Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


September 1999

Recovering from NT Startup Failures, Part 1


From the September 1999 Edition
of Windows IT Pro
Sean Daily
Feature
InstantDoc #7076
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Backup and Recovery Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    Think Parallel

An alternate/parallel NT installation. Using an alternate/parallel NT installation to recover the Registry is my favorite solution. Booting an alternate NT installation lets you access NTFS-based volumes on the system that would otherwise be inaccessible, and a parallel installation gives you access to the primary installation's Registry files so that you can repair or replace them. (You can also gain this type of access by using ERD Commander from Systems Internals at http://www.sysinternals.com or NTFSDOS from Winternals Software at http:// www.winternals.com.) After you boot to an alternate installation, you can perform the same actions that you can perform using NT Repair, but with more flexibility and options. Although this method isn't the solution Microsoft recommends, I think it's the best Registry repair process for advanced NT users. (For more information about parallel NT installations, see the sidebar "Think Parallel.")

Before you begin, make a backup copy of the Registry files. I usually back up the existing files into a subdirectory of the folder that contains the Registry files (e.g., \%systemroot%\system32\ config\backup). After you back up the files, you can experiment with replacing individual Registry hive files. However, you can't simply copy the replacement versions, because the ERD and \%systemroot%/repair folder store these files in compressed format. To use the files, employ the expand.exe command to manually expand them. For example, to expand a compressed copy of the SYSTEM hive from an ERD or the \%systemroot%\repair folder, type the following command at an NT or DOS command prompt:

expand system._ system

Copy the resulting file to the \%systemroot%\system32\config folder of the primary installation, and reboot the system.

If you don't want to deal with compressed files, you can use the Microsoft Windows NT Server 4.0 Resource Kit regback.exe utility to maintain extra copies of the Registry. This handy tool makes a backup that contains all the system Registry hive files in uncompressed format. In addition, this tool automatically backs up the SAM and SECURITY hives, so you don't have to worry about using special switches. However, regback.exe's uncompressed Registry copies consume a lot of space and might not fit on a 3.5" disk. The safest place to store regback.exe-created Registry backups is on a partition other than the NT boot partition—preferably a partition on a different physical hard disk. For maximum protection against hardware-related failures that render the Registry hive files inaccessible, store an extra copy of each server's Registry on a different system.

Overwritten or Corrupted Files
One of NT 4.0's serious downfalls is its use of shared system files, which third-party application vendors can freely overwrite with out-of-date or otherwise incompatible support files. In addition, NT doesn't do much to protect itself against the replacement of other key system files, such as system services' files and drivers. In some cases, these conflicts are merely annoying because they cause unwanted errors or application failures. However, this type of problem can result in the inability to start NT. (Windows 2000—Win2K—removes some of this risky exposure by privatizing application DLLs and providing greater protection from overwriting critical system files.)

To repair damaged or incompatible files on an NTFS volume, you can use a parallel NT installation or NT Setup's Repair process. To repair FAT volumes, you can use a DOS or Windows 9x boot disk to access the volume.

Replacing files from a parallel installation is easier if you know which files are invalid or damaged. As a disaster-prevention measure, create an installation source on your hard disk or a CD-ROM that contains copies of the latest core NT system files for the service pack on your system. If you're running a parallel NT installation that you patched to the same service-pack level as the primary installation, you can use that installation as your source. However, if your parallel installation isn't the same service-pack level as your primary installation, create a separate directory that contains the latest versions of the primary installation's files.

To use NT Setup's Repair process to replace damaged or conflicting files, select the Verify Windows NT system files option when Setup presents you with the list of repair options. Microsoft intended this feature to let you quickly identify files that are different from the original NT installation files. However, an NT installation that you've installed a service pack on causes Setup to list most files as unoriginal because the service pack has modified them. Thus, your best bet is to instruct Setup to replace all nonoriginal files by selecting the A option and reapplying the latest service pack after NT is back up and running.

Alternatively, you can replace NT system files with original versions using NT Setup's upgrade option to reinstall NT. Although some users circumvent the previous NT Setup Repair process and jump into an upgrade installation, I don't recommend this solution for several reasons. First, the upgrade process usually takes much longer than the repair process. Second, the upgrade process is more involved and poses greater risks to your system. Finally, if an upgrade installation successfully resolves your original problem, it will probably cause a tcpip.sys blue screen error (i.e., STOP error 0x00000050). When you install NT 4.0 or NT 4.0 SP1 over NT 4.0 SP2 or later, the installation doesn't replace the SP2 or later version of tcpip.sys. Thus, the driver fails the base version of NT or NT SP1. To avoid this mess, first use the NT Setup Repair process' Verify Windows NT system files option to replace the existing files with the original versions. If NT Setup's Repair process doesn't resolve the boot problem, you can run the NT Setup upgrade option without fear of the tcpip.sys blue screen, because NT Setup's Repair process has replaced the SP2 or later version of tcpip.sys with the original version.

An Ounce of Prevention
The difference between a quick fix and a major nightmare is often one preparatory step. Tools, such as parallel NT installations and additional backup copies of the Registry, improve your chances of resolving NT startup failures. Therefore, be sure that your servers are always prepared for the worst.

Next month, I'll discuss the third most common cause of NT startup blue screens: an autostarting service or driver that causes a STOP blue screen when it initializes. I'll teach you about some additional recovery tricks, including a method for remotely repairing the Registry of a failed installation from within a parallel NT installation. In addition, I'll show you third-party tools that can bail you out of trouble when a system won't boot.

End of Article

   Previous  1  [2]  Next  


Reader Comments
I don't know how you do it- but just when I start to worry about something, I pick up an NTMagazine and there you are with the answer. Its amazing how you get right into the worry part of my brain and know just when and what I am worrying about.

Funny thing is this time - I was catching up on older issues I hadn't had a chance to read and bingo! The first one I picked up there was this article answering the very question I had been asking but hadn't had time to act on formulating a written plan - What should be my plan of action in case of a server failure.

Thanks NT Mag. You saved me hours - you generally do.

Suzanne Foubert
Systems Administator
Baylor College of Medicine
Houston, Texas

Suzanne Foubert October 29, 1999

Excellent article. This answered a few questions that had been bothering me. Keep up the good work.

Ruben Rodriguez November 01, 1999

I just want to let you know how much
I appreciate Sean Daily's "Recovering from NT Startup Failures, Part 1" (September 1999). As a beginner who is working toward completing my six exams for an MCSE, I found the article very practical. I'm looking forward to part 2.

Jackie Molen December 13, 1999

<i>Part 2 appears in the November 1999 issue (page 83), and I hope you find the article equally helpful. Part 2 delves into several disaster preparation and recovery topics that I didn't have space for in part 1.<br><br>

--­Sean Daily</i>

Sean Daily December 13, 1999

After reading "Recovering from NT Startup Failures, Part 1," I thought you might help me with a specific problem. In a stressful moment, one of our customers changed the permissions on the system share C$, setting System to No Access. Now she has an infinite boot on the server--­it boots and boots and boots! My customer tried an Emergency Repair Disk (ERD) without any luck. The entire Microsoft BackOffice product line is installed on the server, and accessing SQL Server 7.0 and the databases is a major concern. Is there any way to help my customer? In the article, the author refers to ERD Commander and NTFSDOS--­is it too late to use these tools?

Bo Heegaard December 13, 1999

<i>You can recover from this situation in several ways, but the easiest way is to have your customer install a parallel installation of Windows NT. While your customer is booted under that installation, have her set whatever permissions are necessary to get the original installation back up and running. After she can boot back into the original installation, she can use Fixacls from the Microsoft Windows NT Server 4.0 Resource Kit to restore the original permissions on the \%systemroot% folder and its subdirectories.<br><br>

--­Sean Daily</i>

Sean Daily December 13, 1999

Sean Daily's "Recovering from NT Startup Failures, Part 1" (September 1999) is very informative, but I'd like to know more about troubleshooting Windows NT's memory dump file. If I forward dump-file output to Microsoft, I usually get an answer, but it doesn't help me update my knowledge. Can you provide some guidelines for tracing problems in a memory dump file?

Prasanna Ghanekar December 13, 1999

<i>Unfortunately, I can't claim to be an expert at interpreting memory dump files. In the 7 years that I've been working with NT, I've never encountered a situation in which examining a memory dump file proved useful. However, I've successfully recovered from dozens of STOP errors on various NT systems.
The average network administrator will find blue screen information more helpful than a memory dump. The blue screen information contains valuable information about the drivers and services present in memory and the specific STOP error that halted the system. Your best bet is to concentrate on what changed just before the blue screen and which error message you received. Researching (e.g., in the Microsoft Knowledge Base, Deja.com, newsgroups) other occurrences of the particular STOP error is often the most efficient way to resolve problems.
Microsoft provides the memory dump file primarily for software developers, rather than users or network administrators. The dump file provides to developers a real-world stack dump from a customer site that might yield clues about whether a service or driver participated in a particular problem. However, sending these files to the software developer is often impractical because the files are so large. I've found that most developers aren't interested in receiving or analyzing these files, and even Microsoft has recently changed its policies about sending in dump files. Luckily, Windows 2000 (Win2K) makes the memory dump file more useful: You can pare down the file to a minimal set of information that can be more helpful to Microsoft and third-party developers. Perhaps with this change, memory dump files will become more useful. <br>><br>

--­Sean Daily </i>

Sean Daily December 13, 1999

Thank you very much for the advice in Sean Daily's "Recovering from NT Startup Failures, Part 1" (September 1999). The author mentions that creating a parallel Windows NT installation provides you with a back door to your system when your primary installation is down. I have several questions about parallel installations. Why can't I just use the boot disk that I created instead of a parallel NT installation? From the NT Setup's Repair options, I have the opportunity to inspect the Registry files. If I choose the \%systemroot%\repair folder instead of the Emergency Repair Disk (ERD), which one has the most recent files?
--­Thomas Leung

Thomas Leung February 16, 2000

<i> Although you can use an NT startup disk in some cases (e.g., a file required to start NT, such as NTLDR, is corrupted or missing; the boot sector is damaged), this strategy wouldn't help in many other situations. For example, if files in the \winnt folder are damaged or the problem involves the Registry, using an NT boot disk won't help. In these cases, the parallel installation will let you access the NTFS boot volume and make the necessary repairs to files or the Registry.
In regard to your second question, the files in the \%systemroot%\repair folder and those on the ERD will usually be the same. Of course, that's assuming that you opted to update the ERD the last time you ran Rdisk (choosing to update is an option, not a requirement). NT first makes a compressed copy of the Registry into the repair folder on the hard disk, then copies those files to a 3.5" disk during the ERD creation process. However, if you have an out-of-date ERD or you didn't update the ERD during the last execution of Rdisk, the hard disk-based copy would be the most recent version.
--­Sean Daily </i>

Sean Daily February 16, 2000

 See More Comments  1   2 

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

Windows 7 Sets Sales Record

Microsoft CEO Steve Ballmer described Windows 7's first ten days of sales as "fantastic" while in Japan yesterday. ...
Related Articles Recovering from NT Startup Failures, Part 2
Storage Whitepapers Turn to a Proven Server and Storage Migration Solution

The Impact of Disk Fragmentation on Servers

Take Control of Your Email: Understand the Business Reasons for Email Storage Management
Related Events Disk-to-Disk Grows Up

WinConnections and Microsoft® Exchange Connections

Check out our list of Free Email Newsletters!
Storage eBooks A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs

Keeping Your Business Safe from Attack: Encryption and Certificate Services
Related Storage Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement