JSI Tip 5133. How can I verify that Windows File Protection is working?

Windows file protection protects all the .sys, .dll, .exe, and ocx files, as well as some TrueType fonts, that were shipped with Windows.

Microsoft ships minesweeper (%systemRoot%\System32\Winmine.exe) with Windows and using it to verify that WFP is running is it's best use:

1. Open Windows Explorer and navigate to %systemRoot%\System32.

2. Right-click the Winmine.exe file and press Rename.

3. Type Winmine.sav and press Enter.

4. Go get a cup of coffee, a coke, or a smoke.

5. Press ALT+V+R to refresh the Windows Explorer display and scroll down to Winmine.sav.

If Winmine.exe is their, WFP is working.

NOTE: If you check your System Event log, you should have:

Source:      Windows File Protection 
Event ID:    64002
Description: File replacement was attempted on the protected system file %SystemRoot%\system32\winmine.exe.
             This file was restored to the original version to maintain system stability.
             The file version of the system file is 5.0.2135.1.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.