Disabling WFP (Windows File Protection)

Started by Yoni, July 12, 2004, 04:57 AM


Yoni

I'm setting up my new computer and I noticed that Windows lets you disable WFP. Useful for anyone working on hacking and modifying system files protected by this silly mechanism. (I haven't tested this but it looks like it should work.)

Start -> Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> Windows File Protection:
Enable the "Limit Windows File Protection cache size" setting, and set the maximum cache size to 0 MB.

(Does anyone know of a cleaner way to do this?)

Thanks everyone... I am Yoni, that is your hacker tip...... of the day.

Zorm

A webpage I found some time ago mentions several ways to disable WFP: http://home.earthlink.net/~vorck/2ksp3.html. Towards the top it talks about a registry setting and DLL hack, and at the bottom it talks about possibly disabling it at install time. For more information on the registry setting, see http://www.winguides.com/registry/display.php/790
"Now, gentlemen, let us do something today which the world make talk of hereafter."
- Admiral Lord Collingwood

cefx-

Hmmm.

That would fuck up sfc, no?

So if something breaks, sfc won't fix it. :(
cefx
Technodev.org (future project) / UnixPartisan.org
Future dictator

Adron

Quote from: Yoni on July 12, 2004, 04:57 AM
I'm setting up my new computer and I noticed that Windows lets you disable WFP. Useful for anyone working on hacking and modifying system files protected by this silly mechanism. (I haven't tested this but it looks like it should work.)

Start -> Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> Windows File Protection:
Enable the "Limit Windows File Protection cache size" setting, and set the maximum cache size to 0 MB.

(Does anyone know of a cleaner way to do this?)

Thanks everyone... I am Yoni, that is your hacker tip...... of the day.

You should go test this. I think the result will be a dialog box asking you to insert the Windows CD whenever it detects a modified file. When I want to replace particular protected files, I disallow write access to them by the system account. This prevents Windows File Protection from messing anything up...

The clean way of disabling Windows File Protection is to set the disable flag in the registry and boot the system with a kernel debugger attached. Perhaps it would also be possible to just delete the Windows File Protection service?

cefx-

Is this XP? If so:

Hex edit the file sfc_os.dll (after copying it and renaming the copy to .bak)

XP:
Go to offset 0000E2B8 (E2B8 hex)
XP SP1:
Go to offset 0000E3BB (E3BB hex)

Change 8B C6 to 9090


Edit the reg key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

DWORD Value: "SFCDisable"

Double click it and put in the value: FFFFFF9D
To disable: 0

Cheers.

cefx
Technodev.org (future project) / UnixPartisan.org
Future dictator
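
Seen from the audit side, both changes described in the post above leave checkable traces. The following PowerShell sketch is an added example, not part of the original thread: the function names are hypothetical, while the registry key, value name, offsets and byte values are the ones quoted in the posts. It assumes the offsets apply only to the XP and XP SP1 builds named there.

```powershell
# Added example: audit a host for the two WFP changes described in this thread.
# Function names are hypothetical; key, value name, offsets and bytes come from the posts.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-SfcDisableValue {
    # An absent value or 0 is the default state (WFP enabled).
    $prop = Get-ItemProperty -Path $WinlogonKey -Name 'SFCDisable' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'OK: SFCDisable is not set' }
    # DWORDs are returned as signed Int32, so format as hex instead of casting.
    $hex = '{0:X8}' -f $prop.SFCDisable
    if ($prop.SFCDisable -ne 0) { return "ALERT: SFCDisable = 0x$hex (non-default)" }
    return "OK: SFCDisable = 0x$hex"
}

function Test-SfcOsPatch {
    param(
        [string]$Path = "$env:SystemRoot\System32\sfc_os.dll",
        [Parameter(Mandatory = $true)][int]$Offset
    )
    if (-not (Test-Path -LiteralPath $Path)) { return "SKIP: $Path not found" }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt ($Offset + 2)) { return 'SKIP: file is shorter than the offset' }
    # Compare the two bytes at the offset with the original and patched values.
    $pair = '{0:X2} {1:X2}' -f $bytes[$Offset], $bytes[$Offset + 1]
    switch ($pair) {
        '8B C6' { 'OK: original bytes 8B C6 at 0x{0:X}' -f $Offset }
        '90 90' { 'ALERT: 90 90 (NOP NOP) at 0x{0:X}, file appears patched' -f $Offset }
        default { 'UNKNOWN: {0} at 0x{1:X}, different build or other change' -f $pair, $Offset }
    }
}

Test-SfcDisableValue
# Offsets as given in the thread: 0xE2B8 for XP, 0xE3BB for XP SP1.
Test-SfcOsPatch -Offset 0xE2B8
Test-SfcOsPatch -Offset 0xE3BB
```

An UNKNOWN result on any other Windows build is expected, since the offsets are specific to the two versions named in the post.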