Government Security
Network Security Resources


How To Disable Windows File Protection


5 replies to this topic

#1 boshcash
    Staff Sergeant (Sergeant Major group, 461 posts)

Posted 03 November 2003 - 06:46 AM

Windows File Protection is an integrated feature in Windows XP and Windows 2000 which prevents users from replacing files by keeping a backup at system32\dllcache. Microsoft wrote about disabling the service by modifying the registry keys, but didn't mention how to disable it without prompting and for unlimited reboots, and they say a kernel debugger is required to disable that file protection. Is there a way to disable Windows File Protection completely?

There is a program called WFPAdmin; does anyone have the full version of it?

With that file protection enabled no one can actually replace a file on the system. I tried once to delete the telnet.exe file from dllcache and then from the system32 folder; Windows popped up a dialog asking where my Windows XP CD is. I also tried with the svchost file; it won't be deleted (I taskkilled it first). Can you offer any help??

#2 Guest_raptor_*
    Guest

Posted 03 November 2003 - 07:04 AM

On 9x systems I think there was a command like "lock off".
I don't know now... it must have some alternative.

#3 fertile
    Private (Members, 15 posts)

Posted 03 November 2003 - 07:43 AM

Windows 2000 and Win2k SP1 (NOT SP2+ or XP)

System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: SFCDisable
Data Type: REG_DWORD (DWORD Value)
Value Data: 0 = enabled (default), ffffff9d = disabled

Change the value of "SFCDisable" to "ffffff9d" to disable WFP or "0" to enable it. The other valid hexadecimal values are:

1 - disabled, prompt at boot to re-enable
2 - disabled at next boot only, no prompt to re-enable
4 - enabled, with popups disabled
ffffff9d - for completely disabled

Restart Windows for the change to take effect.

Additional Steps for Windows 2000 Service Pack 2 and Windows XP

This setting is disabled in Windows 2000 SP2+ and Windows XP, and needs to be re-enabled using a hex editor and changing SFC.DLL (or SFC_OS.DLL for Windows XP) following these instructions. (Alternatively you can just replace the existing DLL with the one from SP1 via boot disk or whatever, then use the reg key, but that's no fun, is it? :) )

Windows 2000 SP2+

Make a backup of the SFC.DLL in the C:\WINNT\SYSTEM32 directory.
Make an additional copy of SFC.DLL called SFC1.DLL and open it in a hex editor.
At offset 00006211 (6211h) you should find the values "8B" and "C6". Do not continue if you are unable to find these values.
Change the values "8B C6" to read "90 90" and save the changes.
Run these commands to update the system files:
copy c:\winnt\system32\sfc1.dll c:\winnt\system32\sfc.dll /y
copy c:\winnt\system32\sfc1.dll c:\winnt\system32\dllcache\sfc.dll /y

If you are prompted to insert the Windows CD, click Cancel.
Restart Windows for the change to take effect.

Windows XP

Make a backup of the SFC_OS.DLL in the C:\WINDOWS\SYSTEM32 directory.
Make an additional copy of SFC_OS.DLL called SFC_OS1.DLL and open it in a hex editor.
Windows XP (no Service Pack)
At offset 0000E2B8 (0E2B8h) you should find the values "8B" and "C6".
Windows XP (Service Pack 1)
At offset 0000E3BB (0E3BBh) you should find the values "8B" and "C6".
Do not continue if you are unable to find these values.
Change the values "8B C6" to read "90 90" and save the changes.
Run these commands to update the system files:
copy c:\windows\system32\sfc_os1.dll c:\windows\system32\sfc_os.dll /y
copy c:\windows\system32\sfc_os1.dll c:\windows\system32\dllcache\sfc_os.dll /y

If you are prompted to insert the Windows CD, click Cancel.
Restart Windows for the change to take effect.
Once these files have been updated apply the registry setting above.

Alternatively you can also just start the machine with a debugger attached, running the kernel with /DEBUG.
I do this all the time for various reasons, but I wouldn't advise this option unless you really know what you're doing.
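The byte patch above hinges on one check: the two bytes at the quoted offset must be "8B C6" (x86 `mov eax, esi`) before they are overwritten with "90 90" (two `nop`s, the same length, so nothing else in the DLL shifts). The following Python helper is an added example, not code from this thread, from WFPAdmin or from Microsoft. It enforces that check before writing anything, works on whatever copy you point it at, and leaves the copy-to-system32/dllcache steps to the manual procedure in the post. The offsets are the three the post lists; the file names, the backup suffix and the sample buffer are this example's own, and the sample buffer is a constructed stand-in, not a real DLL. It also shows why the odd-looking SFCDisable value reads the way it does: 0xffffff9d is simply -99 as a signed 32-bit DWORD.

```python
"""Verify-then-patch helper for the SFC.DLL / SFC_OS.DLL byte patch.

Added example (not from the thread). Refuses to write unless the expected
instruction bytes are found at the given offset; operates on a copy only.
"""
from __future__ import annotations

import shutil
from pathlib import Path

# Offsets quoted in the post, keyed by the build they were reported for.
KNOWN_OFFSETS = {
    "win2k-sp2+ sfc.dll": 0x6211,
    "winxp sfc_os.dll": 0xE2B8,
    "winxp-sp1 sfc_os.dll": 0xE3BB,
}

EXPECTED = bytes.fromhex("8BC6")  # x86: mov eax, esi
PATCH = bytes.fromhex("9090")     # x86: nop; nop (same length as EXPECTED)


def find_all(data: bytes, pattern: bytes = EXPECTED) -> list[int]:
    """Every offset at which `pattern` occurs.

    8B C6 is a common instruction and turns up many times in a real DLL,
    which is why the post says to check the offset, not just the bytes."""
    hits, start = [], 0
    while (i := data.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def matches(data: bytes, offset: int, expected: bytes = EXPECTED) -> bool:
    """True only if `expected` sits exactly at `offset` (inside the buffer)."""
    return offset >= 0 and data[offset:offset + len(expected)] == expected


def patch_bytes(data: bytes, offset: int,
                expected: bytes = EXPECTED, patch: bytes = PATCH) -> bytes:
    """Return a patched copy of `data`; raise if the pre-check fails."""
    if len(expected) != len(patch):
        raise ValueError("patch must be the same length as the bytes it replaces")
    if not matches(data, offset, expected):
        found = data[offset:offset + len(expected)].hex() or "<end of file>"
        # The post's "do not continue" rule, enforced instead of eyeballed.
        raise ValueError(f"expected {expected.hex()} at {offset:#x}, found {found}; "
                         "wrong build or already patched, refusing to write")
    return data[:offset] + patch + data[offset + len(patch):]


def patch_file(src: Path, offset: int, backup_suffix: str = ".orig") -> Path:
    """Back up `src` next to itself, then overwrite it with the patched bytes.

    Only the file you name is touched; copying the result over system32 and
    dllcache (and cancelling the CD prompt) stays a manual step."""
    data = src.read_bytes()
    patched = patch_bytes(data, offset)  # validate before touching disk
    backup = src.with_name(src.name + backup_suffix)
    shutil.copy2(src, backup)
    src.write_bytes(patched)
    return backup


def dword_as_signed(value: int) -> int:
    """Read a REG_DWORD as a signed 32-bit integer (0xffffff9d -> -99)."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def _demo() -> None:
    # Constructed stand-in for sfc_os.dll: zeros, with the expected
    # instruction planted at the XP SP1 offset and one decoy elsewhere.
    fake = bytearray(0x10000)
    off = KNOWN_OFFSETS["winxp-sp1 sfc_os.dll"]
    fake[off:off + 2] = EXPECTED
    fake[0x100:0x102] = EXPECTED
    data = bytes(fake)
    print("8B C6 found at:", [hex(i) for i in find_all(data)])
    print("patched bytes at offset:", patch_bytes(data, off)[off:off + 2].hex())
    try:
        patch_bytes(data, KNOWN_OFFSETS["winxp sfc_os.dll"])  # wrong build
    except ValueError as exc:
        print("refused:", exc)
    print("SFCDisable 0xffffff9d as signed:", dword_as_signed(0xFFFFFF9D))


if __name__ == "__main__":
    _demo()
```

To use it on a real copy, call `patch_file(Path("sfc_os1.dll"), KNOWN_OFFSETS["winxp-sp1 sfc_os.dll"])` on the SFC_OS1.DLL copy the post tells you to make; if the build does not match the table, the function raises before the file is modified and you stop, exactly as the post instructs.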

#4 boshcash
    Staff Sergeant (Sergeant Major group, 461 posts)

Posted 03 November 2003 - 09:35 AM

Thanks fertile, I had read all that you wrote from multiple sources and that's what I got from them, but the problem is: can't any program do that while the PC is running?

WFPAdmin is made by Collake, who discovered the value to completely disable file protection. Can't you disable that file protection while running Windows?

Second thing: I heard some viruses, like variants of MSBlast, make the trojan file a protected system file. How can this be done and how can this be disabled?

Where is the list that has the protected file paths, and can I edit it?

#5 ghost_c
    Private First Class (Members, 38 posts)

Posted 03 November 2003 - 11:04 AM

Sweet, thanks guys, nice info... :)

#6 fertile
    Private (Members, 15 posts)

Posted 03 November 2003 - 11:41 AM

> Thanks fertile, I had read all that you wrote from multiple sources and that's what I got from them, but the problem is: can't any program do that while the PC is running?
>
> WFPAdmin is made by Collake, who discovered the value to completely disable file protection. Can't you disable that file protection while running Windows?
>
> Second thing: I heard some viruses, like variants of MSBlast, make the trojan file a protected system file. How can this be done and how can this be disabled?
>
> Where is the list that has the protected file paths, and can I edit it?

OK, to see what is being protected, use the "strings" program from Sysinternals on the sfc.dll.

As for playing with WFP/SFC: in the past, when it's annoying me, I set the cache size to some stupidly low amount.

Have a play with it.

Under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon], create a new DWORD value, or modify the existing value, called "SfcQuota" and set it to the allowable disk space in megabytes (decimal). For example, 50 MB would be 0x00000032 (50) and 200 MB would be 0x000000c8 (200). The default value is 0xffffffff (or approximately 300 MB).

Or alternatively just run the SFC command with the cachesize switch to set it:

These are the possible switches for that command :

/SCANNOW      Scans all protected system files immediately.
/SCANONCE     Scans all protected system files once at the next boot.
/SCANBOOT     Scans all protected system files at every boot.
/CANCEL       Cancels all pending scans of protected system files.
/QUIET        Replaces all incorrect file versions without prompting the user.
/ENABLE       Enables Windows File Protection for normal operation.
/PURGECACHE   Purges the file cache and scans all protected system files immediately.
/CACHESIZE=x  Sets the file cache size.

(There's an enable switch... where the hell is the damn /disable one? :) )

That program you mentioned does everything that has been posted here, but in a pretty GUI.


As for adding files to the SFC yourself: this is blatantly made up in my own head :) but try dumping a copy of the file wherever, and then a copy of that file in the dllcache folder, and making the original file a system file (Properties, tick "system file", or attrib +s). This is bound to not work, heh, but it's all I can think of right now.

If you're a programmer you can do it the MS way by calling the correct APIs, of course.
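The "run strings on the DLL" suggestion above has one catch worth knowing: Windows binaries store most file names as UTF-16LE, so a plain ASCII strings tool sees "k.e.r.n.e.l.3.2" broken up by NUL bytes and misses them, which is why the Sysinternals version scans Unicode as well. The following Python script is an added example, not the Sysinternals tool and not code from this thread: a minimal strings extractor that scans both encodings and then filters for file-name-like results by extension. Point it at whichever DLL you want to inspect; the SAMPLE blob it runs on by default is constructed for the demo and is not a real system file, and the extension list is this example's own choice.

```python
"""Minimal two-encoding `strings` (ASCII + UTF-16LE) with a file-name filter.

Added example, not from the thread or from Sysinternals. Usage:
    python strings_files.py [path-to-dll]
Without an argument it scans the constructed SAMPLE blob below.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

MIN_LEN = 4
# A run of printable ASCII, and a run of printable ASCII each followed by NUL
# (the UTF-16LE encoding of the same characters).
_ASCII = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16LE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Extensions typical of protected system files; used only as a filter here.
FILE_EXTS = (".dll", ".exe", ".sys", ".ocx", ".drv", ".cpl", ".ax")


def strings(data: bytes) -> list[tuple[int, str, str]]:
    """All printable runs as (offset, encoding, text), sorted by offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in _ASCII.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in _UTF16LE.finditer(data)]
    return sorted(found)


def file_names(data: bytes) -> list[str]:
    """Strings that look like file names, reduced to a lower-case basename
    so that a full path and a bare name collapse to one entry."""
    names = set()
    for _, _, text in strings(data):
        base = text.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
        if base.endswith(FILE_EXTS) and " " not in base:
            names.add(base)
    return sorted(names)


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample: a PE-ish header fragment, an ASCII banner, a few
# UTF-16LE names (one with a path), some opcode bytes, and one ASCII name.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 8
    + _u16("%SystemRoot%\\system32\\telnet.exe") + b"\x00\x00"
    + _u16("svchost.exe") + b"\x00\x00"
    + _u16("sfc_os.dll") + b"\x00\x00"
    + b"\x8b\xc6\x90\x90\xcc\xcc"  # binary noise: no printable run of 4
    + b"ws2_32.dll\x00"
)


def main(argv: list[str]) -> None:
    data = Path(argv[1]).read_bytes() if len(argv) > 1 else SAMPLE
    for off, enc, text in strings(data):
        print(f"{off:08x} {enc:8} {text}")
    print("file-like names:", ", ".join(file_names(data)))


if __name__ == "__main__":
    main(sys.argv)
```

Against the sample, the ASCII pass finds only the DOS banner and ws2_32.dll, while the UTF-16LE pass is what surfaces telnet.exe, svchost.exe and sfc_os.dll; on a real DLL the same split is why the Unicode-aware tool shows far more names than a naive one.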



