I have software that replaces core OS files. Problem is that Microsoft updates replace those files, rendering the program inoperative. How can I detect file replacement at boot time, due to automatic updates?
My idea is a registry watch on some key, what key? Any other ideas?
Boot-time file replacements are done by smss.exe by referring PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager key. Also, AllowProtectedRenames should be set to 1 if files that are protected by Windows File Protection are going to be moved/deleted. Few resources that might be helpful:
http://msdn.microsoft.com/en-us/library/aa365240.aspx
http://www.techbytes.ca/techbyte101.html