Ask Dr. Bob Your NT Questions - 01 Mar 1998

Send us your tips and questions. You can also visit Bob Chronister's online Tricks & Traps at http://www.winntmag.com/forums/index.html.

Many of the questions I receive relate to system security, protection, and maintenance. Some users don't think Windows NT is scalable and isn't ready for the enterprise, but others see NT as succeeding in becoming a serious network and power-user operating system (OS). In fact, Microsoft is stating publicly (much to my surprise) that NT is faster with 32MB of RAM than Windows 95 with the same amount of memory. Regardless of NT's potential success, it's still an OS and capable of crashing your system. Users and administrators need to be prepared for the inevitable system crash. This month and next, I want to give you the answers to some questions about using safety and recovery methods that work with NT.

Q: I need a powerful application that will let me install, uninstall, and move programs in Windows NT. The Add/Remove Programs applet in Control Panel doesn't suffice. What options are available?

I'm familiar with two applications that can add, remove, and move programs in NT: Symantec Norton Uninstall Deluxe and Quarterdeck CleanSweep. When you install Norton Uninstall Deluxe, it scans all files to determine what files belong to what application, as you see in Screen 1, page 232. You can then use the application to delete files (you must be careful and always have a backup present), as you see in Screen 2, page 232. When you finish deleting files, the uninstaller lists the files it deleted and shows you the amount of disk space, as you see in Screen 3, page 232. You can use Norton Uninstall Deluxe to delete designated files, and you can move programs with the application.

When Norton Uninstall Deluxe detects a change to the system or every time a setup application runs, the product asks whether you want to monitor the event. After a while, this process can get irritating, but it ensures that true uninstall and move information is maintained.

CleanSweep offers similar functionality, and CleanSweep Deluxe incorporates more Web-based utilities than Norton Uninstall Deluxe. Specifically, CleanSweep monitors ActiveX plugins and includes a Web-based antivirus application.

Q: Our system is in a high-risk environment and needs an additional safety blanket to guard against boot sector attacks. How can I safeguard the boot sector on this system?

The first step you need to take to safeguard against boot sector attacks is to physically secure your machines--eliminate easy user access. Next, you can run an antivirus application that protects your environment in a manner similar to a DOS-based terminate-and-stay-resident (TSR) program. Of the antivirus applications I've tested, I've had the best luck with Command Software Systems' Fprot and Cheyenne's InnocuLan. Be aware that antivirus applications can disrupt operating system (OS) upgrades and service packs and prevent applications from running. On the plus side, some of the new antivirus applications can monitor files that you download from the Internet.

If you have a copy of the Microsoft Windows NT Server 4.0 Resource Kit or Microsoft Windows NT Workstation 4.0 Resource Kit, you can go a step further in protecting your boot sector. I recently began working with some of the wonderful, under-documented applications in the resource kits and discovered Disksave and Disk Probe.

Disksave
Disksave is an insurance policy and can save you considerable time, but you can use it on only Intel-based machines. Simply put, Disksave lets you copy the Master Boot Record (MBR) and boot record to a floppy. The MBR contains code that the BIOS on x86-based computers uses to read the partition table and locate the OS partition. If the MBR is corrupt, the machine won't boot and leaves you either with a black screen or messages such as Invalid partition table or Missing operating system. If the boot sector (which contains the code that loads the OS kernel or a multiboot loader) is corrupt, you will see STOP:0x0000007B failures during the NT boot phase. Finally, a machine can hang before loading ntldr, which displays the boot selections. Disksave lets you save the MBR and boot sector as binary image files. After you save these crucial disk structures, you can easily restore them if they become corrupt.

Copy Disksave to a DOS boot floppy, go to the machine with the damaged MBR or boot sector, boot to the DOS boot floppy, and run Disksave. Disksave presents you with certain options.

F2 Backup the Master Boot Record. This function prompts you for a path and filename for the saved MBR image. Pick a filename that is easy to remember and readable from DOS. I like the name MBRdisk#.dsk (the filename always needs to end with the .dsk extension). The resulting file is a 512-byte binary image of the MBR sector. (The MBR is always located at cylinder 0, side 0, sector 1 of the boot disk). For example, use A:\mbrdisk0.dsk (Disksave works only on partition 0).

F3 Restore Master Boot Record. This function prompts you for a path and filename to restore a previously saved MBR file, which is why I suggest that you provide an obvious name for the file. The only error checking you can perform before using this command is to ensure that the file you are about to restore is 512 bytes. If you restore an incorrect file to the MBR, you will permanently destroy the partition table information, and the machine won't boot without a valid MBR.

F4 Backup the Boot Sector. This function prompts you for a path and filename for saving the boot sector image. The resulting file is a 512-byte binary image of the boot sector. F4 opens the partition table, finds the active partition, and moves to the starting point of that partition. This command then saves the sector at that location under the filename you entered (e.g., A:\bootsect.dsk).

F5 Restore Boot Sector. This function prompts you for a path and filename to restore a previously saved boot sector file. As with the F3 command, the only error checking you can perform before using the F5 command is to ensure that the file you are about to restore is 512 bytes. Copying an incorrect file to the boot sector will permanently destroy boot sector information, and the machine won't boot. So be careful.

F6 Disable FT on the Boot Drive. This function lets you reset the fault tolerant bit on a mirrored system drive and is useful when NT won't boot from such a drive. The function looks for the bootable or active partition and checks to see whether the SystemType byte has the high bit set (i.e., the partition is part of a fault tolerant set). Using this option breaks the mirror, which is a nonrecoverable act for Disksave.

Disk Probe
Another useful utility on the Microsoft Windows NT Server 4.0 Resource Kit and Microsoft Windows NT Workstation 4.0 Resource Kit is Disk Probe. You use Disk Probe when you have a corrupt boot sector and you've tried the standard repair techniques without success. You can also use it to locate the backup copy of a boot sector on drives with an incomplete or faulty read of the backup boot sector.

Using Disk Probe to Recover the Backup Boot Sector. Disk Probe works by loading active handles on the drive, which let you directly access the drive. As you might expect, you must use this application with great caution. You can use Disk Probe on only an NTFS file system, because FAT doesn't keep a copy of the boot sector (if you look at the area of the disk where you expect to see a backup boot sector, you see that no information is present).

This method of recovering the backup boot sector involves locating, retrieving, and moving the backup boot sector to its correct position on the disk. Previous versions of NT kept the backup boot sector in the middle of the disk, but NT 4.0 stores it at the end of the disk (I'll show you how to use Disk Probe with NT 4.0). Never run Disk Probe when Disk Administrator is open because both applications require locked drives.

Before you can recover the boot sector, you must have used either Disk Probe or Disksave to save the boot sector information to a file. To recover the boot sector with Disk Probe, implement the following procedure.

1. Boot into NT with an NT boot floppy.
2. Run Disk Probe.
3. From the File menu, select Open to open the boot sector file that you saved (I always save this file to my NT boot floppy and give it a .dsk extension).
4. From the Drive menu, select Physical Drive. Double-click the drive that contains the MBR you want to restore.
5. Clear the Read only check box, click the Handle set to active button, and click OK.
6. From the Sectors menu, select Write to open the Write Sector window. Set the Starting Sector to write the data to 0, and click Write it. Disk Probe will display a message asking whether you want to overwrite the data in sector 0 on the physical drive in question. Click Yes, which you see in Screen 4.
7. At this point, you can verify the write procedure by clicking the Sectors menu and selecting Read, specifying Starting Sector 1.
8. Close Disk Probe, and reboot your system.

This procedure is relatively safe, but Disksave is probably easier.

You can use a second method to recover the boot sector with Disk Probe if you didn't save the boot sector information to a file. In the following example, I used a Quantum Empire 1080S hard disk.

1. Open Disk Probe.
2. From the Drive menu, select Physical Drive, and double-click the drive you want to repair. Clear the Read Only check box below the drive listing, and click Set Active. You will notice that the active handle is set to the chosen physical drive. Click OK.
3. From the Sectors menu, select Read. Insert 0 for Starting Sector and 1 for the Number of Sectors. Click Read. You are now looking at the MBR of your physical disk. You can verify that you're looking at the MBR by examining the ASCII text on the right side of the disk image beginning at offset 8B, which should read Invalid partition table.... Screen 5 shows this dialog box.
4. From the View menu, select Partition Table. In the partition table Index dialog box, use the scroll bar to select the partition you want to examine. Double-click that partition. Make sure you highlight the proper values in the Boot Indicator (should be SYSTEM), System ID (should be NTFS), and Partition table index (should be Partition 1) fields, as you see in Screen 6. The field in the lower left corner of Screen 6 shows the Relative Sector. Write down this value (in this case, 63).
5. Click Go, which is next to the Relative Sector field. Go puts you at the boot sector and places the starting sector in the Relative Sector field.
6. From the View menu, select Bytes and examine the data. Depending on the type of corruption, you should see some ASCII strings, such as NTFS in the upper right corner or A disk read error occurred... beginning at offset 130, as you see in Screen 7.
7. From the View menu, select NTFS boot sector, and choose Volume End. This sequence puts you at the backup copy of the boot sector.
8. From the View menu, select Bytes and verify that you are looking at the backup NTFS boot sector. (If you receive a message identifying an incomplete data read or see what appears to be an incorrect backup record, go to the next section that deals with using Disk Probe to find the backup boot sector.)
9. From the Sectors menu, select Write. Make sure the dialog box shows the correct handle and physical drive.
10. In the text box Starting sector to write data, enter the relative sector value you noted in step 4, and select Write it.
11. From the Sectors menu, select Read and type in the starting sector value from step 5 in the Starting Sector field, as you see in Screen 8. While keeping the number of sectors to 1, select Read. Make certain that the data you read matches what you see in Screen 7. If not, correct the problem by redoing the read/write sequences you just completed.
12. Close Disk Probe, and reboot your system.

Using Disk Probe Editor to Find the Backup Boot Sector
What do you do when your machine can't read the boot sector and you get the message that an incomplete read occurred or you realize when you look at the ASCII strings of the boot sector that the boot sector is incorrect? Even worse, the hex values your machine needs to find the copy of the boot sector are probably wrong. In this situation, I use Disk Probe to determine the location of the backup copy of the boot sector. Follow these steps carefully--using Disk Probe can be fatal to your hard disk:

1. Open Disk Probe.
2. From the Drives menu, select Physical Drive and double-click the physical drive you want to repair.
3. Clear the Read Only check box, and click Set Active. You will notice that the active handle has been set to the chosen physical drive. Click OK.
4. From the Sectors menu, select Read. Insert 0 for Starting Sector and 1 for the Number of Sectors. Click Read. You are now looking at the MBR of your physical disk. You can verify that you're looking at the MBR by examining the ASCII text on the right side of the disk image and beginning at offset 8B. This text should read Invalid Partition Table....
5. From the View menu, select Partition Table. Be sure you choose the correct partition number. Two values, Total Sectors and Relative Sector, determine the site of the backup copy. The Relative Sector value is the location of the boot sector. I extracted the following values from the View Partition screen in my previous example for the Quantum 1080S hard disk:

   Total Sectors: 2104452
   Relative Sector: 63

   To find the backup copy of the boot sector, perform the following calculation for the primary partition: Total Sectors + Relative Sector ­ NT 4.0 Connection = 2104452 + 63 ­ 1 = 2104514.

6. From the Sectors menu, select Read, and enter the number you just calculated.

7. From the View menu, select Bytes, and verify that the sector is the NTFS boot sector.

8. From the Sectors menu, select Write, and make sure the dialog box shows the correct handle and physical drive.

9. In the text box Starting sector to write data, type in the relative sector value that you wrote down in Step 5. Select Write to copy the boot sector to that location.

10. From the Sectors menu, select Read. In the starting sector, type in the sector to which you wrote the backup copy and set Number of Sectors to 1. Select Read, and verify that the data was written.

11. Close Disk Probe, and reboot your system.