In-depth discussion of Windows XP System File Protection function

Source: Internet
Author: User
When Windows crashes, it is likely that an application has overwritten critical Windows system files. When such a file is modified, the results are unpredictable: the system may keep running properly, start showing errors, or crash completely. Fortunately, Windows 2000, XP, and Server 2003 include a mechanism called Windows File Protection (WFP) to prevent critical system files from being overwritten. In this article, I will explain what WFP is and how it works, and I will also show how to modify or override WFP's behavior. (Note: although WFP operates the same way on Windows 2000, XP, and Server 2003, the information in this article, including the registry entries and the SFC syntax, is for XP.)

How Windows File Protection works

WFP is designed to protect the contents of the Windows folders. Rather than blocking every change to the whole folder tree, WFP protects specific file types, such as SYS, EXE, DLL, OCX, FON, and TTF. A registry key determines which file types WFP protects.

When an application tries to replace a protected file, WFP examines the digital signature of the replacement file to determine whether the file comes from Microsoft and is the correct version. If both conditions are met, the replacement is allowed. Normally, the kinds of operations that are allowed to replace system files are Windows service packs, patches, and operating system upgrades. System files can also be replaced through Windows Update or the Windows Device Manager/class installer.

If both conditions are not met, the protected file is still overwritten by the new file, but it is soon replaced again by the correct version. When this happens, Windows copies the correct version of the file from the Windows installation CD or from the Dllcache folder on your computer.

Windows File Protection does not merely undo modifications to a protected file; it also undoes deletions. To watch WFP at work, open the \Windows\System32 folder and rename the CALC.EXE file to Calc.old. A message warns you that changing the file's extension may make the file unusable; click Yes to confirm. Now press F5 periodically to refresh the folder view, since the replacement may take a few minutes to complete. When the file is eventually restored, Windows writes a corresponding record to the event log.

One notable aspect of WFP is that it is tightly coupled with Windows Installer. Whenever Windows Installer needs to install a protected file, it hands the file to WFP rather than installing it itself, and WFP then decides whether the installation is allowed.
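The event-log records mentioned above are the quickest way for an administrator to see how often protected files are being replaced, whether by legitimate patching or by something else. The following script is an added example written for this article, not code from the original author; it assumes Windows PowerShell is installed on the XP machine (it was an optional download there) and that WFP writes its entries to the System log under the source name "Windows File Protection", which is where they appear on XP.

```powershell
# Added example: list Windows File Protection entries from the System event log.
# Assumes Windows PowerShell is installed on the XP machine and that WFP logs
# under the source "Windows File Protection" in the System log.

param(
    [int]$Days = 7          # how far back to look
)

$since = (Get-Date).AddDays(-$Days)

# Get-EventLog reads the classic event logs; -Source filters on the provider name.
$events = Get-EventLog -LogName System -Source "Windows File Protection" `
                       -After $since -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Windows File Protection events in the last $Days day(s)."
    return
}

# Summarise by event ID first; a sudden spike in one ID is the easiest thing to spot.
$events | Group-Object EventID | Sort-Object Count -Descending |
    Format-Table @{ Label = 'EventID'; Expression = { $_.Name } }, Count -AutoSize

# Then print each entry so the affected file name and version can be read.
foreach ($e in ($events | Sort-Object TimeGenerated)) {
    "{0:yyyy-MM-dd HH:mm:ss}  ID {1,-6} {2}" -f $e.TimeGenerated, $e.EventID, ($e.Message -replace "\s+", " ")
}
```

Run it as `.\wfp-events.ps1 -Days 30` to widen the window. On a machine that has not been patched recently, any replacement record at all is worth explaining, because it means something other than Windows Update tried to overwrite a protected file.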

System File Check

While automatic file replacement saves time, there are situations where manual intervention is required. For example, you may not want to wait for WFP to notice that a protected file has been replaced. Fortunately, you can control WFP manually with a tool called System File Checker (SFC).

SFC is a command-line tool that is run from a command prompt window. Its syntax is as follows:

SFC [/scannow] [/scanonce] [/scanboot] [/revert] [/purgecache] [/cachesize=x]

The /scannow option tells SFC to scan all protected system files immediately. If an incorrect version of a file is found during the scan, it is replaced with the correct Microsoft version. Of course, this means you may need to have the Windows installation CD, the latest service pack, or the relevant patch at hand.

The /scanonce parameter tells WFP to scan the protected system files the next time the system starts. During that scan, any incorrect files are replaced with the correct versions. As the parameter name implies, this scan is performed only once; subsequent boots return to normal and SFC no longer runs.

The /scanboot parameter is similar to /scanonce. The difference is that /scanonce scans the protected files only at the next Windows start, while /scanboot scans the system files every time Windows starts. If required, both parameters replace incorrect system files, which may require you to supply a copy of the correct file versions.

The /revert option turns off scheduled scanning, for example after you have used /scanboot to scan the protected files at every start. As you can imagine, this noticeably increases the computer's total boot time. Eventually you may tire of the long start-up and want to stop SFC from running at boot; simply running sfc /revert turns it off.

Use the /purgecache option with more care. As explained earlier, Windows keeps backup copies of the correct versions of the various system files in a cache folder. If you run sfc /purgecache, the file cache is emptied and those backup files are deleted. The command also makes Windows scan the protected files and rebuild the cache as it goes. Of course, this may mean that you have to provide Windows with the installation CD or a system file upgrade.

The last SFC option is /cachesize=x. There is a lot of conflicting information about the default size of the file cache; when I wrote this article, three different Microsoft Knowledge Base articles each gave a different default size. In one article, it is recommended that the file cache size be MB, while another recommends MB. What's more, the third article says the size should be unlimited. In practice the default does not matter much, because you can use the /cachesize option to change the file cache size to whatever you need.

To use the /cachesize option, type sfc /cachesize=x, where x is the number of megabytes you want to allocate to the file cache. After specifying a new cache size, you must reboot the system and run the sfc /purgecache command.

Controlling WFP and SFC through the registry

As explained earlier, the registry controls the general behavior of WFP. Several registry values can be modified to control it. Some of these values correspond directly to SFC command-line options; others control lower-level settings, such as the location of the file cache or of the installation files.

Modifying the registry can be dangerous; a bad change can make Windows crash or break your applications. I strongly recommend that you make a full backup of the registry before attempting any of the techniques described in this section.

To reach the SFC registry values, type Regedit in the Run dialog. This opens Registry Editor; browse the registry tree to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The Winlogon key is generally used to control various startup options. Since many SFC options determine whether SFC runs at startup, Microsoft placed the SFC-related registry values under this key.

SFCDisable

This registry value controls whether SFC is active. Four different settings are available by changing the DWORD value. The default is 0, which activates SFC; usually you do not need to change it. However, you can change the value from 0 to 4 to keep SFC active while suppressing its pop-up prompts.

If you have a kernel debugger attached, you should turn SFC off. To do so, set the DWORD value to 1, which disables SFC and prompts you to re-enable it at each subsequent startup.

You can also turn off SFC by setting the DWORD value to 2. This option disables SFC for the next startup only. There is no prompt to re-enable SFC, because it activates again automatically after that startup.

SfcScan

Earlier I explained SFC's /scanonce, /scanboot, and /revert options. When you use these options, SFC is actually modifying the SfcScan registry value. You can change the setting yourself by editing its DWORD value.

The default value is 0, meaning the protected files are not scanned at startup. This setting is equivalent to running sfc /revert.

Changing the DWORD value to 1 scans the protected files at every startup, which is equivalent to running sfc /scanboot.

Finally, setting the DWORD value to 2 tells SFC to scan the protected files at the next boot only, not at later ones. This is equivalent to running sfc /scanonce.

SFCQuota

The SFCQuota registry value controls the size of the SFC file cache. You may recall that when I discussed the sfc /cachesize=x command I mentioned the inconsistent information about the default cache size. On my system, however, the SFCQuota DWORD value defaults to 0xFFFFFFFF. According to the Microsoft Knowledge Base, this value corresponds to a file cache size of MB. The same Knowledge Base article points out that by setting this value to FFFFFFFF you can cache all protected system files.

SFCDllCacheDir

As explained earlier, Windows uses the Dllcache folder as the place where it stores backup copies of system files. Typically this folder is located in the \Windows\System32 directory. By modifying the SFCDllCacheDir registry value, however, you can change the location of the file cache.

The only requirement is that the path you specify must already exist on your local hard drive. Windows 2000 allows a network share to be specified as the Dllcache path, but Windows XP does not.

SFCShowProgress

Another SFC-related registry value is SFCShowProgress. Its DWORD value can be set to 0 or 1. The default is 0, which hides SFC's progress display; setting it to 1 makes SFC show its progress.

Source File Location

Earlier, when explaining how WFP and SFC work, I pointed out that under certain conditions you may have to provide the Windows installation CD or a valid copy of the source files. By modifying the registry, however, you can point Windows at a directory of source files so that it never has to ask you for them again.

This value lives in a different part of the registry, under the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

Once you have found that location, you can specify where the Windows system files are by using a drive letter, a path, or a UNC path.

The requirement is that the files must be placed in a directory named I386. For example, if your Windows system files are in C:\I386, you only need to specify C:\ in the registry, because Windows assumes the I386 directory exists beneath it. Likewise, if you plan to use a UNC share, the I386 folder must exist inside the shared directory. For example, if you share a directory named Files, place the I386 folder inside Files and then tell Windows to look for the files under \\server_name\FILES.
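Because every value in the two registry sections above (SFCDisable, SfcScan, SFCQuota, SFCDllCacheDir, SFCShowProgress and the source-file location) can weaken or redirect file protection, it is worth checking them periodically rather than only when something breaks. The script below is an added example written for this article, not code from the original author. It assumes Windows PowerShell is installed on the XP machine; the value names are the ones given in the article, except SourcePath under the Setup key, which the article refers to without naming and which is the value name Windows XP uses there.

```powershell
# Added example (not from the article): audit the WFP/SFC registry values and
# flag settings that weaken file protection. Assumes Windows PowerShell on XP.
# Value names are from the article, plus SourcePath under the Setup key.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$setup    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns the value, or $null when it is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$findings = @()

# SFCDisable: 0 active (default), 1 disabled with re-enable prompt at boot,
# 2 disabled for the next boot only, 4 active with pop-ups suppressed.
$disable = Get-RegValue $winlogon 'SFCDisable'
if ($disable -eq $null -or $disable -eq 0) {
    $findings += 'SFCDisable: 0/absent - WFP active (expected)'
} elseif ($disable -eq 4) {
    $findings += 'SFCDisable: 4 - WFP active, pop-up prompts suppressed (review why)'
} else {
    $findings += "SFCDisable: $disable - WFP DISABLED (review immediately)"
}

# SfcScan mirrors sfc /revert, /scanboot and /scanonce.
$scanText = @{ 0 = 'no scan at boot (sfc /revert)'
               1 = 'scan at every boot (sfc /scanboot)'
               2 = 'scan at next boot only (sfc /scanonce)' }
$scan = Get-RegValue $winlogon 'SfcScan'
if ($scan -eq $null) { $scan = 0 }
if ($scanText.ContainsKey([int]$scan)) { $findings += "SfcScan: $scan - $($scanText[[int]$scan])" } else { $findings += "SfcScan: $scan - unexpected value" }

# SFCQuota: a REG_DWORD of 0xFFFFFFFF reads back as Int32 -1 through
# Get-ItemProperty, so mask to 32 bits before comparing.
$quota = Get-RegValue $winlogon 'SFCQuota'
if ($quota -eq $null) {
    $findings += 'SFCQuota: absent (built-in default)'
} elseif (([int64]$quota -band 0xFFFFFFFF) -eq 0xFFFFFFFF) {
    $findings += 'SFCQuota: 0xFFFFFFFF - cache every protected file'
} else {
    $findings += "SFCQuota: $quota MB"
}

# SFCDllCacheDir must be an existing local folder; UNC paths are not accepted on XP.
$cacheDir = Get-RegValue $winlogon 'SFCDllCacheDir'
if (-not $cacheDir) {
    $findings += 'SFCDllCacheDir: absent (default \Windows\System32\Dllcache)'
} else {
    $expanded = [Environment]::ExpandEnvironmentVariables($cacheDir)
    if ($cacheDir -like '\\*') {
        $findings += "SFCDllCacheDir: $cacheDir - UNC path, not supported on XP"
    } elseif (-not (Test-Path $expanded)) {
        $findings += "SFCDllCacheDir: $cacheDir - folder does not exist"
    } else {
        $findings += "SFCDllCacheDir: $cacheDir"
    }
}

$showProgress = Get-RegValue $winlogon 'SFCShowProgress'
$findings += 'SFCShowProgress: ' + $(if ($showProgress -eq 1) { '1 - progress shown' } else { '0/absent - progress hidden (default)' })

# SourcePath tells WFP where the I386 folder is instead of prompting for the CD.
$source = Get-RegValue $setup 'SourcePath'
if (-not $source) {
    $findings += 'SourcePath: absent - Windows will prompt for the installation CD'
} else {
    $note = ''
    if ($source -like '\\*') { $note += ' [UNC source: WFP restores system files from this share, so it must be trusted]' }
    if (-not (Test-Path (Join-Path $source 'I386'))) { $note += ' [no I386 folder found here]' }
    $findings += "SourcePath: $source$note"
}

$findings
```

The two settings that matter most from a security standpoint are SFCDisable (anything other than 0 means protected files can be replaced without being restored) and SourcePath (a network share listed here is where Windows will fetch "correct" system files from, so it deserves the same trust as the installation CD). Run the script once on a known-good machine to record the expected output, then compare later runs against it.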
