Windows Resource Protection

Windows Resource Protection is a feature in Windows Vista that replaces Windows File Protection. It protects registry keys and folders in addition to critical system files. The way it protects resources differs entirely from the method used by Windows File Protection.

Overview

Windows File Protection worked by registering for notification of file changes in Winlogon. If any changes were detected to a protected system file, the modified file was restored from a cached copy located in a compressed folder at %WinDir%System32dllcache. Windows Resource Protection works by setting discretionary access control lists (DACLs) and access control lists (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to the processes using the "Windows Modules Installer service" (TrustedInstaller.exe). Administrators no longer have full rights to system files. Protected resources can be modified or replaced only if administrators take ownership of the resource and add the appropriate Access Control Entries (ACEs).

Protected resources

Windows Resource Protection protects a large number of file types:

.dll, .exe, .ocx, .sys, .acm, .ade, .adp, .app, .asa, .asp, .aspx, .ax, .bas, .bat, .bin, .cer, .chm, .clb, .cmd, .cnt, .cnv, .com, .cpl, .cpx, .crt, .csh, .dll, .drv, .dtd, .exe, .fxp, .grp, .h1s, .hlp, .hta, .ime, .inf, .ins, .isp, .its, .js, .jse, .ksh, .lnk, .mad, .maf, .mag, .mam, .man, .maq, .mar, .mas, .mat, .mau, .mav, .maw, .mda, .mdb, .mde, .mdt, .mdw, .mdz, .msc, .msi, .msp, .mst, .mui, .nls, .ocx, .ops, .pal, .pcd, .pif, .prf, .prg, .pst, .reg, .scf, .scr, .sct, .shb, .shs, .sys, .tlb, .tsp, .url, .vb, .vbe, .vbs, .vsmacros, .vss, .vst, .vsw, .ws, .wsc, .wsf, .wsh, .xsd, and .xsl.

WRP also protects several critical folders. A folder containing only WRP-protected files may be locked so that only the Windows trusted installer SID is able to create files or subfolders in the folder. A folder may be partially locked to enable administrators to create files and subfolders in the folder. Essential registry keys installed by Windows Vista are also protected. If a key is protected by WRP, all its sub-keys and values can be protected. Also, WRP copies only those files that are needed to restart Windows to the cache directory located at %WinDir%WinSxSBackup. Critical files that are not needed to restart Windows are not copied to the cache directory, unlike Windows File Protection which cached the entire set of protected file types in the "Dllcache" folder. The size of the cache directory and the list of files copied to cache cannot be modified.

Windows Resource Protection applies stricter measures to protect files. As a result, Windows File Protection is not available under Windows Vista. In order to replace any single protected file, Windows File Protection had to be disabled completely; Windows Resource Protection works on a per-item basis by setting ACLs. Therefore, by taking ownership of any single item, that particular item can be replaced, while other items remain protected.

System File Checker is also integrated with WRP. Under Windows Vista, Sfc.exe can be used to check specific folder paths, including the Windows folder and the boot folder.

See also

*Windows File Protection
*System File Checker
*Access Control List
*Security Identifier

External links

* [http://msdn2.microsoft.com/en-us/library/aa382503.aspx Windows Resource Protection in Windows Vista]
* [http://blogs.msdn.com/cjacks/archive/2007/04/20/windows-resource-protection-wrp-and-activex-control-installation-on-windows-vista.aspx More information on WRP and application compatibility]