By Jerry Honeycutt
Published October 2009
By providing tools that
help you quickly troubleshoot and repair Windows®-based desktops, Microsoft® Diagnostics and Recovery Toolset (DaRT) can
reduce the time, cost, and frustration associated with recovering computers
that will not boot. DaRT 6.5 adds support for the Windows 7 and Windows Server®
2008 R2 operating systems. This white paper gives an overview of DaRT:
its benefits, its capabilities, and how to evaluate it.
Contents
Overview
Creating the DaRT Media
Starting the DaRT Media
Exploring the DaRT Tools
ERD Registry Editor
Locksmith
Crash Analyzer
File Restore
Disk Commander
Disk Wipe
Computer Management
Explorer
Solution Wizard
TCP/IP Config
Hotfix Uninstall
SFC Scan
Search
Standalone System Sweeper
Evaluating DaRT
A user frantically calls support and your manager sends you
to fix the problem. At the user’s desk, you log on to the Windows operating
system and use the variety of tools that are available for troubleshooting. You
look in Event Viewer for clues about the problem. You determine that the problem
is a faulty device driver, and so you use the Computer Management console to
disable that driver. Windows includes many such tools to help you diagnose and
fix problems, but what do you do if you cannot boot the computer into Windows?
The Microsoft
Desktop Optimization Pack (MDOP) for Software Assurance can help
organizations reduce the cost of deploying applications, deliver applications
as services, and better manage desktop configurations. Together, the MDOP
applications that are shown in Figure 1 can give Software Assurance customers a
highly cost-effective and flexible solution for managing desktop computers.
Figure 1. Microsoft Desktop Optimization Pack
To help recover Windows-based desktops that will not boot,
MDOP offers the Microsoft Diagnostics and Recovery Toolset (DaRT). DaRT is a powerful
set of tools that extend the Windows Recovery Environment (Windows RE). With
DaRT, you can analyze an issue to determine its source, view the computer’s
event log for more clues, disable a faulty device driver, and remove hotfixes
even when you cannot start the installed Windows operating system. Additionally,
DaRT includes tools that enable you to troubleshoot the installed Windows
operating system when starting Windows would not be prudent. For example, you
can restore deleted files and sweep the computer for malware.
DaRT can help you quickly recover computers running both 32-bit
and 64-bit versions of Windows, in less time and with less frustration than reimaging
the computer. This white paper describes the tools, such as Locksmith and Crash
Analyzer, that are in DaRT. The paper then describes how Software Assurance
customers can begin evaluating DaRT today.
Microsoft does not provide DaRT as a boot image. DaRT is not
an .iso file that you download and burn to a CD. Instead, DaRT is a program
that creates boot media, based on the Windows RE and a set of tools that DaRT
provides. This boot media starts the Windows RE, from which you can start ERD
Commander. ERD Commander provides a launch platform for the DaRT tools.
You use the ERD Commander Boot Media Wizard to create the
ERD Commander boot media. To start the wizard, click Start, All Programs, Microsoft Diagnostics and Recovery Toolset,
ERD Commander Boot Media Wizard. The
ERD Commander Boot Media Wizard will ask for the following:
Figure 2. ERD Commander Boot Media
Wizard
- Definitions
for Standalone System Sweeper
At its completion, the ERD Commander Boot Media Wizard
prompts you for the location and name of the image file to create. By default, the
wizard creates the file ERD65.iso on your desktop. The wizard also prompts you
to burn this image to a CD. You cannot copy this image to a USB flash disk.
ERD Commander in DaRT 6.5 supports Windows 7 and Windows
Server® 2008 R2. Both x86 and
x64 versions of DaRT 6.5 are available. DaRT does not support cross-platform
boot media. Additionally, ERD Commander in DaRT 6.5 has the following minimum
hardware requirements:
- 1 GHz 32-bit (x86) or 64-bit (x64) processor
- BIOS support for starting the computer from a CD
drive
To start DaRT:
- Boot a physical computer by using the ERD
Commander boot media.
- Boot a virtual machine by mounting the ERD
Commander boot image to it.
After starting the computer by using the ERD Commander boot
media, Windows RE asks a few simple questions to initialize the environment.
These include whether to initialize network connectivity in the background by
using DHCP (you can manually configure network connectivity later by using the
TCP/IP Config tool), which drive letters map to the Windows operating system that
you are repairing, and which language and keyboard you want to use. Finally,
you choose the Windows operating system to repair.
After preparing the environment, you see the System Recovery
Options window, shown in Figure 3. Clicking Microsoft Diagnostics and Recovery Toolset opens the ERD Commander,
which provides a launch platform for all of the DaRT tools that you included in
the boot media.
Figure 3. System Recovery Options
Figure 4 shows the ERD Commander. From this window, you can
launch any of the individual tools that you included in the ERD Commander boot
media. You can also use the Solution Wizard to choose the best tool, based on a
brief interview. Click Help to see
detailed instructions for using each tool. The following sections provide an
overview of each tool.
Figure 4. ERD Commander
You can use ERD Registry
Editor, shown in Figure 5, to edit the registry of the Windows operating system
that you are repairing. This includes adding, removing, and editing keys and
values and importing .reg files.
ERD Registry Editor enables
you to make registry edits that could help repair a system that will not boot.
Additionally, you can use ERD Registry Editor to edit values that the installed
Windows operating system locks while it is running.
Figure 5. ERD Registry Editor
Notice in Figure 5 that HKEY_CURRENT_USER is missing,
because no user has logged on to the installed operating system. Instead, ERD
Registry Editor populates HKEY_USERS with all the user hive files found in the
target installation. Additionally, HKEY_LOCAL_MACHINE does not contain a
HARDWARE key, because Windows builds that key in memory from the detected
hardware at each boot rather than storing it on disk.
Warning Serious
problems might occur if you modify the registry incorrectly by using ERD Registry
Editor. These problems might require that you reinstall the operating system.
Microsoft cannot guarantee that these problems can be solved. Modify the
registry at your own risk.
The Locksmith Wizard is a
simple tool that allows you to set the password for any local account on the
Windows operating system that you are repairing, as Figure 6 shows. You do not need
to know the current password. However, the password you set must comply with
any requirements that a local Group Policy object (GPO) defines, including
password length and complexity. Use this tool in the event that the password
for a local account, such as the local Administrator account, is unknown. This
tool cannot set passwords for domain accounts.
Note Because Locksmith resets the password without knowing the old one, the
account loses access to anything that Windows protected with that password,
such as EFS-encrypted files, personal certificates, and stored passwords, unless
those keys were backed up. Also, anyone who can boot the DaRT media can reset a
local password in the same way, so control who holds the media and protect the
disks of at-risk computers with BitLocker.
Figure 6. Locksmith Wizard
By using the Crash Analyzer
Wizard, you can quickly determine the cause of an issue by analyzing the memory
dump file on the Windows operating system that you are repairing. Based on this
information, you can take corrective action. The Crash Analyzer Wizard can
eliminate much of the guesswork involved in diagnosing nonresponsive systems.
For example, if the Crash
Analyzer Wizard reports that a device driver called MyFault.sys is the cause,
as shown in Figure 7, you can disable the device driver by using the Services
and Drivers item in Computer Management (see the section “Computer Management”).
After discovering and disabling the faulting device driver, you can try to start
the repaired Windows operating system.
Figure 7. Crash Analyzer Wizard
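The driver-disable step described above (Crash Analyzer names the driver; ERD Registry Editor or the Services and Drivers item in Computer Management then disables it in the installed system's registry) can also be done by hand against the offline SYSTEM hive. The following PowerShell script is an added example, not code from this white paper or from DaRT. It assumes the installation being repaired is attached as D:, that it runs in an elevated PowerShell session on a technician computer (or in a recovery environment that has PowerShell; reg.exe itself is present in Windows RE), and that the driver's service name is MyFault, the hypothetical driver from Figure 7.

```powershell
# Added example (not code from the white paper or from DaRT): disable a driver
# in the OFFLINE installation's SYSTEM hive, which is what ERD Registry Editor
# or the Services and Drivers item in Computer Management does for you.
# Assumptions: the Windows being repaired is attached as D:, this runs in an
# elevated PowerShell session, and the driver service is named "MyFault"
# (the hypothetical driver from the Crash Analyzer report in Figure 7).
param(
    [string]$OfflineWindows = 'D:\Windows',
    [string]$DriverService  = 'MyFault'
)

$hiveFile = Join-Path $OfflineWindows 'System32\config\SYSTEM'
$mount    = 'HKLM\OfflineSystem'   # temporary mount point for the offline hive

& reg.exe load $mount $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load $hiveFile (wrong drive letter, or hive in use?)" }

try {
    # An offline hive has no CurrentControlSet link. Select\Default holds the
    # number of the ControlSetNNN that the installed OS will use on its next boot.
    $select = Get-ItemProperty -Path 'HKLM:\OfflineSystem\Select'
    $csName = 'ControlSet{0:D3}' -f $select.Default
    $svcKey = "HKLM:\OfflineSystem\$csName\Services\$DriverService"
    if (-not (Test-Path $svcKey)) { throw "No service key '$DriverService' under $csName" }

    $svc = Get-ItemProperty -Path $svcKey
    # Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
    "Before: {0}  Start={1}  ImagePath={2}" -f $DriverService, $svc.Start, $svc.ImagePath

    # Refuse to touch boot-start drivers (Start=0) by default: storage and
    # file-system drivers live there, and disabling a required one guarantees
    # that the system will not boot.
    if ($svc.Start -eq 0) { throw "$DriverService is a boot-start driver; disable it only if you are sure it is not needed to boot" }

    Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord
    "After:  {0}  Start={1}" -f $DriverService, (Get-ItemProperty -Path $svcKey).Start
}
finally {
    # The registry provider keeps handles open; release them or reg unload fails.
    [GC]::Collect()
    & reg.exe unload $mount | Out-Null
}
```

After the change, try to start the repaired system. The driver file itself is still under D:\Windows\System32\drivers, so it can be updated or removed once Windows is running, and setting Start back to its previous value re-enables it.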
The Crash Analyzer Wizard requires the Debugging Tools for
Windows. As described in the section “Creating the DaRT Media,” you can include
the Debugging Tools for Windows in the ERD Commander boot media or you can
install them on each computer that you are repairing. Microsoft recommends that
you include the tools in the ERD Commander boot media. Otherwise, you must
locate the Debugging Tools for Windows each time you use the Crash Analyzer Wizard
to diagnose a computer that is not responding.
In addition to the Debugging Tools for Windows, the Crash
Analyzer Wizard requires symbol files for the operating system that you are
repairing. Symbol files map memory addresses to names, helping to provide
meaningful information for troubleshooting. You can include the symbol files on
your ERD Commander boot media or you can download the symbol files when you use
the Crash Analyzer Wizard to repair a computer (in which case, an Internet
connection is required while troubleshooting).
Even if you plan to reimage the computer, running the Crash
Analyzer Wizard to determine the cause of the issue is a good idea. The image might
have a bad driver that is causing intermittent problems in your environment. Running
the Crash Analyzer Wizard can help you to see these patterns and improve your
image stability.
Note If you
do not have access to symbols or the Debugging Tools for Windows on the
computer that you are repairing, you can copy the memory dump file to
another computer and use the standalone version of the Crash Analyzer Wizard to
diagnose the issue. Because it lets you analyze a memory dump file on a
different computer, this tool is also useful for diagnosing an issue that does
not prevent Windows from starting. To run the standalone version of the Crash
Analyzer Wizard on the computer that contains DaRT, click Start, All Programs,
Microsoft Diagnostics and Recovery Toolset, ERD Commander Boot Media Wizard.
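The standalone analysis described in the note above is, underneath, a run of the Debugging Tools for Windows over the dump with the operating system's symbols. The following PowerShell script is an added example, not code from this white paper or from DaRT; it drives kd.exe directly so that you can see which fields of the analysis Crash Analyzer is summarizing. It assumes the Debugging Tools are installed under $DbgRoot, that the dump was copied to $Dump, and that $SymCache is a local symbol cache filled from Microsoft's public symbol server (so Internet access is needed the first time, just as the paper notes for downloaded symbols).

```powershell
# Added example (not code from the white paper or from DaRT): run the same
# analysis the Crash Analyzer Wizard performs, using the Debugging Tools for
# Windows directly on a memory dump copied from the broken computer.
# Assumptions: the Debugging Tools are installed under $DbgRoot, the dump was
# copied to $Dump, and $SymCache is a local symbol cache that is filled from
# Microsoft's public symbol server (Internet access is needed the first time).
param(
    [string]$Dump     = 'C:\Dumps\MEMORY.DMP',
    [string]$DbgRoot  = 'C:\Program Files\Debugging Tools for Windows (x64)',
    [string]$SymCache = 'C:\Symbols'
)

$kd = Join-Path $DbgRoot 'kd.exe'
if (-not (Test-Path $kd))   { throw "kd.exe not found under $DbgRoot" }
if (-not (Test-Path $Dump)) { throw "dump file $Dump not found" }

# Symbol path: look in the local cache first, then download from the symbol server.
$symPath = "srv*$SymCache*https://msdl.microsoft.com/download/symbols"

# kd.exe: -z opens a crash dump, -y sets the symbol path, -c runs the given
# debugger commands; the trailing "q" quits so the run does not stop at a prompt.
$raw = & $kd -z $Dump -y $symPath -c '!analyze -v; q' 2>&1 | Out-String

# Pull out the fields a technician acts on from the "!analyze -v" output.
$result = @{}
foreach ($field in 'BUGCHECK_STR', 'MODULE_NAME', 'IMAGE_NAME', 'FAILURE_BUCKET_ID') {
    if ($raw -match "(?m)^${field}:\s*(\S.*?)\s*`$") { $result[$field] = $Matches[1] }
}
if ($raw -match '(?m)^Probably caused by\s*:\s*(\S+)') { $result['ProbablyCausedBy'] = $Matches[1] }

if ($result.Count -eq 0) {
    # Usually means the symbols did not load; kd then prints
    # "*** ERROR: Symbol file could not be found" in the raw output.
    Write-Warning 'No analysis fields found in the debugger output; check symbol access.'
    $raw
} else {
    New-Object PSObject -Property $result
}
```

IMAGE_NAME and "Probably caused by" are the values the wizard surfaces as the faulting driver (MyFault.sys in Figure 7); FAILURE_BUCKET_ID is what lets you recognize the same crash recurring across several computers, which is the pattern-spotting the paper recommends even when you plan to reimage.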
In Windows, the Recycle Bin helps prevent users from
deleting files by mistake. However, users sometimes realize that they need a
particular file only after emptying the Recycle Bin. In other cases, files are
too big to fit in the Recycle Bin, or an application deletes the files.
File Restore enables you to attempt to restore all of these deleted
files. Figure 8 shows the File Restore user interface. First, you must find the
file you want to restore; File Restore has filtering capabilities to help
expedite this process. For instance, you can use a file mask to search for specific
file-name patterns. Additionally, you can limit results to a certain path, date
range, or size range. File Restore can even find files in deleted directories. For
each file that File Restore finds, it indicates whether recovery is likely or
unlikely.
Figure 8. File Restore
File Restore is not limited to regular disk volumes. File
Restore can find and restore files on lost volumes or on volumes that are encrypted
by Windows BitLocker™ Drive Encryption. In the first
case, File Restore can scan for and locate lost volumes, which you can then search
for deleted files. In the second case, File Restore gives you the ability to
unlock BitLocker-encrypted volumes by manually providing the recovery password
or loading the recovery key from a file.
By using Disk Commander, you can recover and repair disk
partitions or volumes. As Figure 9 shows, you can choose from the following
recovery processes:
- Restore
the Master Boot Record (MBR).
- Recover
one or more lost volumes.
- Restore
partition tables from Disk Commander backup.
- Save
partition tables to Disk Commander backup.
Figure 9. Disk Commander
Warning Microsoft
recommends that you back up a disk before using Disk Commander to repair it. By
using Disk Commander, you can potentially damage volumes and make them
inaccessible. Additionally, changes to one volume can affect other volumes
because volumes on a disk share a partition table.
Many organizations simply
format computers’ hard disks when they donate, recycle, or discard them.
However, just formatting the hard disk does not destroy sensitive company or
personal data on that disk. As various news accounts have shown, malicious
users can get their hands on computers that companies discard and can recover
sensitive data.
Disk Wipe, shown in Figure
10, can erase all data from a disk or volume. Two algorithms are available: a
single-pass overwrite and a four-pass overwrite, the latter of which meets U.S.
Department of Defense standards. After wiping a disk or volume, you cannot
recover the data, so verify the size and label of a volume before erasing it.
Figure 10. Disk Wipe
The Computer Management console, shown in Figure 11, is
familiar to any information technology (IT) professional. The console is tailored
to diagnose and repair problems that can prevent the Windows operating system
from booting. The items in this console include the following:
Figure 11. Computer Management
Sometimes, before you attempt
to repair or reimage a system, you need to remove business-critical information
that the user stored on a local drive. In DaRT, you can use Explorer to browse the
computer’s file system and network shares. Because you can map drive letters to
network shares, you can easily copy and move files from the system to the
network for safekeeping or from the network to the system to restore them. Figure
12 shows Explorer.
Figure 12. Explorer
With so many tools in DaRT,
figuring out which one to use can often be challenging. The Solution Wizard,
shown in Figure 13, asks you a series of questions and then recommends the best
tool for the job, based on your answers. This wizard helps you determine which
tool to use when you are not familiar with the tools in DaRT. After becoming
familiar with DaRT, you are more likely to start the correct tool for each job,
without the help of the Solution Wizard.
Figure 13. Solution Wizard
When you start the ERD
Commander boot media, it optionally obtains its TCP/IP configuration (IP
address and DNS server) from Dynamic Host Configuration Protocol (DHCP). If
DHCP is unavailable, you can manually configure TCP/IP by using the TCP/IP
Configuration tool, shown in Figure 14. First, you choose a network adapter,
and then you configure the IP address and DNS server for that adapter. Click Advanced to configure advanced TCP/IP
settings.
Figure 14. TCP/IP Configuration
Shown in Figure 15, the
Hotfix Uninstall Wizard can remove hotfixes or service packs from the Windows
operating system that you are repairing. Use this tool when a hotfix or service
pack is potentially preventing the operating system from starting. Microsoft
recommends that you use this tool to uninstall only one hotfix at a time, even
though the tool allows you to uninstall more than one at a time. Be aware that
programs that you have installed or updated after installing the hotfix might
not work correctly after you uninstall the hotfix.
Figure 15. Hotfix Uninstall Wizard
Use the System File Repair
Wizard to repair system files that are preventing the installed Windows
operating system from starting. The System File Repair Wizard can automatically
repair system files that are corrupted or missing. Alternatively, the wizard
can prompt you before performing any repairs.
Figure 16. System File Repair Wizard
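Both the Hotfix Uninstall Wizard and the System File Repair Wizard service the installed Windows while it is offline. The following PowerShell script is an added example, not code from this white paper or from DaRT, showing the command-line form of the same two operations with the servicing tools that ship in Windows 7 and Windows Server 2008 R2 and their recovery environment. It assumes the installation being repaired is attached as D:, and $PackageName is a placeholder for whatever package identity DISM lists for the suspect hotfix.

```powershell
# Added example (not code from the white paper or from DaRT): the command-line
# equivalents of the Hotfix Uninstall Wizard and the System File Repair
# Wizard, run against the OFFLINE installation rather than the running one.
# Assumptions: the Windows being repaired is attached as D:, the commands run
# from a Windows 7 / Windows Server 2008 R2 recovery environment (or a technician
# PC with the disk attached), and $PackageName is a placeholder for the package
# identity that DISM lists for the suspect hotfix.
param(
    [string]$OfflineRoot = 'D:\',
    [string]$PackageName = 'Package_for_KB000000~31bf3856ad364e35~amd64~~6.1.1.0'   # placeholder identity
)
$offWin = Join-Path $OfflineRoot 'Windows'

# 1. Inventory the packages installed in the offline image. Hotfix package
#    identities look like Package_for_KBnnnnnn~<publisher>~<arch>~~<version>.
$packages = & dism.exe "/Image:$OfflineRoot" /Get-Packages /Format:Table
$packages | Select-String -Pattern 'Package_for_KB'

# 2. Remove exactly ONE package, as the white paper recommends: if the system
#    boots afterwards, you know which update was responsible.
& dism.exe "/Image:$OfflineRoot" /Remove-Package "/PackageName:$PackageName"
if ($LASTEXITCODE -ne 0) { throw "DISM could not remove $PackageName (exit code $LASTEXITCODE)" }

# 3. Offline System File Checker. /offbootdir and /offwindir point SFC at the
#    installation on disk instead of at the recovery environment it runs in.
& sfc.exe /scannow "/offbootdir=$OfflineRoot" "/offwindir=$offWin"

# Both tools write to the offline installation's servicing log.
"Review $offWin\Logs\CBS\CBS.log for details of what was removed or repaired."
```

Make one change per boot attempt: remove a package, try to start Windows, and only then run the next removal or the file repair, so that a successful boot can be attributed to a single action.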
Before reimaging a computer,
recovering files from the local hard disk is important—particularly when the
user might not have backed up or stored the files elsewhere. Although the
Explorer tool can be helpful, File Search can help you to find documents when you
do not know the file path or to search for general types of files across all
the local hard disks. File Search, shown in Figure 17, enables you to search
the computer for files. You can search for specific file-name patterns in
specific paths. Additionally, you can limit results to a date range or size
range. In recovery scenarios, when repairing the installed operating system is not
possible, you can use File Search to find users’ documents and copy them from
the computer.
Figure 17. File Search
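The evacuation described in the Explorer and File Search sections (configure networking if DHCP failed, unlock a BitLocker-protected volume as File Restore does, map a share, find the user's documents, copy them off) can be scripted so that it is repeatable across many computers. The following PowerShell script is an added example, not code from this white paper or from DaRT, and it goes slightly beyond the page by chaining the whole procedure. It assumes it runs in the recovery environment (or on a technician PC) with the user's disk attached as $Volume, that the BitLocker recovery key file is on the USB drive $KeyFolder or that a 48-digit recovery password is supplied, and that the share, account and addresses are placeholders.

```powershell
# Added example (not code from the white paper or from DaRT): evacuate a user's
# files before reimaging, doing by script what TCP/IP Config, File Restore's
# BitLocker unlock, Explorer and File Search do interactively.
# Assumptions: runs in the recovery environment (or on a technician PC) with the
# user's disk attached as $Volume; the BitLocker recovery key file is on the USB
# drive $KeyFolder or a 48-digit recovery password is given; the share, account
# and addresses are placeholders; a static address is set only when DHCP failed.
param(
    [string]$Volume           = 'D:',
    [string]$KeyFolder        = 'F:\',                    # folder holding the .bek recovery key file
    [string]$RecoveryPassword = '',                       # 48-digit recovery password, if no .bek file
    [string]$Share            = '\\fileserver\recovery$', # destination; restrict its ACL, the copies are in clear
    [string]$ShareUser        = 'CONTOSO\helpdesk',
    [string]$Adapter          = 'Local Area Connection',
    [string]$StaticIP         = '',                       # leave empty to keep the DHCP address
    [string]$Mask             = '255.255.255.0',
    [string]$Gateway          = '10.0.0.1',
    [string]$Dns              = '10.0.0.10'
)

# 1. Network. DHCP was requested when the media started; only set a static
#    address (what the TCP/IP Config tool does) when one was supplied.
if ($StaticIP) {
    & netsh.exe interface ipv4 set address name="$Adapter" static $StaticIP $Mask $Gateway
    & netsh.exe interface ipv4 set dnsservers name="$Adapter" static $Dns primary
}

# 2. BitLocker. manage-bde is present in Windows RE; unlock with the key file
#    if one is found, otherwise with the recovery password.
$status = & manage-bde.exe -status $Volume | Out-String
if ($status -match 'Lock Status:\s+Locked') {
    $bek = Get-ChildItem -Path $KeyFolder -Filter '*.bek' -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($bek)                  { & manage-bde.exe -unlock $Volume -RecoveryKey $bek.FullName }
    elseif ($RecoveryPassword) { & manage-bde.exe -unlock $Volume -RecoveryPassword $RecoveryPassword }
    else                       { throw "$Volume is locked and no recovery key or password was supplied" }
    if ($LASTEXITCODE -ne 0)   { throw "Could not unlock $Volume" }
}

# 3. Map the share (net use prompts for the password) and copy documents from
#    every real user profile, keeping the relative path so they can be restored.
& net.exe use Z: $Share /user:$ShareUser *
if ($LASTEXITCODE -ne 0) { throw "Could not map $Share" }

$skip  = 'Public', 'Default', 'Default User', 'All Users'
$users = Get-ChildItem -Path "$Volume\Users" | Where-Object { $_.PSIsContainer -and ($skip -notcontains $_.Name) }
foreach ($u in $users) {
    $dest = "Z:\$env:COMPUTERNAME\$($u.Name)"
    # The same kind of filter File Search would use: document types anywhere under the profile.
    Get-ChildItem -Path $u.FullName -Recurse -Include *.doc*, *.xls*, *.ppt*, *.pdf, *.pst -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $rel    = $_.FullName.Substring($u.FullName.Length).TrimStart('\')
            $target = Join-Path $dest $rel
            New-Item -ItemType Directory -Path (Split-Path $target -Parent) -Force | Out-Null
            Copy-Item -Path $_.FullName -Destination $target -Force
        }
}
& net.exe use Z: /delete
```

Once the volume is unlocked, everything copied off it leaves BitLocker's protection, so the destination share needs an access control list at least as strict as the original computer had, and the copies should be deleted after the files are restored to the reimaged system.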
Having a good antivirus and
anti-malware strategy in your organization is crucial. Although real-time
scanner tools such as Microsoft Forefront™ Client Security are vital, today’s ever-changing landscape
requires many different tools to defend your network.
Malware that uses rootkits can
mask itself from the running operating system. If a rootkit-enabled virus or
spyware makes its way to the system, most real-time scanning and removal tools
can no longer see it or remove it. Because DaRT boots from a CD and the installed
operating system is offline, you can attack the rootkit without it hiding from
you.
Figure 18 shows the
Standalone System Sweeper. This tool can help detect malware and unwanted software
and alert you to security risks. When the Standalone System Sweeper detects
malicious or unwanted software, it prompts you to remove, quarantine, or allow each
item. You can use this tool to scan a computer for and remove malware while the
installed Windows operating system is not running. The definitions on the boot
media are the ones supplied when the media was created, so rebuild the media
regularly so that scans use current definitions.
Figure 18. Standalone System Sweeper
DaRT is an add-on license available only to Software
Assurance customers. Begin your evaluation today:
- Download and evaluate DaRT as part of MDOP. MDOP is available to Volume
Licensing customers, Microsoft Development Network (MSDN®) subscribers, and Microsoft TechNet subscribers.
- See MDOP on Microsoft.com. To learn how DaRT and MDOP for
Software Assurance can help you better manage GPOs, see http://go.microsoft.com/fwlink/?LinkId=160297.
- See MDOP on TechNet. For technical information about
DaRT and MDOP for Software Assurance, see http://www.microsoft.com/technet/mdop
on TechNet.