Gandalf_The_Grey

Level 21
Verified
Starting today, Windows 10 users are finding that the /sfc scannow feature is no longer working and that it states it found, but could not fix, corrupted Windows Defender PowerShell files.

The Windows System File Checker tool, commonly known as SFC, has a /scannow argument that will check the integrity of all protected Winodws system files and repair any issues that are found.

As of this morning, users in a wildersecurity.com thread have started reporting that when they run sfc /scannow, the program is stating that "Windows Resource Protection found corrupt files but was unable to fix some of them." I too was able to reproduce this issue on a virtual machine with Windows Defender configured as the main antivirus program.

sfc /scannow error

sfc /scannow error

The full text of what users are seeing when they run this command can be read below:
Beginning system scan. This process will take some time.​
Beginning verification phase of system scan.​
Verification 100% complete.​
Windows Resource Protection found corrupt files but was unable to fix some of them.​
For online repairs, details are included in the CBS log file located at​
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline​
repairs, details are included in the log file provided by the /OFFLOGFILE flag.​

According to the CBS.log file, SFC is stating that the hashes for the Windows Defender PowerShell components located in the C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender are not matching their corresponding files in the WinSxS folder.

CBS Log

CBS Log

The strange thing, though, is that when checking with the fsutil hardlink list command, it is reporting that these files are properly linked, so the hashes should be the same.

While yesterday was the July 2019 Patch Tuesday updates, this does not appear to be related to the latest Windows 10 1903 KB4507453 cumulative update or the Windows 10 KB4507469 update as I do not have those installed.

Instead, it appears to be related to the latest definition updates for Windows Defender, which were released this morning and are version 1.297.823.0.

Current Windows Defender Definitions

Current Windows Defender Definitions

Some users have reported being able to fix the error by running the following DISM commands:
Code:
DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth
For those who do not wish to use these commands, you can wait for Microsoft ro resolve the issue.