Ask Dr. Bob Your NT Questions - 01 Apr 1998

Send us your tips and questions. You can also visit Bob Chronister's online Tricks & Traps at http://www.winntmag.com/forums/index.html.

Q: How can I protect Windows NT's Registry so that I don't accidentally corrupt it?

The Registry is an integral part of NT because it stores all user information and software and hardware configurations. To start, back up your system on a regular basis. In my experience, a daily backup of an active workstation or server is mandatory, particularly if you use that system to store important information.

I suggest you run at least two working copies of NT on each of your active systems. On most of my machines, I install a primary copy of NT Server or NT Workstation and a minimum install copy of NT Workstation so that I can still boot to NT if I damage my primary copy.

Always keep a current Emergency Repair Disk (ERD) on hand. You need this disk during the repair process. To use your ERD in the repair process, you boot into the install process, and instead of installing NT, you choose to repair an installation and specifically to repair the Registry. Use this option only if you diligently keep your ERD up to date. To keep your ERD current, run the rdisk /s utility at the command prompt whenever you install new software or update existing software. This utility writes a complete copy of your Registry to a disk. You need to run rdisk /s from the command prompt; otherwise, if you run rdisk from the NT Explorer or My Computer, the utility won't fully update the default, Security Accounts Manager (SAM), and security files on your ERD.

If the size of your Registry exceeds the size of the disk (i.e., the ERD), you can successfully recover your Registry using the regback and regrest utilities from Microsoft Windows NT Server 4.0 Resource Kit and Microsoft Windows NT Workstation 4.0 Resource Kit. Unfortunately, the documentation for these utilities isn't very helpful. To back up the full Registry to a hard disk, you can type

regback <c:\config>

at the command prompt, where <c:\config> is the name of the directory where you want to store the Registry backup (you must create this directory before you use this command).

I suggest you back up your Registry to a \config directory on the same hard disk where the Registry resides (e.g., if you install NT on the C drive, back up your Registry to c:\config). Regardless of which directory you use, for regrest to work, you must back up the Registry to the same drive where the operating system resides. Be aware that you can't back up your Registry to a \config directory and overwrite previous backups with regback. However, you can overcome this problem by using a simple batch file to delete the files in the directory before you perform the backup. The following batch file works with my c:\config example:

c:
cd \config
del *.* /q
regback c:\config

The /q switch on the third line of the batch file tells the command processor to delete the files in quiet mode (i.e., without asking the user for permission). Screen 1, page 220, shows the files regback saves. When you use regback, the utility doesn't save specific user information. Instead, you must save this information manually, as you see in the message in Screen 2, page 220.

Restoring a Registry that you've backed up with regback is far from intuitive. I find that the Registry restore utility, regrest, works best with the \config directory. I recommend that you restore the Registry hives one at a time to maintain complete control of the restore. For example, you can type

regrest c:\config\system c:\config\system.sav machine system

to restore the Registry from my previous example. All regrest restores are made to either user or machine (system is part of machine). After you execute the regrest command, you must reboot your system for the changes to take effect, as you see in Screen 3. Be aware that performing such backup and restore procedures can be lethal to your system.

Q: What steps can I take if I can't boot into Windows NT?

If you can't set up or boot into NT, you probably have a corrupt boot sector, which is most likely the result of a virus. To work around this problem, you need an NT boot disk, a mandatory resource for most users' NT toolkits. An NT boot disk (not a DOS disk) made on any Intel-based NT machine will work on any other Intel-based NT machine, assuming the boot.ini file is correct (you can always edit the boot.ini file with any standard text editor, such as the DOS Edit command).

An NT boot disk lets you bypass your hard disk's boot sectors. The NT boot disk contains all necessary boot files, except the necessary system files, which stay on the appropriate hard disk. For both Intel- and RISC-based machines, you must format the NT boot disk in NT. On Intel-based machines, copy ntldr, ntdetect.com, and boot.ini to the boot disk. For RISC-based machines, copy osloader.exe and hal.dll to the boot disk. After you copy the files to the NT boot disk, you can protect the disk from viruses by making it read only (i.e., slide the plastic protective button to the lock position). On Intel-based machines, the NT boot disk will load ntldr and ntdetect.com, which will call on boot.ini to find the appropriate location of the \winnt directory and find all other essential files. I always use such a disk to determine whether my boot sector is corrupt. If you can boot to NT with the NT boot disk, you can probably repair the damaged boot sector without much trouble. To repair the boot sector, try one of the following methods.

1. If you need to repair the boot sector on an NTFS drive, you can use the emergency repair procedure. To begin this process, insert your NT setup disk #1 and reboot your machine. (Use the disk-based installation procedure for all emergency repairs. If you lose your three NT setup disks, you can re-create them by booting to any system that has access to the NT CD-ROM, and running winnt /ox or winnt32 /ox.) Carefully follow the instructions on screen, and press R for Repair when prompted. Select only the options to Inspect startup environment and Inspect boot sector, and clear the other two option check boxes for the system files and the Registry. (Note that you don't need to have recently updated your emergency repair information when you choose only these first two options.) The repair procedure will then attempt to fix the startup environment. If it doesn't fix the problem, try the next method.
2. The DOS Fdisk command is perhaps the fastest and simplest way to fix or replace the Master Boot Record (MBR), but Microsoft doesn't endorse using Fdisk because it can be risky. You can use Fdisk to repair either the MBR or the partition tables, but don't use it if you run third-party partition applications.

On a DOS (version 5.0 or later) machine, make a system disk by running sys.com from the DOS directory or by formatting the disk with the format /s command. After you create the system disk, copy fdisk.exe, format.com, and sys.com to the disk.

Boot to the boot disk you just created, and type

fdisk /mbr

at the disk command prompt. This command replaces the MBR but doesn't alter the partition tables at the end of the sector. As I stated before, this procedure is very fast and doesn't provide you with a message or response. I've used this simple approach to recover numerous corrupted boot sectors, but the process doesn't always work. Interestingly, fdisk will remove any NT signature written onto the drive by Disk Administrator. This problem surfaces only when the disk or partitions on the disk are part of a stripe or volume set. When fdisk removes the NT signature, Disk Administrator places a new one on the disk when you boot into NT and run the Disk Administrator applet.

Q: My hard disk is so corrupt that I can't boot into Windows NT. When I try, I get the message, Windows NT could not start because the following file is missing or corrupt <%SYSTEMROOT%>\SYSTEM32\NTOSKRNL.EXE. When I run the emergency repair process, I get the message, Setup has determined that your file system is corrupt, and fdisk /mbr doesn't resolve the problem. What options do I have?

If your system isn't displaying the message, invalid media for drive C, which is a sure sign that your hard disk is corrupt to the point that it's dead, you have a few options to repair the damage. First, you can send your hard disk to DriveSavers (http://www.drivesavers.com) or Ontrack (http://www.ontrack.com). Both companies can retrieve the data from your hard disk for you. Assuming that neither company has to open your hard disk in a special dust-free environment (i.e., a clean room), prices for retrieval can range from approximately $600 to $1500, depending on how fast you need your hard disk returned. After the data retrieval company has recovered your data, it might restore the data to the original hard disk, to a tape, or to another hard disk, depending on the status of the original hard disk.

If you can't send your hard disk to a data retrieval company, you do have another option, but it is just short of a new format and installation. The purpose of the following procedure is to let you access the hard disk for data retrieval. After you retrieve the data from your hard disk, I recommend that you perform a fresh format and installation.

The following procedure describes the process of recovering an NTFS partition on a Quantum 1080S hard disk (you don't need to load any SCSI drivers, and this procedure is very similar for other types of hard disks).

1. Boot to a DOS disk that contains a copy of the Symantec's Norton Utilities diskedit.exe application and a copy of your mouse driver. I usually prevent DOS from loading other drivers during this procedure by pressing F5 when DOS starts. Then I type

   a:\mouse
   

   and press Return to load the mouse driver.

2. Run diskedit.exe, and select Configuration from the Tools menu. Clear the read only check box, and click OK.
3. Select Drive from the Object menu. Choose the Physical disk option, and select the hard disk in question. Click OK. Diskedit.exe will read the hard disk you selected and display data from Cyl 0, Side 0, Sector 1.
4. Select Physical Sector from the Object menu. The primary NTFS boot sector is at Cyl 0, Side 1, Sector 1. Enter these coordinates, and click OK. Diskedit.exe will display a screen similar to what you see in Figure 1, for a good NTFS partition (I gathered this data for a Quantum 1080S, and your data may not exactly match this information). The information in Figure 1 represents a valid NTFS boot sector. The offset (the first column on the left) is 00000000. Now that you've found the original NTFS boot sector, note the location (in this case, Cyl 0, Side 1, Sector 1). Next, you need to find the backup copy of the boot sector, which is at the end of the drive.
5. Select Physical Sector from the Object menu again to see the possible values for cylinders, sides, and sectors. For the Quantum 1080S hard disk, the maximum number of cylinders is 130, the maximum number of sides is 254, and the maximum number of sectors is 6. Input the ending cylinder, side, and sector, and select only one sector to read (this setting shouldn't cause you any problems because you will be looking at the end of the drive). When you click OK, diskedit.exe places you at the backup NTFS boot sector, which looks identical to the primary boot sector you just saw in Step 4 (i.e., Figure 1).
6. Select Mark from the Edit menu, and use the mouse (or arrow keys) to select the whole sector.
7. Select Write To from the Tools menu, and input the location of the original boot sector (as noted in Step 4­Cyl 0, Side 1, Sector 1). When you click OK, diskedit.exe will ask you whether you are sure. Click OK again to write the backup sector to the original boot sector.
8. Quit diskedit.exe, and restart your computer.

Q: How can I perform an unattended installation of Service Pack 3 (SP3)?

You can perform an unattended installation of SP3 using a batch file or a rollout utility such as Systems Management Server (SMS). If you have the SP3 CD-ROM, copy all the files to your network share location. Users who download SP3 from the Web must start by unzipping the large .exe file by running nt4sp3_i.exe with the /x switch. When the software asks you where you want to unzip the files, specify your network share location. By unzipping this file, you have access to the update utility (update.exe). From this point, you can run the update in silent mode and create a file containing a line that runs only once (i.e., the command won't run again during subsequent boots). Before you begin, you need to understand how to log on automatically and run a program. Let's look at four methods for performing the SP3 unattended installation.

Method 1. With this method, you use Windows NT's Auto Admin Logon feature and Run Once feature to automatically log on as the administrator after the NT 4.0 installation is complete. After you log on as the administrator, you run a custom command, update.cmd, at this logon.

1. Start by running edit.exe from the command line (edit doesn't use Uni-code characters, which is important to remember when you're creating runtime scripts) to create an autolog.reg file with the following information:

   REGEDIT4
   \[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\]
   "DefaultUserName"="Administrator"
   "AutoAdminLogon"="1"
   "DefaultPassword"=""
   

   Setting up autolog.reg with a blank for the DefaultPassword is essential because NT disables the AutoAdminLogon feature after it runs once. Standard NT LAN Manager authentication occurs on subsequent logons.

2. Use edit.exe to create a runonce.reg file with the following information:

   REGEDIT4
   \[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\]
   "RunThis"="c:\\batch\\update.cmd"
   (This assumes the batch directory is on the C drive)
   

3. To perform an automated installation, you need to have the $oem$ directory set up on your installation share. Copy autolog.reg, runonce.reg, and regedit.exe to the $oem$ directory (NT places regedit.exe in the %systemroot% directory by default).
4. Use edit.exe to create the update.cmd file to include the following line:

    \\"share point for service pack files"\UPDATE.EXE /U /Z 
   

   (The share point is a reference to the network share containing the unzipped SP3 files.)

5. Create an $oem$\c\batch directory on your distribution share, and copy your update.cmd file into this directory with the command lines you need to automate your customizations for NT 4.0.
6. Use edit.exe to add the following lines to cmdlines.txt:

   \[Commands\]
   ".\REGEDIT.EXE /S .\AUTLOG.REG"
   ".\REGEDIT.EXE /S .\RUNONCE.REG"
   

   If a cmdlines.txt file does not exist, create it and add the two new lines. You can have only one \[Commands\] section.

7. Make certain that you set the OemPreinstall = yes in your unattended script.

Method 2. Method 2 is similar to Method 1, and deciding which method to use is a matter of personal preference. With Method 2, you begin by automatically logging on as the administrator, just as you did in Method 1. After you log on, you use NT's RunOnce feature to run the NT SP installation program, update.exe, in silent mode. The key to this approach is to add the following command line for running update.exe in silent mode to the same RunOnce key in the NT Registry that I used in Method 1:

\\"share point for service pack files"\UPDATE.EXE /U /Z

Method 3. To use this method, you need to modify the reference to the unattend.txt file in either winnt.exe or winnt32.exe to include the /E switch. This switch tells setup to run a command at the end of the GUI setup mode. For example, the modified reference might look like

WINNT.EXE /U:UNATTEND.TXT /S:X:\ /E:" \\"share point for service pack files"\UPDATE.EXE /U /Z "

The share must follow DOS recognition rules, so keep the share name short.

Method 4. If you're using disk duplication, you must copy all SP3 files to the network share.

1. Copy the SP3 source files to your $oem$ network distribution point.
2. Edit or create a cmdlines.txt file, and add the following line to the \[Commands\] section

   ".\update /u /z"
   

3. Enable OemPreinstall = yes in the unattended script file.