Hi Andy! Thank you very much for explaining the file protection mechanism. I was thinking about viruses infecting both the files in system32 and the source file, but I can only find one copy of xcopy.exe. Apparently SFP retrieves the file from another location or from a cab file (the SFCDllCacheDir registry entry is not in my HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon hive), but SFP seems to work fine. Now, what if a virus infects both the files in the system32 directory and in system32\dllcache at the same time? Or it sets HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable to 3 first? Thank you very much for your reply! Kindest regards, Eric van Loon
Eric, You can use the client QUERY SYSTEMINFO command to see which files are protected by Windows system file protection, and are thus part of the system state. dsmc query systeminfo sfp will list all system-protected files. dsmc query systeminfo sfp=fully-qualified-file-name -console will tell you whether fully-qualified-file-name is system-protected. For example: dsmc query systeminfo sfp=c:\windows\system32\xcopy.exe -console should indicate that, indeed, this is a protected file. Per Microsoft specification, system-protected files are part of the system state, and system state backup and restore is an "all or nothing" proposition. Therefore TSM does not permit backup or restore of individual system state components. Now, the question to you is, why do you need to restore xcopy.exe? There should be no need for you to restore xcopy.exe or any other system-protected file. As a test, go into your c:\windows\system32 directory. Do a "dir" for xcopy.exe. Then delete the file. Wait a few seconds, then do the "dir" again. You should see the file restored. (Note: you might want to copy xcopy.exe just as a precaution, but system file protection is a standard feature of Windows 2000, XP, and 2003, and something would have to be seriously wrong with your OS for xcopy.exe to not be restored.) Regards, Andy Andy Raibeck IBM Software Group Tivoli Storage Manager Client Development Internal Notes e-mail: Andrew Raibeck/Tucson/[EMAIL PROTECTED] Internet e-mail: [EMAIL PROTECTED] IBM Tivoli Storage Manager support web page: http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliStorag eManager.html The only dumb question is the one that goes unasked. The command line is your friend. "Good enough" is the enemy of excellence. ********************************************************************** For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. **********************************************************************