What file does "FileProtection" want to change?

Hi,

In my stupid curiosity I clicked on a dubious link in an e-mail and promptly landed on a **** page. I still noticed a quick opening of a window and closed Firefox to see the pop-up. When there was no window, I quickly hit Reset, suspecting something happening in the background.

The boot came up with pci.sys corrupted or missing. I inserted the XP CD and started a prompt to check the file. While running up in safe mode, XP informed me that a file had been replaced and, once in DOS, I found the file in the drivers directory. Whether it is the correct size I don't know, but the date matches that of the other .sys files.

Just to be sure, I read up on this and started WFP (Windows File Protection). After a few minutes it told me to insert the XP CD to copy some files to the DLL Cache.

Since I can't find any pci.sys in DLLCache I am a bit worried that XP might want to overwrite a totally legitimate file, which does not match its list. And maybe this file was modified by SP2 and XP wants to revert to the original.

My question: how can I identify, which file the File Protection utility is trying to modify or thinks it is in error?

Any ideas how to catch this?

Thanks.

 

Nothing that I can see in Event Viewer.

In System I get some Service Control Manager Errors, but I don't have the experience to read them. Event 7000 or 7036 don't mean much to me. There are also quite some "Service Control Manager" errors with Event numbers 7035 and 7036. In Security and Application there are no unusual entries as far as I can see.

And no hint on what file the FileProtection utility wants to modify. Only that Windows File Protection started and opened a popup.

Pity.

Am I missing something????

Thanks

 

I've never had SFC to replace a new file with an older one. I don't think it can do that since it is programmed to search and verify all versions for the correct signature.

If it does replace anything, you'll see a report in the Eventvwr.msc under System. It won't tell you in advance what it intends to replace.

I've also never had SFC do me any good but that's another story.

 

Thanks for the support.

As I've said before: I do not trust Microsoft.

And definitely not with programming. So I'll let this one blow by. To have a change made and then find later that it replaced something valid and valuable - no thank you.

And now that I am on a rant: a good OS would tell you what and why it wants to replace. Along with version info and reasons for the suggested change. But then, that would be a good OS.