Windows 2000 File Protection Explained

Microsoft® Windows 2000 Knowledge Center

Windows NT versions prior to Windows 2000 do not prevent shared system files from being overwritten by program installations. When such overwrites occur, the results are unpredictable, ranging from program errors to an unstable operating system. These problems most often involve dynamic-link library files (.dll) and program files (.exe).

Of the many new features included with Windows 2000, one important one is Windows File Protection (WFP). This feature prevents the replacement of certain monitored system files. By monitoring system files and preventing errant program installers from overwriting them, WFP avoids file version mismatches. WFP uses the file signatures and catalog files generated by code signing to verify that protected system files are the correct Microsoft versions. Windows File Protection itself does not generate signatures of any type.

How Windows File Protection Works
This feature protects system files using two mechanisms. The first runs in the background and is triggered when WFP is notified that a file in a protected folder has been modified. After this notification, WFP determines which file was changed and, if the file is protected, looks up the file signature in a catalog file to determine whether the new file is the correct Microsoft version. If it is an incorrect version, WFP replaces the file from the Dllcache folder (presuming it is there) or from the distribution media. By default, WFP displays the following dialog box to an administrator, where file_name is the name of the file:

A file replacement was attempted on the protected system file file_name. To maintain system stability, the file has been restored to the correct Microsoft version. If problems occur with your application, please contact the application vendor for support.

The second protection mechanism is the System File Checker tool (Sfc.exe, or SFC), which is similar to, but different from, the one included with Windows 98. At the end of Windows 2000 Setup, the System File Checker tool scans all of the protected files to ensure that they were not modified by programs installed as part of an unattended installation. Note: For the inexperienced, an unattended installation of Windows 2000 involves both the roll-out of the operating system itself and any additional applications intended for installation on the same computer. The Windows 98 version of SFC does not run this check. The System File Checker tool also checks all of the catalog files that are used to track correct file versions. If any catalog file is missing or damaged, WFP renames the affected catalog file and retrieves a cached version of it from the Dllcache folder. If no cached copy is available in the Dllcache folder, WFP requests that you insert the appropriate media so that it can retrieve a new copy.

SFC gives administrators the ability to scan all protected files to verify their versions, as well as to check and, if necessary, repopulate the %SystemRoot%\System32\Dllcache folder. If the Dllcache folder becomes damaged or unusable, you can use either of the following commands at a command prompt to repair the contents of the folder:

sfc /scanonce or sfc /scanboot

All of the .sys, .dll, .exe, .ttf, .fon, and .ocx files that are included on the Windows 2000 CD-ROM, and thus installed during the installation process, are protected. Note, however, that because of disk space considerations you may not want to maintain cached versions of all of these files in the Dllcache folder.

Depending on the SFCQuota value in the following registry key (the default is 0xFFFFFFFF, or about 400 MB), WFP caches verified file versions in the Dllcache folder on the hard disk.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The SFCQuota value can be set as large or as small as needed, but you must be logged on as an administrator to change it. If you set the SFCQuota value to 0xFFFFFFFF, WFP caches all protected system files, approximately 2,700 of them.

If WFP detects a file change and the affected file is not in the Dllcache folder, but the corresponding file in use by the operating system is the correct version, WFP copies the in-use version to the Dllcache folder. If the in-use file is not the correct version and the file is not cached in the Dllcache folder, WFP attempts to locate the installation media in order to retrieve the correct file version. If the installation media is not found, WFP prompts you to insert the appropriate media so that it can replace the file or the Dllcache copy.
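As an added illustration (not code from this article or from Microsoft), the following Python models the background mechanism described in "How Windows File Protection Works" and the Dllcache repopulation rules above: a constructed catalog of known-good hashes, a change notification, restoring a wrong version from Dllcache, copying a correct in-use file into an empty Dllcache, and the prompt-for-media case. SHA-1 stands in for the signed catalog hashes; the file names, contents and folder layout are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def file_hash(path):
    # SHA-1 of the contents; stands in for the signed hash a catalog file records
    return hashlib.sha1(Path(path).read_bytes()).hexdigest()

def build_catalog(protected_dir, names):
    # Constructed catalog: file name -> hash of the installed, known-good version
    return {n: file_hash(Path(protected_dir, n)) for n in names}

def wfp_on_change(name, protected_dir, dllcache_dir, catalog):
    # React to a change notification for one file in a protected folder
    if name not in catalog:
        return "unprotected"          # not a monitored file; WFP ignores it
    expected = catalog[name]
    live, cached = Path(protected_dir, name), Path(dllcache_dir, name)
    cache_good = cached.exists() and file_hash(cached) == expected
    if live.exists() and file_hash(live) == expected:
        if not cache_good:            # correct version in use but missing from Dllcache
            shutil.copyfile(live, cached)
            return "cached"
        return "ok"
    if cache_good:                    # wrong version in use: restore it from Dllcache
        shutil.copyfile(cached, live)
        return "restored"
    return "media-needed"             # nothing verifies locally: prompt for the media

def demo():
    # Walk a constructed System32/Dllcache tree through the cases in the article
    sys32 = Path(tempfile.mkdtemp(), "System32")
    cache = sys32 / "Dllcache"
    cache.mkdir(parents=True)
    live = sys32 / "kernel32.dll"
    live.write_bytes(b"constructed good kernel32")      # the installed Microsoft version
    catalog = build_catalog(sys32, ["kernel32.dll"])
    out = [wfp_on_change("kernel32.dll", sys32, cache, catalog)]      # 'cached'
    live.write_bytes(b"overwritten by an errant installer")
    out.append(wfp_on_change("kernel32.dll", sys32, cache, catalog))  # 'restored'
    out.append(file_hash(live) == catalog["kernel32.dll"])            # True
    (cache / "kernel32.dll").unlink()
    live.write_bytes(b"overwritten again, cache copy gone")
    out.append(wfp_on_change("kernel32.dll", sys32, cache, catalog))  # 'media-needed'
    out.append(wfp_on_change("myapp.dll", sys32, cache, catalog))     # 'unprotected'
    shutil.rmtree(sys32.parent)
    return out
```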

The SFCDllCacheDir value (REG_EXPAND_SZ) in the following registry key specifies the location of the Dllcache folder.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The SFCDllCacheDir value can be a local path. By default, the SFCDllCacheDir value is not present in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

To change the cache location, you must add this value.

You can review more about Windows File Protection and the System File Checker at the following Microsoft Knowledge Base articles:

Q222473 Registry Settings for Windows File Protection

Q222471 Description of the Windows 2000 System File Checker Tool

Notice: Windows® 95, Windows® 98, Windows® NT, Windows® 2000 and
Microsoft® Office are registered trademarks or trademarks of the Microsoft Corporation.