What's Windows File Protection?

What is the Windows File Protection (WFP) in Windows 2000/XP/2003?

A major cause of incompatibility and crashes in W2K/XP is the fact that an application might overwrite dynamic link library (DLL) files with a similar name belonging to other applications. Often, these are DLL files that get placed in the %systemroot%\System32 folder during an application’s installation.

Windows File Protection (WFP) prevents programs from replacing critical Windows system and DLL files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system.

WFP protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some True Type fonts). WFP uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct Microsoft versions. Replacement of protected system files is supported only through the following mechanisms:

Sponsored Content

Maximize Value from Microsoft Defender

In this ebook, you’ll learn why Red Canary’s platform and expertise bring you the highest possible value from your Microsoft Defender for Endpoint investment, deployment, or migration.

  • Windows Service Pack installation using Update.exe
  • Hotfixes installed using Hotfix.exe or Update.exe
  • Operating system upgrades using Winnt32.exe
  • Windows Update

If a program uses a different method to replace protected files, WFP restores the original files. The Windows Installer adheres to WFP when installing critical system files and calls WFP with a request to install or replace the protected file instead of trying to install or replace a protected file itself.

Protected System files are backed up each time you perform a System State backup.

How the WFP Feature Works

The WFP feature provides protection for system files using two mechanisms. The first mechanism runs in the background. This protection is triggered after WFP receives a directory change notification for a file in a protected directory. After WFP receives this notification, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine if the new file is the correct version. If the file is not the correct version, WFP replaces the new file with the file from the cache folder (if it is in the cache folder) or from the installation source. WFP searches for the correct file in the following locations, in this order:

  1. The cache folder (by default, %systemroot%\system32\dllcache).
  2. The network install path, if the system was installed using network install.
  3. The Windows CD-ROM, if the system was installed from CD-ROM.

If WFP finds the file in the cache folder or if the installation source is automatically located, WFP silently replaces the file. If WFP cannot automatically find the file in any of these locations, you receive one of the following messages, where file_name is the name of the file that was replaced and product is the Windows product you are using:

Windows File Protection Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your product CD-ROM now.

Windows File Protection Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. The network location from which these files should be copied, \\server\share, is not available. Contact your system administrator or insert product CD-ROM now.

Note: If an administrator is not logged on, WFP cannot display either of these dialog boxes. In this case, WFP displays the dialog box after an administrator logs on. WFP also records an event to the system event log, noting the file replacement attempt. If an administrator cancels the WFP file replacement, an event noting the cancellation is logged. Note that WFP is not a replacement for having properly restricted user accounts and appropriate security policies.

The second protection mechanism that is provided by the WFP feature is the System File Checker (Sfc.exe) tool. At the end of GUI-mode Setup, the System File Checker tool scans all the protected files to make sure that they are not modified by programs that were installed by using an unattended installation. The System File Checker tool also checks all the catalog files that are used to track correct file versions. If any of the catalog files are missing or damaged, WFP renames the affected catalog file and retrieves a cached version of that file from the cache folder. If a cached copy of the catalog file is not available in the cache folder, the WFP feature requests the appropriate media to retrieve a new copy of the catalog file.

The System File Checker tool gives an administrator the ability to scan all the protected files to verify their versions. The System File Checker tool also checks and repopulates the cache folder (by default, %SystemRoot%\System32\Dllcache). If the cache folder becomes damaged or unusable, you can use either the sfc /scanonce command or the sfc /scanboot command at a command prompt to repair the contents of the folder.

The SfcScan value in the following registry key has three possible settings:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The settings for the SfcScan value are:

  • 0x0 = do not scan protected files after restart. (Default value)
  • 0x1 = scan all protected files after every restart (set if sfc /scanboot is run).
  • 0x2 = scan all protected files one time after a restart (set if sfc /scanonce is run).

By default, all system files are cached in the cache folder, and the default size of the cache is 400 MB. Because of disk space considerations, it may not be desirable to maintain cached versions of all system files in the cache folder. To change the size of the cache, change the setting of the SFCQuota value in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

WFP stores verified file versions in the Dllcache folder on the hard disk. The number of cached files is determined by the setting of the SFCQuota value (the default size is 0xFFFFFFFF, or 400 MB). The administrator can make the setting for the SFCQuota value as large or small as needed. Note that if you set the SFCQuota value to 0xFFFFFFFF, the WFP feature caches all protected system files (approximately 2,700 files).

There are two cases in which the cache folder may not contain copies of all protected files, regardless of the SFCQuota value:

  1. Not enough disk space – Under Windows XP, WFP stops populating the Dllcache folder when less than (600 MB + maximum size of the page file) of space is available on the hard disk. Under Windows 2000, WFP stops populating the Dllcache folder when less than 600 MB of space is available on the hard disk.
  2. Network Install – When Windows 2000 or Windows XP is installed over the network, files in the i386\lang directory are not populated in the Dllcache folder. Additionally, all drivers in the file are protected, but they are not populated in the Dllcache folder. WFP can restore these files from the file directly without prompting the user for the source media. However, running the sfc /scannow command does populate the files from the file into the Dllcache folder.

If WFP detects a file change and the affected file is not in the cache folder, WFP examines the version of the changed file that the operating system is currently using. If the file that is currently in use is the correct version, WFP copies that version of the file to the cache folder. If the file that is currently in use is not the correct version, or if the file is not cached in the cache folder, WFP tries to locate the installation source. If WFP cannot find the installation source, WFP prompts an administrator to insert the appropriate media to replace the file or the cached file version.

The SFCDllCacheDir value (REG_EXPAND_SZ) in the following registry key specifies the location of the Dllcache folder:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The default value data for the SFCDllCacheDir value is %SystemRoot%\System32. The SFCDllCacheDir value can be a local path. By default, the SFCDllCacheDir value is not listed in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. To modify the cache location, you must add this value.


Description of the Windows 2000 System File Checker (Sfc.exe) – 222471

Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe) – 310747

Description of the Windows File Protection Feature – 222193

Related Topics:

External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: