Hi Andy!
Thank you very much for explaining the file protection mechanism.
I was thinking about viruses infecting both the files in system32 and
the source file, but I can only find one copy of xcopy.exe. Apparently
SFP retrieves the file from another location or from a cab file (the
SFCDllCacheDir registry entry is not in my
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
hive), but SFP seems to work fine.
Now, what if a virus infects both the files in the system32 directory
and in system32\dllcache at the same time? Or it sets
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\SFCDisable to 3 first?
Thank you very much for your reply!
Kindest regards,
Eric van Loon


                Eric,

                You can use the client QUERY SYSTEMINFO command to see
which files are
                protected by Windows system file protection, and are
thus part of the
                system state.

                   dsmc query systeminfo sfp

                will list all system-protected files.

                   dsmc query systeminfo sfp=fully-qualified-file-name
-console

                will tell you whether fully-qualified-file-name is
system-protected.

                For example:

                   dsmc query systeminfo
sfp=c:\windows\system32\xcopy.exe -console

                should indicate that, indeed, this is a protected file.

                Per Microsoft specification, system-protected files are
part of the system
                state, and system state backup and restore is an "all or
nothing"
                proposition. Therefore TSM does not permit backup or
restore of individual
                system state components.

                Now, the question to you is, why do you need to restore
xcopy.exe?

                There should be no need for you to restore xcopy.exe or
any other
                system-protected file. As a test, go into your
c:\windows\system32
                directory. Do a "dir" for xcopy.exe. Then delete the
file. Wait a few
                seconds, then do the "dir" again. You should see the
file restored. (Note:
                you might want to copy xcopy.exe just as a precaution,
but system file
                protection is a standard feature of Windows 2000, XP,
and 2003, and
                something would have to be seriously wrong with your OS
for xcopy.exe to
                not be restored.)

                Regards,

                Andy

                Andy Raibeck
                IBM Software Group
                Tivoli Storage Manager Client Development
                Internal Notes e-mail: Andrew Raibeck/Tucson/[EMAIL
PROTECTED]
                Internet e-mail: [EMAIL PROTECTED]

                IBM Tivoli Storage Manager support web page:
        
http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliStorag
eManager.html


                The only dumb question is the one that goes unasked.
                The command line is your friend.
                "Good enough" is the enemy of excellence.


**********************************************************************
For information, services and offers, please visit our web site: 
http://www.klm.com. This e-mail and any attachment may contain confidential and 
privileged material intended for the addressee only. If you are not the 
addressee, you are notified that no part of the e-mail or any attachment may be 
disclosed, copied or distributed, and that any other action related to this 
e-mail or attachment is strictly prohibited, and may be unlawful. If you have 
received this e-mail by error, please notify the sender immediately by return 
e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), 
its subsidiaries and/or its employees shall not be liable for the incorrect or 
incomplete transmission of this e-mail or any attachments, nor responsible for 
any delay in receipt.
**********************************************************************