SFC and WFP information / help

Jim Carlock (thread starter)

:-)

I've found two SFC functions. I'm working on a program to
restore all files that were deleted out of the dllcache folder.

Anyone here have any information on these two functions?

BOOL SfcIsFileProtected(
HANDLE RpcHandle,
LPCWSTR ProtFileName
);
BOOL SfcGetNextProtectedFile(
HANDLE RpcHandle,
PPROTECTED_FILE_DATA ProtFileData
);

BOOL are 16-bit values, is that correct?
HANDLE is a 32-bit pointer, right?

typedef struct _PROTECTED_FILE_DATA {
WCHAR FileName[MAX_PATH];
DWORD FileNumber;
} PROTECTED_FILE_DATA, *PPROTECTED_FILE_DATA;

I'm thinking along the lines of the following for the type declaration.

Public Const MAX_PATH As Long = 260&   ' Win32 MAX_PATH is 260, not 256
Public Type PROTECTED_FILE_DATA
    sFileName(0 To MAX_PATH * 2& - 1) As Byte   ' WCHAR[MAX_PATH]: 2 bytes per character
    iFileNumber As Long
End Type

Dim SNULL As String * (MAX_PATH * 2&)
SNULL = String$(Len(SNULL), vbNullChar)   ' String(count, char), not String(char, count)

'I'm a little tipsy, pardon me while I hiccup.

Dim udtProtFileData As PROTECTED_FILE_DATA

'Anyone up for another beer?

This is where I get a little lost. I don't want to run through every
file in the system to find what files are supposed to be in the
dllcache folder. And given that the dllcache is empty or missing
files, I can't enumerate the files in the cache. And I think I have
seen msvbm60.dll in the list but I don't see it there now,
because a couple things are not working.

Is there a list of files kept somewhere that are supposed to be
stored in the dllcache? I keep thinking it's got to be in the
registry. There should be a key there that stores information
about the files, where the files are located, filenames, file
version, etc. I have noticed that visual c runtimes are thrown
in there and a couple ocx files as well.

Any help is greatly appreciated.

Thanks. :-)
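An added example, not code from the original post, answering the Declare/Type question above: a VB6 standard module that walks the Windows File Protection list with SfcGetNextProtectedFile and tests single paths with SfcIsFileProtected. On 32-bit Windows BOOL is a 32-bit int and HANDLE is a 32-bit pointer, so both map to Long in VB6; MAX_PATH is 260. The module assumes VB6 on Windows XP (later versions replaced WFP with WRP, so what the enumeration returns there is not verified here); the Demo routine and the two sample paths are illustrative, and msvbvm60.dll is used as the spelling of the VB runtime the post refers to.

```vb
Option Explicit

' Added example (not from the original post). Assumes VB6 on Windows XP,
' where sfc.dll forwards these exports to sfc_os.dll.
Private Const MAX_PATH As Long = 260          ' Win32 MAX_PATH is 260, not 256
Private Const ERROR_NO_MORE_FILES As Long = 18

' WCHAR FileName[MAX_PATH] is 520 bytes followed by a DWORD. A fixed Byte
' array keeps that layout exact; a fixed-length String inside a UDT would be
' converted to ANSI by VB when the structure is handed to a Declare'd call.
Private Type PROTECTED_FILE_DATA
    FileName(0 To MAX_PATH * 2 - 1) As Byte
    FileNumber As Long
End Type

' RpcHandle must be NULL (0). ProtFileName is passed as StrPtr so the
' UTF-16 string reaches the DLL unconverted (BOOL result is a 32-bit Long).
Private Declare Function SfcIsFileProtected Lib "sfc.dll" _
    (ByVal RpcHandle As Long, ByVal ProtFileName As Long) As Long
Private Declare Function SfcGetNextProtectedFile Lib "sfc.dll" _
    (ByVal RpcHandle As Long, ProtFileData As PROTECTED_FILE_DATA) As Long

' Returns a Collection of every protected file path. FileNumber must be 0
' on the first call; the DLL advances it on each successful return.
Public Function ListProtectedFiles() As Collection
    Dim pfd As PROTECTED_FILE_DATA
    Dim result As New Collection
    Dim s As String
    pfd.FileNumber = 0
    Do While SfcGetNextProtectedFile(0, pfd) <> 0
        s = pfd.FileName                    ' Byte array -> String is a raw copy
        result.Add Left$(s, InStr(s & vbNullChar, vbNullChar) - 1)   ' cut at NUL
    Loop
    ' Read Err.LastDllError rather than a Declare'd GetLastError: the VB
    ' runtime may call Win32 in between and overwrite the thread's value.
    If Err.LastDllError <> ERROR_NO_MORE_FILES Then
        Err.Raise vbObjectError + Err.LastDllError, "ListProtectedFiles", _
            "SfcGetNextProtectedFile failed, Win32 error " & Err.LastDllError
    End If
    Set ListProtectedFiles = result
End Function

' True if WFP protects the given path. SFC matches on the full path, so
' pass the location the file actually lives at, not just its file name.
Public Function IsProtected(ByVal path As String) As Boolean
    IsProtected = (SfcIsFileProtected(0, StrPtr(path)) <> 0)
End Function

' Illustrative driver: prints the count, the first few entries, and the
' verdict for two sample paths under %SystemRoot%\system32.
Public Sub Demo()
    Dim files As Collection, f As Variant, n As Long
    Dim sys32 As String
    sys32 = Environ$("SystemRoot") & "\system32\"
    Set files = ListProtectedFiles()
    Debug.Print files.Count & " protected files"
    For Each f In files
        n = n + 1
        If n <= 5 Then Debug.Print "  " & f
    Next
    Debug.Print "ntdll.dll protected? " & IsProtected(sys32 & "ntdll.dll")
    Debug.Print "msvbvm60.dll protected? " & IsProtected(sys32 & "msvbvm60.dll")
End Sub
```

Run Demo from the Immediate window. The enumeration answers the question of where the list lives from the caller's side: there is no registry key to read, the DLL hands back one PROTECTED_FILE_DATA per call and signals the end with ERROR_NO_MORE_FILES, so a restore tool can compare that list against what is actually present in the dllcache folder.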
 
Your post is somewhat vague and I'm not entirely sure what it is you are asking. If you go > Start\Run and type in sfc /scannow, the system will do a System File Check. You will need your XP CD or your Recovery CD if an OEM of XP. This compares the present OS files with the originals and replaces any missing or corrupt files with the ones found on the disk. If you need any other parameters, go > Start\Run, type in cmd and hit OK. Now type in sfc /? and you will get all the parameters available for this utility. Be sure you put the space after sfc. I hope this is what you want. Welcome to the eXPeriance. {:~)
 
LOL

It doesn't work the way you think. It never asks for a CD.

;-)

::The Unknown P... wrote:::::
> If you go>start\run and type in sfc /scannow

I run it from the Command prompt. No need for the extra clicking.

> the system will do a System File Check.

Well, what does it check? I ran sfc /purgecache first. That is one
question that needs an answer.

> You will need your XP CD or your Recovery CD if an
> OEM of XP.

That is untrue. It does not ask for a CD anymore.

> This compares the present os files with the originals

That is untrue, the originals are themselves and there is nothing to
compare against. I'm not sure "what" YOU are referring to. Why
compare an ntdll.dll that's been updated 2 or 3 times, with an
original ntdll.dll on a CD that is 3 years outdated? There is no use
in such behaviors. And it doesn't ask for a CD or even look for
a CD anymore. :-)

> and replaces any missing or corrupt files with the ones found
> on the disk.

It is NOT doing what you say it should do. I don't think it likes
you. :-)

> If you need any other parameters you go>start\run and type in
> cmd and hit ok.

I just click on the Cmd.exe shortcut. You know how you can
place a cmd.exe shortcut in the right click menu? I have done
similar things in the past, but I really would like to place it at
the top of the Explorer list for right clicks. That way I don't
have to move down to the taskbar.

> Now type in sfc /? and you will get all the parameters

LOL Really? See my previous post about pulling functions out
of sfc.dll. Very interesting. Take a look at this:

File Name: SFC.EXE
File Type: EXECUTABLE IMAGE
Section Examined: IMPORTS
Section contains the following imports:
msvcrt.dll
77C33632 98 __set_app_type
77C1EB68 85 __p__fmode
77C1EB4A 80 __p__commode
77C5D388 B6 _adjust_fdiv
77C48F60 9A __setusermatherr
77C379DB 13A _initterm
77C1E8AF A4 __wgetmainargs
77C5C9EC A5 __winitenv
77C33EB0 ED _except_handler3
77C37B00 C8 _cexit
77C31269 4E _XcptFilter
77C37AEE F6 _exit
77C37B11 C5 _c_exit
77C31F83 2F3 setlocale
77C426B8 228 _wcsicmp
77C4299A 22C _wcsnicmp
77C1D7F9 338 wcstoul
77C5AC80 13E _iob
77C3CD6E 323 vswprintf
77C37ADC 28F exit
77C4A658 D6 _controlfp
77C43DBC 32C wcslen
77C3EE11 320 vfwprintf

ADVAPI32.dll
77DD609C DF FreeSid
77DD1EB4 38 CheckTokenMembership
77DD60A2 1D AllocateAndInitializeSid

KERNEL32.dll
77F5157D 15A GetLastError
77E7F295 E1 FormatMessageW
77E79A45 238 LocalFree
77E707A7 275 ProcessIdToSessionId
77E78406 150 GetFileType
77E76052 375 WriteConsoleW
77E80656 130 GetCurrentProcessId
77E79F93 167 GetModuleHandleA
77E79881 234 LocalAlloc
77E79C3D 19E GetStdHandle

RPCRT4.dll
77D28400 7A NdrClientCall2

USER32.dll
77D4A92C 2D9 wsprintfW

sfc_os.dll
10010AC Import Address Table
1001CE8 Import Name Table
FFFFFFFF time date stamp
FFFFFFFF Index of first forwarder reference

76C693D6 Ordinal 4
76C69471 Ordinal 6
76C69395 Ordinal 3

Header contains the following bound import information:
Bound to msvcrt.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
Bound to ADVAPI32.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
Bound to KERNEL32.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
Contained forwarders bound to NTDLL.DLL [3B7DE01E] Fri Aug 17 23:25:18 2001
Bound to RPCRT4.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
Bound to USER32.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
Bound to sfc_os.dll [3B7DFE12] Sat Aug 18 01:33:06 2001

'-----------------------------------------------
It is very interesting to note that it is bound to sfc_os.dll. And it is
not bound to sfc.dll, which holds the two functions that I previously
was inquiring about. And I don't see the connections to sfc_os.dll.

So the connections are hidden? Do you know what the deal is with
that? I'm wondering if it is plain data that is held in that file?

I see the following for sfc_os.dll:

File Name: sfc_os.dll
File Type: DLL
Section contains the following exports for sfc_os.dll
0 characteristics
3D6D9F5D time date stamp Thu Aug 29 00:13:17 2002
0.00 version
1 ordinal base
11 number of functions
4 number of names
ordinal hint RVA name
8 0 00009736 SfcGetNextProtectedFile
9 1 00009841 SfcIsFileProtected
10 2 00012D40 SfcWLEventLogoff
11 3 000137F9 SfcWLEventLogon
1 0000EB10 [NONAME]
2 0000E9CE [NONAME]
3 00009345 [NONAME]
4 00009386 [NONAME]
5 000093A0 [NONAME]
6 00009421 [NONAME]
7 00009463 [NONAME]

That is very interesting there, as well. I will need to explore what
is in the NONAME things.

:-) Oh, it looks like they are internally called functions, maybe
jumped to through certain conditions. T
> I hope this is what you want. Welcome to the eXPeriance. {:~)

Thanks, but you were way off target. Feel free to read along. I
meant to post this information to the VB newsgroup, but had a
little too much too drink last night. ;-)

By the way, the list of files that are protected by the system is
contained inside sfcfiles.dll.

There is one exported function inside sfcfiles.dll:
SfcGetFiles

And there is no documentation about it in the Platform SDK.
There is documentation about the other two functions which
is found in both sfc.dll and sfc_os.dll.

The sfc.dll is a small wrapper. It holds the functions listed in
sfc_os.dll and forwards those function calls to sfc_os.dll.

There are also a couple extra functions inside sfc.dll which
forward the calls to sfc_os.dll:

SfcGetNextProtectedFile (forwarded to sfc_os.SfcGetNextProtectedFile)
SfcIsFileProtected (forwarded to sfc_os.SfcIsFileProtected)
SfcWLEventLogoff (forwarded to sfc_os.SfcWLEventLogoff)
SfcWLEventLogon (forwarded to sfc_os.SfcWLEventLogon)


And the functions inside of sfc.dll that are NOT forwarded:

SRSetRestorePoint
SRSetRestorePointA
SRSetRestorePointW
SfpVerifyFile

I still have to dig deeper unless someone else knows more.

Thanks for your comments!
 
As a friend of mine once said, "Windows is DLL soup!"

Steve

 
I've also got Tom Petty's "Refugee" going through my head but the words
have changed to "You don't have to edit the registry!" . . . been a very
long week.

Good luck!

Steve
 