Ok, agreed. File system integrity checking is a good thing. Some good utilities (like ) are available. But the way MS does it makes me go "huh?".
Yesterday my friend deleted a system driver file from a Win2003 machine. When he did a "dir" immediately afterwards, he found that file there again! We checked the event log and found that something called is constantly looking for changes in the system files, and if the user (or hacker) tries to delete or modify these files, it will immediately replace them with the correct files from the cache or CD.
It is an event-driven thing, something like DNOTIFY in Linux. (On a side note: they have INOTIFY in the 2.6 kernel for the same purpose.) Checking for the file is OK, but replacing it looks weird to my Linux brain. If you don't want users to modify/delete this particular file, just make it read-only or protect it with the NTFS-equivalent attributes. And even after that, if someone manages to change it, then tell the admin about it rather than silently replacing it.
I don't know. Maybe I am too linuxified to understand this thing. :)
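To make the two policies from the post concrete, here is a small added example (not code from the original post, and nothing to do with the real WFP implementation): a baseline-hash integrity checker that can either alert on a deleted or modified file, or silently copy a pristine copy back from a cache the way the post describes. It polls against a stored baseline rather than hooking DNOTIFY/INOTIFY events, and the file names, directories and `demo()` scenario are constructed for illustration.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(root):
    """Record a hash for every file under root (the known-good state)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            baseline[os.path.relpath(p, root)] = sha256_of(p)
    return baseline

def check(root, baseline, cache=None, policy="alert"):
    """Compare root against the baseline and return (relpath, kind, action).
    policy='alert':   report the deviation and leave the file as it is.
    policy='restore': copy the pristine copy back from cache (WFP-like)."""
    findings = []
    for rel, good in baseline.items():
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            kind = "deleted"
        elif sha256_of(p) != good:
            kind = "modified"
        else:
            continue  # unchanged: nothing to report
        action = "alerted"
        if policy == "restore" and cache is not None:
            shutil.copyfile(os.path.join(cache, rel), p)  # silent replacement
            action = "restored"
        findings.append((rel, kind, action))
    return findings

def demo(policy):
    """Constructed scenario: one protected file deleted, one tampered with."""
    work = tempfile.mkdtemp()
    root, cache = os.path.join(work, "system"), os.path.join(work, "cache")
    for d in (root, cache):  # identical files in the live tree and the cache
        os.makedirs(d)
        for name, data in (("a.sys", b"driver A"), ("b.sys", b"driver B")):
            Path(d, name).write_bytes(data)
    baseline = build_baseline(root)
    os.remove(os.path.join(root, "a.sys"))
    Path(root, "b.sys").write_bytes(b"driver B, tampered")
    findings = check(root, baseline, cache, policy)
    clean_now = check(root, baseline) == []  # did the tree come back clean?
    shutil.rmtree(work)
    return sorted(findings), clean_now
```

With `policy="alert"` the admin gets both findings and the damage stays visible for investigation; with `policy="restore"` the tree is clean again afterwards, which is exactly the silent behaviour the post finds odd.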