General Discussion | Disabling WFP (Windows File Protection)

Author	Message	Time
Yoni	I'm setting up my new computer and I noticed that Windows lets you disable WFP. Useful for anyone working on hacking and modifying system files protected by this silly mechanism. (I haven't tested this but it looks like it should work.) Start -> Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> Windows File Protection: Enable the "Limit Windows File Protection cache size" setting, and set the maximum cache size to 0 MB. (Does anyone know of a cleaner way to do this?) Thanks everyone... I am Yoni, that is your hacker tip...... of the day.	July 12, 2004, 9:57 AM
zorm	A webpage I found some time ago mentions several ways to disable WFP, http://home.earthlink.net/~vorck/2ksp3.html towards the top it talks about a registry setting and dll hack and at the bottom it talks about possibly disabling it at install time. For more information on the registry setting see http://www.winguides.com/registry/display.php/790	July 12, 2004, 10:12 AM
crankycefx	Hmmm. That would fuck up sfc, no? So if something breaks, sfc won't fix it. :(	July 13, 2004, 12:48 AM
Adron	[quote author=Yoni link=board=2;threadid=7673;start=0#msg69937 date=1089626273] I'm setting up my new computer and I noticed that Windows lets you disable WFP. Useful for anyone working on hacking and modifying system files protected by this silly mechanism. (I haven't tested this but it looks like it should work.) Start -> Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> Windows File Protection: Enable the "Limit Windows File Protection cache size" setting, and set the maximum cache size to 0 MB. (Does anyone know of a cleaner way to do this?) Thanks everyone... I am Yoni, that is your hacker tip...... of the day. [/quote] You should go test this. I think the result will be a dialog box asking you to insert the Windows CD whenever it detects a modified file. When I want to replace particular protected files, I disallow write access to them by the system account. This prevents windows file protection from messing anything up... The clean way of disabling windows file protection is to set the disable flag in the registry and boot the system with a kernel debugger attached. Perhaps it would also be possible to just delete the windows file protection service?	July 13, 2004, 1:52 PM
crankycefx	Is this XP? if so: Hex edit the file sfc_os.dll (after copying it and renaming the copy to .bak) XP: Go to offset 0000E2B8 (E2B8 hex) XP SP1: Go to offset 0000E3BB (E3BB hex) Change 8B C6 to 9090 Edit the reg key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon DWORD Value: "SFCDisable" Double click it and put in the value: FFFFFF9D To disable: 0 Cheers.	July 13, 2004, 3:13 PM

Author

Message

Time

Yoni

I'm setting up my new computer and I noticed that Windows lets you disable WFP. Useful for anyone working on hacking and modifying system files protected by this silly mechanism. (I haven't tested this but it looks like it should work.)

Start -> Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> Windows File Protection:
Enable the "Limit Windows File Protection cache size" setting, and set the maximum cache size to 0 MB.

(Does anyone know of a cleaner way to do this?)

Thanks everyone... I am Yoni, that is your hacker tip...... of the day.

July 12, 2004, 9:57 AM

zorm

A webpage I found some time ago mentions several ways to disable WFP, http://home.earthlink.net/~vorck/2ksp3.html towards the top it talks about a registry setting and dll hack and at the bottom it talks about possibly disabling it at install time. For more information on the registry setting see http://www.winguides.com/registry/display.php/790

July 12, 2004, 10:12 AM

crankycefx

Hmmm.

That would fuck up sfc, no?

So if something breaks, sfc won't fix it. :(

July 13, 2004, 12:48 AM

Adron

[quote author=Yoni link=board=2;threadid=7673;start=0#msg69937 date=1089626273]
I'm setting up my new computer and I noticed that Windows lets you disable WFP. Useful for anyone working on hacking and modifying system files protected by this silly mechanism. (I haven't tested this but it looks like it should work.)

Start -> Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> Windows File Protection:
Enable the "Limit Windows File Protection cache size" setting, and set the maximum cache size to 0 MB.

(Does anyone know of a cleaner way to do this?)

Thanks everyone... I am Yoni, that is your hacker tip...... of the day.
[/quote]

You should go test this. I think the result will be a dialog box asking you to insert the Windows CD whenever it detects a modified file. When I want to replace particular protected files, I disallow write access to them by the system account. This prevents windows file protection from messing anything up...

The clean way of disabling windows file protection is to set the disable flag in the registry and boot the system with a kernel debugger attached. Perhaps it would also be possible to just delete the windows file protection service?

July 13, 2004, 1:52 PM

crankycefx

Is this XP? if so:

Hex edit the file sfc_os.dll (after copying it and renaming the copy to .bak)

XP:
Go to offset 0000E2B8 (E2B8 hex)
XP SP1:
Go to offset 0000E3BB (E3BB hex)

Change 8B C6 to 9090

Edit the reg key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

DWORD Value: "SFCDisable"

Double click it and put in the value: FFFFFF9D
To disable: 0

Cheers.

July 13, 2004, 3:13 PM

Valhalla Legends Forums Archive | General Discussion | Disabling WFP (Windows File Protection)