Microsoft KB Archive/254135

From BetaArchive Wiki
Knowledge Base

How Windows 2000 Feature, Windows File Protection (WFP), Prevents Replacement of Essential Files

PSS ID Number: 254135

Article Last Modified on 10/11/2002

The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q254135


This article explains how a Microsoft Windows 2000 new feature called Windows File Protection (WFP) prevents the replacement of certain monitored system files.


Preventing the replacement of essential system files avoids file version mismatches. WFP runs in the background on a Windows 2000-based computer. All .sys, .dll, .exe, and .ocx files that come on the Windows 2000 CD are protected.

Installation programs that are not part of the operating system can overwrite shared system files. This has been a common problem in the history of the Microsoft Windows operating systems. Overwriting shared system files can result in unpredictable system performance that ranges from program errors to operating-system crashes. The file types that are most commonly affected by this problem are dynamic-link libraries (.dll) and executable files (.exe).

WFP protects system files by detecting attempts to overwrite protected system files. Windows File Protection is triggered after it receives a directory change notification on a file in a protected directory. Once this notification is received, WFP determines which file was changed. If the file is protected, WFP looks up the file signature in a catalog file to determine whether the new file is the correct Microsoft version. If it is not, the operating system replaces the file with the correct version from the DllCache directory or the distribution media.

After detecting the overwriting of a protected file, WFP searches for the correct files in the following places, in this order:

  1. It searches the DllCache directory.
  2. If the system was installed through a network install, it searches the network installation path.
  3. It searches on the CD.

If the file is found in DllCache or if the install source is auto-located, WFP silently replaces the file and moves on.

WFP also records an event to the system event log, noting the file replacement attempt. If the administrative user cancels the WFP file replacement, an event noting the cancellation is logged.

Additional query words: win2krelnotes

Keywords: kbinfo KB254135
Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000Pro kbwin2000ProSearch kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbWinAdvServSearch