Windows NT Startup and Recovery
Introduction to startup and recovery

Key Topics
- Windows NT Startup Process Step 1
- Windows NT Startup Process Step 2
- Windows NT Startup Process Step 3
- Loading VGA Mode
- Startup Process Kernel Loaded
- Startup Process Windows NT Initialization
- Startup Process User Login
- Windows NT Initial Boot Files
- Important Files
- Windows NT Memory Dump
- Dr Watson
- Windows NT Diagnostic Tool
- Introduction to the Event Viewer
- Enabling the Security Log
- Event Viewer Logs
- Event Viewer Events
- Event Viewer Log Files
- Security Log Events
- Creating The Setup Boot Disks
- Introduction to the Emergency Repair Disk (ERD)
- What Is The Best ERD
- When To Create An ERD
- Generating The ERD
- Updating the ERD
- Creating an ERD
- CONFIG.NT And AUTOEXEC.NT Files
- Using The ERD To Recover Windows NT
- Questions
Windows NT Startup and Recovery
- Windows NT provides administrators with a number of monitoring and recovery tools, including Last Known Good, Dr Watson, Event Viewer and the ERD.
- The Windows NT startup process gives you the ability to load Windows NT normally, load Windows NT in VGA mode, load the previous operating system, and finally recover your system.
- Windows NT Memory Dump
- Dr Watson
- Windows NT Diagnostic Tool
- Event Viewer
- Creating The Startup Disks
- The Emergency Repair Disk
Windows NT Startup Process Step 1
- After the system Power On Self Test (POST), the Master Boot Record (MBR) is loaded, which in turn loads the boot files.
- The Windows NT loader, NTLDR, is loaded and obtains information on the system hardware and the required drivers.

Windows NT Startup Process Step 2
- If Windows NT is selected, NTDETECT.COM is loaded; it performs the hardware scan and sets up certain hardware for Windows NT.
- If Windows NT is not selected, BOOTSECT.DOS is loaded, which starts the second operating system.

Windows NT Startup Process Step 3
- Since Windows NT is selected, NTLDR now loads NTOSKRNL.EXE from the C:\WINNT\System32 directory and passes control to the kernel.
- The Hardware Abstraction Layer (HAL) component of the registry is now also examined and loaded for the required hardware.
- The HAL covers the core hardware within a system, which includes the processor, chipset, system board, etc.
Startup Process Kernel Loaded
- Now the Windows NT kernel starts to load the GUI environment, completing the boot process.

Startup Process Windows NT Initialization
- This phase of the startup process also:
- Loads the registry
- Loads the system services and processes
- Activates all the hardware devices defined, by loading the required drivers
- Finally brings up Windows Explorer
Startup Process User Login
- To complete the startup process the user must log in to the system successfully. A successful login triggers the creation of the registry backup used by the Last Known Good Configuration option of Windows NT.
- The Last Known Good Configuration is required for system recovery in case something catastrophic happens to the operating system.
Windows NT Initial Boot Files
- Windows NT has a total of five files located in the root directory that are designed to initiate the boot process.
- These files are NTLDR, BOOT.INI, NTDETECT.COM, NTBOOTDD.SYS, and BOOTSECT.DOS.
- The NTBOOTDD.SYS file is required on Windows NT systems that contain SCSI hard drive drivers. This file provides a route for NTLDR to access the rest of the operating system files stored on the SCSI drives.
- BOOTSECT.DOS is only required on dual-boot systems, when booting into DOS.
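BOOT.INI ties the boot files above together: NTLDR reads it, shows the menu, and from the chosen entry decides whether to run NTDETECT.COM (and NTBOOTDD.SYS for a scsi() ARC path) or hand off through BOOTSECT.DOS. The following Python is an added example, not code from the original notes: it parses a constructed BOOT.INI for a dual-boot machine and lists what NTLDR loads per entry. The switches (/basevideo, /sos), the signature() ARC form and the loader rules it applies are standard Windows NT 4 behaviour; the sample file contents and the process of modelling are this example's own assumptions.

```python
"""Parse a Windows NT BOOT.INI and work out what NTLDR loads for each entry.

Added example for this page, not code from the original notes. The BOOT.INI
text is constructed; the rules applied (scsi() ARC paths need NTBOOTDD.SYS,
a drive-letter entry such as C:\ is chain-loaded through BOOTSECT.DOS) are
standard Windows NT 4 loader behaviour.
"""
from dataclasses import dataclass

# Constructed sample BOOT.INI for a dual-boot Windows NT 4 / MS-DOS machine.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation Version 4.00"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Workstation Version 4.00 [VGA mode]" /basevideo /sos
scsi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows NT on SCSI disk (BIOS disabled)"
C:\="MS-DOS"
"""


@dataclass
class BootEntry:
    arc_path: str      # left of '=', e.g. multi(0)disk(0)rdisk(0)partition(1)\WINNT or C:\
    label: str         # quoted menu text NTLDR displays
    switches: tuple    # trailing /switches, e.g. ('/basevideo', '/sos')

    @property
    def is_nt(self) -> bool:
        # NT installations are addressed by ARC path; anything else is another OS.
        return self.arc_path.lower().startswith(("multi(", "scsi(", "signature("))

    @property
    def vga_mode(self) -> bool:
        # /basevideo forces the standard VGA driver ("Loading VGA Mode" menu entry).
        return "/basevideo" in (s.lower() for s in self.switches)

    def files_loaded_by_ntldr(self) -> list:
        """Files NTLDR loads for this menu choice, in order."""
        if not self.is_nt:
            return ["BOOTSECT.DOS"]            # saved boot sector of the previous OS
        files = []
        if self.arc_path.lower().startswith("scsi("):
            files.append("NTBOOTDD.SYS")       # SCSI driver copy used when BIOS INT 13h is unavailable
        files.append("NTDETECT.COM")           # hardware detection
        files.append(self.arc_path.split("\\", 1)[1] + r"\System32\NTOSKRNL.EXE")
        return files


def parse_boot_ini(text: str) -> dict:
    """Return {'timeout': int, 'default': str, 'entries': [BootEntry, ...]}.

    Hand-rolled rather than configparser because [operating systems] legitimately
    repeats the same ARC path (normal and VGA-mode entries), which configparser rejects.
    """
    cfg = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                cfg["timeout"] = int(value)
            elif key.lower() == "default":
                cfg["default"] = value
        elif section == "operating systems":
            # value looks like: "Menu label" /switch1 /switch2
            label, _, rest = value.partition('"')[2].partition('"')
            switches = tuple(tok for tok in rest.split() if tok.startswith("/"))
            cfg["entries"].append(BootEntry(key, label, switches))
    return cfg


def default_entry(cfg: dict):
    """The entry booted when the timeout expires: first menu line matching 'default'."""
    for entry in cfg["entries"]:
        if entry.arc_path.lower() == (cfg["default"] or "").lower():
            return entry
    return cfg["entries"][0] if cfg["entries"] else None


def boot_menu(cfg: dict) -> list:
    """Menu lines as shown at boot, with the default marked by '*'."""
    chosen = default_entry(cfg)
    return [("* " if e is chosen else "  ") + e.label for e in cfg["entries"]]


if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    print("\n".join(boot_menu(cfg)))
    for e in cfg["entries"]:
        print(f"{e.label!r}: {' -> '.join(e.files_loaded_by_ntldr())}")
```

Running it prints the four-line menu with the default starred, then the loader chain per entry; the SCSI entry is the only one that pulls in NTBOOTDD.SYS and the MS-DOS entry the only one that goes through BOOTSECT.DOS.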
- On every normal system startup Windows NT stores a backup copy of the registry, which contains the working hardware configuration; this backup is called the Last Known Good Configuration.
- If the system completes the startup process and the user logs in to the environment, the previous backup registry is automatically overwritten.
- The key within the registry which contains the Last Known Good Configuration is HKEY_LOCAL_MACHINE\HARDWARE.
Windows NT Memory Dump
- When a Windows NT stop error occurs during startup you see the famous blue screen of death; a memory dump file can be generated if the "create crash dump file" option was checked beforehand.
- The generated dump file is called MEMORY.DMP. It contains coded binary error information to be investigated with the system debugger, and is stored in the Windows folder.
- Programmers and specialised personnel can use either of the two utilities, Dumpchk.exe or Dumpexam.exe, to examine the memory dump file MEMORY.DMP in a diagnostic investigation.
Dr Watson
- The Dr Watson utility is a tool that Windows activates automatically on application errors. Dr Watson generates a dump file with coded errors for further investigation.
- The log file generated is called Drwtsn32.log and is stored inside the Documents and Settings\All Users\Documents\DrWatson folder.
- The properties of Dr Watson can be changed from the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\DrWatson.
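Reading Drwtsn32.log by hand gets tedious once a machine has faulted a few times, and a process that keeps dying with the same access violation is something a defender wants surfaced rather than buried. The script below is an added example, not code from the original notes or from Microsoft: it extracts each "Application exception occurred" block (App, pid, When, Exception number) and flags repeated access violations per process. The log text is constructed in the shape of those header lines, the process names are made up, and the exception codes are standard NTSTATUS values.

```python
"""Triage a Dr Watson log: pull each application exception out of Drwtsn32.log
and flag processes that keep faulting the same way.

Added example for this page, not code from the original notes. The log text is
constructed in the shape of Dr Watson's "Application exception occurred" header
(App / When / Exception number lines); process names are made up; the exception
codes are standard NTSTATUS values.
"""
import re
from collections import Counter

STATUS_ACCESS_VIOLATION = 0xC0000005
STATUS_NAMES = {
    0x80000003: "breakpoint",
    0xC0000005: "access violation",
    0xC000008C: "array bounds exceeded",
    0xC0000094: "integer divide by zero",
    0xC00000FD: "stack overflow",
}

# Constructed sample in Drwtsn32.log form: three crashes, two from the same service.
SAMPLE_DRWTSN32_LOG = """\
Application exception occurred:
        App: srvapp.exe (pid=154)
        When: 3/2/1999 @ 10:15:33.203
        Exception number: c0000005 (access violation)

Application exception occurred:
        App: srvapp.exe (pid=211)
        When: 3/2/1999 @ 10:16:02.890
        Exception number: c0000005 (access violation)

Application exception occurred:
        App: calc.exe (pid=302)
        When: 3/2/1999 @ 11:40:10.015
        Exception number: c0000094 (integer divide by zero)
"""

# One match per exception block; the App field may be empty on NT 4, hence \S*.
ENTRY_RE = re.compile(
    r"Application exception occurred:\s*"
    r"App:\s*(?P<app>\S*)\s*\(pid=(?P<pid>\d+)\)\s*"
    r"When:\s*(?P<when>[^\n]+?)\s*"
    r"Exception number:\s*(?P<code>[0-9a-fA-F]{8})"
)


def parse_drwatson_log(text: str) -> list:
    """Return one dict per 'Application exception occurred' block."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        code = int(m["code"], 16)
        entries.append({
            "app": m["app"] or "<unknown>",
            "pid": int(m["pid"]),
            "when": m["when"],
            "code": code,
            "name": STATUS_NAMES.get(code, "unknown"),
        })
    return entries


def summarize(entries: list, threshold: int = 2):
    """Count crashes per (app, exception code) and list apps whose access
    violations reached the threshold; those are the ones to open the matching
    crash dump for, since a repeatable fault in a service is a stability and
    security concern, not just noise."""
    counts = Counter((e["app"], e["code"]) for e in entries)
    repeated = sorted(app for (app, code), n in counts.items()
                      if code == STATUS_ACCESS_VIOLATION and n >= threshold)
    return counts, repeated


if __name__ == "__main__":
    found = parse_drwatson_log(SAMPLE_DRWTSN32_LOG)
    for e in found:
        print(f"{e['when']}  {e['app']:<12} pid={e['pid']:<5} {e['code']:08x} {e['name']}")
    _, flagged = summarize(found)
    print("repeated access violations:", ", ".join(flagged) or "none")
```

On the constructed sample the summary flags srvapp.exe (two access violations within a minute) and leaves calc.exe alone; on a real Drwtsn32.log point `parse_drwatson_log` at the file's contents and keep the same threshold logic.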
Windows NT Diagnostic Tool
- The Windows NT diagnostic tool, WinMSD, allows the user to inspect the different components of Windows NT and is equivalent to System Information on Windows 98.
- The WinMSD program can view system information on the computer including system version, display, drives, memory, services, resources, environment, and network.
- The WinMSD program can be accessed from the Administrative Tools.
Event Viewer Logs
- System log: Records general and coded information about the success or failure of system component loading during Windows NT boot-up and routine activity.
- Application log: Records general and coded information about the success or failure of application component loading during application startup.
- Security log: Needs to be activated in order to monitor login activity and to audit particular user activity on files and folders.

Event Viewer Events
- Event Viewer generally produces three types of responses: Information, Warning, and Error.
- Information: The successful completion of an operation, e.g. loading drivers, starting and stopping processes.
- Warning: This event is not harmful yet but may become an error if ignored, e.g. not obtaining an IP address from DHCP, or limited disk space.
- Error: Failed services and applications, and data loss events, all cause an error event.

Event Viewer Log Files
- The log files can be saved for future reference if required. All the log files have size limitations, which are configurable for each log, ranging from 64KB to 4GB with a default size of 512KB.
- When the log files reach their size limit you can either overwrite the events as needed, overwrite the events older than a certain number of days, or clear the logs manually.
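The size limit and the three wrap-around policies above decide whether the Security log still holds the evidence you need after an incident: "overwrite as needed" silently drops the oldest audit records, and "older than N days" or "clear manually" stop logging once the log is full. The Python below is an added example, not code from the original notes or from Microsoft. It reads the two REG_DWORD values Event Viewer's Log Settings dialog stores per log (MaxSize in bytes and Retention in seconds, under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>) from a constructed dict instead of the live registry, reports the settings a defender would question, and simulates the three policies on a small log. Modelling the byte limit as an event count is this example's simplification.

```python
"""Model Windows NT event log size and retention settings and check them.

Added example for this page, not code from the original notes. The registry
values (MaxSize, Retention; both REG_DWORD under
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<log>) come from a constructed
dict so the script runs anywhere. The event-count capacity in append_event()
stands in for the byte limit; it only serves to show the three policies.
"""
KB = 1024
DAY = 86400
MIN_SIZE = 64 * KB                 # smallest allowed log; sizes are 64KB multiples
MAX_SIZE = 4 * 1024 * 1024 * KB    # 4GB
DEFAULT_SIZE = 512 * KB

# Retention as stored in the registry (seconds), matching the dialog's three choices.
OVERWRITE_AS_NEEDED = 0            # "Overwrite events as needed"
NEVER_OVERWRITE = 0xFFFFFFFF       # "Do not overwrite events (clear log manually)"

# Constructed sample of what the three logs' keys might hold on one machine.
SAMPLE_EVENTLOG_KEYS = {
    "Application": {"MaxSize": DEFAULT_SIZE, "Retention": 7 * DAY},
    "System":      {"MaxSize": DEFAULT_SIZE, "Retention": 7 * DAY},
    "Security":    {"MaxSize": 100 * KB,     "Retention": OVERWRITE_AS_NEEDED},
}


def describe_retention(retention: int) -> str:
    """Render a Retention value the way the Log Settings dialog words it."""
    if retention == OVERWRITE_AS_NEEDED:
        return "overwrite events as needed"
    if retention == NEVER_OVERWRITE:
        return "do not overwrite events (clear log manually)"
    return f"overwrite events older than {retention // DAY} days"


def append_event(log: list, event: dict, retention: int, capacity: int) -> bool:
    """Write one event into `log` (oldest first) under the given policy.

    Returns True if the event was recorded, False if the log was full and the
    policy forbade discarding the oldest record, which is when NT stops
    logging until the log is cleared or the oldest records age past the limit.
    """
    if len(log) < capacity:
        log.append(event)
        return True
    if retention == NEVER_OVERWRITE:
        return False
    oldest_age = event["time"] - log[0]["time"]
    if retention == OVERWRITE_AS_NEEDED or oldest_age > retention:
        log.pop(0)
        log.append(event)
        return True
    return False


def check_log(name: str, values: dict) -> list:
    """Findings a defender would raise about one log's settings."""
    findings = []
    size, retention = values["MaxSize"], values["Retention"]
    if size % MIN_SIZE:
        findings.append(f"{name}: MaxSize {size} is not a 64KB multiple; NT rounds it")
    if not MIN_SIZE <= size <= MAX_SIZE:
        findings.append(f"{name}: MaxSize {size} is outside the 64KB..4GB range")
    if name == "Security" and retention == OVERWRITE_AS_NEEDED:
        findings.append("Security: overwrite-as-needed lets a burst of events push the oldest audit records out")
    if name == "Security" and size < DEFAULT_SIZE:
        findings.append(f"Security: MaxSize {size} is below the 512KB default; audit history will be short")
    return findings


def check_all(keys: dict) -> dict:
    """Map each log name to its list of findings (empty list means nothing to report)."""
    return {name: check_log(name, values) for name, values in keys.items()}


if __name__ == "__main__":
    for name, values in SAMPLE_EVENTLOG_KEYS.items():
        print(f"{name}: {values['MaxSize'] // KB}KB, {describe_retention(values['Retention'])}")
    for name, findings in check_all(SAMPLE_EVENTLOG_KEYS).items():
        for f in findings:
            print("  !", f)
```

With the constructed values the Application and System logs pass, while the Security log draws three findings: an odd size, a size below the default, and overwrite-as-needed on the one log whose records are hardest to reconstruct after the fact. The simulation in `append_event` shows why "older than N days" can also lose events: once the log is full and nothing is old enough to discard, new events are rejected until something ages out.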
Creating The Setup Boot Disks
- Windows NT is provided with three startup disks, which can be used during installation.
- These disks can be created from the installation CD-ROM by viewing the contents of the CD-ROM.
- Change directory into the I386 folder by typing cd I386.
- Type the command WINNT.EXE /OX in a DOS-based environment, or WINNT32.EXE /OX in a Windows NT environment.
- You must provide the location of the installation files, which is D:\I386.
- You are finally prompted to insert three disks, starting from disk 3 and ending with disk 1.
Introduction to the Emergency Repair Disk (ERD)
- If your Windows NT or Windows 2000 system runs into serious problems booting up, one method of recovering your system might be to use the ERD.
- The ERD contains minimal information that can be used to recover your system, including some registry information, some file location information, etc.
- The backup of the registry can be found in the %SYSTEMROOT%\Repair directory; it can also be used to recover your system.

What Is The Best ERD
- You should generate the ERD while your system is functioning correctly, so that when you recover the system using the ERD you get back the best working system.
- The ERD is not a substitute for making regular backups, because it only stores registry and system configuration information and not personal data.

When To Create An ERD
- It is advised that the ERD be generated after the installation, after any upgrades such as service packs, and finally after any major hardware configuration changes such as adding new devices.
Generating The ERD
- To generate or update an ERD you can use the RDISK.EXE file located in the system32 folder.
- This utility has two options:
- Update the repair information.
- Create a new repair disk.

Updating the ERD
- The repair information the ERD backs up consists of:
- The system hive
- The software hive
- The security hive
- The default hive
- The system SAM
- CONFIG.NT and AUTOEXEC.NT
Exercise (Creating an emergency repair disk (ERD) in Windows NT)
- Click Start -> Run, then type command and press Enter.
- In the command prompt window type the command CD C:\WINNT\SYSTEM32.
- Make sure you have a formatted floppy disk in the A: drive.
- After the change in directory, type the command RDISK /S and press Enter.
- Using the /S option ensures the SAM, the registry, and the system security information are updated before the creation of the ERD.
Exercise (Recovering Windows NT using the ERD)
- Use either the three Windows NT startup disks or the Windows NT installation CD at the boot process.
- On the second disk the system provides you with a repair option.
- Press R to select the repair option.
- The system will perform the following tasks, any of which can be deselected:
- a) Inspect the registry files, b) Inspect the startup environment, c) Verify Windows NT system files, and finally d) Inspect the boot sector; then press Enter.
CONFIG.NT And AUTOEXEC.NT Files
- The ERD contains only three files used to recover the system: AUTOEXEC.NT, CONFIG.NT and finally Setup.Log.
- The AUTOEXEC.NT file and the CONFIG.NT file can be used to bring up the DOS environment and are copied from the %SYSTEMROOT%\SYSTEM32\ directory, where the original files exist.

Using The ERD To Recover Windows NT
- To recover your system you must use the boot disks, starting from disk 1.
- The second disk prompts you with a menu where you can use the R option to repair the system.
- You will now be able to perform certain recovery tasks, including:
- Verify Windows NT system files, Inspect registry files
- Inspect startup environment, Inspect boot sector
- The system will replace the hives in the registry from the repair directory, replace the SAM, and finally replace all non-original files.
Questions
1. What are the features of the BOOT.INI file? (Choose all that apply)
- A. It is a text file
- B. It contains boot order information
- C. It contains the location of the Windows NT boot files
- D. It generates a boot menu
- E. It is a binary file
2. What are the names of the Windows NT boot files located in the root directory? (Choose all that apply)
- A. AUTOEXEC.BAT
- B. NTLDR
- C. CONFIG.SYS
- D. NTDETECT.COM
- E. COMMAND.COM
3. What are the names of the Windows NT boot files located in the root directory? (Choose all that apply)
- A. BOOTSECT.SYS
- B. NTLDR
- C. CONFIG.SYS
- D. NTBOOTDD.SYS
- E. COMMAND.COM
4. What are the features of the Last Known Good Configuration? (Choose all that apply)
- A. It contains a backup of the registry
- B. It contains a backup of the last 5 registries
- C. It is the configuration from the last time your system loaded without problems
- D. Its options can be edited in safe mode
- E. It is overwritten every time your system loads normally
5. What are the features of the memory dump file MEMORY.DMP? (Choose all that apply)
- A. Generated after the blue screen of death
- B. Generated as virtual memory
- C. Slow compared to normal RAM
- D. Contains information regarding system failure
- E. Can be examined using Dumpchk.exe
- F. Can be examined using Dumpexam.exe
6. What are the features of the Dr Watson utility? (Choose all that apply)
- A. Automatically activated by system errors
- B. Generates a coded dump file
- C. Can be run from the Control Panel
- D. Generates the Drwtsn32.log file
- E. Its options can be changed from the Dr Watson window
- F. Its options can be changed from the registry
7. What are the features of the Event Viewer? (Choose all that apply)
- A. Generates a log of system events
- B. Generates a log file of system crashes
- C. Generates a log of application events
- D. Generates a log of security events
- E. Allows the user to monitor and tweak running applications
8. What are the features of the Event Viewer? (Choose all that apply)
- A. Produces an information response
- B. Produces an event response
- C. Produces a data response
- D. Produces a warning response
- E. Produces an error response
9. What are the features of the Event Viewer? (Choose all that apply)
- A. The security log needs to be activated before logging begins
- B. The system log needs to be activated before logging begins
- C. Log files can reach a maximum size of 4MB
- D. Log files can reach a maximum size of 4GB
- E. The Event Viewer is automatically activated by Windows NT at startup
10. What are the features of an ERD? (Choose all that apply)
- A. Used to recover your Windows NT OS
- B. Repairs the user's personal files
- C. Must be generated when the system is functioning without problems
- D. Must be updated after any major hardware changes
- E. Can be generated by the installation CD
11. What are the features of an ERD? (Choose all that apply)
- A. Must be generated by the administrator
- B. Can be generated using the RDISK command
- C. Can be generated using the FDISK command
- D. Makes a backup of important system information in the %SYSTEMROOT%\Repair directory
- E. Must be updated after a service pack
12. What information does the ERD back up? (Choose all that apply)
- A. Dos hive
- B. System hive
- C. Files hive
- D. Software hive
- E. Default hive
13. What information does the ERD back up? (Choose all that apply)
- A. Folder hive
- B. Data hive
- C. Graphics hive
- D. Security hive
- E. System SAM
14. What is contained inside the ERD? (Choose all that apply)
- A. AUTOEXEC.NT
- B. CONFIG.NT
- C. COMMAND.NT
- D. NTLDR
- E. SETUP.LOG
Answers
1. A,B,C,D
2. B,D
3. A,B,D
4. A,C,E
5. A,D,E,F
6. A,B,D,F
7. A,C,D
8. A,D,E
9. A,C,E
10. A,C,D,E
11. A,B,D,E
12. B,D,E
13. D,E
14. A,B,E