Introduction to Windows File Protection

Source: Internet
Author: User

D. eetl in Tianyang

I don't know whether the experts are simply too professional, but the file protection mechanism of Windows is very flawed in design. I/O monitoring is a very good method, and Microsoft has been using it all along. Look: people use this API to bypass one thing and then that API to bypass another, along with the registry, system services, and so on.
I studied this technology a long time ago. I have nothing to say about it today.

A few points first:
1. I/O monitoring is a very crude solution.
2. In terms of execution efficiency, memory operations are much more efficient than I/O operations.

OK, from the above two points we can derive the following logic:

An I/O operation takes 1 ms.
A memory operation takes 0.001 ms (I am just illustrating; these are not accurate numbers).

Having said this, you probably have some idea where this is going?

That's right: push frequent I/O operations onto the command stack. Windows File Protection will be triggered between the first and second operations and the corresponding system file will be restored, but after that (haha) I replaced the file when the system restored it. In other words, the replacement at that point is imperceptible. Windows File Protection is triggered at the beginning, but that means nothing at all, because if no terminal is in desktop mode at the time, the system will not prompt. The effect you wanted has still been achieved.
This method does no damage to the Windows File Protection mechanism itself, and it is not as technical as the approaches mentioned at the beginning.


In fact, this problem has been around for many years.

Why not give an example?

del %systemroot%\system32\append.exe
copy c:\aaa.exe %systemroot%\system32\append.exe
%systemroot%\system32\append.exe

Try it.
The replaced program becomes exclusively held by its process, which prevents replacement, so the program will not be replaced.
