Tip

Stop them cold

Tom Lancaster

One of the most insidious things attackers can do is replace files on your computer with their own, carrying viruses, Trojan horses and the like. Such a modified program might open a backdoor to your PC so the attacker can reach your files, or it might turn your PC into a "zombie" that waits until triggered and then attacks a third party.

Obviously these are all bad things. The difficulty is that the files being replaced are often obscure, confusingly named parts of the Windows OS itself, so telling a legitimate copy from a tampered one is hard, and for the average user nigh impossible. So how can you tell if you're in trouble?

In Windows 2000 and Windows XP there is a feature called System File Checker, or SFC. It is a simple command-line tool that checks the versions of the protected system files, either immediately or at the next restart, and restores any that don't match what Windows shipped. The syntax is simple, and because it is driven from the command line, it is easy for system administrators to run it on every desktop they're responsible for.

The syntax is

sfc [/scannow] [/scanonce] [/scanboot] [/cancel] [/quiet] [/enable] [/purgecache] [/cachesize=x]

So to check your system right now, you'd type:

sfc /scannow

And to check your system every time you boot, you'd type:

sfc /scanboot

Also, know that if you run sfc and it finds a discrepancy, it will prompt the user to replace the file (and, if the cached copy is missing, for the Windows installation CD). This tends to freak users out and generate panicky calls to helpdesks, so consider using the /quiet parameter to have sfc replace files automatically without asking.

WARNING: Like many system utilities, sfc is something of a resource hog and has been known to make some systems unstable. Even on some of our test systems with dual 800 MHz processors and 1 GB of RAM, sfc took over 10 minutes to complete. So make sure you back up your systems before you try it, and test it on a few desktops before you include it in automated login scripts.

Moreover, the command replaces damaged system files with the copy it keeps in the %SystemRoot%\System32\Dllcache folder, so make sure that folder is present and intact before running the utility. Bear in mind that the cache is just another folder on the disk: anything running with administrative rights can overwrite it too, so a clean sfc result shows the protected files match the cache, not that the machine was never tampered with.
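The following is an added example, not code from the original tip, showing how an administrator might wrap the sfc invocation described above in a script that can be pushed to many desktops: it checks for administrative rights and for the Dllcache folder, runs sfc with /quiet so users are not prompted, optionally registers /scanboot, and writes a per-machine log to a central share. The share path is a hypothetical name, and the "Windows File Protection" event source with event ID 64002 is assumed to be what Windows 2000/XP logs when it restores a replaced protected file.

```powershell
<#
Added example, not code from the original tip: run sfc from a maintenance
script so it can be pushed to many desktops and the result collected centrally.
Assumptions (names are hypothetical): $LogShare is a UNC path you control;
on Windows 2000/XP the "Windows File Protection" event source writes event
ID 64002 when it restored a replaced protected file.
#>
param(
    [string]$LogShare      = '\\fileserver\sfclogs',  # hypothetical central log location
    [switch]$ScanEveryBoot                            # also register sfc /scanboot
)

# sfc needs administrative rights, so fail early rather than half-run.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'sfc must be run with administrative rights.'
}

# Windows 2000/XP sfc restores files from Dllcache and accepts /quiet;
# Vista and later use Windows Resource Protection and have neither.
$legacySfc = [Environment]::OSVersion.Version.Major -lt 6
$sfcExe    = Join-Path $env:SystemRoot 'System32\sfc.exe'
$sfcArgs   = @('/scannow')
if ($legacySfc) {
    $dllCache = Join-Path $env:SystemRoot 'System32\Dllcache'
    if (-not (Test-Path $dllCache)) {
        throw "Dllcache not found at $dllCache; sfc would prompt for the install CD."
    }
    $sfcArgs = @('/quiet', '/scannow')   # per the tip: replace without prompting the user
}

# sfc emits UTF-16 text; match the console encoding so the captured output
# does not arrive with NUL characters between letters.
[Console]::OutputEncoding = [System.Text.Encoding]::Unicode
$started  = Get-Date
$output   = & $sfcExe @sfcArgs 2>&1 | Out-String
$exitCode = $LASTEXITCODE
$elapsed  = (Get-Date) - $started

# On Windows 2000/XP, WFP logs event 64002 (assumed ID) when it put a tampered file back.
$restored = @()
if ($legacySfc) {
    $restored = @(Get-EventLog -LogName System -Source 'Windows File Protection' `
                    -After $started -ErrorAction SilentlyContinue |
                  Where-Object { $_.EventID -eq 64002 } |
                  ForEach-Object { $_.Message })
}

# /scanboot only exists on the Windows 2000/XP sfc.
if ($ScanEveryBoot -and $legacySfc) {
    & $sfcExe /scanboot | Out-Null
}

# One log file per machine per run, written to the share for the helpdesk to review.
$logFile = Join-Path $LogShare ('{0}-{1:yyyyMMdd-HHmm}.log' -f $env:COMPUTERNAME, $started)
@(
    "Computer : $env:COMPUTERNAME"
    "Started  : $started"
    "Duration : $($elapsed.ToString())"
    "Exit code: $exitCode"
    "Restored : $($restored.Count) file(s)"
    ''
    $output
    $restored
) | Set-Content -Path $logFile -Encoding UTF8

# Summary object for whatever pushed the script (scheduled task, psexec, SMS).
New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    ExitCode      = $exitCode
    Duration      = $elapsed
    RestoredFiles = $restored.Count
    Log           = $logFile
}
```

Run this from a scheduled task or a computer startup script rather than a user login script: login scripts run with the user's rights, and sfc needs an administrator. Given the runtime noted in the warning above, schedule it for a quiet period, and check the first few logs by hand before rolling it out to every desktop. On Windows Vista and later, where Dllcache and /quiet no longer exist, the detailed results are written to %windir%\Logs\CBS\CBS.log instead of the System event log.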


Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in December 2001
