Windows File Protection (WFP)

Windows File Protection (WFP) is a subsystem in Microsoft Windows that debuted in the Windows 2000 operating system to protect critical system files from modification. Core system programs should not be modified or overwritten, as this could cause complications, especially with dynamic-link libraries (DLLs) and any other applications that could be using them.

Windows File Protection makes use of file signatures and catalog files to check the versions of protected system files. If protected files are modified in an unsupported way, WFP will restore the original version of the program. The core goal of Windows File Protection is to ensure system stability by protecting critical Windows system files (.dll, .ocx, .sys, .exe).

WFP supports the modification of protected files through the following methods:
  • Windows Service Pack installation through Update.exe
  • Installation of hotfixes through Hotfix.exe or Update.exe
  • Operating system upgrades through Winnt32.exe
  • A Windows update
WFP will restore an original version of a program that's updated through any other method.

WFP protects critical system files through two mechanisms:
  1. A mechanism that runs in the background and informs the system of any change to directories of protected files. WFP then checks the signatures of these files to ensure the versions are correct. If they aren't, WFP will restore them from the cache. If WFP can't find the file in the cache, it searches the network path or prompts for other media to restore the correct version of the file.
  2. A System File Checker (sfc.exe) tool scans all protected and catalog files to ensure they are not changed. If they are, Windows File Protection retrieves the cached version.
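
The verify-and-restore flow of the first mechanism, as a simplified model (an added example, not Windows code). It assumes SHA-256 hashes as a stand-in for signed catalog files; the directory names, function names and sample files are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

PROTECTED_EXTENSIONS = {".dll", ".ocx", ".sys", ".exe"}  # file types named in the text

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_catalog(directory):
    """Expected hash per protected file (assumed stand-in for signed catalog files)."""
    return {p.name: sha256(p) for p in directory.iterdir()
            if p.suffix.lower() in PROTECTED_EXTENSIONS}

def verify_and_restore(protected, catalog, sources):
    """Verify each cataloged file; restore a bad one from the first source with a good copy.
    `sources` is searched in order, e.g. [cache, network path, install media]."""
    report = {}
    for name, expected in catalog.items():
        target = protected / name
        if target.is_file() and sha256(target) == expected:
            report[name] = "ok"
            continue
        report[name] = "unrecoverable"
        for source in sources:
            candidate = source / name
            # A source copy is used only if it matches the catalog itself.
            if candidate.is_file() and sha256(candidate) == expected:
                shutil.copy2(candidate, target)
                report[name] = "restored from " + source.name
                break
    return report

def demo():
    """Constructed scenario: one file overwritten, one deleted whose cache copy is stale."""
    root = Path(tempfile.mkdtemp())
    protected, cache, media = root / "system", root / "cache", root / "media"
    for d in (protected, cache, media):
        d.mkdir()
    for name in ("a.dll", "b.sys", "notes.txt"):
        (protected / name).write_bytes(b"original " + name.encode())
    catalog = build_catalog(protected)            # notes.txt is not cataloged
    for name in catalog:
        shutil.copy2(protected / name, cache / name)
        shutil.copy2(protected / name, media / name)
    (cache / "b.sys").write_bytes(b"stale")        # bad cache copy
    (protected / "a.dll").write_bytes(b"tampered")  # unsupported modification
    (protected / "b.sys").unlink()                  # deleted protected file
    return verify_and_restore(protected, catalog, [cache, media])
```

In the constructed scenario, the overwritten file comes back from the cache, while the deleted file falls through to the second source because its cached copy fails verification.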
