How Do I Replace A System File? Try .KDFILES

While the Windows DDK includes numerous buildable driver samples, including a number of "in the box" drivers, any attempt to copy a driver built from the DDK over the existing version of that driver will be thwarted by "system file protection" (Windows File Protection, or WFP, on Windows 2000/XP/2003).

Windows keeps an extra copy of each protected system file, including signed drivers, in the %systemroot%\system32\dllcache subdirectory. If you delete or modify a protected file, system file protection copies the original back from dllcache to the file's real location. If you delete or modify the copy in dllcache, it restores that copy from the original installation source.

Note that system file protection isn't perfect: you can copy notepad.exe over ntoskrnl.exe and system file protection will not "fix" your system. That is because it merely checks that the binary is signed (that is, that it verifies against a system catalog). A signed binary is not necessarily the correct binary!
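The check WFP does not make, as an added example that is not part of the original article: a short PowerShell script that compares each live file in %systemroot%\system32 (and its drivers\ subdirectory) byte-for-byte, via SHA-256, against the copy WFP keeps in dllcache. The file list in the script is an assumption for illustration, not WFP's protected-file list; the flat dllcache layout (drivers cached by file name alongside everything else) is what the script assumes. dllcache exists on Windows 2000/XP/2003 only; Vista and later replaced WFP with Windows Resource Protection, which does not use it. Hashing goes through .NET rather than Get-FileHash so the script runs on the PowerShell 2.0 those systems shipped with.

```powershell
# Added example (not from the OSR article): compare protected files in
# %SystemRoot%\System32 with their Windows File Protection copies in dllcache.
# WFP itself only checks that a file verifies against a signing catalog, so a
# catalog-signed but wrong binary (notepad.exe copied over ntoskrnl.exe) passes
# its check. A byte-for-byte comparison against the dllcache copy is the check
# WFP does not make. The file list below is an assumption for illustration.

$System32 = Join-Path $env:SystemRoot 'System32'
$DllCache = Join-Path $System32 'dllcache'

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # .NET hashing instead of Get-FileHash so this works on PowerShell 2.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Compare-DllCache {
    param(
        # Paths relative to System32. Drivers live in drivers\, but their
        # dllcache copies are stored flat by file name (assumed layout).
        [string[]]$Names = @('ntoskrnl.exe', 'hal.dll', 'ntdll.dll',
                             'drivers\disk.sys', 'drivers\ntfs.sys')
    )
    foreach ($name in $Names) {
        $live   = Join-Path $System32 $name
        $cached = Join-Path $DllCache (Split-Path $name -Leaf)
        $status = 'match'
        $liveHash = $null
        $cacheHash = $null
        # File.Exists ignores the hidden/system attributes on dllcache.
        if (-not [System.IO.File]::Exists($live)) {
            $status = 'missing-live'
        } elseif (-not [System.IO.File]::Exists($cached)) {
            $status = 'no-dllcache-copy'
        } else {
            $liveHash  = Get-Sha256Hex $live
            $cacheHash = Get-Sha256Hex $cached
            if ($liveHash -ne $cacheHash) { $status = 'MISMATCH' }
        }
        New-Object PSObject -Property @{
            File   = $name
            Status = $status
            Live   = $liveHash
            Cache  = $cacheHash
        }
    }
}

# A MISMATCH means WFP's signature check accepted a file that is not the one
# it caches; resolve it against the expected build before trusting the system.
Compare-DllCache | Sort-Object Status | Format-Table File, Status, Live, Cache -AutoSize
```

Run it from an administrative prompt, since dllcache is not readable by ordinary users. A mismatch is not by itself proof of tampering (a hotfix can legitimately update the live file before dllcache), but it is exactly the case WFP cannot tell apart from the notepad.exe-over-ntoskrnl.exe example above, so it is the one to resolve by hand.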

The Windows Debugger provides a mechanism for replacing files on a debuggee with the ".kdfiles" command. The command is well documented in the debugger documentation, although the documentation doesn't exactly highlight that, because the kernel pulls the replacement image from the host over the debugger connection as it loads the image, the feature bypasses system file protection in the process.

If you haven't discovered ".kdfiles" yet, read up on it; you'll be very glad you did! This debugger command is one of the best features ever implemented. It lets the debugger automagically replace an executable image on the target system (the one you're debugging) with an executable image from your host system (the one on which you're running the debugger). With this command there's no longer any need to manually copy your newly built fred.sys (or whatever your driver is) to \windows\system32\drivers\ while you debug. One caveat: the replacement map is consulted only when the kernel loads the image, so set it up before the driver loads, and unload and reload (or reboot) a driver that is already resident; the old image stays in memory until then.

Plus, as previously mentioned, a bonus feature of .kdfiles is that it lets you replace a system file. That is very useful when you want to replace the supplied version of disk.sys with the checked version built from the sources in the DDK, for example, to figure out what's going on in the storage stack. Make sure the build you map in matches the target's architecture and OS version: the host supplies the bytes, and the debugger does not check that they fit the target.
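The procedure described above, as an added example that is not part of the original article: a driver replacement map file and the WinDbg session that loads it, followed by the check that confirms the target really picked up the host build. The file name C:\build\kdfiles.ini, the host path C:\build\fred.sys and the module name fred are assumptions for illustration. Each map entry is three lines: the word map, the path as the target kernel will request it (the form shown follows the article's \windows\system32\drivers\ convention; confirm the exact matching rules in the .kdfiles documentation), and the host file to serve in its place.

```text
C:\build\kdfiles.ini  (driver replacement map, kept on the host; one entry per image)

map
\windows\system32\drivers\fred.sys
C:\build\fred.sys

WinDbg session on the host, with the kernel debugger already connected to the target

kd> .kdfiles C:\build\kdfiles.ini
kd> .kdfiles
kd> g

    Now reboot the target, or stop and restart the fred service on it, so the
    kernel loads fred.sys again. When the mapping fires, the debugger reports
    that it is serving C:\build\fred.sys to the target; if no such line
    appears, the requested path did not match the map entry.

kd> lm m fred
kd> !lmi fred

Confirm the loaded image is the host build: the Timestamp and CheckSum that
!lmi prints must match the headers of the file on the host.

C:\build> link /dump /headers fred.sys | findstr /i "time date stamp checksum"
```

`.kdfiles` with no argument prints the map currently in effect, which is the first thing to look at when a replacement silently does not happen. Comparing `!lmi` output against `link /dump /headers` is the cheap way to be sure you are debugging the binary you built rather than the one system file protection left on the target.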
