- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                             WINDOWS 2000
                   Windows File Protection Explained
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

------------------------------------
 1. What is Windows File Protection?
------------------------------------

WFP protects system files by running in the background and detecting
any changes to the system files it is actively protecting. If a change
occurs, Windows 2000 will inform you that a protected file has been
overwritten by an unrecognized file and will ask you for your
Windows 2000 CD-ROM.

------------------
 2. How WFP Works
------------------

WFP actively runs in the background and compares installed system files
with the ones found in its backup directory (Dllcache). If a file is
overwritten by another program, WFP will search for replacement copies
in this order:

 - dllcache directory (C:\WINNT\System32\DllCache)
 - Search network path (if installed via network)
 - Search Windows 2000 CD

If the file is found in the dllcache directory or on the network path,
Windows 2000 will NOT prompt you; it will simply replace the file and
move on. If, however, the file can't be found in either of those two,
it will prompt you for your Windows 2000 CD. WFP will also log what
tried to replace the file.

-------------------------------------------
 3. Disabling WFP (Service Pack 1 or Gold)
-------------------------------------------

Since WFP is actively monitoring files all the time, it does take some
CPU time away from you. It is not much, but it may matter to some
computer gurus. If you are using Windows 2000 Service Pack 1 or the
Gold Edition, follow the steps below:

 - Open the registry editor (Start - Run.. - regedit - OK)
 - Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 - Create a new DWORD value in the right pane, and name it "SFCDisable"
 - Give it a value of "2"
 - Reboot your machine.

-----------------------------------
 4. Disabling WFP (Service Pack 2)
-----------------------------------

Service Pack 2 disables the SFCDisable DWORD, either intentionally or
accidentally. In either event you CANNOT disable WFP using the registry
entry provided above, until now.

 - Run a hex editor (can find one at download.com)
 - Open the file sfc.dll in the system32 directory
 - Go to offset 6211/6212
 - Change '8B C9' to read '90 90'
 - Save the file
 - Now make the SFCDisable value in the registry.

---------------------------
 5. Replacing System Files
---------------------------

You can disable System File Protection, then just replace files like
you normally would. Or you can keep System File Protection active and
still replace files. Here's how:

 - Modify the file of your choosing
 - Save it to C:\WINNT\ServicePackFiles, C:\WINNT\System32\Dllcache
 - Save it to its original directory

The file should now be replaced, with WFP functioning normally.

-------------------------
 6. Run A File Check (SFC)
-------------------------

If you'd like to verify your files right now, you can do so.

 - Click Start - Run..
 - Type command
 - Click OK
 - Type sfc /scannow
 - Press Enter
 - Windows will now verify your files

-------------------
 7. Rebuild Dllcache
-------------------

Rebuilding the Dllcache is useful if you decided to LIMIT the amount of
space WFP is allowed to use. To purge the cache, do this:

 - Click Start - Run..
 - Type command
 - Click OK
 - Type sfc /purgecache
 - WFP will now REBUILD the cached directory. Make sure you have your
   Windows CD available when this happens!

---------------------
 8. Limit Cache size
---------------------

Cache taking up too much room? Limit it!

 - Click Start - Run..
 - Type command
 - Click OK
 - Type sfc /cachesize=x (where 'x' is the amount in megabytes WFP is
   limited to)
 - Press Enter

This concludes the tutorial on System File Protection in Windows 2000.

Written by: ParanoidXE (nemesisera@yahoo.com)
Dated: 05/16/02
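
Added example (not part of the original tutorial): sections 2 and 5 show that WFP only compares a live file against its own restore copies, so a change written to every copy goes unnoticed. The sketch below audits the three locations against an independent, trusted hash baseline instead. The file names, the baseline manifest, the function names and the choice of System32 as the live directory are assumptions made for the example; the sample tree is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Copy locations named on this page, relative to the system root (C:\WINNT).
# Assumption: the live copy sits in System32.
COPY_DIRS = {"live": "System32", "dllcache": "System32/Dllcache",
             "sp": "ServicePackFiles"}

def digest(path):
    """SHA-256 of a file, or None if the file is absent."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None

def audit(root, baseline):
    """Classify each baseline file by which on-disk copies differ from it."""
    report = {}
    for name, good in baseline.items():
        h = {k: digest(Path(root) / sub / name) for k, sub in COPY_DIRS.items()}
        bad = sorted(k for k, v in h.items() if v is not None and v != good)
        if h["live"] is None:
            report[name] = "live copy missing"
        elif not bad:
            report[name] = "ok"
        elif "live" not in bad:
            report[name] = "restore source modified: " + ",".join(bad)
        elif h["dllcache"] == h["live"]:
            # WFP restores from Dllcache first, so it will not revert this change.
            report[name] = "modified, cache also modified: " + ",".join(bad)
        else:
            report[name] = "modified, cache intact"
    return report

def build_demo(root):
    """Constructed sample tree; returns the trusted baseline {name: sha256}."""
    original = {n: ("original " + n).encode() for n in ("a.dll", "b.dll", "c.dll")}
    for sub in COPY_DIRS.values():
        (Path(root) / sub).mkdir(parents=True, exist_ok=True)
        for name, data in original.items():
            (Path(root) / sub / name).write_bytes(data)
    # b.dll: only the live copy changed. c.dll: every copy changed.
    (Path(root) / COPY_DIRS["live"] / "b.dll").write_bytes(b"changed b")
    for sub in COPY_DIRS.values():
        (Path(root) / sub / "c.dll").write_bytes(b"changed c")
    return {n: hashlib.sha256(d).hexdigest() for n, d in original.items()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, verdict in audit(tmp, build_demo(tmp)).items():
            print(f"{name}: {verdict}")
```

The baseline has to come from somewhere the machine being audited cannot write to, since the Dllcache and ServicePackFiles copies are exactly what section 5 changes.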