The WFP feature uses two mechanisms to provide protection for system files. The first mechanism runs in the background. This protection mechanism is triggered after WFP receives a directory change notification for a file in a protected directory. Once WFP receives this notification, it determines which file was changed. If the file is a protected file, WFP looks for the file signature in the catalog file to determine if the new file is the correct version. If this file is an incorrect version, WFP will replace the new file with the file from the cache folder (if the file is in the cache folder) or from the installation source. WFP searches for the correct files in the following locations in the following order:
The cache folder (the default location is %systemroot%\system32\dllcache).
Network installation path (if the system is installed over the network).
Windows CD-ROM (if the system was installed from a CD-ROM).
If WFP finds the file in the cache folder or automatically finds the installation source, WFP replaces the file without prompting. If WFP cannot automatically find the file in any of these locations, one of the following messages appears, where file_name is the name of the file being replaced and product is the Windows product you are using:

Windows File Protection
A file required to run Windows properly has been replaced with an unrecognized version. To maintain system stability, Windows must restore the original versions of these files. Please insert the product CD-ROM now.

Windows File Protection
The network location \\server\share from which these files should be copied cannot be used. Please contact your system administrator or insert the product CD-ROM now.
Note: If the administrator is not logged in, WFP cannot display any of the above dialog boxes. In this case, WFP displays the dialog box after the administrator logs in. WFP may wait for the administrator to log in under the following circumstances:
The SFCShowProgress registry value is missing or set to 1, and the server is set to scan every time the computer starts. In this case, WFP waits for a console logon. Therefore, the RPC server is not started before the scan is performed. During this period, the computer has no protection.
Note: You can still map network drives, use system files, and log in to the server using Terminal Services. WFP does not treat these operations as console logins and waits indefinitely.
WFP must restore files from a network share. This can happen if the file is not in the Dllcache folder or is corrupted. In this case, WFP may not have the correct credentials to access the share from the network-based installation media.
The second protection mechanism provided by the WFP feature is the System File Checker (Sfc.exe) tool. At the end of the GUI mode installation, the System File Checker tool scans all protected files to ensure that they have not been modified by programs installed using the unattended installation process. The System File Checker tool also checks all catalog files used to track correct file versions. If any catalog file is missing or corrupted, WFP will rename the affected catalog file and retrieve the cached version of the file in the cache folder. If there is no cached copy of the catalog file in the cache folder, the WFP feature requests the appropriate media to retrieve a new copy of the catalog file.
Administrators can use the System File Checker tool to scan all protected files to verify their versions. The System File Checker tool can also be used to check and repopulate the cache folder (the default location is %SystemRoot%\System32\Dllcache). If the cache folder is corrupted or unusable, you can use the sfc /scanonce or sfc /scanboot command at the command prompt to repair the contents of this folder.
The SfcScan value in the following registry key has three possible settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SfcScan value settings:
0x0 = Do not scan protected files after reboot. (Default)
0x1 = Scan all protected files after every reboot (set this value if running sfc /scanboot).
0x2 = Scan all protected files once after reboot (set this value if running sfc /scanonce).

By default, all system files are cached in the cache folder, and the default size of the cache is 400 MB. Given limited disk space, it may be preferable not to keep cached versions of all system files in the cache folder. To change the size of the cache, change the setting of the SFCQuota value in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Verified versions of the files are stored in the Dllcache folder on the hard disk. The number of cached files depends on the setting of the SFCQuota value (the default is 0xFFFFFFFF, or 400 MB). Administrators can set the SFCQuota value as needed. Note that if you set the SFCQuota value to 0xFFFFFFFF, the WFP feature caches all protected system files (approximately 2,700 files).
No matter what the SFCQuota value is set to, the cache folder may not contain copies of all protected files under the following two conditions:

Insufficient disk space.
Under Windows XP, WFP stops filling the Dllcache folder when the free space on the hard disk is less than 600 MB plus the maximum page file size.
Under Windows 2000, WFP stops filling the Dllcache folder when there is less than 600 MB of free space on the hard disk.

Network installation.
When installing Windows 2000 or Windows XP over a network, the i386\lang directory files are not populated in the Dllcache folder.
In addition, all drivers in the Driver.cab file are protected; however, they are not populated in the Dllcache folder. WFP can restore these files directly from the Driver.cab file without prompting the user to specify the source media. However, if you run the sfc /scannow command, the Dllcache folder is populated with these files from the Driver.cab file.
If WFP detects that a file change has occurred and the affected file is not in the cache folder, WFP checks the version of the changed file that is being used by the operating system. If the correct version of the file is currently being used, WFP copies this file version to the cache folder. If the file currently in use is not the correct version, or if the file is not cached in the cache folder, WFP attempts to locate the installation source. If WFP cannot find the installation source, it will prompt the administrator to insert the appropriate media to replace the file or cached file version.
The SFCDllCacheDir value (REG_EXPAND_SZ) in the following registry key specifies the location of the Dllcache folder:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The default value data of the SFCDllCacheDir value is %SystemRoot%\System32. The SFCDllCacheDir value can be a local path. By default, the SFCDllCacheDir value is not listed in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. To modify the cache location, you must add this value.
When Windows starts, WFP synchronizes (copies) the WFP settings in the registry key
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection
to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Therefore, if the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection subkey contains SfcScan, SFCQuota or SFCDllCacheDir values, these values take precedence over the same values in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon subkey.
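The following PowerShell script is an added example, not part of the original article: it reads the SfcScan, SFCQuota and SFCDllCacheDir values described above, applying the precedence rule (Policies key first, then Winlogon key, then the documented default) so an administrator can audit which setting is actually in effect. It assumes a Windows 2000/XP-era host where WFP exists and that it runs with rights to read HKLM; on later systems these values are normally absent and the defaults are reported.

```powershell
# Added example (not from the original article). Reports the effective WFP settings.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-RegValueOrNull {
    # Returns the value data, or $null if the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WfpEffectiveSetting {
    # Policy value wins when present; otherwise the Winlogon value; otherwise the default.
    param([string]$Name, $Default)
    foreach ($key in @($policyKey, $winlogonKey)) {
        $v = Get-RegValueOrNull -Path $key -Name $Name
        if ($null -ne $v) { return [pscustomobject]@{ Name = $Name; Value = $v; Source = $key } }
    }
    return [pscustomobject]@{ Name = $Name; Value = $Default; Source = '(default, value absent)' }
}

# Meanings of the three documented SfcScan settings.
$scanMeaning = @{
    0 = 'Do not scan protected files after reboot'
    1 = 'Scan all protected files after every reboot (sfc /scanboot)'
    2 = 'Scan all protected files once after reboot (sfc /scanonce)'
}

$scan  = Get-WfpEffectiveSetting -Name 'SfcScan'        -Default 0
$quota = Get-WfpEffectiveSetting -Name 'SFCQuota'       -Default 0xFFFFFFFF
$cache = Get-WfpEffectiveSetting -Name 'SFCDllCacheDir' -Default '%SystemRoot%\System32'

# REG_DWORD comes back as a signed Int32, so mask before comparing with 0xFFFFFFFF.
$quotaRaw  = [uint32]($quota.Value -band 0xFFFFFFFF)
$quotaText = if ($quotaRaw -eq [uint32]0xFFFFFFFF) { '0xFFFFFFFF (cache all protected files)' }
             else { '0x{0:X8}' -f $quotaRaw }

# SFCDllCacheDir is REG_EXPAND_SZ; the Dllcache folder sits beneath the expanded path.
$cacheDir = Join-Path ([Environment]::ExpandEnvironmentVariables([string]$cache.Value)) 'Dllcache'

'SfcScan        = {0} ({1})  [from {2}]' -f $scan.Value, $scanMeaning[[int]$scan.Value], $scan.Source
'SFCQuota       = {0}  [from {1}]' -f $quotaText, $quota.Source
'SFCDllCacheDir = {0}  [from {1}]' -f $cacheDir, $cache.Source
'Dllcache folder present: {0}' -f (Test-Path -LiteralPath $cacheDir)
```

A non-default SfcScan or SFCDllCacheDir reported from the Winlogon key while the Policies key is empty is worth checking, since the article notes SFCDllCacheDir is not present by default.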