Windows File Protection message

  • Thread starter basis_consultant

basis_consultant

Hi,

On a Windows XP SP3 system, the following Windows message appears; The user indicates that the error appeared after a recent (Past month or two) update. No system files were recently replaced manually.

"Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files".

The event viewer indicates the following:

"The protected system file oembios.sig (Or oembios.bin or oembios.dat) was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is <Username>. The file version of the bad file is 0.0.0.1."

oembios.sig, oembios.bin and oembios.dat are in C:\i386, and have a timestamp of 03/09/2002

Do we restore these files from the system disk, or do something else?

What do these files do?



Thanks,
QZ
 

Paul

http://www.pcbuyerbeware.co.uk/ProductActivation.htm

"Many OEM copies installed by the major manufacturers (Dell, HP, Packard Bell,
etc.) use a system called System Locked Pre-Installation (SLP) that doesn't
match any hardware on start-up.

It looks for a special signature in the BIOS setup program instead.
If the computer's installation Windows XP has a file called oembios.bin,
then it has SLP-activated OEM copy.

If a BIOS-locked copy of Windows XP is installed on a motherboard and the
BIOS lock fails, the system will go through the normal Product Activation
process at startup.

However, note well that from March 1, 2005, the Product Key supplied on a
label by the computer manufacturer, and used for the initial installation,
won't be accepted for activation. A new copy of Windows XP, with a licence
allowing installation on a different computer, will be needed. This means
that any replacement motherboard, or upgrade to its BIOS, must be supplied
by the original manufacturer in order to ensure that the BIOS lock is put
into effect."

So the purpose of the files seems to be related to a BIOS lock, and the
files are protected by Windows File Protection.

I can find an instance, back in 2008 or so, where an antivirus product got
a "false positive" on those files, and quarantined and deleted them. But that
might not be what has happened in this case.

*******

There are some examples here, of tools for disabling Windows File Protection.
You might need something like this, when putting the files back. (That is, if
these still work...)

http://www.bitsum.com/aboutwfp.asp

*******

The question remains though, how to interpret what has happened.

Is it malware? Was it caused by an update? I can't find anything
to explain it.

Something sorta similar happened here. But why would malware choose
to attack those files? I don't see the motivation. What good is
breaking activation?

http://en.community.dell.com/support-forums/virus-spyware/f/3521/p/19307875/19609574.aspx#19609574

Paul
 

Mayayana

Are you sure they haven't disabled System File
Protection? I always completely remove SFP/PCHealth
and get similar dire messages whenever I delete
system files. Since I also delete the SFP backup
store there's no place for SFP to get the replacement
files, anyway. But for some reason the SFP warnings
still operate. I dismiss them and they don't come back.
(The log entry saying that SFP "was cancelled by user"
also sounds like a sign of SFP being disabled.)

I don't know what reason there might be for replacing
the oem* files, but I wonder if you've been told the
whole story.

If the message doesn't come back you probably don't
need to worry about it. If it keeps coming back...I don't
know much about oem* but I wonder if you might risk
disabling activation by replacing those files. In case it helps,
you can uninstall PCHealth like so, and SFP is disabled with it.
(Put this line in the Run textbox. Watch out for wordwrap. The
"132" has a space on either side.)

rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

To reinstall PCHealth:

rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 132 C:\WINDOWS\INF\PCHealth.inf

Note that Help is pretty much removed by removing
PCHealth. Losing Windows help is not much of a loss,
but some people may use it. I'm not sure whether you
can get it back when re-installing PCHealth. I guess you'd
have to at least have your install CABs/XP CD handy.



 

Roy

==
Bing or Google the three file names...there is info there.
==
 

Peter Foldes

Run WFP

Start\Run\sfc /scannow and see what happens. Notice the space between sfc and /

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/protect
 
