8/8/2019 Module Tools and Troubleshooting
1/172
Tools and Troubleshooting
Microsoft Windows XP New Hire
Microsoft Confidential Provided Under NDA
Table of Contents

Introduction ... 6
System Restore ... 7
  What System Restore Does ... 7
  System Restore Boundaries ... 9
  Architecture Overview ... 10
    Summary ... 12
  System Restore Configuration ... 14
    Drive Frozen Due to Low Disk Space ... 15
  System Restore Points ... 18
    Data not in a Restore Point ... 19
    System Restore Timeline ... 19
  Using System Restore ... 22
    System Restore in Safe Mode ... 23
    Restoring ... 23
  Troubleshooting System Restore ... 27
    Functionality in Safe Mode Scenarios ... 29
    General Troubleshooting ... 30
    Resources ... 37
  System Restore and Service Pack Installation ... 39
WFP/SFC ... 41
  Windows File Protection and Driver Signing ... 43
    What is WFP? ... 45
    How WFP works ... 45
    WFP Allowable Updates ... 47
    WFP Utilities ... 48
    WFP Configuration ... 48
    Windows File Protection Troubleshooting ... 49
Diagnostic Tools ... 53
  Documentation Resources ... 54
    Help and Support ... 54
    Resource Kit ... 55
    MSDN Advanced Documentation ... 55
    Windows Hardware and Driver Central ... 55
  MSConfig ... 57
  MSInfo32 ... 61
  Event Logs ... 63
    Using Event Logs for Troubleshooting ... 63
  MPSReports ... 67
  Error Reporting ... 69
  Dr. Watson ... 71
  Cacls ... 73
  Support Tools ... 76
    RASDiag ... 76
    Windiff ... 79
Recovery Console ... 81
  Using Recovery Console ... 82
  Performing Troubleshooting in Recovery Console ... 86
  Recovery Console Details ... 97
Kernel Errors ... 101
  Why do you need to know about Kernel Mode error messages? ... 104
  What is a Kernel Mode Error? ... 104
  Stop Messages ... 105
  Stop Error Troubleshooting ... 109
    Troubleshooting Information to Gather from Stop Messages ... 109
    Troubleshooting Steps ... 109
    Disable Automatic Restart on System Failure ... 112
  Specific Bugcheck Codes ... 114
    0x0000000A: IRQL_NOT_LESS_OR_EQUAL ... 114
    0x0000001E: KMODE_EXCEPTION_NOT_HANDLED ... 114
    0x0000007B: INACCESSIBLE_BOOT_DEVICE ... 115
    0x0000007E: SYSTEM_THREAD_EXCEPTION_NOT_HANDLED ... 115
    0x0000008E: KERNEL_MODE_EXCEPTION_NOT_HANDLED ... 116
    0x000000C2: BAD_POOL_CALLER ... 116
    STOP: C0000135: {Unable To Locate Component} ... 116
    0xC000021A: STATUS_SYSTEM_PROCESS_TERMINATED ... 117
    0xC0000221: STATUS_IMAGE_CHECKSUM_MISMATCH ... 118
User Mode Errors ... 121
  Application Errors ... 122
  User Mode Errors ... 123
    Why do you need to know about User Mode Error messages? ... 124
    What is a User Mode Error? ... 124
    Troubleshooting ... 127
Registry Troubleshooting Techniques ... 131
  What Is the Registry? ... 132
  Registry Structure ... 134
  What Is the Registry Editor? ... 137
    Registry Editor Features ... 137
  Registry Troubleshooting Techniques ... 140
    Prune and Graft ... 140
    Monitoring Registry Access ... 141
  Registry Corruption Troubleshooting ... 144
    Considerations ... 144
    Precautions ... 145
    Recovery Steps ... 145
Remote Assistance ... 153
  Using Remote Assistance ... 154
    Creating an invitation ... 154
    Send the Invitation ... 154
    Using an Invitation ... 156
    Taking Control ... 156
    Session Considerations ... 156
  Remote Desktop and Remote Assistance Compared ... 159
    Intended Purpose and Audience ... 159
    Obtaining Access Rights ... 160
    Initiating a Session ... 160
    Comparing the Client Views ... 161
    Comparing the Remote Consoles ... 162
    Terminating a Remote Session ... 162
    Comparing User Control ... 162
    Summary ... 162
  Troubleshooting Remote Assistance ... 164
    Connections ... 164
  Resources ... 168
Data Loss/Data Recovery Discussion ... 169
  Before Any Troubleshooting ... 169
  Understanding where Data Loss is Possible ... 169
  Setting Expectations ... 172
Table of Figures

Figure 1: System Restore Welcome Screen ... 7
Figure 2: System Restore Wizard Options ... 11
Figure 3: Filter Driver Architecture ... 12
Figure 4: System Restore Configuration ... 14
Figure 5: Settings for C: drive ... 15
Figure 6: Use the DCU to make more space ... 15
Figure 7: Registry keys ... 18
Figure 8: System Restore timeline ... 19
Figure 9: Filelist.xml ... 20
Figure 10: Accessing System Restore through MSconfig ... 22
Figure 11: Accessing System Restore through MSinfo32 ... 23
Figure 12: System Restore Wizard ... 24
Figure 13: SRDiag ... 27
Figure 14: Successful file restoration logged ... 45
Figure 15: Prompt for CD ... 46
Figure 16: Event cancelled ... 46
Figure 17: Unsigned drivers ... 46
Figure 18: Run Sigverif ... 50
Figure 19: Unsigned drivers listed by sigverif ... 51
Figure 20: System Configuration Utility ... 57
Figure 21: Looking for Errors later than Event ID 6005 ... 64
Figure 22: Event Log Error ... 65
Figure 23: Error Reporting ... 69
Figure 24: Windiff ... 79
Figure 25: Press R to Start Recovery Console ... 83
Figure 26: Select Installation ... 83
Figure 27: Logon and Command Prompt ... 84
Figure 28: Fixboot ... 88
Figure 29: Fixboot ... 89
Figure 30: FixMBR ... 90
Figure 31: Diskpart ... 94
Figure 32: Diskpart ... 96
Figure 33: Kernel Mode Error (Stop Error) ... 101
Figure 34: Startup and Recovery Settings ... 103
Figure 35: Kernel Mode Error - Stop Error ... 106
Figure 36: User Mode Error ... 123
Figure 37: Error Reporting Dialog Box ... 125
Figure 38: Error Details Dialog box ... 126
Figure 39: Hives in Regedit ... 134
Figure 40: Keys in Regedit ... 135
Figure 41: Regmon Output ... 142
Figure 42: System Volume Information Security ... 148
Figure 43: Select how you want to contact the helper ... 155
Figure 44: Start a Help Session ... 156
Figure 45: Remote Desktop client view ... 161
Figure 46: Remote Assistance client view ... 161
Figure 47: Novice is behind a NAT ... 165
Figure 48: UPnP NAT ... 165
Tools and Troubleshooting Introduction
6 Microsoft Partner
Introduction
Module Objectives:

Discuss:
- System Restore
- WFP/SFC
- Diagnostic Tools
- Recovery Console (RC)
- Kernel Errors
- User Mode Errors
- Registry Troubleshooting Techniques
- Remote Assistance
System Restore
If users experience a system failure or another significant problem, they can use System Restore from Safe Mode or Normal Mode to go back to a previous system state and recover normal system functionality. System Restore actively monitors system file changes and some application file changes in real time, and records the previous versions before the changes occur. Restore Points contain a snapshot of the registry and may contain key system files that have been changed. Restore Points are created at the time of significant system events (such as an application or driver install) and periodically (every 10 hours of session time or 24 hours of calendar time). Additionally, users can create and name their own Restore Points at any time. This allows the user to roll back the state of the system to a previous time when everything was working.
Figure 1: System Restore Welcome Screen
What System Restore Does
System Restore monitors key application and system files during the installation of new programs or new driver files, keeping the version information of the system files in the restore point. It also creates a snapshot of the registry keys that a restore replaces (HKEY_LOCAL_MACHINE and HKEY_USERS) and works in conjunction with Windows File Protection to record and store the versions of the system files that were on the system when the snapshot was created. System Restore is supported in Safe Mode and in Normal Mode. The only difference between restoring in Safe Mode and in Normal Mode is that Safe Mode does not create an Undo Restore Point. By contrast, Normal Mode creates an Undo Restore Point, which makes it possible to revert from a failed restore or to undo the restoration.
The design of System Restore is such that the user never needs to explicitly take manual snapshots; the backup is done silently in the background. Windows XP provides meaningful Restore Points that correspond to major system change events (e.g. application installation). When a problem occurs, users can roll back their system to a point in time immediately before a restore point (e.g. before application XYZ was installed and the machine's issues began).

Twenty-four-hour calendar-time or ten-hour session-time Restore Points cover those system events which are not tracked. System Restore does NOT monitor user data (i.e. anything in My Documents or files with known data extensions such as .doc, .xls, .mdb, .pst, etc.). This prevents the user from losing data when a restore is performed.
System Restore actively monitors and records changes to a select group of system and application files specified in an include list. These file copies are logged, compressed and stored locally in a protected directory, the data archive. For every restore point created, System Restore takes a full registry snapshot. These registry snapshots are also logged and stored within the data archive.

When a customer needs to revert a PC to a time before a destructive change occurred, the System Restore UI presents a restore point catalog which displays the restore options for a selected day.
Restore Points can take the following forms:
- Periodic (called system checkpoints)
- Application installs, with friendly names
- Manually created, user-named Restore Points
- Restore operations, which provide undo capabilities

Once the user selects a restore point, System Restore creates a restore map and conducts the restore by specifying:
- The ultimate file operations necessary to revert the system to the selected point
- The identification of the original registry to replace

Note:
A user can set which drives System Restore will monitor on its Properties page; however, it is not possible to disable SR on the system drive and leave it on non-system drives. The list of excluded and included files (SFP) is in %windir%\System32\Restore\filelist.xml.
The combination of a wizard-like step-by-step restore UI with meaningful restore point choices is intuitive and non-intimidating, enabling even the most novice customers to undo system changes without assistance.
Note:
System Restore does not back up data and so cannot be used to perform a backup for purposes of protecting data.

Note:
System Restore can be used to revert Windows XP to before the installation of Service Pack 1 (SP1). This may cause PPPoE to break in Windows XP networking, as described in Q320558.

Note:
When performing troubleshooting in Windows XP, it is often necessary to perform a Clean Boot with all services disabled using the MSConfig utility. When this is done, the System Restore service is also switched off, removing all saved Restore Points. Consider trying System Restore to solve the issue prior to disabling the service, or do a Clean Boot leaving the System Restore service running.
System Restore Boundaries
System Restore is meant to be a system stability recovery tool. It has many limitations that make its use for other tasks undesirable. For instance, System Restore does not monitor or restore the contents of redirected folders. System Restore does not monitor any settings associated with roaming user profiles. Internet Explorer specific items such as cookies, favorites, and the browser history will not be restored. In addition, System Restore is not an uninstall utility. If you create a System Restore snapshot, install four applications on your system, and then want to use System Restore to remove just one of those applications, that is not possible. If you roll back to a previous system state you get the complete snapshot of the system before all four programs were installed.

System Restore is not designed to back up or restore personal data. Many of the common data types used on the PC are not covered by System Restore. This means that if you have one version of a Word document and then restore to a time two weeks prior, you still have the same version of the Word document on the system. System Restore is not meant to be a replacement for a full backup, because only incremental changes to the operating system and application files (not personal data) are saved. A complete or ASR backup and restore is required to recover from problems that cause your system to become unbootable.

Last, System Restore is not a virus protection program. The data archive no longer restricts access to antivirus utilities. This means that antivirus programs can now check the contents of the System Restore .CAB files for infected files. But the bottom line is that System Restore should not be relied upon to remove viruses. It is possible to restore to a previous point and still have the virus on the system, for example when the malicious file was already present when the restore point was taken, or when it lives in a location System Restore does not monitor.
Architecture Overview
To track and copy files before changes, System Restore uses a file system filter driver that runs at the kernel level (in kernel mode). This filter driver monitors file system operations and, for select file types and operations, quickly interrupts an operation (for example, DELETE FILE) and copies or moves the original file before the operation completes. The file changes are entered into a log, and the file copies and logs are stored in an archive on the drive or partition where the original file resided. Change-based file copying happens once per specific file per system session or for any given Restore Point.

The file operations that the filter driver takes note of are known as interesting operations, and include creation, deletion and modification of system files. Physical attribute changes or renames of a system file, and ACL changes made on the System Restore data store or on system files, are also interesting operations. The System Restore filter driver intercepts these calls as they arrive from the Win32 file system API, logs each change to a change log, and renames or copies the file to the data store. After the operation is logged it is passed on through to NTFS (or the FAT file system) and allowed to proceed; that is, the requested changes are made to the file.

The System Restore Wizard gives the user a simple interface for rolling back the system. The wizard contains the options to restore the computer to a previous point, create a new restore point, or undo a previous restore.
Figure 2: System Restore Wizard Options
Figure 3: Filter Driver Architecture
Figure 3 shows the architecture of the System Restore filter driver. In Step One, a Win32 file system call acts on one of the protected system files. In Step Two, the System Restore filter driver intercepts the call, makes a change-log entry, and copies the file to the data store for the current restore point. In the final step (Step Four in the figure), the call goes through to the underlying file system, either NTFS or FAT. The driver copies files on first write and handles files opened for exclusive access.
Summary

System Restore is a real-time change monitor-and-restore feature in Windows XP. It uses a filter driver architecture to track changes to the system, and provides a simple user interface for restoring and creating Restore Points. System Restore automatically creates Restore Points and also allows the manual creation of Restore Points. The Restore Points themselves allow the user to restore the system to a previous point in time, regain access to the system, and return the system to a stable state.
System Restore Configuration
This section covers the configuration of System Restore as well as its status indicators and storage management. System Restore is configured on the System Restore tab of the System Properties dialog box. Access it via Control Panel > System > System Restore tab.
Figure 4: System Restore Configuration
The first option on the System Restore tab turns System Restore on or off for all drives. Select this option if you do not want to use System Restore at all. To turn off System Restore for an individual drive instead, select the drive and click the Settings button.
Select the drive that you want to modify and click the Settings button to change how much space is allotted on each drive for System Restore.
Figure 5: Settings for C: drive
Move the slider to modify how much space is available for saving restore points. Disk space thresholds start at a minimum of 200 MB for the system disk (50 MB for other disks) and max out at 12% of the drive. The default is the larger of 400 MB or 12%. When the space is filled, Restore Points are deleted on a FIFO (first in, first out) basis: when the data store reaches 90% of its maximum, the oldest restore points are purged until it is down to 75%, making room for new restore points. At a low disk space notification (50 MB free), all restore points are frozen.
Figure 6: Use the DCU to make more space
Drive Frozen Due to Low Disk Space
Users see a single-partition SR Frozen (suspended) view if SR has been frozen because of low disk space. They can still turn off SR (whether they clean up space or not), but they cannot change the data store size. This screen links directly to the Disk Cleanup utility so that space can be freed and SR can automatically resume (if desired).

Users see a non-system drive settings view if a non-system drive is suspended. In this view, the selected non-system drive has been frozen or suspended. This dialog also links to the DCU, and the data store slider appears grayed out until SR has resumed functioning (once at least 200 MB of space has been freed).
When the Multiple Drives suspended (frozen) view appears, all the drives are out of disk space and so are frozen. In the multiple-partition case the Disk Cleanup link is on the Settings dialog for each drive. The Settings button is not active for any non-system drive (it appears grayed out) until the system drive is monitoring again.

All drives are suspended or frozen if the system drive freezes first. When the user closes the Settings dialog after running DCU on C:, all other drives will then show Monitoring as their status.
System Restore Points
A Restore Point is a snapshot of system files and registry settings. It is created either automatically or manually before key changes are made, to allow users to choose previous system states. File compression is enabled only on NTFS. The data is stored under <drive letter>:\System Volume Information; the Globally Unique Identifier (GUID) information is stored in MachineGUID.TXT. The data in a Restore Point includes:
- Registry settings
- Profiles (local only; roaming user profiles are not affected by a restore)
- COM+ Database (DB)
- WFP cache
- WMI DB
- Internet Information Server (IIS) Metabase
- Files with extensions listed in the <Include> portion of the Monitored File Extensions list in the System Restore section of the Platform Software Development Kit (SDK)

Note:
The Restore Point folder and files are super hidden. Customers may need to change the view options in Windows Explorer in order to see the Restore Point.
Figure 7: Registry keys
Data not in a Restore Point
Since the information in a restore point is either the system registry files or key application and system files, neither user-created data files, nor user profile settings, nor the contents of redirected folders are placed in a restore point. Another key item not stored in a restore point is the Windows Media Rights Manager (DRM) information, which keeps track of a license's state (expiration date, number of plays allowed) by creating a signed hash of the license file and storing it in a registry key. It also keeps key license information in file form in the Documents and Settings\All Users\DRM directory. Restore points also will not store anything about the Security Account Manager (SAM) hive (so a restore does not revert passwords) or any Windows Product Activation settings.

Directories or files listed under <Exclude> in filelist.xml are excluded, as are any files with an extension not listed under <Include> in filelist.xml. Items listed in the FilesNotToBackup and KeysNotToRestore lists (HKLM\SYSTEM\ControlSet001\Control\BackupRestore\FilesNotToBackup and KeysNotToRestore) are also not restored.
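The two passages above (the filelist.xml note in "What System Restore Does" and the <Exclude>/<Include> rule here) can be checked directly against a candidate path. The following script is an added example for this module, not Microsoft code and not the service's own matching engine: it reads a FileList document, expands %windir%-style tokens, and applies the rule exactly as the text states it (an <Exclude> match wins; otherwise a file is monitored only if its extension is under <Include>). Assumptions: Windows PowerShell 2.0 or later is installed on the XP machine (it is not on a stock XP image); the embedded XML and the sample paths are constructed for illustration and are not the shipped list; the function names are this example's own.

```powershell
# Added example; not part of the Microsoft module text and not the service's matcher.
# ASSUMPTIONS: Windows PowerShell 2.0+ on the XP box; simplified precedence (Exclude wins,
# then extension must be in Include). The embedded XML is a CONSTRUCTED sample; pass
# -Path "$env:windir\system32\Restore\filelist.xml" to evaluate against the live list.

function Get-SrFileListRules {
    param([string]$Path)
    if ($Path -and (Test-Path -Path $Path)) {
        $xml = [xml](Get-Content -Path $Path)
    } else {
        $xml = [xml]@"
<FileList Version="1.0">
  <Exclude>
    <REC>%windir%\system32\Restore</REC>
    <REC>*:\System Volume Information</REC>
    <REC>*:\pagefile.sys</REC>
    <REC>*:\Documents and Settings\*\My Documents</REC>
  </Exclude>
  <Include>
    <REC>*:\*.exe</REC>
    <REC>*:\*.dll</REC>
    <REC>*:\*.sys</REC>
    <REC>*:\*.ini</REC>
  </Include>
</FileList>
"@
    }
    # Expand %windir% style tokens so entries compare against real paths
    $exclude = @($xml.FileList.Exclude.REC | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) })
    $include = @($xml.FileList.Include.REC | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) })
    return @{ Exclude = $exclude; Include = $include }
}

function Test-SrMonitored {
    param([string]$FilePath, [hashtable]$Rules)
    foreach ($e in $Rules.Exclude) {
        # An <Exclude> entry matches the object itself or anything beneath a directory entry
        if (($FilePath -like $e) -or ($FilePath -like ($e.TrimEnd('\') + '\*'))) {
            return "excluded      (<Exclude> $e)"
        }
    }
    foreach ($i in $Rules.Include) {
        if ($FilePath -like $i) { return "monitored     (<Include> $i)" }
    }
    return "not monitored (extension not in <Include>)"
}

$rules = Get-SrFileListRules
# CONSTRUCTED sample paths: a replaced binary and a dropped driver are tracked (and so also
# land in the data store, the antivirus caveat above); user data and the store itself are not.
$samples = @(
    'C:\Program Files\Vendor\app.exe',
    'C:\WINDOWS\system32\drivers\newdrv.sys',
    'C:\Documents and Settings\Alice\My Documents\helper.dll',
    'C:\Work\budget.xls',
    'C:\System Volume Information\MachineGUID.TXT'
)
foreach ($s in $samples) { '{0,-58} {1}' -f $s, (Test-SrMonitored -FilePath $s -Rules $rules) }
```

The helper.dll case is the one worth remembering: the extension is on the include list, but the path sits under an excluded directory, so the exclusion wins and no copy is taken. Run against the live filelist.xml to see the real list, which is considerably longer than the sample.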
System Restore Timeline
Look at the following timeline to see how System Restore works.
Figure 8: System Restore timeline
Actions along the timeline: T1 Office 2K installed; T2 Evil App installed; T3 System Checkpoint; T4 restore the system to before Evil App was installed.
Machine state at each point: T1 Office 2K; T2 Office 2K, Evil App; T3 Office 2K, Evil App (changes between T2 and T3); T4 Office 2K.
Figure 9: Filelist.xml
Using System Restore
There are three common ways to start the System Restore user interface.
Start it directly by clicking its shortcut icon: in the Start menu choose All Programs > Accessories > System Tools, then click the System Restore icon. The name of the executable file is RSTRUI.exe and it is located on the system drive in the Windows\system32\restore subdirectory.
The indirect ways to run the System Restore user interface include running MSCONFIG.exe, MSINFO32, and the Help and Support user interface. After starting any of these three, select System Restore from the list of tasks that can be run from that program.
Figure 10: Accessing System Restore through MSconfig
Figure 11: Accessing System Restore through MSinfo32
The last way to be prompted to run the System Restore user interface is when booting into Safe Mode. Booting into Safe Mode for the first time automatically generates a dialog box that asks if you want to run the System Restore user interface to recover a previously created System Restore snapshot.
System Restore in Safe Mode:
In Safe Mode, you can restore to any point, but you cannot create a restore point (even a restore point associated with a restore itself). If you choose to restore to a previous restore point in Safe Mode, there will be no Undo operation for it, since that would require creating a restore point for that restore operation to be undone. Some points to remember about SR in Safe Mode:
If the FirstRun key is set and you boot into Safe Mode, Windows will not initialize SR.
If the FIFO condition is met, it will work as in protect mode.
Freeze and Thaw should happen similarly to protect mode (except that no restore point is created for a Thaw).
File changes are monitored and recorded in Safe Mode as in protect mode.
There is no option to boot from an Emergency Boot Disk and undo a restoration. Users will have to work with the Recovery Console (F8) and use the Last Known Good functionality to get back to the GUI and go back to the previous state.
Restoring
In the System Restore wizard interface there are three major choices:
The user can create a restore point.
The user can also restore to roll back system changes to the registry and key system or application files. Also note that the Recovery Console, which would be used to repair a damaged installation of Windows XP, does not tie into the System Restore restore points and cannot be used in that way.
A user can undo a restoration. Undoing can simply roll back, or use a previous snapshot of the system state to roll back system changes that have rendered the system unusable.
Figure 12: System Restore Wizard
Some useful things to know about System Restore:
It creates a restore point when a point is restored, to allow the undo of the restore.
It can restore a system to a state closer to when the problem started, versus the ship image.
It causes minimal impact on performance and disk space cost.
It just works: no interaction is necessary until the user needs to restore.
There is no user data loss; restoring the system will not cause you to lose changes to personal data files.
It is automatic and easy for the consumer user, while flexible and powerful enough for advanced users and administrators.
Functionality in Safe Mode Scenarios
Listed are six System Restore scenarios that customers experience when trying to troubleshoot System Restore failures.
System Restore does not record changes in compression, nor does it undo them. This is because changes in compression do not cause the system to fail.
System Restore does not replace all files of a removed program. For example, an application is installed on Microsoft Windows XP and SR takes a system snapshot. At some point later that application is uninstalled, but the user attempts to roll the system back to the state where the application was installed. While the registry settings and some of the application's files may be restored, not necessarily all of the files will be restored. If the application does not work correctly, then the application files should be reinstalled from the original media.
System Restore and automatic restore points for unsigned drivers. When an automatic restore point is created for an unsigned driver install, all that is listed in the System Restore user interface is "unsigned driver installation". The name of the driver is not listed. This behavior is by design.
How System Restore handles password restores. In Windows XP and Microsoft Internet Explorer the passwords are not restored, to prevent rolling back to an older password that a user has forgotten. However, application passwords and domain passwords are restored.
System Restore is suspended on the system drive although there is enough free space available. The situation that occurs here is that on one of the non-system drives there is less than 15 megabytes of free disk space available. To get System Restore enabled again the user must either disable it on the drive with less than 15 megabytes free or free up at least 200 megabytes on that drive so that the suspend mode will cease.
System Restore and restore points are missing or deleted. There are five cases where restore points can become deleted:
If there is an out-of-disk-space condition.
If System Restore is turned off on a drive.
If you upgrade to a new operating system.
If you run the Disk Cleanup utility.
When 90% of the maximum space is taken up, in which case the System Restore algorithm will free up enough space to get to 75% free.
SR is not Add/Remove Programs
The first potential issue with System Restore is a misconception regarding the functions of the SR and Add/Remove Programs features.
System Restore removes only files with monitored extensions, such as .ini, .exe and .dll. Restoring to a point before an application was installed leaves behind stray files that are unmonitored, which may lead to confusion as to why the application was removed but some of its files were left behind.
This will typically affect home users, but can impact some businesses, and is of low impact. Various error messages may be received depending on the application. Most will involve the inability to launch the application or missing files, DLLs, etc.
Symptoms
Application files and directories left behind
Only monitored extensions are removed (.ini, .exe, .dll)
Possible error message regarding the unsuccessful launch of the application
Impact
Low
Home users
If System Restore is used to remove a program instead of Add/Remove Programs, after the restore some files related to the program/application may remain. Users should always use the Add/Remove Programs utility to uninstall an application, not System Restore.
Similarly, removing a program and then restoring the system to a point prior to the installation of that program will not restore all of the files of that program. Some files may be restored, but error messages related to that program may result. The user can then reinstall the application.
Steps to resolve this issue involve the following:
Users will have to find out what files related to the application are still on the system and manually delete them.
Users will have to undo the restoration.
Users will have to use Add/Remove Programs to uninstall/install applications, not SR.
Users will have to reinstall the application and then use Add/Remove Programs to remove it and its files.
For more information, please see Q286143 - The System Restore Utility Does Not Replace All the Files of Removed Programs.
Cause
Application was removed by using System Restore to restore the system to a point where the program was not installed on the system yet.
Resolution
Manually delete applications files remaining on the system.
Undo the restoration.
Use Add/Remove Programs to uninstall/install applications.
Reinstall the application and then use Add/Remove Programs to remove it and its files.
Information
Q286143 - The System Restore Utility Does Not Replace All the Files of
Removed Programs.
Q293388 - HTML Files with .htm Suffixes and Shortcuts Are Displayed on the Start Menu After a Restore Operation.
Space not Reserved for SR
Another possible issue involves the hard disk space that the System Restore data store uses to save restore points. Users may believe that the space allocated to the System Restore data store is not dynamic. In fact, the allocated hard drive space for System Restore is used as needed and is not a reserved block of space.
The impact is low and this issue will typically affect home users and businesses. There are no error messages related to this issue. The resolution to this issue is to explain how System Restore uses the data store space.
Symptoms
No error message
Users may believe space allocated to the SR data store is not dynamic
Allocated hard drive space for SR is used as needed and is not a reserved block of space
Impact
Low; Home users.
User education is the best action to take.
Users may be informed that the data store size is not a reserved space; it is used on demand and always calculated as an effective size. For example, if the data store size was configured to 500MB, of which 200MB has already been used, and the current free hard disk space is only 150MB, then the effective size is 200+150=350MB, not 500MB. In other words, the data store size is always limited by the available free hard disk space.
It is important to note that if disk space utilization encroaches on the data
store size, with non monitored files for example, System Restore's data store
size will always yield to the system.
To access the data store, right-click My Computer, choose Properties, click the System Restore tab, choose the drive whose data store you want to see, and then click Settings. Move the slider to max or min to adjust the data store size.
Information
Q300044 System Restore and Disk Space.
Cause
Misconception.
Resolution
User education.
Data store size is not a reserved space.
It's used on demand.
It's always calculated as an effective size.
Information
Q300044 System Restore and Disk Space.
Q301224 System Restore: Restore Points are Missing or Deleted.
SR Freezes with Low Disk Space
Another potential support issue encountered with System Restore relates to low disk space. When there is insufficient disk space, System Restore can suspend itself, affecting monitoring on all drives. These issues can be encountered by anyone.
The System Restore tab in the System Properties dialog box may indicate that System Restore has been suspended across the entire system due to insufficient free disk space on that drive. Attempts to launch System Restore will generate an error message:
System Restore is suspended because there is not enough disk space available on the system drive (drive letter). To restart System Restore, ensure at least 200MBs of free disk space are available on this drive. Do you want to start Disk Cleanup to free more disk space now?
Yes / No
Symptoms
SR suspended; Error message.
Impact
High; All users.
Suspension of System Restore can occur if the disk space on any monitored
drive falls below 50 MB and an interesting event such as the creation,
deletion, or modification of a system file occurs on the drive.
To resolve this, users must free up at least 200MB of disk space on the partition/drive that is causing System Restore to suspend, or turn System Restore off on that drive. System Restore can be disabled by clicking on the System Restore tab in the System Properties dialog box.
It is important to note that if the drive that is low on disk space is the system drive and System Restore is turned off, it will be disabled on ALL drives.
Information
Q299904 - System Restore Suspended on System Drive Although Enough Space.
Cause
Insufficient free disk space (less than 50 MB) when an interesting event
occurs.
Resolution
Free up 200MB disk space or disable SR.
If SR is disabled on system drive it will be disabled on all drives.
Information
Q299904 - System Restore Suspended on System Drive Although Enough Space.
Q300044 System Restore and Disk Space.
Q301224 System Restore: Restore Points are Missing or Deleted.
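The data store arithmetic from this section and the "Space not Reserved for SR" section (effective size, the 50 MB freeze and 200 MB thaw, FIFO purging when 90% of the maximum is used), as an added example that is not Microsoft's code; restore point sizes are constructed, and the 75% purge target is modelled as 75% of the maximum store size in use.

```python
"""Model of the System Restore data store rules described in this module.

Added example, not Microsoft's code. The thresholds are the ones the text
gives: the store's effective size is capped by free disk space, an
"interesting event" with less than 50 MB free suspends System Restore,
200 MB free lets it resume (no restore point is created for the thaw),
and when the store reaches 90% of its maximum the oldest points are
purged (FIFO) until it is back at 75%. Restore point sizes are constructed.
"""
from collections import deque

FREEZE_BELOW_MB = 50   # suspend when free space is below this and an event occurs
THAW_AT_MB = 200       # resume once this much is free again
PURGE_HIGH = 0.90      # start purging at 90% of the maximum store size
PURGE_LOW = 0.75       # stop purging at 75% (modelling assumption: 75% in use)


def effective_store_size(configured_mb, used_mb, free_mb):
    """The store can never be larger than what is used plus what is still free."""
    return min(configured_mb, used_mb + free_mb)


class DataStore:
    """One monitored drive: its restore points, free space and suspend state."""

    def __init__(self, configured_mb, disk_free_mb):
        self.configured_mb = configured_mb
        self.disk_free_mb = disk_free_mb
        self.points = deque()          # (name, size_mb), oldest first (FIFO)
        self.suspended = False

    @property
    def used_mb(self):
        return sum(size for _, size in self.points)

    @property
    def effective_mb(self):
        return effective_store_size(self.configured_mb, self.used_mb, self.disk_free_mb)

    def interesting_event(self):
        """A create/delete/modify of a monitored file. Returns False if SR is suspended."""
        if self.disk_free_mb < FREEZE_BELOW_MB:
            self.suspended = True
        return not self.suspended

    def consume_disk_space(self, mb):
        """Unmonitored files use the disk: the data store yields to the system."""
        self.disk_free_mb -= mb

    def free_disk_space(self, mb):
        """Disk Cleanup or deleting files; SR thaws at 200 MB and creates no restore point."""
        self.disk_free_mb += mb
        if self.suspended and self.disk_free_mb >= THAW_AT_MB:
            self.suspended = False

    def create_restore_point(self, name, size_mb):
        """None if SR is suspended or the disk is full, else the names of purged points."""
        if not self.interesting_event() or size_mb > self.disk_free_mb:
            return None
        self.points.append((name, size_mb))
        self.disk_free_mb -= size_mb
        return self._purge_if_needed()

    def _purge_if_needed(self):
        limit = self.effective_mb      # used + free does not change while purging
        purged = []
        if self.used_mb < PURGE_HIGH * limit:
            return purged
        while self.points and self.used_mb > PURGE_LOW * limit:
            name, size = self.points.popleft()
            self.disk_free_mb += size
            purged.append(name)
        return purged


if __name__ == "__main__":
    # The module's worked figure: 500 MB configured, 200 MB used, 150 MB free.
    store = DataStore(configured_mb=500, disk_free_mb=350)
    store.create_restore_point("A", 200)
    print("effective size:", store.effective_mb, "MB")   # 350, not 500
```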
Downloaded Files Lost after Restore
The last support issue predicted for System Restore involves downloaded files. After performing a restore, users might find that downloaded files or applications with certain extensions are missing. These issues could be encountered by any user.
Users may lose downloaded files or files with monitored extensions (such as .exe, .ini, .dll) if they are saved in directories other than System Restore's protected directories, such as My Documents or Downloaded Program Files, or to a partition that has System Restore turned off. For example, if Susan downloads download.exe from her email into C:\MyComputer\SusanFiles instead of My Documents, she will be unable to locate her program there after performing a restore.
Although no error message is associated with this issue, users may not be able to find the files they need.
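A small model of the decision described here and in "Data not in a Restore Point" (which files a restore touches, and why Susan's download.exe disappears), as an added example that is not part of this module or Microsoft's code; the XML is a constructed, simplified stand-in for filelist.xml, not its real schema, and the directories and extensions in it are sample values.

```python
"""Predict which files a System Restore roll-back would revert.

Added example for this module, not Microsoft's code. The XML below is a
constructed, simplified stand-in for filelist.xml (the real file's schema
is not reproduced here); what the code implements is the rule the text
gives: a file is touched by a restore only if its extension is in the
include list and it is not under an excluded directory.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
import xml.etree.ElementTree as ET

# Constructed sample policy (not the contents of the real filelist.xml).
SAMPLE_FILELIST = r"""
<FILES>
  <EXCLUDE>
    <DIRECTORY>C:\Documents and Settings\Susan\My Documents</DIRECTORY>
    <DIRECTORY>C:\WINDOWS\Downloaded Program Files</DIRECTORY>
    <DIRECTORY>C:\Documents and Settings\All Users\DRM</DIRECTORY>
  </EXCLUDE>
  <INCLUDE>
    <EXT>exe</EXT>
    <EXT>dll</EXT>
    <EXT>ini</EXT>
  </INCLUDE>
</FILES>
"""


@dataclass(frozen=True)
class RestorePolicy:
    excluded_dirs: tuple        # directories never placed in a restore point
    included_exts: frozenset    # monitored extensions, lower case, no dot


def parse_filelist(xml_text: str) -> RestorePolicy:
    """Read the exclude directories and include extensions from the sample XML."""
    root = ET.fromstring(xml_text.strip())
    dirs = tuple(e.text.strip() for e in root.iter("DIRECTORY"))
    exts = frozenset(e.text.strip().lstrip(".").lower() for e in root.iter("EXT"))
    return RestorePolicy(dirs, exts)


def _parts(path) -> tuple:
    # Case-insensitive comparison, as NTFS path lookups are.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_under(path, directory) -> bool:
    """True when `path` lies inside `directory` (not equal to it)."""
    p, d = _parts(path), _parts(directory)
    return len(p) > len(d) and p[:len(d)] == d


def would_be_reverted(path, policy: RestorePolicy) -> bool:
    """Would restoring to an earlier point change or remove this file?"""
    wp = PureWindowsPath(path)
    if wp.suffix.lstrip(".").lower() not in policy.included_exts:
        return False      # unmonitored extension: user data, a restore leaves it alone
    if any(is_under(wp, d) for d in policy.excluded_dirs):
        return False      # protected location such as My Documents
    return True


def explain(paths, policy: RestorePolicy) -> dict:
    """Map each path to the outcome a user would see after a restore."""
    return {
        p: ("reverted by restore" if would_be_reverted(p, policy) else "left in place")
        for p in paths
    }


if __name__ == "__main__":
    policy = parse_filelist(SAMPLE_FILELIST)
    # Susan's download.exe saved outside My Documents is rolled back; the same
    # file inside My Documents, or a .txt anywhere, is left alone.
    for path, outcome in explain([
        r"C:\MyComputer\SusanFiles\download.exe",
        r"C:\Documents and Settings\Susan\My Documents\download.exe",
        r"C:\MyComputer\SusanFiles\notes.txt",
    ], policy).items():
        print(f"{outcome:20} {path}")
```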
Case Study 4
Jane just used System Restore to remove Application X, which she downloaded from the web. Now she is confused because the application is gone, but she can still find some folders related to the application under C:\Program Files. What might be causing this issue? What options does Jane have for resolution? What KB article can be referenced?
Answer
System Restore should not be used to remove an application unless the user cannot do it via Control Panel > Add/Remove Programs. It might leave unmonitored files and directories behind, which will have to be cleaned up manually.
KB Article: The System Restore Utility Does Not Replace All the Files of Removed Programs (286143)
Resolution
Jane has 4 options. She can manually delete the application's files remaining on the system; undo the restoration and then use Add/Remove Programs to uninstall Application X; use Add/Remove Programs to uninstall Application X; or reinstall the application and then use Add/Remove Programs to remove it and its files.
Resources
Information on System Restore and Password Restoration (Q295050)
Non-administrator user is unable to start System Restore utility (Q283252)
System Restore Tool Displays a Blank Calendar in Windows XP (Q313853)
The System Restore service does not work correctly (Q841568)
System Restore and Service Pack Installation
One of the things to note with the installation of SP2 is that a restore point is created when SP2 is installed. This restore point, however, is not a typical restore point. It is a very robust restore point and will be significantly larger than the restore points generated by an application install (for example, Office creates a restore point during installation) or by manually creating a restore point. If it is necessary to use a restore point after the installation of a Service Pack, only those created with the install of the SP or those created after it should be used.
WFP/SFC
A common issue with Windows has been the ability for shared system files to be overwritten by other programs, causing unpredictable system performance. Windows File Protection (WFP) and Driver Signing prevent the replacement of certain system files, providing the user with more stability.
Objectives
Describe the capabilities of Windows File Protection.
List the 5 processes that can be used to update protected system files.
Describe the interaction between Windows File Protection and Driver Signing.
Explain the 4 unattended installation setup file switches and what they do.
What is WFP?
In some previous versions of Windows, changes made to shared system files would often cause unpredictable system performance, ranging from application errors to operating system crashes. This problem usually affects dynamic link libraries (DLLs) and executable files (EXEs).
Windows File Protection is a Windows XP technology that detects changes to protected system files and restores them to the correct version. This prevents DLL duplication and conflicts. Windows File Protection is either automatic (if the file is located in the cache), or the user can be prompted for the Windows XP CD for the proper files. In addition, WFP has a number of utilities to check WFP issues.
How WFP works
WFP runs in the background on a Windows XP system, detecting when a file replacement is attempted on a protected system file.
First, the list of protected system files is monitored for changes. When a change is detected to a protected file, WFP determines whether the original file resides in the dllcache folder. If it does, the incorrect version is automatically replaced and the replacement attempt is noted in the System event log.
Figure 14: Successful file restoration logged
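Defender-side triage of the WFP entries in an exported System event log, as an added example that is not code from this module; the sample lines, their event IDs and message wording are constructed, modelled on what WFP writes, and not taken from the page.

```python
"""Triage Windows File Protection entries from an exported System event log.

Added example for this module, not Microsoft's code. The event lines are
constructed: the CSV layout, event IDs and message wording are modelled
on what WFP writes to the System log but are not taken from the page.
The defender's questions: which protected files keep being replaced
(something is repeatedly overwriting them), and which could not be
restored and so need the dllcache repopulated or install media.
"""
import csv
import io
import re
from collections import Counter

WFP_SOURCE = "Windows File Protection"

# Message shapes we recognise (constructed, modelled on WFP's event text).
PATTERNS = (
    ("restored", re.compile(r"protected system file (?P<file>\S+?)\. This file was restored", re.I)),
    ("failed", re.compile(r"protected system file (?P<file>\S+?) could not be restored", re.I)),
)

# Constructed sample export: time,source,event_id,message
SAMPLE_LOG = r'''time,source,event_id,message
2004-03-01 10:15:02,Windows File Protection,64002,"File replacement was attempted on the protected system file c:\windows\system32\kernel32.dll. This file was restored to the original version to maintain system stability."
2004-03-01 10:15:03,Service Control Manager,7036,"The Windows Installer service entered the running state."
2004-03-01 10:20:41,Windows File Protection,64002,"File replacement was attempted on the protected system file c:\windows\system32\user32.dll. This file was restored to the original version to maintain system stability."
2004-03-01 10:31:09,Windows File Protection,64002,"File replacement was attempted on the protected system file C:\WINDOWS\system32\KERNEL32.DLL. This file was restored to the original version to maintain system stability."
2004-03-01 10:32:55,Windows File Protection,64004,"The protected system file c:\windows\system32\msvcrt.dll could not be restored to its original, valid version. The file version of the bad file is 7.0.2600.0."
'''


def parse_events(text):
    """Yield dicts with time, source, event_id (int) and message."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "time": row["time"],
            "source": row["source"],
            "event_id": int(row["event_id"]),
            "message": row["message"],
        }


def classify(message):
    """Return (kind, normalised path) for a WFP message, or (None, None)."""
    for kind, pattern in PATTERNS:
        m = pattern.search(message)
        if m:
            return kind, m.group("file").lower()   # NTFS paths are case-insensitive
    return None, None


def triage(text, repeat_threshold=2):
    """Summarise WFP activity: restores per file, failures, repeat offenders."""
    restored = Counter()
    failed = []
    for ev in parse_events(text):
        if ev["source"] != WFP_SOURCE:
            continue                       # other sources are not WFP's business
        kind, path = classify(ev["message"])
        if kind == "restored":
            restored[path] += 1
        elif kind == "failed":
            failed.append((ev["time"], path))
    repeat = sorted(p for p, n in restored.items() if n >= repeat_threshold)
    return {"restored": dict(restored), "failed": failed, "repeat_offenders": repeat}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path in result["repeat_offenders"]:
        print("repeatedly replaced, find what is writing it:", path)
    for when, path in result["failed"]:
        print("not restored, dllcache or install media needed:", when, path)
```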
Microsoft Installer (MSI)
If a Microsoft Installer package needs to have a protected file installed, the Microsoft Installer (or MSI) will detect that the requested file is protected and request WFP to install the correct file version. Once WFP locates the necessary file, it installs the file and returns success to MSI. If the file is not located, WFP will return failure to MSI, which often will cause MSI to roll back the installation. (An MSI rollback will uninstall any files and settings created by the MSI package up to that point.)
WFP Allowable Updates
There are four top Windows File Protection scenarios. Two of these scenarios, application installation and ad-hoc file replacement, are examples of situations where system files will be protected by Windows File Protection. The other two situations are service pack installations and hot fix installations. These are examples of allowed system file updates. Replacement of protected system files will be supported via the following mechanisms:
Windows XP Service Pack installation (UPDATE.EXE)
Windows XP hot fixes installed via HOTFIX.EXE
Operating system upgrade (WINNT32.EXE)
Windows Update
Windows XP Device Manager/Class Installer
Note
WFP protects files, but it does not block write access to %systemroot% and its sub-directories. Protected files updated by any other means will result in the replacement of the unauthorized files by Windows File Protection.
Application Installation
The first scenario is the case of an application installation. There are two cases where an application can cause system files to be replaced, removed or overwritten. The first is during the initial application installation; some applications replace a protected system file with an older version than the one currently installed. The second case is when an application uninstall deletes a protected system file. In both of these cases Windows File Protection will automatically restore the replaced system file.
Service Pack Installation
The second scenario is the case of the service pack installation. Windows File Protection allows protected system files to be updated when using the update.exe program during a service pack installation. What this means is that service pack installations may copy newer versions of protected system files during installation, and that they may remove files during an uninstall of a service pack.
Replacing protected files by means other than those above will result in the unauthorized files being replaced by Windows File Protection.
Hot Fix Installation
The third scenario is the case of a hot fix installation. Just like a service pack installation, Windows File Protection allows the updating of protected system files using the hotfix.exe program. What this means is that hot fix installations may copy newer versions of protected system files during installation, and they may also remove files during an uninstall of a hot fix.
Ad-Hoc File Replacements
The final scenario is the case of ad-hoc file replacements. An ad-hoc file replacement is when a user either deletes or renames a protected operating system file. As a general rule all SYS, DLL, EXE and OCX files that ship on the Windows XP CD-ROM are protected. Any user attempt to modify or delete these files will result in Windows File Protection replacing the incorrect version.
WFP Utilities
The three key utilities for looking at WFP issues are the Signature Verification Tool, or Sigverif.exe, the Sigverif.txt file, and System File Checker. Each of these utilities can be used to help check WFP issues.
The Signature Verification tool (SIGVERIF.EXE) identifies unsigned files on a computer. Using the Signature Verification log (SIGVERIF.TXT), it creates a log of all signed and unsigned drivers. System File Checker (SFC.EXE) scans system files to verify/restore correct versions.
WFP Configuration
The default settings for WFP can be configured through unattended setup parameters.
The [SystemFileProtection] section of the unattended setup information file contains parameters for the Windows File Protection service. If this section is missing or empty, Setup will install Windows File Protection using default values.
Windows File Protection Troubleshooting
Windows File Protection (WFP) prevents the replacement of certain monitored system files. This section discusses how to troubleshoot WFP using System File Checker (SFC) and Signature Verification (sigverif), and some troubleshooting considerations.
System File Checker (SFC)
A command-line utility called System File Checker (SFC.EXE) will allow an Administrator to scan all protected files to verify their versions.
SFC [/SCANNOW] [/SCANONCE] [/SCANBOOT] [/CANCEL] [/QUIET] [/PURGECACHE] [/CACHESIZE=x]
Table 1: SFC.EXE Switches
SFC.EXE Switch    Function Performed
/SCANNOW          Scans all protected system files immediately.
/SCANONCE         Scans all protected system files once.
/SCANBOOT         Scans all protected system files every time the system is restarted.
/CANCEL           Cancels all pending scans of protected system files.
/QUIET            Replaces all incorrect file versions without prompting the user.
/ENABLE           Enables Windows File Protection for normal operation.
/PURGECACHE       Purges the Windows File Protection file cache and scans all protected system files immediately.
/CACHESIZE=x      Sets the size of the Windows File Protection file cache.
System File Checker will also check and repopulate the %systemroot%\system32\dllcache directory. In the event the dllcache directory becomes corrupted or unusable, SFC /SCANNOW, /SCANONCE, /SCANBOOT or /PURGECACHE can be used to fix the contents of the dllcache directory.
Signature Verification
Another useful troubleshooting tool for Windows File Protection is the File Signature Verification Tool, or Sigverif.exe. You can use the Sigverif.exe tool to identify unsigned drivers on a computer running Windows XP.
The SIGVERIF.EXE tool supports the following command-line option to run the default scan without user interaction:
sigverif.exe /defscan
Figure 18: Run Sigverif
When you use this command, a Sigverif.txt log file is created, which contains the following information:
The file's name
The file's location
The file's modification date
The file type
The file's version number
If a file change is detected by WFP and the affected file in use by the operating system is not the correct version and/or the file is not cached in the dllcache directory, WFP will attempt to locate installation media by itself. If that search fails, WFP will prompt the user to insert the appropriate media to replace the file and/or the dllcache copy.
Ensure that you have access to install sources for protected system files in case you are prompted for them.
Summary
In this section we discussed the various troubleshooting tools and considerations for Windows File Protection.
The troubleshooting tools are System File Checker, the File Signature Verification tool, and Event Viewer to view the system logs. Some considerations include cleaning out the dllcache to resolve cache issues, ensuring that you have access to install sources for protected system files in case you are prompted for them, and disabling Windows File Protection either by booting into Safe Mode or using the registry.
Documentation Resources
Solid product documentation is one of the most powerful tools you can use when troubleshooting. The Knowledge Base is the most used single resource for troubleshooting, but unfortunately other in-depth sources can be difficult to find. Below are the key documentation sources you can use to dig deeper into the operating system.
Help and Support
Location: Help and Support on the Start menu.
Windows help content is better than ever in Windows XP, and it should be one of the first places you search when seeking information on a product component. Because of the new Search functionality provided by Help and Support, when you search in the Help interface, you are also searching the public Knowledge Base and Resource Kit documentation.
The results of your search on a released operating system are always public, and thus can be sent to customers to aid them in tasks that may require a detailed explanation.
Help and Support Tools
In addition to documentation resources, Help and Support provides a variety of tools to gather information about the computer, perform diagnostic tasks, and walk through troubleshooting recommendations.
Network Diagnostics is one example of a tool in Help and Support. This interface provides an automated method for troubleshooting TCP/IP connectivity and name resolution issues. With this interface you will see a simple pass/fail indication for the various tests performed, so that you can walk a customer through those results rather than typing a great many troubleshooting commands to gather the same information.
Tests performed include:
Ping the local IP address
Ping the default gateway
Ping the DNS server
Test connection to mail servers
This is just a short list of the tests performed. The results can provide a great deal of information on the network.
Note that the Network Diagnostics interface does not attempt to ping or connect to other computers in the home network. As a result it is more appropriate for Internet connectivity and name resolution testing than for file share issues.
MSConfig
MSConfig.exe is a tool for standard troubleshooting in Windows XP that provides access to the configuration for normal or diagnostic startup, the ability to expand files, access to System Restore, editing of Win.ini and System.ini configurations, modifying your Boot.ini options, configuring the startup of Services, and also disabling startup applications.
You will use MSConfig primarily when you can start the computer in Safe Mode, but normal mode fails. In these cases, you can use MSConfig to stop applications and Services from starting. You can also use it when startup is not configured the way that you would like it to be; for example, if you need a specific Boot.ini option but the person you are working with is uncomfortable with editing Boot.ini directly. In these cases, you can add switches simply by clicking an option in this tool.
Figure 20: System Configuration Utility
The general use of MSConfig is to do additional troubleshooting if a Safe Mode startup functions properly but normal startup fails. It can help stop applications, Services, and System.ini or Win.ini options from being loaded during startup or application initialization, to allow further troubleshooting. One startup configuration that is not provided in MSConfig is for devices. Access to device drivers at startup is not available because the system uses Device Manager to configure, disable, and uninstall devices.
Considerations
The primary consideration when using MSConfig is that it is not a solution; it is a troubleshooting tool. You can use MSConfig to determine the cause of the issue, but you will use other tools to make a permanent fix. To help customers understand this, MSConfig provides a startup message to tell you that you are in a diagnostic startup mode. Do not run in this diagnostic startup mode for regular use; use other troubleshooting tools in order to provide the permanent solution.
For example, a customer calls because he is receiving an error at boot. Using MSConfig to narrow down the scope of your search, you discover that a third-party application is causing the error. MSConfig gives you the Run key for this one Registry value; you then use Regedit to remove or modify this value so that it works properly. Or, you may need to reinstall the application or even uninstall it until an update is available. Editing the registry and uninstalling the application cannot be done with MSConfig, because MSConfig is a diagnostic tool. Once you diagnose the problem, you can choose the proper tool to fix it.
MSInfo32
The Microsoft System Information tool (msinfo32.exe or winmsd.exe) uses WMI to provide comprehensive system information. The output from this tool can be saved to a .NFO file, which is viewed in the System Information interface. Useful support information includes:
- System Summary: OS Version, BIOS Version/Date, Windows Directory, Boot Device, User Name, Time Zone, Total and Available memory, Total and Available virtual memory, Page File location and free space.
- Hardware Resources: DMA, I/O Port addresses, IRQs and Memory ranges used by devices on the system.
- Component Information: For each device in the system MSInfo32 identifies the Type, Status, Driver in use, PnP Device ID, and other device class-specific information such as Transfer rate, INF used to install the driver, and others.
- Storage Information: Drives in the system, Capacity, File System, Disk Controller information.
- Currently Installed Drivers: With driver name, path, driver type, state, startup mode.
- Signed Driver report
- Environment Variables
- Loaded Modules: Lists all currently loaded modules with their version, size, date, manufacturer and path.
- Services: Identifies the name, state, startup mode, path, error control and account name.
- Startup Programs: including path and startup location.
- Windows Error Reporting History
- Internet Settings
- Office Application configuration data
MSInfo32 provides a good general snapshot of the system configuration that can be useful for data gathering when diagnosing issues on a system.
Systeminfo.exe is a new command line tool that makes a subset of this information available from a command prompt. This can be useful for general data gathering on a machine, either local or remote. Significant information includes:
- Operating System Version
- System manufacturer and model information
- Page File size, available space and location(s)
- Hotfixes installed
- Network adapters, with IP configuration
This is a compact set of key system parameters that can be useful when performing data gathering to investigate an issue.
When you find error messages, double-click the event in the log and view the
details, as shown below.
Figure 22 Event Log Error
Use the content of those messages to further troubleshoot the issue. Searching the Knowledge Base and the Internet can provide information to help resolve the problem.
Error Reporting
Error Reporting in Windows XP is the mechanism that sends error details to Microsoft for aggregation and analysis. When receiving an error, you are presented with the interface shown below, with options to Send Error Report or Don't Send.
Figure 23 Error Reporting
Sending the error report uploads error details for analysis. When an issue trend appears, the internal Microsoft team that works with these errors can then investigate further.
If you are encountering an error with a clear resolution, the results of these investigations are provided after sending the report.
When working with customers experiencing application errors or system faults (bluescreen errors), recommend that they upload one or more error reports. If content is available they will be directed to a web page providing more information.
Dr. Watson
Dr. Watson generates an error log when an application is terminated unexpectedly. Dr. Watson for Windows is an error debugging program that gathers information about your computer when a program generates an error (or user-mode fault). By default, the log file created by Dr. Watson is named Drwtsn32.log and is saved in the following location: \Documents and Settings\All Users\Application Data\Microsoft\Dr Watson
For additional information on the Dr. Watson for Windows Tool, please refer to the following article:
KB Article: Description of the Dr. Watson for Windows (Drwtsn32.exe) Tool (308538)
Note: If the customer is unable to note the error message because it disappears too quickly or the computer shuts down immediately after the fault, it is essential to gather the Drwtsn32.log. The error message will be registered in this log.
Here is an example of how Drwtsn32.log can be useful for troubleshooting.
Scenario
A customer calls in reporting that his/her computer crashed while browsing websites. However, the user was unable to gather the error details.
Dr Watson Details
The Drwtsn32.log file includes the following entry, which helps isolate the application experiencing the problem:
Application exception occurred:
App: C:\Program Files\Real\RealOne Player\RealPlay.exe (pid=1624)
When: 7/7/2002 @ 12:42:27.524
Exception number: c0000005 (access violation)
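As an added example (not from the module), a small Python parser for the Drwtsn32.log entry format shown above, which pulls out the faulting application, PID and time and decodes the exception number; the log text is constructed and the NTSTATUS names are the standard Windows ones.

```python
import re
from datetime import datetime

# Constructed Drwtsn32.log excerpt with two entries (the second matches the
# scenario in the module). It is not a log captured from a real machine.
SAMPLE_LOG = r"""Application exception occurred:
        App: C:\WINDOWS\explorer.exe (pid=1104)
        When: 7/6/2002 @ 09:15:02.110
        Exception number: c0000005 (access violation)

*----> System Information <----*
        Computer Name: CONSTRUCTED-PC

Application exception occurred:
        App: C:\Program Files\Real\RealOne Player\RealPlay.exe (pid=1624)
        When: 7/7/2002 @ 12:42:27.524
        Exception number: c0000005 (access violation)
"""

# Well-known NTSTATUS exception codes, used to triage an entry's "Exception number".
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# One entry: the header line followed by App / When / Exception number lines.
ENTRY_RE = re.compile(
    r"Application exception occurred:\s*"
    r"App:\s*(?P<app>.+?)\s*\(pid=(?P<pid>\d+)\)\s*"
    r"When:\s*(?P<when>\d+/\d+/\d+ @ [\d:.]+)\s*"
    r"Exception number:\s*(?P<code>[0-9a-fA-F]+)(?:\s*\((?P<desc>[^)]*)\))?"
)


def parse_drwtsn32(text):
    """Return one dict per 'Application exception occurred' entry, in log order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        code = int(m.group("code"), 16)
        entries.append({
            "app": m.group("app"),
            "exe": m.group("app").rsplit("\\", 1)[-1],
            "pid": int(m.group("pid")),
            "when": datetime.strptime(m.group("when"), "%m/%d/%Y @ %H:%M:%S.%f"),
            "code": code,
            "status": NTSTATUS_NAMES.get(code, "unknown (0x%08X)" % code),
            "desc": m.group("desc") or "",
        })
    return entries


def latest_entry(text):
    """The most recent fault in the log, which is usually the one the caller hit."""
    entries = parse_drwtsn32(text)
    return max(entries, key=lambda e: e["when"]) if entries else None


if __name__ == "__main__":
    e = latest_entry(SAMPLE_LOG)
    print(f"{e['exe']} (pid {e['pid']}) faulted at {e['when']}: {e['status']} ({e['desc']})")
```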
Cacls
Cacls.exe displays or modifies the discretionary access control list (DACL) for files and folders on NTFS volumes. For diagnostic work, cacls is useful in its ability to output the ACLs applied to an object, as well as for command line ACL modifications.
Usage
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
[/P user:perm [...]] [/D user [...]]
filename Displays ACLs.
/T Changes ACLs of specified files in
the current directory and all subdirectories.
/E Edit ACL instead of replacing it.
/C Continue on access denied errors.
/G user:perm Grant specified user access rights.
Perm can be: R Read
W Write
C Change (write)
F Full control
/R user Revoke specified user's access rights (only valid with
/E).
/P user:perm Replace specified user's access rights.
Perm can be: N None
R Read
W Write
C Change (write)
F Full control
/D user Deny specified user access.
Wildcards can be used to specify more that one file in a command.
You can specify more than one user in a command.
Abbreviations:
CI - Container Inherit.
The ACE will be inherited by directories.
OI - Object Inherit.
The ACE will be inherited by files.
IO - Inherit Only.
The ACE does not apply to the current file/directory.
Note: The /E switch is particularly important to understand. By default, cacls replaces the ACL of the specified object. This can be destructive when you simply want to grant one user or group access to an object that already has a complex ACL. If you use /E you will simply add an entry, rather than creating a new ACL.
Sample Commands
The first example displays the current ACL for the D:\data folder on the server:
Cacls D:\data
The following command grants the user abeebe Change rights to the file D:\Data\File.xls:
Cacls D:\data\file.xls /E /G abeebe:C
To remove a user or group from the ACL, use the /R switch together with /E, as shown below:
Cacls D:\data /E /R mycorp\salesgroup
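An added example, not code from the module: a Python parser for the display output of Cacls that decodes the CI/OI/IO and permission abbreviations from the usage text above, plus a check of which existing entries a /G issued without /E would wipe out. The sample ACL text is constructed.

```python
import re

# Constructed sample of what "Cacls D:\data" displays; not captured from a real server.
SAMPLE_CACLS_OUTPUT = r"""D:\data BUILTIN\Administrators:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
        MYCORP\salesgroup:(OI)(CI)(IO)R
        BUILTIN\Users:(CI)R
"""

# Permission letters and inheritance abbreviations exactly as cacls prints them.
PERMS = {"N": "None", "R": "Read", "W": "Write", "C": "Change (write)", "F": "Full control"}
FLAGS = {"CI": "Container Inherit (inherited by directories)",
         "OI": "Object Inherit (inherited by files)",
         "IO": "Inherit Only (does not apply to this object)",
         "DENY": "deny ACE"}

# One ACE: account:(FLAG)(FLAG)perm; the account may contain spaces (NT AUTHORITY\SYSTEM).
ACE_RE = re.compile(r"^(?P<account>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[NRWCF])$")


def parse_cacls(text):
    """Return (path, aces) from cacls display output; each ACE is a dict.

    Assumes the object path has no spaces: cacls prints the path, one space
    and the first ACE on the same line, and the remaining ACEs one per line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    path, _, first_ace = lines[0].partition(" ")
    aces = []
    for entry in [first_ace] + lines[1:]:
        m = ACE_RE.match(entry)
        if not m:  # "(special access:)" entries and their right names are kept raw
            aces.append({"account": None, "flags": [], "perm": None, "raw": entry})
            continue
        flags = re.findall(r"\(([A-Z]+)\)", m.group("flags"))
        aces.append({"account": m.group("account"), "flags": flags, "perm": m.group("perm")})
    return path, aces


def describe(ace):
    """Readable form of one ACE using the abbreviations from the cacls usage text."""
    if ace.get("raw"):
        return ace["raw"]
    flags = ", ".join(FLAGS.get(f, f) for f in ace["flags"]) or "this object only"
    return f"{ace['account']}: {PERMS[ace['perm']]} [{flags}]"


def entries_lost_without_e(aces, grant_account):
    """Entries that "Cacls <object> /G user:perm" WITHOUT /E would discard.

    Without /E cacls replaces the whole ACL with the single granted entry, so
    every existing entry for another account disappears; with /E it is added."""
    return [a for a in aces if a.get("account") and a["account"] != grant_account]


if __name__ == "__main__":
    path, aces = parse_cacls(SAMPLE_CACLS_OUTPUT)
    print(f"ACL for {path}:")
    for ace in aces:
        print("  " + describe(ace))
    lost = entries_lost_without_e(aces, r"MYCORP\abeebe")
    print(f"Entries a /G without /E would remove: {len(lost)}")
```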
Support Tools
The Support Tools are a set of troubleshooting tools that are provided on both the Windows XP Home Edition and Professional CDs. For information on the individual Support Tools, see the online help and Readme.htm located in the Support Tools folder. The Support Tools in Windows XP are provided for advanced diagnostics and troubleshooting.
Tools Included
The Support Tools contain a wide variety of diagnostic, troubleshooting and administration tools. Some highlights include the Application Compatibility Toolkit; the Dependency Walker (Depends.exe), which provides information about file dependencies for any WIN32 executable or DLL; NetCap.exe, which is a command line network monitor capture utility; Poolmon.exe, the memory pool monitor; SPcheck.exe, the Service Pack check utility; and XCACLS, which displays access control lists (ACLs) for files and folders. For more information on each tool, consult the syntax guide using the /? switch.
Installation
You can install the Support Tools using Setup.exe located in the \Support\Tools directory on the Windows XP CD-ROM. By default, the tools are installed to your \Program Files\Support Tools directory, but you can change this destination using the Custom installation option. In total, the installation takes about 8 MB of disk space.
RASDiag
Location: RASDiag is included in the Windows XP Support Tools.
This is an advanced tool that collects diagnostic information about dial-up, VPN and PPPoE connections and places that information in a file. Customers can use this tool to work with Product Support Services to troubleshoot remote connection issues by taking a snapshot of the configuration data and capturing an attempted remote connection.
Note:
Because RASDiag is a data collection tool, it is only useful when the customer has a way of sending you the resulting data file. The data file also requires analysis, so this is not a tool that is useful while on a live call with a Consumer customer.
- Contents of C:\WINDOWS\TRACING\RASIPCP.LOG
- Contents of C:\WINDOWS\TRACING\RASIPHLP.LOG
- Contents of C:\WINDOWS\TRACING\RASNBFCP.LOG
- Contents of C:\WINDOWS\TRACING\RASPAP.LOG
- Contents of C:\WINDOWS\TRACING\RASTLS.LOG
- Contents of C:\WINDOWS\TRACING\Router.LOG
- Contents of Connection Manager Logs
- Contents of C:\WINDOWS\ModemLog*.TXT
- Contents of C:\WINDOWS\DEBUG\oakley.log
- IP Configuration for each interface (IPConfig /all)
- Routing Table (Netstat -r)
- Ethernet Statistics (Netstat -e)
- IP, TCP and UDP Statistics (Netstat -s)
- Active connections (Netstat)
- Contents of System and User PBK
- Last 10 events from the Security log
- Process information (PIDs and a list of Services loaded in each process)
Because it provides such a wide variety of logging, and captures network traffic on all local interfaces, RASDiag is a key tool for troubleshooting remote connectivity.
Windiff
Windiff.exe is a tool that has been around for a long time and is included in the Support Tools. It's designed to highlight the differences between two files based on a line by line comparison. It is particularly useful for comparing .REG files and output from command line tools such as sc queryex type= all state= all to identify differences.
The following example shows Windiff results of a comparison between SC.EXE output from two different machines. The first change identified is the state of the Windows Audio Service.
Figure 24: Windiff
The results in Expanded view display common contents with a white background. Entries that are in the Left side file (the first file opened) but not the Right side file are displayed with a Red background. Entries that are in the Right hand file but not the Left hand file are displayed with a Yellow background.
With that information we can interpret the results above to mean that the Windows Audio service is running on the machine from which Std_SC.txt was captured, but stopped on the Ent_SC.txt machine.
Windiff is most useful for the following type of comparison:
- Comparing an exported registry branch from a working machine with the same branch from a broken machine.
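An added example, not part of the module: the same comparison done in Python on sc queryex type= all state= all output, keyed by service state so that PIDs and exit codes (which a line-by-line Windiff also flags) do not show up as differences. Both outputs below are constructed.

```python
import re

# Constructed excerpts of "sc queryex type= all state= all" output from two machines
# (not captured output). As in the Windiff figure, Windows Audio is running on the
# Std machine and stopped on the Ent machine.
STD_SC = """SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        PID                : 1040

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING
        PID                : 1320
"""

ENT_SC = """SERVICE_NAME: AudioSrv
DISPLAY_NAME: Windows Audio
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        PID                : 0

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING
        PID                : 1288

SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        STATE              : 1  STOPPED
        PID                : 0
"""

STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+(\w+)", re.M)
DISPLAY_RE = re.compile(r"^DISPLAY_NAME:\s*(.+?)\s*$", re.M)


def parse_sc_queryex(text):
    """Map SERVICE_NAME -> {"display", "state"} from sc queryex output."""
    services = {}
    for block in re.split(r"(?m)^SERVICE_NAME:[ \t]*", text):
        if not block.strip():
            continue  # text before the first SERVICE_NAME line
        name = block.splitlines()[0].strip()
        display = DISPLAY_RE.search(block)
        state = STATE_RE.search(block)
        services[name] = {"display": display.group(1) if display else name,
                          "state": state.group(1) if state else "UNKNOWN"}
    return services


def diff_services(left, right):
    """Differences by service state only. PIDs and exit codes, which a line-by-line
    Windiff would also flag, are deliberately ignored as noise."""
    changed = {n: (left[n]["state"], right[n]["state"])
               for n in sorted(left.keys() & right.keys())
               if left[n]["state"] != right[n]["state"]}
    return {"changed": changed,
            "left_only": sorted(left.keys() - right.keys()),    # Windiff: red
            "right_only": sorted(right.keys() - left.keys())}   # Windiff: yellow


if __name__ == "__main__":
    print(diff_services(parse_sc_queryex(STD_SC), parse_sc_queryex(ENT_SC)))
```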
Recovery Console
Recovery Console's purpose is for repairing installations that will no longer boot into Windows XP normally or with Safe Mode. You can boot into the Recovery Console to attempt to make modifications that will allow Windows XP to boot normally. This is not designed as a Data Recovery mechanism. Safe Mode is the preferable way of accessing Windows XP, but there are some situations where access to Windows XP may not occur even with Safe Mode. Under these situations use the Recovery Console.
When you use the Windows Recovery Console, you can obtain limited access to the NTFS file system, FAT, and FAT32 volumes without starting the Windows graphical user interface (GUI). In the Windows Recovery Console, you can:
- Use, copy, rename, or replace operating system files and folders.
- Enable or disable service or device startup the next time that you start your computer.
- Repair the file system boot sector or the Master Boot Record (MBR).
- Create and format partitions on drives.
Note: Only an administrator can obtain access to the Windows Recovery Console so that unauthorized users cannot use any NTFS volume.
Secure Access
Recovery Console requires an Administrator password before accessing the hard drives unless no valid Windows NT based OS is found. In the past, you selected the Administrator password when Recovery Console was installed, and the password did not automatically update when it was changed in the GUI, nor could it be changed from within Recovery Console. This problem has been corrected. The Administrator password for Recovery Console now updates automatically when changed from within Windows XP.
Limited Access to the Drive
To further alleviate security concerns, once the administrator is logged on to the system they do not have full access to the drive and are not allowed to copy files from the drives to removable media.
By default, users only have access to the \Windows directory for the installation to which you are logged on, as well as the root directory of the drive, removable media, and the Recovery Console source, either on the CD or the \cmdcons directory if it is installed on the hard drive.
Removable media access is read-only by default. Policy settings are available, which can modify the behavior of removable and local drive access rules.
For more information, please refer to the following article.
KB Article: How to add more power to Recovery Console by using Group Policy in Windows XP Professional (310497)
Note: This article is only applicable to Windows XP Professional as the functionality of Group Policy is NOT available in Home Edition.
Recovery Console vs. Safe Mode
Safe Mode is the preferable way to do repairs to the system; however, there will be occasions when none of the Safe Mode options will allow access to the system. This can be on systems with NTFS drives as the system and boot volumes, where a critical device driver has been removed, overwritten, or corrupted and needs to be replaced before the system will boot.
Using Recovery Console
To use Recovery Console, you should be familiar with the process for starting Recovery Console, logging on to an installation, and performing key troubleshooting actions.
Note: this document does not present complete coverage of all commands in Recovery Console. Rather, the focus is on the most common troubleshooting actions performed. For information on all commands available in Recovery Console, see the following article:
KB Article: Description of the Windows XP Recovery Console (314058)
Starting Recovery Console
Recovery Console can be started three ways:
- From the Windows XP CD
- From the Boot Floppies
- If it is installed on the hard drive, it can be selected from the boot menu at start up.
From the CD-ROM
Boot to the CD-ROM. Press a key when you see the message to Press any key to boot from CD. If this message does not appear, the BIOS boot order may need to be changed.
The next screen offers the option to Repair or Install. You can press ENTER to
set up Windows XP or you can press R to start Recovery Console.
Figure 25: Press R to Start Recovery Console
The above step should not be confused with the Repair installation step. To run a Repair installation you would press ENTER at the above prompt, and then press R to run Repair.
Recovery Console starts by listing Windows installations found on the drives available on the computer. This list will not include Windows 95/98/Me. Select an installation by entering the number listed to the left as shown below.
Figure 26 Select Installation
While you cannot walk a customer through the process of configuring the BIOS boot order, you can indicate to them what kind of setting they can look for. This setting is typically listed as Boot Device, Boot Priority, Boot Order, or similar text. The customer should set the CD-ROM device as first in the boot order.
IMPORTANT: It is important to set the customer's expectations that you cannot guide them through this process, and that they perform these steps at their own risk. Risks include: misconfiguration of the hard disk settings resulting in no ability to access the drive, and other boot failures. While unlikely, data loss is also a remote possibility.
If you are not able to boot the computer from a Windows XP CD, an alternative is to download the files to create Setup Boot Disks.
From the Boot Floppies
If you are unable to configure the computer to boot from the Windows XP CD, you can use information in the following article to download the Setup Boot floppy disk images as an alternative:
KB Article: How to obtain Windows XP Setup boot disks (310994)