= Windows File Protection and Alternative Data Streams =

PSS ID Number: 286797

Article Last Modified on 12/18/2003

The information in this article applies to:


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional
 * Microsoft Windows 2000 Datacenter Server



This article was previously published under Q286797



SUMMARY
This article describes Windows File Protection (WFP), System File Checker (SFC), and the use of Alternative Data Streams (ADS).



MORE INFORMATION
WFP is an active component of Windows 2000 that monitors attempts to change protected system files. If a file change occurs, WFP uses digital signatures to determine whether the file is the correct Microsoft version. The System File Checker (SFC) program is a command-line utility that can be used in conjunction with WFP to perform a real-time scan of protected system files to verify their versions.

WFP protects the main data stream of a protected system file and any alternate data streams that Microsoft specifies. If a protected system file contains streams that are critical to the system or document of the file, WFP protects those streams as well as the file itself. WFP does not protect against adding or altering other streams. Data streams that WFP does not protect can be altered, and new streams can be added, as long as the proper permissions to the file are present. Additional data streams do not affect the intended performance of the main data stream and thus do not break any rules that WFP establishes. The SFC utility also does not detect any ADS that is associated with a protected system file.

The original file bits protected by WFP are not modified when an ADS is added. If the bits of the original file were modified, WFP would detect the change. An ADS does not modify the execution of the original file; therefore, there is no risk that the actual file itself can be trojaned or deleted without notification.
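
Because SFC does not report alternate data streams, auditing for them takes a separate step. The following is an added example, not part of the original article or of Microsoft's tooling: it assumes PowerShell 3.0 or later on an NTFS volume (a later Windows release than the Windows 2000 systems this article covers), and the function name `Find-NamedStream` and its parameters are hypothetical.

```powershell
# Added example: list named (alternate) data streams on files under a directory.
# Assumes PowerShell 3.0+ and NTFS. Find-NamedStream and its parameters are
# hypothetical names chosen for this illustration.
function Find-NamedStream {
    [CmdletBinding()]
    param(
        # Directory to audit; defaults to the system directory.
        [string]$Path = (Join-Path $env:SystemRoot 'System32'),
        # Stream names to ignore, for example the mark-of-the-web stream.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )

    # -File limits the walk to files; directories can carry streams too and
    # would need a second pass with -Directory.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream, including the unnamed main
            # stream, which is reported as ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamLength = $_.Length
                        FileModified = $file.LastWriteTimeUtc
                    }
                }
        }
}

# Report every named stream found; an empty result means none were present
# (or none were readable with the current permissions).
Find-NamedStream | Sort-Object File, Stream | Format-Table -AutoSize
```

Saving the output (for example with `Export-Csv`) on a known-good system gives a baseline to compare later runs against.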

Additional query words: multiple data streams

Keywords: kbinfo kbWFP KB286797

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000DataServ kbwin2000DataServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch kbWinDataServSearch


© 2004 Microsoft Corporation. All rights reserved.