How does Windows File Protection prevent file overrides in XP?

  • Thread starter Krismosy
  • Start date
In summary: This feature is designed to protect the operating system from being modified or corrupted by malicious software. Despite this mechanism, the customer reported experiencing the ntoskrnl.exe file cloning itself in XP SP3, even when logged into safe mode. It was suggested that the customer provide evidence or explanation for this occurrence in order to address the issue for future customers.
  • #1
Krismosy
2
0
Thanks for reading,
This morning, a customer complains my explanation as to why the ntoskrnl.exe in XP SP3 seems able to clone itself if overriden. I stated that it was a feature MS people tried their best to protect their genuine version via WPF mechanism. He convinced me that his XP Home hadn't ever been doing something similar with examples. The problem is that it still clones even though I logged on my computer in safe-mode already. I was blushed! :blushing:
Long story short, someone could offer me a convincing evidence or explanation I would need to consider for, perhaps, next customers ? :cool:
 
Computer science news on Phys.org
  • #2
Krismosy said:
Thanks for reading,
This morning, a customer complains my explanation as to why the ntoskrnl.exe in XP SP3 seems able to clone itself if overriden. I stated that it was a feature MS people tried their best to protect their genuine version via WPF mechanism. He convinced me that his XP Home hadn't ever been doing something similar with examples. The problem is that it still clones even though I logged on my computer in safe-mode already. I was blushed! :blushing:
Long story short, someone could offer me a convincing evidence or explanation I would need to consider for, perhaps, next customers ? :cool:
http://en.wikipedia.org/wiki/Ntoskrnl" .

With Windows File Protection active, replacing or deleting a system file that has no file lock to prevent it getting overwritten causes Windows to immediately and silently restore the original copy of the file. The original version of the file is restored from a cached folder which contains backup copies of these files.
 
Last edited by a moderator:

FAQ: How does Windows File Protection prevent file overrides in XP?

What is ntoskrnl and why is it important?

Ntoskrnl, short for NT Operating System Kernel, is a fundamental component of the Windows operating system. It is responsible for managing system resources, such as memory and processing power, and facilitating communication between hardware and software. It also contains key functions for security and system stability.

Why would someone want to override ntoskrnl?

In certain cases, users may want to customize or modify the behavior of their operating system. Overriding ntoskrnl allows for the implementation of specialized features or changes to the default behavior of the system.

What are the risks of overriding ntoskrnl?

Overriding ntoskrnl can be a complex and delicate process, and it is not recommended for inexperienced users. Modifying this critical system component can result in system instability, crashes, and even data loss. It is important to proceed with caution and always have a backup plan in case of any issues.

What tools or techniques are used for overriding ntoskrnl?

The most common method for overriding ntoskrnl is through the use of kernel mode drivers. These drivers can be developed using programming languages such as C or C++, and they allow for the manipulation of the system's internal structures and functions. Other techniques include patching the kernel or using third-party software.

Is overriding ntoskrnl legal?

Modifying the ntoskrnl component of Windows is not illegal, but it is not officially supported by Microsoft and can void the warranty of your operating system. It is important to thoroughly research and understand the implications before attempting to override ntoskrnl.

Similar threads

BRS: PKI Cryptosystems for SA/Ms: A Tutorial
Replies
13
Views
3K

Hot Threads

Recent Insights

Back
Top