Tuesday, December 16, 2008

Smooth crash recovery with sfc.exe



Troubleshoot boot problems more effectively with Safe Mode and Sfc.exe.

Recovering from a system crash is never an enjoyable experience, but Windows 2000/XP goes a long way to lessen the pain. The latest version of Windows Safe Mode allows you to troubleshoot boot problems more effectively than ever before, and Sfc.exe finally allows you to restore protected system files. These two handy tools can be real lifesavers.

Warning disclaimer:

The following involves editing your system registry. Using the Windows Registry Editor incorrectly can cause some very serious problems requiring the re-installation of your operating system and possible loss of data. I cannot be held responsible for problems that arise from incorrect use and from editing your registry. Use the Registry Editor and the following directions listed on this page at your own risk.


Windows File Protection
By default, Windows File Protection is always enabled and allows Windows digitally signed files to replace existing files safely. Currently, signed files are distributed through:

- Windows Service Packs
- Hotfix distributions
- Operating system upgrades
- Windows Update
- Windows Device Manager

If you introduce a file replacement in any other way, Windows File Protection will overwrite your file!

An important part of Windows File Protection is the command line utility System File Checker (sfc.exe). You will often see references to scannow sfc in online newsgroups etc. This is a great tool for troubleshooting Windows XP problems.


Working in safe mode
If there is a problem with a driver or some other glitch preventing Windows 2000/XP from booting normally (which is frequent, right?), Windows can automatically boot in Safe Mode. You may even want to manually boot to Safe Mode.

For example, say you install a new video driver that's buggy or isn't compatible with Windows 2000/XP, and you can't see the desktop properly to log on. Boot to Safe Mode (which loads a standard VGA driver), remove the other driver, and restart. When the system begins to boot, press [F8] in order to display the boot menu, which offers the Safe Mode options.

You can find a list of services that Windows 2000/XP starts in Safe Mode in this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot

The Minimal key lists the services that Windows 2000/XP starts if you select the Safe Mode or Safe Mode With Command Prompt boot options. The Networking key lists the services that start when you select Safe Mode With Networking from the boot menu.
Although it's possible to modify these keys to add or remove services, it's not advisable. The service you add could eventually turn out to be the reason why Windows doesn't start.

You also need to know that Safe Mode sets an environment variable named SAFEBOOT_OPTION, which specifies the current Safe Mode. You can use this environment variable in a batch file or script to perform tasks based on the mode in which you start Windows. If you boot using Safe Mode or Safe Mode With Command Prompt, the variable is set to Minimal. If you start Windows with Safe Mode With Networking, the variable is set to Network.
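A script that branches on SAFEBOOT_OPTION and then lists what each Safeboot subkey allows to start, as an added example that is not part of the original post. It assumes PowerShell is installed on the machine and that the subkey for the running mode carries the same name as the variable's value.

```powershell
# Added example (not from the original post): branch on the Safe Mode type,
# then list what each Safeboot subkey allows to start.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Safeboot'
$mode = $env:SAFEBOOT_OPTION    # not set on a normal boot

if ($mode -eq 'Minimal') {
    Write-Output 'Safe Mode without networking: skip tasks that need the network.'
} elseif ($mode -eq 'Network') {
    Write-Output 'Safe Mode With Networking: network tasks can run.'
} else {
    Write-Output 'Normal boot: SAFEBOOT_OPTION is not set.'
}

# Assumption: the subkey for the running mode has the same name as the
# variable's value, so it can be marked as active.
foreach ($modeKey in Get-ChildItem -Path $root) {
    $tag = $(if ($modeKey.PSChildName -eq $mode) { ' <- active' } else { '' })
    Write-Output ''
    Write-Output ('[{0}]{1}' -f $modeKey.PSChildName, $tag)
    Get-ChildItem -Path $modeKey.PSPath | Sort-Object PSChildName | ForEach-Object {
        # The default value of each entry says what it is (for example a
        # service or a driver); it may be empty.
        $kind = (Get-ItemProperty -Path $_.PSPath).'(default)'
        '  {0,-42} {1}' -f $_.PSChildName, $kind
    }
}
```

The script only reads the keys, so it is safe to run as a before-and-after check when a driver or service installation is suspected of having changed what starts in Safe Mode.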

Use Sfc.exe to restore protected system files
Operating systems previous to Windows 2000 don't provide protection for shared system files such as dynamic link libraries (DLLs). That makes it possible for an application to install an older version of a DLL or executable and cause hung applications or problems with the OS. Windows 2000 (and XP), on the other hand, provides a level of protection against system changes through the Windows File Protection (WFP) feature. WFP maintains a signature catalog of protected files. WFP checks the file's version when a protected file is modified (typically through an application installation). If the file isn't the correct version, WFP restores the correct file from the Dllcache folder or distribution media as needed, prompting you to provide the source file (such as the Windows install CD).

At the completion of the GUI-mode portion of Setup, Windows 2000 uses a tool called System File Checker (Sfc.exe) to scan all protected system files and verify the existence of the appropriate signature catalog files. If a catalog is corrupted or doesn't exist, SFC restores the catalog from the cache or from the distribution media, again prompting you for the CD if necessary.

Use SFC at any time to scan the system for protected system file changes and to re-create the Dllcache folder if it's damaged or corrupted. Here are several specific SFC commands:

- SFC /SCANONCE scans the files a single time and repairs them if it's required.

- SFC /SCANBOOT scans the files each time you boot the system.

- SFC /CANCEL cancels all pending scans.

- SFC /? allows you to see additional available parameters you can use with SFC.


How to use Scannow sfc

The main reason for using this utility is when you suspect there may be a problem with a Windows XP system file.

Perhaps a dialog box appears informing you of a problem with a .dll file, or your program will just not load! It is worth checking to see if there are any corrupt system files using scannow sfc.

To do this simply go to the Run box on the Start Menu and type in:

sfc /scannow

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

The following should appear to give an indication of how long the process is taking.

In an ideal world that would be the end of the story... Any corrupt, missing or incorrect files would be replaced by this process.

However, things can go wrong (and usually do right?) and the following should help!


The biggest complaint is the following dialog box while using sfc.exe



Why does this happen???

Well, in your computer's registry there are several settings that are checked when you run scannow sfc.

As I mentioned earlier, the Windows File Protection service constantly monitors for any changes to the main system files.
Well Windows XP keeps a cache (copy) of these essential files at the following location:

C:\WINDOWS\System32\Dllcache (assuming C: is your system root which it probably is... some people have it as drive D:)

- The dllcache folder is extremely important so Windows XP hides it from you! To view it go to:
My Computer > Tools > Folder Options > View > now "uncheck" Hide protected operating system files.

If that's the case on your computer then there is normally no need for the original XP CD to be inserted as your computer has a "copy" it can get hold of in this cache...

But, if the Dllcache folder, or part of it, has become corrupted for some reason then you will be prompted for the XP CD - so your computer can get a clean copy!

Having said that, not ALL installations of Windows XP have ALL the system files cached into this folder! You may only have around 50MB of files in this folder under Windows XP depending on the quota settings in the registry. (Under Windows 2003 Server the default is 300MB of system files!)

Is it annoying? YES!

Is there a workaround? YES!

As well as having a cache of all the system files on your PC, I like to have the I386 folder from the XP CD installed on the computer as well. After doing this I then modify the registry to tell it the source path for these files... Why? Not only does this prevent 99% of requests for the XP CD with Windows File Protection, but the I386 folder also contains many other files that are sometimes needed by the operating system, and this stops those requests for the XP CD too!

- With today's large hard drives you are not going to notice this 475 MB folder on your computer, but older systems may not have the space for this...

Step 1:

You will need to get your XP CD and locate the folder called:
I386

This is a major folder and should be one of the first you see. Now copy this onto your hard drive into the system root. For most people, that is going to be C:\ so you should end up with a folder that looks like: C:\I386

Step 2:

Now you will need to tell your computer that you now have the files on your PC. Do this in the registry by typing regedit in the Run box on the Start Menu, then navigating to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

You will see various entries here on the right hand side. The one you want is called:

SourcePath

It probably has an entry pointing to your CD-ROM drive, and that is why it is asking for the XP CD. All you need to do is change it to:

C:\

Simply double click the SourcePath setting and a new box will pop up allowing you to make the change.

Now restart your computer and try scannow sfc again!


Other problems with scannow sfc.exe

1- Has the CD Drive's drive letter changed (perhaps by the addition of another hard drive, partition, or removable drive) since Windows XP was first installed? If so, simply edit the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath to reflect the changed drive letter.

After you restart the computer, WFP and sfc /scannow use the new source path instead of prompting for the Windows XP installation CD-ROM.

2 - Has the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath got an incorrect entry? The SourcePath entry does NOT include the I386 folder itself. It stops one folder above it, at the folder that contains I386.

For example: If the I386 directory is at C:\I386, the SourcePath value would be C:\

3 - If the problem persists and you have the correct path for your I386 folder, then the I386 folder is corrupted. To solve this problem, copy the I386 folder from the CD-ROM to your system, restart the system and then perform sfc /scannow again.

4 - You do not have an XP retail CD with an I386 folder on it. If you have a restore CD from your PC manufacturer then you may have to explore the CD to find the folder.

5 - You still keep being prompted for the XP CD yet you have done all in this article! There is another setting in the registry that may be causing the problem. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

Make sure the entry here is the same path to the I386 folder as used above.

6 - Systems administrators can enforce security policies that may include changes to the Windows File Protection settings. You will need to speak with your network administrator about this, but it is important to bear in mind that when Windows starts up, the Windows File Protection service synchronizes (copies) the WFP settings from the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Therefore, if any of the following values are present in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection key, they will take precedence over the same values under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key.

This will not affect scannow sfc so much, but WILL make an impact if any of the other sfc.exe "switches" have been used!

7 - When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD: SFCShowProgress to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The values available are: 0 = disabled, 1 = enabled


What about Windows Updates?
You may be asking yourself (silently? out loud?) "how does sfc.exe know how to check for updated Windows system files?" During OS (operating system) upgrades, service pack installations etc., the dllcache folder should be updated with these new files.

As an example, the Windows XP Hotfix KB828035 updated the system file wkssvc.dll. A new version of the file was placed in C:\WINDOWS\system32 and a copy in the cache: C:\WINDOWS\system32\dllcache. A copy of the old system file is archived in: C:\WINDOWS\$NtUninstallKB828035$

There is another location the Windows File Protection service uses, and that is the I386 folder in C:\WINDOWS\ServicePackFiles. When you install a service pack, like SP1, any new system drivers are cached in this location too.

If you have odd problems with running scannow sfc and nothing else here has resolved it, then take a look at the entry in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath

This should be pointing to the location C:\WINDOWS\ServicePackFiles (again, assuming C:\ is the boot drive.)
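The checks from this section and from the troubleshooting list above, collected into one read-only audit to run before sfc /scannow. This is an added example, not part of the original post; it assumes PowerShell is installed, and the function name Test-SfcSource is made up for the illustration.

```powershell
# Added example (not from the original post): audit the source paths that
# WFP and sfc use. Each value must name the folder that CONTAINS I386.
$setup = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'
$nt    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$checks = @(
    @{ RegKey = $setup; Name = 'SourcePath' },
    @{ RegKey = $nt;    Name = 'SourcePath' },
    @{ RegKey = $setup; Name = 'ServicePackSourcePath' }
)

function Read-Value($RegKey, $Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $RegKey -ErrorAction SilentlyContinue).$Name
}

function Test-SfcSource($RegKey, $Name) {   # hypothetical helper name
    $value = Read-Value $RegKey $Name
    if (-not $value) { return "MISSING  $Name is not set under $RegKey" }
    # Common mistake: the value ends in I386 instead of stopping one level above.
    if ($value.TrimEnd('\') -match '\\I386$') {
        return "WRONG    $Name = $value (remove the trailing I386 folder)"
    }
    # .NET calls are used because they return False, rather than an error,
    # for a drive letter that no longer exists or an empty CD drive.
    $i386 = [System.IO.Path]::Combine($value, 'I386')
    if (-not [System.IO.Directory]::Exists($i386)) {
        return "NO I386  $Name = $value (drive letter changed or folder not copied?)"
    }
    return "OK       $Name = $value"
}

foreach ($c in $checks) { Test-SfcSource $c.RegKey $c.Name }

# The two SourcePath values should agree.
$a = Read-Value $setup 'SourcePath'
$b = Read-Value $nt    'SourcePath'
if ($a -and $b -and ($a.TrimEnd('\') -ne $b.TrimEnd('\'))) {
    "MISMATCH SourcePath differs: '$a' (Setup) vs '$b' (Windows NT)"
}
```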

For those of you who are familiar with sfc.exe under Windows 2000 Professional, it is worth noting that the following two options are NOT available under Windows XP.

These are:

sfc /cancel - In Windows 2000, this command immediately cancels all pending scans of protected system files. This option has no effect in Windows XP.

sfc /quiet - In Windows 2000 this sets Windows File Protection to replace any incorrect system files detected with the appropriate version from the dll cache without any user notification. This option has no effect in Windows XP.

sfc.exe is a great tool that can get you out of some huge jams and ease some huge headaches and possibly even save you from suffering a mental breakdown due to your PC!

Anyone have any other tips with regards to sfc.exe? Any horror stories? Share them!
