Third-Party Disk and Virus Tools

< Day Day Up >

Built-in Diagnostic and Repair Tools

With a complex operating system like Tiger, things can sometimes go wrong, and the user is left with little recourse for solving the problem. Thankfully, operations such as repairing damaged operating system installations, resetting the root password, and fixing damaged disks can all be performed even if your machine is not properly booting into the operating system.

Verbose Boot

Mac OS 8 and 9, although they hid much of the system operation from the user, gave a clearer picture of what was going on during a system boot. When Tiger starts, dozens of support processes and drivers are loaded at the same time. If something fails, it is left to the imagination of the user to guess exactly what has gone wrong. In many cases, a user might not even be aware that there are problems with the system configuration because the boot process hides behind a simple GUI startup screen.

To view exactly what is happening as the system boots, you can hold down Command-V at power-on to force a verbose startup. The verbose boot displays all status and error messages while the computer starts. This can be a bit startling to many Mac users because instead of the usual blue or gray background present during startup, the screen will be black and filled with text. Windows and Linux users will feel right at home.

The verbose startup messages are similar to those contained in /var/log/system.log. For example:

Jun 29 17:30:30 localhost mach_kernel: .Display_RADEON: i2cPower 1 Jun 29 17:30:30 localhost mach_kernel: .Display_RADEON: user ranges num:1 start:9c008000

size:640080 Jun 29 17:30:30 localhost mach_kernel: .Display_RADEON: using (1600x1024@0Hz,32 bpp) Jun 29 17:30:30 localhost mach_kernel: AirPortDriver: Ethernet address 00:30:65:11:37:15 Jun 29 17:30:30 localhost mach_kernel: ether_ifattach called for en Jun 29 17:30:30 localhost mach_kernel: kmod_create: com.apple.nke.ppp (id 58), 6 pages

loaded at 0xc20, header size 0x1000 Jun 29 17:30:30 localhost mach_kernel: kmod_create: com.apple.nke.SharedIP (id 59), 5

pages loaded at 0x0, header size 0x0 Jun 29 17:30:30 localhost mach_kernel: kmod_create: IPFirewall (id 60), 5 pages loaded at

0xc292000, header size 0x1000 Jun 29 17:30:30 localhost mach_kernel: ipfw_load Jun 29 17:30:30 localhost mach_kernel: IP packet filtering initialized, divert enabled,

rule-based forwardingenabled, default to accept, logging disabled Jun 29 17:30:31 localhost sharity[161]: [0] Sharity daemon version 2.4 started Jun 29 17:30:39 localhost ntpdate[204]: ntpdate 4.0.95 Sat Feb 17 02:38:39 PST 2001 (1) Jun 29 17:30:43 localhost ntpdate[204]: no server suitable for synchronization found Jun 29 17:30:43 localhost ntpd[206]: ntpd 4.0.95 Thu Apr 26 13:40:11 PDT 2001 (1) Jun 29 17:30:43 localhost ntpd[206]: precision = 7 usec Jun 29 17:30:43 localhost ntpd[206]: frequency initialized 0.000 from /var/run/ntp.drift Jun 29 17:30:43 localhost ntpd[206]: server 128.146.1.7 minpoll 12 maxpoll 17

This small sample of the verbose output shows the Apple Radeon driver loading, followed by the AirPort software, Classic SharedIP driver, firewall, Sharity, and ntp (network time protocol) software.

Interestingly enough, in capturing this example, I ascertained what I had suspected for several weeks: The ntpdate utility, which is responsible for automatically contacting a remote time server for synchronization, has been failing:

 Jun 29 17:30:39 localhost ntpdate[204]: ntpdate 4.0.95 Sat Feb 17 02:38:39 PST 2001 (1) Jun 29 17:30:43 localhost ntpdate[204]: no server suitable for synchronization found

Similar feedback is provided for almost all the services on the computer, from low-level device drivers to Apache and Postfix. If your computer hangs during boot, you can use the Verbose startup mode to determine exactly where the sequence has gone amiss.

TIP

If you want to boot into Verbose mode at every startup, you can (as root) use the command nvram boot-args="-v" to set the boot arguments to always include the verbose boot flag. You can disable this by unsetting the flag with nvram boot-args="".

TIP

You can use the dmesg command on a booted system to show the current contents of the system message buffer at any time, including error messages.

Getting Access to Your Drive on a Damaged System

The original Mac OS versions (7/8/9) allowed you to disable extensions by holding down the Shift key while booting your computer. This simplified the process of debugging by providing a way in to your computer so that you could figure out what software had been installed that was messing things up and then remove it.

Performing a Safe Boot

In Mac OS X, the "Classic" Extensions Off mode has been replaced with Safe Boot mode. In Safe Boot mode, only the components necessary to get your Mac booted and running are loaded. Additional software, even networking, is disabled.

When you're running in Safe Boot mode, you can manually remove any software you've added and perform most basic repair tasks from within the GUI. To start your computer in Safe Boot mode, hold down the Shift key while starting up, until the Tiger startup screen appears with the words Safe Boot. You can then release the Shift key and allow your Mac to finish booting.

NOTE

You might notice that startup takes longer than usual when in Safe Boot mode. This is because Safe Boot forces your Mac to run the disk check and repair processes on the system volume during startup.

Entering Single-User Mode

Another modification to the startup process is booting into Single-User mode. Holding down Command-S starts Tiger in Single-User mode, enabling an administrator to directly access the system through a command-line interface. This is a last-resort method of booting your computer that should be used only if absolutely necessary.

Single-User mode boots in a text-only fashion, just like the Verbose startup mode. The process finishes by dropping the user to a shell:

 Singleuser boot -- fsck not done Root device is mounted read-only If you want to make modifications to files, run '/sbin/fsck -yk' first and them '/sbin/mount -uw /' localhost#

CAUTION

Be aware that the Single-User mode command prompt carries with it full root access. This is not a place for playing games or learning Unix.

Repairing Filesystems: `fsck`

Using the fsck command, you can repair local filesystems from the command line. To fix a damaged filesystem, type fsck -fy at the single-user prompt. This is equivalent to running the First Aid Disk Utility:

 brezup:root jray # fsck -fy ** /dev/rdisk0s9 ** Root file system ** Checking HFS Plus volume ** Checking Extents Overflow file. ** Checking Catalog file. ** Checking multi-linked files. ** Checking Catalog heirarchy. ** Checking volume bitmap. ** Checking volume information. ** The volume Shakey appears to be OK.

If an error occurs during this process, you might have to tell the system that it is okay to perform repairs. Table 29.10 lists additional command-line arguments for fsck.

Table 29.10. `fsck` Command-Line Options
Option	Purpose
`-d`	Debugging mode. Displays the commands that `fsck` will execute without actually carrying them out.
`-f`	Forces a check of the filesystems, even if they are considered clean.
`-l` `<max parallel processes>`	Sets the number of scans that `fsck` will run in parallel. Usually defaults to one scan per disk.
`-n`	Assumes that the answer to all interactive questions is no.
`-p`	Preens (cleans) the filesystems marked as dirty.
`-y`	Answers yes to all interactive questions.

TIP

If you just want to run a disk repair, the easiest way to do it is to start in Safe Boot mode, which forces a repair automatically.

Alternatively, you can boot from the Tiger installation disk and then choose Disk Utility from the Utilities menu. Chapter 4 discusses the use of Disk Utility for repairing volumes.

When booted into Single-User mode, the filesystem is mounted as read-only as a precaution. If you've installed a new daemon or script that is stalling the system at startup, it would be useful to be able to edit files from within single-user mode. To mount the filesystem with write permissions, use /sbin/mount -uw /.

Again, be aware that changes made while in Single-User mode are made as the root user.

TIP

Starting in Tiger, you can boot from the System Install CD and choose Terminal from the Utilities menu to have command-line interface access to volumes that might not be booting correctly.

Logging In to the Console

If your problem lies not with the boot process, but with logging in, you might want to try a standard boot followed by a non-GUI login. To do this, you must have username and password fields enabled in the login window. If you do, allow the system to boot to a standard login window; then type >console as your username and click the Login button.

Your screen goes black, and you see a prompt similar to

 Darwin/BSD (brezup.poisontooth.com) (console) login:

Type your username and password to log in and use the system via the console. Logging out of the console restarts the window manager and takes you back to a GUI login screen.

Mounting a Disk Using Target Disk Mode

A final option if your machine isn't booting at all is to use a second computer and attempt to access your drive through Target Disk mode. When a computer is placed into Target Disk mode, it can be connected via FireWire to another machine and will present its drive just like any other removable disk, enabling you to run repairs on the drive or at least copy critical information from the volume.

To start a computer in Target Disk mode, simply hold down the T key while turning on the machine. After a few seconds, a FireWire symbol will appear onscreen and the machine will be ready to be connected to another Macintosh computer for diagnostics, repair, or recovery.

Identifying Software Conflicts

When dealing with stalled startups, take the same approach as with extensions and control panels under Mac OS 8 and 9: Remove the last item to load before the system failure and then reboot.

Assuming that you haven't found what is crashing the machine in your system.log or by running a verbose boot, disable any new software that runs with root privileges or drivers for add-on devices. After you've gained access to your system (either through Safe Boot mode, Single User mode, or Console login), search the list of usual suspects to find newly installed files.

As you already know, both the /Library/Startupitems and /System/Library/ Startupitems directories contain the services that are started at boot time. If software in your auto-launch Login Items list is causing the problem, it's stored in ~/Library/ Preferences/loginwindow.plist. /Library/Components and /System/Library/ Extensions provide two more common hiding places for installed drivers and kernel extensions.

In addition, the /etc/hostconfig and /private/var/db/SystemConfiguration/_preferences.xml files hold information on your machine's network configuration and boot parameters. Although editing these files isn't a guaranteed cure for any problem, it's a good place to start.

Testing Kernel Extensions

If you suspect an extension is causing a problem but aren't sure, you can use the capability of Tiger to dynamically load and unload kernel extensions to test your hypothesis.

To list the currently loaded extensions, use the utility kextstat with the argument -k to hide kernel components (which you wouldn't want to touch):

 brezup:jray jray $ kextstat -k Index Refs Address    Size       Wired      Name (Version) <Linked Against>    16   11 0x402000   0xa000     0x9000     com.apple.iokit.IOPCIFamily (1.6)    17    0 0x40c000   0x8000     0x7000     com.apple.driver.AppleCore99PE     18    1 0x854000   0x4000     0x3000     com.apple.driver.IOPlatformFunction    20    0 0x49d000   0x7000     0x6000     com.apple.driver.AppleI2C (3.4.5d2)    21    2 0x43f000   0x3d000    0x3c000    com.apple.iokit.IOHIDFamily (1.4)    23    0 0x984000   0x3000     0x2000     com.apple.driver.AppleCore99NVRAM (1.1)    24    0 0x918000   0x9000     0x8000     com.apple.driver.AppleMacRiscPCI     25    1 0x84f000   0x5000     0x4000     com.apple.iokit.IOKeyLargo (1.6.0d4)    26    0 0x858000   0x7000     0x6000     com.apple.driver.AppleKeyLargo  ...    79    1 0x594000   0x291000   0x290000   com.apple.NVDAResman (3.3.8) <78 76 16>    80    0 0x9a6000   0x82000    0x81000    com.apple.nvidia.nv10hal (3.3.8)     81    0 0x85f000   0x33000    0x32000    com.apple.GeForce (3.3.8) <79 78 76 16>

A normal system should have roughly 60 90 extensions loaded.

Each line contains the name of the extension and information about where it is loaded in memory. The fields you'll be most interested in are the Name field (such as com.apple.GeForce) and the Ref field. The Name field contains the name by which the system refers to the loaded extension and is what you will need to use to unload it. The Ref field contains the number of active references to that extension. If other components are using an extension, it cannot be unloaded. For example, the com.apple.NVDAResman extension has a reference count of 1, (which I happen to know is because it is being used by the com.apple.GeForce extension), so it cannot be unloaded without first unloading com.apple.GeForce.

Unloading an Extension: `kextunload`

To unload a kernel extension, you must be root (or use sudo) and issue the command kextunload -b <extension name>. For example, in the kextstat listing we looked at previously, to unload the com.apple.NVDAResman extension, you would type:

 brezup:jray jray $ sudo kextunload -b com.apple.NVDAResman  unload id com.apple.NVDAResman failed (result code 0xe00002c2)

This is syntactically correct, but the unload failed because of the reference count. To unload the extension, you must first unload com.apple.GeForce and then com.apple.NVDAResman:

 brezup:jray jray $ sudo kextunload -b com.apple.GeForce unload id com.apple.GeForce succeeded (any personalities also unloaded) brezup:jray jray $ sudo kextunload -b com.apple.NVDAResman unload id com.apple.NVDAResman succeeded (any personalities also unloaded)

TIP

You can also unload a kernel extension based on its filesystem name by simply typing kextunload <full path to extension>.

Loading an Extension: `kextload`

Loading an extension is virtually identical to unloading but uses the command kextload instead: kextload <path to extension>. For example, to reload the GeForce extension, you would type

 brezup:jray jray $ sudo kextload /System/Library/Extensions/GeForce.kext kextload: /System/Library/Extensions/GeForce.kext loaded successfully

Reinstalling the Operating System

Most Windows users are familiar with the word reinstall. I've listened in on many support calls, only to hear the technician give up and tell the end user to reinstall. Unfortunately, Mac OS X users might find themselves doing the same thing. The difference, however, is that reinstalling Tiger does not replace your system accounts, information, or configuration.

I have found on numerous occasions that rerunning the Installer is the fastest and easiest way to return to a viable system. There are, however, a few drawbacks most notably, the system updates are replaced by the original version of the operating system. After running the Tiger Installer to recover a damaged system, be sure to open the /Library/Receipts folder, throw away any receipt files stored by system updates, and then manually force a software update to reinstall the latest versions of system updates and other support software.

Another anomaly is that if you've moved or removed any of the system-installed applications, they will be restored during the install process.

Restoring the Administrator Password

If an administrator password is forgotten or misplaced, Apple has provided a facility for restoring a password. Boot your computer from the Tiger install media (hold down the C key while turning on your computer with the media in the CD-ROM/DVD drive). When the Installer application starts, choose Reset Password from the Utilities menu. Figure 29.13 shows the interface to the Password Reset facility.

Figure 29.13. Use the boot media and Password Reset application to ease your forgetful head.

Detected bootable volumes are listed along the top of the window. Click the main boot drive to load the password database for that volume.

Next, use the pop-up menu to choose the user account that you want to reset. Fill in the new password in both of the password fields provided. Finally, click Save to store the new password.

This really isn't useful for much beyond resetting the administrator password. As long as there is access to the administrator account from the command line, you can easily use passwd <username> to reset the named user's password:

 brezup:jray jray % sudo passwd jackd Changing password for jackd. New password: Retype new password:

TIP

It is not possible to recover a password that has been forgotten it is only possible to reset it. Tiger passwords are encrypted and can only be decrypted using the user's own password. If you're setting up a large-scale network with dozens of accounts, it's a good idea to develop a default password policy. Several organizations that I've worked for base the user's passwords on a combination of their initials and the last four digits of the user's Social Security number. This enables the administrators to reset passwords to a safe default value that the user can remember.