System File Protection and Windows Me
A common problem in the history of the Microsoft Windows operating systems has been the ability for shared system files to be overwritten by non-operating-system installation programs. After such changes are made, the user may experience unpredictable system performance, ranging from application errors to operating system crashes. This problem affects several types of files--most commonly dynamic link libraries (.dll) and executable files (.exe).
To improve operating system reliability and stability, Windows 2000/Windows XP and Windows Millennium Edition (Windows Me) prevent the replacement of certain monitored system files. Preventing the replacement of essential system files avoids file version mismatches. From the user's perspective, the operating system protects itself from installing software that might interfere with other applications. In Windows Me, this service is called System File Protection (SFP).
This article provides a general orientation to SFP on Windows Me: How it works, which files are protected, and how protected files are replaced. It also describes how to modify an application or driver installation program to accommodate SFP.
Note: System-file protection is called Windows File Protection (WFP) on Windows XP and Windows 2000. WFP and SFP perform the same service but differ slightly in the way they monitor protected files, which files are protected, and what mechanisms can be used to replace protected files. For information about WFP, see http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx.
On This Page
 | About SFP on Windows Me |
| Which Files Are Protected |
| Replacing Protected Files under Windows Me |
About SFP on Windows Me
Historically, many cases of system instability can be traced to applications that either installed older versions of system files over newer versions, or that installed modified versions of system files without renaming them. In both cases, the newly installed application would break other applications that depended on the later or unmodified version of the file.
SFP on Windows Me protects applications and system behavior by restoring the original, correct version of a system file if a newly installed application has replaced it with an incorrect version. In most application compatibility tests, the application works with the newer version of the system file, so it is not necessary for the application to install the older version.
SFP on Windows Me monitors all attempts to change protected system files, such as replacing or renaming the files. End users cannot disable SFP on Windows Me systems.
The System File Monitor detects attempts to overwrite any system file that is designated as protected. When an attempt is made to change such a file, Windows Me does the following:
1. | Stores a copy of the original file. |
2. | Checks a database of catalog files to determine whether the new version of the file is a valid replacement. |
3. | If the new version of the file is a valid replacement, Windows Me allows the new file to replace the old version.
Otherwise, Windows Me restores the original version of the file silently, without alerting the end user. |
The stored copy of the original file is deleted soon after the file is either replaced or restored.
File corruption does not trigger SFP. If a protected system file becomes corrupted, the end user can replace the corrupted version of the file with a valid copy from the distribution media.
Hardware and software vendors who install drivers and applications on Windows Me systems should keep the following in mind:
| • | Later versions of system files are backward compatible with earlier versions.
A later version of a system file will not break an application that is compatible with an earlier version. This means that a third-party installation program should never need to install an earlier version of a system file. |
| • | System files with earlier version numbers must not overwrite system files with later version numbers.
This preserves the stability of applications that are designed to work with the later version of the file. |
| • | A system file that is modified by a third party must also be renamed.
This ensures that the modified file will persist after installation. If a third-party application installs a modified version of the system file under its original name, SFP will restore the original, unmodified version, which could break the application. |
Which Files Are Protected
Approximately 800 files on the Windows Me distribution media have been identified as critical system files. Deleting any of these files or overwriting them incorrectly could adversely affect Windows Me operating system functionality. A list of protected files is included on the Windows Me product CD in the Windows\System\Restore directory.
Most files that are not protected fall into one of the following general categories:
| • | Component files that might be updated during runtime, such as configuration or INI files |
| • | Data files that might be edited by the user at any point |
| • | CHM, TXT, HTML, WAV, BMP, and similar files |
| • | Driver packages that have been digitally signed |
| • | Third-party files that Microsoft is redistributing on the Windows Me distribution media |
| • | Files that third parties are legally allowed to change |
In general, drivers are not protected through SFP. Instead, drivers in designated device classes are digitally signed, which allows the system to ensure that the driver files being installed have not been modified since the files passed testing by WHQL.
However, any driver that is considered part of the core operating system will be protected if it meets the following criteria:
| • | It is shipped through operating system or Microsoft channels only and is never redistributed by third parties. |
| • | It is upgraded only through an INF and never through a class installer or co-installer. |
| • | It is not legally modifiable by third parties. |
Driver signing and SFP are two different mechanisms that both serve the goal of maintaining a stable and reliable operating system. Microsoft strongly encourages vendors to submit all drivers to WHQL for logo testing and digital signing. For information, see: http://www.microsoft.com/whdc/winlogo/drvsign/digitsign.mspx.
Replacing Protected Files under Windows Me
For hardware and software vendors, a significant effect of SFP is that installation programs can no longer simply overwrite a protected system file with a different version. Vendors should replace only files to which they have exclusive ownership.
Protected system files can be replaced only through the following mechanisms:
| • | A new release of Windows Me |
| • | An authorized interim update, or "hot fix," to Windows Me |
| • | An authorized redistribution pack, which has its own installation program that handles the installation of newer versions of protected files |
Attempting to install system files on Windows Me will not cause an installation program to fail, because SFP permits the files to be copied. However, SFP simply restores the correct versions silently, after installation is complete.
Microsoft recommends that hardware and software vendors prepare their installation programs for Windows Me as follows:
| • | Install system files only through an authorized redistribution pack, by calling the redistribution pack's installer from your installation program. |
| • | If your driver or application relies on a modified version of a system file, rename the file to prevent conflicts with the system's version. |
NOTE: An application can install a private copy of a DLL in the directory with the application's program files. When searching for the DLL, Windows Me searches the application's program file directory first and loads any copy it finds there. However, the private copy might not be compatible with the system copy if both are in memory at the same time, and might cause the application and the system to behave in unpredictable ways.
For information about writing drivers for Windows Me, see the Windows DDK at http://www.microsoft.com/whdc/devtools/ddk/default.mspx.
Call to action for SFP:
| • | For Windows Me, modify installation programs to install only files to which you have exclusive ownership. |
| • | If your application depends on a modified version of a system file, rename the file to prevent version conflicts. |
| • | Submit drivers to the Windows Hardware Quality Labs (WHQL) for testing and digital signing. For information, see:
http://www.microsoft.com/whdc/whql/default.mspx.
For information about driver signing in general, see:
|
| • | For information about WFP for Windows 2000 and Windows XP, see http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx. |