NXLog Legacy Documentation

Windows Resource Checker

Windows Resource Checker, also known as System File Checker (sfc.exe), is a command-line tool that scans and verifies protected system files. If it detects any missing or incorrect files, it attempts to replace them from the DLL cache or the Windows installation source files. An SFC scan can help you troubleshoot crashes related to missing or corrupted operating system files. In addition, if executed regularly, it will help maintain system health by detecting problematic files early on.

The following command executes a scan and attempts to repair any incorrect files:

> sfc /scannow

The sfc.exe tool creates logging of its verification process in the CBS.log file under the %systemroot%\Logs\CBS directory. It logs an entry for each operation it executes, including successful and unsuccessful attempts to replace incorrect files. The Windows Modules Installer (WMI) service also writes logging to CBS.log; however, SFC logging can be identified by the [SR] tag. With a simple NXLog configuration, you can process this log file to extract SFC logs and parse records into structured data.

For more information on interpreting SFC log entries, see Analyze the log file entries that SFC.exe generates in Windows in the Microsoft documentation.

Example 1. Collecting and parsing Windows Resource Checker logs

This configuration uses the im_file input module to read the CBS.log file. The Exec block defined in the input module instance evaluates each log line against a regular expression. If the log line matches, it parses the $EventTime field using the parsedate() function and converts the record to JSON format by calling the to_json() procedure of the xm_json module. Otherwise, the log line is dropped.

This configuration will read logs written after the NXLog service is started. To process existing logs, take a look at the ReadFromLast and SavePos directives of the im_file input module.

nxlog.conf
<Extension json>
    Module    xm_json
</Extension>

<Input sfc_log>
    Module    im_file
    File      'C:\Windows\Logs\CBS\CBS.log'
    <Exec>
        if $raw_event =~ /(?<EventTime>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?<Level>\w+)\s+CSI\s+(?<ActionId>.+) \[SR\] (?<Message>.+)/
        {
            $EventTime = parsedate($EventTime);
            to_json();
        }
        else
        {
            drop();
        }
    </Exec>
</Input>
Input sample
2022-03-03 16:00:00, Info                  CSI    0000032c [SR] Cannot repair member file [l:18{9}]"MSDTC.LOG" of Microsoft-Windows-COM-DTC-Runtime, Version = 1607.1439.693, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
Output sample
{
  "EventReceivedTime": "2022-03-03T16:00:05.491905+01:00",
  "SourceModuleName": "sfc_log",
  "SourceModuleType": "im_file",
  "ActionId": "0000032c",
  "EventTime": "2022-03-03T16:00:00.000000+01:00",
  "Level": "Info",
  "Message": "Cannot repair member file [l:18{9}]\"MSDTC.LOG\" of Microsoft-Windows-COM-DTC-Runtime, Version = 1607.1439.693, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing"
}
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

Windows Server 2016 Standard
NXLog version 5.4.7431

Last revision: 3 March 2022