When to use the ERD, Safe Mode, and the Recovery Console

In Windows 2000, everything is bigger and more sophisticated than in Windows NT, including the native troubleshooting and repair tools. When something goes wrong with the OS, you have three options: You can use your Emergency Repair Disk (ERD) to initiate a repair operation; you can boot to Safe Mode to avoid troublesome drivers or application-specific problems; or, as a last resort, you can boot to the Recovery Console (RC) and disable a malfunctioning driver or service. All three of these tools can help you diagnose or recover from system problems that are the result of missing or corrupted files, a confused driver, or a temporary pagefile that won't go away. To determine which tool to use in a given set of circumstances, you need to understand the scope of the troubleshooting and repair operations that the ERD, Safe Mode, and the RC offer.

ERD Repairs
If you have a system that simply won't boot, you need the ERD. You can use the ERD to repair a damaged boot sector, repair a damaged Master Boot Record (MBR), repair or replace missing or damaged NT Loader (NTLDR) and ntdetect.com files, and reload a third-party ntbootdd.sys SCSI driver that you need to access the boot drive. The ERD lets you recover the system disk after a virus infection and is the only tool that lets you boot a system from the shadow of a broken mirror set.

One result of Win2K's bigger and better approach to repair tools is the larger size of the configuration databases—commonly called SYSTEM hives—that Win2K stores in the registry. Win2K's larger and more numerous hive files no longer fit on an ERD. Therefore, Microsoft has trimmed down Win2K's ERD utility so that it provides only three functions:

  • inspect and repair the startup environment
  • verify Win2K files and replace missing or damaged files
  • inspect and repair the boot sector

If your repair needs go beyond such minor corrections—for example, if incorrect or damaged device drivers are installed in the System folder or if problems occur after you see the startup (OSloader) screen—you need to use either Safe Mode or the RC.

Creating a Current ERD
Creating an ERD as you deploy each system in your enterprise should be standard procedure. In some cases, the ERD is the only utility you can use to get a system up and running again. Creating an ERD not only gives you the benefit of quick access to an essential repair tool—it's also easier than ensuring that each workstation has a copy of the distribution media or has access to a network-based installation share point. Additionally, the ERD is the fastest way to create an on-disk backup copy of active registry databases—you can repair a system much faster if you have an on-disk copy as opposed to a copy on backup media.

Win2K setup disks contain a version of the ERD. This version is useful only when you're initially installing a system. After you customize the OS (e.g., enable or disable services, add individual and group accounts, add security information), the generic ERD is too outdated to help you recover a system. To ensure that you'll be able to recover a certain system in the event of a failure, you must create a new ERD after you configure the system to your satisfaction.

To create an ERD that can back up your current system configuration, use Win2K's Backup utility. Backup doesn't appear in Administrative Tools (where you might expect it) but rather is tucked away under System Tools in the Accessories program group. You can also start the Backup utility by opening a command prompt and typing

ntbackup

In either case, Backup starts by displaying the Welcome tab. When you select the Create an Emergency Repair Disk option on this tab, Backup prompts you to place a blank formatted disk in the 3.5" floppy disk drive, as Figure 1 shows.

In this dialog box, you can also choose to back up registry files. To ensure that you have a current copy of key configuration database files on disk, you should always select this option. Here's why: Win2K maintains two sets of registry files. Setup places a copy of the original generic registry hives in the \%systemroot%\repair directory. When you create an ERD and select the option to back up the registry, Backup also copies the SYSTEM hive files to the \%systemroot%\repair\regback directory. To use the RC to restore a current version (as opposed to the generic version) of key registry files, you'll need the files that Backup creates in the \regback directory. When Backup finishes creating the ERD disk and backing up the registry, the utility displays a confirmation window.

To maintain a current copy of registry files in the \regback directory, be sure to create a new ERD whenever you update or change the system configuration. If disaster strikes, you'll be able to activate the RC and use current files to repair the system—instead of having to take two steps backward because you forgot to make an on-disk backup of the registry files. If you must revert to the original registry hive files during a repair and you haven't used the ERD option to create a local copy of the current files, you'll need to restore the current files from a backup tape. If you must revert to the files in the original Repair directory, you're in for a lot of unnecessary work. To fully restore the system in that case, you'd need to reconfigure services and reinstall all service packs, hotfixes, and applications after the system is running again.

The ERD utility's only drawback is that it requires access to a 3.5" floppy disk drive—even if all you want to do is back up the registry files to the \regback directory. For laptop or notebook users, this requirement can be a bit of a handicap.

Manual Repair or Fast Repair?
An ERD contains only three files: autoexec.nt, config.nt, and setup.log. Because Win2K doesn't rely on autoexec.nt and config.nt, those two files are essentially useless. The important file is setup.log, which contains a list of all components that Setup installed during the original Win2K installation. Each filename in setup.log is followed by a checksum that verifies the file's contents. When you select the Verify Windows 2000 system files option on the ERD repair menu, the Repair utility compares installed files with the files listed in the setup.log file to identify missing or corrupted files. When Repair identifies a missing or corrupted file, the utility replaces the file with a good copy from the distribution media.

To start an ERD repair, you need to boot from a distribution CD-ROM or from 3.5" Setup floppy disks. Then, select R to start the Repair utility. For a third option, see the Microsoft article "How to Create a Bootable Disk for an NTFS or FAT Partition" (http://support.microsoft.com/suport/kb/articles/q119/4/67.asp). If you find that you need to replace a single registry hive, you must use the RC—you can't use the ERD to make this low-level repair.

The Repair utility gives you two choices. Press M to choose Manual Repair, which lets you choose from a list of repair options. Press F for Fast Repair, which performs all repair operations.

Manual Repair. Select Manual Repair if you want to control the tasks that the Repair utility performs. The Manual Repair menu displays three options: Inspect the startup environment, Verify Windows 2000 system files, and Inspect the boot sector. When you select Inspect the startup environment, Repair replaces or corrects the boot.ini file. When you select Verify Windows 2000 system files, Repair compares the loaded NTLDR, ntdetect.com, arcsetup, and arcldr.exe boot files with their corresponding entries in the setup.log file. If Repair detects a discrepancy, the utility prompts you to replace or skip the file. You'll need the distribution media or a third-party driver disk to replace the problem file. (The Verify Windows 2000 system files option doesn't verify the ntbootdd.sys file, which the OS needs to access a system on a SCSI drive, so you'll need a SCSI driver disk if you need to reload this file.) When you select Inspect the boot sector, the Repair utility repairs the active system partition and reinstalls boot-loader files.

Fast Repair. Select Fast Repair if you need to recover a newly installed system. Fast Repair automatically performs all three Manual Repair options and verifies crucial registry files (i.e., SAM, SECURITY, SYSTEM, and SOFTWARE). If a hive is missing or corrupted, Fast Repair copies the version that resides in the \%systemroot%\repair directory to the \%systemroot%\system32\config directory. Of course, this process restores the original (as opposed to the current) registry file, which returns the system to its original configuration.

If you must use Fast Repair, you can then restore the current state from a backup or use the RC to replace the generic versions of the registry hives with current versions that reside in the \regback directory. The Microsoft article "Differences Between Manual and Fast Repair in Windows 2000" (http://support.microsoft.com/support/kb/articles/q238/3/59.asp) details each of these operations and provides additional repair-related references.

Safe Mode Repairs
If you're experiencing a problem that occurs after Win2K boots, you need to boot the system in Safe Mode. To access Safe Mode, press F8 when you see the For troubleshooting and advanced startup options for Windows 2000 message on the boot menu during system restart. Safe Mode offers 10 boot options, but the first three options—Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt—are the most important. (For information about how to use Safe Mode to recover Active Directory—AD—see Robert McIntosh, "AD Disaster Recovery," page 43.)

Each of the first three Safe Mode options starts Win2K with default settings, including a VGA monitor driver, basic mouse and keyboard drivers, and a short list of device drivers and services necessary for basic operation (plus a network driver, if you select the Safe Mode with Networking option). Safe Mode doesn't disable Plug and Play (PnP) detection, so if a device is causing problems, you should disconnect it before you boot in Safe Mode. However, if you want to determine how or whether PnP recognizes and configures new hardware, be sure to connect the new hardware before you boot.

Safe Mode. Select this mode when a system acts up after you install custom mouse or keyboard software, fax software, digital camera software, a custom network client, or power-management software on a notebook. If you can boot in Safe Mode, you might be able to restore the system by simply uninstalling the offending software. In Safe Mode, you can also reinstall security updates, hotfixes, or even a full service pack to bring a sick system back to good health. When you're finished, simply shut down the system as usual from the Start menu.

Safe Mode with Networking. This mode offers the same functionality as Safe Mode but adds networking capability. Be aware that Safe Mode with Networking supports only LAN connections, so you can't troubleshoot, test, or create new DUN or VPN connections in this mode.

Safe Mode with Command Prompt. Select this option when problems with a video driver, keyboard, or mouse prevent you from interacting with a GUI. In this mode, the system runs only nine processes: System, SMSS, Csrss, Winlogon, Services, Lsass, Taskmgr, Svchost, and Winmgt. To see a list of commands that this boot mode supports, type

help

at the command prompt. You can access many familiar repair utilities, such as Chkdsk, Chkntfs, Convert, Diskcopy, and Format, as well as common file-manipulation commands. Although navigating Win2K from a command prompt is relatively difficult, you can check and format FAT and NTFS disks, and you can move, copy, rename, and delete files and directories. To reboot the system in Safe Mode, press Ctrl+Alt+Del to bring up the familiar Windows Security dialog box, then click Shutdown. If the Security dialog box doesn't appear, you'll need to cycle the power to restart.

After you select a Safe Mode option, Startup returns the system to the boot menu, from which you select a specific Win2K installation (assuming you have more than one system root). A long list of files then scrolls by as the boot loader loads OS components. Booting in Safe Mode is more time-consuming than booting normally, so be patient while you wait for the logon prompt.

At the logon prompt, you must enter the local Administrator account and password—not the domain administrator's account and password. If you've forgotten the account name or password, you'll need to reinstall the OS or use a third-party utility to reset the account and password. Next, Win2K confirms that you're running in Safe Mode, as Figure 2 shows, and prompts you to click OK before you proceed. As Figure 3 shows, Win2K places Safe Mode reminders in every corner of the screen, changes the background color to black, and restricts the display area to a minimal VGA window.

RC Repairs
The RC contains a superset of the features that the ERD and Safe Mode offer. The RC is essential if you find that the system has problems with loaded drivers, services, or registry files that are open while the OS is running. (You can't use the ERD or Safe Mode to make these types of repairs.) The RC is command-line driven, so it's also effective when hardware or driver problems prevent you from interacting with the GUI.

Like the ERD, the RC can repair a corrupted boot.ini file or MBR, and it can check, verify, and replace Win2K components. The RC can also replace a bad SCSI or video driver with a good copy; format and partition a hard disk; stop or disable problematic services; and delete a temporary pagefile that prevents you from creating a larger, permanent pagefile. For information about how to use the RC to repair three of the most common system problems that you might encounter, see the sidebar "Using the RC to Solve Common Problems," page 36.

You can run the RC from a Win2K CD-ROM or the Setup disks. (At the Welcome to Setup screen, press F10.) Alternatively, you can install a local copy, but a local copy is useful only if the system boots. A little-known benefit of the RC is that you can use it to troubleshoot and repair an NT 4.0 system (run the RC from the CD-ROM or install a local copy of the RC on the NT 4.0 system).

The RC installation procedure is fast and straightforward, but you must satisfy a few prerequisites before you begin:

  • You need 7MB of free space on the boot disk.
  • You can't install the RC during Win2K Setup.
  • You can't install the RC if your boot disk is part of a software mirror set.

If you have a software mirror, you must break the mirror, install the RC, then recreate the mirror set. However, if you're using legacy basic-disk mirroring (i.e., a software mirror that you upgraded from NT 4.0 to Win2K), you shouldn't break the mirror unless you plan to upgrade the system disk from basic to dynamic. Win2K can't recreate a legacy disk mirror set. If you plan to reestablish the system disk in Win2K, you must convert the legacy disk to dynamic, then recreate the mirror.

Assuming your system meets these prerequisites, you'll need the distribution media for Win2K (you can install the RC from any installation media, including Win2K Professional) and the local Administrator account password. To install a local copy of the RC, open a command prompt and type

F:\i386\winnt32 /cmdcons

where F is the location of the distribution files or the Win2K CD-ROM. Winnt32.exe initiates Win2K or NT 4.0 Setup. The /cmdcons switch installs the RC and is just one of many options that this utility understands.

Starting the RC
After you reboot, the RC appears on the boot option menu's bottom line. When you select the RC, the utility displays the text Windows 2000 Recovery Console V5.0 at the top of a black screen and the familiar line of dots while startup files load. Then, the RC displays a text-based screen that lists Win2K and NT 4.0 installations by partition letter and system directory name and prompts you to select the OS that you want to start. Figure 4 shows a system that boots four OSs*one on C, one on D, and two on E. When the RC lists the installations that it recognizes, it doesn't include the descriptive text for each partition and directory. Thus, if you have multiple roots, you should verify the letter and the system directory name of the partition you want to start before you boot to the RC. After loading the OS, the RC displays a command prompt in the system root.

When you install a local copy of the RC, the installation sets the boot.ini file's attributes to System, Hidden, Read-Only, and Archive. Figure 5 shows the boot.ini file of the four-OS system from Figure 4. The final line in this file (C:\cmdcons\bootsect.dat="Microsoft Windows 2000 Recovery Console" /cmdcons) is the command that starts the RC. If you later decide to uninstall the RC, you'll need to reset the boot.ini file attributes so that you can delete the RC startup line and save the modified boot.ini file. I explain later how to reset the attributes and delete this line.

The RC Administrator Password
After you enter the number for the root that you want to start, the RC prompts you for the local Administrator password. The console always prompts for the "Administrator" password, even if you've renamed the administrative account. Although the RC logon screen's text doesn't change to reflect a renamed administrative account, the RC will accept the password for the renamed account and log you on.

After you enter the correct password, you'll see a command prompt. You're now free to explore system files, disable services, delete or replace files, and make other changes to revive the system.

A known security vulnerability can occur when you install the RC on a system that you later promote to a Win2K domain controller (DC). When you use the Configure Your Computer Wizard to promote the first DC in a forest, Win2K sets the password for the Directory Services Restore Mode to a null value. This null value lets a malicious user log on without proper authorization. Even worse, the Configure Your ComputerWizard automatically sets the RC Administrator password to the null value.

In December 2000, Microsoft released a security hotfix that eliminates this vulnerability. The Microsoft article "The Configure Your Computer Wizard Sets Blank Recovery Mode Password" (http://support.microsoft.com/support/kb/articles/q271/6/41.asp) describes this security loophole and provides a URL from which you can download the hotfix. Microsoft will most likely include this hotfix in Service Pack 2 (SP2).

Reinstalling the RC
Two situations require you to reinstall the RC. If you install the RC on a FAT partition, then you subsequently convert that partition to NTFS, the file-system—specific files in the \cmdcons directory aren't valid for the new NTFS partition. In this situation, you'll either need to reinstall the RC or run the RC from a Win2K distribution CD-ROM.

You'll also need to reinstall the RC after you upgrade to SP2. Because the \cmdcons directory contains crucial drivers that boot the system, and because service packs can potentially update these drivers, you should first create a slipstream installation or use the Win2K-integrated installation. After the SP2 upgrade is finished, reinstall the RC from the slipstream or integrated installation directory. This procedure ensures that the \cmdcons directory contains the most recent versions of all required boot-time drivers.

Removing the RC
Removing the RC is a multistep procedure. In brief, you need to delete the CMDLDR hidden file at the root of the boot drive, the \cmdcons hidden directory and its contents, and the text line in the boot.ini file that starts the utility.

Because CMDLDR and the \cmdcons directory are Hidden, System files, you must first enable the display of these files in Windows Explorer. On Windows Explorer's Tools menu, click Folder Options and select the View tab. Select the Show hidden files and folders check box, clear the Hide protected operating system files check box, and click OK. Locate and delete the \cmdcons directory and the CMDLDR file.

Eliminating the RC command line in the boot.ini file is slightly more complicated because boot.ini is a read-only file, in addition to being a Hidden, System file. In Windows Explorer, right-click the file, select Properties, and clear the file attributes. Clearing the Read-only check box lets you modify the boot file and save the file with the same name. Alternatively, you can reset the attributes by typing

Attrib -h -s -r boot.ini

at a command prompt.

The boot.ini file is crucial to the startup sequence, so before modifying it, you should always make a copy of the file by typing

C:\copy boot.ini boot.ini.bak

Then, open boot.ini.bak in a text editor (e.g., Notepad, WordPad), delete the line that contains the Windows 2000 Recovery Console text, and save the file with its original boot.ini filename.

Now, all traces of the RC are gone, and you're ready to restart the system. For security reasons, I recommend that you use the Attrib +h +s +r boot.ini command to reset the Hidden, System, and Read-only attributes on boot.ini after the system is up and running. If you're working on an end-user system, you might then want to reset Windows Explorer's View options to their previous settings.

Common RC Repairs
The RC understands the console commands that you see in Table 1. Using these commands, you can copy, rename, or replace OS files and directories; enable or disable drivers and services; repair crucial boot files; scan hard disks for errors and optionally repair them; create or format hard disk partitions; and more. If you want to run scripts in the RC, you need to enable the RC's Set command. The Microsoft article "Description of the Windows 2000 Recovery Console" (http://support.microsoft.com/support/kb/articles/q229/7/16.asp) documents each command's functionality and syntax. For more information about RC commands, see Kathy Ivens, "The Recovery Console," page 99, and John D. Ruley, Windows 2000 Pro, "Key Recovery Console Commands," July 2000. For further insight about how and why you might use the RC to recover from system failures, see Sean Daily, "Mastering the Recovery Console," July 2000.

When you're working with the RC, you need to be aware of several important restrictions. You can access only the system disk, the \%systemroot% directory, the \cmdcons directory, and removable media, including 3.5" floppy disks and CD-ROMs. Although you can display other directories on the system disk, you'll get an Access denied message if you try to change a file or directory other than the system root. Also, you can't use the RC to create new files or copy files from the system disk to removable media. (However, you can copy files from a floppy disk or CD-ROM to the hard disk.) Before you start a repair operation, keep these restrictions in mind and make sure you have all the information and replacement drivers you need.

Armed and Dangerous
If you need to fix minor boot-time problems, use the ERD. If your system starts but has application-specific problems, boot into Safe Mode. If you need to modify loaded OS components, boot the RC. Remember that in Win2K, PnP is active when you boot into Safe Mode and when you boot the RC; therefore, if you have problems with a device, you should disconnect the device before you start a repair utility. More important, keep in mind that any one of these utilities has the power to permanently disable or cripple your OS, so do your homework, prepare, and proceed with caution. Consider yourself armed and dangerous.