Guard System Files on Windows 2000

Windows 2000 comes with the ability to monitor its critical system files and protect those files from being changed or deleted. But did you know a Registry key controls the functionality of Win2K's system file checker protection?

Microsoft article Q222473 details five values that reside under the familiar Winlogon key. One of those values, SFCDisable, controls whether the system file checker is disabled and how the system reacts if it is disabled. The article lists four possible settings: 0, 1, 2, and 4 (I don't know what a value of 3 does) and defines the effect of setting SFCDisable to each of them. But there is an undocumented setting available to users who realize it exists.

Jeremy Collake ([email protected]) recently pointed out on the NTBugTraq mailing list that setting SFCDisable to a value of 0xffffff9d causes Win2K to disable system file checking without showing any prompt on the screen to indicate that status. Be aware that disabling the file system checker in this manner does create a new event in the Event Log. The event has ID 64032 and comes from the "Windows File System" with message text stating "Windows File Protection is not active on this system." Also be sure to check Support Online article Q254563.
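An added audit script (not part of the original article) that reads the SFCDisable value, flags the undocumented 0xffffff9d setting, and scans an Event Log text export for event ID 64032. It assumes the Winlogon key path is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and that the export is tab-separated in the constructed layout shown; the sample rows are made up for illustration.

```python
"""Audit SFCDisable and look for the Windows File Protection Event Log symptom."""

try:
    import winreg  # Windows-only standard-library module
except ImportError:  # off-Windows only the pure-Python checks run
    winreg = None

# Key under which Q222473 documents the SFCDisable value (assumed path).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SILENT_DISABLE = 0xFFFFFF9D   # undocumented value noted on NTBugTraq
DOCUMENTED = {0, 1, 2, 4}     # settings Q222473 lists
WFP_EVENT_ID = 64032
WFP_MESSAGE = "Windows File Protection is not active on this system."

def interpret_sfcdisable(raw):
    """Classify a REG_DWORD SFCDisable value; None means the value is absent."""
    if raw is None:
        return "absent: WFP enabled (default)"
    value = raw & 0xFFFFFFFF      # normalise signed and unsigned DWORD forms
    if value == 0:
        return "0: WFP enabled (default)"
    if value == SILENT_DISABLE:
        return "0xffffff9d: WFP silently disabled (undocumented value)"
    if value in DOCUMENTED:
        return f"{value}: documented non-default setting, see Q222473"
    return f"0x{value:08x}: unrecognised value, investigate"

def read_sfcdisable():
    """Read SFCDisable from HKLM; None if the value or winreg is unavailable."""
    if winreg is None:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        try:
            data, kind = winreg.QueryValueEx(key, "SFCDisable")
        except FileNotFoundError:
            return None
    return data if kind == winreg.REG_DWORD else None

# Constructed sample export: date, time, source, type, event ID, message.
SAMPLE_EXPORT = (
    "1/15/2000\t9:02:11 AM\tWindows File System\tInformation\t64032\t"
    "Windows File Protection is not active on this system.\n"
    "1/15/2000\t9:02:40 AM\tService Control Manager\tInformation\t7035\t"
    "The Messenger service was successfully sent a start control.\n"
)

def find_wfp_disabled_events(export_text):
    """Return rows whose event ID is 64032 and whose message matches the WFP warning."""
    hits = []
    for line in export_text.splitlines():
        fields = line.split("\t")
        if len(fields) >= 6 and fields[4] == str(WFP_EVENT_ID) and WFP_MESSAGE in fields[5]:
            hits.append(fields)
    return hits

if __name__ == "__main__":
    print("SFCDisable:", interpret_sfcdisable(read_sfcdisable()))
    print("WFP-disabled events:", len(find_wfp_disabled_events(SAMPLE_EXPORT)))
```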

