OSRLogo
OSRLogoOSRLogoOSRLogo x OSR Custom Development Services
OSRLogo
x

Everything Windows Driver Development

x
x
x
GoToHomePage xLoginx
 
 

    Thu, 14 Mar 2019     118020 members

   Login
   Join


  
 
Contents
  Online Dump Analyzer
OSR Dev Blog
The NT Insider
The Basics
File Systems
Downloads
ListServer / Forum
  Express Links
  · The NT Insider Digital Edition - May-June 2016 Now Available!
  · Windows 8.1 Update: VS Express Now Supported
  · HCK Client install on Windows N versions
  · There's a WDFSTRING?
  · When CAN You Call WdfIoQueueP...ously

How Do I Replace A System File? Try .KDFILES
Getting Your Work Done In Spite of System File Protection OSR Staff | Published: 24-Aug-04| Modified: 24-Aug-04

While the Windows DDK includes numerous buildable driver samples, including a number of "in the box" drivers, any attempt to copy a driver built from the DDK onto an existing version of the driver will be thwarted by "system file protection".

Windows maintains an extra copy of critical system files including signed drivers, in the %systemroot%\system32\dllcache subdirectory. If you attempt to delete or modify any of the protected files, system file protection will copy the original version from the dllcache to the driver location.  If you attempt to delete or modify the version of the protected file in the dllcache, it will copy the original into the dllcache.

Note that system file protection isn't perfect - you can copy notepad.exe on ntoskrnl.exe and system file protection will not "fix" your system.  That is because it merely looks to ensure the binary is signed.  This doesn't mean it is the correct binary!

The Windows Debugger provides a mechanism for replacing files on a debugee by using the ".kdfiles" directive.  This is well documented in the debugger documentation, although it doesn't exactly highlight the fact that this feature can be used to bypass system file protection in the process.

If you haven't discovered ".kdfiles" yet, read up on it -- You'll be very glad you did!  This debugger command is one of the best features ever implemented.  It allows you to have the debugger automagically replace an executable image on the target system (the one that you're debugging) with an executable image from your host system (the one from which you're running the debugger).  That means that with this command, there's no longer any need to manually copy you're newly built version of fred.sys (or whatever your driver is) to \windows\system32\drivers\ while you debug.

Plus, as previously mentioned, a bonus feature of .kdfiles is that it will allow you to replace a system file.  Which is very useful for replacing the supplied version of disk.sys with the checked version built from the sources in the DDK, for example, when you're trying to figure out what's going on in the storage stack.

User Comments
Rate this article and give us feedback. Do you find anything missing? Share your opinion with the community!
 Post Your Comment

 "how to use .KDFILES command?"
nt!RtlpBreakWithStatusInstruction: 80528bec cc int 3 kd> .KDFILES No KD file associations set kd> .KDFILES No KD file associations set kd> .KDFILES disk.sys Unable to load KD file associations from 'disk.sys'

22-Apr-10, ?? ??

Post Your Comments.
Print this article.
Email this article.
bottom nav links