In-depth study of Windows XP System File Protection Function

Source: Internet
Author: User

If you have ever installed an application and then had Windows crash unexpectedly, it is likely that the application replaced a critical Windows system file. Once such a file is modified, the results are unpredictable: the system may keep running normally, produce intermittent errors, or crash completely. Fortunately, Windows 2000, XP, and Server 2003 include a mechanism called Windows File Protection (WFP) that prevents critical system files from being overwritten. In this article, I will explain what WFP is and how it works. I will also show you how to modify or bypass WFP's behavior. (Note: although WFP works the same way on Windows 2000, XP, and Server 2003, the information in this article, including the registry entries and the SFC syntax, is for XP.)
How does Windows File Protection Work?

WFP is designed to protect the contents of the Windows folders. Rather than blocking every modification to those folders, WFP protects specific file types, such as SYS, EXE, DLL, OCX, FON, and TTF. A registry value determines which file types WFP protects.

When an application tries to replace a protected file, WFP checks the digital signature of the replacement file to determine whether the file comes from Microsoft and whether it is the correct version. If both conditions are met, the replacement is allowed. Under normal circumstances, the programs that are allowed to replace system files are Windows service packs, hotfixes, and operating system upgrades. System files can also be replaced by Windows Update or by the Windows Device Manager/class installer.

If either condition is not met, the protected file is replaced by the new file, but it is soon replaced again by the correct file. In this case, Windows copies the correct version of the file from the Windows installation CD or from the DLLCache folder on the computer.

Windows File Protection not only protects files against modification, but also against deletion. Let's see WFP in action. Open the WINDOWS\SYSTEM32 folder and rename the CALC.EXE file to CALC.OLD. When you do this, a message warns you that changing the file extension may make the file unusable. Click Yes to confirm the warning. Now wait a few minutes and press F5 to refresh the view of the folder. The replacement may take some time to complete. After the file is replaced, Windows records the replacement in the event log.

It is worth noting that WFP is closely integrated with Windows Installer. Whenever Windows Installer needs to install a protected file, it hands the file to WFP rather than installing it itself. WFP then decides whether to allow the installation.
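As an added example (not part of the original article), the following PowerShell script checks a few protected files in SYSTEM32 against their DLLCACHE backup copies and lists the entries WFP writes to the System event log after a restore such as the CALC.EXE experiment above. It assumes Windows PowerShell 2.0 installed on XP and the default DLLCACHE location; the file list is constructed for illustration.

```powershell
# Added example (not from the original article): compare protected files in
# SYSTEM32 against the WFP backup copies in DLLCACHE and list WFP restore events.
# Assumes Windows PowerShell 2.0 on XP/2003 and the default DLLCACHE location.
$system32 = Join-Path $env:SystemRoot 'system32'
$dllCache = Join-Path $system32 'dllcache'

# SHA-256 via .NET so the script also runs on PowerShell 2.0 (no Get-FileHash there).
function Get-Sha256Hex([string]$path) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($path)
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
}

# Report files whose SYSTEM32 copy differs from, or lacks, the cached backup.
# DIFFERS or MISSING on a file WFP should protect is worth investigating.
function Compare-ProtectedFile([string[]]$names) {
    foreach ($n in $names) {
        $live = Join-Path $system32 $n
        $bak  = Join-Path $dllCache $n
        if (-not (Test-Path $live))                            { $state = 'MISSING' }
        elseif (-not (Test-Path $bak))                         { $state = 'NO-CACHE-COPY' }
        elseif ((Get-Sha256Hex $live) -eq (Get-Sha256Hex $bak)) { $state = 'MATCH' }
        else                                                   { $state = 'DIFFERS' }
        New-Object PSObject -Property @{ File = $n; State = $state }
    }
}

# WFP logs restores to the System log under the source "Windows File Protection".
function Get-WfpEvent([int]$newest = 20) {
    Get-EventLog -LogName System -Source 'Windows File Protection' -Newest $newest `
        -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EventID, Message
}

# Constructed sample list: three files present in DLLCACHE on a default XP install.
Compare-ProtectedFile @('calc.exe', 'notepad.exe', 'kernel32.dll') | Format-Table -AutoSize
Get-WfpEvent | Format-Table -AutoSize -Wrap
```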

System File Checker

Although automatic file replacement saves time, there are occasions when manual intervention is needed. For example, you may not want to wait for WFP to notice that a protected file has been replaced. Fortunately, you can use a tool named System File Checker (SFC) to control WFP manually.

SFC is a command-line tool that is run from a command prompt window. Its syntax is as follows:

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/REVERT] [/PURGECACHE] [/CACHESIZE=x]

The /SCANNOW option tells SFC to scan all protected system files immediately. If an incorrect file version is found during the scan, it is replaced with the correct Microsoft version. Of course, this means you may have to supply the Windows installation CD, the latest service pack, or the upgrade patches for Windows.

The /SCANONCE parameter tells WFP to scan the protected system files at the next startup. During the scan, any incorrect file is replaced by the correct version. As the parameter name implies, this scan is performed only once. After the system starts, it returns to normal and SFC does not run again.

The /SCANBOOT parameter is similar to the /SCANONCE option. The difference is that SCANONCE scans the protected files only at the next startup of Windows, while SCANBOOT scans the system files at every startup. If necessary, both parameters replace incorrect system files, which may require you to supply the correct file versions.

The /REVERT option is used to turn these scans off. For example, suppose you used the SCANBOOT option to scan the protected files every time the system starts. As you might expect, this noticeably increases the total startup time of the computer. Eventually, you may get tired of the long startup and want to stop the scans. Simply run SFC /REVERT to stop SFC from running at startup.

Be cautious with the /PURGECACHE option. Earlier I explained that Windows uses a cache folder to store backup copies of the correct versions of the various system files. If you run the SFC /PURGECACHE command, the file cache is cleared and those backup files are deleted. The command also makes Windows scan the various protected file types and rebuild the file cache as it goes. Of course, this may mean that you must supply Windows with the installation CD or a copy of the system file upgrades.

The last SFC option is /CACHESIZE=x. There is a lot of contradictory information about the default file cache size. While writing this article, I found that three different Microsoft Knowledge Base articles each specified a different default. One article gives the file cache size as 50 MB, while another gives it as 300 MB. A third article states that the size should be unlimited. In practice, the default value is not important, because you can use the CACHESIZE option to change the file cache size as needed.

To use the CACHESIZE option, enter the command SFC /CACHESIZE=x, where x is the number of megabytes you want to allocate to the file cache. After specifying the new file cache size, you must restart the system and run the SFC /PURGECACHE command.

Controlling WFP and SFC through the Registry

Earlier I explained that the registry controls the general behavior of WFP. You can modify several different registry values to control that behavior. Some of these values are modified directly each time you run SFC. Others have lower-level functions, such as specifying the location of the file cache or of the installation files.

Modifying the registry can be dangerous. An incorrect change may cause Windows to crash or break your applications. Therefore, before trying any of the techniques described in this section, I strongly recommend that you first make a complete backup of the registry.

To access the SFC registry values, type the REGEDIT command in the Run dialog. This opens the Registry Editor; now browse the registry tree to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The Winlogon key in the registry is generally used to control various startup options. Because many SFC options control whether SFC runs at startup, Microsoft placed the SFC-related registry values in this section.

SFCDisable

This registry value controls whether SFC is enabled. By changing its DWORD value you get four different options. The default DWORD value is 0, which enables SFC; you normally do not need to change it. However, you can change the value from 0 to 4 to keep SFC enabled while stopping it from displaying pop-up messages.

If you are running a kernel debugger, you had better disable SFC. In that case, change the DWORD value to 1. This disables SFC and, at every subsequent startup, prompts you to ask whether SFC should be enabled again.

You can also disable SFC by setting the DWORD value to 2. This option disables SFC only for the next startup. There is no prompt to enable SFC again, because SFC is enabled automatically at the following startup.

SFCScan

Earlier I explained the SFC SCANONCE, SCANBOOT, and REVERT options. Whenever you use these options, SFC is actually modifying the SFCScan registry value. You can make the same change yourself by editing its DWORD value.

The default value is 0. With this value, protected files are not scanned at startup. This setting is equivalent to running the SFC /REVERT command.

Changing the DWORD value to 1 means that protected files are scanned at every startup. Setting SFCScan to 1 is equivalent to running the SFC /SCANBOOT command.

Finally, setting the DWORD value to 2 tells SFC to scan the protected files at the next startup, but not at subsequent startups. This is equivalent to running the SFC /SCANONCE command.

SFCQuota

The SFCQuota registry value controls the size of the SFC file cache. You may remember that when I discussed the SFC /CACHESIZE=x command, I mentioned the inconsistent information about the default file cache size. On my system, the DWORD value of SFCQuota is 0xFFFFFFFF by default. According to the Microsoft Knowledge Base, this value corresponds to a file cache size of 300 MB. Another article in the same Knowledge Base states that setting this value to FFFFFFFF caches all protected system files.

SFCDllCacheDir

Earlier I explained that Windows uses the DLLCACHE folder as the location for storing backup copies of system files. Normally, this folder is located in the WINDOWS\SYSTEM32 directory. However, you can change the location of the file cache by modifying the SFCDllCacheDir registry value.

The file cache folder is normally the DLLCACHE directory, but you can change it by modifying this registry value. The only requirement is that you specify a path that already exists on a local hard drive. In Windows 2000, you can specify a network share as the DLLCACHE path, but this option is not available in Windows XP.

SFCShowProgress

Another SFC-related registry value is SFCShowProgress. Its DWORD value can be set to 0 or 1. The default value is 0, which hides the SFC progress display. Set the value to 1 to display the progress of SFC.

Source file location

Earlier I explained how WFP and SFC work and pointed out that under some conditions you may have to supply a copy of the Windows installation CD or valid source files. However, it is entirely possible to specify a source file directory for Windows by modifying the registry, so that Windows does not prompt you for these files.

This registry value lives in a different part of the registry. Locate the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

Once you find this location, you can specify the location of the Windows system files as a drive letter, a path, or a UNC path.

To use this setting, the files must be placed in an I386 directory. For example, if your Windows system files are located in a directory named C:\I386, you only need to specify the path C:\ in the registry, because Windows assumes that the I386 directory exists beneath it. Similarly, if you want to use a UNC share, the I386 folder must exist inside the shared directory. For example, if you share a directory named FILES, you need to put the I386 folder under the FILES directory. You then tell Windows to look for the files in \\server_name\FILES, and Windows searches for them in \\server_name\FILES\I386.
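As an added example (not part of the original article), the following PowerShell script reads the WFP/SFC registry values described in this section and the source file location above, and reports each one next to the SFC switch it corresponds to, so a non-default SFCDisable or a redirected cache or source path stands out during an audit. It assumes Windows PowerShell 2.0 installed on XP and the default key locations; the value name SourcePath under the Setup key is assumed, since the article names only the key.

```powershell
# Added example (not from the original article): audit the WFP/SFC registry values
# and show each next to the SFC switch that sets it. Assumes Windows PowerShell 2.0
# on XP and the default key locations. SourcePath is an assumed value name under
# the Setup key; the article names only the key itself.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$setup    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'

function Get-RegValue([string]$key, [string]$name) {
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$name }
    return $null
}

function Get-WfpConfig {
    $disable = Get-RegValue $winlogon 'SFCDisable'
    $scan    = Get-RegValue $winlogon 'SFCScan'
    $quota   = Get-RegValue $winlogon 'SFCQuota'
    $cache   = Get-RegValue $winlogon 'SFCDllCacheDir'
    $prog    = Get-RegValue $winlogon 'SFCShowProgress'
    $source  = Get-RegValue $setup    'SourcePath'

    # Any non-zero SFCDisable means protection is off or altered: treat it as a finding.
    $wfpState = switch ([int]$disable) {
        0       { 'enabled (default)' }
        1       { 'DISABLED, prompts to re-enable at each boot' }
        2       { 'DISABLED for the next boot only' }
        4       { 'enabled, pop-up messages suppressed' }
        default { "unexpected value $disable" }
    }
    # SFCScan maps one-to-one onto the SFC switches that set it.
    $scanSwitch = switch ([int]$scan) { 1 { '/SCANBOOT' } 2 { '/SCANONCE' } default { '/REVERT' } }
    # A REG_DWORD is read back as a signed Int32, so 0xFFFFFFFF appears as -1; show it as hex.
    if ($quota -eq $null) { $quotaText = 'not set' }
    else { $quotaText = '0x{0:X8}' -f ([int64]$quota -band 0xFFFFFFFFL) }
    if ($cache) { $cacheText = $cache } else { $cacheText = "default: $env:SystemRoot\system32\dllcache" }
    if ($source) { $sourceText = "$source (Windows expects an I386 folder beneath it)" }
    else { $sourceText = 'not set' }

    New-Object PSObject -Property @{
        SFCDisable      = $wfpState
        SFCScan         = "$scan (equivalent to SFC $scanSwitch)"
        SFCQuota        = "$quotaText (change with SFC /CACHESIZE=x, then SFC /PURGECACHE)"
        SFCDllCacheDir  = $cacheText
        SFCShowProgress = $(if ($prog -eq 1) { 'progress shown' } else { 'progress hidden (default)' })
        SourcePath      = $sourceText
    }
}

Get-WfpConfig | Format-List
```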
