Admin Tip #32 : Windows 2000 ERD and Recovery Console




In Windows NT 4, the utility Rdisk.exe is used to save critical information about your system to a floppy disk. If you run into problems such as a corrupted registry, or if you're unable to boot NT, the Emergency Repair Disk (ERD) can be used to repair the current installation.

You can still create an ERD in Windows 2000, but it's not the same as NT's. First, there is no Rdisk.exe for W2K. You must use the Backup utility to create your W2K ERD. The second and most drastic difference is in the contents of the floppy. NT's ERD includes part of the registry, but W2K's ERD does not. Instead, when you create your ERD, the Backup utility will create a copy of the registry in the \Winnt\Repair\RegBack directory on your hard drive provided you enable the Also Back Up The Registry To The Repair Directory check box.

To create a Windows 2000 ERD disk:

Follow instructions on screen from this point.

Why does the Windows 2000 ERD not include registry hives? Microsoft's position is that there is simply not enough space on commonly available removable media. When you update the W2K ERD, the registry files are copied to %systemroot%\Repair\Regback. Potential gotcha for NT gurus: unlike Windows NT, the W2K Repair directory contains only the original installation hives. Updated hives go to Repair\Regback. The registry files are only updated when you run ntbackup with the backup system state data option.
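A check for the gotcha above, as an added example that is not part of the original tip: this Python script reports whether the hive copies under %systemroot%\Repair\RegBack are present and recent. The hive file names, the 30-day threshold and the C:\Winnt fallback are assumptions, not taken from the page.

```python
import os
import time

# Assumed hive file names (not listed on the page): the five core registry hives.
HIVES = ("default", "sam", "security", "software", "system")


def _child(parent, name):
    """Case-insensitive lookup of `name` inside `parent`; None if absent."""
    if parent is None or not os.path.isdir(parent):
        return None
    for entry in os.listdir(parent):
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None


def audit_regback(systemroot, max_age_days=30, now=None):
    """Classify each hive copy in Repair\\RegBack as OK, STALE or MISSING.

    max_age_days is a hypothetical policy threshold; set it to match how
    often system state backups are supposed to run.
    """
    now = time.time() if now is None else now
    regback = _child(_child(systemroot, "Repair"), "RegBack")
    report = {}
    for hive in HIVES:
        path = _child(regback, hive)
        if path is None:
            # No copy: the registry was never backed up to the repair directory.
            report[hive] = "MISSING"
            continue
        age_days = (now - os.path.getmtime(path)) / 86400.0
        report[hive] = "STALE" if age_days > max_age_days else "OK"
    return report


if __name__ == "__main__":
    # Assumed fallback path when SystemRoot is not set in the environment.
    root = os.environ.get("SystemRoot", r"C:\Winnt")
    for hive, status in sorted(audit_regback(root).items()):
        print("%-10s %s" % (hive, status))
```

A STALE or MISSING result means a repair would fall back to the original installation hives in Repair, losing every registry change made since setup.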

OK. What gets copied to the ERD floppy? autoexec.nt, config.nt, and setup.log. Setup.log contains CRC data for core W2K files. Windows 2000 recovery processes use this file to detect changes to core files. As in Windows NT, the ERD is usable only on the PC it was created on. For comparison purposes, you may want to read Contents of NT ERD for a complete list of what gets copied to the Windows NT 4 ERD.

The Windows 2000 ERD repair process is much like Windows NT's. Boot using the setup floppy disks or the installation CD. Type r to enter recovery mode and r again to enter ERD mode. You can choose Manual Repair or Fast Repair. The fast option is the choice if you do not have much experience with the repair options or if you want a (possible) quick fix. No user interaction occurs. The fast option repairs system files, boot sector problems, and registry hives.

The manual mode gives the experienced administrator more control. Manual mode allows you to verify that the W2K files in the system partition are uncorrupted using the Inspect Startup Environment option. Any files needing replacement are taken from the installation CD. You can have the system check the system files' CRCs using the Verify Windows 2000 System Files option. If a file does not match, you are given the option to overwrite it with the copy from the installation CD. Finally, there is an Inspect Boot Sector option. This option verifies that the boot sector refers to the correct ntldr. To repair the ntldr or ntoskrnl, use the Verify Windows 2000 System Files option.

There is some significant confusion about boot disks, ERD, and Recovery Console. A boot disk means a disk that contains the Ntldr, NtDetect.com and Boot.ini files, so that it can stand in for corrupted boot files and get the Windows 2000 installation already on the hard drive to boot.

The classic bootdisk does not exist under Windows 2000 or Windows NT. It is a boot floppy disk that boots the machine all by itself. It has on it a fully functional DOS operating system. If your NT is installed on a FAT partition, you can use such a bootdisk to access the files on your NT or W2K box, but NT is not running and you cannot execute 32-bit programs. You can gain similar access to NTFS partitions using NTFS drivers with a DOS or Linux bootdisk. This kind of access to files without NT loaded is one of the bases for various methods to recover lost admin passwords.

An ERD is a floppy disk containing files designed to help recover a damaged NT installation. For Windows NT it was the primary tool. For Windows 2000, the ERD can be used as in Windows NT or it can be used in conjunction with the Recovery Console. The ERD does not boot the machine. Instead, it contains files that contain settings and configuration information that can be used to return the operating system back to its condition when the ERD was created.

The Recovery Console is a console program that can be launched after the Startup Setup version of the Windows 2000 operating system is booted. It can be used to discover and fix system issues. Under the Recovery Console, you have access to the following commands:

The Recovery Console is a godsend for experienced admins. The commands run in an abbreviated version of Windows 2000 and you are restricted to the %systemroot% directories and the root of each drive. A real enhancement for Windows 2000.

If the ERD process does not resolve your problem, you can use the Recovery Console, which is definitely only for experienced administrators. If the sh*t has hit the fan, it's probably time to get that experience. You need to install the Recovery Console before you have problems. Place the W2K installation CD in the CD-ROM drive and run r:\i386\winnt32.exe /cmdcons where r: is your CD-ROM drive letter. After it's installed, you will have another boot option:

Microsoft Windows 2000 Recovery Console

If you haven't been proactive or the system doesn't boot even to this point, you can get to the Recovery Console by booting with the Windows 2000 Setup floppy disks or the Windows 2000 CD. The Recovery Console will require you to enter the password for the local administrator account if used on W2K Professional or a member server. If run against a domain controller, you will be required to enter the administrator password that was entered during dcpromo, the Directory Services Restore Mode Administrator password. This password is only used when the Active Directory cannot be accessed: Directory Services Restore Mode or Recovery Console. This password is not in the AD or the local SAM. It is stored in a mini-SAM used for this special purpose.

One of the most powerful features of the Recovery Console in Windows 2000 is the pair of utilities fixboot and fixmbr. If the boot sector gets corrupted, it can be replaced by fixboot. There is a set of boot sector viruses that damage or hide the boot sector, replacing it with their own contaminated sector code to ensure that the boot sector virus is loaded into memory at boot. Fixboot gives the W2K admin a powerful tool against these destructive programs as well as accidental damage. Fixmbr is a powerful tool to replace a contaminated or damaged Master Boot Sector (MBR). There is a set of viruses that also use the MBR to spread their contamination. Fixmbr will fix the resultant damage.

To restore your system with the Emergency Repair Process:

The Windows 2000 Recovery Console can be accessed by booting from the W2K CD and then selecting the recovery options. The W2K Recovery Console can also be used to fix NT 4.0 installations. Once logged into the NT 4.0 installation, you can use the various command line utilities to repair the damaged server. Experiment on an NT workstation.

Related: HOW TO: Copy Files from Recovery Console to Removable Media


