IT administrators know that things can go horribly wrong with Windows if critical system files are accidentally replaced with incorrect versions or replaced by malicious code. To help reduce the chances of this happening, Microsoft has created the Windows File Protection Service.
When a system file is modified, the Windows File Protection Service checks that the modified file is the correct version, to protect against system failure. If the version is incorrect, or if Windows can't verify the file's authenticity, Windows displays the following error message:
A file replacement was attempted on the protected system file filename. To maintain system stability, the file has been restored to the correct Microsoft version. If problems occur with your application, please contact the application vendor for support.
Once this error has been triggered, two things happen.
- Windows writes an entry to the system log as a means of documenting what just happened.
- Windows restores the file to the correct version. Initially, Windows checks the DLL cache to see if it contains a valid copy of the file. Often, though, the DLL cache is too small to contain all of the system files, so Windows may prompt you to insert the Windows XP installation CD or the latest service pack CD instead.
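The system log entry mentioned above is the one place a WFP restore leaves a durable record, so it is worth being able to pull those entries out in bulk rather than scrolling Event Viewer. The following is an added example, not code from the original article: a Windows PowerShell function that reads the System log with the classic Get-EventLog cmdlet and returns the Windows File Protection restore events, extracting the affected file name from each message. It assumes the event source is named 'Windows File Protection', as it is on Windows XP and Server 2003, and that the message text contains the phrase "protected system file" as quoted above.

```powershell
# Added example (not from the original article): list Windows File Protection
# restore events from the System log so repeatedly replaced files stand out.
# Assumptions: Windows PowerShell on a WFP-era system (XP/2003) where the
# event source is 'Windows File Protection'; Get-EventLog is the classic
# cmdlet, so this also works on older PowerShell versions.

function Get-WfpRestoreEvent {
    param(
        [int]$Days = 30,             # how far back to look
        [string]$ComputerName = '.'  # '.' = local machine
    )

    $since = (Get-Date).AddDays(-$Days)

    Get-EventLog -LogName System -ComputerName $ComputerName -After $since |
        Where-Object {
            $_.Source -eq 'Windows File Protection' -and
            $_.Message -match 'protected system file'
        } |
        ForEach-Object {
            # The message reads "...on the protected system file <path>. This file
            # was restored..."; capture the path up to the sentence-ending period.
            $file = ''
            if ($_.Message -match 'protected system file (.+?)\.\s') {
                $file = $Matches[1]
            }
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                EventId = $_.EventID
                File    = $file
                Message = $_.Message
            }
        }
}

# Usage: which protected files were restored most often in the last 90 days.
Get-WfpRestoreEvent -Days 90 |
    Group-Object File |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

A file that shows up repeatedly is the interesting case: either an installer keeps trying to overwrite it, or something on the machine keeps putting back a version WFP refuses to accept, which is exactly the situation the manual checks described next are for.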
As you can imagine, the Windows File Protection Service goes a long way toward protecting a system's integrity. Unfortunately, it only checks system files for authenticity at certain times, and not every time they are accessed. But there is a way you can invoke a system file check manually to verify a file's authenticity.
Note that not every Windows system file is protected. Some files, such as INI files, are regularly updated through the course of normal operations. Windows protects files that use the following extensions: .EXE, .DLL, .SYS, .OCX, .TTF and .FON. Also keep in mind that only files that are a part of Windows are protected. Applications often create files that use these extensions, but such files are not protected.
Scanning protected operating system files involves using Microsoft's command-line tool called the System File Checker. Unlike many other Windows command-line tools, the syntax for using System File Checker is extremely simple. To perform an immediate scan, enter the following command:
You can also tell System File Checker to scan your system files at the next reboot by entering this command:
Or you can have System File Checker scan the system files at every boot, although doing so significantly slows down the boot process. To do that, enter this command:
The System File Checker initially checks the DLL cache for valid versions of the system files. However, the DLL cache is a favorite target for malicious software. If your system is infected, you can force the System File Checker to completely delete the contents of the DLL cache and then repopulate the cache with known good files from the Windows installation CD. The command to do that is:
Sometimes the DLL cache may be too small to contain all of the system files that you would like to cache. You can, however, use System File Checker to adjust the cache size. To do that, enter this command:
In this case, the cache size is entered in megabytes but in hexadecimal format. If you wanted to set the cache size to 200 MB, enter the following command:
The easiest way to convert the cache size from megabytes to a hexadecimal representation is to use the Windows Calculator found on the Programs | Accessories menu. When the calculator opens, select the Scientific option from the View menu. Make sure the DEC option is selected, and then type in the number of megabytes that you would like to use for your cache size. Now, click the Hex button, and the number will be converted to hexadecimal format.
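The calculator step can be skipped entirely by letting PowerShell do the hexadecimal conversion, and the same wrapper can issue each of the System File Checker operations described above. The following is an added example, not code from the original article: the switch names it uses (/scannow, /scanonce, /scanboot, /purgecache, /cachesize=, /revert) are the Windows XP SFC switches as I know them, since the article itself does not list them, and the cache size conversion follows the article's rule that the value is given in megabytes written in hexadecimal.

```powershell
# Added example (not from the original article): a wrapper around SFC.EXE that
# builds the switch for each operation described in the text and converts the
# cache size from megabytes to hexadecimal, replacing the calculator step.
# Assumptions: the switch names are the Windows XP SFC switches as I know them
# (the article does not list them); SFC must be run from an administrator session.

function ConvertTo-SfcCacheSize {
    # SFC takes the cache size in megabytes written as hexadecimal, e.g. 200 -> "C8".
    param([Parameter(Mandatory=$true)][int]$Megabytes)
    if ($Megabytes -lt 0) {
        throw "Cache size must be a non-negative number of megabytes."
    }
    return ('{0:X}' -f $Megabytes)
}

function Invoke-Sfc {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('ScanNow','ScanOnce','ScanBoot','PurgeCache','CacheSize','Revert')]
        [string]$Action,
        [int]$CacheSizeMB,   # only used with -Action CacheSize
        [switch]$DryRun      # print the command line instead of running it
    )

    # $switch is an automatic variable inside switch blocks, so use another name.
    $sfcSwitch = switch ($Action) {
        'ScanNow'    { '/scannow' }     # scan immediately
        'ScanOnce'   { '/scanonce' }    # scan at the next reboot
        'ScanBoot'   { '/scanboot' }    # scan at every boot (slows startup)
        'PurgeCache' { '/purgecache' }  # empty the DLL cache and repopulate from media
        'Revert'     { '/revert' }      # back to the default configuration
        'CacheSize'  {
            if (-not $PSBoundParameters.ContainsKey('CacheSizeMB')) {
                throw "-CacheSizeMB is required with -Action CacheSize."
            }
            '/cachesize=' + (ConvertTo-SfcCacheSize -Megabytes $CacheSizeMB)
        }
    }

    $cmdLine = "sfc.exe $sfcSwitch"
    if ($DryRun) { return $cmdLine }

    # Keep a note of what was run so the change can be undone with /revert later.
    Write-Verbose "Running: $cmdLine"
    & sfc.exe $sfcSwitch
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "sfc.exe exited with code $LASTEXITCODE"
    }
}

# Usage (dry run prints the command line that would be executed):
Invoke-Sfc -Action CacheSize -CacheSizeMB 200 -DryRun   # sfc.exe /cachesize=C8
Invoke-Sfc -Action ScanNow -DryRun                      # sfc.exe /scannow
```

Running with -DryRun first is a cheap way to confirm the hexadecimal value before changing the cache size, and the Revert action maps onto the SFC /REVERT command the article recommends for undoing a mistake.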
To conclude, when you are manually adjusting the System File Checker's behavior, remember that a mistake is easy to fix: simply enter the SFC /REVERT command and the System File Checker will return to its default configuration.
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinComputing.com and other TechTarget sites.
This was first published in October 2007