Remove a file protected by Windows File Protection

Hi all.

I'd like to know how to delete a file located in the system32 and dllcache subdirectories after the operating system is installed.

If I delete the file with a VBScript after the system is installed, this file is automatically regenerated (copied again from source). I've tried several ways, including the editing of \Windows\System32\restore\filelist.xml in order to add the file to the exclusion list.

Please, bear in mind that I don't want to disable or hack Windows File Protection, only exclude this file from the list of protected files. The file should be deleted permanently. And another important thing: I don't want to remove this file from the installation source, in order to avoid errors in the setup log.

Is this possible?

Thanks.

Edited by ponghy


If you delete the file first in \WINDOWS\system32\dllcache and then in \WINDOWS\system32, you'll have to take care of the warning message, and it seems possible to do it with a VBScript.


Thanks for your replies.

@cluberti: It's the "plugin.ocx" old file. This is no longer supported by Microsoft, and it's deleted in several cumulative updates of Internet Explorer.

If I remove that file from the installation source I get the following error in setuperr.log:

LoadLibrary cannot register ActiveX control blah blah blah...

Is it possible to get rid of this file? (without the previous error)

@jdoe: Actually, that trick doesn't work. If you leave the CD-ROM inserted in the drive, Windows File Protection will silently copy the file again, without warning boxes.


I believe it's possible. Install the system normally with the target file (plugin.ocx). Now, install the KB933566 hotfix (a cumulative update of IE) and you'll realize that this hotfix PERMANENTLY removes this file from the system and this file is no longer protected by Windows File Protection. These actions are done without any error in the event log (try this in a VM and you'll agree).

With this idea, I've tried to monitor the system changes when installing this patch, but I've not found the proper registry entry or file modification that does the trick.

Download the KB933566 patch. Now, run it and find the temporary directory this patch creates in order to put the extracted files (for example, C:\a0c7cbee6146a2ef23). Then, navigate to the update subdirectory and open the update_SP2QFE.inf file. Now, search for the [system32.Delfiles] and [Cache.Delfiles] sections. Note that these sections only reference 1 file, my target file: plugin.ocx. Indeed, these sections are launched by 2 DelFiles directives in the [ProductInstall.ReplaceFilesIfExist] section:

[ProductInstall.ReplaceFilesIfExist]
DelFiles=Cache.Delfiles; <-------- Directive to permanently remove the file from the WFP repository.
CopyFiles=System32.files
CopyFiles=program_files.internet_explorer
DelFiles=System32.Delfiles; <-------- Directive to permanently remove the file from the System folder.

Due to this, I think it's possible to emulate the patch behavior, but how?

Can any other user with experience in monitoring registry and file changes do the test for me? (in a VM, of course)

Thanks very much in advance :)

Edited by ponghy
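An added example (not the thread's own code) that automates the inspection the post above does by hand: it parses an update INF and resolves the DelFiles and CopyFiles directives of [ProductInstall.ReplaceFilesIfExist] to the files their target sections list. The INF text is a constructed fragment modelled on the sections quoted in the post; only plugin.ocx and the section names come from the thread, the CopyFiles entry is invented.

```python
import re
from typing import Dict, List, Optional

# Constructed INF fragment modelled on update_SP2QFE.inf as quoted in the post.
SAMPLE_INF = """\
[Version]
Signature="$Windows NT$"

[ProductInstall.ReplaceFilesIfExist]
DelFiles=Cache.Delfiles      ; remove the file from the WFP repository (dllcache)
CopyFiles=System32.files
CopyFiles=program_files.internet_explorer
DelFiles=System32.Delfiles   ; remove the file from the system32 folder

[Cache.Delfiles]
plugin.ocx

[System32.Delfiles]
plugin.ocx

[System32.files]
iexplore.exe,,,4
"""

def parse_inf(text: str) -> Dict[str, List[str]]:
    """Return {section (lower-cased): [entries]} with ';' comments and blank
    lines stripped. INF section names are case-insensitive."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def directive_targets(sections: Dict[str, List[str]], install_section: str,
                      directive: str) -> Dict[str, List[str]]:
    """Resolve each 'directive=Section[,Section...]' line of install_section to
    the file names in those sections (first comma-separated field of an entry)."""
    out: Dict[str, List[str]] = {}
    for line in sections.get(install_section.lower(), []):
        key, _, value = line.partition("=")
        if key.strip().lower() != directive.lower():
            continue
        for name in (n.strip() for n in value.split(",") if n.strip()):
            entries = sections.get(name.lower(), [])  # missing section -> no files
            out[name] = [e.split(",")[0].strip() for e in entries]
    return out

def files_deleted_by(text: str, install_section: str = "ProductInstall.ReplaceFilesIfExist") -> List[str]:
    """Sorted, de-duplicated list of files the update removes via DelFiles."""
    deleted = directive_targets(parse_inf(text), install_section, "DelFiles")
    return sorted({f.lower() for files in deleted.values() for f in files})
```

Run it against a real extracted update_SP2QFE.inf by reading the file into `files_deleted_by` to see which protected files a hotfix retires.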

With this idea, I've tried to monitor the system changes when installing this patch, but I've not found the proper registry entry or file modification that does the trick.

This is actually a feature of the update engine that is used to install Windows Updates - it is able to directly deal with the SFC thread and components, and update as necessary. I can't say specifically where this data is stored, but it isn't the registry.


Ok, thanks for your reply, cluberti :)

I've installed the complex and powerful Process Monitor tool from Sysinternals. Then, I've installed the patch and monitored the changes. But there are several changes to analyze, even with filters activated!!! :blink: I can pass you the log if you want to help me a bit more...

Thanks again :rolleyes:


Yes, you're right. Thanks for the tip.

Finally, I've coded my own tool to delete the protected system file, by calling the SfcFileException() undocumented API function.

It works like a charm, and it's probably the only way to bypass WFP.

If anyone is interested in my tool, let me know.

Edited by ponghy

Finally, I've coded my own tool to delete the protected system file, by calling the SfcFileException() undocumented API function.

It works like a charm, and it's probably the only way to bypass WFP.

Hi mate, nice work!!

One thing to look out for, which can be a silent surprise: the list of files monitored by SFC, WFP and other systems is kept in a file called sfcfiles.dll, which also has the enumeration function getsfcfiles() - the list returned from this function is used by other things than SFC/WFP, so the only way to completely fix potential lookups is to edit this list, or the function it calls. I'm guessing SfcFileException() works for SFC & WFP, but does it also modify the list returned by sfcgetfiles()? Some things like replace-on-next-boot also use the sfcgetfiles() function and won't replace certain files under certain conditions if they are returned in this list.

Is SfcFileException() a magic bullet that actually modifies the list returned by sfcgetfiles()? I'm just curious. Again, excellent work finding something that fixes your problem! :) :) :)


Hi ElTorquiro:

I've carefully read your post here. Indeed, very good research work :yes: . I'm very surprised by your discovery, putting the '\\' character at the beginning of any path in SFCFILES.DLL :thumbup But are you completely sure this will not have adverse effects? I'm unsure if modifying system files is a good idea, although SFCFILES.DLL is not signed.

Let me explain the SfcFileException() trick:

According to Collake's research (http://www.bitsum.com/aboutwfp.asp), this API function generates an exception in the watcher thread of SFC, so no files will be modified in the system, but SFC is instructed to unprotect the file.

It works very well. You can run SFC /SCANNOW and the file will not appear! :) But, it's not perfect, and it has a little fault. Suppose the following scenario:

1) You upgrade your Windows version with another version which reinstalls the previously unprotected file.

2) You use my tool to delete the unprotected file again. And yes, the file will disappear from the system32 subdirectory (no attempts are made to restore it. This is good).

3) But if you run the SFC /SCANNOW command again, the file will appear ONLY in the dllcache subdirectory!! :( Note the file will NOT appear under the system32 subdirectory (thus, the file will not be "present" for the system, i.e., it will not be usable).

I think it's necessary to add your trick to my tool, in order to permanently delete the file across Windows reinstalls.

If you want, I can send you via PM the source code of my tool. It's written in pure C++ (not C# or .NET), compiled with VC++ 6.0.

Thanks for your interest too :hello:

PD: I think Windows updates use the SfcFileException() method in order to delete unnecessary/unsupported files, because they have the SAME fault as described in the above scenario...

PD2: Do you think it is possible to install a patched SFCFILES.DLL file directly from installation source (i.e., replace the original file in the I386 installation source with the patched and modifype'd version)?

Edited by ponghy

Hello there!

I have (maybe) a similar problem & I need your help!

When I installed my unattended Windows XP I realized that I could no longer install some visual styles because of Windows File Protection. Now, I'm desperate because I can't install my favourite Flyakite (MacOSX) theme ...

I found out that the problem is related to uxtheme.dll (or something like that). I tried some patch that I found on the Net, but nothing helped.

What could I do?

Please help me!
