Re: Replace in use files protected by WFP

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 11/17/05

• Next message: brandon.spamacct_at_gmail.com: "Re: Do not save RUN AS credentials"
• Previous message: Karl Levinson, mvp: "Re: Do not save RUN AS credentials"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 17 Nov 2005 11:39:56 -0500

When trying to defeat WFP, the first thing you have to do is replace the
copy of the file in the hidden %windir%\system32\dllcache\ folder. After
that, at least one the things you already tried should hopefully work, such
as mv.exe

"Ishmealm" <Ishmealm@discussions.microsoft.com> wrote in message
news:A45F494D-0CC6-489C-9EA5-010C4CCB9F86@microsoft.com...
> Hi,
> This isn't really a security question, but I think that the answer may
> come from how security patches are deployed.
>
> I need to replace a system file (C:\Winnt\System32\dbghelp.dll) that is
> protected by Windows File Protection on a Windows 2000 SP 4 server. While
> the OS is up, the file is locked. I've tried several different ways to do
> it, but the WFP seems to throw most of them off. I know that some patches
> and service packs replace in use files, so I know that there is a way to
do
> it. Here are some of the things I've tried:
>
> inuse.exe
>
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/inuse-o.asp
> inuse.exe C:\temp\dbghelp.dll c:\winnt\system32\dbghelp.dll /y
> c:\winnt\system32\dbghelp.dll is protected by WFP
>
> mv.exe
> mv.exe /x /d C:\temp\dbghelp.dll c:\winnt\system32\dbghelp.dll
> Seems to work, but on reboot, the old file is still there (I think because
> of WFP)
>
> Registry Change
> http://support.microsoft.com/?kbid=181345
> On reboot the old file is still there (I think because of WFP)
>
> Any help would be greatly appreciated!
> Thanks,
> Ishmeal

• Next message: brandon.spamacct_at_gmail.com: "Re: Do not save RUN AS credentials"
• Previous message: Karl Levinson, mvp: "Re: Do not save RUN AS credentials"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: [Full-Disclosure] Silencing Windows File Protection ... That's peculiar as I didn't need to reboot for either OS. ... >> the operation of WFP and has a variety of potential uses. ... >> dllcache directory serves as a backup directory for all critical files ... >> replaced from the copy in the dllcache directory. ... (Full-Disclosure) How to disable Window File protection system ... I need to implement a class that disbales Windows File Protection ... (WFP) ... untill next reboot and that shouldn't require Rebooting the ... (microsoft.public.vc.mfc) How to disable Windows FIle Protection System. ... I need to implement a class that disbales Windows File Protection ... (WFP) ... untill next reboot and that shouldn't require Rebooting the ... (microsoft.public.vc.language)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint