Re: how to check windows system files integrity?
SANTANDER wrote:
| "Bill in Co." <not_really_here@earthlink.net> wrote in message
| news:e4fpUwBTIHA.1164@TK2MSFTNGP02.phx.gbl...
|> Run SFC at the prompt: Start, Run, sfc
|>
|> SANTANDER wrote:
|> > how to check windows system files integrity? (to be sure no files
|> > has been replaced or corrupted, after spyware screensaver
|> > removing).
|> >
|> > thanks.
| ------
| I tried run SFC, it show that plenty of files has been
| changed(replaced), but this due various upgrades, usually for newer
| file version.
To be fairly sure SFC will show only the changes you are interested in,
you'd have to run it immediately before the uninstall is done to prime
it. Accept all the changes & have it update its tables. Then, do the
uninstall & run SFC again-- immediately! The new set of changes is just
what the uninstall did. Here is what I usually post for it...
"START button, Run, SFC"
However, this tool needs a priming, which basically means to accept all
current changes. Its Settings, especially Search Criteria, may need
adjusting. You may look through its log, C:\Windows\SFCLOG.TXT, to see
what it's done. Also, there is a certain amount of confusion involved
with it, under the best of circumstances. For one thing, certain files
(like DrWatson.vxd, if you have it in the system tray) will always seem
to have changed. For another, it does not well handle version numbers
greater than 11 characters. Here are some articles...
http://support.microsoft.com/?kbid=185836 System File Checker
http://support.microsoft.com/?kbid=188186 SFC baseline
http://support.microsoft.com/?kbid=192832 SFC extracts wrong file
http://support.microsoft.com/?kbid=180465 Error Message: The File
Was Not Found. Verify That You Have Selected the
Correct 'Restore from' Location and Try Again
http://www.rickrogers.org/sfc.htm SFC use & problems
http://home.satx.rr.com/badour/html/using_sfc.html SFC use & problems
| I canceled SFC after short time without waiting it finished, since it
| is not possible to verify each file individually, due too many files
| has been changed, so it constantly prompt for action, I always
| clicked 'Ignore'.
Run it again & accept all changes-- or it never will do you any good!
You'll always wonder which changes are new & which are old otherwise!
| (In 'Settings' I've selected check for changed and
| deleted files, both options, and 'Prompt for backup').
| Just noticed for some changed files which SFC has found, that it has
| been changed but not for newer version, but for older. I'm not sure
| why this. for example:
|
| 'hh.exe' previous version - 4.73.8412
| 'hh.exe' current version - 4.72.7286 - older
Somewhere along the line that's what happened-- the newer one was
replaced with the older. You must run SFC before & after each install &
uninstall to know which did what. My own hh.exe shows up in at least 10
SFC reports. Here is the last mention...
[E:\OPTIONS\CABS]
HH.EXE Updated 5.2.3644.0 6/10/02 5.2.3790.30 4/13/05
No
And the actual current version of that file I have is...
5.2.3790.309 (srv03_gdr.050413-1540).
SO... SFC isn't great with that one! The version number is too big!
REALLY, you need something like...
http://www.pcmag.com/ 's InCtrl5 by Neil J. Rubenking. Besides showing
what files are changed during an in/un-install, it will say what
Registry keys have changed. It even can say what lines have changed
inside certain .txt & .ini files.
One also needs to do periodic full system backups. Even SFC doesn't save
files. It is only updating some kind of signature of the files. You
can't go back to an intermediate version of a file. You can only go back
to the original that is in the Windows .cab's. For instance, this is all
I've got for HH.exe...
Cabinet WIN98_45.CAB
04-23-1999 10:22:00p A--- 36,864 hh.exe
That goes way back!
| pidgen.dll, icwscrpt.exe, fixmapi.exe - replaced with the same
| version, but curent vers. is smaller size.
|
| and so on...
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
Should things get worse after this,
PCR
pcrrcp@netzero.net