File Checker is supposed to perform this check in an automated fashion, and
it does for Windows XP (at least on every XP machine I've tested recently).
Unfortunately it fails on every tested Windows 2000 machine, but it does not
provide any detailed information about the failures.
I agree with you. W2K SFC could be more informative.
Maybe you knew this already, but SFC logs information on the file names it
is complaining about in the Windows System Event Log. It does not
necessarily tell you the reason.
I believe SFC on any W2K system will find lots of "missing" and "invalid"
files. The fact that it "finds" these things does not mean your computer is
having a problem that needs to be fixed. This SFC issue is not necessarily
related to any other problem your computers may be experiencing. Also, WFP
and SFC are still helpful in checking your files; they just check lots of
other files as well.
I believe much of this is not because of missing certificates, but because
the catalog SFC uses might contain lots of extra files by design that are
not needed in your installation, or is incorrect, out of date or needs
refreshing. For example, on my system, it found lots of missing files such
as c:\winnt\system32\agt0804.dll that my system does not seem to need to
function properly. The problem can also occur if your system administrators
have intentionally deleted "unsafe" files like TFTP.EXE from your
\system32\dllcache\ folder, or put restrictive file ACL permissions on them, to
prevent WFP from replacing the files and a hacker from using them, or if methods
other than the approved ones below have been used to distribute updated
Windows files:
http://www.microsoft.com/whdc/winlogo/drvsign/wfp.mspx
How SFC / WFP checks files is described somewhat here:
http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=38776
and here:
http://answers.google.com/answers/threadview?id=8227
"The following files are consulted:
Winnt\System32\CatRoot\SYSMAST.*
Winnt\System32\CatRoot\{F750...295EE}\CATMAST.*
Winnt\System32\CatRoot\{F750...295EE}\HASHMAST.*
Winnt\System32\CatRoot\{F750...295EE}\NT5.CAT"
I believe .CAT files like NT5.CAT contain lists of file hashes, but no file
names. NT5.CAT also mentions "VeriSign Time Stamping Service Root" which
may relate to the "VeriSign Time Stamping CA" cert Windows requires. New
patches install new *.CAT files containing new valid file hashes into the
CatRoot folder, but the article below suggests these are not used by a
manual SFC check:
http://www.winnetmag.com/Article/ArticleID/27471/27471.html
If you are asking how do you fix this issue with SFC finding lots of
"missing" files, I think the answer is you don't. It's an annoyance by
design, but by itself isn't proof that your system is broken or needs
fixing. If you're having other problems besides SFC, remind us of the
details and we can look at those.
Other SFC information and known issues are listed here:
http://labmice.techtarget.com/windows2000/FileMgmt/WFP.htm
The technical question:
How to identify missing security certificates in Windows 2000?
The certificates that could affect SFC are the six certs mentioned in the MS
article you mentioned in your first post, plus the three certs mentioned in
the article I posted.
You seem to think that because that article did not solve your problem, there
must be other missing certificates that Microsoft is not telling you about. I
believe this is not the case. So, if you have already confirmed you have no
relevant missing certificates, then you don't need to check for missing
certificates, or ask here how to do so. If you are sure all the certs in that
article are in place and have the right dates, then I don't think your problem
is identifying missing certs.
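As an added example (not part of the original thread, and not anything Microsoft ships), here is a Windows PowerShell 5.1 script that automates the three checks the reply above describes: whether the catalog files SFC consults are present under CatRoot, which VeriSign/Microsoft root certificates are installed and with what validity dates, and which file names Windows File Protection has logged to the System event log, plus the ACL on TFTP.EXE in dllcache. Assumptions, all labelled in the code: the WFP event source is named 'Windows File Protection'; the {F750...295EE} folder is discovered by recursion rather than hard-coded, since its GUID is elided in the thread; and Windows PowerShell 5.1 is available, which it is not on Windows 2000 itself, where the same checks are done by hand in Event Viewer, certmgr.msc and Explorer.

```powershell
# Added example for the SFC/WFP thread above. Not Microsoft code.
# Assumes Windows PowerShell 5.1 and an elevated prompt (dllcache and the
# System log are restricted). Event source name is an assumption.

$CatRoot  = Join-Path $env:SystemRoot 'System32\CatRoot'
$DllCache = Join-Path $env:SystemRoot 'System32\dllcache'
$WfpEventSource = 'Windows File Protection'   # assumed source name

# 1. Catalog files the thread lists as consulted by SFC. The GUID subfolder
#    ({F750...295EE}) is found by recursion, not hard-coded.
function Get-SfcCatalogStatus {
    foreach ($name in 'SYSMAST.*', 'CATMAST.*', 'HASHMAST.*', 'NT5.CAT') {
        $hits = Get-ChildItem -Path $CatRoot -Recurse -Filter $name -File -ErrorAction SilentlyContinue
        if ($hits) {
            foreach ($h in $hits) {
                [pscustomobject]@{ Status = 'present'; Name = $h.Name; Modified = $h.LastWriteTime; Path = $h.FullName }
            }
        } else {
            [pscustomobject]@{ Status = 'MISSING'; Name = $name; Modified = $null; Path = $CatRoot }
        }
    }
}

# 2. Root certificates relevant to the thread (VeriSign time-stamping roots,
#    Microsoft roots), with dates so the "right dates" question can be answered.
function Get-SfcRelevantCert {
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -match 'VeriSign|Microsoft' } |
        Sort-Object NotAfter |
        Select-Object Subject, NotBefore, NotAfter, Thumbprint,
                      @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }
}

# 3. File names WFP wrote to the System log. The thread notes SFC logs the
#    names but not the reason; this pulls the paths out of the message text.
function Get-WfpLoggedFile {
    $events = Get-EventLog -LogName System -Source $WfpEventSource -ErrorAction SilentlyContinue
    $events |
        ForEach-Object { [regex]::Matches($_.Message, '[A-Za-z]:\\[^\s"'']+') } |
        ForEach-Object { $_.Value } |
        Sort-Object -Unique
}

# 4. Has an administrator removed or locked down TFTP.EXE in dllcache, as the
#    thread suggests some shops do? Report the ACL if the file is there.
function Get-DllCacheTftpState {
    $p = Join-Path $DllCache 'tftp.exe'
    if (-not (Test-Path -LiteralPath $p)) {
        return [pscustomobject]@{ File = $p; State = 'not present in dllcache' }
    }
    (Get-Acl -LiteralPath $p).Access |
        Select-Object @{ n = 'File'; e = { $p } }, IdentityReference, FileSystemRights, AccessControlType
}

'== Catalog files under {0} ==' -f $CatRoot
Get-SfcCatalogStatus | Format-Table Status, Name, Modified, Path -AutoSize

'== VeriSign / Microsoft root certificates =='
Get-SfcRelevantCert | Format-Table Expired, NotBefore, NotAfter, Subject -AutoSize -Wrap

'== Files named in {0} events (System log) ==' -f $WfpEventSource
Get-WfpLoggedFile

'== TFTP.EXE in dllcache =='
Get-DllCacheTftpState | Format-Table -AutoSize
```

A catalog file reported MISSING, or a required root showing Expired, narrows the question the thread is arguing about; a long list of paths from the event log with every catalog present and every certificate valid is the "annoyance by design" case the reply describes, not evidence of a broken system.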