Windows File Protection
In versions of Windows prior to Windows 2000,
application setup software might overwrite shared system files such as
dynamic-link libraries and executable files. When system files are overwritten,
system performance can become unpredictable, programs can behave erratically,
and the operating system can fail.
In Windows 2000 and Windows XP, Windows File Protection prevents the replacement
of protected system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files.
Windows File Protection runs in the background and protects all files installed
by the Windows Setup program.
Windows File Protection detects attempts by other programs to replace or move a
protected system file. Windows File Protection checks the file's digital
signature to determine if the new file is the correct Microsoft version. If the
file is not the correct version, Windows File Protection replaces the
file either from the backup stored in the Dllcache folder or from the Windows CD. If
Windows File Protection cannot locate the appropriate file, it prompts you for
the location. Windows File Protection also writes an event to the event log,
noting the file replacement attempt.
By default, Windows File Protection is always enabled and allows Windows
digitally signed files to replace existing files. Currently, signed files are
distributed through:
- Windows Service Packs
- Hotfix distributions
- Operating system upgrades
- Windows Update
- Windows Device Manager/Class Installer
Windows File Protection (WFP) caches verified file versions in the Dllcache
folder on the hard disk. How much it caches depends on the size of the
SFCQuota value in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
registry key (the default size is 0xFFFFFFFF, or 400 MB). The
SFCQuota setting can be made as large or small as needed by the administrator.
Note that if you set the SFCQuota value to 0xFFFFFFFF, the WFP feature will
cache all protected system files (approximately 2,700 files).
The System File Checker (SFC) command can be used
to scan and verify the protected files. The SFC help information follows.
Microsoft(R) Windows XP Windows File Checker
Version 5.1
(C) 1999-2000 Microsoft Corp. All rights reserved
Scans all protected system files and replaces incorrect versions with correct
Microsoft versions.
SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/REVERT] [/PURGECACHE] [/CACHESIZE=x]
/SCANNOW Scans all protected system files immediately.
/SCANONCE Scans all protected system files once at the next boot.
/SCANBOOT Scans all protected system files at every boot.
/REVERT Return scan to default setting.
/PURGECACHE Purges the file cache.
/CACHESIZE=x Sets the file cache size.
Disabling Windows File Protection
Warning! Disabling WFP may result in the deletion of vital
Windows files.
Here’s how to disable Windows File Protection. Find the SFCDisable value in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key and set it
to 0xFFFFFF9D.
If you want to re-enable File Protection, just set the value back to 0.
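Because a single registry value switches the protection off, the Winlogon key is worth checking when auditing a machine. The following added example (not part of the original page) parses a .reg export of that key and reports the WFP state from SFCDisable and SFCQuota. It assumes the export has already been decoded to text; the function names and the sample export are constructed for illustration.

```python
import re

# Key path, value names and the three constants below come from the page.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SFC_ENABLED = 0x00000000      # SFCDisable value that leaves WFP on
SFC_DISABLED = 0xFFFFFF9D     # SFCDisable value that turns WFP off
QUOTA_CACHE_ALL = 0xFFFFFFFF  # SFCQuota value that caches every protected file

DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def winlogon_dwords(reg_text):
    """Collect DWORD values that sit directly under the Winlogon key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry paths are case-insensitive; subkeys must not match.
            in_key = line[1:-1].lower() == WINLOGON.lower()
        elif in_key:
            m = DWORD_RE.match(line)
            if m:
                values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def audit_wfp(reg_text):
    """Classify the WFP state recorded in a .reg export (hypothetical helper)."""
    v = winlogon_dwords(reg_text)
    disable, quota = v.get("sfcdisable"), v.get("sfcquota")
    if disable is None:
        state = "missing"      # value not in the export: cannot tell
    elif disable == SFC_ENABLED:
        state = "enabled"
    elif disable == SFC_DISABLED:
        state = "disabled"
    else:
        state = "unexpected"   # not one of the two values the page names
    return {"wfp": state, "sfcdisable": disable,
            "caches_all_files": quota == QUOTA_CACHE_ALL}

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Decoy]
"SFCDisable"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"SFCQuota"=dword:ffffffff
'''

if __name__ == "__main__":
    print(audit_wfp(SAMPLE))
```

A result of "disabled" or "unexpected" on a machine where nobody intended the change is the finding to follow up.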
Keyboard Exercise
Delete C:\WINDOWS\NOTEPAD.EXE and then after a few
seconds check to see that it has automatically been restored.