Troubleshooting window systems that don't boot or perhaps have error message during the boot is something that you might have dealt with and while it may be expedient to reinstall in some cases being able to determine The phase of the boot process it's failing and performs some minor adjustment might get the system up and operating more quickly now some of the symptoms that you might Encounter error messages that might appear either during the boot process during the logon process.
Perhaps crashes bluescreens Spontaneous reboots system restarts that don't have any record of a level crash them and also hangs system freeze ups lock ups Also could be error messages during the logon process. These are some of the kinds of issues we're going to discuss in this program so the goal of fixing boot problems is identifying the root cause so that you can deal with it either remove the Component that's causing the problem update it fix it reconfigure it and some of the common causes of boot related problems include third-party drivers That are crashing during the boot applications that interfere with the logon process files that are corrupt on disk system files like operating system files driver files or data files that are used by the operating system to guide the boot and Now we're in viruses are more and more becoming a common reason for the systems to become unbootable or unstable during the logon process Now as I mentioned it might be the right solution to reinstall and that is certainly a reasonable approach especially in an environment Where you have disk images that can be quickly laid back out onto a client or server system But in some cases a lot of time and effort has gone into preparing a system setting up application settings that is not so easy to Repeat or reload? So in that case if you're able to isolate the problem causing the error message or the hang Being able to perform a surgical repair might be a more expedient approach So really the key to being able to troubleshoot boot and startup problems is understanding the boot process And the available tools to address issues during the boot process So we're gonna discuss in the remainder of our program first the boot process The various steps that Windows goes to from when you press the power key all the way up to logging on then we'll look at the main recovery mechanisms provided by the operating system and also A third-party tool written by Mark called ard commander that provides some advanced recovery capabilities not possible with the built-in mechanisms Finally, we'll look at a number of symptoms that can occur during the various stages of the boot process and what the solutions or at least the Plan of attack could be for trying to isolate and repair problems during the startup process Understanding of the boot process really begins first with understanding some of the terminology that Windows uses to describe some of the files and volumes related to the boot Really what you are going to see here is some of the worst Computer terminology ever created and that's if you're familiar with computers and terminology associated with computers and software That's a very big statement to make but I think once you see the definitions here that you'll agree with me the terminology I'm talking about is the description of the system volume and the boot volume that Windows uses the system volume is The label that Windows places on the volume that includes the boot files and boot files include things like the Master Boot Record boot sector The operating system loader where as the boot volume is the volume that windows labels For the volume that contains the system files it's where the windows directory is located and the Associated files underneath there like the operating system Image and system dll's and executables So really the system volume contains boot files the boot volume contains system files the complete opposite of what you would really expect sane terminology to Dictate now the boot process actually begins when you run Windows setup so part of the job of Windows setup is to lay down some foundation information on the volume that Will allow the boot process the various phases of the boot process to discover the system allow collecting various options that affect how the system will start and operate and then proceed to Load the necessary drivers and start the necessary processes So if you look at this graphic here, we've got eight major steps that we're going to examine Starting with a Master Boot Record followed by the boot sector the NT boot loader the operating systems initialization then the first user mode process the session manager the windowing system the logon process and its associated security server process and Service startup.
So let's take a closer. Look at each of these phases starting with the Master Boot Record the firmware of x86 and x64 hardware platforms is programmed to read the first sector of the active disk or the primary physical disk on the system into memory and beginning begin executing some code placed in that sector, which is called the Master Boot Record that code is programmed to What's called the partition table which consists of four entries that can describe the location of volumes on that primary physical disk one of those entries in the partition table is marked as the active partition which in other words is giving it the label the system volume and the Master Boot Record code is programmed to go find the first sector of that volume and Read it into memory and start executing it that first sector being called the boot sector Now the boot sector is the first piece of NT operating specific code involved in the boot process its NT specific because it has enough code in it to understand the NT file systems that are supported for example fat fat32 and NTFS It's a primitive filesystem in that it's read-only and it only understands enough to read locate and read the root directory of the volume and Locate and load a single file into memory called the NT bootloader ntldr Now we can see the NT bootloader the file that's opened by the boot sector code if we bring up a command prompt go to the root of the system volume which on this system also happens to be the boot volume because the windows directory is there and if I do a directory With the switch slash a colon H for looking at hidden files in TL DR There's the NT bootloader that the boot sector is responsible to open And read into memory The first job of the boot sector is to switch the processor from 16-bit mode into 32-bit mode all x86 and x64 Processors boot into a 16-bit mode for backward compatibility with older operating systems such as dos It also turns on the paging hardware Now that doesn't mean that virtual memory is fully enabled in the sense that we think of when Windows is up and running There's no paging file at this point.
There's simply a virtual memory that maps virtual addresses directly to physical addresses so that the system can access all of the routes all of the physical memory present on the system at this point NT loader also checks for the presence of NT boot DD cysts in the root directory of the system volume This particular file will only be present under special circumstances and those circumstances are that the system volume is on a different disk than the boot volume and that boot volume is a scuzzy disc, which is a pretty uncommon scenario in client system more common in server systems and The reason why NT looks for this file in that condition. Is that the firmware of the heart of these? Pcs is programmed only to be able to understand how to read from the primary physical disk scuzzy discs require special drivers to interpret and send commands to the scuzzy hardware and If the disk that the boot volumes on is a different disc and the scuzzy disk Windows during the boot process needs to use the aid of a driver in order to communicate with that disc The next step of boot in E is to or NT loader is to Read booting from the root directory of that that system volume This is a text file up through Windows Vista that contains a list of the operating systems present on the machine along with their associated boot parameters If there's more than one choice at this point You're presented a menu and can make a selection and typically boot dot ini' contains a default timeout value in a default selection so if no users there at a type of key it'll automatically continue with the boot and it's at this point once you've made a selection that NT loader looks to see what Type of operating system you've selected to boot from if it's a 64-bit Windows installation it's at this point that the switch from 32-bit mode to 64-bit is made up to now the boot process for 32-bit systems and 64-bit systems is the same and what this makes possible is a side-by-side installation of 32-bit windows and 64-bit windows on 64-bit platforms Now NT loader at this point pauses briefly to allow you to specify or press a special key To stop the boot process and allow you to make special boot selection options and let's take a look at that special boot options menu We're gonna switch over to a virtual machine Where we've paused the boot of a Windows system We're going to resume that virtual machine So here we see the special boot options menu that was Raised by pressing the f8 key during the boot process and we'll be discussing Safe Mode We'll be talking about last known good and also touching on debugging mode once you've made a selection on the special boot options menu NT loader proceeds to perform BIOS Hardware detection and that means running a program called NT detect comm NT detect comm is another hidden file in the root of the System volume.
So if we go back to the command prompt we can do adder slash a colon h NT detect comm and see this program located in the root directory NT detect comm Stores the information that it finds about the basic hardware Configuration in memory and later when the registry is initialized this appears in the registry key H key local machine hardware description And if you go to the registry editor, you'll see some basic information about the CPU type and other bios detected hardware devices Now speaking of the registry. This is the point where the operating system loader reads in the system hive part of the registry which maps into H key local machine system once the machines up and running It reads in the system hive at this point because there's a lot of information in there that helps guide the boot process there's operating system configuration information as well as the configuration of Drivers that the system needs to start up and get the system booted These types of drivers that have to be in loaded into memory by the operating system loader at this point They're called boot start drivers and they're identified with a certain start values will see in their driver configuration keys in the registry The reason that operating system loader needs to load these things in it the system can't simply wait until the kernel is up and running For the kernel to go load them is that these are drivers that have kind of a chicken-and-egg problem If the kernel had to load them they would the kernel would need to use the surfaces of these drivers themselves to load themselves and that Kind of cyclic dependency is broken by the fact that the NT loader here Gets them into memory so that they're ready to go when the operating system wants to turn them on after getting those drivers loaded in the operating system itself and Tusker noted, eggsy the hal and a couple of other core operating system files that need to be present in memory NT loader calls into the main entry point of anta's kernel and it basically to handoff controlling at the operating system boot started It's at this point that the splash screen appears so if you see the Windows XP logo fade in or the Windows Server 2003 logo fade in You know that you've gotten past the bootloader and NT loader is past control on to the operating system The Windows kernel now proceeds to prepare itself in two phases the first phase is sort of the foundational phase where the system calls key functions in the major subsystems like processes threads memory manager i/o system security and so forth for basic data structures to be set up or prepared for use the second phase which is actually called phase one is when these Internal executive subsystems are called to actually create objects and begin execution of the core support mechanisms in the kernel Part of that phase one initialization is then to invoke the drivers that were loaded by the bootloader? That were labeled as boot start drivers and ask them to initialize So this is obviously a point where the system could have a failure if a boot start driver malfunctions there could be a blue screen at this point after the boot start drivers are initialized then the i/o system goes to Reference the registry again and look for which drivers are marked as system start It's at this point that system start drivers are read in from the disk and also initialize Which means it's another point that drivers during early this early part of the boot process could cause a system failure or hanged Finally when the kernel has finished the phasor and phase one initialization all of the boot and system start drivers have been loaded and initialized the operating systems kernel initialization is complete and it goes to create the first user mode process that you'll see in the process list and That is the session manager or SMSs digsy Before we talk about session manager, let's stop and take a look in the registry at the Location where Windows drivers and services are configured all drivers and services have a registry key under the area HQ local machine system currentcontrolset services If we look at here on this system We can find for example a registry key that corresponds to one of the windows drivers installed on this machine the way that we can recognize it as a Windows driver and how Windows Recognizes in a Windows driver is its type value over here on the right side a type value of one or two? Designates it as a Windows driver Any other type would be that for a Windows service? And so if I scroll down a little bit further Here's an example of a Windows service the alerter service and if we look at its type value it's 32 decimal 20 hex because it's not one or two windows recognizes as a special type of Windows service now Another attribute of each service in the registry is when the service should be started and again service applies to both device drivers and user Mode services that we'll talk about later in the boot process there are Four basic start types zero is a boot start driver one is a system start driver we discussed when those drivers are loaded It's the NT boot loader that loads boot drivers and the kernel that loads system start drivers Automatic start drivers have started much later in the boot process by the service Control Manager there's also a type code for drivers that are marked as manual start and Most plug-and-play drivers have a start type of manual because they're loaded by the plug-and-play manager as devices are discovered Bus drivers are used to enumerate Devices and i/o system buses and the i/o system then working with the plug-and-play Manager loads and calls those drivers to initialize also drivers can be marked as disabled and that's a way to Force a device that may be causing problems not to be loaded or initialized on the system There's one exception where the star type is ignored and that's for the filesystem driver for the system volume.
That's the volume that contains the Boot files or is it the windows files? The system volume is where the boot files are, right? Even I have trouble remembering the terminology and it kind of makes sense that the filesystem driver for the system volume needs to be loaded because that's what The system is going to use to continue to initialize the system in that earlier part of the boot process There's a few different tools. You can use to look at the start order And that what I mean There is the start order of the drivers that are statically configured to start at various places during the boot process as Dave mentioned plug-and-play drivers will have a start type of manual and so it's really difficult to When exactly they're gonna start up it depends on the way that Hardware enumeration takes place during the boot but for those drivers that have statically specified start values one of the tools you can use to look at the Relationship between them in the startup order is lo toward from sysinternals I'm going to launch order load order by going to the sysinternals folder here and selecting it and what this does is just simply scan the registry looking at the start-up information and Calculates itself what order the i/o system would start these drivers up So the broadest category here is the start value on the left and we're looking at the startup order of various boot start drivers these next couple columns are the group name and tag which device drivers developers can use to control their order within a boot phase or within a group is which is what the tag does and the group name itself would be shown next followed by the display name of the particular driver and Something else marked that can affect the start order of statically defined drivers would be dependency Some drivers are defined to depend on another driver or service.
So that would also override some of the static definitions that we talked about Another tool you can look at to see the startup ordering or startup configuration of drivers but without having to go into the registry and look at it there yourself is msinfo32 msinfo32 under its software environment system drivers location lists all of the drivers Configured on this system along with their start. Sorry their start type which we've got to scroll over and see their start mode So this shows you the broad category here boot start drivers disabled drivers or in services manual drivers and System drivers and finally another tool that you can use is driver query which is built into Windows XP specify this /v switch and this basically is the command-line equivalent of what we just saw in msinfo32 Now we were up to the point that the operating system completed the kernel Initialization and had created the first user mode process the session manager.
The session manager is responsible to perform early system initialization that can be done from process context And it is gonna be also the father of the remaining system processes that are started following its birth One of the places that the session manager looks at is a registry key that we're gonna go to under HQ local machine system currentcontrolset Control session manager matching the name of the process and this is an interesting key because it has a number of registry values and sub keys that contain early operating system initialization information for example One of the things the session manager does is initialize the paging files and you can find that underneath the memory management key There's the list of paging files and their size for example on mark system He's got a single paging file on the C volume.
We see its minimum and its maximum size in kilobytes the session manager also Runs any programs that have been configured in the boot execute key So let's go back to the registry editor and find that boot execute key It's actually a value underneath session manager And if I double click on boot execute We can see that there's one entry and this is an entry that you're gonna find on your system And that's the reference to the auto check program auto check eggsy is a native image Native image means that it's calling windows native services because at this point the windowing system has not been initialized it's calling undocumented system calls in the NT kernel to perform a check disk and Every time you boot windows the session manager creates a child process to perform a check disk Now you'll only see evidence of that if check disk finds problems, and you've probably seen during the boot process If you're on XP on the blue part of the screen in the middle some text output might come from check disk on Windows 2000 Was in a black area in the middle of the screen, so that's text output coming from this boot execute program Now this is a place potentially that malicious code could insert itself and I think this is one of the places you've added in your autoruns tool that we're going To use later that if something was inserted into there You're gonna see that as one of the autostar locations righty, the number of places that a malware is finding to insert itself in the boot process is surprising and always expanding but another Job of the session manager is to process what are called pending file move and rename commands and there's a number of files on the system that just can't be replaced while the system is up and running an example is a core system DLL like kernel32 which is going to be mapped into the address faces of all of the processes running on the system you Can't replace an in use image file like that.
And so servicing like hot fixes and service packs has no choice but to perform their replacement the next time the system boots before those files are in use and They can do so very easily using a standard Windows API called move file II X and specify that they want the move or delete Operation to take place the next boot session manager is actually responsible for honoring that Session manager looks in the registry to see where the pending file move and renamed operations have been registered And I think you were telling me and it is I've done this now every time Every time a hotfix is installed or I install any kind of third-party Application and I get the message your system now needs to be restarted It's easy to see why because the restart is happening because entries have been made in this pending filed move or renamed key So I now go to the system journals pin mousse command run that just to see What files couldn't be replaced during the installation of the program that I just completed and what I've done is run pen moves after I installed Windows XP service pack 2 to look at the number of files that service pack 2 had replaced and required a reboot in order to Finish the replacement for and that file is here in XP sp2 Pen moves text and if you look at it, you can see the output of pen moves For example this first line in that output says that the source of the move is this temp DLL and that it's a actually delete Operation so we can surmise that what's happened here is that the service pack has dropped? has renamed the currently used file that one prior to the service pack to this temporary name drop down the new version in its place and Then scheduled the deletion of this old copy at the next reboot the number of by the way Were file replacements and service pack 2 is update that required a reboot in order to complete the replacement You can find using a word counting utility.
So I'm going to run this through word count and Each line in that file or each entry in that file. It takes up 3 lines so if we take the number of lines in that file 1200 and by three we get a rough estimate of the number of Pending file move and renames comes out to about four hundred Well XP service pack 2 was a heavy release ft service pack and a great service pack.
I must say the session manager Finally is responsible to initialize the remainder of the registry remember? It's the bootloader NT loader that opened and read in the system part of the registry HQ local machine system but and that part of the registry was used not only by the bootloader but also by the operating system to locate and load the system start drivers but their other major parts of the registry like the software hive the security hive and the Sam hive so it's at this point that those registry pieces are opened and initialized which means a crash due to a corrupt registry hive at this point is Going to result in no crash dump because this is done before the paging file is open and in the crash section We'll get to later.
We'll see that Crashes prior to the page file being open are not recorded because crashes are recorded in the paging file We haven't talked about the windows subsystem being up and running yet And this is the point where session manager starts to get that going the windowing subsystem consists of two components a kernel mode driver called win32 KSS even on 64-bit Windows Ironically that session manager loads and starts at this point Win32 ketosis implements the GDI at part of Windows and the user Park so the graphical party and the windowing and windows message part The next step of session managers to launch another user mode process the second one on the system Csr SS which stands for client server runtime subsystem csr SS is the user mode part of the windows subsystem and Now that that's up and running we've got windows api available for use by other processes So the first Windows application they get started is win logon, which is the interactive logon manager Now you'll have a visual cue that the windowing system was initialized because that's when the system flips from the black Start up screen or in Windows 2000 the white screen into GUI mode the hourglass cursor appears So if you see the system switch to GUI mode with the hourglass cursor You know that you've got through the kernel initialization session manager and the initialization of the windowing system when logon takes over next And its first job is to launch the local security authority subsystem else a sexy else a sexy is responsible for local Authentication to the Machine.
So whether somebody's logging on interactively through Through win logon or somebody's logging in through the network through a file network share L SAS is the one that ultimately makes the call as to whether they're allowed to connect to this machine When logon also gets ready for accepting an interactive logon, it doesn't present the UI itself though It relies on a plug-in called a genome or graphical identification in authentication DLL The built-in Geena in Windows is called MSG No DLL, and it presents the UI that we're all familiar with that ask for your username password and domain So this is when the logon dialog box would appear when logon then starts the serving control manager services eggsy Let's talk about that the service Control Manager or it's affectionately known at Microsoft lease cum SCM is responsible to make one more pass through the system part of the registry HP local machine system currentcontrolset Services and look for services that are marked as a start type of – that was an automatic start service.
This is mostly a set of user mode Components some of which run in their own process context like the spooler service some of which are dll's that load inside to shared service hosting processes like the SVC host out XD that you'll see running on your system However, there may be configured kernel mode drivers in your system marked as a start type of – automatic start for example Cd-rom burner software or even virus scanners or have kernel mode drivers that are started by the service Control Manager So the service Control Manager is not just necessarily starting processes It may also be loading kernel mode drivers This service startup by the way continues asynchronous to the ability to log on to the system So while the logon prompt may have appeared the service Control Manager may still be initializing some of these automatic start services One of the core mechanisms provided with Windows since Windows 2000 to repair and try to resolve boot start issues is the recovery console It's a kind of a basic repair tool.
It provides only a command line environment It has a limited set of repair commands, but it is available on every Windows CD since Windows 2000 it's I find underutilized because if you're not aware of its presence that you can boot off the CD since that was not their present and Windows NT from the Start you might not have heard of it Also, it can be used to repair installations other than Windows 2000 and later For example an NT for disk could be accessed and repaired by the recovery console the recovery console is actually built on a minimal Windows OS so if you in if you're booting the Windows XP Cd-rom you're running a little mini Windows XP installation if you're booting Windows Server 2003 Cd-rom you're gonna be running on top of the windows 2003 server kernel Actually the the boot process that we just described that takes you all the way to session manager session manager on the recovery console The boot process goes the same to the same position But the session manager image is the recovery console user interface that presents the environment that we'll see in a second now I've learned the hard way of the wisdom of installing the recovery console on your hard drive I had a situation where I had a blue screen due to a bug and a driver a video driver I won't mention the manufacturer and when I tried to remove my laptop The system wouldn't boot.
In fact the root directory of the C partition was corrupt. So it couldn't even find NT loader or booted any I Didn't have my recovery console Installed locally, so I had to go find a Windows CD which wasn't readily available to boot since then I've always made of the practice to install the recovery console on the hard drive and the way to do that Is to run off the Windows installation CD win in T 32 with a switch CMD Khans and That's something that's documented in the help file for win in T 32 so let's pull up the recovery console and take a look at what it how it appears when you boot a system into it and What we've done is we got a window system here at the boot menu that NT loaders presented us There's an entry in the boot dot ini' for the recovery console because we've already installed it locally under this hard disk And I'm going to select it And like we've said this goes through the same virtually the same boot process that a normal Windows boot up would take In A second.
We're going to see the recovery console scan the hard disk looking for Windows installations of which we have one And it will ask us to select which one in this case, there's only one we've got to enter the number This is something that's bitten me before pressing enter and having the system spontaneously reboot Recovery console is now asking us for the local administrative password to the system and it does this as security precaution enterprise Microsoft enterprise customers feel uncomfortable with the fact that end-users might be able to boot in the recovery console and then access the system unchecked and so Microsoft's made the recovery console require that they enter the admin password so that only authorized users can get in and Muck around with the system If we type help we can see that there's an extensive list of commands supported by the cover recovery console For example, there's commands that you're familiar with in a window standard command line environment For deleting files for doing directory listings for copying files There's also a number of other commands that are focused specifically on Fixing broken window systems, for example, we'll see there's commands related to fixing the MBR or fixing the boot sector There's also commands related to enabling and disabling drivers or services that might be causing problems We've seen that one of the limitations of the recovery console is the need to know the administrator password and that's something that sometimes The user might forget or there may not be a record oven so later we're gonna see that marks ERD commander which is like a super recovery console on steroids doesn't have that limitation Also for security reasons the recovery console by default and less system policies have been changed Limits the directories and the files that can be accessed by someone who is able to boot into the recovery console We can see that if we go back to the recovery console The default directory that were set at right now is the Installation we chose to repair and I can do a directory.
I can CD into other subfolders I can see knee to the root directory to a directory but if I try to CD into some other folder like the temp folder I get access denied and That's true of any folder except for the root the windows directory and one special folder. We're going to talk about later system volume information Which is where Windows? XP restore points are stored The reason for this restriction is so that somebody who votes the recovery console would not have the ability to go and look at sensitive files that are protected by Windows permissions list because in the recovery console environment The permissions lists are basically being bypassed here now It is possible using group policies and using the local security policy editor To enable the ability to navigate to directories.
Other than those three the root the windows and the system volume information directory Mark, why don't you bring up that? Policy editor and let's take a look at the – setting changes that you can make that affect the recovery console okay, I'm gonna bring up the local security policy editor by going to this dark menu going to run and Typing Sec Paul dot MSC which is the MMC snap-in shortcut for the local security policy editor here under security settings local policy security options You can find a lot of the group policy local security policy settings if we scroll down there's a couple down here that are related to the recovery console one is allow automatic administrative log on and that's disabled by default and the Second if I spread this up in a little bit so we can see the full text Says allow floppy copy and Access to all drives and folders because another one of the restrictions is that you can copy data on to the system But you can't copy it off.
And again this is to try to prevent people from taking sensitive information off the machine Now one of the other limitations of the recovery console Is there's no network environment? So there's no way to connect other UNC shares you can't edit files. There's no basic text editor There's no registry edit or other than the enable and disable commands which go in to let you manually enable or disable services It's also a command line environment Which is just frankly not as easy to use as the GUI environment that most of us are familiar with So I'm going to talk for a few minutes about erd command or a tool that's part of the window internals administrator pack Ard commander is a full-blown Graphical environment that runs on top of special version of Windows called Windows PE or print pre-installation environment Microsoft originally developed the windows with only ohms like Dell and Compaq in mind so that they could create a factory floor Imaging system that was built on top of Windows itself. People could write Windows applications to work as part of the imaging process Traditionally these yemm's used other environments like das as part of their imaging process, which makes laying down NTFS volumes for example a challenge when Eternals was the first is v2 licensed Windows PE and We licensed it to build this recovery environment on top of it to give you a familiar Windows look and feel for your recovery Operations now I've booted this VM into erd commander.
I'm going to go into full-screen mode And what we're looking at is the boot screen or the logon screen that when your D commander presents after you've booted the system off of a CD containing you ready commander Like the recovery console it scans the disk looking for Windows installations. It's identified one on this system I'm going to go ahead and log into it But you'll notice I haven't had to type in an administrative password to get access to that installation a difference between the ARD commander And the recovery console when we log in nearly commander displays a desktop that looks a lot like the Windows XP desktop So you can see that there's a task bar. There's a Start menu. There's icon shortcuts on the desktop from my computer and Network neighborhood and If we go up in the Start menu We can start to see some of the advanced recovery and repair capabilities that ship with this product. For example There's a command prompt It's a little bit different than the standard command prompt and that it shows you the mapping of Drive letters here in this environment Which might be different than when this system is booted normally there's a a Private version or erd commander specific version of notepad.
There's file search There's its own browser so that you can go to the web and troubleshoot problems By searching the Microsoft knowledgebase for example or download drivers to the system to repair. So the network is actually active at this point So the network is active at this point and that's another key difference between this and a recovery console is that networking is fully enabled? Not only that if we go into networking tools, you can share the fault volumes of this system out to other systems So for example, if you have a virus scanner they can work on Remote file mapped drives you would be able to reduce fire scans of this offline Windows installation through that Facility, you can also map the drives of other systems on your network using the map drive Wizard and of course you can change the tcp/ip configuration settings which are by default configure to boot this thing for DHCP If we go to the Administrative Tools You'll see that there's a private version or erd command or specific version of the assistant eternals autoruns utility there's a copy of the disk management tool that looks and feels a lot like the disk management tool that ships with Windows and That is the point is to make a recovery environment feel as comfortable and familiar as possible So you can see just like the standard Windows disk administrator You can do things like format delete partitions create partitions here in computer management which is a mimics the standard computer management MMC snap-in within Windows you get system information so you can look at attributes of the Operating system you're trying to repair including what hot fixes.
It has installed you get access to the event logs So this is something you can check for to look for problems that might have be related to the reason that the systems not Not booting like I mentioned autoruns is in here so you can look at the auto runs for different Administrators or different users that have logged onto this machine and it has a nice Familiar interface for starting drivers and services or disabling and enabling them Of course, you're not going to be manipulating the drivers of services of E or D commander's environment But that of the installation you're repairing. So the next time you boot that installation these changes will take effect it has its own registry editor, but this registry editor targets the registry of the offline installation and if we go into system tools We're going to see a crash analyzer So if your systems crashed this tool you can use to have it automatically analyze the dump Analyzing your crash dump is actually relatively straightforward Operation we cover that on our crash analysis video This thing takes even the minimal work associated with that out of your hands and does it for you? This commander is a tool that you can use to restore Volumes that have become totally corrupted corrupted such that Windows doesn't even recognize their presence or to undelete files on those volumes, so this will do a optionally a low-level scan of your system looking for Volumes that have been deleted and allow you to repair them and to copy data off of them It's kind of a very advanced disk recovery tool When you're ready to take a PC and repurpose it maybe Give it away throw it away or give it to another user It's good to wipe the disk to get rid of any sensitive information that can be obtained and disk wipe the disk Wipe applet here does a Department of Defense compliant for pass overwrite of the disk? Which the DoD considers sufficient for its own purposes in scrubbing a disk? So that information can't be gleaned from people even using advanced electronic methods to try to get data off of the disk mark that makes me kind of wonder what kind of customers that you're selling that to Well, I think it's prudent in any corporate environment.
If you're gonna repurpose a machine to wipe the disks first, okay Forget a system tools there's a file restore utility which is a lightweight file and a leader So it's not able to tolerate corruption of volumes or missing volumes like disk commander is but it provides a nice little search interface for looking for deleted files and deleting undulating files by the way is something you should probably be performing in an offline environment when you've deleted a file and It's a file that you know that you've got a critical file you want to get the contents back for shut down the machine as quickly as possible get into a already commander and use file restore because what you don't want to do is Cause the file system or cause out or let applications continue to change the disk and possibly overwrite the sectors that contain the data that That file used to occupy Sometimes companies are afraid of in supplying service packs or hot fixes because they're not sure if their driver configuration that they've got on their systems is incompatible with the hotfix or service pack if Your system becomes unbootable because of such a change the hotfix and install wizard lets you Enumerate the hot fixes or service packs stored on the system and then undo them So you can simply select them off, press next and it will de install them We talked about admin passwords the recovery console requires one er D Commander doesn't require one to log on air D commander goes one step further using the locksmith wizard.
You can change the local password of any or the password of any local account including the local administrator account Mark, this is one that I know saved me personally I had a Window System in the office that I forgot in the Evan password I needed to do some maintenance So I booted er D commander ran the locksmith wizard and was able to safely Reset the admin password and I think safely is the key here, isn't it? Because there are tools in the internet that lets you do this but there Really risking the integrity of the security Davie aye-aye, sir they actually reach into the registry hives and try to manipulate the data within this er D commander uses a Supported mechanism believe it or not to change the admin password the next tool we'll mention is system compare if you've got a bunch of Computers that are identically configured on your network and one of them is behaving erratically You can use system compare to compare the state of the system state of this system with another one.
That should be the same We're very quickly lets you zoom in on changes that might be relevant to causing the problems system file repair windows keeps backup of many core system files and what's called the DLL cache system file protection uses this backup cache and the System file repair tool Relies on that background cache of information to go scan what system files are currently configured on the machine Will report any differences and let you replace those with backup files so we're going to talk about dealing with system file corruption a little bit later and What our? Recommendation if you not don't have a year to commander you can do those these steps manually but already commander will automate it for you and Finally system restore system restore is a recovery facility built into Windows P where the system takes snapshots of the system state periodically And if you've got a system that's become unstable because you've installed a driver and application System Restore might not be available at least the Windows System Restore because to get access to the Windows System Restore you need their need to be Able to boot normally or boot into safe mode and if the driver that's causing the problem or therefore the system Corruption that's causing.
The problem is stopping the system from booting in those ways The we already commander can come to the rescue here giving you an offline System restore wizard so you can get access to the system restored Even if this is if computer you're trying to repair just won't bit into Windows it under other circumstances so mark if people want more information about ER d commander Where at where can they go with w w internals comm let me just go there we internals comm it's my second-favorite website sysinternals, of course being the first And here we see the home page for wind turtles So if you go down to system tools ok and There's the administrators pack as we mentioned. He already commander is part of it He already came it also comes in an emergency download version. So if you've got a Problem and you need to have it fixed right away You don't want to wait for the administrator spec to be shipped for you.
You can purchase Temporary version while you're waiting for the full admin admin pack to get to you so you can fix the problem and get up on Your feet again actually I was a customer of the emergency version myself and got a license key shipped to me although mark did give me a good discount My favorite recovery option in Windows is Last known good why because last known good? Simply requires you to press a button and see if the problem will resolve itself You get two last known good by pressing the f8 key during the boot process which we saw earlier So let's pull up the boot menu here in a VM You can see last known Goods option is right here last known good configuration your most recent settings.
That worked Last known good is an option. That doesn't work if your files have become corrupt It only replaces the core system settings that the windows uses to guide its boot process With the versions that were used last to boot your machine successfully yeah, and we're gonna see what the definition of boot successfully is in a little bit so When you choose last-known good What are you getting the last known good copy of? You're selecting a previously saved control set a control set is a subset of the information in a subset of the registry it's under H key local machine system and What is on the running system currentcontrolset? It's the core startup information the list of drivers to be loaded in core operating system settings Let's take a look at this part of the registry by going to the registry editor Going to HP local machine system And here we see what looks like three control sets control set one control set two and current control set so there's actually two one of these is the current and the other is the last known good if we go to the Select key underneath still under HP local machine system We'll see on the right the definition of current and the definition of last known good Current is one and last known good is two So the current control set is really control set one and the last known good control set is control set two So when you press the f8 boot option and choose last-known good in this system It would use the settings underneath control set zero zero two to boot the system If you look at this display of the registry there on the left you can see that the control set Really is a subset of the registry.
For example booting from last known good will not help if the software hive has had corruptions or invalid data or if the security hive or the Sam the security account manager database has corruption so booty from laughs no good relies not only on the registry system hive being intact and usable but also the rest of the registry hives being available and intact as well the Kind of scenarios where last known good will help you Include the cases where you install a new driver and the new driver starts up early during the boot process and crashes the machine Or you change the configuration settings of an existing driver, for example, you open the control panel? Applet to modify driver settings that are the video adapter settings and you set them in such a way That that triggers a bug in the driver and the system crashes during the boot or hangs during the boot also, if you go into the registry that part of the registry where system or operating system Configuration information stored we saw under session manager There's actually a key under there called memory management where you can go in and tweak the parameters of the memory manager system in kernel Mode you can actually tweak those in such a way that the system becomes unbootable And if you make a change to a location like that Simply going back to the last version of the control set that doesn't reflect those changes will get you out of that Jam Now some cases where last known good is not going to help is first of all If you've updated an existing driver that was loaded in the previous control set Then that driver is still going to be loaded if you boot from last known good also, if you have a driver that has a latent bug that all of a sudden has been activated something else in the system has Changed that causing a problem in a driver to surface Moody verb last-known goods not going to help because that driver is still going to be loading and as I mentioned also If there are core system files or in particular the registry Files that are missing a corrupt last-known Goods not going to help Another situation are less than good actually won't help is if the system is proceeded far enough into the boot that the system considers It a successful boot and there's two things that have to happen for the system to consider The boot good and for it to make a copy of the current control set and label it is the last known good control set one somebody's had to logged into the system interactively and Second all of the automatic services have to start it up successfully One of the cases that can bite people is if their automatic services aren't starting up successfully because on professional systems Windows is configured not to pop up the one or more drivers failed to start one or more drivers or services failed to start dialogue Which it does pop up by default on server systems so client systems can actually be running and booting without ever getting a last-known good so basically, it's a good practice to check the event log on your client systems to make sure that all the services are starting successfully otherwise You may not be getting a copy of the current control set that you could later select using last known good Now if you pick last known good and it works and the system becomes bootable that means that there's some data in the control set that was stopping Windows from booting successfully and What you should probably do as a systems administrator to make sure that that problem doesn't occur on other machines or to fully Understand what caused that problem? You should compare the control set that failed with the one that got your machine booted successfully When you choose last known good it takes that control set that you're avoiding and labels it as the failed control set on my machine I've never actually had to use last no good.
So if we go look at what it's got configured for the failed control set It's zero Which is no control set what you can do to find out what the difference is is to export Using regedit the failed control set and the current control set once you've got the system booted to dot reg files Load them into a text editor I recommend avoiding notepad and doing a global search and replace of the part of the registry key names that are different so you would want to change current control set to control zero zero and wherever n matches failed control set Then use a simple file comparison utility or text comparison utility to see what the changes might be There's going to be lots of innocuous changes or differences but a quick scan through those and you should immediately be able to recognize those changes that aren't relevant versus those that might be significant with respect to a boot problem The reason I say stay away from notepad, by the way is its global search and replace you is a very inefficient algorithm So it can literally take an hour for it to do a global search and replace of one of those dot reg text files The recovery mechanism to try if last known good isn't able to help is safe mode Safe mode actually requires that you go in and diagnose the problem in most cases But it's a version of Windows that might actually be able to boot successfully when the normal boot won't It's actually a mechanism that was based on Windows 95 windows 95 introduced this concept of safe mode Which is a version of the boot process that avoids honest non-essential drivers and services Hopefully the problem that's causing or the driver service that's causing Your boot problem is one of those third-party drivers or services or one of those non non essential components that Windows avoids when its booting into safe mode however Safe mode does require that those core components that are involved in the safe mode boot be consistent in and non corrupt So in order to activate safe mode you go to you press f8 during the boot process NT loader stops the boot process and lets you select the various options from the special boot options menu Let's switch over to our virtual machine and take a look at that menu again And we can see that the first three options relate to safe mode the first one safe mode Boots windows without any networking environment in a GUI in a GUI mode.
So if you log in Or when you sign in the explorer will come up you'll have access to the full explore GUI environment safe mode with networking Also starts the GUI environment but loads the windows networking components. So the default safe mode the network is not up the third option is safe mode with command prompt and the only difference is that the Logon process will run the command prompt instead of explored at eggsy. The windowing system is still started So you're actually still booting a good part of Windows. The whole windowing system is initialized from that command prompt For example, you could run Explorer you could run other GUI applications. It's just that CMD is run instead of Explored at eggsy and we'll see that when we look into the internals of safe mode next Windows is actually not hard-coded to define what safe mode is. It's guided by registry values specifically location under H key local machine I'm gonna pull up the registry editor here HQ local machine system currentcontrolset control safe Boot you'll see that there's two keys under that main key one minimal and the other one network the minimal key guides Safe boot with command prompt err Save mode with command prompt and network guides safe mode with networking And set minimal by the way also guides normal safe mode if we open up one of those keys and look at what's underneath them We see something that looks very similar to what we saw under the services sub key where drivers and services are registered The way that Safe Mode processes this is the i/o system For example early in the boot when it's going to load draw it boot start drivers or system start drivers Checks to see if that drivers listed by its group value or by Explicitly by name here in the appropriate safe.
Boot key only if it's present there Will it actually start the driver the same thing applies to the service Control Manager later in the boot process, which looks in here? To see if it's to start the drive service if we look in the network node it has all the same contents as minimal except it has networking drivers like AF D which is the Windows kernel mode sockets driver What distinguishes safe mode from? Safe mode with command prompt is the value here alternate shell and you can see the default here is command prompt So instead of running Explorer you bit with safe mode with command prompt and it will actually load whatever programs listed there So you could replace that with something else for example attack in one of our labs We just for fun change that to sol that eggsy We wrote press f8 choose safe mode with command prompt and out comes solitaire now I have to mention that there's one exception to the way that say flic processes drivers and the i/o system Automatically ignores safe mode these safe mode keys when it's going to load boot start drivers the Thought behind that is that if it's marked as a boot start driver it's necessary for it to start for the system to even boot in the first place and Omitting it you'd be left with a none bootable system So it's going to not even look to see if draw referenced in these keys is simply going to start it I've had a couple of cases marked where Some friends had their systems infected with spyware and they had to boot in safe mode actually to remove the Auto Start locations They were able to run your auto runs tool to disinfect or remove some of the malware that was starting what's a scary thought is that malicious software could actually modify the safe boot key and configure itself to be loaded in the minimal or network setting right Well, all it has to do is if it's a driver component Which we're seeing a lot of root kits now configure themselves as drivers or have kernel-mode rootkits They configure them themselves now as boots start drivers specifically so that you can't get rid of them by booting into safe mode and you need to do an Offline clean from an environment like the recovery console or the early commander.
So basically safe mode may not be that safe anymore That's at least not when it comes to an hour now once you start safe mode whether you chose safe mode with command prompt with networking or just the regular default safe mode if it's A Windows XP system and you had System Restore enable the message box will appear asking you. Would you like to enter Safe Mode? or would you like to invoke system restore and Invoking system restore may be the quickest way to get your system back to a working condition because system restore will undo As we're gonna explain later changes made to various registry hives including user profiles Files that have been replaced that may be affecting applications proper functioning will be restored So that's one option if you're using System Restore just to go ahead and press no Bring up the system restore dialog pick a date in the past That you knew that the system was working properly and let windows go ahead and roll your system back to a known working point on the other hand if you've made a number of changes that you Don't want to rollback.
You need to perform some manual analysis then press Yes, and you're going to then basically sign in Explorer is going to come up where the command prompt if you chose safe mode with command prompt System Restore was introduced in Windows XP to provide an easy way to undo a set of changes to the system that may have involved files other than the core Windows operating system files, for example, third-party applications or third-party dll's one of the things that System Restore is good for is being able to quickly and easily pick a point in time in the past where you knew the system was working properly and roll that system state back System Restore, however requires that the basic system files be bootable So if you're having a completely unmovable system Then you're not going to be able to start Windows XP in Safe Mode to do a system restore now That's one of the things that you're erd commander mark provides access to so if you have a none bootable system You can boot erd commander from wind tunnels and choose its system restore wizard to rollback to a known good point System Restore is not included with Windows Server systems and an XP.
It is enabled by default You can find the configuration for system restore if you go to the Start menu right click on my computer go to properties and you'll see the system restore tab and Marked you have the default which is that system restore is not turned off. So there's a checkbox to disable it one of the settings you can set on sister missed or if we click on the Settings button is How much disk space? Can be assigned for system restore points because each time a restore point is taken There's a certain amount of disk space used and then as files are replaced Windows has to keep the original version so that it can perform a rollback So it we do min on this it looks like you've allowed mark 12 percent of the volume which I believe is the default maximum So about 3.5 gigs of your main C Drive C volume Restore points are created by default every 24 hours They're also created on some software installs depending on the software installation mechanism that used for example The Microsoft software installer will automatically take a restore point So that if you've installed the software program and it's caused other Applications to fail you'll be able to roll back to what the system is like before you install that application another trigger for taking a restore point is installing an unsigned driver or you might explicitly request a restore point yourself if you're about to make some changes to files or settings in the registry you might want to take a restore point so you could go back to the good point and you can do that by invoking the system restore wizard which is accessed through the Start button help bringing up the standard Windows XP help and support.
So I'm clicking on help and support and Right on the main page. There's an option that says Undo changes to your computer with system restore again that's available on XP client systems not on servers, so I'm clicking that option and This brings up the system restore wizard and I basically got two choices I can do a restore to an earlier time, or I can create a restore point So here's how I would if I wanted to take a manual snapshot At a point that I'm about to make some setting changes now Let's go ahead and choose restore my computer to an earlier time, and don't worry mark I won't actually do a rollback if I click Next Now we can see a little calendar that shows By the days highlighted in bold the dates that there were restore points. So for example, if we look at yesterday on the 19th There was a restore point because mark you installed a Windows support tools if we go back to the 18th You must have had some software updates Windows XP hot fixed as I believe Same with the 16th and the 14th You installed the debugging tools.
You installed I can see the latest version of the Microsoft anti-spyware So it looks like Mark you're taking pretty good care of your laptop Good job mark, so when you take a system restore point windows automatically snapshots a number of databases Including the registry hives the com+ registration database and user profiles it also takes copies of certain files not protected by windows file protection and then it starts monitoring a number of file extensions across all the volumes on your system specifically 569 file types are Monitored and when system restore sees a change about to take place to a file with one of these extensions It makes a backup copy that it can later restore to The list is actually documented in the platform SDK and it includes things like dot exe and OC x and dot sis dot dll files that you would think of when you think of system files it Explicitly ignores or omits the extensions that are associated with data type files like dot txt and dot doc dot PPT because What you don't want to have happen is when you are rolling back your system to fix a system Reliability problem you don't want your data to get lost in the process.
And so those file types are excluded from that list So when System Restore is active System Restore When one of these registered known file types is changed replaced or deleted a Copy is made of the original version in the restore point folder representing the current snapshot of the system And this is a folder a couple levels deep underneath a hidden system folder called system volume information That's a folder that if you bring up Windows Explorer I'm going to bring up the Explorer dialog now and I look in the root of the C Drive There is a folder called system volume information Interestingly enough Explorer says folder is empty and that's because if I try to click on it I get access tonight this is a folder that Administrators don't even have access to mark.
So it's something that is meant just for the operating system to access However, we're able to navigate into that folder using your PS exec tool because PS exec allows me to start a command Prompt running under the system account and it's the built-in system account the local system account that does have access to that folder So I'm gonna do a PS exec – s which means run the command under the system account cmd.exe I've now started – command prompt running under the system account and if I go to the root directory I now can see D into system volume information into adder Now no file show up because the files are hidden and system So I do at dura slash a : haitch and now I see a subfolder beginning with underscore restore I'm gonna CD to underscore re st asterisk, and now du adder and here we see the restore points Dating back some months that were taken over the course of the life of this laptop the most recent restore point RP 92 CDR p ninety two is the restore point that was created when you last installed that those windows support tools so if I do a directory of this folder these files that begin with a Represent files that match the special file type list that you refer to for example Here's a dot sis file that must have replaced and deleted an MSI file some links some shortcuts So these are again files that are considered protected that this is a copy of the names have been changed The original file names are in a database and if I were to roll back to the previous or store point Here's the original versions that the system restore Wizard can then taken and put back onto the system and if you go into the snapshot directory, Dave That's where you'll find the backup copies of those various database files including the registry hobs there This is a very important point because every time a restore point is taken Windows makes a copy of the core Windows operating system registry hives the security account manager database security Database software and system hive in addition to all of the user profiles defined on the system So we're gonna see later for troubleshooting This is the best place to go in the recovery console if you're looking for an up-to-date Registry hype to replace if on the rare case you've experienced hard registry corruptions System Restore is implemented as both service and Driver the services Responds to your request to create system restore points and then tells the driver to create a system restore point directory That service snapshots the various databases into that directory and the driver starts monitoring for changes to files It's a type of driver called a file system filter driver File system filter drivers can see all changes to any file or directory as they take place because they layer themselves above the file system drivers that come on the system like NTFS if you've got a non access virus scanner, for example It is also implemented as a file system filter driver Which stops file opens in their product in their? Tracks scans the file for virus and only if the file is clean Does it let the open through to the underlying file system file mines another example? And the system restore filter driver simply looks to see if the file that's about to be modified matches the special criteria including the file extension C's if it's already made a backup that file in the system restore point directory and if it hasn't Then makes a backup of a copy of the file before it lets the modification proceed into the file system driver When you choose to rollback It's at that point the system restore wizard then will reach into the restore point directories copy the files back out to their original locations Restore the registry hives and you're always forced In order to apply those change and make them active now beyond just using System Restore for its native capabilities to roll the system state back to a known good point We mentioned System Restore is invaluable when it comes to dealing with systems.
That won't boot due to Registry corruptions and it's in that restore point subfolder You'll find a copy of the registry hives at the point that the restore point was taken you'll need to use some kind of offline tool like ER D commander or the recovery console to go replace that file and we're going To talk about how to do that in the registry corruption section Let's take a look at a couple of problems that might be preventing your system from booting there associated symptoms and how you Fix these kinds of problems starting with Master Boot Record corruption This type of problem can manifest itself in different ways depending on how corrupt the Master Boot Record has become for example You reboot the machine they see the black screen that comes after the BIOS post message and the system hangs or you see a white text message appear on the screen that says invalid partition table error loading operating system or Missing operating system the cause of this could be Master Boot Record corruption So if you are suspecting that the Master Boot Record may be corrupt.
You can boot the recovery console and use the fixmbr command I'm gonna go bring up the virtual machine running the recovery console here We've already booted into it and I'm gonna go ahead and type fixmbr And it's giving me a caution. Do I want to rewrite the MBR? This is coming because likely this is a virtual machine Let's go ahead and write the Master Boot Record. It's now been written And now when I exited the recovery console, it would reboot and hopefully that would fix the the boot problem there's actually a limitation to that command though that you should be aware of and that's that it only write rewrites the code portion the Master Boot Record the partition table that leaves alone. So if the corruption is extensive enough to corrupt the partition table area and the Master Boot Record that Command won't fix the problem And what you need is a third party disk fixing utility like disk commander inside of a or D commander which knows how to go and rewrite master boot records including for the rebuilding of those partition tables Another problem that can manifest itself in some ways similarly to Master Boot Record corruption is corruption of boot sector the first sector on the System volume that the Master Boot Record actually reads in and tries to execute symptoms here can include the black screen again that would come up after the BIOS post where the system hangs or Message on the black screen like a disc read error has occurred NT loaders missing or NT loaders compressed the cause might be boot sector corruption and the solutions in this case include Similarly to what Dave just showed you putting the recovery console and executing the fix buuut command The fixboot command actually is much more reliable than the fixmbr command because it knows how to completely restore The boot sector of the volume until I try and fix the boot sector let's let's go ahead and fix it All right.
I'm talking just in case there's something wrong with it. Are you sure you want to write a new boot sector? I'm not sure but we'll go ahead and buy it and Notice it says the filesystem on the startup petition is NTFS that's relevant because the boot sector code as we described in the boot process Has to be able to interpret the filesystem on the on that volume rebooting from so there's a primitive NTFS file system That is able to then locate the root directory and read in the bootloader. There's one thing else I'd like to point out whenever you have a boot problem and you're going to boot in the recovery console it's always a good thing or just a safe thing to check disk the volumes first because the problem might manifest itself as a symptom that you connect with another type of problem when it's actually Corruption of the disk or corruption of some file like NT loader. For example, we saw some messages they could show up as Causes of boots or as the result of boot sector corruption that might actually be the result of NT loader corruption.
So it's always The best practice to boot no recovery console run a check disk first And by the way, that saved me the night before presentation, it was a Sunday night in Norway Actually, I had tried to boot my laptop. This was also after a blue screen from a video driver and Was enabled to boot this time. I did have the Windows CD with me I had not installed the recovery console on the hard drive ahead and learned that lesson yet booted the Recovery console type check disk rebooted the system was up and worked fine. So it really does work Another phase in the boot process where a file could prevent the successful Boot of the system is if the boot dot ini' file is corrupt boot dead Any is a text file that as we discussed in the boot process section earlier Lists the various windows system volumes and the Directories where Windows operating system files are located along with various switches that may affect the load and startup of the system If boot dot any is somehow corrupt You may get boot devices inaccessible or internal that Egizi missing there couldn't be located now in Windows XP and later The NT bootloader is smart enough if boot Denis is missing or corrupt to actually by default go look for a directory called windows on the volume of your booting from And in most cases that's going to work but in earlier versions of Windows if who did any was missing or somehow malformed? The system boot would be halted at that point some of the causes for this could be The file as I mentioned being missing some how corrupted or out of date for example because boot at any refers to partition numbers On the volumes your booting from the distribution from if the disk configuration Changed you made some hardware configuration changes References to partition and and disk hardware dis numbers may have changed such that it's not able to locate the Windows installation so the solution would be boot into the recovery console and Perhaps first to a check disk which mark mentioned earlier reboot if that doesn't work, you can use the boot CFG slash rebuild command Let's go take a look at what that command does So we're going back to the virtual machine running the recovery console and I'm going to type boot CFG Slash rebuild Says it's scanning all the distro in DOS installations And now it's completed at scan and we can see that it found one Windows installation C colon backslash Windows And it asked me if I'd like to add that installation to the boot list So this is going to be rebuilding my boot dead-ending from scratch.
I'll say yes It gives me a load identifier I could give it a name for example Windows XP and then I could here at this point adds some of the load options like Debugging mode or some of the other switches. You can pass to boot at any. I'm going to press ENTER and now I'm going to type boot dot ini' and this is the boot at any that's been modified if you notice it added if you look at the line that says Windows XP I'm circling it now That's the line that was added by the boots efg didn't replace the file. It added another boot entry to the existing boot at any The next class a problem we'll look at is your system registry hives become corrupt in this hive is or another registry hive has become corrupt like your software hive these hives are critical to the operation of windows even Hives other than the system hive like the software hives org or even User Profile hubs that are loaded later Can cause the system to not boot successfully the One of the symptoms that can be exhibited by a corrupt registry Hive is that you get a blue screen during the boot process and if you've got the default configuration for how the system responds to a crash you might not even see the blue screen because the default Configuration has the system automatically reboot.
And if that you don't have the system configured to take a kernel mode or Full system crash the reboot is so fast that unless you're sitting there watching the screen intently You could miss it so in that case You're gonna be kind of in an endless reboot scenario because it's gonna reboot crash Reboot and crash reboot and crash right and some of the causes of corrupt registry hive or the disk itself is corrupt So it's not the internal data within the hive that's become corrupt although data can become corrupt in the hive if you for instance have a Driver that's running in corrupt memory in the kernel before it goes out to the registry hives that could of course Cause your registry hives to become corrupt So the solution to this kind of problem is to boot the recovery console and again first run a check disk Because that might repair the volume sufficiently to be able to access the registry hives If the system still fails to boot at this point you will need to go locate a good copy of the corrupted or inaccessible registry hive and there's basically Three choices or three places.
You should go the first place You should go if it's available is the most recent system restore point folder. That's only going to be available on Windows XP systems and Again, only if that's been enabled it is enabled by default. Although some systems administrators turn it off if that's not available, then you can go to a recent system backup get the file and Using the recovery console restore that file and the last choice is the windows repair folder the reason the windows repair folder is the last choice is that's a copy of the the registry hives that were made when you initially installed windows and I learned the hard way the importance of updating the registry hives in that folder.
I had a Windows 2000 system So there was no system restore point folder. I had done no backups so I had to go to my Windows repair folder to get a software hive my software hive had been corrupt and While it did allow me to remove my system, which was a good thing I had to basically reinstall all my applications and make all my application setting changes again It is possible to update the copy of the registry hives and the windows repair folder And on Windows XP and later you can do that with the NT backup tool actually Windows 2000 and later the built-in backup tool has an option to Windows 2000 explicitly update or backup the registry on Windows XP if you choose a System state backup which is one of the options in the windows backup One of the first things it does is update the copy of the registry hives in the windows Repair backup subfolder, so that's a good practice once you've set up your system fire up Windows XP backup do a system state backup just to get a fresh snapshot of the system registry hives in that windows repair backup subfolder Let's take a look at how you would get those backup system restore hives and replace the hive locations that windows references as it boots the first step would be of course to boot into the recovery console then what you have to do is CD in to the location where system restore places those backup registry hives I'm going to navigate into that directory on a live system by using PS exec to launch a command prompt in the local system account because by default the system volume information directory under which system restore points are stored is Inaccessible to any account other than the local system account the PS exec Command comes from sysinternals in the DES S which says to run the specified command under the local system account So now I have a command prompt running as local system.
I'm going to CD up to system Star which is enough to match the system volume information directory due adder slash. Aah and underneath I can see the restore System restore subdirectory which begins with underscore restore? So I'm going to type CD res star now I'm in the restore point directory You're going to want to navigate of course into the most recent one which is to be the one with the highest index number in this case 90 to Do it during there and there's a snapshot subdirectory where this registry hives are stored so now I'm gonna sitting into the snapshot directory if we do a dira here are the system hives for example we can see their registry machine System which is the backup version of the system. Hi visited existed at the time of that restore point So the goal now is to get one of these hives the same high security software System hive depending on which one we believe is corrupt to the location in Windows Where it will reference it the next time the system boots and that location is under the windows system32 Config directory if I do it during here We can see the actual live System hive now I can't replace that hive in a live window system because that files in use but if we were in the recovery console I'd be Able to copy a registry machine system backup file Over to this directory and rename it system and try rebooting the machine and see if the problem had corrected itself You know, this actually worked for my dad who had a none bootable system the software hive was corrupt He had a blue screen.
He called me up and He was able to see the blue screen that read to me that the software hive was corrupt so over the phone I had in boot the recovery console and Painfully CD into the system volume information folder. There's no shortcuts or wild cards Read out to me. The restore point folder name CD there found the most recent restore point went to the subfolder snapshot Executed that copy command and rebooted the system and everything works. That was a satisfying work Now if system restore is not available and you have hard registry corruptions again boot the recovery console You're gonna have to fall back to a potentially Old copy of the registry hives that were put in the windows repair folder when the system was originally set up Let's go take a look Mark on your system. I'm going to navigate to your see Windows repair folder and let's take a look at the date of the files and it looks like June 2005 mark doesn't look like you've done any kind of update of your Registry arrives. You're right. I better go to a system state Backup, actually, you're okay with this one because you have System Restore, but were this a Windows 2000 system? doing a backup of the registry would have been would be helpful and That auction that was another case that happened on a laptop of mine.
I Had a software hive corruption due to a bug and a driver This was a little complicated though mark Because this laptop had no bootable optical drive so I couldn't move the recovery console to replace the software. Hi back in the windows System32 config folder and I have to say once again one of your tools saved my hide and that was NTFS dos Professional I did have a floppy on this older laptop, but no cd-rom. It was an ultra light with no optical drive So I booted das floppy which I hadn't done in a while loaded NTFS das professional which Marc graciously gave me a free license for and I was able to CD right to the windows repair folder and copy the software file into windows system32.
Configure My laptop was booting. So thanks Marc appreciated If the boot process has gotten to the point where the bootloader is loaded is able to load and process the system hive and Then goes to load some of the core system files and they're corrupt this may cause a problem in the boot process you may see this as an error message from NT loader that One of the core operating system files like in toss journal that eggsy held a dll or other files are missing or corrupt You could also have a blue screen with a reference to a corrupt file For example, if kernel32.dll is corrupt that's going to be a blue screen later in the boot process The cause is for system file corruption could be actual disc corruption or the file is actually missing Or an individual file has been corrupted So the first step in troubleshooting this kind of problem, of course is to boot in the recovery console and run a check disk Hopefully it's just dis corruption and it's able to repair itself so that you put the Machine and get up and running again However, if check this reports, no errors, then you probably do have corruption just one or more system files So the goal here is to get a backup replacement for the identical system file Fortunately Windows keeps backups of many of the core system files in a directory under windows system32 called dll cache Let's navigate into that directory on my system here I'm going to open up a command prompt and navigate to system 32 DLL cache and You can see that there's a whole lot of directories files in there.
For example Kernel32.dll one of the core Windows System DLLs, there's a backup version right there So if that file identified as being one that was corrupt, I could simply copy that out to the original location which is under that parent folder system 32 however, if you repent end up repairing one executable or one DLL Try rebooting the machine to get the same kind of error that indicates that the system has become Still has more corrupted files then what you'll need to do is Go find More replacements or be able to replace Entire batches of files and one way you can do this is to go to another system and simply Configure it and simply copy the files from that system onto your local system Say copy them to some kind of media like a an optical disc and then get into the recovery console or another offline environment Copy those files over if you can't find another system that has files that are this of the same hotfix and service patch level Last kind of fallback step before you fall back on reinstalling all together is to do a setup repair install When you do a setup repair install, which is one of the options you get when you boot off the Windows setup CD windows will pull the files off of the setup CD for all the system files and Replace those that are on the live system And the reason that I say that this is a last fallback and one you should approach with some caution is That the Windows registry is not affected and so the Windows registry might believe that you've got several hot fixes or service packs installed where the Files that come off of the setup CD don't reflect those more recent updates and Sonia now You've got kind of a system that's in a weird state where it believes It's got hot fixes and there's service packs installed, but you've actually lost them in the process of the setup repair install The next class of problems we'll look at are those that occur later in the boot process than the ones we've just discussed for Example a Hank that happens after you log in or a crash that happens right after the splash screen occurs And again want to emphasize that if your systems configured in the default configuration, you're running Windows XP or higher It's set to automatically reboot in the face of a crash and so you might not be aware that your system is out any network or even rebooting after crashes because an end user might not even be Seeing the crashes and these machines can end up caught in an infinite reboot cycle some of the causes that will see that it Responds ofor symptoms like this include buggy drivers hardware problems or bugs in windows itself now if you're getting a crash or a hang during the boot your first step would be to choose last-known good so reboot the system press f8 get the SPECIAL Boot Options menu and Try booting from the last node good control set and perhaps that will by using a previously known good copy of the system settings Be able to boot the system successfully However, if that still fails then try booting in safe mode if the system boots in safe mode you're still faced with the problem determining why safe mode worked when booting normally did not and That's going to require some investigation that we covered in the safe mode section if you can determine the faulty driver Which might mean analyzing a crash dump or looking at the drivers that are not configured to load in safe mode? you may be able to repair that driver updated replace it or try rolling the system back to the previous known good restore point if you have Windows XP with a system restore enabled Finally if safe mode still fails to boot the system it crashes or hangs on boot Then you're going to need to boot the recovery console or perhaps Mark C or D commander force a manual offline repair safe mode works and where normal boot might not work because it Relies on just a core set of drivers or services to get the system up and running Hopefully the problem lies in one of those third party or add-on drivers or services that windows doesn't consider essential if the system was crashing what you should do at this point is go find the crash dump file or Configure the system degenerate crashed on file and reboot the Machine and generate one that you can get to from safe mode Copy that crashed on file off the machine or even analyze it right there from within the safe mode environment Assuming you voted booted with that networking so that you can access Symbols that are related to the files on that system from Microsoft symbol server If you're able to determine the driver that's causing the problem you can try to roll back the driver to a previous version if you have Windows XP and Mark's gonna explain in a moment how the driver rollback feature works If it's not if there's no backup copy available, or it's an early version of Windows Then try disabling the driver and you can do that in safe mode by bringing Up the registry editor manually disabling the service or perhaps in the hardware device manager My computer properties go to the hardware tab and click device manager for a non plug-and-play driver.
You can disable devices from there So if you can determine what drivers causing the system to fail during the boot either through it being obvious because you had just installed some new device Then the driver associated with it is the one causing the problem or you're able to analyze the crash dump and identify the buggy driver the next step is to Repair that driver or fix the problem and there's a couple of options usually to do this one if it's a driver that you have recently updated and that update now is the Problem. You can in Windows XP and higher roll back to a previous version of that driver Otherwise, you need to either update the driver with a new version or disable it altogether Drive a rollback recovery feature added in Windows XP Causes the i/o system to keep a backup copy of drivers that have been updated that were previously installed in the windows system32 Reinstall backups folder. Let's bring up the command prompt to navigate to that folder We're in windows system32. We're gonna CD down to the reinstall backups folder into a directory and here we see Sub folders that contain updated drivers at various points in time We'll go to the most recent one Go to the drivers file subfolder, and here are a set of drivers that were updated that we could roll back.
Now the way to Activate the driver rollback is to go to my computer Properties Go to the hardware tab click on Device Manager Choose the device that you'd like to rollback. Let's take for example your sound device Well pick sorry the one of the network drivers right click properties on the device and Go to the driver tab And you'll see the roll back driver button and as the text says on the bottom if the device fails after updating the driver rolled Back to the previous version. This is something you can perform in safe mode. So if the system Is not booting because the updated driver is causing the crash or a hang boot in safe mode and roll back to a previously known Good copy of the driver now If you don't have a previous version It's a driver that you just installed or hasn't changed since you first installed it and you've gotten through several reboots so that there's no backup version of it to roll back to your Alternative then is to go check the vendor site for an update If there is none and you've determined that this driver does have a bug in it and you care your system can run ok without it The next step is to disable the driver altogether and you do that from the same place the device manager that dave was just showing you I'm gonna pull up the device manager again and Double click or take a look at the properties for that same network driver and you can see on the general tab it says device usage down here at the bottom use this device or enable that Turns into a drop down where the other choice is to delete disable the device.
And so that's what you want to pick Now certain types of device drivers don't show up in this list because this device manager by default will only show you plug-and-play related or Hardware related device drivers to see those other types of drivers that aren't related to plug and play devices that could still be responsible for problems during the boot process Go to the View menu and select show hidden devices and what you get is a new node there that appear is called non plug-and-play Drivers open up that node and you'll see the entries for device drivers that don't have any associated physical Hardware For example, the windows mount manager and when you open the properties for that You still get the ability to enable or disable those devices or those drivers if you're talking about? Rootkit based malware that installs itself as a driver that you want to disable Those will almost always show up in this part of the device manager If you can't determine the faulty driver So you're getting crashes that don't have a repeatable pattern or reporting off as the culprit being Windows core system file system drivers Then you want to try enabling driver verifier driver verifier was a tool added in Windows 2000 it's present on all Windows systems client and server since Windows 2000 and It permits you to enable some rigorous checking such that if a driver performs an illegal operation It will be caught more likely at the point it performs that legal operation so that the crash more directly points at the culprit If driver verifier doesn't produce a useful crash Then you may be left with looting the system in Safe Mode and try disabling drivers that you don't need so that You arrive finally at a system that boots so disabled drivers that Aren't being loaded in the safe mode subset one by one go boot normally if the system boots then you've now isolated the driver and Really as a last resort system of store because System Restore means you're going to undo changes And software installations that you'll have to go repeat in some Circumstances safe mode might fail the same way that normal boot does and that would occur if safe mode includes the same problematic driver that the normal boot does safe mode for example will automatically load all boot start drivers those drivers that are considered essential to the system even getting up and running and If a problem occurs in one of those drivers safe modes also going to fail malware for example rootkit kernel mode based malware often times now marks itself as a boot start Driver Specifically so that it can also interfere with the operation of safe mode and prevent you from cleaning the malware from safe mode So if you're having a situation like this you could boot into the recovery console and Look at the last line of a file that you can generate using the special boot options menu called a Windows boot log Windows boot logging is an option if we go If we which we saw earlier on the special boot options menu That causes the system when it's booting to record a list of all the drivers loaded in a file called NT boot log Text in the windows directory So if you enable boot logging boot the system, normally it's gonna crash or hang then reboot the system in safe mode I'm sorry reboot in the recovery console Look at that look at the boot log Text file that was generated and tried to determine what the last driver Loaded was or perhaps look at inspect that file for a list of the drivers being loaded and maybe you're gonna see one Something malicious or suspicious that shouldn't be there If you find the driver that's loading that you suspect is causing the problem You can disable it from the recovery console with the disabled command so a final alternative to troubleshooting a crash that's occurring in normal boot and safe mode is to connect to that machine with the kernel debugger so that you can Connect with that machine and look at the state of it at the time of the crash because crashes that happen early in the boot process won't generate crash dumps, even if you've configured them to do so and one of the ways that you can configure the target system the one that's exhibiting the problem to boot in a way that causes the kernel debugger part of the kernel to activate and wait for Connection from another machine is to boot it into one of the two debugging mode which you can get to through that special f8 boot menu If we go back to our VM that's ready sitting there at the the boot menu.
You can see debugging mode down here now this is not the preferred way of booting a machine into kernel debugging because Debugging mode here chooses default conservative boot options or debugging options for example It chooses a serial port on the system serial port 2 and it chooses a very low baud rate 19200 Which is painfully slow to debug over. So what we recommend instead is that you get into the recovery console for example edit boot dot ini' and Add an entry into the boot dot ini' that adds the correct the debug parameters that are Enable faster debugging for example specifies that you debug over a I Triple E firewire if the system supports firewire and you're winning running Windows XP or later at the minimum Specified serial port in the maximum supported baud rate which is 115 200 which is significantly faster than the default At the time of the crash you'll be able to Access the machine and then take a look around to see what the cause might be So if you've booted the target system in debugging mode Whether you chose to just press f8 and choose the defaults or you've configured the boot dot ini' in the target machine To use one of the more advanced options or a faster baud rate.
You're going to then bring a host computer Perhaps a laptop with a Windows debugging tools installed connected to the target computer using the appropriate interconnect serial, no modem cable or firewire for using it in Windows Vista USB 2 o is going to be supported and You're gonna start the debugger and choose in the windy B win debug menu the option to connect to the target Specifying the proper connection and let's go take a look at that option. We're going to go to the Start menu all programs debugging tools for Windows windbg and on the file menu the option to connect to remote kernel debugger is file kernel debug and You can see there's several tabs. The default tab is using a serial comport then we have firewire USB 2 o So for example, if I pick the comm one on this system, we can see the debugger then is now waiting to connect if the system had crashed and we were connecting to an already crashed system that was booted in debugging mode the connection would occur and We would see actually the bug check code the reason for the crash displayed If we were trying to connect to a system that was hung we would have to at this point click debug break which would send the appropriate commands over the interconnect to break into the kernel debugger on the target system and Allow us to then go inspect and see what was what was going on at the time of the crash or the hang Once you've connected windbg to the target You can use Wendy BG's built-in crash dump analysis.
Command bang analyze – V windbg will present to you the reason for the crash and The potential culprit and it will say probably caused by and give a driver name and it may or may not be that driver There's some other advanced techniques that we cover in our question of analysis video that will Help you to take the output from windbg interpret it and decide whether you need to take further steps Like enabling driver verifier to try to get a better crash If at this point, you're not able to solve the crash But you'd like to make a copy of the crash so that somebody else could work on it You can make a copy of the system's State by using the dot dump command to save the dump file for later analysis on the host machine Keep in mind that that's going to be a slow operation If you're doing a full memory dump copy over a serial cable You could choose for example very quickly to make a mini dumb dock dump /in Makes a mini dump and that's gonna be a quick operation even even using the slow baud rate default settings So we've just briefly touched on crash dump analysis using windbg to analyze crash dumps connecting host and target systems together You're gonna find a lot more details about that in the debugging tools help file The debugging tools are a free download from Microsoft comm just go to the Microsoft home page and search for debugging tools Make sure that you have the latest copy because they update the tools quite frequently you can also find more details in our book Windows internals the last chapter covers crash dump analysis techniques and Our video on crash dump analysis will walk you through many of these scenarios and more including advanced techniques for manual crash dump analysis Let's talk about some of the errors you can count or after the system's booted and you're going through the logon process and these types of errors can manifest themselves as hangs as Error messages that windows or other applications present to you or as a crash One of the errors that might be occurring on your system that you might not even ever realize Is that one of the automatic start services or auto start drivers is failing to start and you're not Knowing about that because by default Windows on client systems professional systems And home systems is configured not to pop up a dialog box that tells you one or more Drivers or services have failed to start that by default will only show up on server systems so what we recommend you do to see if you're actually encountering that kind of error and might not be aware of it is to go into your Windows system event log and you can do that by going under the Administrative Tools Event Viewer and Going into the system event log looking for a red Indicator that there's an error like that although I don't have seem to have any one or more drivers or services failed to start errors and identifying the cause the particular driver service that might be encountering or Investigating the cause of the error and then fixing the error now It's helpful in diagnosing problems during the logon process to understand exactly what happens when you do log in so when you press control Delete on the keyboard that keystroke sequence is processed by win logon the logon process which then presents the logon dialog and The default logon dialog captures user name and password could also be using smart card authentication Sends that password and user name to the local security authentication Server process LS a SS on your system now LS a SS may have to perform further Operations like pass that on to a remote domain controller for authentication so whether it's a local account or a domain login else asks If the proper password and user name combination was entered Returns back to win logon a data structure called the access token the security credentials that represent the user logging in Win logon uses those credentials to create your initial process and from that initial process all the rest of the processes come to life That initial process is user renege many think that it's explored at eggsy.
In fact user in it That eggsy is what by default runs explorer. Now if we go to the registry key HK local machine software Microsoft Windows NT Current version win logon will find a registry value underneath called user in it. So let's go look at the registry editor And we'll go up to H key local machine software Go down to Windows HG local machine software Microsoft Windows NT current version win logon and on the right We see a number of registry values that affect the logon process the one that's referenced first by win. Logon is user in it which if we zoom in we can see is set to user in it XE there is a comma if you look closely following user in eggsy and it is possible that other programs can be added to this key in that case when logon will create user in it as A child process followed by the other processes listed there Once user and it starts it performs some setup runs the logon script if configured and then eventually runs the shell if you go up if we look back at The registry editor there's a registry value called shell and the default shell of course is explored eggsy By the way, you can reconfigure the shell if you don't like the Explorer GUI You can run CMD you could run a UNIX shell you could even run solitaire as a shell for that matter explored that exit the default shell then starts and explored at eggsy has yet another set of registry locations that it looks at for things to start and also folders like the start startup folder there are literally dozens of locations where when called windows extension points where The current the operating system or add-on components to windows like explorer or other applications.
Go look to see if There's other things that they should load or run Most of you are probably familiar with the tool that was introduced in Windows XP called MS. Config. I'm gonna run Emma's config by going to the start run menu and typing MS config and The tab that's related to startup problems is over here on the far right startup what you see here is a list of some of the Components that are configured to run automatically when I log into this machine Unfortunately ms.
Config doesn't give us a whole lot of information about the items that it does show us here. For example a Gr. M msg. It doesn't even tell us where that image is located much less who made it and what it's for so Ms. Config stops a little short, and that's where a tool from sysinternals code called auto runs picks up I'm going to launch Auto runs here and What outer ones does is scan any of an wide number of locations looking for? entries that specify automatic start items it categorizes the various auto start locations and places the items that Belong in that category under various tabs so you can see if organs instance Here's the logon category and the logon category corresponds more most directly to what you see NMS config if we go to the Explorer Tab we see items that are configured to add on to Internet Explorer like protocol filters or protocol handlers Set up installed components if we're go to Internet Explorer For example, we see the infamous browser helper objects that are configured on this system They're scheduled tasks auto start services Any driver that's not disabled is shown here items that execute in boot time by session manager We talked about that earlier in this presentation that Auto Check is one of the default configured Images here Auto Check is the boot time check test utility image hijacks a pin it's known dll's win log on UI host and notification dll's windsock providers print monitors and LSA providers and I wish auto runs didn't have to show you so many locations but the fact is malware is getting very sneaky and Tricky about where it configures itself to automatically launch Hoping that you're using a tool like MS config for example to go look for them because you're not going to see them For example here on the everything tab.
Where a Where auto runs consolidates all of the other tabs into one view You can see an entry that we didn't see when we were looking at the auto starts and MS config an entry that Looks 12 it's identifies itself as a virus. It looks like it's built in part of Windows It's got actually a icon That is similar to another component inside of Windows and even identifies itself as Windows NT logon helper application from Microsoft Corporation well, the fact that malware these days is trying to pretend to be from Microsoft to blend into the background and that this view is just an overwhelming amount of information Autoruns has a couple of options to help you zoom in on Things that might have been added after the system was installed and might include malware that is causing you problems Those two options are here first verify code signatures and hide sign Microsoft entries And if I do us another scan with those options in place Autoruns will only show us items that haven't been digitally signed by Microsoft We can see unfortunately that on this system that includes a number of items that are from Microsoft and I verified our legitimate Microsoft images like these Protocol filters that are part of the.net runtime Microsoft has not digitally signed these yet I'm hoping that they will at some point but now the list is a little bit more manageable Now here this definitely stands out as problematic and it's not verified for Microsoft Just like these other locations that are not verified by Microsoft But we know to be from Microsoft What we can do to investigate this further because we might not be familiar with it or I've ever seen it you can right click and then Do a web search to see if any other people have come across it or an A virus company has identified it as being malicious By default the search engines Google and what Dave and I do before we go to Microsoft is we be politically correct? So we go to the options menu and change the search engine to MSN search So that when we show up on campus to do a demonstration here that they don't start throwing stones at us Another way that to look more closely at one of these auto start locations is to look at the properties which Process Explorer shows you a subset of down here at the bottom of the display You can see that tells you the time stamp on the image file and what the version number with it the size which might be relevant to distinguishing this a malicious image from one that's legitimate and You can even go to the location where this item is configured in the registry or the file system So if I select jump to this is going to open regedit up which we've got running already.
So let me pull Regedit and it's going to have taken us right to that registry value where logon help is configured so we could go in there and see if maybe there's command-line arguments that might Distinguish this as a malicious application Finally Just like an MS config. You can both delete items or you can disable them So if you're not sure or you believe that an item might be interfering with the logon process or the boot process You don't want to get rid of it altogether. You can simply disable it Try rebooting or REE logging on and seeing if the problem goes away And one way to keep track of changes to your autostart configurations is to save the list To a file and once you've saved the list and you subsequently do scans You can compare the current scan with the previously previously saved scan by going to the file menu and doing a compare compare will ask you to point it at a previous scan and any items that are new and As of the current scan will show up highlighted in green Allowing you to zoom in on stuff that's changed since the last time you might have done a scan This is just a great tool mark and it's really amazing to see how much information that it exposes an auto start locations and windows But this GUI tool Isn't really usable in a network environment where a system administrator Might want to go scan all these Auto Start locations across all the workstations or servers on the network.
Is that possible? Yes That's possible because when you go download Auto runs from sysinternals the zip package actually contains within it this GUI and a equivalent Command-line tool called Auto runs see auto run see has command line switches that let you specify which of these auto start Categories you want it to dump information for to omit the assign Microsoft entries and check for signatures. For example And you could even run this on remote systems using the PS exact tool from sysinternals, which we've seen and used in this Presentation to launch applications in the local system account PS exec was really designed to launch applications on other machines so you would specify a remote machine specify auto run C and Specify switch that causes PS exec to copy Auto and C to the remote system capture that back to the local system in a file for example, and the file you can even specify auto run C to Specify in tab-delimited format so you could then Pull that information to into a database and then keep a collection of your auto start locations across machines in your enterprise Run sequel queries against them to look for malicious applications or signs of Abnormal activity and I know one of the things you out of the PS exec a while ago is the ability to specify a text File with a list of computer names so you could develop your own in-house list of computers workstations And/or servers to scan and in single PS exec command go run auto run see on all the workstations and servers in your enterprise So With a tool like Auto runs, we can see that if you're facing errors during the logon process This will be one of the first things you're going to want to run to try to do an inspection Do you recognise everything that is starting when you sign in is everything explainable should everything be there? if not try disabling the auto start locations that you think might be causing the problems to isolate the issue and if that solves the issue you've You've eliminated an error during the logon process however, if you're still having errors that are not explainable by simply inspecting the auto start locations You may want to engage another pair of sysinternals tools That are considered the Swiss Army knives for application troubleshooting and that's file Mon and regimen file mano regimen our tracing tools file montre Singh file IO regiment Racing registry accesses and in many many cases It's either file miss configuration or missing files or registry data that's missing or misconfigured That is the root cause for strange error messages or failures in any application including ones that may be started during the logon process One very common issue is permissions problems files folders or registry Keys that are locked down so that they can't be accessed by an application This has been such a common problem that mark and I've run into that when we use file.
Mana, regimen I get a capture of IO activity will first look at the log for access denied errors before we go then try to interpret what's actually going on in File Mon you might look for file not found there's files that are missing somehow or Accesses to files that are occurring in a strange way reading at strange points in the file be on end to file all of these Could be clues to corrupt files that are causing other applications to fail Now one of the problems with running file mana regimen to try to diagnose problems that are occurring during the logon process Is that it might not be possible? Using the standard auto start locations to configure them to launch early enough to capture what's going on If you simply run them as well and then log off and try to log back in and hope that they're running They won't survive the logon process because like all other processes that are running on the interactive desktop Windows terminates them During the log on log off rather so to get file mana regime' on running such that they can survive the log off and then monitor through the subsequent logon You need to run them in a different security context One security context that PS exact makes it very easy to run.
These tools in is the local system account So I'm going to open a command prompt and show you the launching of Reg Mon, for example in the local system account. So I'm going to launch PS exec Type – s – have it launched in the local system account Type – I to have its GUI appear on the interactive desktop if I omitted the – I Regimen would still run but we wouldn't be able to see it because it would be on the services non interactive desktop and Type – D to have PS exact launch the process and then return immediately to the command prompt without waiting for that process to exit I'm going to specify the path to red Mon And enter the command and Now reg Mons appeared on my desktop, but it's actually not running in my security context It's running in the local system account.
And if I bring up process explorer, we can verify that by Finding reg Mon here in the process tree, which is down here. Double-clicking Going to the image tab and singing Down here that it's running as anti Authority system. The local says the local system account so now if I were to log off at this point Regt would remain running would disappear from the desktop But when I log back in it would reappear and have captured everything in the in the meantime And then I could diagnose the cause of the problem that I was after one other Slight variant of what Mark said is configuring fom on a reg Mon to start at system boot time so versus using PS exact Configuring file on a regiment as a service an interactive service so that when the system starts they begin running that could be useful to perhaps Track down errors during the boot process later parts of the boot process as well It's a login process that could be done first by using the Cerveny service Which is part of the windows resource kit tools or you could manually create a service to run the command prompt to launch file mono regimen and The command prompt process will exit fom on a regimen will remain and in that way you've got file mana and regimen running even before the first logon