I was playing with Vista’s WRP last night and found that it does not completely protect many system files that you would expect it to protect. Win ME’s System File Protection and 2000 and XP’s Windows File Protection protected about 99% of the files that were installed or upgraded by Windows. Delete, modify, or rename one of the protected files and the file would come right back. SFP and WFP didn’t always restore the file with the correct permissions (it restored the parent permissions), but it indirectly stopped computer viruses from infecting most Windows system files. It stopped hoax virus victims from deleting protected files, and it even helped out last month when one of the popular antivirus programs was going around deleting legitimate Windows files accidentally.

Sadly, on my initial review it appears that WRP isn’t nearly as protective as WFP. I looked forward to WRP because it protects registry keys too, and prevents protected files from being modified in the first place. SFP and WFP allowed the modification, but then undid it.

I demo’d this recovery behavior in WFP all the time in classes and presentations. I’d delete wscript.exe, wait a few seconds, and then watch it “magically” re-appear. Classes and audiences loved it. Linux didn’t have that. In Vista, it’s much harder to delete a system file because of WRP and because all files are owned by the TrustedInstaller service by default. But if you are an Admin-level person and take ownership of a file, then add the appropriate ACE, you can modify, rename, or delete protected resources.
In Vista last night, I took ownership of wscript.exe and then deleted it. Then I waited for it to re-appear. It never did. My friend Jesper Johansson told me that only Windows system files involved in the start-up are stored in the cache and replaced automatically. And he’s right. Here’s a list of what WRP protects.

In checking Windows\Winsxs\backup, I found nearly 2000 files (long names, but the file names they represent are in the longer file name). You’d be surprised as to what is and isn’t covered. In WFP, if a protected file wasn’t in the cache, the system would normally prompt you for an installation CD. In WRP, if the file isn’t in the backup cache (and you can’t modify or add to what’s in the backup cache), you’re out of luck.

I’m perplexed. In Vista we have a potentially better mechanism, one that prevents modifications and protects registry keys, but it doesn’t replace all modified or deleted system files? What is Windows Resource Protection when it doesn’t fully protect a significant number of Windows system files?

Yes, it takes a lot to mess with a system file in the first place, but I can see a virus, worm or bot automating what I did manually. Or an updated hoax virus warning with “removal instructions”. Ah, I’m just upset that a good demo is gone, using a file I didn’t mind losing if it didn’t work in the first place.
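To see which system files WRP could actually put back on a given machine, here is an added PowerShell script (example code, not from the original post) that reports, for each file, who owns the live copy and whether a restore copy exists in the WinSxS backup cache. It assumes the cache path %windir%\winsxs\Backup, that a cached copy’s long name contains the original short file name (as the post observed), and the sample file list is my own choice.

```powershell
# Added example, not from the original post: for a set of system files, report
# who owns the live copy and whether the WinSxS backup cache holds a restore
# copy, which is what decides whether WRP puts the file back after deletion.
# Assumptions: the cache lives at %windir%\winsxs\Backup and each cached file's
# long name contains the original short file name (as observed in the post).
# Run from an elevated PowerShell prompt; it only reads, it changes nothing.
param(
    [string[]]$Files = @('wscript.exe', 'cscript.exe', 'notepad.exe', 'ntoskrnl.exe'),
    [string]$BackupDir = (Join-Path $env:windir 'winsxs\Backup')
)

# Read the cache directory once; matching below is then done in memory.
$backupNames = Get-ChildItem -Path $BackupDir -ErrorAction Stop |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { $_.Name.ToLowerInvariant() }

foreach ($name in $Files) {
    $live   = Join-Path $env:windir ('System32\' + $name)
    $needle = $name.ToLowerInvariant()
    # Name-containment heuristic: count cached entries whose long name embeds the short name.
    $copies = @($backupNames | Where-Object { $_.Contains($needle) }).Count

    $owner = '(file missing)'
    if (Test-Path -Path $live) {
        # On an untouched install the owner should be NT SERVICE\TrustedInstaller;
        # anything else means someone has already taken ownership.
        $owner = (Get-Acl -Path $live).Owner
    }

    New-Object PSObject -Property @{
        File         = $name
        Owner        = $owner
        BackupCopies = $copies
        AutoRestored = ($copies -gt 0)   # no cached copy means no automatic replacement
    } | Select-Object File, Owner, BackupCopies, AutoRestored
}
```

This answers only the narrower question of which files have a cached copy to restore from; `sfc /verifyonly` remains the supported way to verify the integrity of protected files.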