Summary Windows File Protection (WFP)

Windows File Protection prevents critical system files from being overwritten. During installation, critical system files with a SYS, DLL, EXE, TTF, FON, or OCX extension are copied to the \winnt\system32\dllcache directory. When a file in a protected directory (\winnt) is changed, WFP checks the catalogue file to see whether the new file is the correct Microsoft version. If not, WFP warns the user and restores the file from the dllcache directory. If the file is not available in the dllcache directory, Windows searches for the installation media or asks the user for the media. When a file is replaced by WFP, or when the user cancels the replacement, this is logged in the event database.

Via the policy Computer Configuration\Administrative Templates\System\Windows File Protection\ you can define the following settings:

- Set windows file protection scanning. (Do not scan during startup (default), scan during startup, scan once)
- Hide the file scan progress window.
- Limit windows file protection size. (default maximum 4294967295 MB)
- Specify windows file protection cache location. (default %systemroot%\system32\dllcache)

The default size for the dllcache folder can be changed with the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCQuota.

The root location of the dllcache folder can be set via HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDllCacheDir.

Other registry keys for WFP are described in article http://support.microsoft.com/support/kb/articles/Q222/4/73.ASP
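The two registry values above decide where WFP restores files from and how much it may cache, so they are worth checking during a host review. The following is an added example, not part of the original page: it parses saved `reg query` text output of the Winlogon key and reports values that differ from the defaults stated on this page. The sample export is constructed, the system root C:\WINNT is an assumption, and a value that is absent is treated as default.

```python
import re

# Defaults as stated on this page.
DEFAULT_QUOTA_MB = 4294967295
DEFAULT_CACHE_DIR = r"%systemroot%\system32\dllcache"

# One value line of `reg query` output: name, type, data (tab- or space-separated).
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*\S)\s*$")

def parse_reg_query(text):
    """Return {lowercased value name: data string} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1).lower()] = match.group(3)
    return values

def normalize_path(path, system_root):
    """Expand %systemroot%, lowercase and drop a trailing backslash."""
    expanded = re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.I)
    return expanded.lower().rstrip("\\")

def audit_wfp(text, system_root=r"C:\WINNT"):
    """Return findings for WFP cache settings that differ from the defaults."""
    values = parse_reg_query(text)
    findings = []
    if "sfcquota" in values:  # absent value: treated as default (assumption)
        data = values["sfcquota"]
        quota = int(data, 16) if data.lower().startswith("0x") else int(data)
        if quota != DEFAULT_QUOTA_MB:
            findings.append(f"SFCQuota={quota} MB (default {DEFAULT_QUOTA_MB})")
    if "sfcdllcachedir" in values:
        raw = values["sfcdllcachedir"]
        if normalize_path(raw, system_root) != normalize_path(DEFAULT_CACHE_DIR, system_root):
            findings.append(f"SFCDllCacheDir={raw} (default {DEFAULT_CACHE_DIR})")
    return findings

# Constructed sample export, not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    SFCQuota    REG_DWORD    0x32
    SFCDllCacheDir    REG_EXPAND_SZ    D:\Temp\cache
"""

if __name__ == "__main__":
    for finding in audit_wfp(SAMPLE):
        print("REVIEW:", finding)
```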

System File Checker (SFC) is a tool used to check the signature of system files. It starts via 'sfc.exe' and has the following parameters:

- /Scannow. Scans all system files immediately.
- /Scanonce. Scans all system files on the next reboot.
- /Scanboot. Scans all the system files on every boot.
- /Cancel. Stops the scanning of the system files on a boot.
- /Quiet. Replaces all wrong system files without asking the user.
- /Enable. Replaces all wrong system files after asking the user.
- /Purgecache. Purges the file cache and scans all protected system files immediately. This command is required after running the /Cachesize=X command.
- /Cachesize=x. Sets the file cache size in MB. This requires a reboot followed by a /Purgecache command to adjust the size of the on-disk cache.

The SFC tool runs automatically after the installation to detect whether any system files or catalog files were replaced during an automatic installation. If so, they are renamed and replaced by the correct files.

The SFC tool can also be used to check and refill the dllcache directory by using the /scanonce or /scanboot option.

Windows file protection also runs in the background. If you delete a system file (e.g. notepad.exe) it will be copied back from the CSC-folder within a few seconds.

Last update : 3 March 2003