Dangers of sfc.exe
SFC (System File Checker) is a built-in tool that checks protected Windows binaries and identifies whether any of them have been manipulated (modified, replaced, corrupted, etc.). Sfc.exe will clearly tell you if someone replaced utilman.exe with cmd.exe, or if file corruption happened because of disk errors.
For many administrators, sfc.exe is the first tool to reach for when anything goes wrong, whether it is a BSOD, hangs, strange behavior or a suspected attack. The approach seems easy to justify and understand: the integrity of Windows files is critical and must never be compromised.
The common belief is that sfc.exe can never hurt you, especially since it has a handy, self-explanatory "/verifyonly" parameter that checks files without touching them, even if something is clearly wrong. At the same time, sfc.exe is one of the tools that can only be run as an administrator.
There is no workaround, no separate privilege check, no secret option. The tool checks whether the DOMAIN_ALIAS_RID_ADMINS group (BUILTIN\Administrators, S-1-5-32-544) is present in the token and exits if it is not, without even displaying help. I suppose it could work with the SeBackupPrivilege/SeRestorePrivilege combination instead, but that is my imaginary ideal tool, not the real SFC.
One interesting feature of SFC is its ability to check not only the running system but also an offline one. If you connect a suspect disk to your machine, you can scan it without booting the system you believe is broken or hacked (the /offbootdir and /offwindir parameters point sfc.exe at the offline volume). In theory this would require SFC to "understand" every single Windows version, past ones and future ones alike. How did Microsoft achieve it? Sfc.exe loads not only its own DLLs, but also some DLLs (such as SSShim.dll) from the system being diagnosed. In other words, each modern Windows system ships with built-in self-diagnostic code, and sfc.exe calls into it regardless of whether the diagnosed system is online or offline. This looks very smart in every scenario involving errors, bugs, random data corruption, and so on.
And what if SFC is used to diagnose a system after an attack, to check whether an adversary replaced some files? It could work, as long as the diagnostic DLLs remained intact: sfc.exe reports the replaced files, the admin learns more about the attack path, IoCs are identified, remediation is prepared, and the world is safe again. But if you face a smart attacker, your sfc.exe (even on a perfectly clean, fresh Windows installation) will load the malicious DLLs dropped on the infected volume. The checking machine is now infected as well, which is exceptionally productive for the attacker, since, as mentioned before, SFC runs only as an administrator.
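The following PowerShell script is an added example, not code from the original post. It ties together the three points above: it reproduces the BUILTIN\Administrators token check that sfc.exe performs, it inspects the DLLs sfc.exe would pull from the offline volume before the scan starts, and only then runs the documented offline verification (/verifyonly with /offbootdir and /offwindir). Everything about the suspect volume is an assumption made for illustration: it is mounted as D:, the servicing DLLs live under the offline System32 directory, and the list of names to check contains only SSShim.dll because that is the one the post mentions; extend it with whatever your own analysis of sfc.exe's imports on the target build shows.

```powershell
# Added example (not from the original post): verify the DLLs sfc.exe will load from a
# suspect offline volume before letting sfc.exe touch that volume at all.
# Assumptions (not stated on the page): the suspect volume is mounted as D:, the DLLs sfc.exe
# loads from the offline system live under <offwindir>\System32, and SSShim.dll is the only
# name the post gives, so $ServicingDlls is a placeholder list you extend yourself.
[CmdletBinding()]
param(
    [string]$OffBootDir = 'D:\',
    [string]$OffWinDir  = 'D:\Windows',
    [string[]]$ServicingDlls = @('SSShim.dll')
)

$ErrorActionPreference = 'Stop'

# 1. sfc.exe refuses to run unless BUILTIN\Administrators is present and enabled in the token
#    (a UAC-filtered, non-elevated token fails this test just like it fails sfc.exe).
$principal = [System.Security.Principal.WindowsPrincipal]::new(
    [System.Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'sfc.exe requires BUILTIN\Administrators in the token; run this from an elevated prompt.'
}

# 2. Compare every DLL sfc.exe would load from the offline system against the checking
#    machine's own copy. A SHA-256 match against the local file is the strongest signal;
#    if the builds differ, fall back to the Authenticode status. Caveat: most Windows system
#    DLLs are catalog-signed rather than embedded-signed, so a file from a foreign build can
#    legitimately show NotSigned on this machine. Treat that as "stop and look", not as
#    proof of tampering, but never as permission to run the scan anyway.
foreach ($name in $ServicingDlls) {
    $offline = Join-Path $OffWinDir "System32\$name"
    $local   = Join-Path $env:windir "System32\$name"

    if (-not (Test-Path -LiteralPath $offline)) {
        Write-Warning "$offline is missing; sfc.exe may fail or resolve the name elsewhere."
        continue
    }

    $offHash = (Get-FileHash -Algorithm SHA256 -LiteralPath $offline).Hash
    if ((Test-Path -LiteralPath $local) -and
        $offHash -eq (Get-FileHash -Algorithm SHA256 -LiteralPath $local).Hash) {
        Write-Host "OK   $name matches the local copy ($offHash)"
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $offline
    $isMicrosoft = $sig.SignerCertificate -and
                   $sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*'
    if ($sig.Status -ne 'Valid' -or -not $isMicrosoft) {
        throw ("$offline differs from the local copy and is not validly Microsoft-signed " +
               "(status: $($sig.Status)). Do not run sfc.exe against this volume from this machine.")
    }
    Write-Host "OK   $name differs from the local build but carries a valid Microsoft signature"
}

# 3. Only now hand the volume to sfc.exe. /verifyonly reports without repairing;
#    /offbootdir and /offwindir are the documented offline-scan switches.
& "$env:windir\System32\sfc.exe" /verifyonly "/offbootdir=$OffBootDir" "/offwindir=$OffWinDir"
exit $LASTEXITCODE
```

Run it from an elevated PowerShell on the checking machine, for example `.\Check-OfflineSfc.ps1 -OffBootDir 'E:\' -OffWinDir 'E:\Windows'` if the suspect disk landed on a different letter. The script is a gate, not a guarantee: it only covers the names you put in `$ServicingDlls`, and a hash or signature check on a volume an attacker controlled is still evidence gathered from hostile ground. If the volume is genuinely suspected of compromise, the safer habit is to run the offline scan from a disposable analysis VM rather than from a production workstation, so that a DLL slipping past the check infects nothing you care about.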
Does this mean sfc.exe should not be used? Of course not. The tool is valuable and genuinely helps admins around the world. But if you want to use it as a weapon against a skilled threat actor, it may easily turn against you. You have been warned.