Article ID: 222193 - View products that this article applies to.
This article was previously published under Q222193
Windows File Protection (WFP) prevents programs from replacing critical Windows system files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system.
WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions. Replacement of protected system files is supported only through the following mechanisms:
How the WFP feature worksThe WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. WFP searches for the correct file in the following locations, in this order:
Event ID: 64001
Source: Windows File Protection
Description: File replacement was attempted on the protected system file c:\winnt\system32\ file_name . This file was restored to the original version to maintain system stability. The file version of the system file is x.x:x.x.
If WFP cannot automatically find the file in any of these locations, you receive one of the following messages, where file_name is the name of the file that was replaced and product is the Windows product you are using:
The System File Checker tool gives an administrator the ability to scan all the protected files to verify their versions. The System File Checker tool also checks and repopulates the cache folder (by default, %SystemRoot%\System32\Dllcache). If the cache folder becomes damaged or unusable, you can use either the sfc /scanonce command or the sfc /scanboot command at a command prompt to repair the contents of the folder.
SfcScanvalue in the following registry key has three possible settings:
The settings for the
SFCQuotavalue in the following registry key:
WFP stores verified file versions in the Dllcache folder on the hard disk. The number of cached files is determined by the setting of the
SFCQuotavalue (the default size is 0xFFFFFFFF, or 400 MB). The administrator can make the setting for the
SFCQuotavalue as large or small as needed. Note that if you set the
0xFFFFFFFF, the WFP feature caches all protected system files (approximately 2,700 files).
There are two cases in which the cache folder may not contain copies of all protected files, regardless of the SFCQuota value:
If WFP detects a file change and the affected file is not in the cache folder, WFP examines the version of the changed file that the operating system is currently using. If the file that is currently in use is the correct version, WFP copies that version of the file to the cache folder. If the file that is currently in use is not the correct version, or if the file is not cached in the cache folder, WFP tries to locate the installation source. If WFP cannot find the installation source, WFP prompts an administrator to insert the appropriate media to replace the file or the cached file version.
REG_EXPAND_SZ) in the following registry key specifies the location of the Dllcache folder.
The default value data for the SFCDllCacheDir value is
SFCDllCacheDirvalue can be a local path. By default, the
SFCDllCacheDirvalue is not listed in the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogonregistry key. To modify the cache location, you must add this value.
When Windows starts up, WFP synchronizes (copies) the WFP settings from the following registry key
to the following registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection
Therefore, if the
SFCDllCacheDirvalues are present in the
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protectionsubkey, the values take precedence over the same values in the
For more information about the WFP feature, click the following article number to view the article in the Microsoft Knowledge Base:
222473For more information about the System File Checker tool in Windows XP and Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/222473/ )Registry settings for Windows File Protection
310747For more information about the System File Checker tool in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/310747/ )Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)
(https://support.microsoft.com/kb/222471/ )Description of the Windows 2000 System File Checker (Sfc.exe)
For more information about the WFP feature, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa382551.aspxFor more information about Windows Installer and WFP, visit the following Microsoft Web site:
Article ID: 222193 - Last Review: September 11, 2009 - Revision: 12.0