System File Checker (SFC)
Catastrophic failure isn’t the
only risk to a system. You have to have a plan for recovery if you ever
become concerned that your computer has become compromised by bad guys.
Bad guys often gain access to computers through vulnerabilities in the
programs that are running on a computer. It is estimated that
approximately 1% of all software code written, even today, has
vulnerabilities. With Windows Vista having in the ballpark of
100,000,000 lines of code, that says there are approximately 1,000,000
vulnerabilities in the operating system alone. These are the doorways
that bad guys use to break into your computer.
Bad guys can also gain access
to a computer by having you run malware, like when your browser connects
to a website, or when you download and run that free copy of
Whack-a-mole from the Internet.
After a bad guy breaks into a
computer, one of the first things he tries to accomplish is to
strengthen his hold by having your computer download his collection of
malware. When the bad guy successfully implants his cocktail of Trojaned
software that runs at startup, your computer is said to be “rooted.”
The bad guy’s software that
gets installed on your computer is usually composed of several
operating system files that he has “Trojaned” by adding extra
software to them. This additional software allows him to connect to your
computer without going through the standard access controls, like
logging in. These access control bypass mechanisms are called backdoors.
The
bad guy uses the operating system files because the operating system
needs these programs running and launches them automatically at system
bootup. They are always available for the bad guy to use.
That’s the bad news.
The good news is that
Microsoft includes a command-line tool to help detect and repair
operating system files on your computer when they appear to be different
from the files that Microsoft releases. This tool is called the System File Checker (SFC); the executable is SFC.exe. It compares the following attributes of the system files on your computer to those that should be on your system:
Alert
SFC has several switches that it can use. Type SFC /? at a command prompt to view them.
SFC /scannow — Scans protected system files and repairs files that appear damaged.
SFC /verifyonly — Scans protected system files and reports on files that appear damaged. No repair is performed.
SFC /scanfile — Scans specified protected system files and repairs files that appear damaged.
SFC /verifyfile — Scans specified protected system files and reports on files that appear damaged. No repair is performed.
SFC /offbootdir — Performs an offline scan of the boot directory protected system files and repairs files that appear damaged.
SFC /offwindir — Performs an offline scan of the Windows directory protected system files and repairs files that appear damaged.
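The idea behind SFC is a comparison of the files on disk against a known-good state. The following Python script is an added example, not code from the book or from Microsoft, that shows that idea on a small scale: it records a baseline for a directory of files, then re-checks the directory and reports anything modified, missing or added. Which attributes SFC itself compares is not listed on this page; the example uses file size and a SHA-256 digest, which is an assumption made for illustration, and the file names it creates are constructed sample data.

```python
# Added example (not from the book): a minimal file-integrity baseline that
# illustrates the idea behind SFC -- record a known-good state of a set of
# files and later report anything that differs. Which attributes SFC itself
# compares is not listed on this page; size and SHA-256 digest are used here
# as an assumption for illustration.
import hashlib
import os
import tempfile


def fingerprint(path):
    """Size plus SHA-256 digest of one file, hashed in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"size": os.path.getsize(path), "sha256": digest.hexdigest()}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def verify(root, baseline):
    """Re-fingerprint root and classify each path as modified, missing or added."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario in a temporary directory: baseline three files, then
    overwrite one with same-size different content, delete one, and add one."""
    with tempfile.TemporaryDirectory() as root:
        originals = {"a.dll": b"A" * 100, "b.exe": b"B" * 200, "c.sys": b"C" * 50}
        for name, data in originals.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Same size as before, different bytes: a size-only check would miss this,
        # the digest does not.
        with open(os.path.join(root, "a.dll"), "wb") as fh:
            fh.write(b"A" * 99 + b"X")
        os.remove(os.path.join(root, "c.sys"))
        with open(os.path.join(root, "extra.dll"), "wb") as fh:
            fh.write(b"E")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The same-size overwrite in demo() is the point of hashing rather than checking size or time stamps alone: a replaced file that keeps its length and has its time stamp reset looks unchanged to a cheap check, but its digest differs. A real baseline also has to be stored somewhere the machine being checked cannot alter, otherwise it can be rewritten along with the files.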
One Last “Oops...” to Deal With—Convert x: /FS:NTFS
Windows Vista (still) supports the FAT and NTFS file systems. Table 1 shows which Microsoft operating systems support which file systems.
Table 1. Supported File Systems in Windows Operating Systems

| OS | File Systems Supported |
|---|---|
| Windows NT 4.x | FAT16, NTFS |
| Windows 9x | FAT16, FAT32 |
| Windows ME | FAT16, FAT32 |
| Windows 2000 | FAT16, FAT32, NTFS |
| Windows XP | FAT16, FAT32, NTFS |
| Windows Server 2003 | FAT16, FAT32, NTFS |
| Windows Vista | FAT16, FAT32, NTFS |
| Windows Server 2008 | FAT16, FAT32, NTFS |
FAT is the acronym for File Allocation Table, which is how FAT file
systems keep track of files, their location on the hard drive, and
their basic attributes. The basic attributes are:
File name
File size
Read Only
Archive
System
Hidden
Directory (versus file object)
Time stamp (of last save)
Date stamp (of last save)
The FAT table is a linked
list table that is read sequentially when a file has been requested.
Floppy disks use FAT12. Hard disks can use FAT16 or FAT32. FAT16
partitions are limited to 4GB, whereas FAT32 partitions are limited to
2TB typically; however, Vista limits FAT32 partitions to 32GB.
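The basic attributes listed above and the linked-list FAT described in the last paragraph both have a concrete on-disk form. The Python below is an added example, not from the book: it decodes a 32-byte FAT16 short-name directory entry (name, attribute bits, last-write time and date, first cluster, size) and walks a file's cluster chain through the table until the end-of-chain marker, refusing to follow a chain that loops or points outside the table. The entry layout and marker values are the standard FAT16 ones; the sample table and sample entry are constructed here, and FAT12's 12-bit packed entries (used on floppies) are not handled by this walker.

```python
# Added example, not from the book: decode the basic attributes of a FAT16
# short-name directory entry (32 bytes) and follow a file's cluster chain
# through a constructed FAT. The layout is the standard FAT directory entry;
# the sample table and entry below are constructed for illustration.
import struct

# Attribute bits in byte 11 of the directory entry.
ATTR_FLAGS = {
    0x01: "Read Only",
    0x02: "Hidden",
    0x04: "System",
    0x08: "Volume Label",
    0x10: "Directory",
    0x20: "Archive",
}
FAT16_EOC = 0xFFF8   # any FAT16 entry >= this value means "last cluster of the file"
FAT16_BAD = 0xFFF7   # marks a bad cluster; must not appear inside a file's chain


def parse_dir_entry(raw):
    """Decode name, attributes, last-write time/date, first cluster and size."""
    if len(raw) != 32:
        raise ValueError("a short-name directory entry is exactly 32 bytes")
    name = raw[0:8].decode("ascii").rstrip()
    ext = raw[8:11].decode("ascii").rstrip()
    attr = raw[11]
    # bytes 22-23 time, 24-25 date, 26-27 first cluster (low word), 28-31 size
    wtime, wdate, first_cluster, size = struct.unpack_from("<HHHI", raw, 22)
    return {
        "name": f"{name}.{ext}" if ext else name,
        "attributes": [label for bit, label in ATTR_FLAGS.items() if attr & bit],
        "time": ((wtime >> 11) & 0x1F, (wtime >> 5) & 0x3F, (wtime & 0x1F) * 2),
        "date": (1980 + ((wdate >> 9) & 0x7F), (wdate >> 5) & 0x0F, wdate & 0x1F),
        "first_cluster": first_cluster,
        "size": size,
    }


def cluster_chain(fat, first_cluster):
    """Walk the FAT linked list from first_cluster to the end-of-chain marker.
    fat is a list of 16-bit entries indexed by cluster number. Clusters 0 and 1
    are reserved, so a pointer there, a pointer past the table, a bad-cluster
    mark, or a cycle is treated as corruption instead of being followed."""
    chain, seen, cur = [], set(), first_cluster
    while cur < FAT16_EOC:
        if cur < 2 or cur >= len(fat) or cur == FAT16_BAD or cur in seen:
            raise ValueError(f"corrupt chain at cluster {cur:#06x}")
        seen.add(cur)
        chain.append(cur)
        cur = fat[cur]
    return chain


def make_entry(name, ext, attr, hms, ymd, first_cluster, size):
    """Build a 32-byte entry (used only to construct sample data here)."""
    h, m, s = hms
    y, mo, d = ymd
    wtime = (h << 11) | (m << 5) | (s // 2)
    wdate = ((y - 1980) << 9) | (mo << 5) | d
    return (name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
            + bytes([attr]) + bytes(10)
            + struct.pack("<HHHI", wtime, wdate, first_cluster, size))


# Constructed sample: clusters 2->3->4 hold one file; 6 and 7 point at each other.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 7, 6] + [0] * 8
SAMPLE_ENTRY = make_entry("README", "TXT", 0x01 | 0x20, (14, 30, 10), (2008, 3, 15), 2, 1500)

if __name__ == "__main__":
    print(parse_dir_entry(SAMPLE_ENTRY))
    print(cluster_chain(SAMPLE_FAT, 2))
```

Note that FAT time stamps have only two-second resolution (the seconds field is stored halved), and the directory entry says nothing about who owns the file, which is one of the things NTFS adds. The cycle check in cluster_chain is what keeps a forensic or recovery tool from spinning forever on a damaged table.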
Of course, NTFS
is substantially superior to FAT in many ways. NTFS is faster for large
volumes and file counts. NTFS is managed by something called the Master
File Table (MFT), which is similar in structure to a relational database
that holds all information about a file. NTFS volumes are limited to
16TB and can contain over 4 billion individual entries.
NTFS is the default file
system for all Windows Vista editions. It is the suggested file system
for all newly created volumes due to all the support features added to
NTFS.
NTFS volumes support all the basic attributes, plus additional extended attributes that include
It is possible to convert a
FAT partition into NTFS to be able to take advantage of all the great
bells and whistles that NTFS has to offer.
The command to accomplish this is
Convert x: /FS:NTFS
where x: is the drive
letter of the FAT partition you want to convert to NTFS. This is
supposedly risk free, with no data loss. Practicality and common sense
both scream “Back up your system and data before converting the file
system!”
Note: How Do You Move Back to FAT?
It is not possible to convert or, more correctly, revert from NTFS back
to FAT. This is a destructive process. If you need to do this, you must
back up all data on the NTFS volume, delete the NTFS volume, create a
new partition, format the new partition with FAT, and then restore your
data from the backup onto the new FAT partition.
If the OS can dismount
the partition that you’re converting from FAT to NTFS, the conversion
could happen during your live session on the Windows Vista computer.
Typically, though, you receive a message that indicates the OS cannot
dismount the partition, and the conversion will occur at the next
reboot. When this happens, a flag gets set in the Registry to trigger
the conversion process when the OS is starting up.
If you execute the Convert x: /FS:NTFS
command on a computer and then change your mind for any reason, you
must edit the Registry to remove the flag that signals the file system
conversion.
To do this, launch the Registry Editor utility, Regedit.exe, and open the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
In its BootExecute value, change the data from
autoconv \DosDevices\x: /FS:NTFS
back to the default
autocheck autochk *
as shown in Figure 13.
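The Registry edit above can be checked and applied in code as well. The Python below is an added example, not from the book: it lists which drives have a conversion queued in BootExecute, and produces the cleaned-up value with the autoconv line removed and the default autocheck autochk * line restored. The key path and the default data are as the text gives them; the two winreg helpers only do anything on Windows (writing requires administrator rights), and the sample value used when the script is run elsewhere is constructed.

```python
# Added example, not from the book: inspect and clean up the BootExecute value
# that Convert uses to schedule a file-system conversion for the next reboot.
# The key path and the default data "autocheck autochk *" are as the text
# gives them; the pure functions below work on a list of strings so they can
# be run anywhere, and the two winreg helpers only do anything on Windows
# (run as an administrator to write).
import re
import sys

SESSION_MANAGER = r"SYSTEM\CurrentControlSet\Control\Session Manager"
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"
_DOSDEVICE = re.compile(r"\\DosDevices\\([A-Za-z]:)", re.IGNORECASE)


def pending_conversions(entries):
    """Drive letters with an autoconv line queued in BootExecute (REG_MULTI_SZ as a list)."""
    drives = []
    for line in entries:
        if "autoconv" in line.lower():
            match = _DOSDEVICE.search(line)
            drives.append(match.group(1).upper() if match else "?")
    return drives


def remove_pending_autoconv(entries):
    """Return BootExecute with every autoconv line dropped and the default
    autochk line present, which cancels a conversion that has not run yet."""
    kept = [line for line in entries if "autoconv" not in line.lower()]
    if not any(line.lower().startswith("autocheck autochk") for line in kept):
        kept.append(DEFAULT_BOOT_EXECUTE)
    return kept


def read_boot_execute():
    """Live value on Windows; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER, 0, winreg.KEY_READ) as key:
        value, _kind = winreg.QueryValueEx(key, "BootExecute")
    return list(value)


def write_boot_execute(entries):
    """Write the list back as REG_MULTI_SZ. Windows only, needs administrator rights."""
    if sys.platform != "win32":
        raise OSError("BootExecute only exists in the Windows registry")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, "BootExecute", 0, winreg.REG_MULTI_SZ, list(entries))


if __name__ == "__main__":
    # Constructed sample of what the value looks like with a conversion of D: queued.
    current = read_boot_execute() or [r"autoconv \DosDevices\D: /FS:NTFS"]
    print("pending:", pending_conversions(current))
    print("cleaned:", remove_pending_autoconv(current))
```

Run as is, the script only reads and prints; call write_boot_execute(remove_pending_autoconv(read_boot_execute())) from an elevated prompt to actually cancel the queued conversion. BootExecute is also a place worth including in the kind of baseline check discussed under SFC, since anything listed there runs before the desktop comes up.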