Microsoft KB Archive/814597

= HOW TO: Verify That Windows File Protection Is Running in Windows Server 2003 =

Article ID: 814597

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows Small Business Server 2003 Standard Edition

-



For a Microsoft Windows 2000 version of this article, see the following Microsoft Knowledge Base article:

318767 HOW TO: Verify That Windows File Protection Is Running in Windows 2000

IN THIS TASK

 * SUMMARY
 * How to Verify that Windows File Protection Is Running



SUMMARY
This step-by-step article describes how to verify that the Windows File Protection feature is running and protecting your system files. In Windows Server 2003, Windows File Protection prevents the replacement of protected system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. Windows File Protection runs in the background and protects all files that are installed by the Windows Setup program. Windows File Protection detects attempts by other programs to replace or move a protected system file. Windows File Protection checks the file's digital signature to determine if the new file is the correct Microsoft version. If the file is not the correct version, Windows File Protection either replaces the file from the backup that is stored in the Dllcache folder or from the Windows CD. If Windows File Protection cannot locate the appropriate file, it prompts you for the location. Windows File Protection also writes an event to the Event log that notes the file-replacement attempt. By default, Windows File Protection is always enabled and allows Windows digitally-signed files to replace existing files. Currently, signed files are distributed through:
 * Windows Service Packs
 * Hotfix distributions
 * Operating system upgrades
 * Windows Update
 * Windows Device Manager/Class Installer

back to the top

How to Verify that Windows File Protection Is Running

 * 1) Start Windows Explorer, and then open the Windows\System32 folder.
 * 2) Right-click the Calc.exe file, and then click Rename.
 * 3) Type Calc.old to rename the file for the Calculator program.
 * 4) Wait several moments, and then note that Windows replaces the missing Calc.exe file. You may have to refresh the file list to confirm that the file is replaced. If Windows replaces the missing Calc.exe file, the Windows File Protection feature is protecting your files.

Note When Windows File Protection restores a file, a log entry is logged in System Event Viewer that is similar to the following: File replacement was attempted on the protected system file C:\Windows\System32\Calc.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.2.3752.0

back to the top

Keywords: kbwebservices kbappservices kbhowtomaster KB814597

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.