A simple way to hack Windows File Protection (WFP) using the SetSfcFileException undocumented function

Introduction

There are many ways to disable WFP. Among them is setting the Registry value SFCDisable found at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to 2, patching sfc.dll.

But, there is another method which will be discussed in this article. This is using the SetSfcFileException Win32 API function.

SetSfcFileException function

This function is exported by sfc_os.dll. Normally, it makes Windows to allow modification of any protected file given in the parameter during a 60 second period. But I tested it under WinXP and I discovered that its effect is unlimited!

Of course, this function is used in a privileged session! Its main role is to disable the Windows warning dialog when a protected file is modified; this is stealthier than terminating/patching services or changing Registry values.

The prototype of the SetSfcFileException function is:

SetSfcFileException(DWORD param1 , PWCHAR param2 , DWORD param3);

• param1: Always set to 0
• param2: The full path of the file to modify later
• param3: Always set to -1

A small demonstrative program

Let's try to disable the WFP concerning the "c:\windows\system32\calc.exe" file:

typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);

void Disable_WFP() {
    hmod=LoadLibrary("sfc_os.dll");
    CPP SetSfcFileException;
    // the function is stored at the fifth ordinal in sfc_os.dll
    SetSfcFileException=(CPP)GetProcAddress(hmod,(LPCSTR)5);
    SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
    // Now we can modify the system file in a complete stealth.
}