Re: Windows File Protection
- From: "Merv Porter [SBS-MVP]" <mwport@xxxxxxxxxxxxxxxxxxx>
- Date: Sun, 7 Jun 2009 16:00:41 -0400
Hi Chris,
If all 14 events say that they were returned to their original files, I
suspect if you reboot the server the WFP prompts may stop. It looks like
the affected files were all DLLs which the system could restore using its
hidden 'dllcache' folder. Clearly though, something or someone was trying
to install new software on your server. I suppose it could be an
'autoupdate' from one of your 3rd party apps on the server (antivirus,
line-of-business, etc.). I would reboot, then run the Malwarebytes scan just
to be safe.
--
Merv Porter [SBS-MVP]
============================
"Chris" <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7347736D-7583-45E1-957D-5E8F727C85EC@xxxxxxxxxxxxxxxx
Yes typo, it is SP2 and we will be going to SBS 2008!
I ran SFC yesterday without going into safe mode, we are having some
special events right now and we need full availability to the Server and
can't afford to shut it down just yet!
SFC kept on prompting me every few minutes to pop in the CD as it was
progressing. I can see this activity clearly in the System EVENT log.
The earliest WFP entry was made on 5/27/09:
"File replacement was attempted on the protected system file msftedit.dll.
This file was restored to the original version to maintain system
stability. The file version of the bad file is 5.41.21.2507, the version
of the system file is 5.41.21.2506."
There are 14 entries on the same date (5/27/09) and all the dll files are
different and all have been replaced to their originals (the above is just
the first entry only).
On 6/5/09 the System Events logged WFP again. This time:
1st entry on 6/5/09:
"Windows File Protection file scan was started.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp."
2nd Entry 6/5/09:
"Windows File Protection scan found that the system file
c:\windows\system32\mfc40u.dll has a bad signature. This file was restored
to the original version to maintain system stability. The file version of
the system file is 4.1.0.6141."
3rd Entry on 6/5/09:
"The protected system file c:\windows\system32\mfc40u.dll was not restored
to its original, valid version because the Windows File Protection
restoration process was cancelled by user interaction, user name is
XXXXXXX. The file version of the bad file is 4.1.0.6141."
4th Entry:
"The system file c:\windows\system32\drivers\3cwmcru.sys could not be
copied into the DLL cache. The specific error code is 0x000004c7 [The
operation was canceled by the user. ]. This file is necessary to maintain
system stability."
I had to cancel because it kept on asking for the SBS 2003 Installation CD,
and when I inserted the CD it alerted me that I entered the wrong CD.
All entries beyond this point are listed as me canceling WFP...and the
reason once again is because the CD was prompted as being the wrong CD.
I am puzzled...I don't know how to figure this one out!
Through research I have found some possible solutions and suggestions such
as:
1) If I were to replace the I386 folder from the CD into the DLL Cache
folder would that be a solution? Or would this be a total mess up?
2) I was also looking at this article:
http://support.microsoft.com/?kbid=263499 (It's not for SBS 2003 but it's
similar to my issue)
3) Was told to refer to the below Microsoft KB article.
http://support.microsoft.com/kb/222193
and then perform:
Start in Safe Mode w/ Command Prompt, then type
sfc /scannow
Just even a reboot may also fix these
Would you think any of this would resolve the error message I get when I
pop the CD in the drive for when the Windows File Protection asks for it,
thus getting rid of the WFP alert??
For the record, no restart has been done yet, nor the Malwarebytes scan!
The only thing I have done is the SFC within the normal state of the
server.
I also have a "dummy" server, which I will attempt everything on it before
I approach the active working server!
Thank you for all your help. Please continue with feedback, I really
appreciate it.
Chris
"Merv Porter [SBS-MVP]" wrote:
(SBS 2003... in your original post, you said you had SBS 2003 SP3
installed. SP3 does not exist for SBS. Maybe this was a typo or maybe you
were referring to XP SP3.)
Event Logs... Probably want to look in the System Event Log for 'Source:
Windows File Protection' (click on the Source heading to arrange
alphabetically).
So, you're moving to Server 2008 or SBS 2008?
> can this issue bring my server to a halt any time soon?
Possibly. Windows is telling you that some of its core files have been
replaced and it needs your attention now.
I would also install, update and run a scan with the SBS 2003 BPA.
Microsoft Windows Small Business Server 2003 Best Practices Analyzer
http://www.microsoft.com/downloads/details.aspx?familyid=3874527A-DE19-49BB-800F-352F3B6F2922&displaylang=en
--
Merv Porter [SBS-MVP]
============================
"Chris" <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6D286FEC-94EE-4189-9730-4AAEBBDBFA7D@xxxxxxxxxxxxxxxx
Hi Merv,
Which Event log category should I check for the overwritten files? There
are thousands of entries in most categories (Application, System,
Dexterity, Security, econnect, file replication...etc)
I don't remember having to allow the overwrite, I am new to the company,
and I am not quite sure what the previous IT admin has done.
btw, we will be rolling into the 2008 server edition within the next month
or so...besides that I want to learn from this issue, can this issue bring
my server to a halt any time soon??
Also, when I log in remotely (which is what we mostly do) I never get the
WFP/SFC warning, it happens only when I log in from the terminal itself.
I haven't performed the Malwarebytes solution yet because I need to find
the perfect time, I am sure this is a 2-3 hour deal at minimum and we can't
afford to have it down the majority of the day.
I will post updates as I go through the solutions so everyone can see and
learn :)
Thank you so much for your insight...
Chris
"Merv Porter [SBS-MVP]" wrote:
This error is not 'normal' and may indicate a virus or some other malware.
This can also occur if you have installed software on the server and it
has overwritten any of the 'protected files' (which would generally
require user interaction to effect the overwrite).
You receive a "Windows File Protection: Files that are required for
windows to run properly have been replaced by unknown versions" error in
Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/kb/904677
Description of the Windows File Protection feature
http://support.microsoft.com/kb/222193
I would start by:
1. Examining the event logs to see when the overwrites occurred
2. Installing Malwarebytes (www.malwarebytes.org) on the server, updating
it and then running a full scan (unplug the Internet connection to the
server before running the scan - booting into safe mode and running
Malwarebytes would be even better).
--
Merv Porter [SBS-MVP]
============================
"Chris" <Chris@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BEBB872E-7C4B-4C13-8A5D-B202B91A72F4@xxxxxxxxxxxxxxxx
Hello all,
Yesterday I logged on to my company's server and received this message:
"Windows File Protection
Files that required for Windows to run properly have been replaced by
unrecognized versions. To maintain system stability. Windows must restore
the original versions of these files.
Insert your Windows SBS 2003 CD-ROM now."
When I do so I then receive this message that my CD rom might not be
functioning...from the event viewer:
Application popup: Windows File Protection : Possible reasons for this
problem:
. You have inserted the wrong CD. (i.e., a different Windows product CD
than the version installed)
. The CD-ROM drive in your system is not functioning
I know my CD drive works fine because when I pop in the SBS CD, the
autorun starts.
I have SP3 on the SBS 2003, I am assuming that the system is pointing to
the SP3 download rather than the CD?
How do I go about correcting this issue? (the WFP message and CD error)
Also, how critical can this be to my system?
Thank you,
Chris
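
Added example, not part of the original thread: a small Python triage of Windows File Protection event text (as copied from System log entries with Source "Windows File Protection"), showing which files ended up restored and which were left unrestored after a cancelled prompt. The sample is constructed from the message wording quoted above; the names `parse` and `triage` and the outcome labels are this example's own.

```python
import ntpath
import re

# Constructed sample, oldest first (triage() assumes chronological order).
SAMPLE_EVENTS = [
    ("5/27/09", "File replacement was attempted on the protected system file "
     "msftedit.dll. This file was restored to the original version to maintain "
     "system stability. The file version of the bad file is 5.41.21.2507, the "
     "version of the system file is 5.41.21.2506."),
    ("6/5/09", "Windows File Protection file scan was started."),
    ("6/5/09", "Windows File Protection scan found that the system file "
     r"c:\windows\system32\mfc40u.dll has a bad signature. This file was "
     "restored to the original version to maintain system stability. The file "
     "version of the system file is 4.1.0.6141."),
    ("6/5/09", "The protected system file "
     r"c:\windows\system32\mfc40u.dll was not restored to its original, valid "
     "version because the Windows File Protection restoration process was "
     "cancelled by user interaction, user name is XXXXXXX. The file version "
     "of the bad file is 4.1.0.6141."),
    ("6/5/09", "The system file "
     r"c:\windows\system32\drivers\3cwmcru.sys could not be copied into the "
     "DLL cache. The specific error code is 0x000004c7 [The operation was "
     "canceled by the user. ]. This file is necessary to maintain system stability."),
]

# Checked in order so the failure wordings are matched first.
OUTCOMES = [("not_restored", "was not restored"),
            ("cache_copy_failed", "could not be copied into the DLL cache"),
            ("replacement_reverted", "File replacement was attempted"),
            ("bad_signature_restored", "has a bad signature")]
FAILED = {"not_restored", "cache_copy_failed"}
FILE_RE = re.compile(r"system file ((?:[a-z]:)?[\w\\.-]+\.\w+)", re.I)
VER_RE = re.compile(r"(bad|system) file is ([\d.]*\d)")

def parse(message):
    # Extract file name (basename, lower-cased), outcome label and versions.
    outcome = next((name for name, text in OUTCOMES if text in message), "other")
    m = FILE_RE.search(message)
    name = ntpath.basename(m.group(1)).lower() if m else None
    return {"file": name, "outcome": outcome, "versions": dict(VER_RE.findall(message))}

def triage(events):
    """Return ({file: [(date, outcome), ...]}, files whose last event is a failure)."""
    history = {}
    for date, message in events:
        rec = parse(message)
        if rec["file"]:  # events that name no file (scan started) are skipped
            history.setdefault(rec["file"], []).append((date, rec["outcome"]))
    unresolved = sorted(f for f, h in history.items() if h[-1][1] in FAILED)
    return history, unresolved
```

Files in the second return value are the ones to recheck after the next successful scan; the `versions` field shows whether the replaced file carried a different version from the protected copy.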