
Tools and Troubleshooting

Microsoft Windows® XP New Hire

Microsoft Confidential – Provided Under NDA


© 2004 Microsoft Corporation. All rights reserved.

Microsoft, Internet Explorer, and Windows are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.

THE CONTENTS OF THIS PACKAGE ARE FOR INFORMATIONAL AND
TRAINING PURPOSES ONLY AND ARE PROVIDED "AS IS" WITHOUT
WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

No part of the text or software included in this training package may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or any information storage and retrieval system, without
permission from Microsoft®. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication. The names of actual companies and
products mentioned herein may be the trademarks of their respective owners.

To obtain authorization for uses other than those specified above, please visit the
Microsoft Copyright Permissions web page at
http://www.microsoft.com/permission/copyrgt/img-req.htm.

This content is proprietary and confidential, and is intended only for users described
in the content provided in this document. This content and information is provided
to you under a Non-Disclosure Agreement and cannot be distributed. Copying,
disclosing all or any portion of the content and/or information included in this
document is strictly prohibited.
Table of Contents

Introduction .................................................................................. 6
System Restore.............................................................................. 7
What System Restore Does ....................................................................7
System Restore Boundaries....................................................................9
Architecture Overview ..........................................................................10
Summary........................................................................................... 12
System Restore Configuration...............................................................14
Drive Frozen Due to Low Disk Space ..................................................... 15
System Restore Points ..........................................................................18
Data not in a Restore Point .................................................................. 19
System Restore Timeline ..................................................................... 19
Using System Restore ...........................................................................22
System Restore in Safe Mode: .............................................................. 23
Restoring ........................................................................................... 23
Troubleshooting System Restore ..........................................................27
Functionality in Safe Mode Scenarios ..................................................... 29
General Troubleshooting ...................................................................... 30
Resources .......................................................................................... 37
System Restore and Service Pack Installation ......................................39
WFP/SFC ..................................................................................... 41
Windows File Protection and Driver Signing .........................................43
What is WFP? ........................................................................................45
How WFP works .................................................................................. 45
WFP Allowable Updates........................................................................ 47
WFP Utilities ....................................................................................... 48
WFP Configuration............................................................................... 48
Windows File Protection Troubleshooting................................................ 49
Diagnostic Tools .......................................................................... 53
Documentation Resources ....................................................................54
Help and Support................................................................................ 54
Resource Kit....................................................................................... 55
MSDN – Advanced Documentation ........................................................ 55
Windows Hardware and Driver Central................................................... 55
MSConfig...............................................................................................57
MSInfo32 ..............................................................................................61
Event Logs ............................................................................................63
Using Event Logs for Troubleshooting .................................................... 63
MPSReports ..........................................................................................67
Error Reporting .....................................................................................69
Dr. Watson ............................................................................................71
Cacls .....................................................................................................73
Support Tools........................................................................................76
RASDiag ............................................................................................ 76
Windiff............................................................................................... 79
Recovery Console......................................................................... 81
Using Recovery Console ....................................................................... 82
Performing Troubleshooting in Recovery Console .................................... 86
Recovery Console Details ..................................................................... 97
Kernel Errors ............................................................................. 101
Why do you need to know about Kernel Mode error messages? .............. 104
What is a Kernel Mode Error? ............................................................. 104
Stop Messages ................................................................................. 105
Stop Error Troubleshooting .................................................................109
Troubleshooting Information to Gather from Stop Messages ................... 109
Troubleshooting Steps ....................................................................... 109
Disable Automatic Restart on System Failure........................................ 112
Specific Bugcheck Codes .....................................................................114
0x0000000A: IRQL_NOT_LESS_OR_EQUAL .......................................... 114
0x0000001E: KMODE_EXCEPTION_NOT_HANDLED................................114
0x0000007B: INACCESSIBLE_BOOT_DEVICE........................................115
0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED .................115
0x0000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED.....................116
0x000000C2: BAD_POOL_CALLER .......................................................116
STOP: C0000135: {Unable To Locate Component} ................................116
0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED .......................117
0xC0000221: STATUS_IMAGE_CHECKSUM_MISMATCH..........................118
User Mode Errors ....................................................................... 121
Application Errors............................................................................... 122
User Mode Errors ................................................................................ 123
Why do you need to know about User Mode Error messages? .................124
What is a User Mode Error? ................................................................124
Troubleshooting ................................................................................127
Registry Troubleshooting Techniques ........................................ 131
What Is the Registry?......................................................................... 132
Registry Structure .............................................................................. 134
What Is the Registry Editor? .............................................................. 137
Registry Editor Features .....................................................................137
Registry Troubleshooting Techniques................................................. 140
Prune and Graft.................................................................................140
Monitoring Registry Access .................................................................141
Registry Corruption Troubleshooting.................................................. 144
Considerations ..................................................................................144
Precautions.......................................................................................145
Recovery Steps .................................................................................145
Remote Assistance..................................................................... 153
Using Remote Assistance ................................................................... 154
Creating an invitation.........................................................................154
Send the Invitation ............................................................................154
Using an Invitation ............................................................................156
Taking Control ..................................................................................156
Session Considerations.......................................................................156
Remote Desktop and Remote Assistance Compared ........................... 159
Intended Purpose and Audience ..........................................................159
Obtaining Access Rights .....................................................................160
Initiating a Session ............................................................................160
Comparing the Client Views ................................................................161
Comparing the Remote Consoles .........................................................162
Terminating a Remote Session ............................................................162
Comparing User Control .....................................................................162
Summary .........................................................................................162
Troubleshooting Remote Assistance ................................................... 164
Connections......................................................................................164
Resources........................................................................................... 168
Data Loss/Data Recovery Discussion......................................... 169
Before Any Troubleshooting ................................................................169
Understanding where Data Loss is Possible ...........................................169
Setting Expectations ..........................................................................172
Table of Figures
Figure 1: System Restore Welcome Screen ............................................................................. 7
Figure 2: System Restore Wizard Options ..............................................................................11
Figure 3: Filter Driver Architecture........................................................................................12
Figure 4: System Restore Configuration ................................................................................14
Figure 5: Settings for C: drive..............................................................................................15
Figure 6: Use the DCU to make more space ...........................................................................15
Figure 7: Registry keys .......................................................................................................18
Figure 8: System Restore timeline ........................................................................................19
Figure 9: Filelist.xml ...........................................................................................................20
Figure 10: Accessing System Restore through MSconfig ..........................................................22
Figure 11: Accessing System Restore through MSinfo32 ..........................................................23
Figure 12: System Restore Wizard........................................................................................24
Figure 13: SRDiag ..............................................................................................................27
Figure 14: Successful file restoration logged ..........................................................................45
Figure 15: Prompt for CD ....................................................................................................46
Figure 16: Event cancelled...................................................................................................46
Figure 17: Unsigned drivers .................................................................................................46
Figure 18: Run Sigverif .......................................................................................................50
Figure 19: Unsigned drivers listed by sigverif .........................................................................51
Figure 20: System Configuration Utility .................................................................................57
Figure 21 – Looking for Errors later than Event ID 6005 ..........................................................64
Figure 22 – Event Log Error .................................................................................................65
Figure 23 – Error Reporting .................................................................................................69
Figure 24: Windiff...............................................................................................................79
Figure 25 – Press R to Start Recovery Console .......................................................................83
Figure 26 – Select Installation..............................................................................................83
Figure 27 – Logon and Command Prompt ..............................................................................84
Figure 28 – Fixboot.............................................................................................................88
Figure 29 – Fixboot.............................................................................................................89
Figure 30 – FixMBR.............................................................................................................90
Figure 31 – Diskpart ...........................................................................................................94
Figure 32 – Diskpart ...........................................................................................................96
Figure 33. Kernel Mode Error (Stop Error) ...........................................................................101
Figure 34. Startup and Recovery Settings............................................................................103
Figure 35– Kernel Mode Error - Stop Error ...........................................................................106
Figure 36. User Mode Error ................................................................................................123
Figure 37 - Error Reporting Dialog Box ................................................................................125
Figure 38 – Error Details Dialog box....................................................................................126
Figure 39 – Hives in Regedit ..............................................................................................134
Figure 40 – Keys in Regedit ...............................................................................................135
Figure 41 – Regmon Output ...............................................................................................142
Figure 42 – System Volume Information Security .................................................................148
Figure 43: Select how you want to contact the helper ...........................................................155
Figure 44: Start a Help Session ..........................................................................................156
Figure 45: Remote Desktop client view ...............................................................................161
Figure 46: Remote Assistance client view ............................................................................161
Figure 47: Novice is behind a NAT ......................................................................................165
Figure 48: UPnP NAT.........................................................................................................165
Tools and Troubleshooting Introduction

Introduction
Module Objectives:
Discuss:

● System Restore

● WFP/SFC

● Diagnostic Tools

● Recovery Console (RC)

● Kernel Errors

● User Mode Errors

● Registry Troubleshooting Techniques

● Remote Assistance

6 Microsoft Partner

System Restore
If users experience a system failure or another significant problem, they can
use System Restore from Safe Mode or Normal Mode to go back to a previous
system state, restoring the system to working order. System Restore monitors
changes to system files and some application files in real time, recording
the previous versions before the changes occur. Restore Points contain a
snapshot of the registry and may contain key system files that have been
changed. Restore Points are created at the time of significant system events
(such as an application or driver install) and periodically (every 10 hours
of session time or 24 hours of calendar time). Additionally, users can create
and name their own Restore Points at any time. This allows the user to "roll
back" the state of the system to a previous time when everything was working.

Figure 1: System Restore Welcome Screen

What System Restore Does


System Restore monitors key application and system files during installation
of new programs or driver files, keeping the version information of the
system files in the restore point. It also takes a snapshot of the registry
hives it restores (HKEY_LOCAL_MACHINE and HKEY_USERS), and works in
conjunction with Windows File Protection to record and store the versions of
the system files that were on the system when the snapshot was created.
System Restore is supported in Safe Mode and in Normal Mode. The only
difference between restoring in Safe Mode and in Normal Mode is that in Safe
Mode it does not create an Undo Restore Point. Normal Mode creates an Undo
Restore Point, which makes it possible to revert from a failed restore or to
undo the restoration.


The design of System Restore is such that the user never needs to explicitly
take manual snapshots; the backup is done silently in the background.
Windows XP provides meaningful Restore Points that correspond to major
system change events (e.g. application installation). When a problem occurs,
users can roll back their system to the state recorded by a restore point
(e.g. before application XYZ was installed and the machine's problems began).

The twenty-four-hour calendar-time and ten-hour session-time Restore Points
cover those system changes that are not otherwise tracked. System Restore
does NOT monitor user data (i.e. anything in My Documents, or files with
known data extensions such as .doc, .xls, .mdb, .pst, etc.). This prevents
the user from losing data when a restore is performed.

System Restore actively monitors and records changes to a select group of
system and application files specified in an "include list." These file
copies are logged, compressed and stored locally in a protected directory, or
data archive. For every restore point created, System Restore takes a full
registry snapshot. These registry snapshots are also logged and stored within
the data archive.

When a customer needs to revert his/her PC to a time before a destructive
change occurred, the System Restore UI presents a restore point catalog
which displays the restore options for a selected day.

Restore Points can take the following forms:

● Periodic (called “system checkpoints”)

● Application installs with friendly names

● Manually created, user-named Restore Points

● Restore operation providing undo capabilities

Once the user selects a restore point, System Restore creates a restore map
and conducts the restore by specifying:

● The file operations necessary to revert the system to the selected point

● The registry snapshot that will replace the current registry

Note:
A user can choose which drives System Restore monitors on its Properties
page; however, it is not possible to disable System Restore on the system
drive and leave it enabled on non-system drives. The list of excluded and
included files (SFP) is in %windir%\System32\Restore\filelist.xml.

The combination of a wizard-like step-by-step restore UI with meaningful
restore point choices is intuitive and non-intimidating, enabling even the
most novice customers to undo system changes without assistance.


Note:
System Restore does not back up data and so cannot be used to perform a
backup for purposes of protecting data.

Note:
System Restore can be used to revert Windows XP to before the installation of
Service Pack 1 (SP1). This may cause PPPoE to break in Windows XP
networking as described in Q320558.

Note:
When performing troubleshooting in Windows XP, it is often necessary to
perform a Clean Boot with all services disabled using the MSConfig utility.
When this is done, the System Restore service is also switched off, which
removes all saved Restore Points. Try System Restore to solve the issue
before disabling the service, or do a Clean Boot that leaves the System
Restore service running.

System Restore Boundaries

System Restore is meant to be a system stability recovery tool. It has many
limitations that make its use for other tasks undesirable. For instance,
System Restore does not monitor or restore the contents of redirected
folders. System Restore does not monitor any settings associated with roaming
user profiles. Internet Explorer items such as cookies, favorites, and the
browser history will not be restored. In addition, System Restore is not an
uninstall utility. If you create a restore point, install four applications
on your system, and then want to use System Restore to remove just one of
those applications, that is not possible: a rollback returns the whole system
to its state before any of the four programs was installed.

System Restore is not designed to back up or restore personal data. Many of
the common data types used on the PC are not covered by System Restore.
This means that if you have one version of a Word document and then restore
to a point two weeks earlier, you still have the same version of the Word
document on the system. System Restore is not a replacement for a full
backup, because only incremental changes to the operating system and
application files (not personal data) are saved. A complete or ASR (Automated
System Recovery) backup and restore is required to recover from problems that
cause your system to become unbootable.

Last, System Restore is not a virus protection program. The data archive no
longer restricts access by anti-virus utilities, so anti-virus programs can
now scan the contents of the System Restore .CAB files for infected files.
This matters because a restore point holds copies of monitored files: an
infected file captured in a restore point can be put back on the system by a
restore. The bottom line is that System Restore should not be relied upon to
fix viruses. It is possible to restore to a previous point and still have a
virus on the system.


Architecture Overview
To track and copy files before changes, System Restore uses a file system
filter driver that runs at the kernel level (in Kernel Mode). This filter
driver monitors file system operations and, for select file types and
operations, intercepts an operation (for example, DELETE FILE) and copies or
moves the original file before the operation completes. The file changes are
entered into a log, and the file copies and logs are stored in an archive on
the drive or partition where the original file resided. Change-based file
copying happens once per file per system session, or once per Restore Point.

The operations that the filter driver takes note of are known as
"interesting" operations, and include creation, deletion and modification of
monitored system files. Attribute changes or renames of a monitored file, and
ACL changes made to the System Restore data store or to monitored system
files, are also interesting operations. The System Restore filter driver
intercepts these calls as they arrive from the Win32 file system layer, logs
each change to a change log, and renames or copies the file to the data
store. After the change is logged, the operation is passed on through to NTFS
(or FAT) and allowed; that is, the change being requested is made to the
file.

The System Restore Wizard is provided to the user so that a simple interface
can be used to roll back the system. The wizard interface contains the options
to restore the computer back to a previous point, create a new restore point,
or undo a previous restore.


Figure 2: System Restore Wizard Options


Figure 3: Filter Driver Architecture


Figure 3 shows the architecture of the System Restore filter driver. In Step
One, the Win32 file system layer makes a call or takes an action on one of
the monitored system files. In Step Two, the System Restore filter driver
intercepts the call, makes a change-log entry and copies the file to the
data store for the current restore point. In Step Four, the call goes through
to the underlying file system, either NTFS or FAT. The driver copies each
file on first write and handles files that are open for exclusive access.

Summary

System Restore is a real-time change monitor-and-restore feature in
Windows XP. It uses a filter driver architecture to track changes to the
system, and provides a simple user interface for restoring and creating
Restore Points. System Restore automatically creates Restore Points and also
allows the manual creation of Restore Points. The Restore Points themselves
allow the user to return the system to a previous point in time, regain
access to the system, and return it to a stable state.


System Restore Configuration

This section covers the configuration of System Restore as well as its status
indicators and storage management. System Restore is configured on the
System Restore tab of the System Properties dialog box. Access it via Control
Panel > System > System Restore tab.

Figure 4: System Restore Configuration


The first option on the System Restore tab turns System Restore on or off for
all drives. Select this check box only if you do not want to use System
Restore at all; turning the service off removes all saved Restore Points. To
turn off System Restore for an individual drive instead, select the drive and
click the Settings button.


Select the drive that you want to modify and click the Settings button to
change how much space is allotted on each drive for System Restore.

Figure 5: Settings for C: drive


Move the slider to modify how much space is available for saving restore
points. The data store size is bounded below by 200 MB on the system disk (50
MB on other disks) and above by 12% of the disk. The default is the larger of
400 MB or 12%. When the space is filled, Restore Points are deleted on a FIFO
(first in, first out) basis: once usage reaches 90% of the maximum, the
oldest restore points are purged until usage drops to 75%, creating space for
new restore points. When the drive's free space falls to the Low Disk
notification threshold (50 MB), System Restore on that drive is frozen.
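The quota, purge and freeze rules above, as an added example (written for this page; it is not Microsoft's code and not part of this training package): a small Python simulation of the data store policy that uses only the numbers stated in the text. The drive sizes, the amount of space used by other files and the 100 MB and 60 MB restore-point sizes are constructed inputs, and the exact accounting of the real service is not reproduced; the point is to see how many checkpoints survive under a given slider setting and when a drive freezes.

```python
"""Simulation of the System Restore data store policy described above.

Added example for this page, not Microsoft's code.  The thresholds are the
ones the text states: minimum store of 200 MB on the system disk (50 MB on
other disks), maximum 12% of the disk, FIFO purge when the store reaches 90%
of its quota until it is back down to 75%, and a freeze when free disk space
falls to 50 MB.  All sizes are in MB; drive and restore-point sizes passed in
are constructed sample values.
"""
from collections import deque

MIN_STORE_SYSTEM_MB = 200
MIN_STORE_OTHER_MB = 50
MAX_FRACTION = 0.12
PURGE_HIGH = 0.90
PURGE_LOW = 0.75
LOW_DISK_FREEZE_MB = 50


def store_quota(drive_size_mb, slider_mb, system_drive=True):
    """Clamp a slider setting to the [minimum, 12% of disk] range."""
    floor = MIN_STORE_SYSTEM_MB if system_drive else MIN_STORE_OTHER_MB
    ceiling = drive_size_mb * MAX_FRACTION
    return max(floor, min(slider_mb, ceiling))


class DataStore:
    """Restore points on one drive, oldest on the left of the deque."""

    def __init__(self, drive_size_mb, other_used_mb, quota_mb):
        self.drive_size = drive_size_mb
        self.other_used = other_used_mb      # space used by everything else
        self.quota = quota_mb
        self.points = deque()                # (name, size_mb)
        self.purged = []                     # names removed by FIFO purge
        self.frozen = False

    def used(self):
        return sum(size for _, size in self.points)

    def free_disk(self):
        return self.drive_size - self.other_used - self.used()

    def add_point(self, name, size_mb):
        """Create a restore point; returns False if SR is (or becomes) frozen."""
        if self.frozen:
            return False
        if self.free_disk() - size_mb < LOW_DISK_FREEZE_MB:
            self.frozen = True               # Low Disk notification: SR suspends
            return False
        self.points.append((name, size_mb))
        # FIFO purge: at 90% of the quota, drop the oldest points down to 75%.
        if self.used() >= PURGE_HIGH * self.quota:
            while self.points and self.used() > PURGE_LOW * self.quota:
                self.purged.append(self.points.popleft()[0])
        return True

    def disk_cleanup(self, freed_mb):
        """Free space (e.g. via Disk Cleanup); SR resumes once 200 MB is free."""
        self.other_used -= freed_mb
        if self.frozen and self.free_disk() >= MIN_STORE_SYSTEM_MB:
            self.frozen = False


if __name__ == "__main__":
    # 10 GB drive, 5 GB already in use, slider at 2000 MB -> quota clamps to 1200 MB.
    ds = DataStore(10000, 5000, store_quota(10000, 2000))
    for i in range(1, 12):
        ds.add_point(f"rp{i}", 100)          # constructed 100 MB checkpoints
    print("kept:", [n for n, _ in ds.points], "purged:", ds.purged)

    # 1 GB drive with only 100 MB free: the first new point trips the freeze.
    small = DataStore(1000, 900, store_quota(1000, 500))
    print("created:", small.add_point("rp1", 60), "frozen:", small.frozen)
```

With the 10 GB drive the eleventh 100 MB checkpoint pushes the store past 90% of 1200 MB, so the two oldest points are purged and nine remain; on the small drive the first checkpoint would leave less than 50 MB free, so the drive freezes until Disk Cleanup frees enough space.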

Figure 6: Use the DCU to make more space

Drive Frozen Due to Low Disk Space

If System Restore has been frozen (suspended) on a single partition because
of low disk space, users see the "SR frozen" view for that partition. They
can still turn off System Restore (whether or not they clean up space), but
they cannot change the data store size. This screen links directly to the
Disk Cleanup utility so that space can be freed and System Restore can resume
automatically (if desired).

If a non-system drive is suspended, users see the Non-System Drive settings
view, which shows that the selected non-system drive has been frozen or
suspended. This dialog also links to Disk Cleanup, and the data store slider
appears grayed out until System Restore has resumed (once at least 200 MB of
space has been freed).


When the Multiple Drives suspended (frozen) view appears, all drives are
suspended because they are out of disk space. With multiple partitions, the
Disk Cleanup link is on the Settings dialog for each drive. The Settings
button is inactive (grayed out) for every non-system drive until the system
drive is monitoring again.

All drives are suspended or frozen whenever the system drive is frozen. When
users close the Settings dialog after running Disk Cleanup on C:, all other
drives show Monitoring as their status again.


System Restore Points

A Restore Point is a snapshot of system files and registry settings. It is
created either automatically or manually before key changes are made, to
allow users to choose previous system states. File compression is enabled
only on NTFS. The data is stored under <Drive letter>:\System Volume
Information; the Globally Unique Identifier (GUID) information is stored in
MachineGUID.TXT. The data in a Restore Point includes:

● Registry settings

● Profiles (local only; roaming user profiles are not affected by a restore)

● COM+ Database (DB)

● WFP cache

● WMI DB

● Internet Information Server (IIS) Metabase

● Files with extensions listed in the <include> portion of the Monitored
File Extensions list in the System Restore section of the Platform
Software Development Kit (SDK)

Note:
The Restore Point folder and its files are super hidden (they carry both the
Hidden and System attributes). Customers may need to change the view options
in Windows Explorer (show hidden files, and clear "Hide protected operating
system files") in order to see the Restore Point.

Figure 7: Registry keys


Data not in a Restore Point


Since the information in a restore point consists of the system registry files
and key application and system files, neither user-created data files, user
profile settings nor the contents of redirected folders are placed in a restore
point. Other key items that are not stored in a restore point are the Digital
Rights Manager (Windows Media Rights Manager) information, which keeps track
of a license's state (expiration date, number of plays allowed) by creating a
signed hash of the license file and storing it in a registry key; it also keeps
key license information in file format in the Documents and Settings\All
Users\DRM directory. Restore points also store nothing about the Security
Account Manager (SAM) hives (passwords are not restored) or any Windows
product activation settings. Directories or files listed under <exclude> in
filelist.xml are excluded, as are any files with an extension not listed under
<include> in that file. Items listed in both FilesNotToBackup and
KeysNotToRestore (HKLM\SYSTEM\ControlSet001\Control\BackupRestore\
FilesNotToBackup and KeysNotToRestore) are not restored.

System Restore Timeline


Look at the following timeline to see how System Restore works.

The timeline shows four points in time, T1 to T4. Actions: at T1 Office 2K is
installed; at T2 Evil App is installed; at T3 a System Checkpoint is created;
at T4 the system is restored to before Evil App was installed. Machine state:
Office 2K is present at every point; Evil App is present at T2 and T3, and the
state at T3 also includes the changes made between T2 and T3; after the
restore at T4 only Office 2K remains.

Figure 8: System Restore timeline


Figure 9: Filelist.xml


Using System Restore


There are three common ways to start the System Restore user interface.

● Start it directly by clicking on the shortcut icon

● In the Start menu by choosing All Programs > Accessories > System
Tools

● Clicking the System Restore icon

The name of the executable file is RSTRUI.exe, and it is located on the system
drive in the Windows\system32\restore subdirectory.

The indirect ways to run the system restore user interface include running
MSCONFIG.exe, MSINFO32, and the Help and Support user interface. After
running these three, select System Restore from the list of tasks that can be
run from each of these programs.

Figure 10: Accessing System Restore through MSconfig


Figure 11: Accessing System Restore through MSinfo32


The last way to be prompted to run the System Restore user interface is
when booting into Safe Mode. Booting into Safe Mode for the first time
automatically generates a dialog box that asks if you want to run the System
Restore user interface to recover a previously created snapshot of System
Restore.

System Restore in Safe Mode:


In Safe Mode, you can restore to any point, but you cannot create a restore
point (even a restore point associated with a restore itself). If you choose to
restore to a previous restore point in Safe Mode, there will be no Undo
operation for it since that would require creating a restore point for that
restore operation to be undone. Some points to remember about SR in Safe
Mode:

● If the FirstRun key is set and you boot into Safe Mode, Windows will not
initialize SR.

● If the FIFO condition is met, it will work as in protect mode.

● Freeze and Thaw should happen similarly to protect mode (except that no
restore point is created for a Thaw).

● File changes are monitored and recorded in Safe Mode as in protect
mode.

● There is no option to boot from an Emergency Boot Disk and undo a
restoration. Users will have to work with the Recovery Console (F8) and
use the Last Known Good functionality to get back to the GUI and go
back to the previous state.

Restoring
In the System Restore wizard interface there are three major choices:

● The user can create a restore point.

● The user can also restore to roll back system changes of the registry,
key system or application files. Also note that the Recovery Console
which would be used to repair a damaged installation of Windows XP
does not tie into the System Restore restore points and cannot be used
in that way.

● A user can undo a restoration. Undoing can simply roll back, or use a
previous snapshot of the system state to roll back, system changes that
have rendered the system unusable.

Figure 12: System Restore Wizard


Some useful things to know about System Restore:

● It creates a restore point when a point is restored to allow the undo of
the restore.

● It can restore a system to a state closer to when the problem started -
versus the ship image.

● It causes minimal impact on performance and disk space cost.

● “It just works:” no interaction is necessary until the user needs to
restore.

● There is no user data loss—restoring the system will not cause you to
lose changes to personal data files.

● It is automatic & easy for the consumer user, while flexible & powerful
enough for advanced users & administrators.


● It works in conjunction with WFP so that when the system is restored,
the WFP crypto DB will be rebuilt to represent the same state it was in at
the time the restore point was created. WFP protected file versions,
which are also restored, are checked against the database as it was at
the time the restore point was taken.

● Ensure System Restore works in a tiered approach with both Last
Known Good and Driver Rollback.


Troubleshooting System Restore


Two of the tools needed to troubleshoot System Restore are SRDIAG.exe and
the Event Viewer system log. SRDIAG, which is located in the Windows
system32\restore folder, is a tool used to collect information on System
Restore and Windows File Protection into a cab file. In Event Viewer, a user
can look for the event source of the SR service. The event log shows entries
such as low disk space conditions and when System Restore is enabled or
disabled on particular drives.

Figure 13: SRDiag

SRDiag
● Located in <systemdrive>:\windows\system32\restore

● When you run the tool, it creates a cab file at:
<systemdrive>:\Documents and Settings\<username>\Local
Settings\Temp\<computername>_mmddyy_nnnnnn.cab

● Can also be run from the command prompt by typing:
<systemdrive>:\windows\system32\restore\srdiag

● You can also specify the location where you want to place the cab, give
it a custom name, or add a file to the cab file, by typing the following
at the command prompt:

<systemdrive>:\windows\system32\restore\srdiag
[/Cabname:test.cab] [/Cabloc:"c:\temp\"] [/file:"c:\boot.ini"]
where:

/cabname is the full name of the cab file that you wish to use.

/cabloc points to the location where the cab is stored; this should have a \
on the end.

/file is the name and path of a file that you wish to add to the cab. This
switch can be used many times.

Resources
● KB Article: System Restore: Description and Functionality of Srdiag.exe
(Q302343)


Logging
System Restore creates log entries for every file copy it makes. Additionally,
every time a restore point is created System Restore must log it, whether or
not it is exposed to the user. This would include the restore operation in Safe
Mode. Although Windows does not create restore points in Safe Mode, it
makes a log entry when a restore from Safe Mode occurs for troubleshooting
and supportability.


Functionality in Safe Mode Scenarios


Listed below are six System Restore scenarios that customers experience when
trying to troubleshoot System Restore failures.

● System Restore does not record changes in compression, nor does it
undo them. This is because changes in compression do not cause the
system to fail.

● System Restore does not replace all files of a removed program. For
example, suppose an application is installed on Microsoft® Windows® XP
and SR takes a system snapshot. At some point later that application is
uninstalled, but the user attempts to roll the system back to the state
where the application was installed. While the registry settings and
some of the files may be restored to the application, not necessarily all
of the files will be restored. If the application does not work correctly,
then the application files should be reinstalled from the original media.

● System Restore and automatic restore points for unsigned drivers. When
an automatic restore point is created for an unsigned driver install, all
that is listed in the System Restore user interface is “unsigned driver
installation.” The name of the driver is not listed. This behavior is by
design.

● How System Restore handles password restores. In Windows XP and
Microsoft® Internet Explorer® the passwords are not restored, to
prevent rolling back to an older password that a user has forgotten.
However, application passwords and domain passwords are restored.

● System Restore is suspended on the system drive although there is
enough free space available. The situation here is that one of the
non-system drives has less than 15 megabytes of free disk space
available. To re-enable System Restore, the user must either disable it
on the drive with less than 15 megabytes free or free up at least 200
megabytes on the drive so that the suspend mode ceases.

● System Restore and restore points are missing or deleted. There are
five cases where restore points can become deleted.

○ If there is an out of disk space condition.

○ If the System Restore is turned off on a drive.

○ If you upgrade to a new operating system.

○ If you run the disk clean up utility.

○ When 90% of the maximum space is taken up, in which case the
System Restore algorithm will free up enough space to get to 75%
free.


General Troubleshooting
There are a number of general troubleshooting steps that can be followed
when a problem is encountered with the System Restore feature.

Most System Restore problems will produce an error message with a
description of the problem and suggestions to resolve it. When an error
message related to System Restore is received, recording it and following the
instructions is the first step in troubleshooting the problem.

Lack of disk space can cause System Restore to fail. Check that all drives with
System Restore enabled have the recommended 200MB requirements.

The System Restore service must be running. This can be checked through
Computer Management > Services, or by typing “net start” from the
command prompt. To access Computer Management go to Control Panel >
Administrative Tools > Computer Management > Services and Applications >
Services and look for System Restore Service.

System Restore must be enabled on each drive.

If necessary, System Restore can be started in Safe Mode. Proceed with the
restore process.

If there are fewer Restore Points than there should be, check to make sure
enough disk space is allocated to System Restore. You can check this by
going to Control Panel > System Properties > System Restore Tab > choose a
drive to check, click on Settings and check the size of the data store.

Information

See Q302796 - Troubleshooting System Restore in Windows XP for more
details.

Potential Issues
Four potential issues have been identified for System Restore:

● Users may experience confusion between the functions of SR and
Add/Remove Programs.

● Space allocated for System Restore is only used if needed.

● SR freezing due to low disk space.

● Users may also lose downloaded files or files with monitored extensions
that are not saved to specified directories.

The first two are a result of misconceptions about the feature and can be
rectified with user education. The last two are issues which have been
documented in Knowledge Base articles and for which steps to resolution are
available.


SR is not Add/Remove Programs


The first potential issue with System Restore is a misconception regarding the
functions of the SR and Add/Remove Programs features.

System Restore removes only files with monitored extensions, such as .ini,
.exe and .dll. Restoring to a point before an application was installed leaves
behind stray files that are unmonitored, which may lead to confusion as to why
the application was removed but some of its files were left behind.

This will typically affect home users, but can impact some businesses and is
of low impact. Various error messages may be received depending on the
application. Most will involve the inability to launch the application or missing
files, dll, etc.

Symptoms
Application files and directories left behind

Only monitored extensions are removed (.ini, .exe, .dll)

Possible error message regarding the unsuccessful launch of the application

Impact
Low

Home users

If System Restore is used to remove a program instead of Add/Remove
Programs, some files related to the program/application may remain after the
restore. Users should always use the Add/Remove Programs utility, and not
System Restore, to uninstall an application.

Similarly, removing a program and then Restoring the system to a point prior
to the installation of that program will not restore all of the files of that
program. Some files may be restored, but error messages related to that
program may result. User can then reinstall the application.

Steps to resolve this issue involve the following:

Users will have to find out what files related to the application are still on the
system and manually delete them.

Users will have to undo the Restoration.

Users will have to use Add/Remove Programs, and not SR, to uninstall/install
applications.

Users will have to reinstall the application and then use the Add/Remove
Programs to remove it and its files.

For more information, please see Q286143 - The System Restore Utility Does
Not Replace All the Files of Removed Programs.


Cause
Application was removed by using System Restore to restore the system to a
point where the program was not installed on the system yet.

Resolution
Manually delete applications files remaining on the system.

Undo the restoration.

Use Add/Remove Programs to uninstall/install applications.

Reinstall the application and then use the Add/Remove Programs to remove it
and its files.

Information

Q286143 - The System Restore Utility Does Not Replace All the Files of
Removed Programs.

Q293388 - HTML Files with .htm Suffixes and Shortcuts Are Displayed on the
Start Menu After a Restore Operation.

Space not Reserved for SR


Another possible issue involves the Hard Disk space that the System Restore’s
data store uses to save Restore Points. Users may believe that the space
allocated to the System Restore data store is not dynamic. In fact, the
allocated Hard Drive space for System Restore is used as needed and is not a
reserved block of space.

The impact is low and this issue will typically affect home users and
businesses. There are no error messages related to this issue. The resolution
to this issue is to explain how System Restore uses the data store space.

Symptoms
No error message

Users may believe space allocated to SR data store is not dynamic

Allocated Hard Drive space for SR is used as needed and is not a reserved
block of space

Impact
Low; Home users.

User education is the best action to take.

Users may be informed that the data store size is not a reserved space; it
is used on demand and always calculated as an effective size. For example, if
the data store size was configured to 500MB, of which 200MB has already been
used, and the current free hard disk space is only 150MB, then the effective
size is 200+150=350MB, not 500MB. In other words, the data store size is
always limited by the available free hard disk space.


It is important to note that if disk space utilization encroaches on the data
store size, with non monitored files for example, System Restore's data store
size will always yield to the system.
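The effective-size rule above and the purge rule from the earlier list of cases where restore points are deleted (90% of the maximum triggers a first-in, first-out purge) can be put together in one small model. The following is an added example, not Microsoft code; all sizes are constructed, and treating the 75% purge target as 75% of the maximum still in use is an assumption of the model.

```python
"""Model of how the System Restore data store grows, purges and suspends.

Added example, not Microsoft code. It reproduces the rules the text states:
the effective data store size is the configured size capped by used plus free
disk space; when usage reaches 90% of the maximum, the oldest restore points
are purged first-in, first-out until usage is at or below 75% of it (the text
says "75%"; treating that as 75% in use is an assumption of this model); a
drive with less than 50 MB free suspends SR and its restore points are lost;
SR resumes once 200 MB is free again. All sizes are in MB and are constructed.
"""
from collections import deque

SUSPEND_BELOW_MB = 50   # text: SR suspends when a monitored drive has < 50 MB free
RESUME_AT_MB = 200      # text: at least 200 MB free before SR resumes
PURGE_TRIGGER = 0.90    # text: purge starts when 90% of the maximum is in use
PURGE_TARGET = 0.75     # text: purge stops at 75% (assumed: 75% of maximum in use)


def effective_size(configured_mb, used_mb, free_mb):
    """Effective data store size: the configured size, limited by what the
    store already holds plus whatever is still free on the volume."""
    return min(configured_mb, used_mb + free_mb)


class DataStore:
    """One drive's System Restore data store."""

    def __init__(self, configured_mb, disk_free_mb):
        self.configured = configured_mb
        self.disk_free = disk_free_mb   # free space on the volume, outside the store
        self.points = deque()           # (name, size_mb), oldest first
        self.suspended = False

    @property
    def used(self):
        return sum(size for _, size in self.points)

    @property
    def effective(self):
        return effective_size(self.configured, self.used, self.disk_free)

    def _purge(self):
        """FIFO purge: once usage reaches PURGE_TRIGGER of the maximum, drop
        the oldest points until usage is at or below PURGE_TARGET of it."""
        limit = self.effective
        purged = []
        if self.used >= PURGE_TRIGGER * limit:
            while self.points and self.used > PURGE_TARGET * limit:
                name, size = self.points.popleft()
                self.disk_free += size
                purged.append(name)
        return purged

    def _check_space(self):
        """Too little free space suspends SR. The text lists an out-of-disk-
        space condition as one that deletes restore points, so the store is
        emptied and its space returned to the volume."""
        if not self.suspended and self.disk_free < SUSPEND_BELOW_MB:
            self.suspended = True
            self.disk_free += self.used
            self.points.clear()

    def create_point(self, name, size_mb):
        """Create a restore point. Returns the names purged to make room, or
        None when SR is suspended and nothing was created."""
        if self.suspended:
            return None
        self.points.append((name, size_mb))
        self.disk_free -= size_mb
        purged = self._purge()
        self._check_space()
        return purged

    def external_write(self, size_mb):
        """Unmonitored data consumes free space: the store yields to the
        system instead of holding its configured size in reserve."""
        self.disk_free -= size_mb
        self._check_space()

    def free_space(self, size_mb):
        """Disk Cleanup or deleted files return space; SR resumes once the
        volume has at least RESUME_AT_MB free again."""
        self.disk_free += size_mb
        if self.suspended and self.disk_free >= RESUME_AT_MB:
            self.suspended = False


if __name__ == "__main__":
    # The text's own figures: 500 MB configured, 200 MB used, 150 MB free.
    store = DataStore(configured_mb=500, disk_free_mb=350)
    store.create_point("office_install", 200)
    print(f"effective size: {store.effective} MB")   # 350, not 500
```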

To access the data store, right click on My Computer, choose Properties, click
on the Restore Tab, choose a drive you want to see the data store and then
click on settings. Move the slider to max or min to adjust the data store size.

Information

Q300044 – System Restore and Disk Space.

Cause
Misconception.

Resolution
User education.

Data store size is not a reserved space.

It’s used on demand.

It’s always calculated as effective size.

Information

Q300044 – System Restore and Disk Space.

Q301224 – System Restore: Restore Points are Missing or Deleted.

SR Freezes with Low Disk Space


Another potential support issue encountered with System Restore relates to
low disk space. When there is insufficient disk space System Restore can
suspend itself, affecting monitoring on all drives. These issues can be
encountered by anyone.

The System Restore Tab in the System Properties dialog box may indicate
that System Restore has been suspended across the entire system due to
insufficient free disk space on that drive. Attempts to launch System Restore
will generate an error message:
“System Restore is suspended because there is not enough disk space
available on the system drive (drive letter). To restart System Restore,
ensure at least 200MBs of free disk space are available on this drive. Do
you want to start Disk Cleanup to free more disk space now?
Yes No”

Symptoms
SR suspended; Error message.

Impact
High; All users.


Suspension of System Restore can occur if the disk space on any monitored
drive falls below 50 MB and an interesting event such as the creation,
deletion, or modification of a system file occurs on the drive.

To resolve this, users must free up at least 200MB of disk space on the
partition/drive that is causing System Restore to suspend or turn System
Restore off on that drive. System Restore can be disabled by clicking on the
System Restore Tab on the System Properties dialog box.

It is important to note that if the drive that is low on disk space is the system
drive and System Restore is turned off, it will be disabled on ALL drives.

Information

Q299904 - System Restore Suspended on System Drive Although Enough
Space.

Cause
Insufficient free disk space (less than 50 MB) when an “interesting” event
occurs.

Resolution
Free up 200MB disk space or disable SR.

If SR is disabled on system drive it will be disabled on all drives.

Information

Q299904 – System Restore Suspended on System Drive Although Enough
Space.

Q300044 – System Restore and Disk Space.

Q301224 – System Restore: Restore Points are Missing or Deleted.

Downloaded Files Lost after Restore


The last support issue predicted for System Restore involves downloaded
files. After performing a restore, users might find that downloaded files or
applications with certain extensions are missing. These issues could be
encountered by any user.

Users may lose downloaded files or files with monitored extensions (such as
.exe, .ini, .dll) if they are saved on directories other than the System
Restore’s protected directories, such as My Documents or Downloaded
Program Files or to a partition that has System Restore turned off. For
example, if Susan downloads download.exe from her email into
c:MyComputer\SusanFiles instead of My Documents, she will be unable to
locate her program there after performing a restore.

Although no error message is associated with this issue, users may not be
able to find the files they need.


Symptoms
No error message; Users cannot find files after a restore.

Loss of downloaded files or files with monitored extensions (such as .exe, .ini,
.dll) if saved to directories other than the System Restore’s protected
directories (My Documents, Downloaded Program Files, or to a partition that
has System Restore turned off).

Impact
Low to Medium; Home users.

Loss of files can occur because the user chose to download or save the files
on a directory other than My Documents or Downloaded Program Files or
saved to a partition where System Restore is turned off. If the files use the
extensions in the filelist.xml include list and are downloaded or saved to a
directory other than the ones mentioned above, they will be removed upon
restore when restoring to a point before they were downloaded/saved. This is
by design.

Resolving this issue can be done by a basic user and involves undoing the
restoration to return the missing files. This can be done by launching the
System Restore user interface in Start > All Programs > Accessories >
System Tools > System Restore and choosing “Undo my last restoration.”

In the future, if users want files with monitored extensions to remain
untouched (not restored or monitored) they can save/download them either
to My Documents, Downloaded Program Files, or to a partition with System
Restore disabled.
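The decision described here, and the include/exclude rules from the earlier "Data not in a Restore Point" section, amount to a three-part test on each saved file. The following is an added example, not Microsoft code; the filelist sample and the environment-variable values are constructed, and its element names only approximate the real filelist.xml.

```python
"""Which files does a System Restore roll-back touch?

Added example, not Microsoft code. It models the rule described in the text:
a file is monitored (and so removed when restoring to a point taken before it
was saved) only if its extension is in the <include> list of filelist.xml, it
is not under an <exclude> location, and its partition has System Restore
enabled. The XML below is a constructed sample whose element names only
approximate the real filelist.xml; the environment values are constructed too.
"""
import ntpath
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

SAMPLE_FILELIST = r"""<?xml version="1.0"?>
<filelist>
  <exclude>
    <dir>%systemdrive%\Documents and Settings\*\My Documents</dir>
    <dir>%systemroot%\Downloaded Program Files</dir>
    <dir>%systemdrive%\System Volume Information</dir>
  </exclude>
  <include>
    <ext>exe</ext>
    <ext>dll</ext>
    <ext>ini</ext>
    <ext>vbs</ext>
  </include>
</filelist>
"""

# Constructed environment used to expand the variables in the sample.
ENV = {"%systemdrive%": "C:", "%systemroot%": r"C:\WINDOWS"}


def expand(pattern, env=ENV):
    """Expand %var% references; everything is lower-cased because NTFS
    path comparison is case-insensitive."""
    pattern = pattern.lower()
    for var, value in env.items():
        pattern = pattern.replace(var.lower(), value.lower())
    return pattern


def load_filelist(xml_text, env=ENV):
    """Return (monitored extensions, excluded directory patterns)."""
    root = ET.fromstring(xml_text)
    include = {e.text.strip().lower() for e in root.find("include").findall("ext")}
    excluded = [expand(d.text.strip(), env) for d in root.find("exclude").findall("dir")]
    return include, excluded


def affected_by_restore(path, include, excluded, sr_enabled_drives):
    """True if SR monitors `path`, so a restore to a point taken before the
    file was saved removes it; False if the file is left alone."""
    drive = ntpath.splitdrive(path)[0].upper()
    if drive not in sr_enabled_drives:
        return False                      # partition with SR turned off
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    if ext not in include:
        return False                      # unmonitored extension (.doc, .mp3, ...)
    folder = ntpath.dirname(path).lower()
    for pattern in excluded:
        # the excluded folder itself, or anything beneath it
        if fnmatchcase(folder, pattern) or fnmatchcase(folder, pattern + r"\*"):
            return False                  # inside an <exclude> location
    return True


def files_lost_on_restore(paths, filelist_xml=SAMPLE_FILELIST, sr_enabled_drives=("C:", "D:")):
    """Filter a list of saved files down to those a roll-back would remove."""
    include, excluded = load_filelist(filelist_xml)
    drives = {d.upper() for d in sr_enabled_drives}
    return [p for p in paths if affected_by_restore(p, include, excluded, drives)]


if __name__ == "__main__":
    # Constructed sample: Susan's download, Bob's project, and files SR leaves alone.
    saved = [
        r"C:\SusanFiles\download.exe",
        r"C:\Documents and Settings\Susan\My Documents\download.exe",
        r"C:\MyProjects\myproject.vbs",
        r"C:\WINDOWS\Downloaded Program Files\control.dll",
        r"D:\Music\song.mp3",
        r"E:\Tools\util.exe",          # E: has SR turned off in this sample
    ]
    for lost in files_lost_on_restore(saved):
        print("removed by restore:", lost)
```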

Information

Q261716 – System Restore Removed Files After a Restore Procedure.

Cause
Files with extensions in filelist.xml will be removed upon restore unless saved
to My Documents, Downloaded Program Files, or a partition with SR disabled.

Resolution
Undo the restoration.

Case Study 1
Bob is a programmer and cannot find his Visual Basic project (myproject.vbs)
that he saved under C:\MyProjects. Bob has just used System Restore to
restore his system to a day before he started to work on this project. What
might be causing this issue? What options does Bob have for resolution? What
KB article can be referenced?


Answer
Since Bob restored his system to a day before he started working on his
Visual Basic project and his program has a monitored extension that was not
saved under My Documents, Downloaded Program Files or to a partition with
SR turned off, it was removed on the restoration process.

● KB Article: System Restore Removed Files After a Restore Procedure
(261716)

Resolution
Bob can Undo the restore and save the file to My Documents so it will not be
removed on future restores.

Case Study 2
Maria calls technical support complaining that she is constantly losing her
Restore Points. She claims that when launching System Restore this morning,
she had 5 Restore Points and now she only has 1. What might be causing this
issue? What options does Maria have for resolution? What KB articles can be
referenced?

Answer
When checking on Maria’s system, the support professional discovers that she
has her hard drive partitioned in 3 partitions. One of the partitions where she
saves her MP3s has only 50MB of free disk space. This is causing System
Restore to suspend and purge Restore Points.

● KB Article: Q299904 – System Restore Suspended on System Drive
Although Enough Space

● Q301224 – System Restore: Restore Points are Missing or Deleted

Resolution
Advise Maria to either free up 200MB of space on that partition or turn SR off
on it in order to keep from losing her Restore Points.

Case Study 3
Frank calls technical support stating that under System Restore Properties he
found out that 1.2 GB of Hard Disk space is reserved for System Restore on
his 10GB hard drive. What might be causing this issue? What options does
Frank have for resolution? What KB article can be referenced?

Answer
The space used by the System Restore Data Store to save Restore Points is
not a reserved space and is only used on demand; however, System Restore
will always yield space to the system if needed.

Resolution: User education. The support professional also shows Frank how
to adjust the data store size under the System Restore Tab in System
Properties.


Case Study 4
Jane just used System Restore to remove Application X that she downloaded
from the web. Now she is confused because the application is gone, but she
still can still find some folders related to the application under C:\Program
Files. What might be causing this issue? What options does Jane have for
resolution? What KB article can be referenced?

Answer
System Restore should not be used to remove an application unless the user
cannot do it via Control Panel > Add/Remove Programs. It might leave
unmonitored files and directories behind which will have to be cleaned
manually.

● KB Article: The System Restore Utility Does Not Replace All the Files of
Removed Programs (286143)

Resolution
Jane has four options. She can manually delete application files remaining on
the system; undo the restoration and then use Add/Remove Programs to
uninstall Application X; use Add/Remove Programs to uninstall Application X;
or reinstall the application and then use Add/Remove Programs to remove it
and its files.

Resources
● Information on System Restore and Password Restoration (Q295050)

● Non-administrator user is unable to start System Restore utility
(Q283252)

● System Restore Tool Displays a Blank Calendar in Windows XP
(Q313853)

● The System Restore service does not work correctly (Q841568)


System Restore and Service Pack Installation


One of the things to note with the installation of SP2 is that a restore point is
created when SP2 is installed. This restore point, however, is not a typical
restore point. This specific restore point is a very robust restore point and will
be significantly larger than the restore points that are generated when
created by an application install (for example, Office creates a restore point
during installation) or by manually creating a restore point. If it is necessary
to use a restore point after the installation of a Service Pack, only those
created with the install of the SP or those created after should be used.


WFP/SFC
A common issue with Windows has been the ability for shared system files to
be overwritten by other programs, causing unpredictable system
performance. Windows File Protection (WFP) and Driver Signing prevent the
replacement of certain system files, providing the user with more stability.

Objectives
● Describe the capabilities of Windows File Protection.

● List the 5 processes that can be used to update protected system files.

● Describe the interaction between Windows File Protection and Driver
Signing.

● Explain the 4 unattended installation setup file switches and what they
do.


Windows File Protection and Driver Signing


Driver Signing is the means of tracking a file’s version and creator. Windows
File Protection is the enforcement mechanism that uses Driver Signing
signatures and catalog files to keep system files at their correct versions. The
Microsoft installer works with Windows File Protection to install the correct file
version when needed.

Windows File Protection, Driver Signing, and MSI are complementary
technologies included in Windows XP.

● Driver Signing tracks file versions

● WFP uses Driver Signing to enforce file versions

● MSI requests for WFP to install the correct file version when it detects
that a requested file is protected

All three features together give greater stability to the Windows XP operating
system by providing a means to verify the source of a system file before it is
installed.


What is WFP?
In some previous versions of Windows, changes made to shared system files
would often cause unpredictable system performance, ranging from
application errors to operating system crashes. This problem usually affects
dynamic link libraries (DLLs) and executable files (EXEs).

Windows File Protection is a Windows XP technology that detects changes to
protected system files and restores them to the correct version. This prevents
DLL duplication and conflicts. Windows File Protection restores the file
automatically if it is located in the cache; otherwise the user is prompted
for the Windows XP CD for the proper files. In addition, WFP has a number of
utilities to check WFP issues.

How WFP works


WFP runs in the background on a Windows XP system detecting when a file
replacement is attempted on a protected system file.

First, the list of protected system files is monitored for changes. When a
change is detected to a protected file, WFP determines whether the original
file resides in the dllcache folder. If it does, the incorrect version is
automatically replaced and the replacement attempt is noted in the system
event log.

Figure 14: Successful file restoration logged


If the file does not exist in the dllcache, then the user is prompted for the
original CD or network location.

Figure 15: Prompt for CD


If the administrative user cancels the WFP file restore, an event noting the
cancel will be logged, and the following dialog box will appear.

Figure 16: Event cancelled

Driver Signing
Driver Signing uses existing digital signature cryptographic technology to
compute a “hash” of every file in the Windows 2000 operating system. These
hashes of the different files and other relevant information are stored in a
“catalog file” (.cat file), and the .cat file is signed with the Microsoft signature.
The binary itself is not touched by the signing process, only a .cat file is
created for each driver package and the .cat file is signed with a Microsoft
digital signature. The relationship between the driver package and its .cat file
is referenced in the driver's INF file and maintained by the system in a
database after the driver is installed.

Windows File Protection uses the signatures and catalog files generated by
Driver Signing to verify if protected system files are the correct Microsoft
versions. WFP does not generate signatures of any type.
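The division of labour just described (Driver Signing produces a signed catalog of file hashes; WFP compares installed files against it and restores from dllcache or prompts for media) can be shown end to end. The following is an added example, not Microsoft code: the catalog is a dict, an HMAC under a constructed key stands in for the signature on the .cat file, and the file contents are constructed byte strings.

```python
"""Catalog-based integrity check in the style of Driver Signing and WFP.

Added example, not Microsoft code. Driver Signing hashes each file into a
catalog that is signed, leaving the binaries untouched; WFP then compares an
installed file with the catalog hash and, when it differs, restores the copy
from dllcache or asks for the installation media. Here the catalog is a dict,
the "Microsoft signature" is an HMAC under a constructed key standing in for
the real signature on the .cat file, and all file contents are constructed.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the publisher's signing key, not a real key.
SIGNING_KEY = b"constructed-catalog-signing-key"


def file_hash(data):
    """Hash of a file's bytes, the value the catalog records per file."""
    return hashlib.sha256(data).hexdigest()


def _sign(entries):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def build_catalog(files):
    """Driver Signing step: hash every file and sign the catalog, not the binaries."""
    entries = {name: file_hash(data) for name, data in files.items()}
    return {"entries": entries, "signature": _sign(entries)}


def catalog_is_authentic(catalog):
    """A catalog whose entries were edited no longer matches its signature."""
    return hmac.compare_digest(_sign(catalog["entries"]), catalog["signature"])


def wfp_scan(catalog, installed, dllcache):
    """WFP step: compare each protected file against the catalog.

    `installed` maps file name -> current bytes on disk (missing = deleted);
    `dllcache` maps file name -> cached original. A file whose hash differs
    is replaced in `installed` from dllcache only when the cached copy itself
    matches the catalog; otherwise it is reported as needing the CD.
    Returns (restored names, names needing media, log lines).
    """
    if not catalog_is_authentic(catalog):
        raise ValueError("catalog signature does not verify; refusing to use it")
    restored, needs_media, log = [], [], []
    for name, good_hash in catalog["entries"].items():
        current = installed.get(name)
        if current is not None and file_hash(current) == good_hash:
            continue                                  # correct version in place
        cached = dllcache.get(name)
        if cached is not None and file_hash(cached) == good_hash:
            installed[name] = cached                  # automatic replacement
            restored.append(name)
            log.append(f"{name}: replaced from dllcache")
        else:
            needs_media.append(name)                  # prompt for CD / network share
            log.append(f"{name}: no valid copy in dllcache, prompting for media")
    return restored, needs_media, log


if __name__ == "__main__":
    # Constructed sample: three "system files" and what an installer did to them.
    originals = {"kernel32.dll": b"kernel32 v1", "user32.dll": b"user32 v1",
                 "ntdll.dll": b"ntdll v1"}
    catalog = build_catalog(originals)
    disk = {"user32.dll": b"user32 OLD", "ntdll.dll": b"ntdll TAMPERED"}  # kernel32 deleted
    cache = {"kernel32.dll": originals["kernel32.dll"],
             "user32.dll": originals["user32.dll"],
             "ntdll.dll": b"ntdll also wrong"}
    for line in wfp_scan(catalog, disk, cache)[2]:
        print(line)
```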

Figure 17: Unsigned drivers


Microsoft Installer (MSI)


If a Microsoft Installer package needs to have a protected file installed, the
Microsoft Installer (or MSI) will detect that the requested file is protected and
request that WFP install the correct file version. Once WFP locates the
necessary file, it installs the file and returns success to MSI. If the file is not
located, WFP will return failure to MSI, which oftentimes will cause MSI to
roll back the installation. (An MSI rollback will uninstall any files and settings
created by the MSI package up to that point.)

WFP Allowable Updates


There are four top Windows File Protection scenarios. Two of these scenarios,
application installation and ad-hoc file replacement, are examples of
situations where system files will be protected by Windows File Protection.
The other two situations are service pack installations and hot fix
installations. These are examples of allowed system file updates. Replacement
of protected system files will be supported via the following mechanisms:

● Windows XP Service Pack installation (UPDATE.EXE)

● Windows XP hot fixes installed via HOTFIX.EXE

● Operating system upgrade (WINNT32.EXE)

● Windows Update

● Windows XP Device Manager/Class Installer

Note

WFP protects files, but it does not block write access to %systemroot% and
its sub-directories. Protected files updated by any other means will result in
the replacement of unauthorized files by Windows File Protection.

Application Installation
The first scenario is the case of an application installation. There are two
cases where an application can cause system files to be replaced, removed or
overwritten. The first is during the initial application installation; some
applications replace a protected system file with an older version than
currently installed. The second case is when an application uninstall deletes a
protected system file. In both of these cases Windows File Protection will
automatically restore the replaced system file.

Service Pack Installation


The second scenario is the case of the service pack installation. Windows File
Protection allows for protected system files to be updated when using the
update.exe program during a service pack installation. What this means is
that the service pack installations may copy newer files of protected system
files during installation and that they may remove files during an uninstall of a
service pack.


Replacing protected files by other means than those above will result in the
unauthorized files being replaced by Windows File Protection.

Hot Fix Installation


The third scenario is the case of a hot fix installation. Just like a service pack
installation, Windows File Protection allows for the updating of protected
system files using the hotfix.exe program. What this means is that hot fix
installations may copy newer versions of protected system files during
installation and then they may also remove files during an uninstall of a hot
fix.

Ad-Hoc File Replacements


The final scenario is the case of ad-hoc file replacements. An ad-hoc file
replacement is when a user either deletes or renames a protected operating
system file. As a general rule, all SYS, DLL, EXE and OCX files that ship on
the Windows XP CD-ROM are protected. Any user attempt to modify or delete
these files will result in Windows File Protection replacing the incorrect
version.

WFP Utilities
The three key utilities in looking at WFP issues are the Signature Verification
Tool, or Sigverif.exe, the Sigverif.txt file, and System file checker. Each of
these utilities can be used to help check WFP issues.

The Signature Verification tool (SIGVERIF.EXE) identifies unsigned files on a
computer. It writes a log of all signed and unsigned drivers to the Signature
Verification log (SIGVERIF.TXT). System File Checker (SFC.EXE) scans
system files to verify/restore correct versions.

WFP Configuration
The default settings for WFP can be configured through unattended setup
parameters.

The [SystemFileProtection] section of the unattended setup information file
contains parameters for the Windows File Protection service. If this section is
missing or empty, Setup will install Windows File Protection using default
values.


Windows File Protection Troubleshooting


Windows File Protection (WFP) prevents the replacement of certain monitored
system files. This section discusses how to troubleshoot WFP using System
File Checker (SFC) and Signature Verification (sigverif), along with some
troubleshooting considerations.

System File Checker (SFC)


A command-line utility called System File Checker (SFC.EXE) will allow an
Administrator to scan all protected files to verify their versions.

SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/QUIET] [/PURGECACHE] [/CACHESIZE=x]

Table 1: SFC.EXE Switches

SFC.EXE Switch   Function Performed
/SCANNOW         Scans all protected system files immediately.
/SCANONCE        Scans all protected system files once.
/SCANBOOT        Scans all protected system files every time the system is restarted.
/CANCEL          Cancels all pending scans of protected system files.
/QUIET           Replaces all incorrect file versions without prompting the user.
/ENABLE          Enables Windows File Protection for normal operation.
/PURGECACHE      Purges the Windows File Protection file cache and scans all protected system files immediately.
/CACHESIZE=x     Sets the size of the Windows File Protection file cache.

System File Checker will also check and repopulate the
%systemroot%\system32\dllcache directory. In the event the dllcache
directory becomes corrupted or unusable, SFC /SCANNOW, /SCANONCE,
/SCANBOOT or /PURGECACHE can be used to fix the contents of the dllcache
directory.


Signature Verification
Another useful troubleshooting tool for Windows File Protection is the File
Signature Verification Tool, or “Sigverif.exe.” You can use the Sigverif.exe tool
to identify unsigned drivers on a computer running Windows XP.

The SIGVERIF.EXE tool supports the following command-line option to run the
default scan without user interaction:

sigverif.exe /defscan

Figure 18: Run Sigverif


When you use this command, a Sigverif.txt log file is created, which contains
the following information:

● The file's name

● The file's location

● The file's modification date

● The file type

● The file's version number


All Windows XP files on the Windows XP CD-ROM are signed by Microsoft
Windows XP Publisher. The log file contains a list of all signed and unsigned
drivers; third-party drivers that are unsigned are displayed as “Not
signed.”

Figure 19: Unsigned drivers listed by sigverif

Event Viewer
Also, the Event Viewer can be used as a troubleshooting tool. Events are
logged in the System Event log when WFP actions occur. For example, if a
user chooses NOT to restore a protected system file, this event is logged.

Troubleshooting Considerations
Disabling Windows File Protection
There are two methods to disable Windows File Protection. The first method is
to boot Windows XP in Safe Mode. Windows File Protection is disabled when
running in Safe Mode.

The second method to disable WFP is to set the SFCDisable value
(REG_DWORD) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon. By default, SFCDisable is set to 0, which means
WFP is active. Setting SFCDisable to 1 disables WFP. Setting SFCDisable to 2
disables WFP for the next reboot only (without a prompt to re-enable it).
Note that a kernel debugger must be attached to the system via the serial
port in order to use SFCDisable = 1 or SFCDisable = 2.

Cache Issues
The location of the dllcache directory is specified in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\SFCDllCacheDir (REG_EXPAND_SZ). The default
value for SFCDllCacheDir is %systemroot%\system32\dllcache. The
SFCDllCacheDir setting must be a local path.


If a file change is detected by WFP and the affected file in use by the
operating system is not the correct version and/or the file is not cached in the
dllcache directory, WFP will attempt to locate installation media by itself. If
that search fails, WFP will prompt the user to insert the appropriate media to
replace the file and/or dllcache.

Ensure that you have access to install sources for protected system files in
case you are prompted for them.

Summary
In this section we discussed the various troubleshooting tools and
considerations for Windows File Protection.

The troubleshooting tools are System File Checker, the File Signature
Verification tool, and the Event Viewer for viewing system logs. Some
considerations include cleaning out the dllcache to resolve cache issues,
ensuring that you have access to install sources for protected system files
in case you are prompted for them, and disabling Windows File Protection
either by booting into Safe Mode or by using the registry.


Diagnostic Tools


Documentation Resources
Solid product documentation is one of the most powerful tools you can use
when troubleshooting. The Knowledge Base is the single most used resource
for troubleshooting, but unfortunately other in-depth sources can be
difficult to find. Below are the key documentation sources you can use to dig
deeper into the Operating System.

Help and Support


Location: Help and Support on the Start menu.

Windows help content is better than ever in Windows XP, and it should be one
of the first places you search when seeking information on a product
component. Because of the new Search functionality provided by Help and
Support, when you search in the Help interface, you are also searching the
public Knowledge Base and Resource Kit documentation.

The results of your search on a released operating system are always public
content, and thus can be sent to customers to aid them in tasks that may
require a detailed explanation.

Help and Support Tools


In addition to documentation resources, Help and Support provides a variety
of tools to gather information about the computer, perform diagnostic tasks,
and walk through troubleshooting recommendations.

Network Diagnostics is one example of a tool in Help and Support. This
interface provides an automated method for troubleshooting TCP/IP
connectivity and name resolution issues. With this interface you will see a
simple pass/fail indication for the various tests performed so that you can
walk a customer through those results, rather than typing a great many
troubleshooting commands to gather the same information.

Tests performed include:

• Ping the local IP address

• Ping the default gateway

• Ping the DNS server

• Test connection to mail servers

This is just a short list of the tests performed. The results can provide a great
deal of information on the network.

Note that the Network Diagnostics interface does not attempt to ping or
connect to other computers in the home network. As a result it is more
appropriate for Internet connectivity and name resolution testing than File
Share issues.


Resource Kit
Location: http://www.microsoft.com/windows/reskits/default.asp

The Resource Kit provides documentation targeted at system and network
administrators. It has a definite slant toward Networking and Distributed
Systems, but this is a good thing, as some of the other resources identified
below fill in the other gaps for particular product technology areas such as
Setup and Performance.

Because of the tremendous usefulness of this documentation, and the
increasing complexity of Windows, the full Resource Kit documentation is now
available on the web at:

http://www.microsoft.com/windows/reskits/default.asp

The free availability of this documentation online is tremendously important
for support, as it enables both SPs and customers to locate product guidance
easily.

MSDN – Advanced Documentation


Location: http://msdn.microsoft.com/library/default.asp

The Microsoft Developer Network (MSDN) Library provides documentation for
Windows and Internet developers and can aid in troubleshooting when a
technology or feature may not be well understood by Support.

Of particular interest to Windows Support, the Platform SDK documentation is
a valuable resource for Windows components, including detailed information
on changes from one version of Windows to the next. The Platform SDK
documentation is located at:

http://msdn.microsoft.com/library/en-us/sdkintro/sdkintro/contents_of_the_platform_sdk.asp

Technologies such as ADSI, RPC, TAPI, Win32, WMI and any other features of
Windows with public programmatic interfaces are covered by some
documentation here.

Windows Hardware and Driver Central


This is a resource primarily intended for hardware and driver developers, but
it provides a great deal of information about Windows support for a variety of
technologies, including USB, PCI, Power Management and Networking.

http://www.microsoft.com/whdc/default.mspx


MSConfig
MSConfig.exe is a tool for standard troubleshooting in Windows XP that
provides access to the configuration for normal or diagnostic startup, the
ability to expand files, access System Restore, edit Win.ini and System.ini
configurations, modify your Boot.ini options, configure the startup for
Services, and also disable startup applications.

You will use MSConfig primarily when the computer starts in Safe Mode but
normal startup fails. In these cases, you can use MSConfig to stop
applications and Services from starting. You can also use it when startup is
not configured the way you want it to be: for example, when you need a
specific Boot.ini option but the person you are working with is uncomfortable
editing Boot.ini directly. In these cases, you can add switches simply by
clicking an option in this tool.

Figure 20: System Configuration Utility


The general use of MSConfig is to do additional troubleshooting if a Safe Mode
startup functions properly, but normal startup fails. It can help eliminate
applications, Services, and System.ini, or Win.ini options from being loaded
during startup or application initialization to allow further troubleshooting.
One startup configuration that is not provided in MSConfig is for devices.
Access to device drivers at startup is not available because the system uses
Device Manager to configure, disable, and uninstall devices.


Considerations
The primary consideration when using MSConfig is that it is not a solution—it
is a troubleshooting tool. You can use MSConfig to determine the cause of the
issue, but you will use other tools to make a permanent fix. To help
customers understand this, MSConfig provides a startup message to tell you
that you are in a diagnostic startup mode. Do not run in this diagnostic
startup mode for regular use; use other troubleshooting tools in order to
provide the permanent solution.

For example, a customer calls because he is receiving an error at boot. Using
MSConfig to narrow down the scope of your search, you discover that a third
party application is causing the error. MSConfig gives you the Run key to this
one Registry value; you then use Regedit to remove or modify this value so
that it works properly. Or, you may need to reinstall the application or even
uninstall it until an update is available. Editing the registry and uninstalling
the application cannot be done with MSConfig because MSConfig is a
diagnostic tool. Once you diagnose the problem, you can choose the proper
tool to fix it.


MSInfo32
The Microsoft System Information tool (msinfo32.exe or winmsd.exe) uses
WMI to provide comprehensive system information. The output from this tool
can be saved to a .NFO file, which is viewed in the System Information
interface. Useful support information includes:

• System Summary – includes OS Version, BIOS Version/Date, Windows
Directory, Boot Device, User Name, Time Zone, Total and Available memory,
Total and Available virtual memory, Page File location and free space.
• Hardware Resources – DMA, I/O Port addresses, IRQs and Memory ranges used
by devices on the system.
• Component Information – For each device in the system MSInfo32 identifies the
Type, Status, Driver in use, PnP Device ID, and other device class-specific
information such as Transfer rate, INF used to install the driver, and others.
• Storage Information – Drives in the system, Capacity, File System, Disk
Controller information.
• Currently Installed Drivers – With driver name, path, driver type, state, startup
mode.
• Signed Driver report
• Environment Variables
• Loaded Modules – Lists all currently loaded modules with their version, size,
date, manufacturer and path.
• Services – Identifies the name, state, startup mode, path, error control and
account name.
• Startup Programs – including path and startup location.
• Windows Error Reporting History
• Internet Settings
• Office Application configuration data
MSInfo32 provides a good general snapshot of the system configuration that
can be useful for data gathering when diagnosing issues on a system.

Systeminfo.exe is a new command line tool that makes a subset of this
information available from a command prompt. This can be useful for general
data gathering on a machine, either local or remote. Significant information
includes:

• Operating System Version
• System manufacturer and model information
• Page File size, available space and location(s)
• Hotfixes installed
• Network adapters, with IP configuration

This is a compact set of key system parameters that can be useful when
performing data gathering to investigate an issue.


Event Logs
Event Logs provide a structure and storage mechanism for information about
the system and applications on the computer. Within the Event Viewer
(eventvwr.exe) you can view information from the three main logs in a
default configuration:

Application log
The application log contains events logged by applications or programs. For
example, a database program might record a file error in the application log.
Program developers decide which events to monitor.

Security log
The security log records events such as valid and invalid logon attempts, as
well as events related to resource use, such as creating, opening, or deleting
files or other objects. An administrator can specify what events are recorded
in the security log. For example, if you have enabled logon auditing, attempts
to log on to the system are recorded in the security log.

System log
The system log contains events logged by Windows XP system components.
For example, the failure of a driver or other system component to load during
startup is recorded in the system log. The event types logged by system
components are predetermined by Windows XP.

Using Event Logs for Troubleshooting


Event Logs are useful when troubleshooting problems with Windows XP. When
a customer issue does not have a clear resolution, it is always a good policy
to check the Event Logs for errors and warnings. Searching the Knowledge
Base on errors and event IDs found can lead to resolution steps.

When troubleshooting a startup issue, you can use event log startup entries
to limit your search to events recorded during the current Windows session,
as discussed in the example below.

Example: Check for Errors Logged during Startup


To check for errors, use the Event Viewer to examine the System and
Application event logs.

1. Restart the computer.

2. Click Start and then click Run.

3. In the Open box, type eventvwr to open the Event Viewer interface.

4. Look in the System log for the most recent Event ID: 6005, Source:
EventLog. This entry denotes the start of logging for the current
startup.


5. Note the Date and Time this event was logged. This will be needed for
comparison with other log entries.

6. Check the System log for Error or Warning entries later than this 6005.
Note the details for any errors found. In the default view the most
recent events are at the top of the viewer, so you should be looking up
in the log as shown below.

Figure 21 – Looking for Errors later than Event ID 6005


7. Look for and note any Errors or Warnings in the Application logs
entered after the date and time of the ID 6005 event noted above.
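The procedure above applied to event log rows in code, as an added example that is not part of the training material: it finds the newest EventLog 6005 in the System log and returns only the Error and Warning entries logged after it. The rows are constructed; only event 6005 comes from the text.

```python
"""Apply the startup-error procedure to event log rows: find the most recent
EventLog 6005 in the System log and return the Error/Warning entries logged
after it. Added example, not part of the training material; the rows are
constructed to look like Event Viewer's default (newest-first) view."""
from datetime import datetime

# Constructed sample rows: (log, date and time, type, source, event ID, description).
# Only event 6005 comes from the text; the other rows are invented for the demo.
SAMPLE_EVENTS = [
    ("System", "7/12/2004 09:03:10", "Error", "Service Control Manager", 7000,
     "A service failed to start (constructed)"),
    ("Application", "7/12/2004 09:02:40", "Warning", "ExampleApp", 100,
     "Configuration file missing (constructed)"),
    ("System", "7/12/2004 09:02:05", "Information", "ExampleSvc", 200,
     "Service started normally (constructed)"),
    ("System", "7/12/2004 09:01:30", "Information", "EventLog", 6005,
     "The Event log service was started."),
    ("System", "7/11/2004 23:59:00", "Error", "Disk", 11,
     "Controller error (constructed, previous session)"),
    ("Application", "7/11/2004 22:10:00", "Error", "ExampleApp", 1000,
     "Faulting application (constructed, previous session)"),
    ("System", "7/11/2004 08:00:00", "Information", "EventLog", 6005,
     "The Event log service was started."),
]


def parse_time(stamp: str) -> datetime:
    """Event Viewer style M/D/YYYY HH:MM:SS timestamp."""
    return datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")


def current_session_start(events) -> datetime:
    """Steps 4-5: the newest System-log EventLog 6005 marks the current startup."""
    starts = [parse_time(e[1]) for e in events
              if e[0] == "System" and e[3] == "EventLog" and e[4] == 6005]
    if not starts:
        raise LookupError("no EventLog 6005 found; the System log may have been cleared")
    return max(starts)


def problems_since_startup(events) -> list:
    """Steps 6-7: Error and Warning entries in System and Application newer than the 6005."""
    started = current_session_start(events)
    hits = [e for e in events
            if e[0] in ("System", "Application")
            and e[2] in ("Error", "Warning")
            and parse_time(e[1]) > started]
    # Newest first, matching the viewer's default order (read "up" from the 6005).
    return sorted(hits, key=lambda e: parse_time(e[1]), reverse=True)


def summarize(events) -> list:
    """Compact (log, event ID, source) tuples, the values to search the Knowledge Base on."""
    return [(e[0], e[4], e[3]) for e in problems_since_startup(events)]
```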


When you find error messages, double-click the event in the log and view the
details, as shown below.

Figure 22 – Event Log Error


Use the content of those messages to further troubleshoot the issue.
Searching the Knowledge Base and the Internet can provide information to
help resolve the problem.


MPSReports
The MPS Reports utility is a downloadable tool that collects information on
the configuration and state of the computer. The purpose of MPS Reports is to
give Microsoft Support Professionals more information about a customer’s
system configuration with a small and easy-to-use utility.

For Consumer Windows support, gathering MPS Reports data, when possible,
before escalating a case can help ensure that the second level support
professional has the right information to resolve the case more quickly.

The utility is available from the Download Center by going to
http://www.microsoft.com/downloads and then searching on
“mpsreports”. The downloads are called “Microsoft Product Support's
Reporting Tools”. There are several versions available, but the
MPSRPT_SETUPPerf.EXE version provides the best general information
about the computer.

The tool is executed on the customer’s computer. When complete it provides
a .CAB file that can be sent in email to be attached to the case.

Note: If you cannot easily receive email from the customer, but they have
the ability to run the tool, this is still a good step. They will have the .CAB file
ready for second level support.

Note: MPS Reports does not make any configuration or registry changes to
the computer on which it is run.


Error Reporting
Error Reporting in Windows XP is the mechanism that sends error details to
Microsoft for aggregation and analysis. When receiving an error, you are
presented with the interface shown below, with options to Send Error
Report or Don’t Send.

Figure 23 – Error Reporting


Sending the error report uploads error details for analysis. When an issue
trend appears, the internal Microsoft team that works with these errors can
then investigate further.

If you are encountering an error with a clear resolution, the results of these
investigations are provided after sending the report.

When working with customers experiencing application errors or system faults
(bluescreen errors), recommend that they upload one or more error reports.
If content is available they will be directed to a web page providing more
information.


Dr. Watson
Dr. Watson generates an error log when an application is terminated
unexpectedly. Dr. Watson for Windows is an error debugging program that
gathers information about your computer when a program generates an error
(or user-mode fault). By default, the log file created by Dr. Watson is named
Drwtsn32.log and is saved in the following location: \Documents and
Settings\All Users\Application Data\Microsoft\Dr Watson

For additional information on the Dr. Watson for Windows Tool, please refer to
the following article:
KB Article: Description of the Dr. Watson for Windows (Drwtsn32.exe) Tool
(308538)

Note: If the customer is unable to note the error message because it
disappears too quickly or the computer shuts down immediately after the
fault, it is essential to gather the Drwtsn32.log. The error message will be
recorded in this log.

Here is an example of how Drwtsn32.log can be useful for troubleshooting.

Scenario
A customer calls in reporting that his/her computer crashed while browsing
websites. However, the user was unable to gather the error details.

Dr Watson Details
The Drwtsn32.log file includes the following entry, which helps isolate the
application experiencing the problem:

“Application exception occurred:
App: C:\Program Files\Real\RealOne Player\RealPlay.exe (pid=1624)
When: 7/7/2002 @ 12:42:27.524
Exception number: c0000005 (access violation)”
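A parser for entries of this shape, as an added example that is not Microsoft's tool: it pulls the faulting application, PID, time and exception code out of a Drwtsn32.log so the details can be recovered after the on-screen error was missed. SAMPLE_LOG is constructed from the entry quoted above plus a second invented entry; the NTSTATUS descriptions in KNOWN_CODES are only a fallback for entries that carry none.

```python
"""Parse 'Application exception occurred' entries out of a Drwtsn32.log.
Added example, not Microsoft's tool. SAMPLE_LOG is constructed: the first
entry is the one quoted in the text, the second is invented."""
import re
from collections import Counter

SAMPLE_LOG = """\
Application exception occurred:
        App: C:\\Program Files\\Real\\RealOne Player\\RealPlay.exe (pid=1624)
        When: 7/7/2002 @ 12:42:27.524
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: CONSTRUCTED-PC

Application exception occurred:
        App: C:\\Program Files\\Example\\viewer.exe (pid=2200)
        When: 7/8/2002 @ 09:15:02.110
        Exception number: c0000094 (integer divide by zero)
"""

# One entry: the header line, then App / When / Exception number lines.
ENTRY_RE = re.compile(
    r"Application exception occurred:\s*\n"
    r"\s*App:\s*(?P<app>.+?)\s*\(pid=(?P<pid>\d+)\)\s*\n"
    r"\s*When:\s*(?P<when>.+?)\s*\n"
    r"\s*Exception number:\s*(?P<code>[0-9a-fA-F]{8})(?:\s*\((?P<desc>[^)]*)\))?")

# Fallback descriptions for a few NTSTATUS codes, used when the log gives none.
KNOWN_CODES = {
    0xC0000005: "access violation",
    0xC0000094: "integer divide by zero",
    0xC00000FD: "stack overflow",
}


def parse_drwatson(text: str) -> list:
    """Return one dict per exception entry, in log order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        code = int(m.group("code"), 16)
        entries.append({
            "app": m.group("app"),
            "exe": m.group("app").rsplit("\\", 1)[-1],   # file name only
            "pid": int(m.group("pid")),
            "when": m.group("when"),
            "code": code,
            "description": m.group("desc") or KNOWN_CODES.get(code, "unknown"),
        })
    return entries


def faults_by_executable(text: str) -> Counter:
    """Which programs fault, and how often: the first question on a 'computer crashed' call."""
    return Counter(e["exe"] for e in parse_drwatson(text))
```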


Cacls
Cacls.exe displays or modifies discretionary access control list (DACL) for files
and folders on NTFS volumes. For diagnostic work, cacls is useful in its ability
to output the ACLs applied to an object, as well as for command line ACL
modifications.

Usage
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
[/P user:perm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with /E).
/P user:perm Replace specified user's access rights.
Perm can be: N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more than one file in a command.
You can specify more than one user in a command.

Abbreviations:
CI - Container Inherit.
The ACE will be inherited by directories.
OI - Object Inherit.
The ACE will be inherited by files.
IO - Inherit Only.
The ACE does not apply to the current file/directory.

Note: The /E switch is particularly important to understand. By default, cacls
replaces the ACL of the specified object. This can be destructive when you
simply want to grant one user or group access to an object that already has a
complex ACL. If you use /E you will simply add an entry, rather than creating
a new ACL.

Sample Commands
The first example displays the current ACL for the D:\data folder on the
server:

Cacls D:\data


The following command grants the user “abeebe” Change rights to the file
“D:\Data\File.xls”:

Cacls D:\data\file.xls /e /g abeebe:C


To remove a user or group from the ACL, use the /R switch as shown below:

Cacls D:\data /R mycorp\salesgroup


Support Tools
The Support Tools are a set of troubleshooting tools that are provided on both
the Windows XP Home Edition and Professional CDs. For information on the
individual Support Tools, see the online help and Readme.htm located in the
Support Tools folder. The Support Tools in Windows XP are provided for
advanced diagnostics and troubleshooting.

Tools Included
The Support Tools contains a wide variety of diagnostic, troubleshooting and
administration tools. Some highlights include the Application Compatibility
Toolkit; the Dependency Walker (Depends.exe), which provides information
about file dependencies for any WIN32 executable or DLL; NetCap.exe, which
is a command line network monitor capture utility; Poolmon.exe, the memory
pool monitor; SPcheck.exe, the Service pack check utility; and XCACLS, which
displays access control lists (ACLs) for files and folders. For more information
on each tool, consult the syntax guide using the /? switch.

Installation
You can install the Support Tools using Setup.exe located in the
\Support\Tools directory on the Windows XP CD-ROM. By default, the tools
are installed to your \Program Files\Support Tools directory, but you can
change this destination using the Custom installation option. In total, the
installation takes about 8 MB of disk space.

RASDiag
Location: RASDiag is included in the Windows XP Support Tools.

This is an advanced tool that collects diagnostic information about dial-up,
VPN and PPPoE connections and places that information in a file. Customers
can use this tool to work with Product Support Services to troubleshoot
remote connection issues by taking a snapshot of the configuration data and
capturing an attempted remote connection.

Note:
Because RASDiag is a data collection tool, it is only useful when the customer
has a way of sending you the resulting data file. The data file also requires
analysis, so this is not a tool that is useful while on a live call with a
Consumer customer.


Usage
To start Rasdiag, click Start, click Run, type "cmd" (without the quotation
marks), and then press ENTER. At the command prompt, type "rasdiag.exe"
(without the quotation marks), and then press ENTER. Rasdiag sets various
debug parameters for components related to RAS and VPN connections, and
then prompts the user to perform their test. While the RAS connection is
attempted, RASDiag captures network traffic and saves relevant log
information. When the test is complete you return to the RASDiag command
prompt window and press SPACE to stop the RASDiag. When complete,
Rasdiag saves data to the %userprofile%\Local Settings\Temp\RASDIAG
folder as an .RDG file. Double-clicking this file extracts two types of files:

• Network Monitor capture files for each active network interface for the duration
of the test.
• RASDIAG.TXT, which contains various data:
• Computer name and build number
• Paths to User and System PBK
• Result of network captures (indicates whether 0 bytes were captured on a
particular interface)
• List of RAS devices
• Contents of C:\WINDOWS\TRACING\BAP.LOG
• Contents of C:\WINDOWS\TRACING\RASMAN.LOG
• Contents of C:\WINDOWS\TRACING\EAPOL.LOG
• Contents of C:\WINDOWS\TRACING\IASHLPR.LOG
• Contents of C:\WINDOWS\TRACING\IASRAD.LOG
• Contents of C:\WINDOWS\TRACING\IASSAM.LOG
• Contents of C:\WINDOWS\TRACING\IASSDO.LOG
• Contents of C:\WINDOWS\TRACING\IPMGM.LOG
• Contents of C:\WINDOWS\TRACING\KMDDSP.LOG
• Contents of C:\WINDOWS\TRACING\NDPTSP.LOG
• Contents of C:\WINDOWS\TRACING\RASADHLP.LOG
• Contents of C:\WINDOWS\TRACING\RASDLG.LOG
• Contents of C:\WINDOWS\TRACING\RASPHONE.LOG
• Contents of C:\WINDOWS\TRACING\tapisrv.LOG
• Contents of C:\WINDOWS\TRACING\tapi32.LOG
• Contents of C:\WINDOWS\TRACING\TAPI3.LOG
• Contents of C:\WINDOWS\TRACING\RASTLSUI.LOG
• Contents of C:\WINDOWS\TRACING\RASSPAP.LOG
• Contents of C:\WINDOWS\TRACING\RASSCRIPT.LOG
• Contents of C:\WINDOWS\TRACING\RASTAPI.LOG
• Contents of C:\WINDOWS\TRACING\IPRouterManager.LOG
• Contents of C:\WINDOWS\TRACING\PPP.LOG
• Contents of C:\WINDOWS\TRACING\RASAPI32.LOG
• Contents of C:\WINDOWS\TRACING\RASAUTH.LOG
• Contents of C:\WINDOWS\TRACING\RASBACP.LOG
• Contents of C:\WINDOWS\TRACING\RASCCP.LOG
• Contents of C:\WINDOWS\TRACING\RASCHAP.LOG
• Contents of C:\WINDOWS\TRACING\RASEAP.LOG


• Contents of C:\WINDOWS\TRACING\RASIPCP.LOG
• Contents of C:\WINDOWS\TRACING\RASIPHLP.LOG
• Contents of C:\WINDOWS\TRACING\RASNBFCP.LOG
• Contents of C:\WINDOWS\TRACING\RASPAP.LOG
• Contents of C:\WINDOWS\TRACING\RASTLS.LOG
• Contents of C:\WINDOWS\TRACING\Router.LOG
• Contents of Connection Manager Logs
• Contents of C:\WINDOWS\ModemLog*.TXT
• Contents of C:\WINDOWS\DEBUG\oakley.log
• IP Configuration for each interface (IPConfig /all)
• Routing Table (Netstat –r)
• Ethernet Statistics (Netstat –e)
• IP, TCP and UDP Statistics (Netstat –s)
• Active connections (Netstat)
• Contents of System and User PBK
• Last 10 events from the Security log
• Process information (PIDs and a list of Services loaded in each process)
Because it provides such a wide variety of logging, and captures network
traffic on all local interfaces, RASDiag is a key tool for troubleshooting remote
connectivity.


Windiff
Windiff.exe has been around for a long time and is included in the Support
Tools. It highlights the differences between two files based on a line-by-line
comparison. It is particularly useful for comparing .REG files and the output
of command line tools such as sc queryex type= all state= all (note the space
after each equal sign, which sc.exe requires) to identify differences.

The following example shows Windiff results of a comparison between SC.EXE
output from two different machines. The first change identified is the state of
the Windows Audio service.

Figure 24: Windiff


The results in Expanded view display common contents with a white
background. Entries that are in the Left side file (the first file opened) but not
the Right side file are displayed with a Red background. Entries that are in
the Right hand file but not the Left hand file are displayed with a Yellow
background.

With that information we can interpret the results above to mean that the
Windows Audio service is running on the machine from which Std_SC.txt was
captured, but stopped on the Ent_SC.txt machine.

Windiff is most useful for the following type of comparison:

● Compare an exported registry branch from a working machine and a broken
machine.

● Compare diagnostic command text output from multiple computers to
identify deltas.

● Compare File System Directory contents to identify file differences.
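Windiff shows the raw textual delta between two captures. The script below is an added example, not part of this training material: it performs the same comparison structurally for two sc queryex captures, parsing each into a service-to-state map and reporting services whose state differs as well as services present on only one machine. The two captures are constructed samples in sc.exe's output format (only the fields the parser reads are included); the Std/Ent names follow the figure above.

```python
"""Structured delta of two `sc queryex type= all state= all` captures.

Added example (not from the original training material). Instead of
eyeballing a Windiff of the raw text, parse each capture into
{service_name: STATE} and report the services whose state differs.
"""
import re

# Constructed sample: capture from the "Std" machine (Windows Audio running).
STD_SC = """\
SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        PID                : 1036

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
        PID                : 1448
"""

# Constructed sample: capture from the "Ent" machine (Windows Audio stopped,
# plus one service that the Std machine does not have at all).
ENT_SC = """\
SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        PID                : 0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
        PID                : 1460

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        PID                : 1036
"""

_NAME_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)", re.M)
_STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.M)


def parse_sc(text):
    """Return {service_name: state_word} from sc queryex output text."""
    services = {}
    # Each service record starts with a SERVICE_NAME: line; split on those.
    for block in re.split(r"(?m)^(?=SERVICE_NAME:)", text):
        name = _NAME_RE.search(block)
        state = _STATE_RE.search(block)
        if name and state:
            services[name.group(1)] = state.group(1)
    return services


def service_delta(left_text, right_text):
    """Compare two captures. Returns (changed, only_left, only_right).

    changed maps service name -> (left_state, right_state) for services
    present in both captures whose state differs.
    """
    left, right = parse_sc(left_text), parse_sc(right_text)
    changed = {n: (left[n], right[n])
               for n in left if n in right and left[n] != right[n]}
    only_left = sorted(set(left) - set(right))
    only_right = sorted(set(right) - set(left))
    return changed, only_left, only_right


if __name__ == "__main__":
    changed, only_l, only_r = service_delta(STD_SC, ENT_SC)
    for name, (l_state, r_state) in sorted(changed.items()):
        print(f"{name}: Std={l_state} Ent={r_state}")
    print("only in Std:", only_l)
    print("only in Ent:", only_r)
```

On real captures, redirect sc queryex type= all state= all > Std_SC.txt on each machine and pass the file contents to service_delta; services that exist on only one machine are worth as much attention as state changes, since an unexpected extra service is a common sign of unwanted software.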

Recovery Console
The Recovery Console is for repairing installations that no longer boot into
Windows XP normally or in Safe Mode. You can boot into the Recovery Console
to make modifications that allow Windows XP to boot normally again. It is not
designed as a data recovery mechanism. Safe Mode is the preferable way of
accessing Windows XP, but there are situations where Windows XP cannot be
reached even in Safe Mode. In those situations use the Recovery Console.

When you use the Windows Recovery Console, you can obtain limited access
to the NTFS file system, FAT, and FAT32 volumes without starting the
Windows graphical user interface (GUI). In the Windows Recovery Console,
you can:

• Use, copy, rename, or replace operating system files and folders.

• Enable or disable service or device startup the next time that you start your
computer.

• Repair the file system boot sector or the Master Boot Record (MBR).

• Create and format partitions on drives.

Note: Only an administrator can obtain access to the Windows Recovery
Console, so that unauthorized users cannot use it to reach any NTFS volume.

Secure Access
Recovery Console requires the Administrator password before it grants access
to the hard drives, unless no valid Windows NT-based OS is found. In the past,
the Administrator password was fixed when Recovery Console was installed; it
did not update automatically when the password was changed in the GUI, nor
could it be changed from within Recovery Console. This has been corrected:
because Recovery Console authenticates against the SAM of the installation
you select, the Administrator password it accepts now updates automatically
when it is changed from within Windows XP.

Limited Access to the Drive

To further alleviate security concerns, once the administrator is logged on to
the system they do not have full access to the drive and are not allowed to
copy files from the drives to removable media.

By default, users only have access to the \Windows directory for the
installation to which you are logged on, as well as the root directory of the
drive, removable media, and the Recovery Console source – either on the CD
or the \cmdcons directory if it is installed on the hard drive.

Removable media access is read-only by default. Policy settings are available
which can modify the behavior of the removable and local drive access rules.

For more information, refer to the following article:

KB Article: How to add more power to Recovery Console by using Group
Policy in Windows XP Professional (310497)

Note: This article is only applicable to Windows XP Professional, as Group
Policy is NOT available in Home Edition.

Recovery Console vs. Safe Mode

Safe Mode is the preferable way to do repairs to the system; however, there
will be occasions when none of the Safe Mode options will allow access to the
system. This can occur on systems with NTFS system and boot volumes, where
a critical device driver has been removed, overwritten, or corrupted and needs
to be replaced before the system will boot.

Using Recovery Console

To use Recovery Console, you should be familiar with the process for starting
Recovery Console, logging on to an installation, and performing key
troubleshooting actions.

Note: this document does not present complete coverage of all commands in
Recovery Console. Rather, the focus is on the most common troubleshooting
actions performed. For information on all commands available in Recovery
Console, see the following article:
KB Article: Description of the Windows XP Recovery Console (314058)

Starting Recovery Console

Recovery Console can be started three ways:

• From the Windows XP CD

• From the Setup boot floppies

• If it is installed on the hard drive, it can be selected from the boot menu
at start up.

From the CD-ROM

Boot to the CD-ROM. Press a key when you see the message “Press any key
to boot from CD.” If this message does not appear, the BIOS boot order may
need to be changed.

The next screen offers the option to Repair or Install. You can press ENTER to
set up Windows XP or you can press R to start Recovery Console.

Figure 25 – Press R to Start Recovery Console


The above step should not be confused with the Repair installation step. To
run a Repair installation you would press ENTER at the above prompt, and
then press R to run Repair.

Recovery Console starts by listing the Windows installations found on the
drives available on the computer. This list will not include Windows 95/98/Me.
Select an installation by entering the number listed to the left, as shown below.

Figure 26 – Select Installation

After selecting a Windows installation you must log on using the Administrator
password.

Figure 27 – Logon and Command Prompt


At this point you are at a C:\WINDOWS> prompt and can continue with
troubleshooting.

Boot from CD Notes:

The computer must also be configured to boot from a CD. This is a
configuration option in the BIOS for most computers capable of running
Windows XP. Try it by inserting the Windows XP CD in the drive and restarting.

If you do not see the Press any key to boot from CD prompt, try the
following:

● If the computer has multiple CD/DVD drives installed, try each drive.

● Check the BIOS POST screen for options to choose the boot device or
enter a boot menu. This is available on some OEM computers. If you do
not see this option, restart the computer and press ESC as soon as you
see the POST screen. This may cause the BIOS to display more
information.
Note: Using the above step is valuable as it does not modify any BIOS
settings.

● Check the manufacturer’s web site for information on configuring the
computer to boot from CD.

● While you cannot walk a customer through the process of configuring
the BIOS boot order, you can indicate to them what kind of setting they
can look for. This setting is typically listed as “Boot Device”, “Boot
Priority”, “Boot Order”, or similar text. The customer should set the CD-
ROM device as first in the boot order.

IMPORTANT: It is important to set the customer’s expectations that
you cannot guide them through this process, and that they perform
these steps at their own risk.
Risks include misconfiguration of the hard disk settings resulting in no
ability to access the drive, and other boot failures. While unlikely, data
loss is also a remote possibility.

If you are not able to boot the computer from a Windows XP CD, an
alternative is to download the files to create Setup Boot Disks.

From the Boot Floppies

If you are unable to configure the computer to boot from the Windows XP CD,
you can use the information in the following article to download the Setup
boot floppy disk images as an alternative:
KB Article: How to obtain Windows XP Setup boot disks (310994)
http://support.microsoft.com/default.aspx?scid=KB;[LN];310994

Note: Creation of the boot disks requires a functioning computer with an
Internet connection. This may not be an option for customers with only one
computer. This procedure requires six formatted floppy diskettes. If no other
computer is available, the customer may be able to use a local library or
college campus computer.

From the Boot Menu

Turn on the computer and press the F8 key while it is trying to boot. The boot
menu should appear, and if the Recovery Console is installed, it will be one of
the options. Selecting the option starts Recovery Console and enables you to
select an installation. The logon process continues as shown above in the
Boot from CD section.

Installing Recovery Console

The Recovery Console can be installed to the hard drive so that it appears as
a boot menu selection. To set up Recovery Console, run winnt32 /cmdcons
from the i386 directory of your installation source. This creates a directory of
about 7 MB on the hard drive named cmdcons, with the system, hidden, and
read-only attributes, and adds it as the last Windows XP entry in boot.ini. For
example: C:\cmdcons\bootsect.dat = “Windows NT 5.0 Command Console”
/cmdcons

Logon to Recovery Console

You are required to log on to access the drive. When you select Recovery
Console you are presented with the list of Windows XP installations and asked
to select the one you wish to log into. You have three attempts to log on. If
the wrong password is entered on the third attempt, the computer is
restarted.

No Logon Presented
If there is no installation on the system, or the system has been corrupted so
badly that a valid SAM cannot be located, you boot directly to a C prompt.
You will only have access to the root of the drive and to the CMDCONS
directory if it exists.

You have very limited access to the drive at this point. However, you can still
run commands such as Chkdsk, Fixboot, FixMBR, Format, and DiskPart to
attempt to repair the drive.

Performing Troubleshooting in Recovery Console

Troubleshooting in Recovery Console can be broken down into several
categories:

● Repair Commands – these features are related to the boot process.

● File Commands – these commands enable you to copy, rename and
perform other file manipulation.

● Drive Commands – these commands enable you to create/delete
partitions, format, and run chkdsk.

For a complete list of Recovery Console commands, see the following article:
KB Article: Description of the Windows XP Recovery Console (314058)

Repair Functionality
The following commands provide repair functionality for a range of issues
related to hard disks and the boot process. These range from checking the
drive for corruption with chkdsk, to repairing elements of the boot
configuration with bootcfg, fixboot and fixMBR.

Chkdsk
Chkdsk can be run to check the drive for corruption and to attempt recovery
of data from bad sectors. It also displays a status report on the drive. If
chkdsk is run without any arguments, the drive is examined for the dirty flag;
if the flag is not set, chkdsk only reports on the status of the drive.

When encountering errors related to potential disk corruption, use the
following command, replacing “c:” with the drive letter that needs to be
checked:

Chkdsk c: /r

IMPORTANT: Data loss is a risk whenever using chkdsk to fix problems with
the drive, as in the above example. Before running this command, you should
check with the customer to determine whether there is any critical data on
the drive for which they do not have a backup.
If the data is critical and there is no backup, advise the customer of the risks,
and suggest contacting a data recovery service before proceeding.

Table 2: Chkdsk switches

Switch   Functionality
/P       Forces the drive to do an exhaustive check even if the volume is not
         marked dirty.
/R       Locates bad sectors and recovers/relocates readable information.
         /R always includes the /P argument.

Note: Additional command line options are available for chkdsk while running
within Windows.

Bootcfg
Bootcfg automatically scans all local disks for Windows installations and
configures and repairs entries in the operating system menu (Boot.ini). To
use this command, run:

Bootcfg /rebuild

This command searches all local drives for Windows installations. Each is
presented so that the customer can select which installation(s) to add to the
Boot.ini.

The usage of bootcfg is shown below, with circles around required input.

Figure 28 – Bootcfg
As shown in this example, three inputs are required for each Windows
installation found on the computer:

● Add installation to the boot list – “Y” for yes

● Enter the Load Identifier – “Windows XP”. This is the text displayed
on the boot menu to identify the installation during the boot process. If
multiple installations are found, be sure to enter unique identifiers for
each, such as by including the drive letter in the name.

● Enter OS Load Options – “/fastdetect”. This adds switches to the boot
entry in the boot.ini file. The default option for a Windows XP installation
is “/fastdetect”.

Fixboot
Fixboot writes a new Windows XP boot sector onto the system partition. You
can specify the drive, for example:
Fixboot C:

The usage of Fixboot is shown below, with circles around required input.

Figure 29 – Fixboot
As shown in this example, the only required input is Y to confirm writing the
new boot sector.

Fixboot can be useful when the boot process fails before you reach the boot
menu. The boot sector is a portion of the active (bootable) partition that
contains information needed to load the operating system boot files – ntldr
and others.

FixMBR
Fixmbr rewrites the Master Boot Record (MBR). You may also specify
another device name to write the MBR to. If the MBR is detected as corrupt
or invalid you are warned as follows, and given an option to cancel before the
MBR is rewritten.

Warning: “You appear to have a non-standard or invalid Master Boot Record.
FIXMBR may damage your partition table if you proceed. This could cause all
the partitions on the current hard disk to become inaccessible. If you are not
having problems accessing your drive, you should not continue. Are you sure
you want to write a new MBR?”

The usage of FixMBR is shown below, with circles around required input.

Figure 30 – FixMBR
IMPORTANT: This command can damage your partition tables if a virus is
present or if a hardware problem exists. If you use this command, you may
create inaccessible partitions. We recommend that you run antivirus software
before you use this command.

Additionally, if a 3rd party partitioning tool such as Partition Magic is
installed, it overwrites the existing Windows MBR. Executing the FixMBR
command may damage the 3rd party partitions and prevent the user from
accessing the drives. Therefore, back up data before proceeding with this
command.

File Commands
The following commands are used to copy files, list files in a directory, access
directories and expand files from the Windows XP installation source.

Copy
Use the copy command to copy files. You may copy the source file from
removable media, any directory under the system directory of the logged-in
installation, the root of any drive, local installation sources, or the cmdcons
directory. Compressed files from the CD-ROM are automatically decompressed
during the copy process.

The destination can be any directory within the system directories of the
logged in installation, the root of any hard drive, the local installation sources
or the cmdcons directory. The destination cannot be removable media. If the
destination is not specified, it will be the current directory that you are in. The
syntax is:

Copy Source [destination]

Source specifies the file to be copied. Destination specifies the directory
and new filename for the file. Destination is optional. If not specified, the file
is copied to the current directory.

Wildcards such as * or ? are not supported. If the destination file already
exists you will be prompted before it is overwritten.

Delete
You can only delete files in the system directories of the current installation of
Windows XP, on removable media, in the root directory of a hard drive, or in
the local installation source. The syntax is as follows:

Del [path] filename

Dir
You can specify the drive, directory and /or files to list. DIR will list all files
including hidden and system files. The syntax is as follows:

Dir [drive:] [path][filename]

Example of a directory listing:

11/09/98 02:39p -a-h---- 29550 bootlog.txt
11/23/98 05:00p d-rhs--- 0 cmdcons

The columns are: Date, Time, Attributes, Size, Filename.

The attributes listed for each file are as follows:

D=Directory R=Read-Only

H=Hidden Files A=Archive Files

S=System Files C=Compressed

E=Encrypted P=Reparse Point

DIR does support Wildcards such as * and ?.

CD / MD / RD
All three commands RD, CD, and MD can only operate within the system
directories of the logged in installation, on removable media, the root
directories of the drives on the system, or on local installation sources.

MD enables you to create a new directory:

MD [drive:] path

RD enables you to delete an existing directory:

RD [drive:] path

CD changes to the directory specified:

CD [path] [ ..] [drive:]

As shown by the optional “ ..” you can use “CD ..” to move up a level in the
path (e.g. from C:\Windows\System32 to C:\Windows). Also, “CD \” specifies
you want to change to the root directory of the drive (e.g. C:\).

Note: there is and needs to be a space between the CD and the two periods,
and between the CD and the backslash.

Note: Spaces are treated as delimiters, so you need to surround a
subdirectory name that contains a space with quotes. Example:
CD “\winnt\profiles\administrator\programs\start menu”

Ren
The Ren command enables you to rename an existing file. You cannot create
a new path to the file while using rename. Syntax is as shown below:

ren [drive:][path] filename1 filename2

The parameters [drive:][path] filename1 specify the location and name of
the file you want to rename. The parameter filename2 specifies the new
name for the file. Note that you cannot use wildcard characters or specify a
new drive or path when renaming files.

Expand
Previously, you could use a command in Windows consumer products called
Extract. Extract allowed the extraction of individual files that were
compressed into cabinet files. The Expand command in Windows XP provides
the same functionality as Extract; in addition, it uncompresses individual
installation files. The syntax is as follows:

Expand source [/F:filespec] [destination] [/y] [/D]

Source specifies the cab file to extract the files from. It may not include
wildcards; only one cab can be specified at a time.

Destination specifies the directory for the new file. The default is the current
directory, if none is specified.

Table 3: Expand syntax

Switch       Functionality
/Y           Do not prompt before overwriting.
/f:filespec  If the source contains more than one file, this parameter is
             required to identify the specific file(s) to be expanded. May
             include wildcards.
/D           Do not expand; only display a directory of the files contained
             in the source.

Limitations include the following:

● The destination must be a directory that is allowed access. For example
the root directories, the systemroot, and the cmdcons directory are allowed
access. The Program Files directory is not allowed access.

● The destination cannot be a floppy or removable media.

● The destination file cannot be read-only.

Examples of usage:

Expand “c:\winnt\driver cache\i386\driver.cab” /f:atapi.sys c:\winnt\system32\drivers /Y

Note the usage of quotes since the directory path contains a space.

Expand “c:\winnt\driver cache\i386\driver.cab” /f:*.sys c:\winnt\system32\drivers /Y

This expands all .SYS files.

Expand “c:\winnt\driver cache\i386\driver.cab” /f:*.sys c:\winnt\system32\drivers /d

This just displays a list of all .SYS files contained within the cab file.

Note: When using expand on a single compressed file, specify only the
destination directory as the second parameter, not a filename. For example:

Expand e:\i386\atapi.sy_ c:\winnt\system32\drivers

Note: Within the full Windows interface, Expand is available as a command
line utility, and there is also a graphical interface that accomplishes the same
task in the MSConfig utility, available using the Expand File button.

Drive Commands
Drive commands can be used to manipulate partitions and drives, either to
create partitions, format partitions, or view the partitions on a particular
drive.

Format
You can format hard drives while in Recovery Console, however you cannot
format removable media. The format syntax is similar to format under
Windows XP.

Format [Drive:] [/Q] [/FS:file-system]

● Drive: specifies the drive to format (hard drive only)

● /Q specifies a quick format

● /FS:file-system is used to specify FAT, FAT32, or NTFS as the file system
to format with.

If you do not specify a file system NTFS is used. For example:

Format d: /q /FS:fat32

This formats the D Drive with a quick format using FAT32 as the file system

DiskPart
DiskPart allows you to create or delete partitions. DiskPart can be used
without any arguments, in which case you are presented with a text mode
interface similar to what you see in text-mode setup.

Typing DiskPart presents a screen allowing you to select an existing
partition or existing free space and create or delete partitions on it. You are
presented with a list in which you use the UP and DOWN arrows to highlight
the space in which you want to delete or create a partition, as shown below.

Figure 31 – Diskpart
This interface is similar to that shown in Text Mode setup during a clean
installation.

To delete a partition, with the highlight on the partition press D. You will be
warned that all data will be lost; confirm the deletion by pressing L, or return
(cancel) by pressing ESC.

To create a partition, select Unpartitioned space and press C. You will be
prompted for the size you wish to make the partition. The default is the
entire amount of free space remaining on the drive.

Diskpart also offers two command line switches and additional parameters.
These are only recommended for advanced use:

Diskpart [/add|/delete] [Device-name|drive-name|partition-name] [size]

Table 4: DiskPart Switches

Switch    Functionality
/add      Creates a partition
/delete   Deletes an existing partition

Device-name: Device name is used when creating new partitions. You can
use the Map command (described later) to display the existing names in the
system. An example of a device-name would be \device\harddisk0

Partition-name: Partition-name is only used for deleting an existing
partition. Again, these can be determined by using the Map command
(explained later). An example of a partition-name would be
\Device\hardDisk0\partition4

Drive-name: You can also use the drive letter associated with an existing
partition to delete that partition. Drive letters are also shown by the Map
command.

Size: This is used when creating a partition to specify the size of the new
partition in MB.

Note: Diskpart is also available while running in Windows. This version
provides many more command line switches.

Map Command
The MAP command displays the existing drive letter mappings to locate hard
drive volumes, removable media and floppy drives that are recognized under
Recovery Console.

Example of the MAP command display:

C: FAT32 2102MB \device\harddisk0\Partition1
D: NTFS 2102MB \device\harddisk0\partition2
E: NEW 1098MB \device\harddisk0\partition3 (unformatted)
F: FAT16 847MB \device\harddisk0\partition4
A: \device\floppy0
D: \device\Cdrom0

You can also use the map arc form of the command. This displays the ARC
path (the form used in boot.ini) rather than the device path, which can be
useful if the boot.ini file was corrupted or deleted, although using Bootcfg to
repair the boot.ini is preferred.

Other Commands
Several other commands can be useful during troubleshooting in Recovery
Console.

SystemRoot
Systemroot sets the current directory to the systemroot folder of the Windows
installation you are logged on to. This is the equivalent to using the cd
\windows command.

More or Type
These commands can be used to display the contents of a text file without
modifying the file. You are presented with the first page of information. At the
bottom of the page are the commands to page down (Spacebar), scroll line
by line (enter) or stop displaying the file (Esc) as shown below.

Figure 32 – More
The output of the Type or More command cannot be redirected to a new file.

more [drive:][path] filename

-or-

type [drive:][path] filename

The parameter [drive:][path] filename specifies the location and name of
the file that you want to view. If you are using an NTFS drive and the file
name contains spaces, you must enclose the file name within quotation marks
(").

Examples: More setuplog.txt or Type setuplog.txt

Exit
Type exit to leave the Recovery Console and reboot the machine.

Recovery Console Details

Limitations
There is no editing capability built into Recovery Console. You cannot modify
a file like Boot.ini in Recovery Console. Even Copy Con (copy from the
console) is not supported for creating new files.

Registry
There is not any way to edit the registry under Recovery Console. Registry
hives can be replaced but there are no registry editing tools.

Other Considerations
When starting Recovery Console you are asked which installation to boot
into. Once you select an installation you are prompted for the Administrator
password for that installation. There is also a repair logon where only certain
repair functions can be run (Fixboot, FixMBR, chkdsk). This occurs when a
valid Windows XP installation cannot be found; you boot directly to the hard
drive.

Needs Access to the SAM

In order to log on, the Recovery Console needs access to the SAM of the
installation that you are trying to access. The SAM must be located so that
the Administrator password can be checked before access to the drives is
granted. On Domain Controllers, this is the local SAM (the same account used
for Directory Services Restore Mode), not a domain account. At boot, after
selecting Recovery Console, all hard drives are scanned for
%systemroot%\system32\config\sam. This is not dependent on the boot.ini;
it is only looking for a SAM at that directory path. If none is found, you are
booted to a C prompt and are not allowed into any subdirectories.

Limited Access to Files

You will only have access to files in the root of the drives, the cmdcons
directory if it is installed on the local drive, and files plus subdirectories under
the \windir directory of the installation that you are logged into. You do not
have access to other Windows XP installations, nor to other subdirectories
that are not under the \windir directory. For security reasons, you cannot
copy files from the hard drive to removable media. This is not designed nor
intended to be used as a backup mechanism. There is a Group Policy setting
that allows this to be changed, after which full access to the drives is allowed.

System and Software

After the logon, Recovery Console needs to access the Software hive to check
for policy settings. It needs to access the System hive if Listsvc, Enable, or
Disable is used to check the services and devices.

Recovery Console Security Configuration

The Administrator logon for Recovery Console can be modified, either by
editing the registry or through a policy, to allow automatic logon without a
prompt for a password. Once you select the installation you want to enter,
you are logged on. Because this removes the only authentication Recovery
Console performs, anyone with physical access and a Windows XP CD (or the
boot menu entry) then gets administrative file access to that installation.

The registry value that disables the Administrator password prompt is:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
SecurityLevel:REG_DWORD:0x1 = Allow administrative logon without
prompting for a password.

To set this through policy: Control Panel > Administrative Tools > Local
Security Settings > Local Policies > Security Options. You will see two
Recovery Console policies.

Set Command
You can use the set command to set four different environment variables in
Recovery Console.

To view them, type set on its own in Recovery Console:

● AllowAllPaths = False

● AllowWildCards = False

● AllowRemovableMedia = False

● NoCopyPrompt = False

Changing the registry value shown at the end of this section allows the set
command to be used to change these settings to True.

● AllowAllPaths opens up all the drives for full access. You are no longer
denied access to directories.

● AllowWildCards allows wildcards to be used with other commands.

● AllowRemovableMedia allows files to be copied to removable media such
as floppy drives or Jaz drives.

● NoCopyPrompt overwrites files with the same name without a prompt.

The default for all four is False. Changing them in one instance of Recovery
Console only holds while logged into that installation. Logging onto another
installation or rebooting back into Recovery Console resets all settings to
False. There is no way to save these settings for future use. However, a text
file can be created containing any or all of the four set commands, and the
batch command can then be used to apply them.

For example, create a file Fourset.txt containing the four lines:

Set AllowAllPaths = True

Set AllowWildCards = True

Set AllowRemovableMedia = True

Set NoCopyPrompt = True

Note the spaces on either side of the equal sign. Once in Recovery Console,
use the following command to execute this batch file:

batch fourset.txt

The registry value (under the same RecoveryConsole key as SecurityLevel)
that allows the use of the Set command is:

SetCommand:REG_DWORD:0x1 = Allows all the SET environment variables
to be changed from FALSE to TRUE.
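The two values above (SecurityLevel and SetCommand under the RecoveryConsole key) are the ones to check when auditing a machine, since either one lets a person with physical access bypass the password or copy files off the disk. The script below is an added example, not part of this training material: it parses the text of a reg export of that key and reports what each value means. The embedded export is a constructed sample showing both values set to 1; to audit a real machine, run reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" rc.reg and pass the file contents (reg export writes UTF-16) to audit_reg_export.

```python
r"""Audit Recovery Console security settings from a .reg export.

Added example (not from the original training material). Parses the text
produced by:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole" rc.reg
and flags SecurityLevel=1 (no password prompt) and SetCommand=1 (SET can
lift the path and removable-media restrictions). A missing value means the
default, 0, which is the secure setting.
"""
import re

RC_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
          r"\CurrentVersion\Setup\RecoveryConsole")

# Constructed sample export: both weak settings present.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SecurityLevel"=dword:00000001
"SetCommand"=dword:00000001
"""

# One "Name"=dword:XXXXXXXX line as written by reg export.
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


def parse_reg_dwords(text, key):
    """Return {value_name: int} for the DWORD values under `key` in a .reg export."""
    values = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # a [KEY] header switches context
            continue
        if current is not None and current.lower() == key.lower():
            m = _DWORD_RE.match(line)
            if m:
                values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_rc_settings(values):
    """Translate the two Recovery Console DWORDs into findings (empty = secure)."""
    findings = []
    if values.get("SecurityLevel", 0) == 1:
        findings.append(
            "SecurityLevel=1: Recovery Console logs on as Administrator without a "
            "password; anyone with physical access and boot media gets file-level "
            "access to the installation.")
    if values.get("SetCommand", 0) == 1:
        findings.append(
            "SetCommand=1: SET can enable AllowAllPaths and AllowRemovableMedia, "
            "so files can be copied off the disk to removable media.")
    return findings


def audit_reg_export(text):
    """Convenience wrapper: .reg text in, list of findings out."""
    return audit_rc_settings(parse_reg_dwords(text, RC_KEY))


if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG) or ["No weak Recovery Console settings found."]:
        print(finding)
```

Note that these values are under the Setup\RecoveryConsole key of the installation's Software hive, which is why Recovery Console reads the Software hive after logon; a Group Policy that sets the equivalent security options lands in the same two values.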

Kernel Errors
Kernel Mode is the processor access mode in which the operating system and
privileged programs run. Kernel-mode code has permission to access any part
of the system, and is not restricted like user-mode code. It can gain access to
any part of any other process running in either user mode or kernel mode.

Kernel mode errors involve software components that reside in kernel or
system memory. This usually means drivers, file systems, and operating
system components. When a kernel mode component fails, it can cause the
most catastrophic of problems, since it is a “trusted” component with access to
all of the system resources. Kernel mode failures are the types of failures that
can generate what is known as the Stop Screen or Blue Screen in Windows
XP.

Windows XP displays a STOP error message and halts when the kernel detects
an unrecoverable error or the CPU detects an unrecoverable hardware error.
Figure 33 illustrates a stop error and some of the information it displays
(more details on this type of error follows later in this lesson).

Figure 33. Kernel Mode Error (Stop Error)


Note: Program errors in processes running in User Mode should not
be able to crash XP, that is, generate a Stop Error. Only device drivers
and other kernel level programs cause Stop Errors, so you can
determine whether an error occurred in user mode or kernel mode.
Kernel mode errors display Stop Errors or blue screens. User mode
errors display Dr. Watson alerts. Hardware failures are displayed as
failures of the Kernel. The real problem is that the Kernel is no longer
able to properly communicate with the hardware, not that the Kernel
is bad.


In the case of Kernel Mode Errors, the operating system must shut down to
preserve system integrity. Windows XP automatically restarts your computer
by default when it encounters one of these kernel errors.

Note: Allowing the system to continue operating (even if it is
possible) after a Kernel Error will more than likely result in further
corruption of data, which is why Windows shuts the system down.
This process should not be altered.

You may also see error information on the blue-character screen, including a
message code that provides information about the crash. This is known as the
Stop Error (Figure 33).

Because kernel-mode code has permission to access any part of your system,
it is not restricted like User Mode code. Kernel-mode code can gain access to
any part of any process running in either user mode or kernel mode.
Performance-sensitive operating system components run in kernel mode, so
they can interact with the hardware and with each other.

The possibility of data corruption is much greater with kernel-mode process
errors. When a process erroneously accesses a portion of memory that is in
use by another application or by the system, this lack of restrictions on
kernel-mode processes forces Windows to stop the entire system.
Malfunctioning hardware devices or device drivers, which reside in kernel
mode, are often the cause of serious Windows errors or Kernel errors. For
example, a bad SCSI adapter, a malfunctioning drive controller, or defective
memory chips can corrupt memory contents and alter program pointers, so
they attempt to access an incorrect address in memory.


You can change the behavior during a stop error, such as the automatic
restart, as well as the memory dump type that is created in the Startup and
Recovery settings, available from the Advanced tab of System Properties
as shown below.

Figure 34. Startup and Recovery Settings


Memory Dump files are copies of the contents of memory that the kernel
writes to the pagefile while the bluescreen error is displayed. On the next
boot this data is then written to a .dmp file which can be used for later
analysis.

The default dump file type is a Small Memory Dump file, also known as a
Minidump. This file contains only basic information about what was in memory
during the fault, rather than the entire contents of memory. Minidump files
are 64 KB in size and are designed to be sent to Microsoft using Error
Reporting.

Other dump file options are Full, which saves the entire contents of RAM,
meaning that the file is just larger than the size of system memory; and
Kernel dump, which saves only the contents of memory used by the kernel.
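As an added illustration of why the .dmp file is useful for later analysis, the following Python script (it is not part of this manual and not a Microsoft tool) reads the bugcheck code and its four parameters straight out of the first page of a 32-bit kernel dump. The field offsets are taken from the public DUMP_HEADER32 structure, which starts with the signature text PAGEDUMP and occupies one 4 KB page; the dump bytes the script parses are constructed by build_sample_header from the Stop 0x000000D1 example used in this lesson, not taken from a real crash. The script rejects the 64-bit PAGEDU64 header and the MDMP header of a user-mode (Dr. Watson) minidump so that the wrong kind of file is not misread as a Stop error dump.

```python
import struct

# Layout of the 32-bit kernel dump header (DUMP_HEADER32) that begins every
# kernel, full and small (mini) memory dump written by 32-bit Windows XP.
# The header is one 4 KB page; bytes the kernel does not use keep the ASCII
# fill pattern "PAGE". Offsets come from the public DUMP_HEADER32 definition,
# not from the training manual.
HEADER_SIZE = 0x1000
SIG_KERNEL32 = b"PAGEDUMP"   # 32-bit kernel dump
SIG_KERNEL64 = b"PAGEDU64"   # 64-bit kernel dump (different layout, not parsed here)
SIG_USERMODE = b"MDMP"       # user-mode minidump (Dr. Watson / Error Reporting)

_FIELDS32 = {
    "major_version": 0x08,       # 0xF is written by free (retail) builds
    "minor_version": 0x0C,       # OS build number, 2600 for Windows XP
    "machine_image_type": 0x20,  # 0x014C = IMAGE_FILE_MACHINE_I386
    "number_processors": 0x24,
    "bugcheck_code": 0x28,
    "bugcheck_parameter1": 0x2C,
    "bugcheck_parameter2": 0x30,
    "bugcheck_parameter3": 0x34,
    "bugcheck_parameter4": 0x38,
}


def parse_kernel_dump_header(data):
    """Return the bugcheck fields from the first page of a 32-bit kernel dump."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file is shorter than the 4 KB DUMP_HEADER")
    sig = bytes(data[:8])
    if sig[:4] == SIG_USERMODE:
        raise ValueError("user-mode minidump (MDMP); not a kernel Stop error dump")
    if sig == SIG_KERNEL64:
        raise ValueError("64-bit kernel dump (PAGEDU64); DUMP_HEADER64 not handled")
    if sig != SIG_KERNEL32:
        raise ValueError("unrecognised dump signature %r" % sig)
    out = {name: struct.unpack_from("<I", data, off)[0]
           for name, off in _FIELDS32.items()}
    out["stop_code_text"] = "0x%08X" % out["bugcheck_code"]
    out["parameters_text"] = "(%s)" % ", ".join(
        "0x%08X" % out["bugcheck_parameter%d" % i] for i in range(1, 5))
    out["is_x86"] = out["machine_image_type"] == 0x014C
    return out


def is_kernel_dump_header(data):
    """True when the bytes carry a parseable 32-bit kernel dump header."""
    try:
        parse_kernel_dump_header(data)
        return True
    except ValueError:
        return False


def build_sample_header(bugcheck_code, params, cpus=1):
    """Construct a synthetic 32-bit dump header for demonstration (not a real dump)."""
    if len(params) != 4:
        raise ValueError("a bugcheck carries exactly four parameters")
    hdr = bytearray(b"PAGE" * (HEADER_SIZE // 4))  # kernel's fill pattern
    hdr[0:8] = SIG_KERNEL32
    values = {
        "major_version": 0xF, "minor_version": 2600,
        "machine_image_type": 0x014C, "number_processors": cpus,
        "bugcheck_code": bugcheck_code,
    }
    for i, p in enumerate(params, 1):
        values["bugcheck_parameter%d" % i] = p
    for name, val in values.items():
        struct.pack_into("<I", hdr, _FIELDS32[name], val)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed sample: the lesson's Stop 0x000000D1 example values.
    sample = build_sample_header(0xD1, [0x00000000, 0xF72031AE, 0xC0000008, 0xC0000000])
    info = parse_kernel_dump_header(sample)
    print("STOP:", info["stop_code_text"], info["parameters_text"])
```

On a real system the bytes would come from reading the first 4096 bytes of %SystemRoot%\Minidump\*.dmp or of Memory.dmp; the bugcheck code recovered this way matches the first line of the Stop screen, which is why the dump is the record to keep when the customer could not note the screen.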


Why do you need to know about Kernel Mode error messages?


The many variables and unforeseen conditions in the software world make it
possible for errors to occur. The best coded software cannot anticipate all the
problems which may cause an error to arise. As a user of a program you have
to deal with errors. As a support professional you resolve errors by identifying
the root cause of the error and removing the obstacle (or providing a
workaround).

What is a Kernel Mode Error?


Before looking into Kernel Mode errors, let’s review the Kernel architecture.
Because kernel-mode code has permission to access any part of your system,
it's not restricted like user-mode code, so kernel-mode code can gain access
to any part of any other process running in either user mode or kernel mode.
Performance-sensitive operating system components run in kernel mode, so
they can interact with the hardware and with each other.

All of the kernel-mode components in Windows XP are fully protected from
applications running in user mode, and these kernel-mode components can
be grouped into several categories:

● Executive

● Kernel

● Hardware Abstraction Layer

● Window and Graphics Subsystem

The Executive is basically the base operating system components that
handle memory management, process and thread management, security,
input/output routines, and routines that handle communication between
processes.

The Kernel performs low-level functions, such as thread scheduling, interrupt
and exception dispatching, and multiprocessor synchronization.

The Hardware Abstraction Layer handles all direct interfaces to hardware
devices and isolates the Kernel, device drivers, and the Executive from
platform-specific hardware differences.

Finally, the Window and Graphics Subsystem implements the graphical
user interface functions that create icons, windows, and other items that are
displayed, for example, on your screen or printer.


Kernel mode errors occur within these spaces of the operating system
architecture. The possibility of data corruption is much greater with kernel-
mode process errors. When a process erroneously accesses a portion of
memory that is in use by another application or by the system, this lack of
restrictions on kernel-mode processes forces Windows to stop the entire
system. Malfunctioning hardware devices or device drivers, which reside in
kernel mode, are often the cause of serious Windows errors or Kernel errors.
For example, a bad SCSI adapter, a malfunctioning drive controller, or
defective memory chips can corrupt memory contents and alter program
pointers, so they attempt to access an incorrect address in memory.

Note: Program errors in processes running in User Mode should not be
able to crash XP, that is, generate a Stop Error. Only device drivers and
other kernel level programs cause Stop Errors, so you can determine
whether an error occurred in user mode or kernel mode. Kernel mode
errors display Stop Errors or blue screens. User mode errors display Dr.
Watson alerts. Hardware failures are displayed as failures of the Kernel.
The real problem is that the Kernel is no longer able to properly
communicate with the hardware, not that the Kernel is bad.

Stop Messages
When Microsoft Windows XP Professional detects a problem from which it
cannot recover, it displays a Stop message, which is a text-mode error
message that reports information about the condition. Stop messages contain
specific information that can help you diagnose and possibly resolve the
problem detected by the Windows kernel. When a Stop message occurs as a
result of a problem, there is certain information you will want to record in
order to effectively troubleshoot the issue and cause.

Important: The information contained within a Stop message may be
lost after you initiate a reboot. It is important that you record this
information from the customer before restarting.

Before looking at a checklist of what information to record, let’s look at the
sections which make up a Stop message.

As shown in Figure 35, a Stop message screen has four major sections, which
display the following information:

● Bugcheck information

● Recommended user action

● Driver information

● Debug port and dump status information


Figure 35. Kernel Mode Error (Stop Error)

Bugcheck Information
This Bugcheck information section includes the Stop error number, also
known as the bugcheck code, followed by up to four developer-defined
parameters (enclosed in parentheses) and the symbolic name of the error.
Stop error codes contain a "0x" prefix, which indicates hexadecimal numerical
format. For example, in Figure 35, the Stop error hexadecimal code is
0x000000D1 and its symbolic name is DRIVER_IRQL_NOT_LESS_OR_EQUAL.

As shown in Figure 35, the Bugcheck information section frequently includes a
line that lists the specific hexadecimal memory address of the Stop error's
source, along with the name of the driver or device.

Note: Under certain conditions, the kernel cannot fully display all of the
Stop message content; only the first line is visible. This occurs if the
problem has caused video display services to stop functioning.

Recommended User Action


The Recommended user action section provides a list of suggestions for
recovery. In some cases, restarting the computer might be sufficient because
the problem is not likely to recur. But if the Stop error persists even after you
restart the system, you must determine the root cause to return the system
to an operable state. This might involve undoing recent changes, replacing
hardware, or updating drivers to eliminate the cause of the problem.


Driver Information
The Driver information section identifies the driver associated with the Stop
error. If a file is specified by name, you can use Recovery Console or safe
mode to verify that the driver is signed or has a date stamp that coincides
with other drivers. If necessary, you can replace the file manually, or use
Driver Rollback.

IMPORTANT: Drivers mentioned by name on a bluescreen do not
necessarily indicate the problem component. In many cases a
bluescreen will show the name of a driver which was not at fault. As a
result, be cautious of drawing firm conclusions based on such a listing
unless the KB indicates a more direct connection.

Debug Port and Status Information


While beyond the scope of this discussion, the Debug port and status
information section lists COM port parameters that a kernel debugger uses if
enabled. If you have enabled memory dump file saves, this section also
indicates whether one was successfully written.


Stop Error Troubleshooting


Troubleshooting for kernel errors varies depending on the type of error you
are receiving, as well as the circumstances leading up to the problem.

Troubleshooting Information to Gather from Stop Messages


Use the information from the Stop message in your troubleshooting (such as
when querying the KB or for your incident records). Record the following:

1. Bugcheck information – The Stop error number and the Symbolic
name. Example:
- 0x000000D1
- DRIVER_IRQL_NOT_LESS_OR_EQUAL

2. The four parameters of the error message – these parameters often
provide indications of specific error conditions or causes of the error
message. Example:
- (0x00000000, 0xF72031AE, 0xC0000008, 0xC0000000)

3. Recommended user action. Make general notes of the recommended
actions.

4. Driver information, from Figure 35 as an example:
- WXYZ.SYS
Note that the driver information may not always be available and may
not always point to the root cause of the problem.

Troubleshooting Steps
Once you have gathered the information indicated above, check the
Knowledge Base for any known issues. This will be your main resource for
specific troubleshooting steps. As a rule however, there are some general
troubleshooting procedures you can use in the absence of specific resolution
steps from the KB.

When searching the KB, start with the full information from the
bluescreen: the stop error code, symbolic name, parameters and driver
name. If this does not give you good results, remove the parameters. Then
remove the driver name.
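The following added Python example (it is not from the manual) turns the information-gathering checklist and the KB search order above into code: parse_stop_message extracts the Stop code, symbolic name, four parameters and any named driver from the text of a Stop screen, case_note formats what to record, and kb_search_queries returns the three searches in the recommended order (everything, then without the parameters, then without the driver name). SAMPLE_STOP_SCREEN is constructed in the layout of the Figure 35 screen using the lesson's own 0x000000D1 values; the "base at" address and DateStamp in it are placeholders. The parser also handles the c0000135 form shown later in this lesson, which has no 0x prefix and carries its name in braces.

```python
import re

# Constructed sample of a Windows XP Stop screen, laid out like Figure 35.
# The Stop code, symbolic name, parameters and driver name are the lesson's
# own example values; the "base at" address and DateStamp are placeholders.
SAMPLE_STOP_SCREEN = """\
A problem has been detected and Windows has been shut down to prevent damage
to your computer.

DRIVER_IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this Stop error screen,
restart your computer. If this screen appears again, follow
these steps:

Technical information:

*** STOP: 0x000000D1 (0x00000000, 0xF72031AE, 0xC0000008, 0xC0000000)

***  WXYZ.SYS - Address F72031AE base at F7203000, DateStamp 00000000
"""

# The c0000135 form from later in this lesson: no "0x" prefix, name in braces.
SAMPLE_NO_PREFIX = """\
STOP: c0000135 {Unable To Locate Component}
This application has failed to start because winsrv was not found.
"""

_STOP_RE = re.compile(r"STOP:\s*(?:0x)?([0-9A-Fa-f]{8})(?:\s*\(([^)]*)\))?", re.I)
_BRACE_RE = re.compile(r"\{([^}]*)\}")
_SYMBOLIC_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]{3,})\s*$", re.M)
_DRIVER_RE = re.compile(
    r"\*\*\*\s+([\w.-]+\.sys)\b(?:\s*-\s*Address\s+([0-9A-Fa-f]+))?", re.I)


def parse_stop_message(text):
    """Pull the checklist items out of the text of a Stop screen."""
    m = _STOP_RE.search(text)
    if not m:
        raise ValueError("no 'STOP:' line found")
    code = int(m.group(1), 16)
    params = [p.strip() for p in (m.group(2) or "").split(",") if p.strip()]
    brace = _BRACE_RE.search(text)      # {Unable To Locate Component} style
    sym = _SYMBOLIC_RE.search(text)     # DRIVER_IRQL_NOT_LESS_OR_EQUAL style
    drv = _DRIVER_RE.search(text)       # "*** wxyz.sys - Address ..." line
    return {
        "stop_code": code,
        "stop_code_text": "0x%08X" % code,   # canonical form for KB searches
        "symbolic_name": (brace.group(1).strip() if brace
                          else (sym.group(1) if sym else None)),
        "parameters": params,                 # as displayed, e.g. "0xF72031AE"
        "driver": drv.group(1).upper() if drv else None,
        "address": drv.group(2).upper() if drv and drv.group(2) else None,
    }


def kb_search_queries(rec):
    """Search strings in the order the lesson recommends: everything first,
    then without the parameters, then without the driver name."""
    core = [rec["stop_code_text"]]
    if rec["symbolic_name"]:
        core.append(rec["symbolic_name"])
    params = ["(" + ", ".join(rec["parameters"]) + ")"] if rec["parameters"] else []
    driver = [rec["driver"]] if rec["driver"] else []
    queries = []
    for parts in (core + params + driver, core + driver, core):
        q = " ".join(parts)
        if q not in queries:          # skip duplicates when params/driver are absent
            queries.append(q)
    return queries


def case_note(rec):
    """Text to paste into the incident record before the customer restarts."""
    lines = [
        "Stop code: " + rec["stop_code_text"],
        "Symbolic name: " + (rec["symbolic_name"] or "(not shown)"),
        "Parameters: " + (", ".join(rec["parameters"]) or "(none)"),
        "Driver named: " + (rec["driver"] or "(none; do not assume a driver)"),
    ]
    if rec["address"]:
        lines.append("Fault address: " + rec["address"])
    if 0 < len(rec["parameters"]) < 4:
        lines.append("WARNING: fewer than four parameters captured; re-check the screen")
    return "\n".join(lines)


if __name__ == "__main__":
    rec = parse_stop_message(SAMPLE_STOP_SCREEN)
    print(case_note(rec))
    for q in kb_search_queries(rec):
        print("KB search:", q)
```

The parser keeps the parameters exactly as displayed, since that is how they are typed into a KB search, while the Stop code is normalised to the 0x-prefixed eight-digit form so that the c0000135 message and a conventional bugcheck produce the same kind of search string.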

Last Known Good Configuration


Last Known Good Configuration is an option on the F8 boot menu that
restores the registry settings in HKLM\System\CurrentControlSet to the
version used the last time the computer started successfully. If the Stop error
is the result of a new driver installation, this is the quickest method for
restoring functionality.


Note:
The Last Known Good Configuration is updated at logon. This means that if
the computer successfully loaded the desktop after the problem started, Last
Known Good will not have an earlier configuration.

Note:
Using Last Known Good on the first boot after installing a Service Pack is not
recommended because it will cause a mismatch between the files on the
system and the registry configuration. If this is done, the service pack should
be reinstalled when troubleshooting is complete.

Safe Mode
Safe Mode and Clean Boot Troubleshooting is an essential step when Last
Known Good is not successful. If the computer starts successfully in Safe
Mode, one of the following is causing the problem in Normal Mode:

● Driver for a device not loaded in Safe Mode

● Services loading on startup

● Applications loading on startup

Safe Mode Fails


If Safe Mode fails, continue troubleshooting as follows:

1. Turn off the computer, disconnect non-essential hardware from the
computer and restart.

2. Determine if there have been recent updates installed. If so, use
Recovery Console to uninstall the updates. To uninstall recent
updates:

a. If the user has recently installed Windows Updates prior to the
problem beginning, remove those updates first. To check for
recently installed updates, use the following command from a
C:\Windows prompt in Recovery Console:
dir $NTU*.*

This command will return a list of the Windows Update package
uninstall folders. Check for folders created on or near the date
when the problem occurred.

b. When you locate potentially related updates, note the number for
each, which will be in either KB###### or Q###### format.

c. For each update you want to remove, change to the spuninst
directory within the folder for the update and then execute the
uninstall script using the batch command:
cd $NTUninstallKB######$\spuninst
dir spuninst (this shows you whether to use .txt or .bat below)
batch spuninst.txt (or “batch spuninst.bat”)
cd \windows


d. Repeat the previous step for each update you wish to remove.

e. Before starting the computer, disconnect any network cable to the
computer to prevent connecting to the Internet. If one of the
updates removed was a security update, the machine could be at
risk. Only reconnect after resolving the issue and verifying a
firewall is configured.

f. Use the exit command to restart the computer and check to see if
the issue is resolved. If not, continue troubleshooting.

3. If drivers have been updated recently and the customer knows the
device that was updated, or the driver name installed, you can use the
listsvc and disable commands in Recovery Console to locate and
disable the device.

If only the device name is known, you may need to search the Internet
or search on text in your C:\Windows\Inf folder for clues about the
driver name associated with the device.
Note:
If you still encounter the problem after disabling the driver, check the
\Windows\System32\Drivers folder for drivers with similar names. In
many cases there are related drivers for a component, often these are
filter drivers. If you find drivers with similar names, search the KB and
Internet to make a connection, and then rename or disable that driver
as well.

4. If no information is known about the device or driver, but you suspect
a recently installed driver is the cause of the issue, you can check the
end of the C:\Windows\setupapi.log file for clues:

a. Use the type command to output the text of the setupapi.log file.

b. With the file displayed on screen, hold down the spacebar to scroll
through pages of the file until you reach the end. Examine the last
few lines in the file for clues concerning driver installations.
Note:
This can be a lengthy exercise, which may or may not yield useful
information. Because the setupapi.log file continues to grow in
length after Windows is installed, it may take a while to reach the
end. Also, after reaching the end there is no way to move back up
a page without re-displaying the file and paging down until near
the end.

5. If none of the above steps resolve the issue or provide useful
information you can next look in the C:\Windows\System32\Drivers
folder in Recovery Console. Use dir *.sys to check this folder for new
drivers.

a. When you find a driver with a recent modified date, search the
Knowledge Base and Internet for clues on what hardware or
software component is supported by the driver.


b. If you want to disable a driver for the next boot, use the disable
command.

6. If you still do not have a clear resolution, you can pursue further
troubleshooting in one of two ways:

a. Troubleshoot as you would for a Registry Corruption issue. If you
can boot properly with the Repair registry hives, use recent
Restore Point hives to recover.

b. If this is not successful, or if deemed too time consuming by the
customer when you set their expectations, consider performing a
repair installation of Windows XP.
Note:
Review the documentation on Repair installations for important
considerations on potential for data loss or malware infection.
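Step 4 above notes that paging to the end of setupapi.log with the type command is slow and cannot scroll back. The following Python script, added here and not part of the manual, shows the same check performed on a copy of the log taken to another machine: read_tail seeks to the last 64 KB instead of reading the whole file, parse_sections splits the text at the "[date time pid.tid Title]" section headers, and recent_driver_installs lists the newest "Driver Install" sections together with the INF files, .sys files, warnings and errors they mention. The section-header layout is an assumption based on Windows XP setupapi.log files; SAMPLE_LOG_TAIL is constructed with placeholder device IDs, INF names, file names and messages, and write_sample_log writes it to a temporary file so the script runs offline.

```python
import os
import re
import tempfile

# Constructed sample tail of C:\Windows\setupapi.log, laid out like the
# Windows XP log: a "[date time pid.tid Title]" header starts each section and
# "#" lines follow. Device IDs, INF names, file names and messages are
# placeholders, not copied from any real system.
SAMPLE_LOG_TAIL = """\
[2004/11/12 09:14:02 1024.5 Driver Install]
#-019 Searching for hardware ID(s): pci\\ven_0000&dev_0001
#I022 Found "pci\\ven_0000&dev_0001" in C:\\WINDOWS\\inf\\oem7.inf; Device: "Example Adapter"; Provider: "Example Vendor"
#I121 Device install of "PCI\\VEN_0000&DEV_0001\\4&1A2B3C4D&0&0008" finished successfully.
[2004/11/14 18:40:55 1188.3 Driver Install]
#-019 Searching for hardware ID(s): usb\\vid_0000&pid_0002
#I022 Found "usb\\vid_0000&pid_0002" in C:\\WINDOWS\\inf\\oem9.inf; Device: "Example Scanner"; Provider: "Example Vendor"
#I023 Actual install section: [ExScan.Install]. Rank: 0x00000001. Effective driver date: 11/01/2004.
#E360 An unsigned or incorrectly signed file "c:\\windows\\system32\\drivers\\exscan.sys" for driver "Example Scanner" was installed (Policy=Ignore).
"""

_SECTION_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) ([^\]]+)\]\s*$")
_INF_RE = re.compile(r"[\w.-]+\.inf\b", re.I)
_SYS_RE = re.compile(r"[\w.-]+\.sys\b", re.I)


def read_tail(path, nbytes=64 * 1024):
    """Return the last nbytes of the file as text. When the read starts in the
    middle of the file, the first (partial) line is discarded."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - nbytes))
        text = fh.read().decode("latin-1")  # assumption: ANSI log; latin-1 never fails
    if size > nbytes:
        text = text.split("\n", 1)[1] if "\n" in text else ""
    return text


def _add_unique(lst, items):
    for item in items:
        if item.lower() not in [x.lower() for x in lst]:
            lst.append(item)


def parse_sections(text):
    """Split log text into sections and collect what each section touched."""
    sections = []
    cur = None
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            cur = {"time": m.group(1), "title": m.group(3).strip(),
                   "infs": [], "files": [], "problems": [], "succeeded": False}
            sections.append(cur)
            continue
        if cur is None:
            continue  # lines before the first complete header in the tail
        _add_unique(cur["infs"], _INF_RE.findall(line))
        _add_unique(cur["files"], _SYS_RE.findall(line))
        if line.startswith(("#E", "#W")):  # error and warning lines
            cur["problems"].append(line)
        if "finished successfully" in line:
            cur["succeeded"] = True
    return sections


def recent_driver_installs(path, last_n=5, nbytes=64 * 1024):
    """Newest-first list of the last 'Driver Install' sections in the log tail."""
    secs = [s for s in parse_sections(read_tail(path, nbytes))
            if s["title"] == "Driver Install"]
    return list(reversed(secs))[:last_n]


def write_sample_log(path=None):
    """Write the constructed sample to a file (a temp file by default)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".log")
        os.close(fd)
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(SAMPLE_LOG_TAIL)
    return path


if __name__ == "__main__":
    for sec in recent_driver_installs(write_sample_log()):
        status = "OK" if sec["succeeded"] else "PROBLEMS: %d" % len(sec["problems"])
        print(sec["time"], sec["infs"], sec["files"], status)
```

The newest section is reported first, so the driver installed just before the problem began is the first line of output; the INF name (oem9.inf in the sample) is what you would then open in C:\Windows\Inf to find the driver file names to disable with the Recovery Console disable command.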

Disable Automatic Restart on System Failure


Reboot Loop? Use this option to see what is actually happening.

This is an option on the F8 boot menu which is new in Windows XP SP2. When
encountering a reboot loop on the computer, use F8 at restart and select the
option to Disable automatic restart on system failure. This causes
Windows XP to halt at a bluescreen error message, rather than automatically
restarting the computer.

This is the same setting as in System Properties, Advanced, Startup and
Recovery Settings, Automatically restart.

Note: It has been reported that in some cases this option may not be
available in the startup menu. To be sure, restart the computer and check
again. This may occur if some of the startup files have not been properly
updated to SP2 level.

Next Steps
When using this option, look for a bluescreen error message. Be sure to
record as much of the detail from the error message as possible in your case notes.
Capturing this data is vital for effective troubleshooting.

Reboots Continue
In the event that the computer continues to reboot in a loop there could be a
more severe hardware issue, or a problem with one or more drivers on the
computer. Use the general troubleshooting procedures provided for stop error
issues, starting with Last Known Good Configuration above.


Specific Bugcheck Codes


The following sections provide specific guidance for troubleshooting particular
bluescreen error messages. This is not an exhaustive list. It provides a few
examples, along with a couple of bluescreens that have special
troubleshooting considerations, notably the 0x7B error and the 0xC000021A
error.

IMPORTANT: Unless otherwise indicated below, drivers mentioned by name
on a bluescreen do not necessarily indicate the problem component. In many
cases a bluescreen will show the name of a driver which was not at fault. As a
result, be cautious of drawing firm conclusions based on such a listing unless
the KB or text below indicates a more direct connection.

0x0000000A: IRQL_NOT_LESS_OR_EQUAL
This error message is most often related to one of the following issues:

● Malfunctioning driver or hardware device

● Malfunctioning Service

● Issue with the BIOS on the computer

Start the troubleshooting for this issue by attempting to boot to Safe Mode. If
Safe Mode functions properly, continue with the Clean Boot steps in the Stop
Error Troubleshooting section of this document. Focus your troubleshooting on
Services and Device Drivers.

For more information see the following article:
KB Article: Troubleshooting a Stop 0x0000000A error in Windows XP
(314063)

0x0000001E: KMODE_EXCEPTION_NOT_HANDLED
See the section below on 0x0000007E:
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED. The troubleshooting for
0x0000001E is the same as for a 0x7E error.


0x0000007B: INACCESSIBLE_BOOT_DEVICE
This error is typically caused by a failing or missing driver for the hard disk
controller. It is also possible in the case of a boot sector virus infection, a
hardware failure, or corruption on the hard drive. Driver issues are the most
common cause.

To troubleshoot this issue, gather as much information as possible on the
hardware, particularly the motherboard make and model in the case of a
custom-built computer. The motherboard make and model will give you
information about the hard disk controller in use on the computer. It is the
driver for this device that should be investigated.

For more information on this issue, see:
KB Article: How to troubleshoot "Stop 0x0000007B" errors in Windows XP
(324103)

0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
These errors typically indicate that a driver or system component encountered
an error that could not be handled by its exception handling routines.

When a driver is listed on this bluescreen it is a good first point for
investigation. Perform the following troubleshooting:

1. Search the Internet and in the Knowledge Base for previous issues
related to that driver. When searching on the Internet, try to discover
what kind of hardware is related to the driver.

2. Also, check your own computer for the driver. If it is on your own
computer, it is likely to be a driver provided with Windows. This would
also suggest that it is not the cause of the problem.

3. If you discover that the driver is related to a particular device and it is
not present on your machine, determine if it is an external/removable
device. If so, try to start the computer with the device removed.

If the above does not provide any change in the behavior, use the Stop Error
Troubleshooting section earlier in this module. If the computer starts in Safe
Mode, focus your troubleshooting on Services and device drivers. If the
computer does not start in Safe Mode, remove non-essential hardware from
the computer and try again.


0x0000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED
See the section above on 0x0000007E:
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED. The troubleshooting for
0x0000008E is the same as for a 0x7E error.

0x000000C2: BAD_POOL_CALLER
This error message is commonly encountered when a driver is malfunctioning.
The best first step in these issues is to boot to Safe Mode. Safe Mode will
function properly when the bugcheck is caused by a non-essential driver, such
as for a printer, scanner or other device. See the Stop Error Troubleshooting
section above for specific troubleshooting steps.

STOP: C0000135: {Unable To Locate Component}


This error message, displayed without the “0x” preceding the bugcheck code
as shown above, can occur at the reboot during SP2 installation when there
has been a problem with the file copy process.

The full error message is as follows:

STOP: c0000135 {Unable To Locate Component}
This application has failed to start because winsrv was not found. Re-
installing the application may fix this problem.

This issue is typically related to software that is installed which is causing
problems writing to the PendingFileRenames registry value in
HKLM\System\CurrentControlSet\Control\SessionManager. This value is used
by the SP installer so that files which cannot be updated during the setup
process can be updated at the next restart.

In this particular case, the write problems to this value are causing multiple
failures in the setup process, resulting in this error at the reboot.

For the latest information on resolving this error message, use the steps
provided in the following article:
KB Article: You receive "Stop: c0000135" and "winsrv was not found" errors
after you install Windows XP Service Pack 2 (885523)


0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED
Like the issue below, this error message can result from damaged operating
system files. Even though this error is encountered as a bluescreen, it is
actually the result of a problem in user mode. This can make troubleshooting
more difficult. Perform the same troubleshooting as for the 0xC0000221 error
below.

If this issue occurs at the reboot during a service pack installation, also use
the troubleshooting steps below:

1. Check the version of both NTOSKRNL.EXE and NTDLL.DLL. If these
files have been modified the system may fail with the 0xC000021A
error. To verify this before uninstalling SP2, try the following steps:

2. Boot using a Windows XP CD and select R at the first step to start
Recovery Console.

3. Select the Windows installation and enter the administrator password
when prompted. The default for Windows XP is no administrator
password, so if the customer is not sure, leave it blank and press
ENTER.

4. At the C:\Windows> prompt type the following commands to verify that
the SP2 files are available in the ServicePackFiles folder:

Dir ServicePackFiles\i386\ntoskrnl.exe
Dir ServicePackFiles\i386\ntdll.dll

5. If either of these two files is missing, do not proceed with the following
steps. Perform a manual uninstall using the steps earlier in this
document. If both files are present, run the following commands:

Ren system32\ntoskrnl.exe ntoskrnl.old
Ren system32\ntdll.dll ntdll.old
Copy servicepackfiles\i386\ntoskrnl.exe system32
Copy servicepackfiles\i386\ntdll.dll system32
Exit

The computer should restart after using the Exit command. See if the issue
persists. If the issue is not resolved, use the general troubleshooting
procedures to uninstall SP2 and prepare the computer for a reinstall of SP2.


0xC0000221: STATUS_IMAGE_CHECKSUM_MISMATCH
This error message can occur when a system file is damaged during the file
copy stage of a Windows Update or Service Pack installation. Causes could
include:

● Interruption of the service pack installation process resulting in file
corruption.

● Application or driver in memory during the installation that caused the
corruption.

● Failure of RAM or disk hardware that caused corruption.

The error text should include the name of the file that is damaged. Use the
following steps to recover:

1. Note the filename referenced on the bluescreen.

2. Boot to Safe Mode (if possible) or Recovery Console.

3. Rename the current file to <filename>.err

4. Copy a good SP2 version of the file from
%windir%\ServicePackFiles\i386 to the proper location on disk
(typically %windir%\system32).

Note: In the event that the %windir%\ServicePackFiles folder does
not exist, the service pack may have been installed from a network
location. This is only common in corporate environments. In such a
case you will need to copy the file from another computer to a floppy
disk and use that floppy in Recovery Console. In the event the file is
too large for a floppy, burn it to a CD on another machine and use that
CD to copy the file in Recovery Console.

5. Copy the same file to %windir%\system32\dllcache

6. Restart the computer

If this does not resolve the issue, see if the error message has changed. If it
has changed, perform troubleshooting appropriate for the new error.

If the error has not changed, it is recommended that you perform the
following steps:

1. Remove the service pack in Recovery Console using Spuninst.txt. For
steps, see:
How to remove Windows XP Service Pack 2 from your computer
(875350)

2. Make sure you have also used Add or Remove Programs to remove
the service pack. Failing to perform this step can result in instability or
failures in later steps.


3. Use the System File Checker (SFC.EXE) to verify that the correct
Windows operating system file versions are in place. The command to
use is sfc /scannow. Resolve any issues reported. For more information
on SFC, see the following:
KB Article: Description of Windows XP and Windows Server 2003
System File Checker (Sfc.exe) (310747)
Note: SFC requires access to the Windows XP installation media.

4. Verify sufficient disk space on the computer. The absolute minimum
disk space for installing SP2 is 1GB free. At least 1.5 GB free is
recommended.
Use the Disk Cleanup Wizard to free additional space, if needed.
Description of the Disk Cleanup Tool in Windows XP (310312).

5. Take the customer to Windows Update and install critical updates.
Also, check for driver updates. Installing the latest driver versions
available at this point could resolve driver issues that resulted in the
original issue.

6. Reinstall SP2.


User Mode Errors


When dealing with User Mode error messages, it is important to first
determine if the error is being returned by a particular application, or if it is a
user mode error message, such as an Access Violation.


Application Errors
Application errors are encountered while working within an application or
during a process driven by an application. Most applications are programmed
with their own error handling to detect and perform recovery from specific
errors. When an application error occurs, generally only the application is
impacted. Common causes of application errors include working
with/accessing corrupt files or memory allocation problems.

Specific troubleshooting steps for application errors vary depending on the
application. In the absence of specific steps from the application vendor or
the Knowledge Base, using standard Safe Mode and Clean Boot
troubleshooting is advised. It is also useful to test the application while logged
on as an alternate user to see if there is a user profile or permissions
problem.


User Mode Errors


User Mode is the processor access mode in which applications run.
Applications and subsystems run on the computer in user mode. Processes
that run in user mode do so within their own virtual address spaces. They are
restricted from gaining direct access to many parts of the system, including
system hardware, memory that was not allocated for their use, and other
portions of the system that might compromise system integrity. Because
processes that run in user mode are effectively isolated from the system and
other user-mode processes, they cannot interfere with these resources.

User Mode applications and services can also fail. When these components
fail, the failure is usually limited to the component itself, although if the
component fails, other pieces of the system that rely on that component may
also fail. This could cause some loss of functionality on the system. Windows
XP services, as well as Applications and Subsystems, run in User Mode. This is
the type of error most commonly related to application failure.

When a User Mode error occurs, the Error Reporting service displays an alert
stating that Windows XP encountered a problem, as seen in Figure 36.

Figure 36. User Mode Error


Applications like Microsoft Word or Internet Explorer run on your computer in
what is called user mode. Processes that run in user mode do so within their
own virtual address space, and are restricted from gaining direct access to
hardware or memory that was not allocated to them. Because of this, they are
effectively isolated from the system and other user mode processes, so they
cannot interfere with these resources and compromise the integrity of your
system. For example, if a process attempts to read or write to a memory
location that has not been allocated to it, the result is an exception, or a user-
mode fault. When these errors occur, only the affected application or processes
are closed. Again, this is to maintain system integrity.


Why do you need to know about User Mode Error messages?


The many variables and unforeseen conditions in the software world make it
possible for errors to occur. The best coded software cannot anticipate all the
problems which may cause an error to arise. As a user of a program you have
to deal with errors. As a support professional you resolve errors by identifying
the root cause of the error and removing the obstacle (or providing a
workaround).

What is a User Mode Error?


While working within applications, one type of error you can encounter is the
“unrecoverable application error”, which is also called a user mode error, a
"user-mode fault", or an exception. Applications like Microsoft Word, Internet
Explorer, and portions of Windows XP setup run on your computer in what is
called user mode or Ring 3. Processes that run in user mode do so within
their own virtual address space, and are restricted from gaining direct access
to hardware or memory that was not allocated to them. Because of this, they
are effectively isolated from the system and other user mode processes. So
they cannot interfere with these resources and compromise the integrity of
your system. For example, if a process attempts to read or write to a memory
location that has not been allocated to it, the result is an exception, or a user-
mode fault. When these errors occur, only the affected application or
processes are closed. Again, this is to maintain system integrity.

Note: Some common “user-mode errors” or “exceptions” include access
violations, division-by-zero errors, and numeric overflows as well as
problems caused by third party applications and third party DLLs loaded
in another application’s processes.


You should also note that many applications interact with other user-mode
processes and can be extended by add-on features that can share their
memory space. For example, in the case of Internet Explorer, ActiveX®
controls, Browser Helper Objects, tool bands, and other components can add
their own custom functionality to the browser. These components run in the
same memory space as the browser, and could also cause Internet Explorer
or one of its components to experience an exception or fault.

Many applications also interact with other parts of your system. For example,
your display driver, display hardware, and installed fonts are used to display
documents in a word processor program. Your printer driver and hardware
are used to print these documents. Other applications may also interact with
your word processor: for example, to exchange data with a spreadsheet
program. These interactions with other software or services can also result in
unrecoverable errors in your word processor program. Again, when these
errors occur, the application and associated processes must be closed.

Figure 37 illustrates the Error Reporting dialog that occurs when a user mode
process or application encounters a fault in Windows XP. As you see, you
have the option to either send the error report to Microsoft or not send it. You
can also use the click here link to see the details of the error and what is
being sent to Microsoft.

Figure 37 - Error Reporting Dialog Box


The details dialog shown below includes the application name, in this case
iexplore.exe, which is Internet Explorer; the version, which in this case is
6.0; and the module in which the fault occurred, which in this case is
vbscript.dll.

Figure 38 – Error Details Dialog box


Troubleshooting
Start your troubleshooting by viewing the error details. If the module listed
for ModName is not a Windows file, you may be able to isolate the issue by
removing or disabling any programs, services, or drivers that are associated
with the affected module.

To do so, locate the module file on your hard disk, right-click the file, click
Properties, click the Version tab, and then view the Company box to verify
whether the file is a Microsoft file. If not, the Company and Product Version
boxes may indicate which program, service, or driver the file is associated
with. If they do not, try searching the Internet for information about the file.

When you determine which program, service, or driver the file is associated
with, remove the program, service, or driver to see if the issue is resolved.
For example, to remove a program or service, use the Add or Remove
Programs tool in Control Panel, or contact the manufacturer of the program or
service for information about how to remove it.

If necessary you can also temporarily rename the file to prevent it from being
loaded. This should only be done in cases where you have verified that the file
is not needed by Windows XP, such as by verifying that it is a third party file,
or where the file is not present on your own computer.

Error Reporting
Error Reporting in Windows XP is the mechanism that sends error details to
Microsoft for aggregation and analysis. When receiving an error, you are
presented with the interface shown below, with options to Send Error
Report or Don’t Send.

Sending the error report uploads error details for analysis. When an issue
trend appears, the internal Microsoft team that works with these errors can
then investigate further.

If you are encountering an error with a clear resolution, the results of these
investigations are provided after sending the report.

When working with customers experiencing user mode errors, recommend
that they upload one or more error reports. If content is available, they will be
directed to a web page providing more information.


Dr. Watson
Dr. Watson generates an error log when an application is terminated
unexpectedly. Dr. Watson for Windows is an error debugging program that
gathers information about your computer when a program generates an error
(or user-mode fault). By default, the log file created by Dr. Watson is named
Drwtsn32.log and is saved in the following location: \Documents and
Settings\All Users\Application Data\Microsoft\Dr Watson

For additional information on the Dr. Watson for Windows tool, please refer to
the following article:
KB Article: Description of the Dr. Watson for Windows (Drwtsn32.exe) Tool
(308538)

Note: If the customer is unable to note the error message because it
disappears too quickly or the computer shuts down immediately after the fault, it
is essential to gather Drwtsn32.log. The error message will be recorded
in this log.

Here is an example of how Drwtsn32.log can be useful for troubleshooting.

Scenario
A customer calls in reporting that his/her computer crashed while browsing
websites. However, the user was unable to gather the error details.

Dr Watson Details
The Drwtsn32.log file includes the following entry, which helps isolate the
application experiencing the problem:

“Application exception occurred:
App: C:\Program Files\Real\RealOne Player\RealPlay.exe (pid=1624)
When: 7/7/2002 @ 12:42:27.524
Exception number: c0000005 (access violation)”
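The scenario above shows one entry read by eye. When a customer sends a log with many entries, the same extraction can be scripted. The following Python is an added example and is not part of the training material or of Dr. Watson itself: it pulls the application, process ID, timestamp and exception code out of each "Application exception occurred" block, maps the most common NTSTATUS codes named in the Note above (access violation, divide by zero, overflow) to their names, and groups the results by executable. The sample log is constructed; the first entry repeats the RealPlay.exe entry quoted above and the second is invented. The "is this a Windows file?" check is a first cut based on the path only (the %windir% location is assumed to be C:\Windows) and is no substitute for looking at the Company box on the file's Version tab.

```python
import re

# Exception codes as Dr. Watson prints them (NTSTATUS values in hex). The
# names are the documented Windows constants; the table itself is added here.
EXCEPTION_NAMES = {
    0xC0000005: "access violation",
    0xC0000094: "integer divide by zero",
    0xC0000095: "integer overflow",
    0xC00000FD: "stack overflow",
}

# One "Application exception occurred" block, in the layout quoted above.
ENTRY_RE = re.compile(
    r"Application exception occurred:\s*"
    r"App:\s*(?P<app>.+?)\s*\(pid=(?P<pid>\d+)\)\s*"
    r"When:\s*(?P<when>\S+ @ \S+)\s*"
    r"Exception number:\s*(?P<code>[0-9a-fA-F]{8})"
)


def parse_drwtsn32_log(text):
    """Return one dict per entry: app path, pid, timestamp, code and its name."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        code = int(m.group("code"), 16)
        entries.append({
            "app": m.group("app"),
            "pid": int(m.group("pid")),
            "when": m.group("when"),
            "code": code,
            "exception": EXCEPTION_NAMES.get(code, "unknown NTSTATUS"),
        })
    return entries


def is_windows_file(path, windir=r"C:\Windows"):
    """Path-only heuristic (assumed %windir%): is the executable under the
    Windows directory? Confirm with the Version tab before acting on it."""
    return path.lower().startswith(windir.lower())


def triage(text):
    """Group entries by executable and flag third-party candidates, which are
    the ones to remove or disable first (see Troubleshooting above)."""
    summary = {}
    for e in parse_drwtsn32_log(text):
        name = e["app"].rsplit("\\", 1)[-1]
        s = summary.setdefault(name, {
            "count": 0,
            "third_party": not is_windows_file(e["app"]),
            "exceptions": set(),
        })
        s["count"] += 1
        s["exceptions"].add(e["exception"])
    return summary


# Constructed sample: the first entry is the one quoted in the scenario,
# the second is invented for illustration.
SAMPLE_LOG = r"""Application exception occurred:
        App: C:\Program Files\Real\RealOne Player\RealPlay.exe (pid=1624)
        When: 7/7/2002 @ 12:42:27.524
        Exception number: c0000005 (access violation)

Application exception occurred:
        App: C:\Windows\explorer.exe (pid=1208)
        When: 7/8/2002 @ 09:15:02.110
        Exception number: c0000094 (integer divide by zero)
"""

if __name__ == "__main__":
    for name, s in triage(SAMPLE_LOG).items():
        flag = "third-party candidate" if s["third_party"] else "Windows file"
        print(name, s["count"], flag, sorted(s["exceptions"]))
```

In a real log the block is followed by a state dump for each thread; the regex ignores that and only anchors on the four header lines, so it survives extra text between entries.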

Safe Mode
Safe Mode and Clean Boot Troubleshooting is an essential step when you can
find no clear resolution steps. If the problem does not occur in Safe Mode or
Safe Mode with Networking, one of the following is causing the problem in
Normal Mode:

● Driver for a device not loaded in Safe Mode

● Services loading on startup

● Applications loading on startup

● Third party components loaded in system processes, such as browser
helper objects



Registry Troubleshooting Techniques Tools and Troubleshooting

Registry Troubleshooting Techniques


Knowing Registry concepts will help you understand what the Registry is, how
it works, and how you can use it to resolve issues. It is important to
understand how to manipulate the Registry and what tools are available to
troubleshoot these issues.


What Is the Registry?


The Registry is a system-defined database in which applications and system
components store and retrieve configuration data. In other words, individual
applications and the Operating System write settings to the Registry which
tell the system how to run programs. Hardware settings are also stored in the
Registry.

Machine
The machine-based files, which are the files that store the pieces of the
Registry that define how the operating system is configured, are located in
the following directory: %windir%\System32\Config.

User
User-based Registry files are stored in each user profile under \Documents
and Settings\<username> as an NTUser.dat file.

In addition there are two special user registry files. The NTUser.dat file in
\Documents and Settings\Default User is used to generate new user profiles
on the computer. The first time a new user logs on, this file is copied to
\Documents and Settings\<new username> and used subsequently to store
that user’s settings.

There is also a registry file that contains user settings general to the machine.
This sounds confusing, but it means that even when no user is logged on, there
must still be user-based configuration settings available, such as the desktop
background, screen saver, and so on. The default registry file in
%windir%\System32\Config contains these settings.


Registry Structure
The registry consists of top level hives, containing keys, which contain values
and other keys.

Hives
The Registry is based on several top level structures known as hives. These
hives are:

● “HKEY_CLASSES_ROOT” which stores information about file types on
the computer, commonly known as file associations.

● “HKEY_CURRENT_USER” which stores settings for the currently logged-
on user

● “HKEY_LOCAL_MACHINE” which stores machine-based settings

● “HKEY_USERS” which stores information about the currently logged-on
user and also the default user profile, which corresponds to the
%windir%\system32\config\default registry file.

● “HKEY_CURRENT_CONFIG” which is information about the hardware
profile that’s currently in use on the computer

Figure 39 – Hives in Regedit


Not all of these hives exist as separate files; some are also shown as sub-
keys in other hives. For example, “HKEY_CLASSES_ROOT” is really a sub-
branch of “HKEY_LOCAL_MACHINE” under \Software\Classes, but they are
represented in the Registry Editor as top-level hives for convenience.

Keys
Registry keys are containers for values and other keys. They have a nested
structure just like a folder structure on a drive. They also have permissions
just like file system objects on an NTFS drive. They are displayed in Registry
Editor as folders. “HKEY_LOCAL_MACHINE” is highlighted, and you can see
the sub-keys beneath it.


Figure 40 – Keys in Regedit

Values
Values are containers for value data. Registry values are the terminal
elements in the Registry. They are represented as files in the Registry Editor
and they actually contain value data, which is the element of the Registry that
stores the actual setting. The main value types are:

● REG_SZ is a text string. This is commonly used for things like a path to
a file or text that would be represented as a message on screen and
other descriptions.

● REG_BINARY stores raw binary data.

● REG_DWORD is a four-byte number. These are typically represented as
a hex number.

● REG_MULTI_SZ is a multiple string value. This contains multiple strings.

● REG_EXPAND_SZ is a variable-length string that may contain environment
variables such as %windir%, which are expanded when the value is read.

They are shown in the type column of Registry Editor on the right-hand side
so when you are examining each value, you can see the value type. The types
are important because if you insert a Registry value as the wrong type, it may
not be processed by the component that you are trying to configure.


What Is the Registry Editor?


The Registry Editor, or RegEdit.exe, is the tool in Windows XP that is used for
editing the Registry. In previous versions, Windows 2000 and Windows NT 4.0,
RegEdt32 was used to edit the Registry because it provided advanced
features like Permissions. In Windows XP, RegEdt32 just calls RegEdit.exe, so
you can use Regedit for all your Registry editing needs.

Use caution when editing the Registry. Changes that you make are made
immediately—there is no Undo feature in Regedit. Incorrectly editing the
Registry can cause your system to become unbootable or cause programs to
be unable to run.

The safest way to edit the Registry is to make a backup first. With a backup,
you can always recover to the situation that you were in before. (You can also
use System Restore to do this. If you save a System Restore Point just before
making a change, you can use System Restore in Safe Mode to restore your
computer, including the Registry, back to the state that you were just in.)
Also, use the techniques for testing and modifying the Registry on a test
computer for troubleshooting.

Registry Editor Features


Import and Export
Some of the features of the Registry Editor include Import and Export. This is
on the File menu. It enables you to save or Export .REG files, which are
portable Registry files that can be imported into either another computer or
into the same computer after making changes. You can also export files as
hive files. These are files with no extension that maintain the native format of
the Registry rather than being converted to a text file, as in the case of a
.REG file.

IMPORTANT: Export is a key feature for support. Before making changes to
the registry on a customer’s computer, always export the parent key so that
you can import the saved file later should problems arise.

Search
You can also Search for text within the Registry. Use the Search feature on
the File menu to search for the key you need.

Favorite Keys
You can save Favorite Keys, which are similar to Internet Explorer favorites—
they store a path to a favorite location. If you commonly find yourself
examining a certain key, you can save it in your favorites and then navigate
back to it easily.


Load Hive
You can also load a hive. Once you have exported a hive file, or if you simply
want to open one of the top-level Registry files, you can choose the Load Hive
option on the File menu. This is only available when “HKEY_LOCAL_MACHINE”
or “HKEY_CURRENT_USER” is selected.

Connect
You can also connect to a remote Registry. When you connect to a remote
machine in Registry Editor, you only have access to “HKEY_LOCAL_MACHINE”
and “HKEY_USERS” keys.

Importing Registry Files


There is more to importing Registry files than just understanding how to
Import and Export. There are two export formats, and they affect how
imports take effect.

To import a .REG file, you can either use the Import option from the File
menu in Regedit, or you can double click the .REG file. The .REG file has an
association with Registry Editor that automatically causes the values in that
.REG file to be inserted into the Registry. When you do this with a .REG file, it
imports the settings into the same key as the original. If you have exported,
for example,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, and
then you import that into another computer, it will be imported to the same
key as the original computer,
HKLM\Software\Microsoft\Windows\CurrentVersion.

The alternative is to use a hive file for import. If you import a hive file, which
can only be done from the Import option in the Registry Editor, it is going to
import that hive to the currently selected key. The advantage here is that if
you want to compare a branch in the Registry from a customer’s computer
with one in a test computer, you can create a new key that is similar in name
to the test key.

In the previous example, if you export
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion as a hive
file, you can create a CurrentVersionTest key under Windows on the test
computer. When you import the hive with that key selected, the settings are
imported under CurrentVersionTest instead of under CurrentVersion.
You can then compare CurrentVersion with CurrentVersionTest side by side to
look for differences. Alternatively, if you want to import a hive file just for
simple examination, you can use the Load Hive option even if it is not a
complete Registry hive.

When settings take effect, you need to be aware that not all Registry
values take effect immediately. Some portions of the Registry are processed
during start up, during user logon, or when an application is started. In these
cases, be aware of when the changes will take effect. To be sure that
everything has taken effect, restart the computer.


Registry Troubleshooting Techniques


Understanding Registry troubleshooting is more than just understanding
Regedit. There are many other tools that are useful when troubleshooting the
Registry!

Prune and Graft


Prune and Graft is one of the fundamental Registry troubleshooting
techniques used to reproduce failures on a test computer, or to test a
Registry fix on computers with a Registry problem.

Prune and Graft involves exporting part of the Registry of one computer
(Pruning), and applying this to the Registry of a test computer (Grafting).
This can be done to pull a section of the Registry of a failing computer for
application on a test computer to reproduce an issue. In this case, the
process can be helpful for isolating sections of the Registry to determine
where the problem exists. The process can also be done to take a section of
the Registry on a good computer and apply it to a failing computer. In this
case, the test is performed both to isolate where the issue may exist, as well
as to test potential resolutions to the problem.

Bad Keys on a Good Machine


When grafting Registry keys from a bad computer to a test computer, you
may want to accomplish one of two goals:

● Reproduce the problem on the test computer

● Compare keys on the bad computer with known good keys on a test
computer

To use for issue reproduction, you can typically export the keys from a bad
computer as .REG files. These are easily applied to a test computer, and do
not remove any subkeys or values that exist on the test computer but not the
bad computer. This is in contrast with using a hive file, which replaces the
target Registry key on the test computer, removing all keys and values not
present on the bad computer.

If you wish to compare settings side-by-side, export from the bad computer
as a hive file, and then import the hive to an adjacent key on the test
computer. For example, if you are exporting HKLM\System\CurrentControlSet
on the bad computer, create an HKLM\System\CurrentControlSetX on the test
computer. Then import the hive file to this key. This will enable you to
compare settings easily.
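The side-by-side comparison described here, and the difference between a .REG import (merge) and a hive import (replace) from the Importing Registry Files section, can be checked mechanically on two exports. The Python below is an added example and is not part of the training material or of Regedit: it parses the "Windows Registry Editor Version 5.00" text format that Regedit exports (REG_SZ strings with backslash escapes, dword:, hex: binary, and the hex(2)/hex(7) encodings that carry REG_EXPAND_SZ and REG_MULTI_SZ as UTF-16LE, including continuation lines), diffs a "bad" export against a "good" one key by key, and models what a .REG import does to the target. The two exports are constructed for the example; the Contoso\Widget key and its values do not exist on any real system. Deletion syntax ([-key] and "name"=-) is not handled.

```python
import re

# hex(N) suffix in a .REG file -> registry type; plain "hex:" is REG_BINARY.
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}


def _unescape(s):
    # .REG files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def _decode_hex(suffix, payload):
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    kind = HEX_TYPES.get(suffix, "hex(%s)" % suffix)
    if kind == "REG_EXPAND_SZ":   # UTF-16LE, NUL terminated
        return kind, raw.decode("utf-16-le").rstrip("\0")
    if kind == "REG_MULTI_SZ":    # UTF-16LE, NUL separated, double NUL at end
        return kind, [s for s in raw.decode("utf-16-le").split("\0") if s]
    return kind, raw              # anything else stays as raw bytes


def parse_reg(text):
    """Parse a Regedit .REG export into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)   # join hex continuation lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        if value.startswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(value[1:-1]))
        elif value.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(value[6:], 16))
        elif value.startswith("hex"):
            m = re.match(r"hex(?:\((\d+)\))?:(.*)", value)
            keys[current][name] = _decode_hex(m.group(1), m.group(2))
        else:
            raise ValueError("unrecognised .REG line: " + line)
    return keys


def diff_exports(bad, good):
    """Side-by-side comparison of two parsed exports (CurrentVersion against
    CurrentVersionTest in the text's example). Key paths are compared as
    written; Regedit exports them with consistent casing."""
    report = {"only_in_bad": [], "only_in_good": [], "changed": []}
    for key in sorted(set(bad) | set(good)):
        if key not in good:
            report["only_in_bad"].append(key)
        elif key not in bad:
            report["only_in_good"].append(key)
        else:
            for name in sorted(set(bad[key]) | set(good[key])):
                b, g = bad[key].get(name), good[key].get(name)
                if b != g:
                    report["changed"].append((key, name, b, g))
    return report


def apply_reg_import(target, export):
    """Model a .REG import: keys and values are added or overwritten, and
    nothing present only on the target is removed. A hive import, by contrast,
    replaces the selected key and everything under it."""
    merged = {k: dict(v) for k, v in target.items()}
    for key, values in export.items():
        merged.setdefault(key, {}).update(values)
    return merged


# Constructed sample exports (hypothetical Contoso\Widget key, not real data).
BAD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Widget]
@="Widget"
"InstallDir"="C:\\Program Files\\Contoso\\Widget"
"Enabled"=dword:00000000
"Flags"=hex:01,00,\
  ff
"LogDir"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Widget\Plugins]
"Loaded"=hex(7):61,00,00,00,62,00,00,00,00,00
"""

GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Widget]
@="Widget"
"InstallDir"="C:\\Program Files\\Contoso\\Widget"
"Enabled"=dword:00000001
"LogDir"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Widget\Updates]
"Url"="http://updates.example.invalid/"
"""
```

Running `diff_exports(parse_reg(BAD_EXPORT), parse_reg(GOOD_EXPORT))` reports the Plugins key as present only on the bad computer, the Updates key as present only on the good one, and Enabled and Flags as changed; `apply_reg_import` shows that merging the good export into the bad tree fixes Enabled but leaves the stray Plugins key and the Flags value in place, which is exactly why the text says a hive file is needed when keys or values must be deleted.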

Good Keys on a Bad Machine


Before applying Registry keys from a good computer to a computer that is
experiencing a failure, you should first identify the affected Registry keys.
This may involve the Registry monitoring techniques discussed later in this
section.


When you have identified the affected keys or values, check the failing
computer to determine what type of Registry export will work for the
situation. If you need to delete keys or values, you will need to use a hive file.
Otherwise, using .REG files offers an easier import process.

IMPORTANT: You should not send .REG files from your computer to a
customer for them to import on their own computer. This can lead to
problems because of potential differences between machine configurations. It
is better to use this technique to isolate the specific cause of the problem so
that you can then edit the specific registry keys and values to resolve the
issue.

Monitoring Registry Access


In many cases you cannot use the prune and graft technique because you do
not know what part of the Registry is related to an issue. You may also be
experiencing a problem running an application that is not easily diagnosed.
For these situations, Registry monitoring tools can be helpful.

Registry monitoring tools provide information on the keys and values that
applications modify or read in order to function properly. These come in two
types:

● Tools that monitor access to the Registry in real-time

● Tools that identify changes to the Registry based on a comparison of
two Registry states

Regmon
Regmon is an application that monitors and displays all Registry activity on a
system in real-time. It has advanced filtering and search capabilities that
make it a powerful tool for exploring the way Windows works, seeing how
applications use the Registry, or tracking down problems in system or
application configurations.

Location: Regmon is a freeware tool available from:
http://www.sysinternals.com.

Usage
Simply run the Regmon GUI (Regmon.exe) on Windows NT/2000/XP/2003.

Note: You must have administrative privileges to run Regmon.

Menus, hot-keys, or toolbar buttons can be used to clear the window, save
the monitored data to a file, and to filter and search output.

As events are printed to the output, they are tagged with a sequence number.
If Regmon’s internal buffers are overflowed during extremely heavy activity,
this will be reflected with gaps in the sequence number.

Regmon displays seven columns:

• # – Specifies the log row number
• Time – Timestamp
• Process – Indicates the process that has the open handle to the Registry path
• Request – Action that the process is undertaking
• Path – Registry path being accessed
• Result – Result of the request (SUCCESS, ACCDENIED, NOTFOUND, etc.)
• Other – Additional information including key values, names, and GUID
information

Figure 41 – Regmon Output

Techniques for Reviewing Logs


In most cases, the information collected from the customer will need to be
sent back to a PSS engineer for examination. Interpreting this data is
extremely important in determining where the problem lies.

Although Regmon contains its own filtering options, most Regmon logs will be
viewed as log files saved by the Customer. By loading these log files into
Microsoft Excel, you can accomplish the same tasks by using Excel’s filtering
options, using the same methods as applied to reports provided in MPS
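The Excel filtering described here (find the failed requests for the process of interest, then read the paths) can also be done in a few lines of script once the saved log is loaded. The Python below is an added example, not part of the training material or of Regmon: it reads a tab-separated save with the seven columns listed above, filters for NOTFOUND and ACCDENIED results for one process, lists the paths that process touched (the candidates for prune and graft), and flags gaps in the sequence number, which the text notes indicate buffer overflow and lost events. The sample rows are constructed, and the exact layout of a Regmon save (tab separation, "name:pid" in the Process column) is an assumption about the file format, so adjust the column split if your log differs.

```python
COLUMNS = ["seq", "time", "process", "request", "path", "result", "other"]
FAILURES = {"NOTFOUND", "ACCDENIED"}


def parse_regmon(text):
    """Parse a tab-separated Regmon save into row dicts. Lines whose first
    column is not a number (a header, for example) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        parts += [""] * (7 - len(parts))          # pad a missing Other column
        row = dict(zip(COLUMNS, parts[:7]))
        row["seq"] = int(row["seq"])
        # assumed layout: Process column is written as name:pid
        row["process"], _, pid = row["process"].partition(":")
        row["pid"] = int(pid) if pid.isdigit() else None
        rows.append(row)
    return rows


def failed_accesses(rows, process=None):
    """The filter you would apply in Excel: failed requests, optionally
    restricted to one process name (case-insensitive)."""
    return [r for r in rows if r["result"] in FAILURES
            and (process is None or r["process"].lower() == process.lower())]


def sequence_gaps(rows):
    """Non-consecutive sequence numbers mean Regmon's buffers overflowed
    and events between the two numbers were lost."""
    seqs = [r["seq"] for r in rows]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


def paths_touched(rows, process):
    """Distinct registry paths one process accessed: the branch to export
    when applying prune and graft."""
    return sorted({r["path"] for r in rows if r["process"].lower() == process.lower()})


# Constructed sample rows, built with tabs so they match the parser's input.
SAMPLE_ROWS = [
    ("1", "10:41:02.100", "widget.exe:1624", "OpenKey",
     r"HKLM\SOFTWARE\Contoso\Widget", "SUCCESS", "Access: 0x20019"),
    ("2", "10:41:02.101", "widget.exe:1624", "QueryValue",
     r"HKLM\SOFTWARE\Contoso\Widget\InstallDir", "SUCCESS", r'"C:\Program Files\Contoso\Widget"'),
    ("3", "10:41:02.103", "widget.exe:1624", "OpenKey",
     r"HKLM\SOFTWARE\Contoso\Widget\Plugins", "NOTFOUND", ""),
    ("4", "10:41:02.104", "widget.exe:1624", "SetValue",
     r"HKLM\SOFTWARE\Contoso\Widget\LastRun", "ACCDENIED", ""),
    ("5", "10:41:02.110", "explorer.exe:1208", "QueryValue",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState", "SUCCESS", ""),
    ("7", "10:41:02.200", "widget.exe:1624", "CloseKey",
     r"HKLM\SOFTWARE\Contoso\Widget", "SUCCESS", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in SAMPLE_ROWS)

if __name__ == "__main__":
    rows = parse_regmon(SAMPLE_LOG)
    for r in failed_accesses(rows, "widget.exe"):
        print(r["seq"], r["request"], r["path"], r["result"])
    print("gaps:", sequence_gaps(rows))
```

In the sample, rows 3 and 4 are the ones worth chasing: a NOTFOUND on a key the application expects and an ACCDENIED on a value it tries to write, the latter being the classic signature of a permissions problem on the key. The gap between sequence numbers 5 and 7 is reported separately so the analyst knows the log is incomplete at that point.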


Registry Corruption Troubleshooting


Corrupt registry files will result in messages such as any of the following:

Windows could not start because the following file is missing or corrupt:
\Windows\System32\Config\Software

Windows could not start because the following file is missing or corrupt:
\Windows\System32\Config\System
Note that in some cases this message may be garbled due to video display
refresh issues, appearing as:

Windows could not start because the following file is missing or corrupt:
\Windows\System32\Config\Systemced

Considerations
In a typical case of registry corruption the operating system is in a static
condition. With cases of corruption that occur during or after a service pack
installation, it is important to ensure that the end state you reach after
troubleshooting has registry hives and operating system files at matching
service pack levels. Leaving the customer in a configuration with an SP1
registry but SP2 files is not recommended, as it could lead to system
instability. The following considerations are vital:

● The state of registry hives in %windir%\Repair

● The state of registry hives in the most recent Restore Point

● The state of operating system files on the drive

In cases of registry corruption at the reboot during SP2 installation, the files
are in the following state:

● \Repair folder: Contains pre-SP2 registry hives

● Restore Point: Contains registry hives prior to SP2

● Operating System Files: SP2 files are installed

In order to get back to a stable configuration, the SP installation must be
rolled back to restore pre-SP files, and the registry must be restored from a
reliable pre-SP set of hives – typically those contained in the most recent
Restore Point.

● The procedures in this module are sourced from the following article:
KB Article: How to recover from a corrupted registry that prevents
Windows XP from starting (307545)


These steps have been streamlined and adjusted to target recovery scenarios
where the Repair registry does not match the SP level of current operating
system files.

Precautions
Potential for Malware Infection = Medium
There is some risk of infection during this process, because you will be
starting the computer with a registry that does not reflect changes made by
recent security updates. As a result you should take the following precautions
before continuing.

1. Disconnect the computer from the Internet and from any other
Network connection.
Note: If the computer uses a Wireless connection, remove the
wireless network adapter (where possible), or disable it if the
computer has an internal adapter but offers an On/Off switch. In the
event that the adapter cannot be easily removed or disabled, disable
the Access Point for the network until reaching the end of these steps.

2. When all of the recovery steps below are complete, configure all
Network Connections to use Internet Connection Firewall as a
precaution before connecting to the network or Internet.

Recovery Steps
To restore the computer to a stable condition, perform the following actions:

1. Use Repair Hives: Replace current registry hives with those from
%windir%\Repair.

2. Boot the Computer to Safe Mode: boot to Safe Mode in order to
access the Restore Point registry files easily.

3. Obtain Restore Point Hives: Retrieve registry hive files from a
recent Restore Point and place them in a folder under %windir%.

4. Use Restore Point Hives: Replace current registry hives with those
from the folder created in the previous step.

The steps for each of these actions are provided below.

1 Use Repair Hives


The best currently accessible registry files are in the %windir%\repair
directory. These need to be copied to the %windir%\system32\config folder,
after renaming the files currently in place.


The steps in this section should enable the computer to boot, but applications
installed since the Repair registry hives were last saved will likely not
function. You may also encounter

Use the following steps:

1. At the Recovery Console command prompt, type the following lines,
pressing ENTER after you type each line:

cd \windows\system32\config

ren system system.old

ren software software.old

ren SAM SAM.old

ren security security.old

ren default default.old

cd \

cd windows\repair

2. This next step checks the date and time on the files in the Repair
folder. It is important to determine how recently these files were
updated. They could be unchanged since Windows XP was originally
installed.

dir

3. Note the date the files were modified for use later.

4. Continue with the copy of files from the Repair folder to the Config
folder using the following commands:

copy system C:\windows\system32\config\system

copy software C:\windows\system32\config\software

copy sam C:\windows\system32\config\sam

copy security C:\windows\system32\config\security

copy default C:\windows\system32\config\default

Continue troubleshooting using the exit command to restart the computer.


2 Boot the Computer to Safe Mode


You may be unable to log on to the computer in Normal Mode at this point.
This can occur because the local user account passwords have been reset to
the point at which the Repair registry hives were last saved.

In the event that you cannot log on, use the Administrator account, which
does not have a password set by default.

3 Obtain Restore Point Hives


After gaining access to Windows, you can now make copies of the more
recent registries from the Restore Point folders created by System Restore. To
do this, use the following steps:

1. Start Windows Explorer.

2. On the Tools menu, click Folder options.

3. Click the View tab.

4. Under Hidden files and folders, click to select Show hidden files and
folders, and then click to clear the Hide protected operating
system files (Recommended) check box.

5. Click Yes when the dialog box that confirms that you want to display
these files appears.

6. Double-click the drive where you installed Windows XP to display a list
of the folders. It is important to click the correct drive.

7. Open the System Volume Information folder. This folder is
unavailable and appears dimmed because it is set as a super-hidden
folder.

Note: This folder contains one or more _restore {GUID} folders such
as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".

If you receive the following error message, use the steps below to add
the current user to the permissions for the folder. Otherwise proceed
to step 8 below.

C:\System Volume Information is not accessible. Access is denied.

a. Open My Computer, right-click the System Volume Information
folder, and then click Properties.

b. Click the Security tab, which will display an interface such as that
shown below.

Figure 42 – System Volume Information Security


c. Click Add, and then type the name of the current user. This is the
account with which you are logged on.

d. Click OK, and then click OK.

e. Double-click the System Volume Information folder to open it.

8. In the GUID folder, open a folder that was created recently. You may
need to click Details on the View menu to see when these folders
were created. There may be one or more folders starting with "RPx"
under this folder. These are restore points.

9. Open one of these folders to locate a Snapshot subfolder. The
following path is an example of a folder path to the Snapshot folder.
Also see for an image of a Snapshot folder:

C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot

10. From the Snapshot folder, copy the following files to the
C:\Windows\Tmp folder:

_REGISTRY_USER_.DEFAULT

_REGISTRY_MACHINE_SECURITY

_REGISTRY_MACHINE_SOFTWARE

_REGISTRY_MACHINE_SYSTEM

_REGISTRY_MACHINE_SAM

11. Rename the files in the C:\Windows\Tmp folder as follows:

Rename _REGISTRY_USER_.DEFAULT to DEFAULT

Rename _REGISTRY_MACHINE_SECURITY to SECURITY

Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE

Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM

Rename _REGISTRY_MACHINE_SAM to SAM

Continue with the steps below to put these files to use.
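The following Python script is an added example, not part of the training manual, that carries out the file-side part of this procedure in one place: it reports how old the hive files are (the step 2 "dir" check), selects the newest RPx restore point (step 8), and copies the five _REGISTRY_* files to a Tmp folder under their final hive names (steps 10 and 11). The _restore folder tree, the GUID placeholder and the file contents are constructed in a temporary directory so it runs anywhere; on a Windows XP machine you would point newest_restore_point at the _restore{GUID} folder under C:\System Volume Information and stage_snapshot_hives at C:\Windows\Tmp.

```python
"""Stage System Restore snapshot hives for the procedure above (added
example, not from the training manual). It models step 2 (how old are the
hives?), step 8 (pick the newest RPx folder) and steps 10 and 11 (copy the
_REGISTRY_* files to Tmp under their final hive names). The folder tree is
constructed in a temporary directory so the script runs anywhere; on a real
Windows XP machine you would point it at C:\\System Volume Information.
"""
import os
import re
import shutil
import tempfile
import time

# Snapshot file name -> hive name expected in %SystemRoot%\system32\config
HIVE_RENAMES = {
    "_REGISTRY_USER_.DEFAULT": "DEFAULT",
    "_REGISTRY_MACHINE_SECURITY": "SECURITY",
    "_REGISTRY_MACHINE_SOFTWARE": "SOFTWARE",
    "_REGISTRY_MACHINE_SYSTEM": "SYSTEM",
    "_REGISTRY_MACHINE_SAM": "SAM",
}

RP_NAME = re.compile(r"^RP(\d+)$")


def newest_restore_point(restore_dir):
    """Path of the RPx folder with the highest number, i.e. the newest point.

    Restore points are numbered in creation order, so the number is a more
    reliable ordering than the folder modification time.
    """
    found = []
    for name in os.listdir(restore_dir):
        m = RP_NAME.match(name)
        if m and os.path.isdir(os.path.join(restore_dir, name)):
            found.append((int(m.group(1)), name))
    if not found:
        raise FileNotFoundError("no RPx folders under %s" % restore_dir)
    return os.path.join(restore_dir, max(found)[1])


def hive_age_days(hive_dir, now=None):
    """Age in days of each hive present in hive_dir (the step 2 'dir' check)."""
    now = time.time() if now is None else now
    return {hive: (now - os.path.getmtime(os.path.join(hive_dir, hive))) / 86400.0
            for hive in HIVE_RENAMES.values()
            if os.path.exists(os.path.join(hive_dir, hive))}


def stage_snapshot_hives(snapshot_dir, tmp_dir):
    """Copy the five _REGISTRY_* files into tmp_dir under their hive names.

    Stops before copying anything if a file is missing, so the Recovery
    Console step never sees a half-complete set of hives.
    """
    missing = [s for s in HIVE_RENAMES if not os.path.exists(os.path.join(snapshot_dir, s))]
    if missing:
        raise FileNotFoundError("snapshot is incomplete: " + ", ".join(missing))
    os.makedirs(tmp_dir, exist_ok=True)
    for src_name, hive in HIVE_RENAMES.items():
        # copy2 keeps the snapshot's timestamp, so the age check still works
        shutil.copy2(os.path.join(snapshot_dir, src_name), os.path.join(tmp_dir, hive))
    return sorted(HIVE_RENAMES.values())


def demo():
    """Build a constructed _restore{...}\\RPx\\Snapshot tree and stage it."""
    base = tempfile.mkdtemp()
    restore = os.path.join(base, "_restore{GUID-PLACEHOLDER}")  # not a real GUID
    try:
        for rp in ("RP1", "RP2", "RP10"):
            snap = os.path.join(restore, rp, "Snapshot")
            os.makedirs(snap)
            for src_name in HIVE_RENAMES:
                with open(os.path.join(snap, src_name), "wb") as f:
                    f.write(b"regf " + rp.encode())  # stand-in content, not a real hive
        chosen = newest_restore_point(restore)
        tmp = os.path.join(base, "Tmp")
        staged = stage_snapshot_hives(os.path.join(chosen, "Snapshot"), tmp)
        with open(os.path.join(tmp, "SYSTEM"), "rb") as f:
            source_rp = f.read().split()[1].decode()
        fresh = all(age < 1 for age in hive_age_days(tmp).values())
    finally:
        shutil.rmtree(base)
    return os.path.basename(chosen), staged, source_rp, fresh


if __name__ == "__main__":
    print(demo())
```

The age check is the point of step 2: if the hives in the Repair folder are as old as the original installation, the passwords and software configuration they carry are equally old, which is why the Restore Point copies are preferred once you can log on.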

4 Use Restore Point Hives


Now these registry hive files can be copied to the proper location for use by
the system. To do this, return to Recovery Console.

1. Start Recovery Console.

2. At the command prompt, type the following lines, pressing ENTER
after you type each line:

cd system32\config

ren sam sam.rep

ren security security.rep

ren software software.rep

ren default default.rep

ren system system.rep

copy c:\windows\tmp\software

copy c:\windows\tmp\system

copy c:\windows\tmp\sam

copy c:\windows\tmp\security

copy c:\windows\tmp\default

3. Type exit to quit Recovery Console. Your computer restarts.

The computer should start in Normal Mode, and the most recent passwords
should be functional again.

Summary
The above steps have ensured that the final state of the computer has
matching files and registry configuration.

Remote Assistance
Remote Assistance is a support feature offered in Windows XP that gives
customers the ability to allow support personnel or another user to assist
them. The Helpee is able to give the Helper control of their machine in real
time. Built on Terminal Services technology, the Remote Assistance tool does
this by using a Terminal Services session running on the user's machine.

Using Remote Assistance


Remote Assistance is available in Help and Support, which is accessible from
the Start Menu. To start using Remote Assistance, use the Invite a friend to
connect to your computer with Remote Assistance link on the home
page in Help and Support.

Creating an invitation
The Start a Help Session Wizard starts and collects the following information:

● Email address of the Helper

● Whether or not to use a Password

● Number of hours until the request expires

Send the Invitation


The invitation can be sent via:

● Messenger

● E-mail

● Save invitation to a file

After the User clicks Send, the Start a Help Session Wizard uses MAPI calls to
send an email to the Helper's email address with an attachment. The Password
is not sent in the invitation; it should be sent separately.

Figure 43: Select how you want to contact the helper

Using an Invitation
The attachment will initiate a session-based connection with the User’s
machine when launched on a Windows XP machine. After a Helper executes
the attachment, the User is prompted to allow the Helper to connect. After
the User accepts the connection Help and Support Services opens on the
Helper’s machine and the User’s desktop can be viewed remotely by the
Helper.

Figure 44: Start a Help Session

Taking Control
The Helper can then click the Take Control button and the User will be
prompted to give control to the Helper. After the User allows the session to
begin the Helper will be able to control the User’s mouse and keyboard similar
to using Terminal Service Client.

Session Considerations
You can use voice communications by clicking on the Start Talking button, or
you can chat using the MSN messenger client. Windows XP automatically
adjusts settings to combat bandwidth issues by changing screen resolution to
800x600x16bit and turning off Wallpaper.

Offer Remote Assistance


Offer Remote Assistance, also called Unsolicited Remote Assistance, is
available in Enterprise settings. By setting up this option, administrators can
determine whether or not a support person, IT Administrator or any other
user can offer remote assistance to a specific computer without a user
explicitly requesting it first via a channel such as e-mail or Windows
Messenger.

Both machines must be running Windows XP or higher. This option is not
available on Windows XP Home Edition. The Novice's and Expert's computers
must be connected to the Internet or LAN.

The Offer Remote Assistance feature is not a viable option for most home-
based networks. This feature will be disabled by default and can only be
enabled through unattend.txt or via policy.

This feature requires the computer of the expert user as well as the computer
of the novice user to be members of the same domain, or members of trusted
domains.

By enabling this setting, you configure the machine to accept Remote
Assistance offers. When you configure this setting, you can make two
choices: you can select either "Allow helpers to only view the computer" or
"Allow helpers to remotely control the computer."

If you disable or do not configure this policy setting, users or groups cannot
offer unsolicited remote assistance to this computer. By default this setting is
“Not Configured.”

For More Information: KB Article: How to Use Offer Remote Assistance
(308013)

Disabling Solicited Remote Assistance


Administrators can restrict their users to receiving offers of Remote
Assistance only, without the ability to request RA themselves. To do that,
Administrators should enable the Offer Remote Assistance policy and
disable the following group policy: Local Computer Policy\Computer
Configuration\Administrative Templates\System\Remote Assistance.

Remote Desktop and Remote Assistance Compared


Microsoft® Windows® XP includes both Remote Desktop and Remote
Assistance. They are similar in appearance, but quite different in
implementation and intent. This section describes the differences.

Table 5: RA and RD compared (Remote Assistance: Home Edition and
Professional; Remote Desktop: Professional only)

● Remote Assistance: users receive assistance from a "helper" who can take
control of their desktop. Remote Desktop: users connect to their own
computer from a remote location.

● Remote Assistance: uses a Terminal Server "Shadow Session." Remote
Desktop: uses a regular Terminal Services session.

● Remote Assistance: can allow input from multiple users in the same
session. Remote Desktop: allows only one user's input in the same session.

● Remote Assistance: requires a user to be present at the remote computer.
Remote Desktop: allows full control of the remote computer without a user
present.

In many ways, Remote Desktop and Remote Assistance are very much alike.
They are both capable of providing a remote control session for a computer
for a user who is not at the physical location of the machine. They are both
built on the Terminal Services architecture. They both require permission to
establish a session, and either session type can be terminated from either
machine. Despite all those similarities, they are quite different.

Intended Purpose and Audience


Remote Desktop is targeted at a user who has a desktop machine containing
his applications and data files. Remote Desktop allows him to connect from a
variety of remote locations and operate the machine as if he were there.
Remote Desktop is designed for potential everyday use.

Remote Assistance is targeted at a user who needs assistance from a support
organization or friend. This may be for resolving a problem, or demonstrating
a technique. It is likely to be used only infrequently.

Remote Desktop
● Remote Desktop is designed for frequent accesses by an individual or
small group of users.

● Remote Desktop is generally designed for a user to remotely operate
his/her own machine from another location.

● Remote Desktop and Remote Assistance are available on Windows XP
Professional.

Remote Assistance
● Remote Assistance is intended for one-time or infrequent access for
troubleshooting and resolving a problem, or demonstrating a technique.

● Remote Assistance is intended for a helpdesk, friend, or other support
person to access the machine of an end-user.

● Remote Assistance is available on the Windows XP Home Edition.

Obtaining Access Rights


With Remote Desktop, the user is granted rights to access the machine
remotely at any time. It is likely that the same user will access the machine
many times, and can do so without any additional authorization.

With Remote Assistance, the user of the remote machine must create an
access Invitation and send it to the person who is being granted Remote
Assistance rights. This Invitation has a limited life and has a password created
specifically for the invitation. After the life of the invitation expires, a new
invitation is required for launching a session.

Initiating a Session
With Remote Desktop, the customer need only double-click their saved
connection to launch a session. If their account password is correct, the
session is established. No human activity is needed at the remote location.

With Remote Assistance, the customer must execute the invitation they were
sent, and enter the password. The user of the remote machine must then
accept the request for a Remote Assistance session. For that reason, there
are always two people involved with Remote Assistance.

Comparing the Client Views


With Remote Desktop, if the session is run in full screen mode, the client view
is exactly as it would be if the user were at the physical console of the remote
machine.

Figure 45: Remote Desktop client view


With Remote Assistance, there are multiple application windows open that
relate to the session itself. These include the local chat window, the remote
chat window, and the remote session control dialog.

Figure 46: Remote Assistance client view

Comparing the Remote Consoles


With Remote Desktop, the remote console is locked. All that is visible is the
logon screen.

With Remote Assistance, every aspect of the session is visible on the remote
screen. This is by design, since the intent is for a potential stranger to be
manipulating the machine. The owner will want to watch the process, and to
learn by watching how the expert approaches the problem. He may also need
to collaborate with the remote expert, which he can do from the physical
console.

Terminating a Remote Session


It is not likely that a Remote Desktop session will be terminated from the
remote machine, but it is possible. A user logging on to the physical console
will terminate the remote session.

With Remote Assistance, the user at the remote computer can terminate the
session by pressing a key or clicking a button. This provides an increased
level of comfort for persons leery of allowing remote control of their machine.

Comparing User Control


Remote Desktop
One user manipulates all controls on both machines. He can use the remote
machine as if he were at its location.

Remote Assistance
Both users can manipulate mouse and keyboard during the same session.
This could lead to some inefficiencies.

Summary
Remote Assistance is ideal for:

● Collaboration between users

● Remotely performing technical support

● One-time accesses

● The Windows XP Home Edition

Remote Desktop is ideal for:

● Using one’s primary machine from a remote location

● Frequent accesses

Troubleshooting Remote Assistance


If you receive a "Permission denied" error on the Expert machine when using
Offer Remote Assistance to connect to the Novice computer, check that the
account trying to connect is added to the Helpers group under the Offer
Remote Assistance group policy, and that the Everyone account or the
Domain Users accounts are granted the "Access this computer from the
network" user right on the Novice machine. Set the policy under Windows
Settings\Security Settings\Local Policies\User Rights Assignment\Access this
computer from the network.

If you receive error message “The Remote Server machine does not exist or is
unavailable,” check for connectivity on both ends.

If you receive error message “A program could not start. Please try again,”
check that the group policy for Offer Remote Assistance is set on the Novice.

Connections
Network Address Translation devices, or NATs, are a potential source of
connection issues for Remote Assistance.

A NAT acts as an agent for its clients, communicating on the network on their
behalf. It uses its own IP address for all communication, and routes the
session communication of the clients back to them on what’s known as a
“private” network. With this arrangement, the IP addresses and machine
names of the client machines are never exposed on the public side of the
NAT.

This becomes an issue when the IP address of a Novice is masked behind a
NAT. The Expert executing an Invitation file from outside the NAT cannot find
the Novice machine by its name or IP address, and therefore cannot make a
Remote Assistance connection.

If the Expert is behind the NAT, but the Novice is not, the connection will
succeed. Since the Expert initiated the session by traversing outbound
through the NAT, the external Novice machine’s responses will be returned to
the Expert through the session established through the NAT.

In short, it will work if initiated in one direction, but not in the other. If both
machines are behind NATs, Remote Assistance cannot be used.

Figure 47: Novice is behind a NAT


There are some ways to make the seemingly impossible inbound connection
through a NAT.

When we were examining the Invitation creation process, it was noted that
the Novice machine will query for the existence of a UPnP NAT on its network.
We’ll now see why.

If a UPnP NAT is found, Remote Assistance will request the external, or public
side, IP address of the NAT. It will also request that an external port be
routed to port 3389 on the Novice machine. The UPnP NAT sends the IP
address and port number to Remote Assistance, and establishes the port
mapping. Remote Assistance then enters that information into the Invitation.

Figure 48: UPnP NAT


When the Expert executes the Invitation, it sends the connection request to
the external IP address of the NAT, specifying the port number that was
provided in the Invitation. Due to the port routing configured on the NAT, the
request is sent to port 3389 on the Novice machine. The Novice accepts the
connection request, and the Remote Assistance session is established.

This was configured automatically. The Novice may not even know he’s
behind a NAT.

If the NAT is not a UPnP device, it will not respond to the configuration
request of the Remote Assistance Invitation creation process. Since it has not
created a mapping or provided its external IP address, that information
cannot be entered into the Invitation.

The connection request will fail since the Novice machine cannot be contacted
from outside the NAT. All is not lost. There are ways around this problem.

How to Make RA Work (The hard way)


It is possible to perform the UPnP steps manually. The Invitation can be
created and saved as a file. It can then be edited in notepad to add the
external IP address of the NAT and the forwarded port information. The
Novice will need to know how to configure port forwarding on his NAT and the
NAT’s external IP address. The Invitation can then be sent to the Expert. If
there are no file editing errors, or NAT configuration errors, this will work.
Few end-users would find this a friendly process. There is another way.

How to Make RA Work (The easy way)


The easiest workaround is to use the Windows Messenger connection process.
Windows Messenger connection process initially sends a reverse connection
request. This means it is sent from the Novice to the Expert. In the case with
the Novice hidden behind the NAT, it will connect when the other methods
fail. Additionally, if the initial connection attempt fails, the Windows
Messenger method tries the connection from the other direction. This way,
either of the machines can be behind a NAT and the connection will succeed.
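The connection-direction rules in the NAT discussion above (Novice behind a NAT fails, Expert behind a NAT succeeds, a UPnP mapping makes the inbound request reach port 3389, the Windows Messenger reverse request works when the Novice is the one behind the NAT) are easy to get backwards, so here is an added Python model of them. It is not Microsoft's code and does not reproduce the real Invitation file format; the host names, addresses, the 49152 starting port for UPnP mappings and the invitation dictionary are all constructed for the example.

```python
"""Model of the Remote Assistance connection cases described above (added
example, not Microsoft's code). Hosts, NATs, addresses and the invitation
record are constructed; the real invitation file format is not reproduced.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

RA_PORT = 3389  # port the Novice's Remote Assistance listener uses


@dataclass
class Nat:
    """A NAT with one public address and a table of inbound port mappings."""
    public_ip: str
    upnp: bool                                    # answers UPnP mapping requests?
    mappings: dict = field(default_factory=dict)  # ext port -> (private ip, port)
    ports: count = field(default_factory=lambda: count(49152))  # constructed range

    def request_mapping(self, private_ip, private_port):
        """UPnP request from the Novice: map a fresh external port to it.
        Returns (public ip, external port), or None if the NAT is not UPnP."""
        if not self.upnp:
            return None
        ext = next(self.ports)
        self.mappings[ext] = (private_ip, private_port)
        return self.public_ip, ext

    def inbound(self, ext_port):
        """Where an unsolicited inbound packet goes: only mapped ports reach a client."""
        return self.mappings.get(ext_port)


@dataclass
class Host:
    name: str
    ip: str                       # a private address when behind a NAT
    nat: Optional[Nat] = None

    def public_address(self):
        return self.ip if self.nat is None else self.nat.public_ip


def create_invitation(novice):
    """What the wizard records: the address the Expert should connect to."""
    mapped = novice.nat.request_mapping(novice.ip, RA_PORT) if novice.nat else None
    if mapped is None:
        # No NAT, or a NAT that ignored the UPnP request: the Novice's own address
        return {"ip": novice.ip, "port": RA_PORT}
    return {"ip": mapped[0], "port": mapped[1]}


def connect(dst_ip, dst_port, hosts):
    """Host that a new connection to dst_ip:dst_port reaches, or None.
    The initiator's own NAT always passes outbound traffic and returns the
    replies, so only the destination side decides whether it is reachable."""
    for host in hosts:
        if host.nat is None:
            if host.ip == dst_ip and dst_port == RA_PORT:
                return host
        elif host.nat.public_ip == dst_ip and host.nat.inbound(dst_port) == (host.ip, RA_PORT):
            return host
    return None


def session_outcome(novice_nat, expert_nat, messenger=False):
    """How the session gets established ('direct' or 'reverse'), or 'failed'."""
    novice = Host("novice", "192.168.1.5" if novice_nat else "198.51.100.5", novice_nat)
    expert = Host("expert", "10.0.0.7" if expert_nat else "203.0.113.9", expert_nat)
    hosts = [novice, expert]
    inv = create_invitation(novice)
    if connect(inv["ip"], inv["port"], hosts) is novice:
        return "direct"   # the Expert reached the address in the Invitation
    if messenger:
        # Messenger sends the request the other way first, Novice -> Expert;
        # its retry in the original direction is the attempt already made above
        if connect(expert.public_address(), RA_PORT, hosts) is expert:
            return "reverse"
    return "failed"


if __name__ == "__main__":
    print("both public:", session_outcome(None, None))
    print("novice behind plain NAT:", session_outcome(Nat("203.0.113.1", upnp=False), None))
    print("... via Messenger:", session_outcome(Nat("203.0.113.1", upnp=False), None, True))
    print("novice behind UPnP NAT:", session_outcome(Nat("203.0.113.1", upnp=True), None))
    print("both behind NAT:", session_outcome(Nat("203.0.113.1", False), Nat("203.0.113.2", False), True))
```

The model also makes the exposure side of the UPnP case visible: once request_mapping has run, anything that reaches the NAT's public address on the mapped port is forwarded to port 3389 on the Novice, which is why the Invitation's password and expiry time matter and why the mapping should not outlive the Invitation.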

Remote Assistance & DHCP


Since Remote Assistance makes its connections by IP address, if the Novice's
IP address has changed, the connection will fail. Many TCP/IP networks use
DHCP, so there is no guarantee that a machine's IP address will remain the
same from connection to connection. If the Novice has logged off the
network, or restarted the machine since creating a Remote Assistance
Invitation, it is possible that the Invitation is no longer valid.

Resolving the issue requires creation of a new Invitation and establishing the
Remote Assistance session before logging off or rebooting.

Another resolution is to use the Windows Messenger connection method.
Since it connects in real time, there is little possibility that the IP address
could be changed.

Resources
● KB Article: You Cannot Start a Remote Assistance Session Because the
Start Remote (814337)

● KB Article: Attempt to offer Remote assistance returns "A program could
not start (330489)

● KB Article: Cannot Establish a Remote Assistance Connection (311889)

● KB Article: Permission Denied Error When You Are Using Offer Remote
Assistance (310629)

● KB Article: Remote Assistance Invitation Does Not Work After Being
Disconnected from (310612)

● KB Article: Remote Assistance Session Cannot Connect (306045)

Data Loss/Data Recovery Discussion


IMPORTANT: In order to ensure Microsoft is doing all it can to prevent data
loss, you must provide adequate guidance to our customers when data loss is
possible. Use the following considerations and warnings to help ensure our
customers

Before Any Troubleshooting


Before proceeding with troubleshooting it is important to establish whether
the customer has critical data on the machine that is not backed up.

Preserving the customer’s data is your top priority. There is nothing more
damaging to a customer’s experience with support, and to their satisfaction
with Windows and with Microsoft, than data loss. As a result, make sure that
you clearly understand the potential consequences of each action before
performing your troubleshooting. If you are not sure whether data loss could
occur from a troubleshooting step, get assistance to verify the safety of that
action before proceeding.

Understanding where Data Loss is Possible


The following two sections highlight some symptoms and troubleshooting
steps that could indicate or cause data loss. The troubleshooting steps
discussed, such as a Parallel installation of Windows XP, are not typically
dangerous. The risk of data loss comes from two possible problems:

● Faulty hardware is causing the issue, and this could cause data
corruption.

● Errors during the troubleshooting could cause data to be overwritten.

Because of these risks it is critical that you understand the potential
consequences of your troubleshooting.

Potential for Data Loss = High


The following scenarios carry a high risk of data loss – either because they
are symptomatic of possible hardware failure, or because of a strong potential
for accidentally overwriting data. Using chkdsk to fix disk issues, for example,
can cause files to be removed or truncated. If the customer does not have a
backup, it would be better to make and verify a backup or take the computer
to a data recovery specialist first to be sure all possible data is retrieved.

Because of the risks it is critical to warn customers before proceeding with
troubleshooting to ensure they have a good backup.

● Upgrade to Windows XP from a previous version of Windows.

● Reinstalling Windows XP from OEM media. These installations are often
a full system restore from a disk image, which replaces the contents of
the hard disk.

● In any situations where In-place Upgrade/Repair/Reinstall/Parallel install
FAILS during the text-based or GUI-based setup process.

● Customer is unable to access safe or normal mode. Troubleshooting for
such severe issues can result in data loss.

● Customer performs a repair of the O/S and this fails during the repair
process.

● Computer is stuck in a reboot loop with no access to safe or normal
mode.

● Circumstances that require troubleshooting to be performed from
Recovery Console (i.e. fixmbr, fixboot), yet customer is unable to access
the console.

● Unable to access the hard drive(s) from safe or normal mode.

● Unable to see data (files & folders) within the drive(s).

● Using Chkdsk to fix issues on the disk. In the event that files are
damaged, they can be deleted or truncated in this process.

● Performing a manual uninstall of Windows XP.

● Encountering any of the following errors can indicate a hardware issue
with the potential to cause data loss:

○ Stop 0x00000023: FAT_FILE_SYSTEM
This error can indicate corruption in the file system, as well as disk,
disk controller or cabling failures. When you encounter this issue,
some data on the drive may already be corrupt or inaccessible.

○ Stop 0x00000024: NTFS_FILE_SYSTEM
This error can indicate corruption in the file system, as well as disk,
disk controller or cabling failures. When you encounter this issue,
some data on the drive may already be corrupt or inaccessible.

○ Stop 0x00000050: PAGE_FAULT_IN_NONPAGED_AREA
This Stop error can be related to faulty RAM or a device driver on the
system that is corrupting memory. As a result corrupt data could be
written to the disk, causing file corruption.

○ Stop 0x0000007B: INACCESSIBLE_BOOT_DEVICE
This error indicates that the driver for the disk controller is failing to
load, or that the disk controller or disk has failed.

○ Stop 0x000000ED: UNMOUNTABLE_BOOT_VOLUME
This error indicates that while the disk controller driver is loading, the
partition containing Windows cannot be mounted. This can indicate a
problem with the hard disk, as well as cabling issues.

○ System Event ID 7: Source: Disk, "The device, \Device\Harddisk1,
has a bad block."

○ System Event ID 50: Source: Disk, "Delayed write failed. Windows
was unable to save all the data for the file x. The data has been lost."
This error can also indicate cabling problems.

○ System Event ID 51: Source: Disk, "An error was detected on
device \Device\Harddisk1\DR1 during a paging operation."

While the above list is not comprehensive, you can see that there is a range
of issues where the potential for lost or corrupt data is high. Becoming
familiar with the types of issues listed above will help you best advise the
customer on when they may want to stop before further troubleshooting to
ensure that they have a safe backup copy of all critical data on the computer.
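As an added example (not Microsoft's tooling), the following Python pass turns the Stop codes and Disk event IDs listed above into a small detection rule set and runs it over a handful of constructed System log and Stop-screen lines, so a support engineer can decide up front whether a machine should get a verified backup before any troubleshooting starts. The sample lines, the regular expressions and the result shape are assumptions made for this example; the codes and IDs are the ones on the page.

```python
"""Flag the high-risk symptoms listed above in log lines (added example,
not Microsoft's tooling). The sample lines are constructed; the Stop codes
and Disk event IDs are the ones from the list above.
"""
import re

# Stop codes from the high-risk list and what each points to
HIGH_RISK_STOPS = {
    0x23: "FAT_FILE_SYSTEM: file system corruption, disk, controller or cabling",
    0x24: "NTFS_FILE_SYSTEM: file system corruption, disk, controller or cabling",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA: faulty RAM or a driver corrupting memory",
    0x7B: "INACCESSIBLE_BOOT_DEVICE: disk controller driver, controller or disk",
    0xED: "UNMOUNTABLE_BOOT_VOLUME: boot partition cannot be mounted, disk or cabling",
}

# System log events with Source "Disk" from the high-risk list
HIGH_RISK_DISK_EVENTS = {
    7: "bad block on the device",
    50: "delayed write failed, data lost (can also be cabling)",
    51: "error during a paging operation",
}

STOP_RE = re.compile(r"STOP:?\s*0x([0-9A-Fa-f]{8})", re.IGNORECASE)
EVENT_RE = re.compile(r"Event ID[:=]?\s*(\d+).*?Source[:=]?\s*(\w+)", re.IGNORECASE)


def classify_line(line):
    """Return (risk, reason) for one line: 'high', 'unknown' or 'none'."""
    m = STOP_RE.search(line)
    if m:
        code = int(m.group(1), 16)
        if code in HIGH_RISK_STOPS:
            return "high", "Stop 0x%08X %s" % (code, HIGH_RISK_STOPS[code])
        return "unknown", "Stop 0x%08X is not on the data-loss list" % code
    m = EVENT_RE.search(line)
    if m:
        event_id, source = int(m.group(1)), m.group(2)
        if source.lower() == "disk" and event_id in HIGH_RISK_DISK_EVENTS:
            return "high", "Event %d (Disk): %s" % (event_id, HIGH_RISK_DISK_EVENTS[event_id])
    return "none", ""


def assess(lines):
    """Summarise a batch of lines: whether to insist on a backup, and why."""
    reasons = [reason for risk, reason in map(classify_line, lines) if risk == "high"]
    return {"backup_first": bool(reasons), "reasons": reasons}


SAMPLE_LINES = [  # constructed for this example, not real captures
    "Event ID: 7 Source: Disk The device, \\Device\\Harddisk1, has a bad block.",
    "Event ID: 51 Source: Disk An error was detected on device \\Device\\Harddisk1\\DR1 "
    "during a paging operation.",
    "Event ID: 6005 Source: EventLog The Event log service was started.",
    "STOP: 0x000000ED (0x00000000, 0x00000000, 0x00000000, 0x00000000) UNMOUNTABLE_BOOT_VOLUME",
    "STOP: 0x0000007E (0x00000000, 0x00000000, 0x00000000, 0x00000000)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_line(line))
    print(assess(SAMPLE_LINES))
```

Any 'high' hit means the conversation about a verified backup or a data recovery specialist happens before chkdsk, a repair install or a registry restore is attempted; an 'unknown' Stop code is a prompt to look it up rather than a green light.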

Potential for Data Loss = Moderate or Low


The following scenarios carry a lower risk of data loss – typically related to
improper selections during one of these steps. A Parallel Installation, for
example, can cause data loss if you accidentally select the wrong partition
during Text Mode setup.

Because of the risks it is advisable to warn customers before proceeding with
troubleshooting to ensure they have a good backup.

● Changing BIOS configuration settings.

● Editing the registry.

● Performing a Clean Installation of Windows.

● Performing a Repair or In-Place Upgrade Installation of Windows.

● Performing a Parallel Installation of Windows.

● Troubleshooting registry corruption using the steps in KB article
307545.

● Performing a manual uninstall of Service Pack 2 for Windows XP.

Again, the list above is not comprehensive, but it should give you an
indication of the type of issues that carry the potential for lost data. When in
doubt get assistance before proceeding with troubleshooting.

Setting Expectations
When data loss is a possibility, we recommend that the customer back up any
data they have before continuing. If they continue and we do indeed lose the
data, we recommend that they take the computer to a data recovery
specialist.

Standard Disclaimers
REGISTRY DISCLAIMER:
Modifying REGISTRY settings incorrectly can cause serious problems that may
prevent your computer from booting properly. Microsoft cannot guarantee
that any problems resulting from the configuring of REGISTRY settings can be
solved. Modifications of these settings are at your own risk.

BIOS DISCLAIMER:
Modifying BIOS/CMOS settings incorrectly can cause serious problems that
may prevent your computer from booting properly. Microsoft cannot
guarantee that any problems resulting from the configuring of BIOS/CMOS
settings can be solved. Modifications of the settings are at your own risk.

THIRD PARTY SOFTWARE DISCLAIMER:
Using Third Party Software, including hardware drivers, can cause serious
problems that may prevent your computer from booting properly. Microsoft
cannot guarantee that any problems resulting from the use of Third Party
Software can be solved. Using Third Party Software is at your own risk.

FORMAT/CLEAN INSTALL DISCLAIMER:
Formatting the hard drive will wipe out ALL data, programs and user settings
that you have on the computer. If there is any information on this computer
that you do not want to lose, or is not backed up, you will need to make
backups before proceeding with the FORMAT/CLEAN INSTALL.
