Re: Critical updates after using the Windows System File Checker

From: Michael Waltrip (michaelj_NOSPAM_waltrip_at_hot_HAM_mail.com)
Date: 07/10/04 

Date: Fri, 9 Jul 2004 23:14:38 -0700

Is SFC only for XP? (I have Windows 2000 Pro, all latest
updates/packs, etc).

Note: Microsoft Baseline Security Analyzer failed to
identify the "need" for Critical Update KB870669
(ADODB.Stream). When I saw this in Windows Web Update, I
canceled out, and updated and scaned with MBSA.
Shouldn't the need for this critical update be noted with
this first? (MSBA's xml file, which tells what to look
for, is updated automatically when it starts a scan).

Michael Waltrip
San Diego, California

>-----Original Message-----
>(interleaved reply)
>"Tony" <anonymous@discussions.microsoft.com> wrote in
message
>news:OUJ9vTVYEHA.644@tk2msftngp13.phx.gbl...
>>I am right up to date with the critical updates on my
Windows XP
>> Professional system.
>>
>> However, I've just had some problems with spyware
deleting at least one
>> system file (notepad) and so, following a tip in a
forum, I ran the System
>> File Checker to check whether any other system files
had been deleted or
>> replaced. I used the command:
>>
>> sfc /scannow
>>
>> which called for my original installation CD. Except
for the progress bar,
>> the System File Checker did not report any missing
files, or indicate that
>> it had replaced any file. (Is there a log somewhere of
what it did?)
>
>Not that I'm aware of but I don't think that
notepad.exe is a "protected file".
>E.g. there are plenty of .exe files in my dllcache
but notepad.exe
>isn't one of them. I think you probably could reinstall
that by using
>a different tool. (See below.)
>
><title>KB310747 - Description of Windows XP and Windows
Server 2003 System File Checker (Sfc.exe)</title>
>
>Aha. That article links to KB222193 and it indicates
that any changes
>may be logged in the "system event log". You would use
EventVwr
>to check on that possibility.
>
>
>Wow! msconfig isn't the "different tool" I was
thinking of...
>(Thank you for this bit of serendipity. <g>)
>
><title>KB310435 - Description and Explanation of a
Cabinet File</title>
>
>(MSKB Boolean search of XP articles for
> extract AND missing AND cab
>)
>
>
>>
>> However, it has now occurred to me that, if it did
replace any files, it
>> might have undone some of the critical updates. Might
this be correct?
>
>I doubt it. For example, if that were true for your OS
I suspect there would
>have been another article similar to this one which was
only for preSP4 W2K:
>
><title>KB814510 - The SFC /SCANNOW Command May Overwrite
Hotfix Files</title>
>
>
>> If so, what is the simplest/quickest way of restoring
the critical updates?
>> Although the Windows Update site allows you to view
your installation
>> history, it does not give you the option simply to
reapply the updates.
>
>Actually I think its scan may be smarter than just
looking at your History.
>That is why, for example, so many people are complaining
about seeing
>updates being repeatedly reoffered and reinstalled. If
the modules don't
>get copied to their final destination the update may be
considered not on.
>It is suspected that users' third-party security programs
could be inhibiting
>such final stage copying.
>
>
>>
>> Do I have to uninstall as many of the updates as I can
from Add/Remove
>> programs, and then reinstall them? If I do uninstall
them all, can I use
>> the Windows Update site to reapply them?
>
>That would be one way, though a bit hit or miss.
>
>To double check many of them what you could do is use the
MBSA from
>the command line:
>
><example>
>D:\Program Files\Microsoft Baseline Security
Analyzer>mbsacli /hf -v -z
></example>
>
>That may tell you what it thinks about the situation by
looking at the versions
>of the modules involved (not just the registry values.)
Actually you could
>do both by running it again without the -z switch.
>
><TITLE>303215 - Microsoft Network Security Hotfix Checker
(Hfnetchk.exe) Tool Is Available</TITLE>
>< http://support.microsoft.com/default.aspx?scid=kb;en-
us;Q303215 >
>
>
>There is another tool called the Hotfix.exe utility
which might detect
>other discrepancies but I haven't used it. Many of the
security bulletins
>reference it and apparently it may be installed with some
patches.
>
>Hmm... (more serendipity <g>)
>
><title>KB262841 - Command-Line switches for Windows
software update packages</title>
>
>(MSKB Boolean search for
> "hotfix.exe" AND XP
>)
>
>Drawing inferences from this article supposedly what you
could do
>is find all occurrences of update.exe, sort them by Date
Modified,
>open the newest one's containing folder (e.g. right-
click, i),
>copy the contents of that window's Address bar to
Clipboard,
>switch to a command window, type CD /D
>(Note: there is a trailing space after that /D )
>paste in the path, press Enter, then enter: update /L
>to generate some kind of report about that hotfix.
>
>
>You could also compare those reports with the list
generated
>by the systeminfo command. Since there is already an
article
>which implies that we shouldn't get excited if there
appear to be
>discrepancies between an MBSA report and a Windows
Update
>scan I suppose we also should not get excited about
discrepancies
>among all 3. (The list of hotfixes that systeminfo
lists has been
>superseded by XPsp2RC2 but I suppose that's
understandable. ;)
>
>(ref: MBSA FAQ: "Why am I getting conflicting results
between MBSA and Windows Update?)
>
>
>In case my opinion about all this isn't clear yet I think
fix management
>on the Windows client is still "a work in progress" and
hence the tools
>are ahead of the documentation.
>
>
>HTH
>
>Robert Aldwinckle
>---
>
>
>
>.
>

Relevant Pages

  • Re: Critical updates after using the Windows System File Checker
    ... > I am right up to date with the critical updates on my Windows XP ... > one system file and so, following a tip in a forum, I ran ...
    (microsoft.public.windowsupdate)
  • Re: Cannot Create New User
    ... If User Accounts is OK, ... MS-MVP Windows Shell/User ... I ran the system file checker did throw up some events (looks like 3 pairs ... Windows File Protection scan found that the system file ...
    (microsoft.public.windowsxp.security_admin)
  • Re: mpr.dll
    ... Rick Rogers aka "Nutcase" MS-MVP - Windows ... >>> Wouldn't SFC do this automatically (and replace any ... >>Probably, as long as it is seen as a needed system file, ... >>Associate Expert - WinXP - Expert Zone ...
    (microsoft.public.windowsxp.newusers)
  • Re: Cannot Create New User
    ... I tried rebooting and then double-clicking User Accounts - same old problem. ... this in the Event Viewer under System, listed as Information; Windows File ... File replacement was attempted on the protected system file ... Windows File Protection will be listed under the Source column. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Cannot print from web sites
    ... System File Checker replaces screwed up system files. ... System File Checker tool in Windows XP Home Edition ... I may be side tracked here because of the registering problems. ... but the DllRegisterServer entry point was not ...
    (microsoft.public.windowsxp.general)