Windows File Protection prevents changes from being made to certain protected system files. In the event one of these files is changed, a backup copy of the file is restored from a special repository. The exact list of files that are protected, however, can be a bit mysterious.
The freeware program WFPQuery.exe (available from
Wildcards need to use a full path to be effective. For instance, if you pass the command
you would see a report that contained all files that matched that wildcard, and an indication of whether or not they were protected by WFP. The program does not traverse directories, however, so you cannot pass a pathname and have the program check everything that matches that wildcard under that folder.
Aside from simply providing a manifest of all protected files, the program can be used to determine if files known to be harmful—viruses or spyware—have been tagged as protected. Some such programs force themselves to be tagged as protected system files to avoid being removed automatically. To delete such a protected file, the user needs to boot into Safe Mode and delete the file from both the system directory and the Windows File Protection repository (the %SYSTEMROOT%System32DllCache directory.) The backup file in the cache should be removed first.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out his Windows 2000 blog for his latest advice and musings on the world of Windows network administrators – please share your thoughts as well!
This was first published in September 2004