Stop them cold
One of the most insidious things attackers can do is replace files on your computer with their own files, containing viruses, Trojan horses and the like. These modified programs might open a backdoor to your PC so that the attacker can access your files, or they might turn your PC into a "zombie" that waits until triggered and then attacks a third party.
Obviously these are all bad things, but the problem is that these modified files often replace obscure and confusing files that are part of the Windows OS. This makes it very difficult to tell when one has been modified. For the average user, this is nigh impossible! So how can you tell if you're in trouble?
In the newer versions of Microsoft's Windows platforms, there is a feature called System File Checker, or SFC. It is a simple command line tool that checks the versions of all your system files after you restart your PC. The syntax is simple, and because it uses a command line interface, it makes it very easy for system administrators to check all the desktops they're responsible for.
The syntax is
sfc [/scannow] [/scanonce] [/scanboot] [/cancel] [/quiet] [/enable] [/purgecache] [/cachesize=x]
So to check your system right now, you'd type:
And to check your system every time you boot, you'd type:
Also, know that if you run sfc and it finds a discrepancy, it will prompt the user to replace the file. This tends to freak users out and generate panicky calls to helpdesks. So consider using the /quiet parameter to have sfc automatically replace files without asking.
WARNING: Like many system utilities, sfc is something of a resource hog and has been known to make some systems unstable. Even on some of our test systems with dual 800 MHz processors and 1 GB of RAM, sfc took over 10 minutes to complete. So make sure you back up your systems before you try it, and test it on some of your desktops before you include it in automated login scripts.
Moreover, the command replaces damaged system files by getting the appropriate file from the %SystemRoot%\System32\Dllcache folder. Make sure you have access to that folder before running the utility.
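For administrators who want to script this, here is an added PowerShell example (not from the original tip) that performs the Dllcache access check described above, then runs sfc with the /scannow and /quiet switches and records the elapsed time and exit code so you can see how long it takes on each desktop before rolling it into login scripts. The log file location is an assumption; adjust it for your site.

```powershell
# Added example, not part of the original article: wraps the sfc switches
# described in the tip for use in an administrative script.
$LogFile  = 'C:\Logs\sfc-run.log'   # assumed location, change for your environment
$Dllcache = Join-Path $env:SystemRoot 'System32\Dllcache'

function Write-Log([string]$Message) {
    # One timestamped line per event, tagged with the machine name so logs
    # from many desktops can be merged and compared.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $Message
    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    Add-Content -LiteralPath $LogFile -Value $line
}

# Preflight: sfc restores mismatched files from Dllcache, so confirm the folder
# exists and is readable before starting a scan that could take ten minutes.
if (-not (Test-Path -LiteralPath $Dllcache -PathType Container)) {
    Write-Log "ABORT Dllcache not found at $Dllcache"
    exit 1
}
try {
    $cached = @(Get-ChildItem -LiteralPath $Dllcache -File -ErrorAction Stop).Count
    Write-Log "Dllcache readable, $cached cached files"
} catch {
    Write-Log "ABORT cannot read Dllcache: $($_.Exception.Message)"
    exit 1
}

# Scan now; /quiet replaces mismatched files without prompting the user,
# which avoids the panicky helpdesk calls the tip warns about.
Write-Log 'START sfc /scannow /quiet'
$sw = [System.Diagnostics.Stopwatch]::StartNew()
& "$env:SystemRoot\System32\sfc.exe" /scannow /quiet | Out-Null
$sw.Stop()
Write-Log ('END sfc exit code {0}, elapsed {1:N0} s' -f $LASTEXITCODE, $sw.Elapsed.TotalSeconds)
```

Run it from an elevated session; the exit code is recorded as-is because the tip does not document sfc's return values, so treat the log as a timing and completion record rather than a pass/fail verdict.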
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.
This was first published in December 2001