Re: Windows 2000 WFP



Thanks, Dave.
It sounds like WFP simply consults the dllcache and servicepackfiles
directories. Thinking that to be rather non-robust, I decided on an
experiment -- dropping a replacement file into dllcache. But first I just
wanted to verify that things were working properly: I made a copy of
notepad.exe on my desktop and renamed it to calc.exe. Then I copied and
pasted the "bogus" calc.exe into c:\winnt\system32.

1. It stayed there, and clicking on it brought up notepad.
2. It copied the bogus calc.exe into dllcache!

I noted that if I DELETE the file from system32, it will pull it from
dllcache, but not if I replace it. Assuming malware or a misguided install
tries to replace a system file, I find this behavior analogous to the
following:

1. WFP does not restore modified system file = watchdog is sound asleep.

2. WFP(?) copies modified file into dllcache = watchdog comes running to
the thief with your wallet in its mouth.

What am I missing? Do you have to run SFC to get WFP to act?
--
Jim
"Be right back... Godot"

"Dave Patrick" <DSPatrick@xxxxxxxxxxxxxxxx> wrote in message
news:OmMJjmtoFHA.2976@xxxxxxxxxxxxxxxxxxxxxxx
> When updates are installed the \servicepackfiles and \dllcache folders are
> updated with the new versions. SFC pulls from these.
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_checker.mspx
>
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/system_file_protection.mspx
>
>
> --
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "Jim Nugent" wrote:
> | In all my W2k research, I have never come across what it is (catalog?
> | database?) that WFP consults to determine if a system file is the "correct
> | one." Obviously, msi files have to update this information since they are
> | allowed to replace these files.
> |
> | But how can I repair it if something goes wrong? For example, if I were to
> | do an sfc /scannow right now, I believe it would "break" some hot fixes by
> | undoing some file replacements. I'd like to tell it what I believe to be the
> | correct files. How do I do that?
> | --
> | Jim
> | "Be right back... Godot"
> |
> |
>
>
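An added example, not part of the thread and not Microsoft's or Jim's code: the observation above is that a *replaced* system file stays in system32 and WFP then mirrors the replacement into dllcache, so dllcache stops being an independent reference. The script below shows the check a defender would want instead: a baseline of SHA-256 hashes recorded while the system is pristine, compared against both the live directory and its dllcache copy. It distinguishes a file that SFC could still restore (dllcache copy still good) from one where both copies agree with each other but not with the baseline. The directory layout, file names and file contents are all constructed in a temporary folder for this example; the names "system32" and "dllcache" and the status labels are this example's own, not WFP's.

```python
"""Added example (not from the newsgroup thread): audit a protected
directory and its dllcache copy against an independently stored baseline
of SHA-256 hashes.  All paths and sample files below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(directory: Path) -> dict:
    """Map each regular file's name in `directory` to its SHA-256 hex digest."""
    return {p.name: sha256_of(p) for p in sorted(directory.iterdir()) if p.is_file()}


def audit(baseline: dict, system_dir: Path, cache_dir: Path) -> dict:
    """Classify every file named in the baseline (labels are this example's own).

    'ok'             live file matches the baseline
    'missing'        live file is gone (the case WFP does restore from dllcache)
    'live-modified'  live file differs but dllcache still holds the baseline copy
    'cache-poisoned' live file and dllcache copy agree with each other but not
                     with the baseline, so nothing restorable is left on disk
    """
    live = snapshot(system_dir)
    cache = snapshot(cache_dir)
    report = {}
    for name, good in baseline.items():
        if name not in live:
            report[name] = "missing"
        elif live[name] == good:
            report[name] = "ok"
        elif cache.get(name) == good:
            report[name] = "live-modified"
        else:
            report[name] = "cache-poisoned"
    return report


def build_sample() -> tuple:
    """Construct a throwaway system32/dllcache pair that mimics the experiment
    in the post: notepad.exe's bytes copied over calc.exe in system32, and the
    bogus calc.exe then turning up in dllcache as well."""
    root = Path(tempfile.mkdtemp(prefix="wfp-demo-"))
    system32 = root / "system32"
    dllcache = system32 / "dllcache"
    dllcache.mkdir(parents=True)
    originals = {  # constructed placeholder contents, not real binaries
        "notepad.exe": b"NOTEPAD-ORIGINAL-BYTES",
        "calc.exe": b"CALC-ORIGINAL-BYTES",
        "kernel32.dll": b"KERNEL32-ORIGINAL-BYTES",
    }
    for name, data in originals.items():
        (system32 / name).write_bytes(data)
        (dllcache / name).write_bytes(data)
    baseline = snapshot(system32)  # recorded while everything is pristine

    # Replacement rather than deletion: the live file stays, and the
    # replacement is mirrored into dllcache, exactly what the post observed.
    (system32 / "calc.exe").write_bytes(originals["notepad.exe"])
    (dllcache / "calc.exe").write_bytes(originals["notepad.exe"])
    # A modified file whose dllcache copy is still good, so SFC could restore it.
    (system32 / "kernel32.dll").write_bytes(b"KERNEL32-PATCHED-BYTES")
    return baseline, system32, dllcache


def run_demo() -> dict:
    baseline, system32, dllcache = build_sample()
    return audit(baseline, system32, dllcache)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:14s} {status}")
```

Running it reports calc.exe as cache-poisoned, kernel32.dll as live-modified and notepad.exe as ok. The design point is that the baseline must live somewhere the installer and the replacing process cannot write to (read-only media, a remote store), because a reference that the system itself updates on replacement, as dllcache does here, can only answer "is the live file the same as the cached one", never "is it the one that was there at install time".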

