Re: SFC and WFP information / help

From: Jim Carlock (anonymous_at_127.0.0.1)
Date: 04/16/04


Date: Fri, 16 Apr 2004 14:49:57 -0400

LOL

It doesn't work the way you think. It never asks for a CD.

;-)

::The Unknown P... wrote:::::
> If you go>start\run and type in sfc /scannow

I run it from the Command prompt. No need for the extra clicking.

> the system will do a System File Check.

Well, what does it check? I ran sfc /purgecache first. That is one
question that needs an answer.

> You will need your XP CD or your Recovery CD if an
> OEM of XP.

That is untrue. It does not ask for a CD anymore.

> This compares the present os files with the originals

That is untrue, the originals are themselves and there is nothing to
compare against. I'm not sure "what" YOU are referring to. Why
compare an ntdll.dll that's been updated 2 or 3 times, with an
original ntdll.dll on a CD that is 3 years outdated? There is no use
in such behaviors. And it doesn't ask for a CD or even look for
a CD anymore. :-)

> and replaces any missing or corrupt files with the ones found
> on the disk.

It is NOT doing what you say it should do. I don't think it likes
you. :-)

> If you need any other parameters you go>start\run and type in
> cmd and hit ok.

I just click on the Cmd.exe shortcut. You know how you can
place a cmd.exe shortcut in the right click menu? I have done
similar things in the past, but I really would like to place it at
the top of the Explorer list for right clicks. That way I don't
have to move down to the taskbar.

> Now type in sfc /? and you will get all the parameters

LOL Really? See my previous post about pulling functions out
of sfc.dll. Very interesting. Take a look at this:

File Name: SFC.EXE
File Type: EXECUTABLE IMAGE
Section Examined: IMPORTS
  Section contains the following imports:
    msvcrt.dll
      77C33632 98 __set_app_type
      77C1EB68 85 __p__fmode
      77C1EB4A 80 __p__commode
      77C5D388 B6 _adjust_fdiv
      77C48F60 9A __setusermatherr
      77C379DB 13A _initterm
      77C1E8AF A4 __wgetmainargs
      77C5C9EC A5 __winitenv
      77C33EB0 ED _except_handler3
      77C37B00 C8 _cexit
      77C31269 4E _XcptFilter
      77C37AEE F6 _exit
      77C37B11 C5 _c_exit
      77C31F83 2F3 setlocale
      77C426B8 228 _wcsicmp
      77C4299A 22C _wcsnicmp
      77C1D7F9 338 wcstoul
      77C5AC80 13E _iob
      77C3CD6E 323 vswprintf
      77C37ADC 28F exit
      77C4A658 D6 _controlfp
      77C43DBC 32C wcslen
      77C3EE11 320 vfwprintf

    ADVAPI32.dll
      77DD609C DF FreeSid
      77DD1EB4 38 CheckTokenMembership
      77DD60A2 1D AllocateAndInitializeSid

    KERNEL32.dll
      77F5157D 15A GetLastError
      77E7F295 E1 FormatMessageW
      77E79A45 238 LocalFree
      77E707A7 275 ProcessIdToSessionId
      77E78406 150 GetFileType
      77E76052 375 WriteConsoleW
      77E80656 130 GetCurrentProcessId
      77E79F93 167 GetModuleHandleA
      77E79881 234 LocalAlloc
      77E79C3D 19E GetStdHandle

    RPCRT4.dll
      77D28400 7A NdrClientCall2

    USER32.dll
      77D4A92C 2D9 wsprintfW

    sfc_os.dll
               10010AC Import Address Table
               1001CE8 Import Name Table
              FFFFFFFF time date stamp
              FFFFFFFF Index of first forwarder reference

      76C693D6 Ordinal 4
      76C69471 Ordinal 6
      76C69395 Ordinal 3

  Header contains the following bound import information:
    Bound to msvcrt.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
    Bound to ADVAPI32.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
    Bound to KERNEL32.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
      Contained forwarders bound to NTDLL.DLL [3B7DE01E] Fri Aug 17 23:25:18 2001
    Bound to RPCRT4.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
    Bound to USER32.dll [3B7DFE0E] Sat Aug 18 01:33:02 2001
    Bound to sfc_os.dll [3B7DFE12] Sat Aug 18 01:33:06 2001

'-----------------------------------------------
It is very interesting to note that it is bound to sfc_os.dll. And it is
not bound to sfc.dll, which holds the two functions that I previously
was inquiring about. And I don't see the connections to sfc_os.dll.

So the connections are hidden? Do you know what the deal is with
that? I'm wondering if it is plain data that is held in that file?

I see the following for sfc_os.dll:

File Name: sfc_os.dll
File Type: DLL
Section contains the following exports for sfc_os.dll
         0 characteristics
  3D6D9F5D time date stamp Thu Aug 29 00:13:17 2002
      0.00 version
         1 ordinal base
        11 number of functions
         4 number of names
   ordinal hint RVA name
        8 0 00009736 SfcGetNextProtectedFile
        9 1 00009841 SfcIsFileProtected
       10 2 00012D40 SfcWLEventLogoff
       11 3 000137F9 SfcWLEventLogon
        1 0000EB10 [NONAME]
        2 0000E9CE [NONAME]
        3 00009345 [NONAME]
        4 00009386 [NONAME]
        5 000093A0 [NONAME]
        6 00009421 [NONAME]
        7 00009463 [NONAME]

That is very interesting there, as well. I will need to explore what
is in the NONAME things.

:-) Oh, it looks like they are internally called functions, maybe
jumped to through certain conditions. T

> I hope this is what you want. Welcome to the eXPeriance. {:~)

Thanks, but you were way off target. Feel free to read along. I
meant to post this information to the VB newsgroup, but had a
little too much to drink last night. ;-)

By the way, the list of files that are protected by the system is
contained inside sfcfiles.dll.

There is one exported function inside sfcfiles.dll:
SfcGetFiles

And there is no documentation about it in the Platform SDK.
There is documentation about the other two functions which
is found in both sfc.dll and sfc_os.dll.

The sfc.dll is a small wrapper. It holds the functions listed in
sfc_os.dll and forwards those function calls to sfc_os.dll.

There are also a couple extra functions inside sfc.dll which
forward the calls to sfc_os.dll:

SfcGetNextProtectedFile (forwarded to sfc_os.SfcGetNextProtectedFile)
SfcIsFileProtected (forwarded to sfc_os.SfcIsFileProtected)
SfcWLEventLogoff (forwarded to sfc_os.SfcWLEventLogoff)
SfcWLEventLogon (forwarded to sfc_os.SfcWLEventLogon)

And the functions inside of sfc.dll that are NOT forwarded:

SRSetRestorePoint
SRSetRestorePointA
SRSetRestorePointW
SfpVerifyFile

I still have to dig deeper unless someone else knows more.

Thanks for your comments!

-- 
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.
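
Added example (not part of the original post, and not Microsoft's code): how a PE export directory encodes the three kinds of entry seen in the dumps above, namely named exports, ordinal-only exports (shown as [NONAME]) and forwarders such as the sfc.dll entries that point into sfc_os.dll. The sample table, its RVAs and the helper names are constructed for illustration, and the parser assumes an image in which RVA equals offset.

```python
import struct

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at an RVA."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def parse_exports(img, dir_rva, dir_size):
    """Return {ordinal: (name or None, code_rva or None, forwarder or None)}.
    Assumption: img is laid out so that RVA == offset (a mapped image)."""
    (_, _, _, _, _, base, n_funcs, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", img, dir_rva)
    funcs = struct.unpack_from(f"<{n_funcs}I", img, funcs_rva)
    name_rvas = struct.unpack_from(f"<{n_names}I", img, names_rva)
    name_idx = struct.unpack_from(f"<{n_names}H", img, ords_rva)
    # The name-ordinal array holds indexes into funcs, not biased ordinals.
    names = {idx: cstr(img, rva) for idx, rva in zip(name_idx, name_rvas)}
    out = {}
    for i, rva in enumerate(funcs):
        if rva == 0:
            continue                      # unused slot in the ordinal range
        if dir_rva <= rva < dir_rva + dir_size:
            # RVA inside the export directory: a "DLL.Function" forwarder string
            out[base + i] = (names.get(i), None, cstr(img, rva))
        else:
            # No entry in names means the export is reachable by ordinal only
            out[base + i] = (names.get(i), rva, None)
    return out

def build_sample():
    """Constructed export directory (not bytes taken from any real DLL)."""
    d = 0x40                              # directory RVA, header is 40 bytes
    funcs, names, ords, strs = d + 40, d + 52, d + 60, d + 64
    s = [b"sfc_os.SfcIsFileProtected\0", b"SfcIsFileProtected\0", b"SfpVerifyFile\0"]
    n1 = strs + len(s[0])
    n2 = n1 + len(s[1])
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, 3, 2, funcs, names, ords)
    body += struct.pack("<3I", 0x1100, strs, 0x1200)  # ordinals 1, 2, 3
    body += struct.pack("<2I", n1, n2)                # name RVAs, sorted
    body += struct.pack("<2H", 1, 2)                  # indexes into funcs
    body += b"".join(s)
    return bytes(d) + body, d, len(body)

if __name__ == "__main__":
    img, d, size = build_sample()
    for ordinal, (name, rva, fwd) in sorted(parse_exports(img, d, size).items()):
        target = f"forwarded to {fwd}" if fwd else f"RVA {rva:08X}"
        print(f"{ordinal:3} {name or '[NONAME]':20} {target}")
```
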