WFP technical


trodas

Inside Win2K Reliability Enhancements, Part 2

When the system starts the Windows Logon subsystem (Winlogon—%systemroot%\system32\winlogon.exe) during the boot process, Winlogon loads System File Checker (SFC—%systemroot%\system32\sfc.dll), the WFP DLL. SFC exports several functions for Winlogon's use, including SfcInitProt, an initialization function. SfcInitProt first reads SFC Registry settings, all of which are located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. The first Registry value SFC reads is SFCDisable. If the SFCDisable value is not set to 0 and a kernel debugger (e.g., WinDbg) is active, then SFC deactivates WFP.

Next, SFC reads the SFCScan value. If the SFCScan value is 1, SFC performs an initial consistency check of the system files after the system finishes initializing. An SFCScan value of 2 directs SFC to perform an initial scan and reset the SFCScan value to 0. The default SFCScan value of 0 directs SFC to protect system files, but not to perform a scan. Win2K provides a command-line tool, sfc.exe, that you can use to manipulate the SFCScan value. . . .


Just a 'by the way' on this. An interesting footnote to this story.

All sorts of sites on the net with this 'trick' of disabling SFC tell you to switch the 8B C6 values in SFC.DLL to 90 90 and then they require a registry setting. This is the 'Collake Hack' as discovered by Jeremy Collake. After Windows installs, however, it would set the registry back and SFC would be back on again.

A friend of mine across the world from me discovered that if you change 83 F8 9D 75 07 8B C6 to B8 9D FF FF FF 90 90, it disables SFC completely, and no registry setting is necessary. After this was published, several popular software packages suddenly were able to disable SFC completely, without the registry setting. It was interesting but my friend who helped me immeasurably with these DLLs still didn't want any credit and didn't want to be named (not because he fears authorities but because it's a point of pride with him).

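An added check, not from this thread or from any of its posters: given a copy of the DLL, it reports whether the byte sequences fdv quotes (the untouched code, the full patch, or the older nop-only variant) are present, so an administrator can tell whether a machine's SFC has been tampered with. The sample images are constructed here and are not real DLL contents.

```python
from typing import Dict, List

# Byte sequences quoted in the post above (hex as given there, spaces removed).
SIGNATURES: Dict[str, bytes] = {
    # cmp eax,-0x63 ; jne +7 ; mov eax,esi  (the untouched code)
    "intact":      bytes.fromhex("83 F8 9D 75 07 8B C6"),
    # mov eax,0xFFFFFF9D ; nop ; nop  (the full patch, no registry change needed)
    "patched":     bytes.fromhex("B8 9D FF FF FF 90 90"),
    # only mov eax,esi replaced by nop nop (the older "Collake" variant)
    "nop-patched": bytes.fromhex("83 F8 9D 75 07 90 90"),
}

def find_all(image: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in image (overlaps allowed)."""
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits

def scan_image(image: bytes) -> Dict[str, List[int]]:
    """Map each signature name to the offsets where it appears in the image."""
    return {name: find_all(image, sig) for name, sig in SIGNATURES.items()}

def classify(image: bytes) -> str:
    """Summarise a scan: 'intact', 'patched', 'nop-patched', 'ambiguous' or 'no-match'."""
    hits = {name: offs for name, offs in scan_image(image).items() if offs}
    if len(hits) == 1:
        return next(iter(hits))
    return "ambiguous" if hits else "no-match"

def scan_file(path: str) -> str:
    """Classify a DLL on disk (e.g. a copy of sfc.dll or sfc_os.dll)."""
    with open(path, "rb") as fh:
        return classify(fh.read())

# Constructed sample images (not real DLLs): filler bytes around each sequence.
SAMPLE_INTACT = b"\x00" * 0x20 + SIGNATURES["intact"] + b"\xCC" * 8
SAMPLE_PATCHED = b"\x00" * 0x20 + SIGNATURES["patched"] + b"\xCC" * 8

if __name__ == "__main__":
    for label, img in (("intact", SAMPLE_INTACT), ("patched", SAMPLE_PATCHED)):
        print(label, "->", classify(img), scan_image(img))
```

A "no-match" result on a real file only means none of the three quoted sequences was found (a different build or a differently patched copy); compare the file's hash against a known-good copy for a definitive answer.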

Thanks, but the file size is the very same... So, I assume it is depacked and try it... And whooooa, it works!!! On my Win2k SP2 as well as on Win2k Server SP3 and as well as on WinXP SP1.0a

Now only if I could hack the SP2 sfc_os.dll - the values 8B and C6 at offset E3BB aren't present. Any help?

For XP SP2...

Windows XP File Protection Hack

or

Disabling Windows File Protection Permanently

This hack is used in a RyanVM pack addon and it seems to be a time-tested solution.


fdv - I have wished for a long time to thank you for this one, mate, but finally I managed it!

Thanks! Using this last hack now - for safety even with the registry thing, and everything seems to be working well. Thx!

jdoe - thx, nice links. As for disabling WFP by replacing the files, I use a simpler trick that does work for me - rename sfc_files.dll to sfc_filesX.dll, then copy the new hacked sfc_files.dll into place and reboot. Then delete sfc_filesX.dll and bye bye, winblows file protection!
