This chapter covers the System File Checker (SFC) utility, specifically the `sfc /scannow` command, a critical tool for repairing corrupted Windows system files. For the CompTIA A+ 220-1102 exam, this topic falls under Domain 3.0 (Software Troubleshooting), Objective 3.1. While not a high-frequency topic, you can expect 1-2 questions that test your knowledge of SFC syntax, its relationship with DISM, and its limitations. Mastery of SFC is essential for a technician's troubleshooting toolkit.
Jump to a section
Imagine a large museum with thousands of exhibits. Every item has a master blueprint stored in a fireproof, locked vault. This vault is the Windows Component Store (C:\Windows\WinSxS). When an exhibit gets damaged—a statue chips, a painting fades—the museum's repair crew (System File Checker) consults the master blueprint. The crew runs a comparison: they look at the damaged item and compare it to the blueprint. If the item matches, they leave it alone. If it doesn't match—say the statue's arm is broken—they note the exact discrepancy. The crew then retrieves a pristine copy of the blueprint from the vault and fabricates a perfect replacement part. They remove the damaged item and install the new one. The museum remains open during repairs (Windows continues running). However, if the vault itself is damaged—say the blueprint for the statue is missing or corrupted—the crew cannot repair it. They need a fresh set of blueprints from the original architect (Windows installation media or a known-good source). This is when you need to run DISM before SFC. The repair crew is methodical: they check each file one by one, logging every action in a repair report (CBS.log). They never guess—they only replace when the blueprint clearly shows a mismatch.
What is System File Checker (SFC)?
System File Checker (SFC) is a built-in Windows utility that scans protected system files and replaces corrupted or missing versions with correct copies from a cached location. It was first introduced in Windows 98 and Windows 2000 and remains a cornerstone of Windows system repair. The primary executable is sfc.exe, located in C:\Windows\System32. SFC operates by comparing the current file against a known-good version stored in the Windows Component Store, also known as the side-by-side (WinSxS) folder.
Why Does SFC Exist?
Windows protects critical system files from accidental or malicious modification. However, over time, files can become corrupted due to disk errors, improper shutdowns, malware, or faulty driver installations. SFC provides a mechanism to restore these files to their original state without requiring a full OS reinstallation. It is the first line of defense in system file integrity.
How SFC Works Internally
When you run sfc /scannow, the following process occurs:
Initialization: SFC reads the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to determine the location of the Component Store. The default path is %SystemRoot%\WinSxS.
File Enumeration: SFC enumerates all protected system files. The list of protected files is defined in the Windows File Protection (WFP) catalog, which is stored in %SystemRoot%\System32\CatRoot. Each catalog file is digitally signed by Microsoft.
Integrity Check: For each protected file, SFC calculates a hash (SHA-1 or SHA-256) and compares it to the hash stored in the catalog. If the hashes match, the file is considered intact. If they differ, the file is flagged as corrupted.
Repair Process: For corrupted files, SFC attempts to copy a fresh version from the Component Store. The Component Store contains multiple versions of each file (hence "side-by-side"). SFC selects the version that matches the current OS build and service pack level.
Fallback: If the Component Store copy is also corrupted, SFC will prompt the user to insert Windows installation media. In modern Windows (8 and later), SFC can also use Windows Update to download a clean copy.
Logging: All actions are logged in %SystemRoot%\Logs\CBS\CBS.log. This log file is verbose and can be examined to determine which files were repaired and which could not be repaired.
Key SFC Command Syntax and Options
The primary command is:
sfc /scannowOther useful options include:
/verifyonly: Scans but does not repair. Useful for checking integrity without making changes.
/scanfile=<path>: Scans and repairs a specific file.
/verifyfile=<path>: Verifies a specific file without repair.
/offbootdir=<path>: Specifies the boot directory for offline repair (used from Windows Recovery Environment).
/offwindir=<path>: Specifies the Windows directory for offline repair.
Example of offline repair:
sfc /scannow /offbootdir=C:\ /offwindir=C:\WindowsSFC and Windows Resource Protection (WRP)
Windows Resource Protection (WRP) is the mechanism that prevents unauthorized modification of system files. SFC works hand-in-hand with WRP. WRP protects files by setting ACLs that deny write access to all processes including administrators. SFC has special privileges to bypass these ACLs when performing repairs.
SFC Failures and the Role of DISM
SFC can fail to repair a file if the Component Store itself is corrupted. In such cases, you must repair the Component Store first using Deployment Image Servicing and Management (DISM). The recommended sequence is:
Run DISM /Online /Cleanup-Image /RestoreHealth
Then run sfc /scannow
DISM repairs the Component Store by downloading fresh files from Windows Update or from a specified source (e.g., installation media). Without a healthy Component Store, SFC cannot perform repairs.
SFC in Windows 10/11 vs. Earlier Versions
In Windows Vista and 7, SFC used a different component store structure. The behavior is largely the same, but the underlying file protection mechanism evolved. In Windows 8 and later, the Component Store is more robust and includes self-healing capabilities.
Running SFC from Windows Recovery Environment (WinRE)
If Windows cannot boot normally, you can run SFC from the Recovery Environment. Boot from installation media, select "Repair your computer," then navigate to Troubleshoot > Advanced Options > Command Prompt. Use the offline switches:
sfc /scannow /offbootdir=C:\ /offwindir=C:\WindowsNote that drive letters in WinRE may differ. Use diskpart to confirm the correct letters.
SFC Log File Analysis
The CBS.log file can be overwhelming. To filter for only SFC entries, use:
findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > sfcdetails.txtThis creates a file with only SFC-related entries. Look for lines containing "Cannot repair member file" or "Repairing 1 components".
Common SFC Return Codes
0: No integrity violations found.
1: Integrity violations were found and repaired.
2: Integrity violations were found but some could not be repaired.
3: Repair required a reboot.
Performance Impact
SFC runs at low priority and is designed not to interfere with user operations. However, on large systems with many files, a full scan can take 15-30 minutes. You can interrupt it with Ctrl+C, but this leaves the system in an unknown state.
SFC and Third-Party Antivirus
Some antivirus software may interfere with SFC by locking files. Disable real-time protection temporarily if SFC repeatedly fails on the same files.
SFC Limitations
SFC only repairs files that are in the protected list. It does not fix user data, registry corruption, or driver issues.
SFC cannot repair files if the Component Store is corrupt.
SFC requires administrative privileges. Run as Administrator.
SFC does not check file permissions or ownership.
Best Practices
Always run SFC from an elevated Command Prompt.
Run DISM first if SFC fails to repair files.
Check CBS.log to identify specific failures.
Use sfc /verifyonly for a quick health check without making changes.
For offline repairs, ensure you have the correct drive letters.
Open Elevated Command Prompt
To run SFC, you must have administrative privileges. Click Start, type 'cmd', right-click 'Command Prompt' and select 'Run as administrator'. If you are not an administrator, the command will fail with 'You must be an administrator running a console session in order to use the sfc utility'. This step ensures SFC can access protected files and the Component Store.
Run sfc /scannow
Type `sfc /scannow` and press Enter. SFC immediately begins scanning all protected system files. It first reads the registry to locate the Component Store. Then it iterates through each file in the protection catalog, calculates its hash, and compares it to the stored hash. For each mismatch, it logs the file and attempts repair by copying from the Component Store. The process may take 15-30 minutes. A progress bar shows the percentage complete.
Interpret the Results
After completion, SFC displays one of four messages: 'Windows Resource Protection did not find any integrity violations' (exit code 0), 'Windows Resource Protection found corrupt files and successfully repaired them' (exit code 1), 'Windows Resource Protection found corrupt files but was unable to fix some of them' (exit code 2), or 'Windows Resource Protection found corrupt files and successfully repaired them. Details are included in the CBS.Log' (exit code 3 requiring reboot). If repairs were made, a reboot is often required.
Check CBS.log for Details
If SFC reports unfixable files, examine the CBS.log file. Open an elevated Command Prompt and run `findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > sfcdetails.txt`. Open `sfcdetails.txt` in Notepad. Look for lines containing 'Cannot repair member file'. These lines indicate files that could not be repaired because the Component Store copy is also corrupt. Note the exact file paths.
Run DISM to Repair Component Store
If SFC cannot repair files, the Component Store likely needs repair. Run `DISM /Online /Cleanup-Image /RestoreHealth`. This command connects to Windows Update to download fresh copies of system files. If you have no internet, specify a source using `/Source` parameter with installation media. After DISM completes, run `sfc /scannow` again. This two-step process resolves most corruption issues.
In a large enterprise environment, System File Checker is a standard tool for troubleshooting mysterious system crashes, application failures, or security alerts. For example, a financial firm experiences random Blue Screen of Death (BSOD) errors on several workstations. The helpdesk runs sfc /scannow on each machine. On one machine, SFC reports corrupt ntoskrnl.exe and win32k.sys. The technician runs DISM to repair the Component Store, then SFC again, and the BSODs stop. In another scenario, a hospital's electronic health records system fails to launch. The IT team suspects a corrupted system file. They run sfc /verifyonly remotely via PowerShell to check integrity before making changes. The scan reveals multiple corrupted files in C:\Windows\System32. They then schedule an offline SFC scan during maintenance windows to avoid disrupting operations. In cloud environments with virtual machines, SFC can be run from the host using offline repair if the VM fails to boot. For instance, an Azure VM becomes unresponsive. The administrator attaches the OS disk to a recovery VM, runs sfc /scannow /offbootdir=D:\ /offwindir=D:\Windows, and repairs the system. Performance considerations: On a typical workstation with 100,000+ protected files, SFC uses minimal CPU and disk I/O (low priority). However, on servers with heavy I/O, it's best to run during off-peak hours. Common misconfigurations: Running SFC without administrative privileges, failing to run DISM first when SFC fails, and ignoring the CBS.log details. Also, some technicians mistakenly believe SFC can fix registry or driver issues—it cannot. SFC only repairs protected system files.
The CompTIA A+ 220-1102 exam tests SFC under Objective 3.1: 'Given a scenario, use Microsoft Windows operating system features and tools to troubleshoot Windows issues.' Specifically, you need to know:
The correct syntax: sfc /scannow (not sfc /scan or sfc /repair).
That SFC requires an elevated command prompt.
The relationship between SFC and DISM: DISM repairs the Component Store, SFC repairs files.
The three main exit messages (no violations, repaired, some not repaired).
That SFC can be run offline via /offbootdir and /offwindir.
Common wrong answers:
1. 'Run sfc /scannow from a standard command prompt' – SFC requires admin rights.
2. 'SFC can repair any corrupted file' – It only repairs protected system files.
3. 'If SFC fails, run it again immediately' – The correct step is to run DISM first.
4. 'SFC can fix registry errors' – No, it only checks system files.
Exam traps:
The question might describe a scenario where a user cannot boot Windows. The correct answer is to boot into Recovery Environment and run SFC with offline switches.
The question might list multiple tools: SFC, DISM, CHKDSK. Know which tool addresses which problem: SFC for system files, DISM for Component Store, CHKDSK for file system errors.
The exam may ask for the log file location: %windir%\Logs\CBS\CBS.log.
The exam may test that SFC cannot repair files if the Component Store is corrupt.
To eliminate wrong answers, focus on the underlying mechanism: SFC compares hashes and replaces from a local cache. If the cache is corrupt, DISM must fix it first. Any answer that skips this dependency is wrong.
SFC scans and repairs protected Windows system files using the local Component Store.
Always run SFC from an elevated Command Prompt.
If SFC fails, run DISM /Online /Cleanup-Image /RestoreHealth first, then SFC again.
SFC logs are located at %windir%\Logs\CBS\CBS.log.
Use sfc /verifyonly to check integrity without making changes.
For offline repairs, use sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows.
SFC cannot repair registry errors, drivers, or user data.
SFC exit codes: 0 (no violations), 1 (repaired), 2 (some not repaired), 3 (reboot required).
These come up on the exam all the time. Here's how to tell them apart.
SFC (System File Checker)
Scans and repairs protected system files only.
Uses local Component Store (WinSxS) as source.
Command: sfc /scannow
Log file: CBS.log
Cannot repair Component Store itself.
DISM (Deployment Image Servicing and Management)
Repairs the Component Store and system image.
Can use Windows Update or a /Source as source.
Command: DISM /Online /Cleanup-Image /RestoreHealth
Log file: DISM.log
Must be run before SFC if Component Store is corrupt.
Mistake
SFC can fix any Windows problem.
Correct
SFC only repairs protected system files. It cannot fix registry corruption, driver issues, malware, or user data.
Mistake
Running sfc /scannow from a standard command prompt works.
Correct
SFC requires administrative privileges. Without them, it returns 'You must be an administrator running a console session in order to use the sfc utility'.
Mistake
If SFC fails, running it again will eventually succeed.
Correct
If SFC fails because the Component Store is corrupt, repeated runs will fail. The correct step is to run DISM /RestoreHealth first.
Mistake
SFC repairs files by downloading them from Windows Update.
Correct
SFC only uses the local Component Store. DISM is the tool that downloads files from Windows Update.
Mistake
SFC can be run without rebooting after repairs.
Correct
Some repairs require a reboot. SFC will indicate if a reboot is needed (exit code 3).
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
It scans all protected Windows system files and replaces corrupted or missing versions with correct copies from the Component Store (WinSxS). It runs at low priority and logs results to CBS.log.
This usually means the Component Store copy is also corrupted. Run DISM /Online /Cleanup-Image /RestoreHealth to repair the Component Store, then run sfc /scannow again.
No. SFC requires administrative privileges. Right-click Command Prompt and select 'Run as administrator'.
The log is at %windir%\Logs\CBS\CBS.log. To extract only SFC entries, use: findstr /c:"[SR]" %windir%\logs\cbs\cbs.log > sfcdetails.txt
Boot from Windows installation media, select 'Repair your computer', then Troubleshoot > Advanced Options > Command Prompt. Use sfc /scannow /offbootdir=C:\ /offwindir=C:\Windows (adjust drive letters as needed).
No. SFC only repairs system files. For registry issues, use System Restore, registry backup, or other tools.
SFC repairs system files using the local Component Store. DISM repairs the Component Store itself, often by downloading fresh files from Windows Update. Run DISM first if SFC fails.
You've just covered System File Checker (sfc /scannow) — now see how well it sticks with free 220-1102 practice questions. Full explanations included, no account needed.
Done with this chapter?