sfc.exe

  • File Path: C:\WINDOWS\SysWOW64\sfc.exe
  • Description: System Integrity Check and Repair

Hashes

Type Hash
MD5 D332B12CBECC3A0E322956814D823AC0
SHA1 A086B99C3E07EDF5B4AB5A618DDF1D00AE9D6503
SHA256 B39D1B2D76B38D91A6E3A9BE07946B4DF946B8E8E0DCD9FDD282E2D419A3A4C6
SHA384 1CAD276080B85DAE4680FFE669D4E6992447304F4E88772BD34D68395321809D210352E9D6BC1054E25CFDCC011DEE83
SHA512 3B82C302B8EBF3750DEC947767C25C19D5A4E28B5EC02F1F3739FDBECEAED6F9C2F47BF6369606F9BF4BB98594B3284442632C2E1632FB670F237EAA7A8756A3
SSDEEP 768:KP4p/gbInqWSEGhgxWhcrlQlAIMu8uHrXv+8E9c9ThZAcGQP9lMpVltM:ZSEwZhcrlQqru1L/s9c9wcGg9lMB
IMP 0370C0837EA56F1D6FB5A2F8D23AA3A8
PESHA1 8F7DF64CFE643D4E4882793ECD2A97C122971657
PE256 9D560626710EF325B77D9FF8311183EC018E5EDB0F1C97DD7C8DC8FA87B36F78

Runtime Data

Usage (stdout):


Microsoft (R) Windows (R) Resource Checker Version 6.0
Copyright (C) Microsoft Corporation. All rights reserved.

Scans the integrity of all protected system files and replaces incorrect versions with 
correct Microsoft versions.

SFC [/SCANNOW] [/VERIFYONLY] [/SCANFILE=<file>] [/VERIFYFILE=<file>]
    [/OFFWINDIR=<offline windows directory> /OFFBOOTDIR=<offline boot directory> [/OFFLOGFILE=<log file path>]]

/SCANNOW        Scans integrity of all protected system files and repairs files with
                problems when possible.
/VERIFYONLY     Scans integrity of all protected system files. No repair operation is
                performed.
/SCANFILE       Scans integrity of the referenced file, repairs file if problems are
                identified. Specify full path <file>
/VERIFYFILE     Verifies the integrity of the file with full path <file>.  No repair
                operation is performed.
/OFFBOOTDIR     For offline repair, specify the location of the offline boot directory
/OFFWINDIR      For offline repair, specify the location of the offline windows directory
/OFFLOGFILE     For offline repair, optionally enable logging by specifying a log file path

e.g.

        sfc /SCANNOW
        sfc /VERIFYFILE=c:\windows\system32\kernel32.dll
        sfc /SCANFILE=d:\windows\system32\kernel32.dll /OFFBOOTDIR=d:\ /OFFWINDIR=d:\windows
        sfc /SCANFILE=d:\windows\system32\kernel32.dll /OFFBOOTDIR=d:\ /OFFWINDIR=d:\windows /OFFLOGFILE=c:\log.txt
        sfc /VERIFYONLY

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\sfc.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sfc.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.120 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.120
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/b39d1b2d76b38d91a6e3a9be07946b4df946b8e8e0dcd9fdd282e2d419a3a4c6/detection

Possible Misuse

The following table contains possible examples of sfc.exe being misused. While sfc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
signature-base apt_poisonivy.yar $s4 = “\sfc.exe” fullword ascii /* score: ‘11.005’ */ CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


sfc

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Scans and verifies the integrity of all protected system files and replaces incorrect versions with correct versions. If this command discovers that a protected file has been overwritten, it retrieves the correct version of the file from the systemroot\system32\dllcache folder, and then replaces the incorrect file.

[!IMPORTANT] You must be logged on as a member of the Administrators group to run this command.

Syntax

sfc [/scannow] [/verifyonly] [/scanfile=<file>] [/verifyfile=<file>] [/offwindir=<offline windows directory> /offbootdir=<offline boot directory>]

Parameters

Parameter Description
/scannow Scans the integrity of all protected system files and repairs files with problems when possible.
/verifyonly Scans the integrity of all protected system files, without performing repairs.
/scanfile <file> Scans the integrity of the specified file (full path and filename) and attempts to repair any problems if they’re detected.
/verifyfile <file> Verifies the integrity of the specified file (full path and filename), without performing repairs.
/offwindir <offline windows directory> Specifies the location of the offline windows directory, for offline repair.
/offbootdir <offline boot directory> Specifies the location of the offline boot directory for offline repair.
/? Displays help at the command prompt.

Examples

To verify the kernel32.dll file, type:

sfc /verifyfile=c:\windows\system32\kernel32.dll

To set up the offline repair of the kernel32.dll file with an offline boot directory set to D:* and an offline windows directory set to *D:\windows, type:

sfc /scanfile=D:\windows\system32\kernel32.dll /offbootdir=D:\ /offwindir=d:\windows

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.