Files Manually Copied to the DLLCache Folder Are Not Used Until the Next Reboot (236995)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q236995

SUMMARY

Windows File Protection (WFP) protects operating system files from being replaced by third-party programs or being accidentally deleted. When a file that is protected by this process is deleted or overwritten, WFP automatically replaces the file with the original version.

The %SystemRoot%\System32\DllCache folder by default caches all files on Windows 2000 Professional installations as long as there is enough disk space available. All protected files are cached in all Windows 2000 Server products. You can manually adjust the WFP cache size limit by using the Sfc.exe command-line utility. Type sfc /? to display usage and syntax information for Sfc.exe.

If the DllCache folder is set to a certain size and you want to add files to it manually, you can do so, but the files are not used until the next time you restart the computer.

WFP initializes and generates a list of files that are currently in the %SystemRoot%\System32\DLLCache folder each time the computer is booted. This file list is referenced whenever a protected file is modified or deleted. If the file is not on the current list that was created during the last reboot, WFP checks the original Windows 2000 installation source.

MORE INFORMATION

Windows File Protection Overview

When a WFP-protected file is overwritten or deleted, WFP checks the digital signature of the new file to see if it matches the digital signature listed in a catalog. If the digital signatures do not match, WFP replaces the file with the original version.

When it is replacing files, WFP looks in the following locations to find the correct version:
  • %SystemRoot%\System32\DllCache folder
  • %SystemRoot%\Driver Cache\Platform\Driver.cab file
  • Original Windows 2000 installation source (which could be a network share or a local CD-ROM drive)
NOTE: The Windows 2000 source location is stored in the following registry location and can be modified to point to the drive letter of a volume that has an I386 flat folder of the installation files:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath:REG_SZ:<drive letter>:

where <drive letter> is the appropriate drive letter. After rebooting, WFP and SFC /SCANNOW will use the new source path instead of prompting for the installation CD-ROM.

NOTE: If Windows 2000 was installed by running Winnt.exe or Winnt32.exe from a folder (for example, the \I386 folder) on the local hard disk, Setup considers it to be equivalent to a local CD-ROM installation method; WFP looks to the local CD-ROM drive for the source of system files.

If the file required for replacement is found in any of these sources, WFP automatically overwrites the file and the following event is placed in the System event log:
Event ID: 64001
Source: Windows File Protection
Description: File replacement was attempted on the protected system file c:\winnt\system32\file_name. This file was restored to the original version to maintain system stability. The file version of the system file is x.x:x.x.
If the file is not located in any of the source folders and the original installation source (network share or local CD-ROM) is not available, the user is prompted to insert the Windows 2000 installation CD-ROM.
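
The following is an added example, not part of the original article: a Python sketch that parses event 64001 records from a text export of the System event log and reports protected files that were restored more than once, which indicates that something keeps trying to replace them. The export layout (time, source, event ID, description on one comma-separated line) and all file names, versions and timestamps in the sample are constructed assumptions; only the description wording comes from the article.

```python
import re
from collections import Counter

# Description wording copied from the article's event 64001 text.
DESC_RE = re.compile(
    r"File replacement was attempted on the protected system file "
    r"(?P<path>.+?)\. This file was restored to the original version "
    r"to maintain system stability\. The file version of the system file "
    r"is (?P<version>\S+?)\.?$"
)

# Constructed sample export; the column layout (time, source, id, description)
# and every file name and version below are assumptions for illustration.
SAMPLE = r"""
2003-11-20 09:14:02,Windows File Protection,64001,File replacement was attempted on the protected system file c:\winnt\system32\example1.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.0:2195.1.
2003-11-20 09:14:40,Service Control Manager,7035,The Example service was successfully sent a start control.
2003-11-20 09:20:11,Windows File Protection,64001,File replacement was attempted on the protected system file C:\WINNT\System32\example1.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 5.0:2195.1.
2003-11-20 10:02:57,Windows File Protection,64001,File replacement was attempted on the protected system file c:\winnt\system32\example2.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.0:2195.2.
"""


def parse_wfp_events(text):
    """Return (time, path, version) for each WFP restore event in the export."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split(",", 3)  # description may itself contain commas
        if len(parts) != 4:
            continue
        when, source, event_id, desc = (p.strip() for p in parts)
        if source != "Windows File Protection" or event_id != "64001":
            continue
        m = DESC_RE.match(desc)
        if m:  # skip descriptions that do not follow the documented wording
            # Windows paths are case-insensitive, so normalise before counting.
            events.append((when, m.group("path").lower(), m.group("version")))
    return events


def repeated_targets(events, threshold=2):
    """Files restored at least `threshold` times: something keeps replacing them."""
    counts = Counter(path for _, path, _ in events)
    return {path: n for path, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for path, n in repeated_targets(parse_wfp_events(SAMPLE)).items():
        print(f"{n} restores: {path}")
```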

For additional information about the WFP feature, click the article number below to view the article in the Microsoft Knowledge Base:

222193 Description of the Windows 2000 Windows File Protection Feature


Modification Type: Major
Last Reviewed: 11/21/2003
Keywords: kbenv kbinfo kbWFP w2000wfp KB236995