
The equivalent code %SystemDrive% in batch translated into C++

To anyone that can help, please (my operating system is Windows XP): I have looked on this forum but have not found a similar answer that I could use or adapt to suit this particular situation. I will try to explain (I apologise in advance if my question seems confusing). I am constructing a batch file that will call a C++ program (.exe). The C++ program is hard coded to the C: drive. By the way, I did not write the C++ program, as I am incapable of writing in C++, but would like to exchange the C: in C++ for what would be in batch %SystemDrive%. The line of code in C++ reads as follows:

        SetSfcFileException(0, L"c:\\windows\\system32\\calc.exe",-1);
    // Now we can modify the system file in a complete stealth.
}

The bit of code I would like to alter in the above code is C: or "C" to change it to %systemDrive% but in C++ code language, in effect change the hard coded part of the C++ program to read a System path variable within XP.

I have also looked elsewhere on the net but have not found a suitable answer as I do Not want to break the C++ code you see.

The C++ code was obtained from the following website written by Abdellatif_El_Khlifi:

https://www.codeproject.com/Articles/14933/A-simple-way-to-hack-Windows-File-Protection-WFP-u

Many Thanks for any help given,

David

The search term you should be looking for is Known Folders.

Specifically, calling SHGetKnownFolderPath() with the FOLDERID_System identifier, one of the many IDs found here.

That's for Vista or better. For earlier than that (such as XP), you have to use CSIDL values, CSIDL_SYSTEM (see here for list) passed into SHGetFolderPath().

You can still use the pre-Vista ones but I think they're just thin wrappers around the newer ones.


This is the simplest console application I could come up with that shows this in action (Visual Studio 2019):

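#include <iostream>
#include <string>
#include <shlobj_core.h>
#include <comutil.h>

int main()
{
    PWSTR path = NULL;
    HRESULT hr = SHGetKnownFolderPath(FOLDERID_System, 0, NULL, &path);
    if (FAILED(hr))
    {
        std::cerr << "SHGetKnownFolderPath failed\n";
        CoTaskMemFree(path);
        return 1;
    }
    // Convert the wide-character path to a narrow string for std::cout.
    _bstr_t bstrPath(path);
    std::string strPath((char*)bstrPath);
    // The caller owns the returned buffer and must free it.
    CoTaskMemFree(path);
    std::cout << "Path is '" << strPath << "'\n";
}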

and the output on my system is:

Path is 'C:\WINDOWS\system32'
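The XP-compatible route mentioned above (SHGetFolderPath() with CSIDL_SYSTEM), as an added example that is not part of the original answer: it resolves the system directory through the shell API, takes the drive part that batch exposes as %SystemDrive%, and builds a file path under that directory. The helper names `joinUnderDir`, `driveOf` and `systemDirectory` are hypothetical, and the non-Windows branch uses a constructed sample value so the portable helpers can be built anywhere.

```cpp
#include <iostream>
#include <string>
#ifdef _WIN32
#include <windows.h>
#include <shlobj.h>   // SHGetFolderPathW, CSIDL_SYSTEM; link with shell32.lib
#endif

// Hypothetical helper: append a bare file name to a directory.
// Returns an empty string if fileName carries a separator, a drive colon
// or is "." / "..", so the result always stays directly under dir.
std::wstring joinUnderDir(const std::wstring& dir, const std::wstring& fileName)
{
    if (dir.empty() || fileName.empty()) return L"";
    if (fileName.find_first_of(L"\\/:") != std::wstring::npos) return L"";
    if (fileName == L"." || fileName == L"..") return L"";
    std::wstring out = dir;
    if (out.back() != L'\\') out += L'\\';
    return out + fileName;
}

// Hypothetical helper: drive part ("C:") of an absolute drive-letter path.
// Returns an empty string for UNC or relative paths.
std::wstring driveOf(const std::wstring& absPath)
{
    if (absPath.size() < 2 || absPath[1] != L':') return L"";
    wchar_t c = absPath[0];
    bool letter = (c >= L'A' && c <= L'Z') || (c >= L'a' && c <= L'z');
    return letter ? absPath.substr(0, 2) : std::wstring();
}

#ifdef _WIN32
// Hypothetical helper: system directory via the pre-Vista CSIDL API.
std::wstring systemDirectory()
{
    wchar_t buf[MAX_PATH] = L"";
    HRESULT hr = SHGetFolderPathW(NULL, CSIDL_SYSTEM, NULL, SHGFP_TYPE_CURRENT, buf);
    return SUCCEEDED(hr) ? std::wstring(buf) : std::wstring();
}
#else
// Constructed sample value so the example also builds off Windows.
std::wstring systemDirectory() { return L"C:\\WINDOWS\\system32"; }
#endif

int main()
{
    std::wstring sys = systemDirectory();
    std::wcout << driveOf(sys) << L"\n" << joinUnderDir(sys, L"calc.exe") << L"\n";
    return sys.empty() ? 1 : 0;
}
```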

This is not really answering my own question, well it is but in an alternative manner, many ways to skin a cat so to speak!

Here is one encouraging bit of news though: I have stumbled across the very thing I need, called WFPReplacer. It is a command-line Windows utility that pretty well does what I want & generally in the same manner. It disables WFP for both singular files & can be used for wholesale switching off of WFP if the right file is replaced. All I need to do is write a batch file as a front end to back up the system files I want to disable using WFPReplacer.exe. So if in the event of the proceedings the routine gets stuffed I can revert back to the backed up files. I think this program uses the same type of embedded coding but is written in Delphi/Pascal; it is called Remko Weijnen's Blog (Remko's Blog) "replacing Wfp protected files".

I generally like to leave whatever I am doing on a positive note. So just in case someone else lands on this forum & is trying to accomplish a similar exercise, here is the code that one can compile (this is not my code, it belongs to Remko Weijnen's Blog (Remko's Blog)). Please be advised it is NOT C++, it is a command-line exe in Delphi/Pascal found at this link, so all credits belong to him. The link is:

https://www.remkoweijnen.nl/blog/2012/12/05/replacing-wfp-protected-files/

DWORD __stdcall SfcFileException(RPC_BINDING_HANDLE hServer, LPCWSTR lpSrc, int Unknown)
{
  RPC_BINDING_HANDLE hServerVar; // eax@2
  int nts; // eax@6
  __int32 dwResult; // eax@7
  DWORD dwResultVar; // esi@9
  int v8; // [sp+8h] [bp-8h]@1
  int v9; // [sp+Ch] [bp-4h]@1

  LOWORD(v8) = 0;
  *(int *)((char *)&v8 + 2) = 0;
  HIWORD(v9) = 0;
  if ( !hServer )
  {
    hServerVar = _pRpcHandle;
    if ( !_pRpcHandle )
    {
      hServerVar = SfcConnectToServer(0);
      _pRpcHandle = hServerVar;
      if ( !hServerVar )
        return 0x6BA;                           // RPC_S_SERVER_UNAVAILABLE
    }
    hServer = hServerVar;
  }
  nts = SfcRedirectPath(lpSrc, (int)&v8);
  if ( nts >= 0 )
    dwResult = SfcCli_FileException((int)hServer, v9, Unknown).Simple;
  else
    dwResult = RtlNtStatusToDosError(nts);
  dwResultVar = dwResult;
  MemFree(v9);
  return dwResultVar;
}

Also as one further warning (unless you know what you are doing!!!) do not attempt to use this program. ALWAYS ALWAYS ALWAYS back up your system files before deletion or alteration. What this program will do is disarm WFP for 60 seconds whilst you interchange or amend your files. Example usage for example is: WfpReplacer.exe c:\\windows\\Notepad.exe (Errorlevel true or false will be produced on execution).

Best Regards David
