- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
WINDOWS 2000 Windows File Protection Explained
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
------------------------------------
1. What is Windows File Protection?
------------------------------------
WFP protects system files by running in the background and detecting any
changes to system files that are actively being protected. If changes
occur Windows 2000 will prompt you and inform you that it has been
overwritten by a obscure file and will ask you for your Windows 2000
CDROM.
------------------
2. How WFP Works
------------------
WFP actively runs in the background and compares installed system
files with ones found in its backup directory (Dllcache) If a
file is overwritten by another program, WFP will search for replacement
copies in this order:
- dllcache directory (C:\WINNT\System32\DllCache)
- Search network path (if installed via network)
- Search Windows 2000 CD
If the file is already found in the dllcache directory, or a network
path, then Windows 2000 will NOT prompt you it will simply replace the
file and move on. If however, it can't be detected on either two, it
will prompt you for your windows 2000 disk. WFP will make logs of what
tried to replace the file as well.
-------------------------------------------
3. Disabling WFP (Service Pack 1 or Gold)
-------------------------------------------
Since WFP is actively monitoring files all the time, it does take some
CPU time away from you, not much but it may count for some computer guru.
If you are using Windows 2000 Service Pack 1, or the Gold Edition follow
the indications below:
- Open the registry editor (start - run.. - regedit - ok)
- go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon
- Create a new DWORD value in the right-pane, and name it "SFCDisable"
- Give it a value of "2"
- Reboot your machine.
-----------------------------------
4. Disabling WFP (Service Pack 2)
-----------------------------------
Service Pack 2 either intentionally disables SFCDisable dword, or accidently.
In either event you CANNOT disable WFP using the registry entry provided above,
until now.
- Run a Hex Editor (can find one at download.com)
- Open file sfc.dll in system32 directory
- Go to offset 6211/6212
- Change '8B C9' to read '90 90'
- Save file
- Now make the SFCDisable value in the registry.
---------------------------
5. Replacing System Files
---------------------------
You can disable System File Protection, then just replace files like you
normally would. Or you could keep your System File Protection still active
and replace files. Heres how:
- Modify the file of your choosing
- Save it to C:\WINNT\ServicePackFiles, C:\WINNT\System32\Dllcache
- Save it to its orignal directory
File should now be replaced, with WFP functioning normal.
-------------------------
6. Run A File Check (SFC)
-------------------------
If you'd like to verify your files right now, you can do so.
- Click Start - Run.. - type command - click ok
- type sfc /scannow
- press enter
- Windows will now verify your files
-------------------
7. Rebuild Dllcache
-------------------
Rebuilding the Dllcache is useful if you decided to LIMIT the amount of
space WFP is allowed to use, to purge the cache do this:
- Click Start - Run.. - type command - click ok
- type sfc /purgecache
- WFP will now REBUILD the cached directory, make sure you have your
windows cd available when this happens!
---------------------
8. Limit Cache size
---------------------
Cache taking up too much room? Limit it!
- Click start - run.. - type command - click ok
- type sfc /cachesize=x (where 'x' is the amount in megabytes WFP is limited to)
- press enter
This concludes the tutorial on System File Protection in Windows 2000.
Written by: ParanoidXE (
[email protected])
Dated: 05/16/02
� paranoidxe 2002-2003
