How to disable Windows File Protection in Windows 7 and/or XP from Registry?

I want to automatically replace a driver with my created driver. I used the PendingFileRenameOperations key in HKLM\System\CurrentControlSet\Control\Session Manager but I've found that it can ONLY be used for simple (non-system) files, because Windows File Protection disables it for system files (see this post).

Now I need to temporarily disable WFP (and turn it on after changing the driver). You can tell me another way to disable it. It can help me too. Any ideas?

Searush

1 Answer

It cannot be done as silently as you were probably hoping for, mainly because of the debugger requirement:

You may disable WFP by setting the value SFCDisable (REG_DWORD) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. By default, SFCDisable is set to 0, which means WFP is active. Setting SFCDisable to 1 will disable WFP. Setting SFCDisable to 2 will disable WFP for the next system restart only (without a prompt to re-enable).

Important: You must have a kernel debugger attached to the system via null modem cable (for example: I386kd.exe or Windbg.exe) to use SFCDisable = 1 or SFCDisable = 2.

After WFP is disabled using the SFCDisable = 1 setting, the following message will appear after logon:

Warning! Windows File Protection is not active on this system. Would you like to enable Windows File Protection now? This will enable Windows File Protection until the next system restart.

Clicking Yes will reactivate WFP until the next system restart. This message will appear at every successful logon until SFCDisable is set to 0.

See here.

Have you considered using devcon or, better yet, pnputil to load your driver from the command line?

Kasius
  • Thanks for devcon and pnputil very much! I will try them. They seem useful. – Searush Sep 25 '12 at 19:52
  • But I can't find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable in my Win7. What should I do? Will it work if I create a new key named SFCDisable? – Searush Sep 25 '12 at 19:53
  • Yes, you can create the value, but I don't think it will do you much good. You have to attach a kernel debugger before setting the value to `1` will actually do anything. – Kasius Sep 25 '12 at 19:54
  • You mean 'creating SFCDisable' key will work after I attach a kernel debugger? – Searush Sep 25 '12 at 19:59
  • If I am correctly reading the article I quoted, then yes. It should work. It's not like attaching a debugger to other processes though. You have to connect another system to yours. Somebody has to physically connect another machine and run the debugger. See [here](http://www.wd-3.com/archive/RemoteDbg.htm). – Kasius Sep 25 '12 at 20:05
  • :( I can't connect every PC to another system when I need them to use the driver. I want to create a program which will install the driver automatically. – Searush Sep 25 '12 at 20:10
  • Disabling WFP probably isn't a good way to go. Are you writing and compiling an application to do this, or are you just scripting? You probably have a lot more [research to do](http://msdn.microsoft.com/en-us/library/windows/hardware/gg463103.aspx) if you are compiling an application. If just scripting, `pnputil` is probably the way to go. If making an .MSI, you can add the `pnputil` line as a custom action. You might also look at [dpinst](http://msdn.microsoft.com/en-us/library/ff544842.aspx). – Kasius Sep 25 '12 at 20:26
  • @Kasius, (please answer that question) – Jet Mar 17 '13 at 12:28
  • @SEARAS: Yes, the user must be an administrator. Drivers are not intended to be loaded by standard users. – Kasius Mar 30 '13 at 17:09
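
For anyone auditing a machine for the two registry settings discussed in this thread, here is an added example (not part of the original posts) that interprets an SFCDisable value as the quoted text describes and flags PendingFileRenameOperations entries that touch the drivers directory. The function names, the `C:\Windows` system root and the sample data are assumptions made for illustration; the pair layout of the multi-string (source, then destination, `\??\` path prefix, optional `!` on the destination, empty destination meaning delete) is how Windows stores pending renames.

```python
"""Triage of SFCDisable and PendingFileRenameOperations data (added example)."""
import ntpath

# SFCDisable meanings exactly as given in the text quoted in the answer.
SFC_STATES = {
    0: "WFP active (default)",
    1: "WFP disabled",
    2: "WFP disabled for the next system restart only",
}

def describe_sfcdisable(value):
    """Describe a Winlogon\\SFCDisable DWORD; None means the value is absent."""
    if value is None:
        return "SFCDisable absent"
    return SFC_STATES.get(value, "value %#x not covered by the quoted text" % value)

def _clean(path):
    # Destinations may start with "!" (replace existing); paths carry a \??\ prefix.
    path = path.lstrip("!")
    return path[4:] if path.startswith("\\??\\") else path

def parse_pending_renames(multi_sz):
    """Pair a REG_MULTI_SZ string list into (source, destination) tuples.
    An empty destination means the source is deleted at the next boot."""
    items = list(multi_sz) + [""] * (len(multi_sz) % 2)  # pad a dangling source
    return [(_clean(s), _clean(d)) for s, d in zip(items[0::2], items[1::2])]

def flag_driver_changes(multi_sz, system_root=r"C:\Windows"):
    """Return queued operations that write to or delete from System32\\drivers."""
    drivers = ntpath.normcase(ntpath.join(system_root, "System32", "drivers")) + "\\"
    hits = []
    for src, dst in parse_pending_renames(multi_sz):
        target = ntpath.normcase(ntpath.normpath(dst or src))
        if target.startswith(drivers):
            hits.append((src, dst))
    return hits

# Constructed sample data, not taken from a real system.
SAMPLE = [
    r"\??\C:\Temp\mydrv.sys", r"!\??\C:\Windows\System32\drivers\mydrv.sys",
    r"\??\C:\Users\a\AppData\Local\Temp\setup.tmp", "",
]

if __name__ == "__main__":
    print(describe_sfcdisable(2))
    for src, dst in flag_driver_changes(SAMPLE):
        print("queued change in drivers directory:", src, "->", dst or "(delete)")
```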