Tuesday, December 23, 2008


Using Telnet to Send Email Through an SMTP Gateway

The first thing to do is to open a connection from your computer to your mail server using telnet.

telnet mail.domain.ext 25

You should receive a reply like:
220 SMTP Proxy Server Ready

You will then need to declare where you are sending the email from:

HELO local.domain.name
Don't worry too much about your local domain name although you really should use your exact fully qualified domain name as seen by the outside world. The mail server has no choice but to take your word for it as of RFC822-RFC1123.

This should give you:
250 +OK SMTP server Ready

Now give your email address:
MAIL FROM: mail@domain.ext

Should yield:
250 +OK Sender OK

Now give the recipient's address:
RCPT TO: mail@domain.ext

Should yield:
250 +OK Recipient OK

To start composing the message, issue the command:
DATA

If you want a subject for your email, type:
Subject: -type subject here-
then press enter twice (these are needed to conform to RFC 882)

You may now proceed to type the body of your message.

To tell the mail server that you have completed the message enter a single "." on a line of its own.

The mail server should reply with:
250 +OK message queued for delivery.

You can close the connection by issuing the QUIT command.

The mailserver should reply with something like:
221 Service closing transmission channel closing connection
Connection to host lost.


The commands are not case sensitive, but if you make a typing mistake, backspace & correct, you will get this error:
500 Command unrecognized: commandname

If you make a typing mistake on the recipient's name, backspace & correct, the message will not be deliverable.

modified from http://www.yuki-onna.co.uk/email/smtp.html
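The dialogue from the telnet walkthrough above, with both sides shown, as an added Python example that is not part of the original post. `ToySMTPServer` is a hypothetical in-memory stand-in that uses the reply texts quoted above (the 354 and 503 replies are the standard SMTP ones), and the sample body is constructed to show what happens when a body line begins with ".", since a lone "." ends the message.

```python
"""Added example: the telnet SMTP dialogue, replayed in memory (no network)."""


class ToySMTPServer:
    """Hypothetical stand-in for the mail server, with the reply texts shown above."""

    def __init__(self):
        self.in_data = False
        self.sender = None
        self.recipients = []
        self.lines = []      # message lines received after DATA
        self.queued = []     # (sender, recipients, message text)

    def greeting(self):
        return "220 SMTP Proxy Server Ready"

    def feed(self, line):
        """Handle one line (CRLF already stripped); return a reply or None."""
        if self.in_data:
            if line == ".":  # a lone dot ends the message
                text = "\r\n".join(self.lines)
                self.queued.append((self.sender, self.recipients, text))
                self.in_data, self.sender = False, None
                self.recipients, self.lines = [], []
                return "250 +OK message queued for delivery."
            # Undo dot-stuffing: the client doubled a leading "."
            self.lines.append(line[1:] if line.startswith(".") else line)
            return None
        verb = line.upper()
        if verb.startswith("HELO "):
            # The name is accepted as given; nothing here verifies it.
            return "250 +OK SMTP server Ready"
        if verb.startswith("MAIL FROM:"):
            self.sender = line[len("MAIL FROM:"):].strip()
            return "250 +OK Sender OK"
        if verb.startswith("RCPT TO:"):
            if self.sender is None:
                return "503 Bad sequence of commands"
            self.recipients.append(line[len("RCPT TO:"):].strip())
            return "250 +OK Recipient OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 Service closing transmission channel"
        words = line.split()
        return f"500 Command unrecognized: {words[0] if words else ''}"


def message_lines(subject, body, stuff=True):
    """Lines typed after DATA: header, blank line, body, terminating dot."""
    lines = [f"Subject: {subject}", ""]  # blank line separates header from body
    for line in body.splitlines():
        # Dot-stuffing: double a leading "." so it cannot end the message early
        lines.append("." + line if stuff and line.startswith(".") else line)
    lines.append(".")
    return lines


def run_session(server, helo, sender, recipient, subject, body, stuff=True):
    """Drive the dialogue and return the transcript as (side, line) pairs."""
    transcript = [("S", server.greeting())]

    def send(line):
        transcript.append(("C", line))
        reply = server.feed(line)
        if reply is not None:
            transcript.append(("S", reply))
        return reply

    for command in (f"HELO {helo}", f"MAIL FROM: {sender}",
                    f"RCPT TO: {recipient}", "DATA"):
        reply = send(command)
        if reply[0] not in "23":
            raise RuntimeError(f"{command!r} rejected: {reply}")
    for line in message_lines(subject, body, stuff):
        send(line)
    send("QUIT")
    return transcript


# Constructed sample body: one line is a lone dot, one starts with a dot
SAMPLE_BODY = "first line\n.\n.hidden\nlast"

if __name__ == "__main__":
    for stuff in (True, False):
        server = ToySMTPServer()
        print(f"--- dot-stuffing {'on' if stuff else 'off'} ---")
        for side, line in run_session(server, "local.domain.name",
                                      "mail@domain.ext", "mail@domain.ext",
                                      "test", SAMPLE_BODY, stuff):
            print(f"{side}: {line}")
        print("queued:", server.queued)
```

With dot-stuffing off, the message is cut at the lone dot and the remaining body lines come back as `500 Command unrecognized`, which is why a body line that starts with "." has to be typed with a second "." in front when working by hand in telnet.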

Thursday, September 4, 2008


Dell Optiplex GX270 - Outlook would not launch - froze before giving the user a logon screen. Reinstalling Office 2003 & repairing Office 2003 did not solve the issue.

Trying to delete the user's profile froze the mail control panel.
Trying to add a new profile produced this message:

The time limit for logging on was reached while waiting for system resources. Try again.

Clicking OK on the message produced another error message code 0X8004xxxx (I didn't write it down)

I went to the properties of the Intel Pro/1000 MT network card & clicked on Configure. On the Advanced tab, I set the Speed & Duplex property to 100Mb Full & clicked OK. The network connection status changed from "connected" to "disabled" and the control panel froze.

I restarted the machine & logged on as a different user. I could add profiles & logon to Outlook.
Had the user log back on & everything works fine now.

Monday, August 4, 2008


If a user is logged into the domain, running the login.exe app for Attendant Solutions would generate a message box like this:

Open File - Security Warning

Name: At-Login.exe
Publisher: Unknown Publisher
Type: Application
From: T:\ATT

The publisher could not be verified. Are you sure you want to run this software?

This file does not have a valid digital signature that verifies its publisher. You should only run software from publishers you trust. How can I decide what software to run?

There are 2 choices - "Run" or "Cancel"

If I click on Run, the login screen comes up as usual, but after logging in, the program stops with an error:

Attendant Solutions (At-Start)

Error 52 { 52-Bad file name or number } occurred at 160 in ATStart


Logging on to the local machine instead of the domain works fine. The machine is still joined to the domain, but the user is logged on as a local user.

Mapping the drive by name, rather than by IP address (in the active directory logon script) solved this issue. Now the user can logon to the domain and run Attendant Solutions without issue.

Tuesday, July 29, 2008


The Hyperion plugin to Excel stops working.

In Excel, Click on the Help menu & choose “About Microsoft Office Excel”, Click on “Disabled Items”, select Hyperion from the Disabled Items list & click “Enable”.

Saturday, May 31, 2008


To get a RAID, Inc. Condor 12-bay RAID array to recognize new Western Digital WD2500JB drives, the jumper must be removed - setting the drive to "Single or Master". No other jumper setting will work.

32-bit operating systems will only recognize 2TB drives. An array larger than that requires a 64-bit OS.

Saturday, May 17, 2008


You can turn “Show all formatting marks” on in Microsoft Word & Outlook by hitting Ctrl+Shift+8. Occasionally, people turn this on accidentally so I’m guessing what happens is that they are trying to type an asterisk (Shift+8) & catch the Ctrl key at the same time. Ctrl+Shift+8 will turn it back off again. The other way to turn this feature on & off is to go to Tools-Options in Word (you must open a new e-mail first in Outlook to do this), then on the View tab uncheck "All" in the Formatting Marks section.

BTW, Ctrl+Shift+l (the letter l) will start a bullet point list. Ctrl+Alt+l will start a numbered list. The bullet list will continue each time you press the Enter key, but the numbered list requires another Ctrl+Shift+l to get the next number in the sequence.

Monday, May 12, 2008



“That being said, yes, you're correct, I'm one of the senior engineers at StorageCraft. I was also one of the core engineers who developed DriveImage/Ghost.”

From http://www.wilderssecurity.com/showthread.php?t=139716&page=11

It's fairly important to determine your exact needs before selecting a backup solution. Home users who don't care about disaster recovery have many free backup options. Technical home users can cobble together enough free stuff to make a passable backup/disaster-recovery solution. Enterprises, generally, need to be far more cautious about the software they place on their servers, and should carefully evaluate the software for stability (does it deadlock your system? do its services hang or crash? do its device drivers cause blue screens or do they have any interop issues with other drivers?), data integrity (are the back up image files good even after thousands of incrementals and splits? does it corrupt original data?), performance (does it use a lot of memory, leak memory, hog CPU or interrupt any applications?), security (does it protect your data? How are its APIs guarded?), and maintenance (is it automated, scriptable, can it be controlled remotely, can one console GUI control an entire enterprise, etc). If you are an enterprise customer, or a very discriminating customer, it would be advisable to ask the backup solution vendor these pointed questions and do your own due diligence as well.

A side note: If you are evaluating criteria like the above, in relation to memory leaking you will find that the Microsoft Volume Shadow Copy Service (VSS) on Windows XP has some bugs that will cause VSS requestor processes (VSS-aware backup applications) to leak memory on each snap/unsnap cycle. Also, on XP, on each snap/unsnap cycle the vssvc.exe service as well as a dllhost.exe process will leak a little memory. This is usually only an issue if you use a VSS-compliant backup application to automatically backup your data on regular intervals over a long period of time. These same leaks used to also occur on Windows Server 2003 however they have been fixed in a recent private (you must request it, KB923628, directly from MS support) hotfix for Windows Server 2003 only.

If you are an enterprise or extremely-discriminating user, the following may prove useful.

First let me warn you that I'm a bit biased on this topic (I'm an engineer who has worked on core components for a couple of the mainstream backup/disaster-recovery products out there, from competing companies). Also, my experience on this topic is limited to the Windows platforms.

I would recommend that you consider backup solutions that enable you to quickly recover individual files, as well as to quickly recover from a full system meltdown (ie. a hard disk crash). In my mind there are currently only three products which can do this with any degree of reliability. They are (in no particular order):

1) Symantec's Ghost (for Desktops) and LiveState Recovery (for Servers)
2) StorageCraft's ShadowProtect
3) Acronis' True Image

These three products share several similar traits. They all create backup images files which represent the entire state of a logical volume's data, rather than backing up individual files themselves. This enables you to perform full volume restoration should a disaster occur, such as a hard drive failure. They also enable you to easily restore individual files by allowing you to mount/browse into the contents of a backup image file. They allow you to backup your volumes in a hot/in-use state, so you do not need to stop any of your work or close any of your applications when the backup is performed. They allow you to set up a backup schedule so that the backups are automated and no user intervention is required to ensure that backups are occurring. They allow you to perform "incremental backups" which means that when a backup occurs, it will only backup the changes which occurred since the previous backup. They all provide a bootable "recovery environment" CD which contains a bootable OS as well as tools that can be used to restore/recover files and/or full volumes in the event that you are restoring to a machine which doesn't contain an OS, or if you are restoring an image file over your existing OS. They are all "enterprise ready" as they allow you to remotely manage large networks from one GUI console, contain scripting support, and are integrated with platform technologies (such as Microsoft's Volume Shadow Copy Service - more detail below).

I'll discuss how these products differ in their offerings of these features.

Hot Backups: This is probably the most important aspect of these products because this feature allows you to backup your machine with zero down time. You don't (at least you shouldn't - keep on reading) need to stop any of your applications in order to capture a good clean backup. This feature is made possible by a sophisticated "snapshot" device driver which can instantly capture the state of a logical volume at a specified time and expose this captured state to the backup software. Although Windows XP and 2003 ship with a built-in snapshot device driver (volsnap.sys), it is somewhat lacking in features (especially on XP) and altogether absent on Windows 2000. Therefore all of these products give preference to a proprietary snapshot device driver. The snapshot device driver used in Symantec's products is licensed to Symantec from StorageCraft (see the copyright file properties of pqv2i.sys or symsnap.sys). StorageCraft of course uses its own snapshot device driver (albeit a newer and better version) in ShadowProtect. Acronis also has its own snapshot device driver. There is a significant difference between the StorageCraft snapshot device driver and the Acronis device driver which results in a substantial difference in performance when incremental backups are created. StorageCraft's snapshot device driver is far more efficient and fast. This can be easily reproduced by creating a backup job and performing changes to many files after the first full backup and before an incremental backup. In this sense, Acronis is more of a desktop product as it simply consumes too much CPU and I/O bandwidth when taking incrementals which is less desirable on servers.

Scheduled Backups: The schedulers for these three products are very similar. One of the main differences is how frequently they allow you to backup your drives. Symantec's products allow you to backup a volume once every hour. StorageCraft's product allows you to schedule a backup to occur once every 15 minutes, however the schedule can be modified so that the backup will occur once every minute (which is possible because of StorageCraft's highly-optimized incremental imaging technology). Acronis' products allow you to schedule backups to occur on a volume once per day. Symantec and Acronis allow you to backup to CD or DVD. StorageCraft's solution does not currently support backup directly to optical media. Acronis users report many issues when they backup to optical media if the backup requires more than one disk (so called "spanned images"). Symantec's backup to optical media appears to be solid.

Platform Integration (VSS): Microsoft provides a framework called the "Volume Shadow Copy Service" (VSS) to assist in the creation of clean backups. This service can be used by backup products (called "VSS Requestors"), as well as by applications (called "VSS writers"), which create data (such as Exchange, SQL Server, etc). When a backup product requests a backup, it can tell VSS to "quiesce" these VSS-aware applications. This will cause these applications to perform a quick flush of their critical data, without interrupting anything, so that the snapshot device driver will capture their data in its optimal state. Interacting properly with VSS is critical to performing a good quality backup and if you are an enterprise customer you really need to give this particular issue some weight. Symantec's online knowledge base indicates that you must take down your Exchange server in order to successfully backup its data. StorageCraft and Acronis allow you to backup your Exchange server without taking it down. VSS-aware snapshot device drivers which provide snapshots of volumes to backup software are called "VSS Software Providers" and of the three products only StorageCraft's snapshot device driver is a true VSS Software Provider. Neither Symantec's nor Acronis' device driver is a VSS software provider. You can verify this by installing these three products and then typing the command:

C:\> vssadmin list providers

You will see Microsoft's system provider "volsnap" as well as StorageCraft's VSS software provider.

File Recovery (Mounting/Browsing Image File Contents): When a backup is taken, an "image file" is created, which contains the data necessary to represent the contents of a volume at a given time. An incremental image file is dependent upon the data in the previous incremental image file, and this dependency chain runs all the way back to the first full/base image file created for a particular volume. This first (full/base) image file usually contains all in-use sectors so it is generally very large. All of these products allow you to compress and/or encrypt these image files. In order to allow users to restore individual files from a backup image, all of these products allow you to "mount" your backup images as virtual drives. Symantec's products also ship with a secondary "image file browser" application which allows for browsing without mounting. There are subtle differences in the mounters. All of these mounters allow you to make changes to the mounted image, but only the StorageCraft and Acronis mounters allow you to save your changes. StorageCraft's mounter allows you to mount to both drive letters and to specified directories (called "mount points") so you are not limited to 26 concurrent mounts. Symantec's mounter, like its image browser, is rather resource-hungry (uses a lot of memory) and is simply incapable of mounting multiple terabyte-sized volumes concurrently. I don't have benchmarks on terabyte-image mounting for Acronis. StorageCraft's mounter allows you to mount *hundreds* of terabyte-sized volumes concurrently. This can be easily done by creating a full image, and then many incremental images with modified data, of a particular terabyte-sized volume, then mounting the full and all of the incremental images concurrently. Each mount should present a full terabyte-sized volume. Large volume support is critical to the enterprise, and is becoming more common on desktops as well.

Disaster Recovery: To recover from a disaster, where no OS exists on your machine, or to restore an image over your existing OS, or to restore an existing image to a bare machine (one whose hard drive is blank - this is called "Bare Metal Recovery/Restore"), you must be able to boot some OS under which the recovery software can run and have access to the backup image file(s) and to the hard disk controller and hard drive to which you wish to restore the image. Acronis uses a bootable recovery CD based on Linux. StorageCraft and Symantec both use a bootable recovery CD based on Windows. In my opinion, the Windows-based recovery environments are superior for Windows imaging products because they contain a larger set of device drivers on the CD for greater device coverage. This means that you are more likely to be able to access your backup images from your network, media, or USB device, and to be able to see and access the drive to which you wish to restore the image, using a Windows-based recovery environment than you are with a Linux-based recovery environment. It's very important that you test the recovery environment BEFORE a disaster occurs to ensure that it can see your drives and the location on which you're saving your backups. The StorageCraft and Symantec Recovery environments are very similar. StorageCraft provides some useful options which are not available from Symantec. For instance, StorageCraft's recovery environment, at the start of its boot, allows you to choose if you wish to boot with the minimum or maximum driver configuration. If you don't need to access exotic drive or network devices, the minimum configuration is usually sufficient and boots much faster (usually around 2-3 minutes faster). For the enterprise-conscious user, both StorageCraft and Symantec ship their recovery environment with a tool that allows a remote administrator to manage the recovery environment, however this tool is free of cost from StorageCraft yet quite expensive from Symantec. Acronis and Symantec advertise that they allow you to restore an image to a different machine (aka "Universal Restore"), however in my experience I have been disappointed by this feature in both of these products as I have *never once* succeeded in restoring to a different machine (in many test cases) using LiveState or True Image. Acronis and Symantec will allow you to restore an image to a volume which is smaller than the volume that was used to create the image. A typical user will create one big primary partition that consumes their entire disk. For these typical users, if they plan to restore to a hard drive that is smaller than their original drive, then this feature is an important point to consider.

Deployment: The installation experience for these products is very different from one to the next. For the enterprise user, Acronis' enterprise product actually consists of several separate (and unintegrated) product installations. This is an awkward and time consuming affair. Acronis's install is not dependent on the .NET framework. StorageCraft's install is a single installation file which contains all features, fully integrated (the total installer size is 9MB). StorageCraft's install is not dependent on the .NET Framework. Symantec's installer is a single install as well, however it does depend on the .NET framework, and therefore can be quite lengthy and consume a good deal of disk space.

None of these products are perfect, and like I said, I'm biased, so play it safe and evaluate them all.
Last edited by grnxnm : September 2nd, 2006 at 12:28 AM.

Which, if any, of these will work with my RAID array as my only hard drive?

When installing Windows, you need to install a driver for it (the F6 option) -- an Intel ICH7R. Obviously, for anything that runs while Windows is running, access to the drive is not an issue. I'm concerned primarily about the restore case -- with separate boot floppies/CDs/partitions, will I have a driver available to access the RAID array? I used to use Ghost 9 but gave up with Ghost 10 for all of the reasons I've seen expressed by others. So, I'm looking for a replacement product.
In the Windows world, your best bet (IMHO) at gaining access to your RAID drive(s) from the recovery environment is to use a recovery environment which has the greatest device coverage, hence one which is based on Windows itself. Both ShadowProtect and Ghost/LiveState ship with recovery environments (bootable CDs) which are based on Windows. When you boot the recovery CD of these products, you will have the option to press F6 and feed in your miniport diskette. Often though you'll find that, for the more common host bus adapters, the miniport device driver for your adapter is already included on the recovery CD and is automatically loaded when the CD boots. If you intend to use your backup product for quick disaster recovery (to quickly recover your system boot volume), then it is critical that you first ensure that the recovery environment of your chosen product is capable of accessing both the drives/media/network resources on which your backup images are stored as well as the drive(s) to which you will be restoring images. Acronis True Image has a recovery environment which is based on Linux, and this can cause problems when you attempt to access certain devices. Windows-based recovery environments are better, and hence the easiest solution for this issue is ShadowProtect or Ghost/LiveState. For enterprise (corporate) customers there are additional incentives for using a Windows-based recovery CD. For instance, Windows automatically supports Dynamic Volumes. Trusting that some non-Windows recovery environment properly supports dynamic volumes, especially as the structures that define them (licensed from Veritas to Microsoft) are all proprietary and undisclosed, is a stretch.

From http://www.wilderssecurity.com/showthread.php?t=139716&page=12

It was my understanding that image based backups locked the drive currently being backed up.

Oh, I see. This is true for older generation backup products, which do not incorporate snapshot technology. However, latest-generation image-based backup applications usually employ snapshot technology, and the sole purpose of snapshot technology is to enable the backup application to capture the state of the volume at a point-in-time without the need to lock the volume or stop any of the applications that are using files on the volume.

Maybe it would be useful to the forum to describe exactly what "snapshot technology" is. The goal of snapshot technology is to instantaneously capture all of the data on a volume at a given point in time without interrupting I/O to that volume (without locking anything, stopping applications, etc). This is invariably implemented using an "upper volume class filter device driver" which intercepts I/O underneath the file system, but above the volume devices (see the storage stack diagram below). When the snapshot device driver is instructed by the backup application to establish a snapshot of a given volume, it immediately starts tracking changes that occur to that volume. Each time a write occurs on the volume the snapshot driver first copies off the old data that was already at the location into some scratch pad area and then allows the new write operation to continue on down to the device. Thanks to this copy-on-write mechanism, the snapshot driver is able to preserve all of the information necessary to expose to a backup application the data that was on a volume at a given point in time. Snapshot drivers usually expose the snapshot point-in-time by creating a virtual device similar to a volume device. The backup application will read the sectors on this virtual device in the same way that it would have read them from the real volume. The backup application *may* lock access to this virtual snapshot device, but keep in mind that this virtual device is generally only used by the backup application (it's not visible to normal applications). Locking the virtual snapshot device has no effect on the actual volume device that is being backed up - the real device is never locked and remains accessible to applications.

Because snapshot device drivers sit within the storage stack itself, they have absolute control of the flow of I/O to the disk. When a snapshot driver is instructed to establish a snapshot, it takes only a few microseconds, if not less time, for it to halt I/O to the device and establish the necessary in-memory structures necessary to maintain mappings of which sectors have been changed (causing copy-on-write operations) since the establishment of the snapshot, and then to allow I/O to recommence. It's important to understand that there is a difference between the act of "taking a snapshot" and the act of "imaging the data on a snapshot". Taking a snapshot requires only a few microseconds, if not less time. Imaging the snapshot is the process of backing up all of the data that are exposed by the snapshot device driver for a particular point-in-time (usually exposed as I mentioned by a virtual volume device), which is all of the data on the drive at a given point in time, and this can be a lengthy process.

When a plain-vanilla snapshot device driver creates a snapshot of a volume, it is instantaneously capturing the volume's state at a given time, and the state of the volume's data is very similar to the state of its data if you kill the power to the computer. This is called a "crash consistent" state. The reason for this is that, at any given time, many files are open and in use and also the file system itself can have structures which are write-cached and have not yet been flushed. Creating a plain-vanilla snapshot captures the data in this in-use state, so it's not a very clean snapshot (it's "crash consistent").

VSS was introduced with Windows XP, and one of its primary purposes is to facilitate the establishment of snapshots when the data is in a clean state. To do this, backup applications and snapshot drivers must be written to interact with VSS. VSS controls the snapshotting process. The backup application will ask VSS to take a snapshot, using a specified snapshot "provider" (snapshot device driver). VSS will then tell all VSS-aware "writers" (applications which generate data such as Exchange, Oracle, SQL, IIS, and many system services such as the registry, etc) to quiesce (meaning that these applications flush their files to disk in a state that is clean and then pause for a small moment until they are told to resume activity) and then VSS will send a special flush-and-hold message (IOCTL) to the file system on the volume on which the snapshot is being established and when the file system receives this flush-and-hold message it will flush all of its metadata to disk and it will then send this flush-and-hold message further down the stack and the file system will not send any more I/O down the stack until the flush-and-hold IOCTL is completed by the snapshot driver which resides below it (which establishes an I/O barrier at the file system level). When the snapshot driver receives the flush-and-hold IOCTL, it knows that all VSS-aware applications as well as the file system itself have flushed their data in a clean state, so it establishes the snapshot and then completes the flush-and-hold IOCTL, which completion event is then received by the file system driver above it at which point the file system driver releases I/O and passes the completed flush-and-hold IOCTL back to the VSS service, which then releases all of the VSS-aware applications. Through this mechanism, VSS-compliant backup software, which use VSS-compliant providers, can create backups of extremely high-load Exchange, Oracle, IIS, SQL, etc. servers on a regular basis without the need to stop any services or applications, without shutting down the machine, while also ensuring that the backups contain good clean data (databases will not need to be fixed/repaired if they are restored, because VSS ensures that they are captured in a good state).

On platforms older than XP, where VSS is not present, other techniques are used to obtain images which are better than crash consistent state images. For instance, some snapshot drivers implement their own I/O barrier at the file system level (using a file system filter driver), if necessary, and on platforms that lack VSS (Windows NT and 2000) the driver is capable of performing the file system flush-and-hold operation which is natively supported on XP+. This enables it to perform snapshots at a time when the file system's metadata has been flushed to disk. Coupled with this is a more manual quiescence process which is facilitated by the backup application itself, which enables users to specify scripts which they wish to be called before and after the establishment of the snapshot, which scripts can be used to stop/start services, etc (or in other words, the scripts are a way of quiescing important applications). While this is more tedious, it gives users of older platforms, that lack VSS, some of the advantages of VSS.

Windows Storage Stack

I/O within the Windows kernel flows from one driver to the next until it is finally passed directly to the hardware device. Each type of device typically has several layers of drivers that manage I/O as it flows to the device. For storage, I/O generally is initiated in user mode (from applications) and is passed to the kernel's I/O manager where it is then forwarded to the appropriate file system driver, then to the volume class driver, then to the disk driver, and finally to the storage controller port driver. Filters can be added at any level in this stack.

Win32 Application(s)

Win32 Subsystem

Native NT API

I/O Manager

File System Filter Driver(s) such as AntiVirus Drivers

File System Driver such as NTFS.SYS

Volume Filter Driver(s) such as Snapshot Driver

Volume Driver

Filter Driver(s)

Disk Driver

Filter Driver(s)

Port and Miniport

Actual hardware
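The copy-on-write mechanism described in the post above, as an added Python sketch that is not part of the original forum post or any product's code. The `Volume` and `SnapshotFilter` classes, the 4-byte sectors and the sample writes are constructed for illustration.

```python
"""Added example: a toy copy-on-write snapshot filter above a volume."""


class Volume:
    """Stand-in for the real volume device: a list of fixed-size sectors."""

    def __init__(self, sectors):
        self.sectors = list(sectors)

    def read(self, n):
        return self.sectors[n]

    def write(self, n, data):
        self.sectors[n] = data


class SnapshotFilter:
    """Hypothetical volume filter: every write to the volume passes through it."""

    def __init__(self, volume):
        self.volume = volume
        self.scratch = None   # sector -> data at snapshot time; None = no snapshot
        self.cow_copies = 0   # how many sectors had to be copied aside

    def take_snapshot(self):
        # Cheap: only an empty change map is set up, no data is copied yet.
        self.scratch = {}

    def release_snapshot(self):
        self.scratch = None

    def write(self, n, data):
        # Copy-on-write: before the FIRST overwrite of a sector since the
        # snapshot, save the old contents to the scratch area.
        if self.scratch is not None and n not in self.scratch:
            self.scratch[n] = self.volume.read(n)
            self.cow_copies += 1
        self.volume.write(n, data)   # then let the write continue down

    def read(self, n):
        """Live view: what applications see. Never blocked by the snapshot."""
        return self.volume.read(n)

    def snapshot_read(self, n):
        """Point-in-time view: what the backup application images."""
        if self.scratch is None:
            raise RuntimeError("no snapshot established")
        if n in self.scratch:
            return self.scratch[n]     # sector changed since the snapshot
        return self.volume.read(n)     # unchanged, so the live data is still valid

    def changed_sectors(self):
        return sorted(self.scratch) if self.scratch is not None else []


def demo():
    """Constructed scenario: writes before and after the snapshot is taken."""
    flt = SnapshotFilter(Volume([b"AAAA", b"BBBB", b"CCCC", b"DDDD"]))
    flt.write(0, b"a0a0")      # before the snapshot: nothing is copied aside
    flt.take_snapshot()
    flt.write(1, b"b1b1")      # first overwrite of sector 1: old data saved
    flt.write(1, b"b2b2")      # second overwrite: already saved, no new copy
    flt.write(3, b"d1d1")
    image = [flt.snapshot_read(n) for n in range(4)]
    live = [flt.read(n) for n in range(4)]
    return image, live, flt.cow_copies, flt.changed_sectors()


if __name__ == "__main__":
    image, live, copies, changed = demo()
    print("snapshot image :", image)
    print("live volume    :", live)
    print("sectors copied :", copies, "changed:", changed)
```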

And changes on one volume are related to changes on other volumes, e.g., due to registry references to other volumes.

I'm glad you brought that up! In fact, this specific scenario (where dependent data is spread across multiple volumes) is specifically addressed by the VSS framework, and mechanisms are in place within VSS to ensure that interdependent multi-volume data can all be flushed simultaneously and all captured in a clean state, without interrupting application services.

From http://www.wilderssecurity.com/showthread.php?t=139716&page=13

Any sector-based imaging product that supports incremental imaging will generate very large incrementals if you defrag a volume in between backups.

From http://www.wilderssecurity.com/showthread.php?t=139716&page=15

A side note: You mentioned "Drive Snapshot". While this product may work just fine for the home user, I would advise the Enterprise user to use caution if they are considering adopting it as a solution. Drive Snapshot employs what is generally considered to be a dangerous technique (dispatch table hooking) which enables it to dynamically insert its volume filters into the storage stack. The net effect is that Drive Snapshot can install without the need to reboot, however the cost is that it employs this risky (and frowned upon) technique. Ask anyone in the main driver development forums (OSR's NTDEV and NTFSD email lists) or any of the DDK team at Microsoft what they think of dispatch table hooking in an enterprise solution and you'll find that it's not advisable. Just do your due diligence - test the heck out of it and especially do interop testing with other volume filter drivers. Who knows, perhaps Tom Ehlert's dispatch table hook is solid. It's a cool trick, that's for sure.

ShadowProtect doesn't modify the MBR in order to operate. ShadowProtect will always back up the MBR, as well as the entire first track, each time a backup is made. It's important that not only the MBR be backed up, but all 63 sectors of the first track need to be backed up, because products that inject boot loader code into the MBR often also inject code/data into the additional "hidden sectors" of the first track on the disk. If you backup and restore only the MBR, there's the possibility that you have restored only a portion of a boot-loader-injected app. To be safe, you must back up and restore the entire first track, including the MBR. However, if you have a standard MBR, with no injected boot-loader code, then there's no need to restore the MBR or any of the hidden sectors at restore time.

A note on MBR restoration - a portion of the MBR is of course the partition table itself. The rest of the MBR sector is executable code. When we restore the MBR, we of course do not destroy the existing partition table, but rather we restore the CODE portion of the MBR.

At restore time, ShadowProtect will allow you to choose between these options:

1) not do anything to the existing MBR and hidden sectors
2) restore the MBR along with the image that you're restoring
3) restore the MBR AND the entire first track along with the image you're restoring
4) Lay down the standard MBR along with the image you're restoring.

I didn't realize that First Defense-ISR modifies the MBR in order for it to operate. This, to me, suggests that they're using an int 13h hook in order to filter disk I/O. A strange, and unnecessary, approach for a windows product. Windows itself provides a safe framework for volume filtering, which is interop-friendly. Any product that injects code into the MBR will almost certainly cause issues with other products that do the same. So, be cautious - make sure that if you use this product you never install some other software which also uses boot-loader code (such as a disk encryption product). It's a great recipe for very nasty interop problems.

ShadowProtect leverages Windows' own support for RAID, SCSI, USB, etc., by always running from within Windows (2000/XP/2003/WinPE), so you will have the same device support as you have from within Windows. I'm not sure what your question is about drive letter assignment, can you please clarify? As far as speed goes, we did a lot of benchmarks to ensure that our product's speed meets or beats the competition. We also did a lot of optimization to ensure that we use less (often far less) CPU and memory during our most intensive operations. Bare Metal Restore/Recovery (BMR) is of course supported using the bootable ShadowProtect Recovery Environment CD. Image sizes are only limited by the file system which contains the image files. FAT32 files can only be <= 4GB in size, so if you are backing up a large volume and storing the image on a FAT32 volume, ShadowProtect will automatically split the image into 4GB pieces (this is a so called "split image"). Also, you can instruct ShadowProtect to split the image at a particular size if you wish to later archive the split pieces to optical media (note that ShadowProtect doesn't *yet* support archiving directly to optical media). Image sizes when stored on NTFS volumes can be up to 2^64 bytes in size (truly massive). Assuming the partition is sufficient in size, you can restore an image to any partition, regardless of whether it is the active partition or not. At restore time, you can also decide if you want the partition to which you're restoring to become an active partition if it is not currently the active partition. See comments above regarding interactions with the MBR and partition table. I'm glad you mentioned the BOOT.INI - after restoring a volume, ShadowProtect parses the existing BOOT.INI file to ensure that the system is still bootable, and if the BOOT.INI is invalid it will patch the BOOT.INI so that the system will boot (and back up the original BOOT.INI). Migrating to similar hardware is not a problem. 
Migrating to significantly different hardware ("Restore to Anywhere") is not currently supported, however this feature will be in the next major release and is in fact 100% coded and we have been demoing it to partners (see paragraph below for more details). Speaking of "Restore to Anywhere," I'm personally very disappointed with the implementation of this feature in both Ghost/LiveState and TI, as I have never *once* successfully used this feature in either product. I hope that our solution will prove to be much more robust (I can tell you that right now, in alpha state, it's already way faster than the equivalent feature in the competitions' products, way easier to use (just check a box, no need to install anything else, works with all your older images unmodified), and already works in most of the cases we've tested it against). When I say "significantly-different" hardware, what I mean by this is:

- Restoring to a machine that has a different motherboard chipset (VIA, Intel, AMD, SiS, nForce, etc).
- Restoring to a machine that has a different type of interrupt controller (PIC, APIC, etc).
- Restoring to a machine that supports a different number of CPUs (uni vs. multi)
- Restoring to a machine that has a different storage controller

Regarding "conflicts with other running utilities", or interop issues in general, and the problems the forum members have had with other "snapshot" utilities, it may be useful to understand the pedigree of StorageCraft's snapshot device driver. All complex drivers will occasionally have interop issues. However, the more exposure your driver has, the more likely you are to discover and fix these interop issues.

ShadowProtect's snapshot driver was developed by two DDK MVPs (MVPs are individuals who're globally recognized as being the most knowledgeable/helpful in a particular Microsoft-related technology - in this case these guys are world renowned device driver developers). Our snapshot device driver is actually licensed by many companies for inclusion in their own products (Ghost, for instance, uses our snapshot driver, as does VMware, LiveVault, Dantz (in Retrospect), and a host of others). Due to its wide exposure over the years (it's been shipping in commercial products for around 5 years) and large install base (our driver is installed on literally tens of millions of computers), we've had the time and exposure necessary to shake out the vast majority of bugs.

StorageCraft's core competency has always been the development of kernel mode technologies (device drivers). In fact, for many years, StorageCraft was purely a tools vendor, licensing tools to other software shops to help them to build products. Over the last 2.5 years, we've transformed into a products company. I suppose that we just got tired of watching others wrap our technologies with GUIs and make insane profits from it. We figured we could probably make a better product as we are the actual developers of the core technology itself.

Rollback Rx does NOT use our snapshot driver.

From http://www.wilderssecurity.com/showthread.php?t=139716&page=16
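The MBR layout the post above relies on (boot code, then the partition table, then the signature, followed by the hidden sectors of the first track), as an added Python example that is not ShadowProtect's code and not part of the quoted post. The sample sectors are constructed and all function names are this example's own.

```python
import struct

SECTOR = 512
FIRST_TRACK_SECTORS = 63   # sector 0 (the MBR) plus 62 "hidden" sectors
CODE_END = 446             # bytes 0..445: boot code (Windows also keeps a
                           # 4-byte disk signature at offset 440 in this area)
TABLE_END = 510            # bytes 446..509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # bytes 510..511


def check_mbr(sector):
    """Reject anything that is not a 512-byte sector ending in 0x55AA."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[TABLE_END:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")


def partitions(sector):
    """Return the non-empty partition table entries of an MBR sector."""
    check_mbr(sector)
    found = []
    for slot in range(4):
        raw = sector[CODE_END + 16 * slot: CODE_END + 16 * (slot + 1)]
        status, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", raw)
        if ptype != 0:
            found.append({"slot": slot, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return found


def restore_code_only(current, backup):
    """Take the boot code from the backup, keep the disk's current partition table."""
    check_mbr(current)
    check_mbr(backup)
    return backup[:CODE_END] + current[CODE_END:TABLE_END] + BOOT_SIG


def used_hidden_sectors(track):
    """Sector numbers 1..62 of the first track that hold any non-zero byte."""
    if len(track) != FIRST_TRACK_SECTORS * SECTOR:
        raise ValueError("expected the full 63-sector first track")
    return [n for n in range(1, FIRST_TRACK_SECTORS)
            if any(track[n * SECTOR:(n + 1) * SECTOR])]


def restore_scope(backup_track):
    """Data in the hidden sectors means the MBR alone is only part of the loader."""
    return "mbr+first-track" if used_hidden_sectors(backup_track) else "mbr-only"


def make_entry(active, ptype, lba, count):
    """Build one 16-byte partition entry (CHS fields left zero)."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba, count)


def make_mbr(code, entry):
    """Build a 512-byte MBR from boot code bytes and a single partition entry."""
    return code.ljust(CODE_END, b"\x00") + entry.ljust(64, b"\x00") + BOOT_SIG


# Constructed sample data: a backed-up first track whose loader also uses
# hidden sector 5, and a current MBR with a different partition size.
BACKUP_MBR = make_mbr(b"\xfa\x33\xc0BACKUP-LOADER", make_entry(True, 0x07, 63, 204800))
CURRENT_MBR = make_mbr(b"\xfa\x33\xc0OTHER", make_entry(True, 0x07, 63, 409600))
_hidden = bytearray(62 * SECTOR)
_hidden[4 * SECTOR:4 * SECTOR + 6] = b"stage2"   # lands in track sector 5
BACKUP_TRACK = BACKUP_MBR + bytes(_hidden)

if __name__ == "__main__":
    merged = restore_code_only(CURRENT_MBR, BACKUP_MBR)
    print("partition table kept:", partitions(merged))
    print("hidden sectors in use:", used_hidden_sectors(BACKUP_TRACK))
    print("restore scope:", restore_scope(BACKUP_TRACK))
```
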

Oh, also, I should mention that the Desktop Recovery Environment is a Windows Server 2003-flavored WinPE. This means that you need the Windows Server 2003 version of the miniport diskette for your storage controller, even if you don't use Windows Server 2003 on your actual computer. If you can't find a Server 2003 miniport diskette, then one for XP usually works.

From http://www.wilderssecurity.com/showthread.php?t=139716&page=17

I had an interesting conversation with Howard today and I thought I'd mention one thing that we discussed which may be of use to anyone who uses ShadowProtect, Ghost, True Image, or any similar product with incremental capability on a multi-OS-boot system.

Typically, when you install a snapshot-based imaging product, a snapshot device driver is installed along with the product. If you're generating incremental images, then this feature is often supported by the snapshot driver which keeps track of the sectors that have changed since the previous full/incremental backup. When you shut down your system, this change list is serialized to disk and reloaded on boot. If you boot to another OS, on which the snapshot driver is not installed, and make changes to a volume on which this "incremental tracking" is being performed, the tracking will not occur within this other OS environment, and so when you boot back to the original OS and generate a new incremental, it won't be a good incremental.

So, generally speaking, follow this guideline: If you use snapshot-based incremental backup on a multi-boot system, only create full/differential images, but never incremental images. Data integrity is key.

Does not apply to True Image.

Wow, that's very interesting! That, combined with the evidence that TI's incremental performance degrades very quickly when you make a lot of changes to your volume from one incremental to the next, strongly suggests that TI's internal implementation for their "incremental" feature is actually an abbreviated differential implementation. There are pros and cons to this. The pros are that it won't have issues with multi-boot environments. The cons are that performance will be very poor for backup jobs that perform incrementals on high-load servers. Hence the product is poorly suited for enterprise servers, but for multi-OS-boot end users it has a distinct advantage (if they want dependable (theoretically) incremental capability and also want to boot to multi OSs).
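A small model of the failure described in the posts above, added here as an example (not code from ShadowProtect, True Image or any other product): a change-tracking driver misses a write made while another OS is booted, so the restored incremental chain differs from the live volume, while a delta built by comparing block hashes does not. All class and function names are hypothetical and the block contents are constructed.

```python
import hashlib


def block_hashes(blocks):
    """SHA-256 of every block, used to build deltas and to verify restores."""
    return [hashlib.sha256(b).hexdigest() for b in blocks]


class TrackingDriver:
    """Model of a snapshot driver that records blocks written through it."""

    def __init__(self, volume):
        self.volume = volume      # list of bytes objects, one per block
        self.changed = set()      # the "change list" serialized at shutdown

    def write(self, n, data):
        self.volume[n] = data
        self.changed.add(n)

    def take_incremental(self):
        """Emit only the tracked blocks, then start a fresh change list."""
        delta = {n: self.volume[n] for n in sorted(self.changed)}
        self.changed.clear()
        return delta


def write_from_other_os(volume, n, data):
    """A write made while a second OS is booted: the driver never sees it."""
    volume[n] = data


def compare_delta(volume, base_hashes):
    """Delta built by hashing every block against the base image (no driver state)."""
    current = block_hashes(volume)
    return {n: volume[n] for n in range(len(volume)) if current[n] != base_hashes[n]}


def restore(full, deltas):
    """Apply a chain of deltas on top of a full image."""
    blocks = list(full)
    for delta in deltas:
        for n, data in delta.items():
            blocks[n] = data
    return blocks


def mismatched_blocks(restored, live):
    """Verification pass: block numbers where the restore differs from the live volume."""
    pairs = zip(block_hashes(restored), block_hashes(live))
    return [n for n, (a, b) in enumerate(pairs) if a != b]


def run_scenario():
    full = [b"A%d" % n for n in range(8)]    # constructed base image, 8 blocks
    volume = list(full)
    driver = TrackingDriver(volume)

    driver.write(1, b"B1")                   # normal write, tracked
    write_from_other_os(volume, 3, b"X3")    # multi-boot write, not tracked
    driver.write(6, b"B6")                   # back in the first OS, tracked

    by_compare = compare_delta(volume, block_hashes(full))
    tracked = driver.take_incremental()
    return {
        "tracked_blocks": sorted(tracked),
        "compare_blocks": sorted(by_compare),
        "tracked_mismatch": mismatched_blocks(restore(full, [tracked]), volume),
        "compare_mismatch": mismatched_blocks(restore(full, [by_compare]), volume),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The verification pass is the practical check: restoring the chain to scratch space and comparing hashes against the source exposes a bad incremental before it is needed.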

Friday, May 2, 2008


From the command prompt, dir /a will show hidden files & directories (dir /ad limits the listing to directories, hidden ones included)

From the command prompt, once you have navigated to a folder, you can type explorer . (explorer space period) & Windows Explorer will open in that folder.

Monday, April 28, 2008


To increase the size of everything in Windows – go to Display Properties – Settings tab – Advanced button – General tab – Change the DPI setting to 120DPI.

Thursday, April 24, 2008


Outlook config files:

Outlook data files (.pst)
drive:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook

Offline Folders file (.ost)
drive:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook

Personal Address Book (.pab)
drive:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook

Offline Address Books (.oab)
drive:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook

Command bar and menu customizations (.dat)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Outlook

Navigation Pane settings (.xml). This file includes Shortcuts, Calendar, and Contact links.
drive:\Documents and Settings\<username>\Application Data\Microsoft\Outlook\Outlook.xml

Registered Microsoft Exchange extensions (.dat)
drive:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook

Outlook contacts nicknames (.nk2)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Outlook

Rules (.rwz)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Outlook
Note: If you upgraded from a version of Outlook prior to Outlook 2002, you may have a .rwz file on your computer hard disk drive. The file is no longer needed and the rules information is now kept on the server for Microsoft Exchange email accounts, and within the personal folders file (.pst) for POP3 and IMAP email accounts. You can delete the file.
If you use the rules import or export feature, the default location for .rwz files is: drive:\Documents and Settings\<username>\My Documents.

Print styles (Outlprnt with no extension)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Outlook

Signatures (.rtf, .txt, .htm)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Signatures

Stationery (.htm)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Stationery

Custom forms
drive:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Forms

Dictionary (.dic)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Proof

Templates (.oft)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Templates

Send/Receive settings (.srs)
drive:\Documents and Settings\<username>\Application Data\Microsoft\Outlook

Message (.msg, .htm, .rtf)
drive:\Documents and Settings\<username>\My Documents

from http://web.mit.edu/ist/products/outlook/backup.html

Wednesday, April 23, 2008


The 1st time a user logs into Citrix, they get the following prompt:

Window Name:
Client File Security

A server application is requesting access to your local client files.

What access do you want to grant?
No Access
Read Access
Full Access

Do you want to be asked again?
Always ask me
Never ask me again for this server
Never ask me again

To reset these rights after they have been set:

From the users’ session, click on the Citrix icon (red ball on a black square) in the upper left hand corner of the frame. Select “File Security Status” and you can reset the security options.

Friday, April 11, 2008


Installed Safari on my Vista machine today. Initial impressions:

No Home Page button by default. What???

Can’t open home page in new tabs.

No option to go forward or back more than 1 page.

Ugly gray interface.

At least auto inline complete is there.

There’s no button to open a new tab – Right-click or Ctrl-T only – not great when I’m using my tablet PC.

No option to reopen tabs when closing the application.

Easily my least favorite Windows browser. I’m not a big Opera fan, but this makes me want Opera.

Thursday, April 10, 2008


Removed Alltel’s Officesync today. Phone rang, the device locked up, I had to hard boot it. After restart, the Officesync inbox was missing. Notification of new mail was still there, but there was no Inbox to see the messages. I didn’t like that Officesync created another inbox instead of using the existing Outlook inbox. I also found the additional Officesync calendar to be woefully inferior to the already existing Outlook calendar. Again, why not just use the existing Outlook features, or at least give the option when installing?


Formulas won’t work in Excel if the cell formatting is set to “Text”. Formulas will also not calculate if calculation is set to “Manual” in the Excel Options.


Windows Media Player 11 has an additional option under Sharing in Windows Vista:

Find media that others are sharing


Windows RDP/RDC tips:

To get to the console of the remote machine using Windows Remote Desktop Connection, from the run command use MSTSC.EXE /CONSOLE

To restart a remote machine that is running Vista, click on Windows Security on the Start Menu of the remote machine (right above the normal disconnect/logoff icons). From the Windows Security screen click on the power button icon in the lower right-hand corner & choose Restart.


There are settings in the Java control panel to modify whether Java will store cached files.


MemMaid app for Windows Mobile:

I have constant memory issues with my HTC 6800 – I have to restart the phone every morning to get through the day without lockups & display issues. I was hoping that MemMaid would allow me to reclaim the memory that leaks throughout the day, but it does not. I like some of the other utilities it provides, but the main thing I wanted was to reclaim memory.

Zumobi app for Windows Mobile:

On my HTC 6800, it takes about 50 seconds for the app to launch & then another minute to finish loading the tiles.

It consumes about 10MB of RAM, which is a lot on this memory deprived device.

While I like the idea, I think there’s too much wasted space in the display of the tiles & I don’t like that I can’t click on a tile & go straight to that tile.

I would prefer that the “back” button be one of the soft keys at the bottom of the phone, rather than the “Z”.


“If the reminder option is enabled but you're still not receiving the reminder pop-up, then try running the following command-line switches to resolve the issue /cleanreminders and /resetfolders.”




Temp folder for Outlook attachments is set by the following registry key:


The location must be followed by a trailing \

Interestingly, if you login to Windows as a different user (with admin rights), you can see the hidden OLKxxx folder in C:\Documents and Settings\User Name\Local Settings\Temporary Internet Files\


BTI Attendant Solutions

Map \\XXXX-BTI2\C$ - user must be an administrator on the server

If you get this error when launching Attendant Solutions:

“LINEMON.OCX or one of its dependencies is not correctly registered.” Go to the mapped drive & navigate to WINNT\System32 – copy the LINEMON.OCX file to the local machine’s system32 folder.


Chkdsk runs every reboot – volume is dirty

From http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/defrag.mspx?mfr=true


If a volume's dirty bit is set, this indicates that the file system may be in an inconsistent state. The dirty bit can be set because the volume is online and has outstanding changes, because changes were made to the volume and the computer shutdown before the changes were committed to disk, or because corruption was detected on the volume. If the dirty bit is set when the computer restarts, chkdsk runs to verify the consistency of the volume.

Every time Windows XP starts, Autochk.exe is called by the Kernel to scan all volumes to check if the volume dirty bit is set. If the dirty bit is set, autochk performs an immediate chkdsk /f on that volume. Chkdsk /f verifies file system integrity and attempts to fix any problems with the volume.



To query the dirty bit on drive C, type:

fsutil dirty query C:

Sample output:

Volume C: is dirty


Volume C: is not dirty


1. Select R to repair your installation, then select C to start the RC.

2. When prompted, review the available XP installations and enter the number that appears next to the XP installation that you want to repair.

3. Enter the Administrator account password.

4. Navigate to the System32 folder. For example, type

cd \windows\system32

5. Rename the winlogon.exe, msgina.dll, shell32.dll, and shlwapi.dll files with the .old file extension by typing

ren winlogon.exe winlogon.old

ren msgina.dll msgina.old

ren shell32.dll shell32.old

ren shlwapi.dll shlwapi.old

6. Copy the service pack version of these files to the System32 folder by typing

cd ..\servicepackfiles\i386

copy msgina.dll c:\windows\system32

copy shell32.dll c:\windows\system32

copy winlogon.exe c:\windows\system32

copy shlwapi.dll c:\windows\system32

7. Reboot the computer.


At the command prompt in Recovery Console, type the following line, and then press ENTER:

expand d:\i386\driver.cab /f:filename [path]

In this command, replace d: with the CD-ROM drive letter, filename with the name of the file to expand, and path with the folder in which to copy the driver file. Typically, driver (.sys) files are stored in the %SystemRoot%\System32\Drivers folder.

For example, to replace the Atimpab.sys driver file, you might type:

expand d:\i386\driver.cab /f:atimpab.sys %systemroot%\System32\Drivers\

Note that in this command, you must use the /f switch because the Driver.cab cabinet file contains more than one file.


Brother Printer Config info:

Password: access

The Printer Settings Page prints a report listing all the current printer settings including the network print server settings. You can print the Printer Settings Page using the printer control panel.

1 Make sure that the front cover is closed and the power cord is plugged in.

2 Turn on the printer and wait until the printer is in the Ready state.

3 Press the Go button three times. The printer will print the current printer settings.

Restoring the network settings to factory default

If you wish to reset the print server back to its default factory settings (resetting all information such as the password and IP address information), please follow these steps:

1 Turn off the printer.

2 Make sure that the front cover is closed and power cord is plugged in.

3 Hold down the Go button as you turn on the power switch. Keep the Go button pressed down until the Toner, Drum and Paper LEDs light up. Release the Go button. Make sure that the Toner, Drum and Paper LEDs are off.

4 Press the Go button six times and then release the Go button. Make sure that all the LEDs light up to indicate the print server has been reset to its default factory settings.


Fixing Thunder Database Problem

Unique key error means SQL DB for that Thunder file has become corrupted. To fix the problem the SQL DB must be deleted and then recreated.

1. On Thunder-SQL run the SQL Query Analyzer (Program files/MS Sequel) Password is “xxxx”

2. Go to FILE/OPEN and select MAKEALL61.SQL (which is located on the desktop)

That should delete the DB.

3. Return to Thunder server. Open problem DB. Window should be empty.

4. Select FILE/ADVANCED/REBUILD DB (do not change any selections)

DB will be rebuilt in about 15 mins.

LANCE at OAGSUPPORT for Avid is the best person for this.


To delete files or folders for which Windows generates the “Cannot delete file. Cannot read from the source file or disk” error:

Go to command prompt – navigate to the folder that contains the file or folder that cannot be deleted and type the command dir /x /a to get the 8.3 DOS name of the file or folder – use the del command or the rmdir command with that 8.3 name to delete the file or folder.

Or, download & install the deletefxpfiles program from deletefxpfiles.com


Windows XP won’t auto-detect USB drives (caused by sysprep):

Search the registry for FactoryPreInstallInProgress=dword:00000001 – Delete Key.

Delete AuditInProgress key.

Look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Factory for additional entries & delete them.

Delete PNPDetection REG_SZ=1 key


After installing Windows Service Pack 2, a Blue Screen of Death (BSOD) with PAGE_FAULT_IN_NONPAGED_AREA STOP 0x00000050 in file mrxdav.sys is caused by the Novell client (4.83 & 4.90). Updating to 4.91 solves the problem.


An Excel spreadsheet would not print the contents of certain cells – the grid prints & most of the other cells print fine. This is a pre-formatted document from corporate that has the cell formatting locked. The resolution to this problem was to go into the Page Setup settings and select 600 dpi as the print quality. That field was blank when first viewed.


Word or Excel gives an error when opening or saving documents:

GW – Groupwise ODMA Integration error message. Unable to load the resource Library.

After re-installing Groupwise 5.5, (even though you did not select ODMA integration for Word, Excel, PowerPoint, Access) on a workstation the user might get errors when opening attachments. "GroupWise ODMA Integration” "Unable to load the resource library. Exit . . ."

Look for GWODM132.DLL in the windows SYSTEM or SYSTEM32 directory and rename
it to GWODM132.BAK. This will keep ODMA from "firing up" and giving that
Note:  Excel might have a file in its startup directory:
With the DLL deleted, the GWxxx.xla (macro) file will try to launch integration upon startup and will give you an error such as : 
Run-time error ‘53’:
File not found: gwodm132.dll
Go to C:\Program Files\Microsoft Office\Office\XLStart\GWxxx.xla and delete the xla file from the Xlstart folder.
This may also happen on NT workstations when a user account is added to the machine *after* the GW client has been installed.

This may occur because you installed GroupWise as Administrator and integration is turned off for Administrator. When the user logs in, their registry settings say that ODMA integration is on. Perhaps if we gave the user admin rights and then installed the GW client as that user this would not be an issue. However, if we then later added a user to the workstation they might get the error. Better to rename/delete GWODM132.DLL after the Groupwise installation.

Also, this happened once.  The user could not save any spreadsheet, getting the error:
GWXL97.xla could not be found. Check the spelling of the file name, and verify that the file location is correct.
The fix turned out to be:  Go to p:\windows\application Data\Microsoft\excel and delete Excel.xlb.


User could not access their timecard in Kronos. The Java applet error indicated that it failed or did not initialize. Uninstalling and re-installing Java did not solve the problem. Clearing the cache of the Java Control Panel did not solve the problem. Deleting the cookies and temporary internet files in IE solved the problem.

Compaq laptop would not startup. The BIOS flash screen appeared and went away, then you would see a blinking DOS type cursor in the upper left hand corner of the screen (display). The HDD activity light (LED) would blink rapidly and the machine would stay in that condition. Looking at the BIOS settings, the Boot Order menu showed the CDROM drive and 3 floppy disk drives as the startup drive choices. The HDD was not available. I reset the BIOS back to its default settings configuration and the HDD was back on the list of startup devices. The machine restarted normally.


On startup, you receive a black screen with the following message, “Error loading operating system”. On startup in Safe Mode, you receive a blue screen stop 0X000000ED. Boot the system from a Windows XP install CD, choose Recovery Console, run chkdsk /r from the Command Prompt. If that doesn’t work, run fixboot, then run chkdsk /r again.

Groupwise does not allow you to move e-mails to another folder if it is open on the secondary screen of a 2 screen system.

After creating a new task in the Task Scheduler, you receive the following message: “The new task has been created, but may not run because the account information could not be set.” The specific error is: 0X80090016: Keyset does not exist. – “Protected Storage” Service must be started.

To get Windows XP to auto logon to a user with a password, from the Run command, type Control userpasswords2 to get the Windows 2000 logon setup screen.

To determine what version of Direct X is on a machine, go to a run line and enter dxdiag

To silently map a drive in Windows 2000, run the following line from the registry:

wscript.exe c:\yourpath\nvisible.vbs DriveMap.bat

in nvisible.vbs, put:

CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False

and in DriveMap.bat, put:

net user username password

net use y: \\thunder\e password /user:username /persistent:no

While trying to do a Microsoft Windows Update, you get the error “Your current security settings prohibit running active X controls”, even though active X controls are set correctly and the site is a “Trusted Site”. Go to a run command and execute these commands:

regsvr32 Softpub.dll

regsvr32 Wintrust.dll

regsvr32 Initpki.dll

regsvr32 Mssip32.dll

If that doesn’t work, execute this list of commands:

regsvr32 wuapi.dll

regsvr32 wuaueng.dll


regsvr32 wups.dll

regsvr32 wuweb.dll

regsvr32 atl.dll

To add “My Computer” to the security settings tab of Internet Explorer, go to HKEY_Current_User\SOFTWARE\Microsoft\Windows\Internet Settings\Zones\0 and change the Flags DWORD from 21H to 47H (71)

SuperMicro X6DAL-TG Startup sequence LED’s on MB:

If machine has been powered up & down & the power cord has remained connected:

Before power up, DS9 is orange (green & red LED’s on together)

On power up:

1) DS5 blinks green until DS7 comes on green & DS8 comes on orange

2) DS8 goes out

3) DS7 goes out & DS8 comes back on

4) DS8 goes out

5) DS5 stays on green

6) Video Out is generated & fans slow (if set in BIOS to slow)

If the machine was just plugged in before the startup:

Before power up, DS9 is orange (green & red LED’s on together)

On power up:

1) After a few seconds, DS5 comes on green, DS7 comes on green & DS8 comes on orange

2) DS8 goes out

3) DS7 goes out & DS8 comes back on

4) DS8 goes out

5) DS5 stays on green

6) Video Out is generated & fans slow (if set in BIOS to slow)

When one of the CPU’s was bad, DS8 stayed on, no video was generated, and the fans stayed on full speed.

Western Digital 80GB SATA drives were intermittently not recognized by the Intel RAID controller


To start a new cmd command line shell: (from http://blogs.msdn.com/adioltean/articles/271063.aspx )

1) Get the local time (through the TIME shell command, for example)

2) Add one minute to this time

3) Run the AT command with this new time.

4) Wait one minute for the command window to appear.

E:\Documents and Settings\Adi>time

The current time is: 16:29:00.96

Enter the new time:

E:\Documents and Settings\Adi>at 16:30 /interactive cmd.exe

Added a new job with job ID = 1


E:\Documents and Settings\Adi>sc create testsvc binpath= "cmd /K start" type= own type= interact

[SC] CreateService SUCCESS

E:\Documents and Settings\Adi>sc start testsvc

[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

Note that this time, the SC START immediately creates a new CMD window, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn’t have any service related code in it).

In the end, I would like to mention one more thing. You can use this new service to start as many CMD windows as you want, and you will get a new CMD window as soon as you do a “sc start testsvc” again.

To remove a file that Windows says it cannot find:

Use renamer.exe to rename it, then delete it.

Navigate to the folder from a command line cmd.exe and use del *.* in the folder or

Use DIR /X to see the 8 character DOS name if needed.

Go above that folder and type RMDIR /S to remove the folder without the OS caring what is in that folder.


Excel formula function NetWorkWeek is not available by default in Excel 2000. Go to Tools>Add-ins>Select “Analysis ToolPak” – CD is required for install.

If a user’s profile folder in Windows XP is set to “Make this folder private”, it cannot be copied to another user’s folder (e.g. after creating a new user and trying to duplicate the old “secured” user to the new user). Log in as the secured user and right-click on the user’s folder, go to “Sharing and Security” and de-select “Make this folder private”.


Desktop icons can be hidden by adding the “Hidden” attribute to the shortcut and then setting the folder options of the “Desktop” folder to hide hidden items.


To recover a machine that won’t start into Windows due to a corrupted Registry, boot from the Windows CD into Recovery Console. From Microsoft Knowledge Base 307545:


Part one

In part one, you start the Recovery Console, create a temporary folder, back up the existing registry files to a new location, delete the registry files at their existing location, and then copy the registry files from the repair folder to the System32\Config folder. When you have finished this procedure, a registry is created that you can use to start Windows XP. This registry was created and saved during the initial setup of Windows XP. Therefore any changes and settings that occurred after the Setup program was finished are lost.

To complete part one, follow these steps:


Insert the Windows XP startup disk into the floppy disk drive, or insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted to do so.


When the "Welcome to Setup" screen appears, press R to start the Recovery Console.


If you have a dual-boot or multiple-boot computer, select the installation that you want to access from the Recovery Console.


When you are prompted to do so, type the Administrator password. If the administrator password is blank, just press ENTER.


At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default


Type exit to quit Recovery Console. Your computer will restart.

Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location.

If you have access to another computer, to save time, you can copy the text in step two, and then create a text file called "Regcopy1.txt" (for example). To create this file, run the following command when you start in Recovery Console:

batch regcopy1.txt

With the batch command in Recovery Console, you can process all the commands in a text file sequentially. When you use the batch command, you do not have to manually type as many commands.

The problem with this method (Part 1) is that it restores the Registry to the Install version – you will NOT be able to see any system restore points.

Part two

To complete the procedure described in this section, you must be logged on as an administrator, or an administrative user (a user who has an account in the Administrators group). If you are using Windows XP Home Edition, you can log on as an administrative user. If you log on as an administrator, you must first start Windows XP Home Edition in Safe mode. To start the Windows XP Home Edition computer in Safe mode, follow these steps.

Note Print these instructions before you continue. You cannot view these instructions after you restart the computer in Safe Mode. If you use the NTFS file system, also print the instructions from Knowledge Base article KB309531. Step 7 contains a reference to the article.


1. Click Start, click Shut Down (or click Turn Off Computer), click Restart, and then click OK (or click Restart).

2. Press the F8 key.

   On a computer that is configured to start to multiple operating systems, you can press F8 when you see the Startup menu.

3. Use the arrow keys to select the appropriate Safe mode option, and then press ENTER.

4. If you have a dual-boot or multiple-boot system, use the arrow keys to select the installation that you want to access, and then press ENTER.

In part two, you copy the registry files from their backed up location by using System Restore. This folder is not available in Recovery Console and is generally not visible during typical usage. Before you start this procedure, you must change several settings to make the folder visible:


1. Start Windows Explorer.

2. On the Tools menu, click Folder options.

3. Click the View tab.

4. Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.

5. Click Yes when the dialog box that confirms that you want to display these files appears.

6. Double-click the drive where you installed Windows XP to display a list of the folders. It is important to click the correct drive.

7. Open the System Volume Information folder. This folder is unavailable and appears dimmed because it is set as a super-hidden folder.

   Note This folder contains one or more _restore{GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".

   Note You may receive the following error message:

   C:\System Volume Information is not accessible. Access is denied.

   If you receive this message, see the following Microsoft Knowledge Base article to gain access to this folder and continue with the procedure:

   309531 How to gain access to the System Volume Information folder

8. Open a folder that was not created at the current time. You may have to click Details on the View menu to see when these folders were created. There may be one or more folders starting with "RPx" under this folder. These are restore points.

9. Open one of these folders to locate a Snapshot subfolder. The following path is an example of a folder path to the Snapshot folder:

   C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot

10. From the Snapshot folder, copy the following files to the C:\Windows\Tmp folder:

11. Rename the files in the C:\Windows\Tmp folder as follows:






These files are the backed up registry files from System Restore. Because you used the registry file that the Setup program created, this registry does not know that these restore points exist and are available. A new folder is created with a new GUID under System Volume Information and a restore point is created that includes a copy of the registry files that were copied during part one. Therefore, it is important not to use the most current folder, especially if the time stamp on the folder is the same as the current time.

The current system configuration is not aware of the previous restore points. You must have a previous copy of the registry from a previous restore point to make the previous restore points available again.

The registry files that were copied to the Tmp folder in the C:\Windows folder are moved to make sure that the files are available under Recovery Console. You must use these files to replace the registry files currently in the C:\Windows\System32\Config folder. By default, Recovery Console has limited folder access and cannot copy files from the System Volume folder.

Note The procedure described in this section assumes that you are running your computer with the FAT32 file system.

For additional information about how to access the System Volume Information Folder with the NTFS file system, click the following article number to view the article in the Microsoft Knowledge Base:

309531 How to gain access to the System Volume Information folder
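
Part three deletes the live hives before copying in the files from C:\Windows\Tmp, so it is worth confirming first that each of those five files is an intact hive. The Python check below is an added example, not part of the original article; it assumes the standard regf header layout (signature at offset 0, sequence numbers at offsets 4 and 8, XOR-32 checksum of the first 508 bytes stored at offset 508), and its function names and sample header are constructed for illustration.

```python
import pathlib
import struct
import sys

HIVE_NAMES = ("system", "software", "sam", "security", "default")

def xor32(header: bytes) -> int:
    """Checksum of the first 508 header bytes, XORed as little-endian dwords."""
    csum = 0
    for (word,) in struct.iter_unpack("<I", header[:508]):
        csum ^= word
    # Assumed regf convention: the two extreme values are remapped.
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum or 1

def check_hive_header(data: bytes) -> list:
    """Return the problems found in a hive header; an empty list means it looks intact."""
    if len(data) < 512:
        return ["shorter than the 512-byte header"]
    if data[:4] != b"regf":
        return ["missing 'regf' signature"]
    problems = []
    seq1, seq2 = struct.unpack_from("<II", data, 4)
    if seq1 != seq2:
        problems.append("sequence numbers differ (last write did not complete)")
    (stored,) = struct.unpack_from("<I", data, 508)
    if stored != xor32(data):
        problems.append("header checksum mismatch")
    return problems

def build_sample_header(seq1: int = 5, seq2: int = 5) -> bytes:
    """Constructed sample: a minimal well-formed header, not a real hive."""
    block = bytearray(512)
    block[:4] = b"regf"
    struct.pack_into("<II", block, 4, seq1, seq2)
    struct.pack_into("<I", block, 508, xor32(bytes(block)))
    return bytes(block)

if __name__ == "__main__":
    # Usage: python check_hives.py <folder holding the five renamed files>
    folder = pathlib.Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if folder is None:
        print(check_hive_header(build_sample_header()) or "sample header OK")
    else:
        for name in HIVE_NAMES:
            path = folder / name
            result = check_hive_header(path.read_bytes()) if path.is_file() else ["file missing"]
            print(f"{name:10} {'OK' if not result else '; '.join(result)}")
```

A file that reports a problem here should not be copied over the live hive; pick the Snapshot folder of a different restore point instead.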

Part Three

In part three, you delete the existing registry files, and then copy the System Restore Registry files to the C:\Windows\System32\Config folder:


1. Start Recovery Console (or start the computer by using a Windows 98 Boot Disk).

2. At the command prompt, type the following lines, pressing ENTER after you type each line:

del c:\windows\system32\config\sam
del c:\windows\system32\config\security
del c:\windows\system32\config\software
del c:\windows\system32\config\default
del c:\windows\system32\config\system

copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default

Note Some of these command lines may be wrapped for readability.

3. Type exit to quit Recovery Console. Your computer restarts.

Note This procedure assumes that Windows XP is installed to the C:\Windows folder. Make sure to change C:\Windows to the appropriate windows_folder if it is a different location.

If you have access to another computer, to save time, you can copy the text in step two, and then create a text file called "Regcopy1.txt" (for example).

Part Four


1. Click Start, and then click All Programs.

2. Click Accessories, and then click System Tools.

3. Click System Restore, and then click Restore to a previous RestorePoint.