In-depth discussion of XP Windows file protection

  
When you install an application and Windows unexpectedly crashes, the most likely cause is that the application overwrote key Windows system files. Once such a file has been modified, the result is unpredictable: the system may keep working, produce some errors, or crash completely. Fortunately, Windows 2000, XP, and Server 2003 use a mechanism called Windows File Protection (WFP) that prevents critical system files from being overwritten. In this article, I will explain what WFP is and how it works. I also want to show you how to modify or override the behavior of WFP. (Note: Although WFP operates the same way on Windows 2000, XP, and Server 2003, the information in this article, including the registry entries and SFC syntax, is for XP.)

How Windows File Protection works
WFP is designed to protect the contents of the Windows folders. Rather than blocking all modifications to those folders, WFP protects specific file types, such as SYS, EXE, DLL, OCX, FON, and TTF; a registry key determines which file types are protected. When an application attempts to replace a protected file, WFP checks the digital signature of the replacement file to determine whether it comes from Microsoft and is the correct version. If both conditions are met, the replacement is allowed. Under normal circumstances, the things that are allowed to replace system files are Windows service packs, hotfixes, and operating system upgrades; system files can also be replaced by Windows Update or by the Windows Device Manager/Class Installer. If the two conditions are not both met, the protected file is still replaced by the new file, but it is soon replaced again by the correct file. When this happens, Windows copies the correct version of the file from the Windows installation CD or from the DLLCache folder on your computer. WFP does not protect files only by refusing modifications; it also refuses to let them be deleted.

To see WFP in action, open the \WINDOWS\SYSTEM32 folder and rename the file CALC.EXE to CALC.OLD. When you do this, a message warns you that changing the file's extension may make it unusable. Click Yes to confirm the warning. Now wait a few minutes and press F5 to refresh the view of the file system; the replacement may take some time to complete. When the file is eventually replaced, Windows writes a corresponding record to the event log.

One thing to note about WFP is that it is very tightly integrated with the Windows Installer. Whenever the Windows Installer needs to install a protected file, it hands the file over to WFP instead of trying to install it itself. WFP then determines whether the installation is allowed.

System File Checker
Although automatic file replacement saves time, there are situations where manual intervention is required. For example, you may not want to wait for WFP to notice that a protected file has been replaced. Fortunately, you can control WFP manually with a tool called System File Checker (SFC). SFC is a command-line tool that must be run from a command prompt window. Its syntax is:

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/REVERT] [/PURGECACHE] [/CACHESIZE=x]

The /SCANNOW option tells SFC to scan all protected system files immediately. If an incorrect file version is found during the scan, the wrong version is replaced with Microsoft's correct version. Of course, this means you may have to have the Windows installation CD, the latest service pack, or an upgrade patch on hand. The /SCANONCE parameter tells WFP to scan the protected system files the next time the system boots. Any wrong files are replaced by the correct version during the scan. As the name of this parameter implies, this scan is done only once: after that startup the system returns to normal and SFC no longer runs at boot. The /SCANBOOT parameter is similar to /SCANONCE. The difference is that SCANONCE scans protected files only the next time Windows starts, while SCANBOOT scans system files every time Windows starts. Both parameters replace wrong system files if needed, which may require you to provide a copy of the correct file version. The /REVERT option is used to turn off these startup scans. For example, suppose you used the SCANBOOT option to scan the protected files each time the system boots. As you can imagine, this increases the total time the computer takes to start up. Eventually you may tire of the long startup time and want to turn the scan off: simply use SFC /REVERT to stop SFC from running at startup. Be cautious with the /PURGECACHE option.
Earlier I explained that Windows uses a cache folder to hold backups of the correct versions of the various system files. If you run the SFC /PURGECACHE command, this file cache is emptied and those backup files are deleted. The command also causes Windows to start scanning the protected files and to rebuild the file cache as it scans. Of course, this may mean that you must provide Windows with the Windows installation CD or a system file upgrade. The last SFC option is /CACHESIZE=x. There is a lot of contradictory information about the default size of the file cache. At the time of this writing, I found that three different Microsoft Knowledge Base articles each specify a different default size. One article recommends a file cache size of 50 MB, another recommends 300 MB, and a third states that the size should be unlimited. In practice the default value does not matter much, because you can use the CACHESIZE option to change the size of the file cache to suit your needs. To use it, type SFC /CACHESIZE=x, where x is the number of megabytes you want to allocate to the file cache. After specifying the new file cache size, you must reboot the system and run the SFC /PURGECACHE command.

Controlling WFP and SFC through the registry
Earlier I explained that the registry controls the general behavior of WFP. You can modify several different registry values to control that behavior. Some of these values are changed directly whenever you run SFC, while others control lower-level settings, such as the location of the file cache or of the installation files. Modifying the registry can be dangerous: if you make a mistake, you can crash Windows or damage your applications, so I highly recommend making a full backup of the registry before trying any of the techniques described in this section. To access the SFC registry values, type the REGEDIT command in the Run box. This opens the Registry Editor; now browse the registry tree to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

The Winlogon key is generally used to control various startup options. Because many of the SFC options control whether SFC runs at startup, Microsoft placed the SFC-related values under this key.

SFCDisable
This registry value controls whether SFC is enabled or disabled. In fact, you can get four different behaviors simply by changing its DWORD value. The default DWORD value is 0, which enables SFC; usually you do not need to change it. However, you can change the value from 0 to 4 to keep SFC active but suppress its pop-up dialogs. If you attach a kernel debugger, you should turn SFC off. To do so, change the DWORD value to 1, which disables SFC and prompts you at each startup to enable it again. You can also turn SFC off by setting the DWORD value to 2. This option turns SFC off only for the next startup. You are not offered the option to enable SFC again, because it is enabled again automatically at the following startup.

SFCScan
Earlier I explained the SCANONCE, SCANBOOT, and REVERT options of SFC. Whenever you use these options, SFC is actually modifying the SFCScan registry value. You can modify this value yourself by changing its DWORD data. The default value is 0, which means that protected files are not scanned at startup; this setting is equivalent to running SFC /REVERT. Changing the DWORD value to 1 means the protected files are scanned at every startup; setting SFCScan to 1 is equivalent to running SFC /SCANBOOT. Finally, setting the DWORD value to 2 tells SFC to scan the protected files at the next startup, but not at future startups; this is equivalent to running SFC /SCANONCE.

SFCQuota
The SFCQuota registry value controls the size of the SFC file cache. As you may recall, when I discussed the SFC /CACHESIZE=x command, I mentioned that the documented default size of the file cache is inconsistent. On my system, however, the DWORD value of SFCQuota defaults to 0xffffffff. According to the Microsoft Knowledge Base, this value corresponds to a file cache size of 300 MB. The same Knowledge Base article states that by setting this value to FFFFFFFF, you cache all protected system files.

SFCDllCacheDir
Earlier I explained that Windows uses the DLLCACHE folder as the place where backup copies of system files are stored. Normally, this folder is located in the \Windows\SYSTEM32 directory, but by modifying the SFCDllCacheDir registry value you can change the location of the file cache folder. The only thing to note is that you must specify a path that already exists on your local hard drive. In Windows 2000, you can specify a network share as the path to DLLCACHE, but this option is not available in Windows XP.

SFCShowProgress
Another SFC-related registry value is SFCShowProgress. You can set its DWORD value to 0 or 1. The default value is 0, which disables the display of SFC's progress. Setting the value to 1 allows SFC to show its progress.

Source File Location
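The following Python script is an added example, not code from the original article: it parses the text of a `reg export` of the Winlogon key (a constructed sample is embedded) and decodes the SFCDisable, SFCScan, SFCQuota, SFCDllCacheDir and SFCShowProgress values using the meanings given in the sections above, flagging settings that weaken WFP, such as SFC switched off or the DLL cache pointed outside SYSTEM32. The default cache location assumed for an absent SFCDllCacheDir is %SystemRoot%\system32\dllcache.

```python
import re

# Constructed sample of `reg export` output for the Winlogon key (not from a real host):
# SFC has been turned off and the DLL cache pointed at a non-default folder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:00000001
"SFCScan"=dword:00000002
"SFCQuota"=dword:ffffffff
"SFCDllCacheDir"="D:\\Stash\\dllcache"
"SFCShowProgress"=dword:00000000
'''

# Meanings of the DWORD values as described in the article.
SFC_DISABLE = {0: "enabled (default)", 1: "disabled; prompt to re-enable at each boot",
               2: "disabled for the next boot only", 4: "enabled, pop-up dialogs suppressed"}
SFC_SCAN = {0: "no scan at startup (SFC /REVERT)", 1: "scan at every boot (SFC /SCANBOOT)",
            2: "scan at next boot only (SFC /SCANONCE)"}
DEFAULT_CACHE_DIR = r"%SystemRoot%\system32\dllcache"  # assumed default when the value is absent
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg_values(text):
    """Return {name: int | str} for the dword and string values in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            name, dword, string = m.groups()
            # .reg files double every backslash inside quoted strings; undo that.
            values[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return values

def audit_wfp(values):
    """Decode the SFC values; return a list of (setting, meaning, is_suspicious)."""
    findings = []
    disable = values.get("SFCDisable", 0)
    findings.append(("SFCDisable", SFC_DISABLE.get(disable, f"unknown value {disable}"),
                     disable not in (0, 4)))  # 1 or 2 means WFP is switched off
    scan = values.get("SFCScan", 0)
    findings.append(("SFCScan", SFC_SCAN.get(scan, f"unknown value {scan}"), scan not in SFC_SCAN))
    quota = values.get("SFCQuota", 0xFFFFFFFF)
    findings.append(("SFCQuota", "cache all protected files (0xffffffff)" if quota == 0xFFFFFFFF
                     else f"cache limited, quota 0x{quota:08x}", quota != 0xFFFFFFFF))
    cache_dir = values.get("SFCDllCacheDir", DEFAULT_CACHE_DIR)
    findings.append(("SFCDllCacheDir", cache_dir, "system32" not in cache_dir.lower()))
    shown = values.get("SFCShowProgress", 0) == 1
    findings.append(("SFCShowProgress", "progress shown" if shown else "progress hidden (default)", False))
    return findings
```

On a real XP host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, read the file (it is written as UTF-16) and pass its text to parse_reg_values, then print the findings from audit_wfp.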
Earlier I explained how WFP and SFC work and pointed out that under certain conditions you may have to provide the Windows installation CD or a valid source file. However, by modifying the registry, you can specify a source file directory to Windows so that it does not need to prompt you for these files. This registry value is in a different part of the registry. You must find the following key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup

Once you have found this location, you can specify the location of the Windows system files using a drive letter and path or a UNC path. The requirement for using this setting is that you must place the files in a directory called I386. For example, if your Windows system files are in a directory called C:\I386, then you only need to specify the path C:\ in the registry, because Windows assumes that the I386 directory exists there. Similarly, if you plan to use a UNC share, the I386 folder must exist in the shared directory. For example, if the directory you plan to share is named FILES, you need to put the I386 folder
Copyright © Windows knowledge All Rights Reserved