Q: Do Windows OSs include a mechanism to block malware from overwriting important system files?

A: Yes, Windows includes a mechanism that can prevent the intentional or unintentional replacement of important system files, though it's interesting to note that this mechanism was originally meant to assure OS integrity and to increase the robustness of the Windows OS, rather than for security. The mechanism, called Windows File Protection (WFP), was introduced in Windows 2000. In Windows Me, WFP was called System File Protection. In Windows Vista and Windows Server 2008, Microsoft replaced WFP with a similar protection mechanism called Windows Resource Protection (WRP).

The primary purpose of WRP remains the same as WFP: to prevent third-party installers from modifying resources that are critical to the Windows OS’s stability. But WRP is more powerful than WFP, because in addition to critical system files it also protects important registry keys and folders.

The logic underlying WRP is different from the logic used by WFP. Windows File Protection uses a service called the System File Protection service. When this service detects changes to critical system files, it automatically restores the modified file from a cached copy located in a compressed folder in the Windows directory, \System32\dllcache. WRP doesn't use the System File Protection service. Instead it uses Windows' access control engine and the ACLs on Windows resources to detect changes to critical system resources.

Like WFP, WRP keeps copies of files that are critical to system stability and automatically restores these files when they are changed. The location of the critical files cache under WRP is \WinSxS\Backup in the Windows directory.

The only processes that can change a WRP-protected resource are those that install Windows service packs, hotfixes, OS upgrades, and Windows Update files through TrustedInstaller. They get this access because full-control permission on WRP-protected resources is granted only to the Windows Modules Installer service (TrustedInstaller.exe). Any other process that attempts to change a WRP-protected file fails with an access denied error message.

A side effect of WRP is that in Vista and Server 2008, administrators no longer have full rights to system files. Administrators can only modify or replace protected resources if they take ownership of the resources and add the appropriate Access Control Entries (ACEs). By default, the local Administrators group has the SeTakeOwnership right.
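Because WRP enforces protection through ordinary ACLs, its state can be audited with ordinary ACL tools. The following PowerShell function is an added example (not code from the original Q&A): it reads the owner and DACL of each given file and flags any identity other than TrustedInstaller that holds write-class rights. The expected baseline it checks against, owner NT SERVICE\TrustedInstaller and no other write-capable ACE, is this example's assumption about a healthy WRP-protected file; the sample paths are constructed for illustration.

```powershell
# Added example: audit the owner and DACL of WRP-protected files.
# Assumed healthy baseline: owner is NT SERVICE\TrustedInstaller and no
# other identity holds write, delete, take-ownership or change-permission rights.
function Test-WrpAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path,
        [string]$ExpectedOwner = 'NT SERVICE\TrustedInstaller'
    )
    process {
        # Rights that would let a caller replace or re-permission the file
        $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions

        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p)) {
                Write-Warning "Not found: $p"
                continue
            }
            $acl = Get-Acl -LiteralPath $p

            # Allow ACEs granting write-class rights to anyone but the expected owner
            $unexpected = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -ne $ExpectedOwner -and
                (($_.FileSystemRights -band $writeRights) -ne 0)
            })

            $ownerOk = ($acl.Owner -eq $ExpectedOwner)
            [pscustomobject]@{
                Path              = $p
                Owner             = $acl.Owner
                OwnerAsExpected   = $ownerOk
                UnexpectedWriters = ($unexpected | ForEach-Object {
                                        "$($_.IdentityReference): $($_.FileSystemRights)"
                                    }) -join '; '
                Healthy           = $ownerOk -and ($unexpected.Count -eq 0)
            }
        }
    }
}

# Usage (constructed sample paths): two well-known system binaries
Test-WrpAcl -Path "$env:windir\System32\ntoskrnl.exe", "$env:windir\System32\kernel32.dll" |
    Format-Table -AutoSize
```

A file reporting Healthy = False is one whose owner has been taken or whose DACL has been widened, exactly the steps the paragraph above describes an administrator having to perform, so it is worth a closer look when that change was not expected. Get-Acl also works against registry paths (HKLM:\...), but the rights enum there is RegistryRights, so the mask would need adjusting for protected keys.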

WFP and WRP also offer a command-line utility called System File Checker (sfc.exe) that allows administrators to check the integrity of system files and repair modified files. To use System File Checker, run the following commands at an elevated command prompt. To check the integrity of system files without repairing modified files, run

Sfc /verifyonly

To scan for and repair modified system files in a single run, use

Sfc /scannow
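The two commands above print a brief summary to the console; the detailed record of what sfc.exe verified or repaired goes to %windir%\Logs\CBS\CBS.log, tagged with "[SR]". The following PowerShell wrapper is an added example (not code from the original Q&A): it runs a verification pass and summarizes the [SR] lines written during that run. The log location and the [SR] tag are Microsoft's; the keyword patterns used to classify findings, and the leading timestamp format assumed for CBS.log lines, are this example's assumptions.

```powershell
# Added example: run an SFC pass and summarize what it logged to CBS.log.
# Assumptions: CBS.log lines start with "yyyy-MM-dd HH:mm:ss, ..." and sfc's
# own lines carry "[SR]"; the classification keywords are illustrative.
function Invoke-SfcVerify {
    [CmdletBinding()]
    param(
        [switch]$Repair   # use /scannow (verify and repair) instead of /verifyonly
    )
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'sfc.exe must run from an elevated session.'
    }

    $cbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'
    $start  = (Get-Date).AddSeconds(-1)   # small skew allowance
    $mode   = if ($Repair) { '/scannow' } else { '/verifyonly' }

    # sfc prints progress to the console; the log is the record we want
    & "$env:windir\System32\sfc.exe" $mode | Out-Null

    # Keep only [SR] lines whose timestamp falls after this run started
    $entries = @(Get-Content -LiteralPath $cbsLog |
        Where-Object { $_.Length -ge 19 -and $_ -match '\[SR\]' } |
        Where-Object {
            $ts = [datetime]::MinValue
            [datetime]::TryParseExact($_.Substring(0, 19), 'yyyy-MM-dd HH:mm:ss', $null,
                [Globalization.DateTimeStyles]::None, [ref]$ts) -and ($ts -ge $start)
        })

    # Lines worth a human's attention (assumed keywords)
    $findings = @($entries | Where-Object { $_ -match 'Cannot repair|corrupt|Repairing|Repaired' })

    [pscustomobject]@{
        Mode        = $mode
        LinesLogged = $entries.Count
        Findings    = $findings.Count
        Details     = $findings -replace '^.*\[SR\]\s*', ''
        Completed   = [bool]@($entries | Where-Object { $_ -match 'Verify complete' })
    }
}

# Usage: verification only, as with "Sfc /verifyonly"
Invoke-SfcVerify | Format-List
```

Findings = 0 with Completed = True is the clean case. A non-zero Findings count on a verify-only run tells you which protected files differ from the component store before you decide whether to run the repair, and the Details field is what you would attach to an incident ticket. Scanning a large CBS.log can take a while, which is why the timestamp filter rather than a full read into memory is used.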