Windows Resource Protection - Overview

Overview

Windows File Protection works by registering for notification of file changes in Winlogon. If any change is detected to a protected system file, the modified file is restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache.

Windows Resource Protection works by setting discretionary access control lists (DACLs) and access control lists (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files. Protected resources can be modified or replaced only if administrators take ownership of the resource and add the appropriate Access Control Entries (ACEs). The "Trusted Installer" account is used to secure core operating system files and registry keys. Protected files and registry keys have an access control list applied that prevents any user account, and any program running under an account other than TrustedInstaller, from making changes.
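The ownership model above can be checked rather than taken on faith. The following PowerShell script is an added example, not part of the original page: it audits a set of protected files and reports any whose owner is not TrustedInstaller or whose DACL grants Modify or Full Control to some other identity, which is the state an administrator leaves behind after taking ownership and adding ACEs. The file paths are assumptions chosen for illustration; substitute the resources you care about.

```powershell
# Added example: audit WRP-protected files for deviations from the
# TrustedInstaller-only ownership/DACL model. Run in an elevated session.
# The paths below are illustrative assumptions, not a list from the page.

$expectedOwner = 'NT SERVICE\TrustedInstaller'
$paths = @(
    "$env:WinDir\System32\ntoskrnl.exe",
    "$env:WinDir\System32\kernel32.dll"
)

function Test-WrpAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = @()

    if ($acl.Owner -ne $expectedOwner) {
        $findings += "owner is '$($acl.Owner)', expected '$expectedOwner'"
    }

    # On an untouched system Administrators, SYSTEM and Users hold only
    # Read & Execute here; an Allow ACE giving Modify (or more) to anyone
    # other than TrustedInstaller means the DACL has been widened.
    $modify = [System.Security.AccessControl.FileSystemRights]::Modify
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -eq $expectedOwner) { continue }
        # Note: ACEs expressed with generic rights (e.g. GENERIC_ALL) show up
        # as large numeric values and would not match this bitmask test.
        if (($ace.FileSystemRights -band $modify) -eq $modify) {
            $findings += "'$($ace.IdentityReference)' has $($ace.FileSystemRights)"
        }
    }

    [pscustomobject]@{
        Path      = $Path
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$paths | ForEach-Object { Test-WrpAcl -Path $_ } | Format-List
```

A non-compliant result is a cue to compare the file against the component store with the built-in `sfc /verifyonly`, which checks content rather than permissions.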
