On Windows 2000, XP and Server 2003, a mechanism called Windows File Protection (WFP) is used to protect system integrity.

How does WFP Work?
SFCFILES.DLL holds the list of files that are monitored for changes. When a monitored file is deleted, modified or overwritten, WFP restores the original from one of the following locations:

  • Cache Folder (%systemroot%\System32\DllCache)
  • Network Installation Path
  • Windows CD (or i386 folder on hard disk)

But what if we need to replace such a file? You could write a batch file that copies the modified file to the cache folder, installation path and destination. And this may work if it’s quick enough.

A more reliable method is to use an undocumented export from sfc_os.dll called SfcFileException (only exported by ordinal #5).

Its signature is: DWORD WINAPI SfcFileException(RPC_BINDING_HANDLE hServer, LPCWSTR lpSrc, DWORD dwUnknown)

This function makes an RPC call to Winlogon, and possibly we can even call this remotely. If we pass null for the server handle, a local RPC connection will be set up.

After calling SfcFileException, the given file is not monitored for one minute. After this minute it is monitored again, but only for new changes; the modified file that was placed within the minute will not be restored.

This makes the call to this API very easy, so I wrote a command-line tool that calls SfcFileException.

The tool takes one parameter, the filename.


When the call is successful, you have one minute to update the given file. After this minute WFP starts monitoring the file again.
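Because a file swapped during the exception window is never restored, it stays different from its restore source and can be found by an integrity audit. The following Python audit is an added example, not the author's tool: it hashes each file in the cache folder against its live copy and against an optional known-good baseline, which also covers the batch-file approach where the cache copy is overwritten too. The directory layout, file names and baseline built in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_protected_files(system_dir, cache_dir, baseline=None):
    """Return {lowercase file name: finding} for every cached file that is suspect."""
    # Windows file names are case-insensitive, so index live files by lowercase name.
    live = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings = {}
    for cached in sorted(Path(cache_dir).iterdir()):
        name = cached.name.lower()
        if not cached.is_file() or name not in live:
            continue  # live copy is in another directory; not covered by this pass
        cached_hash = sha256_of(cached)
        if sha256_of(live[name]) != cached_hash:
            findings[name] = "live copy differs from DllCache copy"
        elif baseline and baseline.get(name, cached_hash) != cached_hash:
            # Live and cached copies agree, so the restore source was replaced too.
            findings[name] = "live and cached copies both differ from baseline"
    return findings


def demo():
    """Run the audit over a constructed tree standing in for System32 and DllCache."""
    original = {"a.dll": b"original a", "b.dll": b"original b", "c.dll": b"original c"}
    baseline = {n: hashlib.sha256(d).hexdigest() for n, d in original.items()}
    with tempfile.TemporaryDirectory() as root:
        system_dir = Path(root, "System32")
        cache_dir = system_dir / "DllCache"
        cache_dir.mkdir(parents=True)
        for name, data in original.items():
            (system_dir / name).write_bytes(data)
            (cache_dir / name).write_bytes(data)
        (system_dir / "b.dll").write_bytes(b"modified b")  # live copy only
        for folder in (system_dir, cache_dir):  # live copy and restore source
            (folder / "c.dll").write_bytes(b"modified c")
        return audit_protected_files(system_dir, cache_dir, baseline)
```

The baseline hashes have to come from a trusted source such as the installation media, since the cache folder itself is writable by anyone able to replace the live file.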