How to Hack Protected Windows XP Files - How Windows protects files
(Page 2 of 5)
Windows File Protection (WFP) is a built-in feature of Windows XP that protects the core system files Windows installs (.sys, .dll, .exe, .ocx and font files) against replacement by malware, careless installers and accidental deletion. When a protected file is changed or removed, WFP quietly puts a known-good copy back.
WFP does not compare file sizes at execution time. It is a user-mode component (sfc_os.dll, loaded by Winlogon) that registers for change notifications on the protected directories. When a protected file is created, replaced or deleted, WFP checks the new file's digital signature against the Windows catalog files; if the file is not signed by Microsoft, or is missing, it is restored from %systemroot%\system32\dllcache (or from the installation media if the cache copy is absent) and an event is written to the System log under the source "Windows File Protection".
Some hack guides will tell you to disable Windows File Protection outright. I don't recommend that: with WFP off, every protected file on the machine is fair game for the next piece of malware that wants to drop in its own DLL. Instead, exempt only the individual files or folder trees you actually intend to change.
There is a hidden file called filelist.xml in the Restore folder of your System32 directory. It is the include/exclude list System Restore uses to decide which files it monitors, and it is plain XML, so you can open it in any basic text editor. Clear the hidden attribute (and the read-only attribute, if set) before saving, and keep a copy of the original.
Insert a line in the <Exclude> section with the path to the file or folder tree that you would like to unprotect. Use the same <REC> element as the existing entries, and format the line exactly like them. Environment variables such as %windir% and %systemdrive% are expanded, so you can use them for the special folders. To unprotect Explorer.exe you would add:
<REC>%windir%\Explorer.exe</REC>
Excluding a file only stops new copies from being captured; the copies Windows already holds are still in place. Once a file has been excluded, you should therefore delete or rename every backup associated with it.
Depending on the Service Pack level of your system and whether or not you are using System Restore, a single system file can have up to four backup copies. WFP keeps its own copy in dllcache, but it also falls back on the copies made by Service Pack setup, System Restore and the Last Known Good mechanism, so it is in effect backing up its own backups, and removing one layer is not enough.
Needless to say, if you intend to alter a system file, you have several safeguards to get past. Here's the order to take them in.
The first thing to remove is the Service Pack backups. If you have installed Service Pack 1 or 2 there will be a ServicePackFiles folder in your %systemroot%. Its i386 subdirectory holds a copy of every file the service pack updated. Most keep their original filenames, though a few are stored under shortened names.
Next come the System Restore copies. These are not in the Restore folder of your System32 directory (that folder holds the System Restore program files and filelist.xml). Restore points live in the hidden System Volume Information\_restore{GUID} folder on each monitored drive, which only the SYSTEM account can read by default. The simplest way to purge them is to turn System Restore off for the drive, which deletes every restore point, and turn it back on after you have made your change.
With those out of the way, it's time to take on another Windows line of defense, the Last Known Good Configuration. Choosing "Last Known Good Configuration" on the Advanced Options boot menu starts Windows with the registry control set and driver files from the last successful logon. The file-level part of that rollback is the LastGood folder in your %systemroot%; remove the copy of your file from there.
At this point you are ready to remove the final backup, the one used by both Windows File Protection and the System File Checker (sfc.exe). It lives in the dllcache folder under System32. The folder is hidden by default, so enable viewing of hidden files and folders or type the path into the Explorer address bar. This is the copy WFP restores from within seconds of a change, so it is the one that matters most. With it gone, WFP will instead prompt you to insert the Windows CD, and you can cancel that prompt.
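The whole procedure above, from the filelist.xml edit through the backup copies to a check that the change actually stuck, as an added PowerShell example that is not code from the original article. It assumes filelist.xml uses the <Exclude> and <REC> elements shown above, takes the article's Explorer.exe as its default target, and leaves the System Restore copies in System Volume Information alone (turn System Restore off and back on to purge those). The .wfp-off suffix and the Get-FileSha1 helper are my own choices, not anything Windows defines.

```powershell
<#
  Added example, not code from the original article. Assumptions: filelist.xml
  uses <Exclude> and <REC> elements as the article shows; $Target is the file to
  unprotect (the article's Explorer.exe by default); System Restore copies under
  System Volume Information are not touched here. Run from an elevated prompt;
  -WhatIf reports what would happen without changing anything.
#>
param(
    [string]$Target = '%windir%\Explorer.exe',
    [switch]$WhatIf
)

$sysRoot  = $env:SystemRoot
$fileList = Join-Path $sysRoot 'system32\Restore\filelist.xml'
$leafName = Split-Path -Path $Target -Leaf                       # e.g. Explorer.exe
$realPath = [Environment]::ExpandEnvironmentVariables($Target)

# SHA-1 of a file via the .NET class, so this also runs on PowerShell 2.0 (no Get-FileHash).
function Get-FileSha1([string]$Path) {
    $sha = [System.Security.Cryptography.SHA1]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# --- Step 1: add a <REC> entry to the <Exclude> section of filelist.xml ---------
$item = Get-Item -Path $fileList -Force                          # -Force sees hidden files
Copy-Item -Path $fileList -Destination "$fileList.orig" -Force   # keep an untouched copy
if ($item.IsReadOnly) { $item.IsReadOnly = $false }

[xml]$doc = Get-Content -Path $fileList
# Match the element name case-insensitively in case your copy spells it EXCLUDE.
$exclude = $doc.SelectSingleNode("//*[translate(local-name(),'EXCLUD','exclud')='exclude']")
if ($exclude -eq $null) { throw "No <Exclude> section found in $fileList" }

$present = $exclude.ChildNodes |
    Where-Object { $_.LocalName -ieq 'REC' -and $_.InnerText -ieq $Target }
if ($present) {
    Write-Host "Already excluded: $Target"
} else {
    $rec = $doc.CreateElement('REC')
    $rec.InnerText = $Target
    [void]$exclude.AppendChild($rec)
    Write-Host "Adding <REC>$Target</REC> to the <Exclude> section"
    if (-not $WhatIf) { $doc.Save($fileList) }
}

# --- Step 2: rename every backup copy Windows could restore the file from ------
$backupDirs = @(
    (Join-Path $sysRoot 'ServicePackFiles\i386'),   # Service Pack backups
    (Join-Path $sysRoot 'LastGood'),                # Last Known Good file copies
    (Join-Path $sysRoot 'system32\dllcache')        # WFP / SFC cache (hidden)
)
foreach ($dir in $backupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter $leafName -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Write-Host "Renaming $($_.FullName) -> $($_.Name).wfp-off"
            if (-not $WhatIf) {
                Rename-Item -Path $_.FullName -NewName ($_.Name + '.wfp-off') -Force
            }
        }
}

# --- Step 3: the check. Record the hash of the current (protected) file now. After
# you copy in your own version, hash it again a minute later: if it has gone back
# to this value, WFP restored the original and one of the backups was missed.
Write-Host ("SHA-1 of {0}: {1}" -f $realPath, (Get-FileSha1 $realPath))
Write-Host "Recent WFP events (EventID 64001 means WFP restored a file):"
Get-EventLog -LogName System -Source 'Windows File Protection' -Newest 5 -ErrorAction SilentlyContinue |
    Format-Table TimeGenerated, EventID, Message -AutoSize
```

Run it once with -WhatIf to see which backup copies exist on your system before anything is renamed. The renamed copies are kept rather than deleted so that a misbehaving replacement can be undone by stripping the .wfp-off suffix and running sfc /scannow.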
By Nilpo, Developer Shed Staff Writer