  #11  
Old 02-06-2004, 00:40
volodya
 
Posts: n/a
Got that. Thanks. Your info was really helpful. I was able to find more information (in Russian, sorry) and now I can more or less imagine what is going on.

SfcValidateFileSignature loads some APIs from mscat32.dll/WinTrust.dll:

CryptCATAdminCalcHashFromFileHandle - undocumented

CryptCATAdminEnumCatalogFromHash - documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptcatadminenumcatalogfromhash.asp

CryptCATCatalogInfoFromContext - undocumented

WinVerifyTrust - documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winverifytrust.asp

CryptCATAdminReleaseCatalogContext - documented -
hxxp://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/cryptcatadminreleasecatalogcontext.asp

Let me remind you that you can completely disable WFP by setting the SFCScan value to the undocumented one described by Collake and patching sfc.dll (sfc_os.dll in XP+) with the patch I gave you above.

Last edited by volodya; 02-06-2004 at 01:02.
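A defender-side check for the catalog verification discussed in this post, as an added example that is not part of the original thread: it reports whether the SFC libraries named above still pass Windows' own signature validation, which a patched file will not. It assumes PowerShell 5.1 or later (for the `SignatureType` and `IsOSBinary` properties); the function name `Test-SystemFileTrust` is hypothetical.

```powershell
# Added example, not code from the thread.
# Assumption: PowerShell 5.1+, where Get-AuthenticodeSignature returns
# SignatureType (Authenticode/Catalog) and IsOSBinary.
function Test-SystemFileTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            # A protected file that has been deleted or renamed is itself a finding.
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                [pscustomobject]@{
                    Path = $p; Status = 'Missing'; SignatureType = $null
                    IsOSBinary = $false; Sha256 = $null; Trusted = $false
                }
                continue
            }

            # Windows hashes the file and looks the hash up in the installed
            # catalogs when the file carries no embedded signature.
            $sig  = Get-AuthenticodeSignature -FilePath $p
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash

            [pscustomobject]@{
                Path          = $p
                Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SignatureType = $sig.SignatureType   # Catalog for most OS files
                IsOSBinary    = $sig.IsOSBinary
                Sha256        = $hash                # keep for incident records
                # A modified system file no longer matches any catalog entry,
                # so it fails one or both of these conditions.
                Trusted       = ($sig.Status -eq 'Valid') -and $sig.IsOSBinary
            }
        }
    }
}

# The two libraries named in the post; whichever exists on the host is checked.
$targets = 'sfc.dll', 'sfc_os.dll' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

$targets | Test-SystemFileTrust |
    Format-Table Path, Status, SignatureType, IsOSBinary, Trusted -AutoSize
```

Any row with `Trusted` false warrants comparing the recorded SHA-256 against a known-good copy from installation media.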