#1
Windows File Protection

Hello all,

Yesterday I logged on to my company's server and received this message:

"Windows File Protection Files that required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability. Windows must restore the original versions of these files. Insert your Windows SBS 2003 CD-ROM now."

When I do so, I then receive this message that my CD-ROM might not be functioning... from the event viewer:

Application popup: Windows File Protection : Possible reasons for this problem:
• You have inserted the wrong CD. (i.e., a different Windows product CD than the version installed)
• The CD-ROM drive in your system is not functioning

I know my CD drive works fine because when I pop in the SBS CD, the autorun starts. I have SP3 on the SBS 2003; I am assuming that the system is pointing to the SP3 download rather than the CD? How do I go about correcting this issue (the WFP message and CD error)? Also, how critical can this be to my system?

Thank you,
Chris
|
#2
RE: Windows File Protection

I posted this question in the wrong group; here were the responses/help I had so far, just to keep it up to date:

It's a means of protecting the machine. Log on to the server, check the system logs and see for the error code, refer the below document and perform the activity.

Refer the below Microsoft KB article. http://support.microsoft.com/kb/222193

Start in Safe Mode w/ Command Prompt, then type sfc /scannow

Just even a reboot may also fix these
|
#3
Re: Windows File Protection

This error is not 'normal' and may indicate a virus or some other malware. This can also occur if you have installed software on the server and it has overwritten any of the 'protected files' (which would generally require user interaction to effect the overwrite).

You receive a "Windows File Protection: Files that are required for windows to run properly have been replaced by unknown versions" error in Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/kb/904677

Description of the Windows File Protection feature
http://support.microsoft.com/kb/222193

I would start by:

1. Examining the event logs to see when the overwrites occurred
2. Installing Malwarebytes (www.malwarebytes.org) on the server, updating it and then running a full scan (unplug the Internet connection to the server before running the scan - booting into safe mode and running Malwarebytes would be even better).
|
#5
Re: Windows File Protection

Which Event log category should I check for the overwritten files? There are thousands of entries in most categories (Application, System, Dexterity, Security, econnect, file replication... etc.). I don't remember having to allow the overwrite; I am new to the company, and I am not quite sure what the previous IT admin has done.

BTW, we will be rolling into the 2008 server edition within the next month or so... Besides that, I want to learn from this issue. Can this issue bring my server to a halt any time soon?

Also, when I log in remotely (which is what we mostly do) I never get the WFP/SFC warning; it happens only when I log in from the terminal itself.

I haven't performed the Malwarebytes solution yet because I need to find the perfect time. I am sure this is a 2-3 hour deal at minimum and we can't afford to have it down the majority of the day. I will post updates as I go through the solutions so everyone can see and learn :)
|
#6
Re: Windows File Protection

(SBS 2003... in your original post, you said you had SBS 2003 SP3 installed. SP3 does not exist for SBS. Maybe this was a typo or maybe you were referring to XP SP3.)

Event Logs... Probably want to look in the System Event Log for 'Source: Windows File Protection' (click on the Source heading to arrange alphabetically).

So, you're moving to Server 2008 or SBS 2008?
|
#7
Re: Windows File Protection

Yes, typo, it is SP2 and we will be going to SBS 2008!

I ran SFC yesterday without going into safe mode; we are having some special events right now and we need full availability to the server and can't afford to shut it down just yet! SFC kept on prompting me every few minutes to pop in the CD as it was progressing. I can see this activity clearly in the System event log.

The earliest WFP entry was made on 5/27/09:

"File replacement was attempted on the protected system file msftedit.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.41.21.2507, the version of the system file is 5.41.21.2506."

(There are 14 entries on the same date (5/27/09) and all the DLL files are different and all have been replaced to their originals; the above is just the first entry only.)

On 6/5/09 the System events logged WFP again. This time:

1st entry on 6/5/09: "Windows File Protection file scan was started. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp."

2nd entry on 6/5/09: "Windows File Protection scan found that the system file c:\windows\system32\mfc40u.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 4.1.0.6141."

3rd entry on 6/5/09: "The protected system file c:\windows\system32\mfc40u.dll was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is XXXXXXX. The file version of the bad file is 4.1.0.6141."

4th entry: "The system file c:\windows\system32\drivers\3cwmcru.sys could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability."

I had to cancel because it kept on asking for the SBS 2003 installation CD, and when I inserted the CD it alerted me that I entered the wrong CD. All entries beyond this point are listed as me canceling WFP... and the reason once again is because the CD was prompted as being the wrong CD.

I am puzzled... I don't know how to figure this one out! Through research I have found some possible solutions and suggestions such as:

1) If I were to replace the I386 folder from the CD into the DLL Cache folder, would that be a solution? Or would this be a total mess-up?
2) I was also looking at this article: http://support.microsoft.com/?kbid=263499 (It's not for SBS 2003 but it's similar to my issue)
3) I was told to refer to the below Microsoft KB article, http://support.microsoft.com/kb/222193, and then perform: Start in Safe Mode w/ Command Prompt, then type sfc /scannow. Just even a reboot may also fix these.

Would you think any of this would resolve the error message I get when I pop the CD in the drive for when the Windows File Protection asks for it, thus getting rid of the WFP alert?

For the record, no restart has been done yet, nor the Malwarebytes scan! The only thing I have done is the SFC within the normal state of the server. I also have a "dummy" server, on which I will attempt everything before I approach the active working server!

Thank you for all your help. Please continue with feedback, I really appreciate it.
|
#8
Re: Windows File Protection

If all 14 events say that they were returned to their original files, I suspect if you reboot the server the WFP prompts may stop. It looks like the affected files were all DLLs which the system could restore using its hidden 'dllcache' folder.

Clearly though, something or someone was trying to install new software on your server. I suppose it could be an 'autoupdate' from one of your 3rd party apps on the server (antivirus, line-of-business, etc.). I would reboot, then run the Malwarebytes scan just to be safe.
|
#9
Re: Windows File Protection

As we go through this I am starting to feel more comfortable and somewhat relieved!! Well, I just ran the BPA you suggested and here is the report:

All Issues

• Error ClientApps share missing : ClientApps shared folder is missing for Windows SBS 2003. You may have stopped sharing of this folder. For instructions on sharing the ClientApps folder, see http://go.microsoft.com/fwlink/?LinkId=95294.
• Error Task Offloading is enabled : Task Offloading is enabled and should be disabled on Windows Small Business Server 2003. Change the value of the DisableTaskOffload registry key to 1. For detailed instructions, see the Knowledge Base article "You experience intermittent communication failure between computers that are running Windows XP or Windows Server 2003" at http://go.microsoft.com/fwlink/?LinkId=95149. If the DisableTaskOffload registry key does not exist, then manually create this registry key and set its value to 1.
• Error The /3GB switch is not supported on Windows SBS 2003 : Windows SBS 2003 does not support the use of the /3GB boot.ini option. For more information, see "The Windows Server 2003 /3GB switch is not supported in Windows SharePoint Services 2.0 or in later versions or in SharePoint Portal Server 2003 SP2 or in later versions" at http://go.microsoft.com/fwlink/?LinkId=95155.
• Warning Free disk space is very low : C: has 15% free space remaining (less than 20% of free space available). You should consider adding more storage or removing unnecessary files. For information on moving data folders, see "Moving Data Folders for Windows SBS 2003" at http://go.microsoft.com/fwlink/?linkid=49931.
• Warning Network interface driver file is more than one year old : Network Card Driver: E1000 Last Modifed Date: 20041008153444.000000-420
• Warning Allocated Memory alert threshold : The threshold for the Allocated Memory alert is set to the default value. However the server has more than 2 GB of RAM installed.
• Warning Change the functional level of Exchange Server 2003 : The functional level of your Exchange Server 2003 organization is: Mixed Mode (can support pre-Exchange 2000 servers). This must be changed to native mode before attempting to migrate to Windows Small Business Server 2008. Go to Start/All Programs/Microsoft Exchange/System Manager then right click on the organization and select Properties
• Warning EDNS is enabled : EDNS is enabled on this server. Some of the routers or firewalls may not support EDNS. You should disable EDNS on this server. To do so, click Start, and then click Command Prompt. In the Command Prompt window, type dnscmd /Config /EnableEdnsProbes 0 and then restart the DNS Server service.
• Warning Microsoft Outlook 2003 missing : Outlook 2003 should exist in the ClientApps folder. To do so, from the server, click Start, click Control Panel, click Change or Remove Programs, then click Windows Small Business Server 2003. On the component selection page, select Microsoft Outlook 2003.
• Warning OWA update for Exchange Server is not installed : You should install the Update for Exchange 2003 (KB911829). Doing so will ensure that your Outlook Web Access installation is compatible with Windows Vista. For more information, see the Knowledge Base article "You receive an error message when you try to perform any editing tasks, or you must click to enable the compose frame in Outlook Web Access" at http://go.microsoft.com/fwlink/?LinkId=77013.
• Warning POP3 Connector snap-in has not been updated : POP3 Connector snap-in does not appear to be the version from knowledge base article "Error message when you use the POP3 Connector Manager with MMC 3.0: "'MMC has detected an error in a snap-in" " at http://go.microsoft.com/fwlink/?LinkId=95161.
• Warning The server is in a journal wrap condition : The server is in a journal wrap condition. For more information, see the Knowledge Base article "Troubleshooting journal_wrap errors on Sysvol and DFS replica sets" at http://go.microsoft.com/fwlink/?LinkId=143372.
• Warning Update for Daylight Savings Time 2007 not installed : The update for Daylight Savings Time 2007 is not installed for Microsoft Exchange Server 2003 Service Pack 2. Without this update, calendar items in CDO-based programs and in Microsoft Outlook Web Access will operate as if the standard time is in effect during the extra weeks of daylight saving time. You can download this update at http://go.microsoft.com/fwlink/?LinkId=95430.
• Warning Windows SBS 2003 is not compatible with Vista/Outlook 2007 : You should install the "Update for Windows Small Business Server 2003: Windows Vista and Outlook 2007 compatibility" at the Microsoft Web site (http://go.microsoft.com/fwlink/?linkid=78010).

I am unsure if any of these errors/warnings are connected with my issue. Very informative tool though, thank you!

Yes, all 14 events state that on 5/27/09 were returned to their original state. However, this is not the case for the later date on 6/5/09... The events state that the action was canceled by me and they didn't return to their original state. I had to cancel because it kept saying I entered the wrong CD... there were over 60 instances of these cancellations.

I believe I will have a chance to restart the server tonight, when all employees are gone. They rely on internet connection and the server acts as a DHCP for them. Hopefully a full restart will correct this!

Once again THANK YOU. :)
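
The split this post describes, between the 5/27/09 entries that were restored and the 6/5/09 entries where restoration was cancelled, can be extracted from an exported System log by replaying the WFP messages in order. The following is an added example, not part of the thread: the sample events are constructed from the message texts quoted in post #7, and the function names and outcome labels are hypothetical.

```python
import re

# Constructed sample: (date, message) pairs built from the WFP texts quoted in post #7.
SAMPLE_EVENTS = [
    ("5/27/09", r"File replacement was attempted on the protected system file msftedit.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.41.21.2507, the version of the system file is 5.41.21.2506."),
    ("6/5/09", r"Windows File Protection file scan was started."),
    ("6/5/09", r"Windows File Protection scan found that the system file c:\windows\system32\mfc40u.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 4.1.0.6141."),
    ("6/5/09", r"The protected system file c:\windows\system32\mfc40u.dll was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is XXXXXXX. The file version of the bad file is 4.1.0.6141."),
    ("6/5/09", r"The system file c:\windows\system32\drivers\3cwmcru.sys could not be copied into the DLL cache. The specific error code is 0x000004c7 [The operation was canceled by the user. ]. This file is necessary to maintain system stability."),
]

# Outcome labels are this example's own names, not Windows event identifiers.
# The patterns assume file names without spaces, as in the quoted messages.
PATTERNS = [
    ("replacement_restored", re.compile(
        r"File replacement was attempted on the protected system file (?P<file>\S+)\. This file was restored")),
    ("scan_restored", re.compile(
        r"scan found that the system file (?P<file>\S+) has a bad signature\. This file was restored")),
    ("not_restored", re.compile(
        r"The protected system file (?P<file>\S+) was not restored")),
    ("cache_copy_failed", re.compile(
        r"The system file (?P<file>\S+) could not be copied into the DLL cache")),
]
UNRESOLVED = {"not_restored", "cache_copy_failed"}
BAD_VERSION = re.compile(r"version of the bad file is (\d+(?:\.\d+)*)")


def classify(message):
    """Return (outcome, file) for a WFP message, or (None, None) if informational."""
    for outcome, pattern in PATTERNS:
        match = pattern.search(message)
        if match:
            return outcome, match.group("file").lower()
    return None, None


def triage(events):
    """Replay events in log order; the last outcome logged for a file wins."""
    state = {}
    for date, message in events:
        outcome, path = classify(message)
        if outcome is None:
            continue
        bad = BAD_VERSION.search(message)
        state[path] = {"date": date, "outcome": outcome,
                       "bad_version": bad.group(1) if bad else None}
    return state


def unresolved(state):
    """Files whose most recent WFP event is not a successful restore."""
    return sorted(p for p, s in state.items() if s["outcome"] in UNRESOLVED)


if __name__ == "__main__":
    for path in unresolved(triage(SAMPLE_EVENTS)):
        print("still unverified:", path)
```

Because the last event per file wins, mfc40u.dll is reported even though an earlier entry on the same date says it was restored.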
|
#10
Re: Windows File Protection

You should 'very soon' address the issues presented in your SBS BPA report. It appears that the server has not been kept up-to-date with some of the update packages. You need to get your server healthy and with the latest SPs and security patches before you can attempt a migration to SBS 2008.

I'm curious why the "/3GB" switch was used as this may indicate that the server was set up by someone who has a certain amount of knowledge of Exchange and Windows Server but may not be up-to-date with the intricacies of SBS.

The problem with the 'wrong CD' message may be because the original install of SBS was with non-Windows 2003 SP1 or SP2 media and your current configuration is Win2003 SP1 or SP2. Therefore, when you insert the old SBS CD, Windows 2003 SP1 or SP2 cannot find the correct files to restore. You may be able to download Windows 2003 SP1 or SP2, unzip it to a folder on your server (or to an external USB drive) and then direct Windows to that location when it asks you about restoring the file.
|
#11
Re: Windows File Protection

It does not give me an option to select a location. In a nutshell, it only asks me to insert the SBS 2003 CD, then hit OK, with a Cancel option as well. Then when the server suggests I have the wrong CD, my only other options are Cancel, Retry or More Info. Under More Info, it says possible causes are the CD is wrong or the CD drivers don't work.

The OS was installed using the original install CD for SBS 2003 and contained no SPs. Now each SP (SP1 and SP2) was downloaded via Windows Update.

3GB switch: Can I safely disable this without worrying my system will crash, since it has been operating with the 3GB switch enabled all this time?

By the way, when we upgrade to SBS 2008, we will also be upgrading to new hardware; that is, a brand new system is being purchased. We are inclined towards a Dell PowerEdge T610. This also means we will probably salvage the old server hardware (not sure yet on this one).
|
#12
Re: Windows File Protection

/3GB... yes, you should be able to disable it without any issues.

SFC... Do you have a folder: C:\windows\ServicePackFiles? This should contain a 'ServicePackCache' folder with an 'i386' folder in it. These should be used by SFC to preclude the need for prompting you for a CD (unless they are missing or there is some corruption).

Safe to erase 'Service Pack Files' directory
|
#13
Re: Windows File Protection

Yes, I do have C:\windows\ServicePackFiles\ServicePackCache\I386. So, this means that SFC cannot find what it needs at that location, so it prompts me for the CD. Apparently the CD has no SPs, thus alerting me that the wrong CD is in the drive. SFC should have been able to find what it is looking for in the I386 folder. Are you suggesting that I should reinstall SP2?

From the link you provided:

"you can copy this directory to CD(C:\windows\ServicePackFiles\ServicePackCache\I386). Then edit the registry to point to the new location on CD. Edit this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup Modify the value: ServicePackSourcePath to reflect the CD drive such as: Z:\ServicePackFiles where Z is the drive letter for the CD drive."

I will need to acquire a non-corrupt or an updated I386 folder (perhaps from SP2, or download it if possible), then perform the above... Am I on the right track?

Thanks Merv, you are very helpful and I appreciate your prompt responses.
|
#14
Let's first see if a reboot fixes the WFP issue. Downloading and reinstalling Windows 2003 SP2 may be the answer if it asks for the CD again (and then reinstall any security updates released since SP2).

I finally was able to resolve the above said issue. I restarted in safe mode and ran the SFC /runnow. I rebooted and did NOT see the message from the WFP... phew!

Also, I removed the /3GB switch from the Boot.ini file. I also took care of the Task Offloading by editing the registry setting to 1 (the entry didn't exist, so I had to create one). Overall pretty simple tasks; now I have to monitor the server to see how the changes will affect my system.

Thank you very much, you have been very helpful.
|
#15
Re: Windows File Protection

Glad you're up and running again Chris!