My understanding is that on windows 2008 r2 the windows resource protection is on by default and will restore the tampered files within a few minutes of tampering.
testing shows this isn't happening though. we have to run sfc /scannow manually in order to detect the tampering.
As far as I know, we need to run system file checker manually to repair the system files. If the files cannot be fixed automatically, we need to replace it after reviewing the log file manually.
The CBS.log file contains entries that some files are not repaired even after you successfully run the SFC utility on a Windows Server 2008-based computer
For more information, please refer to the following Microsoft KB article:
Description of the Windows File Protection feature
TechNet Community Support
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.
Would you like to participate?