I have two W2K installs in different partitions on the same hard disk,
which I'll call the primary install and alternate install.


In the alternate install, Windows File Protection (WFP) works
normally. If I rename WINMINE.EXE to WINMINE.OLD, the executable will
be restored from DLLCACHE. The following files are consulted (in
chronological order) so that this happens:

Winnt\System32\CatRoot\SYSMAST.*
Winnt\System32\CatRoot\{F750...295EE}\CATMAST.*
Winnt\System32\CatRoot\{F750...295EE}\HASHMAST.*
Winnt\System32\CatRoot\{F750...295EE}\NT5.CAT


In my primary install, WFP only works for files in DLLCACHE that have
been updated since SP2.

Here are some examples. The three files WINMINE.EXE, ACLUI.DLL and
DSQUERY.DLL are in the DLLCACHE of the primary install. The version of
WINMINE.EXE, 5.0.2135.1, is that of the original W2K install. The
version of ACLUI.DLL, 5.0.2195.2488, is that installed by SP2. The
version of DSQUERY.DLL, 5.0.2195.4445, is that of the the post-SP2
SRP1 update.

1. If I rename WINMINE.EXE to WINMINE.OLD, the executable is not found
in DLLCACHE (even though it's there) and WFP calls for the insertion
of the original W2K install CD. The CD's recognized when it's
inserted, but the file isn't replaced.

The following files are consulted while this happens:

Winnt\System32\CatRoot\SYSMAST.*
Winnt\System32\CatRoot\{F750...295EE}\CATMAST.*
Winnt\System32\CatRoot\{F750...295EE}\HASHMAST.*
... but NT5.CAT is never used, though it's present and identical to
NT5.CAT in the alternate install.

2. If I rename ACLUI.DLL to ACLUI.OLD, the file is not found in
DLLCACHE (even though it's there) and WFP calls for the insertion of
the SP2 CD. When inserted, this CD is _not_ recognized and the file is
not replaced.

3. If I rename DSQUERY.DLL to DSQUERY.OLD, the file is replaced
promptly from the copy in DLLCACHE.

IOW, WFP works normally for any file that has been placed in DLLCACHE
*since* SP2.

If DLLCACHE is purged with SFC.EXE, the cache is emptied of
SP2-and-earlier files and WFP behavior does not change.


Why would WFP only work for all files updated *since* SP2? If, as I
suspect, the SYSMAST/CATMAST/HASHMAST files are corrupt, how can they
be regenerated? (I tried an "inplace upgrade via a manual repair" in
the primary install and then reapplied SP2, but it didn't change a
thing.)

regards, Andy

---

Request for Question Clarification by blader-ga on 01 May 2002 14:19 PDT

Dear andaya:

May I have the logged WFP events when you try to replace winmine.exe
in the primary as well as the alternate install?

Best Regards,
blader-ga

---

Clarification of Question by andya-ga on 01 May 2002 16:27 PDT

The alernate install behaves normally. I rename WINMINE.EXE, file
version 5.0.2135.1, to WINMINE.OLD and the file is replaced by WFP
with the copy in system32\dllcache. The following event is added to
the system log (I've omitted the location of the winnt folder):

Source  : Windows File Protection
Category: None
Type    : Information
Event ID: 64002

File replacement was attempted on the protected system file
...\system32\winmine.exe. This file was restored to the original
version to maintain system stability. The file version of the system
file is 5.0.2135.1.


The primary install does not work normally for this file. I rename
WINMINE.EXE, file version 5.0.2135.1, to WINMINE.OLD. The W2K CD is
requested and the CD is inserted. WINMINE.EXE, file version
5.0.2135.1, exists in system32\dllcache, but this file is not used to
replace WINMINE.OLD. The following event is added to the system log:

Source  : Windows File Protection
Category: None
Type    : Information
Event ID: 64004

The protected system file winmine.exe could not be restored to its
original, valid version. The file version of the bad file is unknown
The specific error code is 0x800b0100 [No signature was present in the
subject.].


I then rename WINMINE.OLD to WINMINE.EXE. The W2K CD is requested and
the CD is inserted. The following event is added to the system log:

Source  : Windows File Protection
Category: None
Type    : Information
Event ID: 64004

The protected system file winmine.exe could not be restored to its
original, valid version. The file version of the bad file is
5.0.2135.1 The specific error code is 0x800b0100 [No signature was
present in the subject.].

There is nothing wrong with WINMINE.EXE. Both the copy in system32 and
the copy in dllcache are identical (via "fc.exe /b") to the version in
the alternate install and the game runs in its normal (and totally
boring <g>) manner.

Hope you can help.

---

Request for Question Clarification by blader-ga on 01 May 2002 18:32 PDT

Hi again andya:

From reading up on some articles on the MSKB website, I suspect that
you may have an old or corrupted version of the system file checker
dll (sfc.dll). Could you verify the file on your primary file against
the one on your alternate? Thanks.

Best Regards,
blader-ga

---

Request for Question Clarification by blader-ga on 01 May 2002 18:38 PDT

Oh and also, I probably should have asked you earlier, but is SP2
installed on your alternate installation as well?

---

Clarification of Question by andya-ga on 02 May 2002 02:11 PDT

Yes, SP2 has been applied to both the primary and alternate installs.
I keep each install completely current for hotfixes, as well. HFNetChk
is used to verify that each install is up-to-date.

---

Clarification of Question by andya-ga on 03 May 2002 10:32 PDT

< ... you may have an old or corrupted version of... (sfc.dll). Could
you verify the file on your primary... against the one on your
alternate? >

I compared both SFC.DLL and SFC.EXE via "fc /b" and they are identical
in both installations.

Thanks for the effort.

regards, Andy