
Disable XP SFC/WFP (Works With SP3)

19 replies to this topic

#1 snooz
Member, 119 posts, joined 11-August 03
Normal process usually entails hex editing sfc_os.dll. I am testing SP3 RC1 and I could not find anyone who had hacked it yet. Searching the net I found a guy who figured out a way to make XP think it was in safe mode, thus SFC/WFP is disabled. The cool thing about this hack is that no matter what previous or future version you are running, WFP can be disabled in the same manner. Using the hex editor method the values constantly change. He also found out a way to enable the security tab when your machine is not a member of a domain.

FYI just in case:
rshx32.dll = Security tab
sfc_os.dll = WFP

Credit goes to Neowinian on neowin.net forums for the solution:

Here's how to make the Windows XP file system think it's in safe mode. This will disable Windows File Protection, and also add the Security tab when you right-click on a file in Explorer and select Properties.

Step 0: XP ships with a simple hex editor called DEBUG.EXE that is required for this procedure. If you deleted it, put it back in the windows\system32 directory -- you can remove it afterwards if you wish.

Step 1: Click Start>Run, type in SERVICES.MSC and press the <enter> key. Find the entry labeled Cryptographic Services and double-click it. Change the startup type to Disabled and click Apply, then click the Stop button, and then click OK. (Note: if you already had Cryptographic Services disabled, omit this step as well as step 8.)

Step 2: Open a CMD.EXE Command Prompt window and type the following commands:

cd \windows\system32
ren rshx32.dll rshx32.old
ren sfc_os.dll sfc_os.old

You will probably receive warning messages from Windows File Protection after each REN command. Make sure to select the options to ignore the warning and allow the files to be renamed.

Step 3: Type the following commands:

cd \
del rshx32.dll /s
del sfc_os.dll /s
cd \windows\system32
copy rshx32.old rshx32.dll
copy sfc_os.old sfc_os.dll

IMPORTANT!!! You MUST rename the files in Step 2 before you can copy them in Step 3, or this procedure will not work!

Step 4: Type the following command:

DEBUG rshx32.dll

You'll now have a minus-sign as a prompt. Type the following command:

S 100 8000 74 00 5C 00 4F

DEBUG will return a line of the form:

0ADE:0AC0

The four-character letter-number combination after the colon is what you must enter in the command below. Now type the following three commands:

E 0AC0 74 00 00 00 4F (use the value returned to you above and not 0AC0!!!)
W
Q

Step 5: Type the following command:

DEBUG sfc_os.dll

You'll now have a minus-sign as a prompt. Type the following command:

S 100 8000 74 00 5C 00 4F

DEBUG will return a line of the form:

0ADE:0AC0

The four-character letter-number combination after the colon is what you must enter in the command below. Now type the following three commands:

E 0AC0 74 00 00 00 4F (use the value returned to you above and not 0AC0!!!)
W
Q

Step 6: Type the following commands:

copy rshx32.dll dllcache
copy sfc_os.dll dllcache

Step 7: Close the Command Prompt window, open Regedit, and go to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

Create a new DWORD value called OptionValue and give it a value of 1. Close Regedit.

Step 8: Run the SERVICES.MSC program, select Cryptographic Services, change the startup type to Manual, and click Apply. Do not start the service! (Note: omit this step if Cryptographic Services was disabled before you began this procedure.)

Step 9: Reboot your system.

That's it! You will now have the security tab at all times, and Windows File Protection will be disabled. If you would like to remove the tab and re-enable Windows File Protection, use Regedit to change OptionValue to 0, and then reboot your system. The method used to patch RSHX32.DLL and SFC_OS.DLL should work on any version of the file, including future versions issued in upcoming service packs or hotfixes.

Please note that if you apply these patches, they will take precedence over safe mode. This means that you must first set OptionValue to 1 in the registry before you boot into safe mode in order to see the security tab and to have Windows File Protection disabled.

Edited by snooz, 12 January 2008 - 02:55 PM.
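An added example, not code from this thread, from the Neowin post or from Microsoft: a read-only integrity check that tells, from a DLL image on disk, whether it still carries the intact UTF-16LE "SafeBoot\Option" path or the NUL-truncated form that Steps 4 and 5 produce (74 00 5C 00 4F becoming 74 00 00 00 4F). The full registry path and the sample images below are constructed assumptions; run over the system32 files GrofLuigi lists further down, it also shows which files embed the key path at all.

```python
"""Check DLL images for the SafeBoot\\Option string patch described in the thread.

Added example, not the thread's own code. It only reads files and reports;
it never writes to them. Sample images are constructed, not real DLL bytes.
"""
import sys
from typing import Dict, List

# Registry path as assumed to be embedded in the DLLs (UTF-16LE, as DEBUG searches it).
REG_PATH = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Option"
INTACT = "SafeBoot\\Option".encode("utf-16-le")
# The patch overwrites the 5C 00 backslash with 00 00, terminating the string at
# "SafeBoot" so OptionValue is read from the parent key instead of \Option.
PATCHED = INTACT.replace(b"\\\x00", b"\x00\x00", 1)


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every file offset at which needle occurs in haystack."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def classify(image: bytes) -> Dict[str, List[int]]:
    """File offsets of intact and patched references to SafeBoot\\Option."""
    return {"intact": find_all(image, INTACT), "patched": find_all(image, PATCHED)}


def verdict(image: bytes) -> str:
    """PATCHED if any truncated reference exists, INTACT if only clean ones,
    NO_REFERENCE if the image does not embed the key path at all."""
    found = classify(image)
    if found["patched"]:
        return "PATCHED"
    return "INTACT" if found["intact"] else "NO_REFERENCE"


# Constructed stand-ins for a clean and a patched DLL (not real file contents).
SAMPLE_CLEAN = b"\x00" * 16 + REG_PATH.encode("utf-16-le") + b"\x00\x00" + b"\x90" * 8
SAMPLE_PATCHED = SAMPLE_CLEAN.replace(b"t\x00\\\x00O\x00", b"t\x00\x00\x00O\x00", 1)

if __name__ == "__main__":
    # Usage: python check_safeboot.py sfc_os.dll rshx32.dll ...
    # DEBUG loads a file at offset 0100h, so its address minus 0x100 is the file offset.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            data = fh.read()
        print(f"{path}: {verdict(data)} {classify(data)}")
```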




#2 kickarse (the free techie)
Member, 227 posts, joined 26-April 05, OS: XP Pro x86
Nice guide... just curious on if WFPSwitch still works? I haven't needed to use it because of my Nlited cd's and I'm not getting the error post sp3.


Edited by kickarse, 12 January 2008 - 03:27 PM.

http://drop.io/wanderingit -- download DriverGeek (formally DriverForge) and FindHWIDS

#3 jdoe
Advanced Member, 314 posts, joined 02-May 04
For those who were using my patched SFC_OS.DLL (WFP disabled permanently without dealing with the registry) just post the latest SFC_OS.DLL from SP3 and I'll patch it.

I'm curious to see how Microsoft tried to prevent us from disabling it this time :lol:

#4 GrofLuigi (GroupPolicy Tattoo Artist)
Member, 1,360 posts, joined 21-April 05
This is the Internet's word of mouth... a very dangerous thing.

Here is the original (?) article about getting the Security tab appear in XP home. Notice it suggests naming it OptionValuf to differ from the original.

Rshx32.dll is patched... but what about the others? Are you ready to patch your whole OS? Not to mention that I still fail to comprehend how this dll relates to SFC... But maybe that's just me. Or THAT is the method that the author has discovered. But I wouldn't risk to patch it on a live system (while I don't have that problem with sfc_os.dll).

I haven't tried this tweak and don't recommend it to anyone. All I know is, last time I created an OptionValue in the registry (I like to tinker with Regmon a lot, and I saw many applications were trying to read it) I lost my soundcard and other drivers. I believe this is the value that gets set when you choose which flavor of Safe Mode you want - with networking, etc... And by the way, many drivers don't start in safe mode.

So... do you really want to be constantly in safe mode?

GL

#5 GrofLuigi (GroupPolicy Tattoo Artist)
Member, 1,360 posts, joined 21-April 05
To back up my claims, here's a list of files in system32 folder that query the OptionValue entry:

advapi32.dll
credui.dll
cscdll.dll
dhcpmon.dll
filemgmt.dll
kernel32.dll
localsec.dll
lsasrv.dll
msgina.dll
msv1_0.dll
netcfgx.dll
netid.dll
ntdll.dll
ntkrnlpa.exe
ntoskrnl.exe
ntshrui.dll
pautoenr.dll
rshx32.dll
samsrv.dll
services.exe
sfc_os.dll
smlogcfg.dll
smss.exe
syssetup.dll
winlogon.exe

Found through searching Unicode strings. There may be others; this is a heavily nLited system.

It seems this is an (undocumented by Microsoft?) way of determining if we're in safe mode or not.

GL

#6 mhc
Newbie, 21 posts, joined 02-May 06
Since I was the "Neowinian" who originally posted the above patches, I'm wondering why the OP didn't put a link to my post (don't care about credit per se, but this seems like "ripping").

Anyway, to GrofLuigi...note that this patch moves "OptionValue" in the two DLLs to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

from

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option

and effectively gives the user control over operation of the Security tab and WFP. By setting OptionValue to 1, you see the Security tab and WFP is disabled. By setting it to 0, WFP is enabled and the Security tab disappears. The possible downside is that the patched OptionValue now takes precedence over Safe Mode for these two functions -- which for my purposes is no downside whatsoever, but it might be a problem for others. I also documented this possible downside in the patch posted above.

All other DLLs will respect the OptionValue that XP puts in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option

when it loads in Safe Mode.

Edited by mhc, 13 January 2008 - 07:21 PM.


#7 snooz
Member, 119 posts, joined 11-August 03

Since I was the "Neowinian" who originally posted the above patches, I'm wondering why the OP didn't put a link to my post (don't care about credit per se, but this seems like "ripping").


Some boards don't like linking to other sites. I mentioned your name and the board; that is not "ripping". Shows a lot about you, since I praised your work and gave you credit.

#8 mhc
Newbie, 21 posts, joined 02-May 06
Please read your post again...my name was never mentioned, and that, combined with the lack of a link, was why I reacted as I did. So for the record, here is the link to my post on Neowin which was "quoted" above.

http://www.neowin.ne...howtopic=600928

#9 gosh (gosh 2.0)
Patrons, 2,347 posts, joined 03-October 03
This has been documented by Microsoft. I've known about this since XP came out but saw no need to do this. Fooling the operating system into thinking it's in safe mode could cause unforeseen problems that I would rather avoid. This is the poor man's hex editing.

-gosh

#10 mhc
Newbie, 21 posts, joined 02-May 06
Wow. Where do I begin. Oh yeah, I know. Have you ever looked at the hex code in RSHX32.DLL or SFC_OS.DLL? I have, and what I did above is a FAR better way to hack these programs than, for example, finding the mysterious "-63" check in SFC_OS.DLL. Are you aware that SFC_OS.DLL does a simple check for safe mode just like it does a simple check for -63? And that RSHX32.DLL checks for safe mode for the sole reason to determine whether to display the Security tab in XP Home? And that for these reasons, the above patches affect no other operation in XP?

Geez, these patches aren't like eliminating core XP components that can break the most popular programs sold in the marketplace...it's just altering simple checks in two DLLs!

I would be reacting differently if you actually TRIED the hacks and found problems with them. Right now you're shooting from the hip with statements that IMO have no basis in reality.

Oh, FWIW, what I did above is hex editing. And what you call hex editing is also fooling the operating system as much as what I did above. The difference is that the above way is a better solution, period, than attempting to hack actual code since it is version-independent. And since the registry value set by NTOSKRNL.EXE to signify safe mode is checked by so many DLLs when they are loaded, that value will not change at this point in XP, so hacking that location in SFC-OS.DLL and RSHX32.DLL will remain valid for the remainder of XP's life.

Edited by mhc, 14 January 2008 - 06:05 PM.


#11 Fyyre
Member, 2 posts, joined 18-January 08
sfc_os.dll: Change the xor eax,eax inc eax to nop nop nop at offset EC95, EC96, EC97:

33C041 to 909090

#12 jdoe
Advanced Member, 314 posts, joined 02-May 04

sfc_os.dll: Change the xor eax,eax inc eax to nop nop nop at offset EC95, EC96, EC97:

33C041 to 909090


Fyyre,

I don't know where you got that but it's not good.

"xor eax, eax" and "inc eax" should be 33C040 not 33C041

And at offset EC95 there is no "xor eax, eax" but "xor ecx, ecx" which is 33C9


-----------------------


To permanently disable Windows File Protection - Windows XP Pro SP3 (5.1.2600.3264)
Without using the registry.

At offset EC84, replace 83F89D7508 by 3BC0EB3290

cmp eax, FFFFFF9D
jne 76C6F891

by

cmp eax, eax
jmp 76C6F8BA


:sneaky:


Edited by jdoe, 21 January 2008 - 01:23 PM.


#13 Fyyre
Member, 2 posts, joined 18-January 08
> I don't know where you got that but it's not good.

Hi,

I have version 3244. Since there is no such cmp eax, 0xFFFFF9D in its sfc_os.dll - that explains a lot =o

I'm using the WU registry patch from connect.microsoft.com, you? (in regards to SP build number...)

#14 jdoe
Advanced Member, 314 posts, joined 02-May 04

I have version 3244. Since there is no such cmp eax, 0xFFFFF9D in its sfc_os.dll - that explains a lot =o


I thought it was for SP3 RC1, but anyway, there is a typo somewhere :}

#15 snooz
Member, 119 posts, joined 11-August 03

Please read your post again...my name was never mentioned, and that, combined with the lack of a link, was why I reacted as I did. So for the record, here is the link to my post on Neowin which was "quoted" above.

http://www.neowin.ne...howtopic=600928


Wrong

Credit goes to Neowinian on neowin.net forums for the solution:


What I find ironic is that you are taking credit for the solution when, as someone else pointed out, Microsoft released it. You're accusing me of not giving credit when you are the one guilty of it.

I appreciate the solution nonetheless.

Edited by snooz, 26 January 2008 - 06:35 PM.


#16 Finch
Member, 6 posts, joined 27-April 08

Please read your post again...my name was never mentioned, ...
http://www.neowin.ne...howtopic=600928

Wrong

Credit goes to Neowinian on neowin.net forums for the solution:

Just to shed some light on this misunderstanding: "Neowinian" is *not* his name, it's a "member level" on neowin.net just like "Newbie", "Member", "Advanced Member" etc. are on msfn.org.
So what you thought was his name was NOT AT ALL his name... and for him of course, it "obviously" just meant "some member from neowin.net" and he cannot be expected to see what you thought...
Honest mistake, I'd say, but still on your part...

What I find ironic is you are taking credit for the solution when as someone else pointed out that Microsoft released it. Your accusing me of not giving credit when you are the one guilty of it.

I don't know the spec but if some mechanism is "documented" that is not at all the same as some working patch. Now you're being unreasonably unfriendly IMHO...

#17 Tribble
Junior, 85 posts, joined 01-June 04
Anybody got final sp3 patched sfc_os.dll ? Or better: a simple patcher like "Windows File Protection Switcher" for sp3? Windows File Protection Switcher is no longer working since SP3.

Edited by Tribble, 02 May 2008 - 04:24 PM.


#18 xrayer (RayeR)
Member, 145 posts, joined 15-May 07, OS: 98SE

To permanently disable Windows File Protection - Windows XP Pro SP3 (5.1.2600.3264)
Without using the registry.
At offset EC84, replace 83F89D7508 by 3BC0EB3290


Thanks dude. I can confirm that this works also on XP SP3 CZ final.
Win98(SE)CZ unofficial support site.
Running MSDOS 6.22, FreeDOS, Win98SE+KEX-4.5.2+nSP+nUSB, NT4.0-SP6, WinXP-SP3, Debian Linux
Gigabyte GA-P31-DS3L, Core 2 Duo E8500@3,6GHz, 4GB DDR2, GF7900GT/256M, SSD Samsung 840 Pro, WD1000FBYX SATA, SB Audigy 2

#19 Joc
Junior, 91 posts, joined 02-December 03
snooz: thank you for your help, it worked with my local (hungarian) version too!

#20 caps_buster
Member, 117 posts, joined 20-February 09

jdoe - thank you very much! I use your patched sfc_os.dll with the original 4k sfcfiles.dll on WinXP SP3 (Czech) and it works for me just fine. I didn't need to touch sfc.dll and it is working fine! Thank you a bunch!

Sticky? :thumbup


Disclaimer: Any errors in spelling, tact, or fact are transmission errors.



