The names of actual companies and products mentioned herein may be the
trademarks of their respective owners.
No part of the text or software included in this training package may be reproduced
or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or any information storage and retrieval system, without
permission from Microsoft®. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any information
presented after the date of publication.
To obtain authorization for uses other than those specified above, please visit the
Microsoft Copyright Permissions web page at
http://www.microsoft.com/permission/copyrgt/img-req.htm.
This content is proprietary and confidential, and is intended only for users described
in the content provided in this document. This content and information is provided
to you under a Non-Disclosure Agreement and cannot be distributed. Copying,
disclosing all or any portion of the content and/or information included in this
document is strictly prohibited.
Table of Contents
Introduction
System Restore
  What System Restore Does
  System Restore Boundaries
  Architecture Overview
  Summary
  System Restore Configuration
  Drive Frozen Due to Low Disk Space
  System Restore Points
  Data not in a Restore Point
  System Restore Timeline
  Using System Restore
  System Restore in Safe Mode
  Restoring
  Troubleshooting System Restore
  Functionality in Safe Mode Scenarios
  General Troubleshooting
  Resources
  System Restore and Service Pack Installation
WFP/SFC
  Windows File Protection and Driver Signing
  What is WFP?
  How WFP works
  WFP Allowable Updates
  WFP Utilities
  WFP Configuration
  Windows File Protection Troubleshooting
Diagnostic Tools
  Documentation Resources
  Help and Support
  Resource Kit
  MSDN – Advanced Documentation
  Windows Hardware and Driver Central
  MSConfig
  MSInfo32
  Event Logs
  Using Event Logs for Troubleshooting
  MPSReports
  Error Reporting
  Dr. Watson
  Cacls
  Support Tools
  RASDiag
  Windiff
Recovery Console
  Using Recovery Console
  Performing Troubleshooting in Recovery Console
  Recovery Console Details
Kernel Errors
  Why do you need to know about Kernel Mode error messages?
  What is a Kernel Mode Error?
  Stop Messages
  Stop Error Troubleshooting
  Troubleshooting Information to Gather from Stop Messages
  Troubleshooting Steps
  Disable Automatic Restart on System Failure
  Specific Bugcheck Codes
  0x0000000A: IRQL_NOT_LESS_OR_EQUAL
  0x0000001E: KMODE_EXCEPTION_NOT_HANDLED
  0x0000007B: INACCESSIBLE_BOOT_DEVICE
  0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
  0x0000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED
  0x000000C2: BAD_POOL_CALLER
  STOP: C0000135: {Unable To Locate Component}
  0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED
  0xC0000221: STATUS_IMAGE_CHECKSUM_MISMATCH
User Mode Errors
  Application Errors
  User Mode Errors
  Why do you need to know about User Mode Error messages?
  What is a User Mode Error?
  Troubleshooting
Registry Troubleshooting Techniques
  What Is the Registry?
  Registry Structure
  What Is the Registry Editor?
  Registry Editor Features
  Registry Troubleshooting Techniques
  Prune and Graft
  Monitoring Registry Access
  Registry Corruption Troubleshooting
  Considerations
  Precautions
  Recovery Steps
Remote Assistance
  Using Remote Assistance
  Creating an invitation
  Send the Invitation
  Using an Invitation
  Taking Control
  Session Considerations
  Remote Desktop and Remote Assistance Compared
  Intended Purpose and Audience
  Obtaining Access Rights
  Initiating a Session
  Comparing the Client Views
  Comparing the Remote Consoles
  Terminating a Remote Session
  Comparing User Control
  Summary
  Troubleshooting Remote Assistance
  Connections
  Resources
Data Loss/Data Recovery Discussion
  Before Any Troubleshooting
  Understanding where Data Loss is Possible
  Setting Expectations
Table of Figures
Figure 1: System Restore Welcome Screen
Figure 2: System Restore Wizard Options
Figure 3: Filter Driver Architecture
Figure 4: System Restore Configuration
Figure 5: Settings for C: drive
Figure 6: Use the DCU to make more space
Figure 7: Registry keys
Figure 8: System Restore timeline
Figure 9: Filelist.xml
Figure 10: Accessing System Restore through MSconfig
Figure 11: Accessing System Restore through MSinfo32
Figure 12: System Restore Wizard
Figure 13: SRDiag
Figure 14: Successful file restoration logged
Figure 15: Prompt for CD
Figure 16: Event cancelled
Figure 17: Unsigned drivers
Figure 18: Run Sigverif
Figure 19: Unsigned drivers listed by sigverif
Figure 20: System Configuration Utility
Figure 21: Looking for Errors later than Event ID 6005
Figure 22: Event Log Error
Figure 23: Error Reporting
Figure 24: Windiff
Figure 25: Press R to Start Recovery Console
Figure 26: Select Installation
Figure 27: Logon and Command Prompt
Figure 28: Fixboot
Figure 29: Fixboot
Figure 30: FixMBR
Figure 31: Diskpart
Figure 32: Diskpart
Figure 33: Kernel Mode Error (Stop Error)
Figure 34: Startup and Recovery Settings
Figure 35: Kernel Mode Error - Stop Error
Figure 36: User Mode Error
Figure 37: Error Reporting Dialog Box
Figure 38: Error Details Dialog box
Figure 39: Hives in Regedit
Figure 40: Keys in Regedit
Figure 41: Regmon Output
Figure 42: System Volume Information Security
Figure 43: Select how you want to contact the helper
Figure 44: Start a Help Session
Figure 45: Remote Desktop client view
Figure 46: Remote Assistance client view
Figure 47: Novice is behind a NAT
Figure 48: UPnP NAT
Tools and Troubleshooting Introduction
Introduction
Module Objectives:
Discuss:
● System Restore
● WFP/SFC
● Diagnostic Tools
● Recovery Console (RC)
● Kernel Errors
● User Mode Errors
● Remote Assistance
6 Microsoft Partner
System Restore Tools and Troubleshooting
System Restore
If users experience a system failure or another significant problem, they can
use System Restore from Safe Mode or Normal Mode to return to a previous
system state and restore normal system functionality. System Restore actively
monitors changes to system files and some application files in real time, and
records or stores the previous versions before the changes occur. Restore points
contain a snapshot of the registry, and may contain key system files that
have been changed. Restore points are created at the time of significant
system events (such as an application or driver installation) and periodically
(every 10 hours of session time or every 24 hours of calendar time). Additionally,
users can create and name their own restore points at any time. This allows the
user to "roll back" the state of the system to a previous time when everything
was working.
System Restore is designed so that the user never needs to explicitly take
manual snapshots; the backup is done silently in the background. Windows XP
provides meaningful restore points that correspond to major system change
events (for example, an application installation). When a problem occurs, users
can roll the system back to the point in time immediately before a restore
point was taken (for example, before application XYZ was installed and the
machine's problems began).
Once the user selects a restore point, System Restore creates a restore map
and conducts the restore by specifying:
Note:
A user can set which drives System Restore monitors on its Properties page;
however, it is not possible to disable SR on the system drive and leave it
enabled on non-system drives. The list of excluded and included files (SFP) is
in %windir%\System32\Restore\filelist.xml.
Note:
System Restore does not back up data and so cannot be used to perform a
backup for purposes of protecting data.
Note:
System Restore can be used to revert Windows XP to before the installation of
Service Pack 1 (SP1). This may cause PPPoE to break in Windows XP
networking as described in Q320558.
Note:
When performing troubleshooting in Windows XP, it is often necessary to
perform a Clean Boot with all services disabled using the MSConfig Utility.
When this is done, the System Restore Service is also switched off, removing
all saved Restore Points. Consider trying System Restore to solve the issue
prior to disabling the service or do a Clean Boot leaving the System Restore
Service running.
Last, System Restore is not a virus protection program. The data store is no
longer inaccessible to antivirus utilities, so antivirus programs can now scan
the contents of the System Restore .CAB files for infected files. But the bottom
line is that System Restore should not be relied upon to remove viruses. It is
possible to restore to a previous point and still have the virus on the system,
and an infected file that was captured in a restore point comes back if that
point is restored.
Architecture Overview
To track and copy files before they are changed, System Restore uses a file
system filter driver that runs in kernel mode. This filter driver monitors file
system operations and, for selected file types and operations, briefly
interrupts the operation (for example, a DELETE FILE) and copies or moves the
original file before the operation completes. The file changes are entered
into a change log, and the file copies and logs are stored in an archive (the
data store) on the drive or partition where the original file resided.
Change-based file copying happens once per specific file per system session or
per restore point: after the original has been saved once, later changes to
the same file within that restore point are not copied again.
The operations that the filter driver takes note of are known as "interesting"
operations, and include the creation, deletion and modification of system
files. Physical attribute changes or renames of a system file, and ACL changes
made to the System Restore archive or to system files, are also interesting
operations. The System Restore filter driver intercepts these Win32 file system
calls, logs each change to the change log and renames or copies the original
file into the data store. Once the operation has been logged, it is passed
through to NTFS (or the underlying file system) and allowed; that is, the
requested change to the file goes ahead.
The System Restore Wizard is provided to the user so that a simple interface
can be used to roll back the system. The wizard interface contains the options
to restore the computer back to a previous point, create a new restore point,
or undo a previous restore.
System Restore Configuration
Select the drive that you want to modify and click the Settings button to
change how much space is allotted on each drive for System Restore.
Drive Frozen Due to Low Disk Space
Users see the Non-System Drive settings view when a non-system drive is
suspended. In this view, the selected non-system drive has been frozen
(suspended). The dialog also contains a link to Disk Cleanup (DCU), and the
data store slider appears grayed out until SR has resumed monitoring (once at
least 200 MB of space has been freed).
When the Multiple Drives suspended (frozen) view appears, all drives are
suspended because they have run out of disk space. When there are multiple
partitions, the Disk Cleanup link appears on the Settings dialog for each drive.
The Settings button for any non-system drive is inactive (grayed out) until the
system drive is monitoring again.
If the system drive is frozen, all drives are frozen. Once the user has run
Disk Cleanup on C: and closes the Settings dialog, all other drives show
Monitoring as their status.
System Restore Points
Each restore point captures, among other things:
● Registry settings
● WFP cache
● WMI DB
Note:
The restore point folders and files are super-hidden (hidden system files).
Customers may need to change the Folder Options view settings in Windows
Explorer (show hidden files and folders, and clear "Hide protected operating
system files") in order to see them.
Figure 8: System Restore timeline. Actions along the time axis: Office 2K
installed; Evil App installed; System Checkpoint; restore system to before Evil
App was installed. The lower axis shows the machine state at each point in time.
Figure 9: Filelist.xml
Using System Restore
The direct ways to start the System Restore user interface are:
● In the Start menu, by choosing All Programs > Accessories > System Tools >
System Restore
The executable is RSTRUI.exe, located on the system drive in
%windir%\System32\Restore.
The indirect ways to run the System Restore user interface are through
MSCONFIG.exe, MSINFO32.exe and the Help and Support Center; in each of these,
select System Restore from the list of tasks the program offers.
System Restore in Safe Mode
● If the FirstRun registry value is set and you boot into Safe Mode, Windows
does not initialize SR.
Restoring
In the System Restore Wizard there are three major choices:
● Restore my computer to an earlier time
● Create a restore point
● Undo my last restoration
● The user can restore to roll back changes to the registry and to key
system or application files. Note that the Recovery Console, which is used
to repair a damaged installation of Windows XP, does not tie into System
Restore's restore points and cannot be used in that way.
● A user can undo a restoration. Undoing simply rolls back to the snapshot of
the system state taken immediately before the restore, which is useful when
a restore has rendered the system unusable.
● There is no user data loss: restoring the system does not cause you to
lose changes to personal data files.
● It is automatic and easy for the consumer user, while flexible and powerful
enough for advanced users and administrators.
Troubleshooting System Restore
SRDiag
● Located in <systemdrive>:\windows\system32\restore.
● Can be run from the command prompt by typing:
<systemdrive>:\windows\system32\restore\srdiag
● You can also specify where to place the cab file, give it a custom name, or
add a file to it, by typing the following at the command prompt:
<systemdrive>:\windows\system32\restore\srdiag
[/Cabname:test.cab] [/Cabloc:"c:\temp\"] [/file:"c:\boot.ini"]
where:
/cabname is the full name of the cab file to create.
/cabloc is the location in which to store the cab; the path should end with a
backslash.
/file is the path and name of a file to add to the cab. This switch can be
used many times.
Resources
● KB Article: System Restore: Description and Functionality of Srdiag.exe
(Q302343)
Logging
System Restore creates a log entry for every file copy it makes. Additionally,
every time a restore point is created System Restore logs it, whether or not
the point is exposed to the user. This includes restore operations performed
in Safe Mode: although Windows does not create restore points in Safe Mode, it
makes a log entry when a restore is run from Safe Mode, for troubleshooting
and supportability.
● System Restore does not replace all files of a removed program. For
example, an application is installed on Microsoft® Windows® XP and SR takes
a system snapshot. Later the application is uninstalled, and the user then
attempts to roll the system back to the state in which the application was
installed. While the registry settings and some of the application's files
are restored, not all of its files are necessarily restored. If the
application does not work correctly, reinstall it from the original media.
● System Restore and automatic restore points for unsigned drivers. When an
automatic restore point is created for an unsigned driver installation, all
that is listed in the System Restore user interface is "Unsigned driver
installation"; the name of the driver is not listed. This behavior is by
design.
● System Restore restore points are missing or deleted. There are five cases
in which restore points can be deleted.
General Troubleshooting
There are a number of general troubleshooting steps that can be followed
when a problem is encountered with the System Restore feature.
Lack of disk space can cause System Restore to fail. Check that all drives with
System Restore enabled meet the recommended 200 MB minimum of free space.
The System Restore Service must be running. This can be checked in Computer
Management > Services, or by typing "net start" at the command prompt, which
lists the services that are currently running. To reach the services list, go
to Control Panel > Administrative Tools > Computer Management > Services and
Applications > Services and look for System Restore Service.
If there are fewer restore points than there should be, check that enough disk
space is allocated to System Restore: go to Control Panel > System > System
Restore tab, choose a drive, click Settings and check the size of the data
store.
Potential Issues
Four potential issues have been identified for System Restore:
● Users may also lose downloaded files or files with monitored extensions
that are not saved to specified directories.
The first two are the result of misconceptions about the feature and can be
rectified with user education. The last two are issues which have been
documented in Knowledge Base articles and for which steps to resolution are
available.
System Restore removes only files with monitored extensions, such as .ini,
.exe and .dll. Restoring to a point before an application was installed leaves
behind the application's unmonitored files, which may lead to confusion as to
why the application was removed but some of its files were left behind.
This typically affects home users, but can affect some businesses; its impact
is low. Various error messages may be received depending on the application;
most involve the inability to launch the application or missing files (DLLs
and so on).
Symptoms: Application files and directories left behind
Impact: Low; home users
Similarly, removing a program and then restoring the system to a point prior
to the installation of that program will not restore all of the files of that
program. Some files may be restored, but error messages related to that
program may result; the user can then reinstall the application.
To clean up, users have to find out which files related to the application are
still on the system and manually delete them, or reinstall the application and
then use Add/Remove Programs to remove it and its files.
For more information, please see Q286143 - The System Restore Utility Does
Not Replace All the Files of Removed Programs.
Cause: Application was removed by using System Restore to restore the system
to a point where the program was not yet installed.
Resolution: Manually delete the application files remaining on the system, or
reinstall the application and then use Add/Remove Programs to remove it and
its files.
Information:
Q286143 - The System Restore Utility Does Not Replace All the Files of
Removed Programs.
Q293388 - HTML Files with .htm Suffixes and Shortcuts Are Displayed on the
Start Menu After a Restore Operation.
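The "files left behind" behaviour above follows directly from the copy-on-change design described under Architecture Overview: only interesting operations on monitored files are logged, and the original is saved once per file per restore point. The following Python model is an added example written for this page (it is not Microsoft code and does not touch the real filter driver or data store). It replays a constructed scenario: a system checkpoint, an "Evil App" install that drops monitored and unmonitored files, upgrades a shared DLL twice and writes a registry key, then a restore to the checkpoint and an undo of that restore. The monitored extensions are the ones the page names; the excluded user-profile prefix, the service of a "Restore Operation" point for undo, and all paths and contents are assumptions made for the demonstration.

```python
"""Added example for this page (not Microsoft code): a user-mode model of System
Restore's copy-on-change tracking, used to show why a restore leaves an
application's unmonitored files behind. Extensions are those the page names;
the excluded user-profile prefix and all sample paths/contents are constructed."""
import os

MONITORED_EXTENSIONS = {".exe", ".dll", ".ini"}        # named on the page
EXCLUDED_PREFIXES = ("c:\\documents and settings\\",)  # assumption: user data is never tracked


def is_monitored(path: str) -> bool:
    """Would the filter driver treat a change to this path as an 'interesting' operation?"""
    p = path.lower()
    if p.startswith(EXCLUDED_PREFIXES):
        return False
    return os.path.splitext(p)[1] in MONITORED_EXTENSIONS


class SystemRestoreModel:
    def __init__(self, disk):
        self.disk = dict(disk)      # path -> content; a missing key means the file does not exist
        self.registry = {}
        self.restore_points = []    # {"name", "registry": snapshot taken when the point was created}
        self.change_log = []        # {"rp", "op", "path", "original"}; original None = did not exist
        self._copied_this_point = set()

    def create_restore_point(self, name):
        self.restore_points.append({"name": name, "registry": dict(self.registry)})
        self._copied_this_point = set()           # copying starts over for the new point
        return len(self.restore_points) - 1

    def _pre_change(self, op, path):
        """Filter-driver step: save the original once per file per restore point, then let the op through."""
        if not self.restore_points or not is_monitored(path) or path in self._copied_this_point:
            return
        self._copied_this_point.add(path)
        self.change_log.append({"rp": len(self.restore_points) - 1, "op": op,
                                "path": path, "original": self.disk.get(path)})

    def write(self, path, content):
        path = path.lower()
        self._pre_change("MODIFY" if path in self.disk else "CREATE", path)
        self.disk[path] = content

    def delete(self, path):
        path = path.lower()
        if path in self.disk:
            self._pre_change("DELETE", path)
            del self.disk[path]

    def set_registry(self, key, value):
        self.registry[key] = value

    def restore(self, rp_index):
        """Roll back every logged change since rp_index (newest first) and reload that point's registry.
        A 'Restore Operation' point is taken first so the restore itself can be undone (assumed design)."""
        target = self.restore_points[rp_index]
        self.create_restore_point("Restore Operation")
        for entry in reversed([e for e in self.change_log if e["rp"] >= rp_index]):
            if entry["original"] is None:
                self.delete(entry["path"])                      # created after the point: remove it
            else:
                self.write(entry["path"], entry["original"])    # changed or deleted: put the original back
        self.registry = dict(target["registry"])
        return target["name"]


def demo():
    """Constructed scenario: checkpoint, install 'Evil App', restore, then undo the restore."""
    sr = SystemRestoreModel({r"c:\windows\system32\shared.dll": "shared v1"})
    checkpoint = sr.create_restore_point("System Checkpoint")

    sr.write(r"c:\program files\evil\evil.exe", "MZ evil")
    sr.write(r"c:\program files\evil\evil.dll", "MZ helper")
    sr.write(r"c:\program files\evil\evil.ini", "[settings]")
    sr.write(r"c:\program files\evil\evil.dat", "cache")        # unmonitored extension
    sr.write(r"c:\program files\evil\readme.txt", "thanks")     # unmonitored extension
    sr.write(r"c:\windows\system32\shared.dll", "shared v2")    # installer upgrades a shared DLL
    sr.write(r"c:\windows\system32\shared.dll", "shared v2.1")  # second change: no second copy
    sr.set_registry(r"HKLM\Software\Evil", "installed")
    sr.write(r"c:\documents and settings\user\my documents\report.doc", "draft 1")  # user data

    sr.restore(checkpoint)
    after_restore = (dict(sr.disk), dict(sr.registry))
    sr.restore(checkpoint + 1)                 # the 'Restore Operation' point: this is the undo
    after_undo = (dict(sr.disk), dict(sr.registry))
    shared_copies = sum(1 for e in sr.change_log
                        if e["path"] == r"c:\windows\system32\shared.dll" and e["rp"] == checkpoint)
    return {"after_restore": after_restore, "after_undo": after_undo, "shared_copies": shared_copies}


if __name__ == "__main__":
    disk, _ = demo()["after_restore"]
    print("left behind after restore:", sorted(p for p in disk if "evil" in p))
```

After the restore, evil.exe, evil.dll and evil.ini are gone and the registry key is removed, but evil.dat and readme.txt remain (the stray files the KB article describes), the user's report.doc is untouched, and shared.dll is back at its pre-install version. The undo brings everything back, and the shared DLL was copied only once despite being changed twice in the same restore point.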
The impact is low and this issue will typically affect home users and
businesses. There are no error messages related to this issue. The resolution
to this issue is to explain how System Restore uses the data store space.
Symptoms
No error message
Allocated Hard Drive space for SR is used as needed and is not a reserved
block of space
Impact
Low; Home users.
Users may be informed that the data store size is not a reserved space; it is
used on demand and is always calculated as an effective size. For example, if
the data store size was configured to 500MB, of which 200MB has already been
used, and the current free hard disk space is only 150MB, then the effective
size is 200+150=350MB, not 500MB. In other words, the data store size is
always limited by the available free hard disk space.
To access the data store, right click on My Computer, choose Properties, click
on the Restore Tab, choose a drive you want to see the data store and then
click on settings. Move the slider to max or min to adjust the data store size.
Information
Cause
Misconception.
Resolution
User education.
Information
The System Restore Tab in the System Properties dialog box may indicate
that System Restore has been suspended across the entire system due to
insufficient free disk space on that drive. Attempts to launch System Restore
will generate an error message:
“System Restore is suspended because there is not enough disk space
available on the system drive (drive letter). To restart System Restore,
ensure at least 200MBs of free disk space are available on this drive. Do
you want to start Disk Cleanup to free more disk space now?
Yes No”
Symptoms
SR suspended; Error message.
Impact
High; All users.
Suspension of System Restore can occur if the disk space on any monitored
drive falls below 50 MB and an interesting event such as the creation,
deletion, or modification of a system file occurs on the drive.
To resolve this, users must free up at least 200MB of disk space on the
partition/drive that is causing System Restore to suspend or turn System
Restore off on that drive. System Restore can be disabled by clicking on the
System Restore Tab on the System Properties dialog box.
It is important to note that if the drive that is low on disk space is the system
drive and System Restore is turned off, it will be disabled on ALL drives.
Information
Cause
Insufficient free disk space (less than 50 MB) when an “interesting” event
occurs.
Resolution
Free up 200MB disk space or disable SR.
Information
Users may lose downloaded files or files with monitored extensions (such as
.exe, .ini, .dll) if they are saved in directories other than the System
Restore’s protected directories, such as My Documents or Downloaded
Program Files, or to a partition that has System Restore turned off. For
example, if Susan downloads download.exe from her email into
C:\MyComputer\SusanFiles instead of My Documents, she will be unable to
locate her program there after performing a restore.
Although no error message is associated with this issue, users may not be
able to find the files they need.
Symptoms
No error message; Users cannot find files after a restore.
Loss of downloaded files or files with monitored extensions (such as .exe, .ini,
.dll) if saved to directories other than the System Restore’s protected
directories (My Documents, Downloaded Program Files, or to a partition that
has System Restore turned off).
Impact
Low to Medium; Home users.
Loss of files can occur because the user chose to download or save the files
on a directory other than My Documents or Downloaded Program Files or
saved to a partition where System Restore is turned off. If the files use the
extensions in the filelist.xml include list and are downloaded or saved to a
directory other than the ones mentioned above, they will be removed upon
restore when restoring to a point before they were downloaded/saved. This is
by design.
Resolving this issue can be done by a basic user and involves undoing the
restoration to return the missing files. This can be done by launching the
System Restore user interface in Start > All Programs > Accessories >
System Tools > System Restore and choosing “Undo my last restoration.”
Information
Cause
Files with extensions in filelist.xml will be removed upon restore unless saved
to My Documents, Downloaded Program Files, or a partition with SR disabled.
Resolution
Undo the restoration.
Case Study 1
Bob is a programmer and cannot find his Visual Basic project (myproject.vbs)
that he saved under C:\MyProjects. Bob has just used System Restore to
restore his system to a day before he started to work on this project. What
might be causing this issue? What options does Bob have for resolution? What
KB article can be referenced?
Answer
Since Bob restored his system to a day before he started working on his
Visual Basic project and his program has a monitored extension that was not
saved under My Documents, Downloaded Program Files or to a partition with
SR turned off, it was removed on the restoration process.
Resolution
Bob can Undo the restore and save the file to My Documents so it will not be
removed on future restores.
Case Study 2
Maria calls technical support complaining that she is constantly losing her
Restore Points. She claims that when launching System Restore this morning,
she had 5 Restore Points and now she only has 1. What might be causing this
issue? What options does Maria have for resolution? What KB articles can be
referenced?
Answer
When checking on Maria’s system, the support professional discovers that she
has her hard drive partitioned in 3 partitions. One of the partitions where she
saves her MP3s has only 50MB of free disk space. This is causing System
Restore to suspend and purge Restore Points.
Resolution
Advise Maria to either free up 200MB of space on that partition or turn SR off
on it in order to keep from losing her Restore Points.
Case Study 3
Frank calls technical support stating that under System Restore Properties he
found out that 1.2 GB of Hard Disk space is reserved for System Restore on
his 10GB hard drive. What might be causing this issue? What options does
Frank have for resolution? What KB article can be referenced?
Answer
The space used by the System Restore Data Store to save Restore Points is
not a reserved space and is only used on demand; however, System Restore
will always yield space to the system if needed.
Resolution: User education. The support professional also shows Frank how
to adjust the data store size under the System Restore Tab in System
Properties.
Case Study 4
Jane just used System Restore to remove Application X that she downloaded
from the web. Now she is confused because the application is gone, but she
can still find some folders related to the application under C:\Program
Files. What might be causing this issue? What options does Jane have for
resolution? What KB article can be referenced?
Answer
System Restore should not be used to remove an application unless the user
cannot do it via Control Panel > Add/Remove Programs. It might leave
unmonitored files and directories behind which will have to be cleaned
manually.
● KB Article: The System Restore Utility Does Not Replace All the Files of
Removed Programs (286143)
Resolution
Jane has 4 options. She can manually delete the application files remaining on
the system; undo the restoration and then use Add/Remove Programs to uninstall
Application X; use Add/Remove Programs to uninstall Application X; or
reinstall the application and then use Add/Remove Programs to remove it
and its files.
Resources
● Information on System Restore and Password Restoration (Q295050)
WFP/SFC
A common issue with Windows has been the ability for shared system files to
be overwritten by other programs, causing unpredictable system
performance. Windows File Protection (WFP) and Driver Signing prevent the
replacement of certain system files, providing the user with more stability.
Objectives
● Describe the capabilities of Windows File Protection.
● List the 5 processes that can be used to update protected system files.
● Explain the 4 unattended installation setup file switches and what they
do.
● MSI requests for WFP to install the correct file version when it detects
that a requested file is protected
All three features together give greater stability to the Windows XP operating
system by providing a means to verify the source of a system file before it is
installed.
What is WFP?
In some previous versions of Windows, changes made to shared system files
would often cause unpredictable system performance, ranging from
application errors to operating system crashes. This problem usually affects
dynamic link libraries (DLLs) and executable files (EXEs).
First, the list of protected system files is monitored for changes. When a
change is detected to a protected file, WFP determines whether the original
file resides in the dllcache folder. If it does, the incorrect version is
automatically replaced and the replacement attempt is noted in the system
event log.
If the file does not exist in the dllcache, then the user is prompted for the
original CD or network location.
Driver Signing
Driver Signing uses existing digital signature cryptographic technology to
compute a “hash” of every file in the Windows 2000 operating system. These
hashes of the different files and other relevant information are stored in a
“catalog file” (.cat file), and the .cat file is signed with the Microsoft signature.
The binary itself is not touched by the signing process, only a .cat file is
created for each driver package and the .cat file is signed with a Microsoft
digital signature. The relationship between the driver package and its .cat file
is referenced in the driver's INF file and maintained by the system in a
database after the driver is installed.
Windows File Protection uses the signatures and catalog files generated by
Driver Signing to verify if protected system files are the correct Microsoft
versions. WFP does not generate signatures of any type.
● Windows Update
Note
WFP protects files, but it does not block write access to %systemroot% and
its sub-directories. Protected files updated by any other means will result in
the replacement of unauthorized files by Windows File Protection.
Application Installation
The first scenario is the case of an application installation. There are two
cases where an application can cause system files to be replaced, removed or
overwritten. The first is during the initial application installation; some
applications replace a protected system file with an older version than
currently installed. The second case is when an application uninstall deletes a
protected system file. In both of these cases Windows File Protection will
automatically restore the replaced system file.
Replacing protected files by other means than those above will result in the
unauthorized files being replaced by Windows File Protection.
WFP Utilities
The three key utilities for looking at WFP issues are the Signature Verification
Tool, or Sigverif.exe, the Sigverif.txt file it produces, and System File
Checker. Each of these utilities can be used to help check WFP issues.
WFP Configuration
The default settings for WFP can be configured through unattended setup
parameters.
Signature Verification
Another useful troubleshooting tool for Windows File Protection is the File
Signature Verification Tool, or “Sigverif.exe.” You can use the Sigverif.exe tool
to identify unsigned drivers on a computer running Windows XP.
Event Viewer
Also, the Event Viewer can be used as a troubleshooting tool. Events are
logged in the System Event log when WFP actions occur. For example, if a
user chooses NOT to restore a protected system file, this event is logged.
Troubleshooting Considerations
Disabling Windows File Protection
There are two methods to disable Windows File Protection. The first method is
to boot Windows XP in Safe Mode. Windows File Protection is disabled when
running in Safe Mode.
The second method to disable WFP is to set the value SFCDisable
(REG_DWORD) in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon. By default, SFCDisable is set to 0, which means
WFP is active. Setting SFCDisable to 1 disables WFP. Setting SFCDisable to 2
disables WFP for the next reboot only (without a prompt to re-enable it).
Please note that you are required to have a kernel debugger attached to the
system via the serial port to use SFCDisable = 1 or SFCDisable = 2.
Cache Issues
The location of the dllcache directory is specified in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\SFCDllCacheDir (REG_EXPAND_SZ). The default
value for SFCDllCacheDir is %systemroot%\system32\dllcache. The
SFCDllCacheDir setting must be a local path.
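A check for the two Winlogon settings just described (SFCDisable and SFCDllCacheDir), as an added example that is not part of this training material: it parses a saved reg query dump of the Winlogon key (the sample dump is constructed) and reports a non-zero SFCDisable or a cache directory that is not a local path.

```python
r"""Audit the Windows File Protection settings under the Winlogon key from a
saved "reg query" dump.

Added example, not part of the training material. It assumes the dump was
captured on the machine being examined with:
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
The sample dump embedded below is constructed.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_CACHE_DIR = r"%systemroot%\system32\dllcache"

# Meaning of each SFCDisable value as given in the text above.
SFCDISABLE_MEANING = {
    0: "WFP active (default)",
    1: "WFP disabled (only usable with a kernel debugger attached)",
    2: "WFP disabled for the next reboot only (kernel debugger required)",
}

# reg query prints each value as: <indent><name><spaces><REG_type><spaces><data>
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed dump of a machine where WFP has been switched off and the
# cache directory pointed at a network share (both settings the text warns about).
SAMPLE_DUMP = "\n".join([
    "",
    WINLOGON_KEY,
    "    SFCDisable    REG_DWORD    0x1",
    "    SFCDllCacheDir    REG_EXPAND_SZ    \\\\fileserver\\dllcache",
    "    Shell    REG_SZ    explorer.exe",   # unrelated value, ignored by the audit
    "",
])


def parse_reg_query(dump):
    """Return {name: (type, data)} for the values under the Winlogon key."""
    values = {}
    in_key = False
    for line in dump.splitlines():
        if line.startswith("HKEY_"):
            in_key = line.strip().lower() == WINLOGON_KEY.lower()
            continue
        m = VALUE_LINE.match(line)
        if in_key and m:
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data.strip())
    return values


def reg_dword(data):
    """reg query shows REG_DWORD data as hex (0x1); accept decimal as well."""
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def audit_wfp(values):
    """Return findings as (setting, detail) tuples; an empty list means defaults."""
    findings = []
    _, data = values.get("SFCDisable", ("REG_DWORD", "0x0"))
    disable = reg_dword(data)
    if disable != 0:
        meaning = SFCDISABLE_MEANING.get(disable, "undocumented value %d" % disable)
        findings.append(("SFCDisable", meaning))
    _, cache_dir = values.get("SFCDllCacheDir", ("REG_EXPAND_SZ", DEFAULT_CACHE_DIR))
    if cache_dir.startswith("\\\\"):
        # The text states SFCDllCacheDir must be a local path; a UNC path
        # means WFP cannot restore protected files from the cache.
        findings.append(("SFCDllCacheDir", "UNC path %s is not a local path" % cache_dir))
    elif cache_dir.lower() != DEFAULT_CACHE_DIR.lower():
        findings.append(("SFCDllCacheDir", "non-default location %s" % cache_dir))
    return findings


if __name__ == "__main__":
    for setting, detail in audit_wfp(parse_reg_query(SAMPLE_DUMP)):
        print("%s: %s" % (setting, detail))
```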
If a file change is detected by WFP and the affected file in use by the
operating system is not the correct version and/or the file is not cached in the
dllcache directory, WFP will attempt to locate installation media by itself. If
that search fails, WFP will prompt the user to insert the appropriate media to
replace the file and/or dllcache.
Ensure that you have access to install sources for protected system files in
case you are prompted for them.
Summary
In this section we discussed the various troubleshooting tools and
considerations for Windows File Protection.
The troubleshooting tools are System File Checker, the File Signature
Verification tool, and Event Viewer to view the system logs. Some
considerations include cleaning out the dllcache to resolve cache issues,
ensuring that you have access to install sources for protected system files in
case you are prompted for them, and disabling Windows File Protection either
by booting into Safe Mode or by using the registry.
Diagnostic Tools
Documentation Resources
Solid product documentation is one of the most powerful tools you can use
when troubleshooting. The Knowledge Base is the single most used resource
for troubleshooting, but unfortunately other in-depth sources can be difficult
to find. Below are the key documentation sources you can use to dig deeper
into the Operating System.
Windows help content is better than ever in Windows XP, and it should be one
of the first places you search when seeking information on a product
component. Because of the new Search functionality provided by Help and
Support, when you search in the Help interface, you are also searching the
public Knowledge Base and Resource Kit documentation.
The results of your search on a released operating system are always publicly
available, and thus can be sent to customers to aid them in tasks that may
require a detailed explanation.
This is just a short list of the tests performed. The results can provide a great
deal of information on the network.
Note that the Network Diagnostics interface does not attempt to ping or
connect to other computers in the home network. As a result it is more
appropriate for Internet connectivity and name resolution testing than File
Share issues.
Resource Kit
Location: http://www.microsoft.com/windows/reskits/default.asp
http://msdn.microsoft.com/library/en-us/sdkintro/sdkintro/contents_of_the_platform_sdk.asp
Technologies such as ADSI, RPC, TAPI, Win32, WMI and any other features of
Windows with public programmatic interfaces are covered by some
documentation here.
http://www.microsoft.com/whdc/default.mspx
MSConfig
MSConfig.exe is a tool for standard troubleshooting in Windows XP that
provides access to the configuration for normal or diagnostic startup, the
ability to expand files, access System Restore, edit Win.ini and System.ini
configurations, modify your Boot.ini options, configure the startup for
Services, and also disable startup applications.
You will use MSConfig primarily when you can start the computer in Safe
Mode, but normal mode fails. In these cases, you can use MSConfig to
prevent applications and Services from starting. You can also use it when
startup is not configured the way that you would like it to be: for example,
when you need a specific Boot.ini option, but the person you are working with
is uncomfortable with editing Boot.ini directly. In these cases, you can add
switches simply by clicking an option in this tool.
Considerations
The primary consideration when using MSConfig is that it is not a solution—it
is a troubleshooting tool. You can use MSConfig to determine the cause of the
issue, but you will use other tools to make a permanent fix. To help
customers understand this, MSConfig provides a startup message to tell you
that you are in a diagnostic startup mode. Do not run in this diagnostic
startup mode for regular use; use other troubleshooting tools in order to
provide the permanent solution.
MSInfo32
The Microsoft System Information tool (msinfo32.exe or winmsd.exe) uses
WMI to provide comprehensive system information. The output from this tool
can be saved to a .NFO file, which is viewed in the System Information
interface. Useful support information includes:
Event Logs
Event Logs provide a structure and storage mechanism for information about
the system and applications on the computer. Within the Event Viewer
(eventvwr.exe) you can view information from the three main logs in a
default configuration:
Application log
The application log contains events logged by applications or programs. For
example, a database program might record a file error in the application log.
Program developers decide which events to monitor.
Security log
The security log records events such as valid and invalid logon attempts, as
well as events related to resource use, such as creating, opening, or deleting
files or other objects. An administrator can specify what events are recorded
in the security log. For example, if you have enabled logon auditing, attempts
to log on to the system are recorded in the security log.
System log
The system log contains events logged by Windows XP system components.
For example, the failure of a driver or other system component to load during
startup is recorded in the system log. The event types logged by system
components are predetermined by Windows XP.
When troubleshooting a startup issue, you can use event log startup entries
to limit your search to events recorded during the current Windows session,
as discussed in the example below.
4. Look in the System log for the most recent Event ID: 6005, Source:
EventLog. This entry denotes the start of logging for the current
startup.
5. Note the Date and Time this event was logged. This will be needed for
comparison with other log entries.
6. Check the System log for Error or Warning entries later than this 6005.
Note the details for any errors found. In the default view the most
recent events are at the top of the viewer, so you should be looking up
in the log as shown below.
When you find error messages, double-click the event in the log and view the
details, as shown below.
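The startup triage in steps 4 to 6 above, carried out over exported log records, as an added example that is not part of this training material: it finds the most recent Event ID 6005 from source EventLog and returns the Error and Warning entries logged after it. The records are constructed tuples in the order Event Viewer lists them; on a real machine they would come from a saved System log export.

```python
"""Startup triage from the System log: locate the most recent Event ID 6005
from source EventLog (start of the current session) and collect the Error
and Warning entries logged after it.

Added example, not part of the training material. The log records below are
constructed; field order follows the Event Viewer columns.
"""
from datetime import datetime

# Constructed sample System log, most recent first, as Event Viewer lists it.
# Fields: Type, Date, Time, Source, Event ID.
SAMPLE_SYSTEM_LOG = [
    ("Error",       "3/14/2004", "9:02:11 AM", "Service Control Manager", 7000),
    ("Warning",     "3/14/2004", "9:01:40 AM", "W32Time", 36),
    ("Information", "3/14/2004", "9:01:05 AM", "EventLog", 6009),
    ("Information", "3/14/2004", "9:01:05 AM", "EventLog", 6005),
    ("Error",       "3/13/2004", "6:45:00 PM", "Disk", 11),      # previous session
    ("Information", "3/13/2004", "6:44:10 PM", "EventLog", 6005),
]


def event_time(record):
    """Combine the Date and Time columns into a datetime."""
    return datetime.strptime(record[1] + " " + record[2], "%m/%d/%Y %I:%M:%S %p")


def current_session_start(records):
    """Step 4: timestamp of the most recent 6005/EventLog entry, or None."""
    starts = [event_time(r) for r in records if r[3] == "EventLog" and r[4] == 6005]
    return max(starts) if starts else None


def problems_since_startup(records):
    """Steps 5 and 6: Error/Warning entries at or after the current session
    start, returned oldest first so they read in the order they happened."""
    start = current_session_start(records)
    if start is None:
        # Without a 6005 marker the session boundary is unknown (log cleared?).
        raise ValueError("no Event ID 6005 from source EventLog in the log")
    hits = [r for r in records
            if r[0] in ("Error", "Warning") and event_time(r) >= start]
    return sorted(hits, key=event_time)


if __name__ == "__main__":
    for rec in problems_since_startup(SAMPLE_SYSTEM_LOG):
        print("%s %s %-8s %s (%d)" % (rec[1], rec[2], rec[0], rec[3], rec[4]))
```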
MPSReports
The MPS Reports utility is a downloadable tool that collects information on the
configuration and state of the computer. The purpose of MPS Reports is to
give Microsoft Support Professionals more information about a customer’s
system configuration with a small and easy to use utility.
For Consumer Windows support, gathering MPS Reports data, when possible,
before escalating a case can help ensure that the second level support
professional has the right information to resolve the case more quickly.
Note: If you cannot easily receive email from the customer, but they have
the ability to run the tool, this is still a good step. They will have the .CAB file
ready for second level support.
Note: MPS Reports does not make any configuration or registry changes to
the computer on which it is run.
Error Reporting
Error Reporting in Windows XP is the mechanism that sends error details to
Microsoft for aggregation and analysis. When receiving an error, you are
presented with the interface shown below, with options to Send Error
Report or Don’t Send.
If you are encountering an error with a clear resolution, the results of these
investigations are provided after sending the report.
Dr. Watson
Dr. Watson generates an error log when an application is terminated
unexpectedly. Dr. Watson for Windows is an error debugging program that
gathers information about your computer when a program generates an error
(or user-mode fault). By default, the log file created by Dr. Watson is named
Drwtsn32.log and is saved in the following location: \Documents and
Settings\All Users\Application Data\Microsoft\Dr Watson
For additional information on the Dr. Watson for Windows Tool, please refer to
the following article
KB Article: Description of the Dr. Watson for Windows (Drwtsn32.exe) Tool
(308538)
Scenario
A customer calls in reporting that his/her computer crashed while browsing
websites. However, the user was unable to gather the error details.
Dr Watson Details
The Drwtsn32.log file includes the following entry, which helps isolate the
application experiencing the problem:
Cacls
Cacls.exe displays or modifies the discretionary access control list (DACL) for
files and folders on NTFS volumes. For diagnostic work, cacls is useful for its
ability to output the ACLs applied to an object, as well as for command line
ACL modifications.
Usage
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
[/P user:perm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with
/E).
/P user:perm Replace specified user's access rights.
Perm can be: N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.
Abbreviations:
CI - Container Inherit.
The ACE will be inherited by directories.
OI - Object Inherit.
The ACE will be inherited by files.
IO - Inherit Only.
The ACE does not apply to the current file/directory.
Sample Commands
The first example displays the current ACL for the D:\data folder on the
server:
Cacls D:\data
The following command grants the user “abeebe” Change rights to the file
“D:\Data\File.xls”:
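A parser for the display form shown above (Cacls D:\data), as an added example that is not part of this training material: it turns each line of cacls output into an ACE using the CI/OI/IO abbreviations and R/W/C/F permission letters from the usage text, and flags broad groups that hold write access. The sample output is constructed; the DENY flag format for deny entries is assumed here.

```python
r"""Parse "Cacls <path>" output into ACEs and flag broad groups with write
access. Added example, not part of the training material; the sample output
below is constructed to follow the cacls display format
(trustee:(flags)perm, path on the first line only).
"""
import re

# Constructed cacls output for a folder; only the Everyone:C entry is a problem.
SAMPLE_CACLS_OUTPUT = "\n".join([
    r"D:\data BUILTIN\Administrators:(OI)(CI)F",
    r"        NT AUTHORITY\SYSTEM:(OI)(CI)F",
    r"        CREATOR OWNER:(OI)(CI)(IO)F",
    r"        BUILTIN\Users:(OI)(CI)R",
    r"        Everyone:(OI)(CI)C",
    r"        BUILTIN\Guests:(DENY)(OI)(CI)F",   # deny entry; DENY format assumed
    "",
])

# trustee may contain spaces and a backslash; flags are zero or more (XX) groups;
# perm is one of the single letters from the usage text (N R W C F).
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[NRWCF])?\s*$")

# Groups that effectively mean "any user of this machine".
BROAD_GROUPS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
WRITE_PERMS = {"W", "C", "F"}   # Write, Change, Full control


def parse_cacls(output, path):
    """Return a list of dicts {trustee, flags, perm, deny} for the object at path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith(path.lower()):   # first line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue   # "(special access:)" entries and their rights lines are not handled
        flags = re.findall(r"\(([A-Z]+)\)", m.group("flags"))
        aces.append({
            "trustee": m.group("trustee"),
            "flags": [f for f in flags if f != "DENY"],
            "perm": m.group("perm"),
            "deny": "DENY" in flags,
        })
    return aces


def broad_write_access(aces):
    """ACEs that grant (not deny) a write-capable permission to a broad group."""
    return [a for a in aces
            if not a["deny"]
            and a["trustee"].lower() in BROAD_GROUPS
            and a["perm"] in WRITE_PERMS]


if __name__ == "__main__":
    for ace in broad_write_access(parse_cacls(SAMPLE_CACLS_OUTPUT, r"D:\data")):
        print("broad write access: %s has %s" % (ace["trustee"], ace["perm"]))
```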
Support Tools
The Support Tools are a set of troubleshooting tools that are provided on both
the Windows XP Home Edition and Professional CDs. For information on the
individual Support Tools, see the online help and Readme.htm located in the
Support Tools folder. The Support Tools in Windows XP are provided for
advanced diagnostics and troubleshooting.
Tools Included
The Support Tools contains a wide variety of diagnostic, troubleshooting and
administration tools. Some highlights include the Application Compatibility
Toolkit; the Dependency Walker (Depends.exe), which provides information
about file dependencies for any WIN32 executable or DLL; NetCap.exe, which
is a command line network monitor capture utility; Poolmon.exe, the memory
pool monitor; SPcheck.exe, the Service pack check utility; and XCACLS, which
displays access control lists (ACLs) for files and folders. For more information
on each tool, consult the syntax guide using the /? switch.
Installation
You can install the Support Tools using Setup.exe located in the
\Support\Tools directory on the Windows XP CD-ROM. By default, the tools
are installed to your \Program Files\Support Tools directory, but you can
change this destination using the Custom installation option. In total, the
installation takes about 8 MB of disk space.
RASDiag
Location: RASDiag is included in the Windows XP Support Tools.
Note:
Because RASDiag is a data collection tool, it is only useful when the customer
has a way of sending you the resulting data file. The data file also requires
analysis, so this is not a tool that is useful while on a live call with a
Consumer customer.
Usage
To start Rasdiag, click Start, click Run, type "cmd" (without the quotation
marks), and then press ENTER. At the command prompt, type "rasdiag.exe"
(without the quotation marks), and then press ENTER. Rasdiag sets various
debug parameters for components related to RAS and VPN connections, and
then prompts the user to perform their test. While the RAS connection is
attempted, RASDiag captures network traffic and saves relevant log
information. When the test is complete, return to the RASDiag command
prompt window and press SPACE to stop RASDiag. When complete,
Rasdiag saves data to the %userprofile%\Local Settings\Temp\RASDIAG
folder as an .RDG file. Double-clicking this file extracts two types of files:
• Network Monitor capture files for each active network interface for the duration
of the test.
• RASDIAG.TXT, which contains various data:
  • Computer name and build number
  • Paths to User and System PBK
  • Result of network captures (indicates whether 0 bytes were captured on a
  particular interface)
  • List of RAS devices
  • Contents of C:\WINDOWS\TRACING\BAP.LOG
  • Contents of C:\WINDOWS\TRACING\RASMAN.LOG
  • Contents of C:\WINDOWS\TRACING\EAPOL.LOG
  • Contents of C:\WINDOWS\TRACING\IASHLPR.LOG
  • Contents of C:\WINDOWS\TRACING\IASRAD.LOG
  • Contents of C:\WINDOWS\TRACING\IASSAM.LOG
  • Contents of C:\WINDOWS\TRACING\IASSDO.LOG
  • Contents of C:\WINDOWS\TRACING\IPMGM.LOG
  • Contents of C:\WINDOWS\TRACING\KMDDSP.LOG
  • Contents of C:\WINDOWS\TRACING\NDPTSP.LOG
  • Contents of C:\WINDOWS\TRACING\RASADHLP.LOG
  • Contents of C:\WINDOWS\TRACING\RASDLG.LOG
  • Contents of C:\WINDOWS\TRACING\RASPHONE.LOG
  • Contents of C:\WINDOWS\TRACING\tapisrv.LOG
  • Contents of C:\WINDOWS\TRACING\tapi32.LOG
  • Contents of C:\WINDOWS\TRACING\TAPI3.LOG
  • Contents of C:\WINDOWS\TRACING\RASTLSUI.LOG
  • Contents of C:\WINDOWS\TRACING\RASSPAP.LOG
  • Contents of C:\WINDOWS\TRACING\RASSCRIPT.LOG
  • Contents of C:\WINDOWS\TRACING\RASTAPI.LOG
  • Contents of C:\WINDOWS\TRACING\IPRouterManager.LOG
  • Contents of C:\WINDOWS\TRACING\PPP.LOG
  • Contents of C:\WINDOWS\TRACING\RASAPI32.LOG
  • Contents of C:\WINDOWS\TRACING\RASAUTH.LOG
  • Contents of C:\WINDOWS\TRACING\RASBACP.LOG
  • Contents of C:\WINDOWS\TRACING\RASCCP.LOG
  • Contents of C:\WINDOWS\TRACING\RASCHAP.LOG
  • Contents of C:\WINDOWS\TRACING\RASEAP.LOG
  • Contents of C:\WINDOWS\TRACING\RASIPCP.LOG
  • Contents of C:\WINDOWS\TRACING\RASIPHLP.LOG
  • Contents of C:\WINDOWS\TRACING\RASNBFCP.LOG
  • Contents of C:\WINDOWS\TRACING\RASPAP.LOG
  • Contents of C:\WINDOWS\TRACING\RASTLS.LOG
  • Contents of C:\WINDOWS\TRACING\Router.LOG
  • Contents of Connection Manager Logs
  • Contents of C:\WINDOWS\ModemLog*.TXT
  • Contents of C:\WINDOWS\DEBUG\oakley.log
  • IP Configuration for each interface (IPConfig /all)
  • Routing Table (Netstat -r)
  • Ethernet Statistics (Netstat -e)
  • IP, TCP and UDP Statistics (Netstat -s)
  • Active connections (Netstat)
  • Contents of System and User PBK
  • Last 10 events from the Security log
  • Process information (PIDs and a list of Services loaded in each process)
Because it provides such a wide variety of logging, and captures network
traffic on all local interfaces, RASDiag is a key tool for troubleshooting remote
connectivity.
Windiff
Windiff.exe is a tool that has been around for a long time and is included in
the Support Tools. It’s designed to highlight the differences between two files
based on a line by line comparison. It is particularly useful for comparing
.REG files and output from command line tools such as sc queryex type= all
state= all to identify differences.
With that information we can interpret the results above to mean that the
Windows Audio service is running on the machine from which Std_SC.txt was
captured, but stopped on the Ent_SC.txt machine.
Recovery Console
Recovery Console’s purpose is for repairing installations that will no longer
boot into Windows XP normally or with Safe Mode. You can boot into the
Recovery Console to attempt to make modifications that will allow Windows
XP to boot normally. This is not designed as a Data Recovery mechanism.
Safe Mode is the preferable way of accessing Windows XP but there are some
situations where access to Windows XP may not occur even with Safe Mode.
Under these situations use the Recovery Console.
When you use the Windows Recovery Console, you can obtain limited access
to the NTFS file system, FAT, and FAT32 volumes without starting the
Windows graphical user interface (GUI). In the Windows Recovery Console,
you can:
• Enable or disable service or device startup the next time that you start your
computer.
• Repair the file system boot sector or the Master Boot Record (MBR).
Secure Access
Recovery Console requires an Administrator password before accessing the
hard drives unless no valid Windows NT based OS is found. In the past, you
selected the Administrator password when Recovery Console was installed,
and the password did not automatically update when it was changed in the
GUI, nor could it be changed from within Recovery Console. This problem has
been corrected. The Administrator password for Recovery Console now
updates automatically when changed from within Windows XP.
By default, you only have access to the \Windows directory of the
installation to which you are logged on, as well as the root directory of the
drive, removable media, and the Recovery Console source – either on the CD
or the \cmdcons directory if it is installed on the hard drive.
Note: this document does not present complete coverage of all commands in
Recovery Console. Rather, the focus is on the most common troubleshooting
actions performed. For information on all commands available in Recovery
Console, see the following article:
KB Article: Description of the Windows XP Recovery Console (314058)
• If it is installed on the hard drive, it can be selected from the boot menu
at startup.
The next screen offers the option to Repair or Install. You can press ENTER to
set up Windows XP or you can press R to start Recovery Console.
After selecting a Windows installation you must log on using the Administrator
password.
If you do not see the Press any key to boot from CD prompt, try the
following:
● If the computer has multiple CD/DVD drives installed, try each drive.
● Check the BIOS POST screen for options to choose the boot device or
enter a boot menu. This is available on some OEM computers. If you do
not see this option, restart the computer and press ESC as soon as you
see the POST screen. This may cause the BIOS to display more
information.
Note: Using the above step is valuable as it does not modify any BIOS
settings.
If you are not able to boot the computer from a Windows XP CD, an
alternative is to download the files to create Setup Boot Disks.
No Logon Presented
If there is not an installation on the system or the system has been totally
corrupted so that we cannot locate a valid SAM, then you will boot directly to
a C prompt. You will only have access to the root of the drive and the
CMDCONS directory if it exists.
You have very limited access to the drive at this point. However, you can still
run commands such as Chkdsk, Fixboot, FixMBR, Format, and DiskPart to
attempt to repair the drive.
For a complete list of Recovery Console commands, see the following article:
KB Article: Description of the Windows XP Recovery Console (314058)
Repair Functionality
The following commands provide repair functionality for a range of issues
related to hard disks and the boot process. These range from checking the
drive for corruption with chkdsk, to repairing elements of the boot
configuration with bootcfg, fixboot and fixMBR.
Chkdsk
Chkdsk can be run to check the drive for hard drive corruption and to attempt
recovery of data from bad sectors. It will also display a status report on the
drive. If chkdsk is run without any arguments, the drive is examined for a
dirty marker; if none is found, chkdsk only reports on the status of the
drive.
Chkdsk c: /r
IMPORTANT: Data loss is a risk whenever using chkdsk to fix problems with
the drive, as in the above example. Before running this command, you should
check with the customer to determine whether there is any critical data on
the drive for which they do not have a backup.
If the data is critical and there is no backup, advise the customer of the risks,
and suggest contacting a data recovery service before proceeding.
Switch Functionality
Note: Additional command line options are available for chkdsk while running
within Windows.
Bootcfg
Bootcfg automatically scans all local disks for Windows installations and
configures and repairs entries in the operating system menu (Boot.ini). To
use this command, run:
Bootcfg /rebuild
This command searches all local drives for Windows installations. Each is
presented so that the customer can select which installation(s) to add to the
Boot.ini.
The usage of bootcfg is shown below, with circles around required input.
Figure 28 – Fixboot
As shown in this example, three inputs are required for each Windows
installation found on the computer:
● Enter the Load Identifier – “Windows XP”. This is the text displayed
on the boot menu to identify the installation during the boot process. If
multiple installations are found, be sure to enter unique identifiers for
each, such as by including the drive letter in the name.
Fixboot
Fixboot writes a new Windows XP boot sector onto the system partition. You
can specify the drive, for example:
Fixboot C:
The usage of Fixboot is shown below, with circles around required input.
Figure 29 – Fixboot
As shown in this example, the only required input is Y to confirm writing the
new boot sector.
Fixboot can be useful when the boot process fails before you reach the boot
menu. The boot sector is a portion of the active (bootable) partition that
contains information needed to load the operating system boot files – ntldr
and others.
FixMBR
Fixmbr will rewrite the Master Boot Record (MBR). You may also specify
another device name to write the MBR to. If the MBR is detected with
corruption or is invalid you will be warned as follows, and given an option to
cancel before the MBR is rewritten.
The usage of FixMBR is shown below, with circles around required input.
Figure 30 – FixMBR
IMPORTANT: This command can damage your partition tables if a virus is
present or if a hardware problem exists. If you use this command, you may
create inaccessible partitions. We recommend that you run antivirus software
before you use this command.
File Commands
The following commands are used to copy files, list files in a directory, access
directories and expand files from the Windows XP installation source.
Copy
Use the copy command to copy files. You may copy the source file from removable
media, any directory under the system directory of the logged in installation,
from the root of any drive, from local installation sources, or from the
cmdcons directory. Compressed files from the CD-ROM will automatically be
decompressed during the copy process.
The destination can be any directory within the system directories of the
logged in installation, the root of any hard drive, the local installation sources
or the cmdcons directory. The destination cannot be removable media. If the
destination is not specified, it will be the current directory that you are in. The
syntax is:
Delete
You can only delete files in the system directories of the current installation of
Windows XP, on removable media, in the root directory of a hard drive, or in
the local installation source. The syntax is as follows:
Dir
You can specify the drive, directory and /or files to list. DIR will list all files
including hidden and system files. The syntax is as follows:
D=Directory R=Read-Only
CD / MD / RD
All three commands RD, CD, and MD can only operate within the system
directories of the logged in installation, on removable media, the root
directories of the drives on the system, or on local installation sources.
MD [drive:] path
RD [drive:] path
As shown by the optional “..”, you can use “CD ..” to move up a level in the
path (e.g. from C:\Windows\System32 to C:\Windows). Also, “CD \” specifies
that you want to change to the root directory of the drive (e.g. C:\).
Note: there is, and must be, a space between CD and the two periods, and
between CD and the backslash.
Ren
The Ren command enables you to rename an existing file. You cannot create
a new path to the file while using rename. Syntax is as shown below:
Expand
Previously, you could use a command in Windows consumer products called
Extract. Extract allowed the extraction of individual files that were
compressed into cabinet files. The Expand command in Windows XP provides
the same functionality as Extract; in addition, it uncompresses individual
installation files. The syntax is as follows:
Source specifies the cab file to extract the files from. It may not include
wildcards; only one cab can be specified at a time.
Destination specifies the directory for the new file. The default is the current
directory, if none is specified.
Switch Functionality
Examples of usage:
Note the usage of quotes since the directory path contains a space.
This just displays a list of all .SYS files contained within the cab file.
Note: When using expand to expand files, the second parameter should be only
the destination location, not a filename. For example:
Drive Commands
Drive commands can be used to manipulate partitions and drives, either to
create partitions, format partitions, or view the partitions on a particular
drive.
Format
You can format hard drives while in Recovery Console, however you cannot
format removable media. The format syntax is similar to format under
Windows XP.
Format d: /q /FS:fat32
This formats the D: drive with a quick format, using FAT32 as the file system.
DiskPart
DiskPart allows you to create or delete partitions. DiskPart can be used
without any arguments, and you will be presented with a text-mode interface
similar to what you see during text-mode Setup.
Figure 31 – Diskpart
This interface is similar to that shown in Text Mode setup during a clean
installation.
To delete a partition, move the highlight to the partition and press D. You
will be warned that all data will be lost; confirm the deletion by pressing L,
or cancel and return by pressing ESC.
Diskpart also offers two command line switches and additional parameters.
These are only recommended for advanced use:
Switch Functionality
Device-name: Device name is used when creating new partitions. You can
use the Map command (described later) to display the existing names in the
system. An example of a device-name would be \device\harddisk0
Drive-Name: You can also use the drive letter associated with an existing
partition to delete that partition. Drive letters are also shown with the map
Command.
Size: This is used when creating a partition to specify the number of MB the
new partition should be.
Map Command
The MAP command displays the existing drive letter mappings to locate hard
drive volumes, removable media and floppy drives that are recognized under
Recovery Console.
You can also use the MAP arc argument. This displays the arc path rather
than the device path. This can be useful if the boot.ini file was corrupted or
deleted, although using Bootcfg to repair the boot.ini is preferred.
Other Commands
Several other commands can be useful during troubleshooting in Recovery
Console.
SystemRoot
Systemroot sets the current directory to the systemroot folder of the Windows
installation you are logged on to. This is the equivalent to using the cd
\windows command.
More or Type
These commands can be used to display the contents of a text file without
modifying the file. You are presented with the first page of information. At the
bottom of the page are the commands to page down (Spacebar), scroll line
by line (enter) or stop displaying the file (Esc) as shown below.
Figure 32 – Diskpart
The Type or More command cannot be redirected to a new file.
Type filename
-or-
More filename
Exit
Type exit to leave the Recovery Console and reboot the machine.
Registry
There is not any way to edit the registry under Recovery Console. Registry
hives can be replaced but there are no registry editing tools.
Other Considerations
When starting Recovery Console you will be asked which installation to boot
into. Once you select an installation you are prompted for the Administrator
Password for that installation. There is a repair logon where only certain
repair functions can be run (Fixboot, FixMBR, chkdsk). This occurs when a
valid Windows XP installation cannot be found. You boot directly to the hard
drive.
To enable the policy: Control Panel > Administrative Tools > Local Security
Settings > Local Policies > Security options. You will see two Recovery
Console policies.
Set Command
You can use the set command to set four different environment variables in
Recovery Console.
● AllowAllPaths = False
● AllowWildCards = False
● AllowRemovableMedia = False
● NoCopyPrompt = False
Changing the following registry key allows the set command to be used to
change these settings to True.
● AllowAllPaths opens up all the drives for full access. You are no longer
denied access to directories.
The default for all four settings is False. Changing them in one instance of
Recovery Console only holds true while logged on to that installation. Logging
on to another installation or rebooting back into Recovery Console resets all
settings to False. There is no way to save these settings for future use.
However, a text file could be created containing any or all of the four set
commands, and the batch command could then be used to apply the settings.
Note the spaces on either side of the equal sign. Once in Recovery Console,
use the following command to execute this batch file:
batch fourset.txt
Kernel Errors
Kernel Mode is the processor access mode in which the operating system and
privileged programs run. Kernel-mode code has permission to access any part
of the system, and is not restricted like user-mode code. It can gain access to
any part of any other process running in either user mode or kernel mode.
Windows XP displays a STOP error message and halts when the kernel detects
an unrecoverable error or the CPU detects an unrecoverable hardware error.
Figure 33 illustrates a stop error and some of the information it displays
(more details on this type of error follows later in this lesson).
In the case of Kernel Mode Errors, the operating system must shut down to
preserve system integrity. Windows XP automatically restarts your computer
by default when it encounters one of these kernel errors.
You may also see error information on the blue-character screen, including a
message code that provides information about the crash. This is known as the
Stop Error (Figure 33).
Because kernel-mode code has permission to access any part of your system,
it is not restricted like User Mode code. Kernel-mode code can gain access to
any part of any process running in either user mode or kernel mode.
Performance-sensitive operating system components run in kernel mode, so
they can interact with the hardware and with each other.
You can change the behavior during a stop error, such as the automatic
restart, as well as the memory dump type that is created in the Startup and
Recovery settings, available from the Advanced tab of System Properties
as shown below.
The default dump file type is a Small Memory Dump file, also known as a
Minidump. This file contains only basic information about what was in memory
during the fault, rather than the entire contents of memory. Minidump files
are 64 KB in size and are designed to be sent to Microsoft using Error
Reporting.
Other dump file options are Full, which saves the entire contents of RAM,
meaning that the file is just larger than the size of system memory; and
Kernel dump, which saves only the contents of memory used by the kernel.
● Executive
● Kernel
Kernel mode errors occur within these spaces of the operating system
architecture. The possibility of data corruption is much greater with kernel-
mode process errors. When a process erroneously accesses a portion of
memory that is in use by another application or by the system, this lack of
restrictions on kernel-mode processes forces Windows to stop the entire
system. Malfunctioning hardware devices or device drivers, which reside in
kernel mode, are often the cause of serious Windows errors or Kernel errors.
For example, a bad SCSI adapter, a malfunctioning drive controller, or
defective memory chips can corrupt memory contents and alter program
pointers, so they attempt to access an incorrect address in memory.
Stop Messages
When Microsoft Windows XP Professional detects a problem from which it
cannot recover, it displays a Stop message, which is a text-mode error
message that reports information about the condition. Stop messages contain
specific information that can help you diagnose and possibly resolve the
problem detected by the Windows kernel. When a Stop message occurs as a
result of a problem, there is certain information you will want to record in
order to effectively troubleshoot the issue and cause.
As shown in Figure 35, a Stop message screen has four major sections, which
display the following information:
● Bugcheck information
● Driver information
Bugcheck Information
This Bugcheck information section includes the Stop error number, also
known as the bugcheck code, followed by up to four developer-defined
parameters (enclosed in parentheses) and the symbolic name of the error.
Stop error codes contain a "0x" prefix, which indicates hexadecimal numerical
format. For example, in Figure 35, the Stop error hexadecimal code is
0x000000D1 and its symbolic name is DRIVER_IRQL_NOT_LESS_OR_EQUAL.
Note: Under certain conditions, the kernel cannot fully display all of the
Stop message content; only the first line is visible. This occurs if the
problem has caused video display services to stop functioning.
Driver Information
The Driver information section identifies the driver associated with the Stop
error. If a file is specified by name, you can use Recovery Console or safe
mode to verify that the driver is signed or has a date stamp that coincides
with other drivers. If necessary, you can replace the file manually, or use
Driver Rollback.
Troubleshooting Steps
Once you have gathered the information indicated above, check the
Knowledge Base for any known issues. This will be your main resource for
specific troubleshooting steps. As a rule however, there are some general
troubleshooting procedures you can use in the absence of specific resolution
steps from the KB.
When searching the KB, start with the full information from the bluescreen:
the stop error code, symbolic name, parameters and driver name. If this does
not give you good results, remove the parameters. Then remove the driver
name.
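The Bugcheck and Driver information sections described above, parsed from the technical-information lines of a Stop screen and turned into KB search strings in the narrowing order just given (full details, then without parameters, then without the driver name). This is an added example, not from the original training material; the screen text and the driver name example.sys are constructed, not a captured bluescreen.

```python
"""Parse the Bugcheck and Driver information sections of a Windows XP Stop
screen and build the Knowledge Base search strings in the narrowing order the
text describes (full details, then without parameters, then without the driver
name).  Added example, not from the original training material; the screen text
and the driver name example.sys are constructed, not a captured bluescreen."""
import re

# Constructed Stop screen text.  The "***" lines are the technical information
# block; the symbolic name is the first line the kernel prints.
STOP_SCREEN = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL

A problem has been detected and Windows has been shut down to prevent damage
to your computer.

Technical information:

*** STOP: 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0xF86B5A89)

***  example.sys - Address F86B5A89 base at F86B5000, DateStamp 3dd991eb
"""

# Symbolic names of the Stop codes covered in this module.
KNOWN_CODES = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x0000001E: "KMODE_EXCEPTION_NOT_HANDLED",
    0x0000007B: "INACCESSIBLE_BOOT_DEVICE",
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x000000C2: "BAD_POOL_CALLER",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0xC000021A: "STATUS_SYSTEM_PROCESS_TERMINATED",
    0xC0000221: "STATUS_IMAGE_CHECKSUM_MISMATCH",
}
NAME_TO_CODE = {name: code for code, name in KNOWN_CODES.items()}

# Bugcheck line: "*** STOP: 0x<code> (<up to four hex parameters>)"
STOP_RE = re.compile(r"\*\*\*\s*STOP:\s*(0x[0-9A-Fa-f]{8})\s*\(([^)]*)\)")
# Driver line: "*** <file> - Address <addr> base at <base>, DateStamp <stamp>"
DRIVER_RE = re.compile(
    r"\*\*\*\s*(\S+\.(?:sys|dll|exe))\s*-\s*Address\s+([0-9A-Fa-f]+)", re.I)
# Symbolic name: a line holding only an UPPER_CASE_WITH_UNDERSCORES token
NAME_RE = re.compile(r"^([A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+)\s*$", re.M)


def parse_stop_message(screen):
    """Extract code, parameters, symbolic name and faulting driver.

    When video services died after the first line (the case the text notes),
    only the symbolic name is visible; the code is then recovered from the
    table of known names and everything else stays None."""
    info = {"code": None, "params": [], "name": None,
            "driver": None, "address": None}
    m = STOP_RE.search(screen)
    if m:
        info["code"] = int(m.group(1), 16)
        info["params"] = [int(p, 16) for p in m.group(2).split(",") if p.strip()]
    m = NAME_RE.search(screen)
    if m:
        info["name"] = m.group(1)
    elif info["code"] in KNOWN_CODES:
        info["name"] = KNOWN_CODES[info["code"]]
    if info["code"] is None and info["name"] in NAME_TO_CODE:
        info["code"] = NAME_TO_CODE[info["name"]]
    m = DRIVER_RE.search(screen)
    if m:
        info["driver"], info["address"] = m.group(1), m.group(2).upper()
    return info


def kb_search_terms(info):
    """Search strings from most to least specific: full details first, then
    without the parameters, then without the driver name."""
    code = f"0x{info['code']:08X}" if info["code"] is not None else None
    params = " ".join(f"0x{p:08X}" for p in info["params"]) or None
    stages = (
        (code, info["name"], params, info["driver"]),
        (code, info["name"], info["driver"]),
        (code, info["name"]),
    )
    terms = []
    for parts in stages:
        term = " ".join(part for part in parts if part)
        if term and term not in terms:
            terms.append(term)
    return terms


if __name__ == "__main__":
    parsed = parse_stop_message(STOP_SCREEN)
    print(parsed)
    for term in kb_search_terms(parsed):
        print("search:", term)
```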
Note:
The Last Known Good Configuration is updated at logon. This means that if
the computer successfully loaded the desktop after the problem started, Last
Known Good will not have an earlier configuration.
Note:
Using Last Known Good on the first boot after installing a Service Pack is not
recommended because it will cause a mismatch between the files on the
system and the registry configuration. If this is done, the service pack should
be reinstalled when troubleshooting is complete.
Safe Mode
Safe Mode and Clean Boot Troubleshooting is an essential step when Last
Known Good is not successful. If the computer starts successfully in Safe
Mode, one of the following is causing the problem in Normal Mode:
b. When you locate potentially related updates, note the number for
each, which will be in either KB###### or Q###### format.
d. Repeat the previous step for each update you wish to remove.
f. Use the exit command to restart the computer and check to see if
the issue is resolved. If not, continue troubleshooting.
3. If drivers have been updated recently and the customer knows the
device that was updated, or the driver name installed, you can use the
listsvc and disable commands in Recovery Console to locate and
disable the device.
If only the device name is known, you may need to search the Internet
or search on text in your C:\Windows\Inf folder for clues about the
driver name associated with the device.
Note:
If you still encounter the problem after disabling the driver, check the
\Windows\System32\Drivers folder for drivers with similar names. In
many cases there are related drivers for a component, often these are
filter drivers. If you find drivers with similar names, search the KB and
Internet to make a connection, and then rename or disable that driver
as well.
a. Use the type command to output the text of the setupapi.log file.
b. With the file displayed on screen, hold down the spacebar to scroll
through pages of the file until you reach the end. Examine the last
few lines in the file for clues concerning driver installations.
Note:
This can be a lengthy exercise, which may or may not yield useful
information. Because the setupapi.log file continues to grow in
length after Windows is installed, it may take a while to reach the
end. Also, after reaching the end there is no way to move back up
a page without re-displaying the file and paging down until near
the end.
a. When you find a driver with a recent modified date, search the
Knowledge Base and Internet for clues on what hardware or
software component is supported by the driver.
b. If you want to disable a driver for the next boot, use the disable
command.
6. If you still do not have a clear resolution, you can pursue further
troubleshooting in one of two ways:
This is an option on the F8 boot menu which is new in Windows XP SP2. When
encountering a reboot loop on the computer, use F8 at restart and select the
option to Disable automatic restart on system failure. This causes
Windows XP to halt at a bluescreen error message, rather than automatically
restarting the computer.
Note: It has been reported that in some cases this option may not be
available in the startup menu. To be sure, restart the computer and check
again. This may occur if some of the startup files have not been properly
updated to SP2 level.
Next Steps
When using this option, look for a bluescreen error message. Be sure to
record as much of the detail from the error message as possible in your case
notes. Capturing this data is vital for effective troubleshooting.
Reboots Continue
In the event that the computer continues to reboot in a loop there could be a
more severe hardware issue, or a problem with one or more drivers on the
computer. Use the general troubleshooting procedures provided for stop error
issues, starting with Last Known Good Configuration above.
0x0000000A: IRQL_NOT_LESS_OR_EQUAL
This error message is most often related to one of the following issues:
● Malfunctioning Service
Start the troubleshooting for this issue by attempting to boot to Safe Mode. If
Safe Mode functions properly, continue with the Clean Boot steps in the Stop
Error Troubleshooting section of this document. Focus your troubleshooting on
Services and Device Drivers.
0x0000001E: KMODE_EXCEPTION_NOT_HANDLED
See the section below on 0x0000007E:
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED. The troubleshooting for
0x0000001E is the same as for a 0x7E error.
0x0000007B: INACCESSIBLE_BOOT_DEVICE
This error is typically caused by a failing or missing driver for the hard disk
controller. It is also possible in the case of a boot sector virus infection, a
hardware failure, or corruption on the hard drive. Driver issues are the most
common cause.
0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
These errors typically indicate that a driver or system component encountered
an error that could not be handled by its exception handling routines.
1. Search the Internet and in the Knowledge Base for previous issues
related to that driver. When searching on the Internet, try to discover
what kind of hardware is related to the driver.
2. Also, check your own computer for the driver. If it is on your own
computer, it is likely to be a driver provided with Windows. This would
also suggest that it is not the cause of the problem.
If the above does not provide any change in the behavior, use the Stop Error
Troubleshooting section earlier in this module. If the computer starts in Safe
Mode, focus your troubleshooting on Services and device drivers. If the
computer does not start in Safe Mode, remove non-essential hardware from the
computer and try again.
0x0000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED
See the section above on 0x0000007E:
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED. The troubleshooting for
0x0000008E is the same as for a 0x7E error.
0x000000C2: BAD_POOL_CALLER
This error message is commonly encountered when a driver is malfunctioning.
The best first step in these issues is to boot to Safe Mode. Safe Mode will
function properly when the bugcheck is caused by a non-essential driver, such
as for a printer, scanner or other device. See the Stop Error Troubleshooting
section above for specific troubleshooting steps.
In this particular case, the write problems to this value are causing multiple
failures in the setup process, resulting in this error at the reboot.
For the latest information on resolving this error message, use the steps
provided in the following article:
KB Article: You receive "Stop: c0000135" and "winsrv was not found" errors
after you install Windows XP Service Pack 2 (885523)
0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED
Like the issue below, this error message can result from damaged operating
system files. Even though this error is encountered as a bluescreen, it is
actually the result of a problem in user mode. This can make troubleshooting
more difficult. Perform the same troubleshooting as for the 0xC0000221 error
below.
If this issue occurs at the reboot during a service pack installation, also use
the troubleshooting steps below:
Dir ServicePackFiles\i386\ntoskrnl.exe
Dir ServicePackFiles\i386\ntdll.dll
5. If either of these two files is missing, do not proceed with the following
steps. Perform a manual uninstall using the steps earlier in this
document.
Exit
The computer should restart after using the Exit command. See if the issue
persists. If the issue is not resolved, use the general troubleshooting
procedures to uninstall SP2 and prepare the computer for a reinstall of SP2.
0xC0000221: STATUS_IMAGE_CHECKSUM_MISMATCH
This error message can occur when a system file is damaged during the file
copy stage of a Windows Update or Service Pack installation. Causes could
include:
The error text should include the name of the file that is damaged. Use the
following steps to recover:
If this does not resolve the issue, see if the error message has changed. If it
has changed, perform troubleshooting appropriate for the new error.
If the error has not changed, it is recommended that you perform the
following steps:
2. Make sure you have also used Add or Remove Programs to remove
the service pack. Failing to perform this step can result in instability or
failures in later steps.
6. Reinstall SP2.
Application Errors
Application errors are encountered while working within an application or
during a process driven by an application. Most applications are programmed
with their own error handling to detect and perform recovery from specific
errors. When an application error occurs, generally only the application is
impacted. Common causes of application errors include working
with/accessing corrupt files or memory allocation problems.
User Mode applications and services can also fail. When these components
fail, the failure is usually limited to the component itself, although if the
component fails, other pieces of the system that rely on that component may
also fail. This could cause some loss of functionality on the system. Windows
XP services, as well as Applications and Subsystems, run in User Mode. This is
the type of error most commonly related to application failure.
When a User Mode error occurs, the Error Reporting service displays an alert
stating that Windows XP encountered a problem, as seen in Figure 36.
You should also note that many applications interact with other user-mode
processes and can be extended by add-on features that can share their
memory space. For example, in the case of Internet Explorer, ActiveX®
controls, Browser Helper Objects, tool bands, and other components can add
their own custom functionality to the browser. These components run in the
same memory space as the browser, and could cause Internet Explorer or one
of its components to experience an exception or fault.
Many applications also interact with other parts of your system. For example,
your display driver, display hardware, and installed fonts are used to display
documents in a word processor program. Your printer driver and hardware are
used to print these documents. Other applications may also interact with your
word processor; for example, to exchange data with a spreadsheet program.
These interactions with other software or services can result in unrecoverable
errors in your word processor program.
When these errors occur, the application and associated processes must be
closed.
Figure 37 illustrates the Error Reporting dialog that occurs when a user mode
process or application encounters a fault in Windows XP. As you see, you
have the option to either send the error report to Microsoft or not send it. You
can also use the click here link to see the details of the error and what is
being sent to Microsoft.
The details dialog shown below includes the application name, in this case
iexplore.exe, which is Internet Explorer; the version, which in this case is
6.0; and the module that the fault occurred in, which in this case is
vbscript.dll.
Troubleshooting
Start your troubleshooting by viewing the error details. If the module listed
for ModName is not a Windows file, you may be able to isolate the issue by
removing or disabling any programs, services, or drivers that are associated
with the affected module.
To do so, locate the module file on your hard disk, right-click the file, click
Properties, on the Version tab, and then view the Company box to verify
that the file is a Microsoft file. If not, the Company and Product Version boxes
may indicate which program, service, or driver the file is associated with. If
not, try searching the Internet for information about the file.
When you determine which program, service, or driver the file is associated
with, remove the program, service, or driver to see if the issue is resolved.
For example, to remove a program or service, use the Add or Remove
Programs tool in Control Panel, or contact the manufacturer of the program or
service for information about how to remove it.
If necessary, you can also temporarily rename the file to prevent it from being
loaded. This should only be done in cases where you have verified that the file
is not needed by Windows XP, such as by verifying that it is a third-party file,
or where the file is not present on your own computer.
Error Reporting
Error Reporting in Windows XP is the mechanism that sends error details to
Microsoft for aggregation and analysis. When receiving an error, you are
presented with the interface shown below, with options to Send Error
Report or Don’t Send.
Sending the error report uploads error details for analysis. When an issue
trend appears, the internal Microsoft team that works with these errors can
then investigate further.
If you are encountering an error with a clear resolution, the results of these
investigations are provided after sending the report.
Dr. Watson
Dr. Watson generates an error log when an application is terminated
unexpectedly. Dr. Watson for Windows is an error debugging program that
gathers information about your computer when a program generates an error
(or user-mode fault). By default, the log file created by Dr. Watson is named
Drwtsn32.log and is saved in the following location: \Documents and
Settings\All Users\Application Data\Microsoft\Dr Watson.
For additional information on the Dr. Watson for Windows tool, refer to the
following article:
KB Article: Description of the Dr. Watson for Windows (Drwtsn32.exe) Tool
(308538)
Scenario
A customer calls in reporting that his/her computer crashed while browsing
websites. However, the user was unable to gather the error details.
Dr Watson Details
The Drwtsn32.log file includes the following entry, which helps isolate the
application experiencing the problem:
Safe Mode
Safe Mode and Clean Boot Troubleshooting is an essential step when you can
find no clear resolution steps. If the problem does not occur in Safe Mode or
Safe Mode with Networking, one of the following is causing the problem in
Normal Mode:
Machine
The machine-based files, which are the files that store the pieces of the
Registry that define how the operating system is configured, are located in
the following directory: %windir%\System32\Config.
User
User-based Registry files are stored in each user profile under \Documents
and Settings\<username> as an NTUser.dat file.
In addition there are two special user registry files. The NTUser.dat file in
\Documents and Settings\Default User is used to generate new user profiles
on the computer. The first time a new user logs on, this file is copied to
\Documents and Settings\<new username> and used subsequently to store
that user’s settings.
There is also a registry file that contains user settings that apply to the
machine as a whole. Although this sounds confusing, it means that when no user
is logged on, user-based configuration settings such as the desktop background
and screen saver must still be available. The file named default in
%windir%\System32\Config contains these settings.
Registry Structure
The registry consists of top level hives, containing keys, which contain values
and other keys.
Hives
The Registry is based on several top level structures known as hives. These
hives are:
Keys
Registry keys are containers for values and other keys. They have a nested
structure just like a folder structure on a drive. They also have permissions
just like file system objects on an NTFS drive. They are displayed in Registry
Editor as folders. “HKEY_LOCAL_MACHINE” is highlighted, and you can see
the sub-keys beneath it.
Values
Values are containers for value data and are the terminal elements in the
Registry. They are represented as files in Registry Editor, and they contain
the value data, which is the element of the Registry that stores the actual
setting. There are several different value types:
● REG_SZ is a text string. This is commonly used for things like a path to
a file or text that would be represented as a message on screen and
other descriptions.
They are shown in the type column of Registry Editor on the right-hand side
so when you are examining each value, you can see the value type. The types
are important because if you insert a Registry value as the wrong type, it may
not be processed by the component that you are trying to configure.
Use caution when editing the Registry. Changes that you make are made
immediately—there is no Undo feature in Regedit. Incorrectly editing the
Registry can cause your system to become unbootable or cause programs to
be unable to run.
The safest way to edit the Registry is to make a backup first. With a backup,
you can always recover to the situation that you were in before. (You can also
use System Restore to do this. If you save a System Restore Point just before
making a change, you can use System Restore in Safe Mode to restore your
computer, including the Registry, back to the state that you were just in.)
Also, use the techniques for testing and modifying the Registry on a test
computer for troubleshooting.
Search
You can also Search for text within the Registry. Use the Search feature on
the File menu to search for the key you need.
Favorite Keys
You can save Favorite Keys, which are similar to Internet Explorer favorites—
they store a path to a favorite location. If you commonly find yourself
examining a certain key, you can save it in your favorites and then navigate
back to it easily.
Load Hive
You can also load a hive. Once you have exported a hive file, or if you simply
want to open one of the top-level Registry files, you can choose the Load Hive
option on the File menu. This is only available when “HKEY_LOCAL_MACHINE”
or “HKEY_CURRENT_USER” is selected.
Connect
You can also connect to a remote Registry. When you connect to a remote
machine in Registry Editor, you only have access to “HKEY_LOCAL_MACHINE”
and “HKEY_USERS” keys.
To import a .REG file, you can either use the Import option from the File
menu in Regedit, or you can double click the .REG file. The .REG file has an
association with Registry Editor that automatically causes the values in that
.REG file to be inserted into the Registry. When you do this with a .REG file, it
imports the settings into the same key as the original. If you have exported,
for example,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion, and
then you import that into another computer, it will be imported to the same
key as the original computer,
HKLM\Software\Microsoft\Windows\CurrentVersion.
The alternative is to use a hive file for import. If you import a hive file, which
can only be done from the Import option in the Registry Editor, it is going to
import that hive to the currently selected key. The advantage here is that if
you want to compare a branch in the Registry from a customer’s computer
with one in a test computer, you can create a new key that is similar in name
to the test key.
Be aware that not all Registry values take effect immediately. Some portions
of the Registry are processed only during start up, during user logon, or when
an application is started. In these cases, you need to know when the changes
will take effect. To be sure that everything takes effect, restart the
computer.
Prune and Graft involves exporting part of the Registry of one computer
(Pruning), and applying this to the Registry of a test computer (Grafting).
This can be done to pull a section of the Registry of a failing computer for
application on a test computer to reproduce an issue. In this case, the
process can be helpful for isolating sections of the Registry to determine
where the problem exists. The process can also be done to take a section of
the Registry on a good computer and apply it to a failing computer. In this
case, the test is performed both to isolate where the issue may exist, as well
as to test potential resolutions to the problem.
● Compare keys on the bad computer with known good keys on a test
computer
For issue reproduction, you can typically export the keys from a bad
computer as .REG files. These are easily applied to a test computer, and do
not remove any subkeys or values that exist on the test computer but not on
the bad computer. This is in contrast with using a hive file, which replaces
the target Registry key on the test computer, removing all keys and values not
present on the bad computer.
If you wish to compare settings side-by-side, export from the bad computer
as a hive file, and then import the hive to an adjacent key on the test
computer. For example, if you are exporting HKLM\System\CurrentControlSet
on the bad computer, create an HKLM\System\CurrentControlSetX on the test
computer. Then import the hive file to this key. This will enable you to
compare settings easily.
When you have identified the affected keys or values, check the failing
computer to determine what type of Registry export will work for the
situation. If you need to delete keys or values, you will need to use a hive file.
Otherwise, using .REG files offers an easier import process.
IMPORTANT: You should not send .REG files from your computer to a
customer for them to import on their own computer. This can lead to
problems because of potential differences between machine configurations. It
is better to use this technique to isolate the specific cause of the problem so
that you can then edit the specific registry keys and values to resolve the
issue.
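An added example (not from this module) that compares a .REG export from a failing computer with one from a test computer and models the plain .REG import behaviour described above, in which extra values on the target survive; it assumes Registry Editor version 5.00 syntax, and both sample exports are constructed.

```python
"""Compare two exported .REG files (failing computer vs known-good test
computer) and model a plain .REG import, which adds or overwrites values
but never removes extras. Added example; assumes .REG 5.00 syntax."""

RegTree = dict[str, dict[str, str]]  # key path -> {value name: raw data text}

# Constructed sample exports, not taken from any real computer.
BAD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Contoso\\upd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Settings]
@="Contoso"
"Enabled"=dword:00000000
"Blob"=hex:01,02,\
  03,04
"""
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Settings]
@="Contoso"
"Enabled"=dword:00000001
"Blob"=hex:01,02,03,04
"Timeout"=dword:0000001e
"""


def split_value_line(line: str) -> tuple[str, str]:
    """Split '"name"=data' into (name, data); '@' is the default value ("")."""
    if line.startswith("@="):
        return "", line[2:]
    i, name = 1, []
    while i < len(line) and line[i] != '"':
        if line[i] == "\\":  # \" and \\ are escapes inside the name
            i += 1
        name.append(line[i])
        i += 1
    return "".join(name), line[i + 2:]  # skip the closing quote and '='


def parse_reg(text: str) -> RegTree:
    """Parse [key] headers and value lines, joining backslash-continued data."""
    tree: RegTree = {}
    key, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.endswith("\\"):  # hex data continued on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            tree.setdefault(key, {})
        elif key is None:
            raise ValueError(f"value before any [key] header: {line!r}")
        else:
            name, data = split_value_line(line)
            tree[key][name] = data
    return tree


def diff_reg(bad: RegTree, good: RegTree) -> dict[str, list]:
    """Report keys/values present on one side only, and values whose data differs."""
    rep = {"only_in_bad": [], "only_in_good": [], "changed": []}
    for key in sorted(set(bad) | set(good)):
        if key not in bad or key not in good:
            rep["only_in_bad" if key in bad else "only_in_good"].append(key)
            continue
        for name in sorted(set(bad[key]) | set(good[key])):
            b, g = bad[key].get(name), good[key].get(name)
            label = f"{key}\\{name or '@'}"
            if b is None:
                rep["only_in_good"].append(label)
            elif g is None:
                rep["only_in_bad"].append(label)
            elif b != g:
                rep["changed"].append((label, b, g))
    return rep


def apply_reg_import(target: RegTree, exported: RegTree) -> RegTree:
    """Model a plain .REG import: adds/overwrites values, never removes extras."""
    merged = {k: dict(v) for k, v in target.items()}
    for key, values in exported.items():
        merged.setdefault(key, {}).update(values)
    return merged
```

Running diff_reg on the two constructed exports shows the Enabled value differing, Timeout present only on the test computer, and the Run key present only on the failing computer; apply_reg_import then shows Timeout surviving the merge.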
Registry monitoring tools provide information on the keys and values that
applications modify or read in order to function properly. These come in two
types:
Regmon
Regmon is an application that monitors and displays all Registry activity on a
system in real-time. It has advanced filtering and search capabilities that
make it a powerful tool for exploring the way Windows works, seeing how
applications use the Registry, or tracking down problems in system or
application configurations.
Usage
Simply run the Regmon GUI (Regmon.exe) on Windows NT/2000/XP/2003.
Note: You must have administrative privileges to run Regmon. Menus, hot
keys, or toolbar buttons can be used to clear the window, save the monitored
data to a file, and filter and search the output.
As events are printed to the output, they are tagged with a sequence number.
If Regmon’s internal buffers are overflowed during extremely heavy activity,
this will be reflected with gaps in the sequence number.
• Time – Timestamp
• Process – Indicates the process that has the open handle to the Registry path
• Request – Action that the process is undertaking
• Path – Registry path being accessed
• Result – Result of the request (SUCCESS, ACCDENIED, NOTFOUND, etc.)
• Other – Additional information including key values, names, and GUID
information
Although Regmon contains its own filtering options, most Regmon logs will be
viewed as log files saved by the Customer. By loading these log files into
Microsoft Excel, you can accomplish the same tasks by using Excel’s filtering
options, using the same methods as applied to reports provided in MPS
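As an added example (not from this module or from Regmon), a Python script that parses a saved Regmon log into the columns listed above, flags gaps in the sequence numbers that indicate dropped events, and filters by Result or Process much as you would with Excel filters; it assumes the saved log is tab-separated with the sequence number as the first column, and the sample log lines are constructed.

```python
"""Triage a saved Regmon log offline: parse the columns the text lists,
flag sequence-number gaps (events dropped when Regmon's buffers overflow)
and filter by Result or Process, as one would with Excel's filters.
Added example, not part of the training module or Regmon itself. It
assumes the saved log is tab-separated with the sequence number first."""
from dataclasses import dataclass

# Constructed sample log, not a real capture. Sequence number 4 is absent
# to simulate a buffer overflow during heavy activity.
SAMPLE_LOG = """\
1\t0.00000000\texplorer.exe:1480\tOpenKey\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tSUCCESS\tKey: 0xE1A2B3C4
2\t0.00001200\texplorer.exe:1480\tQueryValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\tNOTFOUND\t
3\t0.00002100\tcontoso.exe:2204\tOpenKey\tHKLM\\Software\\Contoso\\Settings\tSUCCESS\tKey: 0xE1A2B3D0
5\t0.00004400\tcontoso.exe:2204\tSetValue\tHKLM\\Software\\Contoso\\Settings\\LicenseKey\tACCDENIED\t
6\t0.00005000\tcontoso.exe:2204\tCloseKey\tHKLM\\Software\\Contoso\\Settings\tSUCCESS\t
"""


@dataclass
class RegmonEvent:
    seq: int
    time: str      # Time: timestamp
    process: str   # Process: "name:pid" holding the handle
    request: str   # Request: OpenKey, QueryValue, SetValue, ...
    path: str      # Path: registry path being accessed
    result: str    # Result: SUCCESS, ACCDENIED, NOTFOUND, ...
    other: str     # Other: key handle, value data, GUIDs


def parse_regmon_log(text: str) -> list[RegmonEvent]:
    """Parse one tab-separated event per line; an empty Other column is fine."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            raise ValueError(f"malformed Regmon line: {line!r}")
        fields += [""] * (7 - len(fields))
        events.append(RegmonEvent(int(fields[0]), *fields[1:7]))
    return events


def sequence_gaps(events: list[RegmonEvent]) -> list[tuple[int, int]]:
    """Return (last_seen, next_seen) pairs wherever sequence numbers jump."""
    gaps, prev = [], None
    for ev in events:
        if prev is not None and ev.seq != prev + 1:
            gaps.append((prev, ev.seq))
        prev = ev.seq
    return gaps


def filter_events(events, result=None, process=None):
    """Keep events matching a Result code and/or a process image name."""
    keep = []
    for ev in events:
        if result and ev.result != result:
            continue
        if process and ev.process.split(":")[0].lower() != process.lower():
            continue
        keep.append(ev)
    return keep


def summarize(text: str) -> dict:
    """One-shot triage: event count, dropped-event gaps, every non-SUCCESS result."""
    events = parse_regmon_log(text)
    return {
        "events": len(events),
        "gaps": sequence_gaps(events),
        "failures": [(e.process, e.request, e.path, e.result)
                     for e in events if e.result != "SUCCESS"],
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(name, value)
```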
Windows could not start because the following file is missing or corrupt:
\Windows\System32\Config\Software
Windows could not start because the following file is missing or corrupt:
\Windows\System32\Config\System
Note that in some cases this message may be garbled due to video display
refresh issues, appearing as:
Windows could not start because the following file is missing or corrupt:
\Windows\System32\Config\Systemced
Considerations
In a typical case of registry corruption the operating system is in a static
condition. With cases of corruption that occur during or after a service pack
installation it is important to ensure that the end-state you reach after
troubleshooting has matched registry and operating system files. Leaving the
customer in a configuration with an SP1 registry, but SP2 files is not
recommended as it could lead to system instability. The following
considerations are vital:
In cases of registry corruption at the reboot during SP2 installation, the files
are in the following state:
● The procedures in this module are sourced from the following article:
KB Article: How to recover from a corrupted registry that prevents
Windows XP from starting (307545)
These steps have been streamlined and adjusted to target recovery scenarios
where the Repair registry does not match the SP level of current operating
system files.
Precautions
Potential for Malware Infection = Medium
There is some risk of infection during this process, because you will be
starting the computer with a registry that does not reflect changes made by
recent security updates. As a result you should take the following precautions
before continuing.
1. Disconnect the computer from the Internet and from any other
Network connection.
Note: If the computer uses a Wireless connection, remove the
wireless network adapter (where possible), or disable it if the
computer has an internal adapter but offers an On/Off switch. In the
event that the adapter cannot be easily removed or disabled, disable
the Access Point for the network until reaching the end of these steps.
2. When all of the recovery steps below are complete, configure all
Network Connections to use Internet Connection Firewall as a
precaution before connecting to the network or Internet.
Recovery Steps
To restore the computer to a stable condition, perform the following actions:
1. Use Repair Hives: Replace current registry hives with those from
%windir%\Repair.
4. Use Restore Point Hives: Replace current registry hives with those
from the folder created in the previous step.
The steps in this section should enable the computer to boot, but applications
installed since the Repair registry hives were last saved will likely not
function. You may also encounter
cd \windows\system32\config
cd \
cd windows\repair
2. This next step checks the date and time on the files in the Repair
folder. It is important to determine how recently these files were
updated. They could be unchanged since Windows XP was originally
installed.
dir
3. Note the date the files were modified for use later.
4. Continue with the copy of files from the Repair folder to the Config
folder using the following commands:
In the event that you cannot log on, use the Administrator account, which
does not have a password set by default.
4. Under Hidden files and folders, click to select Show hidden files and
folders, and then click to clear the Hide protected operating
system files (Recommended) check box.
5. Click Yes when the dialog box that confirms that you want to display
these files appears.
Note: This folder contains one or more _restore {GUID} folders such
as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".
If you receive the following error message, use the steps below to add
the current user to the permissions for the folder. Otherwise proceed
to step 8 below.
b. Click the Security tab, which will display an interface such as that
shown below.
8. In the GUID folder, open a folder that was created recently. You may
need to click Details on the View menu to see when these folders
were created. There may be one or more folders starting with “RP x”
under this folder. These are restore points.
10. From the Snapshot folder, copy the following files to the
C:\Windows\Tmp folder:
_REGISTRY_USER_.DEFAULT
_REGISTRY_MACHINE_SECURITY
_REGISTRY_MACHINE_SOFTWARE
_REGISTRY_MACHINE_SYSTEM
_REGISTRY_MACHINE_SAM
cd system32\config
copy c:\windows\tmp\software
copy c:\windows\tmp\system
copy c:\windows\tmp\sam
copy c:\windows\tmp\security
copy c:\windows\tmp\default
The computer should start in Normal Mode, and the most recent passwords
should be functional again.
Summary
The above steps have ensured that the final state of the computer has
matching files and registry configuration.
Remote Assistance
Remote Assistance is a support feature offered in Windows XP that gives
customers the ability to allow support personnel or another user to assist
them. The Helpee is able to give the Helper control of their machine in real
time. Built on Terminal Services technology, the Remote Assistance tool does
this by using a Terminal Services session running on the user’s machine.
Creating an invitation
The Start a Help Session Wizard starts and collects the following information:
● Messenger
After the User clicks Send, the Start a Help Session Wizard uses MAPI calls to
send an email with an attachment to the Helper’s email address. The Password
is not sent in the invitation – it should be sent separately.
Using an Invitation
The attachment will initiate a session-based connection with the User’s
machine when launched on a Windows XP machine. After a Helper executes
the attachment, the User is prompted to allow the Helper to connect. After
the User accepts the connection Help and Support Services opens on the
Helper’s machine and the User’s desktop can be viewed remotely by the
Helper.
Taking Control
The Helper can then click the Take Control button, and the User will be
prompted to give control to the Helper. After the User allows the session to
begin, the Helper will be able to control the User’s mouse and keyboard,
similar to using the Terminal Services Client.
Session Considerations
You can use voice communications by clicking on the Start Talking button, or
you can chat using the MSN messenger client. Windows XP automatically
adjusts settings to combat bandwidth issues by changing screen resolution to
800x600x16bit and turning off Wallpaper.
The Offer Remote Assistance feature is not a viable option for most home-
based networks. This feature will be disabled by default and can only be
enabled through unattend.txt or via policy.
This feature requires the computer of the expert user as well as the computer
of the novice user to be members of the same domain, or members of trusted
domains.
If you disable or do not configure this policy setting, users or groups cannot
offer unsolicited remote assistance to this computer. By default this setting is
“Not Configured.”
Can allow input from multiple users in the same session.
Allows only one user input in the same session.
In many ways, Remote Desktop and Remote Assistance are very much alike.
They are both capable of providing a remote control session for a computer
for a user who is not at the physical location of the machine. They are both
built on the Terminal Services architecture. They both require permission to
establish a session, and either session type can be terminated from either
machine. Despite all those similarities, they are quite different.
Remote Desktop
● Remote Desktop is designed for frequent accesses by an individual or
small group of users.
Remote Assistance
● Remote Assistance is intended for one-time or infrequent access for
troubleshooting and resolving a problem, or demonstrating a technique.
With Remote Assistance, the user of the remote machine must create an
access Invitation and send it to the person who is being granted Remote
Assistance rights. This Invitation has a limited life and has a password created
specifically for the invitation. After the life of the invitation expires, a new
invitation is required for launching a session.
Initiating a Session
With Remote Desktop, the customer need only double-click their saved
connection to launch a session. If their account password is correct, the
session is established. No human activity is needed at the remote location.
With Remote Assistance, the customer must execute the invitation they were
sent, and enter the password. The user of the remote machine must then
accept the request for a Remote Assistance session. For that reason, there
are always two people involved with Remote Assistance.
With Remote Assistance, every aspect of the session is visible on the remote
screen. This is by design, since the intent is for a potential stranger to be
manipulating the machine. The owner will want to watch the process, and to
learn by watching how the expert approaches the problem. He may also need
to collaborate with the remote expert, which he can do from the physical
console.
With Remote Assistance, the user at the remote computer can terminate the
session by pressing a key or clicking a button. This provides an increased
level of comfort for persons leery of allowing remote control of their machine.
Remote Assistance
Both users can manipulate mouse and keyboard during the same session.
This could lead to some inefficiencies.
Summary
Remote Assistance is ideal for:
● One-time accesses
Frequent accesses
If you receive error message “The Remote Server machine does not exist or is
unavailable,” check for connectivity on both ends.
If you receive error message “A program could not start. Please try again,”
check that the group policy for Offer Remote Assistance is set on the Novice.
Connections
Network Address Translation devices, or NATs, are a potential source of
connection issues for Remote Assistance.
A NAT acts as an agent for its clients, communicating on the network on their
behalf. It uses its own IP address for all communication, and routes the
session communication of the clients back to them on what’s known as a
“private” network. With this arrangement, the IP addresses and machine
names of the client machines are never exposed on the public side of the
NAT.
If the Expert is behind the NAT, but the Novice is not, the connection will
succeed. Since the Expert initiated the session by traversing outbound
through the NAT, the external Novice machine’s responses will be returned to
the Expert through the session established through the NAT.
In short, it will work if initiated in one direction, but not in the other. If both
machines are behind NATs, Remote Assistance cannot be used.
When we were examining the Invitation creation process, it was noted that
the Novice machine will query for the existence of a UPnP NAT on its network.
We’ll now see why.
If a UPnP NAT is found, Remote Assistance will request the external, or public
side, IP address of the NAT. It will also request that an external port be
routed to port 3389 on the Novice machine. The UPnP NAT sends the IP
address and port number to Remote Assistance, and establishes the port
mapping. Remote Assistance then enters that information into the Invitation.
This was configured automatically. The Novice may not even know he’s
behind a NAT.
If the NAT is not a UPnP device, it will not respond to the configuration
request of the Remote Assistance Invitation creation process. Since it has not
created a mapping or provided its external IP address, that information
cannot be entered into the Invitation.
The connection request will fail since the Novice machine cannot be contacted
from outside the NAT. All is not lost. There are ways around this problem.
Resolving the issue requires creation of a new Invitation and establishing the
Remote Assistance session before logging off or rebooting.
Resources
● KB Article: You Cannot Start a Remote Assistance Session Because the
Start Remote (814337)
● KB Article: Permission Denied Error When You Are Using Offer Remote
Assistance (310629)
Preserving the customer’s data is your top priority. There is nothing more
damaging to a customer’s experience with support, and to their satisfaction
with Windows and with Microsoft, than data loss. As a result, make sure that
you clearly understand the potential consequences of each action before
performing your troubleshooting. If you are not sure whether data loss could
occur from a troubleshooting step, get assistance to verify the safety of that
action before proceeding.
● Faulty hardware is causing the issue, and this could cause data
corruption.
● Customer performs a repair of the O/S and this fails during the repair
process.
● Using Chkdsk to fix issues on the disk. In the event that files are
damaged, they can be deleted or truncated in this process.
○ System event log, Event ID: 51, Source: Disk: “An error was detected on
device \Device\Harddisk1\DR1 during a paging operation.”
While the above list is not comprehensive, you can see that there is a range
of issues where the potential for lost or corrupt data is high. Becoming
familiar with the types of issues listed above will help you best advise the
customer on when they may want to stop before further troubleshooting to
ensure that they have a safe backup copy of all critical data on the computer.
Again, the list above is not comprehensive, but it should give you an
indication of the type of issues that carry the potential for lost data. When in
doubt, get assistance before proceeding with troubleshooting.
Setting Expectations
When data loss is possible, we recommend that the customer back up any
data they have before continuing. If they continue and the data is indeed
lost, we recommend that they take the computer to a data recovery
specialist.
Standard Disclaimers
REGISTRY DISCLAIMER:
Modifying REGISTRY settings incorrectly can cause serious problems that may
prevent your computer from booting properly. Microsoft cannot guarantee
that any problems resulting from the configuring of REGISTRY settings can be
solved. Modifications of these settings are at your own risk.
BIOS DISCLAIMER:
Modifying BIOS/CMOS settings incorrectly can cause serious problems that
may prevent your computer from booting properly. Microsoft cannot
guarantee that any problems resulting from the configuring of BIOS/CMOS
settings can be solved. Modifications of the settings are at your own risk.