
Ask Dr. Bob - 20 Dec 2000

I've inherited a Windows NT environment that includes four BDCs and a trusting PDC. Manually monitoring security on this network is frustrating. Can I automate the detection of logon failures or account lockouts across the domain?

The Microsoft Windows NT Server 4.0 Resource Kit includes dumpel.exe, a fascinating applet that you can use to accomplish such automation. After you install the resource kit, use the following sample batch file, which dumps the filtered security log of each domain member to one text file:

@echo off
rem Run this under an account that is allowed to read each machine's security log.
rem Each line appends only event IDs 529 and 539 from that machine to one file.
dumpel.exe -s bdc1 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s bdc2 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s bdc3 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s bdc4 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s pdc1 -l security -m security -e 529 539 >> %temp%\securityevent.txt
dumpel.exe -s workstation1 -l security -m security -e 529 539 >> %temp%\securityevent.txt

The batch file filters each machine's security log down to two failure event IDs. Every run appends all event ID 529 and event ID 539 occurrences to the securityevent.txt file, where you can examine them for logon problems. (Event ID 529 is a logon failure caused by an unknown username or bad password, and event ID 539 is a logon failure caused by a locked-out account.)
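Once the dump exists, the next step is to read it rather than eyeball it. The following script is an added example, not code from the column: it parses a dumpel dump, counts 529 failures per target account, lists 539 lockouts with the domain controller that reported them, and flags any account that collected several bad-password failures inside a short window. It assumes you add -t to the dumpel commands so fields are tab-separated, and that the field order is date, time, type, category, event ID, source, user, computer, description; both the field order and the sample lines are assumptions and constructed data, so check them against your own output before trusting the counts.

```python
"""Summarize NT logon failures (event 529) and lockouts (event 539) from a
dumpel.exe dump such as %temp%\\securityevent.txt.

Added example, not code from the column. It assumes dumpel was run with -t
so fields are tab-separated, in the order date, time, type, category,
event ID, source, user, computer, description; verify that against your own
dump and adjust FIELDS if it differs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FIELDS = ["date", "time", "type", "category", "event_id",
          "source", "user", "computer", "description"]

# Patterns modelled on the NT 4.0 description text of events 529 and 539.
USER_RE = re.compile(r"User Name:\s+(\S+)")
WKS_RE = re.compile(r"Workstation Name:\s+(\S+)")

# Constructed sample lines (not real audit data): three bad passwords for
# jsmith in two minutes, the resulting lockout, one stray failure for mlee,
# and a successful logon (528) that the parser must ignore.
SAMPLE = "\n".join([
    "12/18/2000\t08:01:12 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tBDC1\t"
    "Logon Failure: Reason: Unknown user name or bad password User Name: jsmith "
    "Domain: CORP Logon Type: 2 Workstation Name: WS17",
    "12/18/2000\t08:01:40 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tBDC1\t"
    "Logon Failure: Reason: Unknown user name or bad password User Name: jsmith "
    "Domain: CORP Logon Type: 2 Workstation Name: WS17",
    "12/18/2000\t08:02:05 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tBDC1\t"
    "Logon Failure: Reason: Unknown user name or bad password User Name: jsmith "
    "Domain: CORP Logon Type: 2 Workstation Name: WS17",
    "12/18/2000\t08:02:30 AM\t16\t2\t539\tSecurity\tNT AUTHORITY\\SYSTEM\tBDC1\t"
    "Logon Failure: Reason: Account locked out User Name: jsmith "
    "Domain: CORP Logon Type: 2 Workstation Name: WS17",
    "12/18/2000\t09:15:00 AM\t16\t2\t529\tSecurity\tNT AUTHORITY\\SYSTEM\tBDC2\t"
    "Logon Failure: Reason: Unknown user name or bad password User Name: mlee "
    "Domain: CORP Logon Type: 3 Workstation Name: WS04",
    "12/18/2000\t09:16:10 AM\t8\t2\t528\tSecurity\tCORP\\mlee\tBDC2\t"
    "Successful Logon: User Name: mlee Domain: CORP Logon Type: 3",
])


def parse_dumpel(text, keep=(529, 539)):
    """Parse dumpel lines into dicts, keeping only the event IDs in `keep`."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t", len(FIELDS) - 1)  # description may hold tabs
        if len(parts) < len(FIELDS) or not parts[4].isdigit():
            continue  # blank, truncated or otherwise unparsable line
        rec = dict(zip(FIELDS, parts))
        rec["event_id"] = int(rec["event_id"])
        if rec["event_id"] not in keep:
            continue
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                      "%m/%d/%Y %I:%M:%S %p")
        user = USER_RE.search(rec["description"])
        wks = WKS_RE.search(rec["description"])
        rec["target"] = user.group(1) if user else "?"
        rec["workstation"] = wks.group(1) if wks else "?"
        records.append(rec)
    return records


def summarize(records, threshold=3, window=timedelta(minutes=10)):
    """Count 529s per account, list 539 lockouts, and flag any account with
    `threshold` or more bad-password failures inside a `window`-long span."""
    failures, lockouts, times = Counter(), [], defaultdict(list)
    for r in records:
        if r["event_id"] == 529:
            failures[r["target"]] += 1
            times[r["target"]].append(r["ts"])
        elif r["event_id"] == 539:
            lockouts.append((r["target"], r["computer"]))
    bursts = []
    for user, stamps in times.items():
        stamps.sort()
        left, best = 0, 0
        for right, t in enumerate(stamps):  # sliding window over timestamps
            while t - stamps[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            bursts.append((user, best))
    return {"failures": dict(failures), "lockouts": lockouts, "bursts": bursts}


if __name__ == "__main__":
    report = summarize(parse_dumpel(SAMPLE))
    for user, n in sorted(report["failures"].items()):
        print(f"{user}: {n} bad-password failures")
    for user, dc in report["lockouts"]:
        print(f"LOCKOUT {user} reported by {dc}")
    for user, n in report["bursts"]:
        print(f"BURST {user}: {n} failures within one window")
```

To run it against a real dump, replace SAMPLE with the contents of securityevent.txt. Because the batch file appends on every run, either truncate the file before each collection or deduplicate on (timestamp, computer, event ID) so the same failure is not counted twice.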

Can you define Windows NT's user and kernel modes?

Any OS needs to separate applications from OS services. The reason is obvious—you want the OS to remain functional if an application crashes. In NT, Microsoft gave each application its own process and memory space, with the restriction that no application can read or write outside that space.

User mode and kernel mode describe privilege levels associated with the processor. In simple terms, a process running in user mode can't read or write directly to OS memory. The Virtual Memory Manager, which runs in kernel mode, maintains this isolation.

Microsoft calls a user-mode service that runs in its own protected memory space a protected subsystem; the OS starts such a service at boot time. Two types of protected subsystems exist in NT 4.0: environmental, a service that supports applications written for or native to another OS (e.g., DOS), and integral, a service that performs an OS-related function (e.g., security).

The NT core subsystems also run in user mode, but they don't host applications written for other OSs. NT core subsystems perform OS-related rather than application-related tasks. The basic core subsystems are Winlogon, the Local Security Authority (LSA), the SAM, and the Service Control Manager (SCM).

As you might guess, applications run in user mode, whereas the OS itself runs in kernel mode. Code running in kernel mode can access the memory of every user-mode application, but the reverse isn't true. Many people refer to this level of access as Ring 0. (You can equate user mode with Ring 3 access.) Any crash in Ring 0 is generally fatal to system function. The three major parts of NT that run in kernel mode are the NT Kernel, the NT Executive, and the hardware abstraction layer (HAL).

In short, user mode and kernel mode describe how much access to the hardware a process has. The closer a process runs to the hardware, the more easily a fault in it can bring the whole system down. Because NT isolates applications from the hardware, NT is called a protected-mode environment. For more information about user and kernel mode, see Mark Russinovich, NT Internals, "Windows NT Architecture, Part 1," March 1998, and "Windows NT Architecture, Part 2," April 1998.

My company is installing a new enterprise resource planning (ERP) solution that runs on Oracle 8i Release 3. Many ERP vendors claim that Oracle runs OK on Windows NT but that we might experience better stability and performance on Hewlett-Packard's HP-UX or Sun Solaris. What do you recommend?

Oracle 8i Release 3 runs equally well on NT and UNIX. Vendors such as SAP, Oracle, and PeopleSoft sell to midsized companies (i.e., $75 million in annual revenue) and larger, and many of those customers still run Solaris or HP-UX for some of their larger application back ends. The result is that many enterprise-application providers are more comfortable with UNIX than with NT.

Although Oracle does a fine job on either platform, keep in mind that Oracle 8i Release 3 is a monstrous application that is extremely demanding of machine resources. In fact, Oracle's size has helped propagate the myth that Oracle runs better on Solaris than NT. I know of a few companies that have purchased an inadequate Wintel machine to run Oracle, only to spend six times as much for a Sun Microsystems box after they come to the conclusion that "Oracle doesn't run well on NT."

Notoriously, Oracle doesn't run well on a RAID 5 data set. For Oracle to run well in a large-scale environment, you need to be running RAID 1 or RAID 0+1. I attempted to run Oracle 8i Release 3 on an EMC CLARiiON FC5300 with a RAID 5 volume, and performance was merely adequate. On the advice of my DBA, I moved Oracle to a RAID 1 volume and immediately saw a 60 percent performance increase. When I spread Oracle across two RAID 1 volumes, I saw an additional 15 percent performance gain. I probably could have increased performance by spreading Oracle across a few RAID 5 volumes, or by attempting RAID 50, but I didn't have time to explore further.

Although Oracle runs fine on NT, you might be better off taking the UNIX plunge if your solution provider or integration partner tells you that you need to run Oracle on UNIX. An essential component of any ERP solution is support. Unless you want to take support into your own hands, go with your vendor's platform of choice.

I recently upgraded my Toshiba notebook from Windows NT 4.0 to Windows 2000. Under NT, the Hibernate and Standby functions worked fine. Under Win2K, I receive the following error message: The device driver for the 'PC/AT Enhanced PS/2 Keyboard (101/102-Key)' device is preventing the machine from entering hibernation. Please close all applications and try again. If the problem persists, you may need to update this driver. Do you know what is causing this error?

The problem you're experiencing can occur when an application installs a driver that attaches to your keyboard driver. Applications such as Adobe Type Manager (ATM) and PGP are infamous for causing such problems under Win2K. To solve the problem, simply upgrade the application that is the cause. For more information about this problem, see the Microsoft article "Device Driver Error Message Is Displayed When the Computer Enters Standby or Hibernate Mode" (http://support.microsoft.com/support/kb/articles/q257/1/99.asp).

I'm thinking about purchasing an EMC CLARiiON or Symmetrix storage solution. However, EMC has informed me that I need to purchase the company's Storage Area Network (SAN) switches to run these arrays on a SAN. Is EMC's assertion correct?

EMC sells a redundant switch solution produced by Brocade. The switches, in conjunction with the necessary EMC software, cost about $70,000. EMC maintains that the Brocade switch solution is what you need to run with EMC arrays simply because EMC has fully tested this configuration and knows for certain that it works. Additionally, keep in mind that EMC provides the same support (i.e., 24 x 7 onsite service) for its switches as it does for the array; such support certainly adds to the cost. Brocade makes an impressive switch, so unless you're trying to avoid the up-front cost, I would go with the recommended solution.

The EMC arrays that I've used work with other SAN switches—for example, I currently have one plugged into a Gadzoox switch—but obviously EMC won't actively support such a configuration. If you're looking for a less expensive SAN solution, check out Hewlett-Packard (HP) or Hitachi.

I have an IBM ThinkPad 600 running Windows NT 4.0. I tried using the Control Panel Add/Remove Programs applet to remove the SystemSoft CardWizard power-management software that ships with the notebook, but the uninstallation failed. Now I can't reinstall the application because the installation procedure claims that another version is present. According to the registry, I've cleared all traces of CardWizard. Worse, IBM won't support me because the notebook originally came with Windows 95. Can you help?

I've been impressed with CardWizard's capabilities in NT 4.0. The product primarily enables Plug and Play (PnP) PC Card capability in Windows 2000 and NT 4.0 but also provides a power-management solution called PowerProfiler.

Although you can't find evidence of CardWizard in your registry, I would nevertheless guess that lingering registry entries are causing the problem. As a test, I tried deleting the CardWizard directory without performing an uninstallation. I then tried a reinstallation. The reinstallation process failed, citing an existing version that I must remove before continuing with the new installation.

I contacted SystemSoft and obtained a utility called RegUpdt. After running the utility, which completely removed CardWizard from my registry, I reinstalled CardWizard without a hitch. To obtain RegUpdt, contact SystemSoft technical support at http://www.systemsoft.com/l-2/l-3/support-request.htm.
