Manage boot volume space consumed by Windows 2000 Windows File Protection dllcache

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows 2000 takes up more hard drive space. Much of the additional space is consumed by the Windows File Protection (WFP) feature, which stores copies of system files in the Dllcache folder on the boot volume. Windows 2000 prevents the replacement or loss of essential system files. See section of chapter on System File Protection for more background. Specifically, this will make Windows 2000 Professional a dream for workstation support personnel. How many times have you had a problem call where the user hadn't done anything, but a necessary DLL or executable was missing or replaced with the wrong version?

All .sys, .dll, .exe, and .ocx files that are included on the Windows 2000 CD-ROM are protected, along with the TrueType fonts Micros.ttf, Tahoma.ttf, and Tahomabd.ttf. All files critical to the functions of Windows 2000 are protected, up to the limits of the file protection cache size. Windows 2000 Professional has a default file protection cache size of 4294967295MB. Got that much space? The default cache size can be modified through the Computer Configuration\Administrative Templates\System\Windows File Protection\Limit Windows File Protection cache size policy.

Protected files have backup copies located in the %systemroot%\system32\dllcache folder. If a protected file is deleted, modified, renamed, or moved, the Windows File Protection feature restores the copy of the original file to the proper location. Typing %systemroot%\system32\dllcache in the Run box will open an Explorer window in the cache folder.

I was wondering how Windows 2000 Service Packs would overcome WFP. During the service pack install, update.exe installs a new catalog file that contains the updated information for all the protected system files that have changed since W2K was released. The program updates the location of the installation media to point to the service pack media for these files. Then, when the service pack updates the protected files, if the old version of those files resides in the .dll cache, WFP replaces the cache with the new versions of the files.

There is a manual method to overcome WFP. Let's say you want to replace notepad.exe with your own text editor. If you replace the NOTEPAD.EXE file in the %systemroot%\system32\dllcache folder, you can delete the system file %systemroot%\NOTEPAD.EXE and it will be replaced by the modified version from the DLLCACHE folder. Keep in mind that changing files in this manner could cause system instability; the files are protected for a reason.

Another method, if it's an installed program, is to simply use the Add/Remove Programs applet of the Control Panel to remove the application. If you simply delete it, WFP will put it right back.

SFC.exe, the System File Checker, will scan protected files and repopulate the Dllcache. If the %systemroot%\system32\dllcache folder becomes corrupted or is deleted, run either sfc /scannow, sfc /scanonce, or sfc /scanboot. In fact, it's a good troubleshooting tactic to run sfc /scannow if your system starts acting up.

System File Checker Tool Syntax:

Sfc.exe : Scans all protected system files and replaces incorrect versions with correct Microsoft versions.

Parameters:
 /Cachesize=n - Sets the file cache size.
 /Cancel      - Cancels all pending scans of protected system files.
 /Enable      - Enables WFP to default status.  Users will be prompted to restore 
                any files that are overwritten.
 /Purgecache  - Purges the file cache and scans all protected system files.
 /Quiet       - Scans and replaces all incorrect file versions without prompting the user.
 /Scanonce    - Scans all protected system files once.
 /Scannow     - Immediately scans all protected system files.
 /Scanboot    - Scans all protected system files every time you start your computer.

You can control how much space is consumed using the command line:

sfc /cachesize=xx

where xx represents the maximum size in MB for the Dllcache folder. sfc sets the SFCQuota value shown in the following registry data:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: SFCQuota
Type: REG_DWORD
Value: xx

If FFFFFFFF is specified, all protected system files will be cached until free space falls to 150 MB. The default is 0x32, or 50 MB, for Windows 2000 Professional and 300 MB for Server. I would not recommend setting the dllcache to less than the default, since you will be turning off much of Windows 2000's ability to protect itself.

If you have major hard drive space problems on a laptop, you can disable WFP using the following Windows 2000 registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: SFCDisable
Type: REG_DWORD
Value: 0 enabled, default for Professional
Value: 1 disabled, prompt at boot to re-enable
Value: 2 disabled for next boot only, no prompt to re-enable
Value: 4 enabled, with popups disabled which is default on Server, Advanced Server, and Datacenter Server

Value: 0ffffff9d When booting with this value in the SFCDisable value in the WinLogon key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), an event is written to the system log, ID 64032 from Windows File Protection, with the description: "Windows File Protection is not active on this system." The 0ffffff9d value is not documented by Microsoft but was discovered by Jeremy Collake disassembling sfc.dll. See SetSFC utility based on this value.

Note: For options 1 and 2, these settings require a kernel debugger to be hooked up to become usable. If a kernel debugger is not hooked up, Windows File Protection is not disabled.
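
As an added example (not part of the original article and not a Microsoft tool), the following Python script reads a regedit export of the Winlogon key and reports SFCQuota and SFCDisable settings that weaken WFP, using the meanings and defaults listed above. The sample export is constructed, and treating a missing SFCDisable value as 0 is an assumption.

```python
import re

# Meanings copied from the SFCDisable list in this article (0 and 4 mean WFP is enabled).
SFC_DISABLE = {
    0x1: "disabled, prompt at boot to re-enable (needs a kernel debugger attached)",
    0x2: "disabled for next boot only, no prompt (needs a kernel debugger attached)",
    0xFFFFFF9D: "undocumented value, WFP not active (expect event ID 64032)",
}
# Default cache sizes in MB as stated in the article.
DEFAULT_QUOTA_MB = {"professional": 0x32, "server": 300}

DWORD_RE = re.compile(r'^"(SFC\w+)"=dword:([0-9a-fA-F]{8})\s*$')

def parse_sfc_dwords(reg_text):
    """Return {name: int} for the SFC* REG_DWORD values in a regedit export."""
    values = {}
    for line in reg_text.splitlines():
        m = DWORD_RE.match(line.strip())
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit_wfp(reg_text, edition="professional"):
    """Return findings for settings that reduce Windows File Protection."""
    v = parse_sfc_dwords(reg_text)
    findings = []
    disable = v.get("SFCDisable", 0)  # assumption: an absent value behaves like 0
    if disable not in (0x0, 0x4):
        meaning = SFC_DISABLE.get(disable, "value not listed in the article")
        findings.append(f"SFCDisable=0x{disable:08x}: {meaning}")
    quota = v.get("SFCQuota")
    default = DEFAULT_QUOTA_MB[edition]
    # FFFFFFFF means "cache everything", so it is never below the default.
    if quota is not None and quota != 0xFFFFFFFF and quota < default:
        findings.append(f"SFCQuota={quota} MB is below the {default} MB default")
    return findings

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"SFCQuota"=dword:0000000a
"SFCScan"=dword:00000000
'''

if __name__ == "__main__":
    for finding in audit_wfp(SAMPLE):
        print(finding)
```

Run it against exports collected from workstations to spot machines where WFP has been switched off or the cache has been shrunk below the default.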

To control scan mode, use the following Windows 2000 registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: SFCScan
Type: REG_DWORD
Value: 0 default, do not scan protected files at boot
Value: 1 scan protected files at every boot
Value: 2 scan protected files once

To control whether the System File Checker progress meter is displayed or not, use the following Windows 2000 registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: SFCShowProgress
Type: REG_DWORD
Value: 0 default, System File Checker progress meter is not displayed
Value: 1 System File Checker progress meter is displayed

To control the location of the dllcache folder, use the following Windows 2000 registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: SFCDllCacheDir
Type: REG_EXPAND_SZ
Value: %SystemRoot%\System32 default
