WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions. Replacement of protected system files is supported only through the following mechanisms:
- Windows Service Pack installation using Update.exe
- Hotfixes installed using Hotfix.exe or Update.exe
- Operating system upgrades using Winnt32.exe
- Windows Update
How the WFP feature worksThe WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. WFP searches for the correct file in the following locations, in this order:
- The cache folder (by default, %systemroot%\system32\dllcache).
- The network install path, if the system was installed using network install.
- The Windows CD-ROM, if the system was installed from CD-ROM.
Source: Windows File Protection
Description: File replacement was attempted on the protected system file c:\winnt\system32\ file_name . This file was restored to the original version to maintain system stability. The file version of the system file is x.x:x.x.
If WFP cannot automatically find the file in any of these locations, you receive one of the following messages, where file_name is the name of the file that was replaced and product is the Windows product you are using:
- Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your
product CD-ROM now.
- Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. The network location from which these files should be copied, \\server\share, is not available. Contact your system administrator or insert
product CD-ROM now.
- The SFCShowProgress registry entry is missing or is set to 1, and the server is set to scan every time that the computer starts. In this situation, WFP waits for a console logon. Therefore, the RPC server does not start until the scan is performed. The computer has no protection during this time.
Note You can still map network drives, use system files, and use Terminal Services to log on to the server. WFP does not consider these operations as a console logon, and keeps waiting indefinitely.
- WFP has to restore a file from a network share. This situation may occur if the file is not present in the Dllcache folder or if the file is corrupted. In this situation, WFP may not have the correct credentials to access the share from the network-based installation media.
The System File Checker tool gives an administrator the ability to scan all the protected files to verify their versions. The System File Checker tool also checks and repopulates the cache folder (by default, %SystemRoot%\System32\Dllcache). If the cache folder becomes damaged or unusable, you can use either the sfc /scanonce command or the sfc /scanboot command at a command prompt to repair the contents of the folder.
The SfcScan value in the following registry key has three possible settings:
- 0x0 = do not scan protected files after restart. (Default value)
- 0x1 = scan all protected files after every restart (set if sfc /scanboot is run).
- 0x2 = scan all protected files one time after a restart (set if sfc /scanonce is run).
There are two cases in which the cache folder may not contain copies of all protected files, regardless of the SFCQuota value:
- Not enough disk space.
Under Windows XP, WFP stops populating the Dllcache folder when less than (600 MB + maximum size of the page file) of space is available on the hard disk.
Under Windows 2000, WFP stops populating the Dllcache folder when less than 600 MB of space is available on the hard disk.
- Network Install.
When Windows 2000 or Windows XP is installed over the network, files in the i386\lang directory are not populated in the Dllcache folder.
If WFP detects a file change and the affected file is not in the cache folder, WFP examines the version of the changed file that the operating system is currently using. If the file that is currently in use is the correct version, WFP copies that version of the file to the cache folder. If the file that is currently in use is not the correct version, or if the file is not cached in the cache folder, WFP tries to locate the installation source. If WFP cannot find the installation source, WFP prompts an administrator to insert the appropriate media to replace the file or the cached file version.
The SFCDllCacheDir value (REG_EXPAND_SZ) in the following registry key specifies the location of the Dllcache folder.
When Windows starts up, WFP synchronizes (copies) the WFP settings from the following registry key
رقم الموضوع: 222193 - آخر مراجعة: 11/09/2009 - المراجعة: 1