Click here to Skip to main content
15,394,479 members
Articles / Desktop Programming / MFC
Posted 25 Jul 2006


20 bookmarked

A simple way to hack Windows File Protection (WFP) using the SetSfcFileException undocumented function

Rate me:
Please Sign up or sign in to vote.
3.29/5 (20 votes)
1 Sep 2007CPOL
How to delete/modify a system file which is protected by Windows without being detected by the OS protection.


There are many ways to disable WFP. Among them is setting the Registry value SFCDisable found at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" to 2, patching sfc.dll.

But, there is another method which will be discussed in this article. This is using the SetSfcFileException Win32 API function.

SetSfcFileException function

This function is exported by sfc_os.dll. Normally, it makes Windows to allow modification of any protected file given in the parameter during a 60 second period. But I tested it under WinXP and I discovered that its effect is unlimited!

Of course, this function is used in a privileged session! Its main role is to disable the Windows warning dialog when a protected file is modified; this is stealthier than terminating/patching services or changing Registry values.

The prototype of the SetSfcFileException function is:

SetSfcFileException(DWORD param1 , PWCHAR param2 , DWORD param3);
  • param1: Always set to 0
  • param2: The full path of the file to modify later
  • param3: Always set to -1

A small demonstrative program

Let's try to disable the WFP concerning the "c:\windows\system32\calc.exe" file:

typedef DWORD(__stdcall *CPP) (DWORD param1, PWCHAR param2, DWORD param3);

void Disable_WFP() {
    CPP SetSfcFileException;
    // the function is stored at the fifth ordinal in sfc_os.dll
    SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
    // Now we can modify the system file in a complete stealth.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Tunisia Tunisia
- Software / Hardware / Embedded engineer - C/C++ engineer

- IEEE computer society member

- Web page:

Comments and Discussions

GeneralMy vote of 5 Pin
JJMatthews13-Dec-12 20:29
MemberJJMatthews13-Dec-12 20:29 
GeneralSetSfcFileException needed in VB Pin
Cisco R.26-Aug-08 3:53
MemberCisco R.26-Aug-08 3:53 
Generalvaluable article Pin
echosong12-Sep-07 21:28
Memberechosong12-Sep-07 21:28 
GeneralRe: valuable article Pin
Abdellatif_El_Khlifi13-Sep-07 3:54
MemberAbdellatif_El_Khlifi13-Sep-07 3:54 
GeneralRe: We need more articles like this! Pin
Abdellatif_El_Khlifi10-Sep-07 6:13
MemberAbdellatif_El_Khlifi10-Sep-07 6:13 
GeneralFollow Up Pin
BTrabon31-May-07 16:16
MemberBTrabon31-May-07 16:16 
GeneralRe: Follow Up [modified] Pin
Abdellatif_El_Khlifi3-Jun-07 10:13
MemberAbdellatif_El_Khlifi3-Jun-07 10:13 
GeneralRe: Follow Up Pin
BTrabon3-Jun-07 10:22
MemberBTrabon3-Jun-07 10:22 
GeneralRe: Follow Up Pin
Bogdan Apostol17-Jun-08 22:53
MemberBogdan Apostol17-Jun-08 22:53 
GeneralRe: Follow Up Pin
Abdellatif_El_Khlifi18-Jun-08 4:32
MemberAbdellatif_El_Khlifi18-Jun-08 4:32 
QuestionError code? Pin
psu8222-Oct-06 23:07
Memberpsu8222-Oct-06 23:07 
QuestionWindows 2000 ? Pin
psu8222-Oct-06 21:20
Memberpsu8222-Oct-06 21:20 
AnswerRe: Windows 2000 ? Pin
Hansa4Ever15-Nov-06 4:35
MemberHansa4Ever15-Nov-06 4:35 
QuestionRe: Windows 2000 ? Pin
faceold4-Jul-07 17:27
Memberfaceold4-Jul-07 17:27 
GeneralNo SetSfcFileException exported in sfc_os.dll Pin
wang_xiaopin24-Aug-06 20:30
Memberwang_xiaopin24-Aug-06 20:30 
GeneralRe: No SetSfcFileException exported in sfc_os.dll Pin
Abdellatif_El_Khlifi25-Aug-06 0:45
MemberAbdellatif_El_Khlifi25-Aug-06 0:45 
GeneralAdmin Privs needed??!! Pin
dbaier25-Jul-06 13:40
Memberdbaier25-Jul-06 13:40 
GeneralRe: Admin Privs needed??!! Pin
Abdellatif_El_Khlifi25-Jul-06 23:20
MemberAbdellatif_El_Khlifi25-Jul-06 23:20 
QuestionWhy? Pin
Dave Goodman25-Jul-06 7:52
MemberDave Goodman25-Jul-06 7:52 
AnswerRe: Why? Pin
Jim Crafton26-Jul-06 6:58
MemberJim Crafton26-Jul-06 6:58 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.