SFC /scannow problem

Stephen

When I try to run "SFC /scannow" on my daughter's PC, it does not run but
gives the following error message:

"Windows File Protection could not initiate a scan of protected system
files.
The specific error code is 0x000006ba [The RPC server is unavailable]."

Following possible leads from a Google search, I have checked three things
in trying to solve this:

1 That the RPC service is running ("Started, Automatic").
2 That the Verisign certificate is present (KB 296241).
3 That the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs is present.

In case it's relevant, I mention that until recently she was connecting to
the internet via her university network. Having now returned home, she is
connecting via our wireless router. We have changed settings (for example,
email proxy server) as appropriate to get this to work. I just wonder if
there is any other setting relevant to RPC that needs changing. (I have no
idea if SFC /scannow worked whilst she was at university.)

Does anyone have any suggestions?

Thanks,
Stephen
 
C J.

Stephen,

On the off chance you are attempting to run SFC /Scannow in safe mode, it
won't work - and this is by design. Try logging onto her computer as an
administrator in normal mode by tapping the Ctrl-Alt-Del keys twice on the
welcome screen; in the legacy Login box, type "Administrator" (no quotes) and
press Go (assuming no password has been assigned; by default it should be
blank). Be sure you have the Windows XP CD handy in the event SFC asks for it.
If still no joy, report back.
 
Stephen

Thanks for the attempt to help, C.J. However, I'm not using safe mode. I can
log on as an administrator quite easily, but SFC does not run.
Stephen

C J.

Hmmm.. ok Stephen, new options to try:

Perform option 1 and if necessary option 2.

~~ Option 1. ~~

Let's reopen Regedit and then navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Look for the SFCDisable key and make sure its value is set to 0 (zero).

Reboot and try SFC /Scannow again. If it still doesn't work?

~~ Option 2. ~~

One other thought is: This trouble could be due to possible malware
infestation. See this link http://aumha.org/a/quickfix.htm first to
adequately prepare her PC for scanning.

Scan the PC first in "safe mode" and then in "Normal mode" using any
combination of Adaware SE (www.lavasoftusa.com), SuperAntiSpyware
(www.SuperAntiSpyware.com), or Spybot Search and Destroy
(www.safer-networking.org).

Download each. Install them and then update their definition files before
rebooting and scanning. Remove anything found by both programs.

Best of luck ... ohh and report back your results.

Stephen

You are a hero, C.J.!

The value of the SFCDisable key was 0xffffff9d. When I changed this to zero,
SFC worked correctly.

Working on the assumption that this could have been changed by malware, I
scanned with (updated) Spybot, Adaware and SuperAntiSpyware in turn. I found
some tracking cookies (which I deleted) but nothing more sinister. My
daughter did have some trouble a while ago with "things not working
properly" whilst away at university, which were fixed for her by "computer
geek" friends. Could this have been malware of some kind, and the SFCDisable
key value change a legacy of that, I wonder?

Anyway, thanks very much for your help and advice which are much
appreciated.

Stephen


Gary S. Terhune

From http://www.updatexp.com/windows-file-protection.html
"It is interesting to note that the virus "W32/CodeRed.D", that caused so
much mayhem by shutting down Internet Servers in the summer of 2002, used
this very same undocumented setting to stop the Windows File protection
service from running. The virus could then release its Trojan payload to do
damage and replicate itself around the Internet!"

I have no doubt that CodeRed isn't the only malware to do this. Can't
imagine any legit application doing so.

--
Gary S. Terhune
MS-MVP Shell/User
www.grystmill.com
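
The registry check this thread converges on, written as an added example that is not part of any poster's message: it reads a regedit export of the Winlogon key offline and classifies SFCDisable. The function names and the sample export are constructed for illustration; only the values 0 (SFC worked) and 0xffffff9d (SFC failed) come from the thread, and every other value is simply flagged for review.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
REPORTED_DISABLED = 0xFFFFFF9D  # value reported in this thread; SFC ran again once set to 0
VALUE_RE = re.compile(r'"SFCDisable"\s*=\s*dword:([0-9a-f]{1,8})', re.IGNORECASE)


def decode_reg(raw: bytes) -> str:
    """Decode a regedit export: UTF-16LE with BOM (Version 5.00) or ANSI (REGEDIT4)."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")


def read_sfcdisable(reg_text: str):
    """Return SFCDisable from the Winlogon key as an int, or None if it is not exported."""
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Track which key section we are in; value names can repeat across keys.
            in_key = line[1:-1].lower() == WINLOGON.lower()
        elif in_key:
            match = VALUE_RE.fullmatch(line)
            if match:
                return int(match.group(1), 16)
    return None


def assess(value):
    """Map the value to (status, note). Only 0 and 0xFFFFFF9D are taken from the thread."""
    if value is None:
        return ("absent", "SFCDisable not in the export; check the live key")
    if value == 0:
        return ("ok", "the setting under which SFC /scannow worked in the thread")
    if value == REPORTED_DISABLED:
        return ("disabled", "the value found when SFC failed; treat as possible tampering")
    return ("review", f"unexpected value 0x{value:08x}; confirm who set it and why")


# Constructed sample export (not taken from the affected PC).
SAMPLE_EXPORT = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"
    '"Shell"="Explorer.exe"\r\n'
    '"SFCDisable"=dword:ffffff9d\r\n'
).encode("utf-16-le")

if __name__ == "__main__":
    found = read_sfcdisable(decode_reg(SAMPLE_EXPORT))
    print(assess(found))
```

Run it against a file saved with regedit's Export on the Winlogon key; a "disabled" or "review" result is a reason to scan the machine, as the replies above recommend, before simply resetting the value.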

Stephen

Gary,

"I have no doubt that CodeRed isn't the only malware to do this. Can't
imagine any legit application doing so."

Quite so! It just makes me wonder (yet again!) why Microsoft puts into an
operating system such invitations to the bad guys.
Am I the only person who would willingly pay extra for a version of Windows
with fewer "features" - as long as it was solid and reliable?!

Thanks,
Stephen

 
