A. Windows Resource Protection does more than just restore files that are changed by a setup process. It also protects those files from being changed in the first place by allowing only trusted installation procedures to change key files or registry settings. This protection is achieved through the TrustedInstaller access control target that’s placed on key resources.
The only processes that can access the files as TrustedInstaller via the Windows Modules Installer service are TrustedInstaller-installed Windows service packs, hotfixes, OS upgrades, and Windows Update files. Any other process that attempts to change a Windows Resource Protection-protected file will fail with an Access Denied error message, except for legacy applications or installations by an administrator, which will still fail but will suppress the error message.