During an investigation, your company's file-integrity monitoring platform flags multiple protected operating-system files on a Windows Server 2022 file server. The security team instructs you to verify, without making changes to the server, whether any protected system files have been altered, so that potential evidence is preserved. Which built-in Windows command should you run?
Running sfc /verifyonly launches the System File Checker in read-only mode. It calculates the hash of every Windows Resource Protection file and compares it with the catalog stored in %WinDir%\WinSxS, but it does not attempt to repair or replace files. This satisfies the requirement to confirm integrity while leaving forensic evidence intact.
sfc /scannow also checks hashes but immediately repairs discrepancies, which could overwrite evidence.
DISM /Online /Cleanup-Image /RestoreHealth repairs the component store rather than simply reporting integrity status.
chkdsk /scan (or any variant of chkdsk) inspects the NTFS file system and metadata, not the integrity of protected Windows binaries.