Send us your tips and questions. You can also visit Bob Chronister's online Tricks & Traps at http://www.winntmag.com/forums/index.html.
Many of the questions I receive relate to system security, protection, and maintenance. Some users don't think Windows NT is scalable or ready for the enterprise, but others see NT as succeeding in becoming a serious network and power-user operating system (OS). In fact, Microsoft is stating publicly (much to my surprise) that NT is faster with 32MB of RAM than Windows 95 with the same amount of memory. Regardless of NT's potential success, it's still an OS and capable of crashing your system. Users and administrators need to be prepared for the inevitable system crash. This month and next, I want to give you the answers to some questions about using safety and recovery methods that work with NT.
Q: I need a powerful application that will let me install, uninstall, and move programs in Windows NT. The Add/Remove Programs applet in Control Panel doesn't suffice. What options are available?
I'm familiar with two applications that can add, remove, and move programs in NT: Symantec Norton Uninstall Deluxe and Quarterdeck CleanSweep. When you install Norton Uninstall Deluxe, it scans all files to determine what files belong to what application, as you see in Screen 1, page 232. You can then use the application to delete files (you must be careful and always have a backup present), as you see in Screen 2, page 232. When you finish deleting files, the uninstaller lists the files it deleted and shows you the amount of disk space, as you see in Screen 3, page 232. You can use Norton Uninstall Deluxe to delete designated files, and you can move programs with the application.
When Norton Uninstall Deluxe detects a change to the system or every time a setup application runs, the product asks whether you want to monitor the event. After a while, this process can get irritating, but it ensures that true uninstall and move information is maintained.
CleanSweep offers similar functionality, and CleanSweep Deluxe incorporates more Web-based utilities than Norton Uninstall Deluxe. Specifically, CleanSweep monitors ActiveX plugins and includes a Web-based antivirus application.
Q: Our system is in a high-risk environment and needs an additional safety blanket to guard against boot sector attacks. How can I safeguard the boot sector on this system?
The first step you need to take to safeguard against boot sector attacks is to physically secure your machines--eliminate easy user access. Next, you can run an antivirus application that protects your environment in a manner similar to a DOS-based terminate-and-stay-resident (TSR) program. Of the antivirus applications I've tested, I've had the best luck with Command Software Systems' Fprot and Cheyenne's InnocuLan. Be aware that antivirus applications can disrupt operating system (OS) upgrades and service packs and prevent applications from running. On the plus side, some of the new antivirus applications can monitor files that you download from the Internet.
If you have a copy of the Microsoft Windows NT Server 4.0 Resource Kit or Microsoft Windows NT Workstation 4.0 Resource Kit, you can go a step further in protecting your boot sector. I recently began working with some of the wonderful, under-documented applications in the resource kits and discovered Disksave and Disk Probe.
Disksave is an insurance policy and can save you considerable time, but you can use it on only Intel-based machines. Simply put, Disksave lets you copy the Master Boot Record (MBR) and boot record to a floppy. The MBR contains code that the BIOS on x86-based computers uses to read the partition table and locate the OS partition. If the MBR is corrupt, the machine won't boot and leaves you either with a black screen or messages such as Invalid partition table or Missing operating system. If the boot sector (which contains the code that loads the OS kernel or a multiboot loader) is corrupt, you will see STOP:0x0000007B failures during the NT boot phase. Finally, a machine can hang before loading ntldr, which displays the boot selections. Disksave lets you save the MBR and boot sector as binary image files. After you save these crucial disk structures, you can easily restore them if they become corrupt.
Copy Disksave to a DOS boot floppy, go to the machine with the damaged MBR or boot sector, boot to the DOS boot floppy, and run Disksave. Disksave presents you with certain options.
F2 Backup the Master Boot Record. This function prompts you for a path and filename for the saved MBR image. Pick a filename that is easy to remember and readable from DOS. I like the name MBRdisk#.dsk (the filename always needs to end with the .dsk extension). The resulting file is a 512-byte binary image of the MBR sector. (The MBR is always located at cylinder 0, side 0, sector 1 of the boot disk). For example, use A:\mbrdisk0.dsk (Disksave works only on partition 0).
F3 Restore Master Boot Record. This function prompts you for a path and filename to restore a previously saved MBR file, which is why I suggest that you provide an obvious name for the file. The only error checking you can perform before using this command is to ensure that the file you are about to restore is 512 bytes. If you restore an incorrect file to the MBR, you will permanently destroy the partition table information, and the machine won't boot without a valid MBR.
F4 Backup the Boot Sector. This function prompts you for a path and filename for saving the boot sector image. The resulting file is a 512-byte binary image of the boot sector. F4 opens the partition table, finds the active partition, and moves to the starting point of that partition. This command then saves the sector at that location under the filename you entered (e.g., A:\bootsect.dsk).
F5 Restore Boot Sector. This function prompts you for a path and filename to restore a previously saved boot sector file. As with the F3 command, the only error checking you can perform before using the F5 command is to ensure that the file you are about to restore is 512 bytes. Copying an incorrect file to the boot sector will permanently destroy boot sector information, and the machine won't boot. So be careful.
F6 Disable FT on the Boot Drive. This function lets you reset the fault tolerant bit on a mirrored system drive and is useful when NT won't boot from such a drive. The function looks for the bootable or active partition and checks to see whether the SystemType byte has the high bit set (i.e., the partition is part of a fault tolerant set). Using this option breaks the mirror, which is a nonrecoverable act for Disksave.
Another useful utility on the Microsoft Windows NT Server 4.0 Resource Kit and Microsoft Windows NT Workstation 4.0 Resource Kit is Disk Probe. You use Disk Probe when you have a corrupt boot sector and you've tried the standard repair techniques without success. You can also use it to locate the backup copy of a boot sector on drives with an incomplete or faulty read of the backup boot sector.
Using Disk Probe to Recover the Backup Boot Sector
Disk Probe works by loading active handles on the drive, which let you directly access the drive. As you might expect, you must use this application with great caution. You can use Disk Probe only on an NTFS file system, because FAT doesn't keep a copy of the boot sector (if you look at the area of the disk where you expect to see a backup boot sector, you see that no information is present).
This method of recovering the backup boot sector involves locating, retrieving, and moving the backup boot sector to its correct position on the disk. Previous versions of NT kept the backup boot sector in the middle of the disk, but NT 4.0 stores it at the end of the disk (I'll show you how to use Disk Probe with NT 4.0). Never run Disk Probe when Disk Administrator is open because both applications require locked drives.
Before you can recover the boot sector, you must have used either Disk Probe or Disksave to save the boot sector information to a file. To recover the boot sector with Disk Probe, implement the following procedure.
This procedure is relatively safe, but Disksave is probably easier.
You can use a second method to recover the boot sector with Disk Probe if you didn't save the boot sector information to a file. In the following example, I used a Quantum Empire 1080S hard disk.
Using Disk Probe Editor to Find the Backup Boot Sector
What do you do when your machine can't read the boot sector and you get the message that an incomplete read occurred or you realize when you look at the ASCII strings of the boot sector that the boot sector is incorrect? Even worse, the hex values your machine needs to find the copy of the boot sector are probably wrong. In this situation, I use Disk Probe to determine the location of the backup copy of the boot sector. Follow these steps carefully--using Disk Probe can be fatal to your hard disk:
Total Sectors: 2104452
Relative Sector: 63
To find the backup copy of the boot sector, perform the following calculation for the primary partition: Total Sectors + Relative Sector - 1 = 2104452 + 63 - 1 = 2104514.
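To tie together the checks described above (the 512-byte test before an F3/F5 restore, the FT high bit in the SystemType byte that F6 examines, and the end-of-partition arithmetic for the NT 4.0 backup boot sector), here is an added example that is not part of the column or the resource kit tools. It parses a saved MBR image such as a Disksave .dsk file; the sample image it builds is constructed from the Quantum Empire values in the text, not read from a real disk.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries, then the 0x55AA signature
ENTRY_SIZE = 16
BOOT_INDICATOR = 0x80           # status byte value marking the active partition

def check_sector_image(data):
    """The only pre-restore check the column offers is the size: the image must
    be exactly 512 bytes. Also insist on the 0x55AA signature that both an MBR
    and an NT boot sector end with, so a random file is rejected before it can
    be written over a partition table."""
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"image is {len(data)} bytes, expected {SECTOR_SIZE}")
    if data[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA sector signature")
    return True

def parse_partition_table(mbr):
    """Return the non-empty partition entries from a 512-byte MBR image."""
    check_sector_image(mbr)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # status, 3 CHS bytes skipped, SystemType, 3 CHS bytes skipped,
        # relative (starting) sector, total sectors; all little-endian
        status, systype, rel, total = struct.unpack_from("<B3xB3xII", mbr, off)
        if systype == 0:
            continue
        entries.append({
            "index": i,
            "active": status == BOOT_INDICATOR,
            "system_type": systype & 0x7F,        # type with the FT bit masked off
            "fault_tolerant": bool(systype & 0x80),  # high bit set: part of an FT set
            "relative_sector": rel,
            "total_sectors": total,
        })
    return entries

def backup_boot_sector_lba(entry):
    """NT 4.0 keeps the NTFS backup boot sector in the last sector of the
    partition: Relative Sector + Total Sectors - 1."""
    return entry["relative_sector"] + entry["total_sectors"] - 1

def build_sample_mbr():
    """Constructed sample MBR (not a real disk image): one active NTFS (0x07)
    partition starting at sector 63 with 2104452 sectors."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET,
                     BOOT_INDICATOR, 0x07, 63, 2104452)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)
```

Running `parse_partition_table(build_sample_mbr())` and feeding the active entry to `backup_boot_sector_lba` reproduces the 2104514 figure from the calculation above.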