
WFP technical


trodas


I want to kill the WFP childish protection. One reason - power. Certainly it has to take some CPU time to watch over what is going on.

Second reason - I can't stand the OS watching me. Call me paranoid, but I can't.

IMHO it is my responsibility, since it is MY system, right? Besides, I have a backup. And I frequently modify any files I see fit, so I consider such childish limitations too restricting. (like the commies once restricted us in some ways, till we found out the hard way that in the US people get restricted "for their own good" - like the commies say - by similar ways as the commies did... - political ramblings, pay no attention)

Therefore I want it to go - to hell, to be precise. I also extremely hate the idea that the OS is controlling what I am doing. Hell, if I want to delete any OS file, I will do it. Still. No-one can stop me - okay, dllcache can make my life harder, but it still can't stop me. No way.

I already found some solutions there:

http://www.vorck.com/2ksp5.html#15

...however I first have to ask the utmost important question - WHICH process is watching over my files? I am not - like I mentioned - comfortable with the idea of the OS watching over me, and I also did not see any SFC.exe as a process in my Windows!

Therefore it must be hidden or something - or simply included in another process. I want to kill that process as well! ;)

Looks to me like the way to go is the "totally disabled SFC.DLL, and his method has since spread far and wide to sites I won't even mention" (a link to a guide like this will be appreciated) - but my technical question is - what happens then? Will the "watchdog" process over the bloody files still be there or not? What happens to the process when the dll is empty? Will it stop? Hardly, right? Probably it just runs and does not check, right?

So, how to stop it even running - what about that? :hello:

For obvious reasons I did not even consider the way of clearing the watched files list in sfcfiles.dll - this and sfc.exe + sfc.dll are simply files I intend to remove from my HDD ASAP when possible :devil:

The sub-question goes like this.

Recently, Sony was caught using a rootkit to hide its spyware anti-copy protection stuff. When I read about it I realized that there are some things I extremely hate, and that is the OS limiting me. Spyware processes that I can't end with the classic Windows task manager.

Let me state it clearly - I believe that an administrator user should under any circumstances be able to end any process he desires - even if it leads to an immediate hard reboot. Never, ever, ever should the task manager refuse to stop a process.

Now - what I read was that I have to give myself these privileges, even as admin. How? And will it help me to end processes for which one has to use ProcView to kill? Will it allow me to show hidden processes? Is there a way to make the task manager more powerful in the kill-task thing?

I simply believe that even a system process has to bend to the user's will.

W/O using the hardwired reset button, I mean :lol:;)

http://www.updatexp.com/windows-file-protection.html

Ha! It IS an invisible suxxka! KIIIILLLL!!!

Edited by trodas


Why not let hfslip do its job (without any FIX files), run NLITE, then swap the files you want at the end? Also, that files-to-keep list for NLITE is only if you want media to play. If you don't care about media, then you can probably get away with keeping 10% of that list. I'm not sure what your goal is for your installation.


tommyp - Why not let hfslip do its job (without any FIX files), run NLITE, then swap the files you want at the end?

Good point. I will do that in the case of WFP almost for sure. Yet I will not reinstall the other machines, folding machines and one DL server, so I want more info on the subject and how to remove it totally, w/o wasting any more CPU cycles. Ever :yes:

Yet some files HAVE to come into Windows by the HFSLIP and FIX way, mainly the atapi.sys one. Remember, SP2 has a 137G HDD limit. My HDD has ATM 250MB and will surely grow over time again :P So, w/o having the SP3 version of atapi.sys and the registry value enabling 48bit access, it is very problematic to even touch the D drive, where all the drivers for install and stuff are :hello:

Now - shall we talk about WFP? And the rootkit thing? How do I give myself the rights to see more? Will I then see the WFP service? (e.g. the cleanest way would be to just turn it off)

The other way has to be, when M$ overrode the registry value (curse them!), to disable the override.

But can you tell me what happens with the modified SFC.dll? I mean - is the service still running this way or not? (and how to check that, when the service will ignore the changes then?)

And sub-question - which files can be killed then? Surely sfc.exe, sfc.dll and sfcfiles.dll, however the article mentions (and the mind suggests as well) that all the checksums of all the files need more catalog files to gather, so, which other files? There are about 7MB of cat files. These contain the up-to-date list as of Win2k SP2 time of signed files; could they all be removed? (directory CatRoot inside the system32 dir)

In XP SP2 the amount of MB there is a little over 10MB, because there are two dirs, CatRoot and CatRoot2. So, when WFP is killed, these will not be necessary any longer, right?


@trodas - This forum isn't for SFC discussions. If you need answers for SFC, please refer to FDV's site if you are using files in his fileset. If you're not using his SFC files, then google is your friend.


I can't really help you with your questions, but maybe I can point you to some tools that will be useful:

http://www.sysinternals.com/Utilities/RootkitRevealer.html

http://www.sysinternals.com/Utilities/ProcessExplorer.html

http://www.sysinternals.com/Utilities/Filemon.html

http://www.sysinternals.com/Utilities/Autoruns.html

http://www.sysinternals.com/Utilities/Regmon.html

There are a lot of other good tools on that site.

Edited by atomizer

tommyp - well, I did not use any files yet, I submitted serious questions and I would like (very much) to get an educated answer on things that are ATM beyond me. Furthermore my findings suggest that the ways used / suggested to use aren't good at all - in short, I would say that they are fake. But read on...

atomizer - thank you very much for the many useful links, however not even the Rootkit Revealer did show me the cursed WFP process or stuff... :no:

Oleg_II - thank you very very much, but what if the OS is up and running? I'm a bit afraid, because - well, read on...

My findings today.

by creating a totally disabled SFC.DLL, and his method has since spread far and wide to sites I won't even mention.

Totally disabled sounds very good to me. If needed, please re-read my goals to get rid of the CPU, memory and files associated with the WFP hidden service.

So, I searched and found: http://www.winguides.com/registry/display.php/790

I edited the poor sfc.dll (changed the values "8B C6" to read "90 90") and replaced it my way - just rename the original to sfcx.dll and copy the edited one, reboot and done. No more messages and stuff.

And then it came. When WFP is "Totally disabled", then I'm sure I can delete its files, because they aren't needed anymore, right? sfc.exe - the manual utility - goes w/o problem. However sfcfiles.dll refuses to get deleted. I got suspicious. Renamed it (always works :lol: ), and rebooted.

As the machine was booting and near the end, after login - a silent reboot came. I expected a blue screen, not an instant reboot, though the result is the same. The dll is still needed.

Therefore it is more than likely that the WFP service is still up and running and the only difference now is that the recovery of the file from dllcache or the message when the appropriate file is not found is suppressed, but that is it! The service is more than likely still running, still eating my CPU time, still controlling me and still needs the files I want to get rid of... :no:

I call this "solution" a fake remove.

I hope nLite does a better job, yet then the question - how to get REALLY rid of WFP - remains.


Disabling WFP doesn't mean you can delete ALL and EVERY file in your system. Some files just can't be deleted because they are used by system processes. Is it possible? ;)

Edited by Oleg_II

Trodas, nothing's "fake" in the method you've cited. You've been given accurate advice here.

SFC checking is disabled via the 90 90 hack.

SFC still needs SFCFILES. After all, with the 90 90, we just disabled file checking; SFC still needs SFCFILES. We're not rewriting the whole DLL, after all!! So, just to be sure, we also give Windows an empty SFCFILES.DLL with no filenames in it. So, SFC doesn't check any files at all, but still needs SFCFILES, which is now empty. So no matter what, file protection is OFF. Also, if I read you right, you are thinking that a rootkit revealer would show you that system file protection is on. No rootkit revealer would do this; WFP is considered a valid Windows component whether on or off. A rootkit revealer is going to reveal non-Windows binaries that specifically report themselves as 'hidden' to the OS.

Finally, as for stopping a process Windows says you can't, it's an inherent limitation (for the most part). An Administrator might have "administrative" rights, but not system rights.

Like TommyP says... use HFSLIP, then run nLite. Then, if you want, replace the SFC and SFCFILES dlls with the ones in my fileset, or use the 'disable SFC' checkbox in nLite, which will execute the 90 90 hack (but will not provide an empty SFCFILES.DLL).

Personally, I use SFC. The performance hit is not big when you think about the fact that there is software that will attempt to replace system files on you without asking. If SFC is off, some of your system files could be replaced by older versions shipped with the software.

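A defender-side check for the mechanism fdv describes above, added here as an example and not code from this thread or from anyone's fileset: it compares the bytes of the sfc.dll / sfc_os.dll actually in use against a pristine copy (such as the one in dllcache) and reports every place where the original `8B C6` has been replaced by `90 90`, plus a single-file check at the offset the thread quotes for one build. The sample byte strings, the function names and the use of the E3BB offset as a mere hint are assumptions of this example.

```python
import hashlib

# Byte pairs as described in this thread: the original "8B C6" (mov eax, esi)
# and the "90 90" (nop nop) that the so-called 90 90 hack writes over them.
ORIG_BYTES = b"\x8b\xc6"
NOP_BYTES = b"\x90\x90"
# Offset the thread quotes for one sfc_os.dll build; treated as a hint only.
HINT_OFFSET = 0xE3BB

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def find_nop_patches(pristine: bytes, candidate: bytes) -> list[int]:
    """Offsets where pristine holds 8B C6 but candidate holds 90 90."""
    if len(pristine) != len(candidate):
        return []  # a size change is not this patch; the hash check covers it
    return [off for off in range(len(pristine) - 1)
            if pristine[off:off + 2] == ORIG_BYTES
            and candidate[off:off + 2] == NOP_BYTES]

def assess(pristine: bytes, candidate: bytes) -> dict:
    """Compare the in-use DLL against its pristine twin and classify it."""
    identical = sha256_hex(pristine) == sha256_hex(candidate)
    patches = [] if identical else find_nop_patches(pristine, candidate)
    if identical:
        verdict = "identical"
    elif patches:
        verdict = "nop-patched"       # exactly the 90 90 hack signature
    else:
        verdict = "modified"          # differs some other way: investigate
    return {"identical": identical, "nop_offsets": patches, "verdict": verdict}

def check_hint_offset(data: bytes, offset: int = HINT_OFFSET) -> str:
    """Single-file check for when no pristine copy is at hand."""
    pair = data[offset:offset + 2]
    if pair == ORIG_BYTES:
        return "original"
    if pair == NOP_BYTES:
        return "patched"
    return "unknown"   # different build: the quoted offset does not apply

# Constructed sample "DLLs": 32 bytes with one mov eax,esi at offset 0x10.
SAMPLE_PRISTINE = bytes(16) + ORIG_BYTES + bytes(14)
SAMPLE_PATCHED = bytes(16) + NOP_BYTES + bytes(14)
SAMPLE_OTHER = bytes(16) + ORIG_BYTES + b"\x01" + bytes(13)

if __name__ == "__main__":
    print(assess(SAMPLE_PRISTINE, SAMPLE_PATCHED))
```

On a real machine, read the dllcache copy as `pristine` and the system32 copy as `candidate`; a "modified" verdict with no NOP offsets means the file differs in some way other than this hack and deserves a closer look.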

Oleg_II - first - congratulations. I deleted all the *.cat files except for the NT5INF.CAT you recommended and the system is still booting and functioning normally :thumbup Thanks!

And sure, no, I did not expect that I can delete anything if I disable the protection - I'm not dumb :hello:

Many files are actually used!

fdv - pardon me, but ATM all my findings indicated that if sfcfiles.dll is still needed, then it looks fake to me. If the OS settles for an empty sfcfiles.dll (that means what? A zero-length file, or just some cleaned-up version? And how can I create / obtain one then?), then it is not fake :-P

(this is for W2K)

And what about XP? Is there a difference between SP1.0a and SP2? There the guide shows to patch the sfc_os.dll file. Should sfcfiles be empty there also? And what about sfc.dll on XP? And the *.cat files are likely deletable too then, right? And a friend CAN delete sfcfiles.dll on XP, but he has disabled WFP by some other handmade application and it does not enter the 90 90 values, but something different... Questions, questions, I know. So many questions...

And yes, that is what I am going to do. HFSLIP DX9.0c + IE6 + 48bit support (atapi.sys) + my patched versions of a few dlls + 3rd party versions of notepad and ping - and then nLite it :-)

No empty version of sfcfiles.dll? Well, one more reason to obtain it myself! :w00t:

And even though I thank you very much for the informative post, please do not bring up the discussion of whether WFP is good or not. Sure it is good. Yet crazy people do not like it. Besides, I rarely install anything (if something needs installing, I do not use it) and I have a backup - 5min and the whole C drive is like it was in the last fresh Win install, so :P Please stop about it.

PS: okay, found the file: http://www.vorck.com/data/SFCFILES.DL_ ...now just how to extract it. extrac32.exe /E SFCFILES.DL_ did not seem to work...

Edited by trodas

Thanks, but the filesize is the very same... :no: So, I assume it is unpacked and try it... And whooooa, it works!!! On my Win2kSP2 as well as on Win2k server SP3 and as well as on WinXP SP1.0a :thumbup8

Now if only I could hack the SP2 sfc_os.dll - the values 8B and C6 at offset E3BB aren't present. Any help?
