Windows File Protection guide Posted on June 26, 2002 by Thomas McGuire
How It Works
WFP designates certain files as important system files: initially those installed during the initial installation of the system, i.e. all dll, exe, fon, ocx, sys & ttf files on the Windows 2000/XP CD, & creates a backup of them in a dllcache folder. After using your system for a while you’ll likely discover many other file types being protected in this way, e.g. ax, cpl, cpx, dll, exe, fon, inf, ocx, rsp, sys, ttf & tlb files. By default these are cached into the %SYSTEMROOT%\system32\dllcache folder, where they reside until WFP needs to restore a file with that copy. As you’re probably aware, the dllcache folder can get quite large as a result, though later in the guide I’ll show you how to set the maximum dllcache size. WFP works by detecting the replacement/overwriting of these system files. WFP then checks the file in question against the catalog files it has & should the file not be the correct version it will replace it with the cached version stored in the %SYSTEMROOT%\system32\dllcache folder, or, in cases where no cached version exists, you may be prompted for the Windows CD in order to restore the file with a supported version.
Uses
WFP has basically one use: it exists to protect the Windows system files from being modified, whether accidentally or otherwise. This is of far more importance if the system(s) in question are accessible by multiple users. So obviously Network Administrators should be rather pleased with this feature – no more will you need to run around fixing machines because someone installed/deleted something they shouldn’t have. Speaking from some experiences at work, you’d be surprised what people are told to do by the email virus hoaxes that get sent around. WFP can easily & transparently replace the system file (which is commonly the target of such hoaxes) with the copy stored in the dllcache. For the less experienced user the same reasoning applies: WFP is there to make sure you don’t accidentally or deliberately do something to your system files that you shouldn’t. Then again, for the minority of power users WFP can be more of a pain, & can be seen as just an extra burden on both CPU & hard drive space.
Updating System Files
It’s probably come to your attention by now that if WFP replaces protected system files, how exactly can they be updated with newer versions? Well, there are several ways this can be done:
1. During installation of Microsoft Windows Service Packs.
2. Updates installed using Windows Update.
3. Installation of Microsoft Hotfixes. Hotfixes from Microsoft are installed via hotfix.exe, which allows the replacement of protected system files without WFP interfering. Most Hotfixes for Windows 2000/XP are later combined into the Service Packs, although Hotfixes are always available before Service Packs (as such, Hotfixes are temporary fixes). A list of installed Hotfixes can be viewed in Add/Remove Programs, e.g.
As you can see, the 2 Hotfixes shown above will be part of Windows XP Service Pack 1.
4. Operating System installations/upgrades that use Winnt32.exe.
There is of course another, less automated way to change system files: first copy the file into the dllcache folder, overwriting the current copy, then replace the system file itself as located in the system32 directory, or wherever it may be. Should WFP be triggered by this it will merely replace the system file with the one stored in the dllcache folder, which by now has already been changed to the same file you want to replace the system file with. The opposite however is not true, i.e. do not replace the system file first & then replace the dllcache’s copy.
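To make the detect-and-restore behaviour (and the order-of-replacement point just made) concrete, here is a small Python model I have added to the guide. It is not Microsoft’s code and not part of the original article: a temporary directory stands in for system32, a sub-folder stands in for dllcache, SHA-256 hashes stand in for the catalog check (real WFP uses signed catalog files), and a change notification on a protected file triggers the compare-and-restore step. Every file name and file content in it is constructed for the demonstration.

```python
"""Miniature model of how Windows File Protection (WFP) behaves.

Added illustration, not Microsoft's code. A cache directory stands in for
%SYSTEMROOT%\\system32\\dllcache, SHA-256 hashes stand in for the catalog
check, and a change notification on a protected file triggers the
compare-and-restore step. Everything runs in temporary directories.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# File types the guide lists as protected after installation.
PROTECTED_SUFFIXES = {".dll", ".exe", ".sys", ".ocx", ".fon", ".ttf",
                      ".ax", ".cpl", ".cpx", ".inf", ".rsp", ".tlb"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


class MiniWfp:
    def __init__(self, system_dir: Path, cache_dir: Path):
        self.system_dir = system_dir
        self.cache_dir = cache_dir
        self.cache_dir.mkdir(parents=True, exist_ok=True)

    def protect_installed_files(self) -> list[str]:
        """Initial installation: copy every protected file type into the cache."""
        names = []
        for f in sorted(self.system_dir.iterdir()):
            if f.is_file() and f.suffix.lower() in PROTECTED_SUFFIXES:
                shutil.copy2(f, self.cache_dir / f.name)
                names.append(f.name)
        return names

    def check(self, name: str) -> str:
        """Compare one live file with its cached copy; restore it if they differ.

        Returns "ok", "restored", or "no-cached-copy" (where real WFP would
        prompt for the Windows CD instead).
        """
        live = self.system_dir / name
        cached = self.cache_dir / name
        if not cached.exists():
            return "no-cached-copy"
        if live.exists() and sha256_of(live) == sha256_of(cached):
            return "ok"
        shutil.copy2(cached, live)
        return "restored"

    def on_file_changed(self, name: str) -> str:
        """WFP reacts to the replacement/overwrite of a protected live file."""
        return self.check(name)

    def scan_all(self) -> dict[str, str]:
        """What sfc /scannow does: verify every cached file's live counterpart."""
        return {c.name: self.check(c.name) for c in sorted(self.cache_dir.iterdir())}


def update_protected_file(wfp: MiniWfp, name: str, new_bytes: bytes,
                          cache_first: bool) -> bytes:
    """Install a new version of a protected file by hand, in one of two orders.

    cache_first=True overwrites the dllcache copy before the live file, so the
    restore is a no-op and the update sticks. cache_first=False lets WFP revert
    the live file before the cache is touched. Returns the live bytes afterwards.
    """
    live = wfp.system_dir / name
    cached = wfp.cache_dir / name
    if cache_first:
        cached.write_bytes(new_bytes)   # no notification: the cache itself is not watched
        live.write_bytes(new_bytes)
        wfp.on_file_changed(name)       # live == cache, nothing to restore
    else:
        live.write_bytes(new_bytes)
        wfp.on_file_changed(name)       # live != cache, old copy restored
        cached.write_bytes(new_bytes)   # too late: the live file is already reverted
    return live.read_bytes()


def build_demo_system(root: Path) -> MiniWfp:
    """Constructed sample 'system32' with a few fake files (contents are made up)."""
    system = root / "system32"
    system.mkdir()
    (system / "kernel.dll").write_bytes(b"kernel v1")
    (system / "driver.sys").write_bytes(b"driver v1")
    (system / "readme.txt").write_bytes(b"not protected")
    wfp = MiniWfp(system, system / "dllcache")
    wfp.protect_installed_files()
    return wfp


def demo() -> dict:
    root = Path(tempfile.mkdtemp())
    wfp = build_demo_system(root)
    results = {"cached": sorted(p.name for p in wfp.cache_dir.iterdir())}
    # Tamper with one protected file and delete another, then run a full scan.
    (wfp.system_dir / "kernel.dll").write_bytes(b"hoax told me to edit this")
    (wfp.system_dir / "driver.sys").unlink()
    results["scan"] = wfp.scan_all()
    results["kernel_after_scan"] = (wfp.system_dir / "kernel.dll").read_bytes()
    # The two manual update orders discussed in the guide.
    results["cache_first"] = update_protected_file(wfp, "kernel.dll", b"kernel v2", True)
    results["live_first"] = update_protected_file(wfp, "driver.sys", b"driver v2", False)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows both tampered files coming back from the cache, the cache-first update surviving, and the live-first update being reverted to the old version, which is exactly why the guide says to change the dllcache copy first.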
Initial Preparation
Before you start to do anything with WFP you must be logged on as an Administrator. Many of the changes you can make require such administrative privileges, so save yourself a lot of trouble & make sure you are logged on as Administrator now. After you have logged on as Administrator you should update an ERD (Emergency Repair Disk). Although it’s unlikely you’ll need this, it’s best to be safe. To make an ERD take the following steps:
1. Click on Start, (All Programs) Programs, Accessories, System Tools, then Backup.
2. Select the Emergency Repair Disk option in the Welcome tab in Windows 2000 & back up your registry (this is where any changes you make to WFP are stored).
Now that you’ve backed up & are logged on as the correct user we can get to use WFP.
Using & Customizing WFP
Windows File Protection operation can be customized in several ways, the simplest being through the Group Policy Editor. Click on Start, Run, type in gpedit.msc & hit the OK button. Expand Computer Configuration, Administrative Templates, System & select the Windows File Protection folder.
To change the properties for each available setting double click on it & select the Setting tab.
Set Windows File Protection scanning. This option may be useful to the more paranoid system administrators out there. Selecting Enabled & setting this to Scan during startup will set WFP to scan protected files during system startup & replace them as required. This will prolong startup time however, so for regular users you should just select Do not scan during startup instead for the fastest startup time. Neither of these options affects how WFP operates once the OS is loaded.
Hide the file scan progress window. Setting this to Enabled will disable the display of the progress meter for WFP, as displayed when running, say, sfc /scannow. Personally I’d recommend setting this to Disabled.
Limit Windows File Protection cache size. By default WFP will store a large number of protected system files (depending on hard drive space) in the dllcache folder. While this makes replacing protected files easy, it can also take up an excessive amount of hard drive space given the number of files cached. By default there is no limit on the size of the dllcache. To set a maximum size for this folder select Enabled & enter a value in MB for the dllcache, which helps ensure that it doesn’t grow too large. 100MB would be a decent size for those with smaller hard drives, though if space allows you should try larger values (200-300MB) so as to save on potentially having to re-insert the Windows 2000/XP CD if a required file isn’t in the dllcache folder. For optimal operating performance of WFP though, set this to Not Configured (to allow it to cache files at will).
Specify Windows File Protection cache location. Should you wish to change the default directory where the dllcache folder resides, set this to Enabled & in the Cache file path field enter the directory you wish to use instead. By default this will be %SystemRoot%\system32, which places the dllcache folder in a location such as C:\Windows\system32\dllcache. This might be useful for those with multiple hard drives as it could be used to place the dllcache on the least used drive. Set this to Not Configured should you wish to use the default directory.
To further customize WFP operation, click on Start, (All Programs) Programs, Accessories, then Command Prompt. The commands available are as follows (some are OS specific, as noted):
sfc /scannow. This command immediately initiates a WFP scan of all protected files to verify their integrity, replacing any files which are an incorrect version (you may be prompted for your CD during this process).
sfc /scanonce. This command sets WFP to scan all protected files when you reboot your system; like the previous option this requires your installation media, e.g. the CD, to be available.
sfc /scanboot. This works basically the same as sfc /scanonce, though rather than only running the next time you boot the system it will run every time you boot up. This would be a more useful option for system administrators & the like, should you wish to ensure that less experienced users on your network haven’t done something they really shouldn’t have.
Both of these last options can also be set via the registry, which you may prefer:
1. Click on Start, Run, type in regedit & hit Enter.
2. Open the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon].
3. In the right hand pane, right-click & create a new DWORD Value named SFCScan (or modify it if it already exists).
4. In the Value Data field, enter a Decimal value of 0 to enable normal operation of WFP (default). A Decimal value of 1 sets WFP to scan all protected system files every time the system is booted, while a Decimal value of 2 sets WFP to scan all protected system files the next time you boot the system.
5. Reboot for any changes to take effect.
sfc /cancel. In Windows 2000, this command immediately cancels all pending scans of protected system files. This has no effect in Windows XP.
sfc /quiet. In Windows 2000 this sets WFP to replace any incorrect system files detected with the appropriate version from the dllcache without any user notification. This has no effect in Windows XP.
sfc /purgecache. This empties the contents of the dllcache folder; in Windows 2000 WFP will also begin scanning all protected files after the deletion is complete.
sfc /cachesize=x. This is the command-line equivalent of the Limit Windows File Protection cache size policy described above. By default there is no limit on the size of the dllcache; replacing x with a value (in MB) sets the maximum allowable size of the dllcache folder & thus helps ensure that it doesn’t grow too large. 100MB would be a decent size for those with smaller hard drives, though if space allows you should try larger values (200-300MB) so as to save on potentially having to re-insert the Windows 2000/XP CD if a required file isn’t in the dllcache folder.
sfc /revert or sfc /enable. Both of these commands reset WFP to the default mode of operation, with sfc /revert used in Windows XP & sfc /enable in Windows 2000.
Disabling WFP
For the more performance-hungry users out there disabling WFP is seen as a pretty good way of freeing up some resources, though it has obvious drawbacks where stability is concerned. Still, if disabling it appeals to you it’s not too hard to do, though personally I’d recommend against it. Perhaps most critically, since the release of Windows 2000 Service Pack 2 & Windows XP the procedure for disabling WFP has changed considerably; most sites you may have visited on this subject still show the old Windows 2000 pre-Service Pack 1 method, which no longer has any effect. Given that I don’t recommend doing this at all, should you require instructions check out Axcel216’s Guide, which covers disabling it in Windows 2000 Service Pack 2 & Windows XP (scroll down to the DISABLE FILE PROTECTION section). To verify that WFP has been disabled, after rebooting click on Start, Control Panel, Administrative Tools, Event Viewer. An event will be logged (as shown beneath) to indicate WFP is disabled on the PC.
If this event hasn’t been logged in Event Viewer then WFP has not been disabled.
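Checking Event Viewer by hand is fine for one PC; for a few dozen, a saved copy of the System log is easier to go through with a script. The following Python checker is an added example, not part of the original guide: it reads a tab-separated text export of the kind Event Viewer can save (the column order is read from the header line rather than assumed), picks out entries from the Windows File Protection source, and reports whether WFP has logged that it is not active. The sample log lines are constructed for the illustration, and the event IDs in them are assumed from memory rather than taken from this guide, so confirm them against the entry you see in your own Event Viewer.

```python
"""Check a saved event log export for Windows File Protection activity.

Added example, not part of the original guide. SAMPLE_LOG is constructed;
the WFP event IDs (64032 "not active", 64001 "file replacement attempted")
are assumed from memory and should be confirmed in your own Event Viewer.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

WFP_SOURCE = "Windows File Protection"
# Phrases in the description that indicate WFP has been switched off.
NOT_ACTIVE_PHRASES = ("not active", "disabled")

# Constructed sample export: header row then four events, tab-separated.
SAMPLE_ROWS = [
    ["Type", "Date", "Time", "Source", "Category", "Event", "User", "Computer", "Description"],
    ["Information", "6/26/2002", "9:01:10 AM", "eventlog", "None", "6005", "N/A", "PC1",
     "The Event log service was started."],
    ["Information", "6/26/2002", "9:01:42 AM", WFP_SOURCE, "None", "64032", "N/A", "PC1",
     "Windows File Protection is not active on this system."],
    ["Information", "6/26/2002", "9:15:03 AM", WFP_SOURCE, "None", "64001", "N/A", "PC1",
     "File replacement was attempted on the protected system file "
     "c:\\winnt\\system32\\example.dll. This file was restored to the original version."],
    ["Error", "6/26/2002", "9:20:00 AM", "Service Control Manager", "None", "7000", "N/A", "PC1",
     "The Example service failed to start."],
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS) + "\n"


@dataclass
class WfpEvent:
    date: str
    time: str
    event_id: int
    description: str

    def indicates_not_active(self) -> bool:
        text = self.description.lower()
        return any(phrase in text for phrase in NOT_ACTIVE_PHRASES)


def parse_event_export(text: str) -> list[WfpEvent]:
    """Return only the Windows File Protection events from a tab-separated export."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    events = []
    for row in reader:
        if (row.get("Source") or "").strip() != WFP_SOURCE:
            continue
        try:
            event_id = int((row.get("Event") or "").strip())
        except ValueError:
            continue  # malformed row: skip rather than guess
        events.append(WfpEvent(
            date=(row.get("Date") or "").strip(),
            time=(row.get("Time") or "").strip(),
            event_id=event_id,
            description=(row.get("Description") or "").strip(),
        ))
    return events


def wfp_status(events: list[WfpEvent]) -> dict:
    """Summarise: is WFP reported as disabled, when, and how many other WFP events exist."""
    not_active = [e for e in events if e.indicates_not_active()]
    return {
        "wfp_disabled": bool(not_active),
        "not_active_events": [(e.date, e.time, e.event_id) for e in not_active],
        "other_wfp_events": len(events) - len(not_active),
    }


def check_export(text: str) -> dict:
    """Convenience wrapper: parse an export and return the status summary."""
    return wfp_status(parse_event_export(text))


if __name__ == "__main__":
    print(check_export(SAMPLE_LOG))
```

Run against the constructed sample it reports WFP as disabled at 9:01:42 AM and one other WFP event (the attempted file replacement); on an export with no Windows File Protection entries at all it reports WFP as not disabled, which matches the guide’s rule that no event means WFP is still running.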
Conclusion
By now you should have a greater understanding of Windows File Protection in Windows 2000/XP & how it works. You should also have learned how to better tune it to your system. You can find further Windows 2000 & XP Guides here. If you have any Questions/Comments/Suggestions about this Guide be sure to check out our Windows OS Forum, or Email me.