Winternals Defragmentation, Recovery, and Administration Field Guide

www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our Web pages. There you will find an assortment of value-added features such as free e-booklets related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE EBOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These eBooks are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt
books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our ebooks onto servers
in corporations, educational institutions, and large organizations. Contact us at
for more information.


CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress
books, as well as their own content, into a single volume for their own internal use.
Contact us at for more information.
Visit us at
Winternals® Defragmentation, Recovery, and Administration Field Guide

Lawrence Abrams
Nancy Altholz
Kimon Andreou
Brian Barber
Tony Bradley
Daniel Covell
Laura E. Hunter
Mahesh Satyanarayana
Craig A. Schiller
Darren Windham

Dave Kleiman, Technical Editor
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 JL922134FC
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Winternals Defragmentation, Recovery, and Administration Field Guide
Copyright © 2006 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright
Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or
stored in a database or retrieval system, without the prior written permission of the publisher, with the
exception that the program listings may be entered, stored, and executed in a computer system, but they
may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0
ISBN: 1-59749-079-2
Publisher: Andrew Williams
Acquisitions Editor: Gary Byrne
Technical Editor: Dave Kleiman
Page Layout and Art: Patricia Lupien
Copy Editor: Audrey Doyle
Indexer: Nara Wood
Cover Designer: Michael Kavish
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.
Acknowledgments
Syngress would like to acknowledge the following people for their kindness
and support in making this book possible.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai
Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors
for the enthusiasm with which they receive our books.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Technical Editor
Dave Kleiman (CAS, CCE, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE) has worked in the information technology security sector since 1990. Currently, he is the owner of SecurityBreachResponse.com and is the Chief Information Security Officer for Securit-e-Doc, Inc. Before starting this position, he was Vice President of Technical Operations at Intelliswitch, Inc., where he supervised an international telecommunications and Internet service provider network. Dave is a recognized security expert. A former Florida Certified Law Enforcement Officer, he specializes in computer forensic investigations, incident response, intrusion analysis, security audits, and secure network infrastructures. He has written several secure installation and configuration guides about Microsoft technologies that are used by network professionals. He has developed a Windows operating system lockdown tool, S-Lok (www.s-doc.com/products/slok.asp), which surpasses NSA, NIST, and Microsoft Common Criteria Guidelines.

Dave was a contributing author to Microsoft Log Parser Toolkit (Syngress Publishing, ISBN: 1-932266-52-6). He is frequently a speaker at many national security conferences and is a regular contributor to many security-related newsletters, Web sites, and Internet forums. Dave is a member of several organizations, including the International Association of Counter Terrorism and Security Professionals (IACSP), International Society of Forensic Computer Examiners® (ISFCE), Information Systems Audit and Control Association® (ISACA), High Technology Crime Investigation Association (HTCIA), Network and Systems Professionals Association (NaSPA), Association of Certified Fraud Examiners (ACFE), Anti Terrorism Accreditation Board (ATAB), and ASIS International®. He is also a Secure Member and Sector Chief for Information Technology at The FBI’s InfraGard® and a Member and Director of Education at the International Information Systems Forensics Association (IISFA).
Contributing Authors
Lawrence Abrams is the CTO for Thorn Communications, an Internet service provider based in New York City that focuses on managed services for colocation customers at its three data centers. Lawrence manages the technical and security operations as well as being involved in the day-to-day operations of the business. He is involved with the deployment and monitoring of intrusion prevention systems, intrusion detection systems, and firewall systems throughout Thorn’s network to protect Thorn’s customers. Lawrence is also the creator of BleepingComputer.com, a Web site designed to provide computer help and security information to people with all levels of technical skills. With more than a million different visitors each month, it has become a leading resource to find the latest spyware removal guides.

Lawrence’s areas of expertise include malware removal and computer forensics. He is active in the various online antimalware communities where he researches new malware programs as they are released and disseminates this information to the public in the form of removal guides. He was awarded a Microsoft Most Valuable Professional (MVP) in Windows security for this activity.

Lawrence currently resides in New York City with his wife, Jill, and his twin boys, Alec and Isaac.
Nancy Altholz (MSCS, MVP) is a Microsoft MVP in Windows
Security. She is a security expert and Wiki Malware Removal Sysop
at the CastleCops Security Forum. As Wiki Malware Removal
Sysop, she oversees and authors many of the procedures that assist
site visitors and staff in system disinfection and malware prevention.
As a security expert, she helps computer users with various
Windows computer security issues. Nancy is currently coauthoring
Rootkits for Dummies (John Wiley Publishing), which is due for
release in August 2006. She was formerly employed by Medelec’s Vickers Medical Division as a Software Engineer in New Product Development. Nancy holds a master’s degree in Computer Science. She lives with her family in Briarcliff Manor, NY.
Kimon Andreou is the Chief Technology Officer at Secure Data
Solutions (SDS) in West Palm Beach, FL. SDS develops software
solutions for electronic discovery in the legal and accounting industries. SDS is also a provider of computer forensic services. His expertise is in software development, software quality assurance, data warehousing, and data security. Kimon’s experience includes positions as Manager of Support & QA at S-doc, a software security company, and as Chief Solution Architect for SPSS in the Enabling
Technology Division. He also has led projects in Asia, Europe, North
America, and South America. Kimon holds a Bachelor of Science in
Business Administration from the American College of Greece and a
Master of Science in Management Information Systems from
Florida International University.
Brian Barber (MCSE, MCP+I, MCNE, CNE-5, CNE-4, CNA-3, CNA-GW) is coauthor of Syngress Publishing’s Configuring Exchange 2000 Server (ISBN: 1-928994-25-3), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), and two study guides for the MCSE on Windows Server 2003 track (exams 70-296 [ISBN: 1-932266-57-7] and 70-297 [ISBN: 1-932266-54-2]). He is a Senior Technology Consultant with Sierra Systems Consultants Inc. in Ottawa, Canada. He specializes in IT service management and technical and infrastructure architecture, focusing on systems management, multiplatform integration, directory services, and messaging. In the past he has held the positions of Senior Technical Analyst at MetLife Canada and Senior Technical Coordinator at the LGS Group Inc. (now a part of IBM Global Services).
Tony Bradley (CISSP-ISSAP, MCSE, MCSA, A+) is a Fortune 100 security architect and consultant with more than eight years of computer networking and administration experience, focusing the last four years on security. Tony provides design, implementation, and management of security solutions for many Fortune 500 enterprise networks. Tony is also the writer and editor of the About.com site for Internet/network security. He writes frequently for many technical publications and Web sites.

I want to thank my wife, Nicki, for her support and dedication as I
worked on this project. She is my “Sunshine” and my inspiration. I also
want to thank Gary Byrne and Dave Kleiman for inviting me to participate
on this project and for their unending patience as we worked to put it all
together.
Daniel Covell (CCNA, MCP) is a Senior Systems Analyst at Sharp
HealthCare in San Diego. Sharp HealthCare is an integrated
regional health-care delivery system that includes four acute-care
hospitals, three specialty hospitals, and three medical groups. Sharp
has more than 14,000 employees and represents $1 billion in assets
and $1.4 billion in revenue. Daniel is a key team member in supporting more than 10,000 desktops and thousands of PDAs, laptops, and tablets.
Daniel has more than 13 years of experience in desktop support,
network support, and system design. He has worked for government
agencies, large outsourcing projects, and several consulting firms. His
experience gives him a very broad understanding of technology and
its management.
Daniel also owns a small computer consultancy business and
currently resides in El Cajon, CA, with his wife, Dana.
Daniel wrote the section of Chapter 5 titled “Advanced Disk
Fragmentation Management (Defrag Manager).”
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft
MVP) is an IT Project Leader and Systems Manager at the
University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university. Her specialties include Windows 2000 and 2003 Active Directory design and implementation, troubleshooting, and security topics. Laura has more than a decade of experience with Windows computers; her previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She is a contributor to the TechTarget family of Web sites and to Redmond Magazine (formerly Microsoft Certified Professional Magazine).
Laura has previously contributed to the Syngress Windows
Server 2003 MCSE/MCSA DVD Guide & Training System series
as a DVD presenter, author, and technical reviewer, and is the author
of the Active Directory Consultant’s Field Guide (ISBN: 1-59059-492-4) from APress. Laura is a three-time recipient of the prestigious
Microsoft MVP award in the area of Windows Server—
Networking. Laura graduated with honors from the University of
Pennsylvania and also works as a freelance writer, trainer, speaker
and consultant.
Laura wrote Chapter 3 and was the technical editor for Chapters 5
and 6.
Mahesh Satyanarayana is a final-semester electronics and communications engineering student at the Visveswaraiah Technological University in Shimoga, India. He expects to graduate this summer and has currently accepted an offer to work for Caritor Inc., an SEI-CMM Level 5 global consulting and systems integration company headquartered in San Ramon, CA. Caritor provides IT infrastructure and business solutions to clients in several sectors worldwide. Mahesh will be joining the Architecture and Design domain at Caritor’s development center in Bangalore, India, where he will develop software systems for mobile devices. His areas of expertise include Windows security and related Microsoft programming technologies. He is also currently working toward administrator-level certification on the Red Hat Linux platform.
Craig A. Schiller (CISSP-ISSMP, ISSAP) is the President of
Hawkeye Security Training, LLC. He is the primary author of the
first Generally Accepted System Security Principles. He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management.
Craig has cofounded two ISSA U.S. regional chapters: the Central
Plains Chapter and the Texas Gulf Coast Chapter. He is a member
of the Police Reserve Specialists unit of the Hillsboro Police
Department in Oregon. He leads the unit’s Police-to-Business-
High-Tech speakers’ initiative and assists with Internet forensics.
Darren Windham (CISSP) is the Information Security lead at
ViewPoint Bank, where he is responsible for ensuring compliance
with GLB, FFIEC, OTS, FDIC, and SOX regulations, as well as
managing technology risks within the organization.
Darren’s previous experience in technology includes network
design, system configuration, security audits, internal investigations,
and regulatory compliance. He has also worked as a security consultant for local companies, including other financial institutions. His
background also includes system administration for manufacturing
firms and one of the .coms of the late 1990s. Darren was a reviewer
for the book Hacking Exposed: Computer Forensics (McGraw-Hill
Osborne Media, ISBN: 0-07225-675-3).
Darren is a member of Information Systems Audit and Control
Association® (ISACA), North Texas Electronic Crimes Task Force
(N-TEC), and the North Texas Snort User Group.
Companion Web Site
Some of the code presented throughout this book is available for download from www.syngress.com/solutions. Look for the Syngress icon in the margins indicating which examples are available from the companion Web site.
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Chapter 1 Recovering Your
Computer with ERD Commander. . . . . . . . . . . . . . . . . . . . . . . 1
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Utilizing ERD Commander . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
Creating the ERD Commander Boot CD . . . . . . . . . . . . . . . .2
Using ERD Commander Recovery Utilities . . . . . . . . . . . . .14
Booting a Dead System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Being the Locksmith . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Accessing Restore Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Removing Hotfixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Chapter 2 Examining Your Computer . . . . . . . . . . . . . . . . . . 35
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Exploring Process Activity with Process Explorer . . . . . . . . . . . . .36
Default Display Explanation . . . . . . . . . . . . . . . . . . . . . . . . .36
The Upper Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
The Lower Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
The Toolbar Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
The Mini-CPU Graph . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Examining Process Resource Consumption . . . . . . . . . . . . . .39
Viewing and Controlling Process
Activity Using Process Explorer . . . . . . . . . . . . . . . . . . . . . . . . . .45

Process Explorer’s Control Features . . . . . . . . . . . . . . . . . . . .45
File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Find . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
DLL/Handle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Viewing Process Information
and Controlling Process Activity . . . . . . . . . . . . . . . . . . . . . .49
The Process Context Menu . . . . . . . . . . . . . . . . . . . . . . .49
382_WinTrnl_TOC.qxd 5/15/06 2:17 PM Page xiii
xiv Contents
The Process Properties Dialog . . . . . . . . . . . . . . . . . . . . . .50
The Shortcut Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Significant Toolbar Shortcut Functions . . . . . . . . . . . . . . .52
General Malware Symptoms
Recognizable by Process Explorer . . . . . . . . . . . . . . . . . . . . .52
Packed Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Exploring Program Autostart Locations Using Autoruns . . . . .57
Describing the Main Window View . . . . . . . . . . . . . . . . . . . .59
What the Column Headers Mean . . . . . . . . . . . . . . . . . . .60
Understanding the Display Feature Groupings . . . . . . . . . . . .61
Everything . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Shell Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Internet Explorer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Scheduled Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Image Hijacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
AppInit DLLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Boot Execute Native Images . . . . . . . . . . . . . . . . . . . . . . .64
Known DLLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
WinLogon Notifications . . . . . . . . . . . . . . . . . . . . . . . . . .65
Winsock Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
LSA Providers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Printer Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
Using the Autoruns Menu Functions . . . . . . . . . . . . . . . . . . .66
Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
What’s in the Autoruns Log . . . . . . . . . . . . . . . . . . . . . . . . . .68
Registry and Folder Autostart
Locations Monitored by Autoruns . . . . . . . . . . . . . . . . . . .69
Newly Reported Startup Entry
Slated for Next Version of Autoruns . . . . . . . . . . . . . . . . .72
Researching an Autostart Item . . . . . . . . . . . . . . . . . . . . .73
The Dynamic Duo: Using Autoruns and Process Explorer
Together to Troubleshoot Startups and Combat Malware . . . . . . . .74
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Investigating Autoruns Startups . . . . . . . . . . . . . . . . . . . . . . .75
Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
382_WinTrnl_TOC.qxd 5/15/06 2:17 PM Page xiv
Contents xv
Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Example 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Step 1: Download and Install AntiHookExec.exe . . . . . . . .86

Step 2: Change the PATH Environment Variable . . . . . . . .86
Step 3: Launch Autoruns and Process Explorer . . . . . . . . .86
Step 4: View Autoruns for Relevant Entries . . . . . . . . . . . .87
Step 5: View Process Explorer for Relevant Entries . . . . .90
Step 6: Stop and Delete the
hxdef Service, and Then Reboot . . . . . . . . . . . . . . . . . . . .92
Step 7: Delete the hxdef Files and Registry Autostarts . . . .94
Step 8: Remove the Malware Payload . . . . . . . . . . . . . . . .95
Example 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Other Examples of Malware That Uses
Nontraditional Hidden Startups Locatable in Autoruns . . . . .102
The SmitFraud Trojan . . . . . . . . . . . . . . . . . . . . . . . . . . .102
The Vundo Trojan . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Using File Compare in Autoruns
to Diagnose Changes in Startups . . . . . . . . . . . . . . . . . . . . .104
Most Common Malware Starting Locations . . . . . . . . . .105
Other Common Malware Startup Locations . . . . . . . . . .106
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .108
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Chapter 3 Checking the Security of Your Computer . . . . . . 113
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Viewing the Security Settings
of Your Resources (AccessEnum) . . . . . . . . . . . . . . . . . . . . . . . .114
Understanding File and Directory Access Rights . . . . . . . . . .114
Configuring Access Control Lists . . . . . . . . . . . . . . . . . .115
Configuring Permissions Inheritance . . . . . . . . . . . . . . . .118
Understanding Registry Access Rights . . . . . . . . . . . . . . . . .120
Using AccessEnum and Interpreting Its Results . . . . . . . . . . .122
Comparing Permissions over Time . . . . . . . . . . . . . . . . .125

Listing the Users with Access to Encrypted Files (EFSDump) . . .126
Running EFSDump and Interpreting Its Results . . . . . . . . . .127
Moving/Deleting Files in
Use on Reboot (PendMoves, MoveFile) . . . . . . . . . . . . . . . . . . .128
Running PendMoves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Running MoveFile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Viewing Shared Resources and
Their Access Permissions (ShareEnum) . . . . . . . . . . . . . . . . . . . .131
382_WinTrnl_TOC.qxd 5/15/06 2:17 PM Page xv
xvi Contents
Running ShareEnum and Interpreting Its Results . . . . . . . . .132
Investigating Suspicious Local Files (Sigcheck) . . . . . . . . . . . . . .135
Running Sigcheck and Interpreting Its Results . . . . . . . . . . .135
Searching for Installed Rootkits (RootkitRevealer) . . . . . . . . . . .138
Scanning a Computer for Rootkits . . . . . . . . . . . . . . . . . . .140
Removing a Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Chapter 4 Computer Monitoring . . . . . . . . . . . . . . . . . . . . . 151
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Viewing Users Who Are Logged
On and What They’re Doing . . . . . . . . . . . . . . . . . . . . . . . . . .152
Using PsLoggedOn to See Logged-On Users . . . . . . . . . . . .152
Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Using LogonSessions to Find
Information about a Logged-On User . . . . . . . . . . . . . . . . .155
Understanding Logon Sessions . . . . . . . . . . . . . . . . . . . .156
Using LogonSessions.exe to
View Current Windows Sessions . . . . . . . . . . . . . . . . . . .156

Understanding the Output
of LogonSessions.exe . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Using Tokenmon to Monitor a User’s Security Tokens . . . . .161
What Is a Token? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Impersonation and Its Importance . . . . . . . . . . . . . . . . . .162
Configuring and Running Tokenmon . . . . . . . . . . . . . . .163
Understanding Tokenmon’s Output . . . . . . . . . . . . . . . . .165
Setting Up Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Practical Uses of Tokenmon . . . . . . . . . . . . . . . . . . . . . .168
Finding Open Resources and
the Processes That Are Accessing Them . . . . . . . . . . . . . . . . . . .168
Using PsTools to Examine Running Processes and Files . . . .168
Remotely Monitoring Open Files with PsFile.exe . . . . . .169
Monitoring Processes with PsList.exe . . . . . . . . . . . . . . .172
Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . .176
Using Handle to Determine
What Local Files a User Has Open . . . . . . . . . . . . . . . . . . .178
Downloading and Using Handle . . . . . . . . . . . . . . . . . . .179
Searching for Handles . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Closing Handles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Real-World Example . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Viewing All File Activity with Filemon . . . . . . . . . . . . . . . . . . .182
382_WinTrnl_TOC.qxd 5/15/06 2:17 PM Page xvi
Contents xvii
Using Filemon to Monitor
Real-Time File System Activity . . . . . . . . . . . . . . . . . . . . . .182
Configuring Filemon . . . . . . . . . . . . . . . . . . . . . . . . . . .184
Selecting the Volumes to Monitor . . . . . . . . . . . . . . . . . .185
Understanding Filemon’s Output . . . . . . . . . . . . . . . . . .186
Setting Up Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Viewing All Registry Activity with Regmon . . . . . . . . . . . . . . .196
A Brief Introduction to the Windows Registry . . . . . . . . . . .197
Using Regmon to Monitor
Real-Time Activity in the Registry . . . . . . . . . . . . . . . . . . .199
Configuring Regmon . . . . . . . . . . . . . . . . . . . . . . . . . . .201
Understanding Regmon’s Output . . . . . . . . . . . . . . . . . .201
Setting Up Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
Examining the Registry during the Windows
Boot Sequence in an NT-Based Operating System . . . . . .208
Real-World Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
Chapter 5 Disk Management . . . . . . . . . . . . . . . . . . . . . . . . 217
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Managing Disk Fragmentation (Defrag Manager, PageDefrag, Contig, DiskView) . . . . . . . . .218
Managing Pagefile Fragmentation . . . . . . . . . . . . . . . . . . . . .220
Removing PageDefrag Manually . . . . . . . . . . . . . . . . . . .222
Optimizing Frequently Accessed Files . . . . . . . . . . . . . . . . . .223
Defragmenting Multiple Files Using Contig . . . . . . . . . .226
Creating Optimized Files Using Contig . . . . . . . . . . . . . .228
Using DiskView to Locate Fragmented Files . . . . . . . . . .229
Making Contig an Environment Variable . . . . . . . . . . . . .231
Advanced Disk Fragmentation Management (Defrag Manager) . . . . . . . . . . . . .232
Installing Defrag Manager . . . . . . . . . . . . . . . . . . . . . . . .232
Running the Defrag Manager Schedule Console . . . . . . .234
Adding Workstations and Servers to Schedules . . . . . . . . .242
Working with Schedules . . . . . . . . . . . . . . . . . . . . . . . . .243
The Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .243
Command-Line Defragmentation . . . . . . . . . . . . . . . . . .244
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Getting Extended File/Disk Information (DiskExt, DiskView, NTFSInfo, LDMDump) . . . . . . . .247
DiskExt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Understanding Basic Disks . . . . . . . . . . . . . . . . . . . . . . .248
Understanding Dynamic Disks . . . . . . . . . . . . . . . . . . . .248
Using DiskExt to Determine Extensions . . . . . . . . . . . . .249
DiskView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250
Finding a File’s Cluster Properties . . . . . . . . . . . . . . . . . .250
Finding the MFT Zone . . . . . . . . . . . . . . . . . . . . . . . . .251
NTFSInfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
LDMDump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
Analyzing the Partition Layout Using LDMDump . . . . . .254
Finding Volume Information Using LDMDump . . . . . . .255
Disk Volume Management (NTFSInfo, VolumeID, LDMDump) . . . . . . . . . . . . . . .257
Getting Extended NTFS Information . . . . . . . . . . . . . . . . . .257
Using NTFSInfo to Get MFT Details . . . . . . . . . . . . . . .260
Metadata Files and NTFSInfo . . . . . . . . . . . . . . . . . . . . .261
Investigating the Internals of the Logical Disk Manager . . . . .261
Looking inside the LDM Database . . . . . . . . . . . . . . . . .263
Managing Volume IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Managing Disk Utilization (Du, DiskView) . . . . . . . . . . . . . . . .270
An Easier Way to Find Large Directories . . . . . . . . . . . . . . .271
Finding Space Utilized by User Documents and Applications . . . . . . . . . . . .272
Viewing Where Files Are Located on a Disk . . . . . . . . . . . . .272
Viewing NTFS Metadata Files from DiskView . . . . . . . .273
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
Chapter 6 Recovering Lost Data . . . . . . . . . . . . . . . . . . . . . 281
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Recovering Data Across a Network (Remote Recover) . . . . . . . .282
Remote Data Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . .282
Remote Disk Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . .283
Recovering Files (FileRestore) . . . . . . . . . . . . . . . . . . . . . . . . . .284
The File Restoration Process . . . . . . . . . . . . . . . . . . . . . . . .284
Recovering the Files . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Recovering Data with NTRecover . . . . . . . . . . . . . . . . . . .287
Local File Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Caveats and Pitfalls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
Advanced Data Recovery and Centralized Recovery (Recovery Manager) . . . . . . . . .288
Setup and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Recovery Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Precision Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
System Rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292
Restoring Lost Active Directory Data (AdRestore) . . . . . . . . . . .293
Restoration Methodologies . . . . . . . . . . . . . . . . . . . . . . . . .293
How AdRestore Works . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Chapter 7 System Troubleshooting . . . . . . . . . . . . . . . . . . . 299
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Making Sense of a Windows Crash (Crash Analyzer Wizard) . . . .300
Running the Crash Analyzer Wizard . . . . . . . . . . . . . . . . . .300
Crash Analyzer Wizard Prerequisites . . . . . . . . . . . . . . . .301
Using the Crash Analyzer Wizard . . . . . . . . . . . . . . . . . .301
Taking Corrective Action . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Install Updated Driver . . . . . . . . . . . . . . . . . . . . . . . . . .307
Find a Workaround . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Disable the Driver . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307
Real-World Example . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Identifying Errant Drivers (LoadOrder) . . . . . . . . . . . . . . . . . . .308
Running the Utility and Interpreting the Data . . . . . . . . . . .308
Execute LoadOrder . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Interpret LoadOrder Results . . . . . . . . . . . . . . . . . . . . . .310
Real-World Example . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Detecting Problematic File and Registry Accesses (FileMon, Regmon) . . . . . . . . . .311
Problematic File Accesses . . . . . . . . . . . . . . . . . . . . . . . . . . .311
Installing FileMon . . . . . . . . . . . . . . . . . . . . . . . . . . . . .311
Configuring FileMon . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Real-World Example . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Problematic Registry Accesses . . . . . . . . . . . . . . . . . . . . . . .316
Installing Regmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Using Regmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .316
Real-World Example . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Analyzing Running Processes (PsTools) . . . . . . . . . . . . . . . . . . .319
Methodologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
Listing Process Information . . . . . . . . . . . . . . . . . . . . . . .319
Stopping a Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Putting It All Together (FileMon, RegMon, PsTools) . . . . . . . . . .322
Finding Suspicious Files . . . . . . . . . . . . . . . . . . . . . . . . . . . .323
Digging Deeper with RegMon . . . . . . . . . . . . . . . . . . . . . .323
Wrapping It Up with PsTools . . . . . . . . . . . . . . . . . . . . . . .324
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Chapter 8 Network Troubleshooting . . . . . . . . . . . . . . . . . . 331
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Monitoring Active Network Connections (TCPView, Tcpvcon, TCPView Pro) . . . . . . . . .332
TCPView . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332
Tcpvcon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .335
TCPView Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Performing DNS and Reverse DNS Lookups (Hostname) . . . . .344
Domain Name Addressing . . . . . . . . . . . . . . . . . . . . . . . . . .344
How Hostname Works . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Getting Public Domain Information (Whois) . . . . . . . . . . . . . . .346
Internet Domain Registration . . . . . . . . . . . . . . . . . . . . . . .346
Running Whois and Interpreting the Results . . . . . . . . . . . .346
Identifying Problematic Network Applications (TDIMon, TCPView Pro) . . . . . . . . . .351
Using the Tools to Find and Correct Issues . . . . . . . . . . . . . .353
IRP Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355
TDI Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .356
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .362
Chapter 9 Tools for Programmers . . . . . . . . . . . . . . . . . . . . 363
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364
Implementing a Trace Feature (DebugView) . . . . . . . . . . . . . . . .364
Using a Trace Feature During Application Development/Debugging . . . . . . . . . . . .365
Using a Trace Feature While in Deployment . . . . . . . . . . . . .365
Sample Trace Feature Implementations . . . . . . . . . . . . . . . . .366
Identifying I/O Bottlenecks (Filemon, Regmon, Tokenmon, Process Explorer) . . . . . . . . .368
CPU Utilization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369
Viewing Loaded Objects . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Benchmarking File, Registry, and Token Accesses . . . . . . . . .372
Isolating Areas for Optimization . . . . . . . . . . . . . . . . . . . . . .373
Analyzing Applications (Process Explorer, Strings) . . . . . . . . . . . .374
Examining a Running Application . . . . . . . . . . . . . . . . . . . .374
Running Threads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
Open Sockets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Open Handles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
Finding Embedded Text . . . . . . . . . . . . . . . . . . . . . . . . . . . .376
I Wonder How It’s Doing That . . . . . . . . . . . . . . . . . . . . . .378
Debugging Windows (LiveKd) . . . . . . . . . . . . . . . . . . . . . . . . . .379
Debugging a Live Windows System . . . . . . . . . . . . . . . . . . .380
A Programmer’s View of a System Crash . . . . . . . . . . . . . . .381
Tracking Application Configuration Problems (Process Explorer, Tokenmon) . . . . . . . . . .382
Listing Active Security Credentials . . . . . . . . . . . . . . . . . . . .382
Verifying That the Correct Files and Modules Are Loaded . . .384
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Chapter 10 Working with the Source Code . . . . . . . . . . . . . 391
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Overview of the Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .392
Tools with Source Code . . . . . . . . . . . . . . . . . . . . . . . . . . .392
IDE and Languages Used . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Porting Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Compiling the Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Warnings and Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Sample Derivative Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Simple Keyboard Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . .398
Keyboard Sniffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .401
l33tspeak Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
License Uses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Personal Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Commercial Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .407
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Chapter 11 NT 4.0-Only Tools. . . . . . . . . . . . . . . . . . . . . . . . 413
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Optimizing an NT 4.0 System (CacheSet, Contig, PMon, Frob) . .414
File System Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . .414
CacheSet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Contig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418
Process Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
PMon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Frob . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Recovering Data (NTRecover) . . . . . . . . . . . . . . . . . . . . . . . . .425
Recovering Lost or Damaged Data . . . . . . . . . . . . . . . . . . .427
Fixing a Damaged Volume . . . . . . . . . . . . . . . . . . . . . . .432
Accessing a Windows NT 4.0 NTFS Volume from a FAT File System Volume . . . . . . . . . .432
Diagnosing a Windows 2000 NTFS Volume from Windows NT 4.0 (NTFSCHK) . . . . . . . . . .434
Running NTFSCHK . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .438
Chapter 12 Having Fun with Sysinternals . . . . . . . . . . . . . . 441
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Generating a Blue Screen of Death on Purpose (BlueScreen) . . .442
Installing BlueScreen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .442
Setting Up the BlueScreen Screensaver . . . . . . . . . . . . . .443
Let the Fun Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444
Modifying the Behavior of the Keyboard (Ctrl2cap) . . . . . . . . . .445
Installing and Using Ctrl2cap . . . . . . . . . . . . . . . . . . . . . . . .445
Uninstalling Ctrl2cap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
How It Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446
Creating Useful Desktop Backgrounds (BgInfo) . . . . . . . . . . . . .447
Customizing Displayed Data . . . . . . . . . . . . . . . . . . . . . . . .447
Configuring BgInfo Using the Menu Options . . . . . . . . . . .449
Running BgInfo from the Command Line . . . . . . . . . . . . . .451
Bypassing the Login Screen (Autologon) . . . . . . . . . . . . . . . . . .452
Setting Up Autologon . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453
Enabling and Disabling Autologon . . . . . . . . . . . . . . . . .453
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . .456
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Foreword

Six years and seven months ago, Winternals brought forth a set of tools that
came to my rescue. It was November of 1999 when I purchased my first
Winternals Administrator’s Pak. It contained BlueSave Version 1.01, ERD
Commander Professional Version 1.06, Monitoring Tools (FileMon and
Regmon) Enterprise Editions Version 1.0, NTFSDOS Professional Version 3.03,
NTRecover Version 1.0, and Remote Recover Version 1.01. We had a Windows
NT 4 server in the dead zone. I spent a few hours reading over the ERD and
Remote Recover user guides, created a “client floppy” (yes this was when we
still had to use floppies), and began my quest. Thank goodness that version of
ERD had the ability to access NT-defined fault-tolerant drives, because within
a few hours we had recovered the system and were back up and running. Since
my Windows NT administrator experience began in 1996, I thought back on
hundreds of incidents that made me wish I had purchased Winternals sooner.
We have come a long way since then; the Winternals team has improved upon
and added many tools and features to the Administrator’s Pak utilities. However,
one thing remains the same—in the Microsoft administrator’s world, Winternals
is a lifesaver.
Winternals not only makes excellent products you can purchase for the
enterprise but also sponsors the freeware Sysinternals tools
(www.sysinternals.com), by far the greatest collection of freeware tools for the
Microsoft administrator’s toolbox in the market.
I spent quite a bit of time speaking with Winternals users with various
experience using the utilities and tools for different functions. Many of those
users expressed interest in helping with the book, so I gathered a group of
security professionals from around the globe, and we formed an outline. We had
a great time working together and throwing ideas, and some jokes, around at
each other. We set out with a goal of writing about the Winternals and