If You are Running Windows 2000

Windows 2000, like Windows Millennium, has a protection scheme for system files, though it uses a different mechanism and is called Windows File Protection.

WFP protects system files by running in the background and detecting attempts to replace protected system files. Windows File Protection is triggered after it receives a directory change notification for a file in a protected directory. Once this notification is received, WFP determines which file was changed and, if the file is protected, looks up the file’s signature in a catalogue file to determine whether the new file is the correct Microsoft version. If it is not correct, WFP replaces the file with the correct version from the dllcache directory (\winnt\system32\dllcache). If the file is not found in the dllcache, or if the version in the dllcache doesn’t match what it’s supposed to be according to the catalogue, the user is prompted to insert distribution media (e.g. the Windows 2000 CD). If WFP has been triggered, you will find an entry in the System Log in the Event Viewer program.
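A simplified model of the decision sequence described above, added here as an illustration and not Microsoft's implementation. A SHA-256 digest stands in for the catalogue signature, and the function names, directory layout and file contents are constructed for the example.

```python
import hashlib, os, shutil, tempfile

def digest(path):
    """SHA-256 of a file; stands in for the catalogue signature (assumption)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def on_change(path, catalogue, cache_dir, event_log):
    """Decide what to do after a change notification (simplified model).
    catalogue maps a protected file name to its expected digest."""
    name = os.path.basename(path).lower()
    expected = catalogue.get(name)
    if expected is None:
        return "ignored"                  # not a protected file
    if os.path.exists(path) and digest(path) == expected:
        return "ok"                       # new file is the correct version
    cached = os.path.join(cache_dir, name)
    if os.path.exists(cached) and digest(cached) == expected:
        shutil.copyfile(cached, path)     # put the known-good copy back
        event_log.append(f"restored {name} from cache")
        return "restored"
    event_log.append(f"{name}: cache copy missing or wrong, media required")
    return "need_media"

def demo():
    """Run the model on constructed files in a temporary directory."""
    root = tempfile.mkdtemp()
    system32 = os.path.join(root, "system32")
    cache = os.path.join(system32, "dllcache")
    os.makedirs(cache)
    good = b"constructed known-good contents"
    for d in (system32, cache):
        with open(os.path.join(d, "mfc42.dll"), "wb") as f:
            f.write(good)
    target = os.path.join(system32, "mfc42.dll")
    catalogue = {"mfc42.dll": hashlib.sha256(good).hexdigest()}
    log, results = [], []
    results.append(on_change(os.path.join(root, "notes.txt"), catalogue, cache, log))
    for step in ("overwrite", "overwrite after cache loss"):
        if step != "overwrite":
            os.remove(os.path.join(cache, "mfc42.dll"))  # cache copy lost
        with open(target, "wb") as f:     # an installer replaces the file
            f.write(b"constructed wrong version")
        results.append(on_change(target, catalogue, cache, log))
    shutil.rmtree(root)
    return results, log

if __name__ == "__main__":
    print(demo())
```

The third case is the one that ends in the prompt for distribution media: with no valid copy in the cache, there is nothing trustworthy to restore from.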

Protected files can be replaced only in the following manner:


  1. Installing a Windows 2000 Service Pack
  2. Windows Update or Microsoft hot-fixes or redistribution packs
  3. Operating System Upgrades (using winnt32.exe)
  4. Windows 2000 Device Installer

Again, as with Windows ME, this will not detect or prevent files from becoming corrupted. Fortunately, there are a few options in Windows 2000 for replacing files and even a few steps you can take to prevent the unlikely event of a software installation screwing up your system.

System State Backup

The Windows 2000 Backup Utility provides a means to back up the system registry and the system DLLs all in one shot, by creating a System State backup. This will require approximately 200-300 Mb of disk space somewhere on your drives, for the backup.bkf file.

To perform this procedure, you need to log on with an account that’s in the Local Administrators group.

First, to reduce the clutter, clear your users’ Temporary Internet Files and the files in any users’ temp folders (\documents and settings\username\local settings\temp) within the Documents and Settings folder. (I would log on as each user and clear the Temporary Internet Files properly, through Internet Options, but you can delete the Temporary Internet Files folders and they’ll get rebuilt the next time the user logs on.) The reason will be apparent in a minute.

Go to Start / Programs / Accessories / System Tools and choose Microsoft Backup. You’ll see a bit of a wizard initially; ignore it for now. Click the Backup tab, and place a checkmark in the System State checkbox. Also place a checkmark beside the Documents and Settings folder (this way you get the users’ registry files and even their documents folder as an added bonus). Choose a location for the backup, any hard disk (I don’t like tape drives or spanning removable media, but it’s up to you) or any directory. Proceed with the backup; it’ll take approximately 3-5 minutes.

When it’s done, you’ll have the registry backed up in \winnt\repair\regback and a file backup.bkf, containing important system files and the Documents and Settings folder, wherever you chose to put it. If you can boot Windows 2000 in normal or safe mode, you can restore this System State backup to return your system to that exact state. It will prompt you to restart after restoring the backup.

System File Checker

Yes, Windows 2000 has a System File Checker. I’ll warn you right now, though: it’s not the user-friendly SFC program that came with Windows 98. This is a command line utility that advanced administrators can use to scan all protected files and, if necessary, repopulate the dllcache if files within it have become corrupted. Type SFC /? in a command prompt window to see the switches and syntax.

SFC.exe scans all protected system files and replaces incorrect versions with correct Microsoft versions. The following shows the syntax:


/SCANNOW Scans all protected system files immediately.
/SCANONCE Scans all protected system files once at boot.
/SCANBOOT Scans all protected system files at every boot.
/CANCEL Cancels all pending scans of protected system files.
/ENABLE Enables Windows File Protection for normal operation (it is enabled by default).
/QUIET Replaces all incorrect file versions without prompting the user.
/PURGECACHE Purges the file cache and scans all protected system files immediately.
/CACHESIZE=x Sets the file cache size (in megabytes).

By default, SFC will prompt for action unless you use the /quiet switch (I don’t recommend that). The /SCANNOW option, in addition to what it says above, copies all protected system files from the Windows 2000 CD to the dllcache (~200 Mb), so make sure you have plenty of disk space.

Do not play with this tool. It is designed to run automatically, after software installations. Only invoke it manually when there is a reason to.

See the following article for more information on Windows File Protection and SFC:


This still isn’t perfect, though. What if you do need to manually extract a file and replace it? Fortunately, there is the Recovery Console, with Expand.exe, for manually extracting and replacing files from the original source files.

The Windows 2000 Recovery Console

The Recovery Console is a special command line boot mode that allows limited access to your Windows 2000 System. You can get to the Recovery Console by booting with the Windows 2000 Setup floppy disks or the Windows 2000 CD-ROM and choosing R for repair, then pressing C to start the Recovery Console. Alternatively, and what I would recommend, you can install the Recovery Console to your computer so you can access it from the NTLDR boot menu just like an operating system choice. To install the Recovery Console, use the following command from Start / Run. Do this ahead of time, so it will be ready if you have a problem.


Where X: is your CD-ROM drive letter, or the drive where the i386 directory is saved. Once the Recovery Console is installed, you can choose it from the boot menu.

See the following articles for much more information. Please do read them carefully before proceeding with any of this. If you are expecting to be able to copy files anywhere you like, think again. To make the Recovery Console allow access to all drives and folders, you will have to make a policy change in Local Security Policy (or Domain Security Policy if the machine is a domain controller) from the Administrative Tools menu, and then use the SET command at the console. The second article in the list below covers the details of that. By default, though, you will have access to the \winnt and \winnt\system32 directories and the CD-ROM drive, which is what you’ll want for extracting system files. Yes, the Recovery Console has CD-ROM drive support.



When you boot to the Recovery Console, type HELP to see a list of all available commands. Type HELP EXPAND to see command specific help. The syntax of the expand command is:


Very simple. Note that the Windows 2000 (and Windows NT) source files are individual compressed files, with the last letter of the file extension replaced with an underscore (_).

You can use this to replace a system file, in this example, mfc42.dll


Where X: is your CD-ROM drive and C: is the drive where your Win2K installation resides.


– Grogan –
