SFC /scannow problem

  • Thread starter: Stephen

Stephen

When I try to run "SFC /scannow" on my daughter's PC, it does not run but
gives the following error message:

"Windows File Protection could not initiate a scan of protected system
files.
The specific error code is 0x000006ba [The RPC server is unavailable]."

Following possible leads from a Google search, I have checked three things
in trying to solve this:

1 That the RPC service is running ("Started, Automatic").
2 That the Verisign certificate is present (KB 296241).
3 That the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs is present.

In case it's relevant, I mention that until recently she was connecting to
the internet via her university network. Having now returned home, she is
connecting via our wireless router. We have changed settings (for example,
email proxy server) as appropriate to get this to work. I just wonder if
there is any other setting relevant to RPC that needs changing. (I have no
idea if SFC /scannow worked whilst she was at university.)

Does anyone have any suggestions?

Thanks,
Stephen
 
Stephen,

On the off chance you are attempting to run SFC /Scannow in safe mode, it
won't work - and this is by design. Try logging onto her computer as an
administrator in normal mode: tap the Ctrl-Alt-Del keys twice on the
welcome screen, type "Administrator" (no quotes) in the legacy Login box and
press Go (assuming no password has been assigned; by default it should be
blank). Be sure you have the Windows XP CD handy in the event SFC asks for it.
If still no joy, report back.



 
Thanks for the attempt to help, C.J. However, I'm not using safe mode. I can
log on as an administrator quite easily, but SFC does not run.
Stephen
 
Hmmm.. ok Stephen, new options to try:

Perform option 1 and if necessary option 2.

~~ Option 1. ~~

Let's reopen Regedit and then navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Look for the SFCDisable key and make sure its value is set to 0 (zero).

Reboot and try SFC /Scannow again. If it still doesn't work?

~~ Option 2. ~~

One other thought is: This trouble could be due to possible malware
infestation. See this link http://aumha.org/a/quickfix.htm first to
adequately prepare her PC for scanning.

Scan the PC first in "safe mode" and then in "Normal mode" using any
combination of Adaware SE (www.lavasoftusa.com), SuperAntiSpyware
(www.SuperAntiSpyware.com), or Spybot Search and Destroy
(www.safer-networking.org).

Download each. Install them and then update their definition files before
rebooting and scanning. Remove anything found by both programs.

Best of luck ... ohh and report back your results.

 
You are a hero, C.J.!

The value of the SFCDisable key was 0xffffff9d. When I changed this to zero,
SFC worked correctly.

Working on the assumption that this could have been changed by malware, I
scanned with (updated) Spybot, Adaware and SuperAntiSpyware in turn. I found
some tracking cookies (which I deleted) but nothing more sinister. My
daughter did have some trouble a while ago with "things not working
properly" whilst away at university, which were fixed for her by "computer
geek" friends. Could this have been malware of some kind, and the SFCDisable
key value change a legacy of that, I wonder?

Anyway, thanks very much for your help and advice which are much
appreciated.

Stephen
 
From http://www.updatexp.com/windows-file-protection.html
"It is interesting to note that the virus "W32/CodeRed.D", that caused so
much mayhem by shutting down Internet Servers in the summer of 2002, used
this very same undocumented setting to stop the Windows File protection
service from running. The virus could then release its Trojan payload to do
damage and replicate itself around the Internet!"

I have no doubt that CodeRed isn't the only malware to do this. Can't
imagine any legit application doing so.

--
Gary S. Terhune
MS-MVP Shell/User
www.grystmill.com
 
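An added example, not part of any post in this thread: a PowerShell audit of the SFCDisable value under the Winlogon key C.J. named, flagging anything other than 0 and calling out the 0xffffff9d value Stephen found. The function name Test-SfcDisable, its -Reset switch and the output fields are hypothetical; the only assumption about the setting is the thread's own, that 0 is the expected value.

```powershell
# Added example, not from the thread. Audits the SFCDisable value under the
# Winlogon key named in C.J.'s post. Assumption: 0 is the expected value, as
# in the thread; anything else is reported for review.
function Test-SfcDisable {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [switch]$Reset   # hypothetical switch: write 0 back after reporting
    )

    # The value Stephen reported in the thread.
    $threadValue = [Convert]::ToUInt32('ffffff9d', 16)

    try {
        $raw = (Get-ItemProperty -Path $KeyPath -Name 'SFCDisable' -ErrorAction Stop).SFCDisable
        # A REG_DWORD can come back as a signed Int32 (0xffffff9d shows as -99),
        # so normalise it to an unsigned 32-bit number before comparing.
        $value = [uint32]([int64]$raw -band [int64][uint32]::MaxValue)
    }
    catch {
        return [pscustomobject]@{
            Status   = 'Unreadable'
            ValueHex = $null
            Note     = "SFCDisable could not be read: $($_.Exception.Message)"
        }
    }

    if ($value -eq 0) {
        $status = 'Expected'
        $note   = 'SFCDisable is 0.'
    }
    elseif ($value -eq $threadValue) {
        $status = 'Disabled'
        $note   = 'Same value as in the thread, where SFC /scannow failed with 0x000006ba.'
    }
    else {
        $status = 'Review'
        $note   = 'Non-zero value; find out what set it.'
    }

    # Only write when asked to, and honour -WhatIf / -Confirm.
    if ($Reset -and $value -ne 0 -and
        $PSCmdlet.ShouldProcess("$KeyPath\SFCDisable", 'Set to 0')) {
        Set-ItemProperty -Path $KeyPath -Name 'SFCDisable' -Value 0 -Type DWord
        $note += ' Reset to 0; reboot before running SFC /scannow again.'
    }

    [pscustomobject]@{
        Status   = $status
        ValueHex = '0x{0:x8}' -f $value
        Note     = $note
    }
}

Test-SfcDisable                      # report only
# Test-SfcDisable -Reset -WhatIf     # preview the write without making it
```

Writing the value back needs an elevated prompt; the report-only call does not change anything.
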
Gary,

"I have no doubt that CodeRed isn't the only malware to do this. Can't
imagine any legit application doing so."

Quite so! It just makes me wonder (yet again!) why Microsoft puts into an
operating system such invitations to the bad guys.
Am I the only person who would willingly pay extra for a version of Windows
with fewer "features" - as long as it was solid and reliable?!

Thanks,
Stephen
 