System file protection

Hi everyone,

I replaced an existing driver in WinXP with a new one
in winnt/system32/drivers and rebooted my machine;
then I saw the old version of my driver again in
winnt/system32/drivers.

According to the windows.programmer.nt.kernel-mode
newsgroup, this problem has to do with System File
Protection. However, I could not solve my problem from
the information in that newsgroup.

I did the following to disable SFC:

- I set HKLM/SOFTWARE/Microsoft/Windows
NT/CurrentVersion/Winlogon/SfcDisable
to 1 and rebooted my machine. This does NOT work.

- I set HKLM/SOFTWARE/Microsoft/Windows
NT/CurrentVersion/Winlogon/SfcDisable
to 2 and rebooted my machine. This does NOT work.

- I renamed C:\WINNT\Driver Cache\i386\driver.cab to
C:\WINNT\Driver Cache\i386\driver.bak
and rebooted my machine. This does not work.

I only have this problem with WinXP. I do not
experience this problem with Win2k.
Would anyone help?
Thanks,
P. Ho


Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
http://search.yahoo.com

Peter,

Setting the SfcDisable to 1 normally works for me. But I do see the problem
you’ve mentioned on some XP boxes.

Personally, I would prefer using kdfiles on the debug host to bypass the SFC
in a WXP or WNET system. Also, you get the bonus that the symbol and binary
are automatically synced and the debugger is able to locate the symbol
and source info automatically.

For usage of kdfiles, please see WinDbg doc.

cheers,
Calvin

----- Original Message -----
From: “Peter Ho”
To: “NT Developers Interest List”
Sent: Saturday, April 19, 2003 10:31 AM
Subject: [ntdev] System file protection


I’ve solved this problem by collecting a complete new set of installation files:

  • the original *.inf
  • possibly additional original DLL(s)
  • your new driver!

Then do an “update” of the existing driver with your version. Be sure your XP system is
configured to accept non-signed drivers. Once your version is installed, you will be able
to replace your own version in the \Drivers directory and let it run after a reboot.

----- Original Message -----
From: “Peter Ho”
To: “NT Developers Interest List”
Sent: Saturday, April 19, 2003 4:31 PM
Subject: [ntdev] System file protection


Do the following steps in this order exactly:

  1. If you installed XP from a CD-ROM, remove the XP CD from the CD-ROM
    drive. If you installed XP from a folder on your hard drive, rename the
    folder. Also, do the same for the XP SP1 upgrade.
  2. Delete the contents of “C:\WINDOWS\Driver Cache”.
  3. I recall that SP1 also places some backup files in a directory under
    Windows called “Service Pack 1 Files” or something similar. Empty this
    folder also.
  4. Delete the contents of “C:\WINDOWS\SYSTEM32\dllcache”.
  5. Now when you overwrite the target driver, instead of silently
    replacing the file Windows should complain it can’t find anything to
    replace it with. :)

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Ho
Sent: Saturday, April 19, 2003 7:31 AM
To: NT Developers Interest List
Subject: [ntdev] System file protection


Yes, this works. But be aware that you create inconsistencies within the setup & repair complex.
One should avoid this if other methods can be used. By the way, why delete the complete caches
to replace one particular file?

----- Original Message -----
From: “Nicholas Ryan”
To: “NT Developers Interest List”
Sent: Saturday, April 19, 2003 10:21 PM
Subject: [ntdev] RE: System file protection


Because it’s easier. Who cares what happens to my test machine? :)

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
Christiaan Ghijselinck
Sent: Saturday, April 19, 2003 3:27 PM
To: NT Developers Interest List
Subject: [ntdev] RE: System file protection


Thanks everyone,
Nicholas's solution seems to be the easiest. I use WinXP
without SP1.
I deleted “C:\WINDOWS\Driver Cache”. I do not have
the “C:\WINDOWS\SYSTEM32\dllcache” directory.
But WinXP still copies the old version of my driver to
my “winnt/system32/drivers” directory.

Now my question is:
if “C:\WINDOWS\Driver Cache” has been deleted, where
does WinXP get the old version of my driver to copy
to the “winnt/system32/drivers” directory?

Thanks


That’s very odd that you don’t have a dllcache directory. By default, that
directory has the system and hidden attributes. Are you sure you’ve
configured Explorer to display system and hidden files?

The next step is to install Filemon and try to determine where the
system is reading the file from.

- Nicholas Ryan

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Ho
Sent: Saturday, April 19, 2003 4:19 PM
To: NT Developers Interest List
Subject: [ntdev] RE: System file protection

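To make concrete what Nicholas's steps 2 to 5 change and why Peter keeps seeing the old driver come back, here is a small model of the protection scan. This is an added example, not code from the thread and not Windows' own implementation: it compares the live copy of each file against its cached copy by hash (a real scan checks catalog signatures, not a plain hash) and, like the scan Peter observed after each reboot, puts the cached copy back when they differ. The directory tree and driver names are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, or "" if it does not exist."""
    if not path.is_file():
        return ""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sfp_verdict(live: Path, cache: Path) -> str:
    """What a protection scan would do with one protected file.

    "intact"     live copy matches the cached copy, nothing to do
    "restore"    live copy differs (or is missing) and a cached copy exists:
                 the scan silently puts the cached copy back, which is what
                 Peter saw after every reboot
    "no-source"  no cached copy exists: the scan has nothing to restore from,
                 which is the state Nicholas's steps aim for
    """
    live_hash, cache_hash = sha256_of(live), sha256_of(cache)
    if not cache_hash:
        return "no-source"
    return "intact" if live_hash == cache_hash else "restore"


def scan(system_dir: Path, cache_dir: Path, restore: bool = False) -> dict:
    """Check every file seen in either directory; return {name: verdict}.
    With restore=True, files judged "restore" are overwritten from the cache."""
    names = {p.name for p in system_dir.iterdir()} | {p.name for p in cache_dir.iterdir()}
    results = {}
    for name in sorted(names):
        live, cached = system_dir / name, cache_dir / name
        verdict = sfp_verdict(live, cached)
        if verdict == "restore" and restore:
            shutil.copyfile(cached, live)
        results[name] = verdict
    return results


def demo() -> dict:
    """Constructed sample tree (hypothetical driver names, not from the thread):
    mydrv.sys was replaced while its cached copy still exists; other.sys was
    replaced after its cached copy had been deleted."""
    root = Path(tempfile.mkdtemp())
    try:
        system_dir, cache_dir = root / "drivers", root / "dllcache"
        system_dir.mkdir()
        cache_dir.mkdir()
        (cache_dir / "mydrv.sys").write_bytes(b"OLD DRIVER v1")
        (system_dir / "mydrv.sys").write_bytes(b"NEW DRIVER v2")
        (system_dir / "other.sys").write_bytes(b"NEW OTHER v2")
        before = scan(system_dir, cache_dir)          # dry run: only report
        scan(system_dir, cache_dir, restore=True)     # what the reboot scan does
        after = scan(system_dir, cache_dir)
        return {"before": before, "after": after,
                "mydrv_now": (system_dir / "mydrv.sys").read_bytes()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script it prints the verdicts before and after the simulated scan: the driver with a cached copy is reported "restore" and ends up back at the old bytes, the one without a cached copy is reported "no-source" and is left alone, which is the "can't find anything to replace it with" outcome from step 5. Used as a dry run against two real directories, the same `scan` call is a quick integrity report of which protected files currently differ from their cached copies.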

Thanks everyone,
I forgot to configure Explorer to display hidden
files.
Thanks
P. Ho


If you set HKLM/SOFTWARE/Microsoft/Windows
NT/CurrentVersion/Winlogon/SfcDisable = 0xffffff9d it will shut off SFP.
This may only work if a kernel mode debugger is hooked up, (I don’t have a
machine I can test this on at the moment). At any rate I have used this on
XP for years.


Bill McKenzie
Compuware Corporation
http://www.compuware.com/products/driverstudio/


Actually, as of W2K SP3 setting SfcDisable to 0xffffff9d doesn’t work
anymore (not sure about XP).

I’ve been sort of following this thread and all the complicated means to get
around SFC and wondering why you don’t just use the documented method: set
SfcDisable to 1 and reboot with the kernel debugger attached…

Alternatively, assuming you have a .inf file for your driver, use the device
manager to update the driver to the new unsigned one; once you do that you
won’t be bothered by SFC anymore…

/simgr

-----Original Message-----
From: Bill McKenzie [mailto:xxxxx@driver.attbbs.com]
Sent: Sunday, April 20, 2003 12:58 AM
To: NT Developers Interest List


I don’t believe you could set SFCDisable to 0xffffff9d
on XP. On XP, SFCDisable can only take 0xffffff.

P. Ho

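The SfcDisable value that Bill, Simon and Peter argue about is also the value an auditor reads to confirm protection is still on, so here is the check from that side. This is an added example, not code from the thread: it parses the text format that regedit and `reg export` write (the sample export below is constructed; the value names are real, the data is made up) and classifies SfcDisable using only what the thread reports about each value (0 is the default, 1 is the documented disable that needs a kernel debugger at boot, 0xffffff9d is the undocumented value Bill uses and Simon reports dead as of W2K SP3).

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of an exported Winlogon key in regedit / reg export format.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"SfcDisable"=dword:ffffff9d
"SFCScan"=dword:00000000
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: value}}.
    dword data becomes an int, quoted strings lose their quotes, anything
    else (hex:, expand strings, ...) is kept as the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group("name"), m.group("data")
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = data[1:-1]
            else:
                keys[current][name] = data
    return keys


def audit_sfc_disable(keys: dict) -> dict:
    """Classify the SfcDisable value. Key and value names are matched
    case-insensitively, as the registry does, because the thread spells the
    value both SfcDisable and SFCDisable."""
    by_key = {k.lower(): v for k, v in keys.items()}
    winlogon = by_key.get(WINLOGON_KEY.lower(), {})
    value = next((v for n, v in winlogon.items() if n.lower() == "sfcdisable"), None)
    if value is None or value == 0:
        status, note = "enabled", "absent or 0: protection left at its default"
    elif value in (1, 2):
        status, note = "disabled", ("disable value from the thread; 1 is the documented "
                                    "one and takes effect with a kernel debugger attached at boot")
    elif value == 0xFFFFFF9D:
        status, note = "disabled-undocumented", ("undocumented value from the thread; "
                                                 "reported ineffective as of W2K SP3")
    else:
        status, note = "unexpected", "not a value the thread describes; investigate"
    return {"value": value, "status": status, "note": note}


def audit_export_text(text: str) -> dict:
    """Convenience wrapper: parse an export and audit it in one call."""
    return audit_sfc_disable(parse_reg_export(text))


if __name__ == "__main__":
    print(audit_export_text(SAMPLE_EXPORT))
```

On a real machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` and read the file with `encoding="utf-16"` before passing it in, since regedit writes exports as UTF-16 with a byte-order mark. Anything other than "enabled" on a production box deserves a look, whichever value was used to get there.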

Hello,

Or maybe you could try the following code snippet, taken from
W32/Serot by Benny/29A, which I am trying to reverse.

#include <windows.h>
#include <stdio.h>

/* Undocumented sfc_os.dll export (ordinal 5, SfcFileException). It is a
   Win32 (stdcall) entry point, so the pointer type needs WINAPI. */
typedef DWORD (WINAPI *SFPEXC)(DWORD, wchar_t *, DWORD);

int wmain(int argc, wchar_t **argv)
{
    HMODULE sfc_os;
    SFPEXC sfp_exc;

    if (argc != 2) {
        fwprintf(stderr, L"usage: %s <file>\n", argv[0]);
        return 1;
    }

    /* The original wrapped these calls in assert(); with NDEBUG defined the
       calls would vanish, so they are plain statements here. */
    sfc_os = LoadLibraryA("sfc_os.dll");
    if (sfc_os == NULL) { fputws(L"LoadLibrary(sfc_os.dll) failed\n", stderr); return 1; }

    sfp_exc = (SFPEXC) GetProcAddress(sfc_os, (LPCSTR) 5);   /* import by ordinal */
    if (sfp_exc == NULL) { fputws(L"ordinal 5 not exported\n", stderr); return 1; }

    if (sfp_exc(0, argv[1], (DWORD) -1) != 0) {
        fwprintf(stderr, L"SfcFileException failed for %s\n", argv[1]);
        return 1;
    }
    wprintf(L"File %s should now be unprotected for 1 minute\n", argv[1]);
    return 0;
}

compile: cl sfp_exc.c
usage: eg sfp_exc.exe %systemroot%\system32\ntoskrnl.exe

It uses an undocumented export from sfc_os.dll named SfcFileException.
According to my tests it creates a one-minute hole in SFP. It works on
my XP box (no SP), so hopefully it will work on the SPs too, unless the
export has changed or has even been removed. Test it if you like and let us
know, please.


Best regards,
Ivona Prenosilova

Really? You have a 3 byte registry value type? What is the name of that
type? I haven’t heard of it.

I have SFCDisable set to 0xffffff9d on my XP box right here; don’t know why
mine is different than yours. I am replacing NTFS.sys, which I am guessing
is a protected system file, and I am not having any problems replacing it.
Can’t speak to Windows 2003; haven’t tried it.

I don’t know why MS couldn’t provide some sane way to shut this crap off,
kernel debugger or no kernel debugger. I guess they were afraid of some
malicious or stupid app/service switching it off and leaving it off? I
could create a malicious and stupid app to rip the cab files just as well,
so maybe not. At any rate, I wish a mechanism could be provided, I really
don’t need SFP on my target.


Bill McKenzie
Compuware Corporation
http://www.compuware.com/products/driverstudio

“Peter Ho” wrote in message news:xxxxx@ntdev…
>
> I don’t believe you could set SFCDisable to 0xffffff9d
> on XP. On XP, SFCDisable can only take 0xffffff.
>
> P. Ho
>
> — “Graham, Simon” wrote:
> > Actually, as of W2K SP3 setting SfcDisable to
> > 0xffffff9d doesn’t work
> > anymore (not sure about XP).
> >
> > I’ve been sort of following this thread and all the
> > complicated means to get
> > around SFC and wondering why you don’t just use the
> > documented method; set
> > SfcDisable to 1 and reboot with the kernel debugger
> > attached…
> >
> > Alternatively, assuming you have a .inf file for
> > your driver, use the device
> > manager to update the driver to the new unsigned
> > one; once you do that you
> > won’t be bothered by SFC anymore…
> >
> > /simgr
> >
> > -----Original Message-----
> > From: Bill McKenzie
> > [mailto:xxxxx@driver.attbbs.com]
> > Sent: Sunday, April 20, 2003 12:58 AM
> > To: NT Developers Interest List
> >
> > If you set HKLM/SOFTWARE/Microsoft/Windows
> > NT/CurrentVersion/Winlogon/SfcDisable = 0xffffff9d
> > it will shut off SFP.
> > This may only work if a kernel mode debugger is
> > hooked up, (I don’t have a
> > machine I can test this on at the moment). At any
> > rate I have used this on
> > XP for years.
> >
> > –
> > Bill McKenzie
> > Compuware Corporation
> > http://www.compuware.com/products/driverstudio/

Sorry, my mistake. Multi-taskings!!!
I should have entered “ffffff9d” instead of
“0xffffff9d”

P. Ho

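
A read-only audit of the setting argued over in Bill’s and Peter’s messages above, added here as an example and not code from the thread: it reads the Winlogon SfcDisable value on a Windows 2000/XP host and reports whether Windows File Protection is still in its default state, so an administrator can spot a box where it has been switched off. It assumes PowerShell is available on the host; the meanings of 1, 2 and ffffff9d are taken from this thread (the documented values only take effect with a kernel debugger attached), and 0 is the shipping default. The script never writes to the registry.

```powershell
# Added audit example (not from the thread). Read-only: reports the state of
# Windows File Protection from the Winlogon SfcDisable value.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Known values, keyed by their 8-digit hex form. Meanings for 1, 2 and
# ffffff9d come from the thread; 0 is the shipping default (assumed here).
$KnownStates = @{
    '00000000' = 'enabled (default)'
    '00000001' = 'disabled; documented value, effective only with a kernel debugger attached'
    '00000002' = 'disabled for the next boot only; documented value, kernel debugger required'
    'ffffff9d' = 'disabled via the undocumented value discussed in this thread'
}

function Get-SfcDisableState {
    param([string] $Path = $KeyPath)

    $item = Get-ItemProperty -Path $Path -Name 'SfcDisable' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # No value present is the default installation state: WFP enabled.
        return [pscustomobject]@{
            Hex      = 'absent'
            State    = 'enabled (value absent, shipping default)'
            Disabled = $false
        }
    }

    # REG_DWORD surfaces as a signed Int32, so ffffff9d reads as -99;
    # mask to 32 bits before formatting so the hex form matches regedit.
    $hex = '{0:x8}' -f [uint32]($item.SfcDisable -band 0xFFFFFFFF)
    $state = if ($KnownStates.ContainsKey($hex)) {
        $KnownStates[$hex]
    } else {
        'unrecognised value; review manually'
    }

    [pscustomobject]@{
        Hex      = $hex
        State    = $state
        Disabled = ($hex -ne '00000000')
    }
}

$result = Get-SfcDisableState
$result | Format-List
if ($result.Disabled) {
    Write-Warning "Windows File Protection is not in its default state (SfcDisable = 0x$($result.Hex)); protected system binaries on this host can be replaced without being restored."
}
```

Run it from an elevated prompt on each host you want to check; a value of 0 or an absent value is the expected result on a production machine, and anything else is worth a ticket, whichever of the three mechanisms in this thread put it there.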

> ----------
> From: xxxxx@compuware.com [SMTP:xxxxx@compuware.com]
> Reply To: xxxxx@lists.osr.com
> Sent: Monday, April 21, 2003 10:54 PM
> To: xxxxx@lists.osr.com
> Subject: [ntdev] Re: System file protection
>
> I don’t know why MS couldn’t provide some sane way to shut this crap off,
> kernel debugger or no kernel debugger. I guess they were afraid of some
> malicious or stupid app/service switching it off and leaving it off? I
> could create a malicious and stupid app to rip the cab files just as well,
> so maybe not. At any rate, I wish a mechanism could be provided, I really
> don’t need SFP on my target.

I completely agree. There should be an easy and documented way to turn
it off. MS should understand not everybody uses their debugger. No problem
if admin rights are necessary. No problem if the system reports it at the
logon screen to alert users. As for malicious apps, there is always a way.
There is no security through obscurity. Years ago I wrote a utility which
kills the SFC watcher thread because I didn’t know about the undocumented
registry setting. Just tried it on XP and it still works (don’t ask, I won’t
give it away).

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]

Hello,

Monday, April 21, 2003, 11:15:38 PM, you wrote:

MV> I completely agree. There should be an easy and documented way how to turn
MV> it off. MS should understand not everybody uses their debugger. No problem
MV> if admin rights are necessary. No problem if system reports it at logon
MV> screen to alert users. As for malicious apps, there is always a way. There
MV> is no security through obscurity. Years before I wrote a utility which kills
MV> SFC watcher thread because didn’t know about uncodumented registry setting.
MV> Just tried it at XP and still works (don’t ask, I won’t give it away).

If Michal doesn’t want to, I will :)
http://29a.host.sk/29a-6/29a-6.201 This is W2K only, but minor changes
should be made for WXP (mainly sfc.dll -> sfc_os.dll and maybe
different bytes), but the idea is the same. It could be easily ported
to C. It does what Michal said - kills the SFC watcher thread.
(btw, found it some months ago after a lil of googling :))


Best regards,
Ivona Prenosilova

ivona prenosilova wrote:

> If Michal doesn’t want to, I will :)

It’s irresponsible of you to post a link to a program like this in a
public forum. Offer to e-mail the program to someone whose bona fides
you can check if you wish, but realize that evil people will now be able
to search google essentially forever and find another way to get past
the security of the world’s most prolific operating system.

I’ve said this over and over again: our job as responsible adults is to
prevent attacks on critical infrastructure, not to make them easier.
There may someday be actual blood on your hands because of your casual
attitude to this problem.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Now teaming with John Hyde for USB Device Engineering Seminars
Check out our schedule at http://www.oneysoft.com

Security through obscurity has never worked. Perhaps a better thing would
be for Microsoft to not allow anyone to access that from user mode without
the correct security (i.e. administrators only)?

-Jeff


“Curless, Jeffrey” wrote:

> Security through obscurity has never worked. Perhaps a better thing would
> be for Microsoft to not allow anyone to access that from user mode without
> the correct security (i.e. administrators only)?

Actually, that’s probably already the case. Additionally, I forgot for a
moment that this forum requires password access and is *probably* not
archived on Google. So the damage may not be so severe as I was
worried it might be.

I agree that obscurity is not a sufficient way to provide security.
However, I would at least like to see Al Qaeda have to work harder than
just typing “hack” in Google to find all possible back doors into the
system. After all, if all of the people who are smart enough to get past
the obscurity are responsible enough not to, we don’t have an actual
problem, do we?


Walter Oney
Even paranoids have enemies