Source (unless otherwise stated):
TipWorld -- http://www.tipworld.com - The Internet's #1 Source for Computer Tips, News, and Gossip

The tips from TipWorld are a supplement to our services for our users; however, we do not support them, explain them in more detail, etc. We have also tested only some of them. We ask for your understanding. Please be sure to see our note on this!



Windows NT Tips: March 2003

Learn to use Windows File Protection - part 2
By Bryan Muehlberger

Last week we talked about the Windows File Protection (WFP) service and
the associated System File Checker (SFC) utility.  The SFC
utility is part of the Windows 2000/XP and Server 2003 platform and must
be used in conjunction with the WFP service. This week we'll discuss
some of the associated registry settings and command line parameters
that allow you to optimize and better control the functionality of the
SFC utility.

One of the most important components of the SFC utility is the DLLCache
folder. This folder contains the verified (via driver signing) system
files that your system maintains.  If this folder becomes corrupt, you
can run "sfc /purgecache". This purges the existing, but corrupted
DLLCache folder and automatically begins a scan of the system.

Some administrators may want to control what files are contained in the
DLLCache folder. This may be necessary in an FDA-qualified environment
at a pharmaceutical or healthcare organization. To maintain a copy of
the DLLCache folder on a network share for all users, you must
modify the following registry key on all of the machines that you want
to be using the shared location:

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
Key = SFCDllCacheDir (REG_EXPAND_SZ)
Path = local or network location of the Dllcache folder (default is the
%SystemRoot%\System32\Dllcache folder)

NOTE:  Modify the registry at your own risk.  Incorrect modifications
can cause your system to fail.

The only caveat to doing this is that if a machine cannot access the
shared folder (e.g., a laptop user who is traveling), then that user
will not be able to run the SFC utility until connected to the LAN again.

Another useful registry setting is the SFCShowProgress registry key:

Key = SFCShowProgress (REG_DWORD)
0 = Do not display the System File Checker progress meter (default)
1 = Display the System File Checker progress meter

This registry setting allows you to show a progress meter while SFC is
running so that you know its status.

Last, due to the number of system files that WFP is monitoring for you,
you may want to increase the size of the DLLCache folder. You can do
this by setting the registry key:

Key = SFCQuota (REG_DWORD)
n = size (in megabytes) of the Dllcache folder quota
ffffffff = (default) cache all protected system files on the local hard

The default size of the DLLCache folder is approximately 250 MB.

Using the dump event log utility
By Bryan Muehlberger

Have you ever needed to look for a certain event in the Event Viewer
logs? If you did, you probably went through the normal method - opening
the Event Log viewer, and performing a filter on the event ID you were
looking for. What if you had to do this on 100 servers?  What would you
do?  The solution would be to use the dump event log (dumpel.exe)
utility, which is included in the Windows 2000 Resource Kit. 

This handy utility allows a systems administrator to dump the entire
event log or only portions of the event log.  Recently I needed to find
out all instances of the Windows File Protection service within the
system log within the Event Viewer. The Windows File Protection (WFP)
service is activated when an application or user tries to replace a file
that is protected by the WFP service.  I wanted to know when the WFP
service was activated and what files were being attempted to be
replaced. To do this, I issued the following command line inside of a
batch file against all of the servers I wanted to report on:

Dumpel.exe -l system -m "Windows File Protection" -s serverName -t >>

This dumped all of the events from the system log on serverName that
were generated by the source "Windows File Protection".  By using the -t
option, I was able to export the data in tab-delimited format for easy
import into Excel. I was then able to sort the data and manipulate what
I was looking for. 

One thing to note is that if you use the -f <filename> option, you can't
perform the dumpel.exe command on multiple servers because the file will
get overwritten each time.  To get around this, I redirected the
standard output to a file by using the command line redirection syntax
'>>', which appends each command's output to the existing file.

Learn to use Windows File Protection
By Bryan Muehlberger

Windows File Protection (WFP) is a service that constantly monitors
protected system files in a Windows 2000/XP or Windows Server 2003
environment. If an application or user inadvertently attempts to replace
a protected system file, WFP is activated to prevent it from occurring.
WFP captures the attempt and then looks inside of its cache of protected
system files to find the approved version of the file.

WFP protects all .sys, .exe, .dll, and .ocx files that ship with Windows
2000/XP or are upgraded as part of a system update and/or service pack
released by Microsoft. The protected file will be replaced by the file
stored in the DLLCache folder, CD-ROM, or a network share.

To take control of the WFP service, you can run the System File Checker
(sfc.exe) utility.  The SFC utility is part of the Windows 2000/XP and
Server 2003 platform and must be used in conjunction with the Windows
File Protection service. This command line utility allows you to scan
your system files, update your protected system files, and update the
DLLCache folder.

For example, to force a scan, you can run the following command:

sfc.exe /scannow

This will cause SFC to scan all of your files immediately and prompt you
to update any files that it finds that do not match the ones that SFC
expects to find.

If you want SFC to scan the system every time you reboot, then you would
use the following command:

sfc.exe /scanboot

Now SFC will run every time you reboot your machine.  If you don't want
SFC to run anymore, run the following command:

sfc.exe /revert

which will revert SFC back to its default settings.

Next week I will discuss some of the additional registry settings that
you can take advantage of to optimize the WFP service and the SFC


Log event utility will log an event to the event viewer
By Bryan Muehlberger

I often need to set up scripts or scheduled routines to run on our
servers, and have wanted a way to easily log an event to the event
viewer upon starting and completing the script. Now, I think I have
found the utility that will help me do this.

The log event (logevent.exe) utility is in the Windows 2000 Resource Kit
and it gives you the ability to easily add events to the Windows
2000/NT/XP application log. You can log errors, warnings and
informational events as part of your daily routine. This makes tracking
and monitoring much easier.

Here's how it works. I want to enter an informational event into the
application log of the event viewer every time a scheduled process
started and completed. In my script, I had a command line similar to the

logevent.exe -m \\serverName -s I -c 1 -r "Routine Process Started" -e 500 "Script scriptname.exe has successfully started."


logevent.exe -m \\serverName -s I -c 1 -r "Routine Process Completed" -e 501 "Script scriptname.exe has successfully completed."

Whenever my scheduled process starts, I get an event in the application
log with event ID 500.  When it's finished, I get another event in the
application log with event ID 501. All I need to do is monitor the event
log on serverName and watch for event IDs 500 and 501.  If I ever see a
500, but not a 501, I know there's a problem. The process may not have
completed, or it ran into some sort of error. 
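
As an added example (not part of the original tip or of the Resource Kit), the Python script below applies the "500 without a 501" check to an event export that was merged from several servers with '>>', as in the dumpel tip above. The column layout (date, time, event ID, computer, description), the server names and the sample rows are assumptions constructed for illustration; map the indexes to the columns in your own export.

```python
import csv
import io
from datetime import datetime

START_ID, DONE_ID = 500, 501  # event IDs the script logs via logevent.exe

# Constructed sample: tab-delimited export appended from two servers.
# Assumed columns: date, time, event ID, computer, description.
SAMPLE = (
    "03/10/2003\t02:00:00\t500\tSRV01\tScript scriptname.exe has successfully started.\n"
    "03/10/2003\t02:07:41\t501\tSRV01\tScript scriptname.exe has successfully completed.\n"
    "03/10/2003\t02:00:03\t500\tSRV02\tScript scriptname.exe has successfully started.\n"
    "03/11/2003\t02:00:02\t500\tSRV02\tScript scriptname.exe has successfully started.\n"
    "03/11/2003\t02:09:30\t501\tSRV02\tScript scriptname.exe has successfully completed.\n"
)


def parse_events(text):
    """Yield (timestamp, event_id, computer) for start/complete rows only."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 4 or not row[2].isdigit():
            continue  # skip blank or malformed lines instead of crashing
        event_id = int(row[2])
        if event_id in (START_ID, DONE_ID):
            when = datetime.strptime(row[0] + " " + row[1], "%m/%d/%Y %H:%M:%S")
            yield when, event_id, row[3]


def unmatched_starts(text):
    """Return [(computer, start_time)] for each 500 with no 501 before the next 500."""
    open_start = {}  # computer -> time of a start still awaiting completion
    missing = []
    for when, event_id, computer in sorted(parse_events(text)):
        if event_id == START_ID:
            if computer in open_start:  # a new run began, the previous one never finished
                missing.append((computer, open_start[computer]))
            open_start[computer] = when
        elif computer in open_start:
            del open_start[computer]
    # Starts still open at the end of the log never completed either.
    missing.extend(open_start.items())
    return sorted(missing)


if __name__ == "__main__":
    for computer, when in unmatched_starts(SAMPLE):
        print(f"{computer}: started {when} but no event {DONE_ID} followed")
```

The rows are sorted by timestamp before pairing because a file built by appending one server after another is not in time order.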

I've barely touched on the functionality and usefulness of this cool
utility, so download and explore it for yourself.




TipWorld(TM) is a trademark of IDG Newsletter Corporation. ©1996, All rights reserved.


Copyright © 1996-2007 Web Team,
CC1 UdS.