Trial Guide
Published November 2010

Important Notice

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2010 Microsoft Corporation.
All rights reserved.

Microsoft, Active Directory, ActiveX, Excel, SoftGrid, SQL Server, Windows, Windows PowerShell, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.

Contents

Important Notice
Copyright
Introduction to the Trial Guide
Audience for This Guide
Product Documentation
Overview of Microsoft Diagnostics and Recovery Toolset
Crash Analyzer
ERD Commander
System Recovery Options
DaRT Tools
Trial System Requirements
Microsoft Diagnostics and Recovery Toolset Desktop Client
Minimum Hardware Requirements
Checklist of Tasks
Before You Get Started
Basic Tasks
Additional Information
Installing Microsoft Diagnostics and Recovery Toolset
Download and Create MDOP ISO
Install DaRT Tools
Review DaRT Installation
Crash Analyzer Wizard
Creating DaRT Boot Media
How to Create the DaRT Boot Media
Using DaRT Boot Media Tools
BitLocker Drive Encryption
System Recovery Options
Startup Repair
System Restore
System Image Recovery
Windows Memory Diagnostics
Command Prompt
Microsoft Diagnostics and Recovery Toolset
Troubleshooting
Common Errors on the Microsoft Diagnostics and Recovery Toolset Client
You might need to manually extract and install 64-bit definition updates for Standalone System Sweeper:
Unicode characters are not displayed in some circumstances:
DaRT 6.5 command-line installation will silently fail if run with the quiet mode option unless it is run using elevated administrator permissions:
File search fails to move a folder to a different volume:
There is no Input Method Editor (IME) support on ERD:
Some data may not be available on machines where the drive letters are remapped:
Accessing the Microsoft Support Knowledge Base
Contacting Microsoft Training

Introduction to the Trial Guide

This trial guide is designed to help you quickly set up and evaluate Microsoft® Diagnostics and Recovery Toolset (DaRT) in a test environment. This guide provides details of the steps necessary to install DaRT components. You will install Microsoft Diagnostics and Recovery Toolset, create an Emergency Repair Disk, and then review the DaRT tools that will help you accelerate desktop repair. To help this process flow as smoothly as possible, we recommend that you read this guide carefully before installing Microsoft DaRT.

Audience for This Guide

This guide was written for Microsoft Windows® system administrators and PC technician support professionals.
As an information technology (IT) professional, you should have sufficient knowledge and experience to accomplish the following tasks:

- Installing software
- Creating ISOs and boot disks
- Troubleshooting system startups

Product Documentation

Comprehensive documentation is available in the Microsoft Diagnostics and Recovery Toolset Help.

- Release Notes for Microsoft Diagnostics and Recovery Toolset 6.5:
- Tour of the Diagnostics and Recovery Toolset:

Overview of Microsoft Diagnostics and Recovery Toolset

Many IT departments take a proactive approach to backing up network data, but tend to be reactive in planning for desktop system failures because they have no tools or processes in place that enable them to be prepared. Instead, they typically reimage problem machines, but that can result in a loss of user settings, personalization, and data. Microsoft Diagnostics and Recovery Toolset can help you save time and reduce the challenges associated with troubleshooting and repairing system failures on Windows-based desktops. Administrators can easily restore PCs that have become unusable, rapidly diagnose probable causes of issues, and quickly repair unbootable or locked-out systems, all faster than the average time it takes to reimage the machine. When necessary, you can also quickly restore critical lost files. This helps IT teams make PCs safer to use, keeps employees productive, and makes desktops easier and less expensive to manage.

Microsoft Diagnostics and Recovery Toolset 6.5 is a complete suite of powerful and versatile tools that allow you to repair unbootable or locked-out systems, restore lost data, and diagnose system and network issues while the system is safely offline. Microsoft DaRT includes the following tools:

Crash Analyzer

This lets you examine a Windows crash dump file, helping you determine the problem that caused the system to fail.
For more information about how to analyze a system crash, see the Crash Analyzer section in this guide.

ERD Commander

This tool is used to create the DaRT disk, a boot disk that adds functionality to the Windows Recovery Environment (Windows RE), which provides utilities and wizards that help perform system diagnosis and repair procedures, such as recovering data, disabling problematic drivers, and removing hotfixes. For more information about diagnosing and repairing systems, see the Creating DaRT Boot Media section in this guide.

System Recovery Options

Once you start the computer with the DaRT boot media, Windows RE is launched, and presents the administrator with questions to initialize the environment, including initializing the network adapters as well as selecting the language and Windows installation for repair. After preparing the environment, you see the System Recovery Options dialog box, which contains the following options:

- Startup Repair
- System Restore
- System Image Recovery
- Windows Memory Diagnostics
- Command Prompt

A detailed description of each of these options can be found later in this guide.

DaRT Tools

When booting from DaRT boot media, an additional option to the normal Windows Recovery Environment menu is presented, the “Microsoft Diagnostics and Recovery Toolset” link. When you click this link, you are presented with an additional 14 tools, including a Solutions Wizard, to help you decide which tool is best to use in your current scenario, and a Help link.
These tools are listed below in Table 1, and detailed individually later in this guide:

Task | Solution
Edit the Registry | The ERD Registry Editor utility provides information about the registry that can help you repair a system.
Regain access to a system | The Locksmith wizard can be used to list the local user accounts and change passwords.
Diagnose a system failure | The Crash Analyzer can be used to diagnose the cause of a system crash and identify the driver that caused the failure.
Salvage and repair partitions or volumes | The Disk Commander can be used to salvage or repair partitions, or volumes.
Recover deleted files | The File Restore utility can be used to find and restore deleted files from any supported Windows-based file system.
Erase disks or volumes | The Disk Wipe utility can be used to securely erase disks or volumes.
Search for particular files | The Search utility allows you to restrict the scope of your search by specifying part of the name, search location, estimated size of the file, or the time when the file was modified.
Browse drives | The Explorer utility allows you to browse folders and files that are stored on various drives.
Perform administrative tasks to manage the computer | The Computer Management utility provides recovery tools to help you: disable problematic drivers or services; view event logs; partition and format hard disk drives; get information about Autoruns; get information about the computer.
Configure TCP/IP | The TCP/IP Config utility helps you to display and set a TCP/IP configuration.
Uninstall Windows hotfixes and service packs | Hotfix Uninstall can be used to remove Windows hotfixes or service packs from a system that cannot be started.
Check and repair system files | The SFC Scan utility helps you check system files and repair any that are corrupt or missing.
Use an antimalware tool | The Standalone System Sweeper utility helps detect malware or other unwanted software, and alerts you to potential risks.

Table 1: List of tools included in the DaRT Boot Disk

Trial System Requirements

For this evaluation, one computer will run Microsoft Windows 7. You can use virtual machines on a single physical computer that meets the system requirements of this trial.

In this trial, it is important that you set up Microsoft Diagnostics and Recovery Toolset on a test machine that is not your production workstation, since you may be performing tasks that may disrupt the use of this system. The purpose of this trial is for you to gain an understanding of the tools available to administrators with DaRT. You can address any questions relating to integration into your production environment, such as which tools to give to administrators, developing a process for updating the antivirus and antimalware definition files, and developing documentation for IT staff. The following section lists the computer systems used for this trial evaluation.

Microsoft Diagnostics and Recovery Toolset Desktop Client

- Windows 7 Enterprise or Ultimate Editions
- Windows Server 2008 R2

Minimum Hardware Requirements

- 1GHz 32-bit (x86) or 64-bit (x64) processor
- 1GB of system memory
- CD or DVD drive (writeable CD or DVD drive required to create ERD CD or DVD)
- BIOS support for starting the computer from a CD or DVD drive

Checklist of Tasks

The following table lists all the tasks that need to be completed in the correct order.
If you have not worked with DaRT before, it is strongly recommended that you follow this sequence of tasks carefully to ensure a successful installation and test of the DaRT system. If you complete all the tasks listed under “Basic Tasks” you will have successfully completed the basic system evaluation. If you want to continue with evaluating other system components, refer to the list of tasks under “Additional Information.”

Before You Get Started

Task | Pre-Requisite | Tip
Creating DaRT Boot Disk | Windows 7 or Windows Server 2008 R2 installation media | Copy installation media to a network share or local directory prior to running the ERD Commander Boot Media Wizard
 | Windows Debugging Tools | Download from
 | Windows Symbol Files | Download from

Basic Tasks

Area | Task | Method
DaRT 6.5 Tools | Create en_desktop_optimization_pack_2010_x86_x64_dvd_x16-58156.iso | Download MDOP ISO
 | Establish access to DaRT tools | Install DaRT Tools
 | Look at results of the DaRT installation process | Review DaRT Install
Crash Analyzer for DaRT 6.5 | Go through the Crash Analyzer process | Examine Crash Analyzer
DaRT Boot Media for DaRT 6.5 | Establish access to a failed system by creating the DaRT Boot Media | DaRT Boot Media
 | Review DaRT Tools | DaRT Tools

Additional Information

Area | Task | Method
Crash Analyzer for DaRT 6.5 | Test Crash Analyzer process with demo crash dump files | Crash Files

Installing Microsoft Diagnostics and Recovery Toolset

This section guides you through the step-by-step process of installing Microsoft Diagnostics and Recovery Toolset.

Note: You must use the software and operating system versions listed in the following section to ensure that the instructions and screen shots are accurate for the purposes of your testing and evaluation.

Download and Create MDOP ISO

MSDN and TechNet subscribers can download DaRT and use it in a proof-of-concept (POC) or test environment. In order to download the Microsoft Desktop Optimization Pack (MDOP) to license for production use, you must be a Software Assurance (SA) customer.
For more information on becoming an SA customer, go to . Existing SA customers can download MDOP, and the entire suite of tools that it includes, at any of the following Microsoft sites:

- Volume Licensing Service Center (VLSC):

Once you have downloaded the MDOP ISO file, burn the ISO to CD or DVD media. Then simply start the media, and install Microsoft Diagnostics and Repair Toolset.

Install DaRT Tools

Installing the DaRT tools is a simple process. Simply insert the MDOP media and then click the link for Microsoft Diagnostics and Repair Toolset, as seen in Figure 1. If your company policy disables Autorun features on CD and DVD media, browse to the Launcher directory and then click Launcher.hta.

Figure 1: Splash screen displayed when the MDOP 2010 media is run from CD or DVD media.

Once you click on the Microsoft Diagnostics and Repair Toolset link, you will be presented with another screen, with options to install different versions of DaRT for the different operating systems supported, as well as options for 32-bit or 64-bit OS support. See Figure 2 for a complete list of options available. Make sure you select the appropriate version for the desktop or server you need to recover.
For the purpose of this guide, in the DaRT 6.5 for Windows 7 and Windows Server 2008 R2 section, select Install DaRT 6.5 (32-bit) or (64-bit) based on the Windows version installed.

Figure 2: Microsoft Diagnostics and Recovery Toolset can be installed to support many operating systems and versions.

Note: Documentation for each of the available options can be found on the MDOP media by browsing to the x:\DaRT\Documents folder (where x is the letter assigned to your CD/DVD-ROM drive).

When you click Install DaRT 6.5 (32-bit), the Microsoft Diagnostics and Recovery Toolset 6.5 Setup Wizard will launch.

1. On the Welcome to the Microsoft Diagnostics and Recovery Toolset 6.5 Setup Wizard page, click Next.
2. On the End-User License Agreement page, click I agree.
3. On the Select Installation Folder page, accept the default installation folder, and in the Install Microsoft Diagnostics and Recovery Toolset 6.5 for section, click AllUsers if other users will log onto this computer and need access to DaRT. Otherwise, leave the default setting and then click Next.
4. On the Choose Setup Type page, select Complete to install the Crash Analyzer Wizard and the ERD Commander Boot Media Wizard.
5. On the Ready to Install page, click Install.
6. On the Completing the Microsoft Diagnostics and Recovery Toolset 6.5 Setup Wizard page, click Finish.

Review DaRT Installation

When DaRT has been successfully installed, you will see the Microsoft Diagnostics and Recovery Toolset program group on your Start\All Programs menu. Within the program group you will notice four (4) available options:

- Crash Analyzer Wizard
- ERD Commander Boot Media Wizard
- Help
- Release Notes

The Help link will open a Microsoft Compiled HTML (CHM) file with step-by-step instructions on using the two available tools.
The Release Notes link will open the relnotes.htm file, which is also available in the C:\Program Files\Microsoft Diagnostics and Recovery Toolset directory.

Crash Analyzer Wizard

The Crash Analyzer Wizard helps you to analyze a crash dump file to identify the driver that caused the system to fail. You can use Crash Analyzer to review crash dump files, e.g., crash dump files that may be a result of a Blue Screen of Death (BSoD) incident.

Before using the Crash Analyzer tool, you should download and install the Microsoft Debugging Tools for Windows and Symbol Files. Microsoft Debugging Tools for Windows can be downloaded from . You will also need a crash dump file to analyze.

The following is a list of options available for ensuring you have access to the Symbol Files:

- Copy the Dump File to another system: If the Symbol Files cannot be downloaded due to a lack of an internet connection, copy the crash dump file to another system that does have an internet connection, and run the Crash Analyzer Wizard from that system.
- Access the Symbol Files from another system: Download the Symbol Files from a system that does have an internet connection, and then copy the Symbol Files to the system that has the crash dump file you wish to analyze. Alternatively, you can download the Symbol Files to a system that has an internet connection and share the folder that contains the Symbol Files. Then from the system that contains the crash dump file you wish to analyze, map a network drive to that shared folder.
- Access the Symbol Files through an HTTP proxy server: If the symbols cannot be downloaded because an HTTP proxy server must be accessed, use the following steps to access an HTTP proxy server:

In DaRT 6.5, the Crash Analyzer Wizard has a new setting available on the Specify Symbol Files Location page, marked Proxy server (optional, using the format "server:port"). You can use this text box to specify a proxy server.
Enter the proxy address in the form <hostname>:<port>, where the <hostname> is a DNS name or IP address, and the <port> is a TCP port number, usually 80. There are two modes in which the Crash Analyzer can be run:

- Online mode: In this mode, if the proxy server field is left blank, the wizard uses the proxy settings from Internet Options in Control Panel. If you enter a proxy address in the text box that is provided, that address will be used, and it will override the setting in the Internet Options.
- Windows Recovery Environment: When the Crash Analyzer is run from DaRT, there is no default proxy address. If the computer is directly connected to the Internet, a proxy address is not required, so you can leave this field blank in the wizard setting. If the computer is not directly connected to the Internet, and it is in a network environment with a proxy server, you must set the proxy field in the wizard to access the symbol store. The proxy address can be obtained from the network administrator. Setting the proxy server is essential only when the public symbol store is connected to the Internet.
  If the symbols are already on the ERD disk, or if they are accessible locally, setting the proxy server is not required.

How to Open and Run the Crash Analyzer

1. Click Start\All Programs\Microsoft Diagnostics and Recovery Toolset\Crash Analyzer Wizard.
2. On the Welcome to the Crash Analyzer Wizard page, click Next.
3. On the Specify Microsoft Debugging Tools for Windows page, type the path to the directory containing the Microsoft Debugging Tools for Windows, or click the download link to download the package, if you have not pre-downloaded the tools and have an Internet connection, and then click Next.
4. On the Specify Symbol Files Location page, select the appropriate option, as described above, and then click Next.
5. On the Specify Dump File page, browse to the location of the crash dump file you wish to analyze, and then click Next.
6. On the Analysis Summary page, click to view the details of the summary, and then when you are finished, click Next.
7. On the Recommendations page, review the recommended actions, and then click Finish.

Creating DaRT Boot Media

The tools included in the DaRT boot disk will allow a desktop support technician to quickly recover lost files, uninstall Windows patches and drivers, modify registry keys, reset local user passwords, and much more. For example, when a new application or driver introduces an incompatibility with the current configuration, or when you cannot log on to a reclaimed system because you do not have the local administrator password, a desktop support technician would re-image the affected system. However, by using DaRT, the technician can often fix the issue in less time than the re-image would take, and without losing any local files or personalization settings which exist on the system.

Creating the DaRT boot media can be done with a wizard interface or through a Command Prompt. Creating the media using the Command Prompt allows you to set an expiration on the ISO file.
This is useful to ensure that only updated virus definitions are ever included on the DaRT DVD.

How to Create the DaRT Boot Media

Before you create the DaRT Boot Media, you will need access to the Windows 7 or Windows Server 2008 R2 media. Copy the DVD onto a local directory on the computer from which you plan to create the DaRT Boot media, or place the DVD into the system’s DVD writer drive. Additionally, you should have the Debugging Tools for Windows downloaded onto either the system from which you plan to create the DaRT Boot Media, or the system which you wish to repair.

If you want to set an expiration date on the DaRT DVD, open a Command Prompt window and type "C:\Program Files\Microsoft Diagnostics and Recovery Toolset\ERDC.exe" /numDays (where numDays is the number of days that the bootable media will be useable; the quotation marks are needed because the path contains spaces). The wizard will launch just as if you launched it from the Start menu, except the DVD will have an expiration date. All of the rest of the steps are the same as detailed below.

1. Click Start\All Programs\Microsoft Diagnostics and Recovery Toolset\ERD Commander Boot Media Wizard.
2. On the Welcome to the ERD Commander Boot Media Wizard, click Next.
3. On the Select Boot Image page, browse to the location of the Windows 7 or Windows Server 2008 R2 media, and then click Next.
4. On the Preparing the Files page, click Next.
5. On the Tools Selection page, click Next.
6. On the Crash Analyzer Wizard page, browse to the directory where you downloaded the Debugging Tools for Windows, and then click Next.
7. On the Standalone System Sweeper Definition Download page, select Next if you have an Internet connection. Otherwise select the No, manually download definitions later option and then click Next.
8. On the Standalone System Sweeper Definition Download page, when the status displays as Definition download succeeded, click Next.
9. On the Additional Driver page, add any additional drivers which may be necessary to repair the affected system, and then click Next.
10. On the Additional Files page, browse to add any additional files which will be needed on the DaRT Boot media, and then click Next.
11. On the Create Startup Image page, click Browse to specify the location where you want the startup image to be created, and then click Next.
12. On the Burn to a recordable CD page, select the drive containing the recordable CD or DVD drive, and then click Next.
13. On the ERD Commander Boot Media Wizard page, click Finish. Note that you can also explore the contents of the media by clicking the Explore button.

Using DaRT Boot Media Tools

In order to successfully use the tools included on the DaRT Boot media, the BIOS of the affected system must support booting from a CD-ROM or DVD-ROM drive. Ensure the BIOS allows for booting to the CD-ROM or DVD-ROM drive. Once confirmed, follow these steps to use the DaRT Boot media, and the tools which it contains:

1. Insert the DaRT Boot Media into the DVD drive of the system which you would like to repair, and restart the system.
2. In the NetStart dialog box, click Yes to initialize network connectivity in the background.
3. In the NetStart dialog box, click Yes to remap the drive letters to match the mappings from the target operating system.
4. In the System Recovery Options dialog box, select the appropriate keyboard input method, and then select Next. For the purpose of this guide, select US.
5. In the System Recovery Options dialog box, there are several options. Select the appropriate option and then click Next:
   - Use recovery tools that can help fix problems starting Windows: Use this option to be presented with a list of tools included on the DaRT Boot media.
     - DaRT Boot media will scan the system for all installed operating systems and list them here.
     - If the operating system that you need to repair is not listed in this dialog, then click the Load Drivers button to load the appropriate drivers for the hard drive containing the affected operating system.
   - Restore your computer using a system image that you created earlier: A system image is an exact copy of your hard drive, which can be created by using Windows Backup.

When you select to use the recovery tools, the System Recovery Options dialog will appear.

BitLocker Drive Encryption

If the system you are repairing has been encrypted with BitLocker Drive Encryption, you must have your BitLocker Recovery Key available. When prompted, insert your USB drive with the BitLocker Recovery Key and then select Load key from removable media. Alternatively, you can select Manually input the key, and then enter the 48-digit Recovery Key.

The WinRE BitLocker partition unlocking tool will only unlock one BitLocker volume. If multiple volumes are locked by BitLocker, Standalone System Sweeper, File Restore, and Explorer will only be able to process files on one locked volume. This may result in a file not being found when trying to restore a file from multiple volumes, or may result in malware not getting detected when a user specifies a “full scan” to scan all drives on a computer. To work around this issue, only work with a single volume at a time.

System Recovery Options

The System Recovery Options dialog box contains links to different tools to repair different issues. These are the same System Recovery Options that are available on the Windows 7 installation media, except for the Microsoft Diagnostics and Recovery Toolset, which is only available here.
The tools include:

- Startup Repair: Automatically fix problems that are preventing Windows from starting.
- System Restore: Restore Windows to an earlier point in time.
- System Image Recovery: Recover your computer using a system image you created earlier.
- Windows Memory Diagnostics: Check your computer for memory hardware
- Command Prompt: Open a command prompt window.
- Microsoft Diagnostics and Recovery Toolset: Launch various DaRT recovery tools.

Startup Repair

This tool can be used to restore a system that will not boot due to corrupt, missing, or damaged system files. If problems are found, Startup Repair will fix them automatically. In some cases, Startup Repair will fix the immediate problem of the system not booting properly, and then another tool may have to be used to recover any missing files or data.

System Restore

Each time a Windows Update is installed, or a program is installed or removed, Windows automatically creates a Restore Point. In the unlikely event that the installation of a Windows patch or the installation or removal of software has made the system unable to boot properly, the System Restore tool will allow you to restore your system to an earlier point in time, using a Restore Point previously created. This is a very useful tool when the system cannot boot either normally, or even in Safe Mode.

System Image Recovery

A system image is a copy of the drives required for Windows to run. It can also include additional drives. A system image can be used to restore the computer if the hard drive or computer ever stops working; however, you cannot choose individual items to restore. You create a system image backup using the Backup and Restore program in the Control Panel.

When you click the System Image Recovery tool, you are presented with a wizard interface, with several options:

- Use the latest available system image (recommended): If a system image is found, the details of the system image will be displayed in the fields on this page.
  Otherwise, this option is grayed out.
- Select a system image: When this option is selected, or if it is the only option available, you will be presented with additional options to help System Image Restore locate the appropriate system image. Select this option and then click Next.
  - If the system image is on an external drive or a DVD, insert the external drive or DVD before clicking Next.
  - If the system image is on a network location or you need to install a driver for a backup device containing the system image, click Advanced. The Re-image Your Computer dialog box will appear with the following options:
    - Search for a system image on the network: If you select this option, you must provide the network location of the system image.
    - Install a driver: If you select this option, you must browse to the location of the driver you wish to install, for the device containing the system image.

Note: When you restore a system using the system image, the entire hard drive will be overwritten with the contents of the system image. You cannot selectively decide what to restore, and what to keep.

Windows Memory Diagnostics

The Windows Memory Diagnostics tool will scan your computer for memory hardware problems. When you select this tool, you are presented with two options:

- Restart now and check for problems (recommended): Select this option to reboot the system immediately and scan for memory hardware problems upon the startup of the system.
- Check for problems the next time I start my computer: Select this option to scan the system the next time the computer is started. Use this option if you would like to continue working without the interruption of a

Command Prompt

When you select this tool, the familiar Windows Command prompt opens in the Windows RE.
From within this environment, all of the useful command-line tools are available, from the networking tools, like IPCONFIG and PING, to Disk utilities like DISKPART and NET USE.

Often, the system will not boot properly due to a corrupted master boot record, a corrupt boot sector, or a corrupt Boot Configuration Data (BCD) store. If this is the case, you should try the Windows Startup repair tool first.

To rebuild the BCD store using the bootrec.exe command:

1. In the Command Prompt window, type bootrec.exe and then press Enter.
2. Type attrib c:\boot\bcd -r -s -h
3. Type ren c:\boot\bcd bcd.old (you should always rename this file so as not to overwrite or delete it, in case you need to revert back to it later).
4. Type bootrec /RebuildBcd

Other Bootrec.exe options include:

- /FixMbr: This option writes a Windows 7 compatible MBR (Master Boot Record) to the system partition. This option does not overwrite the existing partition table. This option is useful to resolve MBR corruption issues, or to remove non-standard code from the MBR.
- /FixBoot: This option writes a new boot sector to the system partition. Use this option if one of the following conditions is true:
  - The boot sector has been replaced with a non-standard Windows 7 boot sector.
  - The boot sector is damaged.
  - An earlier Windows operating system (Windows XP or earlier) has been installed after Windows 7 was installed. In this scenario, the computer starts using the Windows NT Loader (NTLDR) instead of Windows Boot Manager (bootmgr.exe).
- /ScanOS: This option scans all disks for installations that are compatible with Windows 7. Additionally, it displays the entries that are currently not in the BCD store. Use this option if your Windows 7 installation is not listed in the BCD store.
- /RebuildBcd: This option scans all disks for installations that are compatible with Windows 7, and lets you select the installations that you want to add to the BCD store.
Use this option when you need to completely rebuild the BCD store.

Microsoft Diagnostics and Recovery Toolset

As we have previously stated, this option will present you with a list of powerful tools to assist in getting your system back online, usually in less time than a re-image. The 14 tools in this toolset are detailed below.

Figure 3: Diagnostic and Recovery Toolset Tools

ERD Registry Editor

You can use the ERD Registry Editor to edit the registry of the Windows operating system that you are repairing. This includes adding, removing, and editing keys and values, and importing .reg files. When you open the ERD Registry Editor, the HKEY_LOCAL_MACHINE string does not contain a hardware key. Additionally, there will be no HKEY_CURRENT_USER key, as no user has actually logged onto the operating system. All edits are being performed through Windows RE.

Figure 4: ERD Registry Editor

Locksmith

Locksmith is a simple tool that allows you to set the password for any local account on the Windows operating system that you are repairing, including the administrator account. This tool is particularly useful in the event that the password for a local account, such as the local administrator account, is unknown.

You do not need to know the current password in order to change a password. However, the password you set must comply with any requirements that a local Group Policy object (GPO) defines, including password length and complexity.

Note: This tool cannot set passwords for domain accounts.

Figure 5: Locksmith Wizard

Crash Analyzer

Crash Analyzer allows you to quickly determine the cause of an issue by analyzing the memory dump file on the Windows operating system that you are repairing. Based on this information, you can take corrective action. The Crash Analyzer Wizard can eliminate much of the guesswork involved in diagnosing nonresponsive systems.
For example, if you install a piece of hardware which includes the driver MyFault.sys, and the computer becomes unresponsive, the Crash Analyzer can read the dump file (C:\Windows\Memory.dmp) for the cause of the crash. You can then use this information to disable the device in Computer Management, using the Services and Drivers node.

Figure 6: Crash Analyzer Wizard Analysis Summary

File Restore

In many cases, users delete files only to realize that they still need access to these files later. Fortunately, the Windows Recycle Bin does not permanently delete files, and in most cases, users can simply open the Recycle Bin and restore the needed file. However, after a user empties the Recycle Bin, if a file is too big for the Recycle Bin, or if an application deletes the file, recovering the file is not as simple.

File Restore enables you to restore files in each of these scenarios. First, you must find the file that needs to be restored, which is made easier through the File Restore interface and its filtering capabilities. The interface also allows for wildcards and exact path locations, file sizes, date ranges, etc. A deleted file which resides in a deleted directory can also be found and recovered.

Note: When a file is deleted, the deleted file’s space on the drive is available to the operating system to overwrite. Therefore it is important to recover the deleted file as soon as possible.

If the drive that you are recovering the file from is encrypted with BitLocker Drive Encryption, File Restore gives you the opportunity to unlock the encrypted volume by manually providing the recovery password or loading the recovery key from a file.

Figure 7: File Restore

Disk Commander

The Disk Commander tool allows you to recover and repair disk partitions and volumes, restore the master boot record using a GUI interface, restore partition tables from a backup, or save partition tables to a backup.
Examples of where this tool could be useful include recovering the partition table after it has been lost due to corruption or infection from a virus. It is important to remember that two or more volumes on a single disk will share a partition table, so changes to one volume may affect another volume on the same hard drive. For this reason, as a best practice, always make a Disk Commander backup before attempting to repair the disk.

Figure 8: Disk Commander Wizard

Disk Wipe

Often, an organization will simply format the computers’ hard drives prior to recycling, donating, or discarding the computers. However, formatting the hard drive is not enough. A malicious user with the right tools can still read the confidential data that still resides on the hard drive.

Disk Wipe can erase all data from a disk or from a single volume on a disk. There are two algorithms available: Single pass overwrite and 4 pass overwrite, which meets the U.S. Department of Defense standards.

Figure 9: Disk Wipe

Computer Management

While many users are familiar with Computer Management in Windows, the Computer Management tool included in DaRT is a subset of the familiar console. The console in DaRT is tailored to include only the tools necessary to diagnose and repair problems preventing Windows from booting. The console includes the following tools:
System Information: Includes useful information about the system you are diagnosing, including number and type of processors, build number and version of the kernel, amount of RAM, etc.
Event Viewer: Displays logs about system and application activity.
Autoruns: Displays those services and processes that are configured to run at startup, and allows you to disable them.
Services and Drivers: Displays all services, including the startup configuration and all drivers loaded into the driver store.
You can stop or disable any service, or uninstall any driver that may be causing Windows to be unresponsive.
Disk Management: Displays information about the hard drives installed, the partitions and volumes configured, and the file systems.

Figure 10: Computer Management

Help

This documentation is in the form of a Microsoft Compiled HTML (CHM) file. It is also available in the C:\Program Files\Microsoft Diagnostics and Recovery Toolset directory.

Figure 11: DaRT Help

Explorer

Before using the Disk Wipe tool or Computer Management tool to delete or format partitions, you may need to store company sensitive data or user documents, so as not to lose them in the repair process. The Explorer tool allows you to open an Explorer window to gain access to the files and folders, mapped network drives, and file systems of the system you are repairing. Since DaRT supports both network connectivity (for mapping drives) and USB devices, this makes recovering the data much easier if a disk wipe or re-image becomes necessary.

Figure 12: DaRT Explorer

Solution Wizard

With so many tools available in the DaRT toolset, determining the correct tool for your specific needs may be challenging. The Solution Wizard asks a series of questions and recommends the best tool based on your answers, helping to make it easier for you to get familiar with the set of tools available. Once you have been working with DaRT and have been using the tools, you will likely go directly to the tool that you need. Until you are more familiar with the toolset, start with the Solution Wizard.

Figure 13: Solution Wizard

TCP/IP Config

When you boot the system using the DaRT boot media, you have the option of obtaining an IP address from a Dynamic Host Configuration Protocol (DHCP) server. If DHCP is unavailable, you can manually configure Transmission Control Protocol/Internet Protocol (TCP/IP) information by using this tool.
Simply choose your network adapter and then configure the appropriate information, either TCP/IP version 4 or TCP/IP version 6. Often, you will use this tool prior to using one of the other tools. When you click the Advanced button, you are presented with additional information, such as the physical address (MAC address) of the network adapter, the IPv4 and IPv6 information, link speed, DNS information, etc.

Figure 14: TCP/IP Config

Hotfix Uninstall

The Hotfix Uninstall Wizard can remove hotfixes and service packs from the Windows operating system that you are repairing. Use this tool when you believe a recent patch or service pack is preventing Windows from booting properly. It is recommended that you remove only one hotfix at a time, although the tool allows you to uninstall more than one at a time.

Note: Some programs which were installed or updated after the hotfix was installed may need to be repaired or reinstalled as well.

Figure 15: Hotfix Uninstall Wizard

SFC Scan

System File Checker can be used to help repair operating system files that are preventing your system from properly booting. SFC Scan will verify your operating system files based on the signatures to ensure they have not been altered. You can go through the process to verify and replace any files that may be flagged as not compliant with the signature status of the original system files.

Figure 16: SFC Scan Wizard

Search

In recovery scenarios, when repairing the installed operating system is not possible, you can use File Search to find users’ documents and copy them from the computer. Although the Explorer tool can be helpful, File Search can help you find documents when you do not know the file path or search for general types of files across all the local hard disks.
The interface is like the File Restore interface, with filters and wildcards available to assist in finding the correct files prior to re-imaging the system.

Figure 17: Search

Standalone System Sweeper

The Standalone System Sweeper can help detect malware and unwanted software and alert you to security risks while the system is offline and disconnected from the corporate network. When the Standalone System Sweeper detects malicious or unwanted software, it prompts you to remove, quarantine, or allow each item. You can use this tool to scan a computer for malware, and remove it, while the installed Windows operating system is not running.

Malware that uses rootkits can mask itself from the running operating system. A rootkit is a program, or a set of programs, which gets installed onto a system and impersonates running services, making the rootkit invisible to the installed operating system. If a rootkit-enabled virus or spyware makes its way to the system, most real-time scanning and removal tools can no longer see it or remove it. Because DaRT boots into Windows RE and the installed operating system is offline, you can attack the rootkit without it hiding from you, and since the definitions can be updated at run-time, you will always have an updated definitions file. If you suspect a machine may be compromised by malware (for example, if it is suddenly performing unusually, but other anti-virus/anti-malware tools are not identifying a problem), you can run the Standalone System Sweeper to determine if the machine has been infected with a rootkit.

During the creation of the DaRT boot media, you have the option of updating the Standalone System Sweeper definitions, to ensure you always have an up-to-date definition file. Alternatively, if you are using boot media which has been previously created, because DaRT has TCP/IP and networking support, you have the option of updating the definition file during run-time.
Note that these are the same definition files that are available to other Microsoft antimalware products.

Figure 18: Standalone System Sweeper

Troubleshooting

This section addresses some of the most common issues you might encounter when you install, configure, and test Microsoft Diagnostics and Recovery Toolset.

If you need additional help, search either the Microsoft Knowledge Base or the Diagnostics and Recovery Toolset

Common Errors on the Microsoft Diagnostics and Recovery Toolset Client

The following sections list the most common errors encountered with Microsoft Diagnostics and Recovery Toolset.

You might need to manually extract and install 64-bit definition updates for Standalone System Sweeper:
The following is a known issue with the Standalone System Sweeper. As a temporary workaround, you can follow these steps in order to install up-to-date definitions on the x64 version of the Standalone System Sweeper.
From a browser on a computer that is connected to the Internet, go to the Microsoft Security Portal and download the x64 version of Standalone System Sweeper definition updates.
Expand the contents of the definition package as follows. Open a command prompt, and type: mpam-fex64 /x: <folder path> where <folder path> is the directory to which the extracted contents need to be copied, e.g., mpam-fex64.exe /x: "%ProgramFiles%\DefUpdates".
Copy the extracted contents to a removable media device, such as a USB flash drive.
Insert the USB flash drive into the machine where you want to run the Standalone System Sweeper.
Start DaRT and launch the Standalone System Sweeper.
From the DaRT menu, launch Explorer.
Copy MPASBase.vdm, MPASDlta.vdm, mpavbase.vdm, mpavdlta.vdm and mpengine.dll into the Updates folder relative to the Windows path of the operating system selected, e.g., c:\Windows\Standalone System Sweeper\Definition Updates\Updates
Wait for a few seconds.
The antimalware and antivirus version numbers on the Standalone System Sweeper home page will be refreshed to show the new version numbers.

Unicode characters are not displayed in some circumstances:
If a user deletes a file that has Unicode characters in its file name and tries to restore the file using the File Restore tool, the file will not be found. This only occurs when characters from a language other than the language of the Windows 7 DVD are used to create the DaRT ERD CD.

DaRT 6.5 command-line installation will silently fail if run with the quiet mode option unless it is run using elevated administrator permissions:
DaRT 6.5 installation supports the normal MSI options for command-line installation. Please refer to Command-Line Options for more details about the various available switches.

File search fails to move a folder to a different volume:
While attempting to move a folder to a different volume in File Search, an error is returned stating "An error occurred while writing the file [filename]. Ensure the drive has sufficient space and the destination path is accessible." Moving folders between volumes is not supported by the File Search application. To work around this, use the Explorer to move the folder.

There is no Input Method Editor (IME) support on ERD:
An Input Method Editor allows you to type double-byte characters for languages such as Japanese. This functionality would be provided by the Win PE/Win RE environment, but by default Win PE/Win RE does not include support for IME. To enable IME support in Win RE and to turn on the ERD CD, follow the steps from the following KB article to create a Win RE image that supports IME and then create the ERD CD from the image. When creating the Win PE/Win RE image, it is essential that the WinPE-SRT-Package is added using the PEImg.exe tool. Failure to add this package to the image will prevent the generated ERD CD from working.
For information on how to use PEImg to add packages to a Windows PE image, please see Building a Windows PE Image.

Some data may not be available on machines where the drive letters are remapped:
This problem is known to occur on BitLocker-enabled machines as well as multi-boot machines. The problem is that some information in the offline registry has hard-coded drive letters, and DaRT uses different letters for the same volumes. The typical effects include not having access to certain local user accounts in ERD Registry Editor or Autoruns. Additionally, some tools may not be able to get the properties that rely on resolving file paths.

Accessing the Microsoft Support Knowledge Base

To access the Microsoft Support Knowledge Base and search for answers to the most frequently asked questions, go to Microsoft Support.

Contacting Microsoft Training

To register for training courses, obtain course descriptions, and get information about Microsoft certifications, go to Microsoft Training & Events.
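
For the manual 64-bit definition update described under Troubleshooting, the following PowerShell script is an added example, not part of the original guide or of any Microsoft tooling. It checks the Authenticode signature of the downloaded mpam-fex64.exe before extracting it, confirms that the five files the guide lists were extracted, and verifies each copy on the removable drive by SHA-256 hash. The download path, the drive letter E:, and PowerShell 4.0 or later on the Internet-connected computer are assumptions.

```powershell
# Added example: pre-flight checks for the manual definition update in this guide.
# All default paths below are placeholders; adjust them for your environment.
param(
    [string]$Package   = "$env:USERPROFILE\Downloads\mpam-fex64.exe",  # downloaded package (assumed location)
    [string]$ExtractTo = "$env:ProgramFiles\DefUpdates",               # folder used in the guide's example
    [string]$UsbTarget = 'E:\DefUpdates'                               # removable drive (assumed letter)
)
$ErrorActionPreference = 'Stop'

# The five files the guide says must be copied into the Updates folder.
$required = 'MPASBase.vdm', 'MPASDlta.vdm', 'mpavbase.vdm', 'mpavdlta.vdm', 'mpengine.dll'

# 1. Refuse to run a package whose Authenticode signature does not validate.
#    'Valid' means the file is intact and chains to a trusted root; the signer
#    is printed so the operator can confirm it is the expected publisher.
$sig = Get-AuthenticodeSignature -FilePath $Package
if ($sig.Status -ne 'Valid') {
    throw "Signature on $Package is '$($sig.Status)'; not extracting."
}
"Signed by: $($sig.SignerCertificate.Subject)"

# 2. Extract with the switch given in the guide and wait for it to finish.
New-Item -ItemType Directory -Path $ExtractTo -Force | Out-Null
Start-Process -FilePath $Package -ArgumentList '/x:', "`"$ExtractTo`"" -Wait

# 3. Confirm that every required file was extracted.
$missing = $required | Where-Object { -not (Test-Path (Join-Path $ExtractTo $_)) }
if ($missing) {
    throw "Missing after extraction: $($missing -join ', ')"
}

# 4. Copy to the removable drive and verify each copy by SHA-256 hash,
#    so a bad flash drive is caught before it reaches the machine being repaired.
New-Item -ItemType Directory -Path $UsbTarget -Force | Out-Null
foreach ($name in $required) {
    $src = Join-Path $ExtractTo $name
    $dst = Join-Path $UsbTarget $name
    Copy-Item -Path $src -Destination $dst -Force
    $srcHash = (Get-FileHash -Path $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch on $name after copy."
    }
    '{0}  {1}' -f $srcHash, $name
}
```

Run it from an elevated prompt, because the guide's example extraction folder is under %ProgramFiles%.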