Tip

Windows System File Checker helps stop system failures

IT administrators know that things can go horribly wrong with Windows if critical system files are accidentally replaced with incorrect versions or replaced by malicious code. To help reduce the chances of this happening, Microsoft has created the Windows File Protection Service.

When system files are modified, Windows File Protection Service checks to make sure that the modified file is the correct version to protect against system failure. If the version is incorrect, or if Windows can't verify the file's authenticity, Windows displays the following error message:

A file replacement was attempted on the protected system file filename. To maintain system stability, the file has been restored to the correct Microsoft version. If problems occur with your application, please contact the application vendor for support.

Once this error has been triggered, two things happen.

  1. Windows writes an entry to the system log as a means of documenting what just happened.
  2. Windows restores the file to the correct version. Initially, Windows checks the DLL cache to see if it contains a valid copy of the file. Often, though, the DLL cache is too small to contain all of the system files, so Windows may prompt you to insert the Windows XP installation CD or the latest service pack CD instead.
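
The following PowerShell script is an added example, not part of the original tip. It summarizes the system-log entries described above by file, so repeated replacement attempts against the same protected file stand out. It assumes the entries are logged under the event source name "Windows File Protection" and that the message names the file after the words "protected system file", as in the dialog text quoted above.

```powershell
# Added example: summarize Windows File Protection entries in the System log.
# Assumptions (not from the original tip): the event source name below, and
# that the log message names the file after "protected system file".
$Source = 'Windows File Protection'   # assumed event source name
$Days   = 30                          # how far back to look
$since  = (Get-Date).AddDays(-$Days)

# Get-EventLog reports a non-terminating error when nothing matches, so
# suppress it and handle the empty case explicitly below.
$events = Get-EventLog -LogName System -Source $Source -After $since `
              -ErrorAction SilentlyContinue

# Only the extensions the tip lists as protected are expected in the message.
# -match is case-insensitive, so upper- and lower-case names both match.
$pattern = 'protected system file\s+(.+?\.(?:exe|dll|sys|ocx|ttf|fon))\b'

$hits = @(foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        New-Object PSObject -Property @{
            File = $Matches[1].ToLower()
            Time = $e.TimeGenerated
        }
    }
})

if ($hits.Count -eq 0) {
    Write-Output "No file-protection entries found in the last $Days days."
    return
}

# One row per file: how often it was replaced and restored, and when.
$hits | Group-Object File | ForEach-Object {
    $times = @($_.Group | Sort-Object Time)   # @() keeps a single hit indexable
    New-Object PSObject -Property @{
        File  = $_.Name
        Count = $_.Count
        First = $times[0].Time
        Last  = $times[-1].Time
    }
} | Sort-Object Count -Descending |
    Format-Table File, Count, First, Last -AutoSize
```

A file that appears many times in a short window is worth investigating before you rely on the automatic restore alone.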


As you can imagine, the Windows File Protection Service goes a long way toward protecting a system's integrity. Unfortunately, it only checks system files for authenticity at certain times, and not every time they are accessed. But there is a way you can invoke a system file check manually to verify a file's authenticity.

Note that not every Windows system file is protected. Some files, such as INI files, are regularly updated through the course of normal operations. Windows protects files that use the following extensions: .EXE, .DLL, .SYS, .OCX, .TTF and .FON. Also keep in mind that only files that are a part of Windows are protected. Applications often create files that use these extensions, but such files are not protected.

Scanning protected operating system files involves using Microsoft's command-line tool called the System File Checker. Unlike many other Windows command-line tools, the syntax for using System File Checker is extremely simple. To perform an immediate scan, enter the following command:

SFC /SCANNOW

You can also tell System File Checker to scan your system files at the next reboot by entering this command:

SFC /SCANONCE

Or you can have System File Checker scan the system files at every boot, although doing so significantly slows down the boot process. To do that, enter this command:

SFC /SCANBOOT

The System File Checker initially checks the DLL cache for valid versions of the system files. However, the DLL cache is a favorite target for malicious software. If your system is infected, you can force the System File Checker to completely delete the contents of the DLL cache and then repopulate the cache with known good files from the Windows installation CD. The command to do that is:

SFC /PURGECACHE

Sometimes the DLL cache may be too small to contain all of the system files that you would like to cache. You can, however, use System File Checker to adjust the cache size. To do that, enter this command:

SFC /CACHESIZE=x

In this case, the cache size is entered in megabytes but in hexadecimal format. If you wanted to set the cache size to 200 MB, enter the following command:

SFC /CACHESIZE=C8

The easiest way to convert the cache size from megabytes to a hexadecimal representation is to use the Windows Calculator found on the Programs | Accessories menu. When the calculator opens, select the Scientific option from the View menu. Make sure the DEC option is selected, and then type in the number of megabytes that you would like to use for your cache size. Now, click the Hex button, and the number will be converted to hexadecimal format.

To conclude, when you are manually adjusting the System File Checker's behavior, remember: If you happen to make a mistake, you can fix it. Simply enter the SFC /REVERT command and the System File Checker will return to its default configuration.

About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server, Exchange Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. He writes regularly for SearchWinComputing.com and other TechTarget sites.

This was first published in October 2007
