"DMA Mode for ATA/ATAPI Devices in Windows XP "
"Windows Hardware Error Architecture ACPI Table Specification "
"Windows Support for Hyper-Threading Technology "
Advances in Memory Management for Windows
An Introduction to COM for UMDF Developers
Analyze Driver Performance
Application Compatibility Test Rig (ACT-R)
Application Software Considerations for NUMA-Based Systems
Architecture of the Windows Driver Foundation
Archive: Driver Install Frameworks Tools v.2.01
Archive: DVD and Microsoft Operating Systems
Archive: Hardware IDs for HID Devices
Archive: HID Audio Controls and Windows
Archive: Key Support, Keyboard Scan Codes, and Windows
Archive: Network Infrastructure Device Implementer's Guide
Archive: Power Management of USB Host Controllers
Archive: Scan Code Mapper for Windows
Archive: Specification for Use of PCI IDs with Windows Operating Systems
Audio Device Performance: Driver Best Practices
Audio Driver Support for the WMA Pro-over-S/PDIF Format
Away Mode DDK for Windows Vista
Away Mode in Windows Vista
Benchmarking on Windows XP: Home Edition and Professional
BIOS Settings for Native-Mode-Capable ATA Controllers
Booting Windows from USB Storage Devices
Brightness Control in WDDM
Building a Dynamic Data Center
Building a Great Media Center PC
CardBus Controllers and Windows
CardBus I/O Resource Windows in Windows Vista
Catalog Criteria for Datacenter Servers
Changes for Vendor-provided Storage Drivers Loaded Using F6
Choosing a WAN Miniport Driver Model
Color Management and Windows: An Introduction: An Overview of Microsoft Image Color Management Technology
Color Management Concepts
Colorspace Interchange Using sRGB
Compatibility of Type 2 Pointing Devices with MS IntelliMouse
CPU Virtualization Extensions: Analysis of Rootkit Issues
Creating Windows INF Files
Debug Port Specification - ARCHIVE - Download
Debug Port Specification - ARCHIVE
Debugging Kernel-Mode Driver Framework Drivers
Design and Deploy a Great Media Center PC
Designing Multifunction Devices for Windows Operating Systems
Designing Video Capture Boards for Use with the Microsoft ActiveX Video Control
Device Driver INF Guidelines for Windows XP
Device Simulation Framework (DSF)
Digital Still Camera Support
Digital Video Camcorder Support in Windows
DirectX VA: Accelerating Video Codec Processing
Disk Subsystem Performance Analysis for Windows
DMA Support in KMDF Drivers
Driver Compatibility for Windows Vista
Driver Protection List for Windows XP and Windows Server 2003
Dump Switch Support for Windows
Enhanced Keyboards and Windows
Exposing Enhanced Functionality for Scanners
Extension Unit Plug-ins for USB Video Class Devices
External DSL Modems Design Guidelines
FAQ for PCI and PCIe Issues for “Designed for Windows” Logo
Fast System Startup for PCs Running Windows XP
Functional Specification for De-Interlacing and Frame Rate Conversion in DirectX VA
Getting Started with WDM Audio Drivers
GPD Creation for Unidrv 5
GPRS Auto-Configuration in Wireless Wide Area Networks
Guidelines for Bus and Device Specifications
Guidelines for Video-Capable Wireless Networking
Hardware Design for Surprise Removal
Hardware Management in Microsoft Windows Server 2003 "R2" Beta 2
HID Game Controllers and DirectInput
HID System Devices, DirectInput, and Windows
How to Build, Install, Test, and Debug KMDF Drivers
How to Install Windows Drivers with Software Applications
How to Update Printer Drivers Supported in Windows
How to Use an INF to Override the Monitor EDID
I/O Flow and Dispatching in WDF Drivers
I/O Ports Blocked from BIOS AML
IA-64 Systems and ACPI 2.0 64-bit Tables
IDs and Serial Numbers for ISA Plug and Play
IEEE 1394 and the Windows Platform
IEEE 802.11 Networks and Windows XP
Implementing Speakerphone-Quality Audio on Computers
INF Requirements for 64-bit Systems
Input Device Drivers and Windows
Installing and Configuring Away Mode
Installing Test Builds of Inbox Drivers on Windows Vista
Interrupt Architecture Enhancements in Windows
Introduction to Cable Architecture
Introduction to the WDF User-Mode Driver Framework
Introduction to the Windows Driver Foundation
Kernel Enhancements for Windows XP
Kernel-Mode Drivers: Fixing Common Driver Reliability Issues
Key Benefits of the I/O APIC
Low Pool Memory and Windows XP
Management of Hardware Resources
MBR System Disk Conversion for Itanium-Based Systems
MCA Implementation Guide for 64-bit Windows XP and Windows Server 2003
MCA Support in 64-bit Windows XP and Windows Server 2003
Microsoft TV Technologies
Migrating TWAIN drivers to WIA
Mobile PC Hardware Button Recommendations
Mobile System Displays and Windows: Version 1.2c
Monolithic Storage Drivers and Windows
Multifunction Printer Design Recommendations
MultiMonitor Support and Windows Vista
NDIS 5.0 and ATM Support in Windows
NDIS 5.1 Support and Windows
NDIS Driver Debugging Guidelines
NDIS Driver Tips and Guidelines
Network Driver Compatibility with the Header-Data Split Feature
Network Driver Interface Specification - NDIS 5.0 Overview
Network Drivers and Windows
Network Explorer Extensibility
Networking over IrDA in Windows XP
Non-PCM Wave Formats and WDM Audio Drivers
Output Content Protection and Windows Vista
Partial Address Decoding and I/O Space in Windows Operating Systems
PC Card and CardBus Multifunction Devices and Windows Compatibility
PC Storage Directions: The evolution of hard disk and optical solutions
PCI Express FAQ for Graphics
PCI IRQ Routing on a Multiprocessor ACPI System
PCI Multi-Level Rebalance in Windows Vista
PCI Power Management and Device Drivers
PCI Subsystem IDs and PCI-to-PCI Bridge Devices
PCMCIA IRQ Routing on Windows XP
Pen and Touch Digitizer Drivers for Windows Vista
Personalized Icons for Devices on Windows XP
Platform Compatibility for USB Boot Devices
Plug and Play for Windows 2000 and Windows XP
PnP X Out-of-Band Association
Pointer Ballistics for Windows XP
Power Management for Network Devices
PREfast with Driver-Specific Rules
QoS: Assigning Priority in IEEE 802-style Networks
Quality Windows Audio-Video Experience - qWave
Recommendations for IEEE 802.11 Access Points
Registry Reflection in Windows
Removable Storage Management and Windows
Required Commands for Writable CD/DVD Devices
Sample Drivers for the Kernel Mode Driver Framework
Security-related Best Practices for WIA Drivers
Specifications: Hardware and Firmware Standards
sRGB Color Management Case Studies
Standard Modem Command Sets and INFs
Still Image Connectivity for Windows
System Area Networks (SAN)
System State-to-Device State Mappings (SxD)
Temporal Rate Conversion: Dave Marsh. Microsoft Technical Evangelist, TV and Video
The Importance of Implementing APIC-Based Interrupt Subsystems on Uniprocessor PCs
Timeout Detection and Recovery of GPUs through WDDM
Transient Multimon Manager (TMM)
Troubleshooting Device Installation with the SetupAPI Log File
TV and Broadcast Driver Architecture
Universal Accelerated Graphics Port (UAGP)
USB 2.0 and Windows Operating Systems
USB and Game Devices - ARCHIVE
USB Handset Peripherals and Windows
USB Printers - Architecture and Driver Support
USB Printing Solutions for Windows
User-Mode Driver Framework FAQ
Versioning in the Windows Driver Foundation
Virtual Address Space Usage in Windows Game Development
WDM Human Interface Device Class Support
WDM USB Driver Interface - ARCHIVE
What's New for Plug and Play in the Windows XP DDK
Where’s the Add Hardware Wizard?
WiFi Protected Access Overview
WinColorKit: Windows Color Quality Test Kit for Device OEMs
Windows and the 5-Button Wheel Mouse
Windows Connect Now FAQ
Windows Driver Model (WDM): Compatible drivers for Microsoft Windows operating systems
Windows File Protection and Windows
Windows Hardware Error Architecture
Windows Instrumentation: WMI and ACPI
Windows Logo Program Requirement Updates - Archives
Windows Logo Requirement Updates
Windows Media Connect Device Design Considerations
Windows Native Processor Performance Control
Windows Network Task Offload
Windows Power Management: Instant PC availability and energy savings
Windows Scalable Networking Initiative
Windows Server 2003, Datacenter Edition Driver Program Overview
Windows Setup and Device Installation Logging
Windows Vista Driver Development
Windows Vista Feature Pack for Wireless
Windows XP - Guidelines for Applications
Winsock Direct and Protocol Offload on SANs
Wireless Communications and Windows
Wireless Provisioning Services (entry/EULA)
WMI and CIM Concepts and Terminology
WMI Support for SMART Drives
Write-Combining Memory in Video Miniport Drivers
Writing Drivers for Reliability, Robustness and Fault Tolerant Systems
Writing WIA Drivers for Windows 64-bit Edition for Extended Processors
Expand Minimize
7 out of 11 rated this helpful - Rate this topic

Windows File Protection and Windows

Updated: December 4, 2001


A common problem in the history of the Microsoft Windows operating systems has been the ability for shared system files to be overwritten by non-operating system installation programs. After such changes are made, the user may experience unpredictable system performance, ranging from application errors to operating system crashes. This problem affects several types of files--most commonly dynamic link libraries (.dll) and executable files (.exe).

In Windows 2000 and Windows XP, the Windows File Protection (WFP) feature prevents overwriting or replacement of certain system files. Overwriting shared system files can result in unpredictable system performance that ranges from application errors to operating system crashes. System instability caused by non-standard replacement of system files has been a common problem. By preventing the replacement of these essential system files, file version mismatches are avoided, and the overall stability of the system is improved.

Note: System-file protection is called System File Protection (SFP) on Windows Millennium Edition. WFP and SFP perform the same service but differ slightly in the way they monitor protected files, which files are protected, and what mechanisms can be used to replace protected files. For information about SFP, see System File Protection and Windows Me.

On This Page

About Windows File Protection   About Windows File Protection
Windows File Protection and Driver Installation  Windows File Protection and Driver Installation
System File Checker  System File Checker
Supported File Replacement Mechanisms  Supported File Replacement Mechanisms
Protected File List  Protected File List
Unattended Setup Parameters  Unattended Setup Parameters
Disabling Windows File Protection  Disabling Windows File Protection
Additional Registry Settings  Additional Registry Settings


About Windows File Protection

WFP protects system files by running in the background and detecting attempts to replace protected system files. WFP is triggered after it receives a directory change notification on a file in a protected directory. Once this notification is received, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct Microsoft version. If it is not, the operating system replaces the file with the correct version from the dllcache directory or the distribution media.

After detecting the replacement of a protected file, WFP searches for the replaced files in the following order:

  1. Search the dllcache directory.

  2. If the system was installed via network install, search the network install path.

  3. Search on the CD.

If the file is found in dllcache or the install source is auto-located, WFP replaces the file without prompting the user and moves on. If the file cannot be found, WFP displays a dialog box that prompts the user to either insert distribution media or cancel the restore operation.

WFP also logs an event to the system event log, noting the file replacement attempt. If the administrative user cancels the WFP file restoration, an event noting the cancellation is logged.

Note: The "hit rate" of the dllcache directory is related to the size of the cache specified in the SFCQuota setting. See "Protected File List" later in this article for more information about the SFCQuota setting.

Windows File Protection and Driver Installation

The protected system files in Windows 2000 and Windows XP include many files that have previously been categorized as "redistributable." Msvcrt.dll is an example of such a file. Drivers for Windows 2000 and Windows XP should not install these files, but should instead use the version provided by the operating system.

NOTE: Windows Hardware Quality Labs (WHQL) will not grant the "Designed for Windows" logo for any drivers that install any of these system files.

Unfortunately, many Windows NT 4.0 drivers require these redistributable files to function. Furthermore, device driver installation files (.inf) do not allow the driver developer to perform conditional branching or otherwise differentiate between Windows 2000, Windows XP, and Windows NT 4.0 drivers. In cases where the Windows NT 4.0 driver requires the installation of system files, the solution is straightforward: driver developers must provide two similar, yet distinct INF files.

  • For Windows 2000 and Windows XP, the INF file should not install or modify any system files, whether or not they have previously been labeled as redistributable. These files must not appear in the [CopyFiles] sections of the INF.

  • For Windows NT 4.0 drivers, the INF file can install redistributable files as required.

To provide the best Plug and Play experience for users, the Windows 2000/Windows XP INF file should be placed in the root directory on the distribution media. Windows Plug and Play will find this INF file and install the driver with a minimum of user intervention. The Windows NT 4.0 INF file should be placed in a subdirectory on the distribution media. Vendors can direct their Windows NT 4.0 users to navigate to this subdirectory for installing the driver.

Vendors with drivers on the Windows 2000 or Windows XP distribution media can update those drivers with newer versions by following these guidelines:

  • When developing the updated driver, update the date in the DriverVer entry (or entries) in the INF file. This date should be the date when one or more of the files in the driver package was changed. For information about the DriverVer entry, see the Windows DDK documentation for the [Version] section of INF files.

  • Submit the updated driver package to WHQL for Windows Logo testing and driver signature.

  • Distribute the updated driver package along with the signed catalog file provided by WHQL.

  • Upon receiving this updated and signed driver package, users will be able to install the updated driver without file signature verification dialog boxes appearing during installation.

Summary of WFP and Driver Issues:

  • Do not redistribute any Windows 2000 or Windows XP system files. WHQL will not grant the "Designed for Windows" logo for any drivers that include, install, or otherwise modify any Windows system files.

  • As needed, develop and distribute different INF files to handle device installation on Windows 2000, Windows XP, and Windows NT 4.0.

  • Vendors who have drivers that are included on the Windows 2000/Windows XP distribution media can update these drivers.

  • Submit drivers to WHQL for Windows Logo testing and driver signing.

  • See the Windows DDK for more information about installation of device drivers.

System File Checker

A command-line utility called System File Checker (SFC.EXE) allows an Administrator to scan all protected files to verify their versions. System File Checker can also set the registry value SFCScan discussed in "Additional Registry Settings" later in this article.

System File Checker will also check and repopulate the %Systemroot%\system32\dllcache directory. If the dllcache directory becomes corrupted or unusable, SFC /SCANNOW, SFC /SCANONCE, SFC /SCANBOOT, or SFC /PURGECACHE can be used to repair the contents of the dllcache directory.

SFC.exe scans all protected system files and replaces incorrect versions with correct Microsoft versions. The following shows the syntax:

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/QUIET] [/PURGECACHE] [/CACHESIZE=x]

/SCANNOW Scans all protected system files immediately.

/SCANONCE Scans all protected system files once.

/SCANBOOT Scans all protected system files at every boot.

/CANCEL Cancels all pending scans of protected system files.

/QUIET Replaces all incorrect file versions without prompting the user.

/PURGECACHE Purges the file cache and scans all protected system files immediately.

/CACHESIZE=x Sets the file cache size (in megabytes).

Supported File Replacement Mechanisms

Replacement of protected system files is supported using the following mechanisms:

  • Windows Service Pack installation (UPDATE.EXE)

  • Hotfix distributions installed using HOTFIX.EXE

  • Operating system upgrade (WINNT32.EXE)

  • Microsoft Update

  • Windows Device Installer

Replacing protected files by other means than those mentioned above results in the files being replaced by WFP.

To update third-party drivers that ship with Windows 2000/Windows XP, driver developers will have two options:

  • Submit the finished driver update to Windows Hardware Quality Labs (http://www.microsoft.com/whdc/whql/default.mspx) for validation testing. If the driver passes, it will be signed by WHQL and will be installable via the Device Installer without issue.

  • Install an unsigned version of a driver that is undergoing WHQL validation testing. By default, the Windows Device Installer will give the user a warning dialog box when an attempt is made to install an unsigned driver. The user can choose to override that warning and install the unsigned driver.

Protected File List

All SYS, DLL, EXE, and OCX files that ship on the Windows CD are protected. True Type fonts--Micross.ttf, Tahoma.ttf, and Tahomabd.ttf--are also protected.

The size of the dllcache directory depends on the setting of the registry value HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon\ SFCQuota. WFP adds files to the cache until the size of the dllcache directory reaches the SFCQuota value. Setting the SFCQuota value to 0xFFFFFFFF hex causes WFP to cache all protected system files. SFCQuota = 0xFFFFFFFFh is the default setting for Windows 2000.

After Setup is complete, WFP runs a scan of all protected files to ensure that they have not been modified by applications that were installed using unattended installation methods. This scan also populates the dllcache directory with verified file versions. If the dllcache directory becomes corrupted, run SFC /PURGECACHE. SFC will delete the contents of the dllcache directory, rescan all Windows files, and repopulate the dllcache directory with verified file versions.

The location of the dllcache directory is specified in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon\SFCDllCacheDir (REG_EXPAND_SZ). The default value for SFCDllCacheDir is %Systemroot%\system32\dllcache. The SFCDllCacheDir setting must be a local path.

In some instances WFP may not be able to locate the correct version of a system file in the dllcache directory. The dllcache directory might contain an outdated version of the file, or not contain any version of the file at all. In such a case WFP will attempt to locate the installation media. If WFP cannot find the installation media, it will prompt the user to insert the appropriate media. WFP will then replace the incorrect file version that is being used by the operating system or that has been found in the dllcache directory.

Unattended Setup Parameters

[SystemFileProtection]

This section contains parameters for the WFP service. If this section is missing or empty, Setup will install WFP using default values.

SFCShowProgress

Value: 0 | 1

Default: 1

Specifies if System File Checker displays a progress meter during scans.

Value Description

0 Progress meter is not displayed.

1 Progress meter is displayed.

SFCQuota

Value: <size in MB (hex)> Default: 0xFFFFFFFFh

Specifies the size of the dllcache file cache stored on the system hard drive. If 0xFFFFFFFFh is specified, all system files will be cached in the dllcache directory.

Example: SFCQuota = 0xFFFFFFFFh

SFCDllCacheDir

Value: <location of dllcache directory>

Default: %Systemroot%\system32\dllcache

Specifies the location of the dllcache directory. This path must be a local path.

Example: SFCDllCacheDir = "C:\Winnt\System32\dllcache"

Disabling Windows File Protection

You may disable WFP by setting the value SFCDisable (REG_DWORD) in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon. By default, SFCDisable is set to 0, which means WFP is active. Setting SFCDisable to 1 will disable WFP. Setting SFCDisable to 2 will disable WFP for the next system restart only (without a prompt to re-enable).

Important: You must have a kernel debugger attached to the system via null modem cable (for example:I386kd.exe or Windbg.exe) to use SFCDisable = 1 or SFCDisable = 2.

After WFP is disabled using the SFCDisable = 1 setting, the following message will appear after logon:

Warning! Windows File Protection is not active on this system. Would you like to enable Windows File Protection now? This will enable Windows File Protection until the next system restart. <Yes> <No>.

Clicking Yes will reactivate WFP until the next system restart. This message will appear at every successful logon until SFCDisable is set to 0.

NOTE: The above message will only be presented to Administrators.

Additional Registry Settings

All registry settings for WFP/System File Checker are located in HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon. By default, only Administrators and System will be able to modify these settings.

SFCDisable (REG_DWORD)

0 = enabled (default).

1 = disabled, prompt at boot to re-enable (debugger required).

2 = disabled at next boot only, no prompt to re-enable (debugger required).

SFCScan (REG_DWORD)

0 = do not scan protected files at boot (default).

1 = scan protected files at every boot.

2 = scan protected files once.

SFCQuota (REG_DWORD)

n = size (in megabytes) of dllcache quota.

FFFFFFFF = cache-protected system files on the local hard drive.

SFCShowProgress (REG_DWORD)

0 = System File Checker progress meter is not displayed.

1 = System File Checker progress meter is displayed (default).

SFCDllCacheDir (REG_EXPAND_SZ)

Path = local location of dllcache directory (default is %Systemroot%\system32\dllcache).
Help us help you
Answer questions that we’ll use to make the Dev Center better.
Was this page helpful?
Your feedback about this content is important
Let us know what you think.
Additional feedback?
Thank you!
We appreciate your feedback.
© 2013 Microsoft. All rights reserved.