MORE INFORMATION
Windows File Protection (WFP) prevents programs from replacing critical Windows system files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system.
WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some TrueType fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify whether protected system files are the correct Microsoft versions. Replacement of protected system files is supported only through the following mechanisms:
- Windows Service Pack installation using Update.exe
- Hotfixes installed using Hotfix.exe or Update.exe
- Operating system upgrades using Winnt32.exe
- Windows Update
If a program uses a different method to replace protected files, WFP restores the original files. The Windows Installer adheres to WFP when installing critical system files: it calls WFP with a request to install or replace the protected file instead of trying to install or replace the protected file itself.
How the WFP feature works
The WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. WFP searches for the correct file in the following locations, in this order:
- The cache folder (by default, %systemroot%\system32\dllcache).
- The network install path, if the system was installed using network install.
- The Windows CD-ROM, if the system was installed from CD-ROM.
If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file. If WFP cannot automatically find the file in any of these locations, you receive one of the following messages, where file_name is the name of the file that was replaced and product is the Windows product you are using:
Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your product CD-ROM now.
Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. The network location from which these files should be copied, \\server\share, is not available. Contact your system administrator or insert product CD-ROM now.
Note If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this case, WFP displays the dialog box after an administrator logs on. Until the administrator logs on, the files are unprotected. WFP also records an event to the system event log, noting the file replacement attempt. If an administrator cancels the WFP file replacement, an event noting the cancellation is logged. Note that WFP is not a replacement for having properly restricted user accounts and appropriate security policies.
The second protection mechanism that is provided by the WFP feature is the System File Checker (Sfc.exe) tool. At the end of GUI-mode Setup, the System File Checker tool scans all the protected files to make sure that they were not modified by programs that were installed by using an unattended installation. The System File Checker tool also checks all the catalog files that are used to track correct file versions. If any of the catalog files are missing or damaged, WFP renames the affected catalog file and retrieves a cached version of that file from the cache folder. If a cached copy of the catalog file is not available in the cache folder, the WFP feature requests the appropriate media to retrieve a new copy of the catalog file.
The System File Checker tool gives an administrator the ability to scan all the protected files to verify their versions. The System File Checker tool also checks and repopulates the cache folder (by default, %SystemRoot%\System32\Dllcache). If the cache folder becomes damaged or unusable, you can use either the sfc /scanonce command or the sfc /scanboot command at a command prompt to repair the contents of the folder.
The SfcScan value in the following registry key has three possible settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The settings for the SfcScan value are:
- 0x0 = do not scan protected files after restart. (Default value)
- 0x1 = scan all protected files after every restart (set if sfc /scanboot is run).
- 0x2 = scan all protected files one time after a restart (set if sfc /scanonce is run).
By default, all system files are cached in the cache folder, and the default size of the cache is 400 MB. Because of disk space considerations, it may not be desirable to maintain cached versions of all system files in the cache folder. To change the size of the cache, change the setting of the SFCQuota value in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
WFP stores verified file versions in the Dllcache folder on the hard disk. The number of cached files is determined by the setting of the SFCQuota value (the default size is 0xFFFFFFFF, or 400 MB). The administrator can make the setting for the SFCQuota value as large or small as needed. Note that if you set the SFCQuota value to 0xFFFFFFFF, the WFP feature caches all protected system files (approximately 2,700 files).
There are two cases in which the cache folder may not contain copies of all protected files, regardless of the SFCQuota value:
- Not enough disk space. Under Windows XP, WFP stops populating the Dllcache folder when less than (600 MB + maximum size of the page file) of space is available on the hard disk. Under Windows 2000, WFP stops populating the Dllcache folder when less than 600 MB of space is available on the hard disk.
- Network Install. When Windows 2000 or Windows XP is installed over the network, files in the i386\lang directory are not populated in the Dllcache folder.
Additionally, all drivers in the Driver.cab file are protected, but they are not populated in the Dllcache folder. WFP can restore these files from the Driver.cab file directly without prompting the user for the source media. However, running the sfc /scannow command does populate the files from the Driver.cab file into the Dllcache folder.
If WFP detects a file change and the affected file is not in the cache folder, WFP examines the version of the changed file that the operating system is currently using. If the file that is currently in use is the correct version, WFP copies that version of the file to the cache folder. If the file that is currently in use is not the correct version, or if the file is not cached in the cache folder, WFP tries to locate the installation source. If WFP cannot find the installation source, WFP prompts an administrator to insert the appropriate media to replace the file or the cached file version.
The SFCDllCacheDir value (REG_EXPAND_SZ) in the following registry key specifies the location of the Dllcache folder:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The default value data for the SFCDllCacheDir value is %SystemRoot%\System32. The SFCDllCacheDir value can be a local path. By default, the SFCDllCacheDir value is not listed in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. To modify the cache location, you must add this value.
When Windows starts up, WFP synchronizes (copies) the WFP settings from the following registry key
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection
to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Therefore, if the SfcScan, SFCQuota, or SFCDllCacheDir values are present in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection subkey, those values take precedence over the same values in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon subkey.
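As an added example (not Microsoft's code), the following Python audits the effective SfcScan, SFCQuota and SFCDllCacheDir settings by applying the precedence rule just described (Policies key, then Winlogon key, then the documented default) and decoding the SfcScan and SFCQuota values listed earlier. On Windows it reads both keys with winreg; the same functions accept plain dicts, so the logic can be exercised anywhere. It assumes, from the defaults on this page, that the cache is the dllcache subfolder of SFCDllCacheDir, and the write-permission check it suggests for a relocated cache is this example's own.

```python
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
CACHE_ALL = 0xFFFFFFFF  # documented default SFCQuota: cache all ~2,700 files
DEFAULTS = {"SfcScan": 0, "SFCQuota": CACHE_ALL, "SFCDllCacheDir": r"%SystemRoot%\System32"}
SFCSCAN_MEANING = {
    0: "do not scan protected files after restart (default)",
    1: "scan all protected files after every restart (sfc /scanboot)",
    2: "scan all protected files once after the next restart (sfc /scanonce)",
}

def read_key(subkey):
    """Read the WFP values from one HKLM subkey (Windows only); {} if absent."""
    found = {}
    try:
        import winreg
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            for name in DEFAULTS:
                try:
                    found[name] = winreg.QueryValueEx(key, name)[0]
                except FileNotFoundError:
                    pass  # value not set in this key
    except (ImportError, FileNotFoundError):
        pass  # not Windows, or key absent (the Policies key often is)
    return found

def effective_settings(policy, winlogon):
    """Precedence rule from the page: Policies key > Winlogon key > default."""
    merged = {}
    for name, default in DEFAULTS.items():
        if name in policy:
            merged[name] = (policy[name], "policy")
        elif name in winlogon:
            merged[name] = (winlogon[name], "winlogon")
        else:
            merged[name] = (default, "default")
    return merged  # {name: (value, source)} so an audit shows provenance

def audit(merged):
    """Turn the effective values into findings a defender can act on."""
    scan, scan_src = merged["SfcScan"]
    quota, quota_src = merged["SFCQuota"]
    cache_dir, dir_src = merged["SFCDllCacheDir"]
    findings = ["SfcScan=%#x from %s: %s" % (
        scan, scan_src, SFCSCAN_MEANING.get(scan, "undocumented value"))]
    if quota != CACHE_ALL:
        findings.append("SFCQuota=%#x from %s: cache is limited, so some protected "
                        "files can only be restored from source media" % (quota, quota_src))
    if dir_src != "default":  # the cache itself is the dllcache subfolder of this path
        findings.append("SFCDllCacheDir set by %s: WFP restores from %s\\dllcache; confirm "
                        "that standard users cannot write there" % (dir_src, cache_dir))
    return findings
```

On a Windows host, `audit(effective_settings(read_key(POLICY_KEY), read_key(WINLOGON_KEY)))` returns the findings for the live registry; elsewhere, pass constructed dicts in place of the two `read_key` calls.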
REFERENCES
For more information about the WFP feature, visit the following Microsoft Web site:
For more information about Windows Installer and WFP, visit the following Microsoft Web site: