Windows Startup Troubleshooting


This section deals with errors that occur after the non-Windows portion of the boot process is complete, and the Windows startup process begins. Windows XP offers several tools you can use to identify and solve startup problems. Before digging too deep into how to solve problems with Windows startup, it's important that you have a basic understanding of the steps that a Windows XP-based PC follows during startup. This information can be found in Chapter 4, "Windows Startup."

The method you use to solve a Windows startup problem is generally based on one of three criteria:

  • If the problem occurs immediately after you have installed a new device driver, updated an existing driver, or installed a new software application

  • Whether or not you are able to start Windows in Safe mode

  • How valuable the data is on your system

The third bullet point should not be dismissed lightly. Of course, everything you have on your computer's hard disk counts as valuable data. However, in my experience, there comes a time during an extended troubleshooting session where I ask myself, "Is it worth it to continue working on this problem, or would it be better to just wipe the hard disk clean and reinstall everything?"

If you have reliable backups of your critical data, you should not reject the idea of repartitioning, reformatting, and reinstalling Windows just because it seems like too much work, or because it seems like the coward's way out. Rebuilding a nonfunctioning Windows PC is often the best, most time-effective way to bring a system back to a working condition.

Note

The Microsoft System Configuration Utility is a troubleshooting tool that can be used to configure a number of Windows startup options. You will find more information on this utility in the section "Windows XP Troubleshooting Tools" later in this chapter.


Before proceeding, it's worth noting that many of the tools discussed here, the Recovery Console and System Restore in particular, have applications to troubleshooting Windows that go above and beyond pure startup problems.

Windows Advanced Options Menu

If you are unable to start Windows normally, you need to access the Windows Advanced Options menu. As discussed in Chapter 4, this menu is accessed by pressing the F8 key on your keyboard once the POST is completed, and before the Windows splash screen appears.

Once the Windows Advanced Options menu opens, you can choose from the following actions:

Safe Mode

Safe Mode with Networking

Safe Mode with Command Prompt

Last Known Good Configuration

Start Windows Normally

Last Known Good Configuration

Last Known Good Configuration is not the first option listed in the Windows Advanced Options menu, but it is usually the first method you should use to try to repair a Windows startup problem. Specifically, Last Known Good Configuration should be used as the first method of repair if the Windows startup problem began immediately after

  • A new device driver was installed

  • An update to an existing driver was made

  • A new software program was installed

The Last Known Good Configuration option causes Windows to reverse all driver and Registry changes made since the last time you successfully logged on to Windows. This means that if the problem is related to a newly installed driver or program (and you haven't successfully logged on to Windows since the driver or program was installed), you can use Last Known Good Configuration to revert to the original driver or remove the offending program's entries from the Windows Registry.

To initiate Last Known Good Configuration, access the Windows Advanced Options menu, use the arrow keys on your keyboard to scroll down to the Last Known Good Configuration menu item, and press the Enter key. If you are running more than one operating system on your computer, you will need to select the Windows XP installation from the menu that appears next. Windows will then attempt to revert to the previous settings, and will automatically restart.

Using Last Known Good Configuration will reverse every driver and Registry change made since your last successful logon. If you installed more than one driver or program in the last session before Windows startup failed, all of these changes will be wiped out. In this situation, you may end up with software programs that appear in the Start menu that will not run properly because their Registry entries have been removed. To correct this, manually uninstall the program by deleting the appropriate folder(s) in the Program Files directory, and delete the program shortcut located in the <systemdrive:>\Documents and Settings\<username>\Start Menu\Programs folder. Then, reinstall the program.

Tip

If you are positive that you know which driver or program is causing Windows startup to fail, you may want to bypass the Last Known Good Configuration and go straight to trying to start Windows in Safe mode. That way, you can deal with the specific piece of offending software using Device Manager, or through Add/Remove Programs in Control Panel. This allows you to deal directly with the rogue driver or software, instead of reversing all of the driver and Registry changes made since your last logon.


Starting Windows in Safe Mode

If using Last Known Good Configuration does not solve the Windows startup issue, you should try starting Windows in Safe mode. Using Safe mode gives you the ability to load Windows with only the minimal drivers required to start the core operating system. Starting Windows in Safe mode is sometimes the only way to gain access to a system when the problem is related to a software driver or program.

Note

Microsoft recommends that you try using Last Known Good Configuration before you try booting into Safe mode. However, starting Windows in Safe mode does not overwrite the Last Known Good Configuration information; this means that you can still go back and try Last Known Good Configuration even after you have started Windows in Safe mode.


To start Windows in Safe mode, restart the computer and press and hold the F8 key on the keyboard. This will open the Windows Advanced Options menu. From this menu, you can choose to start Windows in Safe mode, with three different options:

  • Safe mode is the standard mode for starting Windows with only the necessary drivers. This is usually the option to choose when you want to start Windows in Safe mode.

  • Safe Mode with Networking starts Windows in Safe mode, but includes the drivers necessary for Windows to load its networking components. This can be useful if you want to access online help, but don't have access to another Internet-enabled computer.

  • Safe Mode with Command Prompt loads the minimum driver set, and then takes you directly to a command prompt rather than loading the Windows GUI interface.

Starting Windows in Safe mode circumvents a number of drivers and settings. For instance, audio drivers aren't loaded, so you will not have sound when in Safe mode. Also, you will usually not be able to access USB or FireWire devices such as external hard drives. However, you can use USB-based keyboards and mice as long as your computer's firmware supports these devices. For more information about using Safe mode, refer to Chapter 4.

If you are able to start Windows in Safe mode, there are a number of tools you can use to diagnose and solve the problem that is preventing Windows from starting normally.

Device Driver Rollback

If the Windows startup problem is related to a new or updated device driver (and you are aware of which driver is causing the problem), you can use the Device Driver Roll Back option to revert to the previous version of the driver.

Every time you install an updated driver, Windows XP stores a copy of the previous driver on your system. When you use the Driver Roll Back function, it looks for the previous version of the driver, and replaces the new driver with the last-used version.

After you have started Windows in Safe mode, open the Control Panel. If you do not have Control Panel configured to appear in Classic view, choose this option in the left-hand sidebar menu, and then double-click on the System applet. Select the Hardware tab and click on the Device Manager button. Expand the hardware category that the device with the offending driver is contained in, and then double-click on the device. Select the Driver tab, and then click Roll Back Driver (see Figure 12.1).

Figure 12.1. Click on the Roll Back Driver button to revert to the previous version of the driver.


You will be asked if you want to overwrite the existing driver. Select Yes to roll back to the previous version. Windows will locate the previous version of the driver, and automatically install it on your system (at the same time it removes the existing driver). In some cases Windows will inform you that the system must be restarted in order for the change to take effect.

There are a few limitations to the Device Driver Roll Back option. You can only revert one iteration of the driver, meaning that if you have used more than two versions, you cannot choose any other version than the one that was installed most recently. Also, due to a quirk with Windows XP, you cannot roll back printer drivers. Installing printers is done through the Printers and Faxes applet in Control Panel, and this applet does not support the Device Driver Roll Back function. Finally, you cannot use the Device Driver Roll Back option to completely uninstall a driver. If you want to uninstall a driver, click Uninstall on the device's property dialog instead of Roll Back Driver (refer to Figure 12.1).

Uninstalling Software Through the Windows Control Panel

If the Windows startup problem is related to a recently installed software program, you can remove the offending program after you have started Windows in Safe mode. To do so, open Control Panel in Classic view and double-click on the Add/Remove Programs applet. Select the program you want to uninstall from the list of installed software that appears, and select Remove.

Although the Add/Remove Programs applet in Control Panel is supposed to remove all traces of a program, this is not always the case. If you remove a program in this fashion and the same problem continues to occur, there is a chance that the program still has data left in the Windows Registry.

In this case, you will need to open the Windows Registry and remove any entries pertaining to the offending program. For more information on how to edit the Windows Registry, refer to Chapter 6, "Tweaking and Tuning Windows," in this book.

Case Study

Here is a real-life example of how a software program can prevent Windows from starting properly, and how the problem was solved.

I was once troubleshooting a corporate laptop that kept crashing during Windows startup. After talking to the employee, I discovered that the problem began immediately after he had loaded a new antivirus program onto the laptop.

I was able to start Windows in Safe mode, and get access to the GUI. I found the antivirus program, and ran its uninstall program. The software uninstalled without a hitch, and I rebooted the laptop, only to discover that it was still crashing during Windows startup.

After puzzling over this for a minute or two, I restarted Windows in Safe mode, went to the Start menu, chose Run, and typed in REGEDIT to open the Windows Registry Editor. I opened up the HKEY_LOCAL_MACHINE key, opened the SOFTWARE item, and looked for the name of the antivirus software's manufacturer. Sure enough, I found a Registry entry for the software that the uninstall program had failed to remove. I deleted this entry, saved the Registry, closed Registry Editor, and restarted the laptop. The Windows splash screen came up, and Windows started without any problems.

In my experience, a large number of Windows-related problems are related to poorly written software. Thankfully, Windows includes a number of tools you can use to remove buggy programs and device drivers.


Using the System Restore Tool

The System Restore tool, as discussed in Chapter 5, "Managing Windows," is included in both the Home and Professional versions of Windows XP. The System Restore service monitors the status of certain key files and settings. Every so often, this service takes a "snapshot" of certain aspects of your computer's current status. These "snapshots" are referred to as restore points. You can use the System Restore tool to roll back your machine to one of the recorded restore points.

Caution

The System Restore tool is not a substitute for an antivirus or spyware solution, nor is it a data backup strategy. System Restore does not save your documents, email, or other such files. It can, however, be used to restore a Windows installation to a previous point in time when it was working properly.


This section takes a look at using System Restore with a system that fails to boot normally.

For more general information on how System Restore works and how it's configured, see "System Restore," p. 220.



If your Windows XP-based PC will not start normally, there are two alternative methods you can use to access the System Restore tool. One method is used if you are able to start Windows in normal Safe mode, the other should be used if you can only start Windows in Safe Mode with Command Prompt.

System Restore in Safe Mode

If you are able to start Windows in Safe mode and get to the Windows GUI, you can initiate the System Restore tool from the Help and Support option in the Start menu. To do this, follow these steps:

1. From the Start menu, select Help And Support.

2. In the Help And Support Center, under Pick a Task, click on Undo Changes to Your Computer with System Restore.

3. You will now see the Welcome To System Restore screen. Select Restore My Computer to an Earlier Time, and click Next (see Figure 12.2).

Figure 12.2. Select the desired restore point from the calendar and click Next.

4. You will be asked to choose the restore point you want to use. Restore points are listed with a date and description. Select the restore point you want, and click Next.

5. This takes you to the Confirm Restore Point Selection page. Ensure that the settings you've chosen are correct and click Next.

The System Restore tool will reinstate the settings and key system files from the restore point you selected, and will then restart the computer. If you decide for whatever reason that the restore did not accomplish what you wanted it to, you can reverse the process by going back into the System Restore tool and selecting the Undo My Last Restoration option.

System Restore in Safe Mode with Command Prompt

If you are unable to start Windows in Safe mode, you can still access the System Restore tool if you are able to start Windows with the Safe Mode with Command Prompt option. The System Restore tool can be launched from the command prompt by using the following syntax:

 %systemroot%\system32\restore\rstrui.exe

In this instance, %systemroot% is the directory where the Windows installation exists. With Windows XP, this directory is named WINDOWS unless the default selection was changed during the installation process.

After you have launched the rstrui.exe file, the command-line version of the System Restore tool starts. If there is an administrative password for the Windows installation, you will be asked to enter it before you can proceed with the restore. You will then be asked to choose a specific restore point to start the restore process. The restore process begins by passing the command to the System Restore service, which accesses the System Restore change logs. The System Restore service uses the change logs to create a restore map, which enables the service to re-create the specific system state you have selected. The restore map is then processed, the system restarts, and the new registry and dynamic data stores are loaded.

Note

For more information on using environment variables, refer to Chapter 9, "Windows Commands and Scripting."


Caution

In order for the System Restore tool to function, the System Restore service must be enabled in Windows. By default, this service is enabled when Windows is installed. However, the service can be disabled either through the System applet in Control Panel, or via the Services option in the Administrative Tools applet in Control Panel.


The System Restore tool can be the best procedure to use if you are unsure which driver or program may be causing the problem, or if uninstalling the driver or program doesn't solve the problem.

Recovery Console

One of the lesser-known maintenance features of Windows XP and Windows 2000 that's very useful in fixing a Windows system that won't fully boot is the Recovery Console. It's an interesting animal: rather than a management tool that you run from Windows, the Recovery Console is a completely independent, standalone, utterly minimal installation of Windows with "plain vanilla" device drivers, a very limited command-line interface, and no GUI. The idea is that no matter how badly messed up your main Windows installation might get, due to bad or incorrect drivers, weird hardware, missing files, or incorrect Registry entries, the Recovery Console should still be able to boot up and work.

Although Microsoft recommends that you try Safe mode first, the Recovery Console gives you a command prompt window from which you may be able to bring a non-bootable system back to life. You can use it to disable a device driver that crashes Windows before it can start up, delete a virus or spyware program, install fresh copies of system files that have become corrupted, and manage disk partitions. Under certain circumstances you can also use the Recovery Console to extract urgently needed files from a nonbootable system without going to the trouble of moving the hard disk to another computer or reinstalling Windows. However, this takes advance preparation.

Recovery Console Access Restrictions

By default, Recovery Console commands can only be used to read, write, and modify files in selected folders of your hard drives:

  • The Windows folder (the %systemroot% folder) and its subfolders

  • The root folders of your hard drives

  • The folder from which the Recovery Console booted (c:\cmdcons if it was installed on your hard drive)

  • Removable media such as CDs, DVDs, and floppy disks

Thus, using default settings, you cannot use Recovery Console to view, modify, or copy in user profile folders or any other folders; attempts to do so will result in an Access Denied error message.

Furthermore, by default, you can copy files from one hard drive to another (subject to the limitations just mentioned), and from removable media to hard drives, but you cannot copy files from a hard disk to a floppy disk, so you cannot use Recovery Console to salvage user files from a nonbootable computer.

You can configure Recovery Console so that it can access any folder, and can copy files out of the computer to removable media. But the set command, which is used to relax access restrictions, is available only if you make an adjustment to your computer's Security Policy before you boot the Recovery Console, and thus this has to be done before you run into trouble.

If you think you will ever want to be able to use the Recovery Console to copy files out of an unbootable computer to a floppy disk, you should enable the set command now. It's best if you also install the Recovery Console on your hard disk at the same time. You can also make the Security Policy changes without installing to disk (the procedure is described in steps 5 through 11 in the next section), but I recommend preinstallation.

Installing Recovery Console on Your Hard Disk

If you plan ahead, you can install Recovery Console on your hard disk, and it will appear as a boot-time option. The advantage of doing this is that you won't have to hunt for your Setup CD when you need to use Recovery Console. At the same time, you can choose to enable the set command that relaxes Recovery Console's access restrictions, or you can make it possible to use the Console without having the Administrator password.

Caution

You should not both enable the set command and remove the requirement for the Administrator password. With both of these options enabled, anyone with physical access to your computer would be able to access and view, delete, or take a copy of any file, without having to know any password at all.


Note

If your computer is a member of a domain network, Group Policy settings may be used to override Local Security policy, so your network administrator may prevent your use of the Recovery Console, or your attempt to relax its security restrictions. Likewise, Group Policy can also be used to enable access.


Note

If you have set up software mirrored or RAID disks using the Windows Disk Management console, you must break the mirror before installing the Recovery Console, and you cannot re-create the mirror unless your disks have been converted from Basic to Dynamic disks. See Microsoft Knowledge Base article support.microsoft.com/kb/229077 for details.


To install the Recovery Console on your hard disk, follow this procedure:

1. Log on as a Computer Administrator and insert your Windows Setup CD.

On Windows XP, if your Setup CD has the original or Service Pack 1 version of XP, and you have subsequently installed Service Pack 2, you cannot use your original Setup CD. You must find and use an XP Setup CD that has SP2 preinstalled. You might be able to borrow a Setup CD from a friend with a newer computer.

2. Wait for the Windows Setup window to appear, and close it.

3. Open a Command Prompt window, and type the following command:

   d:\i386\winnt32 /cmdcons

but type the letter corresponding to your CD drive in place of d.

4. Let Windows Setup complete the installation, and then remove the CD. Close the Command Prompt window.

5. If you want to enable the set command, which will let you bypass Recovery Console's access restrictions, proceed with step 6. Otherwise, skip ahead to step 8.

6. To enable the set command, open the Control Panel, select Performance and Maintenance, open Administrative Tools, and then open Local Security Policy.

7. In the left pane, open Security Settings, Local Policies, and select Security Options. In the right pane, double-click Recovery Console: Allow Floppy Copy. Select Enabled, and then click OK. Repeat with Recovery Console: Access to All Drives and All Folders. Now, skip ahead to step 11.

8. To eliminate the requirement that you enter the Administrator Password to manage this Windows installation using the Recovery Console, proceed with step 9. Otherwise, skip ahead to step 12.

9. To disable the Administrator password requirement, open the Control Panel, select Performance and Maintenance, open Administrative Tools, and then open Local Security Policy.

10. In the left-hand pane, open Security Settings, Local Policies, and select Security Options. In the right pane, double-click Recovery Console: Allow Automatic Administrative Logon. Select Enabled, and then click OK.

11. Close the Local Security Settings window and the Control Panel.

12. Click Start, right-click My Computer, and select Properties. Select the Advanced tab, and under Startup and Recovery, click Settings.

13. Be sure that the default operating system is not Microsoft Windows Recovery Console; if it is, select an appropriate default operating system option.

14. Ensure that Time to Display List of Operating Systems is checked, and set the number of seconds to 5. Finally, click OK to close the dialog.

Now, the next time you restart your computer, the Windows loader will display a boot menu, as shown in Figure 12.3. If you make no choice, after five seconds Windows will go ahead and start up as usual. If you need to use the Recovery Console, immediately press the down-arrow key to stop the clock, and then highlight Microsoft Windows Recovery Console and press Enter.

Figure 12.3. After installation, the Recovery Console appears as a boot option.

Note

The boot.ini entry for the recovery console is

 C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

although the drive letter may be different on your installation. This is handy to know in case you accidentally remove it from your boot.ini file or if you delete and have to replace boot.ini.
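A small audit script, added here as an example and not part of the book or of Windows, that checks the two things this section asks you to get right: that boot.ini still carries the Recovery Console entry with a sensible default and timeout (steps 13 and 14), and that the two Local Security Policy settings are not both enabled, which is the combination the Caution above warns about. The boot.ini text is constructed; the registry key and the value names SetCommand and SecurityLevel are assumptions taken from the Windows policy documentation rather than from this chapter.

```python
"""Audit of a Recovery Console preinstallation (constructed example)."""
import sys

# Registry key behind the "Recovery Console: ..." Local Security Policy
# settings (assumption from the Windows policy documentation, not from
# this chapter): SetCommand=1 enables the set command, SecurityLevel=1
# enables automatic administrative logon.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"

# Constructed boot.ini in the state the installation procedure leaves it.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
"""


def parse_boot_ini(text):
    """Return (timeout, default, entries); entries maps a boot path to the rest of its line."""
    timeout, default, entries, section = None, None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            if key.lower() == "timeout":
                timeout = int(value)
            elif key.lower() == "default":
                default = value
        elif section == "operating systems":
            entries[key] = value
    return timeout, default, entries


def audit_boot_ini(text):
    """List problems with the Recovery Console boot entry (empty list means all is well)."""
    findings = []
    timeout, default, entries = parse_boot_ini(text)
    # The console entry is the one carrying the /cmdcons switch.
    console = [path.lower() for path, rest in entries.items() if "/cmdcons" in rest.lower()]
    if not console:
        findings.append("no Recovery Console entry (/cmdcons) in [operating systems]")
    if default and default.lower() in console:
        findings.append("default operating system is the Recovery Console; select the Windows installation instead")
    if timeout is None:
        findings.append("no timeout= line: the list of operating systems is not displayed")
    elif timeout == 0:
        findings.append("timeout=0: the boot menu is never shown, so the Recovery Console cannot be selected")
    return findings


def audit_policy(set_command, security_level):
    """Rate the two policy values; both enabled is the dangerous combination."""
    findings = []
    if set_command == 1:
        findings.append("set command enabled: AllowAllPaths/AllowRemovableMedia can be turned on from the console")
    if security_level == 1:
        findings.append("automatic administrative logon: no Administrator password is asked for")
    if set_command == 1 and security_level == 1:
        findings.append("CRITICAL: anyone with physical access can read or copy any file without a password")
    return findings


def read_policy_from_registry():
    """Read the live values on a Windows host; a missing value counts as 0 (disabled)."""
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
        def value(name):
            try:
                return int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                return 0
        return value("SetCommand"), value("SecurityLevel")


if __name__ == "__main__":
    for finding in audit_boot_ini(SAMPLE_BOOT_INI) or ["boot.ini sample: no findings"]:
        print(finding)
    if sys.platform == "win32":
        for finding in audit_policy(*read_policy_from_registry()):
            print(finding)
```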


Caution

If you install Recovery Console on your hard disk and later convert the hard disk from FAT to NTFS format, you must reinstall Recovery Console. Until you do, the bootable version will not work, and you will only be able to start Recovery Console from your Setup CD.


Starting Recovery Console from your Setup CD

If you need to use the Recovery Console to repair a broken Windows installation but you did not preinstall it on your hard disk, you can start it by booting from your Windows Setup CD, using this procedure:

1. Insert your Windows Setup CD into your CD or DVD drive, and restart your computer. You may need to enter your BIOS Setup program to change the Boot Order setting so that booting from the CD drive is enabled, and the CD drive is checked before the hard drive.

2. When the Welcome to Setup screen appears, select R to Repair, and if prompted to do so, C to run the Recovery Console.

3. While the Recovery Console is starting, you will see the prompt Press F6 if you need to install a third party SCSI or RAID driver. If your disk drive interface requires a nonstandard driver, press F6 and follow the same procedure you used during Windows Setup to select an alternate driver.

4. The Recovery Console will ask you to select a Windows installation.

Now, proceed as described in the next section.

Note

If your computer is set up for network booting and your organization uses Remote Installation Services, you can also boot Recovery Console through RIS. See Microsoft Knowledge Base article support.microsoft.com/kb/222478 for instructions.


Using the Recovery Console

To start the Recovery Console, if you have installed the Recovery Console on your hard disk, restart your computer and select Microsoft Windows Recovery Console from the boot options menu. Otherwise, boot from your Windows XP Setup CD as described in the previous section.

When the Recovery Console has loaded, there will be a five-second window in which you can press Enter to select an alternative keyboard layout. The default is US English Qwerty.

The Recovery Console will then examine your hard disks for any Windows installations it can find, and it will display them in a numbered list, even if only one is found, as shown in Figure 12.4. Enter the number corresponding to the Windows installation you want to repair and press Enter.

Figure 12.4. When it starts, Recovery Console lets you select from any detected Windows installations.

If your Windows folder is not displayed, either its disk is inaccessible, or the installation is too corrupted to continue; in this case you need to fix the hardware, or reinstall Windows. You can press Enter to exit the Recovery Console and restart the computer.

Note

If your computer is set up for multibooting into Windows XP, 2000, or NT, be careful. You could damage your Windows installation if you try to use the Windows XP Recovery console on a Windows 2000 installation, or vice versa. Although all Windows installations are listed, work only with installations that match the version of the Recovery Console you're using. Boot from the other OS setup CD to get the right version, if necessary.


If a password is set for your Administrator account, and if you haven't disabled the need for the Administrator logon by modifying Security Policy, as discussed earlier, you will be prompted for the Administrator password.

If you cannot remember the password to the Administrator account, see "Dealing with a Lost Password," p. 191.



The Recovery Console window works almost exactly like the Command Prompt window. You can use the cd command to change directories and dir to list directory contents; many of the usual commands like copy and del are available to let you manage files; and as usual, uppercase and lowercase do not matter when entering commands or options. However, there are also some distinct differences:

  • Command-line editing functions are minimal. Filename completion is not available. You can use the up- and down-arrow keys to recall previously typed commands, but you cannot use the left- and right-arrow keys to move the cursor around in a command line for editing. To make changes, you must use the backspace key to erase characters and then retype the rest of the line.

  • The Recovery Console supports only a small list of built-in commands. No other programs (.EXE files) can be run.

  • The input and output redirection operations > and < and the pipeline operator are not supported.

  • Output never scrolls off the screen. If a listing fills the screen it automatically pauses; you can press the spacebar to display the next screen, or Esc to cancel the listing.

  • Most commands that accept a filename argument will not accept wildcard specification using ? or *, unless you use the set command to enable the AllowWildCards option.

  • Spaces are required between arguments. Although the normal command prompt accepts cd\windows as a valid command, Recovery Console doesn't; you must type cd \windows instead.

  • As mentioned previously, the Recovery Console's default settings prohibit access to folders other than the Windows folder and root folders, and prohibit copying files to floppy disk. If you need to relax these restrictions, use the set command to enable the AllowAllPaths option.

The next sections show some useful examples. After the examples is a reference of all Recovery Console commands.

Repair the Boot Loader

If you install another operating system such as Linux, MS-DOS, or Windows 98 or Me, the OS setup program will overwrite the boot sector and master boot record boot code and you will not be able to load Windows XP. If you want to dual-boot with Linux, you can use LILO, GRUB, or other Linux loaders as the primary loader, so this may be okay, but in most cases, you will want to reinstall the Windows XP loader. To do this, start the Recovery Console and issue the commands fixboot and fixmbr . Then type quit to restart the computer.

Disable a Buggy Driver or Service

If a buggy device driver (or less likely, a service) is preventing Windows from booting, you may be able to boot after disabling it using the Recovery Console. In some cases, the Blue Screen of Death (BSOD), which displays information about the CPU's state at the time of a Windows crash, lists the name of the device driver that caused the problem, and you will know which driver to disable or roll back. Sometimes, however, the BSOD doesn't display the driver name. In this case, you should start by disabling the driver for any newly installed devices first, before proceeding to try disabling nonessential devices one at a time.

Tip

If Windows automatically reboots after a crash so quickly that you can't see what the Blue Screen of Death says, or it reboots over and over, and you have Windows XP Service Pack 2 or later, you're in luck. Press F8 while Windows is starting to display the Advanced Options Startup menu. Select Disable Automatic Restart on System Failure, and then select Start Windows Normally. This should let you see the crash report. You'll need to power the computer off and back on to restart it if the BSOD is displayed. Ctrl+Alt+Del won't budge it.


Before using the Recovery Console, try booting in VGA mode, and then in Safe mode, and then in Last Known Good mode, in that order, using the F8 boot options menu discussed earlier in the chapter. If Windows starts with one of these selections, you can probably disable the problematic device or update its driver using the GUI Device Manager.

If this doesn't help, use the Recovery Console listsvc command to get a listing of all installed device drivers and services. The listing starts like this:

  drivername       startupmode   descriptive name
  6to4             Auto          IPv6 Helper Service
  Abiosdsk         Disabled
  abp480n5         Disabled
  ACPI             Boot          Microsoft ACPI Driver
  ACPIEC           Disabled
  adpu160m         Disabled
  aec              Manual        Microsoft Kernel Acoustic Echo Canceller

Look for device drivers with the Boot or System startup mode. Use the disable command to disable one or two at a time, and write down the name and original startup mode of each driver you disable, so you can later re-enable them if you determine that they are not the ones causing the problem.
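The bookkeeping this procedure asks for (which drivers were disabled, and what their original modes were) is easy to get wrong by hand. The following is an added example, not from the book: a Python script that parses a saved copy of the listsvc listing in the format shown above, picks out the Boot and System start drivers one batch at a time, and produces the note to keep along with the matching disable commands and the enable commands that restore each original mode. The sample listing is constructed.

```python
"""Turn a saved listsvc listing into Recovery Console disable/enable commands.

Added example, not from the book. Parses the fixed-width listsvc format
(driver name, startup mode, optional description), selects the Boot and
System start drivers the text says to suspect, and produces the record of
original modes plus the disable and enable commands that go with it.
"""
import re

# Constructed sample in the shape of the listsvc output shown above.
SAMPLE_LISTSVC = """\
drivername       startupmode   descriptive name
6to4             Auto          IPv6 Helper Service
Abiosdsk         Disabled
ACPI             Boot          Microsoft ACPI Driver
atapi            Boot          IDE/ATAPI Port Driver
Mup              System        Mup
aec              Manual        Microsoft Kernel Acoustic Echo Canceller
"""

# listsvc startup-mode column value -> keyword accepted by the enable command.
# Disabled has no enable keyword; a driver already disabled is left alone.
ENABLE_KEYWORD = {
    "Boot": "SERVICE_BOOT_START",
    "System": "SERVICE_SYSTEM_START",
    "Auto": "SERVICE_AUTO_START",
    "Manual": "SERVICE_DEMAND_START",
}

# A name, one of the five startup modes, then an optional description.
LINE_RE = re.compile(r"^(\S+)\s+(Boot|System|Auto|Manual|Disabled)(?:\s+(.*))?$")


def parse_listsvc(text):
    """Return [(name, mode, description)]; the header and odd lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries.append((m.group(1), m.group(2), (m.group(3) or "").strip()))
    return entries


def candidates(entries, skip=0, limit=2, suspect=("Boot", "System")):
    """The next `limit` Boot/System drivers after skipping `skip` of them.

    The text recommends disabling one or two at a time, so callers walk the
    suspect list in batches instead of disabling everything at once.
    """
    suspects = [e for e in entries if e[1] in suspect]
    return suspects[skip:skip + limit]


def record(entries):
    """The note to write down: driver name and original startup mode."""
    return [f"{name}: {mode}" for name, mode, _ in entries]


def disable_commands(entries):
    """One disable command per driver, ready to type at the console prompt."""
    return [f"disable {name}" for name, _, _ in entries]


def enable_commands(entries):
    """Commands that put each driver back to its recorded original mode."""
    return [f"enable {name} {ENABLE_KEYWORD[mode]}"
            for name, mode, _ in entries if mode in ENABLE_KEYWORD]


if __name__ == "__main__":
    batch = candidates(parse_listsvc(SAMPLE_LISTSVC))
    print("\n".join(record(batch)))
    print("\n".join(disable_commands(batch)))
    print("\n".join(enable_commands(batch)))
```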

Disable Spyware, Adware, or Viruses

Most virus, spyware, and adware programs go to great lengths to prevent you from uninstalling them. Some of the measures include detecting your attempt to install antivirus or antispyware software and blocking the installation program, keeping executable files open and locked so that they cannot be deleted, monitoring the Registry so that startup entries can be immediately replaced if you delete them, renaming their own executable files to make them more difficult to find, and more.

Usually, if you boot your computer in Safe mode these programs do not start up, and you can then delete them manually, or install antispyware software to delete them.

If these programs continue to thwart you even in Safe mode, boot up the Recovery Console. Locate the executable files for these programs and delete them or rename them so that they will not be started. The commands to use are cd, to change directories, and ren, to rename the executable file. For example, if you found that a program named malware.exe was starting up with Windows, and that it was located in folder \windows\system32, you could use these commands to thwart it:

  cd \windows\system32
  rename malware.exe malware.bad
  quit

When Windows restarts, the commands used to run malware.exe will not find this file, so it will not start.

Replace a Missing boot.ini

If you inadvertently delete the boot.ini file from the root folder of your first hard drive, Windows will scan through your drives looking for the first Windows installation it can find. If this is not the right folder, Windows will not boot, and you will need to re-create boot.ini before you can start Windows. You can do this with the Recovery Console.

Because you have no boot.ini file, you will need to start the Recovery Console by booting from your Windows XP Setup CD, as described earlier. On Windows XP, you can type the command

 bootcfg /rebuild 

bootcfg will scan your hard drives for Windows installations. For each located installation, bootcfg will prompt:

  • Add installation to boot list? (Yes/No/All): Press Y to add the Windows folder as a startup selection, N to skip it, or A to add it and all other identified installations. If you press N, bootcfg will search for another installation.

  • Enter Load Identifier: Enter a name for this Windows installation. Whatever you type will appear as a selection in the boot menu. Something like Windows XP Professional on C Drive might be appropriate.

  • Enter OS Load Options: It's safest to simply press Enter and not enter any load options. You can, however, add any of the options listed earlier in the discussion of boot.ini. If you add more than one, put a space between each option. Some useful possibilities include the following:

    /fastdetect

    Speeds up detection of COM ports, helpful for normal home or office workstations, where you are not using the headless-server option.

    /noexecute=optin

    Sets Windows Data Execution Protection to monitor Windows plus explicitly listed applications.

    /SOS

    Makes ntldr print out the name of each device driver it loads, to help identify a failed driver.


After setting up all desired Windows installations, remove your Windows Setup CD and enter the quit command to restart your computer.

On Windows 2000, bootcfg is not available. You will have to use the map command to see a list of all disk drives in ARC format, using the command

 map arc 

Then construct a boot.ini file manually on another computer using the examples shown earlier in this chapter in the discussion of boot.ini, copy it to a floppy disk, and then copy it to the disabled computer using the Recovery Console. First, if the disabled computer has an existing boot.ini file, you can delete it with the commands

  c:
  cd \
  copy boot.ini boot.ini.bak
  attrib -r boot.ini
  del boot.ini

Then copy the new version from the floppy disk:

  copy a:boot.ini c:\
  attrib +s boot.ini
  attrib +h boot.ini
  attrib +r boot.ini
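Writing the boot.ini by hand on another computer is where ARC-path typos creep in, and a wrong boot.ini is only discovered at the next failed boot. The following is an added example, not from the book: a Python script that parses saved map arc output in the format shown in the command summary, keeps only the hard disk volumes, and writes the standard [boot loader]/[operating systems] file with the load options discussed above, rejecting any option it does not recognize. It goes beyond the single-installation case in the text by allowing several entries, with the first as the default; the map arc listing is constructed.

```python
"""Build a boot.ini from saved `map arc` output.

Added example, not from the book. Parses the `map arc` listing (drive letter,
file system, size, ARC path), keeps the hard disk volumes (floppy and CD-ROM
rows carry \\Device paths rather than ARC paths) and writes a complete
boot.ini with one entry per Windows installation.
"""
import re

# Constructed sample in the format `map arc` prints.
SAMPLE_MAP_ARC = """\
C: NTFS     7986MB   multi(0)disk(0)rdisk(0)partition(1)
D: FAT32    7993MB   multi(0)disk(0)rdisk(1)partition(1)
A:                   \\Device\\Floppy0
E:                   \\Device\\CdRom0
"""

ARC_RE = re.compile(
    r"^([A-Z]):\s+(\S+)\s+(\d+)MB\s+"
    r"(multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\(\d+\))$"
)

# Load options discussed in this chapter (compared case-insensitively).
# Anything else is rejected: boot.ini is read before Windows can report a typo.
KNOWN_OPTIONS = {"/fastdetect", "/noexecute=optin", "/sos"}


def parse_map_arc(text):
    """Return {letter: (filesystem, size_mb, arc_path)} for hard disk volumes only."""
    volumes = {}
    for line in text.splitlines():
        m = ARC_RE.match(line.strip())
        if m:
            volumes[m.group(1)] = (m.group(2), int(m.group(3)), m.group(4))
    return volumes


def check_options(options):
    """Join the options with single spaces, refusing any that are not known."""
    bad = [o for o in options if o.lower() not in KNOWN_OPTIONS]
    if bad:
        raise ValueError(f"unknown boot.ini load option(s): {bad}")
    return " ".join(options)


def build_boot_ini(volumes, installations, timeout=30):
    """installations: [(drive_letter, windows_folder, load_identifier, options)].

    The first installation becomes the default= entry. A drive letter that is
    not a hard disk volume in the map arc output is an error.
    """
    if not installations:
        raise ValueError("at least one installation is required")
    entries = []
    for drive, folder, identifier, options in installations:
        if drive not in volumes:
            raise KeyError(f"{drive}: is not a hard disk volume in the map arc output")
        arc_path = volumes[drive][2] + "\\" + folder.strip("\\")
        entry = f'{arc_path}="{identifier}"'
        opts = check_options(options)
        if opts:
            entry += " " + opts
        entries.append((arc_path, entry))
    lines = ["[boot loader]", f"timeout={timeout}", f"default={entries[0][0]}",
             "[operating systems]"] + [text for _, text in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    vols = parse_map_arc(SAMPLE_MAP_ARC)
    print(build_boot_ini(vols, [("C", "WINDOWS", "Windows XP Professional on C Drive",
                                 ["/fastdetect", "/noexecute=optin"])]))
```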

Back Up boot.ini

If you are going to use Recovery Console to modify your boot.ini file, you should first make a backup copy by typing these commands:

  c:
  cd \
  copy boot.ini boot.ini.bak

Then, if you have to revert to the original version, use these commands:

  c:
  cd \
  copy boot.ini.bak boot.ini
  Overwrite boot.ini (Yes/No/All): y
  attrib +s boot.ini
  attrib +h boot.ini
  attrib +r boot.ini

Recovery Console Command Summary

This section lists the Recovery Console commands. Each entry includes a syntax description. In the syntax description, several characters are used to indicate optional parts of the command line and are not meant to be typed literally:

[]

Brackets surround optional arguments

|

A vertical bar separates alternate choices

italics

Indicate placeholder names that are to be replaced with actual names appropriate for your system

boldface

Indicates text to be typed literally


attrib Change Attributes on a File or Directory

Syntax: attrib +r | -r | +s | -s | +h | -h | +c | -c filename

The attrib command is used to set or clear file attributes. The +x arguments set attributes, and the -x arguments clear them, where x can be any of the following letters:

r

read only

s

system

h

hidden

c

compressed


You can only specify one +x or -x argument. If you have to change several attributes, you have to issue separate commands for each. Typing the attrib command without a +x or -x argument doesn't display the file's current attributes as you might expect, but results in an error message. To view a file's attributes, use the dir command.

batch Execute Commands from a Text File

Syntax: batch inputfile [ outputfile ]

The batch command instructs the Recovery Console to read the specified file named inputfile and interpret its contents as Recovery Console commands. Because there is no edit command in the Recovery Console, to be useful, you must have prepared a batch input file in advance, or placed it on a floppy disk. The output of the commands will be written to the screen unless the optional outputfile argument is specified. This command is not available in the Windows 2000 Recovery Console.

bootcfg Modify boot.ini Startup and Recovery Options

Syntax:

bootcfg /add
bootcfg /rebuild
bootcfg /scan
bootcfg /list
bootcfg /disableredirect
bootcfg /redirect [ port baudrate ] [ usebiossettings ]


bootcfg modifies file boot.ini on the boot drive, which contains the list of operating system choices. It's especially helpful with the /rebuild option to replace your boot.ini file if it was inadvertently deleted. This command is not available in the Windows 2000 Recovery Console.

There are six different versions of the command:

/add

Scans all hard disks for Windows installations and prompts for one to be added to boot.ini . Prompts for a Load Identifier (name to display on the boot menu) and OS Load Options, which are arguments like /SOS as described earlier in this chapter; can be left blank.

/rebuild

Scans all hard disks for Windows installations, and prompts for those to be added to boot.ini . The selected installations are added to any already in boot.ini , so this option is best used only to replace a missing boot.ini . Also, see the discussion on backing up boot.ini earlier in this section.

/scan

Displays a list of Windows installations found on your hard disks; does not modify boot.ini .

/list

Lists the boot entries already in your boot.ini file.

/default

Prompts for a boot.ini boot choice to be set as the default boot choice.

/redirect

The /redirect and /disableredirect options apply only to Windows 2003 Server, and are used to manage boot monitoring over a serial port for "headless" servers with no display adapter.


cd and chdir Display or Change Current Directory

Syntax: cd [[ drive : ] path ]

The cd command changes the default directory on the current or specified drive. The path may be specified as an absolute path (starting with \) or a relative path. The name .. stands for the parent directory.

(To change the default drive, enter a command line consisting of just a drive letter followed by a colon, as in d:.)

Without any arguments, cd displays the current drive and directory. With a drive letter but no path, cd displays the default directory for the specified drive.

Use quotation marks around any path name containing spaces. For example, cd "\windows\profiles\username\programs\start menu" .

By default, cd operates only on the restricted set of folders listed earlier in this chapter. To permit access to other folders, the set command must have been enabled, and you must have used the set command to enable the AllowAllPaths option.

chkdsk Check Disk Format for Errors

Syntax: chkdsk [ drive : ] [ /P | /R ]

The chkdsk command checks the boot drive or the specified drive for errors and prints a report of unlinked sectors and so on. By default, chkdsk will not run unless a drive is marked as "dirty"; that is, if Windows was shut down without properly dismounting the drive. The /P option forces chkdsk to check the drive even if it was correctly dismounted. The /R option makes chkdsk read every sector on the disk and check for errors; this can take quite a long time. The /R option implies /P.

cls Clear the Screen

Syntax: cls

Clears the screen.

copy Copy a File

Syntax: copy sourcefile [ destinationfile ]

The copy command copies a file. The file to be copied, the sourcefile, can be specified using a path and filename, or just a filename, in which case it is located in the current directory.

The destination file can be specified as a full path, a folder name, a filename, or it can be omitted, in which case the file is copied to the current directory using its original name.

The copy command has some restrictions unless you have used the set command to remove them. The default restrictions are as follows:

  • The source and destination folders must be in the limited list (Windows folder and subfolders, root folders, cmdcons folder, removable media) unless the AllowAllPaths option is enabled.

  • The destination cannot be on removable media, unless the AllowRemovableMedia option has been enabled.

  • The filename must be fully spelled out, unless the AllowWildcards option has been set.

  • If the destination file exists, you will be asked if you want to overwrite it, unless the NoCopyPrompt option is enabled.

Compressed files on the Windows installation CD usually have an underscore as the last character of their filename extension, for example, .EX_ or .DL_ . When copying a compressed file to the hard disk to replace a corrupted file, the recovery console will automatically decompress it as it is copied, but you must specify the desired extension in the destination filename, for example, .EXE or .DLL .

del and delete Delete a File

Syntax: del [ drive : ][ path ] filename

The del or delete command is used to delete a file. You can specify the filename with or without a path. If the path is omitted, the file is deleted from the current directory.

The filename must be fully spelled out, unless the AllowWildcards option has been set. See the set command for more details.

Caution

There is no undelete option and no Recycle Bin available in the Recovery Console; if you delete a file, it's gone forever. If you want to disable a bad driver or suspected virus program, it might be safer to use the disable command, or rename the file to something like badprogram.exe.xxx, before taking the more drastic step of deleting it.


dir List Files and Subdirectories

Syntax: dir [ drive : ][ path ][ filename ]

The dir command lists all files, including hidden and system files, in the current or specified directory. The listing has five columns, which list the file's modification date, modification time, attributes, size in bytes, and name.

The attributes column uses the following letters:

d

directory

a

archive (changed since backup)

r

read-only

h

hidden

s

system file

c

compressed

e

encrypted

p

reparse point


You can specify wildcards in the filename specification for the dir command. If the list fills the screen, the Recovery Console automatically pauses the listing. Press the spacebar to display the next page or Esc to cancel the listing.

disable Disable a Service or Device Driver

Syntax: disable servicename

The disable command disables a device driver or service by setting its startup mode to SERVICE_DISABLED. Disable prints the driver or service's previous startup mode before changing it. You should make a note of the old mode, in case you need to enable the driver or service again.

The listsvc command lists the names of all installed drivers and services. Use listsvc to find the correct spelling of the driver or service's name and type it on the disable command line.

diskpart Manage Hard Disk Partitions

Syntax: diskpart [ /add | /delete ] [ device | drive | partition ] [ size ]

diskpart adds partitions to or deletes partitions from a hard disk. You can add or delete partitions based on the disk's device name, drive letter, or partition name (the map command can be used to list device names).

However, unless you need to use diskpart in a Recovery Console batch file, the easiest way to manage partitions in Recovery Console is to type diskpart with no arguments. This displays the interactive partition editor used during Windows Setup, as shown in Figure 12.5.

Figure 12.5. The diskpart command with no arguments displays a simple partition editor.

Caution

Do not use the diskpart command to manage a disk that you have upgraded from a basic disk to a dynamic disk. diskpart could destroy your partition table and make your data inaccessible. To manage the partitions on a dynamic disk, boot Windows and use the Disk Manager.


enable Enable a Service or Device Driver

Syntax: enable servicename [ mode ]

The enable command changes the boot mode of a specified device driver or service. Service and device driver names can be listed using the listsvc command.

With no mode specified, enable displays the service or driver's current startup mode. The mode can be changed by specifying one of the following keywords: SERVICE_BOOT_START, SERVICE_SYSTEM_START, SERVICE_AUTO_START (corresponds to Automatic in the Services Management console), or SERVICE_DEMAND_START (corresponds to Manual).

Be very careful when changing driver or service boot modes. Disable services and drivers with the disable command, and record the original setting in case you must enable it again.

exit Quit the Recovery Console and Reboot

Syntax: exit

The exit command closes the Recovery Console and restarts the computer.

expand Expand or List a Compressed .CAB File

Syntax:

expand sourcefile [ /F: filename ] [ destination ] [ /Y ]
expand sourcefile [ /F: filename ] /D


The expand command is used to extract files from .CAB files (Microsoft's version of the .ZIP file, used mainly on installation disks and in the \windows\system32 folder to hold large numbers of installable device drivers).

The sourcefile argument specifies a .CAB file. The command operates on all files in the .CAB file unless the /F option is used to name a specific file. Wildcards can be used in the /F filename specification.

With the /D option, the command lists the files in the .CAB file (or only the file(s) selected with /F).

Without /D , the command expands the .CAB file(s) and copies them to the destination folder or file specified in the destination argument. If the destination argument is omitted, the file(s) are copied to the current directory.

If the destination file(s) already exist, expand asks you if it should overwrite them. You can respond with the letter N for no, Y for yes, or A to overwrite all files. Alternatively, you can add /Y to the command line, in which case expand will be allowed to overwrite existing files without asking.

The destination path must be in the Windows folder or a root folder unless the AllowAllPaths option has been enabled with the set command. The destination path cannot be on removable media unless the AllowRemovableMedia option has been enabled.

The destination file cannot be read-only. Use the attrib command to remove the read-only attribute before using expand to overwrite a read-only file.

fixboot Rewrite the Boot Sector of the Boot Drive

Syntax: fixboot [ drive : ]

The fixboot command writes the Windows boot loader into the first sector of the boot (active) partition, as specified by its drive letter. This is the program that locates and starts ntldr.exe. You can use fixboot if the boot loader gets overwritten by another operating system's installation procedure. If you don't specify a drive letter, the current boot drive is used.

Caution

Damage to your boot sector could have been caused by a virus or hardware problem. Microsoft recommends running an antivirus check before using the fixboot command.


fixmbr Rewrite the Master Boot Record of the Boot Drive

Syntax: fixmbr [ devicename ]

The fixmbr command replaces the boot loader contained in the boot partition's first block, called the Master Boot Record. The boot loader precedes the partition table, which is also stored in the Master Boot Record.

The boot drive can be specified using one of the device names displayed by the map command. If omitted, the current boot drive is used.

If fixmbr detects an invalid or non-standard partition table signature, it will prompt you before rewriting the master boot record (MBR).

Caution

Damage to your Master Boot Record could have been caused by a virus or hardware problem. Microsoft recommends running an antivirus check before using the fixmbr command.


format Format a Disk Volume

Syntax: format [ drive : ] [ /Q ] [ /FS: filesystem ]

The Recovery Console's format command can format hard disk volumes (partitions) but not removable media. You should specify the partition's drive letter and the desired /FS value explicitly. The filesystem value can be FAT (for FAT-16), FAT32 , or NTFS . The /Q option specifies a quick format, which creates an empty file system but does not test every block. It can be used to speed the format process but should be used only on a drive that is known not to have any defects.

Caution

Do not use the format command on a volume on a disk that you have upgraded from a basic disk to a dynamic disk. To manage the partitions on a dynamic disk, boot Windows and use the Disk Manager.


help Print Help Information

Syntax: help [ command ]

help by itself lists all of the Recovery Console commands (except set!). To print the syntax and description of a specific command, type help followed by the command name.

listsvc List All Device Drivers and Services

Syntax: listsvc

The listsvc command lists all available services and device drivers. The listing will pause when it fills the screen. Press the spacebar to display the next screen or Esc to cancel the listing. You can use the names listed in the left-hand column with the enable and disable commands.

logon Select a Windows Installation

Syntax: logon

The logon command lets you select a different Windows installation to administer. As when the Recovery Console starts, logon lists the detected installations and lets you select one by entering a number. You will be prompted for the Administrator password, if one is set, unless Security Policy for the installation does not require the Administrator password. See the instructions for installing Recovery Console on the hard disk for a mention of this policy setting.

map Display Disk Devices and Drive Letter Mappings

Syntax: map [ arc ]

map lists the drive letter to physical device mappings that are currently active. This is typical output from map:

  C: NTFS     7986MB   \Device\Harddisk0\Partition1
  D: FAT32    7993MB   \Device\Harddisk1\Partition1
  A:                   \Device\Floppy0
  E:                   \Device\CdRom0

The optional parameter arc tells map to display ARC paths instead of Windows device paths. The output from map arc shows the drive names as they are specified in boot.ini, as in this example:

  C: NTFS     7986MB   multi(0)disk(0)rdisk(0)partition(1)
  D: FAT32    7993MB   multi(0)disk(0)rdisk(1)partition(1)
  A:                   \Device\Floppy0
  E:                   \Device\CdRom0

md and mkdir Create a Directory

Syntax: mkdir [ drive : ] path

The mkdir command creates a new folder. By default, mkdir can create folders only within the Windows folder or its subfolders, the root directory of any hard disk partition, or removable media. You can remove this restriction by enabling the AllowAllPaths option with the set command.

more and type Display a Text File on the Screen

Syntax:

more filename

 

type filename


The more and type commands are equivalent in the Recovery Console. Both display a text file on the screen. If the listing fills the screen, the display pauses. Press the spacebar to display the next screen, or Esc to cancel the listing.

net Torment Users with False Hopes

The Windows XP Recovery Console's net use command is described in the help listing and in numerous Microsoft support documents, and like its regular Command Prompt counterpart it is supposed to be able to let you access a network shared folder. However, it doesn't work: no network adapter or protocol drivers are loaded with the Recovery Console.

rd and rmdir Delete a Directory

Syntax: rmdir [ drive : ] path

rmdir deletes the specified folder. The folder must be empty. It works only on folders in the system directories of the current Windows installation, the root directory of hard disks, and removable media, unless you have used the set command to enable the AllowAllPaths option.

ren and rename Rename a File

Syntax: rename [ drive : ][ path ] filename newname

You cannot specify a drive or folder path as part of the destination filename.

rename works only on files in the system directories of the current Windows installation, the root directory of hard disks, and removable media, unless you have used the set command to enable the AllowAllPaths option.

set Enable or Disable a Recovery Console Option

Syntax:

set AllowWildCards = true | false
set AllowAllPaths = true | false
set AllowRemovableMedia = true | false
set NoCopyPrompt = true | false


The set command is only available if you edited Local Security Policy or Group Policy for the selected Windows installation prior to booting the Recovery Console, and enabled Recovery Console: Allow floppy copy and access to all drives and all folders , as described earlier in the section "Installing Recovery Console on your Hard Disk."

When enabled, the set command can be used to relax Recovery Console's access restrictions. The default setting for each of the four options is false. To gain increased access you can set any or all of these values to true:

AllowWildCards

If set to true , you can specify wildcards (* and ?) in Recovery Console copy and delete commands.

AllowAllPaths

If set to true , you can access all folders on all drives, rather than just the root and Windows folders.

AllowRemovableMedia

If set to true , you can copy files from the hard drives to floppy disks and other removable media.

NoCopyPrompt

If set to true , Recovery Console will not prompt before overwriting an existing file.


You must separate the words and the equal sign with spaces; otherwise, Windows will print "The parameter is not valid," which is a fairly unhelpful remark. A correctly entered command looks like this:

 set allowallpaths = true 

Caution

These options compromise Windows security, so you should be sure you want to make this possible before you enable access to the set command by editing the Registry. You should not enable the set command and allow Recovery Console to open Windows without the Administrator password; otherwise, anyone with physical access to your computer will be able to access any file without knowing any passwords.


systemroot Change to the Windows Folder

Syntax: systemroot

Sets the current directory to the Windows folder of the currently selected Windows installation, for example, C:\windows . This is handy if you've changed to another directory and want to get back to the original drive and folder.

Automated System Recovery

If you have exhausted all of the options discussed in the previous sections, there is one final, last-resort tool, a "Break Glass in Case of Emergency" option you can use to attempt to access a Windows installation that won't start up. Windows XP Professional offers a feature in its Backup tool (NTBACKUP.EXE) that can be used to create Windows startup emergency disks that can be used when all other methods have failed. This feature of Windows Backup is known as the Automated System Recovery (ASR) tool. Microsoft created the ASR tool to replace the Emergency Repair Disk that was a part of Windows NT and Windows 2000, although Microsoft also recommends that the ASR tool should only be used if there are no other disaster recovery options available to you.

The Automated System Recovery tool is accessed as a wizard within Windows Backup. From the Start menu, go to All Programs, Accessories, System Tools, and then click Backup. Once the Backup program launches, click Advanced Mode, and then click the Automated System Recovery Wizard. The wizard prompts you to provide a floppy disk and removable media, which it uses to create an ASR floppy and ASR backup media set. The ASR media set can consist of backup tapes, recordable CDs or DVDs, or other IDE or SCSI hard disks. You cannot restore an ASR backup set from a network share.

To restore a system by using an ASR backup set, boot your computer from the Windows XP installation CD. You will be presented with an option to select the ASR tool by pressing the F2 key on your keyboard. The tool will ask you to insert the ASR floppy disk, and then prompt you for the backup media set. The tool will then request that you select a destination directory for the restore. You should choose the same directory name you used when you created the ASR backup set; in most instances, this will be C:\Windows . The ASR tool will then proceed to restore the data on the backup set.

Because the ASR tool only backs up and restores the files that are necessary to restore the system state of a Windows installation, it is not a true disaster recovery strategy. It is also important to note that while using the ASR tool may repair a Windows installation to the point that you can start Windows, it can actually overwrite or destroy your personal files on the hard disk during the restore process. It is for that reason that the ASR tool is the last option you should consider when trying to recover a system on which Windows won't start.




Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
Year: 2005
Pages: 128