Stop them cold

Use SFC to make sure your OS is undisturbed.

Tom Lancaster

One of the most insidious things attackers can do is replace files on your computer with their own, containing viruses, Trojan horses and the like. These modified programs might open a backdoor to your PC so that the attacker can access your files, or they might turn your PC into a "zombie" that waits until triggered and then attacks a third party.

Obviously these are all bad things, but the problem is that the replaced files are often obscure and confusing files that are part of the Windows OS, which makes it very difficult to tell when one has been modified. For the average user, this is nigh impossible! So how can you tell if you're in trouble?

In the newer versions of Microsoft's Windows platforms, there is a feature called System File Checker, or SFC. It is a simple command line tool that checks the versions of all your system files after you restart your PC. The syntax is simple, and because it uses a command line interface, it makes it very easy for system administrators to check all the desktops they're responsible for.

The syntax is:

sfc [/scannow] [/scanonce] [/scanboot] [/cancel] [/quiet] [/enable] [/purgecache] [/cachesize=x]

So to check your system right now, you'd type:

sfc /scannow

And to check your system every time you boot, you'd type:

sfc /scanboot

Also, know that if you run sfc and it finds a discrepancy, it will prompt the user to replace the file. This tends to freak users out and generate panicky calls to helpdesks. So consider using the /quiet parameter to have sfc automatically replace files without asking.

WARNING: Like many system utilities, sfc is something of a resource hog and has been known to make some systems unstable. Even on some of our test systems with dual 800 MHz processors and 1 GB of RAM, sfc took over 10 minutes to complete. So make sure you back up your systems before you try it, and test it on some of your desktops before you include it in automated login scripts.

Moreover, the command replaces damaged system files by getting the appropriate file from the %SystemRoot%\System32\Dllcache folder. Make sure you have access to that folder before running the utility.
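The article recommends running sfc from administrators' login scripts with /quiet so users are not prompted, and warns both that the run can take a long time and that the Dllcache folder must be reachable. The following PowerShell wrapper is an added example and not code from the article: it checks for the Dllcache folder first, runs sfc with only the switches the article lists, and writes the run time and exit code to a log so a helpdesk can spot slow or failing machines. The log path, the parameter names and the exit code used when Dllcache is missing are assumptions made for this example; the meaning of sfc's own exit code is not documented in the article, so the script records it without interpreting it.

```powershell
# Added example (not from the article): run sfc from a maintenance or login script
# and leave a log line instead of a dialog box. Switches are those the article lists.
param(
    [string]$LogPath = "$env:SystemRoot\Temp\sfc-check.log",  # assumed log location
    [switch]$Quiet                                            # pass /quiet, as the article suggests
)

$cache = Join-Path $env:SystemRoot 'System32\Dllcache'
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# Pre-flight: the article notes sfc restores files from Dllcache, so confirm it is reachable
# before starting a scan that may run for ten minutes or more.
if (-not (Test-Path -LiteralPath $cache)) {
    Add-Content -Path $LogPath -Value "$stamp $env:COMPUTERNAME Dllcache not reachable at $cache; sfc not run"
    exit 2   # assumed code meaning "skipped", distinct from anything sfc itself returns
}

# Build the argument list from the switches documented in the article.
$sfcArgs = @('/scannow')
if ($Quiet) { $sfcArgs += '/quiet' }   # replace files without prompting the user

$start = Get-Date
$proc = Start-Process -FilePath "$env:SystemRoot\System32\sfc.exe" `
                      -ArgumentList $sfcArgs -Wait -PassThru -NoNewWindow
$elapsed = [int]((Get-Date) - $start).TotalSeconds

# Record how long the scan took and what sfc returned; the exit code is logged as-is.
Add-Content -Path $LogPath -Value ("{0} {1} sfc {2} exit={3} seconds={4}" -f `
    $stamp, $env:COMPUTERNAME, ($sfcArgs -join ' '), $proc.ExitCode, $elapsed)
exit $proc.ExitCode
```

Run it as `.\Check-Sfc.ps1 -Quiet` from an account that can reach Dllcache; review the log on a few test desktops before adding the script to login scripts, as the article advises.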


Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in December 2001
