sfc.exe

  • File Path: C:\WINDOWS\SysWOW64\sfc.exe
  • Description: System Integrity Check and Repair

Hashes

Type Hash
MD5 F5A1827155AB5D4A8F218436DDBF023A
SHA1 3354D194038ED1FF62FD20873DFB7EA7AEC27055
SHA256 A47A972D2BAC60913A318D34BD3974388B5E2AC4D3C3A58FCC38E3C51E805E02
SHA384 C7E05E02ED3C29987B8C7707F799F3E173D737419277E9879CF2E6C664892DDFFD3E43C626B0802B43942A4E591F644D
SHA512 B9E25B9F0F1B2DF19C0DE7E8190B3B28B6B7F081154820C7821A1CAABBAC4B3FC761D87EB957E4BE9AEFD459231F36C258CD5F084A9D079F3980EB72711E000A
SSDEEP 768:6w4pOi6oiNfqOxt2VHRnLvF7jjS0TaU04yFx5RGKQB6e44/:JRfqpVHZLN7f303RGlB6e44

Runtime Data

Usage (stdout):


You must be an administrator running a console session in order to 
use the sfc utility.

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sfc.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of sfc.exe being misused. While sfc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
signature-base apt_poisonivy.yar $s4 = “\sfc.exe” fullword ascii /* score: ‘11.005’ */ CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


sfc

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Scans and verifies the integrity of all protected system files and replaces incorrect versions with correct versions. If this command discovers that a protected file has been overwritten, it retrieves the correct version of the file from the systemroot\system32\dllcache folder, and then replaces the incorrect file.

[!IMPORTANT] You must be logged on as a member of the Administrators group to run this command.

Syntax

sfc [/scannow] [/verifyonly] [/scanfile=<file>] [/verifyfile=<file>] [/offwindir=<offline windows directory> /offbootdir=<offline boot directory>]

Parameters

Parameter Description
/scannow Scans the integrity of all protected system files and repairs files with problems when possible.
/verifyonly Scans the integrity of all protected system files, without performing repairs.
/scanfile <file> Scans the integrity of the specified file (full path and filename) and attempts to repair any problems if they’re detected.
/verifyfile <file> Verifies the integrity of the specified file (full path and filename), without performing repairs.
/offwindir <offline windows directory> Specifies the location of the offline windows directory, for offline repair.
/offbootdir <offline boot directory> Specifies the location of the offline boot directory for offline repair.
/? Displays help at the command prompt.

Examples

To verify the kernel32.dll file, type:

sfc /verifyfile=c:\windows\system32\kernel32.dll

To set up the offline repair of the kernel32.dll file with an offline boot directory set to D:* and an offline windows directory set to *D:\windows, type:

sfc /scanfile=D:\windows\system32\kernel32.dll /offbootdir=D:\ /offwindir=d:\windows

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.