{"id":28,"date":"2013-03-05T21:22:01","date_gmt":"2013-03-05T21:22:01","guid":{"rendered":"http:\/\/montgomeryminds.com\/blog\/?p=28"},"modified":"2016-06-07T21:49:50","modified_gmt":"2016-06-08T02:49:50","slug":"description-of-the-windows-file-protection-feature-detailed","status":"publish","type":"post","link":"https:\/\/montgomeryminds.com\/blog\/description-of-the-windows-file-protection-feature-detailed\/","title":{"rendered":"Description of the Windows File Protection feature &#8211; Detailed"},"content":{"rendered":"<style>\n.mybold {\nfont-weight: bold;\ncolor: yellow;\n}\n<\/style>\n<p>A copy \/ excerpt of <a title=\"http:\/\/support.microsoft.com\/kb\/222193\/EN-US\" href=\"http:\/\/support.microsoft.com\/kb\/222193\/EN-US\">Description of the Windows File Protection feature<\/a> (kb222193)<\/p>\n<p>For an Intro see <a title=\"https:\/\/montgomeryminds.com\/blog\/?p=8\" href=\"https:\/\/montgomeryminds.com\/blog\/?p=8\">Windows File Protection &#8211; Intro<\/a><\/p>\n<p>&nbsp;<\/p>\n<h2 id=\"tocHeadRef\">SUMMARY<\/h2>\n<div id=\"MT0\">This article describes the Windows File Protection (WFP) feature.<\/div>\n<div>\n<h2 id=\"tocHeadRef\">MORE INFORMATION<\/h2>\n<div id=\"MT1\">Windows File Protection (WFP) prevents programs from replacing critical Windows system files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system. WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions. 
Replacement of protected system files is supported only through the following mechanisms:<\/p>\n<ul>\n<li>Windows Service Pack installation using Update.exe<\/li>\n<li>Hotfixes installed using Hotfix.exe or Update.exe<\/li>\n<li>Operating system upgrades using Winnt32.exe<\/li>\n<li>Windows Update<\/li>\n<\/ul>\n<p>If a program uses a different method to replace protected files, WFP restores the original files. The Windows Installer adheres to WFP when installing critical system files and calls WFP with a request to install or replace the protected file instead of trying to install or replace a protected file itself.<\/p>\n<h3 id=\"tocHeadRef\">How the WFP feature works<\/h3>\n<p>The WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. 
WFP searches for the correct file in the following locations, in this order:<\/p>\n<ol>\n<li>The cache folder (by default, %systemroot%\\system32\\dllcache).<\/li>\n<li>The network install path, if the system was installed using network install.<\/li>\n<li>The Windows CD-ROM, if the system was installed from CD-ROM.<\/li>\n<\/ol>\n<p>If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file and logs an event that resembles the following in the System log:<\/p>\n<blockquote><p>Event ID: 64001<br \/>\nSource: Windows File Protection<br \/>\nDescription: File replacement was attempted on the protected system file c:\\winnt\\system32\\ file_name . This file was restored to the original version to maintain system stability. The file version of the system file is x.x:x.x.<\/p><\/blockquote>\n<p>If WFP cannot automatically find the file in any of these locations, you receive one of the following messages, where <var>file_name<\/var> is the name of the file that was replaced and <var>product<\/var> is the Windows product you are using:<\/p>\n<ul>\n<li>\n<blockquote><p>Windows File Protection<br \/>\nFiles that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your <var>product<\/var> CD-ROM now.<\/p><\/blockquote>\n<\/li>\n<li>\n<blockquote><p>Windows File Protection<br \/>\nFiles that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. The network location from which these files should be copied, \\\\<var>server<\/var>\\<var>share<\/var>, is not available. 
Contact your system administrator or insert <var>product<\/var> CD-ROM now.<\/p><\/blockquote>\n<\/li>\n<\/ul>\n<p><b>Note<\/b> If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this situation, WFP displays the dialog box after an administrator logs on. WFP may wait for an administrator to log on in the following scenarios:<\/p>\n<ul>\n<li>The SFCShowProgress registry entry is missing or is set to 1, and the server is set to scan every time that the computer starts. In this situation, WFP waits for a console logon. Therefore, the RPC server does not start until the scan is performed. The computer has no protection during this time.<br \/>\n<b>Note<\/b> You can still map network drives, use system files, and use Terminal Services to log on to the server. WFP does not consider these operations as a console logon, and keeps waiting indefinitely.<\/li>\n<li>WFP has to restore a file from a network share. This situation may occur if the file is not present in the Dllcache folder or if the file is corrupted. In this situation, WFP may not have the correct credentials to access the share from the network-based installation media.<\/li>\n<\/ul>\n<p>The second protection mechanism that is provided by the WFP feature is the System File Checker (Sfc.exe) tool. At the end of GUI-mode Setup, the System File Checker tool scans all the protected files to make sure that they are not modified by programs that were installed by using an unattended installation. The System File Checker tool also checks all the catalog files that are used to track correct file versions. If any of the catalog files are missing or damaged, WFP renames the affected catalog file and retrieves a cached version of that file from the cache folder. 
If a cached copy of the catalog file is not available in the cache folder, the WFP feature requests the appropriate media to retrieve a new copy of the catalog file.<\/p>\n<p>The System File Checker tool gives an administrator the ability to scan all the protected files to verify their versions. The System File Checker tool also checks and repopulates the cache folder (by default, %SystemRoot%\\System32\\Dllcache). If the cache folder becomes damaged or unusable, you can use either the <b class=\"mybold\">sfc \/scanonce<\/b> command or the <b class=\"mybold\">sfc \/scanboot<\/b> command at a command prompt to repair the contents of the folder.<\/p>\n<p>The <code class=\"mybold\">SfcScan<\/code> value in the following registry key has three possible settings:<\/p>\n<pre class=\"mybold\">\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\n<\/pre>\n<p>The settings for the <code class=\"mybold\">SfcScan<\/code> value are:<\/p>\n<ul>\n<li> <code class=\"mybold\">0x0<\/code> = do not scan protected files after restart. (Default value)<\/li>\n<li> <code class=\"mybold\">0x1<\/code> = scan all protected files after every restart (set if <b class=\"mybold\">sfc \/scanboot<\/b> is run).<\/li>\n<li> <code class=\"mybold\">0x2<\/code> = scan all protected files one time after a restart (set if <b class=\"mybold\">sfc \/scanonce<\/b> is run).<\/li>\n<\/ul>\n<p>By default, all system files are cached in the cache folder, and the default size of the cache is 400 MB. Because of disk space considerations, it may not be desirable to maintain cached versions of all system files in the cache folder. To change the size of the cache, change the setting of the <code class=\"mybold\">SFCQuota<\/code> value in the following registry key:<\/p>\n<pre class=\"mybold\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon<\/pre>\n<p>WFP stores verified file versions in the Dllcache folder on the hard disk. 
The number of cached files is determined by the setting of the <code class=\"mybold\">SFCQuota<\/code> value (the default size is 0xFFFFFFFF, or 400 MB). The administrator can make the setting for the <code class=\"mybold\">SFCQuota<\/code> value as large or small as needed. Note that if you set the <code class=\"mybold\">SFCQuota<\/code> value to <code class=\"mybold\">0xFFFFFFFF<\/code>, the WFP feature caches all protected system files (approximately 2,700 files).<\/p>\n<p>There are two cases in which the cache folder may not contain copies of all protected files, regardless of the SFCQuota value:<\/p>\n<ol>\n<li>Not enough disk space.<br \/>\nUnder Windows XP, WFP stops populating the Dllcache folder when less than (600 MB + maximum size of the page file) of space is available on the hard disk.<br \/>\nUnder Windows 2000, WFP stops populating the Dllcache folder when less than 600 MB of space is available on the hard disk.<\/li>\n<li>Network Install.<br \/>\nWhen Windows 2000 or Windows XP is installed over the network, files in the i386\\lang directory are not populated in the Dllcache folder.<\/li>\n<\/ol>\n<p>Additionally, all drivers in the Driver.cab file are protected, but they are not populated in the Dllcache folder. WFP can restore these files from the Driver.cab file directly without prompting the user for the source media. However, running the <b class=\"mybold\">sfc \/scannow<\/b> command does populate the files from the Driver.cab file into the Dllcache folder.<\/p>\n<p>If WFP detects a file change and the affected file is not in the cache folder, WFP examines the version of the changed file that the operating system is currently using. If the file that is currently in use is the correct version, WFP copies that version of the file to the cache folder. If the file that is currently in use is not the correct version, or if the file is not cached in the cache folder, WFP tries to locate the installation source. 
If WFP cannot find the installation source, WFP prompts an administrator to insert the appropriate media to replace the file or the cached file version.<\/p>\n<p>The <code class=\"mybold\">SFCDllCacheDir<\/code> value (<code class=\"mybold\">REG_EXPAND_SZ<\/code>) in the following registry key specifies the location of the Dllcache folder.<\/p>\n<pre class=\"mybold\">\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\r\n<\/pre>\n<p>The default value data for the <b class=\"mybold\">SFCDllCacheDir<\/b> value is <code class=\"mybold\">%SystemRoot%\\System32<\/code>. The <code class=\"mybold\">SFCDllCacheDir<\/code> value can be a local path. By default, the <code class=\"mybold\">SFCDllCacheDir<\/code> value is not listed in the<\/p>\n<pre class=\"mybold\">\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon<\/pre>\n<p>registry key. To modify the cache location, you must add this value.<\/p>\n<p>When Windows starts up, WFP synchronizes (copies) the WFP settings from the following registry key<\/p>\n<pre class=\"mybold\">HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Windows File Protection<\/pre>\n<p>to the following registry key:<\/p>\n<pre class=\"mybold\">HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon<\/pre>\n<p>Therefore, if the <code class=\"mybold\">SfcScan<\/code>, <code class=\"mybold\">SFCQuota<\/code>, or <code class=\"mybold\">SFCDllCacheDir<\/code> values are present in the<\/p>\n<pre>HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Windows File Protection<\/pre>\n<p>subkey, the values take precedence over the same values in the<\/p>\n<pre>HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon<\/pre>\n<p>subkey.<\/p>\n<div id=\"MT2\">For more information about the WFP feature, click the following article number to view the article in the Microsoft Knowledge Base:<\/p>\n<div><a 
href=\"http:\/\/support.microsoft.com\/kb\/222473\">222473<\/a> Registry settings for Windows File Protection<\/div>\n<p>For more information about the System File Checker tool in Windows XP and Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:<\/p>\n<div><a href=\"http:\/\/support.microsoft.com\/kb\/310747\">310747<\/a> Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe)<\/div>\n<p>For more information about the System File Checker tool in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:<\/p>\n<div><a href=\"http:\/\/support.microsoft.com\/kb\/222471\">222471<\/a> Description of the Windows 2000 System File Checker (Sfc.exe)<\/div>\n<\/div>\n<h3 id=\"tocHeadRef\">REFERENCES<\/h3>\n<div id=\"MT4\">For more information about the WFP feature, visit the following Microsoft Web site:<\/p>\n<div><a href=\"http:\/\/msdn2.microsoft.com\/en-us\/library\/aa382551.aspx\">http:\/\/msdn2.microsoft.com\/en-us\/library\/aa382551.aspx<\/a><\/div>\n<p>For more information about Windows Installer and WFP, visit the following Microsoft Web site:<\/p>\n<div><a href=\"http:\/\/msdn2.microsoft.com\/en-us\/library\/aa372820.aspx\">http:\/\/msdn2.microsoft.com\/en-us\/library\/aa372820.aspx<\/a><\/div>\n<div>\n<h5>APPLIES TO<\/h5>\n<ul>\n<li>Microsoft Windows 2000 Server<\/li>\n<li>Microsoft Windows 2000 Advanced Server<\/li>\n<li>Microsoft Windows 2000 Professional Edition<\/li>\n<li>Microsoft Windows 2000 Datacenter Server<\/li>\n<li>Microsoft Windows XP Professional x64 Edition<\/li>\n<li>Microsoft Windows XP Home Edition<\/li>\n<li>Microsoft Windows XP Professional<\/li>\n<li>Microsoft Windows XP Media Center Edition 2005 Update Rollup 2<\/li>\n<li>Microsoft Windows XP Tablet PC Edition<\/li>\n<li>Microsoft Windows Server 2003, 64-Bit Datacenter Edition<\/li>\n<li>Microsoft Windows Server 2003, Enterprise x64 Edition<\/li>\n<li>Microsoft Windows 
Server 2003, Datacenter Edition (32-bit x86)<\/li>\n<li>Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)<\/li>\n<li>Microsoft Windows Server 2003, Standard Edition (32-bit x86)<\/li>\n<li>Microsoft Windows Server 2003, Web Edition<\/li>\n<li>Microsoft Windows Small Business Server 2003 Premium Edition<\/li>\n<li>Microsoft Windows Small Business Server 2003 Standard Edition<\/li>\n<\/ul>\n<table>\n<tbody>\n<tr>\n<td>\n<h5>Keywords:<\/h5>\n<\/td>\n<td>kbinfo KB222193<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h2>Montgomery Minds here: results:<\/h2>\n<p>The results are on the command line screen, and not in the event viewer (<code>eventvwr.exe<\/code>), but more results are in <strong><code>c:\\Windows\\Logs\\CBS\\CBS.log<\/code><\/strong>.<\/p>\n<p>See <a href=\"https:\/\/montgomeryminds.com\/blog\/description-of-windows-xp-and-windows-server-2003-system-file-checker-sfc-exe\/\">post on <code>sfc.exe<\/code><\/a> for a bit more.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A copy \/ excerpt of Description of the Windows File Protection feature (kb222193) For an Intro see Windows File Protection &#8211; Intro &nbsp; SUMMARY This article describes the Windows File Protection (WFP) feature. 
MORE INFORMATION Windows File Protection (WFP) prevents &hellip; <a href=\"https:\/\/montgomeryminds.com\/blog\/description-of-the-windows-file-protection-feature-detailed\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,3],"tags":[],"_links":{"self":[{"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/posts\/28"}],"collection":[{"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/comments?post=28"}],"version-history":[{"count":21,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/posts\/28\/revisions"}],"predecessor-version":[{"id":1468,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/posts\/28\/revisions\/1468"}],"wp:attachment":[{"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/media?parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/categories?post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/montgomeryminds.com\/blog\/wp-json\/wp\/v2\/tags?post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}