How To Disable Windows File Protection (WFP)

Let's first understand how WFP works. The related files are sfc_os.dll (sfc.dll in Windows 2000 and sfc.dll in XP, both of which call into sfc_os.dll) and winlogon.exe.
The winlogon process calls a function exported by the sfc DLL to protect the files. That function uses FindFirstChangeNotification, in user mode, to monitor each directory to be protected, and then waits for a change event with WaitForSingleObject. If you inspect this process with a handle viewer, you will find a handle for each protected directory. Here is what Process Explorer shows:
Event  \BaseNamedObjects\WFP_IDLE_TRIGGER
File   D:\Windows\system32\dllcache
File   D:\Windows\system32
......
WFP's monitoring of the system directories can therefore be stopped by calling FindCloseChangeNotification or CloseHandle on those handles (the two are actually the same).
The procedure is as follows:
1. Run the program as Administrator and enable the SeDebugPrivilege privilege for the process.
2. Find the process ID of winlogon.
3. Open the winlogon process with PROCESS_DUP_HANDLE access (needed to duplicate its handles later).
4. Use NtQuerySystemInformation to enumerate all handles open in the winlogon process.
5. Query the name of each handle's object with NtQueryObject. If the name is the directory we want to stop protecting, use DuplicateHandle with the DUPLICATE_CLOSE_SOURCE flag to copy the handle into our process, then call CloseHandle on the copy.
Detailed code reference: http://bbs.driverdevelop.com/htm_data/101/0705/101763.html
The SetSfcFileException function exported by sfc_os.dll can also be used to disable Windows File Protection. Normally this function allows the protected file named by its parameter to be modified or replaced within 60 seconds. In testing, no such time limit was observed on XP. Function prototype:
SetSfcFileException(DWORD param1, PWCHAR param2, DWORD param3);
param1: always set to 0
param2: the full path of the file to be modified
param3: always set to -1
Code example:
#include <windows.h>

typedef DWORD (__stdcall *CPP)(DWORD param1, PWCHAR param2, DWORD param3);

void disable_wfp()
{
    HINSTANCE hmod = LoadLibraryA("sfc_os.dll");
    if (hmod == NULL)
        return;                       // sfc_os.dll could not be loaded
    CPP SetSfcFileException;
    // The function is exported by ordinal (ordinal 5) from sfc_os.dll
    SetSfcFileException = (CPP)GetProcAddress(hmod, (LPCSTR)5);
    if (SetSfcFileException == NULL)
        return;                       // ordinal 5 not found
    SetSfcFileException(0, L"C:\\windows\\system32\\calc.exe", -1);
    // Now we can modify the system file in complete stealth.
}
--------------------------------
The above method stops working after a restart.
Cryptographic Services
Reference (service description):
Provides three management services: the Catalog Database Service, which confirms the signatures of Windows files; the Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and the Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
After repeated tests, we found that the CS service, and with it several features of WFP, is automatically re-enabled after the first shutdown.
(CS is not automatically re-enabled by repeatedly starting and stopping it.)
So I think this is why envymask saw the pop-up box during testing.
There are two solutions:
1. Use the service-replacement approach proposed by luoluo to replace the CS service with another service, so the check function cannot be enabled even if CS is started again.
2. Modify the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\Enum\Root\LEGACY_CRYPTSVC\0000
0 means enabled
1 means disabled
To eliminate the CS service completely, set the value to 1.
WFP only calls the CS service to verify a system file at the moment that file is deleted or replaced.
Once a system file has been deleted or replaced while the CS service is stopped, the replacement is not reverted when CS and WFP are started again.
WFP monitoring is therefore dynamic: it reacts to changes as they happen rather than re-verifying files afterwards.
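Because WFP re-verifies nothing once a change has slipped past it (whether the change-notification handles were closed as in the first section, or the CS service was stopped as in this one), a defender on Windows 2000/XP needs an integrity check that does not rely on WFP's own event. The following is an added example, not code from the original article: it compares each protected file in system32 against the pristine copy WFP keeps in system32\dllcache (the directory visible in winlogon's handle list above) and reports files that differ or lack a reference copy. The directory paths and the list of protected names are assumed to be supplied by the caller; the demo builds a constructed system32/dllcache pair in a temp folder so it runs on any platform.

```python
"""Out-of-band integrity check for WFP-protected files (added example).

Assumptions: the caller supplies both directory paths and the list of
protected file names; build_demo() fabricates a sample directory pair.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large system binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_against_dllcache(system_dir, cache_dir, protected_names):
    """Return {name: status}, where status is one of
    'ok', 'mismatch', 'missing_in_cache', 'missing_in_system'."""
    system_dir, cache_dir = Path(system_dir), Path(cache_dir)
    results = {}
    for name in protected_names:
        live, pristine = system_dir / name, cache_dir / name
        if not live.is_file():
            results[name] = "missing_in_system"
        elif not pristine.is_file():
            # No reference copy: WFP could not have restored this file either.
            results[name] = "missing_in_cache"
        elif sha256_of(live) != sha256_of(pristine):
            # Live binary differs from the cached original: replaced while
            # WFP was not watching, or never restored.
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def suspicious(results):
    """Sorted names whose live copy differs from, or lacks, a reference copy."""
    return sorted(n for n, s in results.items() if s != "ok")


def build_demo():
    """Constructed sample: a fake system32/dllcache pair with one replaced
    file and one file that has no cache copy. Returns the comparison result."""
    root = Path(tempfile.mkdtemp(prefix="wfp_check_"))
    system32, dllcache = root / "system32", root / "dllcache"
    system32.mkdir()
    dllcache.mkdir()
    (system32 / "calc.exe").write_bytes(b"MZ original calc")
    (dllcache / "calc.exe").write_bytes(b"MZ original calc")
    (system32 / "notepad.exe").write_bytes(b"MZ replaced binary")   # swapped
    (dllcache / "notepad.exe").write_bytes(b"MZ original notepad")
    (system32 / "mspaint.exe").write_bytes(b"MZ original mspaint")  # no cache copy
    names = ["calc.exe", "notepad.exe", "mspaint.exe", "sfc_os.dll"]
    return compare_against_dllcache(system32, dllcache, names)


if __name__ == "__main__":
    res = build_demo()
    for name, status in res.items():
        print(f"{name:14s} {status}")
    print("needs review:", suspicious(res))
```

On a real XP host you would call compare_against_dllcache with the system32 and dllcache paths and a list of protected names (for example, the files whose names appear in the dllcache directory); a "mismatch" is the signature of a file swapped while protection was suppressed, and "missing_in_cache" means WFP had no copy to restore from even while it was running.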