About Virtualization, VDI, SBC, Application Compatibility and anything else I feel like
On Windows 2000, XP and Server 2003, a mechanism called Windows File Protection (WFP) is used to protect system integrity.
How does WFP Work?
Inside SFCFILES.DLL a list of files is kept that are monitored for changes. When a monitored file gets deleted, modified or overwritten, WFP will restore the original from one of the following locations:
But what if we need to replace such a file? You could write a batch file that copies the modified file to the cache folder, the installation path and the destination, and this may work if it is quick enough.
A more reliable method is to use an undocumented export from sfc_os.dll called SfcFileException (exported by ordinal only, #5).
Its signature is: DWORD WINAPI SfcFileException(RPC_BINDING_HANDLE hServer, LPCWSTR lpSrc, DWORD dwUnknown)
This function makes an RPC call to Winlogon, and possibly we can even call it remotely. If we pass NULL for the server handle, a local RPC connection is set up:
DWORD __stdcall SfcFileException(RPC_BINDING_HANDLE hServer, LPCWSTR lpSrc, int Unknown)
{
  RPC_BINDING_HANDLE hServerVar; // eax@2
  int nts;                       // eax@6
  __int32 dwResult;              // eax@7
  DWORD dwResultVar;             // esi@9
  int v8;                        // [sp+8h] [bp-8h]@1  (Length/MaximumLength of the redirected path string)
  int v9;                        // [sp+Ch] [bp-4h]@1  (Buffer of the redirected path string)

  // Zero the local string structure that SfcRedirectPath fills in
  LOWORD(v8) = 0;
  *(int *)((char *)&v8 + 2) = 0;
  HIWORD(v9) = 0;
  if ( !hServer )
  {
    // No handle given: reuse the cached binding or connect to the local SFC server
    hServerVar = _pRpcHandle;
    if ( !_pRpcHandle )
    {
      hServerVar = SfcConnectToServer(0);
      _pRpcHandle = hServerVar;
      if ( !hServerVar )
        return 0x6BA; // RPC_S_SERVER_UNAVAILABLE
    }
    hServer = hServerVar;
  }
  // Translate the caller's path to the form the server expects
  nts = SfcRedirectPath(lpSrc, (int)&v8);
  if ( nts >= 0 )
    dwResult = SfcCli_FileException((int)hServer, v9, Unknown).Simple; // the actual RPC call to Winlogon
  else
    dwResult = RtlNtStatusToDosError(nts);
  dwResultVar = dwResult;
  MemFree(v9);
  return dwResultVar;
}
After calling SfcFileException, the given file is not monitored for a minute. After this minute it is monitored again, but only for new changes: the modified file that was placed within that minute will not be restored.
Calling this API is very easy, so I wrote a command-line tool that calls SfcFileException.
The tool takes one parameter, the filename:
When the call is successful you have one minute to update the given file. After this minute WFP starts monitoring the file again.
WfpReplace.zip
One Response for "Replacing WFP Protected files"
[…] on Windows XP please note that the file is protected by Windows File Protection. You can use my WfpReplace tool to easily overwrite it! […]