Replace in use files protected by WFP

[Guest]

Hi,
This isn't really a security question, but I think that the answer may
come from how security patches are deployed.

I need to replace a system file (C:\Winnt\System32\dbghelp.dll) that is
protected by Windows File Protection on a Windows 2000 SP 4 server. While
the OS is up, the file is locked. I've tried several different ways to do
it, but the WFP seems to throw most of them off. I know that some patches
and service packs replace in use files, so I know that there is a way to do
it. Here are some of the things I've tried:

inuse.exe
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/inuse-o.asp
inuse.exe C:\temp\dbghelp.dll c:\winnt\system32\dbghelp.dll /y
c:\winnt\system32\dbghelp.dll is protected by WFP

mv.exe
mv.exe /x /d C:\temp\dbghelp.dll c:\winnt\system32\dbghelp.dll
Seems to work, but on reboot, the old file is still there (I think because
of WFP)

Registry Change
http://support.microsoft.com/?kbid=181345
On reboot the old file is still there (I think because of WFP)

Any help would be greatly appreciated!
Thanks,
Ishmeal

 

[Karl Levinson, mvp]

When trying to defeat WFP, the first thing you have to do is replace the
copy of the file in the hidden %windir%\system32\dllcache\ folder. After
that, at least one the things you already tried should hopefully work, such
as mv.exe