Jump to content

Windows File Protection

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 221.128.147.150 (talk) at 06:35, 7 October 2007 (+ Windows components template). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Windows File Protection (WFP) is a technology included in all Microsoft Windows operating systems beginning with Windows 2000 to prevent programs from replacing critical Windows system files. Protecting core system files prevents problems such as DLL hell with programs and the operating system. Windows 2000, Windows XP and Windows Server 2003 include it under the name of Windows File Protection, Windows Me includes it as System File Protection, whereas Windows Vista includes Windows Resource Protection which expands the technology to protect core registry keys and values and prevent potentially damaging system configuration changes.

When Windows File Protection is active, replacing or deleting a system file that has no file lock to prevent it from being overwritten, causes Windows to immediately and silently restore the original copy of the file. The original version of the file is restored from a cached folder which contains backup copies of these files. For the Windows NT family, the cached folder is located at %WinDir%\System32\Dllcache. Windows Me stores the cache at a different location.

Windows File Protection protects critical system files that are installed as part of Windows (for example, files with a .dll, .exe, .ocx, and .sys extension and some TrueType fonts). Windows File Protection uses the file signatures and catalog files that are generated by code signing to verify if protected system files are the correct versions. Replacement of protected system files is supported only through the following mechanisms:

If a program uses a different method to replace protected files, Windows File Protection restores the original files. The Windows Installer adheres to Windows File Protection when installing critical system files and calls Windows File Protection with a request to install or replace the protected file instead of trying to install or replace a protected file itself. If Windows File Protection cannot automatically find the file in the cached folder, it searches the network path or prompts the user for the Windows installation disc to restore the appropriate version of the file.

Windows Resource Protection

In Windows Vista, Windows Resource Protection replaces Windows File Protection. It protects registry keys and folders too besides critical system files. System File Checker is also integrated with WRP. Under Windows Vista, using Sfc.exe, specific folder paths can be checked, including the Windows folder and the boot folder.

Windows File Protection worked by registering for notification of file changes in Winlogon. If any changes were detected to a protected system file, the modified file was restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache. In Windows Vista, Windows Resource Protection works by setting discretionary access control lists (DACLs) and access control lists (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to the processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files. Protected resources can be modified or replaced if administrators take ownership of the resource and add the appropriate Access Control Entries (ACEs).

Protected resources

Windows Resource Protection protects a large number of file types:

.dll, .exe, .ocx, .sys, .acm, .ade, .adp, .app, .asa, .asp, .aspx, .ax, .bas, .bat, .bin, .cer, .chm, .clb, .cmd, .cnt, .cnv, .com, .cpl, .cpx, .crt, .csh, .dll, .drv, .dtd, .exe, .fxp, .grp, .h1s, .hlp, .hta, .ime, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .man, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msi, .msp, .mst, .mui, .nls, .ocx, .ops, .pal, .pcd, .pif, .prf, .prg, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .sys, .tlb, .tsp, .url, .vb, .vbe, .vbs, .vsmacros, .vss, .vst, .vsw, .ws, .wsc, .wsf, .wsh, .xsd, and .xsl.

WRP also protects critical folders. A folder containing only WRP-protected files may be locked so that only the Windows trusted installer SID is able to create files or subfolders in the folder. A folder may be partially locked to enable Administrators to create files and subfolders in the folder. It protects essential registry keys installed by Windows Vista. If a key is protected by WRP, all its sub-keys and values can be protected. Also, WRP copies only those files that are needed to restart Windows to the cache directory located at %WinDir%\WinSxS\Backup. Critical files that are not needed to restart Windows are not copied to the cache directory, unlike Windows File Protection which cached the entire set of protected file types. The size of the cache directory and the list of files copied to cache cannot be modified.

Windows Resource Protection applies stricter measures to protect files, as a result, Windows File Protection is not available under Windows Vista. In order to replace any single protected file, Windows File Protection had to be disabled completely; Windows Resource Protection works on a per-item basis by setting ACLs, therefore by taking ownership of any single item, that particular item can be replaced, while other items remain protected. Also, Windows File Protection required a considerable amount of disk space to maintain cached versions of the protected files, which Windows Resource Protection does not require.

See Also

Retrieved from "https://en.wikipedia.org/w/index.php?title=Windows_File_Protection&oldid=162816654"