System File Checker (SFC[1]) is a utility in Microsoft Windows that allows users to scan for and restore corrupted Windows system files.[2]
Overview
Microsoft ships this utility with Windows 98, Windows 2000 and all subsequent versions of the Windows NT family of operating systems. In Windows Vista, Windows 7 and Windows 10, System File Checker is integrated with Windows Resource Protection (WRP), which protects registry keys and folders as well as critical system files. Under Windows Vista, sfc.exe can be used to check specific folder paths, including the Windows folder and the boot folder.
Windows File Protection (WFP) works by registering for notification of file changes in Winlogon. If any changes are detected to a protected system file, the modified file is restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache.
Windows Resource Protection (WRP) works by setting discretionary access-control lists (DACLs) and access control lists (ACLs) defined for protected resources. If any changes are detected to a protected system file, the modified file is restored from a cached copy located in a folder at %WinDir%\WinSxS\Backup.[3] Permission for full access to modify WRP-protected resources is restricted to the processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files.
History
Due to problems with Windows applications being able to overwrite system files in Windows 95, Microsoft has since implemented a number of security measures to protect system files from malicious attacks, corruptions, or problems such as DLL Hell.
System File Checker was first introduced on Windows 98 as a GUI utility. It offered scanning and restoration of corrupted system files by matching the version number against a database containing the original version number of the files in a fresh Windows 98 installation. This method of file protection was basic. It determined system files by file extension and file path. It was able to restore files from the installation media or a source specified by the user. Windows 98 did not offer real-time system file protection beyond file attributes; therefore, no preventive or reactive measure was available.
All Windows NT-based operating systems since Windows 2000 introduced real-time file protection, called Windows File Protection (WFP).[4]
In addition, the System File Checker utility (sfc.exe) was reimplemented as a more robust command-line utility that integrated with WFP. Unlike the Windows 98 SFC utility, the new utility forces a scan of protected system files using Windows File Protection and allows the immediate silent restoration of system files from the DLLCache folder or installation media.
The System File Checker component included with versions of Windows 2000 earlier than Service Pack 4 overrode patches distributed by Microsoft;[7] this was rectified in Windows 2000 Service Pack 4.
Usage
In Windows NT-based operating systems, System File Checker can be invoked via Windows Command Prompt (with Admin privilege[8]), with the following command:
sfc /scannow (to repair problems)
or sfc /verifyonly (no repair)
If it finds a problem, it will attempt to replace the problematic files from the DLL Cache (%WinDir%\System32\dllcache). If the file is not in the DLL Cache or the DLL Cache is corrupted, the user will be prompted to insert the Windows installation media or provide the network installation path. System File Checker determines the Windows installation source path from the registry values SourcePath and ServicePackSourcePath.[9] It may keep prompting for the installation media even if the user supplies it if these values are not correctly set.[10]
In Windows Vista and onwards, files are protected using access control lists (ACLs), and if it finds a problem, it will attempt to replace the problematic files from the Windows Side-by-side Backup (%WinDir%\WinSxS\Backup).[3] However, the above command has not changed.
System File Checker in Windows Vista and later Windows operating systems can scan specified files. Also, scans can be performed against an offline Windows installation folder to replace corrupt files, in case the Windows installation is not bootable. For performing offline scans, System File Checker must be run from another working installation of Windows Vista or a later operating system or from the Windows setup DVD[11] or a recovery drive which gives access to the Windows Recovery Environment.
In cases where the component store is corrupted, the "System Update Readiness tool" (CheckSUR) can be installed on Windows 7, Windows Vista, Windows Server 2008 R2 or Windows Server 2008, replaced by "Deployment Image Service and Management Tool" (DISM) for Windows 10, Windows 8.1, Windows 8, Windows Server 2012 R2 or Windows Server 2012. This tool checks the store against its own payload and repairs the corruptions that it detects by downloading required files through Windows update.[12]
References
^
Boswell, William (2003). "Using the System File Checker, SFC". Inside Windows Server 2003. Inside Series. p. 860. ISBN9780735711587. Retrieved 2017-07-23. You do not need to hack the Registry to change the WFP settings. A command-line utility comes with Windows Server 2003 to set these values. Called the System File Checker, or SFC, the utility can also rebuild the D11Cache directory files if files are accidentally deleted.
John Paul Mueller (2007). Windows Administration at the Command Line for Windows Vista, Windows 2003, Windows XP, and Windows 2000. John Wiley & Sons. ISBN978-0470165799.