question

fernandobonfim-9257 avatar image
0 Votes"
fernandobonfim-9257 asked Dgorter edited

How Exactly Does SFC Fix Corrupt System File?

According to some texts I have read, the System File Checker (```SFC```) is a command-line tool that is used to find corrupt system files, and replace them with healthy copies. |1| These copies would come from what is called Windows component store. In the SFC description on Microsoft it is said that the source is the %systemroot%\system32\dllcache folder, but it seems that this folder is not used anymore, and it doesn’t even appear in my system. |1||2||[3|

Component store is where all system files are located, which is currently in the %windir%/WinSxS. The system files elsewhere are just hard links to the files in the component store. This implies that if we change access a system file using a path outside of WinSxS, the modification would also be present if we access the file from withing WinSxS.|4|

Considering that when SFC finds a corrupt file, it means that its counterpart in WinSxS is also corrupt, where the SFC tool actually find the file it use to replace the defective file detected?






windows-10-general
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

abbodi86-0005 avatar image
0 Votes"
abbodi86-0005 answered fernandobonfim-9257 commented

C:\Windows\WinSxS\Backup

files here are independant from hard links

· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi.

Thanks for the answer!

Is there any source I may access to confirm the information provided?

0 Votes 0 ·
abbodi86-0005 avatar image abbodi86-0005 fernandobonfim-9257 ·

I could not find any official source
but i know it's true :)

0 Votes 0 ·

How did you check? Maybe I could follow the same test you used to confirm that it is true...

0 Votes 0 ·
Dgorter avatar image
0 Votes"
Dgorter answered Dgorter edited

Hello,
There are multiple ways the files are replaced.
The files are checked to ensure the correct file is in place.
If not it is checked against the WinSxS folder \Windows\WinSxS or \Windwos\WinSxS\backup
The files in winSxS are the hardlinked to the the Windows Folder such as \Windows or \Windows\System32 to name a couple.
the hardlinks can be broken, files can be replaced. So the WinSxS store is checked first.
if that fails, then the system looks to the Internet where there is a file store on the Microsoft site
files are pulled down from that Store and used to replace the files and generate the hard links again.
Managing the Windows Component Store


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi.
Thanks for your answer.

Trying to understand your answer, I got the following:

You describe the following process as the one performed by SFC :

1 -  Check if the system files are ok;

2 - In case of a negative answer, the tool checks whether there are any problem with the files in WinSxS and WinSxS/backup. In case of a positive result, no action is required

3 - In case the files in the component store are ok, SFC uses them to fix the defective system files . In case the files are not ok, then a "file store" hosted somewhere will provide the appropriate files. -

4 - The healthy versions are then used to replace the files and recreate the hard links.
Considering my interpretation of your answer is correct, I have some comments and questions on it:


I does not make clear how the files are checked in the first step.

When it is said that the feature look inside the WinSxS folder, it seems to suggest that every single file in every single sub-folders ( the folders inside WinSxS) are checked. Is that right?

What do you mean with "the hard link can be broken"?

The steps above are neither described nor may be derived from the text you just linked. Is there some other source you have consulted? How may I check the information provided?

0 Votes 0 ·
Dgorter avatar image Dgorter fernandobonfim-9257 ·

Hello,
Your interpretation of what I answered is correct.
SFC is the primary way to check for file corruption, there are some repair scenarios this is used as well.
It used to look for file directory change notifications (OS file Systems) which would trigger the check automatically, I think they changed that.
It then compares the files against the information in the registry to validate if the file is correct or not.
Registry hive is components (HKEY_Local_Machine\Components)
this hive is only loaded during certain scenarios like servicing or System file Checking.
To see the component hive run sfc /scannow, them open regedit
the registry hive should also help identify the component to be checked under WinSxS so not every folder needs to be checked.
Since the files in System32 for example are mostly hard-linked to the file locations in WinSxS, the file only is in one location
There are some scenarios where the files can be replaced outside of the ability to check. ( boot to another OS on the same machine and replace a file for example.
In that case the hard-link to the file location in system32 to the file is broken to the file in WinSxS, there is a separate file in the system32 folder.
I doubt all the steps are documented, if i recall there was more detail at one point. But there have been a number of changes in this process over the various Windows releases
this is a somewhat simplistic view on the entire process.

0 Votes 0 ·
LimitlessTechnology-2700 avatar image
0 Votes"
LimitlessTechnology-2700 answered

Hello,

Thank you for reaching out.

The SFC process is well explained in below Microsoft article which includes to run DISM first to get files from winsxs.

https://support.microsoft.com/en-us/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e#:~:text=The%20sfc%20%2Fscannow%20command%20will,the%20Windows%20operating%20system%20folder.

Hope this helps.

Thank you,

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Docs-4663 avatar image
0 Votes"
Docs-4663 answered
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.