
Normal process usually entails hex editing sfc_os.dll.

I am testing SP3 RC1 and I could not find anyone who had hacked it yet. Searching the net I found a guy who figured out a way to make XP think it was in safe mode thus SFC/WMP is disabled. The cool thing about this hack is no matter what previous or future version you are running WFP can be disabled in the same manner. Using the hex editor method the values constantly change. He also found out a way to enable the security tab when your machine is not a member of a domain.

FYI just in case:
rshx32.dll = Security tab
sfc_os.dll = WFP

Credit goes to Neowinian on neowin.net forums for the solution:

Here's how to make the Windows XP file system think it's in safe mode. This will disable Windows File Protection, and also add the Security tab when you right-click on a file in Explorer and select Properties.

Step 0: XP ships with a simple hex editor called DEBUG.EXE that is required for this procedure. If you deleted it, put it back in the windows\system32 directory -- you can remove it afterwards if you wish.

Step 1: Click Start>Run, type in SERVICES.MSC and press the <enter> key. Find the entry labeled Cryptographic Services and double-click it. Change the startup type to Disabled and click Apply, then click the Stop button, and then click OK. (Note: if you already had Cryptographic Services disabled, omit this step as well as step 8.)

Step 2: Open a CMD.EXE Command Prompt window and type the following commands:

    cd \windows\system32
    ren rshx32.dll rshx32.old
    ren sfc_os.dll sfc_os.old

You will probably receive warning messages from Windows File Protection after each REN command. Make sure to select the options to ignore the warning and allow the files to be renamed.

Step 3: Type the following commands:

    cd \
    del rshx32.dll /s
    del sfc_os.dll /s
    cd \windows\system32
    copy rshx32.old rshx32.dll
    copy sfc_os.old sfc_os.dll

IMPORTANT!!! You MUST rename the files in Step 2 before you can copy them in Step 3, or this procedure will not work!

Step 4: Type the following command:

    DEBUG rshx32.dll

You'll now have a minus-sign as a prompt. Type the following command:

    S 100 8000 74 00 5C 00 4F

DEBUG will return a line of the form:

    0ADE:0AC0

The four-character letter-number combination after the colon is what you must enter in the command below. Now type the following three commands:

    E 0AC0 74 00 00 00 4F    (use the value returned to you above and not 0AC0!!!)
    W
    Q

Step 5: Type the following command:

    DEBUG sfc_os.dll

You'll now have a minus-sign as a prompt. Type the following command:

    S 100 8000 74 00 5C 00 4F

DEBUG will return a line of the form:

    0ADE:0AC0

The four-character letter-number combination after the colon is what you must enter in the command below. Now type the following three commands:

    E 0AC0 74 00 00 00 4F    (use the value returned to you above and not 0AC0!!!)
    W
    Q

Step 6: Type the following commands:

    copy rshx32.dll dllcache
    copy sfc_os.dll dllcache

Step 7: Close the Command Prompt window, open Regedit, and go to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

Create a new DWORD value called OptionValue and give it a value of 1. Close Regedit.

Step 8: Run the SERVICES.MSC program, select Cryptographic Services, change the startup type to Manual, and click Apply. Do not start the service! (Note: omit this step if Cryptographic Services was disabled before you began this procedure.)

Step 9: Reboot your system.

That's it! You will now have the security tab at all times, and Windows File Protection will be disabled. If you would like to remove the tab and re-enable Windows File Protection, use Regedit to change OptionValue to 0, and then reboot your system.

The method used to patch RSHX32.DLL and SFC_OS.DLL should work on any version of the file, including future versions issued in upcoming service packs or hotfixes.

Please note that if you apply these patches, they will take precedence over safe mode. This means that you must first set OptionValue to 1 in the registry before you boot into safe mode in order to see the security tab and to have Windows File Protection disabled.

This post has been edited by snooz: 12 January 2008 - 02:55 PM
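
An added defensive example, not part of the original post: a Python integrity check that compares a suspect copy of rshx32.dll or sfc_os.dll with a known-good copy of the same build and reports whether the only difference is the byte change described in Steps 4 and 5. The function names, verdict labels and sample bytes are constructed for illustration.

```python
# Added example: detect the Step 4/5 byte patch by diffing against a known-good copy.
ORIGINAL = bytes.fromhex("74005C004F")  # pattern searched for with DEBUG's S command
PATCHED = bytes.fromhex("740000004F")   # bytes written with DEBUG's E command


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    offsets, i = [], data.find(needle)
    while i != -1:
        offsets.append(i)
        i = data.find(needle, i + 1)
    return offsets


def classify(suspect: bytes, reference: bytes) -> dict:
    """Compare a suspect DLL image with a trusted copy of the same build."""
    if len(suspect) != len(reference):
        return {"verdict": "size-mismatch", "patched_offsets": [], "other_diffs": []}
    diffs = [i for i, (a, b) in enumerate(zip(suspect, reference)) if a != b]
    # Offsets where the trusted copy has the original pattern and the suspect has the patch.
    patched = [o for o in find_all(reference, ORIGINAL)
               if suspect[o:o + len(PATCHED)] == PATCHED]
    explained = {o + 2 for o in patched}  # the patch changes only the third byte (5C -> 00)
    other = [d for d in diffs if d not in explained]
    if not diffs:
        verdict = "clean"
    elif patched and not other:
        verdict = "safeboot-patch"
    elif patched:
        verdict = "safeboot-patch-plus-other-changes"
    else:
        verdict = "modified"
    return {"verdict": verdict, "patched_offsets": patched, "other_diffs": other}


# Constructed sample bytes standing in for a DLL; not real file contents.
SAMPLE_REFERENCE = b"\x90" * 16 + ORIGINAL + b"\x00" + b"\x90" * 10
SAMPLE_SUSPECT = SAMPLE_REFERENCE[:18] + b"\x00" + SAMPLE_REFERENCE[19:]

if __name__ == "__main__":
    print(classify(SAMPLE_SUSPECT, SAMPLE_REFERENCE))
    print(classify(SAMPLE_REFERENCE, SAMPLE_REFERENCE))
```

To check real files, read both with `open(path, "rb").read()`, taking the reference copy from installation media or a trusted machine at the same patch level.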
