Take An In-Depth Look At XP’s Windows File Protection
How Windows File Protection works
WFP is designed to protect the contents of the Windows folder. Rather than preventing any modifications to the entire folder, WFP protects specific file types, such as SYS, EXE, DLL, OCX, FON, and TTF. Registry entries control the file types that WFP protects.
When an application attempts to replace a protected file, WFP checks the replacement file’s digital signature to see if Microsoft signed the file and to see if the file is the correct version. If both of these conditions check out, then the replacement is allowed. Normally, the only types of files that are allowed to replace system files are those included with Windows service packs, hot fixes, and operating system upgrades. System files can also be replaced by Windows Update or by the Windows Device Manager/Class Installer.
If either condition fails, the new file still replaces the protected file, but WFP soon overwrites it with the correct version, pulling that copy either from the Windows installation CD or from the computer’s DLLCache folder.
Windows File Protection doesn’t just protect files against modification—it also protects them against deletion. To see WFP in action, navigate to the \WINDOWS\SYSTEM32 folder and rename CALC.EXE to CALC.OLD. When you do, you’ll see a message indicating that changing the file’s extension may make the file unusable; acknowledge the warning by clicking Yes. Now wait a few minutes and press F5 to refresh your view of the folder, since the replacement can take some time. When the file is eventually restored, Windows lets you know by writing an entry to the Event Log.
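A defender’s integrity check modelled on the restore logic described above, added here as an example that is not part of the original article: it compares the protected file types in a system32 directory against the DLLCache copies WFP would restore from, and flags files that were modified, deleted, or have no cached copy at all. The directory layout and file contents are constructed for the demo; on a real XP machine you would point it at %SystemRoot%\system32 and its dllcache subfolder.

```python
import hashlib
import os
import tempfile

# File types the article lists as WFP-protected (XP keeps the real list in the registry).
PROTECTED_EXTENSIONS = {".sys", ".exe", ".dll", ".ocx", ".fon", ".ttf"}

def is_protected(name):
    return os.path.splitext(name)[1].lower() in PROTECTED_EXTENSIONS

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_protected_files(system32_dir, dllcache_dir):
    """Map each protected-type file to 'ok', 'modified', 'missing' (only the DLLCache
    copy is left, so WFP would restore it) or 'uncached' (WFP would need the CD)."""
    results = {}
    for name in os.listdir(system32_dir):
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path) or not is_protected(name):
            continue  # skips subdirectories (dllcache itself) and unprotected types
        cached = os.path.join(dllcache_dir, name)
        if not os.path.isfile(cached):
            results[name] = "uncached"
        elif sha256_of(path) == sha256_of(cached):
            results[name] = "ok"
        else:
            results[name] = "modified"
    for name in os.listdir(dllcache_dir):  # cached files that vanished from system32
        if is_protected(name) and name not in results:
            results[name] = "missing"
    return results

def demo():  # constructed layout mirroring the article's CALC.EXE -> CALC.OLD experiment
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        cache = os.path.join(sys32, "dllcache")  # XP keeps DLLCache under system32
        os.makedirs(cache)
        files = {  # constructed placeholder contents, not real binaries
            (cache, "calc.exe"): b"calc-v5.1", (sys32, "calc.old"): b"calc-v5.1",
            (sys32, "notepad.exe"): b"tampered", (cache, "notepad.exe"): b"notepad-v5.1",
            (sys32, "shell32.dll"): b"shell32", (cache, "shell32.dll"): b"shell32",
            (sys32, "vendor.ocx"): b"no cache copy", (sys32, "readme.txt"): b"unprotected",
        }
        for (folder, name), data in files.items():
            with open(os.path.join(folder, name), "wb") as f:
                f.write(data)
        return audit_protected_files(sys32, cache)
```

Running demo() reports calc.exe as missing (the renamed CALC.OLD is not a protected type, but its cached copy is still there for WFP to restore), notepad.exe as modified, shell32.dll as ok and vendor.ocx as uncached.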
An interesting side note about WFP is that it works closely with Windows Installer. Any time Windows Installer needs to install a protected file, it hands the file off to WFP rather than installing the file itself; WFP then makes the judgment call as to whether to allow the installation. [Continued...] [ Brien M. Posey, MCSE ]
