Windows works very hard to maintain the integrity of the system files on your machine. If you try to replace one of the “protected” files, you may get a message that the operating system has put the old approved version back. Not all files are under system file protection and even for those that are, there are ways around it. Occasionally, system files become corrupt.
Enter the SFC, the System File Checker.
System file protection
The basic premise behind system file protection is that Windows keeps additional information about all of the files that are part of Windows. That additional information could be (but certainly isn’t limited to) the date/time stamp of the file, its size, and its cryptographic hash. When files are “officially” replaced or updated (say by Windows Update), then this database of information is similarly updated to reflect the new files.
Periodically, Windows checks all of those files to make sure that they still match. That means that the time stamp, the size, and that hash value or digital signature are set to what is expected. If they are not … well, then something is wrong.
A digital signature is basically just a very large number that is computed from a digital document to verify both its authenticity and authorship. A document being signed is first hashed which generates a large number. That number is then
... continue reading »
- Malware was originally one of the reasons why system file protection was implemented in the first place. Malicious software would try to inject itself into the system by actually modifying Windows’ own files. System file protection now detects when this happens.
- Improper setup programs. This is on the decline, but software packages would occasionally attempt to replace system components with their own. That’s bad for a number of reasons. Once again, system file protection can swoop in and detect that it’s happened.
- Random other failures.
So, what happens when a problem is found?
Repairing altered files
If you’ve ever searched for a system file on Windows, it’s not uncommon to find several copies:
- The original file currently in use by Windows.
- Previous versions of the file saved by Windows Update so that you can uninstall specific updates, if needed.
- Cached copies of the file as a type of performance enhancement to load the file more quickly, when needed.
- Back-up copies of the file.
It’s that last one that would be used to restore the file to its original state should something happen.
In addition, many systems now come with a copy of Windows on a restore or recovery partition, which can also be used as a source for retrieving original copies of files that need to be restored.
And of course, when all else fails, it’s possible that you might be asked to provide the original Windows installation media, if you have it.
In all cases, the repair process also checks that the copy that it’s restoring is proper. If it fails to have the expected information, then it will be skipped. Because many of those sources are on your hard disk, malware authors will attempt to replace or damage them all to prevent the repair process from working.
SFC – the System File Checker
SFC is nothing more than a command-line tool to check that all of the files covered by Windows system file protection are as they should be and to try to repair those that are not. It’s a good utility to run when you suspect that system files have been somehow corrupted.
SFC requires administrative privileges. The easiest approach is to run a Windows Command Prompt as administrator. On traditional desktop Start menus, click All Programs, Accessories, and then right-click Command Prompt:
Click Run as administrator.
In Windows 8’s tiled Start screen, just type “cmd” and when the Command Prompt appears in the search results, right-click it and select Run as administrator:
After confirming any UAC prompts, type “sfc /scannow” in the Command Prompt and press Enter:
This causes SFC to scan your system immediately. SFC can take a few minutes to run. If you have installation media, such as a CD or DVD, you might have it available just in case SFC wants to replace a damaged file.
While it’s not documented anywhere, I’d reboot your machine if SFC replaces any system files. Why? I just like to be sure that the file replacement actually takes effect.
The Microsoft Knowledge Base has more detailed SFC documentation (for Windows XP, the tool has changed little since then), including more options to check at boot time, control the size of the system file protection cache, and so on. Speaking of which, the Microsoft Knowledge Base also includes System File Protection documentation, covering the mechanism that Windows uses to keep your system files safe automatically.