A common problem in the history of the Microsoft Windows operating systems has been the ability for shared system files to be overwritten by non-operating system installation programs. After such changes are made, the user may experience unpredictable system performance, ranging from application errors to operating system crashes. This problem affects several types of files--most commonly dynamic link libraries (.dll) and executable files (.exe).
In Windows 2000 and Windows XP, the Windows File Protection (WFP) feature prevents overwriting or replacement of certain system files. Overwriting shared system files can result in unpredictable system performance that ranges from application errors to operating system crashes. System instability caused by non-standard replacement of system files has been a common problem. By preventing the replacement of these essential system files, file version mismatches are avoided, and the overall stability of the system is improved.
Note: System-file protection is called System File Protection (SFP) on Windows Millennium Edition. WFP and SFP perform the same service but differ slightly in the way they monitor protected files, which files are protected, and what mechanisms can be used to replace protected files. For information about SFP, see System File Protection and Windows Me.
On This Page
About Windows File Protection
Windows File Protection and Driver Installation
System File Checker
Supported File Replacement Mechanisms
Protected File List
Unattended Setup Parameters
Disabling Windows File Protection
Additional Registry Settings
About Windows File Protection
WFP protects system files by running in the background and detecting attempts to replace protected system files. WFP is triggered after it receives a directory change notification on a file in a protected directory. Once this notification is received, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct Microsoft version. If it is not, the operating system replaces the file with the correct version from the dllcache directory or the distribution media.
After detecting the replacement of a protected file, WFP searches for the replaced files in the following order:
1. Search the dllcache directory.
2. If the system was installed via network install, search the network install path.
3. Search on the CD.
If the file is found in dllcache or the install source is auto-located, WFP replaces the file without prompting the user and moves on. If the file cannot be found, WFP displays a dialog box that prompts the user to either insert distribution media or cancel the restore operation.
WFP also logs an event to the system event log, noting the file replacement attempt. If the administrative user cancels the WFP file restoration, an event noting the cancellation is logged.
Note: The "hit rate" of the dllcache directory is related to the size of the cache specified in the SFCQuota setting. See "Protected File List" later in this article for more information about the SFCQuota setting.
Windows File Protection and Driver Installation
The protected system files in Windows 2000 and Windows XP include many files that have previously been categorized as "redistributable." Msvcrt.dll is an example of such a file. Drivers for Windows 2000 and Windows XP should not install these files, but should instead use the version provided by the operating system.
NOTE: Windows Hardware Quality Labs (WHQL) will not grant the "Designed for Windows" logo for any drivers that install any of these system files.
Unfortunately, many Windows NT 4.0 drivers require these redistributable files to function. Furthermore, device driver installation files (.inf) do not allow the driver developer to perform conditional branching or otherwise differentiate between Windows 2000, Windows XP, and Windows NT 4.0 drivers. In cases where the Windows NT 4.0 driver requires the installation of system files, the solution is straightforward: driver developers must provide two similar, yet distinct INF files.
• For Windows 2000 and Windows XP, the INF file should not install or modify any system files, whether or not they have previously been labeled as redistributable. These files must not appear in the [CopyFiles] sections of the INF.
• For Windows NT 4.0 drivers, the INF file can install redistributable files as required.
To provide the best Plug and Play experience for users, the Windows 2000/Windows XP INF file should be placed in the root directory on the distribution media. Windows Plug and Play will find this INF file and install the driver with a minimum of user intervention. The Windows NT 4.0 INF file should be placed in a subdirectory on the distribution media. Vendors can direct their Windows NT 4.0 users to navigate to this subdirectory for installing the driver.
Vendors with drivers on the Windows 2000 or Windows XP distribution media can update those drivers with newer versions by following these guidelines:
• When developing the updated driver, update the date in the DriverVer entry (or entries) in the INF file. This date should be the date when one or more of the files in the driver package was changed. For information about the DriverVer entry, see the Windows DDK documentation for the [Version] section of INF files.
• Submit the updated driver package to WHQL for Windows Logo testing and driver signature.
• Distribute the updated driver package along with the signed catalog file provided by WHQL.
• Upon receiving this updated and signed driver package, users will be able to install the updated driver without file signature verification dialog boxes appearing during installation.
Summary of WFP and Driver Issues:
• Do not redistribute any Windows 2000 or Windows XP system files. WHQL will not grant the "Designed for Windows" logo for any drivers that include, install, or otherwise modify any Windows system files.
• As needed, develop and distribute different INF files to handle device installation on Windows 2000, Windows XP, and Windows NT 4.0.
• Vendors who have drivers that are included on the Windows 2000/Windows XP distribution media can update these drivers.
• Submit drivers to WHQL for Windows Logo testing and driver signing.
• See the Windows DDK for more information about installation of device drivers.
System File Checker
A command-line utility called System File Checker (SFC.EXE) allows an Administrator to scan all protected files to verify their versions. System File Checker can also set the registry value SFCScan discussed in "Additional Registry Settings" later in this article.
System File Checker will also check and repopulate the %Systemroot%\system32\dllcache directory. If the dllcache directory becomes corrupted or unusable, SFC /SCANNOW, SFC /SCANONCE, SFC /SCANBOOT, or SFC /PURGECACHE can be used to repair the contents of the dllcache directory.
SFC.exe scans all protected system files and replaces incorrect versions with correct Microsoft versions. The following shows the syntax:
SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/QUIET] [/PURGECACHE] [/CACHESIZE=x]
/SCANNOW Scans all protected system files immediately.
/SCANONCE Scans all protected system files once.
/SCANBOOT Scans all protected system files at every boot.
/CANCEL Cancels all pending scans of protected system files.
/QUIET Replaces all incorrect file versions without prompting the user.
/PURGECACHE Purges the file cache and scans all protected system files immediately.
/CACHESIZE=x Sets the file cache size (in megabytes).
Supported File Replacement Mechanisms
Replacement of protected system files is supported using the following mechanisms:
• Windows Service Pack installation (UPDATE.EXE)
• Hotfix distributions installed using HOTFIX.EXE
• Operating system upgrade (WINNT32.EXE)
• Microsoft Update
• Windows Device Installer
Replacing protected files by other means than those mentioned above results in the files being replaced by WFP.
To update third-party drivers that ship with Windows 2000/Windows XP, driver developers will have two options:
• Submit the finished driver update to Windows Hardware Quality Labs (http://www.microsoft.com/whdc/whql/default.mspx) for validation testing. If the driver passes, it will be signed by WHQL and will be installable via the Device Installer without issue.
• Install an unsigned version of a driver that is undergoing WHQL validation testing. By default, the Windows Device Installer will give the user a warning dialog box when an attempt is made to install an unsigned driver. The user can choose to override that warning and install the unsigned driver.
Protected File List
All SYS, DLL, EXE, and OCX files that ship on the Windows CD are protected. True Type fonts--Micross.ttf, Tahoma.ttf, and Tahomabd.ttf--are also protected.
The size of the dllcache directory depends on the setting of the registry value HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon\ SFCQuota. WFP adds files to the cache until the size of the dllcache directory reaches the SFCQuota value. Setting the SFCQuota value to 0xFFFFFFFF hex causes WFP to cache all protected system files. SFCQuota = 0xFFFFFFFFh is the default setting for Windows 2000.
After Setup is complete, WFP runs a scan of all protected files to ensure that they have not been modified by applications that were installed using unattended installation methods. This scan also populates the dllcache directory with verified file versions. If the dllcache directory becomes corrupted, run SFC /PURGECACHE. SFC will delete the contents of the dllcache directory, rescan all Windows files, and repopulate the dllcache directory with verified file versions.
The location of the dllcache directory is specified in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon\SFCDllCacheDir (REG_EXPAND_SZ). The default value for SFCDllCacheDir is %Systemroot%\system32\dllcache. The SFCDllCacheDir setting must be a local path.
In some instances WFP may not be able to locate the correct version of a system file in the dllcache directory. The dllcache directory might contain an outdated version of the file, or not contain any version of the file at all. In such a case WFP will attempt to locate the installation media. If WFP cannot find the installation media, it will prompt the user to insert the appropriate media. WFP will then replace the incorrect file version that is being used by the operating system or that has been found in the dllcache directory.
Unattended Setup Parameters
[SystemFileProtection]
This section contains parameters for the WFP service. If this section is missing or empty, Setup will install WFP using default values.
SFCShowProgress
Value: 0 1
Default: 1
Specifies if System File Checker displays a progress meter during scans.
Value Description
0 Progress meter is not displayed.
1 Progress meter is displayed.
SFCQuota
Value: Default: 0xFFFFFFFFh
Specifies the size of the dllcache file cache stored on the system hard drive. If 0xFFFFFFFFh is specified, all system files will be cached in the dllcache directory.
Example: SFCQuota = 0xFFFFFFFFh
SFCDllCacheDir
Value:
Default: %Systemroot%\system32\dllcache
Specifies the location of the dllcache directory. This path must be a local path.
Example: SFCDllCacheDir = "C:\Winnt\System32\dllcache"
Disabling Windows File ProtectionYou may disable WFP by setting the value SFCDisable (REG_DWORD) in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon. By default, SFCDisable is set to 0, which means WFP is active. Setting SFCDisable to 1 will disable WFP. Setting SFCDisable to 2 will disable WFP for the next system restart only (without a prompt to re-enable).
Important: You must have a kernel debugger attached to the system via null modem cable (for example:I386kd.exe or Windbg.exe) to use SFCDisable = 1 or SFCDisable = 2.
After WFP is disabled using the SFCDisable = 1 setting, the following message will appear after logon:
Warning! Windows File Protection is not active on this system. Would you like to enable Windows File Protection now? This will enable Windows File Protection until the next system restart. .
Clicking Yes will reactivate WFP until the next system restart. This message will appear at every successful logon until SFCDisable is set to 0.
NOTE: The above message will only be presented to Administrators.
Additional Registry Settings
All registry settings for WFP/System File Checker are located in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon. By default, only Administrators and System will be able to modify these settings.
SFCDisable (REG_DWORD)
0 = enabled (default).
1 = disabled, prompt at boot to re-enable (debugger required).
2 = disabled at next boot only, no prompt to re-enable (debugger required).
SFCScan (REG_DWORD)
0 = do not scan protected files at boot (default).
1 = scan protected files at every boot.
2 = scan protected files once.
SFCQuota (REG_DWORD)
n = size (in megabytes) of dllcache quota.
FFFFFFFF = cache-protected system files on the local hard drive.
SFCShowProgress (REG_DWORD)
0 = System File Checker progress meter is not displayed.
1 = System File Checker progress meter is displayed (default).
SFCDllCacheDir (REG_EXPAND_SZ)
Path = local location of dllcache directory (default is %Systemroot%\system32\dllcache).
In Windows 2000 and Windows XP, the Windows File Protection (WFP) feature prevents overwriting or replacement of certain system files. Overwriting shared system files can result in unpredictable system performance that ranges from application errors to operating system crashes. System instability caused by non-standard replacement of system files has been a common problem. By preventing the replacement of these essential system files, file version mismatches are avoided, and the overall stability of the system is improved.
Note: System-file protection is called System File Protection (SFP) on Windows Millennium Edition. WFP and SFP perform the same service but differ slightly in the way they monitor protected files, which files are protected, and what mechanisms can be used to replace protected files. For information about SFP, see System File Protection and Windows Me.
On This Page
About Windows File Protection
Windows File Protection and Driver Installation
System File Checker
Supported File Replacement Mechanisms
Protected File List
Unattended Setup Parameters
Disabling Windows File Protection
Additional Registry Settings
About Windows File Protection
WFP protects system files by running in the background and detecting attempts to replace protected system files. WFP is triggered after it receives a directory change notification on a file in a protected directory. Once this notification is received, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct Microsoft version. If it is not, the operating system replaces the file with the correct version from the dllcache directory or the distribution media.
After detecting the replacement of a protected file, WFP searches for the replaced files in the following order:
1. Search the dllcache directory.
2. If the system was installed via network install, search the network install path.
3. Search on the CD.
If the file is found in dllcache or the install source is auto-located, WFP replaces the file without prompting the user and moves on. If the file cannot be found, WFP displays a dialog box that prompts the user to either insert distribution media or cancel the restore operation.
WFP also logs an event to the system event log, noting the file replacement attempt. If the administrative user cancels the WFP file restoration, an event noting the cancellation is logged.
Note: The "hit rate" of the dllcache directory is related to the size of the cache specified in the SFCQuota setting. See "Protected File List" later in this article for more information about the SFCQuota setting.
Windows File Protection and Driver Installation
The protected system files in Windows 2000 and Windows XP include many files that have previously been categorized as "redistributable." Msvcrt.dll is an example of such a file. Drivers for Windows 2000 and Windows XP should not install these files, but should instead use the version provided by the operating system.
NOTE: Windows Hardware Quality Labs (WHQL) will not grant the "Designed for Windows" logo for any drivers that install any of these system files.
Unfortunately, many Windows NT 4.0 drivers require these redistributable files to function. Furthermore, device driver installation files (.inf) do not allow the driver developer to perform conditional branching or otherwise differentiate between Windows 2000, Windows XP, and Windows NT 4.0 drivers. In cases where the Windows NT 4.0 driver requires the installation of system files, the solution is straightforward: driver developers must provide two similar, yet distinct INF files.
• For Windows 2000 and Windows XP, the INF file should not install or modify any system files, whether or not they have previously been labeled as redistributable. These files must not appear in the [CopyFiles] sections of the INF.
• For Windows NT 4.0 drivers, the INF file can install redistributable files as required.
To provide the best Plug and Play experience for users, the Windows 2000/Windows XP INF file should be placed in the root directory on the distribution media. Windows Plug and Play will find this INF file and install the driver with a minimum of user intervention. The Windows NT 4.0 INF file should be placed in a subdirectory on the distribution media. Vendors can direct their Windows NT 4.0 users to navigate to this subdirectory for installing the driver.
Vendors with drivers on the Windows 2000 or Windows XP distribution media can update those drivers with newer versions by following these guidelines:
• When developing the updated driver, update the date in the DriverVer entry (or entries) in the INF file. This date should be the date when one or more of the files in the driver package was changed. For information about the DriverVer entry, see the Windows DDK documentation for the [Version] section of INF files.
• Submit the updated driver package to WHQL for Windows Logo testing and driver signature.
• Distribute the updated driver package along with the signed catalog file provided by WHQL.
• Upon receiving this updated and signed driver package, users will be able to install the updated driver without file signature verification dialog boxes appearing during installation.
Summary of WFP and Driver Issues:
• Do not redistribute any Windows 2000 or Windows XP system files. WHQL will not grant the "Designed for Windows" logo for any drivers that include, install, or otherwise modify any Windows system files.
• As needed, develop and distribute different INF files to handle device installation on Windows 2000, Windows XP, and Windows NT 4.0.
• Vendors who have drivers that are included on the Windows 2000/Windows XP distribution media can update these drivers.
• Submit drivers to WHQL for Windows Logo testing and driver signing.
• See the Windows DDK for more information about installation of device drivers.
System File Checker
A command-line utility called System File Checker (SFC.EXE) allows an Administrator to scan all protected files to verify their versions. System File Checker can also set the registry value SFCScan discussed in "Additional Registry Settings" later in this article.
System File Checker will also check and repopulate the %Systemroot%\system32\dllcache directory. If the dllcache directory becomes corrupted or unusable, SFC /SCANNOW, SFC /SCANONCE, SFC /SCANBOOT, or SFC /PURGECACHE can be used to repair the contents of the dllcache directory.
SFC.exe scans all protected system files and replaces incorrect versions with correct Microsoft versions. The following shows the syntax:
SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/QUIET] [/PURGECACHE] [/CACHESIZE=x]
/SCANNOW Scans all protected system files immediately.
/SCANONCE Scans all protected system files once.
/SCANBOOT Scans all protected system files at every boot.
/CANCEL Cancels all pending scans of protected system files.
/QUIET Replaces all incorrect file versions without prompting the user.
/PURGECACHE Purges the file cache and scans all protected system files immediately.
/CACHESIZE=x Sets the file cache size (in megabytes).
Supported File Replacement Mechanisms
Replacement of protected system files is supported using the following mechanisms:
• Windows Service Pack installation (UPDATE.EXE)
• Hotfix distributions installed using HOTFIX.EXE
• Operating system upgrade (WINNT32.EXE)
• Microsoft Update
• Windows Device Installer
Replacing protected files by other means than those mentioned above results in the files being replaced by WFP.
To update third-party drivers that ship with Windows 2000/Windows XP, driver developers will have two options:
• Submit the finished driver update to Windows Hardware Quality Labs (http://www.microsoft.com/whdc/whql/default.mspx) for validation testing. If the driver passes, it will be signed by WHQL and will be installable via the Device Installer without issue.
• Install an unsigned version of a driver that is undergoing WHQL validation testing. By default, the Windows Device Installer will give the user a warning dialog box when an attempt is made to install an unsigned driver. The user can choose to override that warning and install the unsigned driver.
Protected File List
All SYS, DLL, EXE, and OCX files that ship on the Windows CD are protected. True Type fonts--Micross.ttf, Tahoma.ttf, and Tahomabd.ttf--are also protected.
The size of the dllcache directory depends on the setting of the registry value HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon\ SFCQuota. WFP adds files to the cache until the size of the dllcache directory reaches the SFCQuota value. Setting the SFCQuota value to 0xFFFFFFFF hex causes WFP to cache all protected system files. SFCQuota = 0xFFFFFFFFh is the default setting for Windows 2000.
After Setup is complete, WFP runs a scan of all protected files to ensure that they have not been modified by applications that were installed using unattended installation methods. This scan also populates the dllcache directory with verified file versions. If the dllcache directory becomes corrupted, run SFC /PURGECACHE. SFC will delete the contents of the dllcache directory, rescan all Windows files, and repopulate the dllcache directory with verified file versions.
The location of the dllcache directory is specified in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon\SFCDllCacheDir (REG_EXPAND_SZ). The default value for SFCDllCacheDir is %Systemroot%\system32\dllcache. The SFCDllCacheDir setting must be a local path.
In some instances WFP may not be able to locate the correct version of a system file in the dllcache directory. The dllcache directory might contain an outdated version of the file, or not contain any version of the file at all. In such a case WFP will attempt to locate the installation media. If WFP cannot find the installation media, it will prompt the user to insert the appropriate media. WFP will then replace the incorrect file version that is being used by the operating system or that has been found in the dllcache directory.
Unattended Setup Parameters
[SystemFileProtection]
This section contains parameters for the WFP service. If this section is missing or empty, Setup will install WFP using default values.
SFCShowProgress
Value: 0 1
Default: 1
Specifies if System File Checker displays a progress meter during scans.
Value Description
0 Progress meter is not displayed.
1 Progress meter is displayed.
SFCQuota
Value:
Specifies the size of the dllcache file cache stored on the system hard drive. If 0xFFFFFFFFh is specified, all system files will be cached in the dllcache directory.
Example: SFCQuota = 0xFFFFFFFFh
SFCDllCacheDir
Value:
Default: %Systemroot%\system32\dllcache
Specifies the location of the dllcache directory. This path must be a local path.
Example: SFCDllCacheDir = "C:\Winnt\System32\dllcache"
Disabling Windows File ProtectionYou may disable WFP by setting the value SFCDisable (REG_DWORD) in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon. By default, SFCDisable is set to 0, which means WFP is active. Setting SFCDisable to 1 will disable WFP. Setting SFCDisable to 2 will disable WFP for the next system restart only (without a prompt to re-enable).
Important: You must have a kernel debugger attached to the system via null modem cable (for example:I386kd.exe or Windbg.exe) to use SFCDisable = 1 or SFCDisable = 2.
After WFP is disabled using the SFCDisable = 1 setting, the following message will appear after logon:
Warning! Windows File Protection is not active on this system. Would you like to enable Windows File Protection now? This will enable Windows File Protection until the next system restart.
Clicking Yes will reactivate WFP until the next system restart. This message will appear at every successful logon until SFCDisable is set to 0.
NOTE: The above message will only be presented to Administrators.
Additional Registry Settings
All registry settings for WFP/System File Checker are located in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon. By default, only Administrators and System will be able to modify these settings.
SFCDisable (REG_DWORD)
0 = enabled (default).
1 = disabled, prompt at boot to re-enable (debugger required).
2 = disabled at next boot only, no prompt to re-enable (debugger required).
SFCScan (REG_DWORD)
0 = do not scan protected files at boot (default).
1 = scan protected files at every boot.
2 = scan protected files once.
SFCQuota (REG_DWORD)
n = size (in megabytes) of dllcache quota.
FFFFFFFF = cache-protected system files on the local hard drive.
SFCShowProgress (REG_DWORD)
0 = System File Checker progress meter is not displayed.
1 = System File Checker progress meter is displayed (default).
SFCDllCacheDir (REG_EXPAND_SZ)
Path = local location of dllcache directory (default is %Systemroot%\system32\dllcache).
No comments:
Post a Comment