Windows Server Troubleshooting - WFP

Click here to start saving with ING DIRECT!

Home | Up | Methodology | Architecture | Tools | Memory | Processor | Registry | Network | Active Directory | Contents

Get the Book

Major Topics
File System
Active Directory
Other Topics
Boot Records
Junction Point
Dynamic Disk
MFT Metadata
More Detail

eXpert Genealogy

Memory from

©2003-2006 Team Approach Limited
All rights reserved

Windows File Protection

In versions of Windows prior to Windows 2000, application setup software might overwrite shared system files such as dynamic-link libraries and executable files. When system files are overwritten it is possible that system performance becomes unpredictable, programs behave erratically, and the operating system fails.

In Windows 2000 and Windows XP, Windows File Protection prevents the replacement of protected system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. Windows File Protection runs in the background and protects all files installed by the Windows Setup program.

Windows File Protection detects attempts by other programs to replace or move a protected system file. Windows File Protection checks the file's digital signature to determine if the new file is the correct Microsoft version. If the file is not the correct version, Windows File Protection either replaces the file from the backup stored in the Dllcache folder or from the Windows CD. If Windows File Protection cannot locate the appropriate file, it prompts you for the location. Windows File Protection also writes an event to the event log, noting the file replacement attempt.

By default, Windows File Protection is always enabled and allows Windows digitally signed files to replace existing files. Currently, signed files are distributed through:

  • Windows Service Packs
  • Hotfix distributions
  • Operating system upgrades
  • Windows Update
  • Windows Device Manager/Class Installer

Depending on the size of the SFCQuota value in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key (the default size is 0xFFFFFFFF, or 400 MB), the WFP feature stores verified file versions cached in the Dllcache folder on the hard disk. The SFCQuota setting can be made as large or small as needed by the administrator. Note that if you set the SFCQuota value to 0xFFFFFFFF, the WFP feature will cache all protected system files (approximately 2,700 files).

The System File Checker SFC command can be used to scan and verify the protected files. The SFC help information follows.

Microsoft(R) Windows XP Windows File Checker Version 5.1
(C) 1999-2000 Microsoft Corp. All rights reserved

Scans all protected system files and replaces incorrect versions with correct Microsoft versions.


/SCANNOW Scans all protected system files immediately.
/SCANONCE Scans all protected system files once at the next boot.
/SCANBOOT Scans all protected system files at every boot.
/REVERT Return scan to default setting.
/PURGECACHE Purges the file cache.
/CACHESIZE=x Sets the file cache size.

Disabling Windows File Protection

Warning! Disabling WFP may result in the deletion of vital Windows files.

Here’s how to disable Windows File Protection. Find the key SFCDisable in HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon and set the value to 0xFFFFFF9D.
If you want to re-enable File Protection, just re-set the value to 0.

Keyboard Exercise

Delete C:\WINDOWS\NOTEPAD.EXE and then after a few seconds check to see that it has automatically been restored.