Friday, February 09 2007 @ 01:33 PM CET Contributed by: Devoney Views: 21003
Level : newbie
You all probably know about Windows File Protection (WFP)? No? Let me explain. The files in the system32 (or system) directory are critical to Windows, so Windows has its own file protection mechanism, whose command-line front end is sfc.exe (Start -> Run -> cmd.exe -> sfc.exe, and you see its parameters). The protection is active the whole time Windows is running: it checks whether protected files are still the original ones, and any file that is not original gets replaced by the original copy (kept in the dllcache directory).
SFC checks the file times (creation and last modification time) and the file size to decide whether a file is original; it does not compare the actual (patched) bytes. One caveat before relying on that description: Microsoft documents WFP as verifying a protected file's digital signature against the catalog files in CatRoot, so check the behaviour on the exact Windows version you are targeting. Everything below applies to Windows 2000, XP and Server 2003; from Vista onwards WFP was replaced by Windows Resource Protection, which protects files with TrustedInstaller ACLs and whose sfc.exe no longer has the /CACHESIZE and /PURGECACHE parameters. I will describe two ways to get around this problem so you can replace the files with your patched ones.
Figure 1. The command-line parameters of sfc.exe
The first way is to defeat the purpose of SFC by setting its cache size to 0 (sfc /CACHESIZE=0) and then emptying the cache (sfc /PURGECACHE), so it no longer holds any known-good copies and cannot copy a good file over a bad one when it runs into a modified file in the system directories. After a reboot you can copy modified files into the system directories, replacing the originals. For example, you have patched taskmgr.exe so that it quits right away, and you copy it over the one in the system directory; CTRL+ALT+DEL will then no longer bring up Task Manager.
The second way, without disabling SFC, is to code a little program. I have made a very simple application; it is all API wrapping (see the download below). The app reads the file times of the file to be replaced, replaces the original file with the one you specify, and then sets the file times of the copied file back to the original's file times obtained earlier.
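Both methods as a PowerShell script, added here as an illustration; this is not the author's downloadable tool and does not reproduce its code. It assumes Windows XP/2003 (where sfc.exe still accepts /CACHESIZE and /PURGECACHE), an Administrator shell, and the function names and example paths are invented for this example. The size check at the end of the copy helper follows the constraint noted under Advantages & Disadvantages: a replacement whose size differs from the original gets restored by SFC anyway.

```powershell
# Added example, not the original post's tool. Assumes Windows XP / Server 2003
# and an Administrator shell; function names and paths are illustrative.

# Method 1: shrink the dllcache to nothing and purge it, so WFP has no
# known-good copy left to restore. Reboot before copying patched files.
function Disable-WfpCache {
    & "$env:SystemRoot\System32\sfc.exe" /cachesize=0
    & "$env:SystemRoot\System32\sfc.exe" /purgecache
    # /cachesize is persisted as the SFCQuota value under Winlogon; read it
    # back so you can confirm the change took effect before rebooting.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $quota = (Get-ItemProperty -Path $winlogon -Name SFCQuota -ErrorAction SilentlyContinue).SFCQuota
    Write-Host "SFCQuota is now $quota; reboot, then copy the patched files."
}

# Method 2: replace a protected file while keeping the original's file times
# (creation, last write, last access), as the post's tool does.
function Copy-PreservingTimestamps {
    param(
        [Parameter(Mandatory=$true)] [string] $PatchedFile,
        [Parameter(Mandatory=$true)] [string] $TargetFile
    )
    $orig = Get-Item -LiteralPath $TargetFile
    $new  = Get-Item -LiteralPath $PatchedFile

    # Sizes must match exactly, otherwise SFC restores the original anyway.
    if ($orig.Length -ne $new.Length) {
        throw "Size mismatch: original is $($orig.Length) bytes, patched is $($new.Length) bytes."
    }

    # Capture the original's times before touching it.
    $creation = $orig.CreationTimeUtc
    $written  = $orig.LastWriteTimeUtc
    $accessed = $orig.LastAccessTimeUtc

    # Keep a backup so the change can be reverted by hand.
    Copy-Item -LiteralPath $TargetFile -Destination "$TargetFile.bak" -Force
    Copy-Item -LiteralPath $PatchedFile -Destination $TargetFile -Force

    # Re-apply the captured times to the freshly copied file.
    $replaced = Get-Item -LiteralPath $TargetFile
    $replaced.CreationTimeUtc   = $creation
    $replaced.LastWriteTimeUtc  = $written
    $replaced.LastAccessTimeUtc = $accessed

    # Return the result so the caller can verify size and times side by side.
    Get-Item -LiteralPath $TargetFile | Select-Object Name, Length, CreationTimeUtc, LastWriteTimeUtc
}

# Usage (paths are assumptions for illustration):
# Disable-WfpCache
# Copy-PreservingTimestamps -PatchedFile 'C:\work\taskmgr_patched.exe' `
#                           -TargetFile "$env:SystemRoot\System32\taskmgr.exe"
```

Compare the output of Copy-PreservingTimestamps with a `Get-Item` on the original before you run it; if the creation and last-write times differ afterwards, the file system you copied from did not preserve them and you should set them explicitly as the function does rather than relying on Copy-Item.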
Advantages & Disadvantages:
If you want to play around with your own system, you have an internet connection, and you use the current Windows installation for things other than messing around with Windows, it is dangerous to disable SFC completely, because malicious programs can then replace the system files just as easily as you can. On remote computers this may not matter.
Another thing to consider is that the file size of the non-original file must be exactly the same as the original's, or it gets replaced by the original again if you leave SFC on.