After Microsoft released its Windows updates for July 9, 2019, the System File Checker (sfc) command for repairing broken files under Windows finds some damaged files but can't fix them. However, an analysis shows that this is not caused by the Windows 10 security updates released in July 2019. Instead, it seems that an updated signature file for Windows Defender has been causing this issue since July 10, 2019.
What is sfc about?
In Windows, you can use an administrative command prompt window to check the system for corrupted files. To do this, simply use the command:
sfc /scannow
If the command finds corrupted files, the System File Checker (sfc) should be able to repair them. However, it happens again and again that this repair isn't successful. This happened once more after Microsoft released the July 9, 2019 updates for Windows.
I already got a comment from German blog reader Marco on July 2, 2019, who posted it on my June 2018 blog post Windows Server 2016: Mai 2018-Update killt sfc. He found errors that sfc could not correct:
Status today July 2019 – just discovered more problems with SFC /scannow under Windows Server 2016 1607 (Build 14393.3025) – SFC hangs at 45% (since more than one day) – no improvement even after restart – DISM command ran before without problems – DISM /online /cleanup-image /restorehealth – warnings like "Primitive installers committed for repair" or "Failed to internally open package" appear in CBS.log. HRESULT = 0x800f0805 – CBS_E_INVALID_PACKAGE]" or "Failed to OpenPackage using worker session [HRESULT = 0x800f0805]".
Is anyone here familiar with anything?
Some hints for Windows 10
Yesterday I also noticed some comments from users at the German site deskmodder.de. The comments here and here report issues with sfc. One user ran sfc /scannow after installing the July 9, 2019 update on three Windows 10 V1903 systems and encountered issues: sfc found damaged files but could not fix them. Other users confirmed this in follow-up comments.
There are also comments within this thread at wildersecurity.com, where several users describe the same issue. Later I found this post from Susan Bradley at askwoody.com, which mentions the same issue:
Starting today, Windows 10 users are finding that the /sfc scannow feature is no longer working and that it states it found, but could not fix, corrupted Windows Defender PowerShell files.
Instead, it appears to be related to the latest definition updates for Windows Defender, which were released this morning and are version 1.297.823.0.
Susan wrote that the scan error is caused by the latest signature files for Windows Defender (version 1.297.823.0). She refers to the article here by colleague Lawrence Abrams on Bleeping Computer (see below).
Also issues in Windows 7?
German blog reader Dennis T. left a comment last night on my blog post Patchday: Updates für Windows 7/8.1/Server (9. Juli 2019), because he ran into a similar issue with Windows 7.
Yesterday I installed KB4507456 (Security Only) for Windows 7 for 32 bit and got an error message after running sfc /scannow. The log contains the files "tsgqec.dll" and "rdvidcrl.dll" which cannot be repaired (hash mismatch). Before installing KB4507456, sfc /scannow and dism /online /Cleanup-Image /scanhealth ran through cleanly. Here is my question and request: Did or can anyone run sfc /scannow after installing KB4507456 and tell if this is done without error message? I have tested 2 computers, both of them throw out the same error. Many thanks in advance.
But I'm not sure whether this is the same issue.
Analysis: Defender signature file is to blame
MVP colleague Lawrence Abrams also noticed the comments within this thread at wildersecurity.com. Abrams was then able to reproduce the issue in a virtual machine running Windows 10 with Windows Defender configured as virus protection. Surprisingly, he had not installed the July 2019 security updates on that machine. He described his findings in this article here.
(Screenshot: sfc /scannow error, Source: Bleeping Computer)
The above screenshot shows the error message. The sfc command stores its error messages in the following file:
C:\Windows\Logs\CBS\CBS.log
An evaluation by Abrams showed that sfc claimed that the file hashes of the Windows Defender PowerShell component files in the folder
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender
do not match the component files in the WinSxS folder. Abrams writes that the component files are referenced via hard links. The error messages about deviating hash values are therefore not plausible.
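To check whether the unrepairable files in CBS.log are confined to the Defender module folder, the [SR] entries can be triaged as shown here. This is an added example, not code from the original article or from Microsoft; the log excerpt and component names are constructed, and the function names are hypothetical.

```python
import re

# Folder named in the article. On a live system, pass os.listdir(DEFENDER_MODULE_DIR)
# as defender_files; the demo below uses a constructed listing instead.
DEFENDER_MODULE_DIR = r"C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender"

# Constructed CBS.log excerpt (not from a real system). Component names are
# placeholders; the field layout after the file name varies by Windows version.
SAMPLE_CBS_LOG = """\
2019-07-10 09:14:02, Info                  CSI    00004a11 [SR] Verifying 100 components
2019-07-10 09:14:05, Info                  CSI    00004a12 [SR] Cannot repair member file [l:19]'MSFT_MpThreat.cdxml' of Example-Defender-Component, version 10.0.0.0, arch amd64 in the store, hash mismatch
2019-07-10 09:14:05, Info                  CSI    00004a13 [SR] Cannot repair member file [l:19]'MSFT_MpThreat.cdxml' of Example-Defender-Component, version 10.0.0.0, arch amd64 in the store, hash mismatch
2019-07-10 09:14:09, Info                  CSI    00004a20 [SR] Cannot repair member file [l:20{10}]"tsgqec.dll" of Example-Other-Component, Version = 6.1.0.0 in the store, hash mismatch
2019-07-10 09:14:30, Info                  CSI    00004a31 [SR] Repair complete
"""

# sfc entries carry the [SR] tag; the file name is quoted with ' or ".
SR_UNREPAIRED = re.compile(
    r"\[SR\] Cannot repair member file \[[^\]]*\](['\"])(?P<file>.+?)\1"
    r" of (?P<component>[^,]+),"
)


def unrepaired_files(log_text):
    """Return {lowercased file name: (component, reason)}, de-duplicating repeats."""
    found = {}
    for line in log_text.splitlines():
        m = SR_UNREPAIRED.search(line)
        if m:
            reason = line.rsplit(",", 1)[-1].strip()  # text after the last comma
            found[m.group("file").lower()] = (m.group("component").strip(), reason)
    return found


def triage(log_text, defender_files):
    """Split unrepaired files into Defender-module names and everything else.

    Matching is by file name only, so treat the result as a first pass.
    """
    known = {name.lower() for name in defender_files}
    hits = unrepaired_files(log_text)
    return (sorted(f for f in hits if f in known),
            sorted(f for f in hits if f not in known))


if __name__ == "__main__":
    # Constructed stand-in for os.listdir(DEFENDER_MODULE_DIR)
    defender, other = triage(SAMPLE_CBS_LOG, ["Defender.psd1", "MSFT_MpThreat.cdxml"])
    print("In Defender module folder:", defender)
    print("Needs separate investigation:", other)
```

Files that land in the second list, such as the Windows 7 DLLs a reader reported, are not explained by the Defender module mismatch and need their own investigation.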
The colleagues from the German site deskmodder.de have also taken up the topic in this article. They write that there might be an error because the 32-bit and 64-bit hash values were wrongly compared.
In another analysis, Abrams writes that the problem is probably caused by the latest definition updates for Windows Defender to version 1.297.823.0, released on July 10, 2019. Some users then managed to repair the damaged files with the following DISM commands:
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
If that doesn't work, you have to wait and see whether Microsoft releases new definition updates for Windows Defender or otherwise corrects the issue.
Note: At the German site deskmodder.de, user DK2000 added this comment with his analysis of what happened with the Defender signature update KB4052623. Quote:
The point is not that 32bit was confused with 64bit, but that KB4052623 directly updates the files in the 64bit package, circumvents the component store, without updating the catalog. The component store doesn't know anything about the new files and still compares the old files. So sfc expects the old files here as well, just like DISM with RestoreHealth.
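A small model of why hard-linked files can still fail the check, as an added example that is not part of the original article or of Windows servicing code. It assumes, as a simplification of DK2000's description, that the update overwrites the file in place and that the store keeps a separately recorded hash; directory and function names are hypothetical.

```python
import hashlib
import os
import tempfile


def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def simulate_out_of_band_update():
    """Store copy + hard-linked projection + hash recorded at servicing time."""
    with tempfile.TemporaryDirectory() as root:
        # Hypothetical stand-ins for the WinSxS component folder and the
        # Modules\Defender folder; file contents are constructed.
        store = os.path.join(root, "store_component", "Defender.psd1")
        projected = os.path.join(root, "modules_defender", "Defender.psd1")
        os.makedirs(os.path.dirname(store))
        os.makedirs(os.path.dirname(projected))

        with open(store, "wb") as fh:
            fh.write(b"module version 1\n")
        os.link(store, projected)   # projection is a hard link to the store file
        recorded = sha256(store)    # hash the store metadata expects (assumed model)

        # Out-of-band update: opening with "wb" truncates and rewrites the same
        # file object, so both names change, but the recorded hash is not updated.
        with open(projected, "wb") as fh:
            fh.write(b"module version 2\n")

        return {
            "same_file": os.path.samefile(store, projected),
            "links_agree": sha256(store) == sha256(projected),
            "matches_recorded_hash": sha256(store) == recorded,
        }


if __name__ == "__main__":
    for check, result in simulate_out_of_band_update().items():
        print(f"{check}: {result}")
```

In this model both names still point at one file with identical content, yet the integrity check fails because it compares against the stale recorded hash rather than against the other link.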
Addendum: The issue has been fixed, see Microsoft fixes the Windows Defender sfc bug (August 2019).
Similar articles:
Patchday: Updates for Windows 7/8.1/Server (July 9, 2019)
Patchday Windows 10 Updates (July 9, 2019)
Windows Server 2016: May 2018 Update bricks sfc
Windows 10 V1703: Fix for DISM error 0x800F081F
these just came in, guenni
https://www.deskmodder.de/blog/2019/07/16/windows-10-juli-update-sfc-scannow-beschaedigte-dateien-gefunden-die-nicht-repariert-werden-koennen/
https://support.microsoft.com/help/4513240/
I can't confirm for sure if this is what's causing the same issues I'm seeing on Server 2019, but came across this after having to run these repairs for the 3rd time now and trying to find the WHY behind it.
Can confirm that for me, running dism's online repair worked, but that I had to supply source files for it by mounting install.wim from my installation media to get it to work (otherwise DISM remarks that it cannot find the source files, but only AFTER spending 20 minutes runnin…/sigh).
Hopefully a patch will be released that resolves this issue, because I'm fearing that every time a defender update applies, it's likely overwriting these source files causing SFC to report errors again.
It wouldn't be that big of a deal for me except that it also coincides with my backups failing (Datto), and I've had to run these repairs each time to get them working again.