Re: SFC /scannow problem

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From http://www.updatexp.com/windows-file-protection.html
"It is interesting to note that the virus "W32/CodeRed.D", that caused so
much mayhem by shutting down Internet Servers in the summer of 2002, used
this very same undocumented setting to stop the Windows File protection
service from running. The virus could then release its Trojan payload to do
damage and replicate itself around the Internet!"

I have no doubt that CodeRed isn't the only malware to do this. Can't
imagine any legit application doing so.

--
Gary S. Terhune
MS-MVP Shell/User
www.grystmill.com

"Stephen" <none> wrote in message
news:u06RRIQzHHA.600@xxxxxxxxxxxxxxxxxxxxxxx
You are a hero, C.J.!

The value of the SFCDisable key was 0xffffff9d. When I changed this to
zero, SFC worked correctly.

Working on the assumption that this could have been changed by malware, I
scanned with (updated) Spybot, Adaware and SuperAntiSpyware in turn. I
found some tracking cookies (which I deleted) but nothing more sinister.
My daughter did have some trouble a while ago with "things not working
properly" whilst away at university, which were fixed for her by "computer
geek" friends. Could this have been malware of some kind, and the
SFCDisable key value change a legacy of that, I wonder?

Anyway, thanks very much for your help and advice which are much
appreciated.

Stephen


"C J." <no.reply@xxxxxxxxxxxxxxx> wrote in message
news:O3RbOPLyHHA.4896@xxxxxxxxxxxxxxxxxxxxxxx
Hmmm.. ok Stephen, new options to try:

Perform option 1 and if necessary option 2.

~~ Option 1. ~~

Lets reopen Regedit and then navigate to this key:

HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\
Winlogon

Look for the SFCDisable key and make sure its value is set to 0 (Zero)

Reboot and try SFC/ Scannow again. If it still doesn't work?

~~ Option 2. ~~

One other thought is: This trouble could be due to possible malware
infestation. See this link http://aumha.org/a/quickfix.htm first to
adequately prepare her PC for scanning.

Scan the PC in first in "safe mode " and then in "Normal mode" using any
combination of Adaware SE www.lavasoftusa.com , SuperAntiSpyware
www.SuperAntiSpyware.com , or Spybot Search and Destroy
www.safer-networking.org.

Download each. Install them and then update their definition files
before rebooting and scanning. Remove anything found by both programs.

Best of luck ... ohh and report back your results.

Stephen <none> wrote:
Thanks for the attempt to help, C.J. However, I'm not using safe mode. I
can log on as an administrator quite easily, but SFC does not run.
Stephen

"C J." <no.reply@xxxxxxxxxxxxxxx> wrote in message
news:e9vr849xHHA.3536@xxxxxxxxxxxxxxxxxxxxxxx

Steven,

On the off chance you are attempting to run SFC /Scannow in safe mode,
it
won't work - and this is by design. Try logging onto her computer as
an
administrator in normal mode by tapping Ctrl-Alt-Del keys twice on the
welcome screen in legacy Login box type "Administrator" (no quotes) and
press Go (assuming no password has been assigned, by default it should
be
blank.) Be sure you have Windows XP CD handy in the event SFC asks
for
it. If still no Joy, report back.



Stephen <none> wrote:
When I try to run "SFC /scannow" on my daughter's PC, it does not run
but gives the following error message:

"Windows File Protection could not initiate a scan of protected system
files.
The specific error code is 0x000006ba [The RPC server is
unavailable]."

Following possible leads from a Google search, I have checked three
things
in trying to solve this:

1 That the RPC service is running ("Started, Automatic").
2 That the Verisign certificate is present (KB 296241).
3 That the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs is present.

In case it's relevant, I mention that until recently she was
connecting
to
the internet via her university network. Having now returned home, she
is connecting via our wireless router. We have changed settings (for
example,
email proxy server) as appropriate to get this to work. I just wonder
if
there is any other setting relevant to RPC that needs changing. (I
have
no
idea if SFC /scannow worked whilst she was at university.)

Does anyone have any suggestions?

Thanks,
Stephen






.

Relevant Pages

  • Re: SFC /scannow problem
    ... "I have no doubt that CodeRed isn't the only malware to do this. ... The value of the SFCDisable key was 0xffffff9d. ... can log on as an administrator quite easily, but SFC does not run. ... "Windows File Protection could not initiate a scan of protected ...
    (microsoft.public.windowsxp.general)
  • Re: BITS - saving status during reboot
    ... Event Source: Windows File Protection ... Windows File Protection scan found that the system file ... the problem be 'this' server or all servers in this domain. ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Windows File Protection
    ... suspect if you reboot the server the WFP prompts may stop. ... different and all have been replaced to their originals, ... "Windows File Protection file scan was started. ...
    (microsoft.public.windows.server.sbs)
  • Re: Windows File Protection
    ... I can see this activity clealy in the System EVENT log. ... "Windows File Protection file scan was started. ... I had to cancel because it kept on asking for the SBS 2003 Instalation CD, ... only thing I have done is the SFC within the normal state of the server. ...
    (microsoft.public.windows.server.sbs)
  • Re: System File Checker question
    ... Event Source: Windows File Protection ... ServicePackSourcePath at that location is already ... re-ran SFC but it made no difference, I still have the same System Event ... If you use Registry Editor incorrectly, ...
    (microsoft.public.windowsxp.help_and_support)