Prevent SFC and DISM Automatic Repairs


Sheikh

Hi everyone!

I'm working on another highly customized version of Windows, and I want to prevent both automatic SFC and DISM repair operations, as they would restore the original system files and overwrite my modifications.

I also want to block users from running SFC and DISM repair commands manually. What would be the best way to achieve this?
 
Windows Build/Version: 26H1

Disconnect from the internet or use Linux.
 

Presumably with the customisation choice you've made, you will have Windows update completely disabled.

As for blocking specific exe files, as you have Pro, consider using Group Policy:

[Attached image: 1.webp]

Note: all customisations I've made are done specifically so as not to have implications for repairs, updates or upgrades.
I use Vista icons, pastel backgrounds, translucent titlebars, Open Shell with a Win 7 Orb, and of course a taskbar arranged as per Win 10.
 
The best way to prevent users from running DISM and SFC is to just not give them admin rights. Second best, I guess, would be to deny them access to the executables by adding a deny entry to the ACL for each.
 

Remove WinSXS. Problem solved!

But seriously, if you're afraid that a component-based repair will clobber the DLL files you've replaced on the filesystem, then you must be afraid of getting Monthly Updates. Because those can introduce patched files, which may end up overwriting your custom files.

A better solution is to keep track of the handful of DLL files you're replacing, and have a script to copy those files back from a backup folder.
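
The backup-and-restore script suggested in the reply above could look like the following. This is an added example, not code from any poster in the thread: the manifest layout, the function names and the demo file names are assumptions, and the demo runs only against constructed files in a temp folder. Used on real system files, it assumes an elevated session that has write access to the targets.

```powershell
# Added example: report which tracked files no longer match their backup copy,
# then copy the backup over them. Demo paths are constructed in a temp folder.
function Get-TrackedFileDrift {
    param([Parameter(Mandatory)] [hashtable] $Manifest)   # live path -> backup path
    foreach ($live in $Manifest.Keys) {
        $backup = $Manifest[$live]
        if (-not (Test-Path -LiteralPath $backup -PathType Leaf)) {
            throw "Backup copy missing: $backup"
        }
        $want  = (Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash
        $state = 'Missing'                      # live file was deleted
        if (Test-Path -LiteralPath $live -PathType Leaf) {
            $have  = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash
            $state = if ($have -eq $want) { 'Match' } else { 'Changed' }
        }
        [pscustomobject]@{ Live = $live; Backup = $backup; Want = $want; State = $state }
    }
}

function Restore-TrackedFile {
    param([Parameter(Mandatory, ValueFromPipeline)] $Drift)
    process {
        if ($Drift.State -eq 'Match') { return }
        Copy-Item -LiteralPath $Drift.Backup -Destination $Drift.Live -Force
        # Re-hash instead of trusting the copy: in-use or ACL-protected targets can fail.
        $after = (Get-FileHash -LiteralPath $Drift.Live -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($after -eq $Drift.Want) { "Restored $($Drift.Live)" }
        else { Write-Error "Restore failed for $($Drift.Live)" }
    }
}

# Constructed demo data (hypothetical file names).
$root = Join-Path ([IO.Path]::GetTempPath()) 'tracked-demo'
$liveDir = Join-Path $root 'live'; $backupDir = Join-Path $root 'backup'
New-Item -ItemType Directory -Force -Path $liveDir, $backupDir | Out-Null
Set-Content -LiteralPath (Join-Path $backupDir 'a.dll') -Value 'custom build A'
Set-Content -LiteralPath (Join-Path $backupDir 'b.dll') -Value 'custom build B'
Set-Content -LiteralPath (Join-Path $liveDir 'a.dll') -Value 'stock file put back by a repair'
Copy-Item -LiteralPath (Join-Path $backupDir 'b.dll') -Destination (Join-Path $liveDir 'b.dll')

$manifest = @{
    (Join-Path $liveDir 'a.dll') = Join-Path $backupDir 'a.dll'
    (Join-Path $liveDir 'b.dll') = Join-Path $backupDir 'b.dll'
}
$drift = Get-TrackedFileDrift -Manifest $manifest
$drift | Format-Table State, Live -AutoSize
$drift | Restore-TrackedFile
```

Running only the drift report after a repair or a monthly update shows which of the tracked files were replaced before anything is copied back.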
 
