A simple way to hack Windows File Protection (WFP) using the SetSfcFileException undocumented function
3.29/5 (20 votes)
How to delete/modify a system file which is protected by Windows without being detected by the OS protection.
Introduction
There are many ways to disable WFP. Among them is setting the Registry value SFCDisable found at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to 2, patching sfc.dll.
But, there is another method which will be discussed in this article. This is using the SetSfcFileException Win32 API function.
SetSfcFileException function
This function is exported by sfc_os.dll. Normally, it makes Windows to allow modification of any protected file given in the parameter during a 60 second period. But I tested it under WinXP and I discovered that its effect is unlimited!
Of course, this function is used in a privileged session! Its main role is to disable the Windows warning dialog when a protected file is modified; this is stealthier than terminating/patching services or changing Registry values.
The prototype of the SetSfcFileException function is:
SetSfcFileException(DWORD param1 , PWCHAR param2 , DWORD param3);
param1: Always set to 0param2: The full path of the file to modify laterparam3: Always set to -1
A small demonstrative program
Let's try to disable the WFP concerning the "c:\windows\system32\calc.exe" file:
typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);
void Disable_WFP() {
hmod=LoadLibrary("sfc_os.dll");
CPP SetSfcFileException;
// the function is stored at the fifth ordinal in sfc_os.dll
SetSfcFileException=(CPP)GetProcAddress(hmod,(LPCSTR)5);
SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
// Now we can modify the system file in a complete stealth.
}