Chapter 15

Booting, Troubleshooting, and Service Packs

Table 15-3 displays the differences between the two processor platforms pre-boot sequences.

Now that we have discussed the files needed to boot Windows NT, let’s look at the process NT uses to load so it can run successfully.

As Windows NT begins to load the system files, it does so in a predetermined fashion. It moves from a character mode into a graphical mode—this transition is crucial—and as this takes place, it engages many different facilities.

As Windows NT loads, it goes through four distinct phases. These phases are the Kernel load phase, the Kernel initialization phase, the Services load phase, and finally the Windows subsystem start phase. The process is complete when a user successfully logs on. Let’s look at each of these phases.

The Kernel load phase begins when NTOSKRNL.EXE is loaded into memory. At this point you see the message, "NTDETECT is checking hardware". Then the hardware abstraction layer (HAL) is called into play. The function of HAL is to hide differences in hardware from the operating system. In this manner, HAL virtualizes the hardware specifics from Windows NT (which in turn enhances portability). This comes at a cost, however, both in performance and in the range of applications that NT can run. This is becoming much less of an issue. Basically, any program that relies upon direct hardware calls does not run under Windows NT. The programs affected by this are primarily games.

After HAL is constructed, the Registry is consulted to determine which drivers are to be loaded, and in what order. So where in this vast database is the information found? If you look at Figure 15-3, you see the Service Group order key.

The last step of the Kernel load phase occurs when the screen turns black and dots progress across the top of the screen. It is at this stage that the drivers in the Service Group Order subkey are loaded into memory. If you had selected the /SOS option in your BOOT.INI, you actually would see the names of the drivers being loaded. This is a valuable troubleshooting technique, and will be visited later.

It is now time to begin initialization of the Kernel. This occurs when the screen turns blue. Each driver loaded during the Kernel load phase is initialized. As this occurs, dots parade across the screen. If the progression appears to hang, a driver that either is taking a long time to load, or is having trouble loading. You can get a rough idea of what caused the hang by counting the dots which preceded it. How Windows NT treats a failed service is governed by the settings found in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\ErrorControl. There are four levels of settings:

Figure 4: During Kernel initialization, the error control level assigned to each service determines how Windows NT handles exceptions.

We are now ready to begin the Services load phase. At this point, Windows NT reads the contents of the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. The default entry for this particular key is shown in Figure 15-5. The autocheck autochk * is roughly equivalent to the old DOS utility CHKDSK. You can customize this key to tell NT to fix any problems found on the disk automatically, if you change the autochk * to autochk /p *. It then check each partition on your system for errors. If you change it to autochk /p \DosDevices\c:, it checks drive C: for errors.

The Session Manager subkey of the Registry contains global variables used by the Session Manager. These items are stored in the following Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager. In order to explore these settings, we have to use the Registry editor to view them. The Registry contains critical configuration information, without which Windows NT is severely lobotomized. It is with the utmost respect and caution that we examine this database. Prior to working with the Registry, make sure that you have a good backup (just in case). Remember that some settings are changed dynamically, and therefore enacted without warning or prompting. It is for this reason that I prefer REGEDT32 set to Read Only mode. It can prevent transient fingers from inadvertently making real-time changes to your workstation. This is illustrated in Figure 15-6.

1. Select Start | Run and type REGEDT32 in the run box.
2. Select Options | Read Only Mode.
3. Select the HKEY_LOCAL_MACHINE pane from the cascaded windows.
4. Select the System key.
5. Select the CurrentControlSet subkey.
6. Select the Control subkey.
7. Scroll down until you see the SessionManager subkey.
8. Choose File | Exit when you’re finished examining the details of the key.

When the Windows Subsystem starts, it starts winlogon.exe, which starts the Local Security Authority (LSA). The LSA is the main element of the Windows NT security system, and is responsible for showing the Ctrl-Alt-Del logon dialog box.

The next thing that happens is that the Service Controller executes and takes a final look through the Registry, checking for services that are marked to load automatically.

The process is complete after a successful logon has been accomplished. After a successful logon has occurred, the Windows NT Kernel copies the Clone Control Set to LastKnownGood. The system does not consider the boot to be successful unless the Clone Control Set has been copied to LastKnownGood. Later in the chapter we discuss how LastKnownGood can be utilized for your benefit.

Now that we have seen what happens while Windows NT is starting, let’s take a closer look at the BOOT.INI file it uses during startup.

The BOOT.INI file is a critical .INI file created by Windows NT when it is first installed. This file is where you can configure the many ways your system behaves when Windows NT is booted. If this file becomes damaged or corrupted, Windows NT simply doesn’t load.

There are two sections that make up the content of the BOOT.INI. As seen below, the first is the boot loader section and the second is the operating systems section. No matter how many operating systems are installed, you must still have a BOOT.INI file.

1. Select Start | Programs | Windows NT Explorer and go to the root of your C: drive.
2. Make sure all files are displayed so that you can see the BOOT.INI file (which is a system, read-only file).
3. Once you find the BOOT.INI file, right-click it, choose Properties, and uncheck the Read-only box.
4. Click the OK button and then open BOOT.INI with Notepad.
5. Change the Timeout setting from 30 seconds to 15 seconds.
6. Make sure that when you save changes created with Notepad, you select the All Files Type, or else you will end up with BOOT.INI.TEXT and it will not work!
7. Right-click BOOT.INI, choose Properties and check the Read-only box.

The boot loader section contains two basic entries: timeout, and the default operating system. The timeout is simply a countdown timer to give you a chance to make a selection other than the default. When timeout reaches 0, the default operating system is loaded. If you want your system to start up more quickly, you either can make a selection or change the timeout setting. However, if the timeout setting is changed to 0, you won’t have a chance to make any selection.

If you are dual-booting your system, you can make changes here to select the default operating system by pointing the default setting to the one preferred. Rather than directly editing the BOOT.INI to make changes to the boot loader section, it is preferable to utilize the Startup/Shutdown tab under System Properties. As seen in Figure 15-7, the graphical tools provided are easy to use—much easier than trying to edit the Advanced RISC Computing (ARC) naming path to the default OS.

The operating systems section of the BOOT.INI file is perhaps the most ominous looking portion of this important file. Although it is poorly understood even by many professionals, you need to learn this section, as it might be on your exam. So what is the operating systems section of the BOOT.INI? Its function is to tell you what operating systems are installed on the machine, and to tell Windows NT where to find them. Even if you are not dual-booting your machine, the BOOT.INI file still has this section.

The ARC naming convention comes to us from the RISC world. It is useful in identifying partition information on multidisk/multipartition machines. For instance, look at Figure 15-8.

If we look at the BOOT.INI for this machine, we see the following:

From this we can see the boot partition is on partition number 7. But what is all this other stuff? Let’s look and see.

A SCSI controller that has its resident BIOS disabled uses the SCSI ARC name. All other controllers (IDE controllers, and SCSI controllers with BIOS enabled) are listed as multi. The numbers that follow SCSI or multi start counting with 0. In the preceding example, the multi (0) indicates that it is the first controller (either IDE or SCSI with the BIOS enabled).

Disk is only used if SCSI is listed as the first word of the ARC path. If Disk is used, the SCSI bus number is used here. It starts counting with 0. If you have multi in the first space, then Disk will always be 0.

Rdisk indicates the SCSI Logical Unit Number (LUN), when SCSI is the first word in the ARC path. It indicates the ordinal number of the disk, if the first word is multi. Remember the counting here also starts with 0.

This is simply the partition number on the disk. The important thing to remember is that the counting starts with 1. In Figure 15-7, even though the OS/2 Boot Manager is at the physical end of the drive, it is counted as number 1 partition, since the system boots from it, then moves up in count from the C: drive.

To put this all together now, if we have the following:

multi(0)disk(0)rdisk(0)partition(7)\ WINNTWS="Windows NT Workstation Version 4.00"

we know it is either an IDE controller or a SCSI controller with the BIOS enabled. It is the first controller on the system. Disk (0) in this instance is ignored. Rdisk (0) means that it is the first drive on the system. Partition (7) means that Windows NT Workstation is located on the seventh partition.

Please note that if changes are made to the system, and this section of the BOOT.INI is not updated, Windows NT will not load on the next boot.

You may be wondering about the "unknown" partitions listed in Figure 15-8. The unknown partitions are valid, but unknown to Windows NT 4 Workstation, as it does not recognize OS/2, LINUX, or FAT32 partitions.

The path listed in the preceding BOOT.INI is simply the path to the location of each operating system.

There are several switches that can be used to customize the way Windows NT boots up. Some of these are used for troubleshooting purposes. These can be used in the BOOT.INI file.

This switch tells Windows NT that you do not have a serial mouse on a particular COM port, and as a result it does not poll the port for a mouse. You might want to use this if you have a serial device attached to a particular COM port. If NT detects the device, it might think it is a mouse, and as a result the device would not function properly under Windows NT. If you were to use /noserialmice without a particular COM port specified, this disables polling on all COM ports. If you say /noserialmice=COM1 then only polling on COM1 is disabled.

This switch causes Windows NT to load the standard VGA driver in 640 by 480 mode. This is useful if, for instance, you make a change to a video driver and then reboot, only to find you cannot read anything on the screen. In the /basevideo mode you can get the machine up, and change the settings back to something supported by your particular hardware configuration. By default Windows NT sets this option up for you. It appears on the screen as VGA mode of BOOT.INI.

This switch enables the automatic recovery and restart options, and is set up when you make changes to the Recovery section of Startup/Shutdown under System in Control Panel. While you can add it to the BOOT.INI manually, the safest way to change this is through Control Panel.

SOS mode does pretty much what it sounds like; it tells you what drivers Windows NT is loading during start up. Remember the dots that go across your screen as drivers are loaded? This switch causes NT to echo the names onto the screen. It is useful for determining which driver is hanging during startup. This entry is also added by default to the VGA mode entry in BOOT.INI.

The /nodebug switch tells NT that no debug information is being monitored. When this information is being used, there is a pretty significant performance hit as a result. This switch is useful to developers.

If you use the /maxmem switch, you can tell Windows NT how much memory it is allowed to use. Why would you want to limit how much memory NT uses? Normally you wouldn’t, but if you suspected that you had bad memory modules, you can play with these settings until you locate the bad module.

The /SCSIordinal switch is used if you have two identical SCSI controllers in the same system. You would use this switch to tell NT which one was which. The numbering on this begins with 0, so 1 would indicate the second controller.

We have edited the BOOT.INI with a text editor, so let’s take a look at how to modify it using a Control Panel applet.

1. Select Start | Settings | Control Panel.
2. Select the System applet.
3. Select the Startup/Shutdown tab.
4. Change the timeout setting from 15 seconds to 30 seconds.
5. Click the OK button.
6. The settings take effect after the next reboot.

Earlier in this section, we mentioned dual-booting different operating systems. In the next section, we discuss multiboot configurations.

Windows NT supports multibooting between Windows NT and additional operating systems, if your system partition contains the Windows NT boot sector.

When you install Windows NT, set up copies the first sector of the system partition (the boot sector) to a file named bootsect.dos. NT then replaces the original boot sector with its own boot sector.

When you start your computer, and the system partition contains the Windows NT boot sector, the code in the boot sector loads the Windows NT boot loader, NTLDR. The operating system menu, which is built from the BOOT.INI file, enables you to choose the operating system to be loaded.

If you select an operating system other than Windows NT from the operating system menu, NTLDR loads and starts the Bootsect.dos file. This functionality results in the other operating system starting, as if NTLDR had not intervened.

If you want to dual-boot between Windows 95 and Windows NT, you should install Windows 95 first and then install Windows NT. If the Windows 95 boot sector replaces the Windows NT boot sector, it causes a problem for Windows NT accessing any NTFS volume. Why would it cause this problem? Because the Windows 95 boot sector is for FAT partitions, and does not recognize NTFS partitions.

So, now we have a fully-functioning Windows NT Workstation, in which everything will work perfectly from here on out, correct? Not on your life! As I said in the beginning of the chapter, I have never seen an operating system that doesn’t need to be massaged from time to time. In the next section, we start looking at methods to help you in troubleshooting hardware and software.

Any discussion about troubleshooting hardware and software could easily fill this entire book, so we will limit ourselves to only a few topics on the matter. Let’s start the section off with a look at boot failures and methods available to overcome them.

Boot failures can take many different paths to lead your system to failure. It can be anything from a boot file being corrupted to a bad video driver not allowing your system to complete the boot process.

The first item to ensure is that you have a Windows NT boot floppy, in case one of the boot files for your system ever gets deleted. With a boot floppy on hand, you might be able to get your system back up quickly, and might be able to copy the missing or corrupt file back to your hard disk. You must use a special boot disk that has been formatted on a Windows NT system and modified to mimic the boot configuration of the system that won’t boot. When you create the boot disk, you may need to modify the BOOT.INI file to show the ARC path to the boot partition on the bad system. Exercise 15-4 leads you through the steps of creating a Windows NT boot floppy for an Intel-based machine.

1. Log on as Administrator and select My Computer.
2. Right-click 3 ½ Floppy (A:) and select Format from the menu.
3. Make sure you have a blank floppy disk in the drive and click the Start button.
4. Acknowledge the warning by clicking the OK button.
5. When the format completes, click the OK button.
6. Copy the following files to the newly formatted disk: NTLDR, NTDETECT.COM, BOOT.INI, and NTBOOTDD.SYS (if your system uses NTBOOTDD.SYS).
7. Reboot your system with the boot floppy you just created. It is better to try the boot floppy now, and make sure it works properly, than to find out that it doesn’t work when you need it.

While the Windows NT boot disk can save you from several boot problems, it doesn’t solve them all.

What happens if you load a new device driver that doesn’t function correctly, and prohibits the system from booting correctly? Is all lost, and is your only option to reload Windows NT? I hope you answered with a big resounding NO! You can get around this problem by reverting to the LastKnownGood configuration. LastKnownGood is the configuration that was saved to a special control set in the Registry after the last successful logon to Windows NT. So instead of reloading the operating system, you can restart the computer without logging on, and select LastKnownGood during the boot sequence. This loads the previously known good control set, and bypasses the bad device driver. Exercise 15-5 leads you through the process of booting, using the LastKnownGood configuration.

1. Start Windows NT Workstation.
2. When the BOOT.INI displays the OS menu, select Windows NT Workstation.
3. A message appears, telling you to press Spacebar for the LastKnownGood. Press the Spacebar immediately, as you have only a few seconds to make this choice before it disappears.
4. Select L to choose the LastKnownGood configuration from the Hardware Profile/Configuration Recovery menu.
5. Press Enter to confirm your choice. After the system boots, it displays a message confirming that it loaded from a previous configuration.

While the LastKnownGood configuration can save your day, like the Windows NT boot floppy it doesn’t work in all situations. Another tool available for your use is the Emergency Repair Disk.

The Emergency Repair Disk (ERD) can be used to return a Windows NT system back to the configuration it was last in, based on the last time you updated your Emergency Repair Disk. This disk can repair missing Windows NT files, and restore the Registry to include disk configuration and security information. To create an ERD, use the Repair Disk Utility. Figure 15-9 shows the Repair Disk Utility after it has been started.

If you choose the Update Repair Info button, the Repair Disk Utility overwrites some of the files located in the %systemroot%\Repair directory. After the %systemroot%\Repair directory has been updated, the program prompts you to create an Emergency Repair Disk. The disk it creates is the same as if you had chosen the Create Repair Disk option.

If you choose the Create Repair Disk button, the Repair Disk Utility formats the disk prior to creating the ERD. This occurs whether you use a prior ERD or a new disk. Exercise 15-6 shows you how to create an ERD.

1. Log on as Administrator.
2. Select Start | Programs | Command Prompt.
3. Type rdisk in the prompt window.
4. Choose the Update Repair Info button.
5. After the program updates your %systemroot%\Repair directory, it prompts you to create an ERD. Select OK after inserting a disk.
6. A message is displayed showing that configuration files are being copied.
7. Choose Exit after the files are copied to the disk.

If you look at the files on the ERD you will notice some of them end with a ._. This indicates that those files have been compressed. You can decompress those files using the expand utility that comes with Windows NT.

Now that we have an up-to-date Emergency Repair Disk, it is time to use it in the Emergency Repair Process. The Emergency Repair Process is used when your system doesn’t function correctly, and using the LastKnownGood configuration doesn’t solve the problem. This process requires the original installation disks from when you first installed Windows NT Workstation. You also need the ERD that you created in the preceding exercise. Please note that ERDs are computer-specific, so don’t get them mixed up if you have several systems. Exercise 15-7 shows you how to complete the Emergency Repair Process.

1. Start your system using the Windows NT Setup boot disk.
2. Insert disk 2 when the system prompts you for it.
3. When the first screen appears press R to start the Emergency Repair Process.
4. Four selections are displayed on your screen. Follow the on screen instructions to select only the option Inspect Registry Files.
5. Select the Continue (Perform Selected Tasks) line and press Enter.
6. Windows NT wants to perform mass storage detection, so go ahead and let it do that.
7. Insert disk 3 when prompted, and press Enter.
8. Press Enter to skip the Specify Additional Mass Storage Devices step.
9. When the system prompts you, insert the ERD you created in Exercise 15-6.
10. Several choices are displayed on your screen. Select only the DEFAULT (Default User Profile) choice.
11. Select Continue (Perform Selected Tasks) and press Enter.
12. The correct data is copied back to your Windows NT Workstation partition. Once the data has been copied, remove the ERD and press Enter to restart your system.

Windows NT features a Recovery utility that can perform selected tasks in the event of a STOP error. You configure the recovery options within the Startup/Shutdown tab of System Properties. You should remember this tab from earlier in the chapter when we discussed changing the boot loader options of the BOOT.INI file. Figure 15-10 shows the Startup/Shutdown tab.

The Recovery options are, for the most, part self-explanatory. However, it is worth mentioning that the Automatically Reboot option allows your system to be returned to normal operation quickly after a system crash, instead of it having to be rebooted manually. The most important option in the Recovery utility, as far as troubleshooting goes, is the Write Debugging Information To utility. When this option is checked and a STOP error occurs, the entire contents of memory get dumped to the pagefile. When your system restarts, this information is copied automatically from the pagefile to the name you specified in the Recovery option block.

Since the entire contents of your system’s memory is dumped to the pagefile, the pagefile has to be as large as the amount of physical memory installed in your system. A system that has 64MB of physical memory needs to have a pagefile that is at least 64MB in size. One other caveat: The pagefile has to be located on the boot partition. Exercise 15-8 gives you a chance to configure your system for memory dumps.

1. Select Start | Settings | Control Panel.
2. Double-click the System applet and select the Startup/Shutdown tab.
3. Under Recovery, select the Write Debugging Information To box. It is your choice to either accept the default path and filename, or pick one of your own.
4. If you want the next memory dump to overwrite any file that has the same name, select the Overwrite box. If you leave this block unchecked, Windows NT doesn’t write a memory dump file if one already exists with the same name.

The Task Manager should look familiar to you. We examined it in Chapter 14 while discussing Performance Tuning. Let’s look at one more function that it can perform with regard to troubleshooting your system. It has the capability to end a task that may be causing your system to hang. Under normal operating conditions you see the word "Running" underneath the status column, as illustrated in Figure 15-11. However, if a task is no longer responding, the words "Not responding" are in the status column. Exercise 15-9 leads you through the process of shutting down a task.

1. Use your right mouse button and click once on your Taskbar.
2. Select Task Manager from the menu.
3. Click the Start button and select Programs | Accessories | Paint.
4. Click the Start button and select Programs | Accessories | Clock.
5. Click the Start button and select Programs | Accessories | Notepad.
6. Select the Applications tab on the Task Manager. You see the three applications that you just started. To the right of the applications is listed the Status of each application.
7. Let’s assume that the Clock application has run rampant and is using 100 % of the CPU, and needs to be shut down. Click Clock so that it is highlighted, and click the End Task button.
8. On a real task that is not responding, you might receive a dialog box stating that the task is not responding, and asking if you would like to wait. Click End Task.
9. Close all remaining applications that are running.
10. Close the Task Manager.

If you share your Windows NT Workstation with other people, at some point the inevitable happens: someone loses access to a resource. Of course, this only happens if you are using the NTFS file system. Assuming you have Administrator privileges, you can easily solve the dilemma by taking ownership of the resource and sharing it to the person who needs access with full control, so he can gain ownership of the resource. In my experience, this action normally occurs when someone is fired or quits. Exercise 15-10 shows you how to gain ownership of a resource and allow someone else to take ownership of it. In the exercise, User1 is the person who quits the organization and User2 is the person who takes his place.

1. Log on to your system as Administrator and create two new user accounts named User1 and User2.
2. Log off the system and log back on as User1. Create a folder named user1test and set the permissions so only User1 has access to it. This folder is the one that User2 needs to access in order to retrieve valuable data.
3. Log off the system and log back on as User2. Try to access the user1test folder.
4. Log off the system and log back on as Administrator.
5. Open Windows NT Explorer and right-click the user1test folder.
6. Select Properties and choose the Security tab.
7. Select the Ownership button.
8. Select the Take Ownership button. The system prompts you with a dialog box stating that one or more of the items is a directory. Click the Yes button.
9. Select the Permissions button and give User2 full control of the user1test folder.
10. Select the OK button.
11. Select the OK button.
12. Log off the system and log back on as User2.
13. Access the user1test folder and follow steps 5-8 to gain ownership of the folder.

Not all of your problems will be boot-related, or easily identified with any of the methods described so far. You might need to use other tools to help you diagnose the problem your system is having. In the next section, we look at two tools available to you: the Event Viewer and Windows NT Diagnostics.

The Event Viewer, located in the Administration submenu, allows you to examine various events that have been generated by the Windows NT system, services, and applications, or through user actions that have been audited. Figure 15-12 shows an example from the Event Viewer.

The event viewer can display three separate logs. Depending on the type of item you need to view, it dictates which log you will open.

By default, each log file is a maximum of 512KB in size, and overwrites events older than seven days. These default settings are configurable by changing the Maximum Log Size and Event Log Wrapping options. The maximum size of the log can be changed in 64KB increments. The three event log wrapping options are: overwrite events as needed, overwrite events older than (n) days, and do not overwrite events (clear log manually).

Event log files can be saved in three different formats; event log file with the .EVT extension, text file with the .TXT extension, or a comma-delimited text file with the .TXT extension. The .EVT file is a binary file that can be read only by the event viewer utility. Any ASCII editor can read both types of text files.

There are five types of events you might encounter in the various logs. A unique icon identifies each event type, so that you can locate rapidly the type of event you may be interested in finding. Table 4 describes each of the events corresponding to an icon.

Events can be seen in greater detail by using the mouse to double-click the event, or by choosing Detail from the View menu while the event is highlighted. The detail dialog box displays a text description that can help in analyzing the event. Hexadecimal information may also be provided, depending on the event. If you save the log file, the text description is saved no matter what format of log file, but the hexadecimal data is saved only if you use the .EVT format. Figure 15-13 shows the Event Details for an event from the System log.

Exercise 15-11 shows you how to use the Event Viewer to see the logs on your system.

1. Select Start | Programs | Administrative Tools | Event Viewer.
2. Select the Log menu and choose Application. Review any entries that are in this log.
3. Select the Log menu and choose Security. Review any entries that are in this log.
4. Select the Log menu and choose System. Review any entries that are in this log.
5. If you have entries in your System Log, highlight one of them and press Enter. The details for that event are displayed.
6. Click the Close button to close the Event Detail window.
7. Select the Log menu and choose Exit to close the Event Viewer.

NT has some wonderful tools to help you find out what is happening in your computer. Of course, tools are only valuable if you use them. If you are accustomed to the DOS/Windows environment, which offers few tools bundled with the operating system, you probably don’t even look to the operating system for information about what is happening with your system. Habits can be tough to change, but you should try to change this one.

It’s interesting to observe student behavior during an NT class when computer problems pop up, especially when the problems are not part of the troubleshooting labs. When this happens, more than half the students revert to old troubleshooting patterns. After the students pursue these lines fruitlessly for a while, you actually can see them becoming aware of the tools in NT and beginning to use them.

The tool to start with, when a problem occurs, is the Event Viewer. From there you can look over the three log files to see what activities have been logged. Consider the following scenario: You are having trouble connecting to a remote host and are running the TCP/IP protocol.

When we introduce this problem in class, the students start flying through their troubleshooting techniques for IP. They begin pinging away, wondering about default gateways and routers, checking subnet masks, and changing IP addresses. None of these activities involves using the Event Viewer and checking the System Log file. When they finally get around to checking the logs, they discover that the network adapter has failed.

Even though I’ve been working with NT a long time, I find myself doing the same type of thing—launching into some process or another, trying to get information before I remember to check the Event Viewer. Old habits die hard.

Windows NT Diagnostics (also called WinMSD) has several tabs that reflect a lot of information about your Windows NT Server system. Figure 15-14 shows Windows NT Diagnostics after it has first been started.

The Version tab shows the NT version number, build, and type, the CPU architecture, and multiprocessor support. The serial number and the name of the person to whom the copy of Windows NT is registered are also displayed on this tab.

The System tab shows system-level information about the hardware, including the vendor ID, the Hardware Abstraction Layer (HAL) type, the BIOS date, and a description of the CPU.

The Display tab shows the video BIOS date, the display processor, the video resolution, the quantity of video RAM, the vendor, the digital to analog (DAC) type, and the driver type and revision.

The Drives tab provides a tree display that can be sorted by drive letter or drive type for each logical disk drive. Selecting any drive brings up a Properties window that shows information such as the drive letter, the serial number, the disk space available and how much disk space is in use. A File System tab on the Properties window gives information about the file system being used, including the maximum number of characters in a filename. The File System tab also shows whether the case will be preserved in filenames, the support of case-sensitive filenames, support for Unicode in a filename, file-based compression, and security preservation and enforcement.

The Memory tab shows in-depth details on memory utilization in your system, including the total number of processes, handles, and threads in use. This tab also displays the total amount of physical memory and the page file space available and currently in use.

The Services tab displays information on all services and devices on your Windows NT Server. Highlighting a selection and selecting the Properties button brings up a Service Properties dialog box for the service or device. Information is displayed that shows the executable file associated with the service or device, the start type, the user account with which it is associated, and any error associated with it. The service flags are also displayed, indicating whether the service runs in its own memory space, whether it is a kernel driver, and whether it can interact with the Windows NT desktop. A Dependencies tab shows you if the highlighted choice depends on another service or device. If it does depend on another service or device, it may help you in troubleshooting why a service or device failed to start.

The Resources tab displays information about hardware resources, including interrupt requests (IRQ), I/O ports, direct memory access (DMA), physical memory, and device drivers. If you select an item, it displays a dialog box indicating the associated device driver, bus, and bus type. A check box on this tab allows you to choose whether you want resources owned by the NT HAL to be displayed on the list.

The Environment tab displays all environment variables and values. It can display either values for the system or values for the local user for user-specific entries.

The Network tab provides you with a great deal of information: the number of logged on users, the transport protocols in use—along with the media access control (MAC) address of each transport, the internal network settings, and the system statistics regarding server bytes sent, hung sessions, and more.

Now that you are familiar with all the tabs offered by Windows NT Diagnostics, Exercise 15-12 gives you the chance to see how your system is functioning.

1. Click the Start Button.
2. Select Programs.
3. Select Administration Tools.
4. Select Windows NT Diagnostics.
5. Select the Drives tab.
6. Click the + to the left of Local Hard Disks.
7. Double-click the C: drive.
8. Select the File System tab. Observe the statistics that are applicable to the drive.
9. Click the OK button.
10. Select the Services tab.
11. Highlight Workstation and click the Properties button. Observe the Service Flags that are applicable for the workstation service.
12. Select the Dependencies tab. Notice that the workstation service has group dependencies on transport driver interface (TDI).
13. Click the OK button.
14. Click the OK button to close Windows NT Diagnostics.

There are times when, no matter how much troubleshooting you do to your system, nothing fixes it. The reason could be a bug within Windows NT. In the next section we discuss how Microsoft handles this type of situation.

Microsoft periodically issues a Service Pack to fix bugs that have been detected in the Windows NT operating system. At the time of this writing, the latest service pack issued is Service Pack 3.

The latest Service Pack can be ordered from Microsoft by phone or from their FTP site. The FTP address is ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ussp3/i386 for Intel-based machines.

The first thing you need to do prior to installing a Service Pack is to read the README.TXT file that comes in the archive to see what bugs have been fixed, and whether there are any peculiarities that might affect the installation on your system. Installing a Service Pack is not a complex task; there are only a couple of decisions that need to be made. It is wise to err on the side of caution, as a Service Pack can render your machine inoperable. Exercise 15-13 shows you the process of installing Service Pack 3.

1. Obtain Service Pack 3 (nt4sp3_i.exe) via FTP from ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ussp3/i386. Save the executable file to a folder.
2. Select Start | Programs | Windows NT Explorer and open the folder where you stored the Service Pack archive.
3. Double-click the nt4sp3_i.exe file. The file starts extracting files to a temporary location and starts update.exe automatically. After the files have been extracted, you are prompted with a Welcome screen that explains the procedure. It is wise to follow the instructions about updating your ERD and backing up all system and data files.
4. Click the Next button. The Software License Agreement is shown. After reading it, click the Yes button.
5. Service Pack Setup prompts you to pick the type of installation desired. Be sure the Install the Service Pack radio button is selected, and click the Next button.
6. The next screen asks you if you want to create an Uninstall directory. As always, it is wise to err on the side of caution so be sure the radio button Yes, I Want To Create an Uninstall Directory is selected, and click the Next button. If you do not create an Uninstall directory, you can’t use the Uninstall feature of the Service Pack.
7. The next screen tells you that it is ready to install the Service Pack. Click the Finish button to complete the process. The Service Pack changes only those files that were originally set up on your system.

Do not delete the Service Pack archive from your system. Anytime you change hardware or software on the system you will have to reapply the Service Pack. If you reapply it, you must also choose to create a new uninstall directory.

You may find that the Service Pack does not function correctly on your system. If this happens, you have to remove it from your system. Keep in mind that you can only uninstall the Service Pack if you originally installed the Service Pack with the Uninstall Directory option selected. Exercise 15-14 shows you how to remove a Service Pack from your system.

1. Select Start | Programs | Windows NT Explorer and open the folder where you stored the Service Pack archive.
2. Double-click the nt4sp3_i.exe file. The file starts extracting files to a temporary location and starts update.exe automatically. After the files have been extracted, you are prompted with a Welcome screen that explains the procedure.
3. Click the Next button. The Software License Agreement is shown. After reading it, click the Yes button.
4. Service Pack Setup prompts you to pick the type of installation desired. Select the Uninstall a Previously Installed Service Pack radio button and click the Finish button.
5. After your system restarts, the Update.exe program replaces the files that were updated by the Service Pack with the files from the previous installation.

"Blue Screen of Death" is just about the most frightening phrase you can say to clients when dealing with their Windows NT systems. Blue screens are actually text mode STOP messages identifying hardware and software problems that have occurred while Windows NT has been running. The reason for producing the blue screen is to alert you to the fact that an error message has been generated. The blue screen gives you information to help in troubleshooting the problem, rather than the system failing in an invisible manner. As shown in Figure 15-15, the blue screen consists of a STOP message, the text translation, the addresses of the violating call, and the drivers loaded at the time of the STOP screen.

Having access to a variety of troubleshooting resources can make your life much easier when dealing with Windows NT. In this section, we discuss some of the resources that are available to you.

Microsoft maintains World Wide Web (WWW) servers and FTP (File Transfer Protocol) servers that can provide you with updated drivers, current product information, and more. The web address is www.microsoft.com and the FTP address is ftp.microsoft.com. The FTP site allows anonymous logons, so feel free to explore the site.

The Knowledge Base, developed by Microsoft product support specialists, contains support information about problems that they have solved. I cannot stress enough the value of the Knowledge Base, the first place I look when I encounter an unusual problem. It’s always possible that someone else has encountered the problem, and solved it. The Knowledge Base is available in many different places. It can be accessed on Microsoft’s web site, the TechNet CDs, and Resource kit CDs.

The Resource Kits contains detailed information that is an in-depth, technical supplement to the documentation included with the product. Resource kits also come with a CD that is full of useful utilities. Resource kits can be obtained from your local dealer, and they also are included on the TechNet CDs.

The TechNet CDs are an invaluable tool for supporting any Microsoft product. We already have discussed a couple of the items included on the TechNet CDs, when we looked at other troubleshooting resources. There are over 1.5 million pages of technical documentation available on the TechNet CDs, along with drivers, updates, and Service Packs. TechNet is available by yearly subscription and delivers new CDs to you every month as they are updated.

Windows NT Help is no farther away than a few mouse clicks. Help is available in three different contexts. You can use the Contents tab in Help to find topics grouped by subject, or use the Index tab to find specific topics listed alphabetically, or use the Find tab to search for information by typing in a subject, title, specific word or phrase. Figure 15-16 displays the Help Index tab. Exercise 15-15 gives you an opportunity to use Help to find a specific phrase.

16. Select Start | Help. The Help Topics window is displayed.
17. Select the Index tab and type netwo in dialog box 1.
18. The words Network Adapter are highlighted in dialog box 2.
19. If you double-click on Network Adapter, you are presented with the Topics Found dialog box.
20. Double-click To Install a Network Adapter, to receive help on that topic.
21. Close Help after you have finished reading the information displayed.

The boot processes for Intel- and RISC-based machines are quite similar. The main difference concerns the files used during the booting of each type of machine. Windows NT loads in four distinct phases. It is helpful during troubleshooting to realize what is supposed to happen during each phase. Windows NT depends on the BOOT.INI file to load the operating system properly. The BOOT.INI file is made up of two sections, boot loader and operating systems. The ARC naming convention is used throughout BOOT.INI. It is possible to modify the way Windows NT starts up by using a variety of switches in BOOT.INI.

Windows NT supports multibooting between multiple operating systems. This can be useful when you need to use more than one operating system on a single machine. If you are going to run Windows 95 and Windows NT on the same system, it is best to install Windows 95 first.

Troubleshooting hardware and software is never an easy process. Problems can include a variety of boot failures in which you may need to use the LastKnownGood configuration or the emergency repair disk. System recovery can assist in troubleshooting by providing a dump of your physical memory that can be further analyzed when appropriate. If an application stops responding, you can use the Task Manager to shut it down. In some situations you may need to take ownership of a resource to clear up a security problem that exists. Other tools available to help with troubleshooting Windows NT are the Event Viewer and Windows NT Diagnostics (WinMSD).

When Microsoft fixes a significant amount of bugs, it issues a Service Pack. Service Packs can be obtained from the Microsoft FTP site. Installing a Service Pack is not a complex task, but you should read the readme.txt file prior to installation.

The "Blue Screen of Death" can be intimidating, and it’s something that no one dealing with Windows NT looks forward to seeing. It reflects that a serious problem has occurred and gives information to help you find out what caused the STOP error.

There are many resources available to help you troubleshoot Windows NT. Some of the resources available include Microsoft’s web site, the TechNet CD subscription, and the online Help file that is included with Windows NT.

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, as there may be more than one correct answer. Choose all correct answers for each question.

A.) NTLDR

B.) BOOT.INI

C.) NTBOOTDD.SYS

D.) OSLOADER.EXE

E.) NTDETECT.COM