Description of the Windows 2000 Windows File Protection Feature

ID: q222193

This article discusses a beta test product not yet announced by Microsoft. Please feel free to familiarize yourself with this product, test it, and report problems to Microsoft.
The information in this article applies to:


SUMMARY

Earlier versions of the Windows operating system do not prevent shared system files from being overwritten by program installations. After these changes are made, the user often experiences unpredictable performance results, ranging from program errors to an unstable operating system. This problem affects several types of files, most commonly dynamic link libraries (DLLs) and executable (EXE) files.

Windows 2000 includes a new feature called Windows File Protection (WFP) that prevents the replacement of certain monitored system files. This avoids file version mismatches.

The Windows File Protection feature uses the file signatures and catalog files generated by code signing to verify if protected system files are the correct Microsoft versions. The Windows File Protection feature does not generate signatures of any type.


MORE INFORMATION

How the Windows File Protection Feature Works

The Windows File Protection feature protects system files using two mechanisms. The first mechanism runs in the background. The Windows File Protection feature is triggered when it is notified that a file in a protected folder has been modified. Once it receives this notification, it determines which file was changed. If the file is protected, the Windows File Protection feature looks up the file signature in a catalog file to determine whether the new file is the correct Microsoft version. If it is not, the file is replaced from the Dllcache folder (if it is in the Dllcache folder) or the distribution media. By default, the Windows File Protection feature displays the following dialog box to an administrator:

A file replacement was attempted on the protected system file file name. To maintain system stability, the file has been restored to the correct Microsoft version. If problems occur with your application, please contact the application vendor for support.

The second protection mechanism provided by the Windows File Protection feature is the System File Checker (Sfc.exe) tool. At the end of GUI-mode Setup, the System File Checker tool scans all protected files to ensure they are not modified by programs installed using an unattended installation. The System File Checker tool also checks all catalog files used to track correct file versions. If any catalog files are missing or damaged, the Windows File Protection feature renames the affected catalog file and retrieves a cached version of that file from the Dllcache folder. If a cached copy of the catalog file is not available in the Dllcache folder, the Windows File Protection feature requests the appropriate media to retrieve a new copy of the catalog file.

The System File Checker tool gives an administrator the ability to scan all protected files to verify their versions. The System File Checker tool also checks and repopulates the %Systemroot%\System32\Dllcache folder. If the Dllcache folder becomes damaged or unusable, you can use the "sfc /scanonce" (without quotation marks) or "sfc /scanboot" (without quotation marks) command to repair its contents.

All SYS, DLL, EXE, TTF, FON and OCX files included on the Windows 2000 CD-ROM are protected. However, due to disk space considerations, maintaining cached versions of all these files in the Dllcache folder is not desirable on all computers.

Depending on the size of the SFCQuota value in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key (the default size is 0x32h or 50 megabytes [MB]), the Windows File Protection feature keeps verified file versions cached in the Dllcache folder on the hard disk. The SFCQuota setting can be made as large or small as needed by the system administrator. Setting the SFCQuota value to 0xFFFFFFFF causes the Windows File Protection feature to cache all protected system files (approximately 2,700 files).

If a file change is detected by the Windows File Protection feature, the affected file is not in the Dllcache folder, and the corresponding file in use by the operating system is the correct version, the Windows File Protection feature copies that version of the file to the Dllcache folder. If the affected file in use by the operating system is not the correct version or the file is not cached in the Dllcache folder, the Windows File Protection feature attempts to locate the installation media. If the installation media is not found, the Windows File Protection feature prompts an administrator to insert the appropriate media to replace the file or the Dllcache file version.
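
The background mechanism and the fallback order described above, as an added Python model (not Microsoft's code and not part of the original article). It assumes SHA-256 digests in a dictionary in place of signed catalog files and in-memory dictionaries in place of the folders; WfpModel, on_change and the file names are hypothetical.

```python
import hashlib

def digest(data):
    # Stand-in for the signature lookup: the real check uses signed catalog files.
    return hashlib.sha256(data).hexdigest()

class WfpModel:
    """Simplified model; each store is a dict of file name -> contents."""

    def __init__(self, catalog, system32, dllcache, media=None):
        self.catalog = catalog    # file name -> digest of the correct version
        self.system32 = system32  # the protected folder
        self.dllcache = dllcache  # cached verified copies
        self.media = media        # None means the installation media was not found

    def _correct(self, store, name):
        return (store is not None and name in store
                and digest(store[name]) == self.catalog[name])

    def on_change(self, name):
        """Handle one change notification and return the action taken."""
        if name not in self.catalog:
            return "ignored"                      # not a protected file
        if self._correct(self.system32, name):
            if name in self.dllcache:
                return "ok"
            self.dllcache[name] = self.system32[name]
            return "cached"                       # correct version copied to Dllcache
        # Wrong version: try Dllcache first, then the installation media.
        # Assumption: a cached copy is used only if it matches the catalog too.
        for source, store in (("dllcache", self.dllcache), ("media", self.media)):
            if self._correct(store, name):
                self.system32[name] = store[name]
                return "restored from " + source
        return "prompt for media"

def demo():
    good, bad = b"correct build", b"installer's older copy"   # constructed contents
    catalog = {n: digest(good) for n in ("a.dll", "b.dll", "c.dll")}
    wfp = WfpModel(catalog,
                   system32={"a.dll": bad, "b.dll": bad, "c.dll": good, "app.ini": b"x"},
                   dllcache={"a.dll": good},
                   media=None)
    results = [wfp.on_change(n) for n in ("a.dll", "b.dll", "c.dll", "app.ini")]
    wfp.media = {"b.dll": good}                   # administrator inserts the CD-ROM
    results.append(wfp.on_change("b.dll"))
    return results, wfp

if __name__ == "__main__":
    print(demo()[0])
```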

The SFCDllCacheDir value (REG_EXPAND_SZ) in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key specifies the location of the Dllcache folder. The default value data for the SFCDllCacheDir value is %systemroot%\system32. The SFCDllCacheDir value can either be a local path or a network path. Using a network path provides a single shared network source for files in the Dllcache folder, provided all clients using that share have the same Service Pack or hotfix revision.

For additional information about the System File Checker tool, please see the following article in the Microsoft Knowledge Base:
Q222471 Description of the Windows 2000 System File Checker Tool

Version           : WINDOWS:2000
Platform          : WINDOWS 

Last Reviewed: July 8, 1999