System File Checker (SFC) incorrectly flags Windows Defender PowerShell module files as corrupted
This article describes an issue where System File Checker incorrectly flags Windows Defender PowerShell module files as corrupted.
Applies to: Windows Client
Original KB number: 4513240
The System File Checker (SFC) tool flags files that are located in the %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender folder as corrupted or damaged. When this issue occurs, you see error entries that resemble the following:
Hashes for file member do not match.
This is a known issue in Windows 10, version 1607 and later versions, and Windows Defender version 4.18.1906.3 and later versions up to version 4.8.1908.
The files for the Windows Defender PowerShell module that are located in %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender ship as part of the Windows image. These files are catalog-signed. However, the manageability component of Windows Defender has a new out-of-band (OOB) update channel. This channel replaces the original files with updated versions that are signed by using a Microsoft certificate that the Windows operating system trusts. Because of this change, SFC flags the updated files as "Hashes for file member do not match."
Future releases of Windows will use the updated files in the Windows image. After this change is implemented, SFC will no longer flag the files.
This issue is fixed in the version 4.8.1908 update of Windows Defender. After this update is applied, PowerShell files that are part of the Windows image are not changed, and the SFC tool no longer flags these files. Internet-connected computers that subscribe to the Windows Update channel automatically download and install this update.
To repair the Windows image files on computers that have been affected by this issue, use the DISM tool. To do this, open a Command Prompt window on the affected computer, and run the following commands:
dism /online /cleanup-image /restorehealth sfc /scannow
If these commands fail and generate an error message that resembles "File not found," make sure that the Install.wim file is accessible, and then run the following commands:
DISM /Online /Cleanup-Image /RestoreHealth /Source:WIM:c:\install.wim:1 /LimitAccess sfc /scannow
For more information about repair commands, see Repair a Windows image.