Tools for Troubleshooting

Microsoft Windows XP Professional provides a number of tools that can help you diagnose and resolve hardware and software problems. The subset of tools discussed here is especially useful for troubleshooting many common problems.

For information on how to obtain the Windows XP Professional Resource Kit in its entirety, please see https://www.microsoft.com/mspress/books/6795.asp.


Related Information

  • For more information about troubleshooting concepts and strategies, see Chapter 27, “Understanding Troubleshooting,” in this book.

  • For more information about troubleshooting startup problems, see Chapter 29, “Troubleshooting the Startup Process,” in this book.

  • For more information about enabling, disabling, and managing devices, see Chapter 9, “Managing Devices,” in this book.

  • For more information about troubleshooting disk problems, see Chapter 28, “Troubleshooting Disks and File Systems,” and Chapter 12, “Organizing Disks,” in this book.

Using This Appendix

This appendix describes the troubleshooting and maintenance tools available in Windows XP Professional. To help you locate the tools needed to solve a problem, Table C-1 describes how this appendix presents related tools.

Table C-1 Using This Appendix

| To Find Information About... | See This Section |
|---|---|
| Identifying the types of tools that Windows XP Professional provides, including how to install and run the tools and how to get Help about the tools | Installing and Running Troubleshooting Tools |
| Troubleshooting instability and startup problems, and restoring system and data files | Disaster Recovery Tools |
| Troubleshooting problems related to startup, applications, and services | Application and Service Tools |
| Troubleshooting a computer that is in a remote location | Remote Management Tools |
| Maintaining disks and volumes to prevent problems before they occur | Disk and Maintenance Tools |
| Troubleshooting problems caused by incompatible, missing, or corrupted driver and system files | System File Tools |
| Monitoring and troubleshooting network performance problems | Networking Tools |
| Locating other chapters related to troubleshooting in Microsoft Windows XP Professional Resource Kit, Third Edition | Additional Resources |

Installing and Running Troubleshooting Tools

Tools are small applications that implement a limited set of functions and help you perform management or problem-solving tasks. The subset of tools discussed in this appendix is presented in categories based on tool uses, such as recovery, diagnosis, and system file maintenance. Tools are also described according to where to find them and how to use them. For example, you can download a debugging tool or install Windows Support Tools from the Support folder on the Microsoft Windows XP Professional operating system CD.

Installing Tools

When you use the operating system CD to install Windows XP Professional, Setup installs several tools with the operating system. You can install additional tools from the CD or by downloading them as needed.

Built-In Tools

Setup installs built-in tools as part of the default setup. For each built-in tool, Windows XP Professional Help and Support Center provides an overview, and usage and syntax examples (if applicable).

Support Tools

Windows Support Tools are optional tools that you might find useful for troubleshooting. Setup does not install these tools; instead, use the Support Tools setup program.

To install Support Tools
  1. While Windows XP Professional is running, insert the Windows XP Professional operating system CD into your computer.

  2. Click No if you are prompted to reinstall Microsoft Windows.

  3. When the Welcome screen appears, click Perform Additional Tasks, and then click Browse this CD.

  4. Navigate to the drive:\Support\Tools folder on the Windows XP Professional CD, and double-click Setup.exe.

    The variable drive represents the drive letter assigned to the CD-ROM.

  5. Follow the instructions that appear on the screen.

    If Support Tools Setup detects an older version of Support Tools, you are prompted to uninstall them. It is recommended that you remove all previous versions of Support Tools before proceeding with the installation.

If you do not have a Windows XP Professional operating system CD available, or for network-based installations, you can install Support Tools by running \\server\share\i386\Support\Tools\Setup.exe on the network distribution share. The Support Tools setup program adds Windows Support Tools to the Start menu, allowing you to view Support Tools Help for more information. For more information about Support Tools setup options, including command-line and unattended setup parameters, see the Readme.htm file in the \Support\Tools folder.

Tip An updated set of Support Tools is available for Windows XP Service Pack 2 from the Microsoft Download Center at https://www.microsoft.com/downloads. To obtain these tools, go to the Download Center and search for “Windows XP Service Pack 2 Support Tools for Advanced Users.” For more information on these updated tools, see article 838079, “Windows XP Service Pack 2 Support Tools,” in the Microsoft Knowledge Base at https://support.microsoft.com.

Downloadable Debugging Tools

Microsoft Debugging Tools for Windows enables advanced users to diagnose and troubleshoot complex problems that might not be solved by other means. For example, you can use a kernel debugger to determine the cause of a Stop error, such as a Stop 0x0000000A, IRQL_NOT_LESS_OR_EQUAL. The Windows XP Professional operating system CD does not provide debugging tools; you must download them from Microsoft at https://www.microsoft.com/whdc/devtools/debugging/default.mspx.

Tool Interface Types

Windows XP Professional tools typically implement a command-line interface or a graphical user interface (GUI). The interface type determines how you interact with the tool.

Command-line interface tools

These tools use a character mode user interface and typically accept only keyboard input. Compared to GUI tools, command-line tools typically require less disk space and fewer system resources to run. In many cases, you can use additional features or change the default behavior of a command-line tool by specifying optional parameters when starting the tool. File name extensions of command-line tools include .vbs, .exe, and .com. For inexperienced users, command-line tools might be more difficult to use than GUI tools.

Graphical user interface tools

GUI tools accept mouse input and have graphical controls such as windows, dialog boxes, and menus. Typically, GUI-based tools require more disk space and system resources than command-line tools. Most GUI tools also accept optional parameters that change default behavior. File name extensions of GUI tools include .exe and .msc. For many users, GUI tools are easier to use than command-line tools.

Starting GUI Tools

You can start GUI tools from the Start menu, by using shortcuts provided by the operating system and software installation programs, or, if you want to specify optional parameters, by using either of the following methods:

  • From the Run dialog box.

    In the Run dialog box, start the tool by using the following syntax:

    toolname [/switch1][/switch2]

    The /switch parameters are optional, and the number of available parameters varies by tool. Typing the file name extension is normally optional. For example, to start Task Manager (Taskman.exe), you can type taskman or taskman.exe. The exception is when two tools have file names that differ only by file name extension (for example, mytool.com and mytool.exe).

    – or –

  • From the command prompt.

    At the command prompt, type the file name of the tool and any parameters.

Starting GUI Snap-In Tools

Snap-ins are GUI administrative tools that differ from standard GUI programs in that you can run them individually or group them together to create a custom set of tools. You can modify, create, and save snap-in consoles by using the Microsoft Management Console (MMC), a framework that hosts administrative tools. You then access a snap-in or a snap-in group by using the console, which displays the tools in a console tree, and the administrative properties, services, and events that are acted on by the items in the tree. An example of a predefined Windows XP Professional console is the Computer Management snap-in Compmgmt.msc. You can run a snap-in or snap-in group from the Start menu by using shortcut icons provided by the operating system and software installation programs, or by using any of the following methods:

  • From the Run dialog box.

    In the Run dialog box, start the tool by using the following syntax:

    toolname.msc [/switch1][/switch2]

    The /switch parameters are optional, and the number of available parameters varies by tool. When starting a snap-in from the Run dialog box, you must type the complete file name, including the .msc extension. For example, to start the Services snap-in, you must type: services.msc. Starting a snap-in or snap-in group by using this method automatically invokes MMC, which displays the contents of the console.

    – or –

  • From the command prompt.

    At the command prompt, type the entire file name of the snap-in, including the .msc extension and any optional parameters.

    – or –

  • From MMC.

    In the Run dialog box, type mmc. To add one or more snap-ins, click Add/Remove Snap-in on the File menu. You can run a snap-in by clicking the snap-in name from the MMC interface.

For more information about MMC and snap-ins, see Windows XP Professional Help and Support Center.

Starting Command-Line Tools and Logging Output

You can start a command-line tool from the command prompt by typing the tool file name (the .exe extension is optional), including any optional parameters. Use the following syntax:

toolname [/switch1][/switch2]

The /switch parameters are optional, and the number of available parameters varies by tool. Typing the file name extension is optional. For example, to start IP Configuration (IPConfig.exe), type ipconfig or ipconfig.exe.

The exception is when two tools have file names that differ only by file name extension (for example, Mytool.com and Mytool.exe).

For more information about the command prompt, see Windows XP Professional Help and Support Center.

How to obtain a log of command-line tool output

Although most command-line tools display useful information, many do not provide a way to permanently record data to a log. If you do not record the information displayed, you must rerun the tool. However, redirection, a command-line feature, allows you to direct command-line tool output to disk by using the following command-line syntax:

toolname [/switch1][/switch2][...]> [drive:]\[path]\filename.txt

By using the greater-than (>) sign, called the redirection symbol, you can specify the drive, path, and file name to save output to. The /switch parameters are optional, and the number of available parameters varies by tool. The drive and path parameters are also optional. If you do not specify a drive or path, output is saved to the current drive and path.

Ways to view command-line Help

A common use of redirection is to save or view the help information for a command-line tool. For most command-line tools, you can view a list of parameters by using the forward-slash-question-mark (/?) parameter. A large amount of help text might cause the page to scroll too quickly for you to read. To read Help for command-line tools, you can use the following syntax to pause the display or to save the information to a file.

To view Help information one screen at a time
  • To display information and pause between each screen of output until the user presses a key, use the following syntax:

    toolname /? | More

    For example, to pause help output for the dir command, type dir /? | More.

To save Help information to a file
  • To cause the tool or command to save help information to a file, use the following syntax:

    toolname /? > [drive:][path]filename.txt

    For example, to save help information for the dir directory list command, type:

    dir /? > D:\dir_help.txt

    You can then use a text editor (such as Notepad.exe) to view the help information that you saved to disk.

Help and Support Center

Windows XP Professional Help and Support Center provides a central location to access Help, tool usage and installation information, configuration wizards, search engines, and links to information that covers a wide range of Windows XP Professional topics, including:

  • Hardware devices, such as modems and network adapters

  • Internet and networking

  • Multimedia applications and devices

  • E-mail, printing, and faxing issues

  • Working remotely

  • Remote assistance and troubleshooting

  • System information and diagnostics

  • Troubleshooting tools and diagnostic programs provided by Windows XP Professional

To open Help and Support Center
  1. Click Start, and then click Help and Support.

  2. For more information about tools, under Pick a task, click Use Tools to view your computer information and diagnose problems.

You can also use Windows XP Professional Help and Support Center to submit a form describing your problem to Microsoft. A Microsoft Support Professional then evaluates the information and contacts you by using the chosen contact option. One such option is Remote Assistance, which allows the Microsoft Support Professional to assist you by sharing control of your computer. For more information about Remote Assistance, see “Remote Assistance” later in this appendix.

Disaster Recovery Tools

Software and hardware issues can affect the way that your system functions. Severe problems might prevent you from starting Windows XP Professional normally.

Software problems

Installing incompatible software, incorrectly changing system configuration settings, or installing faulty device drivers can cause system instability or a Stop error.

Hardware problems

Hardware that is defective, malfunctioning, incorrectly installed, or incorrectly configured can also cause instability or a Stop error.

Other problems

Deleted or corrupted system files caused by problems such as user error or virus activity can cause data loss or prevent you from starting the operating system.

Any of the preceding types of problems can prevent you from starting Windows XP Professional in normal mode, causing certain applications or data to become inaccessible. Windows XP Professional provides several tools that enable you to troubleshoot startup and stability problems, and restore system and data files.

Table C-2 lists these tools according to the preferred order of use, from tools that present little or no risk to data, to those that might cause data loss. With the exception of the Automated System Recovery (ASR) restore phase, Last Known Good Configuration, and Recovery Console, the features in the table are available in safe and normal startup modes. If the following tools and features do not resolve the problem, and you upgraded your system from an earlier version of Windows, you might have the option to uninstall Windows XP Professional. For more information, see “Uninstall Windows XP Professional” in this appendix.

Table C-2 Comparison of Windows XP Professional Recovery Tools and Features

| Recovery Feature | Function | Tool Type, Interface |
|---|---|---|
| Last Known Good Configuration | A startup option to use when the system cannot start in normal or safe mode following a driver or application installation that causes a problem. By using the Last Known Good Configuration, you can recover by reversing the most recent driver and registry changes made since you last started Windows XP Professional. | Built-in, startup option |
| Device Driver Roll Back | A Device Manager feature that allows you to replace an individual device driver with the previously installed version if the driver was updated after you installed Windows XP Professional. Device Driver Roll Back is available in normal or safe mode. | Built-in, GUI |
| System Restore | A service that actively monitors your system and records changes to the registry, to system files, and to certain application files. System Restore allows you to undo recent registry and file changes by using information previously saved in restore points. Use to restore the system to a previous state. System Restore is available in normal or safe mode. | Built-in, GUI |
| Add or Remove Programs in Control Panel | A Control Panel feature you can use to uninstall programs. Use to temporarily uninstall software that you suspect is causing a problem. You can uninstall an application in normal or safe mode. | Built-in, GUI |
| Recovery Console | A command-line environment that you can use to perform advanced troubleshooting operations. In addition to Last Known Good Configuration and safe mode, advanced users can use Recovery Console to attempt manual recovery operations. | Built-in, command-line environment |
| Backup | A tool for saving data, such as the system state, before you troubleshoot problems, attempt workarounds, or apply updates. Backup (Ntbackup.exe) enables you to restore system settings and data if your troubleshooting attempts worsen the problem. Use in conjunction with a parallel installation to restore a system that cannot start in normal or safe modes. Backup is available in safe or normal mode. For more information about parallel installations, see Chapter 29, “Troubleshooting the Startup Process.” | Built-in, GUI |
| Automated System Recovery (ASR) | A Backup (Ntbackup.exe) option to use when boot and system files become corrupt, preventing your system from starting in normal or safe modes or from using Recovery Console. This option is more desirable than formatting disks and reinstalling Windows because ASR restores system settings and critical files on the system and boot partitions. The user interface to ASR backup is the ASR Wizard in Backup, which steps you through the process of creating an ASR backup set and an ASR floppy. Windows XP Professional Setup provides the user interface to ASR restore. Because the ASR process formats disks, consider this a last resort when using Last Known Good Configuration, Device Driver Roll Back, System Restore, or Recovery Console does not solve the problem. ASR is available in safe or normal mode. | Built-in, GUI (ASR Backup), and text-mode Setup option (ASR Restore) |

Last Known Good Configuration

The Last Known Good Configuration startup option allows you to recover from a problem by reversing driver and registry changes made since you last started Windows XP Professional. Windows XP Professional does not update Last Known Good Configuration information in the registry until the operating system successfully restarts in normal mode and a user logs on and is authenticated.

Using Last Known Good Configuration restores information for the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Additionally, if you updated any device drivers, choosing Last Known Good Configuration restores the previous drivers.

Using Last Known Good Configuration might enable you to resolve startup or stability problems. For example, if a Stop error occurs immediately after installing a new application or device driver, you can restart the computer and use Last Known Good Configuration to recover from the problem.

When you are troubleshooting, it is recommended that you use Last Known Good Configuration before you try other options, such as safe mode. However, even if you decide to use safe mode first, logging on to the computer in safe mode does not update the Last Known Good Configuration. Therefore, using Last Known Good Configuration remains an option if you cannot resolve your problem by using safe mode.

To use Last Known Good Configuration from the Windows Advanced Options menu
  1. Remove any floppy disks or CDs from your computer and restart your computer.

  2. When prompted, press F8. If Windows XP Professional starts without displaying the Please select the operating system to start menu, restart your computer. Press F8 after the firmware POST process completes, but before Windows XP Professional displays graphical output.

  3. On the Windows Advanced Options Menu, select Last Known Good Configuration.

    For more information about other options available on the Windows Advanced Options Menu, see “Using Safe Mode” later in this appendix.

You can also use Last Known Good Configuration by selecting it from the startup recovery menu. Windows XP Professional detects when the last startup attempt was not successful and displays a message that includes a menu of startup options, as shown in Figure C-1.

Figure C-1 Startup recovery menu

The startup recovery menu is separate from the Windows Advanced Options Menu. A user manually invokes the Windows Advanced Options Menu by pressing F8, while the operating system automatically displays the startup recovery menu after an unsuccessful startup.

To use Last Known Good Configuration from the startup recovery menu after an unsuccessful startup
  1. Restart your computer. The startup recovery menu appears shortly after Windows XP Professional starts.

  2. On the startup recovery menu, select Last Known Good Configuration (your most recent settings that worked).

In some cases, other troubleshooting options might be preferable to choosing Last Known Good Configuration. If you know the specific driver causing the problem, you have the option of using Device Driver Roll Back in safe mode. This might be preferable because Device Driver Roll Back changes are limited to a single device. Also, consider using System Restore because it enables you to revert system registry settings by date. For more information about Device Driver Roll Back and System Restore, see “Device Driver Roll Back” and “System Restore” later in this appendix.

Using Safe Mode

If you are unable to start your system by using Last Known Good Configuration, Windows XP Professional provides safe mode, a startup option that disables startup programs and nonessential services to create an environment useful for troubleshooting and diagnosing problems. In safe mode, Windows XP Professional starts a minimal set of drivers that the operating system needs to function. Support for devices such as audio devices, most USB devices, and IEEE 1394 devices is disabled to reduce the variables that you need to account for when diagnosing the cause of startup problems, Stop messages, or system instability.

Logging on to the computer in safe mode does not update Last Known Good Configuration information. Therefore, if you log on to your computer in safe mode and then decide you want to try Last Known Good Configuration, the option to do so is still available.

Safe Mode Enables Only Essential Drivers and Services

Essential drivers and system services enabled in safe mode include the following:

  • Drivers for serial or PS/2 mouse devices, standard keyboards, hard disks, CD-ROM drives, and standard VGA devices. Your system firmware must support universal serial bus (USB) mouse and USB keyboard devices for you to use these input devices in safe mode.

  • System services for the Event Log, Plug and Play, remote procedure calls (RPCs), and Logical Disk Manager.

The following registry keys list the driver and service groups enabled in safe mode.

Safe mode

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

Safe mode with networking

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
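
Listing these two keys shows exactly which drivers and services safe mode is allowed to load, and a saved copy makes later additions easy to spot. The following is an added example, not part of the Resource Kit text; it assumes Windows PowerShell is installed, an administrator session, and a hypothetical baseline file name, safeboot-baseline.csv.

```powershell
# Added example (not from the Resource Kit). Read-only against the registry.
$safeBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$baseline = '.\safeboot-baseline.csv'    # hypothetical file name

function Get-SafeBootEntry {
    param([Parameter(Mandatory = $true)][string]$Mode)   # Minimal or Network

    $path = Join-Path $safeBoot $Mode
    if (-not (Test-Path $path)) {
        Write-Warning "Key not found: $path"
        return
    }
    # Each subkey names a driver, service, or group. Its default value
    # records which of those it is; an unset value is reported as ''.
    Get-ChildItem $path | ForEach-Object {
        New-Object PSObject -Property @{
            Mode = $Mode
            Name = $_.PSChildName
            Type = [string]$_.GetValue('')
        }
    }
}

$minimal = @(Get-SafeBootEntry -Mode Minimal)
$network = @(Get-SafeBootEntry -Mode Network)
$current = @(($minimal + $network) | Select-Object Mode, Type, Name)

# Full listing for both safe mode variants.
$current | Sort-Object Mode, Name | Format-Table Mode, Type, Name -AutoSize

# Entries that load only when Safe Mode with Networking is selected.
$minimalNames = $minimal | ForEach-Object { $_.Name }
'Enabled only in safe mode with networking:'
$network | Where-Object { $minimalNames -notcontains $_.Name } |
    Sort-Object Name | Format-Table Type, Name -AutoSize

if (Test-Path $baseline) {
    # '=>' marks entries added since the baseline, '<=' entries removed.
    Compare-Object (Import-Csv $baseline) $current -Property Mode, Name, Type
} else {
    $current | Export-Csv -NoTypeInformation -Path $baseline
    "Baseline written to $baseline"
}
```

Run it once on a known-good system to create the baseline, then again after installing drivers or software to see whether anything registered itself for safe mode.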

Enabling only components needed for basic functionality allows the operating system to start in the following situations.

The computer consistently stops responding

You can restart the operating system in safe mode and use the tools described in this appendix to diagnose and resolve problems.

The computer starts with a blank or distorted video display

You can start your computer in safe mode and then use Control Panel to select video adapter settings that are compatible with your monitor. New settings take effect when you restart the computer.

The computer does not start normally after you install new hardware or software

If recently installed hardware or software prevents you from starting Windows XP Professional in normal mode, you can use safe mode to uninstall software, or to remove or roll back device drivers.

If you can start the computer in safe mode but not in normal mode, the problem is caused by a driver or service that runs in normal mode.

Safe Mode Bypasses Startup Programs

Bypassing startup programs reduces system complexity and enables you to see whether a startup program is the source of the problem. Safe mode bypasses startup programs in the following locations or of the following types.

Current User, All Users, and Administrator profiles

In safe mode, the operating system does not run startup programs called by shortcuts stored in the Start Menu\Programs\Startup folder in the following directories:

  • USERPROFILE

  • ALLUSERSPROFILE

  • SystemDrive\Documents and Settings\Administrator

Run and RunOnce registry subkeys

In safe mode, Windows XP Professional does not run startup programs specified in registry Run and RunOnce subkeys. For more information about startup programs specified in the registry, see Chapter 29, “Troubleshooting the Startup Process,” in this book.

Advertised applications and network logon scripts

In safe mode, the operating system does not run network-based startup programs. To enable network logon scripts in safe mode, select Safe Mode with Networking on the Windows Advanced Options Menu.

For more information about startup programs, startup program registry subkeys, and disabling startup programs for diagnostic purposes, see Chapter 29, “Troubleshooting the Startup Process,” in this book.
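
To see what safe mode is skipping on a particular computer, the locations described above can be listed in one pass. This is an added example, not part of the Resource Kit text; it assumes Windows PowerShell is installed, and the registry paths are the standard Run and RunOnce locations under CurrentVersion, which this page does not spell out.

```powershell
# Added example (not from the Resource Kit). Read-only inventory.
# Assumption: standard Run/RunOnce key locations for machine and user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# The three profile locations named above, with the Startup folder appended.
$startupDirs = @(
    "$env:USERPROFILE\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:SystemDrive\Documents and Settings\Administrator\Start Menu\Programs\Startup"
)

function Get-StartupItem {
    $shell = New-Object -ComObject WScript.Shell

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $regKey = Get-Item $key
        foreach ($name in $regKey.GetValueNames()) {
            New-Object PSObject -Property @{
                Source  = $key
                Name    = $name
                Command = [string]$regKey.GetValue($name)
            }
        }
    }

    foreach ($dir in ($startupDirs | Select-Object -Unique)) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -Force |
            Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                # Resolve shortcuts so the report shows the real program.
                $target = $_.FullName
                if ($_.Extension -eq '.lnk') {
                    $target = $shell.CreateShortcut($_.FullName).TargetPath
                }
                New-Object PSObject -Property @{
                    Source  = $dir
                    Name    = $_.Name
                    Command = $target
                }
            }
    }
}

Get-StartupItem | Sort-Object Source, Name |
    Format-Table Source, Name, Command -AutoSize -Wrap
```

If a problem disappears in safe mode, the entries in this list are the startup programs to rule out first.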

Note Your computer might take longer to start and shut down when it is running in safe mode because Windows XP Professional disables disk caching in safe mode.

To start your computer in safe mode

  1. Remove all floppy disks and CDs from your computer, and then restart your computer.

  2. When prompted, press F8. If Windows XP Professional starts without displaying the Please select the operating system to start menu, restart your computer. Press F8 after the firmware POST process completes, but before Windows XP Professional displays graphical output.

  3. From the Windows Advanced Options Menu, select a safe mode option listed in Table C-3. Table C-3 also lists other options available on the Windows Advanced Options Menu.

    Table C-3 Options on the Windows Advanced Options Menu

    | Startup Option | Description |
    |---|---|
    | Safe Mode | Loads the minimum set of device drivers and system services required to start Windows XP Professional. User specific startup programs do not run. |
    | Safe Mode with Networking | Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run. |
    | Safe Mode with Command Prompt | Starts the computer in safe mode, but displays the command prompt rather than the Windows GUI interface. |
    | Enable Boot Logging | Creates a log file (Ntbtlog.txt) in the systemroot folder, which contains the file names and status of all drivers loaded into memory. Systemroot is an environment variable that can vary from one system running Windows XP Professional to another. For more information about environment variables, see Chapter 29, “Troubleshooting the Startup Process,” in this book. |
    | Enable VGA Mode | Starts the computer in standard VGA mode by using the current video driver. This option helps you recover from distorted video displays caused by using incorrect settings for the display adapter or monitor. |
    | Last Known Good Configuration | Restores the registry and driver configuration in use the last time the computer started successfully. |
    | Debugging Mode | Starts Windows XP Professional in kernel debugging mode, which allows you to use a kernel debugger for troubleshooting and system analysis. |
    | Start Windows Normally | Starts Windows XP Professional in normal mode. |
    | Reboot | Restarts the computer. |

You can also select a safe mode option to use from the startup recovery menu that appears when Windows XP Professional detects that the most recent startup attempt was unsuccessful. For more information about the startup recovery menu, see “Last Known Good Configuration” earlier in this appendix.

For more information about safe mode, see Windows XP Professional Help and Support Center.
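
The boot log written by the Enable Boot Logging option can be summarized with a short script. This is an added example, not part of the Resource Kit text; it assumes Windows PowerShell is installed, that driver lines begin with "Loaded driver" or "Did not load driver", and that any other non-blank line is the header of a new boot session. The sample lines are constructed and are used only when no log file is found.

```powershell
# Added example (not from the Resource Kit).
function ConvertFrom-BootLog {
    param([string[]]$Line)

    $session = 0
    $header  = ''
    foreach ($text in $Line) {
        if ($text -match '^\s*(Loaded|Did not load) driver\s+(.+?)\s*$') {
            New-Object PSObject -Property @{
                Session = $session
                Header  = $header
                Loaded  = ($Matches[1] -eq 'Loaded')
                Driver  = $Matches[2]
            }
        }
        elseif ($text.Trim().Length -gt 0) {
            # Assumption: a non-driver line is the header of a new boot,
            # because each logged startup is appended to the same file.
            $session++
            $header = $text.Trim()
        }
    }
}

# Constructed sample: one normal startup followed by one safe mode startup.
$sample = @(
    'Service Pack 2 1 15 2005 09:12:44.375',
    'Loaded driver \WINDOWS\system32\ntoskrnl.exe',
    'Loaded driver \WINDOWS\system32\hal.dll',
    'Loaded driver \SystemRoot\System32\Drivers\example.sys',
    '',
    'Service Pack 2 1 15 2005 09:31:02.125',
    'Loaded driver \WINDOWS\system32\ntoskrnl.exe',
    'Loaded driver \WINDOWS\system32\hal.dll',
    'Did not load driver \SystemRoot\System32\Drivers\example.sys',
    'Did not load driver \SystemRoot\System32\Drivers\example.sys'
)

$log = "$env:SystemRoot\Ntbtlog.txt"
if (Test-Path $log) { $lines = Get-Content $log } else { $lines = $sample }

$entries = @(ConvertFrom-BootLog -Line $lines)
$last    = ($entries | Measure-Object Session -Maximum).Maximum

# Drivers skipped during the most recent logged startup. A driver can be
# listed more than once, so group by name and show the count.
$entries |
    Where-Object { $_.Session -eq $last -and -not $_.Loaded } |
    Group-Object Driver |
    Sort-Object Name |
    Format-Table Count, Name -AutoSize
```

Comparing the skipped drivers from a safe mode startup with the loaded drivers from a failed normal startup narrows the search to the drivers that differ between the two.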

Device Driver Roll Back

Updating one or more device drivers might cause problems, such as resource conflicts that prevent devices from functioning, Stop errors, and startup problems. To prevent problems after upgrading a device driver, avoid using beta or unsigned drivers, because these drivers might not be fully tested for Windows XP Professional compatibility.

If a problem does occur immediately after you update a driver, you can revert to the previous version by using a Device Manager feature called Device Driver Roll Back. If the problem prevents you from starting Windows XP Professional in normal mode, you can roll back device drivers in safe mode. You must be logged on as an administrator or a member of the Administrators group to roll back a driver.

To roll back a driver
  1. In the Run dialog box, type devmgmt.msc.

  2. Expand a category, such as Standard floppy disk controller, and then double-click a device name.

  3. On the Driver tab, click Roll Back Driver.

  4. At the prompt, click Yes to confirm that you want to roll back to the previous driver.

    The driver roll back process checks for a previous driver, and if one is not found, the following message appears:

    No driver files have been backed up for this device. If you are having problems with this device you should view the Troubleshooter information. Would you like to launch the Troubleshooter?

If rolling back drivers does not resolve the problem, you have the option of using the Last Known Good Configuration or System Restore. For more information about System Restore and Last Known Good Configuration, see “Last Known Good Configuration” and “System Restore” in this appendix.

Driver roll back limitations

When using Device Driver Roll Back, be aware of the following limitations:

  • You cannot roll back beyond one driver version. For example, you cannot revert to the second-to-the-last version of a driver.

  • You cannot roll back printer drivers.

  • You cannot roll back drivers for all functions of a multifunction device simultaneously. You must roll back each driver separately. For example, if you have a multifunction device that provides audio and modem functionality, you must roll back the modem driver and the audio driver separately.

  • You cannot uninstall a driver by using Device Driver Roll Back. (You must use the Uninstall feature in Device Manager to do this.)

For more information about Device Manager and rolling back drivers, see Windows XP Professional Help and Support Center or Chapter 9, “Managing Devices,” in this book.

System Restore

Using System Restore, you can restore to a state prior to the occurrence of a problem. System Restore monitors changes to certain system and application files. System Restore functions like an “undo” feature for Windows XP Professional configuration changes, allowing you to recover from problems caused by such things as incorrect system settings, faulty drivers, incompatible applications and so on, without risk to personal files, such as documents or e-mail.

System Restore enables you to restore your system by automatically creating restore points based on a preset schedule or in response to system events (such as installing a new application or driver). You can also manually create restore points as needed. You must be logged on as an administrator or a member of the Administrators group to use System Restore.

System Restore consists of two parts, file monitoring and restore point management.

File Monitoring

System Restore monitors file operations for a core set of system and application files specified in systemroot\System32\Restore\Filelist.xml. System Restore records changes to the original file and sometimes copies it to a hidden archive before Windows XP Professional overwrites, deletes, or changes the monitored file. System Restore does not monitor the following files and folders:

  • The virtual memory paging file

  • Personal user data, such as files in My Documents, Favorites, Recycle Bin, Temporary Internet Files, History, and Temp folders

  • Image and graphics files, such as those with .bmp, .jpg, and .eps extensions

  • Application data files with extensions not listed in systemroot\System32\Restore\Filelist.xml, such as .doc, .xls, .mdb, and .pst

Restore Points and Restore Point Management

Restore points contain the following two types of information:

  • A snapshot of the registry

  • Certain dynamic system files

System Restore creates restore points according to the following system events, user actions, or time intervals.

Installing an unsigned device driver

Installing an unsigned driver causes System Restore to create a restore point.

Installing System Restore–compliant applications

Installing an application that uses Windows Installer, or Install Shield Pro version 7.0 or later, causes System Restore to create a restore point.

Installing an update by using Automatic Updates

Installing an update by using Automatic Updates or installing an update directly by using Windows Update causes System Restore to create a restore point. For more information about the Automatic Updates feature in Windows XP Professional, see “Windows Update” later in this appendix.

Performing a System Restore operation

System Restore creates a new restore point when you revert your system to a previous state by using a restore point. System Restore implements this safeguard in the event that you use the wrong restore point. You can undo the last restore, rerun System Restore, and select another restore point.

Restoring data from backup media

When you use the Backup tool to restore files, System Restore creates a restore point to use before restoring from backup media. If problems occur with the Backup application and your system is left in an undetermined state, you can restore your system. System Restore does not revert personal data files copied to the computer by using the Backup tool.

Creating a restore point manually

Creating a restore point manually is an action that you initiate by using the System Restore Wizard. For example, before you add new hardware or software, manually create a restore point to record the current system state. If a problem occurs after installation, you can undo the changes.

Creating daily restore points

System Restore creates a restore point every 24 hours if the computer is turned on, or if it has been 24 hours since the last restore point was created. Scheduled restore-point creation occurs when the computer is idle—that is, when there is no mouse, keyboard, or disk activity.

Creating restore points at preset intervals

Restore-point creation at specified intervals is disabled by default but can be enabled by using the registry editor, Regedit.exe. See Table C-4 later in this appendix for a description of the System Restore registry entries RPSessionInterval and RPGlobalInterval.

For systems using the NTFS file system, System Restore compresses archive information during idle time when there is no mouse, keyboard, or disk activity.

Archiving and Purging of Restore Points

System Restore archives expand to include multiple restore points, each representing unique system states. System state refers to the components that define the current state of the operating system and includes the following:

  • User account information stored in the registry

  • Application, hardware, and software settings stored in the registry

  • Files that Windows XP Professional requires for startup, including those in the systemroot directory and boot files on the system partition, such as Ntldr

Archived restore point information is saved to a hidden systemdrive folder or an archive on the volume where a monitored file is located. The archive collects multiple restore points, each representing individual system states. The files, registry snapshots, and logs associated with older restore points are purged on a first in, first out (FIFO) basis, optimizing System Restore disk space and making room for new restore points. System Restore uses the following algorithms and conditions to determine whether it is time to purge restore point data.

When System Restore consumes at least 90 percent of allotted space

System Restore purges restore points to reduce the amount of allotted space used from 90 percent to 75 percent. System Restore is limited to 12 percent of available disk space, which is not pre-allocated. Windows XP Professional and applications can use the free portion of this space.

When you reduce the amount of disk space allotted to System Restore

By using Control Panel or Disk Cleanup to reduce the amount of System Restore space, you can cause System Restore to purge all but the most recent restore points. For more information about Disk Cleanup, see “Disk Cleanup” in this appendix.

When you disable System Restore

Disabling System Restore deletes all restore points.

When a specified period of time has elapsed

You can configure System Restore to purge restore points by elapsed time. For example, you can specify deletion of restore points older than two months. See Table C-4 for a description of the System Restore registry entry RPLifeInterval. By default, System Restore purges restore points older than 90 days.
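The purge rules above can be modelled to estimate how far back the restore history on a volume actually reaches. This is an added example, not Microsoft code: the 90 and 75 percent thresholds and the 90-day default come from the text, while the restore-point names and sizes are constructed and applying the age rule before the space rule is an assumption.

```python
from dataclasses import dataclass

DAY = 86_400                     # seconds in a day
RP_LIFE_INTERVAL = 7_776_000     # default RPLifeInterval from the text (90 days)
TRIGGER_PCT = 90                 # purging starts at 90 percent of allotted space
TARGET_PCT = 75                  # and stops once usage is down to 75 percent


@dataclass(frozen=True)
class RestorePoint:
    name: str        # hypothetical label
    created: int     # seconds on an arbitrary clock
    size_mb: int     # archive space held by this restore point


def purge(points, allotted_mb, now, life=RP_LIFE_INTERVAL):
    """Return (kept, purged) after the age rule and the FIFO space rule."""
    ordered = sorted(points, key=lambda p: p.created)          # oldest first
    purged = [p for p in ordered if now - p.created > life]    # too old
    kept = [p for p in ordered if now - p.created <= life]
    used = sum(p.size_mb for p in kept)
    # The space rule only fires at the 90 percent trigger; once it fires,
    # the oldest points go first until usage is at or below 75 percent.
    if used * 100 >= TRIGGER_PCT * allotted_mb:
        while kept and used * 100 > TARGET_PCT * allotted_mb:
            oldest = kept.pop(0)
            used -= oldest.size_mb
            purged.append(oldest)
    return kept, purged


def history_days(kept, now):
    """Whole days between now and the oldest surviving restore point."""
    if not kept:
        return 0
    return (now - min(p.created for p in kept)) // DAY


# Constructed sample: a volume with 1000 MB allotted, observed on day 100.
NOW = 100 * DAY
SAMPLE_POINTS = [
    RestorePoint("rp-a", 5 * DAY, 100),    # 95 days old: past RPLifeInterval
    RestorePoint("rp-b", 40 * DAY, 300),
    RestorePoint("rp-c", 70 * DAY, 250),
    RestorePoint("rp-d", 90 * DAY, 200),
    RestorePoint("rp-e", 99 * DAY, 180),   # pushes usage to 930 MB (93 percent)
]

if __name__ == "__main__":
    kept, purged = purge(SAMPLE_POINTS, allotted_mb=1000, now=NOW)
    print("kept:  ", [p.name for p in kept])
    print("purged:", [p.name for p in purged])
    print("history reaches back", history_days(kept, NOW), "days")
```

In the sample, one large recent restore point is enough to cut the usable history from 60 days to 30, which matters when the last known-good state is older than that.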

Using System Restore

Before changing system settings during troubleshooting, create a restore point. If a problem occurs, you can undo the negative effects of diagnostic and troubleshooting changes by reverting to a previous state. The following items illustrate situations where System Restore can help you recover from problems that might occur.

Uninstalling incompatible software does not resolve the problem

If the problem persists after uninstalling an application, you can use System Restore to return the system to a state before you installed the new software.

Updating a device driver causes system instability

During the week, you decide to update drivers for five devices. At the end of the week, you find that your system is unstable. If you are not sure which driver is causing conflicts, you can revert your system configuration by using a restore point created the previous week.

Downloading content causes a problem

You visit a Web site and download a program or control that causes problems. By using System Restore, you can undo the negative effects of downloaded software.

Identifying a problem is not possible

If you are unable to diagnose a problem but know approximately when the problem started, you can use System Restore to restore your system to a state when it was performing normally.

Undoing a System Restore operation that does not solve the problem

You can undo the effects of the last restore point used by selecting Undo my last restore at the System Restore screen that appears after a restore operation. You can optionally rerun System Restore and select another restore point.

To restore the system by using a restore point
  1. Click Help and Support Center, and under Pick a task, click Undo changes to your computer with System Restore.

  2. On the Welcome to System Restore screen, click Restore my computer to an earlier time, and then click Next.

  3. Select a restore point on the Select a Restore Point screen, and then click Next.

  4. At the Confirm Restore Point screen, click Next.

When you choose a specific restore point, System Restore examines the System Restore change logs. These logs contain information that enables System Restore to create a restore map, which outlines how to revert the system to the selected system state. System Restore processes the restore map, reverses file and registry changes (by using information stored in the restore point), and then restarts the computer. If you are not satisfied with the results, you can rerun System Restore and select another restore point, or you can select the Undo my last restoration option available on the Welcome to System Restore screen.

Note If you know the specific driver causing the problem, rolling back drivers might be a preferred troubleshooting option because it limits changes to reverting a driver for one device. For more information about rolling back drivers, see “Device Driver Roll Back” earlier in this appendix.

To create a restore point manually
  1. Start System Restore.

  2. Click Create a restore point, and then click Next.

  3. At the Create a Restore Point screen, type a description for the restore point in the Restore point description line.

  4. Click the Create button.

Using Control Panel to Configure System Restore

You can use the Control Panel to configure and manage your system restore settings.

To configure System Restore settings by using Control Panel
  1. In Control Panel, open System.

  2. In the System Properties dialog box, click the System Restore tab.

  3. System Restore is enabled by default. If you have disabled System Restore, you can enable it by clearing the Turn off System Restore check box.

    You can also specify the amount of hard disk space that System Restore uses for data archives by adjusting the Disk space to use slider for each volume.

Be aware of the following before using System Restore:

  • System Restore requires a minimum of 200 MB of disk space when you install Windows XP Professional. If your computer does not have enough disk space available after you install Windows XP Professional, you must first free sufficient disk space and then enable System Restore by using the preceding steps.

  • System Restore can consume up to 12 percent of available disk space for systems with hard drives over 4 gigabytes (GB), and up to 400 megabytes (MB) for hard drives under 4 GB. If you require more disk space for applications and data, you can reduce the amount of space dedicated to System Restore archives.

  • By default, System Restore monitors all volumes, but you can exclude hard disks (with the exception of the system hard disk) from monitoring. If you exclude a volume, System Restore clears all restore points on the volume. System Restore does not revert changes on excluded volumes. For more information about excluding volumes from System Restore monitoring, see Windows XP Professional Help and Support Center.

  • After System Restore is enabled, System Restore can function below the 200-MB disk free space installation requirement. System Restore can continue to monitor and copy files on a volume until the amount of free disk space falls to approximately 50 MB.

Using the Group Policy Snap-In to Configure System Restore

You can use the Group Policy snap-in, Gpedit.msc, to modify System Restore Group Policy settings. The following two policy settings, which are found in Computer Configuration\Administrative Templates\System\System Restore, affect how System Restore functions.

Turn off System Restore

Enabling this setting disables System Restore. In addition, a user is unable to access the System Restore Wizard and cannot configure System Restore by using the System Restore tab in the System Properties dialog box in Control Panel.

Disabling this setting enables System Restore and blocks a user from disabling System Restore by selecting the Turn off System Restore check box on the System Restore tab in the System Properties dialog box in Control Panel. A user might still be able to configure System Restore settings, depending on the value of the Turn off Configuration Group Policy setting.

Turn off Configuration

Enabling this setting removes the System Restore configuration tab in the System Properties dialog box in Control Panel.

If this setting is not configured, the System Restore configuration tab remains, and the user retains the ability to configure System Restore.

To configure System Restore settings by using the Group Policy snap-in

  1. In the Run dialog box, type gpedit.msc.

  2. In the console tree, expand Local Computer Policy, and then expand Computer Configuration, Administrative Templates, and then System.

  3. Click System Restore, and then double-click Turn off System Restore or Turn off Configuration.

  4. On the Setting tab, click Not Configured, Enabled, or Disabled, and then click OK.

For more information about Group Policy, see Chapter 17, “Managing Authorization and Access Control,” Chapter 1, “Planning Deployments,” and Chapter 5, “Managing Desktops,” in this book. Also, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit and the Change and Configuration Management Deployment Guide link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Tip You can also open System Properties from the Start menu by clicking Run and typing sysdm.cpl in the Run dialog box. Many such Control Panel tools are stored in the systemroot\System32 folder and use a .cpl extension. You can start frequently used Control Panel tools from the Run dialog box or by creating shortcuts.

Tip Other frequently used tools include Appwiz.cpl (Add or Remove Programs), Hdwwiz.cpl (Add Hardware Wizard), Mmsys.cpl (Sounds and Audio Devices Properties), Nusrmgr.cpl (User Accounts), and Powercfg.cpl (Power Options Properties).

Using the Registry Editor to Configure System Restore

You can use the registry editor, Regedit.exe, to change entries in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore subkey that are not configurable by using Control Panel. Table C-4 lists some of these settings.

Table C-4 Selected System Restore Registry Settings

| Registry Value | Description |
|---|---|
| RPSessionInterval | Specifies the intervals, in seconds, between scheduled restore-point creation during an active user session. The default value is 0 seconds (disabled). |
| RPGlobalInterval | Specifies the time interval, in seconds, at which scheduled restore points are created (regardless of whether or not there is an active user session). The default value is 86,400 seconds (24 hours). |
| RPLifeInterval | Specifies the time interval, in seconds, for which restore points are kept. System Restore deletes restore points older than the specified value. The default value is 7,776,000 seconds (90 days). |
| DiskPercent | Specifies the maximum amount of disk space on each drive that System Restore can use. This value is specified as a percentage of the total drive space. The default value is 12 percent. |

Caution Do not edit the registry unless you have no alternative. The Registry Editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first.
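A read-only way to check these values is to export the SystemRestore subkey to text and compare it with the defaults in Table C-4. The following is an added example, not part of the Resource Kit: the export text is constructed, its layout (value name, type, hexadecimal data) is assumed to match what reg query prints, and the function names are hypothetical.

```python
import re

# Defaults as listed in Table C-4 (seconds, seconds, seconds, percent).
DEFAULTS = {
    "RPSessionInterval": 0,
    "RPGlobalInterval": 86_400,
    "RPLifeInterval": 7_776_000,
    "DiskPercent": 12,
}

# Constructed sample export; not taken from a real system.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
    DiskPercent    REG_DWORD    0x1
    RPGlobalInterval    REG_DWORD    0x15180
    RPLifeInterval    REG_DWORD    0x93a80
"""

# One value per line: leading whitespace, name, REG_DWORD, hexadecimal data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")


def parse_export(text):
    """Return {value name: integer} for every REG_DWORD line in the export."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = int(match.group(2), 16)
    return values


def audit(values):
    """List (name, found, default) for each Table C-4 value that differs.

    found is None when the value is absent from the export, which is reported
    rather than assumed to equal the default.
    """
    findings = []
    for name, default in DEFAULTS.items():
        found = values.get(name)
        if found != default:
            findings.append((name, found, default))
    return findings


def describe(name, value):
    """Render a value in the unit Table C-4 uses for it."""
    if value is None:
        return "not present"
    if name == "DiskPercent":
        return f"{value} percent"
    return f"{value} seconds ({value / 86_400:g} days)"


if __name__ == "__main__":
    for name, found, default in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{name}: {describe(name, found)}, "
              f"default {describe(name, default)}")
```

In the sample, retention has been cut from 90 days to 7 and the space cap from 12 percent to 1 percent, both of which shrink the window in which a restore point is still available.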

Using Custom Scripts to Configure System Restore

By using custom scripts that use Windows Management Instrumentation (WMI), you can change System Restore parameters by declaring the WMI class RegSR and changing specific object properties. By using WMI classes that are documented in the Software Development Kit (SDK), you can create custom scripts to perform the following tasks:

  • Create restore points

  • Enumerate restore points

  • Restore the system

  • Enable System Restore

  • Disable System Restore

  • Retrieve status about the last System Restore operation

For more information about WMI, see the MSDN Library link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources, and in the table of contents expand Win32 and COM Development, expand Administration and Management, and finally expand Windows Management Instrumentation (WMI). For more information about System Restore scripting, see the Software Development Kit (SDK) information in the MSDN Library link and the Windows Script Technologies link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

How System Restore Works with Other Windows XP Professional Features

Windows XP Professional features, options, and troubleshooting tools can affect the behavior of System Restore. Table C-5 describes how System Restore works with these features.

Table C-5 How System Restore Works with Windows XP Tools and Features

| Tool or Feature | Interaction with System Restore |
|---|---|
| Add or Remove Programs | System Restore does not uninstall applications. To properly remove all files installed by an application’s setup program, run the uninstall program provided with the application. |
| Automated System Recovery (ASR) | A successful ASR restore operation resets restore points. All restore points created prior to the ASR restore operation are lost, with the restored data serving as the basis for subsequent monitoring and restore point management. |
| Backup | System Restore creates a restore point before you perform a restore operation by using Backup (Ntbackup.exe). If the Backup restore operation fails or if the user cancels, System Restore reverts the operating system state but does not restore personal data files. If the Backup restore operation succeeds, you cannot use restore points created before the successful Backup restore operation. |
| Device Driver Roll Back | System Restore reverts drivers and the Device Driver Roll Back state to match the information in the restore point. Use Device Driver Roll Back instead of System Restore if you are certain that a specific driver (for example, a video card driver) is the source of a problem. If you already performed a System Restore and want to roll back a specific driver without affecting other system changes, you can undo the last System Restore restore operation and then roll back the problem driver. |
| Folder Redirection | System Restore does not restore files in redirected folders. |
| Last Known Good Configuration | System Restore applies settings stored in the selected restore point. System Restore reverts the Last Known Good Configuration to match the information in the selected restore point. This guarantees that the restored registry and Last Known Good state are consistent. |
| Operating System Upgrades | Upgrading from Windows Millennium Edition to Windows XP Professional or upgrading from one Windows XP Professional version to another causes all System Restore restore points to be reset. All restore points created prior to the operating system upgrade are lost. |
| Plug and Play | System Restore does not alter Plug and Play routines. For example, if you use a restore point created before a device was installed, that device is redetected and Windows XP Professional attempts to initialize new hardware and install drivers after System Restore completes. |
| Recovery Console | System Restore does not monitor changes made within Recovery Console. You cannot apply restore points in Recovery Console. |
| Roaming User Profiles | System Restore does not restore roaming user profile information. |
| Safe mode | You cannot create restore points in safe mode. You can use System Restore to apply restore points in safe mode. |
| Windows File Protection | System Restore synchronizes Windows File Protection (WFP) data to agree with restored information. For more information about Windows File Protection, see “Windows File Protection” later in this appendix. |
| Windows Update | Using a restore point might revert recent updates such as a new video card driver or updates downloaded by using Windows Update. By using Automatic Updates, you can help ensure that your system is up to date. For example, after you apply a restore point, Automatic Updates can download updates to your system and you can then decide whether to reinstall them. For more information about Automatic Updates, see “Windows Update” in this appendix. |

Warning System Restore is not a backup feature and does not replace Backup. System Restore saves registry information and incremental changes to monitored files. System Restore does not save personal data. In addition, System Restore requires that you be able to start Windows XP Professional in safe or normal mode. You must use Backup or ASR to recover from data loss caused by hard disk–related damage that prevents you from starting the operating system in safe mode, normal mode, or Recovery Console.

Add or Remove Programs

If problems occur soon after you install an application, you can use Add or Remove Programs in Control Panel to remove the application. You can then focus your efforts on searching for an update or workaround that might permanently resolve the problem.

Software conflicts can cause problems with other software or cause hardware to behave unpredictably or stop responding. For example, after installing an incompatible CD-ROM mastering application, you cannot shut down your system properly. You observe that the problem is consistent, and you decide to uninstall the application. After removing the CD-mastering software, you can successfully shut down the computer. You search for a Windows XP Professional–specific update on the manufacturer’s Web site and find that reinstalling the application and applying the update resolves the problem.

To uninstall an application
  1. Do one of the following:

    • In Control Panel, click Add or Remove Programs.

    • In the Run dialog box, type appwiz.cpl, and then click OK.

  2. Under Currently installed programs, click an application to uninstall.

  3. Click Change/Remove, and confirm or cancel the uninstall process.

Uninstalling software might not always resolve the problem. However, it does eliminate a possible cause, and it reduces the number of variables to consider while troubleshooting. For more information about adding or removing programs, see Windows XP Professional Help and Support Center.

Recovery Console

Recovery Console is a character-mode environment that you can run directly from the Windows XP Professional operating system CD or install as a startup option. Unlike normal or safe mode, the Windows graphical user interface (GUI) is not available within Recovery Console. Recovery Console provides a set of commands for advanced users who are comfortable working outside the Windows GUI environment.

If you cannot start Windows XP Professional in safe mode or normal mode, Recovery Console allows you to perform many troubleshooting and maintenance tasks, such as disabling problem drivers and services that you suspect are causing startup problems. Recovery Console is separate from the command-line Cmd.exe shell and grants limited access to local NTFS and file allocation table (FAT) formatted volumes.

For more information about using Recovery Console to troubleshoot startup and disk problems, see Chapter 29, “Troubleshooting the Startup Process,” and Chapter 28, “Troubleshooting Disks and File Systems,” in this book.

Installing and Using Recovery Console

Before you install Recovery Console, you need to be aware of the following disk and file system limitations.

Recovery Console is sensitive to file-system changes

If you install Recovery Console to a hard disk that uses the FAT file system, converting to NTFS causes Recovery Console to stop functioning. You must reinstall Recovery Console after converting to NTFS.

Recovery Console limitations on dynamic disks

Certain Recovery Console limitations exist for dynamic disks. For more information, see article 227364, “Dynamic Volumes Are Not Displayed Accurately in Text-Mode Setup or Recovery Console,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Installing Recovery Console

You can start Recovery Console directly from the Windows XP Professional operating system CD or install it on the hard disk as a startup option.

Warning To enable your system to start from the Windows XP Professional operating system CD you might need to change the device boot order settings stored in firmware. For more information about changing boot order settings, see Chapter 29, “Troubleshooting the Startup Process,” in this book.

To start Recovery Console from the Windows XP Professional operating system CD

  1. Restart the computer by using the Windows XP Professional operating system CD.

  2. Wait for the Windows XP Professional Setup program to display the Welcome to Setup screen (this might take a few moments). Choose To repair a Windows XP Professional installation by pressing R.

  3. Type the number corresponding to the Windows XP Professional installation that you want to use, and then press ENTER. You must type a number when prompted, even if only a single Windows XP Professional installation exists. If you press ENTER without typing a number, Windows XP Professional restarts the computer.

  4. At the prompt, enter the password for the local Administrator account so that you can access the contents of the local hard disk. Recovery Console accepts only the password for the local Administrator account. If you do not enter the correct password within three attempts, Windows XP Professional denies access and restarts the computer.

For more information about the password requirements for Recovery Console, see article 258585, “Recovery Console Prompts for Administrator Password Even If Administrator Account Has Been Renamed,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

To install Recovery Console as a hard disk startup option for x86-based systems

  1. With Windows running, insert the Windows XP Professional operating system CD into your CD-ROM drive.

  2. Click No when prompted to upgrade to Windows XP Professional.

  3. At the command prompt, type a command using the following syntax:

    drive:\i386\winnt32.exe /cmdcons

    – or –

    drive:\amd64\winnt32.exe /cmdcons

    In the preceding syntax, drive represents the letter of the CD-ROM. For x64 AMD systems, use the amd64 directory version of winnt32.exe. For network-based installations, or if you do not have access to a Windows XP Professional operating system CD, you can install Recovery Console from a network distribution share by typing:

    \\server\share\i386\winnt32.exe /cmdcons

    After you enter this command and restart your computer, Recovery Console appears as a menu item in the operating system startup menu.

Directory and folder access

If you successfully log on, you can access the following directories and folders by using Recovery Console:

  • The root directory of any volume

  • The systemroot folder and subfolders of the selected Windows XP Professional installation

  • The Recovery Console Cmdcons folder and any subfolders (if you installed Recovery Console as a startup option)

  • Files and directories on removable disks

Recovery Console restrictions

By default, Recovery Console enforces the following four restrictions:

  • You cannot access certain folders, such as Program Files, Documents and Settings, and disks or folders containing other Windows XP Professional installations.

  • You cannot copy files to removable disks because floppy-disk write access is disabled by default. When you attempt to copy files to removable disks, an error message similar to the following appears: “Access is denied.”

  • You cannot change the local Administrator account password from Recovery Console.

  • You do not have access to a text-editing tool in Recovery Console.

You can customize Recovery Console to bypass the first and second restrictions, by using the SET command to modify environment variables. Windows XP Professional uses environment variables to associate string values, such as folder or file paths, to variables that applications and the operating system can use. For example, by using environment variables, scripts can run without modification on computers that have different configurations. For more information about environment variables, see “To add or change the values of environment variables” in Windows XP Professional Help and Support Center.

Customizing Recovery Console

You can use the Recovery Console set command to display or modify the following four Recovery Console environment variables.

AllowWildCards

Setting the value of this variable to TRUE allows you to use wildcard characters (* and ?) with some commands. For example, typing dir *.txt lists all files in the current directory with the .txt file name extension to the screen.

AllowAllPaths

Setting the value of this variable to TRUE allows you to expand the scope of the change directory cd command to include all folders on all disks.

AllowRemovableMedia

Setting the value of this variable to TRUE allows you to copy files from the hard disk to removable disk media.

NoCopyPrompt

Setting the value of this variable to TRUE allows you to copy files without being prompted to continue when overwriting an existing file.

To change the value of the preceding variables from the default value of FALSE to TRUE, use the following syntax:

set variable = [TRUE|FALSE]

When you first attempt to use the set command to change the value of environment variables from FALSE to TRUE, an error message similar to the following appears:

The SET command is currently disabled. The SET command is an optional 
Recovery Console command that can only be enabled by using the 
Security Configuration and Analysis snap-in.

To enable the set command, enable the Allow floppy copy and access to all drives and all folders Group Policy setting by using the Group Policy snap-in.

To enable use of the set command by using the Group Policy snap-in

  1. Restart Windows XP Professional in normal mode.

  2. In the Run dialog box, type gpedit.msc.

  3. In the console tree, expand Local Computer Policy, and then expand Computer Configuration, Windows Settings, Security Settings, and Local Policies.

  4. Click Security Options.

  5. Double-click Recovery Console: Allow floppy copy and access to all drives and all folders, click Enabled, and then click OK.

In an Active Directory–based network, to enable set command functionality for all computers, set Group Policy on a domain controller. Setting up policy from a central location is more efficient than applying settings for each computer.

You can also use the Group Policy snap-in to enable the policy Recovery Console: Allow automatic administrative logon, which allows you to bypass the logon process when Recovery Console starts. Activating this policy eliminates a security barrier intended to protect your computer against unauthorized users. Therefore, it is important that you enable this policy only on systems that have secure consoles, such as those in locked rooms. You can also make Group Policy changes by using the Security Configuration and Analysis snap-in.

For more information about Group Policy, see Chapter 17, “Managing Authorization and Access Control,” Chapter 1, “Planning Deployments,” and Chapter 5, “Managing Desktops.” Also, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit and the Change and Configuration Management Deployment Guide link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Using Recovery Console to Recover from Startup Problems

Using Recovery Console enables you to recover from the following problems:

  • Corrupted or deleted startup files caused by incompatible software, user error, or virus activity.

  • Disk problems related to damage to the master boot record (MBR), partition table, or boot sector.

  • A partition boot sector overwritten by another operating system’s setup program.

If critical system files, such as Ntldr or Ntoskrnl.exe, are missing or corrupted, you can restore them by starting Recovery Console and copying fresh files from the Windows XP Professional operating system CD or other removable disk media. For more information about using Recovery Console to recover from startup problems, see Chapter 29, “Troubleshooting the Startup Process,” in this book.

Boot sector damage can be caused by incompatible software, hardware problems, virus activity, or when you attempt to configure your computer as a multiple-boot system. For example, setup programs for other operating systems might not be compatible with Windows XP Professional and might attempt to overwrite the boot sector or startup files.

When configuring a multiple-boot system on x86-based systems, you must install other operating systems, such as Microsoft Windows 95 and Microsoft Windows 98, before installing Windows XP Professional. To avoid boot sector problems, install Windows operating systems on different partitions in the following order:

  1. Windows 95, Windows 98, or Microsoft Windows Millennium Edition (Windows Me)

  2. Microsoft Windows NT Workstation version 4.0 with Service Pack 4 or later

  3. Microsoft Windows NT Server version 4.0 with Service Pack 4 or later

  4. Microsoft Windows 2000 Professional

  5. Windows XP Professional

If you do not follow the preceding order, you might lose the ability to start Windows XP Professional. To restore the ability to start your system, use the Recovery Console fixboot command as described in Chapter 28, “Troubleshooting Disks and File Systems,” in this book.

Note: For a multiple-boot computer that participates in an Active Directory domain, use a different computer name for each operating system installation to avoid security identifier (SID) issues.

Leave partitions with Windows 95, Windows 98, or Windows Me installed as FAT16 or FAT32, because these operating systems are not compatible with NTFS. In addition, be aware of the following limitations when running Windows NT 4.0:

  • Computers running Windows NT 4.0 cannot access FAT32 partitions. For a multiple-boot computer running Windows NT 4.0 and Windows 95, Windows 98, or Windows Me, you must use a FAT16 formatted system partition.

  • Computers running Windows NT 4.0 require Service Pack 4 or later to access NTFS volumes previously mounted by Windows 2000 or Windows XP Professional.

  • Computers running Windows NT 4.0 cannot access files stored by using the Encrypting File System.

For more information about file system interoperability, see Chapter 13, “Working with File Systems.” For more information about the Encrypting File System, see Chapter 18, “Using Encrypting File System.”

For x86-based systems, Microsoft Windows 2000 Setup might overwrite the Windows XP Professional versions of system files, Ntldr and Ntdetect.com, if you install Windows 2000 after Windows XP Professional. You cannot use Windows 2000 versions of Ntldr and Ntdetect.com to start Windows XP Professional. To restore these system files, use the procedure that follows.

Note: The general rule when installing multiple boot configurations is to install them in the order they were released. Also, if you’re installing both 32-bit and x64 versions, install the x64 version last.

To restore Windows XP Professional versions of Ntldr and Ntdetect.com on x86-based systems

  1. Start Recovery Console by using the Windows XP Professional operating system CD.

  2. Navigate to the system partition root, and type the following commands from the Recovery Console prompt:

    copy drive:\i386\ntldr

    copy drive:\i386\ntdetect.com

    In the preceding two commands, drive represents the letter of the CD-ROM that holds the Windows XP Professional installation files.

  3. Answer the Overwrite system? (Yes/No/All): prompts by pressing Y.

  4. Restart the computer.

Using Recovery Console Commands

Recovery Console provides a list of commands that you can use for troubleshooting. When using Recovery Console, you can view and reuse previous commands by pressing the UP ARROW and DOWN ARROW keys, which move you forward or backward through your command history.

For the list of Recovery Console commands that follow, brackets ([]) enclose optional parameters and a pipe (|) separates mutually exclusive choices. Recovery Console commands and parameters are not case sensitive.

Attrib

Use the attrib command to change the file attributes for a single file or folder. Use the following syntax:

attrib -|+[c][h][r][s][drive:][path]filename

| Parameter | Description |
| --- | --- |
| + | Sets an attribute |
| - | Clears an attribute |
| c | Sets or clears a compressed file attribute |
| h | Sets or clears a hidden file attribute |
| r | Sets or clears a read-only file attribute |
| s | Sets or clears a system file attribute |
| drive: | Specifies the drive letter to use |
| path | Specifies the directory path to use |

Follow these guidelines for using the attrib command:

  • You must set or clear at least one attribute.

  • You can change attributes for only one file or directory at a time.

  • You can view attributes by using the dir command.

  • Do not separate attribute parameters with spaces.

  • You can set multiple attributes simultaneously:

    • To change multiple attributes in the same way, use either the set or clear parameter (+ or -). Include all the attribute options to be changed, and do not separate them with spaces. For example, to set the compressed, hidden, and read-only attributes for a single file, use the following syntax:

      attrib +chr filename

    • To change multiple attributes in different ways, use the set parameter (+) and include all the attribute letters to be set, followed without a space by the clear parameter (-) and all the attribute letters to be cleared. For example, to set the compressed and hidden file attributes and to clear the read-only file attribute, use the following syntax:

      attrib +ch-r filename

Batch

Use the batch command to run the commands specified in a text file. Use the following syntax:

batch inputfile [outputfile]

| Parameter | Description |
| --- | --- |
| inputfile | Specifies the text file (by using [drive:][path][filename] format) that contains the list of commands you want to carry out. |
| outputfile | If specified, stores the output of the batch command in the specified file. If you do not specify a value for outputfile, the batch command displays its output on the screen. Specify outputfile by using [drive:][path][filename] format. |

The batch command cannot call itself recursively. Do not include the batch command in the file specified by the inputfile parameter.

Bootcfg

Use the bootcfg command to scan your hard disks and use the information to modify the contents of the Boot.ini file or rebuild a new copy. Use the following syntax:

bootcfg [/add] | [/default] | [/list] | [/rebuild] | [/scan]

| Parameter | Description |
| --- | --- |
| /add | Adds a Windows installation to the operating system boot menu list |
| /default | Sets the default boot menu |
| /list | Lists the entries already in the boot menu list |
| /rebuild | Scans hard disks for Windows installations and lets you select which to add |
| /scan | Scans all disks for Windows installations, and displays the results |

Always back up the Boot.ini file before modifying it. For more information about the Boot.ini file, see Chapter 29, “Troubleshooting the Startup Process.”

Cd or Chdir

Use the cd or chdir command to display the name of the current volume or directory, or to change to the folder specified. Use the following syntax:

cd [path]|[..]|[drive:]

– or –

chdir [path]|[..]|[drive:]

| Parameter | Description |
| --- | --- |
| path | Specifies the directory that you want to change to |
| .. | Displays the parent folder |
| drive: | Specifies the drive that you want to change to |

If you want to display the current volume and folder, use the cd or chdir command without parameters.

Cd and Chdir treat spaces as delimiters, requiring that a space precede all arguments, including double periods. Use quotation marks to enclose a path or file name that contains a space.

Chkdsk

Use the chkdsk command to check a volume, and if needed, to repair the volume. Also, use Chkdsk to recover and move readable information before marking bad sectors as unusable. Use the following syntax:

chkdsk [drive:][/p]|[/r]

You can use Chkdsk without parameters. When you do not specify a volume, Chkdsk runs on the current volume.

| Parameter | Description |
| --- | --- |
| drive: | Specifies the volume that you want Chkdsk to check. |
| /p | Performs an exhaustive volume check. This parameter does not make any changes to the volume. |
| /r | Locates bad sectors, and recovers readable information before marking them as unusable. Implies /p. |

Chkdsk requires the file Autochk.exe. If Chkdsk cannot find Autochk in the systemroot\System32 directory, it attempts to locate Autochk on the Windows XP Professional installation CD. If you are using a multiple boot configuration, verify that you are issuing this command from the volume containing Windows XP Professional.

Cls

Use the cls command to clear the screen and redisplay the command prompt. Use the following syntax:

cls

Copy

Use the copy command to copy a single file to a specified location. Use the following syntax:

copy source destination

| Parameter | Description |
| --- | --- |
| source | Specifies the file (by using [drive:][path][filename] format) that you want copied |
| destination | Specifies the destination (by using [drive:][path][filename] format) where you want to copy the source file |

The following also applies to the copy command:

  • You cannot use wildcard characters (* and ?) with the copy command.

  • If you do not specify a destination directory, the copy command uses the current folder by default.

  • If you do not specify a destination file name, the copy command uses the existing file name by default.

  • If the destination file name already exists, you are warned before overwriting it.

  • Compressed files from the Windows XP Professional operating system CD are automatically expanded as they are copied.

Del or Delete

Use the del or delete command to delete a file or folder. Use the following syntax:

del [drive:][path]filename

– or –

delete [drive:][path]filename

| Parameter | Description |
| --- | --- |
| drive: | Specifies the volume of the file you want to delete |
| path | Specifies the directory of the file you want to delete |
| filename | Specifies the file you want to delete |

You cannot use wildcard characters with this command.

Dir

Use the dir command to display a list of the files and folders in a directory. Use the following syntax:

dir [drive:][path][filename]

| Parameter | Description |
| --- | --- |
| drive: | Specifies the volume of the directory for which you want a listing |
| path | Specifies the directory for which you want a listing |
| filename | Specifies the file for which you want a listing |

In Recovery Console, the dir command functions differently, listing all folders and files, including those with hidden and system attributes set. For each file and subdirectory, the dir command lists its attributes (if they apply) by using the following abbreviations.

| Abbreviation | Attribute |
| --- | --- |
| a | Archive |
| c | Compressed |
| d | Directory |
| e | Encrypted |
| h | Hidden |
| p | Reparse point |
| r | Read-only |
| s | System file |

You cannot use wildcard characters with this command.

Disable

Use the disable command to disable a service or driver. Use the following syntax:

disable servicename

| Parameter | Description |
| --- | --- |
| servicename | Specifies the service or driver that you want to disable |

Use the related command listsvc to view a list of service and driver names for your system. The disable command displays the previous start type of a service before changing it to SERVICE_DISABLED. Record this value so that you can restore the original state of a service after troubleshooting a problem.

Diskpart

Use the diskpart command to manage the partitions on your hard disk. For example, to create or delete disk partitions, use the following syntax:

diskpart [/add | /delete] [device-name | drive-name | partition-name] [size]

| Parameter | Description |
| --- | --- |
| /add | Creates a new disk partition. |
| /delete | Deletes an existing partition. |
| device-name | Specifies the name of the device for which you want to create or delete a partition—for example, \Device\HardDisk0. To obtain the name of a device, view the output of the map command. |
| drive-name | Specifies the drive letter of the partition that you want to delete—for example, D:. Use only with /delete. |
| partition-name | Specifies the partition that you want to delete; can be used in place of the drive-name parameter. For example, \Device\HardDisk0. Use only with /delete. |
| size | Specifies the size, in megabytes, of the partition you want to create. Use only with /add. |

If you do not use a parameter, a user interface for managing your partitions appears.

Caution: This command can damage your partition table if the disk has been upgraded to dynamic disk. Do not modify the structure of dynamic disks unless you are using the Disk Management snap-in.

Enable

Use the enable command to enable or change the startup type of a service or driver. Use the following syntax:

enable servicename [start_type]

| Parameter | Description |
| --- | --- |
| servicename | Specifies the service or driver that you want to enable. |
| start_type | Specifies the startup type for a service or driver. Valid values are SERVICE_BOOT_START, SERVICE_SYSTEM_START, SERVICE_AUTO_START, and SERVICE_DEMAND_START. |

Use the related command listsvc to view a list of service and driver names for your system. The enable command displays the previous start type of the service before changing it. Record this value so that you can restore the original state of the service after troubleshooting a problem.

If you do not specify a new start type, the enable command displays the previous start type.

For more information about enabling or disabling services for troubleshooting, see Chapter 29, “Troubleshooting the Startup Process.”

Exit

Use the exit command to close Recovery Console and restart your computer. Use the following syntax:

exit

Expand

Use the expand command to expand a compressed file stored on the Windows XP Professional operating system CD or in a cabinet (.cab) file, and copy it to a specified destination. Use the following syntax:

expand source [/f:filespec] [target] [/y]
expand source [/f:filespec] /d

| Parameter | Description |
| --- | --- |
| source | Specifies the file you want to expand (by using [drive:][path][filename] format). You cannot use wildcard characters (* and ?). |
| target | Specifies the destination folder and/or file name for the new file using [drive:][path][filename] format. |
| /f:filespec | Specifies the specific file(s) you want to expand if the source contains more than one file. Wildcards are optional. |
| /y | Specifies that the confirmation prompt that appears when attempting to overwrite an existing file is not required. |
| /d | Specifies that files display, but does not expand the files in the cabinet file. |

Fixboot

Use the fixboot command to rewrite the boot sector code to the system volume. This is useful for repairing a corrupted boot sector. If you need to replace the boot sector of a volume that is not the system volume, you must specify the appropriate drive letter. Use the following syntax:

fixboot [drive:]

| Parameter | Description |
| --- | --- |
| drive: | Specifies the volume drive letter on which to rewrite a new boot sector. |

If you do not specify a drive, the default is the system boot volume.

Fixmbr

Use the fixmbr command to rewrite the master boot code of the master boot record (MBR) of the startup hard disk. This command is useful for repairing corrupted MBRs. Use the following syntax:

fixmbr [device-name]

| Parameter | Description |
| --- | --- |
| device-name | Specifies the name of the device that needs a new MBR—for example, \Device\HardDisk1 |

If you do not specify a device, the default is disk 0. If disk 0 is not the device that needs repairing, you can obtain the device name of other disks by using the map command.

If the fixmbr command detects an invalid or nonstandard partition table signature, it prompts you for permission before rewriting the MBR.

Use this command with care because it can damage your partition table if any one or more of the following applies:

  • A virus is present and a third-party operating system is installed on the same computer.

  • A nonstandard MBR is installed by a third-party disk utility.

  • A hardware problem exists.

Always run antivirus software before using this command.

Running the fixmbr command overwrites only the master boot code, leaving the existing partition table intact. If corruption in the MBR affects the partition table, running the fixmbr command is unlikely to resolve the problem. For more information, see Chapter 28, “Troubleshooting Disks and File Systems.”
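To check that statement on saved copies of sector 0, the following Python sketch, an added example that is not part of the Resource Kit, parses an MBR image and reports which regions differ between a copy taken before running fixmbr and one taken after. The byte offsets follow the conventional MBR layout, which the page does not spell out, and the sample sectors are constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
# Conventional MBR layout (assumed by this example, not stated on the page).
REGIONS = {
    "boot code":       (0, 440),
    "disk signature":  (440, 446),   # 4-byte disk signature plus 2 reserved bytes
    "partition table": (446, 510),   # four 16-byte entries
    "boot signature":  (510, 512),   # must be 55 AA
}


def parse_mbr(sector: bytes) -> dict:
    """Validate the 55 AA signature, hash the boot code and list used partition slots."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    partitions = []
    for slot in range(4):
        entry = sector[446 + 16 * slot: 446 + 16 * (slot + 1)]
        if entry[4] == 0:            # type 0 marks an unused slot
            continue
        start_lba, count = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "slot": slot,
            "active": entry[0] == 0x80,
            "type": entry[4],
            "start_lba": start_lba,
            "sectors": count,
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def changed_regions(before: bytes, after: bytes) -> list:
    """Name every MBR region whose bytes differ between two sector images."""
    for image in (before, after):
        if len(image) != SECTOR_SIZE:
            raise ValueError("an MBR image must be exactly 512 bytes")
    return [name for name, (lo, hi) in REGIONS.items() if before[lo:hi] != after[lo:hi]]


def constructed_mbr(boot_code_fill: int, signature: bytes = b"\x55\xaa") -> bytes:
    """Build a sample sector: filler boot code and one active NTFS (type 0x07) partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:440] = bytes([boot_code_fill]) * 440
    sector[440:444] = struct.pack("<I", 0x1234ABCD)
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                                  0x07, b"\xfe\xff\xff", 63, 20_000_000)
    sector[510:512] = signature
    return bytes(sector)


# Constructed samples: same partition table, different boot code; one bad signature.
BEFORE = constructed_mbr(0xCC)
AFTER = constructed_mbr(0x90)
DAMAGED = constructed_mbr(0xCC, signature=b"\x00\x00")

if __name__ == "__main__":
    print("changed after rewrite:", changed_regions(BEFORE, AFTER))
    print("partitions preserved:", parse_mbr(BEFORE)["partitions"] == parse_mbr(AFTER)["partitions"])
    print("damaged signature valid:", parse_mbr(DAMAGED)["signature_ok"])
```

If "partition table" appears in the changed regions, something other than the master boot code was rewritten; comparing boot_code_sha256 against a hash taken from a known-good installation is one way to spot boot code that was altered before the repair.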

Format

Use the format command to format the specified volume to the specified file system. Use the following syntax:

format [drive:] [/q] [/fs:file-system]

| Parameter | Description |
| --- | --- |
| drive: | Specifies the drive letter for the volume you want to format. |
| /q | Specifies a quick format (clears only the table of contents). |
| /fs:file-system | Specifies the file system you want to use. Valid values for file-system include FAT, FAT32, and NTFS. |

Consider the following points before using the Format command:

  • If a file system is not specified, the format command defaults to the NTFS file system.

  • Choosing FAT formats a volume as FAT16. FAT16 volumes cannot be larger than 4 GB. Limit FAT16 partitions to 2 GB to increase storage efficiency and to maintain compatibility with Microsoft MS-DOS, Windows 95, Windows 98, and Windows Me.

  • Windows XP Professional can format FAT32 volumes up to 32 GB in size. For larger volumes, use NTFS.

For more information about these file systems, see Chapter 13, “Working with File Systems.”

Help

Use the help command to view Help information for Recovery Console commands. Use the following syntax:

help [command]

| Parameter | Description |
| --- | --- |
| command | Specifies the command for which you want to view Help information. |

Use the command parameter to specify a name of any Recovery Console command.

If you do not specify a parameter, Help lists information about all the supported commands.

Listsvc

Use the listsvc command to view details about the services and drivers on your system, including service start types. Use the following syntax:

listsvc

Use the listsvc command together with the disable and enable commands. The information displayed is extracted from the System registry file that is located in the systemroot\System32\Config folder. If the file System is damaged or missing, the information displayed might be inaccurate. For more information about enabling or disabling services for troubleshooting, see Chapter 29, “Troubleshooting the Startup Process.”

Logon

Use the logon command to detect and log on to Windows installations. Use the following syntax:

logon

You must correctly enter the local Administrator password within three attempts or the computer restarts.

Map

Use the map command to list all drive letters, file system types, volume sizes, and mappings to physical devices that are currently active. Use the following syntax:

map [arc]

| Parameter | Description |
| --- | --- |
| arc | Use the arc parameter to force the use of the Advanced RISC Computing (ARC) specification format to describe paths instead of using device paths. You can use this information to create or repair the Boot.ini file. |

The map command might not work correctly with systems using dynamic disk features.

Md or Mkdir

Use the md or mkdir command to create a new directory or subdirectory. Use the following syntax:

md [drive:]path
mkdir [drive:]path

| Parameter | Description |
| --- | --- |
| drive: | Specifies the volume on which to create a folder |
| path | Specifies the name of the folder to create |

You cannot use wildcard characters with this command.

This command might not display all the volumes on a disk or the correct volume sizes on dynamic disks.

More or Type

Use the more or type command to display the contents of a text file. Use the following syntax:

more [path\]filename
type [path\]filename

| Parameter | Description |
| --- | --- |
| filename | Specifies the file name to view |
| path | Specifies the folder where the file is located |

If a text file is too large to fit on one screen, use the following page viewing options:

  • ENTER to scroll down one line at a time

  • SPACEBAR to scroll down one page at a time

  • ESC to quit viewing the text file

Net Use

Use the net use command to connect to a remote share for the Windows XP Recovery Console. Use the following syntax:

net use [devicename | *] [\\computername\sharename[\volume] [password | *]]
        [/user:[domainname\]username]
        [/user:[dotted_domain_name\]username]
        [/user:username@dotted_domain_name]
        [/smartcard]
        [/savecred]
        [[/delete] | [/persistent:{YES | NO}]]

net use {devicename | *} [password | *] /home

net use [/persistent:{YES | NO}]

| Parameter | Description |
| --- | --- |
| devicename | Assigns a name to connect to the resource, or specifies the device to be disconnected. Use an asterisk (*) instead of a specific device name to assign the next available device name. |
| \\computername\sharename | Specifies the UNC path to the server and the shared resource. If computername contains spaces, use quotation marks around the entire UNC path. |
| password | Specifies the password needed to access the shared resource. Use an asterisk (*) to prompt for the password. |
| username | Specifies the user name with which to log on. |
| domainname | Specifies another domain. If omitted, net use uses the current logged-on domain. |
| dotted_domain_name | Specifies the fully qualified domain name for the domain where the user account exists. |
| /user | Specifies a different user name with which the connection is made. This switch cannot be used with /savecred. |
| /savecred | Stores the provided credentials for reuse if the user is prompted for a password. This parameter cannot be used with /smartcard or /user. |
| /smartcard | Specifies the network connection is to use the credentials on a smart card. If multiple smart cards are available, you are asked to specify the credential. This parameter cannot be used with /savecred. |
| /delete | Cancels the specified network connection. If you specify the connection with an asterisk (*), all network connections are canceled. |
| /persistent:{yes \| no} | Controls the use of persistent network connections. The default is the setting used last. Deviceless connections are not persistent. “Yes” saves all connections as they are made and restores them at next logon. “No” does not save the connection being made or subsequent connections. Existing connections are restored at the next logon. Use /delete to remove persistent connections. |

Rd or Rmdir

Use the rd or rmdir command to delete a directory or subdirectory. Use the following syntax:

rd [drive:]path
rmdir [drive:]path

| Parameter | Description |
| --- | --- |
| drive: | Specifies the volume on which to delete a folder |
| path | Specifies the name of the folder to delete |

You cannot use wildcard characters with this command.

Ren or Rename

Use the ren or rename command to rename a file or directory. Use the following syntax:

ren [drive:][path]name1 name2
rename [drive:][path]name1 name2

| Parameter | Description |
| --- | --- |
| drive: | Specifies the volume drive letter on which the file to be renamed resides |
| path | Specifies the path to the file or folder to be renamed |
| name1 | Specifies the file or folder to be renamed |
| name2 | Specifies the new name for the file or folder |

You cannot use wildcard characters with this command.

Set

Use the set command to set Recovery Console environment variables. Use the following syntax:

set [variable = value]

Recovery Console disables the set command by default, and you must use the Group Policy snap-in to enable the set command. For more information about enabling the set command, see “Customizing Recovery Console” earlier in this appendix.

| Environment Variable | Description |
| --- | --- |
| AllowWildCards | Set to TRUE to enable wildcard character (* and ?) support for some commands, such as DEL, that do not otherwise support them |
| AllowAllPaths | Set to TRUE to allow access to all files and folders on the computer |
| AllowRemovableMedia | Set to TRUE to allow files to be copied to removable media, such as floppy disks |
| NoCopyPrompt | Set to TRUE to suppress the confirmation prompt that appears when overwriting a file |

To display the list of current environment variables, use the set command without specifying a parameter.

Systemroot

Sets the current directory to the systemroot directory of the Windows XP Professional installation with which you are currently working. Use the following syntax:

systemroot

Backup

Troubleshooting a problem eventually requires that you test one or more possible solutions and observe the results. Therefore, you must be able to restore system settings if the changes you make have negative effects. The Backup tool (Ntbackup.exe) allows you to save system files, application files, and data files that might be at risk. Backups enable you to undo sweeping changes and recover data if troubleshooting does not proceed as expected.

For example, you find and apply several changes suggested in Microsoft Knowledge Base articles. Although the problem disappears, you are unable to identify the change or combination of changes responsible. Using a backup set created before you applied the changes, you can restore the problem configuration and retest possible solutions individually until you identify the exact steps required to resolve the problem. Identifying the exact steps required avoids applying unnecessary changes that might lead to other problems.

Whether you use Backup or an equivalent backup program with similar functionality, enable the Verify data and Save system state options if available. Enabling data verification causes Backup to check that files on disk are identical to those stored on the backup media immediately after a backup or restore operation. Enabling the Save system state option causes Backup to include system state information in the list of items to save to backup media. Always follow the backup media manufacturer’s recommendations, especially when reusing tape cartridges.

To save system state information in Backup

  1. In the Run dialog box, type ntbackup.

  2. In the Backup Utility Wizard, click Advanced Mode, click the Backup tab, and then select System State.

  3. In the Backup destination box, select File or a backup device installed on your computer.

  4. In the Backup media or file name box, type the destination file name.

  5. Click Start Backup.

If you want to include other files, such as application or personal data files, select the files to save before clicking Start Backup.

There are two points that you need to consider when performing backup and restore operations.

Backups might not contain the latest data

If data on backup media is not current, a restore operation might replace application files, drivers, service packs, or software updates by copying older files to your system. Always maintain a record of recent driver or service pack changes in case you need to reapply these changes after restoring files.

Plug and Play redetects hardware and might re-install drivers

Windows XP Professional redetects any hardware that you installed since the last backup and, after restoring the system state from a backup, might request drivers from the Windows XP Professional operating system or from removable disks.

For more information about using Backup to save and restore files, see Windows XP Professional Help and Support Center and Chapter 14, “Backing Up and Restoring Data.”

Automated System Recovery

Automated System Recovery (ASR) is a Backup (Ntbackup.exe) and Windows XP Professional Setup option that enables you to restore the ability to start Windows XP Professional when other recovery methods are ineffective or not available. For example, ASR is useful if a hardware problem or virus activity causes disk corruption problems that prevent you from starting in safe mode, using Recovery Console, or using the Last Known Good Configuration.

The ASR user interface consists of the following two parts:

  • The ASR Wizard provided by Backup

  • The ASR restore option provided by Windows XP Professional Setup

ASR automates the process of saving and restoring system state information.

For more information about Automated System Recovery, see Windows XP Professional Help and Support Center and Chapter 14, “Backing Up and Restoring Data.”

Application and Service Tools

Windows XP Professional provides tools and features that you can use to diagnose and troubleshoot startup, applications, and services. Table C-6 is an alphabetical list of tools useful for troubleshooting applications and services. When attempting to identify and resolve problems, follow the guidelines discussed in Chapter 27, “Understanding Troubleshooting.”

Table C-6 Application and Service Tools for Troubleshooting

Tool

Function

Tool Type, Interface

Bootcfg (Bootcfg.exe)

Viewing or editing startup settings in the Boot.ini file entries.

Built-in, GUI

Boot logging

Creating a text-based log (Ntbtlog.txt) of listed drivers that loaded or failed at startup.

Built-in, startup option

Dependency Walker (Depends.exe)

Examining a selected application or software component, and determining the modules required for it to start.

Support tool, GUI

Device Manager

Viewing and changing hardware and device driver settings.

Built-in, GUI

DirectX Diagnostic Tool (Dxdiag.exe)

Doing the following:

  • Viewing information about installed components and drivers for the Microsoft DirectX application programming interface (API).

  • Testing sound, graphics output, and DirectPlay service providers.

  • Disabling or enabling DirectX hardware acceleration features.

Built-in, GUI

Dr. Watson (Drwtsn32.exe)

Recording detailed information to a log when application errors occur.

Built-in, GUI configuration

Error Reporting

Monitoring your system for problems that affect Windows XP Professional components and applications. When a problem occurs, you can send a report to Microsoft. An automated process searches the error-reporting database for matching conditions and responds with any troubleshooting information found.

Built-in, GUI

Event Query (Eventquery.vbs)

Displaying events and properties from the event logs.

Built-in, command-line

Event Triggers (Eventtriggers.exe)

Setting triggers based on event log events.

Built-in, command-line

Event Viewer (Eventvwr.msc)

Viewing the Event log, which contains information about application, security, and system events for your computer.

Built-in, GUI

Global Flag Editor (Gflags.exe)

Enabling or disabling advanced internal system diagnostics and troubleshooting tests.

Support Tool, GUI

Group Policy Snap-in (Gpedit.msc)

Viewing, creating, deleting, or editing user and computer Group Policy object (GPO) settings.

Built-in, GUI

Group Policy Results (Gpresult.exe)

Displaying information about the cumulative effect that Group Policy objects have on computers and users.

Built-in, command-line

Group Policy Update (Gpupdate.exe)

Refreshing GPOs so that changes take effect immediately. GPUpdate replaces the Windows 2000 tool Secedit.exe, and it provides increased control and flexibility.

Built-in, command-line

Kernel Debugger

Analyzing computer memory or a memory dump file written to disk when a Stop message occurs.

Debugging Tool, command-line

Memory Pool Monitor (Poolmon.exe)

Detecting and analyzing memory leaks.

Support Tool, GUI

OpenFiles (Openfiles.exe)

Listing or closing connections to files and folders opened remotely through a shared folder.

Built-in, command-line

Online Crash Analysis

Sending kernel memory dump files to a Web site hosted by Microsoft Corporation for evaluation. An automated process searches a database of known issues for matching conditions. You can optionally receive e-mail updates about your problem.

Web site

Performance Monitor (Perfmon.msc)

Obtaining data that is useful for detecting and diagnosing bottlenecks and changes in overall system performance.

Built-in, GUI

Process and Thread Status (Pstat.exe)

Viewing the status of threads, processes, and drivers.

Support Tool, command-line

Program Compatibility Wizard

Testing and resolving compatibility problems regarding running programs that worked correctly on an earlier version of Windows.

Built-in, GUI

Registry Editor (Regedit.exe)

Searching, viewing, and editing the contents of the registry.

Built-in, GUI

Resultant Set of Policy (Rsop.msc)

Viewing information about the cumulative effect that Group Policy objects have on computers and users.

Built-in, GUI

Runas.exe

Running tools and programs with different permissions than the user’s current logon provides.

Built-in, command-line

Runas (GUI feature)

Running tools and programs with different permissions than the user’s current logon provides.

Built-in, GUI

SC (Sc.exe)

Viewing, stopping, starting, pausing, and disabling services, or changing service startup types for diagnostic purposes from the command line.

Built-in, command-line

Services snap-in (Services.msc)

Viewing, stopping, starting, pausing, and disabling services, or changing service startup types for diagnostic purposes.

Built-in, GUI

Shutdown Event Tracker

Recording information to the System log, and describing the reason for shutting down or restarting the computer.

Built-in, GUI

System Configuration Utility (Msconfig.exe)

Enabling or disabling various settings for troubleshooting and diagnostic purposes.

Built-in, GUI

System Information in Help (Msinfo32.exe)

Collecting and displaying system configuration information about hardware, system components, and software. You can start System Information as a stand-alone tool or by using Windows XP Professional Help and Support Center.

Built-in, GUI

System Information (Systeminfo.exe)

Viewing computer configuration information. This is the character-mode version of the GUI-mode System Information tool.

Built-in, command-line

Task Killing Utility (TsKill.exe)

Ending one or more active tasks or processes.

Built-in, command-line

Task Lister (Tasklist.exe)

Listing active tasks and processes.

Built-in, command-line

Task Manager (Taskman.exe)

Viewing and ending active processes running on your system. In addition, you can use Task Manager to view system information, such as CPU and memory usage statistics.

Built-in, GUI

Uninstall Windows XP Professional

Uninstalling Windows XP Professional, and reverting to the previous operating system.

Built-in, GUI

In the preceding table, process refers to an instance of an application together with the set of system resources allocated to run the application. Thread refers to an object within a process that is allocated processor time by the operating system to run code. Threads, not processes, run program code. Every process must have at least one thread, which allows a process to maintain parallel lines of execution. This is especially valuable for multiprocessor systems because Windows XP Professional can assign different threads to different processors.

Bootcfg

Bootcfg (Bootcfg.exe) is a command-line tool that reduces the potential for error when adding or editing startup settings in the Boot.ini file. You must be logged on as an administrator or a member of the Administrators group to use Bootcfg.

To use Bootcfg to view Boot.ini file settings
  • To view Boot.ini file Windows XP Professional startup settings from the command prompt, type bootcfg /query.

For more information about using Bootcfg, click Tools in Help and Support Center.

Boot Logging

If your computer stops responding during startup, Boot logging allows you to identify initialized drivers. This information is useful if your computer cannot complete the startup process. By examining the boot log, you can identify the file name of the last file processed, which might be causing the problem. You can then focus your troubleshooting efforts on the suspect file and replace the file or search for an update.

To enable boot logging
  1. Restart the computer.

  2. When prompted, press F8, and then select Enable Boot Logging on the Windows Advanced Options Menu.

Enabling boot logging and restarting causes the operating system to create a log file in the systemroot directory named Ntbtlog.txt. You can view the log by double-clicking it. The log lists files that Windows XP Professional attempted to load during startup. In the log, Loaded driver or Did not load driver precedes the path to each file.

Loaded driver

A phrase that appears next to each driver or service that Windows XP Professional successfully loaded. The path and file name of the specific driver or service follow.

Did not load driver

A phrase that appears next to a driver or service that Windows XP Professional did not successfully load. The path and file name of the specific driver or service follow.

The following lines are sample Ntbtlog.txt entries:

Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys 
Did not load driver \SystemRoot\System32\DRIVERS\sflpydisk.sys

Examine the boot log to help identify missing or corrupted files. If a critical system file is corrupted or missing, Windows XP Professional might generate a Stop message or write an entry to the Event logs. To check whether a file listed as Did not load driver is corrupted, you can do the following:

  • Check for zero-byte files or files with date and time stamps that do not match the Windows XP Professional installation date.

  • Compare files in systemroot\System32 to the same files on the Windows XP Professional operating CD or another computer running the same edition (and service pack) of Windows XP Professional.

  • Run the System File Checker (Sfc.exe) command-line tool to inspect system files. For more information about the System File Checker, see “System File Checker” later in this appendix.

    Note In safe mode, new boot log entries are appended to the existing Ntbtlog.txt file.
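The boot log checks described above can be scripted when Ntbtlog.txt and a copy of the systemroot folder are examined on another computer. The following Python code is an added example, not part of the Resource Kit or of Windows; the function names, the banner lines in the constructed sample log, and the rule that any line that is not a driver entry belongs to a boot-session header are assumptions.

```python
import os
import re
from datetime import date

# The two phrases that precede each path in Ntbtlog.txt.
ENTRY_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")

# Constructed sample: two boots in one file, as happens when entries are appended.
# The banner lines are an assumption; the page shows only the driver entries.
SAMPLE_LOG = r"""
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 1 15 2003 09:12:44.500
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Loaded driver \SystemRoot\System32\DRIVERS\sflpydisk.sys
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 1 16 2003 08:01:10.375
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\DRIVERS\sflpydisk.sys
Did not load driver \SystemRoot\System32\DRIVERS\sflpydisk.sys
"""


def parse_boot_log(text):
    """Split boot log text into sessions of (loaded, path) entries."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match is None:
            # A header line after driver entries starts the next boot session.
            if current is None or current["entries"]:
                current = {"header": [], "entries": []}
                sessions.append(current)
            current["header"].append(line)
            continue
        if current is None:
            current = {"header": [], "entries": []}
            sessions.append(current)
        current["entries"].append((match.group(1) == "Loaded driver", match.group(2)))
    return sessions


def failed_drivers(session):
    """Paths marked 'Did not load driver' that never loaded in this session."""
    loaded = {path.lower() for ok, path in session["entries"] if ok}
    failed, seen = [], set()
    for ok, path in session["entries"]:
        key = path.lower()
        if not ok and key not in loaded and key not in seen:
            seen.add(key)
            failed.append(path)
    return failed


def regressions(sessions):
    """Drivers that failed in the latest boot but loaded in an earlier one."""
    if len(sessions) < 2:
        return []
    earlier = {p.lower() for s in sessions[:-1] for ok, p in s["entries"] if ok}
    return [p for p in failed_drivers(sessions[-1]) if p.lower() in earlier]


def resolve(log_path, systemroot):
    """Map a \\SystemRoot\\... log path onto a local copy of systemroot.

    Names are matched without regard to case, as Windows does. Paths with
    another prefix or with '..' components are not resolved.
    """
    parts = [p for p in log_path.split("\\") if p]
    if not parts or parts[0].lower() != "systemroot" or ".." in parts:
        return None
    current = systemroot
    for part in parts[1:]:
        try:
            names = os.listdir(current)
        except OSError:
            names = []
        current = os.path.join(
            current, next((n for n in names if n.lower() == part.lower()), part))
    return current


def check_file(log_path, systemroot, install_date):
    """Apply the checks listed above: missing, zero-byte, date mismatch."""
    path = resolve(log_path, systemroot)
    if path is None:
        return ["unresolved"]
    if not os.path.isfile(path):
        return ["missing"]
    findings = []
    info = os.stat(path)
    if info.st_size == 0:
        findings.append("zero-byte")
    if date.fromtimestamp(info.st_mtime) != install_date:
        findings.append("date-mismatch")
    return findings


if __name__ == "__main__":
    boots = parse_boot_log(SAMPLE_LOG)
    for number, boot in enumerate(boots, 1):
        print("boot", number, "did not load:", failed_drivers(boot))
    print("loaded before, failing now:", regressions(boots))
```

The systemroot argument of check_file is a directory on the examining computer that holds a copy of the Windows folder, and the installation date is supplied by the caller.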

Dependency Walker

Dependency Walker (Depends.exe) is a support tool that enables you to examine a selected application or component to determine what other components are required for the application to start. The tool lists the dependencies in a tree format.

For every component selected, Dependency Walker lists the programming functions of each primary and secondary module. Typically, the system modules have .exe, .dll, .ocx, and .sys file name extensions.

Dependency Walker can also help you identify problems related to missing or corrupt modules, circular dependency errors, and mismatched module types.

For more information about Dependency Walker, click Tools in Help and Support Center, and then click Windows Support Tools. For more information about service dependencies, see Chapter 29, “Troubleshooting the Startup Process.”

Device Manager

Device Manager (Devmgmt.msc) enables you to manage hardware installed on your computer. Use Device Manager to view device settings, to change hardware resource settings to resolve conflicts, and to update, uninstall, or roll back drivers.

For more information about Device Manager, click Tools in Help and Support Center. Or see Chapter 9, “Managing Devices,” in this book and the section “Driver Signing and Digital Signatures” later in this appendix.

DirectX Diagnostic Tool

The DirectX Diagnostic Tool (Dxdiag.exe) displays information about DirectX application programming interface (API) components and drivers installed on your system. DirectX is found in Windows 95, Windows 98, Windows Me, Windows 2000, Windows Server™ 2003, and Windows XP Professional. DirectX allows these operating systems to take advantage of new and current hardware acceleration technologies that new video, audio, and input devices offer.

The DirectX APIs enhance multimedia application performance and enable Windows compatibility with a variety of video, audio, and input hardware. Although multimedia devices, such as audio and video adapters, are physically and functionally similar, they can use different hardware architecture and design philosophies. DirectX technology allows manufacturers to devote more time to developing new technologies with less concern about low-level Windows programming details.

The DirectX Diagnostic Tool allows you to view and save information about the following types of hardware:

  • Audio (DirectMusic and DirectSound)

  • Video (DirectDraw and Direct3D)

  • Controller and input devices (DirectInput)

  • Network hardware (DirectPlay)

Using the DirectX Diagnostic Tool, you can test multimedia driver compatibility and display driver status and version information. If necessary, you can use the tool to disable or reduce hardware acceleration levels to diagnose problems. You can also use the tool to collect information that might be useful during a technical support call.

To start the DirectX Diagnostic Tool
  • In the Run dialog box, type dxdiag.

The DirectX Diagnostic Tool dialog box reports information on separate tabs about the various components and drivers. Table C-7 describes each tab in the DirectX Diagnostic Tool dialog box.

Table C-7 Tabs in the DirectX Diagnostic Tool Dialog Box

Tab

Description

System

Provides system information about your computer, and specifies the version of DirectX that is installed on your computer.

DirectX Files

Lists the file name, version number, date, and size for each DirectX file that is installed on your computer.

Display

Lists current display settings, and allows you to disable hardware acceleration and test DirectDraw and Direct3D compatibility.

Sound

Displays current sound settings, and tests audio hardware DirectSound compatibility.

Music

Lists music port information, such as Musical Instrument Digital Interface (MIDI) settings, and allows you to test the DirectMusic component of DirectX.

Input

Lists the input devices and drivers installed on your computer.

Network

Lists the registered DirectPlay service providers that are installed on your computer, and allows you to test DirectPlay components.

More Help

Offers additional options if you cannot resolve your DirectX issue by using previous tabs. You can start the System Configuration tool (Msconfig.exe) or override DirectDraw video refresh display settings from this tab. For more information about the System Configuration tool, see “System Configuration Utility” later in this appendix.

Recognizing Common DirectX Issues

You can use the DirectX Diagnostic Tool to determine whether the following issues apply to your system.

Incorrect or outdated DirectX components

In the Notes section on the DirectX Files, Display, Sound, Music, Input, and Network tabs, look for warnings or files labeled as Beta, Debug, Outdated, or Unsigned drivers. For best performance, install the most recent versions of DirectX and use Microsoft-signed drivers. For more information about obtaining and installing the latest version of DirectX, see the DirectX link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Unsigned or beta drivers

Check the DirectX Files tab for drivers labeled Unsigned or Beta. Unsigned and beta drivers have not been fully tested by Microsoft Corporation for compatibility with the latest version of DirectX.

No video hardware acceleration

Some graphics-intensive programs run slowly or not at all if DirectDraw or Direct3D hardware acceleration is unavailable or disabled. Hardware acceleration offloads a substantial portion of 2D image and 3D geometry processing from the central processing unit (CPU) to the video adapter, resulting in much faster system performance. If you experience poor video performance, use the DirectX Diagnostic Tool to verify acceleration settings.

To check video hardware acceleration settings

  1. Start the DirectX Diagnostic Tool.

  2. Select the Display tab, and then in DirectX features verify that at least DirectDraw Acceleration and Direct3D Acceleration are marked as Enabled.

If the option to enable acceleration is not available, your video adapter might not support DirectX acceleration in hardware or you might need to install updated drivers.

Note Features such as AGP or Direct3D acceleration might not be available with older video hardware. You might need to upgrade your video hardware to use certain features in newer technologies.

Testing DirectX Components

You can test the following DirectX components:

  • DirectDraw and Direct3D functionality for video adapters

  • DirectSound and DirectMusic for audio devices

  • DirectPlay for network devices

On the Display, Sound, Music, and Network tabs, click a Test button. Record any messages that appear, and then watch or listen to the tests. Each test prompts you to answer Yes or No to verify successful results. The DirectX Diagnostic Tool tests basic features first and progresses to more advanced functions. If you click No, the more advanced tests are cancelled.

If the default DirectX driver settings cause problems, you can reduce or disable acceleration features for video and audio adapters. For more information about disabling or reducing hardware acceleration levels, see Chapter 9, “Managing Devices.”

Saving Information

To save information gathered by the DirectX Diagnostic Tool, click the Save All Information button in the dialog box. You can save information from all DirectX tabs to a user-specified folder and file name.

For more information about DirectX components, architecture, and multimedia in general, see Windows XP Professional Help and Support Center. Also see Chapter 9, “Managing Devices,” and Chapter 10, “Managing Digital Media.” For more information about obtaining and installing the latest version of DirectX, see the DirectX link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Dr. Watson

In the event of an application error, also known as a user-mode program exception, the Dr. Watson tool (Drwtsn32.exe) writes information to a text-based log file named DrWtsn32.log, in systemdrive\Documents and Settings\All Users\Application Data\Microsoft\DrWatson (default folder location). This log contains the following information:

  • The file name of the program that caused the error

  • Information about the computer and user under which the error occurred

  • A list of programs and services active when the error occurred

  • A list of modules, such as Dynamic Link Library components (DLLs), that were in memory when the error occurred

  • Additional information that might be needed if you decide to contact technical support

The task and module lists are useful for duplicating the conditions under which an application error occurred. Using the lists as a reference, you can add or remove programs and services until you can reproduce the problem.

To view and configure Dr. Watson logs
  1. In the Run dialog box, type drwtsn32.

    Problem descriptions appear in Application Errors.

  2. Select an entry, and then click View to display more information about the error.

  3. To configure reporting settings, select items in the Options area.

To view logs directly from the Start menu
  • In the Run dialog box, type:

    notepad %systemdrive%\documents and settings\all users\documents\drwatson\drwtsn32.log

For more information about the Dr. Watson tool (including a log file overview), click Tools in Help and Support Center.

Error Reporting

Windows XP Professional provides the Error Reporting service, which monitors your system for user-mode and kernel-mode faults that affect the operating system and applications. When an error occurs, the Error Reporting service gathers information about your problem and gives you the option to use an automated system to find more information and possibly a resolution.

User Mode Reporting

When a user mode error occurs, such as an application error, the Error Reporting service takes the following steps:

  • Displays an alert.

    This alert states that Windows XP Professional detected a problem. You can click Report this Problem or Don’t Report, or you can click the “click here” link to view technical information before sending a report to Microsoft.

  • Sends a problem report to Microsoft.

    If you click Report this Problem, the Error Reporting service sends the error report anonymously to Microsoft over an Internet connection secured with Secure Sockets Layer (SSL) encryption. You might be prompted to provide additional information to complete your error report. When the process is complete, you can click More Information, which directs you to updated drivers, patches, or Microsoft Knowledge Base articles.

To verify that Windows Error Reporting is enabled for programs
  1. In Control Panel, open System.

  2. Click the Advanced tab, and then click Error Reporting.

  3. In the Error Reporting dialog box, select Enable error reporting, and then, if the Programs check box is not already selected, select it.

Kernel Mode Reporting

When a Stop error occurs, Windows XP Professional displays a Stop message and writes diagnostic information to a memory dump file. When you restart your system by using Normal mode or Safe mode (with networking) and log on to Windows XP Professional, the Error Reporting service gathers information about the problem and displays a dialog box that gives you the option of sending a report to Microsoft.

For more information about Error Reporting, click Tools in Help and Support Center. For more information about Stop Messages, memory dump files, and using Error Reporting to get information about kernel-mode errors, see “Common Stop Messages for Troubleshooting” on the companion CD.

Event Query

Event Query (Eventquery.vbs) is a command-line tool that you can use to search the event logs by using specified criteria. For troubleshooting, using Event Query enables you to view the event logs for entries related to specified event properties, including date and time, event ID, and user name.

Event Query also enables you to save output to a file and to specify the file format to use. For example, you can save output to a .csv file and further analyze the data by using Microsoft Excel.

For more information about Event Query and the event logs, click Tools in Help and Support Center.

Event Triggers

Event Triggers (Eventtriggers.exe) is a command-line tool that you can use to view, set, or delete trigger events. You can specify an error-log trigger condition to monitor and the task to run, including starting other programs, if thresholds are exceeded. For example, you can create a trigger that starts Disk Cleanup (Cleanmgr.exe) when a “Low Disk Space” message is recorded to the System log.

For more information about Event Triggers and the event logs, click Tools in Help and Support Center.

Event Viewer

Event Viewer (Eventvwr.msc) maintains application, security, and system logs for your computer. It also contains useful information for diagnosing hardware and software problems. Event Viewer provides three logs.

Application Log

Contains events logged by applications or programs. For example, a database program might record read or write errors to this log.

Security Log

Holds security event records, such as logon attempts and actions related to creating, opening, or deleting files. An administrator can view information or specify events to record in the security log.

System Log

Contains information about system components. For example, an entry is made when a driver or other system component fails to load during startup. For more information about how to insert custom shutdown information into the System log, see “Shutdown Event Tracker” later in this appendix.

You can save Event Viewer logs and specify filtering criteria for viewing information. Event Viewer logs can provide clues to problems that affect the system. When troubleshooting, use the information to identify problems with applications, drivers, or services, and to identify frequently occurring issues.

To start Event Viewer
  1. In the Run dialog box, type eventvwr.msc.

    – or –

  2. Start Event Viewer from the Computer Management snap-in.

For more information about the Computer Management MMC snap-in, see “Computer Management Tool” later in this appendix. For more information about using Event Viewer, see Help on the Action menu in Event Viewer.

Global Flags Editor

Global Flags Editor (Gflags.exe) is a GUI-mode Support Tool that allows members of the Administrators group to enable and disable advanced internal system diagnostics and troubleshooting features on computers running Windows XP Professional. Gflags.exe is designed as a debugging tool for application developers. It is most often used to turn on indicators that other tools track, count, and log.

Use it to edit the global flag settings that the kernel uses when starting. The term global flag refers to the GlobalFlag registry entries that Windows XP Professional checks to enable or disable advanced internal system diagnostics and troubleshooting tests.

Caution Incorrect use of Global Flags Editor might cause system startup failure or adversely affect performance. Use this tool only as directed by Microsoft Product Support Services.

For more information about Global Flags Editor, click Tools in Help and Support Center, and then click Windows Support Tools. For more information about memory leaks, see Debugging Tools Help and “Evaluating Memory and Cache Usage” in the Operations Guide of the Microsoft Windows 2000 Server Resource Kit.

Group Policy Snap-In

The Group Policy snap-in (Gpedit.msc) allows you to view, create, delete, or edit user and computer Group Policy objects (GPOs). The Group Policy snap-in enables you to view which Group Policy settings are in effect and simplify troubleshooting by disabling GPOs that can affect the way your system starts and performs. You must be logged on as an administrator or a member of the Administrators group to use the Group Policy snap-in.

To start the Group Policy snap-in
  • In the Run dialog box, type gpedit.msc.

For an illustration of using the Group Policy snap-in to help diagnose a startup problem, see Chapter 29, “Troubleshooting the Startup Process.” Also, see article 256320, “Startup Scripts May Appear to Hang Windows 2000,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Two related tools—Group Policy Results (Gpresult.exe) and the Resultant Set of Policy snap-in (Rsop.msc)—enable you to view Group Policy settings. Another related tool, Group Policy Update (Gpupdate.exe), enables you to immediately refresh changes to GPOs. For more information about using the Group Policy snap-in, see Windows XP Professional Help and Support Center.

For more information about Group Policy, see Chapter 17, “Managing Authorization and Access Control,” Chapter 1, “Planning Deployments,” and Chapter 5, “Managing Desktops.” Also, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit and the Change and Configuration Management Deployment Guide link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Group Policy Results

Group Policy Results (Gpresult.exe) is a command-line tool that displays information about the cumulative result that Group Policy objects (GPOs) have on computers and users. Use this tool to view which Group Policy settings are in effect for the local computer, sites, domains, and organizational units (OUs). Group Policy Results provides information that can help you identify and troubleshoot problems that are caused by missing or improperly applied GPOs.

Two related tools—the Group Policy snap-in (Gpedit.msc) and the Resultant Set of Policy snap-in (Rsop.msc)—enable you to change and view Group Policy information. For more information about using Gpresult.exe, see Windows XP Professional Help and Support Center.

For more information about Group Policy, see Chapter 17, “Managing Authorization and Access Control,” Chapter 1, “Planning Deployments,” and Chapter 5, “Managing Desktops.” Also, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit and the Change and Configuration Management Deployment Guide link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Group Policy Update

Group Policy changes do not always take effect immediately. You can use the Group Policy Update (Gpupdate.exe) command-line tool to immediately refresh changes to user and computer GPOs. Group Policy Update replaces the secedit /refreshpolicy command used in Windows 2000 to refresh Group Policy settings. You must be logged on as an administrator or a member of the Administrators group to run Gpupdate.exe.

After you run Gpupdate.exe, you can use the Resultant Set of Policy snap-in (Rsop.msc) or the Group Policy Results (Gpresult.exe) tool to verify that the updated settings are in effect. For more information about using Gpupdate.exe, see Windows XP Professional Help and Support Center.

For more information about Group Policy, see Chapter 17, “Managing Authorization and Access Control,” Chapter 1, “Planning Deployments,” and Chapter 5, “Managing Desktops.” Also, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit and the Change and Configuration Management Deployment Guide link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Kernel Debugger

You can use a kernel debugger for real-time computer debugging, or to analyze a memory-dump file saved to disk when a Stop error occurs. A kernel debugger enables advanced users to view the contents of computer memory, including source code and variables. The following are two debuggers that you can obtain from Microsoft.

Kernel Debugger

Kernel Debugger (Kd.exe) is a command-line debugging tool that you can use to analyze a memory dump file written to disk when a Stop message occurs. Kernel Debugger requires that you install symbol files on your system.

WinDbg Debugger

WinDbg Debugger (Windbg.exe) provides functionality similar to Kernel Debugger, but it uses a graphical user interface.

Kernel Debugger and WinDbg Debugger are two of many available debugging tools. For more information about kernel debugging tools, Stop messages, memory-dump files, or symbol files, see Debugging Tools Help or “Common Stop Messages for Troubleshooting” on the companion CD.

Memory Pool Monitor

Memory Pool Monitor (Poolmon.exe) is a Support Tool used to detect memory leaks.

For more information about the Pool Monitor and a related tool, Global Flags Editor (Gflags.exe), click Tools in Help and Support Center, and then click Windows Support Tools. Also, see Debugging Tools Help. For more information about memory leaks, see “Evaluating Memory and Cache Usage” in the Operations Guide of the Microsoft Windows 2000 Server Resource Kit. Also, see “Global Flags Editor” earlier in this appendix.

Online Crash Analysis Web Site

The Online Crash Analysis Web site enables you to send kernel-mode error reports to Microsoft Corporation and track the status of reports previously sent by using your Microsoft Passport information. You can access the Online Crash Analysis Web site by using the Error Reporting service or by using your Web browser. For more information about using the Online Crash Analysis Web site and the Error Reporting service to diagnose Stop errors, see “Common Stop Messages for Troubleshooting” on the companion CD.

OpenFiles

OpenFiles (Openfiles.exe) is a command-line tool that you can use to view or disconnect connections to files and folders opened remotely by using a shared folder.

For more information about using OpenFiles, click Tools in Help and Support Center.

Performance Snap-In

The Performance (Perfmon.msc) MMC snap-in enables you to establish performance baselines, diagnose system problems, and anticipate increased system resource demands. This tool can be used to obtain useful data for detecting system bottlenecks and changes in system performance.

The Performance snap-in has two components:

  • System Monitor

  • Performance Logs and Alerts

These components allow you to collect, save, and view real-time data pertaining to memory, disk, processor, network, and other activities in various formats such as graphs, histograms, and reports. You can configure Performance Logs and Alerts to record performance data and set system alerts when a specified parameter is above or below a defined threshold.

To start the Performance snap-in
  • In the Run dialog box, type perfmon.msc.

For more information about the Performance Tool, see Windows XP Professional Help and Support Center and “Overview of Performance Monitoring” in the Operations Guide of the Microsoft Windows 2000 Server Resource Kit.

Process and Thread Status

Process and Thread Status (Pstat.exe) is a command-line Support Tool that enables you to view the status of threads, processes, and drivers running on your computer.

For an illustration of how to use Process and Thread Status to identify driver problems, see article 192463, “Gathering Blue Screen Information After Memory Dump,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

For more information about Process and Thread Status, click Tools in Help and Support Center, and then click Windows Support Tools.

Program Compatibility Wizard

The Program Compatibility Wizard allows you to test and resolve compatibility issues with a program that worked correctly on an earlier version of Windows. By using the Program Compatibility Wizard, you might be able to run an older program by using a specific compatibility mode and display resolution.

You can run a program released for an earlier version of Windows by using the following compatibility modes:

  • Windows 95

  • Windows 98 and Windows Me

  • Windows NT 4.0 (Service Pack 5)

  • Windows 2000

You can also use the following display options to resolve video driver compatibility problems:

  • Run in 256 colors

  • Run in 640 x 480 screen resolution

  • Disable visual themes

To set compatibility mode options for a program (Method 1)
  1. From the Start menu, click Accessories, and then click Program Compatibility Wizard.

  2. Follow the on-screen instructions to select a program and to specify the compatibility options to use when running the program.

To set compatibility mode options for a program (Method 2)
  1. Open Windows Explorer to locate the program.

  2. Right-click the program’s icon, and then click Properties.

  3. In the Properties dialog box, click the Compatibility tab.

  4. Select the options you want to use, and then click OK.

    Warning It is recommended that, while working in compatibility mode, you do not run virus-detection software, backup programs, CD authoring tools, or other programs that install system drivers and services.

Always consult the software manufacturer’s Web site for more information about obtaining Windows XP Professional–specific updates. For more information about program compatibility, see Windows XP Professional Help and Support Center.

Registry Editor

Advanced users can use the Registry Editor, Regedit.exe, to view or change system settings. The registry is a central database that stores information about users, software, and hardware. The registry editor displays the data by using a GUI that lists subtrees, keys, subkeys, and entries. Subkeys are similar to folders and can hold entries and other subkeys. Valid data types for entries include strings, dwords (hexadecimal values), and binary values.

Editing the registry directly is seldom required, and using the registry editor is typically a last-resort option. Use caution when editing the registry, because specifying incorrect values can cause instability. The registry editor is intended for advanced users who are familiar with registry concepts and want to configure settings for which a user interface does not exist. If you must edit the registry, back it up first and see the Registry Reference in the Microsoft Windows 2000 Server Resource Kit at https://www.microsoft.com/reskit.

Before Using the Registry Editor

Before you use the Registry Editor, be sure that you can restore your system if problems occur. Before changing registry values, use System Restore or the Backup tool. For more information about System Restore, see “System Restore” earlier in this appendix. For more information about using the Backup tool for troubleshooting, see “Backup” earlier in this appendix. Also, see Chapter 14, “Backing Up and Restoring Data.”

If you have not saved the system state and you encounter problems, you might be able to recover by restarting the computer and using the Last Known Good Configuration startup option. For more information about using this option, see “Last Known Good Configuration” earlier in this appendix.

Features of the Registry Editor

The Registry Editor, Regedit.exe, in Windows XP Professional provides many improvements and convenient features that enable you to do the following:

  • Make all your changes by using one Registry Editor, Regedit.exe. Regedit.exe in Windows XP Professional combines the features of the two registry editors in Windows 2000 (Regedit.exe and Regedt32.exe) into a single program. Regedit.exe in Windows XP Professional supports importing portions of the registry that were backed up by using versions of Regedt32.exe included with Windows NT 4.0 and Windows 2000.

  • Perform searches by using criteria that you specify. Performance improvements enable you to view search results more quickly than in previous versions.

  • Save commonly used or hard-to-find subkeys and entries in a list of favorites for faster access in the future.

  • Quickly return to a location in the registry, because the Registry Editor records and opens the last location that you viewed.

  • Export all or a portion of registry content to a file that can be read by using a text editor such as Notepad. Information contained in these exported files is logically organized and labeled.

  • Use the registry editor from the command line by specifying the /s parameter. When you use /s, Regedit.exe does not display a GUI or pause for user confirmation. This enables you to use the registry editor in batch files.

Registry Subtrees

The registry consists of five subtrees that group computer information and settings by category or scope. Table C-8 lists and describes the five subtrees that make up the registry.

Table C-8 Registry Subtrees

| Subtree | Description |
| --- | --- |
| HKEY_CLASSES_ROOT | Stores the information that maintains file associations to ensure that the correct program runs when you open a data file. For example, the information in this subkey associates files using a .doc file name extension with Microsoft Word if Microsoft Office is installed. This subtree also contains information necessary to support core aspects of the Windows user interface, such as drag-and-drop operations. |
| HKEY_CURRENT_USER | Contains configuration settings for the user currently logged on. Examples of information stored for each user are Desktop wallpaper and custom color settings. User-specific information in HKEY_CURRENT_USER is taken from the HKEY_USERS subtree during the logon process. |
| HKEY_LOCAL_MACHINE | Contains computer-specific hardware and software settings that apply to the entire computer, regardless of the user logged on. An example of this is hard-disk configuration settings. |
| HKEY_USERS | Contains information that applies to all users of the computer. Settings that apply to all users, as well as user-specific settings, are stored in this subtree. User-specific information is grouped by security identifier (SID) values, a unique number assigned to a user account. |
| HKEY_CURRENT_CONFIG | Contains information about the current hardware profile used by the local computer. HKEY_CURRENT_CONFIG is an alias for information stored in HKEY_LOCAL_MACHINE. |

For more information about using the registry editor, Regedit.exe, click Tools in Help and Support Center.

Resultant Set of Policy

The Resultant Set of Policy (RSoP) snap-in (Rsop.msc) enables you to poll and evaluate the cumulative effect that local, site, domain, and organizational unit Group Policy objects (GPOs) have on computers and users. Resultant Set of Policy enables you to check for GPOs that might affect your troubleshooting. For example, a GPO setting can cause startup programs to run after you log on to the computer.

Use this snap-in to evaluate the effects of existing GPOs on your computer. This information is helpful for diagnosing deployment or security problems. Rsop.msc reports individual Group Policy settings specific to one or more users and computers, including advertised and assigned applications.

To start the Resultant Set of Policy snap-in
  • In the Run dialog box, type rsop.msc.

For more information about Group Policy, see Chapter 17, “Managing Authorization and Access Control,” Chapter 1, “Planning Deployments,” and Chapter 5, “Managing Desktops.” Also, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit and the Change and Configuration Management Deployment Guide link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Two related tools, the Group Policy snap-in (Gpedit.msc) and the Group Policy Results tool (Gpresult.exe), allow you to view Group Policy information. For more information about the preceding tools, see “Group Policy Snap-In” and “Group Policy Results” earlier in this appendix.

RunAs (Command-Line Tool)

RunAs (Runas.exe) is a command-line tool that you can use to run tools and programs with different permissions than the user’s current logon provides. For troubleshooting, this enables you to run configuration and diagnostic tools with administrator credentials while logged on as another user (for example, a user account that is a member of the Power Users group). You can then test and observe the results that these changes have on user accounts and groups that do not have administrative privileges.

For more information about using the RunAs command-line tool, see Windows XP Professional Help and Support Center.

RunAs (GUI Feature)

Windows XP Professional enables you to run tools and programs from the Start menu, Windows desktop, and Windows Explorer, with different permissions than the user’s current logon provides. For troubleshooting, this enables you to run configuration and diagnostic tools with administrator credentials while logged on as another user (for example, a user account that is a member of the Power Users group). You can then test and observe the results that these changes have on user accounts and groups that do not have administrative privileges.

To start a program as an administrator
  1. Locate an executable file, snap-in, or shortcut to run by using the Start menu, Windows desktop, or Windows Explorer.

  2. Press and hold the SHIFT key, right-click the program icon, and then click Run as.

  3. In the Run As dialog box, specify a user account with administrative permissions, and then click OK.

For more information about using RunAs functionality from the Windows GUI, see “Use the runas command to start programs as an administrator” in Windows XP Professional Help and Support Center.

SC

SC (Sc.exe) is a command-line tool that communicates with the Windows XP Professional Services Control Manager (SCM) and displays information about processes running on your computer. SC enables you to perform many functions including:

  • Display service information such as startup type and whether you can pause or end a process.

  • Start, pause, resume, or end a process.

The following illustrates output obtained by typing sc query at the command prompt:

SERVICE_NAME: winmgmt 
DISPLAY_NAME: Windows Management Instrumentation 
        TYPE               : 20 WIN32_SHARE_PROCESS 
        STATE              : 4 RUNNING 
                                (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN) 
        WIN32_EXIT_CODE    : 0 (0x0) 
        SERVICE_EXIT_CODE : 0 (0x0) 
        CHECKPOINT         : 0x0 
        WAIT_HINT          : 0x0

SC enables you to create lists of components that are running in safe and normal modes. By comparing the differences between the two lists, you can determine which components are not required to start Windows XP Professional. For diagnostic purposes, you can disable services individually in safe mode and then try to start your computer in normal mode.
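
The comparison described above can be scripted: the following Python example (added here, not part of the original appendix) parses two captures in the sc query layout shown earlier and reports the services that run in normal mode but not in safe mode. The captures are constructed sample data; Eventlog, ExampleAgent, and ExampleDrvHelper and their flags are assumptions for illustration, not a real safe-mode inventory.

```python
import re

# Matches "KEY : value" lines. Keys are upper-case identifiers, so a colon
# inside a display name is never mistaken for the separator.
FIELD_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*?)\s*$")

# One service block in the layout that "sc query" prints (constructed sample).
BLOCK_TEMPLATE = """\
SERVICE_NAME: {name}
DISPLAY_NAME: {display}
        TYPE               : 20 WIN32_SHARE_PROCESS
        STATE              : {state}
                                ({flags})
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE : 0 (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""


def sample_capture(*services):
    """Build constructed capture text from (name, display, state, flags) tuples."""
    return "\n".join(
        BLOCK_TEMPLATE.format(name=n, display=d, state=s, flags=f)
        for n, d, s, f in services
    )


# Constructed stand-ins for "sc query > normal.txt" and "sc query > safe.txt".
NORMAL_CAPTURE = sample_capture(
    ("winmgmt", "Windows Management Instrumentation", "4 RUNNING",
     "STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN"),
    ("Eventlog", "Event Log", "4 RUNNING",
     "NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN"),
    ("ExampleAgent", "Example Backup Agent", "4 RUNNING",
     "STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN"),
    ("ExampleDrvHelper", "Example Driver Helper", "4 RUNNING",
     "NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN"),
)
SAFE_CAPTURE = sample_capture(
    ("EVENTLOG", "Event Log", "4 RUNNING",
     "NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN"),
    ("winmgmt", "Windows Management Instrumentation", "4 RUNNING",
     "STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN"),
)


def parse_sc_query(text):
    """Parse sc query output into {lower-case service name: record}."""
    services = {}
    current = None
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match is None:
            # Continuation line under STATE: "(STOPPABLE,PAUSABLE,...)".
            flags = line.strip()
            if current is not None and flags.startswith("(") and flags.endswith(")"):
                current["accepts"] = {
                    f.strip() for f in flags[1:-1].split(",") if f.strip()
                }
            continue
        key, value = match.groups()
        if key == "SERVICE_NAME":
            current = {"name": value, "display_name": "", "state": "", "accepts": set()}
            services[value.lower()] = current  # service names are not case-sensitive
        elif current is not None and key == "DISPLAY_NAME":
            current["display_name"] = value
        elif current is not None and key == "STATE":
            # "4 RUNNING" -> "RUNNING"; the leading number is the state code.
            current["state"] = value.split()[-1] if value else ""
    return services


def running(services):
    """Return the keys of all services whose state is RUNNING."""
    return {key for key, rec in services.items() if rec["state"] == "RUNNING"}


def compare_captures(normal_text, safe_text):
    """List services running in normal mode only, as
    (service name, display name, can be stopped) tuples."""
    normal = parse_sc_query(normal_text)
    safe = parse_sc_query(safe_text)
    report = []
    for key in sorted(running(normal) - running(safe)):
        rec = normal[key]
        report.append((rec["name"], rec["display_name"], "STOPPABLE" in rec["accepts"]))
    return report


if __name__ == "__main__":
    for name, display, stoppable in compare_captures(NORMAL_CAPTURE, SAFE_CAPTURE):
        print(f"{name:<18} {display:<24} stoppable={stoppable}")
```

Services in the resulting list are the candidates to disable one at a time while you test startup; an entry that is not stoppable has to be disabled through its startup type rather than stopped while running.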

For more information about SC, click Tools in Help and Support Center. For more information about troubleshooting startup problems, see Chapter 29, “Troubleshooting the Startup Process.”

Services Snap-In

The Services (Services.msc) snap-in enables you to view service information or to temporarily stop, pause, or disable services for troubleshooting or diagnostic purposes. You must be logged on as an administrator or a member of the Administrators group to change service properties.

To start the Services snap-in
  1. In the Run dialog box, type services.msc.

    – or –

  2. Start the Services snap-in from the Computer Management tool.

    For more information about the Computer Management tool, click Tools in Help and Support Center. Also, see “Computer Management Tool” later in this appendix.

To view properties for a service, double-click the service name. For more information about services and using the Services snap-in to troubleshoot application and startup problems, click Tools in Help and Support Center and see Chapter 29, “Troubleshooting the Startup Process.”

Shutdown Event Tracker

Shutdown Event Tracker provides a mechanism to record reasons in the System log for scheduled (planned), unscheduled (unplanned), and unexpected computer shutdowns or restarts. This mechanism takes the form of a Shutdown Event Tracker dialog box that appears if any of the following events occur:

  • Immediately after a user clicks Shut Down from the Start menu, and then clicks Shut Down or Restart from the Shut Down Windows dialog box

  • After a user resets the computer and logs on to Windows XP Professional

  • After power is disconnected, when a user starts the computer and logs on to Windows XP Professional

You can indicate whether the shutdown or restart was “planned” or “unplanned.” The reasons and comments that you provide are recorded to the System log. Predefined reasons that Windows XP Professional provides for planned and unplanned shutdowns include the following:

  • Hardware: Maintenance (Planned and Unplanned)

  • Hardware: Installation (Planned and Unplanned)

  • Operating System: Upgrade (Planned and Unplanned)

  • Operating System: Configuration Change (Planned and Unplanned)

  • Application: Maintenance (Planned and Unplanned)

  • Application: Unresponsive (Planned and Unplanned)

  • Application: Unstable (Unplanned)

A shutdown that is not initiated by the operating system, an application, a service, or the Shut Down Windows dialog box is an unexpected shutdown. Causes of unexpected shutdown include a power failure or a disconnected power cable. Predefined reasons for unexpected shutdowns include the following:

  • System Failure: Stop error

  • Power Failure: Cord Unplugged

  • Power Failure: Environment

  • Other Failure: System Unresponsive

  • Unknown

    Caution Do not edit the registry unless you have no alternative. The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back it up first.

By default, Shutdown Event Tracker is disabled in Windows XP Professional but enabled in Windows Server 2003. Use the following procedure to enable or disable Shutdown Event Tracker.

To enable or disable Shutdown Event Tracker
  1. In the Run dialog box, start the Registry Editor by typing regedit.exe and then clicking OK.

  2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability, and then double-click ShutdownReasonUI.

  3. To enable Shutdown Event Tracker, assign a value of 1.

    – or –

    To disable Shutdown Event Tracker, assign a value of 0.

  4. Click OK, and then close the Registry Editor.

Use the following procedure to view Shutdown Event Tracker information.

To view Shutdown Event Tracker information
  1. In the Run dialog box, type eventvwr.msc.

  2. In Event Viewer (local), click System Log.

  3. On the View menu, click Find to open the Find in local System dialog box.

  4. In the Event ID box, type 1074 (planned and unplanned) or 1076 (unexpected shutdown), and then click Find Next.

  5. Click the up or down arrows to view each matching entry. Shutdown or restart information appears in the Description box.

A related command-line tool, Shutdown (Shutdown.exe), enables you to shut down the computer from the command line. By using the -d parameter, Shutdown also enables you to record shutdown reasons to the System log. Another related tool, Event Query (Eventquery.vbs), enables you to search the System log on one or more computers for shutdown information, and save the output to a file for further evaluation. For more information about Shutdown Event Tracker and the Shutdown command-line tool, click Tools in Help and Support Center.

System Configuration Utility

System Configuration Utility (Msconfig.exe) allows you to temporarily change the way Windows XP Professional starts by disabling startup programs and services individually or several at a time. For example, on x86-based computers, you can use this tool to disable 16-bit startup applications specified in Win.ini and System.ini. Figure C-2 shows the tabs available and the options on the General tab. You must be logged on as an administrator or a member of the Administrators group to change or restore settings by using System Configuration Utility.

Figure C-2 System Configuration Utility

To change options by using System Configuration Utility
  1. In the Run dialog box, type msconfig.

  2. In the System Configuration Utility dialog box, click one of the tabs, and then enable or disable the available options by clearing or selecting the check box for a configuration option.

System Configuration Utility provides several configuration tabs that allow you to enable or disable system services and startup applications.

General

Allows you to start Windows XP Professional in Normal, Diagnostic, or Selective Startup mode.

Diagnostic Startup

Starts Windows XP Professional in safe mode with only basic device drivers and services active. When you select the Diagnostic Startup option, System Configuration Utility disables most services, and you might not be able to run certain Computer Management and Control Panel tools. To use these tools, select the Selective Startup option on the General tab, and then enable the following services listed on the Services tab:

  • Cryptographic Services

  • Event Log

  • Logical Disk Manager

  • Help and Support

  • Plug and Play

  • Remote Procedure Call (RPC)

  • System Restore Service

  • Windows Management Instrumentation

For more information about the Computer Management tool, see “Computer Management Tool” later in this appendix.

Selective Startup

Allows you to enable or disable programs and services listed in the SYSTEM.INI, WIN.INI, BOOT.INI, Startup, and Services tabs. Disabling a check box under Selective Startup disables all entries in the corresponding tab. You can also enable or disable individual entries on each tab.

WIN.INI and SYSTEM.INI Tabs

On these two tabs, you can enable or disable services and startup programs meant for earlier versions of Windows. Windows XP Professional requires neither systemroot\System.ini nor systemroot\Win.ini; these files are maintained only for compatibility with older software that does not use the registry to save settings. The System.ini file is used to start and store information for drivers and services; the Win.ini file plays a similar role for applications.

BOOT.INI Tab

On this tab, you can customize your Boot.ini file. For more information about the Boot.ini file, see Chapter 29, “Troubleshooting the Startup Process.”

Services Tab

On this tab, you can enable or disable specific services. Enabling Hide All Microsoft Services allows you to isolate and disable third-party services.

Certain applications (such as antivirus programs) run as services. Problems with these applications might prevent you from starting Windows XP Professional in normal mode. You can use System Configuration Utility to disable a service and verify that it is the cause of the problem. For more information about troubleshooting startup problems, see Chapter 29, “Troubleshooting the Startup Process.”

Startup Tab

You can enable or disable startup programs on this tab. For more information about disabling startup programs, see Chapter 29, “Troubleshooting the Startup Process.”

If you change any startup setting by using System Configuration Utility, the following message appears the next time you log on to the system:

You have used the System Configuration Utility 
to change the way Windows starts. The System Configuration 
Utility is currently in Diagnostic or Selective Startup  
mode, causing this message to be displayed and the utility 
to run every time Windows starts. Choose the Normal Startup 
mode on the General tab to start Windows normally and undo the 
changes you made using the System Configuration Utility.

Simplifying system configuration is an essential part of troubleshooting. For more information about using System Configuration Utility, click Tools in Help and Support Center.

Systeminfo

Systeminfo (Systeminfo.exe) is a command-line tool that displays computer configuration information. You can use this tool to gather information useful for troubleshooting, such as the firmware version and any software updates applied. This tool is separate from the GUI-based System Information tool (Msinfo32.exe) but provides similar information.

To start Systeminfo, type systeminfo at the command prompt.

The following is an illustration of Systeminfo output:

Host Name:                 RLY-1-TST 
BIOS Version:              BIOS v4.51PG 
Boot Device:               \Device\HarddiskVolume1 
Total Physical Memory:     127.00 M 
Available Physical Memory: 8,976.00 K 
Virtual Memory: Max Size: 443,176.00 K 
Virtual Memory: Available: 190,580.00 K 
Virtual Memory: In Use:    252,596.00 K 
Domain:                    mydomain.com 
Logon Server:              \\LOGON-SRV-1 
Hotfix(s):                 1 Hotfix(s) Installed.

For more information about Systeminfo.exe, click Tools in Help and Support Center.

System Information

System Information (Msinfo32.exe) displays configuration information that can help you diagnose and troubleshoot problems.

To start System Information
  • In the Run dialog box, type msinfo32.

System Information displays and groups information about your computer into categories.

System Summary

System Summary displays information about the system, such as processor type, computer name, and the amount of physical memory available. System Summary is a good starting point to search for information about the environment in which the problem is occurring.

Hardware Resources

This item displays information such as direct memory access (DMA) channels, free and used interrupt request (IRQ) lines, device conflicts, and resource sharing. Hardware Resources contains a Problem Devices item, which lists descriptions and error codes for devices that might not be functioning correctly. Expand Hardware Resources to obtain information about system hardware resource settings. Table C-9 describes the information displayed.

Table C-9 Hardware Resource Information

| Resource | Description |
| --- | --- |
| Conflicts/Sharing | Provides information about shared or conflicting devices, including several bus types such as Industry Standard Architecture (ISA), Peripheral Component Interconnect (PCI), Small Computer System Interface (SCSI), and PC Card or Personal Computer Memory Card International Association (PCMCIA). Shared resources are not necessarily in conflict. For example, PCI devices can share IRQs. |
| DMA | Reports the DMA channels in use, the devices that use them, and the channels that are free for use. |
| Forced Hardware | Lists devices that have manually specified resources, instead of resources that Windows XP Professional assigns. This information is useful for troubleshooting Plug and Play resource conflicts. |
| I/O | Lists all input and output (I/O) port ranges in use and the devices that use each range. |
| IRQ | Summarizes IRQ usage by identifying the devices that use each IRQ; also identifies which IRQs are free. |
| Memory | Lists memory address ranges in use by devices. |

For more information about system resources and managing device settings, see Chapter 9, “Managing Devices.”

Components

This item displays hardware information for installed devices such as ports, display, and USB. Components contains a Conflicts/Shared item, which lists descriptions and error codes for devices that might not be functioning correctly. Expand Components for information about device component configuration. For information about devices that have assigned error codes from Windows XP Professional, check Problem Devices when you are troubleshooting.

For more information about system resources and how to manage device settings, see Chapter 9, “Managing Devices.”

Software Environment

Software Environment displays a list of drivers, environment variables, tasks, and services. You can use this information to verify that a process is running or to determine versions. Expand Software Environment for information about software in system memory. Table C-10 describes the information displayed.

Table C-10 Software Environment

| Category | Description |
| --- | --- |
| System Drivers | Lists and displays status for all enabled drivers. |
| Signed Drivers | Provides the same type of information as System Drivers, but limits the scope to signed drivers. |
| Environment Variables | Lists all system environment variables and their values. |
| Print Jobs | Lists open print jobs. |
| Network Connections | Lists all mapped network connections. |
| Running Tasks | Lists all processes currently running on the system. |
| Loaded Modules | Lists loaded system-level DLLs and programs, along with their version numbers, size, and file date and path. Useful for debugging software problems, such as application faults. |
| Services | Lists all available system services, showing current run status and start mode. |
| Program Groups | Lists all existing program groups for all known users of the system. |
| Startup Programs | Lists programs started automatically either from the registry, the Startup program group or the Win.ini file. |
| OLE Registration | Lists OLE file associations controlled by the registry. |

Internet Explorer

This item displays a list of configuration settings related to Internet Explorer. Expand Internet Explorer to obtain information about system configuration. Table C-11 describes the information displayed.

Table C-11 Internet Explorer

| Category | Definition |
| --- | --- |
| Summary | Lists Internet Explorer information, such as the version and cipher strength |
| File Versions | Lists all files associated with Internet Explorer, as well as version numbers, file sizes, file dates, installation paths, and manufacturer |
| Connectivity | Lists all the connectivity settings used by Internet Explorer |
| Cache | Lists a general summary of cache settings and of cached objects |
| Content | Determines whether Content Advisor is enabled, and lists all installed personal certificates, other people certificates, and publishers |
| Security | Lists the settings for Internet security zones |

System Information Menu

The Tools menu in System Information provides convenient access to several troubleshooting tools and features including the following:

  • Backup

  • Disk Cleanup

  • Dr. Watson

  • DirectX Diagnostic Tool

  • File Signature Verification Tool

  • Hardware Wizard

  • Network Connections

  • System Monitor

To save System Information data to a text file
  1. Start System Information.

  2. On the File menu, click Export, and then type a file name.

  3. To print the information, under the File menu, click Print.

A full System Information printout is an important record of your computer’s baseline configuration that you can use for troubleshooting. For more information about system baselines, see Chapter 27, “Understanding Troubleshooting.”

Task Kill

Task Kill (Tskill.exe) is a command-line tool used to end one or more processes. You can end processes by using a command-line parameter to Tskill.exe that specifies the process identifier (PID) or any part of the process name, such as the title of the application’s main window. You can obtain a list of process names and IDs by using a related tool, Task List (Tasklist.exe).

Use Task Kill for troubleshooting when you suspect that faulty services or applications that stop responding or consume excessive system resources might be adversely affecting the performance of your system. Symptoms typically include sluggish performance, slow screen updates, delayed response to network requests, or slow response to keyboard and mouse input.

You can use Task Kill to specify how to stop processes by using either of the following methods:

  • Sending the process a command to halt itself

  • Forcing the process to end

Task Kill is useful for terminating tasks when Task Manager is not available or when you are remotely connecting to other computers by using the Telnet protocol.

For more information about Task Kill or the related Task List tool, click Tools in Help and Support Center. For more information about using task-listing or task-ending tools for troubleshooting, see Chapter 29, “Troubleshooting the Startup Process.”

Task List

The Task List command-line tool (Tasklist.exe) allows you to obtain a list of active processes that are running on a local computer. For each process, Task List displays the process name and process identifier (PID). The following is output from Task List:

Host Name        Image Name                   PID Session   Mem Usage 
================ ========================= ====== ======== ============ 
RLY-TST-WXP      System Idle Process            0        0         20 K 
RLY-TST-WXP      System                         4        0        216 K 
RLY-TST-WXP      smss.exe                     188        0        332 K 
RLY-TST-WXP      csrss.exe                    200        0      2,996 K

You can terminate a process by specifying the PID number as a command-line parameter to process-ending tools such as Task Kill or Process Viewer. You can disable a process to rule it out as the cause of a problem. For more information about troubleshooting applications and services, see Chapter 29, “Troubleshooting the Startup Process.”

For more information about the Task List or the related Task Kill and Process Viewer tools, click Tools in Help and Support Center.
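
An added example, not part of the original appendix: Python code that parses Task List output in the layout shown above, using the row of equal signs to find the column boundaries, then ranks processes by memory usage and previews which PIDs a partial name would select before you pass it to Task Kill. The sample rows are constructed from the listing above; the last row (example app.exe) is an assumption.

```python
import re

# Column layout of the listing above: left-aligned text, right-aligned numbers.
ROW_FMT = "{:<16} {:<25} {:>6} {:>8} {:>12}"


def build_sample(rows):
    """Render constructed rows in the same fixed-width layout as the listing."""
    header = ROW_FMT.format("Host Name", "Image Name", "PID", "Session", "Mem Usage")
    ruler = ROW_FMT.format("=" * 16, "=" * 25, "=" * 6, "=" * 8, "=" * 12)
    return "\n".join([header, ruler] + [ROW_FMT.format(*row) for row in rows])


SAMPLE_OUTPUT = build_sample([
    ("RLY-TST-WXP", "System Idle Process", 0, 0, "20 K"),
    ("RLY-TST-WXP", "System", 4, 0, "216 K"),
    ("RLY-TST-WXP", "smss.exe", 188, 0, "332 K"),
    ("RLY-TST-WXP", "csrss.exe", 200, 0, "2,996 K"),
    ("RLY-TST-WXP", "example app.exe", 1432, 0, "187,204 K"),  # constructed row
])


def parse_tasklist(text):
    """Return one dict per process, keyed by the column headings.

    Image names can contain spaces, so rows are cut at the column
    boundaries given by the ruler line instead of split on whitespace.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    ruler_idx = next(
        (i for i, ln in enumerate(lines) if set(ln) <= {"=", " "}), None
    )
    if ruler_idx is None or ruler_idx == 0:
        raise ValueError("no heading and ruler lines found")
    spans = [m.span() for m in re.finditer(r"=+", lines[ruler_idx])]

    def cut(line):
        cells = [line[a:b].strip() for a, b in spans[:-1]]
        cells.append(line[spans[-1][0]:].strip())  # last column runs to end of line
        return cells

    names = cut(lines[ruler_idx - 1])
    processes = []
    for line in lines[ruler_idx + 1:]:
        record = dict(zip(names, cut(line)))
        if not record.get("PID", "").isdigit():
            continue  # skip anything that is not a process row
        record["PID"] = int(record["PID"])
        # "2,996 K" -> 2996
        record["mem_kb"] = int(record["Mem Usage"].replace(",", "").split()[0])
        processes.append(record)
    return processes


def top_memory(processes, count=3, skip=("System Idle Process", "System")):
    """Largest memory consumers first; the two system entries from the
    listing above are excluded because they are not candidates to end."""
    candidates = [p for p in processes if p["Image Name"] not in skip]
    return sorted(candidates, key=lambda p: p["mem_kb"], reverse=True)[:count]


def pids_matching(processes, name_fragment):
    """Preview which PIDs a partial image name would select.

    This is a plain substring check for review purposes, not a
    reimplementation of how Task Kill matches names.
    """
    fragment = name_fragment.lower()
    return [p["PID"] for p in processes if fragment in p["Image Name"].lower()]


if __name__ == "__main__":
    procs = parse_tasklist(SAMPLE_OUTPUT)
    for proc in top_memory(procs):
        print(f'{proc["PID"]:>6}  {proc["mem_kb"]:>9} K  {proc["Image Name"]}')
    print("PIDs matching 'ss':", pids_matching(procs, "ss"))
```

A short fragment can select more processes than intended (here "ss" also matches System Idle Process), so ending a process by PID is the safer choice when several names are similar.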

Task Manager

Task Manager (Taskmgr.exe) is a GUI tool that enables you to view or end a process or an unresponsive application. You can also use Task Manager to gather other information, such as CPU statistics.

To start Task Manager
  1. At the command prompt, type taskmgr.

    – or –

  2. You can start Task Manager by pressing Ctrl+Alt+Del and then clicking Task Manager.

The Task Manager window contains four tabs: Applications, Processes, Performance, and Networking. The Applications and Processes tabs provide a list of applications or processes currently active on your system. These lists are valuable because active tasks do not always display a user interface, making it difficult to detect activity. Task Manager displays active processes and enables you to end most items by clicking End Process. You cannot end some processes immediately, and you might need to use other programs—such as the Services snap-in, Task Kill, Process Viewer, or equivalent tools—to end them. You can also customize Task Manager to increase or decrease the level of detail shown on the Processes tab.

To display additional information on the Processes tab
  1. Start Task Manager, and then click the Processes tab.

  2. On the View menu, click Select Columns.

  3. Select or clear the columns that you want to add to, or remove from, the Processes tab.

For more information about using Task Manager, start the tool, and then on the Help menu, click Task Manager Help Topics.

Uninstall Windows XP Professional

For systems upgraded to Windows XP Professional from Windows 98 or Windows Me, you might be able to revert to the previous operating system as a method for resolving the following problem.

After upgrading to Windows XP Professional, you might discover that a critical application does not run or a device fails to initialize. Consult the software or hardware manufacturer to determine whether a compatibility problem exists. You might also learn that one of the following conditions applies to you:

  • The program does not run correctly, even after running the Program Compatibility Wizard. For more information, see “Program Compatibility Wizard” earlier in this appendix.

  • The manufacturer no longer supports the application or device, and an update is not available. Furthermore, device drivers for earlier versions of Windows do not work.

  • The manufacturer supports the device, but a Windows XP Professional update is not yet available. Furthermore, device drivers for earlier versions of Windows do not work.

Reverting to the previous operating system enables you to continue using the application or device while waiting for a compatible update or replacement. You can choose to upgrade to Windows XP Professional at a later date.

To uninstall Windows XP Professional
  1. In the Run dialog box, type appwiz.cpl and then click OK.

  2. In the Currently installed programs box, click Windows XP Professional, and then click Remove.

  3. Follow the on-screen instructions to uninstall Windows XP Professional.

You can uninstall Windows XP Professional only if your computer meets all the following requirements:

  • The computer was upgraded from Windows 98 or Windows Me.

  • The system partition uses the FAT or FAT32 file system. This is the default for computers upgraded from Windows 98 and Windows Me. If you use Convert.exe to convert the file system from FAT to NTFS, you can no longer uninstall Windows XP Professional.

  • The computer had sufficient disk space to save uninstall information when you upgraded to Windows XP Professional.

To detect incompatible components before upgrading to Windows XP Professional, run Setup with the /checkupgradeonly parameter.

To check system compatibility before installing Windows XP Professional
  1. Insert the Windows XP Professional operating system CD into the computer, and then wait for the Welcome to Microsoft Windows XP screen to appear. Click Check system compatibility.

    – or –

  2. At the command prompt, type drive:\i386\winnt32.exe /checkupgradeonly (where drive: represents the network or CD-ROM path to the Windows XP Professional installation files).

For more information about uninstalling Windows XP, see Windows XP Professional Help and Support Center. Also see article 303661, “How to Uninstall Windows XP and Revert to a Previous Operating System.” To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

For more information about upgrading to or deploying Windows XP Professional, see Chapter 1, “Planning Deployments.”

Remote Management Tools

If a computer that you want to troubleshoot is in a remote location, you can use the tools alphabetically listed in Table C-12 to access computers running Windows XP Professional. Table C-12 lists only a few of the Windows XP Professional tools and features that you can use for remote troubleshooting.

Table C-12 Remote Management Tools for Troubleshooting

| Tool | Function | Tool Type, Interface |
|---|---|---|
| Computer Management Tool (Compmgmt.msc) | Viewing, troubleshooting, and managing local or remote computer settings. | Built-in, GUI |
| Remote Desktop | Remotely accessing remote computers by using a GUI terminal session. Remote Desktop is a new feature for Windows XP Professional. | Built-in, GUI |
| Remote Assistance | Remotely sharing input device access to a remote computer by using a GUI terminal session. To function, this option requires two people: a remote helper, or expert, and another person seated at the computer experiencing problems. Remote Assistance is a new feature for Windows XP Professional. | Built-in, GUI |
| Telnet | Establishing remote console sessions, and running command-line programs and scripts on remote computers. | Built-in, command-line |

For more information about remote troubleshooting tools and features, click Tools in Help and Support Center. For more information about configuring remote connections, see Chapter 25, “Connecting Remote Offices,” and Chapter 8, “Configuring Remote Desktop.”

Computer Management Tool

The Computer Management tool (Compmgmt.msc) provides a predefined set of MMC snap-ins for performing common computer management tasks or gathering useful information about local or remote computers for troubleshooting. By using Computer Management, you can view information about the following:

  • Event Viewer Logs

  • Shared Folders

  • Local Users and Groups Accounts

  • Performance Logs and Alerts

  • Device Manager

  • Storage Devices (including Removable Storage, Disk Defragmenter, and Disk Management MMC snap-ins)

  • Services and Applications (including the Services snap-in)

To view information or manage a remote computer
  1. On the desktop, right-click My Computer, and then click Manage.

  2. Right-click Computer Management (Local), and then click Connect to another computer.

  3. In the Select Computer dialog box, click Another computer, and then enter the name of the remote computer to which you want to connect.

  4. Select any of the tools listed to view and manage remote computer information.

Note that for Computer Management to connect to a remote Windows XP computer, the remote computer must allow incoming network traffic on TCP port 445. In Windows XP Service Pack 2, the default configuration of Windows Firewall blocks incoming network traffic on this port, so to use Computer Management to connect to a remote computer running Windows XP Service Pack 2, you must add an exception to Windows Firewall on the remote computer that opens TCP port 445. To do this:

  1. Click Start, select All Programs, select Accessories, and select Command Prompt.

  2. At the command prompt, type netsh firewall set portopening TCP 445 ENABLE and press ENTER.
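The command in the preceding procedure gives no scope, so the exception accepts connections to TCP port 445 from any source address. The following command script is an added example, not part of the original appendix, that uses the scope and addresses parameters of netsh firewall set portopening to limit the exception to the local subnet or to one management workstation, and to remove it afterward. The script's usage, the rule name, and the sample address are assumptions.

```bat
@echo off
rem Added example, not part of the original appendix.
rem Manages a scoped Windows Firewall exception for TCP port 445 on the remote
rem Windows XP SP2 computer. Run it on that computer from a command prompt,
rem logged on as a member of the Administrators group.
rem Usage (assumed script arguments): subnet | host <address> | show | close

setlocal
rem Assumed display name for the exception; any descriptive name works.
set RULE_NAME=Computer Management (TCP 445)

if /i "%~1"=="subnet" goto subnet
if /i "%~1"=="host"   goto host
if /i "%~1"=="show"   goto show
if /i "%~1"=="close"  goto close
echo Usage: %~nx0 subnet ^| host ^<address^> ^| show ^| close
goto end

:subnet
rem Accept connections to TCP 445 only from addresses on the local subnet.
netsh firewall set portopening protocol=TCP port=445 name="%RULE_NAME%" mode=ENABLE scope=SUBNET
goto show

:host
rem Accept connections only from one management workstation,
rem for example 192.0.2.10 (a constructed documentation address).
if "%~2"=="" (
    echo Specify the address of the management workstation.
    goto end
)
netsh firewall set portopening protocol=TCP port=445 name="%RULE_NAME%" mode=ENABLE scope=CUSTOM addresses=%~2
goto show

:close
rem Remove the exception when remote management is finished.
netsh firewall delete portopening protocol=TCP port=445
goto show

:show
rem List the current port exceptions so that the scope can be confirmed.
netsh firewall show portopening
goto end

:end
endlocal
```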

You can also use Computer Management to view information gathered by applications or custom scripts that implement Windows Management Instrumentation (WMI), a unified architecture for describing and using Windows objects.

For more information about WMI, see the MSDN Library link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources and in the table of contents expand Win32 and COM Development, expand Administration and Management, and finally expand Windows Management Instrumentation (WMI).

Remote Desktop

Although Remote Desktop is not specifically a troubleshooting tool, this feature does enable you to use a local keyboard, mouse, and video display to remotely diagnose and troubleshoot problems that do not require collaboration with someone logged on at the computer. For example, you can use Remote Desktop to verify a problem on a computer within a network domain.

While using Remote Desktop, the remote computer remains locked and any actions that you perform are not visible on the monitor attached to the remote computer. This is intended behavior because Remote Desktop was designed primarily for the following reasons:

  • To enable you to work with or troubleshoot a computer (such as your office system) from a remote location by using a direct network, secure virtual private network (VPN), or remote access connection to your organization’s network

  • To enable administrators or other designated users or groups (such as Help Desk) to manage or troubleshoot computers remotely

  • To remotely access a computer without concern about unauthorized users viewing your actions or taking control of the remote system

Remote Desktop Restrictions

Remote Desktop uses Windows XP Professional security features to grant or deny access based on user permissions. Before using Remote Desktop, be aware of the following restrictions:

  • You typically cannot establish connections to external (nondomain) computers that are located outside your organization’s firewall. To bypass this limitation, use Internet Proxy or Microsoft Internet Security and Acceleration Server client software.

  • You typically cannot establish a session from your home computer on the Internet to your office system. To bypass this limitation, you must first establish a secure VPN connection to your office network.

  • You cannot establish Remote Desktop connections between two computers connected directly to the Internet.

  • Remote Desktop does not allow simultaneous remote and local access to the Windows XP Professional desktop, and one user must log off before another can log on. For members of the Administrators group, Windows XP Professional prompts for confirmation before logging the other user off to avoid loss of unsaved data. Whenever possible, notify the other user before logging the user off.

For more information about planning special Remote Desktop configurations, consult with your network administrator.

Configuring and Using Remote Desktop

Windows 2000 Server–based and Windows XP Professional–based computers can host remote clients. However, Windows XP Professional–based systems can host only one user session at a time.

To configure a computer to host a Remote Desktop session
  1. Log on by using a user account that belongs to the local or domain Administrators group.

  2. Do one of the following:

    • In Control Panel, click System.

    • In the Run dialog box, type sysdm.cpl and then click OK.

  3. Click the Remote tab, and in Remote Desktop, select the Allow users to connect remotely to this computer check box if it is not already selected.

  4. Click Select Remote Users, and then in Remote Desktop Users, click Add to grant Remote Desktop access to specific users.

    When you click OK, changes take effect immediately; you do not need to restart your computer. Members of the local or domain Administrators group have Remote Desktop privileges by default.

Unlike members of the Administrators group, nonadministrators granted Remote Desktop access cannot end another user’s session. If another user is logged on, a Remote Desktop session requested by a nonadministrator is refused by the remote system.

To connect to a computer by using Remote Desktop
  1. In the Run dialog box, type mstsc.

  2. Type the name of the computer to which you want to connect, and then click Connect.

A session window opens, and a Log On to Windows dialog box prompts you to supply valid user credentials. After you log on to the remote computer, the session window displays the contents of the remote computer’s desktop. You can then interact with the remote computer, with your activities limited only by user permission settings.

Other Remote Desktop Features

Remote Desktop also includes these features:

  • Bandwidth efficiency.

    Remote Desktop caches and compresses data to enhance performance.

  • Terminal Services Compatibility.

    Remote Desktop can host sessions with clients running Terminal Services client software. For example, you can use Remote Desktop to establish remote sessions with Windows NT Workstation 4.0–based and Windows 2000 Professional–based computers running Terminal Services client software.

For more information about Remote Desktop, see Chapter 8, “Configuring Remote Desktop,” in this book and Windows XP Professional Help and Support Center.

Remote Assistance

Remote Assistance allows you to invite a trusted person (a friend or computer expert) to remotely and interactively assist you with a problem. You can also use Remote Assistance to remotely assist a user who trusts you. This feature is useful in situations where detailed or lengthy instructions are required to reproduce or resolve problems.

Problems that are difficult to reproduce

A user requesting assistance reports a problem that is reproducible only under specific circumstances. Instead of having the user describe the problem to you, you can remotely view the problem computer while the user shows you the steps that cause the error to occur.

Problems that require following complicated instructions

A user describes a problem that you know can be fixed by adjusting video display settings. You describe the steps required, but the inexperienced user cannot follow your instructions. You can help by interactively demonstrating the steps required to correct the problem.

Differences Between Remote Assistance and Remote Desktop

In Remote Assistance terminology, the user who sends the request for assistance (an invitation) is called the novice, and the person who provides assistance is called the expert. The following list shows the key distinctions between Remote Assistance and Remote Desktop:

  • Remote Desktop establishes new sessions, while Remote Assistance attaches another user (the expert) to an existing session.

  • To use Remote Assistance, both the novice and expert need to be present at their computers and must cooperate with each other. Remote Desktop relies on Windows security features and users with the appropriate privileges do not require permission before establishing new sessions.

  • Remote Assistance requires that both computers are running a version of Microsoft Windows XP.

Establishing Remote Assistance Connections

You can establish the following types of connections by using Remote Assistance:

  • A local area network (LAN) connection between the expert and novice

  • A direct Internet connection between the expert and novice

  • A connection between an expert located behind a firewall and a novice on the Internet

  • A connection between an expert and a novice located behind different firewalls

    Establishing Remote Assistance connections through a firewall might require network configuration changes such as opening TCP Port 3389. Consult your network administrator for more information.

To send a Remote Assistance invitation to an expert
  1. Notify the expert (by a method such as e-mail, telephone, or instant messaging) that you intend to send a Remote Assistance invitation, and provide the password you plan to use (if any). For security purposes, Remote Assistance does not include password information with the invitation, an intentional omission based on the assumption that the expert knows the invitation password.

  2. From the Start menu, click Remote Assistance.

  3. Follow the instructions for Remote Assistance and, when prompted, specify options, such as the delivery method, time until expiration, expert’s e-mail address, and a message.

  4. Click Send Invitation to send the invitation to the expert.

The novice has several options when sending the invitation, including:

  • Invitation delivery method (by means of e-mail or instant message notification)

  • Time until expiration (in hours, minutes, or days)

  • Password protection feature (optional)

If a problem occurs when you send invitations, verify that Remote Assistance is enabled.

To verify that Remote Assistance is enabled
  1. Do one of the following:

    • In Control Panel, click System.

    • In the Run dialog box, type sysdm.cpl, and then click OK.

  2. On the Remote tab, in Remote Assistance, select the Allow Remote Assistance invitations to be sent from this computer check box if it is not already selected, and then click OK.

To respond to a Remote Assistance invitation sent from a novice
  1. Using e-mail or instant messaging software that is installed on the expert computer, wait for the Remote Assistance invitation to arrive from the novice.

  2. Open the invitation message, and double-click the attachment that is included to start the session. If prompted to do so, provide password information. The following prompt appears on the novice computer:

    User has accepted your Remote Assistance invitation and is ready to connect to your computer. Do you want to let this person view your screen and chat with you?

  3. If the information you provided is correct and the novice confirms the preceding prompt, a terminal window appears and displays the novice’s desktop. You can now use the Remote Assistance Chat window to send or receive text messages.

    Although you can view the remote computer’s desktop content, you are initially in read-only mode and are not able to move windows or manipulate on-screen objects, such as the Start menu or desktop icons, until the novice gives you permission to do so.

  4. To interact with the novice’s desktop, click Take Control, and then ask the novice to confirm the Allow Expert Interaction button in the Remote Assistance window. After the novice clicks this button, you and the novice share access to the novice’s desktop, and you can now interact with on-screen objects by using your local mouse and keyboard. At any time, the novice can restrict you to view-only mode by pressing a user-defined hot key (by default, the ESC key).

Invitation Limitations

An expert can reuse a Remote Assistance invitation ticket multiple times as long as both of the following conditions are met:

  • The invitation ticket has not expired.

  • The IP address of the expert computer has not changed since the novice issued the invitation ticket.

The second condition is mainly a concern for experts who use computers that require dial-up connections to Internet service providers (ISPs). Computers that use dial-up connections are typically assigned different IP addresses by Dynamic Host Configuration Protocol (DHCP) servers each time they connect to the Internet. A separate ticket for each IP address is required.

Security Concerns

When using Remote Assistance, consider the following security issues:

  • When the novice clicks the Allow Expert Interaction button, a Remote Assistance expert performs all actions under the novice’s user security context and has the same level of network access and local computer privileges.

  • To allow experts outside of your organization to establish Remote Assistance connections (for example, outsourced technical support), the preferred connection method is by VPN account. This is the preferred method because it avoids opening TCP Port 3389 to allow traffic through your firewall. Consult your network administrator for more information about your organization’s policies towards external technical support providers.

  • In Windows XP Service Pack 2, the default configuration of Windows Firewall blocks incoming Remote Assistance offers from being received. For more information, see article 555179, “Windows XP SP2 Firewall blocks offers of Remote Assistance,” in the Microsoft Knowledge Base at https://support.microsoft.com.

Offer Remote Assistance

An added feature for Windows XP Professional, known as Offer Remote Assistance, enables an expert with Administrators group privileges to initiate a session without first receiving an invitation from the novice. This feature allows experts (for example, Domain Administrators) to provide assistance within an organization. Offer Remote Assistance is disabled by default, but you can enable it by modifying a Group Policy setting.

To enable Offer Remote Assistance
  1. In the Run dialog box, type gpedit.msc.

  2. Expand Local Computer Policy, expand Computer Configuration, and then expand Administrative Templates.

  3. Expand System, and then expand Remote Assistance.

  4. In the details pane, double-click Offer Remote Assistance, click Enabled, and then click OK.

You can also grant Offer Remote Assistance privileges to nonadministrators by using the following procedure.

To enable Offer Remote Assistance for nonadministrators
  1. In the Run dialog box, type gpedit.msc.

  2. Expand Local Computer Policy, expand Computer Configuration, and then expand Administrative Templates.

  3. Expand System, and then expand Remote Assistance.

  4. In the details pane, double-click Offer Remote Assistance and then click Enabled.

  5. Click Show and then click Add. In the Add Item dialog box, type the name of the user or group that you want to grant Offer Remote Assistance privileges to by using the following syntax:

    domain\username

    – or –

    domain\groupname

    The computers of the novice and expert users must be members of the same domain or members of domains that trust each other.

  6. Click OK and repeat Steps 1 through 5 for each user or group.

For more information about Group Policy, see Chapter 17, “Managing Authorization and Access Control,” Chapter 1, “Planning Deployments,” and Chapter 5, “Managing Desktops.” Also, see the Deployment Planning Guide of the Microsoft Windows 2000 Server Resource Kit and the Change and Configuration Management Deployment Guide link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

To offer remote assistance to a novice
  1. You, an expert, inform the novice that you intend to offer Remote Assistance.

  2. In Help and Support Center, click Pick a task, click Use Tools, and then click Offer Remote Assistance.

  3. Follow the instructions, and provide the name or IP address for the computer to which the novice is logged on.

The following prompt appears on the novice’s computer:

The network administrator Domain\User would like to 
view your screen and chat with you in real time, 
and work on your computer. 
Would you like to give Domain\User access to your computer?

A Remote Assistance session starts after the novice responds affirmatively to the prompt.

Note: The Offer Remote Assistance feature does not remove the requirement that the novice be present to accept the session request from the expert. The novice can end the session at any time by clicking Disconnect or by pressing the disconnect hot key.

Other Remote Assistance Features

In addition to sharing control of the desktop, Remote Assistance also provides these features useful for troubleshooting problems affecting the novice:

  • File transfers.

    This enables the novice and the expert to send or receive files.

  • Voice over IP.

    This feature lets the novice and expert communicate verbally in real-time by using an Internet connection.

  • Chat.

    Chat enables the novice and expert to establish two-way real-time text communication.

  • Desktop scaling.

    This feature enables the expert to scale the view of novice’s desktop to fit the Remote Assistance view window. This allows the expert to choose between different views, depending on the situation.

  • Bandwidth efficiency.

    Remote Assistance automatically senses connection speed and configures settings such as color depth and voice data rate, depending on the available bandwidth.

For more information about Remote Assistance, click Support or Tools in Help and Support Center.

Telnet

The Microsoft Telnet client (Telnet.exe) and server enable you to establish command console sessions to a remote host. You can then use this session to run command-line programs and scripts on the remote computer. Telnet benefits include low system resource and bandwidth requirements, as well as interoperability with Telnet clients and servers running on other operating systems, such as UNIX.

The Windows XP Professional Telnet client and server are more robust than their Windows 2000 Professional and Windows NT Workstation 4.0 counterparts and add new features such as auditing.

For more information about Microsoft Telnet, click Tools in Help and Support Center.

Disk and Maintenance Tools

Windows XP Professional provides disk and maintenance tools you can use to prevent problems from occurring. Some of the most useful tools are listed alphabetically in Table C-13. The disk-related tools allow you to view disk information and correct a problem before it becomes a serious issue. My Computer Information and Windows Update allow you to periodically check the status of your computer and apply updates that enhance Windows XP Professional; they might also help resolve problems caused by incompatible device drivers.

Table C-13 Disk and Maintenance Tools

| Tool | Function | Tool Type, Interface |
|---|---|---|
| Chkdsk (Chkdsk.exe) | Verifying and repairing the logical integrity of a file system on a Windows XP Professional–based volume | Built-in, command-line, GUI |
| Disk Cleanup (Cleanmgr.exe) | Increasing the amount of disk space that applications and Windows XP Professional can use by deleting unused files | Built-in, GUI |
| Disk Defragmenter (Dfrg.msc and Defrag.exe) | Contiguously arranging files, folders, and programs, and grouping unused space on the hard disk to optimize disk performance | Built-in, GUI, command-line |
| Disk Management (Diskmgmt.msc) and DiskPart (Diskpart.exe) | Viewing disk information, and performing disk-related functions such as extending volumes or partitioning disks | Built-in, GUI, command-line |
| Fsutil (Fsutil.exe) | Displaying volume and file system information, and performing advanced disk-related operations | Built-in, command-line |
| My Computer Information in Help and Support | Viewing hardware and software status, and obtaining Help and troubleshooting information | Built-in, GUI |
| Windows Update (Wupdmgr.exe) | Obtaining updates, service packs, device drivers, and other enhancements | Built-in, GUI |

Chkdsk

Chkdsk (Chkdsk.exe) is a command-line tool that checks volumes for problems and attempts to repair any that it finds. For example, Chkdsk can repair problems related to bad sectors, lost clusters, cross-linked files, and directory errors. For NTFS-formatted disks, the Windows XP Professional version of Chkdsk.exe can provide substantial performance improvements (compared to the versions in Windows 2000 Professional and Windows NT Workstation 4.0) when you use the new /i and /c parameters. These two parameters instruct Chkdsk.exe to skip certain file system checks, which might reduce the time needed to run Chkdsk. You must be logged on as an administrator or a member of the Administrators group to use Chkdsk.

In addition to using the command-line version of Chkdsk, you can run Chkdsk from My Computer or Windows Explorer.

To run Chkdsk from the command prompt
  • At the command prompt, type chkdsk.

To run Chkdsk from My Computer or Windows Explorer
  1. In My Computer or Windows Explorer, right-click the volume you want to check, and then click Properties.

  2. On the Tools tab, click Check Now.

  3. Do one of the following:

    • To run Chkdsk in read-only mode, click Start.

    • To repair errors without scanning the volume for bad sectors, select the Automatically fix file system errors check box and then click Start.

    • To repair errors, locate bad sectors, and recover readable information, select the Scan for and attempt recovery of bad sectors check box and then click Start.

Before running Chkdsk, be aware of the following:

  • Chkdsk requires exclusive access to a volume while it is running. Chkdsk might display a prompt asking whether you want to check the drive the next time you restart your computer.

  • Chkdsk might take a long time to run, depending on the number of files and folders, the size of the volume, disk performance, and available system resources (such as processor and memory).

  • Chkdsk might not accurately report information in read-only mode.

For more information about using Chkdsk, see Chapter 28, “Troubleshooting Disks and File Systems.”

Disk Cleanup

Disk Cleanup (Cleanmgr.exe) enables you to delete unneeded files and periodically compress infrequently accessed files. Insufficient disk free space can cause many problems ranging from Stop messages to file corruption. To increase free space, you can do the following:

  • Move files to another volume, or archive them to backup media.

  • Compress files or disks to reduce the space required to store data.

  • Delete unneeded files.

To run Disk Cleanup
  1. At the command prompt, type cleanmgr.

  2. Select the drive you want to clean up, and then click OK.

  3. On the Disk Cleanup tab, select an option.

    – or –

    Click the More Options tab to remove restore points and uninstall operating system components or applications.

For more information about restore points, see “System Restore” earlier in this appendix.

To compress files by using Disk Cleanup
  1. On the Disk Cleanup tab, select the Compress old files check box.

  2. In the Description box, click Options to specify how many days to wait before compressing a file.

For more information about Disk Cleanup, click Tools in Help and Support Center.

Disk Defragmenter

Windows XP Professional provides two methods for defragmenting volumes:

  • The Disk Defragmenter snap-in (Dfrg.msc)

  • The new Disk Defragmenter command-line tool (Defrag.exe)

Both defragmentation tools rearrange files, folders, and programs so that they occupy contiguous space on the hard disk. The tools also reorder free space, moving it into a contiguous block at the end of each volume. As a result, the operating system can write files to the hard disk sequentially more often, which improves performance. You must be logged on as an administrator or a member of the Administrators group to use the defragmentation tools.

To start the Disk Defragmenter snap-in
  • In the Run dialog box, type dfrg.msc.

You can also start Disk Defragmenter from the Computer Management tool. For more information about the Computer Management tool, see “Computer Management Tool” earlier in this appendix.

To start the Defrag.exe command-line tool
  • At the command prompt, type defrag.

For more information about Disk Defragmenter, see Chapter 28, “Troubleshooting Disks and File Systems.”

Disk Management and DiskPart

Windows XP Professional provides two tools that you can use to view the status of disks and volumes:

  • The Disk Management snap-in (Diskmgmt.msc)

  • The command-line tool DiskPart (Diskpart.exe)

Both tools use a number of predefined descriptions to indicate the status of disks and volumes in the computer. For example, if no errors are present on a disk, the tools display an Online status for the disk and a Healthy status for volumes on the disk. By periodically running these tools, you can identify disk or volume problems and repair them before they lead to data loss. You must be logged on as an administrator or a member of the Administrators group to use Disk Management or DiskPart.

To use the Disk Management snap-in
  • In the Run dialog box, type diskmgmt.msc.

You can also start Disk Management from the Computer Management tool. For more information about the Computer Management tool, see “Computer Management Tool” earlier in this appendix.

To start DiskPart and view a list of commands
  1. At the command prompt, type diskpart.

  2. At the DISKPART> prompt, type commands.

DiskPart is a text-mode command interpreter that provides commands for managing disks, volumes, and partitions. The command-line Diskpart.exe tool is separate from the diskpart command that you can use in Recovery Console.

For more information about troubleshooting disk-related problems, see Chapter 28, “Troubleshooting Disks and File Systems.” For more information about using DiskPart, click Tools in Help and Support Center.

Fsutil.exe

Fsutil (Fsutil.exe) is a command-line tool that provides commands for performing file system and volume-related tasks, such as querying or changing file and disk attributes. You must be logged on as an administrator or a member of the Administrators group to use Fsutil.

To obtain a list of Fsutil subcommands
  • At the command prompt, type fsutil.

To obtain help for an Fsutil subcommand
  • At the command prompt, use the following syntax:

    fsutil subcommand help

For more information about Fsutil, click Tools in Help and Support Center.

My Computer Information in Help and Support Center

“My Computer Information” in Windows XP Professional Help and Support Center enables you to view your computer’s hardware and software status and to gather help and troubleshooting information.

To view My Computer Information in Help and Support Center
  1. Under Pick a task, click Use Tools to view your computer information and diagnose problems.

  2. Under Tools, click My Computer Information, and then follow the instructions displayed on the screen.

Table C-14 lists the type of information available.

Table C-14 Information Available in My Computer Information

| Category | Description |
|---|---|
| General | Displays details about your computer, such as the processor speed and the amount of physical memory and disk space available |
| Status | Shows diagnostic information that can help you solve existing problems and tips that can help you avoid issues |
| Hardware | Contains detailed information about internal and external hardware installed on your computer |
| Software | Lists system software installed on your computer |
| View computer information on another computer | Shows information for a remote computer, if you have administrative permissions on the remote computer |

For more information about My Computer Information, see Windows XP Professional Help and Support Center.

Windows Update

Windows Update is an online extension of Windows XP Professional that provides a central location to find product enhancements, such as service packs, device drivers, and system security updates. For more information about Windows Update and configuring Automatic Updates, see Chapter 15, “Managing Software Updates,” in this book.

System File Tools

Windows XP Professional provides tools to help you troubleshoot problems caused by incompatible, missing, or corrupted driver and system files. Helpful tools for troubleshooting system and driver file issues are listed alphabetically in Table C-15. These tools enable you to detect and correct issues caused by problem files, or prevent their installation.

Table C-15 System File and Driver Tools

| Tool | Function | Tool Type, Interface |
|---|---|---|
| Driver Query (Driverquery.exe) | Lists information about the drivers on a computer | Built-in, command-line |
| Driver Signing and Digital Signatures | Maintains system stability by verifying that device drivers have passed a series of rigorous tests administered by the Windows Hardware Quality Labs (WHQL) | Built-in, GUI |
| Windows File Protection | Scans protected system files, and restores overwritten files with the correct versions provided by Microsoft | Built-in, GUI |

Driver Signing and Digital Signatures

Driver signing is a multistage process in which device drivers are verified. For a driver to earn this certification, it must pass a series of compatibility tests administered by the Windows Hardware Quality Labs (WHQL). As a result of stringent WHQL standards, using signed drivers typically results in a more stable system. Microsoft digitally signs drivers that pass the WHQL tests, and Windows XP Professional performs signature detection for signed device categories, such as the following:

  • Keyboards

  • Hard disk controllers

  • Modems

  • Mouse devices

  • Multimedia devices

  • Network adapters

  • Printers

  • SCSI adapters

  • Smart card readers

  • Video adapters

A Microsoft Corporation digital signature indicates that a driver file is an original, unaltered system file that Microsoft has approved for use with Windows XP Professional.

Windows XP Professional can warn users about installing unsigned drivers or prevent them from doing so. If a driver is not digitally signed, the user receives a message that requests confirmation to continue.

Microsoft digitally signs all drivers included with the Windows XP Professional operating system CD. When downloading updated drivers from a manufacturer’s Web page, always select drivers that are signed by Microsoft.

Windows XP Professional provides the following tools to help you identify digitally signed files:

  • File Signature Verification

  • Driver Signature Checking

  • System Information

  • Device Manager

  • DirectX Diagnostic Tool

  • Hardware Compatibility List

File Signature Verification

The File Signature Verification tool (Sigverif.exe) detects signed files and allows you to do the following:

  • View the certificates of signed files to verify that the file has not been tampered with after being digitally signed.

  • Search for signed files in a specific location.

  • Search for unsigned files in a specific location.

To run File Signature Verification
  • In the Run dialog box, type sigverif.

When you click the Advanced button, the Advanced File Signature Verification Settings dialog box provides additional configuration options on the Search and Logging tabs.

Search

You can specify file search options, such as whether to search all drivers or limit the scope of your search by using file name and folder criteria.

Logging

You can specify that search results be saved to a file, the log file name to use, and whether to overwrite or append the log file. You can also view the log file by clicking View Log.

File Signature Verification writes information to systemroot\Sigverif.txt, a log that contains the following information about the scanned files:

  • Name

  • Modification date

  • Version number

  • Signed status

  • Location (name of catalog file)

Driver Signature Checking

Driver Signature Checking enables you to detect unsigned drivers before you install them. Using Control Panel, you can set verification levels for driver signature checking to ensure that Windows XP Professional inspects files for digital signatures whenever you install or update drivers.

To enable Driver Signature Checking
  1. In Control Panel, open System.

  2. Click the Hardware tab, and then click Driver Signing.

Table C-16 describes the three levels of file signature verification that appear in the Driver Signing Options box.

Table C-16 Signature Checking Levels

| Level | Description |
| --- | --- |
| Level 0 (Ignore) | Disables digital signature checking. The message that identifies a digitally signed driver does not appear, and all drivers are installed even if they are unsigned. |
| Level 1 (Warn) | Determines whether the driver has passed WHQL testing. A message appears whenever a user tries to install a driver that fails the signature check. |
| Level 2 (Block) | Blocks installation of a driver that fails the signature check. You are notified that Windows XP Professional cannot install the unsigned driver. |

System Information

System Information enables you to view a list of signed drivers installed on your system.

To view a list of signed drivers
  1. In the Run dialog box, type msinfo32.exe.

  2. Expand Software Environment, and then click Signed Drivers.

Driver Query

Driver Query (Driverquery.exe) is a command-line tool that displays information about drivers running on your computer.

For more information about using Driver Query to view signing information for drivers, see “Driver Query” later in this appendix.

Device Manager

Device Manager enables you to verify that Microsoft Corporation has provided or digitally signed a driver for a specific device.

To view driver signing information by using Device Manager
  1. In the Run dialog box, type devmgmt.msc.

  2. Expand a device category. (For this example, expand Floppy disk controllers.)

  3. Double-click Standard floppy disk controller, and then click the Driver tab.

  4. Verify that Driver Provider is listed as Microsoft (for Microsoft-provided drivers) or that Digital Signer mentions Microsoft WHQL (for manufacturer-provided drivers).

DirectX Diagnostic Tool

The DirectX Diagnostic Tool (Dxdiag.exe) displays file names and properties for multimedia device drivers, such as audio and video. Use this tool to check for beta or unsigned DirectX driver files.

Windows Catalog

The Windows Catalog is a Web-based database of hardware and software compatible with Windows XP and certified under the Designed for Windows XP Logo Program. The Windows Catalog can be found at https://www.microsoft.com/windows/catalog, and it replaces the Hardware Compatibility List (HCL) of earlier versions of Microsoft Windows.

Driver Query

Driver Query (Driverquery.exe) is a command-line tool that lists information about drivers running on your computer.

Tip: Run the Driver Query tool when your system is working properly and then redirect the information to a file. You can use these results as a comparison later if the system has problems with missing or corrupted drivers.

The information generated by the Driver Query tool can fill several screens, so it is helpful to redirect the video output to a file by using the following syntax:

driverquery > drivers_M-D-Y.txt

In the preceding syntax, M is the numerical month, D is the day, and Y is the year. Keep this file in a safe location, or print it and record the date on the page. Comparing Driver Query output files created on different dates can help you determine which drivers have changed.

Table C-17 describes the output from the Driver Query tool.

Table C-17 Column Names and Descriptions of the Driver Query Tool Output

| Column | Description |
| --- | --- |
| HostName | The name of the computer queried. |
| FileName | The driver file name shown without path or file-name-extension information. To list driver file names with the path and extension, use the -verbose parameter. |
| DisplayName | The friendly name of the driver. |
| Description | A description of the driver. This can be the same as the DisplayName. |
| DriverType | The type of driver, for example, kernel or file system. |

The following is output from Driver Query:

Module Name Display Name           Driver Type   Link Date 
============ ====================== ============= ======================== 
aec          Microsoft Kernel Acous Kernel        07/07/2001 09:50:41 AM 
AFD          AFD Networking Support Kernel        07/16/2001 11:47:08 AM 
atapi        Standard IDE/ESDI Hard Kernel        07/15/2001 09:02:51 PM

When you specify the /si parameter, Driver Query displays digital signature information for both signed and unsigned drivers. The following is output obtained by typing driverquery /si:

DeviceName                     InfName       IsSigned Manufacturer 
============================== ============= ======== ==================== 
Microsoft AC Adapter           battery.inf   TRUE     Microsoft 
Microsoft ACPI-Compliant Contr battery.inf   TRUE     Microsoft 
Microsoft ACPI-Compliant Contr battery.inf   TRUE     Microsoft

The information in the IsSigned column is useful for troubleshooting because a value of FALSE indicates that a driver has not been approved by Microsoft for use with Windows.
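The baseline comparison and the IsSigned check described above can be run over saved Driver Query output. The following Python script is an added example, not part of the Resource Kit; it assumes the default table format shown on this page, and the later snapshot, the exfilt module, and the Example Capture Card row are constructed sample data.

```python
import re


def parse_table(text):
    """Parse driverquery TABLE-format output into a list of dicts.

    Column boundaries come from the ruler line of '=' runs, so values that
    contain spaces (display names, dates) stay in a single field.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    ruler = next((i for i, ln in enumerate(lines) if set(ln) <= set("= ")), 0)
    if ruler == 0:
        raise ValueError("no header/ruler pair found; expected TABLE format")
    spans = [m.span() for m in re.finditer(r"=+", lines[ruler])]
    spans[-1] = (spans[-1][0], None)  # last column runs to end of line
    names = [lines[ruler - 1][a:b].strip() for a, b in spans]
    return [{n: row[a:b].strip() for n, (a, b) in zip(names, spans)}
            for row in lines[ruler + 1:]]


def diff_snapshots(baseline, current, key="Module Name"):
    """Compare two saved driverquery outputs, keyed on the module name."""
    old = {r[key]: r for r in parse_table(baseline)}
    new = {r[key]: r for r in parse_table(current)}
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def unsigned_devices(si_text):
    """Device names whose IsSigned column reads FALSE in `driverquery /si` output."""
    return [r["DeviceName"] for r in parse_table(si_text)
            if r["IsSigned"].upper() == "FALSE"]


# Baseline: the three sample rows shown on this page.
BASELINE = """\
Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ========================
aec          Microsoft Kernel Acous Kernel        07/07/2001 09:50:41 AM
AFD          AFD Networking Support Kernel        07/16/2001 11:47:08 AM
atapi        Standard IDE/ESDI Hard Kernel        07/15/2001 09:02:51 PM
"""

# Later snapshot: constructed for this example (not real output).
CURRENT = """\
Module Name  Display Name           Driver Type   Link Date
============ ====================== ============= ========================
aec          Microsoft Kernel Acous Kernel        07/07/2001 09:50:41 AM
atapi        Standard IDE/ESDI Hard Kernel        03/02/2002 10:15:00 AM
exfilt       Example Filter Driver  Kernel        03/02/2002 10:15:00 AM
"""

# /si output: first data row from this page, second row constructed.
SI_SAMPLE = """\
DeviceName                     InfName       IsSigned Manufacturer
============================== ============= ======== ====================
Microsoft AC Adapter           battery.inf   TRUE     Microsoft
Example Capture Card           oem12.inf     FALSE    Example Vendor
"""

if __name__ == "__main__":
    print(diff_snapshots(BASELINE, CURRENT))
    print("unsigned:", unsigned_devices(SI_SAMPLE))
```

A driver that appears in "added" or "changed" and is also reported with IsSigned FALSE is the first candidate to examine when the system became unstable between the two snapshot dates.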

For more information about Driver Query, click Tools in Help and Support Center. For more information about driver signing, see “Driver Signing and Digital Signatures” earlier in this appendix.

Windows File Protection

To maintain operating system stability, Windows XP Professional implements the following mechanisms to ensure that software installation programs do not overwrite critical system files:

  • Windows File Protection (WFP) service

  • System File Checker (Sfc.exe) tool

Windows File Protection Service

The Windows File Protection (WFP) service monitors changes to protected system files. When the WFP service detects that a protected system file has changed, it examines file signature information to determine whether the new file is the correct version. If the version is incorrect, the WFP service displays a message similar to the following:

A file replacement was attempted on the protected system file filename. 
To maintain system stability, the file has been restored to the 
correct Microsoft version. If problems occur with your application, 
please contact the application vendor for support.

The WFP service then records an entry to the System log and replaces the invalid file with a backup copy from the systemroot\System32\Dllcache folder. If a backup copy is not found in Dllcache, you are prompted to provide the Windows XP Professional operating system CD or a source file location.

System File Checker

System File Checker (Sfc.exe) is a command-line tool that examines protected system files on your computer and restores the correct versions by using backups stored in the Dllcache folder or files copied from the operating system CD.

Protected files include those with .sys, .dll, .exe, .ttf, .fon, and .ocx file-name extensions. Because of disk space considerations, storing all protected files in the Dllcache folder might not be practical, especially on computers with limited storage space. Therefore, you must be ready to provide the Windows XP Professional operating system CD when prompted to do so.

You can use System File Checker to repopulate the Dllcache folder if the contents become damaged or unusable. To purge and repopulate the contents of the Dllcache folder, in the Run dialog box, type

sfc /purgecache

You can also specify the protected file cache size by using the following syntax:

sfc /cachesize=x

The value of x represents the number of megabytes (MB) of space to use in hexadecimal notation. For example, to specify 200 MB, type

sfc /cachesize=C8

Note: For network-based installations, the WFP service and the System File Checker tool search the network source file directory if the required backup file is not in the Dllcache folder. You must be a member of the Administrators group to purge or change the space allotted for cached protected files.

For more information about the Windows File Protection service and System File Checker, click Tools in Help and Support Center. Also, see article 222473, “Registry Settings for Windows File Protection,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

Networking Tools

Many factors affect network performance and reliability, including remote connections, hardware configuration (network adapters or the physical network connection), and device drivers. Quite often, network difficulties are related to protocol configuration errors. For example, use of incorrect settings in TCP/IP-based networks can affect IP addressing, routing, and IP security.

Windows XP Professional provides a collection of useful troubleshooting tools that allow you to monitor network performance across a variety of connections, including analog and ISDN modems, and broadband connections such as xDSL and cable. Table C-18 is an alphabetical list of tools useful for diagnosing network and protocol configuration issues.

Table C-18 Network Troubleshooting and Diagnostic Tools

| Tool | Function | Tool Type, Interface |
| --- | --- | --- |
| GetMac (Getmac.exe) | Displays media access control (MAC) information for network adapters and protocols installed on a computer. | Built-in, command-line |
| IP Configuration (Ipconfig.exe) | Displays the current configuration of the installed IP stack on a networked computer by using TCP/IP. | Built-in, command-line |
| IP Security Monitor | Confirms that secured communications are successfully established by displaying the active security associations on local or remote computers. | Built-in, GUI |
| NetBT Statistics (Nbtstat.exe) | Displays protocol statistics and current TCP/IP connections by using NetBIOS over TCP/IP (NetBT), including NetBIOS name resolution to IP addresses. | Built-in, command-line |
| Netsh (Netsh.exe) | Views or modifies TCP/IP network configuration for a computer. Netsh also provides scripting features. | Built-in, command-line |
| Network Connectivity Tester (NetDiag.exe) | Views network-client health by running a wide range of connectivity tests. | Support Tool, command-line |
| Netstat | Displays protocol statistics and current TCP/IP connections. | Built-in, command-line |
| Network Diagnostics | Views network-related information, such as network adapter status and IP addresses for DHCP and Domain Name System (DNS) servers. | Built-in, GUI |
| Network Monitor Capture Utility (Netcap.exe) | Monitors network traffic, and captures information to a log file. | Support Tool, command-line |
| Nslookup.exe | Performs DNS queries, and examines the content of zone files on local and remote servers. | Built-in, command-line |
| Path Ping (Pathping.exe) | Obtains network performance statistics. Path Ping displays information for the destination computer and all routers along the way. | Built-in, command-line |

For more detailed information about configuring hardware resources for network adapters, see Chapter 9, “Managing Devices.”

For more information about the preceding tools and configuring and troubleshooting networks, see “Configuring TCP/IP” on the companion CD and Chapter 24, “Configuring IP Addressing and Name Resolution.” Also, see the TCP/IP Core Networking Guide or the Internetworking Guide of the Microsoft Windows 2000 Server Resource Kit.

GetMac

GetMac (Getmac.exe) is a command-line tool that enables you to obtain the media access control (MAC) address for all network adapters and network protocols installed on your computer.

For more information about using GetMac, click Tools in Help and Support Center.

IP Config

IP Config (Ipconfig.exe) is a command-line tool that displays the current configuration of the installed IP stack on networked computers that are using the TCP/IP network protocol. You can use Ipconfig.exe to do the following:

  • Produce a detailed configuration report for all network interfaces.

  • Release or renew IP addresses for specified adapters.

  • Remove all entries from, or display the contents of, the Domain Name System (DNS) Resolver Cache.

  • Refresh all DHCP leases, and reregister DNS names.

  • Display or modify the DHCP class IDs that are allowed for specified adapters.

    Warning: Incorrect use of IP Config can cause network connectivity issues. Unless you are familiar with IP Config, use this tool without command-line parameters or by using only the /all parameter.

For more information about IP Config, see Windows XP Professional Help and Support Center. Also, see “Configuring TCP/IP” on the companion CD and Chapter 24, “Configuring IP Addressing and Name Resolution.”

IP Security Monitor

You can use the Internet Protocol Security (IPSec) Monitor snap-in to verify the security of IPSec communications. IP Security Monitor displays security information, such as the quantity of packets that you sent by using the Authentication Header (AH) or Encapsulating Security Payload (ESP) security protocols, and the number of security associations and keys generated since the computer was started.

IP Security Monitor monitors the local computer unless you specify a different computer. You can specify a different computer by right-clicking IP Security Monitor in the console tree, and then clicking Add Computer.

IP Security Monitor shows only active security associations. For a log of successful and unsuccessful security associations, search the Security log for Netlogon events.

For more information about IPSec, see “Configuring TCP/IP” on the companion CD and “Internet Protocol Security” in the TCP/IP Core Networking Guide in the Microsoft Windows 2000 Server Resource Kit. Also see article 231587, “Using the IP Security Monitor Tool to View IPSec Communications,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.

NetBT Statistics

NetBT Statistics (Nbtstat.exe) is a command-line tool for troubleshooting NetBIOS over TCP/IP (NetBT) name resolution problems. It displays protocol statistics and current TCP/IP connections that are using NetBT.

When a network is functioning, NetBT resolves NetBIOS names to IP addresses. It uses several options for NetBIOS name resolution, including local cache lookup, WINS server query, broadcast, Lmhosts and Hosts file lookup, and DNS server query. The output of the NetBT Statistics tool is in tabular format.

For more information about using NetBT, see “Configuring TCP/IP” on the companion CD, Chapter 24, “Configuring IP Addressing and Name Resolution,” in this book, and Tools in Help and Support Center.

Netsh

The Netsh command-line tool (Netsh.exe) enables you to access other tools that you can use to view and modify local network interface TCP/IP configurations. Using the Netsh tool, you can perform a wide variety of tasks, such as:

  • Displaying and configuring network interface parameters for local and remote computers

  • Configuring routers, including routing protocols and routes

  • Configuring Windows XP Professional remote access routers that are running the Routing and Remote Access service

  • Configuring Windows Firewall in Windows XP Service Pack 2

  • Using the scripting feature to run a series of commands in batch mode against a specified computer or router

Netsh works by directing your command to an appropriate “helper” network component by using entry points called contexts. Helpers are dynamic-link library (DLL) files that extend the functionality of Netsh by enabling access to their network routines. A helper can also extend the capabilities of other helpers.

For more information about Netsh, see “Configuring TCP/IP” on the companion CD and Tools in Help and Support Center.

Netstat

Netstat (Netstat.exe) is a command-line tool that displays TCP/IP protocol statistics and active connections to and from your computer. Netstat also provides an option to display the number of bytes sent and received, as well as network packets dropped (if any). You can use this tool to quickly verify that your computer can send and receive information over the network.

For more information about Netstat, click Tools in Help and Support Center.

Network Connectivity Tester

Network Connectivity Tester (Netdiag.exe) is a command-line Support Tool that helps to identify network-related problems. Network Connectivity Tester runs several network-related tests to determine client connectivity health. Network Connectivity Tester displays information for each network adapter and marks each connectivity test as Passed, Failed, or Skipped, allowing you to quickly isolate problem areas.

For more information about Network Connectivity Tester, click Tools in Help and Support Center, and then click Windows Support Tools.

Network Diagnostics

Network Diagnostics enables you to view software and hardware network component information from a central location.

To start Network Diagnostics
  1. In Help and Support Center, under Pick a task, click Use Tools to view your computer information and diagnose problems.

  2. In Tools, click Network Diagnostics, and then click Scan your system.

The results page includes options to expand or collapse the network data gathered. You can also save the results to a file for later reference. Network Diagnostics organizes information into the categories listed in Table C-19.

Table C-19 Network Diagnostics Information Categories

| Name of Log | Overview |
| --- | --- |
| Internet Service | Displays information about Internet Explorer Web Proxy and Microsoft Outlook Express mail and news configuration |
| Computer Information | Displays information such as computer name, hardware state and capabilities, as well as operating system name and version information |
| Modems and Network Adapters | Displays network hardware and software information, including domain, media access control (MAC) address, IP address, and subnet information |

For more information about Network Diagnostics, click Tools in Help and Support Center.

Network Monitor Capture Utility

Network Monitor Capture Utility (Netcap.exe) is a command-line Support Tool that allows a system administrator to monitor network packets and save the information to a capture (.cap) file. On first use, Network Monitor Capture Utility installs the Network Monitor Driver.

You can use information gathered by using Network Monitor Capture Utility to analyze network use patterns and diagnose specific network problems.

For more information about Network Monitor Capture Utility, click Tools in Help and Support Center, and then click Windows Support Tools.

NSLookup

This diagnostic tool displays information about Domain Name System (DNS) servers. To use NSLookup, you must first install the TCP/IP network protocol.

For more information about Nslookup and DNS, see Windows XP Professional Help and Support Center. Also, see “Windows 2000 DNS” in the TCP/IP Core Networking Guide of the Microsoft Windows 2000 Server Resource Kit and “Active Directory Diagnostics, Troubleshooting, and Recovery” in the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit.

PathPing

You can use PathPing (Pathping.exe) to troubleshoot IP connectivity issues. PathPing is a command-line tool that traces network routes. It combines features of Ping (Ping.exe) and Trace Route (Tracert.exe) with features not found in either tool. PathPing sends network packets to each router on the way to a final network destination IP address, and then reports information as the packets travel from one router to another. (This point-to-point travel is also referred to as a hop.) Because PathPing shows the degree of packet loss across router segments or links, you can use it to identify routers or links that might be congested and cause network problems.

PathPing first displays the IP addresses of the destination and each router that it crosses. When the packets reach their destination, PathPing computes and displays a summary of network hop statistics. In the following example, the loss rate is displayed as the percentage value at the far right, preceding the “|” symbol.

The following is a PathPing report.

Tracing route to rly-wxp-pro [7.54.1.196] 
over a maximum of 30 hops: 
 0 rly-srv [172.16.87.35] 
 1 tstroute1 [172.16.87.218] 
 2 tstroute2 [192.168.52.1] 
 3 tstroute3 [192.168.80.1] 
 4 tstroute4 [7.54.247.14] 
 5 rly-wxp-pro [7.54.1.196] 
Computing statistics for 125 seconds... 
          Source to Here   This Node/Link 
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address 
 0                                         rly-srv [172.16.87.35] 
                                0/ 100 = 0% | 
 1 41ms     0/ 100 = 0%      0/100 = 0% tstroute1 [172.16.87.218] 
                               13/ 100 = 13% | 
 2 22ms    16/ 100 = 16%      3/100 = 3% tstroute2 [192.168.52.1] 
                                0/ 100 = 0% | 
 3 24ms    13/ 100 = 13%      0/100 = 0% tstroute3 [192.168.80.1] 
                                0/ 100 = 0% | 
 4 21ms    14/ 100 = 14%      1/100 = 1% tstroute4 [7.54.247.14] 
                                0/ 100 = 0% | 
 5 24ms    13/ 100 = 13%      0/100 = 0% rly-wxp-pro [7.54.1.196] 
Trace complete.

Analyzing the preceding PathPing report, the link between 172.16.87.218 (hop 1) and 192.168.52.1 (hop 2) has a 13 percent drop-packet rate. Dropped packets represent data that needs to be retransmitted, which adversely affects data throughput. All other links appear to be functioning normally with 0 percent packet-loss rates. Packet loss between the first and second hops could indicate heavy network traffic, congested routers, or slow links.
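The per-link reading of the report described above can be done mechanically on a saved PathPing report. The following Python script is an added example, not part of the Resource Kit; it parses the statistics table copied from the report on this page, and the 5 percent reporting threshold is an assumption chosen for illustration.

```python
import re

# A hop row: hop number, optional RTT and two Lost/Sent groups, then the address
# (either "name [a.b.c.d]" or a bare IP when the name did not resolve).
NODE = re.compile(
    r"^\s*(?P<hop>\d+)\s+"
    r"(?:(?:\d+ms|---)\s+"
    r"\d+/\s*\d+\s*=\s*\d+%\s+"      # Source to Here
    r"\d+/\s*\d+\s*=\s*\d+%\s+)?"    # This Node
    r"(?:\S+\s+\[(?P<addr>[\d.]+)\]|(?P<bare>[\d.]+))\s*$")
# A link row: a single Lost/Sent group followed by the "|" symbol.
LINK = re.compile(r"^\s*(?P<lost>\d+)/\s*(?P<sent>\d+)\s*=\s*\d+%\s*\|\s*$")


def parse_links(report):
    """Return one dict per link (the '|' rows) of a PathPing statistics table."""
    lines = report.splitlines()
    start = next((i for i, ln in enumerate(lines)
                  if ln.lstrip().startswith("Hop")), None)
    if start is None:
        raise ValueError("statistics table not found")
    links, prev, pending = [], None, None
    for ln in lines[start + 1:]:
        if (m := LINK.match(ln)):
            pending = (int(m["lost"]), int(m["sent"]))
        elif (m := NODE.match(ln)):
            addr = m["addr"] or m["bare"]
            if prev and pending:
                lost, sent = pending
                links.append({"from": prev, "to": addr, "lost": lost, "sent": sent,
                              "loss_pct": 100.0 * lost / sent if sent else 0.0})
            prev, pending = addr, None
    return links


def lossy_links(report, threshold_pct=5.0):
    """Links whose own loss rate meets the threshold (assumed default: 5%)."""
    return [(l["from"], l["to"], l["loss_pct"]) for l in parse_links(report)
            if l["loss_pct"] >= threshold_pct]


# Statistics table copied from the PathPing report on this page.
REPORT = """\
Computing statistics for 125 seconds...
          Source to Here   This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
 0                                         rly-srv [172.16.87.35]
                                0/ 100 = 0% |
 1 41ms     0/ 100 = 0%      0/100 = 0% tstroute1 [172.16.87.218]
                               13/ 100 = 13% |
 2 22ms    16/ 100 = 16%      3/100 = 3% tstroute2 [192.168.52.1]
                                0/ 100 = 0% |
 3 24ms    13/ 100 = 13%      0/100 = 0% tstroute3 [192.168.80.1]
                                0/ 100 = 0% |
 4 21ms    14/ 100 = 14%      1/100 = 1% tstroute4 [7.54.247.14]
                                0/ 100 = 0% |
 5 24ms    13/ 100 = 13%      0/100 = 0% rly-wxp-pro [7.54.1.196]
Trace complete.
"""

if __name__ == "__main__":
    for src, dst, pct in lossy_links(REPORT):
        print(f"{src} -> {dst}: {pct:.0f}% loss on this link")
```

Reading the link rows rather than the Source to Here column matters here: hops 2 through 5 all show 13 to 16 percent cumulative loss, but only the link between hop 1 and hop 2 contributes it.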

For information about PathPing (as well as the related Ping and Trace Route tools), see “Configuring TCP/IP” on the companion CD and Chapter 24, “Configuring IP Addressing and Name Resolution,” in this book, and Windows XP Professional Help and Support Center. Also, see the TCP/IP Core Networking Guide of the Microsoft Windows 2000 Server Resource Kit.

Additional Resources

These resources contain additional information related to this appendix.

  • Chapter 27, “Understanding Troubleshooting,” in this book, for more information about troubleshooting methodology

  • Chapter 28, “Troubleshooting Disks and File Systems”

  • Chapter 29, “Troubleshooting the Startup Process”

  • Chapter 13, “Working with File Systems”

  • Chapter 12, “Organizing Disks”

  • Chapter 9, “Managing Devices”

  • Chapter 10, “Managing Digital Media”

  • Chapter 14, “Backing Up and Restoring Data”

  • “Configuring TCP/IP” on the companion CD

  • “Common Stop Messages for Troubleshooting” on the companion CD

  • “Overview of Performance Monitoring” in the Operations Guide of the Microsoft Windows 2000 Server Resource Kit for more information about monitoring performance

  • The Driver Development Kits (DDK) link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources