0

Under some circumstances, Windows has to overwrite important files such as csrss.exe and lsass.exe. Such as when updates affect these files. Or when the files are corrupted and repaired with the SFC tool. How does it accomplish this without ending the processes and triggering a blue screen?

I've tried adding the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and giving it this value

\??\C:\csrss.exe
\??\C:\Windows\System32\csrss.exe

But when I rebooted, the registry value was deleted, but no files were changed.

My goal is to be able to overwrite files these files with my own modified versions without using an external tool like a linux live cd.

Yes, I am aware this is stupid. I'm fully responsible for any damage caused by this. Nonetheless, I still want to know how. Thanks for any help.

Daffy
  • 309

1 Answers1

3

I figured out what I'm trying to do. I was wanting to modify files the way Windows Update does. After experimenting, I found this.

Make an XML file with this in it.

<?xml version='1.0' encoding='utf-8'?>
<PendingTransaction Version="3.1">
    <POQ postAction="reboot">
        <MoveFile source="\??\C:\csrss.exe" destination="\??\C:\Windows\System32\csrss.exe"/>
    </POQ>
</PendingTransaction>

Then modify the value SetupExecute in the key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager to contain C:\Windows\System32\poqexec.exe /displayprogress \??\[PATH TO XML]

This has Windows process the "Primitive Operations Queue" before booting up.

phuclv
  • 30,396
  • 15
  • 136
  • 260
Daffy
  • 309