Chapter 22 - Disk, File System, and Backup Utilities

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

This chapter explains various disk utilities, file system utilities, and Backup utilities and how to use them. It shows where to obtain the utilities and other sources of related information.

Three chapters in this part of the Windows NT Workstation Resource Guide also identify situations in which you should use the utilities (described in this chapter) and contain more information about them:

• Chapter 17, "Disk and File System Basics."

• Chapter 20, "Preparing for and Performing Recovery."

• Chapter 21, "Troubleshooting Startup and Disk Problems."

The utilities described in this chapter are available from different sources.

The following utilities are on the Windows NT Workstation product* *CD. When you install Windows NT, they are installed in %systemroot%\System32. You must run all of these utilities from the command prompt. The Section column in the next table identifies the section in this chapter in which the utility is described.

Utility	Purpose	Section
AT	Run Windows NT backup at scheduled time.	Backup
Cacls	Display and modify Access Control Lists (ACLs) for NTFS files and folders.	File System
Compact	Display and change compression of NTFS files and folders.	File System
Convert	Convert volume from FAT to NTFS.	File System
Expand	Expand files that are compressed on the Windows NT Workstation product CD, the Windows NT Workstation Resource Kit CD, or that you compressed by using the Compress utility.	File System

The rest of the utilities described in this chapter are provided in the Windows NT Workstation Resource Kit. You can install the Resource Kit by double-clicking Setup.exe when you load the Resource Kit CD.

The Windows NT Resource Kit utilities are organized into subgroups, by functional area. Rktools.hlp contains info about each of the utilities on the resource kit. To find out which functional area contains which utilities, double-click Rktools.hlp, and double-click each Tools group on the Contents screen.

When you install the Windows NT Resource Kit, Setup creates a Resource Kit program group that has Rktools.hlp and Readme.txt in it. It also creates a program group within the Resource Kit program group for each subgroup that you install. You can install only those subgroups that you want by doing a custom install.

To do a custom installation of the Resource Kit

1. Double-click Setup.exe at the root of the Windows NT Workstation Resource Kit CD.

2. Click the Custom button.

3. Check the group or groups that contain the utilities you want to install.

The following table contains information about each of the Resource Kit utilities described in this chapter. As in the previous table, the Section column identifies the section in this chapter in which the utility is described.

Utility	Type	Purpose	Subgroup	Section
Compress	Command prompt	Compress files and folders.	File	File System
DirUse	Command prompt	Display folder size information, including compression information for NTFS volumes.	File	File System
DiskMap	Command prompt	Display information about the disk and the contents of the Partition Table.	Disk/Fault Tolerance	Disk
DiskProbe	Windows NT–based	Low-level disk editor.	Disk/Fault Tolerance	Disk
DiskSave	MS-DOS-based	Save and restore Master Boot Record and Partition Boot Sector.	Disk/Fault Tolerance	Disk
Expndw32	Windows NT–based	Expand compressed files.	File	File System
FTEdit	Windows NT–based	Recover stripe sets and volume sets.	Disk/Fault Tolerance	Disk

Disk Utilities

DiskProbe, DiskSave, and FTEdit are low-level editors. When you use them, you are changing information on the disk without any checks as to whether the changes make sense. Each utility does display messages asking you to verify that you really want to change the information. However, you can easily make changes that have serious consequences, such as:

• You cannot start any operating system.

• A volume is no longer accessible.

• You have to recreate and reformat all of the partitions and logical drives.

Used carefully however, you can solve these same problems when they occur through human error, hardware problems, power outages, and similar events. It is a good idea to get familiar with using these utilities in a test situation before you need to use them for real. Testing is especially important if your configuration has volume sets, stripe sets, extended partitions, or extended volume sets.

DiskMap displays information layout of partitions and logical drives on your disk, and you cannot change information on the disk when using this utility.

Note You can save and restore Master Boot Records and Partition Boot Sectors by using both DiskProbe and DiskSave. Both utilities save these files in the same format, so they can be saved by using one utility and restored by using the other.

DiskMap — Display a Map of the Disk

This utility produces a report on the configuration of the disk that you specify. It provides information about the disk characteristics and a description for each partition and logical drive on the disk.

DiskMap can be run from the command prompt. The syntax is:

diskmap /d<drive#> [/h]

These are the options for DiskMap

Option	Description
/d<drive#>	Drive# is the physical disk for which you want a map.
/h	Indicates hexadecimal output. The default is decimal output.

Some fields in the DiskMap report are always hex or always decimal, regardless of whether you specify the /h option when you run the utility. These fields are shown in the next table. You can see the fields in the DiskMap sample report, shown later in this section.

Always hex	Always decimal
Signature	The MB portion of the DiskSize field
System ID	Partition number

As an example, Figure 22.1 is a Disk Administrator screen shot of a computer with one hard disk.

 

Figure 22.1 Disk Administrator screen shot 

You get the following report for the disk configuration shown in Figure 22.1when you enter diskmap /d0 at the command prompt:

Cylinders HeadsPerCylinder SectorsPerHead BytesPerSector MediaType
1023 16 63 512 12
TrackSize = 32256, CylinderSize = 516096, DiskSize = 527966208 (503MB)

Signature = 0x14f24efd
StartingOffset PartitionLength StartingSector PartitionNumber
* 32256 210018816 63 1
210051072 209534976 410256 2
472227840 10321920 922320 3
419618304 10289664 63 4
429940224 8225280 63 5
438197760 12354048 63 6
450584064 16998912 63 7

MBR:
Starting Ending System Relative Total
Cylinder Head Sector Cylinder Head Sector ID Sector Sectors
* 0 1 1 406 15 63 0x06 63 410193
407 0 1 812 15 63 0x07 410256 409248
813 0 1 914 15 63 0x05 819504 102816
915 0 1 934 15 63 0x01 922320 20160

EBR: (sector 819504)
Starting Ending System Relative Total
Cylinder Head Sector Cylinder Head Sector ID Sector Sectors
813 1 1 832 15 63 0x87 63 20097
833 0 1 848 15 63 0x05 20160 16128
0 0 0 0 0 0 0x00 0 0
0 0 0 0 0 0 0x00 0 0

EBR: (sector 839664)
Starting Ending System Relative Total
Cylinder Head Sector Cylinder Head Sector ID Sector Sectors
833 1 1 848 15 63 0x01 63 16065
849 0 1 872 15 63 0x05 36288 24192
0 0 0 0 0 0 0x00 0 0
0 0 0 0 0 0 0x00 0 0

EBR: (sector 855792)
Starting Ending System Relative Total
Cylinder Head Sector Cylinder Head Sector ID Sector Sectors
849 1 1 872 15 63 0x07 63 24129
873 0 1 905 15 63 0x05 60480 33264
0 0 0 0 0 0 0x00 0 0
0 0 0 0 0 0 0x00 0 0

EBR: (sector 879984)
Starting Ending System Relative Total
Cylinder Head Sector Cylinder Head Sector ID Sector Sectors
873 1 1 905 15 63 0x87 63 33201
0 0 0 0 0 0 0x00 0 0
0 0 0 0 0 0 0x00 0 0
0 0 0 0 0 0 0x00 0 0

This utility is very useful for producing hardcopy reports for each disk, which should be kept with the other configuration information that you maintain for your computer. You can create a hardcopy by redirecting the output to a printer or to a file, which you can then print. This example creates a file:

diskmap /d0 >disk0map.txt

The first three lines of the output:

Cylinders HeadsPerCylinder SectorsPerHead BytesPerSector MediaType
1023 16 63 512 12
TrackSize = 32256, CylinderSize = 516096, DiskSize = 527966208 (503MB)

are information that DiskMap obtained by using IOCTL_DISK_GET_DRIVE_GEOMETRY. The information is the geometry of the disk as seen by Windows NT. The hardware might have different physical geometry, because translation can be performed either at the hardware or device driver layer. It is important to know what geometry Windows NT is using. You can use this information if you need to repair the Partition Table, which is described in the section entitled "Editing and Repairing the Partition Table," later in this chapter. The TrackSize, CylinderSize, and DiskSize values are bytes.

The second section of the output is information about the disk returned from IOCTL_DISK_GET_DRIVE_LAYOUT. Windows NT uses the signature to correlate information in the HKEY_LOCAL_MACHINE \SYSTEM \DISK Registry subkey with the appropriate physical disk when the disk contains volume sets or stripe sets. The StartingOffset and PartitionLength fields are the values for each of these data in bytes.

The MBR and EBR sections on the printout describe the contents of the Partition Table(s). The MBR section is for the Partition Table contained on the first sector of the disk. If there is no extended partition on the disk, there are no EBR sections. Otherwise, there is one EBR section for each logical drive in the extended partition. The fields in each of these sections are described in the "Partition Table" section in Chapter 17, "Disk and File System Basics."

Each partition that has an asterisk (*) at the left side is a system partition, which contains the files used to load an operating system such as Windows NT. On an x86-based computer, each disk can have a system partition, but there should only be one partition with the * on each disk. RISC-based computers can have more than one system partition on a disk.

The DiskMap utility has several possible error messages. Some messages are not serious, and you can easily correct them. Other messages usually are caused by some type of hardware problem or corruption of the data on the disk. This table describes the error messages that you might see. The N and E in the message indicate numbers.

Message	Meaning
BLOCKED: CreateFile() Failed /dN [Error E] Ensure that you have selected a valid drive number and that the selected drive is not locked by another process.	The attempt to open physical disk N failed. Either some other program, such as Disk Administrator or DiskProbe, has the drive open, or the value following /d is invalid (out of range or not a number).
Unable to get drive layout using IOCTL_DISK_GET_DRIVE_GEOMETRY. Error: [Error E]. This is a fatal error.	The call to DeviceIoControl() with the parameter IOCTL_DISK_GET_DRIVE_ GEOMETRY failed. You would get this error if you removed the disk in a removable media device. Otherwise, it could indicate a hardware failure where a device that was available at startup is no longer available.
Unable to allocate memory	DiskMap tried to allocate memory for a temporary buffer and no memory was available. Try closing other programs.
Unable to get drive layout using IOCTL_DISK_GET_DRIVE_LAYOUT. Error: [Error E].	The call to DeviceIoControl() with the parameter IOCTL_DISK_GET_DRIVE_LAYOUT failed. In attempting to walk the Partition Table chain, some kind of error was encountered. This error indicates Partition Table corruption, hardware RAID array corruption, hardware failure, or a change in apparent disk geometry that makes portions of the volume inaccessible. More information about why the call failed might be available in other parts of the utility where it walks the chain manually.
Unable to read next EBR. Error: [Error E].	A call to ReadFile() failed. This is usually caused by an attempt to read past the end of the disk, as in the case where the pointer to the next EBR is not valid. It can also indicate a bad sector at the EBR location.
Next EBR failed to pass sanity check.	This message means that the Ending Head for each of the four Partition Table entries is not 0 or not equal to TracksPerCylinder-1, or that the last two bytes in the sector are not 0x55 0xAA. The problem is either an error in the chain of EBRs or this sector has been corrupted.
Detected partition corruption.	This message means that the value in the Relative Sector field for a Partition Table entry is not equal to the SectorsPerHead value.

In general, if the partition size and layout displayed by DiskMap looks about right and the utility does not display any error messages, then the Partition Tables are probably correct.

An example of where DiskMap can be very useful is when a Partition Table was written incorrectly and the last EBR referenced is past the end of the disk. Disk Administrator will not initialize in this situation, because it depends on the information from IOCTL_DISK_GET_DRIVE_LAYOUT, which would fail. DiskMap would also display an error about IOCTL_DISK_GET_DRIVE_LAYOUT, but would display the EBRs that it can read up to the point of failure. If you have a hardcopy of a map of the disk that had no errors, you can see where the two chains diverged. You can restore the original partition information by correcting the first EBR that has bad values by using a low-level disk editor such as DiskProbe. Typically, the rest of the original EBRs would not have been damaged by the bad EBR chain. Sometimes, though, it might be necessary to repair more than one EBR.

DiskProbe — a Low-level Disk Editor

This Windows NT–based utility enables you to save, restore, find, examine, and change data on the disk. DiskProbe gives an administrator access to every byte on the physical disk without regard to access privilege, and with it you can change any part of the disk. It is your responsibility to make sure that you have backups of the disk.

After starting DiskProbe, as shown in Figure 22.2, you use the Drives menu to open a physical disk or a logical drive.

 

Figure 22.2 Opening a disk by using DiskProbe

Clicking Physical Drive on the Drives menu opens the entire physical disk. You can access any sector on the disk. When you read or write sectors, the sector number is the absolute sector from the beginning of the disk.

Clicking Logical Volume on the Drives menu opens the logical drive associated with a drive letter. Sector numbers are relative to the start of the logical drive, and you can only access sectors within the range of the logical drive. You cannot use DiskProbe to access a network drive.

When you have opened either a disk by clicking either Physical Drive or Logical Volume, you can get information about the characteristics of the disk by clicking Volume Information on the Drives menu. You get the same information regardless of how you opened the disk. This information is the same as what you see if you run the DiskMap utility for this disk. You can use this information if you need to repair the Partition Table. Here is an example:

 

Whenever you use DiskProbe to read a sector, it displays the sector number of the first sector it read in the title bar. It also displays the sector number of the sector you are currently viewing in the status bar. This information is useful if you have read more than one sector.

When you are first using DiskProbe, or are looking at information in an extended partition, it is recommended that you write down the sector number for the start of each partition and logical drive. You should also write down the sector number of the Partition Boot Sector partition or logical drive. You can produce a hardcopy of the disk configuration by using the DiskMap utility, which is described earlier in this chapter.

If your disk has volume sets or an extended partition, remembering which partition or logical drive you are looking at can become difficult. You can always start over by reading sector 0, which reads the Partition Table for the disk.

Note In the DiskProbe utility, sectors are numbered starting from zero.

The location of some system information on NTFS volumes is different, depending on which version of Windows NT was used to format the volume. For example, Windows NT 4.0 writes a backup of the Partition Boot Sector for the volume at the end of the volume. Earlier versions of Windows NT put the backup at the center of the volume.

For more information about DiskProbe, see Dskprobe.hlp and Rktools.hlp on the Windows NT Workstation Resource Kit CD.

Comparing DiskProbe to Disk Administrator

Although DiskProbe and Disk Administrator both provide you with information about the organization of your hard disks, each utility has additional functionality. Disk Administrator enables you to configure and format your disks. DiskProbe enables you to save and change the data on the disk.

Disk Administrator shows you, for each disk, the size and organization of:

• Primary partitions

• Logical drives (single contiguous areas in an extended partition)

• Stripe sets

• Volume sets

When displaying information about stripe sets and volume sets, both DiskProbe and Disk Administrator read the HKEY_LOCAL_MACHINE \SYSTEM \DISK Registry subkey to determine which disks contain the members of the volumes.

When you view the Partition Table, DiskProbe enables you to determine the starting and ending location of primary partitions, logical drives, and volume sets.

DiskProbe simply displays the information that it finds in each Partition Table, it is up to you to understand how the individual entries in the Partition Table relate to what you have configured on your disks. If your configuration contains extended partitions, you might find it easier to understand the DiskProbe information if you print a screen shot of the Disk Administrator display (by pressing ALT+Print Screen, pasting the screen shot into Paint or a document, and then printing the picture or document). The section "Walking an Extended Partition," presented later in this chapter, contains an example of the Disk Administrator and DiskProbe information for an extended partition.

Note Because both DiskProbe and Disk Administrator can modify the Partition Table, and DiskProbe enables you to directly modify any sector on a disk, you should never have both of these utilities open at the same time. When you are using DiskProbe, you should also be very cautious about running any other programs. DiskProbe writes directly to the disk without using the file cache, the NTFS log file, or any file system device drivers.

Backing Up and Restoring the Master Boot Record

The Master Boot Record on the hard disk that you use to start your computer is the most important sector on the disk. The Master Boot Record on other disks is not as critical. However, if the partition information in the other Master Boot Records is not correct, you might not be able to access partitions on those disks.

For an example of a Master Boot Record, see Chapter 17, "Disk and File System Basics."

To back up the Master Boot Record

1. In the Resource Kit folder, double-click the DiskProbe icon.

2. On the Drives menu, click Physical Drive. You will see the Open Physical Drive dialog box, which is shown in the following figure.

    

   The Available Physical Drives are listed as PhysicalDriven, where n=0 for the first hard disk. Double-click the disk that contains the Master Boot Record you want to save. You should always save the Master Boot Record on the startup disk. In the case of an x86-based computer, the startup disk is usually PhysicalDrive0.

   When you have more than one disk, you should back up the Master Boot Record on each disk, since it contains the Partition Table for that disk.

3. In the Handle 0 group box, click Set Active. Click Close.

4. On the Sectors menu, click Read to open the Sector Range dialog box, which is shown in the figure below. Set Starting Sector to 0 and Number of Sectors to 1. Click Read.

    

   Make sure that the sector you read looks like a Master Boot Record, as described in Chapter 17, "Disk and File System Basics."

5. On the File menu, click Save As. Enter the filename. Consider saving the file to the Emergency Repair Disk, the Windows NT startup floppy disk, or the MS-DOS bootable floppy disk. You can save it on more than one disk. If you have more than one disk whose Master Boot Record you are baking up, using a filename such as Mbrdiskn.dsk can help you remember which file corresponds to which disk.

To restore the Master Boot Record

1. In the Resource Kit folder, double-click the DiskProbe icon.

2. On the File menu, click Open. Enter the filename and open the file. Verify that the file looks like a Master Boot Record and that it is 512 bytes. DiskProbe displays a message if the size of the file you open is not a multiple of 512.

3. On the Drives menu, click Physical Drive. The Available Physical Drives are listed as PhysicalDriven, where n=0 for the first hard disk. Double-click the disk that contains the Master Boot Record you want to restore.

4. In the Handle 0 group box, clear the Read Only check box, and click Set Active. Click Close.

5. On the Sectors menu, click Write to open the Write Sector dialog box. Set Starting sector to write data to 0. Click Write it.

6. DiskProbe displays a message box so you can verify the information.

Displaying and Using the Partition Table

The Master Boot Record is the first sector on each hard disk. The first step in troubleshooting Partition Table problems should be to read the Master Boot Record and look at the Partition Table. The description in this section applies to viewing the Partition Table in the Master Boot Record. See "Walking an Extended Partition," presented later in this chapter, for information about finding the Partition Table for an extended partition.

To display the Partition Table

1. Read the Master Boot Record by using steps 1 through 4 in the procedure for backing up the Master Boot Record, given earlier in this chapter.

2. On the View menu, click Partition Table to see the information displayed in a user-friendly manner. You will see a screen like the following:

    

   Figure 22.3 DiskProbe Partition Table view 

DiskProbe makes it easy for you to look at the information for each partition. In the Partition table index list box, double-click the partition number for which you want to see the Partition Table entry.

Click the Next Partition button to see the information in the first sector of the next partition. For a primary partition, clicking the Next Partition button reads the Partition Boot Sector of the next partition. When the next partition is an extended partition, clicking Next Partition reads the Partition Table sector for the first logical drive in the extended partition.

For a primary partition, clicking the Go button next to the Relative Sector field reads the Partition Boot Sector for the current partition. When the System ID field is EXTENDED, clicking the Go button reads the Partition Table for the next logical drive in the extended partition.

If you make changes to the Partition Table, you must explicitly write the sector to disk by clicking Write on the Sectors menu.

When you are viewing the information for an extended partition in the Partition Table area of the Master Boot Record, the Total Sectors field is the total size of the extended partition, which is usually larger than the size of the first logical drive in the partition.

Walking an Extended Partition

If the disk has an extended partition, finding the information for each logical drive is more complicated than just looking at the Partition Table in the Master Boot Record, but DiskProbe does the work for you. "Logical Disks and Extended Partitions," within Chapter 17 describes the organization of an extended partition.

Information for the logical drives in an extended partition is basically chained from one logical drive to the next. The term walking an extended partition means that utilities like DiskProbe and DiskMap use the information defined for one logical drive in the chain to find the next logical drive in the chain. Knowing how to walk an extended partition is necessary if one of the links in the chain becomes corrupted, and you want to try to repair it.

The description in this section applies when you are viewing the Partition Table information in the first sector of each logical drive.

To help make the descriptions easier to understand, following is a screen shot from Disk Administrator, and the information from DiskProbe for the extended partition shown in the screen shot. The extended partition includes volume set E, logical drives I and K, and 4 MB of unused space between E and L. This example is the same disk configuration used in the section "DiskMap — Display a Map of the Disk," presented earlier in this chapter.

 

Note This example is for illustration purposes, and is not a good organization for the disk, because the free space at the end of the primary partition is unusable. This is because you can have only four partition table entries in the Master Boot Record. In this example, primary partitions C, D, and L each use one entry. The extended partition, which includes volume set E, logical drives I and K, and the free space between E and K, uses the other entry. Disk Administrator displays an error message if you try to use any of the area after drive L to create a partition or extend an NTFS logical drive.

The distinction between the two areas of free space is that the one on the left is free space within an extended partition, while the free space on the right, which has a different background pattern, is not a part of any partition.

To walk the extended partition in this example, start with the information for partition 3 in the Partition Table on relative sector 0. Partition 3 points you to the first logical drive in the extended partition. By following the links in the Partition Table entry for each logical drive, you can find the information for all of the logical drives.

The next table identifies which sectors contain information about the extended partition and the logical drives. The table also describes which buttons to click to walk the extended partition.

Relative sector	Contents
0	Partition 3 of the Master Boot Record contains an EXTENDED entry, which is the information about the first part of volume set E. Click Go when viewing partition 3 to read the Partition Table for the first part of volume set E.
819504	Partition 1 describes the first part of volume set E. Partition 2 is an EXTENDED entry with the information for logical drive I. Click Next Partition when viewing partition 1 to read the Partition Table for logical drive I.
839664	Partition 1 describes logical drive I, Partition 2 is an EXTENDED entry with the information for logical drive K. Click Next Partition when viewing partition 1 to read the Partition Table for logical drive K.
855792	Partition 1 describes logical drive K. Partition 2 is an EXTENDED entry with the information for the second part of volume set E. Click Next Partition when viewing partition 1 to read the Partition Table for the second part of volume set E.
879984	Partition 1 describes the second part of volume set E. Partition 2 is all zeroes (end of the extended partition).

The next table shows the information in Partition 3 of the Master Boot Record and each of the Partition 1 entries for the extended partition.

Field Name	Master Boot Record entry	First part of E (10 MB)	I (8 MB)	K (12MB)	Second part of E (16 MB)
System ID	EXTENDED	NTFS FT	FAT	NTFS	NTFS FT
Boot Indicator	NO_ SYSTEM	NO_ SYSTEM	NO_ SYSTEM	NO_ SYSTEM	NO_ SYSTEM
Start Head	1	1	1	1	1
End Head	15	15	15	15	15
Start Sector	1	1	1	1	1
End Sector	63	63	63	63	63
Start Cylinder	813	813	833	849	873
End Cylinder	914	832	848	872	905
Relative Sector	819504	63	63	63	63
Total Sectors	102816	20097	16065	24129	33201

When the System ID field for a Partition 2 in an extended partition contains the value EXTENDED, double-click Partition 1 in the Partition table index list box, and then click Next Partition to read the first sector of the next logical drive. The only information in the first sector of a logical drive is a Partition Table, which has two entries. The Partition 1 entry contains information about the current logical drive, and the Partition 2 entry is the information for the next logical drive in the extended partition. The System ID for each Partition 2 entry should be EXTENDED unless you are at the end of the extended partition.

The next screen shot shows the Partition Table entry for the first part of volume set E; the Partition Table is located at relative sector 819504.

 

When the System ID field contains any value except EXTENDED or UNKNOWN, clicking the Go button next to the Relative Sector field reads the Partition Boot Sector for the logical drive.

To view the information for Partition 2 (the next logical volume), double-click Partition 2 or click Next Partition while viewing the information for Partition 1.

The Relative Sector field for each Partition 2 entry in an extended partition is the offset from the beginning of the extended partition, not the offset from the beginning of the Partition Table associated with the Partition 1 entry. Therefore, do not use the Go button to try to read the Partition Boot Sector for Partition 2.

Note Sometimes, the System ID byte for NTFS volume sets and stripe sets does not have the correct value. It should be 0x87, which DiskProbe displays as NTFS FT. Instead, it might be 0x86, which DiskProbe displays as FAT FT. Windows NT uses information in the Partition Boot Sector to determine which file system to use, so this incorrect value causes no problems, although it can be confusing to a person trying to understand the data on the disk. To be certain which file system is being used for a volume, look at the Partition Boot Sector.

Viewing the Partition Boot Sector

You can use DiskProbe to view the information in Partition Boot Sectors. You see a formatted view of the information in the BIOS Parameter Block and the Extended BIOS Parameter Block. For a description of these structures, see "Partition Boot Sector," in Chapter 17, "Disk and File System Basics."

To view a Partition Boot Sector

1. In the Resource Kit folder, double-click the DiskProbe icon.

2. On the Drives menu, click Logical Volume. In the Logical Volumes list box of the Open Logical Volume dialog box, double-click the drive letter for the volume whose Partition Boot Sector you want to read.

3. In the Handle 0 group box, click Set Active. Click OK.

4. On the Sectors menu, click Read to display the Read Sectors dialog box. Set Starting Sector to 0 and Number of Sectors to 1.

5. On the View menu, click NTFS Bootsector or FAT Bootsector to see the information.

The next screen shot shows the NTFS Bootsector view of primary partition D for the disk configuration shown in Figure 22.1.

When viewing an NTFS Partition Boot Sector, there are Go buttons next to the fields Clusters to MFT and Clusters to MFT mirr. When you click one of these buttons, it reads the first sector of the MFT or the MFT mirror, respectively. For information about these structures, see "Master File Table (MFT) and NTFS System Files" in Chapter 17, "Disk and File System Basics."

Windows NT writes a backup of the NTFS Partition Boot Sector at the logical center of the volume (Windows NT version 3.51 and earlier) or the end of the volume (Windows NT 4.0). You can use the Volume Middle and Volume End buttons to read the backup Partition Boot Sector. However, there are some situations, when using Windows NT version 3.51 or earlier, where the backup Partition Boot Sector does not get written in the correct location:

• Converting a volume from FAT to NTFS does not put the backup Partition Boot Sector on the disk.

• Extending a volume set does not put the backup Partition Boot Sector on the disk.

View the sector you read to make sure it looks like an NTFS Partition Boot Sector, and that the information in it is accurate for the volume.

When viewing a FAT Partition Boot Sector, there is also a Volume End button, but there is no backup of the FAT Partition Boot Sector on the volume. If you are trying to find where volumes begin and end so you can repair a Partition Table, you can use the Volume End button for both FAT and NTFS primary partitions and logical drives to read what should be the sector immediately before the beginning of the next primary partition or logical drive.

Note If you are viewing a backup NTFS Partition Boot Sector, do not use the Go, Volume End, or Volume Middle buttons. These buttons read the correct sectors only when you are viewing the Partition Boot Sector at the beginning of the volume.

Backing Up and Restoring the Partition Boot Sector

The Partition Boot Sector contains information that the file system uses to access the volume. On x86-based computers, the Master Boot Record uses the Partition Boot Sector on the system partition to load the operating system kernel files, or in the case of Windows NT, the boot loader.

For examples of a Partition Boot Sector for a FAT and an NTFS volume, see Chapter 17, "Disk and File System Basics."

There are several procedures that you can use, depending on whether you are backing up or restoring the Partition Boot Sector for:

• A primary partition

• A logical drive, which is a single contiguous area in an extended partition

• Several Partition Boot Sectors in an extended partition

• A volume set

• A stripe set

You can open the disk to read the Partition Boot Sector by using either Physical Drive or Logical Volume on the Drives menu. When you use Physical Drive, you have to read the Partition Table to find the address of the Partition Boot Sector. When you use Logical Volume, you read the Partition Boot Sector by reading sector 0 of the logical drive. You cannot read the Master Boot Record when you use Logical Volume.

To back up a Partition Boot Sector for a primary partition by using Physical Drive

1. Read the Partition Table and view it by using the procedure in "Displaying and Using the Partition Table," presented earlier in this section.

2. In the Partition table index list box, double-click the partition number for the Partition Boot Sector that you want to save. For instance, to save the Partition Boot Sector for the system partition, double-click the partition number that has the Boot Indicator set to SYSTEM.

3. To read the Partition Boot Sector, click the Go button next to the Relative Sector field. On the View menu, click NTFS BootSector or FAT BootSector to see the information displayed appropriately. Make sure that the sector you just read looks like a Partition Boot Sector, as described in Chapter 17, "Disk and File System Basics."

4. On the File menu, click Save As. Enter the filename. Consider saving the file to the Emergency Repair Disk, the Windows NT startup floppy disk, or the MS-DOS bootable floppy disk. You can save it to more than one disk. When you are saving a Partition Boot Sector, using a name such as PBSssssssssDISKn.dsk, where ssssssss is the relative sector of the Partition Boot Sector and n is the disk number, can help you remember what the file contains.

To back up the Partition Boot Sector by using Logical Volume

1. In the Resource Kit folder, double-click the DiskProbe icon.

2. On the Drives menu, click Logical Volume. In the Logical Volumes list box, double-click the drive letter for the volume whose Partition Boot Sector you want to save.

3. In the Handle 0 group box, click Set Active. Close the dialog box.

4. On the Sectors menu, click Read. Set Starting Sector to 0 and Number of Sectors to 1. Make sure that the sector you read looks like a Partition Boot Sector, as described in Chapter 17, "Disk and File System Basics."

5. On the File menu, click Save As. Enter the filename. Consider saving the file to the Emergency Repair Disk, the Windows NT startup floppy disk, or the MS-DOS bootable floppy disk. You can save it to more than one disk. When you are saving a Partition Boot Sector in this manner, using a name such as PBSdDSKn.dsk, where d is the drive letter of the logical drive, and n is the disk number, can help you remember what the file contains. Using a name such as this assumes that you will not be changing drive letters.

To back up the Partition Boot Sectors in an extended partition by using Physical Drive

1. Read the Partition Table and view it by using the procedure in "Displaying the Partition Table," presented earlier in this section.

2. In the Partition table index list box, double-click the partition number for the extended partition, and then click Go. Doing this reads the first Partition Table entry in the extended partition.

3. You can walk the extended partition to find the logical drive whose Partition Boot Sector you want to back up. When you walk the extended partition, view the information for Partition 1 and click Go to read the Partition Boot Sector. You can use the Search function on the Tools menu to find each Partition Boot Sector. See "Finding a Partition Boot Sector," presented later in this chapter, for information about finding these disk sectors.

   You can also print a map of the disk by using the DiskMap utility, which provides you with the address of the Partition Table entry for each logical drive. You can then use DiskProbe to read the first sector of the logical drive whose Partition Boot Sector you want to back up, and use the Go button to read the Partition Boot Sector.

   Once you have read a Partition Boot Sector, on the View menu, click NTFS BootSector or FAT BootSector to see the information displayed appropriately. Make sure that the sector you just read looks like a Partition Boot Sector, as described in Chapter 17, "Disk and File System Basics."

4. On the File menu, click Save As. Enter the filename. Consider saving the file to the Emergency Repair Disk, the Windows NT startup floppy disk, or the MS-DOS bootable floppy disk. When you are saving a Partition Boot Sector, using a name such as PBSssssssssDISKn.dsk, where ssssssss is the relative sector of the Partition Boot Sector and n is the disk number, can help you remember what all of the files contain.

To restore the Partition Boot Sector for a primary partition by using Physical Drive

1. In the Resource Kit folder, double-click the DiskProbe icon.

2. On the Drives menu, click Physical Drive. In the Available Physical Drives group box, the disks are listed as PhysicalDriven, where n=0 for the first hard disk. Double-click the disk that contains the Partition Boot Sector that you want to replace.

3. In the Handle 0 group box, clear the Read Only check box, click Set Active, and click Close.

4. If you know the address of the sector you need to write, skip to step 6. To use DiskProbe to compute the sector, first read the Partition Table and view it by using the procedure in "Displaying and Using the Partition Table," presented earlier in this section. Figure 22-3 shows the DiskProbe Partition Table view.

5. In the Partition table index list box, double-click the partition number for the Partition Boot Sector that you want to replace. For example, to view information about the Partition Boot Sector for the system partition, double-click the partition number that has the Boot Indicator set to SYSTEM.

   The Relative Sector field contains the sector number for the Partition Boot Sector. Write down this number.

6. On the File menu, click Open, and enter the filename of the file that contains the Partition Boot Sector. Open the file. Verify that it looks like a Partition Boot Sector.

7. On the Sectors menu, click Write to display the Write Sector dialog box. In the Starting sector to write data, enter the sector number from step 5 (or that you already know is the correct sector). Click the option button for the disk to which you want to write the sector. Click Write it. 

    

8. DiskProbe displays a message box so you can verify the information.

To restore the Partition Boot Sector by using Logical Volume

1. In the Resource Kit folder, double-click the DiskProbe icon.

2. On the Drives menu, click Logical Volume. In the Logical Volumes list box of the Open Logical Volume dialog box, double-click the logical drive whose Partition Boot Sector you want to restore.

3. In the Handle 0 group box, clear Read Only, click Set Active, and click Close.

4. On the File menu, click Open, and enter the filename of the file that contains the Partition Boot Sector. Open the file. Verify that it looks like a Partition Boot Sector and is 512 bytes. DiskProbe displays an error if the file size is not a multiple of 512.

5. On the Sectors menu, click Write to display the Write Sector dialog box. In the Starting sector to write data, enter 0 for the Starting sector to write data. Click Write it.

6. DiskProbe displays a message box so you can verify the information.

To restore the Partition Boot Sector in an extended partition by using Physical Drive

1. If you know the address of the Partition Boot Sector that you want to restore (which you would know if the sector number is part of the filename), follow the procedure for restoring the Partition Boot Sector (given earlier in this chapter) for a primary partition, skipping steps 4 and 5. You are done.

   If you do not know the address, you can find it by walking the extended partition. Follow steps 1 through 3 in the procedure for backing up the Partition Boot Sector for an extended partition (given earlier in this chapter). Even though the Partition Boot Sector that you read is the one you want to replace, when you read it, DiskProbe displays its relative sector number. Write down this number.

   You can also calculate the address of the Partition Boot Sector by using a DiskMap output for the disk. The sector number for a Partition Boot Sector is the address of the EBR for the logical drive + the Relative Sector value.

2. In the Handle 0 group box of the Open Physical Drive dialog box, be sure that Read Only is cleared.

3. On the File menu, click Open, and enter the filename of the file that contains the Partition Boot Sector. Open the file. Verify that it looks like a Partition Boot Sector.

4. On the Sectors menu, click Write to display the Write Sector dialog box. In the Starting sector to write data, enter the sector number that you found in step 1. Click the option button for the disk to which you want to write the sector. Click Write it.

5. DiskProbe displays a message box so you can verify the information.

If you formatted an NTFS volume when running Windows NT version 4.0, a backup of the Partition Boot Sector for NTFS volume is located at the end of the volume. Earlier versions of Windows NT put the backup at the center of the volume. If you did not make a backup of the Partition Boot Sector, you can find the backup sector and copy it to the first sector of the volume.

To restore the backup NTFS Partition Boot Sector

1. In the Resource Kit folder, double-click the DiskProbe icon.

2. "Finding a Partition Boot Sector," presented later in this chapter, describes different methods for finding the Partition Boot Sector. When you find a Partition Boot Sector within the boundaries of an NTFS volume, make sure that the data are reasonable for the volume. If you have deleted volumes, or extended an NTFS volume set, there might be old, invalid, Partition Boot Sectors on the disk. Save the backup to a disk.

3. Close any handles that you opened to find the backup.

4. On the Drives menu, click Logical Volume. Click the Close Handle button for any drives or logical volumes that are currently open. In the Logical Volumes list box of the Open Logical Volume dialog box, double-click the logical drive whose Partition Boot Sector you want to restore.

5. In the Handle 0 group box, clear Read Only and click Set Active. Click OK.

6. On the File menu, click Open, and enter the name of the file you copied to disk in step 2. Open the file.

7. On the Sectors menu, click Write to display the Write Sector dialog box. Since you are going to be writing to relative sector 0, make sure that the active handle is a drive letter, not PhysicalDriven. Enter 0 for the Starting sector to write data. Click Write it.

8. DiskProbe displays a message box so you can verify the information.

Finding a Partition Boot Sector

This section discusses some approaches for finding primary partitions and logical drives on your disk in order to repair the Partition Table, which is discussed in "Editing and Repairing the Partition Table," presented later in this chapter.

When you are looking for Partition Boot Sectors in order to repair the Partition Table, you know that some information is wrong or missing. Therefore, you need to verify that the information you use to find a Partition Boot Sector, or a Partition Table in an extended partition, is accurate. For example, if you use the Number of Sectors field for one primary partition to calculate the location of the Partition Boot Sector for the next partition, make sure that there is a valid Partition Boot Sector at that sector.

The easiest way to find the start of a primary partition is to find the Partition Boot Sector for the partition. For an extended partition, subtract the sectors per track from the address of the Partition Boot Sector to find the Partition Table entry for the logical drive.

The Partition Boot Sector for the first partition on your hard disk is always the first sector on head 1 of cylinder 0. Because disks typically have 32 or 63 sectors per track, you can usually find the Partition Boot Sector for the first partition at either relative sector 32 or relative sector 63. You can get the sectors-per-track information by clicking Volume Information on the Drives menu.

If you think that the relative sector field for a primary partition or logical drive is correct, you can read the sector by clicking Go when you are viewing its information to see if the sector looks like a Partition Boot Sector.

There is also a Total Sectors field on the Partition Table view. If you think this field is accurate, you can use this value to calculate the start of the next primary partition or logical drive.

The FAT and NTFS Partition Boot Sectors each have a field that contains the total number of sectors. If you already know or have found the start of a primary partition or logical drive, you can add the number of sectors to the starting sector to find the start of the next partition or logical drive. For an NTFS Partition Boot Sector, on the View menu, click NTFS BootSector. The Total sectors field contains the value you want. For a FAT volume, on the View menu, click FAT Bootsector. If the size of the primary partition or logical drive fits in 16 bits, the Small sectors field contains the size. Otherwise, the size is in the Large sectors field.

You can also use DiskProbe to search for Partition Boot Sectors. As you find each one, write down its location, and use the Partition Table view in DiskProbe to enter the information.

There are three situations in which you can find a Partition Boot Sector that is not at the beginning of a volume. You need to know about these other Partition Boot Sectors so you do not use the information about where these Partition Boot Sectors are located to repair the Partition Table.

• If you formatted an NTFS volume, or converted a volume from FAT to NTFS when running Windows NT version 4.0, the NTFS volume has a backup of its Partition Boot Sector at the end of the volume. Earlier versions of Windows NT put the backup at the middle of the volume when you formatted it, but did not create a backup when you converted the volume.

• When you extend an NTFS volume set, Windows NT version 4.0 puts a new copy of the Partition Boot Sector in the middle of the extended volume set. It does not remove the old copy of the Partition Boot Sector. If you extend a volume set when running Windows NT version 3.51, it does not remove the old copy of the Partition Boot Sector either, nor does it write a new one.

• There can be old, invalid Partition Boot Sectors on the disk if you have deleted volumes.

To search for Partition Boot Sectors

1. In the Resource Kit folder, double-click the DiskProbe icon.

2. On the Drives menu, click Physical Drive. The Available Physical Drives in the Open Physical Drive dialog box are listed as PhysicalDriven, where n=0 for the first hard disk. Double-click the disk that you want to open, click Set Active, and click Close.

3. On the Tools menu, click Search. The information that you search for depends upon whether you want to find a FAT or an NTFS Partition Boot Sector. If you check the Search at offset check box and specify an Offset in hex at which to search for a specific value, the search runs much faster than searching each entire sector. You can search the entire disk if you do not change the default values in the First sector to search and Last sector to search fields.

   This is an example of a search for an NTFS Partition Boot Sector. 

    

   Note The contents of the Partition Boot Sector for an NTFS volume are slightly different, depending on whether you formatted the volume when running Windows NT version 4.0 or earlier versions of Windows NT. If you specify a value in the Offset in hex field, you might need to search at a different offset depending on the data you are searching for, and which version of Windows NT you used to format the volume. For example, the string "discontinguous" starts at location 19A when you use Windows NT version 4.0 to format the volume. But discontinguous is at hex location 195 if you formatted the volume when running Windows NT version 3.5. The string "NTFS" starts at offset 3 regardless of the version of Windows NT that you used to format the volume. If you don't know which version of Windows NT was used to format a volume, search for NTFS. Note that DiskProbe will find matches in sectors that are not Partition Boot Sectors.

4. If DiskProbe finds a match, it displays the address of the sector, as the following shows: 

    

   Be sure to verify that each sector DiskProbe finds is really a Partition Boot Sector. The View menu enables you to look at the data as bytes or formatted as an NTFS or a FAT Partition Boot Sector.

Editing and Repairing the Partition Table

You can use DiskProbe to display and change your Partition Table. Repairing a damaged Partition Table is risky, and should never be attempted by a user not familiar with the procedure. If all of the partitions on the disk are primary partitions, the repair process is much simpler than if you have an extended partition, volume sets, or stripe sets.

If the wrong partition is set as the system partition, or you do not have a system partition on the disk, you can use DiskProbe to set the Boot Indicator field for the correct partition.

Note The system partition is always a primary partition.

To change or set the Boot Indicator field

1. View the Partition Table by using the procedure described in "Displaying and Using the Partition Table," presented earlier in this chapter.

2. Double-click each partition number in the Partition table index list box to determine which one is the system partition, or that none is set as the system partition. The partition that has the Boot Indicator field set to SYSTEM is the system partition.

3. To clear the Boot Indicator field for a partition, double-click its partition number, double-click NOSYSTEM in the Boot Indicator list box.

4. To set the system partition, double-click its partition number, and double-click SYSTEM in the Boot Indicator list box.

5. Make sure that the disk is in read/write mode. On the Drives menu, click Physical Drive to see the Open Physical Drive dialog box. Clear the Read Only check box, if it is checked. Click Close.

6. On the Sectors menu, click Write, and enter 0 in Starting sector to write to. Click Write it.

7. DiskProbe displays a message box so you can verify the information.

When you create a volume set or stripe set, Windows NT sets the FT bit of the System ID byte in the Partition Table. This bit indicates that Windows NT needs to use the Registry subkey HKEY_LOCAL_MACHINE \SYSTEM \DISK to know how to find all of the members of the volume. Because volume sets and stripe sets cannot be accessed without the DISK subkey, they can only be accessed by Windows NT. In a dual-boot configuration, the other operating system cannot use a partition with the FT bit set.

In general, you should use Disk Administrator, and not DiskProbe, to change the value of this field. You might want to set or clear the FT flag to test a recovery procedure, but be sure to have a backup of the Registry and the data on the partition before you do so.

To clear the Fault Tolerant (FT) flag for a primary partition

1. View the Partition Table by using the procedure described in "Displaying and Using the Partition Table," presented earlier in this chapter.

2. Double-click the partition number in the Partition table index list box for which you want to change the value of the FT flag.

3. If you want to remove the FT flag from a FAT partition, you need to figure out whether the partition should be FAT 12 bit, FAT 16 bit, or FAT Large. See the section titled "System ID Field," in Chapter 17, "Disk Management Basics," for information about the types of FAT partitions. Double-click either FAT 12 bit, FAT 16 bit, or FAT Large in the System ID field.

4. If you want to remove the FT flag from a NTFS partition, double-click NTFS in the System ID field.

5. Make sure that the disk is in read/write mode. On the Drives menu, click Physical Drive to see the Open Physical drives dialog box. Clear the Read Only check box, if it is checked. Click Close.

6. On the Sectors menu, click Write, and enter 0 in Starting sector to write to. Click Write it.

7. DiskProbe displays a message box so you can verify the information.

When you have found the Partition Boot Sectors, you can calculate all of the information for the Partition Table entries. If you do not know the values for the number of heads, number of sectors per track, or number of cylinders for the disk, open a handle by clicking either Physical Drive or Logical Volume on the Drives menu, and then click Volume Information on the Drives menu.

If none of the information in your Partition Table is correct, you might be safer to try to do a complete backup of the volumes. It might even be faster to backup and restore the data instead of repairing the Partition Table. You can then recreate the volumes, reformat your hard disk, and restore all of the data.

Note If a primary partition or logical drive extends beyond cylinder 1023, set the Starting and Ending Sector, Head, and Cylinder fields to the maximum values. Maximum values indicate to Windows NT that it needs to use the information in the Partition Boot Sector to know how to access the volume. Remember that your system and boot partitions should not go beyond cylinder 1023 if you have set up your computer to dual-boot MS-DOS or Windows 95.

Repairing the Partition Table

1. For primary partitions, view the Partition Table by using the procedure described in "Displaying and Using the Partition Table," presented earlier in this section. For an extended partition, the section "Walking an Extended Partition," presented earlier in this chapter, describes finding the Partition Table entry for each logical drive.

2. Double-click the partition number for which you want to change information. Enter the new values.

3. Make sure that the disk is in read/write mode. On the Drives menu, click Physical Drive to see the Open Physical Drive dialog box. Clear the Read Only check box, if it is checked. Click Close.

4. On the Sectors menu, click Write, and enter the sector number of the Partition Table that you read in step 1. If you are changing information for primary partitions, the sector number is 0. Click Write it.

5. DiskProbe displays a message box so you can verify the information.

DiskSave — Back Up and Restore Critical Disk Sectors

DiskSave is an MS-DOS-based utility that enables you to save the Master Boot Record (MBR) and Partition Boot Sector (PBS) as binary files. You must start MS-DOS to run this utility. It will not run from the command prompt.

You should save these files to your Windows NT startup floppy disk or your MS-DOS bootable floppy disk. If your computer fails to start because it has a problem using the MBR or PBS, you can restore them and try the startup again.

This tool also enables you to turn off the FT bit in the System ID field of the system partition. This bit should never be set on Windows NT Workstation, because the system partition on Windows NT Workstation cannot be a volume set or stripe set.

The Master Boot Record contains code that the system BIOS on x86-based computers uses to read the Partition Table and find the Partition Boot Sector of the system partition. This sector also contains the partition table. If this sector becomes damaged, the computer cannot find or start the operating system.

The Partition Boot Sector contains code that loads the operating system kernel or a boot loader. A corrupt Partition Boot Sector can also cause startup failures.

Note If either of the sectors that you restore does not match the configuration of your computer, you can make your problems worse. Always be sure to save the Master Boot Record and the Partition Boot Sector whenever you make changes that affect them.

These are the DiskSave functions:

• F2, back up the Master Boot Record. This function saves cylinder 0, head 0, sector 1 of the startup disk to the filename that you enter. You need to save a new copy of this record any time that you create or delete a partition, or change the file system used on a partition.

• F3, restore the Master Boot Record. This function copies the file that you specify to cylinder 0, head 0, sector 1 of the startup disk. Restoring this sector also replaces the Partition Table. There are no checks to determine if the sector is a valid Master Boot Record.

• F4, backup the Partition Boot Sector. This function saves the first sector of the system partition on disk 0 to the filename specified.

• F5, restore the Partition Boot Sector. This function replaces the first sector of the system partition with the contents of the specified file. There are no checks to determine if the sector is a valid Partition Boot Sector.

• F6, turn off the FT bit for the system partition on disk 0. This function does not apply to Windows NT Workstation.

When DiskSave makes calls to the system BIOS, it checks the status of each call. The normal return value is zero. Originally, a nonzero value indicated an error, and the error codes were documented. Currently, there are system BIOSs that return nonzero values, which are not documented. These nonzero values do not seem to be errors. So far, all of these nonzero values that are not errors have occurred when using IDE disks.

If the value is non-zero, DiskSave displays a message at the bottom of the screen. If you see a message about a system BIOS call returning a nonzero value, it would be a good idea to check whether the function worked correctly. One way to check is to start Windows NT, and use the Windows NT–based utility DiskProbe to compare the sector that you tried to save or restore with a copy of the data. For example, if you see a message about a nonzero return code when you select F4 to save the Partition Boot Sector, finish saving the sector to a file. Then, using DiskProbe, read the Partition Boot Sector from disk, and compare the contents to the file that you just saved.

To use DiskSave to back up the Master Boot Record or Partition Boot Sector

1. Press F2 to save the Master Boot Record and F4 to save the Partition Boot Sector. You need to enter the full name for the file, including the path. For example, to save the Master Boot Record to a folder on your C drive, use a name such as C:\Backup\Mbrdisk0.dsk. If you copy it to a floppy disk, the path should be similar to A:\Mbrdisk0.dsk.

   Note DiskSave only saves the Master Boot Record on disk 0 and the Partition Boot Sector for the system partition on disk 0.

To use DiskSave to replace the Master Boot Record or Partition Boot Sector

1. Press F3 to replace the Master Boot Record and F5 to replace the Partition Boot Sector. You need to enter the full name for the file, including the path. For example, if you have saved the Master Boot Record on your Emergency Repair Disk or the Windows NT startup floppy disk, the path might be A:\Mbrdsk0.dsk.

   Note DiskSave only restores the Master Boot Record on disk 0 and the Partition Boot Sector for the system partition on disk 0.

FTEdit — Recovering Volume Sets and Stripe Sets

The FTEdit utility on the Windows NT Workstation Resource Kit CD aids in the recovery of stripe sets, volume sets, stripe sets with parity, and mirror sets. Stripe sets with parity and mirror sets are available for Windows NT Server only, but are discussed here for completeness. For more information about using FTEdit, see Ftedit.hlp on the Windows NT Workstation Resource Kit CD.

Because stripe sets and volume sets are not fault tolerant, if one of the disks in a stripe set or volume set fails, the entire volume is no longer usable. And all the primary partitions or logical drives that are members of the volume are marked as orphans. In Disk Administrator, the members of the volume are displayed as Unknown.

All data about the configuration of volume sets and stripe sets are contained in the Registry subkey HKEY_LOCAL_MACHINE \SYSTEM \DISK. This disk configuration information is stored in binary format, so it is not practical to edit it manually. When the Registry information is corrupt or missing, and no backups are available, you can use FTEdit to build the Registry information and allow the operating system to read the volumes.

For example, if the disk containing the boot partition becomes unusable, or the computer fails, you might want to move the disks containing stripe sets and volume sets to another computer. Alternatively, you might decide to reinstall the operating system on a new disk. In either case, the operating system does not have any information about the volumes.

The operating system has information about which disks are members of volumes, but it cannot distinguish between a stripe set, a stripe set with parity, a volume set, or a mirror set without the Registry information. In this situation, when the volumes are displayed in Disk Administrator, the file system might be displayed as Unknown, and there will be no drive letter assigned to the volumes. This is to prevent writing to the volume, which could corrupt it.

When using FTEdit to rebuild the DISK Registry subkey, you need to know the order in which the unused areas on the disks were combined to create the volume. The following scenario shows why order is important.

A previous user created a volume set by combining unpartitioned areas on three disks in this order:

• 2 MB on disk 2

• 3 MB on disk 0

• 4 MB on disk 1

When someone creates a volume set, the Partition Boot Sector is the first sector on the first area selected. Data are written to the areas in the order in which they are combined. Thus, if someone created a 6 MB file on this volume set, the file would occupy the following areas:

• 2 MB on disk 2

• 3 MB on disk 0

• 1 MB on disk 1

Now you need to use FTEdit to rebuild the volume set. You select the disks in the order disk 0, disk 1, and then disk 2. Windows NT will not be able to find the Partition Boot Sector for the volume set, because the first sector of the volume set that you rebuilt is on disk 0, which contains only data. The Partition Boot Sector is actually on disk 2, but that disk area is at the end of the volume set you created. Your attempt to rebuild the volume set has failed, because you did not know the order in which to combine the disk areas.

The remainder of this section describes using FTEdit to build Registry information for a stripe set that has been moved from another computer. (Disks 1, 2, and 3 are the disks that have been moved.) Each disk is 519 MB and has one primary partition. Both computers are running Windows NT Workstation version 4.0.

To rebuild a stripe set

1. Open Disk Administrator, so that you can update the disk configuration information. Disk Administrator needs to store the disk signature and other basic disk information before the disks can be recognized.

2. Open FTEdit. The following dialog box is displayed. 

   

   Figure 22.4 Using FtEdit to recover a stripe set 

   The Disks group box identifies all of the disks connected to the computer. The Partitions group box contains information about the disk currently selected, or the first disk if none is selected. Disk 0 is two gigabytes, and contains two partitions.

3. On the Edit menu, click Create FT Set. In the FT Set Type dialog box, click the option button for the type of volume you are building. In this example, click Stripe Set.

    

4. In the Disks list box, select the first disk that will be a member of the stripe set. Available partitions are displayed in the Partitions list box on the right.

   Double-click the partition from each disk that will make up the stripe set with parity. The disk and partition information will be displayed in the list box on the lower right. The title of this list box reflects the type of volume being built. For this example, the title is Stripe Set Information. The next screen shot shows the dialog box after double-clicking partition 1 on each of Disk 1, Disk 2, and Disk 3. 

    

5. Click the Save FT Set button. The information is transferred to the FT Set Member Information list box. Check to make sure the information is correct. FTEdit should look like the following illustration: 

    

   The Partitions list box shows the information for Disk 0. The disks that are used in creating the new volume are those listed in the FT Set Member Information list box.

6. On the Edit menu, click Save Changes to System. The following message box is displayed: 

    

7. Exit FTEdit, close any open programs, and restart the system. You need to do this to get the new information loaded into the Registry.

8. Open Disk Administrator.

   Click one of the partitions in the stripe set. If the status bar has a message like Stripe set #N [INITIALIZING], the computer on which you were previously using the stripe set did not finish shutdown. Wait for Disk Administrator to finish the initialization. If the volume was functional before the disks were moved, and the correct information was entered in FTEdit, the data on the volume should be intact.

9. From the Disk Administrator Tools menu, click Drive Letter. In the Assign Drive Letter dialog box, click Assign drive letter, and then choose a drive letter for the new volume. 

   The volume is now accessible from Windows NT Explorer, My Computer, and by the rest of the operating system.

10. After confirming that the volume is correctly configured and is accessible, be sure to add this new configuration information to the records that you keep for this computer.

    You might want to back up the volume at this time.

These same steps can be used to recover volume sets. To successfully use FTEdit to build Registry information, you must know the following information:

• Which disks contain stripe sets and volume sets.

• Which partitions belong to the stripe sets and volume sets.

• The order in which the partitions were combined into the stripe sets or volume sets.

If your configuration involves multiple stripe sets and volume sets on several different disks, you might face a very difficult job remembering which primary partitions and logical drives belong to which volumes. For this reason, it is a good idea to keep the disk configuration simple, and to keep recovery information as up-to-date as possible.

Note FTEdit edits the binary information in the Registry. It cannot recover damaged or corrupt data on the disk.

File System Utilities

The utilities described in this section are available on either the Windows NT Workstation product CD, or the Windows NT Workstation Resource Kit CD. This table shows which ones are on which CD.

Utility	Location
Cacls	product CD
Compact	product CD
Compress	resource kit CD
Convert	product CD
Diruse	resource kit CD
Expand	product CD
Expndw32	resource kit CD

Cacls: Changes ACLs of NTFS Files and Folders

You can use the Cacls utility to display or modify access control lists (ACL) of files or folders. A description of the command options follows the syntax. This is the format of the command:

CACLS <filename|folder> [/t] [/e] [/c] [/g user:perm] [/r user [...]] 
[/p user:perm [...]] [/d user [...]]

Option	Description
filename or folder name	Displays ACLs.
/t	Changes ACLs of specified files in the current folder and all subfolders.
/e	Edit ACL instead of replacing it.
/c	Continue on access denied errors.
/g user:perm	Grant specified user access rights, where perm can be: R Read C Change (write) F Full control
/r user	Revoke specified user's access rights (only valid with /e).
/p user:perm	Replace specified user's access rights, where perm can be: N None R Read C Change (write) F Full control
/d user	Deny access to the specified user.

Wildcards can be used to specify more than one file in a command. You can specify more than one user in a command also.

If you already have permissions set for multiple users on a folder or file and do not use the /e option, all user permissions are removed except for the user and permissions specified on the command line. You should use the following syntax when modifying user permissions to include read, change, and full control respectively:

cacls <filename|folder> /e /r <username>
cacls <filename|folder> /e /g <username>:<permission>
cacls <filename|folder> /e /p <username>:<permission>

The Cacls utility does not provide a /y option that answers automatically with Y for Yes to the ARE YOU SURE? Y/N prompt. However, you can use the echo command to pipe the character Y as input to the prompt when you are running cacls in a batch file. Use the following syntax to automatically answer Y:

echo y| cacls <filename|folder> /g <username>:<permission>

Note Do not enter a space between the y and the pipe symbol (|). If you do, Cacls fails to make the permission change.

Compact: Compresses and Uncompresses NTFS Files and Folders

The Compact utility is the command line version of the compression functionality in My Computer or Windows NT Explorer. The Compact utility displays and alters the compression of folders and files on NTFS volumes. It also displays the compression state of folders. For more information about this utility, type compact /? at the command prompt. The table following describes the options.

The format of the command is:

compact [/c] [/u] [/s[:folder]] [/a] [/i] [/f] [/q] [filename [...]]

Option	Description
none	Displays the compression state of the current folder.
/c	Compresses the specified folder or file.
/u	Uncompresses the specified folder or file.
/s[:folder]	Specifies that the requested action (compress or uncompress) be applied to all subfolders of the specified folder, or to the current folder if none is specified.
/i	Ignores errors.
/f	Forces compression or uncompression of the specified folder or file.
/a	Displays files with the hidden or system attribute.
/q	Reports only the most essential information.
filename	Specifies a pattern, file, or folder. You can use multiple filenames and wild cards.

There are reasons why you would want to use this utility instead of My Computer or Windows NT Explorer:

• You can use Compact in a batch script. Using the /i option enables you to skip files that cannot be opened when you are running in batch mode, such as when a file is already in use by another program.

• If the system crashed when compression or uncompression was occurring, the file or folder is marked as Compressed or Uncompressed, even if the operation did not complete. You can force the operation to complete by using the Compact utility with the /f option (with either the /c or /u).

Note The Compact utility automatically compresses or uncompresses all of the files and subfolders when you change the compression state of a folder. It does not ask whether you want to change the compression state of the files or subfolders in it.

Compress: Compresses Files or Folders

This command line utility can be used to compress one or more files. You cannot open a file that has been compressed by using this utility. You have to expand it by using Expand or Expndw32 first.

To use this utility, type compress with the appropriate options at the command line: compress [-r] [-d] source [destination]

Option	Description
-r	Renames compressed files.
-d	Updates compressed files only if out of date.
source	Specifies the source file. The "*" and "?" wildcards can be used.
destination	Specifies the destination file or path. The destination can be a folder. If source specifies multiple files and the -r option is not specified, then destination must be a folder.

Note You should not use this utility to compress files or folders on NTFS volumes. Instead, compress NTFS files and folders by using the Compact utility or by setting or clearing the Compressed attribute in My Computer or Windows NT Explorer. See Chapter 18, "Choosing a File System," for information about using My Computer or Windows NT Explorer.

Convert: Converts a Volume From FAT to NTFS

You can use the Convert utility to convert a volume from the FAT file system to the NTFS file system. This utility performs the conversion within the existing volume. You do not need to back up and restore the files when you use this utility.

You cannot convert the Windows NT boot partition while you are running Windows NT. Therefore, the Convert utility gives you the choice of converting the partition the next time you start Windows NT. When you convert the partition this way, Windows NT restarts twice to complete the conversion process.

To use this utility, type convert with the appropriate options (explained in the table following the syntax) at the command line: convert drive: /FS:NTFS [/v] 

Option	Description
drive	Logical drive that you want to convert.
/FS	You must specify that you want to convert to the NTFS file system.
/v	Run the utility in verbose mode.

DirUse: Provides Information About Usage of Disk Space

You can use the DirUse utility on the Windows NT Workstation Resource Kit CD to obtain disk space usage per folder. For more information about DirUse, type diruse /? at the command line, or see the Windows NT Resource Kit Tools Help for information about this utility.

This utility is useful to get the actual usage of space for compressed files and folders in NTFS volumes.

The format of the command is: diruse [/s | /v] [/q:#] [/m | /k | /b] [/a] [/l] [/d] [/o] [/c] [/,] [/*] [dirs]

The option of interest for compressed folders and files is /c, which causes the display of compressed file or folder size instead of apparent size. For example, if your D drive is an NTFS volume, type diruse /s /m /c d: at the command prompt to get the disk space actually used (in MB) and number of files in each of the folders. To see compression information for an individual file, you can use My Computer or Windows NT Explorer, select the file, and select Properties from the File menu.

Expand and Expndw32: Expand Compressed Files

You can use two utilities to expand one or more compressed files from your Windows NT CD, or a file that you compressed by using compress.

You can use Expndw32, the Windows NT–based expand utility, in one of these ways:

• If you have installed the Windows NT Workstation Resource Kit, you can double-click the Expand Files icon in the File Tools program group.

• From My Computer or Windows NT Explorer, open the Expndw32.exe file. If you have installed the Windows NT Workstation Resource Kit, this utility is in the folder into which you installed the Windows NT Workstation Resource Kit. On the Windows NT Workstation Resource Kit CD, use the version that corresponds to the hardware platform that you are using.

For help while you are using the utility, choose the Help button or press F1.

The MS-DOS-based expand utility runs from the command line. Type the expand command with the appropriate options, as shown in the table: expand [-r] source [destination]

Option	Description
-r	Renames expanded files.
source	Specifies the source file. The "*" and "?" wildcards can be used.
destination	Specifies the destination file or path. The destination can be a folder. If source specifies multiple files and the -r option is not specified, then destination must be a folder.

Backup Utilities

AT: Enables You to Schedule Windows NT Backup

The Windows NT Backup utility, Ntbackup.exe, does not include functionality for schedule unattended backups. However, by using the Schedule service with the command line capabilities of Ntbackup, you can set up unattended backups.

The following procedure shows how to use the Schedule service and Ntbackup to schedule an unattended backup of the entire C drive of a computer with an installed tape device. With minor modifications, these steps could also allow for scheduling unattended backups from a computer on a network to a computer with an installed tape device or other configurations.

To schedule unattended backup

1. Start the Schedule service on the computer with the tape device already installed. This can be done by using the Services option in Control Panel, clicking Schedule, and clicking Start. Alternatively, you can configure the Schedule service to start every time Windows NT starts by clicking Startup and setting the Startup Type to Automatic.

2. Using any text editor, such as Notepad, create a command file such as Mybackup.cmd to perform the commands to backup the files.

   This example: 

   ntbackup backup c: /D "My Backup Files" /B /L "c:\backup.log"
   

does the following:

  - Backs up all files on the C drive.

  - Replaces any files currently on the tape.

  - Labels the backup set "My Backup Files."

  - Backs up the local registry.

  - Logs all backup information to C:\\Backup.log.

3. Using the AT command, schedule the command file (Mybackup.cmd) to run when desired. The following AT command schedules Mybackup.cmd to execute at 11:00 P.M. every Monday, Wednesday, and Friday: 

   AT 23:00 /every:M,W,F MYBACKUP.CMD
   

When there is no tape in the drive and you use the AT command without the interactive switch to run Windows NT Backup, the backup encounters an error or is unable to accept the command line. As a result, Windows NT Backup stops responding. You cannot run Windows NT Backup again until you restart Windows NT.

Use the /INTERACTIVE switch with the AT command to open the interactive desktop. This way, if any errors occur, you will be able to correct them and continue, or quit Windows NT Backup.

For information about AT options, type AT /? at a command prompt or search the online Command Reference for AT. For additional information on available Ntbackup options, use the Help menu when running Ntbackup.exe.