Windows File Protection
Article by Marc Liron - Microsoft MVP (Windows Desktop Experience)
An introduction to Windows File Protection
The Windows File Protection "concept" was first introduced by
Microsoft in the Windows Millennium operating system as a way of
stabilising the software.
In Windows XP we have a much better version of this service, and this
article has been written to inform the reader of its benefits.
For those of you who remember using Windows 98 computers,
a frequent problem was the operating system becoming erratic or just
completely freezing for no apparent reason.
Well, the underlying cause of these woes was often unprotected
system files being overwritten, corrupted or even deleted!
This led to most of the support issues and was often referred to as
"DLL HELL" because things could get so bad...
Now, with the Windows File Protection service in place, technical
support is much easier!
What is Windows File Protection...
The Windows File Protection service is an "invisible" service that
is enabled by default and runs constantly in the background after a
successful logon. (It does not load in Safe Mode.)
ALL SYS, DLL, EXE and OCX files that ship on the Windows XP CD are
protected. The TrueType fonts Micross.ttf, Tahoma.ttf and
Tahomabd.ttf are also protected. They are all "backed up" to a
special folder called dllcache. The location of this folder is:
%SYSTEMROOT%\system32\dllcache
The dllcache folder is extremely important, so Windows XP hides it
from you! To view it go to: My Computer > Tools > Folder Options >
View > uncheck "Hide protected operating system files". This will
also reveal other hidden system files, so be careful! e.g.
pagefile.sys
Windows File Protection works by detecting the
replacement or overwriting of these system files. It then checks the
file in question against several catalogue files it has access to
(nt5.cat, nt5inf.cat etc.). Should the file not be the correctly
digitally signed version it is expecting, Windows File Protection
will replace it with the cached version stored in the
%SYSTEMROOT%\system32\dllcache folder, or, in cases where no cached
version exists, you may be prompted for the Windows XP CD in order to
restore the file with a supported version.
(NB - In my separate article on the scannow sfc utility I show you
how to get around this annoying request for the XP CD.)
To test this, go to the dllcache folder yourself (probably
C:\WINDOWS\system32\dllcache on your computer) and rename
the file acctres.dll to acctress.dll.
Close the Explorer window and reopen it at the same location. You will
now see that the Windows File Protection service has replaced the file
acctres.dll (now delete acctress.dll).
This action is recorded in the System log (via Event Viewer):
---------------------------------------------------------------------------
Event Type: Information
Event Source: Windows File Protection
Event Category: None
Event ID: 64002
Date: 28/12/2003
Time: 15:37:42
User: N/A
Computer: MARCXP
Description:
File replacement was attempted on the protected system file
acctres.dll. This file was restored to the original version to
maintain system stability. The file version of the system file is
6.0.2600.0.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp
---------------------------------------------------------------------------
Is Windows File Protection a good thing...
YES it IS!
It exists to protect the Windows system files from being modified,
whether accidentally or otherwise. As a network administrator I am
VERY pleased with this feature – no more running around fixing
machines due to someone installing/deleting something they shouldn't
have. You'd be surprised what people are told to delete in these
email virus hoaxes that are being sent around. Another important
reason for having this service running is Trojans and viruses that
try to overwrite system files in order to pass on information from
your machine. If this happens, Windows File Protection will kick in!
Software vendors writing software for Windows XP can no longer
replace files on your PC as part of the install process. Part of the
certification process to get the XP logo for their software products
means vendors now have to follow strict rules about how software is
installed. This is a GOOD thing!
What about when system files are updated by Microsoft...
If Windows File Protection protects system files then how exactly
can they be updated with newer versions?
Well, Microsoft has made the following methods Windows File
Protection "aware", meaning the newer files will replace the old
system files and a copy of the new file will be stored in the
dllcache folder. The security catalogues are also updated, so the
Windows File Protection service always knows which version of the
digitally signed file is current!
Replacement of protected system files is supported using the
following mechanisms:
• Windows Service Pack installation (UPDATE.EXE), e.g. XP SP2
• Hotfix distributions installed using HOTFIX.EXE, e.g. KB825035
• Operating system upgrade (WINNT32.EXE)
• Windows Update Website
• Windows Device Installer
Can I turn off Windows File Protection...
The official answer from Microsoft is NO, and this is by design. (The
only exception is if you are using a kernel debugger.)
However, there is a way to do it, BUT I can think of no reason for
you to do so!!!
On close inspection of the system file sfc.dll it is possible to
see a reference, in part of the code, that checks the value of
SFCDisable in the Winlogon key... (something we talk about in a
moment!)
This key is: 0ffffff9dh
This is NOT a documented feature from Microsoft and
should NOT be used unless you REALLY are sure you need to disable
the service!
(NB - It is interesting to note that the virus "W32/CodeRed.D", which
caused so much mayhem by shutting down Internet servers in the
summer of 2002, used this very same undocumented setting to stop the
Windows File Protection service from running. The virus could then
release its Trojan payload to do damage and replicate itself around
the Internet!)
The registry key to change is:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
By default, SFCDisable is set to 0, which means Windows File
Protection is active.
Setting SFCDisable to 1 will disable Windows File Protection.
Setting SFCDisable to 2 will disable Windows File Protection for the
next system restart only (without a prompt to re-enable).
Important: You must have a kernel debugger attached to the system
via null modem cable to use SFCDisable = 1 or SFCDisable = 2.
After Windows File Protection is disabled using the SFCDisable = 1
setting, the following message will appear after logon:
Warning! Windows File Protection is not active on this system. Would
you like to enable Windows File Protection now? This will enable
Windows File Protection until the next system restart. <Yes> <No>.
Clicking Yes will reactivate Windows File Protection until the next
system restart. This message will appear at every successful logon
until SFCDisable is set to 0.
NOTE: The above message will only be presented to Administrators.
To verify that Windows File Protection has been disabled, after
rebooting click on Start menu > Control Panel > Administrative Tools
> Event Viewer.
An event will be logged to indicate Windows File Protection is
disabled on the PC. If this event hasn’t been logged in Event Viewer
then the service has NOT been disabled...
Customizing Windows File Protection...
The Windows File Protection service can be customized in several
ways; the simplest way to modify the options is through the Group
Policy Editor.
Click on Start Menu > Run box > type in gpedit.msc and hit the OK
button.
Expand Computer Configuration > Administrative Templates > System,
then select the Windows File Protection folder...
ANY changes made here will update the registry keys at:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection
Administrators PLEASE note:
When Windows XP starts up, the Windows File Protection service
synchronizes (copies) the Windows File Protection settings from the
following registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection
to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Therefore, if any of the following values are present in the
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection
key, they will take precedence over the same values under the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
key.
Other edits include:
All registry settings for this service are located in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
By default, only Administrators and System will be able to modify
these settings.
SFCScan (REG_DWORD)
0 = do not scan protected files at boot (default).
1 = scan protected files at every boot.
2 = scan protected files once.
SFCQuota (REG_DWORD)
n = size (in megabytes) of the dllcache quota.
FFFFFFFF = all files.
If you don't know hex, here are some samples:
00000099 = 153 (MB).
0000004b = 75 (MB).
00000032 = 50 (MB).
0000000a = 10 (MB).
SFCShowProgress (REG_DWORD)
0 = System File Checker progress meter is not displayed.
1 = System File Checker progress meter is displayed (default).
SFCDllCacheDir (REG_EXPAND_SZ)
Path = local location of the dllcache directory (default is
%Systemroot%\system32\dllcache).
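As an added example (not part of this article or of Windows itself), here is a small PowerShell audit script that reads the settings listed above, applies the Policies-over-Winlogon precedence described earlier, flags a non-zero SFCDisable (the value CodeRed.D abused), and lists recent Windows File Protection events such as the 64002 restoration record shown earlier. It assumes Windows PowerShell 2.0 or later is installed on the host and that it is run as an Administrator.

```powershell
# Added audit script, not from the article. Resolves the effective WFP
# settings (the Policies key wins over Winlogon, as the article explains)
# and lists recent "Windows File Protection" events from the System log.
# Assumes Windows PowerShell 2.0 or later, run as Administrator.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection'
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WfpSetting {
    param([string]$Name)
    # Check the policy key first, then Winlogon; if neither has it, the default applies.
    foreach ($key in @($policyKey, $winlogonKey)) {
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($item -ne $null -and $item.$Name -ne $null) {
                return New-Object PSObject -Property @{ Name = $Name; Value = $item.$Name; Source = $key }
            }
        }
    }
    New-Object PSObject -Property @{ Name = $Name; Value = $null; Source = '(not set; default applies)' }
}

$names    = 'SFCDisable', 'SFCScan', 'SFCQuota', 'SFCShowProgress', 'SFCDllCacheDir'
$settings = $names | ForEach-Object { Get-WfpSetting -Name $_ }
$settings | Select-Object Name, Value, Source | Format-Table -AutoSize

# SFCDisable is the value CodeRed.D abused; anything other than 0 (or absent) deserves a look.
$disable = ($settings | Where-Object { $_.Name -eq 'SFCDisable' }).Value
if ($disable -eq $null -or $disable -eq 0) {
    Write-Output 'SFCDisable is 0 or not set: Windows File Protection is active.'
} elseif ($disable -eq 1) {
    Write-Warning 'SFCDisable = 1: Windows File Protection is disabled (undocumented setting).'
} elseif ($disable -eq 2) {
    Write-Warning 'SFCDisable = 2: Windows File Protection is disabled until the next restart.'
} else {
    Write-Warning ("SFCDisable = {0}: non-standard value, investigate." -f $disable)
}

# Event 64002 is the restoration record shown in the article; the "not active"
# notice logged after a disable comes from the same event source.
Get-EventLog -LogName System -Source 'Windows File Protection' -Newest 20 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, EntryType, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap
```

Run it before and after the SFCDisable experiment described above to see both the registry change and the corresponding event records.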
By now you should have a greater understanding of Windows File
Protection in Windows XP and how it works.
Please read my separate article on the scannow sfc command line
utility, which allows you to manually use the Windows File Protection
service on your PC.
Disclaimer: Modifying
the registry can cause serious problems that may require you to
reinstall your operating system. I cannot guarantee that problems
resulting from modifications to the registry can be solved. Use the
information provided at your own risk.
Enjoy!
Kind Regards

Marc Liron - Microsoft MVP