Windows maintains an extra copy of critical system files including signed drivers, in the %systemroot%\system32\dllcache subdirectory. If you attempt to delete or modify any of the protected files, system file protection will copy the original version from the dllcache to the driver location.  If you attempt to delete or modify the version of the protected file in the dllcache, it will copy the original into the dllcache.

Note that system file protection isn't perfect - you can copy notepad.exe on ntoskrnl.exe and system file protection will not "fix" your system.  That is because it merely looks to ensure the binary is signed.  This doesn't mean it is the correct binary!

The Windows Debugger provides a mechanism for replacing files on a debugee by using the ".kdfiles" directive.  This is well documented in the debugger documentation, although it doesn't exactly highlight the fact that this feature can be used to bypass system file protection in the process.

If you haven't discovered ".kdfiles" yet, read up on it -- You'll be very glad you did!  This debugger command is one of the best features ever implemented.  It allows you to have the debugger automagically replace an executable image on the target system (the one that you're debugging) with an executable image from your host system (the one from which you're running the debugger).  That means that with this command, there's no longer any need to manually copy you're newly built version of fred.sys (or whatever your driver is) to \windows\system32\drivers\ while you debug.

Plus, as previously mentioned, a bonus feature of .kdfiles is that it will allow you to replace a system file.  Which is very useful for replacing the supplied version of disk.sys with the checked version built from the sources in the DDK, for example, when you're trying to figure out what's going on in the storage stack.