Win XP and SFC

I recently used DISKKEEPER to defrag my system, and alarmingly found that Outlook express no longer worked having provided the usual Microsoft esoteric error. Without panicing, I ran the System File Checker (SFC.EXE), which as expected fixed the problem. The problem is that in Win 98, SFC would give you to option of viewing what files were found corrupted or replaced, and offered the option of skipping over the replacement. Apparently in XP, that is not the case. SFC seemed to run rampant, possibly replacing files that were patched legitimately? by microsoft in their effort to keep XP running safely and smoothly. What scares me is that SFC my have replaced patches that were security based, and I may now have original versions which are not security enhanced. As far as XP is concerned, the catalog indicates that all these patches were sucessfully accomplished and that I have the latest versions of these files which I may not have as a result of having run SFC.

Does anyone know if an SFC log is kept indicating what files were replaced as a function of corruption or non-original? And if those files were indeed replaced, how can I know what patches were affected, and how do I institute the patch again if XP thinks it's already been accomplished sucessfully?

Thanks,
Jabiru

 

Hello jabiru

Look at this thread to see what sfc replaced:

http://www.windowsbbs.com/showthread.php?s=&threadid=24663

*SFC seemed to run rampant, possibly replacing files that were patched legitimately?*

That problem occured with WK2. I have to track those references down, its a MS kb document.

Regards - Charles

 

I do not know about SFC in XP but in 98 I NEVER allowed it to fly on Auto Pilot. Other than the first time ONLY which took me the better part of a day to repair problems. Once any changes, additions, upgrades etc. are made the original OS files ( which SFC uses at least the first time ) are already out of date.

After the first run it uses its own stored file reference for comparison.

jabiru

Your thinking may be quite correct. If allowed to SFC may replace what IT THINKS is wrong whether it is actually wrong or not. And it may overwrite newer stuff.

Are you saying that with SFC in XP you have no choice as to how it runs ? If this is true then remind me to NEVER run it.

In 98 the ONLY way SFC could be fully trusted was to make sure it was run IMMEDIATELY and UPDATED after each and every change to the system. That includes installing or removing software/patches etc. Other wise it could be trouble.

And I would suspect that the same would be true in XP.

BillyBob

 

BB - the only way XP's SFC will run is auto-pilot. You can tell it when but not what.

Should be safe enough though. Unlike 9X/ME, XP will not allow 3rd party apps to write system files to windows. And the system is supposed to track updates you've done. If the newest version is part of an update, SFC is supposed to pull a copy from the cache on your hard drive rather than using an older file from CD.

There was a problem with this in 2K but that was supposed to have been fixed with SP4. I can't find any mention that XP has the problem at all.

Details about the operation of SFC are Here with links to additional info.

 

Charles (et al),

I checked the system event log for the SFC event and found several entries as follows:

Windows File Protection scan found that the system file c:\windows\system32\oembios.bin has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 0.0.0.1.

Windows File Protection scan found that the system file c:\windows\system32\riched20.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.30.23.1211.

Windows File Protection scan found that the system file c:\windows\system32\riched20.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.30.23.1211.

Windows File Protection scan found that the system file c:\windows\system32\setupapi.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.1106.

Windows File Protection scan found that the system file c:\windows\system32\setupapi.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.1106.

Windows File Protection scan found that the system file c:\windows\system32\comsvcs.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 2001.12.4414.46.

Windows File Protection scan found that the system file c:\windows\system32\comsvcs.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 2001.12.4414.46.

Windows File Protection scan found that the system file c:\windows\system32\iepeers.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2800.1106.

Windows File Protection scan found that the system file c:\windows\system32\shell32.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2800.1233.

Windows File Protection scan found that the system file c:\windows\system32\shell32.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2800.1106.

And then there were several entries like this for the following files (all indicate the same error code):

The system file c:\windows\system32\drivers\vmodem.sys could not be copied into the DLL cache. The specific error code is 0x0000000d [The data is invalid.
]. This file is necessary to maintain system stability.

c:\windows\system32\drivers\vpctcom.sys
c:\windows\system32\drivers\vvoice.sys
c:\windows\system32\drivers\w840nd.sys
c:\windows\system32\drivers\w926nd.sys
c:\windows\system32\drivers\w940nd.sys
c:\windows\system32\drivers\wadv01nt.sys
c:\windows\system32\drivers\wadv02nt.sys
c:\windows\system32\drivers\wadv05nt.sys
c:\windows\system32\drivers\watv01nt.sys
c:\windows\system32\drivers\watv02nt.sys
c:\windows\system32\drivers\watv03nt.sys
c:\windows\system32\drivers\watv04nt.sys
c:\windows\system32\drivers\wceusbsh.sys
c:\windows\system32\drivers\wch7xxnt.sys
c:\windows\system32\drivers\wdhaalba.sys
c:\windows\system32\wiafbdrv.dll
c:\windows\system32\wiamsmud.dll
c:\windows\system32\drivers\winacisa.sys

I guess I have several problems with this, not the least of which is not knowing what if any of these files were part of security patches subsequent to the original cold load of Win XP. I can only guess that the shell files were part of the Outlook Express problem, but I don't know why the bios file was replaced and I don't know what the other files are, although I could guess. I also don't know why the list of files above could not be copied to the dll cache, any ideas on that?

 

Hi jabiru,

Link to a MS command line tool to check hot fixes http://support.microsoft.com/defaul...port/kb/articles/Q282/7/84.ASP&NoWebContent=1

Just downloaded it, haven't used it yet.

Regards - Charles

 

SFC & QFECheck.exe

Charles,

I downloaded and ran the hot fix checker and got some interesting results. I compared the log generated by the QFECheck.exe program with the Windows Update site installation history log that has all the updates I've downloaded and installed.

I found several entries in the QFECheck log that do not show up in the Windows Update installation history log, and several entries in the Windows Update Installation History Log that don't show up in the registry.

This begs even more questions.

Does running SFC alter the registry key in question HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates?

Why is there a disparity between the two logs?

Interestingly enough, I found that the list in the control panel (ADD/REMOVE programs) also contains all the hotfixes that show up in the QFECheck log. In fact, I found two hotfixes in there that do not show up in either the Windows Update Installation History log or the QFECheck log. Now I have a 3rd source of confusion.

For the items in the Windows Update Installation History log that do not show up in the QFECheck log, I will attempt to hit a couple of the KB & hotfix webpages and manually run the fix to see if they show up in the QFECheck log. If they don't, I'll have to turn this whole thing over to Microsoft to see if they can answer the original question: What vulnerabilities are caused by running SFC?

This might not seem to be all that important, but supporting a network of machines that are supposed to be "fixed" and aren't becomes a big deal if they're exploited by a fix that was supposed to be there and wasn't.

Thanks, comments and insights are welcome.

Jabiru

 

Hi jabiru,

Thanks for the post and the questions. I'm going to go thru the execise that you went thru over the weekend and see what I can see.

What I can assure you of based on my experience with sfc in XP is that it does not go "wild" in BillyBob's phrase. I ran sfc on my own system, with proper safeguards. I did this not because I had a problem, but wanted to see what affects it had in a situation where there were no problems.

like any problem solving tool, it seems to have consequences beyond solving the immediate problem. If sfc resolves a problem that had to do with a hotfix, logically it would use a problem free version of that file from the cache first which is an updated version of the file, and then from the install disc, which obviously may or may not be. Thats the order of file repair in reading the documentation.

The alternative is to repair the installation another way which will have the consequence of re-installs of the hotfixes.

I understand the importance of this in your situation. Would appreciate keeping us informed on this issue.

Regards - Charles

 

Charles,

I did re-run some of the hotfixes and patches that were found in the Windows Update Installed Programs Log to see if they would show up in the QFECheck log after re-running QFECheck. They did not. I wonder why? It seems some fixes show up and some don't. I don't know what the criteria would be for something to show up in the logs.

The problem I'm having is on a Gateway laptop under XP Home, and because it's an OEM version, Microsoft sent me to Gateway for help (like that's going to work). I sent the whole text of our thread to them and I got back a solution for fixing Outlook Express which means they didn't even read the text of what I sent them. I don't think they will be of any help here.

Do you think maybe Brian Livingston from InfoWorld or one of the magazines like PC World might be interested?

Jabiru

 

Well I guess I can't find out about SFC in XP cause it will not even run.

BillyBob

 

Hey jabiru,

The Add/Remove applet only contains the hotfixes that can be uninstalled. The uninstall files are in /Windows/ $NtUnistall...

*update site installation* listings - did you by chance ever download patches from the catalog site http://v4.windowsupdate.microsoft.com/en/default.asp?corporate=true and then install them yourself?

My apologies if you know all this already, trying to get at a pattern here.

Asking others: try Fred Langa of Langa News Letter fame as well.
Haven't the link to his home page, should be easy enough to find.

Regards - Charles

 

BillyBob,

Are you running it from a command prompt window? Open a command prompt window and type sfc.exe /scannow. It will ask you for your original Windows XP CD to be in the drive. Then stand back and wait until it does it's thing. Then check the log as referenced above.

Jabiru

 

jabiru

Thanks for the info.

But as of this moment I am not having ANY PROBLEMS and have no intentions of going looking for any.

And by asking for the XP CD tells me that it may well replace some existing file(s) with originals that could possibley cause problems.

If SFC in XP has an UPDATE feature the same as 98 did then I MIGHT consider it. Other wise forget it.

If and when I run into problems I might give SFC a go.

But before I do I will make DAM sure that I have a recent System Restore file. And hope I can get to it if I mess up with SFC.

If nothing else I have learned one thing about Microsoft and Windows.

"They DO NOT always know best "

The way my system behaves ( or mis-behaves ) tells me whether things are right or wrong.

And another thing that may or may not come into play for me is the fact that I believe some software may be using 98SE files. I say this because I see a files with the date of 4/23/99.And for sure XP SFC would see them as wrong. And they are in several folder under Windows.

If XP Pro had been but in clean it might be a different story.

No thank you. Right now I have no problems so for my own sanity ( if nothing else ) I will think I will leave well enough alone.

BillyBob

 

XP Upgrade from 98SE & 2K

BillyBob,

There is merit in what you say. If it ain't broke don't fix it.

I'm curious. You say that you think there may be legacy 98SE files on the system. If you have "upgraded" to XP from a 98SE "system" that is probably true as XP will not overwrite files that are already on the system and are compatiable with it. I recently had to do a "cold load" of XP Pro on another system after losing a disk, and didn't want to load Win 2K first, so during the load, all it did was ask me to put the 2K CD in the drive to verify I owned it and the load went fine. I knew then I'd have all new files instead of legacy 2K files. I thought everything was fine until I ran SPYBOT which cropped up with all kinds of problems. After investigating the errors, I found errors in the registry where XP thought certain legacy 2K files should be on the system and weren't. This sort of proves that using "upgrade" CDs don't always provide the necessary files for the system to run in a stable condition. I commented out the entries which were mostly modem related (and I don't use), SPYBOT didn't complain, but I'll always wonder if I have a truly stable system.

Jabiru

 

XP Upgrade from 98SE & 2K

BillyBob,

There is merit in what you say. If it ain't broke don't fix it.

I'm curious. You say that you think there may be legacy 98SE files on the system. If you have "upgraded" to XP from a 98SE "system" that is probably true as XP will not overwrite files that are already on the system and are compatiable with it. I recently had to do a "cold load" of XP Pro on another system after losing a disk, and didn't want to load Win 2K first, so during the load, all it did was ask me to put the 2K CD in the drive to verify I owned it and the load went fine. I knew then I'd have all new files instead of legacy 2K files. I thought everything was fine until I ran SPYBOT which cropped up with all kinds of problems. After investigating the errors, I found errors in the registry where XP thought certain legacy 2K files should be on the system and weren't. This sort of proves that using "upgrade" CDs don't always provide the necessary files for the system to run in a stable condition. I commented out the entries which were mostly modem related (and I don't use), SPYBOT didn't complain, but I'll always wonder if I have a truly stable system.

Jabiru

 

Patch downloads

Charles,

I haven't been to that particular site. I do all my downloads from the windows update site. The manual downloads I did were done by going to the support.microsoft.com site and querying on the specific patch QXXXXX, or KBXXXXX and downloading from there. I assume it's the same patch.

jabiru

 

Hi All,

It would be interesting to run Belarc Advisor if in doubt about which hotfixes are still installed on any machine. Not only does the Adviser list all the installed hotfixes, it also verifies that they are correct, and marks any that can not be verified. Presumably this would indicate if any vital files had been removed.

 

jabiru

They are the same, I save them so if I have to re-do in case of reload, can be done off-line instead of having to go out to the MS site for them; haven't had to reload. But the biggiest reason is if something happens to my connection during an update - it would be a matter of redoing a file download. Lost connection during an update, happened to me prior to this site (started in 10/01 ) with 9X. Took a while and a lot of trouble to get that fixed.

Regards - Charles

 

Hi jabiru,

The pattern of reporting for the Qfecheck MS hotfix checker:

It lists hotfixes only, leaving out any security patches for IE - media player/directX. On my system it lists post SP1 only, including SP1 itself - Q324720.

The Belarc list is essentially the same but it includes the ones for IE and the others.

Niether one list all the updates that I've installed. Belarc leaves out the non-security patches as well.

BTW: in this thread http://www.windowsbbs.com/showthread.php?s=&threadid=25045 the original poster asked the same question you asked in the beginning of this one: whether sfc overwrites updates, just in case you forgot

Regards - Charles