NTFSDOS
The most popular utility on the Systems Internals Web site is NTFSDOS. NTFSDOS is a file system driver that provides read-only access to NTFS drives from DOS, Windows 9x, and Windows 3.x. NTFSDOS is popular for two reasons. The first is that NTFSDOS provides a means for accessing files on the NTFS drives of systems that won't boot. Booting a system from a standard DOS boot disk will give you access to files on a system's FAT drives, but NTFS drives are inaccessible from outside NT without a third-party driver. Once you have access to the NTFS files, you can salvage them by copying them off the nonbootable system.
The second reason for NTFSDOS's popularity is that the utility allows for the sharing of files and applications between NT and Windows 9x or Windows 3.x in a dual-boot environment. NTFS drives are invisible to Windows 9x and Windows 3.x, but NTFSDOS makes the NTFS drives appear to these systems as standard (although read-only) drives.
NTFSDOS has prompted Microsoft to add an encryption facility to NTFS in Win2K. Because NTFSDOS doesn't honor NTFS file security, you can boot a system off an NTFSDOS boot disk and access otherwise secure NTFS files on the system's hard disk (see "NTFSDOS Poses Little Security Risk," September 1996, to learn why NTFSDOS doesn't exploit holes in NT security). Microsoft is introducing Encrypting File System (EFS), which prevents NTFSDOS from reading sensitive files.
NTFSDOS's connection with NT internals occurs only through the tool's interpretation of NTFS on-disk data structures. Otherwise, NTFSDOS is a DOS terminate-and-stay-resident (TSR) program that hooks DOS's network file system callouts to interface DOS (and Windows) to NTFS volumes. Source code to NTFSDOS isn't available, but you can learn about NTFS's on-disk structures from my January 1998 column, "Inside NTFS," or by studying the source code to a read-only NTFS file system driver for Linux that is available through http://www.informatik.hu-berlin.de/~loewis.
NewSID
In my June 1998 article, "NT Rollout Options," I describe a security problem that cloning NT installations can cause. Cloning is a popular technique for quickly rolling out identical NT system configurations to multiple workstations throughout an enterprise. The security problem arises from the fact that SIDs of local accounts derive from the SID of the computer on which the accounts reside. The NT setup process assigns a computer's SID, and if you clone a system from a computer whose SID is already assigned, the clone will have the original computer's SID. Therefore, local accounts on cloned systems will have identical SIDs, resulting in the inability of NT's security mechanism to distinguish between the users of two cloned computers. Users associated with accounts on cloned computers can access files and other resources belonging to other users. The solution to this problem is to change the SID of a cloned computer, which also changes the SIDs of the computer's accounts.
Several companies have developed SID changers to accompany their disk-cloning software, and Bryce and I have developed a SID-changing tool, NewSID, which QuarterDeck Software distributes as part of its system cloning utility. We supply NewSID on the Systems Internals Web site with full source code, which reveals how the utility finds and updates a computer's SID, and the way it updates all references to a particular system's SID. References that refer to a local account exist in any NTFS file and in Registry security settings; therefore, NewSID must traverse every Registry key and NTFS file on a computer to assign a new SID.
Also, you can use NewSID to move NT 4.0 Backup Domain Controllers (BDCs) between domains. Domain controllers from the same domain share the same computer SID, so to move a controller to a new domain, you simply give the BDC the SID of the new domain and let the domain synchronize the BDC. You can tell NewSID to copy a SID from another computer instead of randomly generating a SID, so that it matches that of a PDC or BDC.
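To make the SID relationship described above concrete, here is an added example (not NewSID's own source, which is on the Systems Internals site) that encodes SIDs in their binary Registry/security-descriptor layout, checks whether a SID is a local account derived from a given machine SID, and performs the prefix substitution a SID changer must apply to every security descriptor it traverses. The machine SIDs and RIDs are constructed sample values.

```python
import struct

# Constructed sample values, not taken from the article: an "original" and
# a freshly generated machine SID plus a local account RID.
OLD_MACHINE = "S-1-5-21-1234567890-987654321-1122334455"
NEW_MACHINE = "S-1-5-21-2718281828-3141592653-1618033988"

def parse_sid(text):
    """Split 'S-rev-auth-sub1-...' into (revision, authority, [subauthorities])."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % text)
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]

def sid_to_bytes(text):
    """Encode a SID in the binary layout used in Registry and NTFS security
    descriptors: revision, sub-authority count, 48-bit big-endian authority,
    then each sub-authority as a little-endian DWORD."""
    rev, auth, subs = parse_sid(text)
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw, offset=0):
    rev, count = struct.unpack_from("<BB", raw, offset)
    auth = int.from_bytes(raw[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, offset + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def is_local_account(sid, machine_sid):
    """Local account SID = machine SID plus one trailing RID."""
    _, _, subs = parse_sid(sid)
    _, _, msubs = parse_sid(machine_sid)
    return len(subs) == len(msubs) + 1 and subs[:len(msubs)] == msubs

def retarget_blob(blob, old_machine, new_machine):
    """Rewrite the machine SID and every local-account SID in blob so they
    carry new_machine instead of old_machine; well-known and domain SIDs
    are left alone. Assumes both machine SIDs have the same number of
    sub-authorities, so the binary length does not change."""
    old_b, new_b = sid_to_bytes(old_machine), sid_to_bytes(new_machine)
    assert len(old_b) == len(new_b)
    # An account SID has one more sub-authority than the machine SID, so its
    # header byte 1 is count+1; bytes 2.. are identical to the machine SID's.
    old_pat = bytes([old_b[0], old_b[1] + 1]) + old_b[2:]
    new_pat = bytes([new_b[0], new_b[1] + 1]) + new_b[2:]
    blob = blob.replace(old_b, new_b)
    return blob.replace(old_pat, new_pat)
```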
Useful Tools
I hope you'll find the tools I've described valuable additions to your NT toolkit, helping you solve problems and learn more about the way NT works. You'll find additional similar tools at the Systems Internals Web site.
Particularly, I can’t read enough of Mark Russinovich’s articles. The author (in collaboration with Bryce Cogswell at http://www.sysinternals.com) saves the NT analyst community time and effort by supplying us with utilities such as HandleEx and Filemon (not to mention Regmon and others). And, he updates them!
The author’s NT Internals: “Inside NT Utilities” (February) highlights some basic troubleshooting tools that I’ve put to use many times, especially recently when I had to troubleshoot an Internet Information Server (IIS)-based Web application from a third-party developer. Without such tools, professionals like me would spend our days turning on file and object access auditing for everything and wading through lines upon lines of event logs.
--James Haefele, August 06, 1999