1 2

Added by Steve Fullmer July 14, 2014

With the recent (May 2014) occurrence of a significant Windows Internet Explorer bug, we are reminded of the potential for Windows OS intrusion and damage. No matter how proactive we become, cyber criminals will continue to pursue efforts to intrude, destroy, or disrupt system performance. Vigilance is important. Both scheduled and random reviews of the operating system must be elements of our vigilance.

In Windows 7 and Windows 8, Microsoft schedules Disk Defragmenter to launch at 1 AM every Wednesday morning. A sound practice that proactively addresses file access efficiency and therefore system performance.

My recommendation: create a weekly Task Scheduler task that runs the System File Checker (SFC) with the /scannow switch.

LexisNexis offers a detailed step by step process for creating scheduled command line Task Scheduler entries.

My goal in this blog is to emphasize the value and importance of scheduling the SFC /scannow operation, and preparing yourself for its use in response to suspected (or actual) damage to your Windows 7 or Windows 8 operating systems.

Microsoft introduced the Windows Image File (.wim) as a deployment, boot and OS management, and security component with Windows Vista. The Windows Automated Installation Kit (WAIK – Win 7) and Windows Assessment and Deployment Kit (ADK – Win 8) continue to evolve support and options available using the Image file.

Associated enhancements to SFC create one of the most powerful, proactive and reactive security tools embedded within both the Pre-Execution/Recovery and Operating System environments.

Running SFC with the scannow switch compares the files installed on the operating system with the files deployed with or added to the .wim file, incorporating the digital signature element of the .wim file that assures file integrity. And the /scannow switch automatically goes one step further, replacing any damaged/corrupted files on the system with clean files from the .wim set.

Did you get that? Without having to perform a full system analysis or restore, you can at least effect the recovery of critical system files in about 15 minutes so that you can boot to the OS for additional diagnostic or recovery efforts. I would recommend isolating any potentially corrupted system during recovery and diagnostic efforts. SFC is available and embedded in most of recovery environments for just this purpose.

We emphasize the use of the System File Checker in our Windows 7 and Windows 8 classes and I am continually amazed at how few students are aware of this tool. Several have offered subsequent feedback that SFC enabled them to recover systems or retrieve user data from a failing system when the only option prior to an understanding of SFC would have required re-imaging the system – and the associated full loss of data.

Give it a try on your system now. It won’t hurt, and might even repair a marginal issue of which you are unaware.

Launch a command prompt, running as administrator. (Don’t forget to launch the command line tool as an administrator, since SFC requires administrative rights to affect the repair.) Then type SFC /scannow at the command prompt. Depending on .wim file size and disk I/O rates, the scan and repair could take between 5 and 20 minutes.

Or take a look at the full range of SFC switches by typing SFC /?

You can also use the System File checker from the Windows 7 or Windows 8 recovery environments (using the command line interface). SFC is present, although not well documented as an available system tool. You may also use SFC from the Recovery/Repair environment found on the installation DVD, or from within a Pre-Execution boot disk created using the CopyPE tool found within the WAIK/ADK toolset. You might also want to check out other Windows PE environment command line Windows PE Tools and Settings.

If you use SFC from one of the aforementioned pre-boot environments, you will want to use the /Offbootdir and /Offwindir switches in order to repair the operating system files that would be ‘offline’ relative to boot image loaded in RAM. An example of the syntax follows:

SFC /SCANNOW /OFFBOOTDIR=C: /OFFWINDIR=C:WINDOWS

Juke Chou, Microsoft (MCC, MSFT CSG) also references the use of SFC to repair offline Windows installations, including the use of ImageX to extract and mount the install.wim file from the install DVD if you believe that the install.wim file on your system disk may also be corrupted. In his post, he references an article that points to a Windows Vista BSoD stop code suggesting installed system corruption. A component of the resolution identifies the use of the .wim image file on the install DVD and the use of imageX to extract/replace the .wim file before repair using the System File Checker (and an automated xml file).

Other than this article, I had to search extensively to find references to use of the System File Checker.

SFC is listed as a minor component of the Microsoft Diagnostic and Recovery Toolset (DaRT). Information about DaRT suggests other possibilities for incorporating SFC along with other tools into a recovery and repair process. DaRT is free, so you might want to acquire a copy of additional tools not found by default in the Windows Recovery Environment.

Help to share the potential of the System File Checker, a powerful system diagnostic and recovery tool. Please?

I look forward to sharing with many of you in the classroom or online.

Steven Fullmer
Interface Technical Training Staff Instructor