Syngress is committed to publishing high-quality books for IT professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.
CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.
Visit us at www.syngress.com
tion (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Winternals Defragmentation, Recovery, and Administration Field Guide
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN: 1-59749-079-2
Publisher: Andrew Williams
Acquisitions Editor: Gary Byrne
Technical Editor: Dave Kleiman
Cover Designer: Michael Kavish
Page Layout and Art: Patricia Lupien
Copy Editor: Audrey Doyle
Indexer: Nara Wood
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights,
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Technical Editor
Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE) has worked in the information technology security sector since 1990. Currently, he is the owner of SecurityBreachResponse.com and is the Chief Information Security Officer for Securit-e-Doc, Inc. Before starting this position, he was Vice President of Technical Operations at Intelliswitch, Inc., where he supervised an international telecommunications and Internet service provider network. Dave is a recognized security expert. A former Florida Certified Law Enforcement Officer, he specializes in computer forensic investigations, incident response, intrusion analysis, security audits, and secure network infrastructures. He has written several secure installation and configuration guides about Microsoft technologies that are used by network professionals. He has developed a Windows operating system lockdown tool, S-Lok (www.s-doc.com/products/slok.asp), which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines.
Dave was a contributing author to Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 1-932266-52-6). He is frequently a speaker at many national security conferences and is a regular contributor to many security-related newsletters, Web sites, and Internet forums. Dave is a member of several organizations, including the International Association of Counter Terrorism and Security Professionals (IACSP), International Society of Forensic Computer Examiners® (ISFCE), Information Systems Audit and Control Association® (ISACA), High Technology Crime Investigation Association (HTCIA), Network and Systems Professionals Association (NaSPA), Association of Certified Fraud Examiners (ACFE), Anti Terrorism Accreditation Board (ATAB), and ASIS International®. He is also a Secure Member and Sector Chief for Information Technology at The FBI’s InfraGard® and a Member and Director of Education at the International Information Systems Forensics Association (IISFA).
Contributing Authors
Lawrence Abrams is the CTO for Thorn Communications, an Internet service provider based in New York City that focuses on managed services for colocation customers at its three data centers. Lawrence manages the technical and security operations as well as being involved in the day-to-day operations of the business. He is involved with the deployment and monitoring of intrusion prevention systems, intrusion detection systems, and firewall systems throughout Thorn’s network to protect Thorn’s customers. Lawrence is also the creator of BleepingComputer.com, a Web site designed to provide computer help and security information to people with all levels of technical skills. With more than a million different visitors each month, it has become a leading resource to find the latest spyware removal guides.
Lawrence’s areas of expertise include malware removal and computer forensics. He is active in the various online antimalware communities where he researches new malware programs as they are released and disseminates this information to the public in the form of removal guides. He was awarded a Microsoft Most Valuable Professional (MVP) in Windows security for this activity.
Lawrence currently resides in New York City with his wife, Jill, and his twin boys, Alec and Isaac.
Nancy Altholz (MSCS, MVP) is a Microsoft MVP in Windows Security. She is a security expert and Wiki Malware Removal Sysop at the CastleCops Security Forum. As Wiki Malware Removal Sysop, she oversees and authors many of the procedures that assist site visitors and staff in system disinfection and malware prevention. As a security expert, she helps computer users with various Windows computer security issues. Nancy is currently coauthoring Rootkits for Dummies (John Wiley Publishing), which is due for release in August 2006. She was formerly employed by Medelec’s Vickers Medical Division as a Software Engineer in New Product Development. Nancy holds a master’s degree in Computer Science. She lives with her family in Briarcliff Manor, NY.
Kimon Andreou is the Chief Technology Officer at Secure Data Solutions (SDS) in West Palm Beach, FL. SDS develops software solutions for electronic discovery in the legal and accounting industries. SDS is also a provider of computer forensic services. His expertise is in software development, software quality assurance, data warehousing, and data security. Kimon’s experience includes positions as Manager of Support & QA at S-doc, a software security company, and as Chief Solution Architect for SPSS in the Enabling Technology Division. He also has led projects in Asia, Europe, North America, and South America. Kimon holds a Bachelor of Science in Business Administration from the American College of Greece and a Master of Science in Management Information Systems from Florida International University.
Brian Barber (MCSE, MCP+I, MCNE, CNE-5, CNE-4, CNA-3, CNA-GW) is coauthor of Syngress Publishing’s Configuring Exchange 2000 Server (ISBN: 1-928994-25-3), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), and two study guides for the MCSE on Windows Server 2003 track (exams 70-296 [ISBN: 1-932266-57-7] and 70-297 [ISBN: 1-932266-54-2]). He is a Senior Technology Consultant with Sierra Systems Consultants Inc. in Ottawa, Canada. He specializes in IT service management and technical and infrastructure architecture, focusing on systems management, multiplatform integration, directory services, and messaging. In the past he has held the positions of Senior Technical Analyst at MetLife Canada and Senior Technical Coordinator at the LGS Group Inc. (now a part of IBM Global Services).
Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/network security. He writes frequently for many technical publications and Web sites.
I want to thank my wife, Nicki, for her support and dedication as I worked on this project. She is my “Sunshine” and my inspiration. I also want to thank Gary Byrne and Dave Kleiman for inviting me to participate on this project and for their unending patience as we worked to put it all together.
Daniel Covell (CCNA, MCP) is a Senior Systems Analyst at Sharp HealthCare in San Diego. Sharp HealthCare is an integrated regional health-care delivery system that includes four acute-care hospitals, three specialty hospitals, and three medical groups. Sharp has more than 14,000 employees and represents $1 billion in assets and $1.4 billion in revenue. Daniel is a key team member in supporting more than 10,000 desktops and thousands of PDAs, laptops, and tablets.
Daniel has more than 13 years of experience in desktop support, network support, and system design. He has worked for government agencies, large outsourcing projects, and several consulting firms. His experience gives him a very broad understanding of technology and its management.
Daniel also owns a small computer consultancy business and currently resides in El Cajon, CA, with his wife, Dana.
Daniel wrote the section of Chapter 5 titled “Advanced Disk Fragmentation Management (Defrag Manager).”
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is an IT Project Leader and Systems Manager at the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Windows 2000 and 2003 Active Directory design and implementation, troubleshooting, and security topics. Laura has more than a decade of experience with Windows computers; her previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She is a contributor to the TechTarget family of Web sites and to Redmond Magazine (formerly Microsoft Certified Professional Magazine).
Laura has previously contributed to the Syngress Windows Server 2003 MCSE/MCSA DVD Guide & Training System series as a DVD presenter, author, and technical reviewer, and is the author of the Active Directory Consultant’s Field Guide (ISBN: 1-59059-492-4) from APress. Laura is a three-time recipient of the prestigious Microsoft MVP award in the area of Windows Server—Networking. Laura graduated with honors from the University of Pennsylvania and also works as a freelance writer, trainer, speaker, and consultant.
Laura wrote Chapter 3 and was the technical editor for Chapters 5 and 6.
Mahesh Satyanarayana is a final-semester electronics and communications engineering student at the Visveswaraiah Technological University in Shimoga, India. He expects to graduate this summer and has currently accepted an offer to work for Caritor Inc., an SEI-CMM Level 5 global consulting and systems integration company headquartered in San Ramon, CA. Caritor provides IT infrastructure and business solutions to clients in several sectors worldwide. Mahesh will be joining the Architecture and Design domain at Caritor’s development center in Bangalore, India, where he will develop software systems for mobile devices. His areas of expertise include Windows security and related Microsoft programming technologies. He is also currently working toward administrator-level certification on the Red Hat Linux platform.
Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management.
Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit’s Police-to-Business-High-Tech speakers’ initiative and assists with Internet forensics.
Darren Windham (CISSP) is the Information Security lead at ViewPoint Bank, where he is responsible for ensuring compliance with GLB, FFIEC, OTS, FDIC, and SOX regulations, as well as managing technology risks within the organization.
Darren’s previous experience in technology includes network design, system configuration, security audits, internal investigations, and regulatory compliance. He has also worked as a security consultant for local companies, including other financial institutions. His background also includes system administration for manufacturing firms and one of the dot-coms of the late 1990s. Darren was a reviewer for the book Hacking Exposed: Computer Forensics (McGraw-Hill Osborne Media, ISBN: 0-07225-675-3).
Darren is a member of Information Systems Audit and Control Association® (ISACA), North Texas Electronic Crimes Task Force (N-TEC), and the North Texas Snort User Group.
Companion Web Site
Some of the code presented throughout this book is available for download from www.syngress.com/solutions. Look for the Syngress icon in the margins indicating which examples are available from the companion Web site.
Contents
Foreword xxiii
Chapter 1 Recovering Your Computer with ERD Commander 1
Introduction 2
Utilizing ERD Commander 2
Creating the ERD Commander Boot CD 2
Using ERD Commander Recovery Utilities 14
Booting a Dead System 16
Being the Locksmith 17
Accessing Restore Points 20
Removing Hotfixes 25
Summary 31
Frequently Asked Questions 33
Chapter 2 Examining Your Computer 35
Introduction 36
Exploring Process Activity with Process Explorer 36
Default Display Explanation 36
The Upper Pane 37
The Lower Pane 37
The Toolbar Buttons 38
The Mini-CPU Graph 38
Examining Process Resource Consumption 39
Viewing and Controlling Process Activity Using Process Explorer 45
Process Explorer’s Control Features 45
File 46
Options 46
View 47
Process 48
Find 48
DLL/Handle 48
Users 49
Help 49
Viewing Process Information and Controlling Process Activity 49
The Process Context Menu 49
The Process Properties Dialog 50
The Shortcut Toolbar 51
Significant Toolbar Shortcut Functions 52
General Malware Symptoms Recognizable by Process Explorer 52
Packed Images 52
Exploring Program Autostart Locations Using Autoruns 57
Describing the Main Window View 59
What the Column Headers Mean 60
Understanding the Display Feature Groupings 61
Everything 61
Logon 61
Explorer 62
Shell Extensions 63
Internet Explorer 63
Services 63
Drivers 63
Scheduled Tasks 63
Image Hijacks 64
AppInit DLLs 64
Boot Execute Native Images 64
Known DLLs 65
WinLogon Notifications 65
Winsock Providers 65
LSA Providers 65
Printer Monitor .66
Using the Autoruns Menu Functions 66
Options 66
File 67
What’s in the Autoruns Log 68
Registry and Folder Autostart Locations Monitored by Autoruns 69
Newly Reported Startup Entry Slated for Next Version of Autoruns 72
Researching an Autostart Item 73
The Dynamic Duo: Using Autoruns and Process Explorer Together to Troubleshoot Startups and Combat Malware 74
Requirements 74
Investigating Autoruns Startups 75
Example 1 75
Example 2 78
Example 3 82
Example 4 84
Step 1: Download and Install AntiHookExec.exe 86
Step 2: Change the PATH Environment Variable 86
Step 3: Launch Autoruns and Process Explorer 86
Step 4: View Autoruns for Relevant Entries 87
Step 5: View Process Explorer for Relevant Entries 90
Step 6: Stop and Delete the hxdef Service, and Then Reboot 92
Step 7: Delete the hxdef Files and Registry Autostarts 94
Step 8: Remove the Malware Payload 95
Example 5 96
Other Examples of Malware That Uses Nontraditional Hidden Startups Locatable in Autoruns 102
The SmitFraud Trojan 102
The Vundo Trojan 104
Using File Compare in Autoruns to Diagnose Changes in Startups 104
Most Common Malware Starting Locations 105
Other Common Malware Startup Locations 106
Summary 107
Solutions Fast Track 108
Frequently Asked Questions 111
Chapter 3 Checking the Security of Your Computer 113
Introduction 114
Viewing the Security Settings of Your Resources (AccessEnum) 114
Understanding File and Directory Access Rights 114
Configuring Access Control Lists 115
Configuring Permissions Inheritance 118
Understanding Registry Access Rights 120
Using AccessEnum and Interpreting Its Results 122
Comparing Permissions over Time 125
Listing the Users with Access to Encrypted Files (EFSDump) 126
Running EFSDump and Interpreting Its Results 127
Moving/Deleting Files in Use on Reboot (PendMoves, MoveFile) 128
Running PendMoves 129
Running MoveFile 130
Viewing Shared Resources and Their Access Permissions (ShareEnum) 131
Running ShareEnum and Interpreting Its Results 132
Investigating Suspicious Local Files (Sigcheck) 135
Running Sigcheck and Interpreting Its Results 135
Searching for Installed Rootkits (RootkitRevealer) 138
Scanning a Computer for Rootkits 140
Removing a Rootkit 143
Summary 146
Solutions Fast Track 146
Frequently Asked Questions 149
Chapter 4 Computer Monitoring 151
Introduction 152
Viewing Users Who Are Logged On and What They’re Doing 152
Using PsLoggedOn to See Logged-On Users 152
Real-World Examples 154
Using LogonSessions to Find Information about a Logged-On User 155
Understanding Logon Sessions 156
Using LogonSessions.exe to View Current Windows Sessions 156
Understanding the Output of LogonSessions.exe 157
Using Tokenmon to Monitor a User’s Security Tokens 161
What Is a Token? 161
Impersonation and Its Importance 162
Configuring and Running Tokenmon 163
Understanding Tokenmon’s Output 165
Setting Up Filters 167
Practical Uses of Tokenmon 168
Finding Open Resources and the Processes That Are Accessing Them 168
Using PsTools to Examine Running Processes and Files 168
Remotely Monitoring Open Files with PsFile.exe 169
Monitoring Processes with PsList.exe 172
Real-World Examples 176
Using Handle to Determine What Local Files a User Has Open 178
Downloading and Using Handle 179
Searching for Handles 181
Closing Handles 181
Real-World Example 182
Using Filemon to Monitor Real-Time File System Activity 182
Configuring Filemon 184
Selecting the Volumes to Monitor 185
Understanding Filemon’s Output 186
Setting Up Filters 190
Real-World Examples 192
Viewing All Registry Activity with Regmon 196
A Brief Introduction to the Windows Registry 197
Using Regmon to Monitor Real-Time Activity in the Registry 199
Configuring Regmon 201
Understanding Regmon’s Output 201
Setting Up Filters 205
Examining the Registry during the Windows Boot Sequence in an NT-Based Operating System 208
Real-World Examples 209
Summary 212
Solutions Fast Track 212
Frequently Asked Questions 214
Chapter 5 Disk Management 217
Introduction 218
Managing Disk Fragmentation (Defrag Manager, PageDefrag, Contig, DiskView) 218
Managing Pagefile Fragmentation 220
Removing PageDefrag Manually 222
Optimizing Frequently Accessed Files 223
Defragmenting Multiple Files Using Contig 226
Creating Optimized Files Using Contig 228
Using DiskView to Locate Fragmented Files 229
Making Contig an Environment Variable 231
Advanced Disk Fragmentation Management (Defrag Manager) 232
Installing Defrag Manager 232
Running the Defrag Manager Schedule Console 234
Adding Workstations and Servers to Schedules 242
Working with Schedules 243
The Client 243
Command-Line Defragmentation 244
Reporting 245
Getting Extended File/Disk Information
DiskExt 247
Understanding Basic Disks 248
Understanding Dynamic Disks 248
Using DiskExt to Determine Extensions 249
DiskView 250
Finding a File’s Cluster Properties 250
Finding the MFT Zone 251
NTFSInfo 252
LDMDump 254
Analyzing the Partition Layout Using LDMDump 254
Finding Volume Information Using LDMDump 255
Disk Volume Management (NTFSInfo, VolumeID, LDMDump) 257
Getting Extended NTFS Information 257
Using NTFSInfo to Get MFT Details 260
Metadata Files and NTFSInfo 261
Investigating the Internals of the Logical Disk Manager 261
Looking inside the LDM Database 263
Managing Volume IDs 268
Managing Disk Utilization (Du, DiskView) 270
An Easier Way to Find Large Directories 271
Finding Space Utilized by User Documents and Applications 272
Viewing Where Files Are Located on a Disk 272
Viewing NTFS Metadata Files from DiskView 273
Summary 276
Solutions Fast Track 277
Frequently Asked Questions 278
Chapter 6 Recovering Lost Data 281
Introduction 282
Recovering Data Across a Network (Remote Recover) 282
Remote Data Recovery 282
Remote Disk Recovery 283
Recovering Files (FileRestore) 284
The File Restoration Process 284
Recovering the Files 285
Recovering Data with NTRecover 287
Local File Restoration 287
Caveats and Pitfalls 287
Advanced Data Recovery and Centralized Recovery (Recovery Manager) 288
Recovery Points 288
Precision Repair 292
System Rollback 292
Restoring Lost Active Directory Data (AdRestore) 293
Restoration Methodologies 293
How AdRestore Works 294
Summary 295
Solutions Fast Track 295
Frequently Asked Questions 296
Chapter 7 System Troubleshooting 299
Introduction 300
Making Sense of a Windows Crash (Crash Analyzer Wizard) 300
Running the Crash Analyzer Wizard 300
Crash Analyzer Wizard Prerequisites 301
Using the Crash Analyzer Wizard 301
Taking Corrective Action 306
Install Updated Driver 307
Find a Workaround 307
Disable the Driver 307
Real-World Example 308
Identifying Errant Drivers (LoadOrder) 308
Running the Utility and Interpreting the Data 308
Execute LoadOrder 309
Interpret LoadOrder Results 310
Real-World Example 310
Detecting Problematic File and Registry Accesses (FileMon, Regmon) 311
Problematic File Accesses 311
Installing FileMon 311
Configuring FileMon 312
Real-World Example 315
Problematic Registry Accesses 316
Installing Regmon 316
Using Regmon 316
Real-World Example 318
Analyzing Running Processes (PsTools) 319
Methodologies 319
Listing Process Information 319
Stopping a Process 321
Putting It All Together (FileMon, RegMon, PsTools) 322
Finding Suspicious Files 323
Digging Deeper with RegMon 323
Wrapping It Up with PsTools 324
Summary 325
Solutions Fast Track 325
Frequently Asked Questions 328
Chapter 8 Network Troubleshooting 331
Introduction 332
Monitoring Active Network Connections (TCPView, Tcpvcon, TCPView Pro) 332
TCPView 332
Tcpvcon 335
TCPView Pro 343
Performing DNS and Reverse DNS Lookups (Hostname) 344
Domain Name Addressing 344
How Hostname Works 345
Getting Public Domain Information (Whois) 346
Internet Domain Registration 346
Running Whois and Interpreting the Results 346
Identifying Problematic Network Applications (TDIMon, TCPView Pro) 351
Using the Tools to Find and Correct Issues 353
IRP Life Cycle 355
TDI Commands 356
Summary 360
Solutions Fast Track 360
Frequently Asked Questions 362
Chapter 9 Tools for Programmers 363
Introduction 364
Implementing a Trace Feature (DebugView) 364
Using a Trace Feature During Application Development/Debugging 365
Using a Trace Feature While in Deployment 365
Sample Trace Feature Implementations 366
Identifying I/O Bottlenecks (Filemon, Regmon, Tokenmon, Process Explorer) 368
CPU Utilization 369
Viewing Loaded Objects 370
Benchmarking File, Registry, and Token Accesses 372
Isolating Areas for Optimization 373
Analyzing Applications (Process Explorer, Strings) 374
Examining a Running Application 374
Running Threads 374
Open Sockets 376
Open Handles 376
Finding Embedded Text 376
I Wonder How It’s Doing That 378
Debugging Windows (LiveKd) 379
Debugging a Live Windows System 380
A Programmer’s View of a System Crash 381
Tracking Application Configuration Problems (Process Explorer, Tokenmon) 382
Listing Active Security Credentials 382
Verifying That the Correct Files and Modules Are Loaded 384
Summary 386
Solutions Fast Track 386
Frequently Asked Questions 388
Chapter 10 Working with the Source Code 391
Introduction 392
Overview of the Source 392
Tools with Source Code 392
IDE and Languages Used 394
Porting Considerations 394
Compiling the Source 396
Warnings and Errors 396
Sample Derivative Utilities 397
Simple Keyboard Filters 398
Keyboard Sniffer 401
l33tspeak Filter 404
License Uses 405
Personal Use 407
Commercial Use 407
Summary 408
Solutions Fast Track 408
Frequently Asked Questions 410
Chapter 11 NT 4.0-Only Tools 413
Introduction 414
Optimizing an NT 4.0 System (CacheSet, Contig, PMon, Frob) 414
File System Optimization 414
CacheSet 415
Contig 418
Process Optimization 420
PMon 421
Frob 423
Recovering Data (NTRecover) 425
Recovering Lost or Damaged Data 427
Fixing a Damaged Volume 432
Accessing a Windows NT 4.0 NTFS Volume from a FAT File System Volume 432
Diagnosing a Windows 2000 NTFS Volume from Windows NT 4.0 (NTFSCHK) 434
Running NTFSCHK 435
Summary 436
Solutions Fast Track 436
Frequently Asked Questions 438
Chapter 12 Having Fun with Sysinternals 441
Introduction 442
Generating a Blue Screen of Death on Purpose (BlueScreen) 442
Installing BlueScreen 442
Setting Up the BlueScreen Screensaver 443
Let the Fun Begin 444
Modifying the Behavior of the Keyboard (Ctrl2cap) 445
Installing and Using Ctrl2cap 445
Uninstalling Ctrl2cap 446
How It Works 446
Creating Useful Desktop Backgrounds (BgInfo) 447
Customizing Displayed Data 447
Configuring BgInfo Using the Menu Options 449
Running BgInfo from the Command Line 451
Bypassing the Login Screen (Autologon) 452
Setting Up Autologon 453
Enabling and Disabling Autologon 453
Summary 454
Solutions Fast Track 454
Frequently Asked Questions 456
Index 459
Foreword
Six years and seven months ago, Winternals brought forth a set of tools that came to my rescue. It was November of 1999 when I purchased my first Winternals Administrator’s Pak. It contained BlueSave Version 1.01, ERD Commander Professional Version 1.06, Monitoring Tools (FileMon and Regmon) Enterprise Editions Version 1.0, NTFSDOS Professional Version 3.03, NTRecover Version 1.0, and Remote Recover Version 1.01. We had a Windows NT 4 server in the dead zone. I spent a few hours reading over the ERD and Remote Recover user guides, created a “client floppy” (yes, this was when we still had to use floppies), and began my quest. Thank goodness that version of ERD had the ability to access NT-defined fault-tolerant drives, because within a few hours we had recovered the system and were back up and running. Since my Windows NT administrator experience began in 1996, I thought back on hundreds of incidents that made me wish I had purchased Winternals sooner.
We have come a long way since then; the Winternals team has improved upon and added many tools and features to the Administrator’s Pak utilities. However, one thing remains the same—in the Microsoft administrator’s world, Winternals
a great time working together and throwing ideas, and some jokes, around at each other. We set out with a goal of writing about the Winternals and Sysinternals tools in real-world situations administrators can and will face on a daily basis, with the hope of making your jobs easier. The result was the Winternals Defragmentation, Recovery, and Administration Field Guide. All of the authors have worked extremely hard to put together a book that we hope you will find useful and enjoyable.
We begin with ERD Commander 2005 and then step through recovering your computer (what a change from back in 1999 to now). We then give you an overview of utilizing the tools for various tasks, such as locating and removing malware, troubleshooting, configuring security, recovering data, working with the source code to create useful tools, and working with NT 4.0-only tools. We wrap things up with a chapter about having fun with the Sysinternals tools. Heck, we have to have some fun in our jobs, and what better way than giving your fellow sysadmin gray hair with some fake BSODs!
All of us, and I imagine many of you, would like to thank Mark Russinovich, Bryce Cogswell, and the Winternals team for putting together these utilities, giving us the fine selection of freeware tools, and making the lives of Microsoft administrators around the globe that much easier. In addition, we would like to thank Syngress for giving us the opportunity to get this information out to the community.
—Dave Kleiman, Owner of SecurityBreachResponse.com and Chief Investigator, Secure Data Solutions, LLC
Chapter 1
Recovering Your Computer with ERD Commander 2005
Solutions in this chapter:
■ Utilizing ERD Commander 2005
■ Booting a Dead System
■ Being the Locksmith
■ Accessing Restore Points
■ Removing Hotfixes
ERD Commander is one of the finest compilations of emergency utilities for Microsoft systems administrators. With its graphical and command-line environments, which can access any Windows NT file system from a bootable CD in a Windows-like environment, it is an integral part of the Windows administrator’s toolbox. There have been many times that I have been greeted by the Blue Screen of Death after installing a hotfix, and it was ERD that came to the rescue.
If there is one thing Winternals software is known for, it is its capability to bring dead systems back to life. Do not get me wrong: Winternals software is capable of doing so much more than that, but I am convinced that if you asked 100 network administrators of Windows servers what Winternals software is known for, they would say it is known for recovering a server that has fallen and cannot get up. Whether it is diagnosing Windows crashes, finding malware, remotely recovering files off a dead system, fixing registry mishaps, or gaining access to a system you have been locked out of, ERD is there for you.
Utilizing ERD Commander 2005
ERD Commander 2005 is the crown jewel of Winternals’ latest version of the Administrator’s Pak. To help you get started, the ERD Commander 2005 Boot CD Wizard will guide you through the task of creating the most appropriate bootable CD for your environment. Once you have tailored the boot CD to your requirements and tastes, you can boot the system and begin to grasp the power that is at your fingertips. In subsequent sections, we will delve into booting into the ERD Commander 2005 desktop interface and we will discuss the use of three of the most commonly used utilities for recovering an inaccessible or unresponsive system.
Creating the ERD Commander 2005 Boot CD
The ERD Commander 2005 Boot CD is not the main tool in the network administrator or desktop support professional’s toolbox; it is the toolbox. The team at Winternals has created a powerful collection of tools and has made them available in a single location, accessible from a familiar and easy-to-use interface. In terms of the tasks you would perform to recover an inaccessible or unresponsive system, you should have everything you need on the CD. In this section, we will walk through the process of creating the boot CD, and customizing ERD Commander 2005 to suit your needs.
Assuming you have the Winternals Administrator’s Pak already installed, you can proceed to the wizard that configures and creates the ERD Commander 2005 Boot CD, which is located in the Winternals Administrator’s Pak program group (select Programs | Administrators Pak | ERD Commander 2005 Boot CD Wizard). After double-clicking the Program Group item to launch the wizard, you will be presented with the “Welcome…” screen shown in Figure 1.1.
Figure 1.1 Launching the ERD Commander 2005 Boot CD Wizard
Click the About button to display ERD Commander 2005 version information. Click the Next button to proceed to the screen for accepting the Winternals license (see Figure 1.2). Note that the Next button is disabled until you accept the license agreement; you must accept the license agreement to continue progressing through the wizard. Click the “Yes, I accept…” radio button and click Next to continue. Clicking “No, I do not accept…” will terminate the wizard.
Figure 1.2 Accepting the License Agreement
The next screen displays the licensing information that you entered when you originally installed the Winternals Administrator’s Pak. The expiration date is worth noting (see Figure 1.3). You will most commonly use this software under difficult circumstances, and it would be awful for the software license to expire and the software to be unsupported or disabled just when you need to use it. Click the Next button to continue.
Figure 1.3 Verifying the Licensing Information
Configuring & Implementing…
A Boot CD in Every Pot
The range of hardware that is available on the market produces an infinite number of possible hardware combinations. Combine this with the varying roles of the different hardware (workstations and servers), and before long you will start to identify a requirement for specific types of boot disks. The configuration of the boot disk will depend on the types of management and recovery activities you need to perform, the mass storage and network controller drivers required, and most important, how much power you are willing to grant to the individuals who will be using the boot disk. The tools available in ERD Commander 2005 are powerful, and in untrustworthy hands (due to inadequate training, experience, or judgment) they can do as much (or more) damage than they can be used for good. In this section, pay special attention to the needs of your technology environment, your organization, and especially security, as you configure the ERD Commander 2005 Boot CD.
At this stage of the wizard, you will need to extract and prepare files so that you can configure and tailor them to your requirements in subsequent stages. Clicking the Next button will launch the file extraction process, shown in Figure 1.4.
Figure 1.4 Extracting the Files Required for the Boot CD
At this stage in the wizard we are starting to configure the boot CD, beginning with boot options (see Figure 1.5). The first boot option will cause the CD to boot straight into ERD Commander 2005. The second option is to boot into the Remote Recover client. The third option will present a selection screen (seen in Figure 1.20) and will prompt the user to boot into either the ERD Commander 2005 desktop interface or the Remote Recover client. Option number three (dual-mode operation) provides the most flexibility and will be the most desirable option for most network administrators. Click the radio button for the desired option and click the Next button to continue.
Figure 1.5 Setting Up the Boot Options for the CD
At this stage in the wizard, the process splits into two paths that rejoin at a later step. If you selected the first option (“Always boot to ERD Commander 2005”), you will proceed into configuring the ERD Commander 2005 user interface. Choosing the second option (“Always boot as a Remote Recover client”), shown selected in Figure 1.6, will skip ERD Commander 2005 configuration and will take you through the process of configuring Remote Recover. If you selected dual-mode operation, ERD Commander 2005 will be configured first, before Remote Recover.
Figure 1.6 Configuring a Remote Recover Client Boot CD
Remote Recover uses User Datagram Protocol (UDP) over Ethernet to access the server that needs to be revived (as opposed to NTRecover, which uses RS-232 [serial] connectivity over a null-modem serial cable; NTRecover will be discussed in detail in Chapter 11). As seen in Figure 1.7, the Remote Recover Options screen involves setting the UDP port number and restricting file system access on the client from the boot CD to read-only. Read-only access is sufficient for recovering data from the client system. If you need to add, rename, modify, or delete files on the client system, leave the checkbox empty, which is the default setting. Click the Next button to continue.
WARNING
You should not change the port number unless you absolutely need to do so in order to comply with firewall policies in your organization. If you do change the port number, make note of it and use it when configuring the client boot disk. You need the port numbers on both the client and the host boot disks to set up the network connection.
Figure 1.7 Setting Remote Recover UDP Port and Disk Access Options
You configure the options for controlling access to the client system on the Remote Recover Security screen (see Figure 1.8). Since the purpose of this part of the wizard is to configure the client system boot disk—the boot disk that is used to boot the system to be recovered—the options establish the conditions under which functioning systems can connect. Functioning systems will need to run the host software, at a minimum. The first option will permit connections from any system running the host software. The second will permit a connection from a system that is using the particular boot disk you are creating. The third option will permit connections from any system running the host software as long as the correct password is provided. The password field will be enabled when you click on the radio button for the third option. Once you have chosen the desired option, click the Next button to continue. This concludes the configuration of Remote Recover. The next screen after this stage, Additional Mass Storage Drivers, is shown in Figure 1.12.
Figure 1.8 Configuring Remote Recover Security
If you had opted to boot ERD Commander 2005 (refer back to Figure 1.5), you would have proceeded directly to the first stage in configuring the ERD Commander 2005 user interface, displayed in Figure 1.9. This stage involves selecting what tools you want to be available on the boot disk. All included components will be available from the Start menu in the ERD Commander 2005 desktop and through the Solution Wizard. By default, all tools are included. Once you have finished adding and removing the listed components, click the Next button to continue.
Figure 1.9 Equipping the Boot CD with Recovery and Management Tools
You have two options for configuring Crash Analyzer support. Choosing the first option will install the debugging tools on the boot CD. You can use the default debugging tool offered in the available field (see Figure 1.10) or you can use the “…” button at the right of the field to navigate to the appropriate directory where your desired debugging tool is located. If Microsoft’s “Debugging Tools for Windows” is not installed or the wizard cannot locate the package, the Next button will be disabled, forcing you to select the second option. For option number two, you will use the debugging tool on the partition that hosts the Windows installation you will be attempting to recover. If the files required by the Crash Analyzer are missing or corrupted in the Windows installation directory, you are out of luck. The safest option is the first one. Select the desired option’s radio button and click Next.
screen and download the package, click the Cancel button to terminate the wizard, install it, and rerun the wizard. You could trust the Debugging Tools on the client system, but if the file system is not intact or if the package was not installed on it, you will wish you had included it on the boot disk.
Figure 1.10 Configuring Crash Analyzer Support
On the Password Protection screen, you have the option of preventing unauthorized use of the CD by enforcing the use of a password before being able to access the ERD Commander 2005 desktop interface. Do not take this screen lightly. ERD Commander 2005 presents a level of access to a system that may be dangerous in the hands of an untrained or reckless individual, such as resetting passwords, which is demonstrated later in this chapter when we discuss being the locksmith. If unauthorized use of the CD is possible, choose the second option and enter an identical password in both fields (see Figure 1.11). Click the Next button to continue.
WARNING
The password is only for preventing access to the CD and is specific to the boot disk. You cannot use these credentials for authenticating to Windows.
Figure 1.11 Securing the ERD Commander 2005 Boot CD
This is the stage where the two configuration processes (as dictated by the options you chose in Figure 1.5) rejoin. The next two screens permit the addition of drivers for mass storage devices and network controllers, or network interface cards (NICs). By default, the boot disk is equipped with a vast array of the most common device drivers. If you use specialized or less common controllers, or if you suspect that your device may be newer than the vintage of supplied mass storage drivers, you should add them here. Click the Add Device button to specify the required drivers (see Figure 1.12). You will be asked for a location where the driver files are stored. You can specify as many drivers as you think you will need. Click the Next button to proceed to adding network controller drivers.
Figure 1.12 Adding Mass Storage Drivers
If you are planning to use ERD Commander 2005 to recover virtual servers in a VMware environment, add the mass storage and network drivers that are added when you install VMware Tools in the guest operating system.
There is a good chance that you do not need to add anything on this screen; however, as stated earlier in this chapter, if you use NICs that are newer than your version of the Administrator’s Pak or you are using an esoteric network device, it is a good idea to add the driver as a precaution. The boot CD is equipped by default to support many network controller drivers and will use all of its drivers to attempt to bring up a NIC, not simply the ones you add on the screen. Once you have added the required network controller drivers, click the Next button to continue (see Figure 1.13).
Figure 1.13 Adding NIC Drivers
On this screen, you have the opportunity to add any additional files you think you might need to use to recover a system (see Figure 1.14). One suggestion would be to add a screen capture utility to generate screenshots while recovering the system in case you need to document what you have done. You will need to aggregate them in a single directory first, and then, using the Explore button, specify the directory. Once you have provided the location, click the Next button to continue.
Figure 1.14 Specifying Additional Utilities to Add on the Boot CD
You are almost done. On the Write CD Image File screen (as seen in Figure 1.15), you can accept the default location or select the location where you want the CD image to be written. The Browse button will bring up an Explorer window for you to navigate to the desired directory. You are free to change the filename to something more significant; however, it is imperative that you preserve the .iso filename extension. Click Next to begin the CD image creation process, as seen in Figure 1.16.
Figure 1.15 Specifying the Location of the CD Image File
A typical image that is configured using all of the default settings is approximately 153 MB in size, and occupies only about 25 percent of the capacity of a typical consumer-grade blank CD-R. You can use any CD-R, CD-RW, DVD-R, or DVD-RW media. Identify the media that your systems can boot from before selecting the media. It would be awful if you went to recover a system with ERD Commander 2005 burned to DVD-RW media, only to find out that the system is not equipped with a drive that accepts DVD media. CD-R is probably the safest option because it is the most universally recognized.
Figure 1.16 Creating the Boot CD Image
If the “Burn to the following CD recordable drive now” selection is not available (see Figure 1.17), your recording device is not natively supported by the wizard. In that case, the image will be saved to your hard disk, and you can transfer the image using third-party software. Selecting “View supported recordable CD devices” will display the vast list of CD-R, CD-RW, DVD-R, and DVD-RW drives that are natively supported by ERD Commander 2005.
Figure 1.17 Transferring the CD Image to Blank CD Media
If your drive is supported, click Next to create the CD. You will be prompted to insert blank media into your recordable CD device, and you will see the progress of the image transfer process (see Figure 1.18). If your drive is not supported, you can use your favorite CD burning software to burn the .iso image to a blank CD or DVD.
Figure 1.18 Completing the ERD Commander 2005 Boot CD Wizard
This is the final stage in the ERD Commander 2005 Boot CD Wizard. The Explore button in Figure 1.18 will open Windows Explorer to the directory specified just above the button. If the CD creation could not be completed, you may be able to launch the appropriate application from a context menu in the Explorer window. Failing that, you can do so from the Start menu. At this point, your individually tailored boot disk is complete. You are now ready to boot a system and start using the ERD Commander 2005 utilities.
Using ERD Commander 2005 Recovery Utilities
If you left all of the components selected on the Tool Selection step of the wizard, they will be available from one of the three tool-related Program Groups on the Start menu in the ERD Commander 2005 desktop environment. Table 1.1 lists the Program Groups and where the tools are located.
Table 1.1 ERD Commander 2005 Program Groups and Tool Names
Program Group          Tool Name
Administrative Tools   Autoruns (described in Chapter 2)
                       Disk Management
                       Event Log
                       RegEdit
                       Service and Driver Manager
                       System Info
Networking Tools       File Sharing
                       Map Network Drive
                       TCP/IP Configuration