Microsoft Enterprise Platforms Support: Windows Server Core Team
Both Windows Vista and Windows Server 2008 include the System File Checker (SFC) tool. Previous operating systems included this tool also. This discussion is specific to Windows Vista and Windows Server 2008. If you would like more information on previous operating systems see the following KB article: http://support.microsoft.com/kb/310747.
SFC scans and checks all Windows Resource Protected (WRP) resources. Windows Vista adds the following new functionality to the SFC tool:
Common SFC Command Line Options
Here are some of the common commands you would use with SFC. Note that you need to run SFC from an elevated command prompt.
Scan entire system: SFC.EXE /scannow
Scan a specific file: SFC.EXE /scanfile=c:\windows\system32\kernel32.dll
Verify (scans all protected files but does not repair them): SFC.EXE /verifyonly
Help for Sfc.exe: SFC.EXE /?
One of the new features of SFC in Windows Vista/2008 is the ability to run SFC against an offline Windows directory. This is most useful when you are unable to start Windows and suspect file corruption. Generally you should try safe mode first to see if Windows can start. To use SFC in offline mode you do the following
Advanced users may want to see what SFC is repairing on a system. When SFC runs, it logs its actions to C:\WINDOWS\LOGS\CBS\CBS.LOG. You can find SFC-specific entries by searching on [SR]. See http://support.microsoft.com/default.aspx/kb/928228 for more information.
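As an added example (not part of the original post), this PowerShell function filters a CBS.log for the [SR] tag and lists which files SFC repaired or could not repair. The sample lines are constructed and their message wording is an assumption; the function name Get-SfcLogSummary is hypothetical.

```powershell
# Added example: summarise SFC activity recorded in CBS.log.
# The sample lines below are constructed; the message wording they use
# ("Repairing corrupted file", "Cannot repair member file") is an assumption,
# so adjust the patterns to match what your own log contains.
$sample = @'
2007-12-18 10:15:30, Info                  CSI    00000006 [SR] Verifying 100 (0x00000064) components
2007-12-18 10:15:30, Info                  CSI    00000007 [SR] Beginning Verify and Repair transaction
2007-12-18 10:15:41, Info                  CBS    Session: 1234_5678 initialized
2007-12-18 10:15:44, Info                  CSI    00000009 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"fmifs.dll" from store
2007-12-18 10:15:50, Info                  CSI    0000000b [SR] Cannot repair member file [l:24{12}]"example.dll" of Example-Component, hash mismatch
2007-12-18 10:15:52, Info                  CSI    0000000c [SR] Verify complete
'@ -split "`r?`n"

function Get-SfcLogSummary {
    param([string[]] $Line)

    foreach ($entry in $Line) {
        # "[SR]" is matched as literal text. As a regex it would be a
        # character class that matches any line containing S or R.
        if (-not $entry.Contains('[SR]')) { continue }

        # Classify the entry; anything else tagged [SR] is progress information.
        $action = 'Info'
        if ($entry -match 'Repairing corrupted file') { $action = 'Repaired' }
        if ($entry -match 'Cannot repair')            { $action = 'Unrepaired' }

        # The file name is the quoted token without a backslash; the quoted
        # directory path that may precede it is skipped by the pattern.
        $file = $null
        if ($entry -match '\]"([^"\\]+)"') { $file = $Matches[1] }

        [pscustomobject]@{
            Time   = ($entry -split ',')[0]   # timestamp is the text before the first comma
            Action = $action
            File   = $file
        }
    }
}

# Constructed sample; on a live system pass (Get-Content "$env:windir\Logs\CBS\CBS.log").
Get-SfcLogSummary -Line $sample |
    Where-Object { $_.Action -ne 'Info' } |
    Format-Table -AutoSize
```

An "Unrepaired" row means the protected file failed its hash check and SFC had no good copy to restore, so that file needs a separate source before the system can be considered intact.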
Example of How SFC Can Fix Issues
The following is an example of how the System File Checker was able to resolve an issue on my own computer. The issue I encountered was that when I would go into Disk Management my disks would show up but none of the information such as the type of disk, size, active/boot/system, healthy, etc. would show up. I checked the system event log and found the following
FMIFS.DLL is obviously a file used by disk management to display this information. If I look up the error code C1 it resolves to ERROR_BAD_EXE_FORMAT. So at this point I suspect that this file is corrupt. From within Windows I run the following command:
It runs and says that it has repaired files. To verify I look in the C:\WINDOWS\LOGS\CBS\CBS.LOG and see the following entries
From this you can tell that SFC compared the hash for fmifs.dll and found it wasn't correct. It restored the backup from c:\windows\WinSxS\x86_microsoft-windows-fmifs_31bf3856ad364e35_6.0.6000.16386_none_54d7af8934ac24f1. After running SFC I was now able to open disk management and see my disk information.
Hopefully this helps explain how SFC can help you resolve problems on your computer and shows how Microsoft is committed to making Windows easier to fix when issues do occur.
Author: Scott McArthur Support Escalation Engineer Enterprise Platforms Support
What I'm most interested in is how SFC in Windows Vista handles files which have been updated by hotfixes/service packs, ESPECIALLY, when checking an offline Windows installation. Do the original unpatched files from the Windows DVD get restored or the updated ones from some backup? Where is the backup made?
When a hotfix, service pack or any other update is made to Windows Vista or Windows 2008, those changes are added to the component store located in %windir%\winsxs. The files that were updated are switched to an "off" state, and the new files are switched to an "on" state. The older files are never removed in the event that the driver, file, etc needs to be removed at a later date or in the event of an installation failure that requires the OS to rollback the changes made.
What happens when you run SFC is that we initially check the component store in %windir%\winsxs to ensure that a link to the file is correct based on the checksum of the file. If those checksums don't match, that file is projected back to the proper location in the %windir% directory. In the event that you are servicing the installation offline, such as in WinRE, you must specify the location of the Windows directory using the /offbootdir and /offwindir switches when running the SFC command; this allows us to find the component store and initiate a repair. Because Vista and 2008 are shipped in the .WIM format, there is no way for us to extract files from media as we did in downlevel operating systems. So you specify where you want files to be restored from and where they should be restored to with those switches.
NOTE: Only /scanfile and /scannow are considered repair operations; if you use /verifyfile or /verifyonly, no changes to the system will be made.
In the event that the component store file becomes corrupted, there is a backup for the ones marked boot critical in the %windir%\winsxs\backup directory and an attempt is made to rebuild the component store file and reproject it. If the files in both the component store and the backup locations become corrupted, then a reinstallation or CompletePC backup would be the preferred method of resolving that issue.
Please change your command line:
SFC.EXE /scannow /offbootdir:c:\ /offwindir=c:\windows
to a correct command line, like:
sfc /scannow /offbootdir=c:\ /offwindir=c:\windows
Please notice the : vs. = in the middle of the command. (This still assumes of course OS on C, etc.)
It's probably futile to comment on such an old post, but I want to point out that the following statement is incorrect:
"From this you can tell that SFC compared the hash for fmifs.dll and found it wasn't correct. It restored the backup from c:\windows\WinSxS\x86_microsoft-windows-gmifs_31bf3856ad364e35_6.0.6000.16386_none_54d7af8934ac24f1"
You missed the %Windir%\winsxs\BACKUP\.... part in the pathname.
If a system had corruption of the Component Based Servicing stack, the type of corruption that the System Update Readiness Tool might fix or at least find, would this affect the operation of a command like 'sfc /scannow'? Presumably SURT cannot be run offline, limiting the capacity of SFC to fix errors offline.
In general, would it be a good idea to run SURT and check %SYSTEMROOT%\Logs\CBS\CheckSUR.log, before running SFC.exe?