Remove a file protected by Windows File Protection

13 replies to this topic

#1
ponghy

    MSFN Student

  • Member
  • 175 posts
  • Joined 21-April 05
Hi all.

I'd like to know how to delete a file located in the system32 and dllcache subdirectories after the operating system is installed.

If I delete the file with a VBScript after the system is installed, this file is automatically regenerated (copied again from source). I've tried several ways, including the editing of \Windows\System32\restore\filelist.xml in order to add the file to the exclusion list.

Please bear in mind that I don't want to disable or hack Windows File Protection, only exclude this file from the list of protected files. The file should be deleted permanently. And another important thing: I don't want to remove this file from the installation source in order to avoid errors in the setup log.

Is this possible?
Thanks.

Edited by ponghy, 18 June 2007 - 05:16 PM.




#2
cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,018 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64

Donator

It's not really possible, at least not without constant errors. I guess the related question is, which file are you trying to exclude and why?
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!

#3
jdoe

    Advanced Member

  • Member
  • 314 posts
  • Joined 02-May 04
If you delete the file first in \WINDOWS\system32\dllcache and then \WINDOWS\system32, you'll have to take care of the warning message and it seems possible to do it with a VBScript.

#4
ponghy

    MSFN Student

  • Member
  • 175 posts
  • Joined 21-April 05
Thanks for your replies.

@cluberti: It's the old "plugin.ocx" file. This is no longer supported by Microsoft, and it's deleted in several cumulative updates of Internet Explorer.
If I remove that file from installation source I get the following error in setuperr.log:

LoadLibrary cannot register ActiveX control blah blah blah...

Is it possible to get rid of this file?? (without the previous error).

@jdoe: Actually, that trick doesn't work. If you leave the CD-ROM inserted in the drive, Windows File Protection will silently copy the file again, without warning boxes.

#5
Kelsenellenelvian

    WPI Guru

  • Developer
  • 8,688 posts
  • Joined 18-September 03
  • OS:Windows 7 x64
Ummm this is just my 2 cents but GIVE UP :P RyanVM has tried to get rid of that file properly since it became obsolete and even with removing it from the setup CD he has yet to find a way not to generate an error in the logs somewhere.

#6
ponghy

    MSFN Student

  • Member
  • 175 posts
  • Joined 21-April 05
I believe it's possible. Install the system normally with the target file (plugin.ocx). Now, install the KB933566 hotfix (a cumulative update of IE) and you'll realize that this hotfix PERMANENTLY removes this file from the system and this file is no longer protected by Windows File Protection. These actions are done without any error in the event log (try this in a VM and you'll agree).

With this idea, I've tried to monitor the system changes when installing this patch, but I've not found the proper registry entry or file modification that does the trick.

Download the KB933566 patch. Now, run it and find the temporary directory this patch creates in order to put the extracted files (for example, C:\a0c7cbee6146a2ef23). Then, navigate to the update subdirectory and open the update_SP2QFE.inf file. Now, search for the [System32.Delfiles] and [Cache.Delfiles] sections. Note that these sections only reference 1 file, my target file: plugin.ocx. Indeed, these sections are launched by 2 DelFiles directives in the [ProductInstall.ReplaceFilesIfExist] section:

[ProductInstall.ReplaceFilesIfExist]
	DelFiles=Cache.Delfiles; <-------- Directive to permanently remove the file from the WFP repository.
	CopyFiles=System32.files
	CopyFiles=program_files.internet_explorer
	DelFiles=System32.Delfiles; <-------- Directive to permanently remove the file from the System folder.

Due to this, I think it's possible to emulate the patch behavior, but how?

Can any other user with experience in monitoring registry and file changes do the test for me? (in a VM, of course).

Thanks very much in advance :)

Edited by ponghy, 19 June 2007 - 08:41 AM.
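
An auditing aid for the INF layout described in the post above, added here as an example (it is not code from the post or from the hotfix): it resolves the repeated DelFiles/CopyFiles directives of an install section to the files they name, so an administrator can list what an update package removes before deploying it. The sample INF is constructed from the quoted excerpt, and the function names parse_inf and resolve_directive are hypothetical.

```python
import re

# Constructed sample modelled on the excerpt quoted in the post. The two
# *.Delfiles sections carry the single entry the post reports; the CopyFiles
# sections are omitted because the post does not show their contents.
SAMPLE_INF = """\
[ProductInstall.ReplaceFilesIfExist]
\tDelFiles=Cache.Delfiles; remove from the WFP cache
\tCopyFiles=System32.files
\tCopyFiles=program_files.internet_explorer
\tDelFiles=System32.Delfiles; remove from the system folder

[System32.Delfiles]
plugin.ocx

[Cache.Delfiles]
plugin.ocx
"""

def parse_inf(text):
    """Return {lowercased section name: [entries]}, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # simplification: no quoted ';'
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections

def resolve_directive(text, install_section, directive):
    """Map each section named by a (possibly repeated) directive to its files; None = section absent."""
    sections = parse_inf(text)
    resolved = {}
    for line in sections.get(install_section.lower(), []):
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != directive.lower():
            continue
        for name in (n.strip() for n in value.split(",")):
            entries = sections.get(name.lower())
            # A file-list entry is "dest[,src,...]"; keep the destination name.
            resolved[name] = entries and [e.split(",")[0].strip() for e in entries]
    return resolved

if __name__ == "__main__":
    print(resolve_directive(SAMPLE_INF, "ProductInstall.ReplaceFilesIfExist", "DelFiles"))
```

A generic key=value parser would keep only one of the two DelFiles lines, which is why the directives are walked line by line here.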


#7
cluberti

    Gustatus similis pullus

  • Supervisor
  • 11,018 posts
  • Joined 09-September 01
  • OS:Windows 8.1 x64

Donator

With this idea, I've tried to monitor the system changes when installing this patch, but I've not found the proper registry entry or file modification that does the trick.

This is actually a feature of the update engine that is used to install Windows Updates - it is able to directly deal with the SFC thread and components, and update as necessary. I can't say specifically where this data is stored, but it isn't the registry.

#8
ponghy

    MSFN Student

  • Member
  • 175 posts
  • Joined 21-April 05
Ok, thanks for your reply, cluberti :)

I've installed the complex and powerful Process Monitor tool from Sysinternals. Then, I've installed the patch and monitored the changes. But there are several changes to analyze, even with activated filters!!! :blink: I can pass you the log if you want to help me a bit more...

Thanks again :rolleyes:

#9
severach

    Member

  • Member
  • 163 posts
  • Joined 06-August 05
http://www.bitsum.com/aboutwfp.asp

#10
ponghy

    MSFN Student

  • Member
  • 175 posts
  • Joined 21-April 05

http://www.bitsum.com/aboutwfp.asp

Yes, you're right. Thanks for the tip.

Finally, I've coded my own tool to delete the protected system file, by calling the SfcFileException() undocumented API function.
It works like a charm and probably it's the only way to bypass WFP.

If anyone is interested in my tool, let me know.

Edited by ponghy, 25 June 2007 - 07:30 AM.


#11
ElTorqiro

    Newbie

  • Member
  • 23 posts
  • Joined 20-May 07

Finally, I've coded my own tool to delete the protected system file, by calling the SfcFileException() undocumented API function.
It works like a charm and probably it's the only way to bypass WFP.


Hi mate, nice work!!

One thing to look out for, which can be a silent surprise: the list of files monitored by SFC, WFP and other systems is kept in a file called sfcfiles.dll, which also has the enumeration function getsfcfiles() - the list returned from this function is used by other things than SFC/WFP so the only way to completely fix potential lookups is to edit this list, or the function it calls. I'm guessing SfcFileException() works for SFC & WFP, but does it also modify the list returned by sfcgetfiles()? Some things like replace-on-next-boot also use the sfcgetfiles() function and won't replace certain files under certain conditions if they are returned in this list.

Is SfcFileException() a magic bullet that actually modifies the list returned by sfcgetfiles()? I'm just curious. Again, excellent work finding something that fixes your problem! :) :) :)

#12
ponghy

    MSFN Student

  • Member
  • 175 posts
  • Joined 21-April 05
Hi ElTorqiro:

I've carefully read your post here. Indeed, a very good research work :yes: . I'm very surprised with your discovery, put the '\\' character at the beginning of any path in SFCFILES.DLL :thumbup But, are you completely sure this will not have adverse effects? I'm unsure if modifying system files is a good idea, although SFCFILES.DLL is not signed.

Let me explain the SfcFileException() trick:

According to Collake's research (http://www.bitsum.com/aboutwfp.asp), this API function generates an exception in the watcher thread of SFC, so no files will be modified in the system, but SFC is instructed to unprotect the file.

It works very well. You can run SFC /SCANNOW and the file will not appear! :) But, it's not perfect, and it has a little fault. Suppose the following scenario:

1) You upgrade your Windows version with another version which reinstalls the previously unprotected file.
2) You use my tool to delete again the unprotected file. And yes, the file will disappear from the system32 subdirectory (no attempts are made to restore it. This is good).
3) But if you run again the SFC /SCANNOW command, the file will appear ONLY at the dllcache subdirectory!! :( Note the file will NOT appear under the system32 subdirectory (thus, the file will not be "present" for the system, i.e., it will not be usable).

I think it's necessary to add your trick to my tool, in order to permanently delete the file across Windows reinstalls.

If you want, I can send you via PM the source code of my tool. It's written in pure C++ (not C# or .NET), compiled with VC++ 6.0.

Thanks for your interest too :hello:

PS: I think Windows updates use the SfcFileException() method in order to delete unnecessary/unsupported files, because they have the SAME fault as described in the above scenario...
PS2: Do you think it is possible to install a patched SFCFILES.DLL file directly from installation source (i.e., replace the original file in the I386 installation source with the patched and modifype'd version)?

Edited by ponghy, 26 June 2007 - 03:00 AM.


#13
Asymmetry

    Newbie

  • Member
  • 30 posts
  • Joined 19-May 07
Hello there!

I have (maybe) a similar problem & I need your help!

When I installed my unattended Windows XP I realized that I could no longer install some visual styles because of Windows File Protection. Now, I'm desperate because I can't install my favourite Flyakite (MacOSX) theme ...

I found out that the problem is related to uxtheme.dll (or something like that). I tried some patch that I found on the Net, but nothing helped.

What could I do?

Please help me!
What good are numbers anyway
They put perspective on the game
But we're playing off the board
Oh the rules do not apply

#14
ponghy

    MSFN Student

  • Member
  • 175 posts
  • Joined 21-April 05
@Asymmetry: This is not a WFP issue, but a non-signed desktop theme issue.

You need to patch the UXTHEME.DLL file. Read carefully the following page of the Unattended Guide:
http://unattended.ms...xp/view/web/67/

Good luck :)



