Improving system stability.
In order to prevent malware from compromising critical system components, Windows works hard to maintain the integrity of its files. If you try to replace one of the “protected” files, you may get a message that the operating system has put the old approved version back. That’s “Windows File Protection”, now called “Windows Resource Protection”.
Unfortunately, there are occasionally ways around automated protection. Sometimes it’s as simple as a hard disk error causing a system file to be damaged.
As a result, automated checking is nice, but sometimes you need to take matters into your own hands.
Enter the SFC, the System File Checker.
SFC: System File Checker
SFC scans your system files and confirms they have not been compromised or replaced with unofficial versions. If an unexpected version is found, SFC attempts to restore it from backup copies or original installation media. Run SFC by entering “SFC /scannow” in an admin Command Prompt or PowerShell.
System file protection
The premise behind system file protection is that Windows keeps additional information about each protected file, possibly including, but not limited to, the file's date/time stamp, its size, and its cryptographic hash. When files are “officially” updated, this information is also updated to reflect the new official files.
Every so often, Windows checks all those files to make sure they still match, meaning the time stamp, size, and hash value all match what is expected. If they don’t, something is wrong, and Windows will likely report the error.
Unfortunately, “wrong” can be the result of many different things:
- Malware is the primary reason system file protection exists. Malicious software can inject itself into the system by modifying Windows’ own files. System file protection detects when this happens and repairs the damage.
- Set-up programs often replace system components with their own, sometimes breaking things. System file protection notices when this happens.
- Random other failures.
So, what happens when a problem is found?
Repairing altered files
If you’ve ever searched for a system file on Windows, it’s not uncommon to find several copies:
- The original file, used by Windows.
- Previous versions of the file saved by Windows Update, so you can uninstall specific updates if needed.
- Cached copies of the file, kept as a performance enhancement that loads the file more quickly when needed.
- Back-up copies of the file.
It’s typically the first that’s used when system file protection needs to restore a file.
In addition, many systems include a copy of Windows on a restore or recovery partition, and when all else fails, the original Windows installation media might be used.
In all cases, the repair process also checks that the copy it’s restoring is correct. If it fails to have the expected information, it will be skipped. Because many of those sources are on your hard disk, malware authors attempt to replace or damage them all to prevent the repair process from working.
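The check-then-repair logic described above, as an added example (a simplified model written for this page, not Windows' own implementation). The file names, the `repair` helper, and the sample contents are constructed for illustration; the point is that a backup copy is itself verified against the recorded hash before it is allowed to replace the live file.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Capture the three attributes the article names for a protected file."""
    st = path.stat()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest()}

def mismatches(path: Path, expected: dict, keys=("size", "mtime_ns", "sha256")) -> list:
    """Return the attributes that differ from the baseline (empty list = intact)."""
    if not path.is_file():
        return ["missing"]
    actual = fingerprint(path)
    return [k for k in keys if actual[k] != expected[k]]

def repair(live: Path, expected: dict, sources: list) -> str:
    """Restore `live` from the first source whose content matches the baseline;
    sources that fail the check are skipped, never copied over the live file."""
    for src in sources:
        # A backup's timestamp may legitimately differ; its content may not.
        if mismatches(src, expected, keys=("size", "sha256")):
            continue
        shutil.copyfile(src, live)
        os.utime(live, ns=(expected["mtime_ns"], expected["mtime_ns"]))
        return f"restored from {src.name}"
    return "no trustworthy copy found"

def demo() -> dict:
    """Constructed scenario: one protected file, a tampered backup, a good backup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, bad, good = root / "example.dll", root / "backup1.dll", root / "backup2.dll"
        live.write_bytes(b"official build 1.0")
        good.write_bytes(b"official build 1.0")
        bad.write_bytes(b"tampered build 1.0")    # same size, different content
        baseline = fingerprint(live)               # recorded at "official" update time
        live.write_bytes(b"infected build 1.0")    # simulated unauthorized change
        before = mismatches(live, baseline)
        outcome = repair(live, baseline, [bad, good])
        return {"before": before, "outcome": outcome,
                "after": mismatches(live, baseline)}

if __name__ == "__main__":
    print(demo())
```

Because the altered file and the tampered backup are the same size as the original, only the hash comparison catches them, which is why size and timestamp alone are not enough.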
SFC: the System File Checker
SFC is a command-line tool that checks that all of the files covered by system file protection are as they should be, and that tries to repair those that are not. It’s a good utility to run when you suspect system files have been somehow corrupted, or even if you just think there’s “something wrong” with your system.
SFC requires administrative privileges. Right-click on the Start button, and click on Command Prompt (Admin), Windows PowerShell (Admin), or Windows Terminal (Admin).
After confirming any UAC prompts, type “sfc /scannow” (that’s “sfc”, a space, “/scannow”) at the prompt and press Enter.
SFC scans your system immediately. It can take several minutes to run.
If you have installation media, such as a DVD, you might want to have it available, just in case SFC needs it to replace a damaged file.
While it’s not documented as being required, I’d reboot your machine if SFC replaces any system files. I like to be sure the file replacement actually takes effect.
Microsoft has more detailed SFC documentation, including more options to check at boot time, control the size of the system file protection cache, and so on. There is also Windows Resource Protection documentation, which covers the mechanism Windows uses to keep your system files (and a few other things) safe automatically.