6.2. Specific Software Issues

Once you start peeking under the hood of Windows XP, you'll notice some of the tools that have been included to help the system run smoothly. Some of these tools actually work, but it's important to know which ones to use and which ones are simply gimmicks. A good example is System Restore, a feature intended to solve certain file-version conflicts automatically; its brute-force method often ends up causing more problems than it solves. See the discussion of System Restore later in this chapter for details.

Here are some software-specific issues that should help you solve most problems with Windows XP and the applications that run on it.

6.2.1. Patching Windows with Windows Update

If software manufacturers waited until their products were completely bug-free before releasing them, then we'd all still be using typewriters.

Windows XP has a fairly automated update system, wherein patches to the operating system that Microsoft considers to be important are made available on their web site and, by default, automatically downloaded and installed on your computer.

Just open Internet Explorer (other web browsers won't work) and visit http://www.windowsupdate.com (or choose Windows Update from Internet Explorer's Tools menu). Click Scan for updates to compile a list of the updates you haven't yet installed, from which you can selectively download the ones you want or need.

This is a fairly straightforward procedure, and one you should do regularly. Here are a few tips to improve your experience with this tool:


Disable automatic Windows Update

Depending on your settings, Windows XP may routinely activate the Windows Update feature to scan for and download updates to Windows XP automatically. If you have a fast Internet connection and usually don't remember to check for updates yourself, you'll probably want this feature turned on. However, if you already check for updates and would rather not have Windows interrupt you while you work, you'll probably want to disable automatic updating by opening Control Panel and switching off the Automatic Updates feature.

Even if you've enabled full automatic updating, Windows XP may only install critical updates. It's a good idea to check with Windows Update manually to make sure the updates you want are installed.


See the "Block Service Pack 2" sidebar for a way to take advantage of automatic updates without automatically updating Microsoft's Service Packs.

Block Service Pack 2

Microsoft distributes its service packs through the Windows Update service. This means that if you have the Automatic Updates feature enabled, your system may download and install SP2 (or a subsequent Service Pack) without your knowledge or express permission. This can cause serious problems, both in the installation process itself and in the subsequent use of the new version of Windows.

(Service Pack 1, released in 2001, gained an unfavorable reputation for the fact that this 250+ megabyte update was automatically installed on many Windows XP systems, whether or not your computer had sufficient free disk space.)

Fortunately, there's a way to block Windows Update, at least temporarily, from installing Service Pack 2 on your system:

  1. Open the Registry Editor (described in Chapter 3).

  2. Expand the branches to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows.

  3. If it's not already there, add a new subkey to this branch (Edit → New → Key) and name it WindowsUpdate.

    Open the new WindowsUpdate key.

  4. Add a new DWORD value (Edit → New → DWORD Value) and name it DoNotAllowXPSP2.

    Double-click the new DoNotAllowXPSP2 value and type 1 for its data. Click OK and close the Registry Editor when you're done.

Now, here's the catch: Microsoft will only respect this setting until April 12, 2005. After that time, Windows XP SP2 will be "delivered" (as Microsoft puts it) to all Windows XP and Windows XP Service Pack 1 systems.

In order to block Service Pack 2 permanently, you'll have to disable the Automatic Updates feature, and then subsequently only install updates by manually visiting the Windows Update web site.



Dealing with missing files

During the installation of updates, Windows may occasionally inform you that it can't find one or more files. This, of course, is a bug in the installer, but the workaround is easy. Open a Search window (see Section 2.2.7), and type the name of the specified file in the All or part of the file name field. If the file is already on your hard disk, it will show up in the search results; just type the full path of the folder containing the file into the Copy files from field, and click OK (or Retry). In most cases, such files will already be on your system, typically in the \Windows\System32 and \Windows\System32\drivers folders.


Whether or not to install Driver Updates

For the most part, it's a good idea to install all of the updates in the Critical Updates and Windows XP categories, but use your judgment when installing items in the Driver Updates category. The drivers recommended here (typically only for devices already using a Microsoft driver) may be older than the ones you're using, or may even be inappropriate for your hardware. If Windows Update is recommending a driver update, check with the manufacturer of the corresponding device and install their latest driver instead.


Managing Windows Updates for a large number of computers

If you're a system administrator and are responsible for a large number of Windows XP machines, you may not want your users to have access to Windows Update. Otherwise, you may have to deal with increased network traffic whenever a new update becomes available, and you may have to clean up the mess left behind by a bad update.

The solution lies in Microsoft's Software Update Services (SUS), a system by which administrators can deploy critical updates to their Windows XP and Windows 2000-based systems. More information on SUS can be found at http://www.microsoft.com/windows2000/windowsupdate/sus/.

One other way to prevent your users from accessing the Windows Update site is to set up firewall rules to restrict access to the server. You can also set up the hosts file on each computer to redirect any requests to www.windowsupdate.com and windowsupdate.microsoft.com to a different location, as described in Section 7.4.4.


Download updates for installation on other computers

If you have more than one XP machine to update, you may not want to download the same updates again and again. Start by loading Windows Update, as described earlier. Then, click Personalize Windows Update on the left side and turn on the Display the link to the Windows Update Catalog under See Also option. Finally, click Windows Update Catalog (which should now appear to your left) to enter the catalog and selectively download self-installing updates.

6.2.2. What to Do when Windows Won't Start

Unfortunately, Windows's inability to start is a common problem, usually occurring without an error message or any obvious way to resolve it. Sometimes you'll just get a black screen after the startup logo, or your computer may even restart itself instead of displaying the desktop. Of the many causes of this problem, most involve hardware drivers, conflicts, or file corruption, all of which are discussed elsewhere in this chapter.

In previous versions of Windows, up until Windows 98, one could start a DOS session before loading Windows, which was a gateway to several effective troubleshooting techniques. In Windows XP, this lifeline is gone, but, fortunately, there are several other tools in place to take up the slack:


Windows Recovery Console

The Windows Recovery Console, discussed later in this chapter, is a way to repair your operating system or boot manager. It also lets you delete or replace system files, something not possible from within Windows. Use the WRC when Windows won't start at all.


Safe Mode with Command Prompt

The Safe Mode with Command Prompt, explained in Section 2.2.6, is somewhat of a hybrid of the Windows Recovery Console and a standard Command Prompt window. (It's also described later.) Use it to effect minor repairs when the Windows Recovery Console is overkill.

In either case, you'll get a Command Prompt interface that allows you to copy, move, rename, or delete files, as well as start certain programs. The specific steps you take depend on what you're trying to accomplish.

If you don't know where to start, you'll probably want to scan your hard disk for errors, since corrupted files can prevent Windows from loading. See Section 6.2.6, later in this chapter, for details.

The other choice you have, instead of using one of these Command Prompt variants, is to use one of Windows's built-in troubleshooting startup modes. Press the F8 key when Windows begins to load (or during the Boot Manager menu, if you're using a dual-boot system, as described in Chapter 1). You'll see a menu with the following choices:


Safe Mode (also with Networking support or Command Prompt)

This forces Windows to start up in a hobbled, semifunctional mode, useful for troubleshooting or removing software or hardware drivers that otherwise prevent Windows from booting normally.


Enable Boot Logging

This starts Windows normally, except that a log of every step is recorded into the ntbtlog.txt file, located in your \Windows folder. If Windows won't start, all you need to do is attempt to start Windows with the Enable Boot Logging option at least once. Then, boot Windows into Safe mode (or Safe mode with Command Prompt) and read the log with your favorite text editor (or Notepad). The last entry in the log is most likely the cause of the problem.


Enable VGA Mode

Start Windows normally, but in 640 × 480 mode at 16 colors. This is useful for troubleshooting bad video drivers or incorrect video settings, since it boots Windows with the most compatible display mode available.


Last Known Good Configuration

This starts Windows with the last set of drivers and Registry settings known to work. Use this if a recent Registry change or hardware installation has caused a problem that prevents Windows from starting.


Directory Services Restore Mode

Used only if your computer is a Windows NT domain controller.


Debugging Mode

This option, typically of no use to end-users, sends debug information to your serial port to be recorded by another computer.


Start Windows Normally

Use this self-explanatory option to continue booting Windows normally, as though you never displayed the F8 menu.

Lastly, you should look for error messages, both fleeting ones that quickly disappear, and ones displayed when the Windows startup procedure comes to a screeching halt. See the next section for details.
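As an added example (not code from the book), here is a small Python script that applies the Enable Boot Logging advice above to a constructed ntbtlog.txt: it splits the file into boot attempts, lists the drivers that failed to load in the latest one, separates new failures from drivers that fail on every boot, and reports the final entry as the likely culprit. The header-line layout of the sample and the UTF-16 decoding in read_ntbtlog are assumptions; the "Loaded driver" and "Did not load driver" prefixes are the ones Windows writes.

```python
LOADED = "Loaded driver "
FAILED = "Did not load driver "

# Constructed sample: two boot attempts appended to one ntbtlog.txt. The header
# lines are an assumption about the real file's layout. The second attempt stops
# right after a driver loads, the pattern left when a bad driver hangs the boot.
SAMPLE_NTBTLOG = r"""
Service Pack 2 10 21 2004 18:45:12.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Loaded driver \SystemRoot\System32\Drivers\Mup.sys
Service Pack 2 10 22 2004 08:02:31.187
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Did not load driver \SystemRoot\System32\DRIVERS\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\badvideo.sys
"""


def read_ntbtlog(path):
    """Read the boot log from disk. Assumed here: a file starting with a
    byte-order mark is UTF-16 (how Windows writes this log); anything else
    is treated as single-byte ANSI text."""
    with open(path, "rb") as f:
        data = f.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def split_boot_sessions(text):
    """Split the log into boot attempts. Windows appends a fresh run to the
    file on every logged boot, so any line that is not a driver entry is
    taken as the header that opens a new attempt."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        is_entry = line.startswith((LOADED, FAILED))
        if not is_entry or not sessions:
            sessions.append({"header": "" if is_entry else line, "entries": []})
        if is_entry:
            sessions[-1]["entries"].append(line)
    return sessions


def strip_prefix(entry):
    """Return just the driver path from a 'Loaded'/'Did not load' line."""
    return entry[len(LOADED):] if entry.startswith(LOADED) else entry[len(FAILED):]


def summarize_last_boot(text):
    """Report on the most recent boot attempt: what loaded, what did not,
    which failures are new compared with earlier attempts (a driver that
    fails on every boot, such as a floppy controller that isn't there, is
    noise), and the final entry, which the chapter singles out as the
    likeliest culprit. Returns None for an empty log."""
    sessions = split_boot_sessions(text)
    if not sessions:
        return None
    last = sessions[-1]
    earlier_failures = {
        strip_prefix(e).lower()
        for s in sessions[:-1] for e in s["entries"] if e.startswith(FAILED)
    }
    loaded = [strip_prefix(e) for e in last["entries"] if e.startswith(LOADED)]
    failed = [strip_prefix(e) for e in last["entries"] if e.startswith(FAILED)]
    last_entry = last["entries"][-1] if last["entries"] else None
    return {
        "attempts": len(sessions),
        "header": last["header"],
        "loaded": len(loaded),
        "failed": failed,
        "new_failures": [d for d in failed if d.lower() not in earlier_failures],
        "suspect": strip_prefix(last_entry) if last_entry else None,
    }


if __name__ == "__main__":
    report = summarize_last_boot(SAMPLE_NTBTLOG)
    print("boot attempts in log:", report["attempts"])
    print("failed to load:", ", ".join(report["failed"]) or "none")
    print("new failures:", ", ".join(report["new_failures"]) or "none")
    print("last entry (likely culprit):", report["suspect"])
```

On a real system, pass read_ntbtlog(r"C:\Windows\ntbtlog.txt") to summarize_last_boot instead of the constructed sample.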

6.2.3. Error Messages During Startup

You may have seen a strange message when loading Windows, either during the display of the Windows logo screen or after the taskbar appears. Many different things can cause this, but there are a few common culprits. If you're having trouble starting Windows, see Section 6.1.1 earlier in this chapter.


A driver won't load

When Windows starts, it loads all of the installed drivers into memory. A driver may refuse to load if the device for which it's designed isn't functioning or turned on, if there's a hardware conflict, if the driver itself isn't installed properly, or if the driver file is misconfigured or corrupted in some way. If you remove a device, make sure to take out the driver file as well; even if it isn't generating an error message, it could be taking up memory. See Section 6.3 later in this chapter.


A program can't be found

After Windows loads itself and all of its drivers, it loads any programs configured to load at startup. These include screen savers, scheduling utilities, Palm HotSync software, all those icons that appear in your notification area (tray), and any other programs you may have placed in your Startup folder or that may have been configured to load automatically in the system Registry. If you removed an application, for example, and Windows continues to attempt to load one of its components at startup, you'll have to remove the reference manually. See Section 6.2.4 later in this chapter for details.


A file is corrupt or missing

If one of Windows's own files won't load and you're sure it isn't a third-party driver or application, you may actually have to reinstall Windows to alleviate the problem. I'll take this opportunity to remind you to back up frequently.

An error message of this sort will usually include a filename. To help isolate the problem, write down the filename when you see the error message, and then try searching your hard disk for the reported file, as well as looking for places where the file may be referenced (see Section 6.2.4 later in this chapter for details). If you don't know what the error means exactly, you should definitely do both; a lot can be learned by finding how and where Windows is trying to load a program. However, if you know that the file or files are no longer on your system, you can proceed simply to remove the reference.

Conversely, if you know the file is still on your system and you want to get it working again, you'll probably need to reinstall whatever component or application it came with in order to fix the problem. Once you've located a particular file, it may not be obvious to which program it belongs. You can usually get a good clue by right-clicking on the file, selecting Properties, and choosing the Version tab.


Please wait while Windows updates your configuration files

This isn't an error but rather a message you may see occasionally when Windows is starting. It simply means that Windows is copying certain files that it couldn't otherwise copy while Windows was loaded, most often as a result of software being installed during the last Windows session. For example, if a program you install needs to replace an old DLL in your \Windows\System32 folder with a newer version, but the DLL is in use and can't be overwritten, the program's setup utility will simply instruct Windows to do it automatically the next time it's restarted. The mechanism responsible is covered in the discussion of the Wininit.ini file in Section 2.2.6.

If the name of a driver, service, or application is specified in the error message, there are three places you can look for more information:

  • In the startup log, ntbtlog.txt, located in your \Windows folder. See Section 6.2.2, earlier in this chapter, for details.

  • In the Event Viewer (eventvwr.msc); open the System branch, and then sort the listing by clicking the Source column header.

  • In one of the places Windows looks for startup programs, discussed in the next section.

6.2.3.1 Silence the error messages altogether

Obviously, the best way to deal with a startup message is to fix the cause. But if you can't locate the problem (or if you just don't want to bother), you can suppress many of the messages completely:

  1. Open the Registry Editor (discussed in Chapter 3).

  2. Expand the branches to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows.

  3. Create a new value by going to Edit → New → DWORD Value, and name it NoPopupsOnBoot.

    Double-click the new NoPopupsOnBoot value, enter 1 for the Value data, and click OK.

Note that this solution treats the symptoms rather than the underlying problem and, in doing so, may mean you might miss an important error message later on.

6.2.4. Programs Run by Windows when It Starts

Any driver or program that Windows loads when it boots will be listed in at least one of the following places. Access to these locations is useful not only for adding your own startup programs, but also for eliminating ones that are either causing problems or are simply unnecessary and slowing down the boot process.


The Startup folder

Your Startup folder (usually \Documents and Settings\{username}\Start Menu\Startup) contains shortcuts for all the standard programs you wish to load every time Windows starts. You should routinely look for and eliminate shortcuts to outdated or unwanted programs. If you're not sure of the application with which the shortcut is associated, right-click it, select Properties, and then click Find Target.


The Registry

There are several places in the Registry (see Chapter 3) in which startup programs are specified. Such programs are specified here for several reasons: to prevent tinkering, for more flexibility, or, in the case of viruses, Trojan horses, and spyware, to hide from plain view.

These keys contain startup programs for the current user:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

These keys contain startup programs for all users:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

The naming of the keys should be self-explanatory. Programs referenced in either of the Run keys listed above are run every time Windows starts. Likewise, an entry referenced in one of the RunOnce keys is run only once and then removed from the key.


Services

The Services window (services.msc) lists dozens of programs especially designed to run in the background in Windows XP. The advantage of services is that they remain active, even when no user is currently logged in. That way, for example, your web server can continue to serve web pages when the Welcome screen (or Log On dialog) is shown.

By default, some services are configured to start automatically with Windows and others are not; such information is found in the Startup Type column. Double-click any service and change the Startup type option to Automatic to have it start with Windows, or Manual to disable it.

However, changing the Startup type for a service won't load (start) or unload (stop) the service. Use the Start and Stop buttons on the toolbar of the Services window, or double-click a service and click Start or Stop. For an example, see the discussion of Universal Plug and Play in Section 7.6.1.


The WIN.INI file

Although it's uncommon, you may occasionally see a program referenced at the top of the WIN.INI file, on the lines that start with LOAD= or RUN=. See Section 3.3.7 for details on the structure of files of this type.

Although you may want to disable or eliminate unwanted startup programs in an effort to solve a problem or just improve system performance, you should not blindly disable any program you don't immediately recognize. Keep in mind that some of the startup programs referenced in the Registry and some of the services configured to start automatically are there for a reason, and are required for Windows XP to function. See Section 6.2.9, later in this chapter, for a list of programs you should not close with the Task Manager.


In many cases, it should be obvious what a particular startup program is for. If not, try these steps:

  1. Search your system for the filename(s) specified. Once you find it, right-click it, select Properties, and choose the Version tab. The manufacturer name, and sometimes the product name, will be listed here. If there's no Version tab, it means the file has no version information, which may suggest that it's a virus or some form of malware (see the next section).

  2. Search Google (http://www.google.com) for the filename. In nearly all cases, you'll find a web site that describes what it's for and, in the case of malware, how to remove it.

    Among Google's search results, you'll likely encounter some sites that specialize in cataloging startup programs, both benign and malicious, commonly found on Windows systems. Two of the best are http://www.processlibrary.com/ and http://www.2-spyware.com/files.php, both of which allow you to search their databases by filename.


  3. If you have a hunch it doesn't belong, try temporarily relocating it.

    If it's a shortcut in your Startup folder, move the shortcut to a temporary folder rather than deleting it, allowing easy retrieval if it turns out to be necessary. Likewise, for entries in your Registry, create a Registry patch (see Chapter 3) of the entire Registry key in question before removing the questionable entry. If anything goes wrong, you can reapply the Registry patch to restore the setting.

  4. Restart your system, and look for abnormalities (as well as normalities). If all is well, you can probably discard the removed entries.

6.2.5. Viruses, Malware, and Spyware

Malware, or malicious software, is a class of software specifically designed to wreak havoc on a computer. Malware includes such nasty entities as viruses, Trojan horses, worms, and spyware.

If you're experiencing frequent crashing, nonsensical error messages, pop-up advertisements (other than when surfing the Web), or slower-than-normal performance, the culprit may be one of the following types of malware (as opposed to a feature authored by Microsoft):


Viruses

A virus is a program or piece of code that "infects" other software by embedding a copy of itself in one or more executable files. When the software runs, so does the embedded virus, thus propagating the "infection." Viruses can replicate themselves, and some (known as polymorphic viruses) can even change their virus signatures each time to avoid detection by antivirus software.

Unlike worms, viruses cannot infect other computers without assistance from people (aka you), a topic discussed in detail in the next section. One particular type of virus, a Trojan Horse, spreads itself by masquerading as a benign application (as opposed to infecting an otherwise valid file), such as a screensaver or even a virus removal tool.


Worms

A worm[1] is a special type of virus that can infect a computer without any help from its user, typically through a network or Internet connection. Worms can replicate themselves like ordinary viruses, but do not spread by infecting programs or documents. A common example is the W32.Blaster.Worm, which exploited a bug in Windows (eventually fixed as part of update #824146), causing it to restart repeatedly or simply seize up.

[1] The term worm is said to have its roots in J.R.R. Tolkien, who described dragons in Middle Earth that were powerful enough to lay waste to entire regions. Two such dragons (Scatha and Glaurung) were known as "the Great Worms." The Great Worm, a virus written by Robert T. Morris in 1988, was particularly devastating, mostly because of a bug in its own code. Source: Jargon File 4.2.0.


Spyware and adware

Spyware is a little different from the aforementioned viruses and worms, in that its intent is not necessarily to hobble a computer or destroy data, but rather something much more insidious. Spyware is designed to install itself transparently on your system, spy on you, and then send the data it collects back to an Internet server. This is sometimes done to collect information about you, but most often to serve as a conduit for pop-up advertisements (known as adware).

Many of these advertisements are pornographic in nature, and will make no exceptions for the age or personal preference of those viewing them. The good news is that this type of attack, whether designed to change your default home page, display pop-up ads, or glean sensitive information from your hard disk, is stoppable and even preventable.


Aside from the ethical implications, spyware can be particularly troublesome because it's typically very poorly written and, as a result, ends up causing error messages, performance slowdowns, and seemingly random crashes. Plus, it uses your computer's CPU cycles and Internet connection bandwidth to accomplish its goals, leaving fewer resources available for the applications you actually want to use.

Now, it's often difficult to tell one type of malicious program from another, and in some ways, it doesn't matter. But if you understand how these programs work (how they get into your computer and what they do once they've taken root), you can eliminate them and keep them from ever coming back.

6.2.5.1 How malware spreads

Once they've infected a system, viruses and the like can be very difficult to remove. For that reason, your best defense against them is to prevent them from infecting your computer in the first place.

The most useful tool you can use to keep malware off your computer is your cerebral cortex. Just as malware is written to exploit vulnerabilities in computer systems, the distribution of malware exploits the stupidity of users.

Malware is typically spread in the following ways:


Email attachments

One of the most common ways viruses make their way into computers is through spam. Attachments are embedded in these junk email messages, sent by the millions to every email address in existence, which unsuspecting recipients click, open, and execute. But how can people be that dumb, you may ask? Well, consider the filename of a typical Trojan horse:

kittens playing with yarn.jpg .scr

Since Windows, by default, has its filename extensions hidden (see Section 4.3 in Chapter 4), most people wouldn't see that this is an .scr (screensaver) file and not a photo of kittens. (The long run of spaces in the filename ensures that the real extension won't be easy to spot, even if extensions are visible.) And since most spam filters and antivirus programs block .exe files, but not .scr files (which are just renamed .exe files, by the way), this innocuous-looking file is more than likely to spawn a nasty virus on someone's computer.

So, how do you protect yourself from these? First, don't open email attachments you weren't expecting, and manually scan everything else with an up-to-date virus scanner (discussed later in this section). Note that you may also want to employ a spam filter to throw away most of these messages before they reach your in-box. (If you're worried about valid messages being deleted as well, use a filter that only marks suspected spam instead of deleting it, such as SpamPal, available at http://www.spampal.org/.)
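The following Python script is an added example, not code from the book. It audits the startup locations from Section 6.2.4 (the four Run/RunOnce keys, read from a Registry patch of the kind you would save before pruning a key, plus the LOAD=/RUN= lines of WIN.INI) and flags entries that use the disguised-extension trick just described. The .reg export, the user name someuser, and every path are constructed; the extension lists and folder heuristics are this example's own choices, not anything the book prescribes.

```python
import re

# Run/RunOnce keys for the current user and for all users, as listed in 6.2.4.
RUN_KEYS = {
    (hive + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\" + leaf).upper()
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE")
    for leaf in ("Run", "RunOnce")
}
# Extensions Windows runs directly (.scr and .pif are the usual disguises),
# decoy extensions that look harmless on their own, and folders a legitimate
# startup program rarely lives in. All three lists are this example's choices.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".png", ".doc", ".xls", ".txt", ".pdf"}
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\recycler\\")
# "name"="data" as the Registry Editor exports REG_SZ values, with \\ and \"
# escapes inside the quotes; dword:/hex: values cannot hold a command line.
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def reg_unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_strings(text):
    """Yield (key, value name, data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = REG_VALUE.match(line)
            if m:
                yield key, reg_unescape(m.group(1)), reg_unescape(m.group(2))


def ext_of(path):
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def executable_of(command):
    """Program path from a command line: a quoted path verbatim, otherwise
    tokens joined left to right until one ends in an executable extension
    (a simplified form of how Windows resolves unquoted paths with spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split()
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if ext_of(candidate) in EXEC_EXT:
            return candidate
    return tokens[0] if tokens else ""


def disguised_name(path):
    """True when the file is executable but the name Explorer shows with
    extensions hidden (everything before the last dot) passes for a picture
    or document, or is padded with spaces to push the real extension away."""
    name = path.rsplit("\\", 1)[-1]
    if ext_of(name) not in EXEC_EXT:
        return False
    shown = name[: name.rfind(".")]
    return shown != shown.rstrip() or ext_of(shown) in DECOY_EXT


def classify(source, name, command):
    exe = executable_of(command)
    flags = []
    if disguised_name(exe):
        flags.append("disguised extension")
    if any(d in exe.lower() for d in SUSPECT_DIRS):
        flags.append("runs from a temporary or profile folder")
    if "\\" not in exe:
        flags.append("no folder given; Windows searches the PATH for it")
    return {"source": source, "name": name, "exe": exe, "flags": flags}


def audit_startup(reg_text, win_ini_text):
    """Classify every startup entry in the Run/RunOnce keys of a .reg export
    and on the LOAD=/RUN= lines of WIN.INI; other keys are ignored."""
    findings = [classify(k, n, d) for k, n, d in parse_reg_strings(reg_text)
                if k.upper() in RUN_KEYS]
    for line in win_ini_text.splitlines():
        m = re.match(r"^(load|run)=(.+)$", line.strip(), re.IGNORECASE)
        if m:
            findings.append(classify("WIN.INI", m.group(1).lower(), m.group(2)))
    return findings


# Constructed sample: the Registry patch you would save before pruning a key,
# plus a WIN.INI fragment. "someuser" and every path are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SoundMan"="SOUNDMAN.EXE"
"Updater"="\"C:\\Documents and Settings\\someuser\\Local Settings\\Temp\\kittens playing with yarn.jpg          .scr\" /s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Program Files\\Setup Helper\\cleanup.exe /finish"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo]
"DisplayName"="Foo"
'''
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\Program Files\\Foo\\tray.exe\n"
```

Run audit_startup(SAMPLE_REG, SAMPLE_WIN_INI) and look at the flags field of each finding; on a real system, feed it a .reg export of the four keys and the contents of \Windows\WIN.INI.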



Peer-to-peer (P2P) file sharing

Napster started the P2P file-sharing craze, but file sharing goes far beyond the trading of harmless music files. It's estimated that 40% of the files available on these P2P networks contain viruses, Trojan horses, and other unwelcome guests, but these aren't even the biggest cause of concern.

In order to facilitate the exchange of files, these P2P programs open network ports (Chapter 7) and create gaping holes in your computer's firewall, any of which can be exploited by a variety of worms and intruders. And since people typically leave these programs running all the time (whether they intend to or not), these security holes are constantly open for business.

But wait . . . there's more! If the constant threat of viruses and Trojan horses isn't enough, many P2P programs come with a broad assortment of spyware and adware, intentionally installed on your system along with the applications themselves. Kazaa, one of the most popular file-sharing clients, is also the biggest perpetrator of this, and the likely culprit if your system has become infected with spyware. (Note that other products like Morpheus, BearShare, Imesh, and Limewire do this too, just in case you were thinking there was a completely "safe" alternative.)

There are some spyware-free P2P file-sharing programs out there, although it's a bit of a mixed bag at best. For instance, a group of hackers have released a stripped-down version of the spyware-ridden Kazaa, called Kazaa Lite (http://www.klitesite.com), and there are so-called "lite" versions of other applications as well. But if you want a non-hacked P2P client, try WinMX (http://www.winmx.com) or Shareaza (http://www.shareaza.com), both of which are free and completely spyware-free. Be warned, however, that even without the spyware, P2P software will nonetheless compromise the security of your system.



Infected files

Viruses don't just invade your computer and wreak havoc; they replicate themselves and bury copies of themselves in other files. This means that once your computer has been infected, the virus is likely sitting dormant in any of the applications and even personal documents stored on your hard disk. This not only means that you may be spreading the virus each time you email documents to others, but that others may be unwittingly sharing viruses with you.

As part of a virus's objective to duplicate and distribute itself, many hijack your email program and use it to send infected files to everyone in your address book. In nearly all cases, these viruses are designed to work with the email software most people have on their systems, namely Microsoft Outlook and Outlook Express. If you want to significantly hobble your computer's susceptibility to this type of attack, you'd be wise to use any other email software, such as Eudora (http://www.eudora.com).


One of the most common types of viruses utilizes macros, small scripts (programming code) embedded in documents. By some estimates, roughly 3 of every 4 viruses are actually macros written for Microsoft Word or Excel. These macros are executed automatically when the documents that contain them are opened, at which point they attach themselves to the global template so that they can infect every document you subsequently open and save. Both Word and Excel have security features that restrict this feature, but these measures are clumsy and most people disable them so they can work on the rest of their documents. In other words, don't rely on the virus protection built into Microsoft Office to eliminate the threat of these types of viruses.


Web sites

It may sound like the rantings of a conspiracy theorist, but even the act of visiting some web sites can infect your system with spyware and adware. It's not that this happens invisibly; many people simply don't recognize the red flags even when they're staring them in the face. Specifically, these are the "add-ins" employed by some web sites that provide custom cursors, interactive menus, and other eye candy. While loading a web page, you may see a message asking you if it's okay to install some ActiveX gadget "necessary" to view the page (e.g. Comet Cursor); here, the answer is simple: no.

Just as many viruses are written to exploit Microsoft Outlook, most spyware and adware is designed to exploit Microsoft Internet Explorer. By merely switching to a different browser, such as Netscape, Mozilla, or Firefox, you can eliminate the threat posed by many of these nasty programs. Plus, Netscape and Mozilla (both of which are free) have built-in features that disable pop-up ads and some of the more malicious (or just annoying) JavaScript features.



Network and Internet connections

Finally, your network connection (both to your LAN and to the Internet) can serve as a conduit for a worm, the special kind of virus that doesn't need your help to infect your system. Obviously, the most effective way to protect your system is to unplug it from the network, but a slightly more realistic solution is to use a firewall. Windows XP comes with a built-in firewall (significantly improved in Service Pack 2), although a router will provide much better protection. See Chapter 7 for details.

6.2.5.2 Protecting and cleaning your computer

The most popular and typically the most effective way to rid your computer of malware is to use dedicated antivirus software and antispyware software. (At the time of this writing, no single product claims to do both.) These programs rely on their own internal databases of known viruses, worms, Trojans, spyware, and adware, and as such must be updated regularly (daily or weekly) to be able to detect and eliminate the latest threats.

Windows XP doesn't come with any antivirus or antispyware software, but Windows XP Service Pack 2 does include the Security Center utility (found in Control Panel, and shown in Figure 6-1), which can interface with newer third-party software designed to do so.

Figure 6-1. New in Service Pack 2, the Security Center serves as a central interface for Windows Update, Windows's own built-in firewall, and whatever antivirus software you provide


As stated above, you'll need to provide your own antivirus software. Keep in mind that not all antivirus programs are created equal; visit http://www.software-antivirus.com for in-depth reviews and http://www.av-test.org for independent antivirus testing. Among the more popular antivirus products are:


Kaspersky Antivirus Personal (http://www.kaspersky.com)

Very highly-regarded solution with an excellent detection record


McAfee VirusScan (http://www.mcafee.com)

Trusted and well-established all-around virus scanner with an intuitive interface and few limitations


Panda Anti-Virus Titanium & Platinum (http://www.pandasecurity.com)

Lesser-known but capable antivirus software


Symantec Norton AntiVirus (http://www.symantec.com)

Mediocre, slow antivirus program with a well-known name; beware expensive subscription plan to keep virus definitions updated


AntiVir (http://www.free-av.com)

Freeware, with frequent updates but only average detection rates


Avast Home Edition (http://www.asw.cz)

Freeware, with slick interface and good feature set


AVG (http://free.grisoft.com)

Freeware, a popular yet poor-performing antivirus solution

Antispyware software is a newer phenomenon and, as a result, there are fewer offerings. However, they do their job well and complete their scans in only a few minutes (compared with the hours it takes to scan all your files for viruses). The top antispyware products include:


Ad-Aware Personal Edition (http://www.lavasoft.de)

Ad-Aware (Figure 6-2), along with Spybot, is probably the most frequently suggested solution to spyware problems on the Annoyances.org forums, for good reason. The personal edition is free, very slick, and works well.

Figure 6-2. Use Lavasoft's Ad-Aware to rid your system of all sorts of spyware and adware


When using Ad-Aware, make sure you click Check for updates now before running a scan. Also, to turn off the awful, jarring sound Ad-Aware plays when it has found spyware, click the gear icon to open the settings window, click the Tweak button, open the Misc Settings category, and turn off the Play sound if scan produced a result option.



Spybot - Search & Destroy (http://www.spybot.info)

When used along with Ad-Aware, this free software can be counted on to remove virtually all types of spyware and adware from your computer. While both Ad-Aware and Spybot remove tracking cookies (used to deliver ads in web pages) from Internet Explorer, only Spybot supports Mozilla and Firefox as well.


HijackThis (http://www.spychecker.com/program/hijackthis.html)

Use this tool to generate a report listing all the browser add-ons and startup programs installed on your system. HijackThis doesn't judge the entries it lists; legitimate and malicious ones appear side by side, so you'll need to either scrutinize the report yourself or send the resulting HijackThis Log to someone else for their help.


Spy Sweeper (http://www.webroot.com)

This highly-regarded antispyware tool, while not free like the first two, is still a welcome addition to any spyware-fighter's toolbox.


SpywareBlaster/SpywareGuard (http://www.javacoolsoftware.com/)

Use these tools to help prevent future malware infestations.

So, armed with proper antivirus and antispyware software, there are four things you should do to protect your computer from malware:

  1. Place a router between your computer and your Internet connection, as described in Chapter 7.

  2. Scan your system for viruses regularly, and don't rely entirely on your antivirus program's auto-protect feature (see the next section). Run a full system scan at least every two weeks.

  3. Scan your system for spyware regularly, at least once or twice a month. Do it more often if you download and install a lot of software.

  4. Use your head! See the previous section for ways malware spreads and the next section for some of the things you can do to reduce your exposure to viruses, spyware, adware, and other malware.

    Malware is constantly evolving, perpetually taking on new forms and exploiting new vulnerabilities. To keep tabs on the latest threats, check out Counterexploitation (http://www.cexx.org/) and the Adware Report (http://www.adwarereport.com/). And don't forget to keep your antivirus and antispyware software updated.


6.2.5.3 The perils of auto-protect

Antivirus software is a double-edged sword. Sure, viruses can be a genuine threat, and for many of us, antivirus software is an essential safeguard. But antivirus software can also be a real pain in the neck.

The most basic, innocuous function of an antivirus program is to scan files on demand. When you start a virus scanner and tell it to scan a file or a disk full of files, you're performing a useful task. The problem is that most of us don't remember or want to take the time to routinely perform scans, so we rely on the so-called "auto-protect" feature, where the virus scanner runs all the time. This can cause several problems:

  • Loading the auto-protect software at Windows startup can increase boot time; also, because each and every application (and document) you open must first be scanned, load times can increase. In addition, a virus scanner that's always running consumes memory and processor cycles, even though you're not likely to spend most of your time downloading new and potentially hazardous files for it to scan.

  • If the antivirus software or virus definitions become corrupted, the application auto-scanner may prevent any application on your system from loading, including the antivirus software itself, making it impossible to rectify the situation without serious headaches. (Yes, this actually happens.)

  • Some antivirus auto-protect features include web browser and email plug-ins, which scan all files downloaded and received as attachments, respectively. In addition to the performance hit, these plug-ins sometimes don't work properly, inadvertently causing all sorts of problems with the applications you use to open these files.

  • The constant barrage of virus warning messages can be annoying, to say the least. For instance, if your antivirus software automatically scans your incoming email, you may be forced to click through a dozen of these messages warning you of virus-laden attachments, even though your spam filter will likely delete them before you even see them.

  • Lastly, and most importantly, having the auto-protect feature installed can give you a false sense of security, reducing the chances that you'll take the precautions listed elsewhere in this section and increasing the likelihood that your computer will become infected. Even if you are diligent about scanning files manually, no antivirus program is foolproof and certainly is no substitute for common sense.

Now, if you take the proper precautions, your exposure to viruses will be minimal, and you will have very little need for the auto-protect feature of your antivirus software. Naturally, whether you disable your antivirus software's auto-protect feature is up to you. If you keep the following practices in mind, regardless of the status of your antivirus auto-protect software, you should drastically reduce your computer's susceptibility to viruses (nothing eliminates it entirely, as the image-file flaw discussed below shows):

  • If you don't download any documents or applications from the Internet, if you're not connected to a local network, if you have a firewalled connection to the Internet, if you don't bring in disks or USB drives from other machines, and the only type of software you install is off-the-shelf commercial products, your odds of getting a virus are very low.

  • Viruses have traditionally resided in certain types of files, including application (.exe) files, document files made in applications that use macros (such as Microsoft Word), Windows script files (.vbs), and some types of application support files (.dll, .vbx, .vxd, etc.). Screen savers (.scr), Control Panel applets (.cpl), and .pif files are executable too, despite their innocuous-sounding names. And because ZIP files (described in Chapter 2) can contain any of the aforementioned files, they're also susceptible.

    Conventional wisdom holds that plain-text email messages, text files (.txt), image files (.jpg, .gif, .bmp, etc.), video clips (.mpg, .avi, etc.) and most other types of files are benign in that they simply are not capable of being virus carriers. However, things aren't always as they seem. Case in point: a new type of threat discovered in September 2004 involves certain JPG files and a flaw in Internet Explorer (and most other Microsoft products) that can be exploited.[2] Fortunately, the bug has been fixed in Service Pack 2, but it's not likely to be the last.

    [2] For more information, search Google for Exploit-MS04-028 or Bloodhound.Exploit.13.


  • Actually, it is possible to embed small amounts of binary data into image files, which means, theoretically, that an image could contain a virus. However, such data would normally have to be manually extracted before it could be executed; a virus embedded in an image file can't spontaneously infect your system unless the program displaying the image has a flaw like the one just described, which turns a plain data file into a way to run code. That's exactly why keeping Windows and your applications patched matters even if you never open an .exe file.

  • Don't ever open email attachments sent to you from people you don't know, especially if they are Word documents or .exe files. If someone sends you an attachment and you wish to open it, scan it manually before opening it. Most antivirus software adds a context-menu item to all files (see Section 4.3 in Chapter 4), allowing you to scan any given file by right-clicking on it and selecting Scan for Viruses (or something similar). Note that Windows hides the extensions of known file types by default (the Hide extensions for known file types option in Folder Options), so an attachment named photo.jpg.exe shows up as photo.jpg; turn that option off so you can see what you're really opening.

  • Note that there are some types of viruses that will hijack a user's address book (typically MS Outlook users only) and automatically send an infected email to everyone that person has ever emailed. This means that you may get a virus in an email attachment from someone you know, but it will have a nonsensical filename and a generic, poorly written message body, like "I send you this file in order to have your advice." If you get an email from someone you know, and it doesn't look like something that person would send you, it likely wasn't sent intentionally, and should be deleted. The worst thing that could happen if you're wrong is that the sender will just have to send it again.

If you're on a network, your computer is only as secure as the least secure computer on the network. If it's a home network, make sure everyone who uses machines on that network understands the previous concepts. If it's a corporate network, there's no accounting for the stupidity of your coworkers, so you may choose to leave the auto-protect feature of antivirus software in place.

6.2.6. Check Your Drive for Errors with Chkdsk

The Chkdsk utility (chkdsk.exe, pronounced "check disk") is used to scan your hard disk for errors and optionally fix any that are found. To run Chkdsk, open a Command Prompt window (cmd.exe) by going to Start Enter.

Chkdsk can also be run from the Windows Recovery Console (discussed later in this chapter) or from Safe Mode with Command Prompt (discussed in Section 2.2.6).


When you run Chkdsk without any options, you'll get a report that looks something like this:

    The type of the file system is NTFS.
    Volume label is SHOEBOX.

    WARNING!  F parameter not specified.
    Running CHKDSK in read-only mode.

    CHKDSK is verifying files (stage 1 of 3)...
    File verification completed.
    CHKDSK is verifying indexes (stage 2 of 3)...
    Index verification completed.
    CHKDSK is verifying security descriptors (stage 3 of 3)...
    Security descriptor verification completed.

      87406395 KB total disk space.
      26569944 KB in 42010 files.
         23844 KB in 896 indexes.
             0 KB in bad sectors.
        114839 KB in use by the system.
         65536 KB occupied by the log file.
      60632232 KB available on disk.

          4096 bytes in each allocation unit.
       4351598 total allocation units on disk.
        176942 allocation units available on disk.

If any errors are found, such errors will be listed in the report along with the statistics in the example above. However, unlike the Scandisk utility found in some earlier versions of Windows, Chkdsk doesn't make any changes to your drive (repairs or otherwise) unless you specifically request them. As suggested by the "F parameter" warning in the report, you'll need to type chkdsk /f to effect any necessary repairs on the drive.
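Reading a report by hand is fine for one drive, but the one line that matters most, the read-only warning, is the first to scroll off the top; a read-only run that lists problems has repaired nothing. As an added example (not code from the book or from chkdsk.exe), here is a small Python parser for the report format shown above. It is run against the report from this section and against a constructed variant of it representing a read-only run that found problems and bad sectors; the advisory wording is my own.

```python
"""Parse a Chkdsk report and tell whether anything was actually repaired.
Added example for this section; not code from the book or from chkdsk.exe."""
import re
from typing import Dict, List

# The read-only report printed in this section (transcribed from the text).
REPORT_READ_ONLY = """\
The type of the file system is NTFS.
Volume label is SHOEBOX.

WARNING!  F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.

  87406395 KB total disk space.
  26569944 KB in 42010 files.
     23844 KB in 896 indexes.
         0 KB in bad sectors.
    114839 KB in use by the system.
     65536 KB occupied by the log file.
  60632232 KB available on disk.
"""

# Constructed variant (not captured from a real machine): a read-only run that
# lists a correction it did NOT make, and reports bad sectors.
REPORT_PROBLEMS = (
    REPORT_READ_ONLY
    .replace("Index verification completed.",
             "Correcting error in index $I30 for file 20114.\n"
             "Index verification completed.")
    .replace("Security descriptor verification completed.",
             "Security descriptor verification completed.\n"
             "Windows found problems with the file system.\n"
             "Run CHKDSK with the /F (fix) option to correct these.")
    .replace("0 KB in bad sectors", "32 KB in bad sectors")
)

_KB_LINE = re.compile(r"^(\d+) KB (.+?)\.$")      # "<n> KB <description>."
_COUNT = re.compile(r"in (\d+) (files|indexes)")  # "in 42010 files"
_KB_KEYS = [  # substring of the description -> key; first match wins
    ("total disk space", "total"), ("bad sectors", "bad_sectors"),
    ("in use by the system", "system"), ("log file", "log"),
    ("available on disk", "available"), ("files", "files"),
    ("indexes", "indexes"),
]


def parse_chkdsk(report: str) -> Dict[str, object]:
    """Turn a Chkdsk report into a dict of the facts worth acting on."""
    info = {"filesystem": None, "label": None, "read_only": False,
            "problems_found": False, "corrections": [], "kb": {}, "counts": {}}
    for raw in report.splitlines():
        line = raw.strip()
        low = line.lower()
        m = re.match(r"the type of the file system is (\w+)\.", low)
        if m:
            info["filesystem"] = m.group(1).upper()
        elif low.startswith("volume label is "):
            info["label"] = line[len("Volume label is "):].rstrip(".")
        elif "read-only mode" in low:
            info["read_only"] = True
        elif low.startswith("windows found problems"):
            info["problems_found"] = True
        # Per-item messages appear even in read-only mode, where nothing is
        # actually changed; treat them as evidence of problems.
        elif low.startswith(("correcting ", "deleting ", "recovering ")):
            info["corrections"].append(line)
            info["problems_found"] = True
        elif _KB_LINE.match(line):
            kb, what = _KB_LINE.match(line).groups()
            key = next((k for s, k in _KB_KEYS if s in what), what)
            info["kb"][key] = int(kb)
            c = _COUNT.match(what)
            if c:
                info["counts"][c.group(2)] = int(c.group(1))
    return info


def advise(info: Dict[str, object]) -> List[str]:
    """What to do next, based on the parsed report."""
    notes = []
    if info["read_only"] and info["problems_found"]:
        notes.append("Problems reported but nothing repaired (read-only run): "
                     "rerun with /f, or /r if bad sectors are listed.")
    elif info["read_only"]:
        notes.append("Read-only run: no problems reported, nothing was changed.")
    if info["kb"].get("bad_sectors", 0) > 0:
        notes.append("Bad sectors present: back up the volume, then run chkdsk /r.")
    return notes


if __name__ == "__main__":
    for report in (REPORT_READ_ONLY, REPORT_PROBLEMS):
        parsed = parse_chkdsk(report)
        print(parsed["label"], parsed["kb"], *advise(parsed), sep="\n  ")
```

Feed it the output of chkdsk redirected to a file (chkdsk > report.txt), or a report pasted from the Event Log; the two advisories it produces correspond to the /f and /r options discussed next.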

The /f parameter is not available in the Windows Recovery Console; instead, you'll need to use the more powerful /r option to effect repairs, as described below. The other exception when Chkdsk is run from the WRC is that it won't usually scan for errors unless you include the /p option (which has no meaning outside the WRC).


The following terms describe most of the different types of problems that Chkdsk might report:


Lost clusters

Lost clusters are pieces of data that are no longer associated with any existing files.


Bad sectors

Bad sectors are actually physical flaws on the disk surface. Use the /r option, below, to attempt to recover data stored on bad sectors. Note that recovery of such data is not guaranteed (unless you have a backup somewhere), and since /r reads every sector on the volume, it can take hours and puts real stress on a drive that is already failing, so copy anything you care about off the disk before you start. Typical symptoms of bad sectors include seeing gibberish when you view the contents of a directory, or your computer crashing or freezing every time you attempt to access a certain file. A drive that keeps growing new bad sectors is on its way out; replace it rather than repeatedly repairing it.


Cross-linked files

If a single piece of data has been claimed by two or more files, those files are said to be cross-linked.


Invalid file dates or times

Chkdsk also scans for file dates and times that it considers "invalid," such as missing dates or those before January 1st, 1980.

By default, Chkdsk will only scan the current drive (shown in the prompt C:> for drive C:). To scan a different drive, include the drive letter as one of the command-line options, like this: chkdsk d: /f.


The other important options available to Chkdsk are the following:


/r

The /r parameter is essentially the same as /f, except that it also scans for and recovers data from bad sectors, as described earlier. When using Chkdsk from within the Windows Recovery Console, the /f option is not available, which means the /r option is your only choice if you need to effect repairs.


/x

Include this option to force the volume to dismount before scanning the drive; otherwise, Windows will have to schedule the drive to be scanned during the next boot. This has the effect of temporarily disconnecting the drive from Explorer and all other programs, and closing any open files stored on the drive (anything unsaved in those files is lost). The boot volume (usually C:) can't be dismounted while Windows is running from it, so for that drive the scan is always scheduled for the next boot. The /x parameter implies the /f option; the /x option is not available in the Windows Recovery Console.

Additionally, the /i and /c options, which are applicable only on NTFS volumes, are used to skip certain checks in order to reduce the amount of time required to scan the disk. There is typically very little reason to use either of these options. Finally, you can run Chkdsk on a specific file (or group of files), but only on FAT or FAT32 disks (not NTFS drives). This is used to check a single file or a specific group of files for fragmentation, subsequently fixed by Disk Defragmenter (dfrg.msc).

To run Chkdsk from Explorer, right-click any drive, select Properties, choose the Tools tab, and click Check Now. Here, the Automatically fix file system errors option corresponds to the /f parameter, and the Scan for and attempt recovery of bad sectors option corresponds to the /r parameter.


6.2.6.1 Special case: dirty drives and automatic Chkdsk

When a volume is marked "dirty," Windows scans it with Chkdsk automatically during the boot process. A drive can become dirty if it's in use when Windows crashes or if Chkdsk schedules a scan when you attempt to check a disk that is in use. A drive not considered dirty is marked "clean."

The Fsutil (Fsutil.exe) utility is used to manage dirty drives; you'll need to be logged in as an administrator to use it. Open a Command Prompt window (cmd.exe) and type fsutil (without any arguments) to display a list of commands that can be used with Fsutil. As you might expect, the dirty command is the one that concerns us here. Note that it can only query or set the dirty bit; there is no command to clear it, because only a completed Chkdsk run does that. Here's how it works:

To see if drive G: is currently marked as dirty, type:

fsutil dirty query g:

To mark drive H: as dirty, so it will be scanned by Chkdsk the next time Windows starts, type:

fsutil dirty set h:

Note that Fsutil has been found to be unreliable when used on FAT or FAT32 drives, so you may only wish to use it on NTFS disks.

Another utility, Chkntfs, is used to choose whether or not Windows runs Chkdsk automatically at Windows startup. (It is not used to check NTFS drives, as its name implies, however.) Here's how it works:

To display a dirty/clean report about any drive (say, drive G:), type:

chkntfs g:

To exclude drive H: from being checked when Windows starts (which is not the default), type:

chkntfs /x h:

To include (un-exclude) drive H: in the drives to be checked when Windows starts, type:

chkntfs /c h:

To force Windows to check drive H: the next time Windows starts, type:

chkntfs /c h:
fsutil dirty set h:

To include all drives on your system, thereby restoring the defaults, type:

chkntfs /d

Finally, when Windows detects a dirty drive, it starts a timed countdown (10 seconds by default), allowing you to skip Chkdsk by pressing a key. To change the duration of this countdown to, say, five seconds, type:

chkntfs /t:5

The Registry location of the timeout setting is stored in the AutoChkTimeOut value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key.


You'll have to restart Windows for any of these changes to take effect.

6.2.7. Error Messages and Crashing Applications

There are basically two different types of error messages:

  • An error that tells you that you've done something wrong, such as trying to delete or rename a file that is being used by an open application.

    Obviously, the best way to alleviate these problems is to stop doing things wrong. But, of course, what's "wrong" is often a matter of interpretation, so in this case, it typically makes more sense to simply talk about making the resulting error messages less annoying (for example, by turning off the sounds associated with them), or making them go away altogether (by making liberal use of the Don't show this again options that sometimes appear).

  • An error that is the result of an application crash, hardware error, or problem with Windows's configuration.

    Such errors are the subject of this section and many of the topics in this chapter. These errors can range from a single error message appearing and then disappearing with no discernible aftereffects, to the more severe Blue Screen of Death (BSoD) errors, discussed later in this chapter.

Now, it's important to realize that error messages of both types are essentially canned responses to predetermined criteria, and any given error message may be used in a variety of instances. This means that error messages are typically verbose, yet rarely helpful. And software developers are rarely English majors.

For example, a message might report that a program has crashed or isn't able to load, but the actual problem may be something completely unrelated to what the message is reporting. You may see a "file not found" error when trying to start an application if, say, one of its support files has the wrong file permissions (explained in Chapter 8).

Using Compatibility Mode

If you find that you're having trouble with a specific application, you can try running it in Compatibility Mode.

Right-click any .exe file (or a shortcut to any .exe file), select Properties, and choose the Compatibility tab. The display settings allow you to limit the screen resolution and color depth, and disable visual themes, if they appear to be causing a problem.

However, the real meat is the Run this program in compatibility mode for list, from which you can choose Windows 95, Windows 98/Me, Windows NT 4.0 w/SP5, or Windows 2000. This is useful if the program you're trying to run was specifically designed for an earlier version of Windows, and either refuses to run on Windows XP or simply doesn't work as well as it did in earlier versions of the operating system.

This also applies when installing applications. Some application installers are designed only to allow installation on certain versions of Windows, even though the application, once installed, will actually work on Windows XP. Just enable Compatibility Mode for the installer executable (usually setup.exe or install.exe) to fool it into thinking you're installing on an earlier version of Windows.


6.2.7.1 Error messages resulting from application crashes

Sometimes, a problem is severe enough to cause an application to close immediately. Fortunately, Windows XP isolates applications from one another, and from the operating system itself, which means that a single application crash is much less likely to bring down the entire system.[3]

[3] This is one of the advantages of Windows XP/2000 over its DOS-based predecessors, such as Windows 9x/Me. See Section 2.1.1 for an option to isolate separate instances of Windows Explorer from one another.

When an application crashes, Windows will close it and then, by default, display an error message explaining what happened. Naturally, as you'd expect, this error message doesn't really explain what happened, but rather only informs you that something happened.

Often, this type of error is accompanied by lists of numbers (accessible by clicking Details), although these numbers will rarely be helpful for most users. Two items in that list are worth noting before you dismiss it, though: the faulting module (ModName) and the offset within it, which are what a vendor's support staff or a web search needs to match your crash to a known bug. Now, don't be fooled: the Details view also often lists a specific executable, blaming it for the problem. However, this doesn't necessarily mean that the program listed actually caused the problem; it only means that it crashed as a result of the problem.


When you see one of these errors, the first thing to do is determine if any action is necessary. You should expect this to happen occasionally, due to the complexity of today's software, but if it happens more frequently than, say, once a day, it could be the sign of a more serious problem. See if you can reliably reproduce the problem. If it seems to be application- or device-specific, where the same action in a program or the repeated use of a certain device causes the crash, then you've found the culprit.

If the occurrences instead appear to be random and not associated with any piece of hardware or software, there are some remaining possibilities. Errors in your system's memory and on your hard disk can cause these problems as well. To diagnose and repair problems on your hard disk, see Section 6.2.6, earlier in this chapter, or see Section 6.3, later in this chapter, for help with misbehaving devices.

Not only will Windows XP usually display an error message when a program crashes, but it will ask you if you wish to report the problem to Microsoft. If you actually believe that Microsoft will use the data you send them to fix bugs in Windows, I have some beachfront property in Wyoming to sell you. Whatever they do with it, keep in mind that the report can include a snapshot of the crashed program's memory, and therefore whatever document, password, or other data it was holding at the time; on a machine that handles anything sensitive, that alone is a reason to turn reporting off.

Fortunately, not only can you turn off error reporting, you can disable the error messages entirely. Here's how to control this behavior:

  1. Open Control Panel Advanced tab

  2. Click Error Reporting, and select the Disable error reporting option.

  3. To also turn off the error messages associated with application crashes, turn off the But notify me when critical errors occur option.

    If you turn off these error messages, and a program subsequently crashes, its window will simply disappear. It may be a little disconcerting at first to see programs spontaneously vanish, but you'll quickly grow to appreciate the fact that Windows will no longer add insult to injury by hassling you with unnecessary error messages. The crash is still recorded, though: Event Viewer (eventvwr.msc) logs each one in the Application log under the source "Application Error," naming the faulting application and module, so you can still investigate a program that keeps vanishing.

  4. Click OK and then OK again when you're done; the change will take effect immediately.

Details on Blue Screen of Death (BSoD) errors, as well as how to stop Windows from restarting immediately after one occurs, can be found later in this chapter.

6.2.8. Closing Hung Applications

Not all programs that crash are closed automatically by Windows. Such applications are said to be "hung," "frozen," or "locked up."

When an application hangs, you have two choices. First, you can wait patiently to see if the application is simply busy and will eventually start responding again. This actually is the case more often than you'd expect, even on very fast computers. For example, if you're using a CD burner, the program may stop responding for up to a minute while it waits for your hardware to respond.

The other choice is to take matters into your own hands and close hung applications yourself. There are two ways to do this:

6.2.8.1 Solution 1: Close the program window

Although the program will not respond normally, Windows will typically still allow you to move or close the window of a hung application. Just click the small [X] button in the application's title bar, or right-click the taskbar button corresponding to the hung application, and select Close. If the program really has stopped responding, Windows will offer to end it for you after a short wait (the timeout is adjustable; see "Change the 'Not Responding' timeout," below).

6.2.8.2 Solution 2: Use the Windows Task Manager

The Windows Task Manager (taskmgr.exe) allows you to close any running process, which includes any visible application or even any program running invisibly in the background.

To start the Task Manager, right-click an empty area of the taskbar, and select Task Manager. Or press Ctrl-Shift-Esc to open the Task Manager more quickly.[4]

[4] You can also press Ctrl-Alt-Del to open the Task Manager if you've enabled the Welcome screen, as described in Chapter 8. If the Welcome screen is disabled, you can press Ctrl-Alt-Del to display the Windows Security dialog, at which point you can click the Task Manager to launch it.

To close any program, choose the Processes tab, select the application in the list, and click End Process. Be aware that End Process kills the program outright, without giving it a chance to save anything, so use it only once you've given up on the application coming back. To make it easier to find a particular program, click the Image Name column header to sort the programs alphabetically.

See the next section, "Programs Commonly Running in the Background," for a list of programs you should not close with the Task Manager.

6.2.8.3 Special case: Change the "Not Responding" timeout

Windows XP waits a predetermined amount of time before it considers an application to be hung ("Not Responding," in Microsoft vernacular). To change this timeout, follow these steps:

  1. Open the Registry Editor (discussed in Chapter 3).

  2. Expand the branches to HKEY_CURRENT_USER\Control Panel\Desktop.

  3. Double-click the HungAppTimeout value in the right pane, and enter the number of milliseconds for the timeout; the default is 5000 (5 seconds). For example, type 4000 to set the timeout to 4 seconds. (The value is stored as a string, so enter digits only, with no units.)

  4. Click OK, and then close the Registry Editor when you're done; you'll have to restart your computer for the change to take effect.

6.2.8.4 Special case: Choose how Windows closes hung applications when you shut down

Windows XP attempts to close all running programs, services, and other background processes before it shuts down. If it encounters an application that does not appear to be responding, it will wait a predetermined amount of time, and then it will force the program to close. You can change this behavior with the following procedure:

  1. Open the Registry Editor (discussed in Chapter 3).

  2. Expand the branches to HKEY_CURRENT_USER\Control Panel\Desktop.

  3. Double-click the AutoEndTasks value in the right pane, and enter 1 (one) to automatically end tasks or 0 (zero, the default) to prompt before ending tasks. Setting this to 1 means any program still holding an unsaved document at shutdown will be killed without asking, so it's a trade-off between a prompt shutdown and your data.

  4. Double-click the WaitToKillAppTimeout value, and enter the number of milliseconds for the timeout; the default is 20000 (20 seconds). For example, type 7000 to set the timeout to 7 seconds. (This setting is also discussed in Section 5.1.5.)

  5. Click OK, and then close the Registry Editor when you're done; you'll have to restart your computer for the change to take effect.

6.2.9. Programs Commonly Running in the Background

Windows is basically just a collection of components, and at any given time, some of those components may be loaded into memory and listed as running processes in Task Manager (discussed in the previous topic).

As you might expect, the programs required by one system won't necessarily be the same as those required by another. Table 6-1 lists the those items commonly found on most Windows XP systems.

Table 6-1. Processes you should expect to find running on your system

Process

Description

csrss.exe

Called the Client Server Runtime Process, csrss.exe is an essential Windows component, as it handles the user-mode portion of the Win32 subsystem. Its name is also a favorite disguise for viruses and Trojans: the genuine file lives in \Windows\System32, and Task Manager refuses to end it, so a csrss.exe running from anywhere else, one you can end without Windows complaining, or one that's consuming a lot of CPU cycles is a sign that you should update and run your antivirus software.

explorer.exe

This is simply Windows Explorer, which is responsible for your Desktop and Start Menu. If this program crashes or is closed, Windows will usually start it again automatically. If you see more than one instance of explorer.exe, it means that each folder window is being launched as a separate process (see Section 2.1.1 for details).

lsass.exe

This is the Local Security Authority subsystem, responsible for authenticating users on your system. It has also been a target of worms (the Sasser worm of 2004 broke in through a flaw in LSASS that was fixed by a Windows Update patch), which is one more reason to keep up with the patches described in Section 6.2.1.

rundll32.exe

This program, the purpose of which is to launch a function in a DLL as though it were a separate program, is used for about a million different things in Windows. That also makes it a convenient vehicle for spyware: rundll32.exe itself is always the legitimate Windows file, so what matters is which DLL it was told to load, which you can see in its startup entry (see the HijackThis discussion earlier in this chapter).

services.exe

This is the Windows NT Service Control Manager; it works similarly to svchost.exe, below. The difference is that services.exe runs services that are processes, and svchost.exe runs services that are DLLs.

smss.exe

Called the "Windows NT Session Manager," smss.exe is an essential Windows component. Among other things, it runs programs listed in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager key in the Registry.

spoolsv.exe

This handles printing and print spooling (queuing).

svchost.exe

The application responsible for launching most services (listed in services.msc). See the "What is Svchost" sidebar for details. See also services.exe, above.

System

The System process, an essential Windows component.

System Idle Process

The "idle" process isn't a program at all; it's where Windows accounts for the CPU time that no other process is using. The higher the number in the CPU column (99% being the maximum), the less your processor is being used by the currently running programs.

winlogon.exe

This process manages security-related user interactions, such as logon and logoff requests, locking or unlocking the machine, changing the password, and the remote registry service.

wmiprvse.exe

This is responsible for WMI (Windows Management Instrumentation) support in Windows XP, also known as WBEM. Like csrss.exe, above, its name is a common disguise for viruses (the real one lives in \Windows\System32\wbem), so if this process appears to be consuming a lot of CPU cycles on your system, or is running from some other folder, you should update and run your antivirus software.


Naturally, you shouldn't interfere with the components Windows requires to operate while you're looking for errant programs or programs you can get along without. And just because something isn't listed here doesn't mean it isn't required by your system, so use caution when ending a process with which you're not familiar.


What Is Svchost?

Svchost.exe and services.exe are the programs responsible for launching the processes associated with the behind-the-scenes programs controlled by the Services window (services.msc).

A single instance of Svchost.exe may be responsible for a single service or several. You should never interfere with any instances of svchost.exe or services.exe you might see listed in Task Manager. Instead, use the Services window (services.msc) to start or stop a service or choose whether or not a service is started automatically when Windows starts.

If you're using Windows XP Professional edition, you can use the TaskList utility (tasklist.exe) to see which services are handled by any given instance of svchost.exe. Just open a Command Prompt window (cmd.exe) and type:

tasklist /svc

Then, match up the numbers in the PID column of TaskList's output with those in the PID column of Task Manager's Processes tab.


If you're not familiar with a particular program that is running, there's a relatively easy way to learn more about it. First, right-click the associated .exe file (easily located with the Search tool), and select Properties. Choose the Version tab, and look under the various resources listed in this dialog; typically, the most useful information will be listed under the Company and Product Name entries. If no Version tab is present, it means the file has no version information, and you'll have to use other means to find out what the file is for. For example, if the file is located in a particular application directory, odds are it belongs to that application. Often, you can learn quite a bit by simply searching the Web for the name of the file.
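Table 6-1 and the tasklist /svc tip in the sidebar are easier to apply if you let a script do the matching. The following Python example (added here; it is not code from the book or from Microsoft's tools) parses tasklist /svc output, including the continuation lines the tool prints when one svchost instance hosts many services, groups services by svchost PID, and flags image names that are absent from Table 6-1 or that are a typo away from one of them, which is how malware commonly hides in the process list (scvhost.exe, isass.exe, and the like). The sample output is constructed, not captured from a real machine, and the "svchost hosting no service" check is my own rule of thumb rather than something the book states.

```python
"""Review a `tasklist /svc` listing against the baseline in Table 6-1.
Added example for this section; not code from the book or from Microsoft."""
import re
from typing import Dict, List, Tuple

# Image names from Table 6-1, lowercased (the processes you expect to see).
KNOWN_PROCESSES = {
    "csrss.exe", "explorer.exe", "lsass.exe", "rundll32.exe", "services.exe",
    "smss.exe", "spoolsv.exe", "svchost.exe", "system", "system idle process",
    "winlogon.exe", "wmiprvse.exe",
}

# Constructed `tasklist /svc` output (not captured from a real machine). The
# long svchost entry wraps onto continuation lines the way the real tool
# prints it, and the last three entries are the ones worth a second look.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       376 N/A
csrss.exe                      600 N/A
winlogon.exe                   624 N/A
services.exe                   668 Eventlog, PlugPlay
lsass.exe                      680 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                    840 DcomLaunch, TermService
svchost.exe                    908 RpcSs
svchost.exe                   1000 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   Netman, Nla, RasMan, Schedule, seclogon,
                                   SENS, SharedAccess, ShellHWDetection, srservice,
                                   Themes, TrkWks, W32Time, winmgmt, wscsvc, wuauserv
spoolsv.exe                   1400 Spooler
explorer.exe                  1560 N/A
ctfmon.exe                    1600 N/A
scvhost.exe                   1724 N/A
svchost.exe                   1800 N/A
"""

_ENTRY = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*)$")  # name, PID, first services
_CONTINUATION = re.compile(r"^\s+(\S.*)$")        # wrapped service names

Row = Tuple[str, int, List[str]]


def _services(field: str) -> List[str]:
    """Split 'A, B, C,' into names; 'N/A' means the process hosts nothing."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text: str) -> List[Row]:
    """Return (image name, PID, [services]) per process, joining wrapped lines."""
    rows: List[Row] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = _ENTRY.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), _services(m.group(3))))
        elif rows and _CONTINUATION.match(line):
            rows[-1][2].extend(_services(_CONTINUATION.match(line).group(1)))
    return rows


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a name is a typo away from another."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_processes(rows: List[Row]) -> Tuple[List[Tuple[str, int, str]], Dict[int, List[str]]]:
    """Flag processes to identify before ending anything; map svchost PIDs to services."""
    findings: List[Tuple[str, int, str]] = []
    svchost: Dict[int, List[str]] = {}
    for name, pid, services in rows:
        key = name.lower()
        if key == "svchost.exe":
            svchost[pid] = services
            # Heuristic (my own): the Service Control Manager starts svchost.exe
            # to host a service group, so an instance hosting nothing is odd.
            if not services:
                findings.append((name, pid, "svchost.exe hosting no service"))
        elif key not in KNOWN_PROCESSES:
            near = sorted(k for k in KNOWN_PROCESSES if edit_distance(key, k) <= 2)
            why = ("lookalike of " + ", ".join(near)) if near else \
                  "not in Table 6-1; identify before ending"
            findings.append((name, pid, why))
    return findings, svchost


if __name__ == "__main__":
    found, hosts = review_processes(parse_tasklist_svc(SAMPLE_TASKLIST))
    for pid, services in sorted(hosts.items()):
        print(f"svchost.exe {pid}: {', '.join(services) or '(none)'}")
    for name, pid, why in found:
        print(f"CHECK {name} (PID {pid}): {why}")
```

An unknown entry is not necessarily bad (ctfmon.exe in the sample is the Language Bar helper installed with Office, legitimate but absent from the table); the point is to get a short list to identify with the Version-tab method above before ending anything. The name check doesn't replace looking at the file's location: a genuine csrss.exe lives in \Windows\System32, and a copy anywhere else deserves the same suspicion as a lookalike name.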

6.2.10. What to Do when Windows Won't Shut Down

Most of the problems that prevent Windows from shutting down properly have to do with power management and faulty drivers, although there are plenty of other causes to consider. The following solutions should help fix most shutdown problems.

6.2.10.1 Part 1: Power management issues

Start by checking out the solutions in Section 5.1.5, which explain the power management settings that can affect shutdown performance, as well as the problems associated with such settings.

Power management settings in Windows XP are set from the Control Panel. If the power management dialog there has a tab labeled APM, it means Windows correctly identifies your motherboard's APM (Advanced Power Management) support. Choose the APM tab and make sure the Enable Advanced Power Management Support option is enabled.

If the aforementioned APM tab is not present, though, you'll need to check your computer's BIOS setup (see Appendix B) and make sure that APM (Advanced Power Management) or ACPI (Advanced Configuration and Power Interface) support is enabled. You'll also need to make sure you're using the correct HAL (Hardware Abstraction Layer) for your computer.

Next, check these two power-management-related settings in the Registry:

  1. Open the Registry Editor (discussed in Chapter 3).

  2. Expand the branches to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer.

  3. Double-click the CleanShutdown value. The default is 0 (zero) for this value, but you can change it to 1 (one) if you're experiencing shutdown problems, such as your system restarting instead of shutting down.

  4. Click OK, and then expand the branches to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. (Note the use of the Windows NT branch here, as opposed to the more common Windows branch).

  5. Double-click the PowerdownAfterShutdown value in the right pane, and enter 1 (one) to have Windows power down your computer or 0 (zero) to disable this feature.

  6. Click OK, and then close the Registry Editor when you're done; you'll have to restart your computer for the change to take effect.

Finally, the following steps have been known to work on some computers:

  1. Open the Device Manager (devmgmt.msc).

  2. Select Show Hidden Devices from the View menu. (See "Show Hidden Devices in Device Manager," later in this chapter, for details.)

  3. If an entry named APM/NT Legacy Node appears in the System devices category, and there's a red X over its icon, right-click it and select Enable. (If the entry isn't there, then this solution doesn't apply to you.)

  4. Close the Device Manager when you're done.

6.2.10.2 Part 2: Look for shutdown scripts

If you have a shutdown script configured, it may be preventing Windows from shutting down properly.

  1. Open the Group Policy window (gpedit.msc).

  2. Expand the branches to Computer Configuration\Windows Settings\Scripts (Startup/Shutdown).

  3. Double-click the Shutdown entry in the right-hand pane to show the Shutdown Properties dialog. If there are any entries in the list, make a note of them (in case you need to re-establish them), and then remove them.

  4. Click OK and close the Group Policy window when you're done.

6.2.10.3 Part 3: Virtual memory problems

There's a setting in Windows XP that forces the swapfile (paging file) to be cleared when you shut down, which can cause problems on some systems. To disable this, try the following:

  1. Open the Group Policy window (gpedit.msc).

  2. Expand the branches to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

  3. Double-click the Shutdown: Clear virtual memory page entry in the right-hand pane, and select Disabled.

  4. Click OK and close the Group Policy window when you're done.

See Section 5.2.3 for more information on virtual memory and your computer's swapfile.

6.2.10.4 Part 4: Other causes

Some other things that can cause Windows XP shutdown problems:

  • Antivirus software has been known to prevent Windows from shutting down; see Section 6.2.4, earlier in this chapter, for more information.

  • If shutting down results in a Blue Screen of Death (BSoD), see Section 6.2.11, later in this chapter.

  • See Section 6.2.8, earlier in this chapter, for solutions concerning the way Windows XP automatically shuts down running programs and processes during shutdown.

  • Make sure you have the latest XP updates from Microsoft; see Section 6.2.1, earlier in this chapter, for details.

  • If you have a desktop computer with at least one network card, try moving the card to a different slot.

  • Your power supply could be to blame; see the discussion of power supplies later in this chapter for tips.

  • If Windows is allowed to shut down your USB controller to save power, it may prevent Windows from shutting down. See Section 6.4.6, later in this chapter, for details.

Here are some examples of popular products whose early drivers were notorious for causing shutdown problems, fixed, in all cases, by updates available at the manufacturers' web sites:


Adaptec/Roxio Easy CD Creator

http://www.roxio.com


nVidia-based video cards (nVidia Driver Helper Service)

http://www.nvidia.com


Sound Blaster Live! (Devldr32.exe)

http://www.creaf.com

6.2.11. Blue Screen of Death

The Blue Screen of Death (BSoD) is aptly named. It's blue, it fills the screen, and it means death for whatever you were working on before it appeared. Microsoft refers to BSoD errors as "Stop Messages," a euphemism for the types of crashes that are serious enough to bring down the entire system.

A single error is no cause for concern. Only if an error happens a few times, or repeatedly, do you need to pursue any of the solutions listed here.


By default, Windows restarts your computer as soon as the BSoD appears, leaving almost no time to read the error message before it vanishes. To change this, go to Control Panel, then to Settings in the Startup and Recovery section, and turn off the Automatically restart option. (See below for more information on the Write debugging information options.)

However, turning off the Automatically restart option may not really be necessary. Every time you get a BSoD, Windows logs the error, although not in the standard Event Log (eventvwr.msc) as you might expect. Instead, a single .wdl (WatchDog Log) file is created in the \Windows\LogFiles\Watchdog folder for each crash. Just open the most recently dated file in your favorite text editor (or Notepad) to view details of the crash and some related information.

In addition to the .wdl file created for each crash, a .dmp file is created in the \Windows\Minidump folder. These files are known as memory dumps and contain some (or all) of the information in your computer's memory when the crash occurred. Typically only developers will be able to make use of this information, but it might be worth investigating if you're trying to solve a problem. To read the .dmp files, open a Command Prompt window (cmd.exe) and type dumpchk filename, where filename is the full path and filename of the .dmp file. To control how much information is written to the .dmp files, or to disable .dmp file creation altogether, return to the aforementioned Startup and Recovery Settings window.
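Since the advice above is to act only on stop errors that recur, it helps to tally the stop code from each crash rather than eyeball one screen at a time. The Python below is an added example, not from the book, that extracts the stop code, its four parameters and the named module from the stop line the blue screen prints (`*** STOP: 0x... (..., ..., ..., ...)`), labels the code with the names used in the alphabetical list that follows, and reports which codes appear at least twice across a set of crash records. The crash records and the module name example.sys are constructed for the example; the .wdl file layout itself is not parsed here, only the stop line text.

```python
"""Extract stop codes from BSoD stop lines and flag the ones that recur.

A single stop error is no cause for concern; repeats are.  The crash records
below are constructed for this example (one record per crash, as with the
per-crash log files); the stop line format is the one the blue screen prints.
"""
import re
from collections import Counter

# Stop codes and the names used in this section's alphabetical list (subset).
STOP_NAMES = {
    0x0000001E: "Kmode Exception Not Handled",
    0x00000024: "NTFS File System",
    0x0000002E: "Data Bus Error",
    0x0000003F: "No More System PTEs",
    0x00000050: "Page Fault In Nonpaged Area",
    0x0000007A: "Kernel Data Inpage Error",
    0x0000007B: "Inaccessible Boot Device",
    0x0000007F: "Unexpected Kernel Mode Trap",
    0x0000009F: "Driver Power State Failure",
    0x000000BE: "Attempted Write To Readonly Memory",
    0x000000C2: "Bad Pool Caller",
    0x000000D1: "Driver IRQL Not Less Or Equal",
    0x000000EA: "Thread Stuck In Device Driver",
    0x000000ED: "Unmountable Boot Volume",
    0xC000021A: "Status System Process Terminated",
    0xC0000221: "Status Image Checksum Mismatch",
}

# "*** STOP: 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0xF8A4B2C1)"
_STOP_LINE = re.compile(
    r"\*\*\*\s*STOP:\s*0x(?P<code>[0-9A-Fa-f]{1,8})\s*\((?P<params>[^)]*)\)",
    re.IGNORECASE)
# "*** example.sys - Address F8A4B2C1 base at F8A4A000, DateStamp 3b7dc4b8"
_MODULE = re.compile(
    r"\*\*\*\s+(?P<module>[\w.-]+\.(?:sys|dll|exe))\s+-\s+Address",
    re.IGNORECASE)

# Constructed crash records; example.sys is a placeholder module name.
SAMPLE_CRASHES = [
    "*** STOP: 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0xF8A4B2C1)\n"
    "*** example.sys - Address F8A4B2C1 base at F8A4A000, DateStamp 3b7dc4b8",
    "*** STOP: 0x0000007B (0xF78D2524, 0xC0000034, 0x00000000, 0x00000000)",
    "*** STOP: 0x000000D1 (0x00000000, 0x00000002, 0x00000000, 0xF8A4B2C1)\n"
    "*** example.sys - Address F8A4B2C1 base at F8A4A000, DateStamp 3b7dc4b8",
    "*** STOP: 0x000000EA (0x81F3A020, 0x81E8C5A8, 0xF8B9ACBC, 0x00000001)",
]


def parse_stop_message(text):
    """Return {'code', 'name', 'params', 'module'} or None if no STOP line."""
    m = _STOP_LINE.search(text)
    if not m:
        return None
    code = int(m.group("code"), 16)
    params = [int(p.strip(), 16) for p in m.group("params").split(",") if p.strip()]
    mod = _MODULE.search(text)
    return {
        "code": code,
        "name": STOP_NAMES.get(code, "unknown"),
        "params": params,
        "module": mod.group("module") if mod else None,
    }


def recurring_stop_codes(records, threshold=2):
    """Count stop codes across crash records; return {code: count} for those
    seen at least `threshold` times, i.e. the ones worth investigating."""
    counts = Counter()
    for rec in records:
        parsed = parse_stop_message(rec)
        if parsed:
            counts[parsed["code"]] += 1
    return {code: n for code, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for code, n in recurring_stop_codes(SAMPLE_CRASHES).items():
        print("0x%08X %-35s seen %d times" % (code, STOP_NAMES.get(code, "unknown"), n))
```

When the same code keeps naming the same driver file, that file (or its most recent update) is the first thing to roll back; a different code each time points more toward the hardware causes listed under "Data Bus Error" and "Unexpected Kernel Mode Trap" below.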

6.2.11.1 Alphabetical List of BSoD Errors

There are a whole bunch of possible BSoD messages, probably more than 100. However, only about 20 happen frequently enough that they might imply that an actual problem exists. More than likely, you've seen at least one of the following stop messages on your own system:


Attempted Write To Readonly Memory (stop code 0X000000BE)

A faulty driver or service is typically responsible for this error, as is outdated firmware. If the name of a file or service is specified, try uninstalling the software (or rolling back the driver if it's an upgrade).


Bad Pool Caller (stop code 0X000000C2)

Causes and remedies are similar to "Attempted Write To Readonly Memory," above. Additionally, this error might also be the result of a defective hardware device.

If you encounter this message while upgrading to Windows XP (see Chapter 1), it may mean that one or more devices in your system are not compatible with XP. Try disconnecting unnecessary devices, or at least look for updated drivers and firmware. Also, disable any antivirus software you may have running.


Data Bus Error (stop code 0X0000002E)

This can be caused by defective memory (see Section 6.4 later in this chapter), including system RAM, the Level 2 cache, or even the memory on your video card. Other causes of this error include serious hard disk corruption, buggy hardware drivers, or physical damage to the motherboard.


Driver IRQL Not Less Or Equal (stop code 0X000000D1)

Drivers programmed to access improper hardware addresses typically cause this error. Causes and remedies are similar to "Attempted Write To Readonly Memory," earlier.


Driver Power State Failure (stop code 0X0000009F)

This error is caused by an incompatibility between your computer's power management and one or more installed drivers or services, typically when the computer enters the "hibernate" state (discussed at length in Chapter 5). If the name of a file or service is specified, try uninstalling the software (or rolling back the driver if it's an upgrade). Or try disabling Windows support for power management.


Driver Unloaded Without Cancelling Pending Operations (stop code 0X000000CE)

Causes and remedies are similar to "Attempted Write To Readonly Memory," earlier in this section.


Driver Used Excessive PTEs (stop code 0X000000D8)

Causes and remedies are similar to "No More System PTEs," later in this section.


Hardware Interrupt Storm (stop code 0X000000F2)

This error occurs when a hardware device (such as a USB or SCSI controller) fails to release an IRQ, a condition typically caused by a buggy driver or firmware. This error can also appear if two devices are incorrectly assigned the same IRQ (discussed later in this chapter).


Inaccessible Boot Device (stop code 0X0000007B)

You may see this error during Windows startup if Windows cannot read data from the system or boot partitions (described in Chapter 1). Faulty disk controller drivers are often to blame, but this problem can also be caused by hard disk errors, or even a corrupted boot.ini file (also described in Chapter 1).

If all is well with your drivers and your drive and you haven't been messing with the boot.ini file (such as while installing multiple operating systems), check your system BIOS settings (described in Appendix B).

If you encounter this message while upgrading to Windows XP (see Chapter 1), it may mean that one or more devices in your system are not compatible with XP. Try disconnecting unnecessary devices, or at least look for updated drivers and firmware. Also, disable any antivirus software you may have running.


Kernel Data Inpage Error (stop code 0X0000007A)

This error implies a problem with virtual memory (discussed in Chapter 5), often that Windows wasn't able to read data from or write data to the swapfile. Possible causes include bad sectors, a virus, improper SCSI termination, bad memory, or physical damage to the motherboard.


Kernel Stack Inpage Error (stop code 0X00000077)

Causes and remedies are similar to "Kernel Data Inpage Error," earlier in this section.


Kmode Exception Not Handled (stop code 0X0000001E)

A faulty driver or service is sometimes responsible for this error, as are memory and IRQ conflicts and faulty firmware. If the name of a file or service is specified, try uninstalling the software (or rolling back the driver if it's an upgrade).

If the Win32k.sys file is mentioned in the message, the cause may be third-party remote control software (discussed in Chapter 7).

This error can also be caused if you run out of disk space while installing an application or if you run out of memory while using a buggy application with a memory leak. Developers may wish to use the poolmon.exe utility to help isolate the problem, as described in Microsoft Knowledge Base article Q177415.


Mismatched Hal (stop code 0X00000079)

The currently installed Hardware Abstraction Layer (HAL) must match the type of computer on which Windows XP is installed, or you may see this error. For example, if you use a HAL intended for a dual-processor system on a single-processor motherboard, Windows may not start. The best way to correct problems with the HAL is to reinstall Windows XP.

This error can also be caused by out-of-date Ntoskrnl.exe or Hal.dll files, so if you've recently attempted to repair these files on your system, look for backups of the original versions.


No More System PTEs (stop code 0X0000003F)

Page Table Entries (PTEs) are used to map RAM as it is divided into page frames by the Virtual Memory Manager (VMM). This error usually means that Windows has run out of PTEs.

Aside from the usual assortment of faulty drivers and services that can cause all sorts of problems, this error can also occur if you're using multiple monitors.

If you find that you're experiencing this error often, you can increase Windows's allocation of PTEs with this procedure:

  1. Open the Registry Editor (discussed in Chapter 3).

  2. Expand the Registry branches to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

  3. Double-click the PagedPoolSize value, enter 0 for its value data, and click OK.

  4. Next, double-click the SystemPages value. If you're using multiple monitors, enter a value of 36000 here. Otherwise, enter 40000 if you have 128MB of system RAM or less, or 110000 if you have more than 128MB of RAM.

  5. Click OK and then close the Registry Editor when you're done. The change will take effect when you restart Windows.
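Both of the Registry procedures in this section (the CleanShutdown and PowerdownAfterShutdown values under "Part 1: Power management issues," and the PagedPoolSize and SystemPages values just above) can be applied as a .reg file rather than by clicking through Registry Editor, which also gives you a record of exactly what was changed. The Python below is an added example, not part of the book, that picks the SystemPages figure by the rule given in step 4 and writes the values in the format Registry Editor itself exports: DWORDs as eight hex digits, and PowerdownAfterShutdown as a string value, which is how that Winlogon value is stored. The key paths and value names are the ones given in the text; review the generated file before importing it with regedit, and export the keys first so you can restore them.

```python
"""Generate a .reg file for the shutdown and PTE registry settings described
in this section.  The key paths, value names and SystemPages figures are the
ones given in the text; the .reg encoding follows what Registry Editor exports.
"""

EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
MEMORY_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
              r"\Session Manager\Memory Management")


def system_pages_value(ram_mb, multiple_monitors=False):
    """SystemPages per step 4: 36000 with multiple monitors; otherwise 40000
    for 128MB of RAM or less and 110000 for more than 128MB."""
    if multiple_monitors:
        return 36000
    return 40000 if ram_mb <= 128 else 110000


def reg_value(value):
    """Encode a value as regedit writes it: int -> dword:xxxxxxxx (8 hex
    digits), str -> a double-quoted REG_SZ literal."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError("unsupported value %r" % (value,))
    if isinstance(value, int):
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError("not a DWORD: %r" % value)
        return "dword:%08x" % value
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_file(settings):
    """settings: {key_path: {value_name: int_or_str}} -> .reg file text."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in settings.items():
        lines.append("[%s]" % key)
        for name, value in values.items():
            lines.append('"%s"=%s' % (name, reg_value(value)))
        lines.append("")
    return "\r\n".join(lines)


def shutdown_fix_settings(power_down=True):
    """Part 1 values: CleanShutdown=1 (DWORD) and PowerdownAfterShutdown,
    which is a string value, "1" to power off or "0" to disable."""
    return {
        EXPLORER_KEY: {"CleanShutdown": 1},
        WINLOGON_KEY: {"PowerdownAfterShutdown": "1" if power_down else "0"},
    }


def pte_fix_settings(ram_mb, multiple_monitors=False):
    """'No More System PTEs' values: PagedPoolSize=0 and a SystemPages figure
    chosen by system_pages_value()."""
    return {
        MEMORY_KEY: {
            "PagedPoolSize": 0,
            "SystemPages": system_pages_value(ram_mb, multiple_monitors),
        },
    }


if __name__ == "__main__":
    settings = {}
    settings.update(shutdown_fix_settings())
    settings.update(pte_fix_settings(ram_mb=256))
    print(build_reg_file(settings))
```

The output is plain ASCII, which regedit accepts for import; the changes take effect after a restart, as the steps above note.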


NTFS File System (stop code 0X00000024)

This is caused by a problem reported by Ntfs.sys, the driver responsible for reading and writing NTFS volumes (see Chapter 5). If you're using the FAT32 filesystem, you may see a similar message (with stop code 0X00000023).

Causes include a faulty IDE or SCSI controller, improper SCSI termination, an overly aggressive virus scanner, or errors on the disk (try testing it with Chkdsk). See the discussion of SCSI controllers in Section 6.4, later in this chapter.

To investigate further, open the Event Viewer (eventvwr.msc) and look for error messages related to SCSI or FASTFAT (in the System category), or Autochk (in the Application category).


Page Fault In Nonpaged Area (stop code 0X00000050)

Causes and remedies are similar to "Attempted Write To Readonly Memory," earlier in this section.


Status Image Checksum Mismatch (stop code 0Xc0000221)

Possible causes for this error include a damaged swapfile (see the discussion of virtual memory in Chapter 5) or a corrupted driver. See "Attempted Write To Readonly Memory," earlier in this section, for additional causes and remedies.


Status System Process Terminated (stop code 0Xc000021A)

This error indicates a problem with either Winlogon.exe or the Client Server Runtime Subsystem (CSRSS). It can also be caused if a user with administrator privileges has modified the permissions (see Chapter 8) of certain system files such that Windows cannot read them. In order to fix the problem, you'll have to install a second copy of Windows XP (see "Setting up a Dual-Boot System" in Chapter 1) and then repair the file permissions from there.


Thread Stuck In Device Driver (stop code 0X000000EA)

Also known as the infamous "infinite loop" problem, this nasty bug has about a hundred different causes. What's actually happening is that your video driver has essentially entered an infinite loop because your video adapter has locked up. Microsoft has posted a solution on their web site that involves disabling certain aspects of video acceleration, but I've never encountered an instance where this worked. Instead, try the following:

  • Try upgrading your computer's power supply. A power supply of poor quality or insufficient wattage will be unable to provide adequate power to all your computer's components and may result in a "brownout" of sorts in your system. Note that newer, more power-hungry video adapters are more susceptible to this problem. See the discussions of power supplies later in this chapter.

  • Make sure you have the latest driver for your video card. If you already have the latest driver, try "rolling back" to an older driver to see if that solves the problem.

  • Make sure you have the latest driver for your sound card, if applicable. Also, make sure your sound card is not in a slot immediately adjacent to your video card.

  • Make sure your video card is properly seated in its AGP or PCI slot. If it's a PCI card, try moving it to a different slot.

  • Inspect your video card and motherboard for physical damage.

  • Try messing with some of your system's BIOS settings, especially those concerning your AGP slot or video subsystem, as described in Appendix B. For example, if your AGP slot is set to 2x mode and your video adapter only supports 1x AGP mode, then you'll want to change the setting accordingly.

  • Make sure your computer and your video card are adequately cooled. Overheating can cause the chipset on your video card to lock up.

  • Check with the manufacturer of your motherboard for newer drivers for your motherboard chipset.

    For example, the "infinite loop" problem is common among motherboards with VIA chipsets and nVidia-based video cards. Visit the VIA web site (http://www.viaarena.com/?PageID=64) for updated drivers and additional solutions.

  • Try replacing your system's driver for the Processor-to-AGP Controller. Open Device Manager (devmgmt.msc), expand the System devices branch, and double-click the entry corresponding to your Processor-to-AGP Controller. Choose the Driver tab, and click Update Driver to choose a new driver. Unless you can get a newer driver from the manufacturer of your motherboard chipset, try installing the generic "PCI standard PCI-to-PCI bridge" driver shown in the Hardware Update Wizard.

  • If your motherboard has an on-board Ethernet adapter, try disabling the "PXE Resume/Remote Wake Up" option in your system BIOS (see Appendix B).

  • If you're using a dual-processor motherboard, Windows XP is probably loading a HAL (Hardware Abstraction Layer) for an MPS (Multiple Processor System). Such HALs support the I/O APIC (Advanced Programmable Interrupt Controller), a method of accommodating more than 15 IRQs in a single system. Unfortunately, APIC can cause problems with AGP-based video cards. Try changing your HAL to "Standard PC" to see if that solves the problem.


Unexpected Kernel Mode Trap (stop code 0X0000007F)

Typical causes of this error include defective memory, physical damage to the motherboard, and excessive processor heat due to overclocking (running the CPU faster than its specified clock speed).


Unmountable Boot Volume (stop code 0X000000ED)

This means that Windows was unable to mount the boot volume, which, if you have more than one drive, is the drive containing Windows (see Chapter 1 for more information on the boot and system volumes). This can be caused by using the wrong cable with a high-throughput IDE controller (more than 33 MB/second); try an 80-pin cable instead of the standard 40-pin cable. See also "Inaccessible Boot Device," earlier in this section.



    Windows XP Annoyances For Geeks
    Fixing Windows XP Annoyances
    ISBN: 0596100531
    Year: 2003
    Pages: 97
    Authors: David A. Karp
