How to protect system files from being mistakenly modified or deleted by software?
Have you ever installed an application and had Windows crash afterwards? The application most likely overwrote a critical Windows system file. When such a file is modified, the result is often unpredictable: the system may run normally, produce some errors, or crash completely. Fortunately, Windows 2000, XP and Server 2003 use a mechanism called Windows File Protection (WFP) to prevent critical system files from being overwritten. In this article, I will explain what WFP is and how it works. I will also show you how to change or override WFP's behavior. (Note: Although WFP operates on Windows 2000, XP and Server 2003, the information in this article, including the registry entries and the SFC syntax, applies to XP.)

How does Windows file protection work?

WFP is designed to protect the contents of Windows folders. WFP protects specific file types, such as SYS, EXE, DLL, OCX, FON and TTF, instead of preventing any modification of the entire folder. Registry key values determine the types of files protected by WFP.

When an application tries to replace a protected file, WFP checks the digital signature of the replacement file to determine whether it comes from Microsoft and is the correct version. If both conditions are met, the replacement is allowed. Normally the only things permitted to replace system files are Windows service packs, hotfixes and operating system upgrades. System files can also be replaced by Windows Update or by the Windows Device Manager/Class Installer.

If both conditions are not met, the protected file is still overwritten by the new file, but it is soon replaced again with the correct version. When this happens, Windows copies the correct version of the file from the Windows installation CD or from the computer's DLLCACHE folder.

Windows File Protection not only refuses to let protected files be modified, it also refuses to let them be deleted. Let's look at WFP in action. Open the \WINDOWS\SYSTEM32 folder and rename CALC.EXE to CALC. When you do this, a message warns you that changing the file's extension may make it unusable. Click Yes to confirm the warning. Now wait a few minutes and press F5 to refresh the folder view. The replacement may take some time, but when the file is finally restored, Windows records the event in the event log.

One thing worth noting about WFP is that it is closely integrated with Windows installer. Whenever a Windows installer needs to install a protected file, it gives it to WFP instead of trying to install it. WFP then determines whether the installation is allowed.

System file check

Although automatic file replacement will save time, there are also cases that require manual intervention. For example, you may not want to wait for WFP to determine whether a protected file has been replaced. Fortunately, you can use a tool called System File Check (SFC) to control WFP manually.

SFC is a command line tool that runs in a command prompt window. Its syntax is as follows:

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/REVERT] [/PURGECACHE] [/CACHESIZE=x]

The /SCANNOW option tells SFC to scan all protected system files immediately. If an incorrect file version is found during scanning, the incorrect version will be replaced by the correct Microsoft version. Of course, this means that you may need the Windows installation CD, the latest service pack or upgrade patch.

The /SCANONCE parameter tells WFP to scan the protected system files the next time it starts the system. During scanning, any wrong files will be replaced by the correct version. As the name implies, this scan is only performed once. After the system is started, it will return to normal, and SFC will no longer run.

The /SCANBOOT parameter is similar to the /SCANONCE option. The difference is that SCANONCE only scans the protected files the next time Windows starts, while the SCANBOOT parameter scans the system files every time Windows starts. If necessary, these two parameters will replace the wrong system file, which may require you to provide a copy of the correct file version.

The /REVERT option turns SFC off. For example, suppose you use the /SCANBOOT option to scan all protected files every time the system starts. As you can imagine, this noticeably increases the computer's total startup time. Eventually you may tire of the long startup and want to turn SFC off; just run SFC /REVERT to stop SFC from scanning at startup.

You need to be careful with the /PURGECACHE option. Before that, I explained that Windows uses cache folders to save backups of correct versions of various system files. If you run the SFC /PURGECACHE command, the file cache will be emptied and these backup files will be deleted. This command will also cause Windows to start scanning all types of protected files and rebuild the file cache. Of course, this may mean that you must provide Windows with a copy of the Windows installation CD or system file upgrade.

The last SFC option is /CACHESIZE=x, and there is a lot of contradictory information about the default size of the file cache. At the time of writing, I found that three different Microsoft Knowledge Base articles each gave a different default size. One said the file cache should be 50 MB, another said 300 MB, and a third said it should be unlimited. In practice the default value does not matter, because you can use the /CACHESIZE option to change the file cache size as needed.

To use it, type SFC /CACHESIZE=x, where x is the number of megabytes to allocate to the file cache. After specifying a new file cache size, you must restart the system and then run the SFC /PURGECACHE command.

Controlling WFP and SFC through the registry

Earlier I explained that the registry controls the general behavior of WFP. You can modify several different registry values to control how WFP behaves. Some of these are the values SFC itself changes each time you run it, while others control lower-level settings, such as the size of the file cache or the location of the installation files.

Modifying the registry can be dangerous. If you make a wrong modification, it may cause Windows to crash or destroy your application, so I strongly recommend that you make a complete backup of the registry before trying any of the techniques described in this section.

To access the SFC registry values, type REGEDIT in the Run dialog. This opens the Registry Editor. Now browse the registry tree to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The Winlogon key in the registry is normally used to control various startup options. Since many SFC options control whether SFC runs at startup, Microsoft has placed the SFC-related registry values in this section.

This registry value (the SFCDisable DWORD) controls whether SFC is active or disabled. In fact, you can get four different behaviors just by changing its DWORD value. The default value is 0, which keeps SFC active; usually you do not need to change it. However, you can change the value from 0 to 4 to keep SFC active while suppressing its pop-up messages.

If a kernel debugger is attached, it is best to turn SFC off. In that case you can change the DWORD value to 1, which disables SFC and prompts you at each startup whether to re-enable it.

You can also turn SFC off by setting the DWORD value to 2. This option only disables SFC for the next startup. There is no prompt to reactivate SFC, because it is automatically re-enabled on the following startup.

SFCScan

Earlier I explained SFC's /SCANONCE, /SCANBOOT and /REVERT options. Whenever these options are used, SFC is actually modifying the SFCScan registry value. You can change the same behavior directly by editing its DWORD value.

The default value is 0. This value means that there is no need to scan protected files at startup. This setting is equivalent to running SFC /REVERT command.

Change the DWORD value to 1, which means that the protected file will be scanned every time it is started. Setting the value of SFCScan to 1 is equivalent to running SFC /SCANBOOT command.

Finally, setting DWORD to 2 will tell SFC to scan protected files at the next startup, but not all subsequent startups. This is equivalent to running the SFC /SCANONCE command.

SFCQuota

The SFCQuota registry value controls the size of the SFC file cache. You may remember that when I discussed the SFC /CACHESIZE=x command, I mentioned the inconsistent information about the default size of the file cache. On my system, the DWORD value of SFCQuota defaults to 0xffffffff. According to the Microsoft Knowledge Base, this value corresponds to a file cache size of 300 MB. Another article in the same Knowledge Base states that setting this value to FFFFFFFF causes all protected system files to be cached.

SFCDllCacheDir

Earlier I explained that Windows uses the DLLCACHE folder as the backup location for system files. Typically this folder is located in the \WINDOWS\SYSTEM32 directory. However, you can change the location of the file cache by modifying the SFCDllCacheDir registry value.

The file cache folder is normally located in the DLLCACHE directory, but you can change its location by modifying this registry value. The only caveat is that you must specify a path that already exists on the local hard disk. In Windows 2000 you could specify a network share as the DLLCACHE path, but that option is not available in Windows XP.

SFCShowProgress

Another SFC-related registry value is SFCShowProgress. Its DWORD value can be set to 0 or 1. The default value is 0, which hides SFC's progress display. Set the value to 1 to let SFC display its progress.

Source file address

Earlier I explained how WFP and SFC work. I pointed out that in some cases you may have to provide a copy of the Windows installation CD or another valid source of the files. However, by modifying the registry, you can point Windows directly at the source file directory so that it never has to ask you for these files.

This setting lives in a different part of the registry. You must find the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

Once you have found this key, you can use a drive letter, a path, or a UNC name to specify where the Windows system files are stored (the value is named SourcePath).

The only requirement is that the files be placed in a directory named I386. For example, if your Windows system files are in C:\I386, you only need to specify C:\ in the registry, because Windows assumes the I386 directory exists beneath that path. Likewise, if you plan to use a UNC shared folder, the I386 folder must exist inside the share. For example, if the directory you share is called FILES, put the I386 folder inside FILES and then tell Windows to look for the files in \\server_name\FILES.
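As an added example (not from the original article), the following PowerShell script reads the registry values discussed in the sections above and reports what each setting means, flagging a machine where file protection has been switched off. It assumes the Winlogon value that enables or disables SFC is named SFCDisable and the Setup value is named SourcePath; the article refers to both values without naming them.

```powershell
# Added example, not part of the original article: audit the WFP/SFC registry
# values it describes and report what each one means. The value names
# SFCDisable (under Winlogon) and SourcePath (under Setup) are assumptions.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$setup    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'

# Read one registry value, falling back to the documented default if it is absent.
function Get-RegValue($path, $name, $default) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $default }
    return $item.$name
}

# Meanings of each DWORD value, as described in the article.
$disableText = @{ 0 = 'SFC enabled (default)'
                  1 = 'SFC disabled, prompt at each boot (kernel debugger attached)'
                  2 = 'SFC disabled for the next boot only'
                  4 = 'SFC enabled, pop-up messages suppressed' }
$scanText    = @{ 0 = 'no scan at startup (SFC /REVERT)'
                  1 = 'scan every boot (SFC /SCANBOOT)'
                  2 = 'scan next boot only (SFC /SCANONCE)' }

$disable  = [int](Get-RegValue $winlogon 'SFCDisable' 0)
$scan     = [int](Get-RegValue $winlogon 'SFCScan' 0)
$quota    = Get-RegValue $winlogon 'SFCQuota' 0xFFFFFFFF
$cacheDir = Get-RegValue $winlogon 'SFCDllCacheDir' (Join-Path $env:SystemRoot 'system32\dllcache')
$progress = [int](Get-RegValue $winlogon 'SFCShowProgress' 0)
$source   = Get-RegValue $setup 'SourcePath' ''

# Describe a value, noting anything outside the documented set.
function Describe($table, $value) {
    if ($table.ContainsKey($value)) { return $table[$value] }
    return "unrecognised value $value"
}

# A REG_DWORD of FFFFFFFF reads back as -1 (Int32), so accept either form.
$quotaNote = if ($quota -eq -1 -or $quota -eq 0xFFFFFFFF) { '(cache all protected files)' } else { 'MB' }

"SFCDisable      = $disable ($(Describe $disableText $disable))"
"SFCScan         = $scan ($(Describe $scanText $scan))"
"SFCQuota        = 0x$('{0:X8}' -f $quota) $quotaNote"
"SFCDllCacheDir  = $cacheDir (exists: $(Test-Path $cacheDir))"
"SFCShowProgress = $progress ($(if ($progress -eq 1) { 'progress shown' } else { 'progress hidden' }))"
"SourcePath      = '$source'"
if ($source -ne '') { "  I386 under SourcePath exists: $(Test-Path (Join-Path $source 'I386'))" }

# With SFCDisable set to 1 or 2, overwritten protected files are not restored;
# treat that as a finding to explain unless a kernel debugger is deliberately in use.
if ($disable -eq 1 -or $disable -eq 2) { Write-Warning 'Windows File Protection is disabled on this machine.' }
```

Run it from an elevated prompt on the XP-era systems the article covers; on later Windows versions these values are absent and the script simply reports the documented defaults.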