- PROBLEMCHYLD
- Posts: 1001
- Joined: 2013-03-22 12:55
Yeah, I do. I was able to get System Restore working on Windows 98 from Windows ME. The thing is, System Restore does a check for files with hashes, signatures etc. I need SFC.DLL from Windows ME patched so it doesn't do a check and disable file protection. http://www.vorck.com/windows/sfc.html The link is for Windows 2000, but see if you can do the same for the WinME version.
- PROBLEMCHYLD
- Posts: 1001
- Joined: 2013-03-22 12:55
Yes
Here is the thing, I'm not 100% sure if SFC.DLL or SFPDLL.DLL should be patched, or maybe both need to be patched. System Restore won't work at all without the 2 files. After researching this matter, it seems System Restore and System File Protection use the system.cat (catalog) file to check signatures, hashes, timestamps etc. of system files; when the files don't match the ones from the catalog file, you get the infamous Restoration Was Unsuccessful error. We need to figure out which file to patch so it doesn't check for signatures, hashes, timestamps etc. We also need to disable System File Protection so we are able to replace files whenever we want without SFP interference. In other words, we want to disable System File Protection and not have it check the SYSTEM.CAT file. After we get this done, we can move to the next step. Thank you for your interest. BTW, System Restore can be used as a full backup application by editing FILELIST.XML and adding files and directories.

PROBLEMCHYLD wrote: We also need to disable System File Protection so we are able to replace files whenever we want without SFP interference. In other words, we want to disable System File Protection and not have it check the SYSTEM.CAT file.
Well, I can see a few different ways of doing this. You could use an empty .CAT file, but any update you install would probably add new entries to it. You could patch the code to read data from a different .CAT file (an empty one) than the one it writes to when it does updates. Or, you could patch the code which determines if a file is protected or not, and always have it report that every file is not protected.
Looking through SFC.DLL I found this export that might just be what we are looking for on the last option:
;------------------------------------------------------------------------------
SfcIsFileProtected:
push ebp
mov ebp,esp
push FFFFFFFFh
push L76112320
push jmp_MSVCRT.dll!_except_handler3
mov eax,fs:[00000000h]
push eax
mov fs:[00000000h],esp
sub esp,00000120h
push ebx
push esi
push edi
mov [ebp-18h],esp
mov dword ptr [ebp-00000124h],0000054Fh
xor edi,edi
cmp [ebp+0Ch],edi
jnz L76113E9A
mov eax,[atrace.dll!__dwEnabledTraces]
test byte ptr [eax],02h
jz L76114016
push 00000002h
push SSZ7611230C_SfpIsFileProtected
push 00000124h
push SSZ761172F0_d__mpcfre_restore_src_rpc_client
call [atrace.dll!_SetAsyncTraceParams@16]
test eax,eax
jz L76114016
push SSZ761122FC_NULL_file_name
jmp L7611400A
L76113E9A:
push L761179E0
call SUB_L76113911
test eax,eax
jnz L76113EDF
mov eax,[atrace.dll!__dwEnabledTraces]
test byte ptr [eax],02h
jz L76114016
push 00000002h
push SSZ7611230C_SfpIsFileProtected
push 0000012Dh
push SSZ761172F0_d__mpcfre_restore_src_rpc_client
call [atrace.dll!_SetAsyncTraceParams@16]
test eax,eax
jz L76114016
push SSZ7611226C_Cannot_init_RPC
jmp L7611400A
L76113EDF:
push edi
push edi
push 00000104h
lea eax,[ebp-0000011Ch]
push eax
push FFFFFFFFh
push [ebp+0Ch]
push edi
call SUB_L76115C62
push eax
call [KERNEL32.dll!WideCharToMultiByte]
test eax,eax
jnz L76113F53
call [KERNEL32.dll!GetLastError]
mov esi,eax
mov eax,[atrace.dll!__dwEnabledTraces]
test byte ptr [eax],02h
jz L76114016
push 00000002h
push SSZ7611230C_SfpIsFileProtected
push 0000013Fh
push SSZ761172F0_d__mpcfre_restore_src_rpc_client
call [atrace.dll!_SetAsyncTraceParams@16]
test eax,eax
jz L76114016
push esi
push [ebp+0Ch]
push SSZ761122D4_Failed_to_convert__S_to_ANSI__er
push 00000201h
call SUB_L76113A1A
add esp,00000010h
jmp L76114016
L76113F53:
mov [ebp-04h],edi
lea eax,[ebp-0000011Ch]
push eax
call SUB_L76112CEB
mov [ebp-00000124h],eax
xor ecx,ecx
cmp eax,edi
setz cl
mov esi,ecx
mov [ebp-00000120h],esi
jmp L76113FCE
L76113F79:
mov eax,[ebp-14h]
mov eax,[eax]
mov eax,[eax]
mov [ebp-00000130h],eax
push 00000001h
pop eax
retn
;------------------------------------------------------------------------------
Specifically, we might try changing the jz at 76113F13 to jmp, since it is the last conditional branch before it sets that it is protected.
76113F09 8BF0 mov esi,eax
76113F0B A1E4101176 mov eax,[atrace.dll!__dwEnabledTraces]
76113F10 F60002 test byte ptr [eax],02h
76113F13 0F84FD000000 jz L76114016
76113F19 6A02 push 00000002h
76113F1B 680C231176 push SSZ7611230C_SfpIsFileProtected
76113F20 683F010000 push 0000013Fh
76113F25 68F0721176 push SSZ761172F0_d__mpcfre_restore_src_rpc_client
76113F2A FF15EC101176 call [atrace.dll!_SetAsyncTraceParams@16]
76113F30 85C0 test eax,eax
76113F32 0F84DE000000 jz L76114016
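The jz proposed above is a 6-byte "0F 84 rel32" instruction, while a jmp rel32 is only 5 bytes, and rel32 is measured from the end of the instruction, so simply swapping the opcode and keeping the old displacement lands one byte short of L76114016. The following is an added example (not code from the thread or from SFC.DLL) that decodes and re-encodes rel32 branches from the listing's constructed address/bytes pair and checks that a candidate edit still reaches the same target; no file is modified.

```python
import struct

# Constructed from the listing above: address and bytes of "jz L76114016".
JZ_ADDR = 0x76113F13
JZ_BYTES = bytes.fromhex("0F84FD000000")

def decode_rel32_branch(addr: int, code: bytes):
    """Return (mnemonic, absolute target) for jz rel32 (0F 84) or jmp rel32 (E9)."""
    if code[:2] == b"\x0f\x84":
        op, length = "jz", 6
        rel = struct.unpack("<i", code[2:6])[0]
    elif code[:1] == b"\xe9":
        op, length = "jmp", 5
        rel = struct.unpack("<i", code[1:5])[0]
    else:
        raise ValueError("not a jz/jmp rel32 instruction")
    # rel32 is relative to the address of the *next* instruction.
    return op, addr + length + rel

def encode_jmp_rel32(addr: int, target: int, slot_len: int) -> bytes:
    """Encode 'jmp target' at addr and NOP-pad it to fill slot_len bytes."""
    rel = target - (addr + 5)
    enc = b"\xe9" + struct.pack("<i", rel)
    if len(enc) > slot_len:
        raise ValueError("jmp does not fit in the original instruction slot")
    return enc + b"\x90" * (slot_len - len(enc))

def convert_jz_to_jmp(addr: int, code: bytes) -> bytes:
    """Rewrite a jz rel32 as an unconditional jmp to the same target."""
    op, target = decode_rel32_branch(addr, code)
    if op != "jz":
        raise ValueError("expected a jz rel32")
    return encode_jmp_rel32(addr, target, len(code))

def same_target(addr: int, before: bytes, after: bytes) -> bool:
    """True only if both encodings resolve to the same absolute address."""
    return decode_rel32_branch(addr, before)[1] == decode_rel32_branch(addr, after)[1]

if __name__ == "__main__":
    op, target = decode_rel32_branch(JZ_ADDR, JZ_BYTES)
    print(f"{op} at {JZ_ADDR:08X} -> {target:08X}")
    print("patched bytes:", convert_jz_to_jmp(JZ_ADDR, JZ_BYTES).hex().upper())
```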
- PROBLEMCHYLD
- Posts: 1001
- Joined: 2013-03-22 12:55
I don't understand code, but if you patch the file, I can give it a test run. Damn that was fast. I wasn't expecting to hear from you at least a week down the line.
- PROBLEMCHYLD
- Posts: 1001
- Joined: 2013-03-22 12:55
It's probably best to go with the last solution, the reason being we don't have to deal with any catalog file.

You know, I started to think about this and I seemed to remember that Windows ME (unlike 2k, which had some files hardcoded) was fairly easy to configure as to which files would be protected by SFP. So, I started to look into it a little and have configured the sfpdb.sfp and filelist.xml files to only protect the DOS command EDIT.COM. I would have removed everything, but when I did that, System Restore failed to make restore points, so at least 1 file is needed. Instead of patching a .dll, which, by the way, could be overwritten by an update, this is probably an easier way to go about it, if you're willing to give it a try.
WFP by default protects the filelist.xml file, so here is how to install it without booting to DOS and overwriting both files at once:
1. Check the "Disable System Restore" checkbox in System Properties -> Troubleshooting -> File System
2. Reboot
3. Overwrite %windir%\system\sfp\sfpdb.sfp to remove protection for files (including filelist.xml)
4. Reboot
5. Overwrite %windir%\system\restore\filelist.xml to remove System Restore's protection of SFP files
6. Uncheck the "Disable System Restore" checkbox in System Properties -> Troubleshooting -> File System
7. Reboot to rebuild the _restore\vxdmon.dat file which System Restore actually uses.
Once finished you should have a working System Restore and a system that is only protecting the DOS executable %windir%\EDIT.COM.
- PROBLEMCHYLD
- Posts: 1001
- Joined: 2013-03-22 12:55
I tried all the steps and still got Restoration Was Unsuccessful.
One other thing, the SFC.DLL and SFPDLL.DLL are native to System Restore, which means there is no UPDATE to replace those 2 files. Thanks. If you want to quit that's fine, but with your help we have gotten a step closer. I have the utmost respect for you and thank you very much for your time and skills.

Make certain you have 290700usam.exe installed from this knowledge base: http://support.microsoft.com/kb/290700
You should be able to extract the file on windows 98 and install it by using:
290800usam.exe /C /T:C:\Temp
Then navigate to the C:\Temp folder, right-click the .inf file and click Install. I had to do it on ME to get it to be able to restore without getting that error.
Otherwise, tell me how I can set up a 98 install to get the same error. Do you have a vmware image I can work from?