|This is a follow-on from my previous reply also here http://www.computing.net/answers/wi...|
You renamed Cmd.exe to Logon.scr so it seems Logon.scr was created with the same protections as Cmd.exe and a new version of Cmd.exe was copied to the System32 folder from the Protected Files cache..
If this has happened Logon.scr would have been recognized by WFP as not being included in the Protected Files cache and automatically copied to the cache. You now have Logon.scr in both the System32 folder and in the PF cache so that if you delete/rename/alter Logon.scr in System32 a new version will be automatically copied from the PF cache.
So what can you do now? My suggestion is to leave things alone. Having Logon.scr in either location is doing no harm whereas the alterations being made to the Registry may cause one or more headaches. Just hope that the system administrator (if that's not you) doesn't decide to investigate why alterations to the system are being made.
Anyone else care to advise please?