You are here:Home»KB»PC»Windows Family»Windows XP»Windows SFC usage and fixes
Tuesday, 10 May 2011 18:00

Windows SFC usage and fixes

Written by

System File Checker is a utility in Microsoft Windows that allows users to scan for and restore corruptions in Windows system files. This utility is available on Windows 98, Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008, although in the Windows NT family of operating systems, it scans files using Windows File Protection.

In Windows Vista, System File Checker is integrated with Windows Resource Protection which protects registry keys and folders too besides critical system files. Under Windows Vista, using Sfc.exe, specific folder paths can be checked, including the Windows folder and the boot folder.

Windows File Protection worked by registering for notification of file changes in Winlogon. If any changes were detected to a protected system file, the modified file was restored from a cached copy located in a compressed folder at %WinDir%\System32\dllcache. In Windows Vista, Windows Resource Protection works by setting discretionary access control lists (DACLs) and access control lists (ACLs) defined for protected resources. Permission for full access to modify WRP-protected resources is restricted to the processes using the Windows Modules Installer service (TrustedInstaller.exe). Administrators no longer have full rights to system files.

 

If it finds a problem, it will attempt to replace the problematic files from the DLL Cache (%WinDir%\System32\Dllcache\). If the file is not in the DLL Cache or the DLL Cache is corrupted, the user will be prompted to insert the Windows installation media or provide the network installation path. In Windows Vista and onwards, files are protected using Access control lists (ACLs), however the above command has not changed.

System File Checker in Windows Vista and later Windows operating systems can scan specific individual files. Also, scans can be performed against an offline Windows installation folder to replace corrupt files, in case the Windows installation is not bootable. For performing offline scans, System File Checker must be run from another working installation of Windows Vista or a later operating system or from the Windows setup DVD which gives access to the Windows Recovery Environment.

 

Here's the list of the different SFC scanning options:

 

sfc /scannow : Scans all protected system files immediately.

sfc /scanonce : Scans all protected system files once.

sfc /scanboot : Scans all protected system files every time the computer is restarted.

sfc /revert : Returns the scan to its default operation.

sfc /purgecache : Purges the Windows File Protection file cache and scans all protected system files immediately.

sfc /cachesize=x : Sets the size, in MB, of the Windows File Protection file cache.

sfc /? : Displays help at the command prompt.

 

 

How to use scannow sfc:
The main reason for using this utility is when you suspect there may be a problem with a Windows XP system file.

 

Perhaps you get a dialog box appear informing you of a problem with a .dll file, or your program will just not load! It is therefore worth checking to see if there are any corrupt system files using sfc scannow.

 

To do this go to the Run box on the Start Menu and type in:

sfc /scannow

 

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

The following should appear to give an indication of how long the process is taking.

 

In an ideal world that would be the end of the story... Any corrupt, missing or incorrect files would be replaced by this process.

However, things can go wrong and the following guide should help!

The #1 complaint with sfc scannow is the following dialog box appearing:


Why does this happen?
Well, in your computer's registry, are several settings that are checked when you run scannow sfc.

As mentioned earlier in this article, the Windows File Protection service constantly monitors for any changes to the main system files. Well Windows XP keeps a cache (copy) of these essential files at the following location:

C:WINDOWS\System32\Dllcache (assuming C: is your system root which it probably is.)

NB - The dll cache folder is extremely important so Windows XP hides it from you! To view it go to: My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files.

If that's the case on your computer then there is normally no need for the original XP CD to be inserted as your computer has a "copy" it can get hold of in this cache...

But, if the Dll cache folder, or part of it, has become corrupted for some reason then you will be prompted for the XP CD - so your computer can get a clean copy!

Having said that not ALL installations of Windows XP have ALL the system files cached into this folder! You may only have around 50MB of files in this folder under Windows XP depending on the quota settings in the registry. (Under Windows 2003 Server the default is 300MB of system files!)

Annoying, YES!

Is there a workaround YES!

As well as having a cache of all the system files on your PC, I like to have the I386 folder from the XP CD installed on the computer as well. After doing this I then modify the registry to tell it the source path for these files... Why? Well not only does this prevent 99% of request for the the XP CD with Windows File Protection. But the I386 folder also contains many other files that are sometimes needed by the operating system and this stops those requests for the XP CD too!

NB - With today's large hard drives you are not going to notice this 475 MB folder on your computer, but older systems may not have the space for this...

Step 1
You will need to get your XP CD and locate the folder called:

I386

This is a major folder and should be one of the first you see, now copy this onto your hard drive into the system root. For most of you that is going to be C:\ so you should end up with a folder that looks like: C:\I386

Step 2
Now you will need to tell your computer you now have the files on your PC. We do this is the registry (type regedit in the Run box on the start menu) by navigating to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

You will see various entries here on the right hand side. The one we want is called:

SourcePath

It probably has an entry pointing to your CD-ROM drive, and that is why it is asking for the XP CD. All we need to do is change it to:

C:\

Simply double click the SourcePatch setting and a new box will pop up allowing you to make the change.

Now restart your computer and try sfc scannow again!

------------------------------

Other Problems with sfc scannow...


#1
Has the CD Drive's drive letter changed (perhaps by the addition of another hard drive, partition, or removable drive) since Windows XP was first installed?

If so, simply edit the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath

to reflect the changed drive letter.

After you restart the computer, WFP and sfc /scannow uses the new source path instead of prompting for the Windows XP installation CD-ROM

#2
Has the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath got an incorrect entry? The SourcePath entry does NOT include the path location till the I386 folder. It completes one folder ahead to reach the I386 folder.

Example:

If the I386 directory is at C:\I386, the SourcePath value would be C:\

#3
If the problem persists and you have the correct path for your I386 folder then the I386 folder is corrupted. To solve this problem copy I386 folder from the CD-ROM to your system restart the system and then perform sfc /scannow again.

#4
You do not have an XP retail CD with an I386 folder on it. If you have a restore CD from your PC manufacturer then you may have to explore the CD to find the folder.

#5
You still keep being prompted for the XP CD yet you have done all in this article! There is another setting in the registry that may be causing the problem. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

Make sure the entry here is the same path to the I386 folder as used above.

#6
Systems administrators can enforce security policies that may include changes to the Windows File Protection settings. You will need to speak with your network administrator about this, but it is important to bear in mind when Windows starts up, the Windows File Protection service synchronizes (copies) the WFP settings from the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Therefore, if any of the following values are present in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection key, they will take precedence over the same values under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key.

This will not effect sfc scannow so much, but WILL make an impact if any of the other sfc.exe "switches" have been used! (More about these at the end of this article.)

#7
When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD: SFCShowProgress to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

the values available are: 0 = disabled, 1 = enabled

------------------------------------

What about Windows Updates.....
You may be asking yourself how does sfc.exe know how to check for updated Windows system files? Well during OS upgrades, service pack installations etc.. the dllcache folder should be updated with these new files.

As an example the recent Windows XP Hotfix - KB828035 updated the system file wkssvc.dll A new version of the file was placed in C:\WINDOWS\system32 and a copy in the cache: C:\WINDOWS\system32\dllcache A copy of the old system file is archived in: C:\WINDOWS\$NtUninstallKB828035$

There is another location the Windows File protection service uses and that is the I386 folder in C:\WINDOWS\ServicePackFiles When you install a service pack, like SP1. Any new system drivers are cached in this location too.

If you have odd problems with running sfc scannow and nothing else in the article has resolved it, then take a look at the entry in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath

This should be pointing to the location C:\WINDOWS\ServicePackFiles (assuming C:\ is the boot drive.)

-------------------------------------------------------

For those of you who are familiar with sfc.exe under Windows 2000 professional. It is worth noting that the following two options are NOT available under Windows XP.

These are:

sfc /cancel - In Windows 2000, this command immediately cancels all pending scans of protected system files. This option has no effect in Windows XP.

sfc /quiet - In Windows 2000 this sets Windows File Protection to replace any incorrect system files detected with the appropriate version from the dll cache without any user notification. This option has no effect in Windows XP.

Read 1207 times