Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch » The Technological

MS ActiveOrwell™

The 23rd letter of the English alphabet is all it takes.


Get It

Try It

Oh the wonder of the dunces in Redmond. Göbbels was far better at this. He made things stick. At least for a while. Those clowns in the Pacific Northwest of the US just look more and more pathetic for every day that goes by.

Last week Rixstep got hit by a lot of queries for windows file protection. It's been written about here once before but no one's bothered to look into the matter in depth - the whole point in abandoning Windows was to not have to worry about such nonsense anymore. But with the sudden surge in web activity it was perhaps time.

There are currently nearly 40,000,000 hits for 'windows file protection' on Google - and surprisingly a great many of them have to do with turning the 'feature' off. But here's where it all originates.

http://support.microsoft.com/kb/222193

How the WFP feature works

The WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed.

Read between the lines here.

  1. It couldn't stop a system file from being overwritten.

  2. It still has to find the file(s). This is the nature of the game with change notifications - they work only on directories. This cockamamie system has to keep a log (MDs etc) of all files in the directory - and it may not assume any file has been modified either! No - any change to the directory can trigger this. It has to be ready to see a file has been added, a file has been removed, or a file has been renamed in addition to the above. And then and only then can it 'proceed'.

If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version.

Ah now we're checking version information are we? Who is protecting whom here? If it's possible to overwrite system files what's going to stop anybody from fudging version information?

If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder)

Yes if it is in the cache folder - but what if the bad guys got there first? And again: do they seriously mean they cannot stop processes from overwriting the system itself? What 'dark ages' are Windows users living in?

This is MS ActiveOrwell™: the one thing they can't do is protect your files - they therefore call this 'protection' - and taking a tip from the master they drop the word 'protect' all over the place.

WFP searches for the correct file in the following locations, in this order:
  1. The cache folder (by default, %systemroot%\system32\dllcache).
  2. The network install path, if the system was installed using network install.
  3. The Windows CD-ROM, if the system was installed from CD-ROM.

It's absolutely hysterical. We on Unix? Why we just remove the 'w' bit!!1!fifteenbinary

Everything But?

But why does the document say this concerns everything - 2003 Server et al - but not their latest failure? Easy: they've renamed it! Now it's 'Windows Resource Protection'! Of course it is!

http://msdn2.microsoft.com/en-us/library/aa372868.aspx

Windows Resource Protection (WRP) in Windows V*STA replaces Windows File Protection (WFP) in Microsoft Windows XP and Windows 2000.

Now watch this.

Window Resource Protection (WRP) on Windows V*STA can protect registry keys as well as files.

That's really funny. Know how trojans work? They protect their keys too! It's the same thing: you can't protect Registry stuff any better than you can protect disk stuff - meaning not at all.

http://msdn2.microsoft.com/en-us/library/aa382551.aspx

Windows Resource Protection

Windows Resource Protection (WRP) prevents the replacement of essential system files, folders, and registry keys that are installed as part of Windows V*STA.

NO IT DOES NOT. It tries to 'reinstall' them if they're corrupted. A simple removal of a 'w' would otherwise do, right Bill? But you don't have stuff like that, do you Bill?

Applications should not overwrite these resources because they are used by the system and other applications.

So you're saying applications have the ability to overwrite them? And if so then how can you 'prevent' their 'replacement'? You try to 'restore' these files - but you totally lack the ability to stop anyone - malfeasant or otherwise - from overwriting them - right?

WRP is the new name for Windows File Protection (WFP).

Yes we already got that. 'WFP' became a dirty name. How long before 'WRP' becomes a dirty name too?

How long before your customers wake the fuck up?

Powerful APIs!

Gee whiz you can check the system to see if a file is protected - programmatically!

http://msdn2.microsoft.com/en-us/library/aa382536.aspx

BOOL SfcIsFileProtected(
  HANDLE RpcHandle, // must be 0
  LPCWSTR ProtFileName
);

And you can check the system to see if a Registry key is protected!!1!fifteenbinary

http://msdn2.microsoft.com/en-us/library/aa382537.aspx

BOOL WINAPI SfcIsKeyProtected(
  HKEY hKey,
  LPCWSTR lpSubKey,
  REGSAM samDesired
);

Shit! In Unix all we do is 'ls'! And check for the 'w' bit!! LOLZ!!1!hexFFbinary

Afterword: Consider This

Consider this: consider how much ridiculous code Microsoft have embedded into their 'operating system' not to prevent but to recover from a single unauthorised unhampered overwrite of operating system files.

Consider the extent of their board meetings. And their messy whiteboards. And the endless days and weeks of discussions.

Consider further all the code that had to be written. And the testing that had to be done. And the debugging.

Consider finally the bulk of this new monster once on disk. And consider the CPU it's wasting all the time.

Consider all that together - then consider a single use of chown and chmod where you are today.

See Also
Rixstep: Windows File Protection

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.