
Starting today, Windows 10 users are finding that the sfc /scannow feature is no longer working and that it states it found, but could not fix, corrupted Windows Defender PowerShell files.
The Windows System File Checker tool, commonly known as SFC, has a /scannow argument that will check the integrity of all protected Windows system files and repair any issues that are found.
As of this morning, users in a wildersecurity.com thread have started reporting that when they run sfc /scannow, the program is stating that "Windows Resource Protection found corrupt files but was unable to fix some of them." I too was able to reproduce this issue on a virtual machine with Windows Defender configured as the main antivirus program.

The full text of what users are seeing when they run this command can be read below:
Beginning system scan. This process will take some time.
Beginning verification phase of system scan.
Verification 100% complete.
Windows Resource Protection found corrupt files but was unable to fix some of them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.
According to the CBS.log file, SFC is stating that the hashes for the Windows Defender PowerShell components located in the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender folder do not match their corresponding files in the WinSxS folder.

The strange thing, though, is that when checking with the fsutil hardlink list command, it is reporting that these files are properly linked, so the hashes should be the same.
While yesterday was the July 2019 Patch Tuesday updates, this does not appear to be related to the latest Windows 10 1903 KB4507453 cumulative update or the Windows 10 KB4507469 update as I do not have those installed.
Instead, it appears to be related to the latest definition updates for Windows Defender, which were released this morning and are version 1.297.823.0.

Some users have reported being able to fix the error by running the following DISM commands:
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
For those who do not wish to use these commands, you can wait for Microsoft to resolve the issue.
Update 7/16/19: Microsoft released a support bulletin explaining that this was caused by an out-of-band update that is causing hash mismatches.
"The files for the Windows Defender PowerShell module that are located in %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender ship as part of the Windows image. These files are catalog-signed. However, the manageability component of Windows Defender has a new out-of-band update channel. This channel replaces the original files with updated versions that are signed by using a Microsoft certificate that the Windows operating system trusts. Because of this change, SFC flags the updated files as "Hashes for file member do not match."
Future releases of Windows will use the updated files in the Windows image. After that, SFC will no longer flag the files."
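The bulletin's explanation suggests a quick triage: a Defender module file that SFC flags but that still carries a valid Microsoft signature fits the benign case, while a flagged file with an invalid signature deserves a closer look. The PowerShell below is an added example, not code from this article or from Microsoft; matching CBS.log lines by file name and checking the certificate subject for "O=Microsoft Corporation" are simplifying assumptions.

```powershell
# Added example: triage SFC "hash mismatch" reports for the Defender module.
# Run from an elevated Windows PowerShell 5.1 prompt so CBS.log is readable.
$moduleDir = Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\Modules\Defender'
$cbsLog    = Join-Path $env:windir 'Logs\CBS\CBS.log'

# Collect CBS.log lines that carry the message quoted in Microsoft's bulletin.
$mismatchLines = @()
if (Test-Path -LiteralPath $cbsLog) {
    $mismatchLines = @(
        Select-String -LiteralPath $cbsLog -SimpleMatch -Pattern 'Hashes for file member' |
            ForEach-Object { $_.Line }
    )
}

$report = foreach ($file in Get-ChildItem -LiteralPath $moduleDir -File) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # Assumption: a mismatch line refers to this file if it contains the file name.
    $hits = @($mismatchLines | Where-Object {
        $_.IndexOf($file.Name, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    $flagged = $hits.Count -gt 0

    # Assumption: "Microsoft-signed" means a Valid status plus this subject string.
    $subject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $msSigned = ($sig.Status -eq 'Valid') -and ($subject -like '*O=Microsoft Corporation*')

    $verdict = if (-not $flagged) {
        'not flagged by SFC'
    } elseif ($msSigned) {
        'flagged, valid Microsoft signature (consistent with the bulletin)'
    } else {
        'flagged, signature not valid: investigate'
    }

    [pscustomobject]@{
        File            = $file.Name
        SignatureStatus = $sig.Status
        SignatureType   = $sig.SignatureType   # Catalog or Authenticode (embedded)
        # Number of names pointing at the same file data, including this one.
        HardLinks       = @(fsutil hardlink list $file.FullName).Count
        Verdict         = $verdict
    }
}

$report | Format-Table -AutoSize
```

CBS.log is rotated over time, so an empty result for `$mismatchLines` only means the current log holds no such entries; run it shortly after sfc /scannow.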
Thx Opera for the tip and stapp for provided info!

Comments
badtoad - 5 years ago
What do you guys do at Microsoft? We break stuff.
jmwoods - 5 years ago
Build definitions are now up to 1.297.843.0
Just ran sfc /VERIFYONLY and same issue.
Windows 10 1903 fully patched.
lolasdad - 5 years ago
and yet another reason to not trust micrshaft.
and to not to force updates more like a small child does.
waaaa.
jmwoods - 5 years ago
I found posts about this issue on Microsoft Community from 6 days ago, so it's been around for almost a week.
I was finally able to fix it by running SFCFix from Sysnative, and then running sfc /SCANNOW.
YMMV
DiamondsAreForever - 5 years ago
Some time ago, Windows updates seemed to be more reliable than Ubuntu updates because Microsoft guys were better. But now, with almost the same update schedule, I see this is not true.
jmwoods - 5 years ago
I found I was unable to run SFCFix on one of our installs (1809 - fully patched).
I mounted the Windows 10 installation ISO, ran Dism /Online /Cleanup-Image /RestoreHealth /Source:esd:E:\sources\install.esd:6 /limitaccess (where E: was my drive letter and 6 was my index* for Win 10 Pro).
* Note: Depending on whether you have install.esd or install.wim in the sources folder, you can get the index for your install by doing either of the following (E: was my drive letter)...
dism /Get-WimInfo /WimFile:E:\Sources\install.wim
dism /Get-WimInfo /WimFile:E:\Sources\install.esd
I then ran sfc /SCANNOW and it did not find any errors.
GBCounter - 5 years ago
Spent the better part of two weekends ago clean-reinstalling Windows over this. Could find nothing on it at the time, only to find issue returns after updating the new installation.
Even after fixing it (as follows) issue returns (I believe when Defender definitions update), so the OCD in me has to do it again:
* from elevated command prompt
sfc /scannow
[identifies "corrupted" Defender files that apparently aren't really corrupted]
DISM /Online /Cleanup-Image /RestoreHealth
[restores system file library so scannow can repair "corrupted" files]
sfc /scannow
[sfc now able to repair "corrupted" files when it finds them due to restored system file library]
sfc /scannow
[sfc should now run with no errors]
Good ol' Microsoft. THINK before you DO. ZERO respect for other people's time.
Rajvoh - 5 years ago
Did Microsoft post any patches for this issue? I have the same problem running server 2016 (ver 1607) - wanted to avoid using the DISM solution
ForestShadow - 4 years ago
Let me just say one thing.. I been a sys admin for 17 years and not ONE time has SFC /scannow EVER fixed anything with windows! It is complete BS. Why do you all suggest it fixes anything? It NEVER does! I have spent hours on end analyzing the tool and going through logs. IT DOESN'T DO ANYTHING EVER!!!!!! So don't waste your time with it. And the guy that suggested "SFCFix from Sysnative"... What a JOKE! that S**T doesn't work either! I've had 3 Windows 2016 Servers suffer from spinning dot at boot and everyone... and I mean everyone says run sfc /scannow and that will fix it.. Does not ever do anything.. This tool was dead from the start and you are a sucker if you try it! DON'T WASTE YOUR TIME LIKE I HAVE!!!!!!