| Legal Information |
|
Windows File Protection (WFP) prevents programs from replacing critical Windows system files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system.
WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions. Replacement of protected system files is supported only through the following mechanisms:
The WFP feature provides protection for system files using two mechanisms.
The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version.
If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. WFP searches for the correct file in the following locations, in this order:
Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your product CD-ROM now.
Windows File ProtectionNOTE: If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this case, WFP displays the dialog box after an administrator logs on. WFP also records an event to the system event log, noting the file replacement attempt. If an administrator cancels the WFP file replacement, an event noting the cancellation is logged. Note that WFP is not a replacement for having properly restricted user accounts and appropriate security policies.
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. The network location from which these files should be copied, \\server\share, is not available. Contact your system administrator or insert product CD-ROM now.
The second protection mechanism that is provided by the WFP feature is the System File Checker (Sfc.exe) tool. At the end of GUI-mode Setup, the System File Checker tool scans all the protected files to make sure that they are not modified by programs that were installed by using an unattended installation. The System File Checker tool also checks all the catalog files that are used to track correct file versions. If any of the catalog files are missing or damaged, WFP renames the affected catalog file and retrieves a cached version of that file from the cache folder. If a cached copy of the catalog file is not available in the cache folder, the WFP feature requests the appropriate media to retrieve a new copy of the catalog file.
The System File Checker tool gives an administrator the ability to scan all the protected files to verify their versions. The System File Checker tool also checks and repopulates the cache folder (by default, %SystemRoot%\System32\Dllcache). If the cache folder becomes damaged or unusable, you can use either the sfc /scanonce command or the sfc /scanboot command at a command prompt to repair the contents of the folder.
WFP is controlled by a range of registry settings.
The above applies to:
| Search Knowledge Base | Feedback |