system32\kbd103.dll
c:\windows\system32\kbda1.dll
c:\windows\system32\kbda2.dll
c:\windows\system32\kbda3.dll
c:\windows\system32\kbdarme.dll
c:\windows\system32\kbdarmw.dll
c:\windows\system32\kbdaze.dll
c:\windows\system32\kbdazel.dll
c:\windows\system32\kbdblr.dll
c:\windows\system32\kbdbu.dll
c:\windows\system32\kbddiv1.dll
c:\windows\system32\kbddiv2.dll
c:\windows\system32\kbdest.dll
c:\windows\system32\kbdfa.dll
c:\windows\system32\kbdgeo.dll
c:\windows\system32\kbdgkl.dll
c:\windows\system32\kbdhe.dll
c:\windows\system32\kbdhe220.dll
c:\windows\system32\kbdhe319.dll
c:\windows\system32\kbdheb.dll
c:\windows\system32\kbdhela2.dll
c:\windows\system32\kbdhela3.dll
c:\windows\system32\kbdhept.dll
c:\windows\system32\kbdinbe1.dll
c:\windows\system32\kbdinben.dll
c:\windows\system32\kbdindev.dll
c:\windows\system32\kbdinguj.dll
c:\windows\system32\kbdinhin.dll
c:\windows\system32\kbdinkan.dll
c:\windows\system32\kbdinmal.dll
c:\windows\system32\kbdinmar.dll
c:\windows\system32\kbdinpun.dll
c:\windows\system32\kbdintam.dll
c:\windows\system32\kbdintel.dll
c:\windows\system32\kbdkaz.dll
c:\windows\system32\kbdkor.dll
c:\windows\system32\kbdkyr.dll
c:\windows\system32\kbdlt.dll
c:\windows\system32\kbdlt1.dll
c:\windows\system32\kbdlv.dll
c:\windows\system32\kbdlv1.dll
c:\windows\system32\kbdmon.dll
c:\windows\system32\kbdru.dll
c:\windows\system32\kbdru1.dll
c:\windows\system32\kbdsyr1.dll
c:\windows\system32\kbdsyr2.dll
c:\windows\system32\kbdtat.dll
c:\windows\system32\kbdth0.dll
c:\windows\system32\kbdth1.dll
c:\windows\system32\kbdth2.dll
c:\windows\system32\kbdth3.dll
c:\windows\system32\kbdtuf.dll
c:\windows\system32\kbdtuq.dll
c:\windows\system32\kbdur.dll
c:\windows\system32\kbdurdu.dll
c:\windows\system32\kbdusa.dll
c:\windows\system32\kbduzb.dll
c:\windows\system32\kbdvntc.dll
c:\windows\system32\kbdycc.dll
c:\windows\system32\ksc.nls
c:\program files\movie maker\moviemk.exe
c:\windows\srchasst\msgr3en.dll
c:\windows\system32\mshearts.exe
c:\windows\srchasst\nls302en.lex
c:\windows\ime\shared\res\padrs412.dll
c:\program files\windows nt\pinball\pinball.exe
c:\program files\msn gaming zone\windows\rvse.dll
c:\program files\msn gaming zone\windows\rvseres.dll
c:\program files\msn gaming zone\windows\rvsezm.exe
c:\program files\msn gaming zone\windows\shvl.dll
c:\program files\msn gaming zone\windows\shvlres.dll
c:\program files\msn gaming zone\windows\shvlzm.exe
c:\windows\system32\sol.exe
c:\windows\system32\spider.exe
c:\windows\srchasst\srchctls.dll
c:\windows\srchasst\srchui.dll
c:\windows\help\tours\mmtour\tour.exe
c:\windows\system32\tourstart.exe
c:\program files\msn gaming zone\windows\uniansi.dll
c:\windows\system32\winmine.exe
c:\windows\system32\winntbbu.dll
c:\program files\movie maker\wmm2ae.dll
c:\program files\movie maker\wmm2eres.dll
c:\program files\movie maker\wmm2ext.dll
c:\program files\movie maker\wmm2filt.dll
c:\program files\movie maker\wmm2fxa.dll
c:\program files\movie maker\wmm2fxb.dll
c:\program files\movie maker\wmm2res.dll
c:\program files\movie maker\wmm2res2.dll
c:\windows\system32\wscntfy.exe
c:\windows\system32\wscsvc.dll
c:\windows\system32\wscui.cpl
c:\program files\msn gaming zone\windows\zclientm.exe
c:\program files\msn gaming zone\windows\zcorem.dll
c:\program files\msn gaming zone\windows\zeeverm.dll
c:\program files\msn gaming zone\windows\znetm.dll
c:\program files\msn gaming zone\windows\zoneclim.dll
c:\program files\msn gaming zone\windows\zonelibm.dll
c:\windows\system32\setup\zoneoc.dll

and like "primianoc" mentioned even if I perform sfc /scannow

with an original XP+SP2 (non nlited)

It misses a few files:

c:\windows\system32\kbd101b.dll
c:\windows\system32\kbd101c.dll
c:\windows\system32\kbd103.dll
c:\windows\system32\kbdkor.dll


Well, I don't see which files sfc tries to restore (and can't find on the original CD, "not nlited"), but I think there's something in the system (a .ini file?) in which there's the complete list of "important files". So the OS is nlited but sfc doesn't know it! We must tell it that the system is nlited! But.... how? :}


The list of files is INSIDE sfcfiles.dll.

(NOT sfc.dll) thanks Toods.

Read the links in my previous posts.

jaclaz

Edited by jaclaz

I think you mean sfcfiles.dll.

Yep, sorry, I meant SFCFILES.DLL.

I am correcting my previous post, so that it does not cause confusion.

Here is where it is explained:

http://www.vorck.com/2ksp4.html#8

Edited by jaclaz
