The latest Windows 10 update, version 1903, seems to be causing the sfc/scannow feature to crash.
According to many Windows 10 users, the sfc/scannow feature has stopped working. It is reported that after a recent Windows Defender update, it was unable to recover corrupted files.
What is sfc/scannow?
Sfc/scannow is a Windows system file scanning tool integrated into Windows 10. Its function is to scan Windows for missing or corrupt files and restore them. The SFC/scannow function is performed when some Windows features stop working or fail.
Although it works quite well at the beginning of the scan, it eventually stops with the error message “Windows Resource Protection detected corrupt files, but could not restore them“.
For online repairs, the details are in the CBS log file located at windirLogsCBSCBS.log. For example, C:WindowsLogsCBSCBS.log. When repairing offline, parts are included in the log file using the “/OFFLOGFILE” flag.
Apparently, SFC indicates in the CB.log file that the hashes of the Windows Defender PowerShell components do not match the corresponding files in the WinSxS folder.
The hashes are stored in the folder C:WindowsSystem32WindowsPowerShellv1.0ModulesDefender
Surprisingly, some users have reported that when scanning with the command: fsutil hardlink list, everything is fine with the links, and the hashes are also correct.
Getting to the root, the problem seems to be related to the latest Windows Defender update, version 1.297.823.0.
What is the meaning of this error?
This error means that the SFC has found corrupted files, but has been unable to repair them. For more information, Windows recommends checking the SFC log files. Using CBS log files, users can see that the problem may be due to a hash mismatch.
The full text of what users see when they run this command can be read below:
Start checking the system. This process will take some time.
Beginning of the system scan check phase.
The scan is 100% complete.
Windows Resource Protection detected corrupted files, but was unable to repair some of them.
For online repairs, details are included in the CBS log file, which can be found at
windir\Logs\CBS.log. For example, C:\Windows\Logs\CBS.log. For offline
repair details are included in the log file with the /OFFLOGFILE flag.
Specifically, the hashes of Windows Defender PowerShell components (in C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender) do not match the corresponding files in the WinSxS folder.
But strangely, when Windows checks with the fsutil hardlist command, it indicates that these files are correctly linked. So the hashes should match. One user reported that he didn’t install the cumulative Windows 10 1903 updates KB4507453 and KB4507469, but there is still an SFC scan in Windows 10 that can’t fix the files.
Microsoft confirms SFC problem
Microsoft has now drafted a support document confirming the issue. Microsoft claims that SFC incorrectly marks Windows Defender PowerShell module files as corrupt or damaged, resulting in the “Hashes for file element does not match” error message. In fact, the SFC scanner is not broken.
According to the support document, this is a known problem in Windows 10 version 1607 and above, Windows Defender version 4.18.1906.3 and above. According to Microsoft, the problem — Windows SFC now scans files that can’t be recovered — also affects the May 2019 update.
In the document, Microsoft provides a technical explanation :
“The Windows Defender PowerShell module files located in %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender come with the Windows image. These files are signed by directory. However, the Windows Defender management component has a new out-of-band update channel. This channel replaces the original files with updated versions that are signed with a Microsoft certificate trusted by the Windows operating system. Due to this change, the SFC reports file updates as “Hashes for file items do not match“.
How did users fix the bug?
Users have indicated that they can fix the error by running the following DISM commands:
DISM /Online /CleanupImage /CheckHealth
DISM /Online /CleanupImage /ScanHealth
DISM /Online /CleanupImage /CheckHealth
If you don’t want to use these commands, you can wait for Microsoft to fix the problem.
Frequently Asked Questions
- Click the "Search" button on your Windows computer. Enter CMD, then right-click on the command line and select Run as Administrator.
- Type SFC /scannow and press Enter.
- Wait for this process to complete.
- Click Start.
- Enter the command line in the search box.
- Right-click the first entry in the list of search results: Command Prompt.
- Click Run as administrator.
- In the UAC Alert window, click Next or Yes to allow this action.
- When the command prompt appears, type the command: sfc /scannow.
- Press Enter.
If there are errors on your hard drive, SFC Scannow may also be malfunctioning. In this situation, you can try to check the hard drive and solve the problem: Windows Resource Protection was unable to perform the requested operation.
The sfc /scannow command scans all protected system files and replaces corrupted files with a cached copy located in a folder compressed to %WinDir%\System32\dllcache. The filling symbol %WinDir% represents the folder of the Windows operating system.