Windows File Protection

By default, Windows File Protection is always enabled and allows Windows
digitally signed files to replace existing files safely. Currently, signed files are distributed

# Windows Service Packs

# Hotfix distributions

# Operating system upgrades

# Windows Update

# Windows Device Manager

If you introduce a file replacement in any other way, Windows File protection will overwrite your file!

An important part of Windows File Protection is the command line utility:

System File Checker (sfc.exe)

You will often see references to scannow sfc in online newsgroups etc. This is a great tool for troubleshooting Windows XP problems.


How to use scannow sfc...

The main reason for using this utility is when you suspect there may be a problem with a Windows XP system file.

Perhaps you get a dialog box appear informing you of a problem with a .dll file, or your program will just not load! It is therefore worth checking to see if there are any corrupt system files using scannow sfc.

To do this simply go to the Run box on the Start Menu and type in:

sfc /scannow

This command will immediately initiate the Windows File Protection service  to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

The following should appear to give an indication of how long the process is taking.


scannow sfc


In an ideal world that would be the end of the story... Any corrupt, missing or incorrect files would be replaced by this process.

However, things can go wrong and the following guide should help!

The #1 complaint with scannow sfc is the following dialog box appearing:

scannow sfc image

Why does this happen?

Well, in your computer's registry, are several settings that are checked when you run scannow sfc.

As mentioned earlier in this article, the Windows File Protection service constantly monitors for any changes to the main system files. Well Windows XP keeps a cache (copy) of these essential files at the following location:

C:WINDOWS\System32\Dllcache  (assuming C: is your system root which it probably is.)

NB - The dllcache folder is extremely important so Windows XP hides it from you! To view it go to: My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files.

If that's the case on your computer then there is normally no need for the original XP CD to be inserted as your computer has a "copy" it can get hold of in this cache...

But, if the Dllcache folder, or part of it, has become corrupted for some reason then you will be prompted for the XP CD - so your computer can get a clean copy!

Having said that not ALL installations of Windows XP have ALL the system files cached into this folder! You may only have around 50MB of files in this folder under Windows XP depending on the quota settings in the registry. (Under Windows 2003 Server the default is 300MB of system files!)

Annoying, YES! 

Is there a workaround YES!

As well as having a cache of all the system files on your PC, I like to have the I386 folder from the XP CD installed on the computer as well. After doing this I then modify the registry to tell it the source path for these files... Why? Well not only does this prevent 99% of request for the the XP CD with Windows File Protection. But the I386 folder also contains many other files that are sometimes needed by the operating system and this stops those requests for the XP CD too!

NB - With today's large hard drives you are not going to notice this 475 MB folder on your computer, but older systems may not have the space for this...

Step 1

You will need to get your XP CD and locate the folder called:


This is a major folder and should be one of the first you see, now copy this onto your hard drive into the system root. For most of you that is going to be C:\  so you should end up with a folder that looks like:  C:\I386



Step 2

Now you will need to tell your computer you now have the files on your PC. We do this is the registry (type regedit in the Run box on the start menu) by navigating to:


You will see various entries here on the right hand side. The one we want is called:


It probably has an entry pointing to your CD-ROM drive, and that is why it is asking for the XP CD. All we need to do is change it to:


Simply double click the SourcePatch setting and a new box will pop up allowing you to make the change.

Now restart your computer and try scannow sfc again!


Other Problems with scannow sfc...


Has the CD Drive's drive letter changed (perhaps by the addition of another hard drive, partition, or removable drive) since Windows XP was first installed? If so, simply edit the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
to reflect the changed drive letter.

After you restart the computer, WFP and sfc /scannow uses the new source path instead of prompting for the Windows XP installation CD-ROM


Has the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
got an incorrect entry? The SourcePath entry does NOT include the path location till the I386 folder. It completes one folder ahead to reach the I386 folder. 


If the I386 directory is at C:\I386, the SourcePath value would be C:\


If the problem persists and you have the correct path for your I386 folder then the I386 folder is corrupted. To solve this problem copy I386 folder from the CD-ROM to your system restart the system and then
perform sfc /scannow again.


You do not have an XP retail CD with an I386 folder on it. If you have a restore CD from your PC manufacturer then you may have to explore the CD to find the folder.


You still keep being prompted for the XP CD yet you have done all in this article! There is another setting in the registry that may be causing the problem. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

Make sure the entry here is the same path to the I386 folder as used above.


Systems administrators can enforce security policies that may include changes to the Windows File Protection settings. You will need to speak with your network administrator about this, but it is important to bear in mind when Windows starts up, the Windows File Protection service synchronizes (copies) the WFP settings from the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Therefore, if any of the following values are present in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection key, they will take precedence over the same values under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key.

This will not effect scannow sfc so much, but WILL make an impact if any of the other sfc.exe "switches" have been used! (More about these at the end of this article.)


When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD:  SFCShowProgress to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

the values available are: 0 = disabled, 1 = enabled


What about Windows Updates.....

You may be asking yourself how does sfc.exe know how to check for updated Windows system files? Well during OS upgrades, service pack installations etc.. the dllcache folder should be updated with these new files.

As an example the recent Windows XP Hotfix - KB828035 updated the system file wkssvc.dll  A new version of the file was placed in C:\WINDOWS\system32 and a copy in the cache: C:\WINDOWS\system32\dllcache  A copy of the old system file is archived in: C:\WINDOWS\$NtUninstallKB828035$

There is another location the Windows File protection service uses and that is the I386 folder in C:\WINDOWS\ServicePackFiles  When you install a service pack, like SP1. Any new system drivers are cached in this location too.

If you have odd problems with running scannow sfc and nothing else in the article has resolved it, then take a look at the entry in:


This should be pointing to the location C:\WINDOWS\ServicePackFiles (assuming C:\ is the boot drive.)


For those of you who are familiar with sfc.exe under Windows 2000 professional. It is worth noting that the following two options are NOT available under Windows XP.

These are:

sfc /cancel - In Windows 2000, this command immediately cancels all pending scans of protected system files. This option has no effect in Windows XP.

sfc /quiet - In Windows 2000 this sets Windows File Protection to replace any incorrect system files detected with the appropriate version from the dll cache without any user notification. This option has no effect in Windows XP.