Jump to content

Disabled SFC automatically Enabled ?

bhurtel

By bhurtel
in Windows XP

 Share

Recommended Posts

bhurtel

bhurtel

Posted
Posted (edited)

sfc_os.dll is patched (rvyan's)

and registry entry is disabled

SFCDisable=ffffff9d

but after installing some programs, it changes the "SFCDisable" key back to

"0" which leads SFC to be enabled.

Uxtheme, longhorn transformation packs are such programs.

can this registry seeting be locked permanently..

i don't want this to be changed always and annoy me all the time.

just disable permanently

i had tried dreampack , but it was detected as Virus/Trojan by some AntiVirus

i also tried

SFCDisable=00000000

SFCSetting=ffffff9d

.. in vain.. still popup WFP dialogue

I want it to be included in UAXPCD as well

post-53790-1126964609_thumb.jpg

Edited by bhurtel

bhurtel

bhurtel

Posted
  • Author
Posted (edited)

What should be done just to disable SFC oonly permanently

sfc_os.dll patch

and

SFCDisable=FFFFFF9D

will do ?

Edited by bhurtel
MHz

MHz

Posted
Posted (edited)

I use a patched sfc_os.dll. The registry setting for disabling is SFCSetting, not SFCDisable. The system manages SFCDisable and will reset it. SFCSetting is added, so it will remain as set.

Edited by MHz
bhurtel

bhurtel

Posted
  • Author
Posted (edited)

i have also patched version of sfc_os.dll

and this key in registry

Windows Registry Editor Version 5.00 

;Disable Windows File Protection (WFP) (to enable, change to 0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:FFFFFF9D

but where is this SFCSetting

i haven't heard abt this thing

whats the difference bttween

SFCDisable

SFCSetting

is this a registry value

how can it be done??

is this permanent?

do some programs changes this value back to 0

Edited by bhurtel
Yurek3

Yurek3

Posted
Posted

How to fully disable System File Checker (SFC, WFP).

The method with patching sfc_os.dll (or sfc.dll) file dont disable fully WFP. Protected files can be replaced only manually. If any installator will use function MoveFileEx (with MOVEFILE_DELAY_UNTIL_REBOOT flag) to replace in-use protected files, then the files will be not replaced. The reason for this is, that session manager (smss.exe) while loading system, before replace any files, check list of protected files. If given file is in this list, then replace will fail. Until you add to registry AllowProtectedRenames value, the protected files will be not replaced.

Second often used function is SetupInstallFile (with SP_COPY_FORCE_IN_USE flag). This function before add a file to replace-list, check with SfcIsFileProtected (from sfc_os.dll) whether the file is protected or not. If file sfc_os.dll is patched, then SfcIsFileProtected will return always false. So SetupInstallFile will no add AllowProtectedRenames value to the registry.

I have develop my own method to full disabling WFP. This method is simple, more flexible and dont need to patch any files. It based on empty list of protected files. So WFP is on, but list of protected files is empty and all files are not protected. List of protected files is in file sfcfiles.dll. I have wrote my own sfcfiles.dll file with empty list. One thing that is to do, is replace this one file.

How replace sfcfiles.dll file ?

This file is a in-use protected file. To replace it, you need copy my sfcfiles0.dll into system directory and add two values to this key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

After reboot, WFP will be fully disabled.

To add this two values to registry you must have admin rights. And dont forget to make backup of old sfcfiles.dll.

1)

Value name: PendingFileRenameOperations

Value type: array of null-terminated strings (REG_MULTI_SZ)

Value data:

\??\c:\winnt\system32\sfcfiles0.dll

!\??\c:\winnt\system32\sfcfiles.dll

This value is used to replace files at reboot time.

In first line is a path to the file that should be moved. In second line is new path for this file.

Note: Creating a value of REG_MULTI_SZ type in registry editor is available from XP version. To replace this file in Windows 2000 use automatic installation descripted below.

2)

Value name: AllowProtectedRenames

Value typ: DWORD (REG_DWORD)

Value data:

1

This value is needed to replace protected file.

And that is all.

Automatic installation mode for Windows 2000 user (work also in XP).

I have added two functions to sfcfiles0.dll file: Install and Uninstall. These functions will add two values to registry. Before calling these functions, file sfcfiles0.dll should be in system directory.

Function: Install

Calling: Select a command "Execute..." from start menu (or in command prompt) and enter:

rundll32 sfcfiles0 Install

First, this function will make backup of old sfcfiles.dll file to system32\dllcache directory, and add two registry values. If file sfcfiles.dll exist already in dllcache, then it will be not overwrite. After reboot file sfcfiles0.dll will be renamed to sfcfiles.dll.

Function: Uninstall

Calling: Select a command "Execute..." from start menu (or in command prompt) and enter:

rundll32 sfcfiles Uninstall

This function copy in dllcache the file sfcfiles.dll to sfcfiles.tmp. This temporary file will be moved after reboot to system32 directory. File sfcfiles.dll (with empty list) from system directory will be copyed to sfcfiles0.dll..

http://www.d--b.webpark.pl/reverse04_en.htm

bhurtel

bhurtel

Posted
  • Author
Posted (edited)

Your file is a trojan.. i have already post it on ur thread..

My Antivirus becomes angry with ur file..

i am not looking this method..

i just wanted this screen never to popup (permanently) with any of my activities

I also wan't all this in my unattended CD.. not manually after installation of windows.

i don't prefer to edit these files manually

my registry setting is as in attached Pic :

SFCDisable is changed back to 0 by some programs :so i tried

SFCSetting......... but still WFP windows popups...

i am using

rvyans patched sfc_os.dll

post-53790-1126963372_thumb.jpg

post-53790-1126964307_thumb.jpg

Edited by bhurtel
Yurek3

Yurek3

Posted
Posted

It isn't trojan. M$ doesn't like such files and he gave them trojan for antyvir campaigns

Trojan wants going outside in order to seize check-ups above this computer. this file isn't doing it.

He is only showing wasps, that niem of no files to protection.

DonDamm

DonDamm

Posted
Posted

Hmmm. You could try temporarily disabling your AV or stopping the service while you make the changes. In fact. just swpping out the list file seems to me to be a very clever approach and easily restorable. What's the problem with that??

Nepali

Nepali

Posted
Posted
Hmmm. You could try temporarily disabling your AV or stopping the service while you make the changes. In fact. just swpping out the list file seems to me to be a very clever approach and easily restorable. What's the problem with that??

i think he is asking abt permanent and wan't the whole process/idea included in UAXP.

this is not the thing he is looking for...

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...