Windows 2000 WFP


Jim Nugent

In all my W2k research, I have never come across what it is (catalog?
database?) that WFP consults to determine if a system file is the "correct
one." Obviously, msi files have to update this information since they are
allowed to replace these files.

But how can I repair it if something goes wrong? For example, if I were to
do an sfc /scannow right now, I believe it would "break" some hot fixes by
undoing some file replacements. I'd like to tell it what I believe to be the
correct files. How do I do that?
 
When updates are installed the \servicepackfiles and \dllcache folders are
updated with the new versions. SFC pulls from these.

http://www.microsoft.com/resources/...p/all/proddocs/en-us/system_file_checker.mspx
http://www.microsoft.com/resources/...ll/proddocs/en-us/system_file_protection.mspx


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

:
| In all my W2k research, I have never come across what it is (catalog?
| database?) that WFP consults to determine if a system file is the "correct
| one." Obviously, msi files have to update this information since they are
| allowed to replace these files.
|
| But how can I repair it if something goes wrong. For example, if I were to
| do an sfc /scannow right now, I believe it would "break" some hot fixes by
| undoing some file replacements. I'd like to tell it what I believe to be the
| correct files. How do I do that?
| --
| Jim
| "Be right back... Godot"
|
|
 
Thanks, Dave.
It sounds like WFP simply consults the dllcache and servicepackfiles
directories. Thinking that to be rather non-robust, I decided on an
experiment -- dropping a replacement file into dllcache. But first I just
wanted to verify that things were working properly: I made a copy of
notepad.exe on my desktop, and renamed it to calc.exe. Then copied and
pasted the "bogus" calc.exe into c:\winnt\system32.

1. It stayed there, and clicking on it brought up notepad.
2. It copied the bogus calc.exe into dllcache!

I noted that if I DELETE the file from system32, it will pull it from
dllcache, but not if I replace it. Assuming malware or a misguided install
tries to replace a system file, I find this behavior analogous to the
following:

1. WFP does not restore modified system file = watchdog is sound asleep.

2. WFP(?) copies modified file into dllcache = watchdog comes running to
thief with your wallet in its mouth.

What am I missing? Do you have to run SFC to get WFP to act?
--
Jim
"Be right back... Godot"

 
:
<snip>
| 1. It stayed there, and clicking on it brought up notepad.
| 2. It copied the bogus calc.exe into dllcache!
* Never heard this one before. When I get some time this weekend I'll check
it out.

<snip>
| What am I missing? Do you have to run SFC to get WFP to act?
* Generally yes


--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
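
Jim's experiment above left the same replaced calc.exe in both system32 and dllcache, so comparing the two directories with each other would report nothing wrong. As an added example (not part of the original thread, and not how WFP or SFC work internally), this sketch checks both copies against an independently stored baseline of hashes; the function names, status labels and temporary directories are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, or None if it is missing."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None


def build_baseline(system_dir, names):
    """Record known-good hashes; keep the result somewhere the host cannot write."""
    return {name: sha256_of(system_dir / name) for name in names}


def audit(baseline, system_dir, cache_dir):
    """Compare the live and cached copy of each file against the baseline."""
    report = {}
    for name, good in baseline.items():
        live, cached = sha256_of(system_dir / name), sha256_of(cache_dir / name)
        if live == good:
            report[name] = "ok" if cached == good else "cache_suspect"
        elif cached == good:
            report[name] = "restorable"     # cache still holds the good copy
        elif live is not None and live == cached:
            report[name] = "both_replaced"  # the outcome described in the thread
        else:
            report[name] = "unrecoverable"
    return report


def demo():
    """Run the audit on constructed stand-ins for system32 and dllcache."""
    names = ["calc.exe", "notepad.exe", "write.exe"]
    with tempfile.TemporaryDirectory() as tmp:
        system32, dllcache = Path(tmp, "system32"), Path(tmp, "dllcache")
        for d in (system32, dllcache):
            d.mkdir()
            for name in names:
                (d / name).write_bytes(b"original " + name.encode())
        baseline = build_baseline(system32, names)
        # Constructed tampering: calc.exe replaced in both places, as in the experiment.
        for d in (system32, dllcache):
            (d / "calc.exe").write_bytes(b"notepad bytes")
        (system32 / "write.exe").unlink()  # deleted from the live directory only
        return audit(baseline, system32, dllcache)


if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is taken from a known-good state and stored where a process on the audited machine cannot rewrite it.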
 