none
Deleted file keeps coming back even after it's been deleted from EVERYWHERE (Testing for SP3 reboot loop issue)

    Question

  • Hi all.  Something whacked is going on here.  In efforts to find a fix for the SP3 reboot loop issue*, I have deleted a file on my PC from every single location PC 50-60 times and it keeps coming back.  This DOES include the dllcache folder, and yes, all hidden files are shown and all protected system files/folders are shown.  Where in the heck is it coming from??  This has never happened to me before with any DLL or SYS file, and I've replaced or deleted dozens of them from the same folders and I had no issue with them.  Yet this one specific file cannot be deleted permanently!  WFP (Windows File Protection) and SFC is disabled!

     

    (FTR the file is sbp2port.sys, too long to explain, it's regarding an SP3 testing issue*).

     

    If I had to guess I'd say it's coming from some .cab file, but searching for "A word or phrase in the file" in order to find it, takes ages.

    Thanks.

     

    *See 2nd post from the bottom for details if interested:

    http://forums.microsoft.com/technet/showpost.aspx?postid=3321844&siteid=17&pageid=11

    Thursday, July 03, 2008 11:32 AM

Answers

  • I disabled the FireWire and still could not delete the file, it came back. 

     

    So then I unpacked the driver.cab file (where it has been coming from), deleted the sbp2port.sys from it, packed it back......and it STILL came back!  I checked the driver.cab file again to be sure the file was not in it, and the file is NOT in it.  I then checked the sp3.cab file, and there it was, also in that file.  So I did the same thing to that file as I did the driver.cab file, and then I was able to delete it from the dllcache and the drivers folder.  It did not come back.

     

    So apparently, as discussed in other posts above, SP3's WFP is different and it is obviously impossible to delete certain files such as this one (unless you do the hex editor hack), but for some reason you can delete/rename certain other files, in the same folders, and with the same extensions (if you sort of disable WFP with that reg change)I don't know why this file is different than the other files I've successfully deleted or renamed.

    Sunday, July 06, 2008 11:30 AM

All replies

  •  Clint D wrote:
    WFP (Windows File Protection) ... is disabled!

    How exactly did you disable Windows File Protection?

    Thursday, July 03, 2008 10:06 PM
  •  rdhw wrote:

     Clint D wrote:
    WFP (Windows File Protection) ... is disabled!

    How exactly did you disable Windows File Protection?

     

    It's a key in the registry.  I've tried changing the DWORD value for it to 1, 2, 4, and even fffffff9 (I think it was that, something like fffffff9, can't remember now.  "0" is default).  Upon further research it would appear that SP3 has a different way of utilizing WFP which may need further hacks.  But this still should work because like I said I've replaced/renamed/deleted dozens of dll and sys files with no problems.

     

    I found out the file is in the driver.cab file, so that's probably where it's coming from.  I'm going to try a few things, like unpack it and either remove the file, or rename the file, then cab it back.  Or disabling FireWire and try deleting the file.

    Friday, July 04, 2008 12:04 PM
  •  Clint D wrote:
    It's a key in the registry.

    What is the name of the key that you are referring to?

    Friday, July 04, 2008 1:04 PM
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]

    "SFCDisable"=dword:ffffff9d

     

    (After posting I see that 1st line wraps here, but you know that).

     

    I see now it's ffffff9d, I forgot the "d" on the end. 

     

    This is odd, I just went to that key and it's still set to "1"!  It won't change from 1 via the reg file.  I had to manually edit it.  But at any rate, that should not matter since "0" is the default.  Yeah, I tried deleting the file again and it still came back.  I haven't tried those other methods I mentioned above yet, but I will when I get the chance.

     

    Actually it's two keys, but if you change one the other changes with it.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

    Friday, July 04, 2008 1:41 PM
  •  Clint D wrote:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]

    "SFCDisable"=dword:ffffff9d

    I'm afraid you've fallen victim to an urban myth.  That registry setting has not worked since Windows 2000 SP1, and has never worked in Windows XP.  Microsoft do not want to provide an easy way to disable Windows File Protection, because any such easy method would be instantly adopted by malware writers.  It is not possible for an end user to disable Windows File Protection without patching XP system program files, or by running a kernel debugger.

     

    There is more on this at http://www.bitsum.com/aboutwfp.asp

     

    This inabaility to disable Windows File Protection is probably why your earlier attempts to replace USB drivers etc only seemed to work for a few days: WFP restored them to their original versions when it noticed that they had changed.

    Friday, July 04, 2008 3:48 PM
  •  rdhw wrote:

    I'm afraid you've fallen victim to an urban myth.  That registry setting has not worked since Windows 2000 SP1, and has never worked in Windows XP.  Microsoft do not want to provide an easy way to disable Windows File Protection, because any such easy method would be instantly adopted by malware writers.  It is not possible for an end user to disable Windows File Protection without patching XP system program files, or by running a kernel debugger.

     

    It worked for me on SP2, I never had any problems with WFP on it.  But like I said earlier, I think SP3 goes about it a different way.  I've been reading some more and it appears a hex editor has to be used to modify the SFC dll file in order to totally disable the WFP.

     

     

    This inabaility to disable Windows File Protection is probably why your earlier attempts to replace USB drivers etc only seemed to work for a few days: WFP restored them to their original versions when it noticed that they had changed.

     

    No, the USB files, browseui.dll, etc., I replaced never came back.  That reg change I did (apparently) worked for them, that's why I don't understand why this file is different.    Could be that the other files I replaced were not in the driver.cab file, but, I would assume they are at least in the sp3.cab file which is in the same folder (C:\WINDOWS\Driver Cache\i386) and I would think it would have the same "behavior" as the driver.cab file.

     

    I have HAD IT with this BS!!!

     

    Unknown Error
      We apologize, but an unknown error has occurred in the forums.

    This error has been logged.

    Friday, July 04, 2008 4:05 PM
  • I disabled the FireWire and still could not delete the file, it came back. 

     

    So then I unpacked the driver.cab file (where it has been coming from), deleted the sbp2port.sys from it, packed it back......and it STILL came back!  I checked the driver.cab file again to be sure the file was not in it, and the file is NOT in it.  I then checked the sp3.cab file, and there it was, also in that file.  So I did the same thing to that file as I did the driver.cab file, and then I was able to delete it from the dllcache and the drivers folder.  It did not come back.

     

    So apparently, as discussed in other posts above, SP3's WFP is different and it is obviously impossible to delete certain files such as this one (unless you do the hex editor hack), but for some reason you can delete/rename certain other files, in the same folders, and with the same extensions (if you sort of disable WFP with that reg change)I don't know why this file is different than the other files I've successfully deleted or renamed.

    Sunday, July 06, 2008 11:30 AM
  • I've been experiencing the exact same problem. After hours of research I remembered I had specific folders backing up to my online cloud in the background. I looked at the options and noticed there were several backup options.

    - backup both upload / download

    - backup upload only

    - backup download only

    I had to set my backup to only upload new files and delete any files online storage that were not on my computer.

    Problem solved for me. Hope this helps.

    Sunday, January 12, 2014 2:26 AM