Windows Resource Protection (WRP)
Feature Impact
High (may block the application from installing or running)
Brief Description
As an initiative to increase system stability, predictability and reliability, Windows Resource Protection (WRP) protects Windows read-only resources: specifically OS files, folders, and registry keys that are non-configurable by design. See Protected Resource List.
WRP enforces this protection using Windows Security by specifying special security descriptors on the resource. No process, including those running as administrator or system, has rights to make changes to WRP resources; such processes can only read and execute them. Full access to WRP resources is restricted to the Windows Modules Installer service.
As a result, read-only system state is protected from the inadvertent impact of application installs and administrator modifications, which improves system stability.
Manifestation
Applications will not succeed in replacing or modifying protected OS resources (this typically happens during application install and uninstall), with the following results:
Attempts to replace, modify, or delete OS files and/or registry keys that are protected by WRP may fail with an error message indicating that the resource could not be updated. This is because access to these resources is denied.
Because applications are prevented from making changes to WRP resources, and related errors are suppressed, runtime errors may result.
Remedies
Do not install or update system state (files and registry) on Windows Vista except when using Microsoft-provided redistributable packages designed for Windows Vista.
Do not decompose a Microsoft-provided redistributable designed for Windows Vista and install individual files or registry keys. The redistributable must be installed as provided by Microsoft.
To determine through code whether a file is protected, use the SfcIsFileProtected API.
Or use Explorer to check permissions on the file:
Open the folder that contains the file whose properties you want to see.
Right-click the file whose properties you want to see, and then click Properties.
Keys that are protected by WRP will show Trusted Installer with Full Control. SYSTEM, Administrators, and Users will have Read permissions only.
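The two checks above (the SfcIsFileProtected API and the permissions on the file) can be combined in one script. This is an added example, not code from the original page; the function name Test-WrpProtected, the Wrp.Native wrapper type and the sample path are assumptions of the example, and the SID is the well-known SID of NT SERVICE\TrustedInstaller.

```powershell
# P/Invoke wrapper for SfcIsFileProtected (sfc.dll); RpcHandle must be NULL.
Add-Type -Namespace Wrp -Name Native -MemberDefinition @'
[DllImport("sfc.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SfcIsFileProtected(IntPtr RpcHandle, string ProtFileName);
'@

# Well-known SID of NT SERVICE\TrustedInstaller (Windows Modules Installer).
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Test-WrpProtected {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Ask for SIDs rather than names so the comparison is locale-independent.
    $rules = (Get-Acl -LiteralPath $full).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $fsr       = [System.Security.AccessControl.FileSystemRights]
    $fullCtl   = [int]$fsr::FullControl
    $writeMask = [int]($fsr'Write, Delete, ChangePermissions, TakeOwnership')

    $tiFull = $false
    $otherWriters = @()
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$r.FileSystemRights
        if ($r.IdentityReference.Value -eq $TrustedInstallerSid) {
            if (($rights -band $fullCtl) -eq $fullCtl) { $tiFull = $true }
        }
        elseif (($rights -band $writeMask) -ne 0) {
            # Any other principal with write-type rights contradicts the WRP pattern.
            $otherWriters += $r.IdentityReference.Value
        }
    }

    [pscustomobject]@{
        Path                        = $full
        SfcProtected                = [Wrp.Native]::SfcIsFileProtected([IntPtr]::Zero, $full)
        TrustedInstallerFullControl = $tiFull
        OtherWriters                = $otherWriters
    }
}

# Sample path chosen for illustration.
Test-WrpProtected -Path "$env:windir\System32\kernel32.dll"
```

A file that matches the WRP pattern described above reports Full Control for TrustedInstaller only and an empty OtherWriters list.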
The only way to modify a WRP registry value or WRP protected OS file is to:
- submit the changed file and installer to an Authenticode provider and receive an Authenticode certificate for application signing;
- or, submit the changed file and installer to Microsoft for WHQL certification.