Windows File Protection

Installation programs that are not part of the operating system can overwrite shared system files. This has been a common problem in the history of the Microsoft® Windows® operating systems. Overwriting shared system files can result in unpredictable system behavior that ranges from application errors to operating system crashes. The file types most commonly affected by this problem are dynamic-link libraries (DLL) and executable files (EXE).

In Microsoft® Windows® 2000, a new feature called Windows File Protection (WFP) will prevent the replacement of certain monitored system files. By preventing the replacement of essential system files, file version mismatches can be avoided.

WFP protects system files by running in the background and detecting attempts to replace protected system files. Windows File Protection is triggered after it receives a directory change notification on a file in a protected directory. Once this notification is received, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct Microsoft version. If it is not, the operating system replaces the file with the correct version from the dllcache directory or the distribution media.

After detecting the replacement of a protected file, WFP searches for the replaced files in the following order:

  1. Search the dllcache directory.
  2. If the system was installed via network install, search the network install path.
  3. Search on the CD.

If the file is found in dllcache or the install source is auto-located, WFP will replace the file without prompting the user and move on. If the file cannot be found, WFP displays a dialog box that prompts the user to either insert CD media or cancel the restore operation.

WFP also logs an event to the system event log, noting the file replacement attempt. If the administrative user cancels the WFP file restoration, an event noting the cancel will be logged.

NOTE: The “hit rate” of the dllcache directory is related to the size of the cache specified in the SFCQuota setting. See Protected File List, below, for more information about the SFCQuota setting.
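As an added illustration (not Microsoft's code or part of the original document), the following Python model walks through the decision sequence just described: the catalog check, then dllcache, the network install path and the CD in that order, with the silent restore, the prompt and the cancel each producing the event log entry the text mentions. Catalog signatures are modelled as plain SHA-256 digests and directory contents as dicts; both are assumptions of the model.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

def digest(data: bytes) -> str:
    """Stand-in for the catalog signature lookup: a plain SHA-256 of the file contents."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class WfpModel:
    catalog: dict                   # protected file name -> digest of the correct Microsoft version
    dllcache: dict                  # name -> bytes held in the dllcache directory (may be outdated)
    network_source: Optional[dict]  # network install path contents, None if not a network install
    cd: dict                        # files on the distribution CD
    media_present: bool = False     # True if the CD is already in the drive (auto-located source)
    events: list = field(default_factory=list)   # what WFP would write to the System event log

    def on_change(self, name, new_bytes, user_inserts_cd=False):
        """Handle a directory change notification for `name`.
        Returns (bytes left on disk, outcome)."""
        expected = self.catalog.get(name)
        if expected is None:
            return new_bytes, "not protected"
        if digest(new_bytes) == expected:
            return new_bytes, "valid version"          # the correct Microsoft file: nothing to do
        self.events.append(f"replacement attempt: {name}")
        # Search order 1 and 2: dllcache, then the network install path. A cached copy is
        # only used if it still matches the catalog, since the cache may hold an old version.
        for source in (self.dllcache, self.network_source or {}):
            candidate = source.get(name)
            if candidate is not None and digest(candidate) == expected:
                return candidate, "restored silently"
        # Search order 3: the CD. Auto-located media is used without prompting; otherwise
        # the user is asked to insert it or cancel, and a cancel is logged as well.
        if not self.media_present and not user_inserts_cd:
            self.events.append(f"restore cancelled: {name}")
            return new_bytes, "cancelled"
        candidate = self.cd.get(name)
        if candidate is None or digest(candidate) != expected:
            self.events.append(f"restore failed, correct version not on media: {name}")
            return new_bytes, "not found"
        return candidate, ("restored silently" if self.media_present else "restored after prompt")
```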

System File Checker

A command-line utility called System File Checker (SFC.EXE) allows an Administrator to scan all protected files to verify their versions. System File Checker can also set the registry value SFCScan discussed below in Additional Registry Settings.

System File Checker will also check and repopulate the %Systemroot%\system32\dllcache directory. If the dllcache directory becomes corrupted or unusable, SFC /SCANNOW, /SCANONCE, /SCANBOOT, or /PURGECACHE can be used to repair the contents of the dllcache directory.

Syntax of SFC.exe:

Scans all protected system files and replaces incorrect versions with correct Microsoft versions.

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/QUIET] [/PURGECACHE] [/CACHESIZE=x]

/SCANNOW Scans all protected system files immediately.

/SCANONCE Scans all protected system files once.

/SCANBOOT Scans all protected system files at every boot.

/CANCEL Cancels all pending scans of protected system files.

/QUIET Replaces all incorrect file versions without prompting the user.

/PURGECACHE Purges the file cache and scans all protected system files immediately.

/CACHESIZE=x Sets the file cache size (in megabytes).

Supported File Replacement Mechanisms

Replacement of protected system files is supported using the following mechanisms:

Replacing protected files by means other than those mentioned above results in the files being replaced by WFP.

To update third-party drivers that ship with Windows 2000, driver developers will have two options:

Protected File List

All SYS, DLL, EXE, and OCX files that ship on the Windows 2000 CD are protected. The TrueType fonts Micross.ttf, Tahoma.ttf, and Tahomabd.ttf are also protected.

Maintaining cached versions of all these files in the dllcache directory is not desirable on all systems due to disk space considerations. Depending on the size of the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCQuota (default is 0x32h (50MB) for Professional; all Windows 2000 files are cached on Server products), WFP keeps verified file versions cached in the dllcache directory on the system hard drive. WFP adds files to the cache until the size of the dllcache directory reaches the SFCQuota value. Setting the SFCQuota value to 0xFFFFFFFF hex causes WFP to cache all protected system files. SFCQuota = 0xFFFFFFFFh is the default setting for Server and Advanced Server.

After Setup is complete, WFP runs a scan of all protected files to ensure that they have not been modified by applications that were installed using unattended installation methods. This scan also populates the dllcache directory with verified file versions. If the dllcache directory becomes corrupted, run SFC /PURGECACHE. SFC will delete the contents of the dllcache directory, rescan all Windows 2000 files, and repopulate the dllcache directory with verified file versions.

The location of the dllcache directory is specified in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDllCacheDir (REG_EXPAND_SZ). The default value for SFCDllCacheDir is %Systemroot%\system32\dllcache. The SFCDllCacheDir setting must be a local path.

In some instances WFP may not be able to locate the correct version of a system file in the dllcache directory. The dllcache directory might contain an outdated version of the file, or not contain any version of the file at all. In such a case WFP will attempt to locate the installation media. If WFP cannot find the installation media, it will prompt the user to insert the appropriate media. WFP will then replace the incorrect file version that is being used by the operating system or that has been found in the dllcache directory.

Unattended Setup Parameters

[SystemFileProtection]

This section contains parameters for the WFP service. If this section is missing or empty, Setup will install WFP using default values.

SFCShowProgress

Value: 0 | 1
Default: 1

Specifies if System File Checker displays a progress meter during scans.

Value   Description
0       Progress meter is not displayed.
1       Progress meter is displayed.

SFCQuota

Value: <size in MB (hex)>
Default: 0x32h (50MB) for Professional, 0xFFFFFFFFh for Server and Advanced Server.

Specifies the size of the dllcache file cache stored on the system hard drive. If 0xFFFFFFFFh is specified, all system files will be cached in the dllcache directory.

Example: SFCQuota = 0xFFFFFFFFh

SFCDllCacheDir

Value: <location of dllcache directory>
Default: %Systemroot%\system32\dllcache

Specifies the location of the dllcache directory. This path must be a local path.

Example: SFCDllCacheDir = "C:\Winnt\System32\dllcache"

Disabling Windows File Protection

You may disable WFP by setting the value SFCDisable (REG_DWORD) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. By default, SFCDisable is set to 0, which means WFP is active. Setting SFCDisable to 1 will disable WFP. Setting SFCDisable to 2 will disable WFP for the next system restart only (without a prompt to re-enable).

You must have a kernel debugger (for example, I386kd.exe or Windbg.exe) attached to the system via a null modem cable to use SFCDisable = 1 or SFCDisable = 2.

After WFP is disabled using the SFCDisable = 1 setting, the following message will appear after logon:

"Warning! Windows File Protection is not active on this system. Would you like to enable Windows File Protection now? This will enable Windows File Protection until the next system restart. <Yes> <No>."

Clicking Yes will reactivate WFP until the next system restart. This message will appear at every successful logon until SFCDisable is set to 0.

NOTE: The above message will only be presented to Administrators.

Additional Registry Settings

All registry settings for WFP/System File Checker are located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. By default, only Administrators and System will be able to modify these settings.

SFCDisable (REG_DWORD)

0 = enabled (default).
1 = disabled, prompt at boot to re-enable (debugger required).
2 = disabled at next boot only, no prompt to re-enable (debugger required).

SFCScan (REG_DWORD)

0 = do not scan protected files at boot (default).
1 = scan protected files at every boot.
2 = scan protected files once.

SFCQuota (REG_DWORD)

n = size (in megabytes) of dllcache quota.
FFFFFFFF = cache all protected system files on the local hard drive.

SFCShowProgress (REG_DWORD)

0 = System File Checker progress meter is not displayed.
1 = System File Checker progress meter is displayed (default).

SFCDllCacheDir (REG_EXPAND_SZ)

Path = local location of dllcache directory (default is %Systemroot%\system32\dllcache).
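The following Python is an added example, not part of this document or of any Microsoft tool. It reads a regedit 5.00 export of the Winlogon key (including the hex(2) encoding regedit uses for REG_EXPAND_SZ values) and flags the settings from this section and from Disabling Windows File Protection that weaken or break WFP: SFCDisable set to 1 or 2, and an SFCDllCacheDir that is not a local path. The sample export is constructed; absent values are treated as the documented defaults.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed regedit 5.00 export of a weakened Winlogon key (not from a real system):
# WFP switched off and SFCDllCacheDir pointed at a UNC share, which must be a local path.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000001
"SFCQuota"=dword:ffffffff
"SFCDllCacheDir"=hex(2):5c,00,5c,00,73,00,72,00,76,00,5c,00,64,00,6c,00,6c,00,63,00,\
  61,00,63,00,68,00,65,00,00,00
"""

def parse_reg_export(text):
    """Parse a .reg export into {key: {name: (type, value)}}; handles dword: and hex(2) (UTF-16LE)."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.groups()
        while data.endswith("\\"):                       # join hex lines wrapped with a trailing '\'
            data, i = data[:-1] + lines[i].strip(), i + 1
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex(2):"):
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            keys[current][name] = ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\0"))
    return keys

def audit_wfp(values):
    """Flag settings that weaken WFP, using the value meanings listed above (defaults if absent)."""
    findings = []
    disable = values.get("SFCDisable", ("REG_DWORD", 0))[1]
    if disable in (1, 2):
        findings.append(f"SFCDisable={disable}: WFP disabled" + (" for the next restart only" if disable == 2 else ""))
    elif disable != 0:
        findings.append(f"SFCDisable={disable}: undocumented value")
    cache_dir = values.get("SFCDllCacheDir", ("REG_EXPAND_SZ", r"%Systemroot%\system32\dllcache"))[1]
    if cache_dir.startswith("\\\\"):
        findings.append(f"SFCDllCacheDir={cache_dir}: must be a local path, not a UNC share")
    return findings
```

Run it against a real export with `audit_wfp(parse_reg_export(open(path, encoding="utf-16").read())[WINLOGON])`; regedit writes 5.00 exports as UTF-16.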