Windows Resource Checker
Windows Resource Checker, also known as System File Checker (sfc.exe), is a command-line tool that scans and verifies protected system files. If it detects any missing or incorrect files, it attempts to replace them from the DLL cache or the Windows installation source files. An SFC scan can help you troubleshoot crashes related to missing or corrupted operating system files. In addition, if executed regularly, it will help maintain system health by detecting problematic files early on.
The following command executes a scan and attempts to repair any incorrect files:
> sfc /scannow
The sfc.exe tool logs its verification process to the CBS.log file in the %systemroot%\Logs\CBS directory.
It logs an entry for each operation it executes, including successful and unsuccessful attempts to replace incorrect files.
The Windows Modules Installer (WMI) service also writes to CBS.log; however, SFC entries can be identified by the [SR] tag.
With a simple NXLog Agent configuration, you can process this log file to extract SFC logs and parse records into structured data.
For more information on interpreting SFC log entries, see Analyze the log file entries that SFC.exe generates in Windows in the Microsoft documentation.
This configuration uses the im_file input module to read the CBS.log file.
The Exec block defined in the input module instance evaluates each log line against a regular expression.
If the log line matches, it parses the $EventTime field using the parsedate() function and converts the record to JSON format by calling the to_json() procedure of the xm_json module.
Otherwise, the log record is dropped.
This configuration reads only log entries written after the NXLog Agent service starts. To process existing entries as well, see the ReadFromLast and SavePos directives of the im_file input module.
<Extension json>
    Module    xm_json
</Extension>

<Input sfc_log>
    Module    im_file
    File      'C:\Windows\Logs\CBS\CBS.log'
    <Exec>
        if $raw_event =~ /(?<EventTime>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?<Level>\w+)\s+CSI\s+(?<ActionId>.+) \[SR\] (?<Message>.+)/
        {
            $EventTime = parsedate($EventTime);
            to_json();
        }
        else
        {
            drop();
        }
    </Exec>
</Input>
Input sample
2022-03-03 16:00:00, Info CSI 0000032c [SR] Cannot repair member file [l:18{9}]"MSDTC.LOG" of Microsoft-Windows-COM-DTC-Runtime, Version = 1607.1439.693, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
Output sample
{
    "EventReceivedTime": "2022-03-03T16:00:05.491905+01:00",
    "SourceModuleName": "sfc_log",
    "SourceModuleType": "im_file",
    "ActionId": "0000032c",
    "EventTime": "2022-03-03T16:00:00.000000+01:00",
    "Level": "Info",
    "Message": "Cannot repair member file [l:18{9}]\"MSDTC.LOG\" of Microsoft-Windows-COM-DTC-Runtime, Version = 1607.1439.693, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing"
}
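The same filtering and parsing logic in Python, as an added example that is not part of the NXLog documentation or the agent itself: it applies the configuration's regular expression to a constructed CBS.log excerpt, drops lines without the [SR] tag the way the Exec block's drop() does, and additionally flags entries that SFC could not repair. The RepairFailed field and the sample log lines are assumptions introduced here.

```python
import json
import re
from datetime import datetime

# Same pattern as the NXLog Exec block. CBS.log pads the Level and CSI columns
# with several spaces, which is why \s+ is used between them.
SR_LINE = re.compile(
    r"(?P<EventTime>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?P<Level>\w+)\s+CSI\s+"
    r"(?P<ActionId>.+) \[SR\] (?P<Message>.+)"
)

# Constructed CBS.log excerpt: a TrustedInstaller line without the [SR] tag
# (must be dropped), the unrepairable-file entry from the sample above, and a
# constructed completion entry.
SAMPLE_CBS_LOG = """\
2022-03-03 15:59:58, Info CBS TI: --- Initializing Trusted Installer ---
2022-03-03 16:00:00, Info CSI 0000032c [SR] Cannot repair member file [l:18{9}]"MSDTC.LOG" of Microsoft-Windows-COM-DTC-Runtime, Version = 1607.1439.693, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, file is missing
2022-03-03 16:00:01, Info CSI 0000032d [SR] Verify complete
"""


def parse_sr_line(line):
    """Return a record dict for an [SR] line, or None for lines to drop."""
    match = SR_LINE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    # parsedate() equivalent: CBS.log timestamps carry no UTC offset, so the
    # value is kept as naive local time in ISO 8601 form.
    record["EventTime"] = datetime.strptime(
        record["EventTime"], "%Y-%m-%d %H:%M:%S"
    ).isoformat()
    # Assumed extra field: "Cannot repair" entries are the ones worth alerting on.
    record["RepairFailed"] = record["Message"].startswith("Cannot repair")
    return record


def process_cbs_log(text):
    """Parse every line of a CBS.log excerpt, keeping only [SR] records."""
    return [r for r in (parse_sr_line(l) for l in text.splitlines()) if r]


def unrepaired_messages(records):
    """Messages of entries SFC could not repair, for follow-up or alerting."""
    return [r["Message"] for r in records if r["RepairFailed"]]


def to_json_lines(records):
    """One JSON document per line, mirroring to_json() in the NXLog config."""
    return "\n".join(json.dumps(r) for r in records)
```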