Description of the Windows File Protection feature
WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions. Replacement of protected system files is supported only through the following mechanisms:
- Windows Service Pack installation using Update.exe
- Hotfixes installed using Hotfix.exe or Update.exe
- Operating system upgrades using Winnt32.exe
- Windows Update
How the WFP feature works
The WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. WFP searches for the correct file in the following locations, in this order:
- The cache folder (by default, %systemroot%\system32\dllcache).
- The network install path, if the system was installed using network install.
- The Windows CD-ROM, if the system was installed from CD-ROM.
Source: Windows File Protection
Description: File replacement was attempted on the protected system file c:\winnt\system32\file_name. This file was restored to the original version to maintain system stability. The file version of the system file is x.x:x.x.
If WFP cannot automatically find the file in any of these locations, you receive one of the following messages, where file_name is the name of the file that was replaced and product is the Windows product you are using:
- Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your product CD-ROM now.
- Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. The network location from which these files should be copied, \\server\share, is not available. Contact your system administrator or insert product CD-ROM now.
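One way to triage the restore event quoted above, as an added example that is not part of the original article: it parses exported event text in the Source/Description layout, extracts the protected file and version from each Windows File Protection entry, and reports files that were restored more than once. The export layout, the sample records, and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample export (file names and versions are made up), one record
# per event in the Source:/Description: layout shown in the article.
_MSG = ("File replacement was attempted on the protected system file {}. "
        "This file was restored to the original version to maintain system "
        "stability. The file version of the system file is {}.")
SAMPLE_EVENTS = [
    ("Windows File Protection", _MSG.format(r"c:\winnt\system32\example1.dll", "5.0:2195.1")),
    ("Windows File Protection", _MSG.format(r"c:\winnt\system32\example2.sys", "5.0:2195.2")),
    ("Some Other Service", "The service started."),
    ("Windows File Protection", _MSG.format(r"C:\WINNT\System32\EXAMPLE1.DLL", "5.0:2195.1")),
]
SAMPLE_EXPORT = "\n\n".join(f"Source: {s}\nDescription: {d}" for s, d in SAMPLE_EVENTS)

RESTORE_RE = re.compile(
    r"File replacement was attempted on the protected system file\s+"
    r"(?P<path>.+?)\s*\.\s+This file was restored to the original version"
    r".*?The file version of the system file is\s+(?P<version>\S+?)\.?\s*$",
    re.DOTALL)

def parse_records(text):
    """Yield (source, description) for each blank-line-separated record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        yield fields.get("source", ""), fields.get("description", "")

def restored_files(text):
    """Return (lower-cased path, version) for every WFP restore event."""
    hits = []
    for source, description in parse_records(text):
        m = RESTORE_RE.search(description)
        if source == "Windows File Protection" and m:
            hits.append((m.group("path").strip().lower(), m.group("version")))
    return hits

def repeated_targets(text, threshold=2):
    """Protected files restored at least `threshold` times, with counts."""
    counts = Counter(path for path, _ in restored_files(text))
    return {path: n for path, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for path, n in sorted(repeated_targets(SAMPLE_EXPORT).items()):
        print(f"{n} restore events: {path}")
```

Paths are lower-cased before counting so that the same protected file reported with different casing is grouped as one target.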
- The SFCShowProgress registry entry is missing or is set to 1, and the server is set to scan every time that the computer starts. In this situation, WFP waits for a console logon. Therefore, the RPC server does not start until the scan is performed. The computer has no protection during this time.
Note: You can still map network drives, use system files, and use Terminal Services to log on to the server. WFP does not consider these operations as a console logon, and keeps waiting indefinitely.
- WFP has to restore a file from a network share. This situation may occur if the file is not present in the Dllcache folder or if the file is corrupted. In this situation, WFP may not have the correct credentials to access the share from the network-based installation media.
The System File Checker tool gives an administrator the ability to scan all the protected files to verify their versions. The System File Checker tool also checks and repopulates the cache folder (by default, %SystemRoot%\System32\Dllcache). If the cache folder becomes damaged or unusable, you can use either the sfc /scanonce command or the sfc /scanboot command at a command prompt to repair the contents of the folder.
- 0x0 = do not scan protected files after restart. (Default value)
- 0x1 = scan all protected files after every restart (set if sfc /scanboot is run).
- 0x2 = scan all protected files one time after a restart (set if sfc /scanonce is run).
There are two cases in which the cache folder may not contain copies of all protected files, regardless of the SFCQuota value:
- Not enough disk space.
Under Windows XP, WFP stops populating the Dllcache folder when less than (600 MB + maximum size of the page file) of space is available on the hard disk.
Under Windows 2000, WFP stops populating the Dllcache folder when less than 600 MB of space is available on the hard disk.
- Network Install.
When Windows 2000 or Windows XP is installed over the network, files in the i386\lang directory are not populated in the Dllcache folder.
If WFP detects a file change and the affected file is not in the cache folder, WFP examines the version of the changed file that the operating system is currently using. If the file that is currently in use is the correct version, WFP copies that version of the file to the cache folder. If the file that is currently in use is not the correct version, or if the file is not cached in the cache folder, WFP tries to locate the installation source. If WFP cannot find the installation source, WFP prompts an administrator to insert the appropriate media to replace the file or the cached file version.
When Windows starts up, WFP synchronizes (copies) the WFP settings from the following registry key
Article ID: 222193 - Last Review: 09/11/2009 21:45:16 - Revision: 12.0