Protecting the System Files


We are all familiar with the problem of an operating system becoming suspiciously unstable after the installation of a new application or a driver or after a system crash. Microsoft has been painfully aware of this problem for some time, and many a technician (whether a Microsoft employee or not) has been forced to instruct a PC user to "reinstall Windows" as the only solution. We all know how much fun that is. If you think Windows operating systems sometimes seem like a house of cards stacked level upon level, waiting for a single *.DLL or other system file to fail, well, you're right. This kind of vulnerability is wholly unacceptable in mission-critical settings, so Microsoft had to come up with preventive measures.

NOTE

Windows XP also supports a new side-by-side DLL feature. This automatic feature keeps track of the DLL versions used by installed applications. If a system update or an application install attempts to change the version of a DLL that is needed by a service or application, XP automatically places a copy of these necessary DLLs in the \Windows\WinSxS folder. Each time an application is launched, XP checks its list to see what version of each required DLL is needed and loads those DLLs into that application's virtual machine. No more "DLL hell." This feature is completely automatic and invisible to the user.


Windows has means for setting up options that prevent the often-unintentional destabilization of the operating system from applications or driver installations or, in the worst case, the introduction of viruses that intentionally alter or overwrite system files. Windows XP's Security Manager and file system work in symphony to help protect critical system files and drivers. Several areas of system functionality help prevent damage from the installation of untested drivers or from modification of system executables such as dynamic link libraries (DLLs). They are as follows:

  • Windows File Protection service: This service is a function of the operating system that continually monitors protected system files, standing guard against attack.

  • System File Signature Verification tool: You can use this command-line executable to check the signatures on your essential system components.

  • System File Checker tool: You can use this command-line executable to verify that system file versions align properly.

The essential (and automatic) portion of this trio is the first one. Windows XP's file protection system is enabled by default, and it prevents the replacement of protected system files. Windows File Protection runs in the background and protects all files installed by the Windows XP setup program: .SYS, .DLL, .OCX, .TTF, .FON, and .EXE files. If one is replaced or altered, by default a dialog box alerts you that a program is attempting to alter a system file.

In Chapter 25, you learned about setting up the three levels of overwrite protection for Windows File Protection: ignoring, warning, or preventing modification of all system files. Here, I'll talk a bit about a standalone utility supplied with Windows XP that you can use to scan for modified files that may have slipped through the detection process.

Running the File Signature Verification Tool

To verify that system files have a digital signature, follow these steps:

1. Choose Start, Run, and then enter sigverif to launch the File Signature Verification tool.

2. Normally, the program searches for any system files not signed, and when you close the program, the results are saved in SIGVERIF.TXT. If you want to search for nonsystem files as well or append to an existing log of found items, click the Advanced button and set up the log file's name, append option, and other related options.

3. Back in the File Signature Verification dialog, choose Start. The tool then checks to see which system files are digitally signed and displays its findings. Typically, you see a message stating that files have been scanned and verified as digitally signed. Otherwise, you'll see a list of files that have not been digitally signed. If you have logging enabled, these search results are also written to SIGVERIF.TXT in the <system root>\Windows directory (by default).
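The same check can be scripted. The following PowerShell script is an added example, not code from the book or from Microsoft's sigverif tool: it walks the file types Windows File Protection covers, asks Get-AuthenticodeSignature for each file's status, and writes every file that does not verify as Valid to a log of its own (the default root, the log name SIGSCAN.TXT, and the PowerShell 2.0-or-later requirement are assumptions of this example).

```powershell
# Added example, not from the book: a PowerShell equivalent of the sigverif scan.
# It checks the Authenticode status of files in the categories Windows File
# Protection covers and writes every file that does not verify to a log.
# Assumes PowerShell 2.0 or later; $Root and $LogPath are constructed defaults.
param(
    [string]$Root    = (Join-Path $env:SystemRoot 'System32'),
    [string]$LogPath = (Join-Path $env:SystemRoot 'SIGSCAN.TXT')   # our own log, not sigverif's SIGVERIF.TXT
)

# File types protected by Windows File Protection, as listed in the text
$protectedTypes = '*.sys', '*.dll', '*.ocx', '*.ttf', '*.fon', '*.exe'

$files = Get-ChildItem -Path $Root -Include $protectedTypes -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$results = @()
$scanned = 0
foreach ($file in $files) {
    $scanned++
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -ne 'Valid') {
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $results += New-Object PSObject -Property @{
            Status = [string]$sig.Status   # NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Path   = $file.FullName
            Signer = $signer
        }
    }
}

# Summary by status; HashMismatch (signed, but contents changed) is the one that points at tampering
"Scanned $scanned files under $Root; $($results.Count) did not verify as Valid"
$results | Group-Object Status | Sort-Object Count -Descending |
    ForEach-Object { "  {0,-22} {1}" -f $_.Name, $_.Count }

# Append the details to the log, one tab-separated line per file
$header = @(
    "Signature scan of $Root at $(Get-Date -Format s)",
    "Scanned: $scanned  Not valid: $($results.Count)",
    ''
)
$lines = $results | Sort-Object Status, Path |
    ForEach-Object { "{0}`t{1}`t{2}" -f $_.Status, $_.Path, $_.Signer }
$header + $lines | Out-File -FilePath $LogPath -Encoding ASCII -Append
"Log written to $LogPath"
```

Read the Status column with one caveat in mind: many Windows system files carry no embedded signature and are instead signed through a catalog, which sigverif consults. Get-AuthenticodeSignature only began reporting catalog signatures on Windows 8 and later, so on older systems a NotSigned result is not by itself evidence of tampering, whereas HashMismatch is worth investigating on any version.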

Using the System File Checker

Another program, closely related to the File Signature Verification tool, is the System File Checker. This tool looks for protected system files and verifies that their version numbers link up with the operating system and that they haven't been replaced or trashed accidentally. The System File Checker is a command-line program that you set up using a keyboard-entered command. It then runs the next time you boot.

NOTE

You must be logged in as a system administrator to run this program.


If the System File Checker discovers that a protected file has been overwritten, it retrieves the correct version of the file from the <systemroot>\system32\dllcache folder and then replaces the incorrect file. It uses the following syntax for program execution:

 sfc [/scanonce] [/scanboot] [/cancel] [/quiet]

The details for these parameters are as follows:

 /scanonce
   Scans all protected system files once.

 /scanboot
   Scans all protected system files every time the computer is restarted.

 /cancel
   Cancels all pending scans of protected system files.

 /quiet
   Replaces all incorrect file versions without prompting the user.
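Because the scan itself does not run until the next boot, it helps to confirm that the request was actually recorded. The PowerShell script below is an added example, not from the book: it runs sfc with the chosen parameter and reads back the scan state from the registry before and after. It assumes, as documented for Windows 2000/XP, that sfc keeps the pending-scan state in the SFCScan value under the Winlogon key (0 = no scan, 1 = every boot, 2 = once); treat that mapping as an assumption and compare it against your own system before relying on it.

```powershell
# Added example, not from the book: queue (or cancel) a System File Checker
# scan and confirm the request was recorded. Run from an administrator
# session, as the text requires.
# Assumption: sfc stores the pending-scan state in the SFCScan value under
# the Winlogon key (0 = none, 1 = every boot, 2 = once), as documented for
# Windows 2000/XP; confirm the mapping on your own build.
param(
    [ValidateSet('scanonce', 'scanboot', 'cancel')]
    [string]$Action = 'scanonce'
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$dllcache = Join-Path $env:SystemRoot 'System32\dllcache'   # default cache sfc restores from

function Get-SfcScanState {
    $value = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).SFCScan
    if ($null -eq $value) { return 'no scan pending (value absent)' }
    switch ($value) {
        0       { 'no scan pending' }
        1       { 'scan at every boot (/scanboot)' }
        2       { 'scan once at next boot (/scanonce)' }
        default { "unrecognised SFCScan value $value" }
    }
}

# Sanity check on the cache folder; it is hidden, so -Force is needed to list it
$cached = @(Get-ChildItem -Path $dllcache -Force -ErrorAction SilentlyContinue).Count
"dllcache: $dllcache ($cached entries)"

"Before: $(Get-SfcScanState)"
& (Join-Path $env:SystemRoot 'System32\sfc.exe') "/$Action"
"After:  $(Get-SfcScanState)"
```

Running the script with no arguments queues a one-time scan; `-Action scanboot` switches to a scan at every restart, and `-Action cancel` clears whichever is pending, which should show up as the state returning to "no scan pending".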

NOTE

What if something or someone has trashed the \system32\dllcache folder? No problem. The sfc /scanonce or sfc /scanboot commands repair the contents of dllcache if it's unreadable.


Windows File Protection, if turned on, normally prevents any kind of intrusion that might result in a corrupted file, at least from an outside source such as a third-party program installation. If all is working as planned, you don't have to worry about running this program or the File Signature Verification program with any regularity. If you want to play it super safe, though, protecting also against microscopic bit loss on the hard disk or crafty hacking, you can use the /scanboot option to check each time you boot. The verification process doesn't take very long to complete.



Special Edition Using Microsoft Windows XP Professional (3rd Edition)
ISBN: 0789732807
Year: 2003
Pages: 450