Windows Resource Protection
Encyclopedia
Windows Resource Protection is a feature in Windows Vista
that replaces Windows File Protection
. It protects registry
keys and folders in addition to critical system files. The way it protects resources
differs entirely from the method used by Windows File Protection
.
. If any changes are detected to a protected system file, the modified file is restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache. Windows Resource Protection works by setting discretionary access control lists (DACLs) and access control list
s (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to the processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files. Protected resources can be modified or replaced only if administrators take ownership of the resource and add the appropriate Access Control Entries (ACEs). The "Trusted Installer" account is used to secure core operating system files and registry
keys. Protected files and registry keys have an access control list
applied that prevents other user accounts and programs that execute under any other user account except the TrustedInstaller account from making changes.
WRP also protects several critical folders. A folder containing only WRP-protected files may be locked so that only the Windows trusted installer SID
is able to create files or subfolders in the folder. A folder may be partially locked to enable administrators to create files and subfolders in the folder. Essential registry
keys installed by Windows Vista are also protected. If a key is protected by WRP, all its sub-keys and values can be protected. Also, WRP copies only those files that are needed to restart Windows to the cache directory located at %WinDir%\WinSxS\Backup. Critical files that are not needed to restart Windows are not copied to the cache directory, unlike Windows File Protection which cached the entire set of protected file types in the Dllcache folder. The size of the cache directory and the list of files copied to cache cannot be modified.
Windows Resource Protection applies stricter measures to protect files. As a result, Windows File Protection is not available under Windows Vista. In order to replace any single protected file, Windows File Protection had to be disabled completely; Windows Resource Protection works on a per-item basis by setting ACLs. Therefore, by taking ownership of any single item, that particular item can be replaced, while other items remain protected.
System File Checker
is also integrated with WRP. Under Windows Vista, Sfc.exe can be used to check specific folder paths, including the Windows folder and the boot folder.
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
that replaces Windows File Protection
Windows File Protection
Windows File Protection , a sub-system included in Microsoft Windows operating systems of the Windows 2000 and Windows XP era, aims to prevent programs from replacing critical Windows system files. Protecting core system files mitigates problems such as DLL hell with programs and the operating system...
. It protects registry
Windows registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
keys and folders in addition to critical system files. The way it protects resources
Resource (Windows)
In Microsoft Windows, resources are read-only data embedded in EXE, DLL, CPL or MUI files.The Windows API provides for easy access to all applications' resources.-Types:...
differs entirely from the method used by Windows File Protection
Windows File Protection
Windows File Protection , a sub-system included in Microsoft Windows operating systems of the Windows 2000 and Windows XP era, aims to prevent programs from replacing critical Windows system files. Protecting core system files mitigates problems such as DLL hell with programs and the operating system...
.
Overview
Windows File Protection works by registering for notification of file changes in WinlogonWinlogon
In computing, Winlogon is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, and optionally locking the computer when a screensaver is running...
. If any changes are detected to a protected system file, the modified file is restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache. Windows Resource Protection works by setting discretionary access control lists (DACLs) and access control list
Access control list
An access control list , with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject...
s (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to the processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files. Protected resources can be modified or replaced only if administrators take ownership of the resource and add the appropriate Access Control Entries (ACEs). The "Trusted Installer" account is used to secure core operating system files and registry
Windows registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
keys. Protected files and registry keys have an access control list
Access control list
An access control list , with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject...
applied that prevents other user accounts and programs that execute under any other user account except the TrustedInstaller account from making changes.
Protected resources
Windows Resource Protection protects a large number of file types:
- .dll, *.exe, *.ocx, *.sys, *.acm, *.ade, *.adp, *.app, *.asa, *.asp, *.aspx, *.ax, *.bas, *.bat, *.bin,
- .cer, *.chm, *.clb, *.cmd, *.cnt, *.cnv, *.com, *.cpl, *.cpx, *.crt, *.csh, *.dll, *.drv, *.dtd, *.exe,
- .fxp, *.grp, *.h1s, *.hlp, *.hta, *.ime, *.inf, *.ins, *.isp, *.its, *.js, *.jse, *.ksh, *.lnk, *.mad,
- .maf, *.mag, *.mam, *.man, *.maq, *.mar, *.mas, *.mat, *.mau, *.mav, *.maw, *.mda, *.mdb, *.mde, *.mdt,
- .mdw, *.mdz, *.msc, *.msi, *.msp, *.mst, *.mui, *.nls, *.ocx, *.ops, *.pal, *.pcd, *.pif, *.prf, *.prg,
- .pst, *.reg, *.scf, *.scr, *.sct, *.shb, *.shs, *.sys, *.tlb, *.tsp, *.url, *.vb, *.vbe, *.vbs, *.vss,
- .vsmacros, *.vst, *.vsw, *.ws, *.wsc, *.wsf, *.wsh, *.xsd, and *.xsl
WRP also protects several critical folders. A folder containing only WRP-protected files may be locked so that only the Windows trusted installer SID
Security Identifier
In the context of the Microsoft Windows NT line of operating systems, a Security Identifier is a unique name which is assigned by a Windows Domain controller during the log on process that is used to identify a subject, such as a user or a group of users in a network of NT/2000...
is able to create files or subfolders in the folder. A folder may be partially locked to enable administrators to create files and subfolders in the folder. Essential registry
Windows registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
keys installed by Windows Vista are also protected. If a key is protected by WRP, all its sub-keys and values can be protected. Also, WRP copies only those files that are needed to restart Windows to the cache directory located at %WinDir%\WinSxS\Backup. Critical files that are not needed to restart Windows are not copied to the cache directory, unlike Windows File Protection which cached the entire set of protected file types in the Dllcache folder. The size of the cache directory and the list of files copied to cache cannot be modified.
Windows Resource Protection applies stricter measures to protect files. As a result, Windows File Protection is not available under Windows Vista. In order to replace any single protected file, Windows File Protection had to be disabled completely; Windows Resource Protection works on a per-item basis by setting ACLs. Therefore, by taking ownership of any single item, that particular item can be replaced, while other items remain protected.
System File Checker
System File Checker
System File Checker is a utility in Microsoft Windows that allows users to scan for and restore corruptions in Windows system files. This utility is available on Windows 98, Windows 2000, Windows XP, and Windows Server 2003...
is also integrated with WRP. Under Windows Vista, Sfc.exe can be used to check specific folder paths, including the Windows folder and the boot folder.
See also
- Windows File ProtectionWindows File ProtectionWindows File Protection , a sub-system included in Microsoft Windows operating systems of the Windows 2000 and Windows XP era, aims to prevent programs from replacing critical Windows system files. Protecting core system files mitigates problems such as DLL hell with programs and the operating system...
- System File CheckerSystem File CheckerSystem File Checker is a utility in Microsoft Windows that allows users to scan for and restore corruptions in Windows system files. This utility is available on Windows 98, Windows 2000, Windows XP, and Windows Server 2003...
- Access Control ListAccess control listAn access control list , with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. Each entry in a typical ACL specifies a subject...
- Security IdentifierSecurity IdentifierIn the context of the Microsoft Windows NT line of operating systems, a Security Identifier is a unique name which is assigned by a Windows Domain controller during the log on process that is used to identify a subject, such as a user or a group of users in a network of NT/2000...