SFC logs when running from a repair disk

oldmuttonhead · 09 May 2011

Hi, everyone!

I have a Dell notebook wiht Win7 64-bit that is getting a BSOD (0xF4) and I'm fairly certain is was caused by a rootkit, although I'm not 100% certain. One debugger shows wininit.exe as the culprit and another shows the kernel itself. At any rate, the system will not boot. It gets to where the login dialog is about to show and gets the BSOD. It will not boot in safemode either.

Anyway, I've tested the hard drive and memory and I'm fairly certain that it is corrupted and/or rootkit files that is the problem. So I've booted to a Win7 repair disk and ran SFC and it tells me that files are corrupted and it can't fix them. Normally I would check the CBS.log file to see what's up, but I'm not sure where the log file is when running SFC from the repair disk. I've searched the "X" drive and the "C" drive, but there's no log files.

Is there anyway I can get to a log or make it create one somewhere so I can see what SFC's problem is and try to manually fix the files or something?

Thanks!

The Howling Wolves · 09 May 2011

Here a start for test and postings to run.
1. https://www.sevenforums.com/crashes-d...tructions.html
2.RAM - Test with Memtest86+
3. SF Diagnostic Tool - Using for Troubleshooting

Post back so the BSOD squad can help you.

oldmuttonhead · 09 May 2011

Ok.. I can't do either of step 1 or 3 because I cannot boot into Windows.

As I mentioned in my previous post, I already checked the RAM. (Actually, I checked it with Memtest86+)

My question really isn't about the BSOD. I already know what the error is and more than likely why I'm getting it. My question was more as a result of the BSOD, I believe I need to replace some system files that may have been corrupted.

I know when running SFC from within Windows it logs it's data to the CBS.log. However, I am running SFC after booting to a Windows 7 Repair Disk by using this command:

"sfc /offbootdir=c:\ /offwindir=c:\windows /scannow"

It is performing the scan and giving me the message:

"Windows Resource Protection found corrupt files but was unable to fix some of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log"

Normally in this case, I would go to the CBS.log file in the above location and look for entries from SFC. However, apparently when you run SFC from the repair disk it does not create a log in that location, or any other location that I can find. I did a "dir CBS.log /s" on the "C:\" drive and on the "X:\" drive that the repair disk creates (I'm assuming it's a RAM drive.) No CBS.log is to be found. (At least not one recently modified.. there is a CBS.log file on the C: drive, but it's not been modified since April.)

So, my question primarily is how do I get a log out of SFC so that I can figure out what files to replace?

Thanks!

markdemich · 07 Jul 2011

Did you ever solve this? I'm having the same issue with a Vista machine. I checked both places for cbs.log and can't find it.

spyderfreek · 20 Nov 2011

For future Googlers, I ran into this same problem and was able to solve it: you can redirect the log by using an environment variable. I'm my case, I did

set WINDOWS_TRACING_LOGFILE=C:\TEMP\CBS.log

Before running sfc. Also the recovery console doesn't have findstr, but you can easily use find instead to extract relevant entries from the log, like so:

find "[SR]" C:\TEMP\CBS.log > C:\TEMP\sfcdetails.txt

There, now you have a log! I hope the hours I spent on this help someone else.

Kaktussoft · 21 Nov 2011

X:\Windows\Logs\CBS\CBS.log
it is a hidden file! start notepad from command prompt and open it