Chapter 1 - Administering Windows NT Systems


From the book Essential Windows NT System Administration by AEleen Frisch. (ISBN: 1565922743). Copyright ©1999 by O'Reilly & Associates, Inc. Reprinted by permission of the publisher.


About System Administration

Like all truly satisfying pursuits, system administration requires both breadth and depth of expertise. I'll invoke a popular metaphor and say that successful system administration involves more than wearing a lot of different hats; you also need to know which one to wear to perform a particular task or solve a particular problem and, equally important, what else you will need to get the job done right. Whatever challenges and frustrations the tremendous variety inherent in system administration may bring, it also keeps the workday interesting.

First-rate system administrators bring three kinds of strengths to their job:

Technical expertise

This includes both a knowledge of the tools and procedures required to keep the system and network operating efficiently and a detailed-enough understanding of how the system's various components work to address the problems that will arise.

While Windows NT is frequently marketed as an operating system that requires little or no system administration, this is an ideal honored more in the breach than in reality. Well-designed system administration tools can go a long way toward making Windows NT systems management easy and painless under normal circumstances--and some of the Windows NT tools come reasonably close to this goal--but realistically, you can expect the unexpected to occur all too frequently.

The bottom line is that someone has to know how things really work: it should be you.

Problem-solving skills

System administrators are distinguished from ordinary users, power users, and operators in that they know what to do when things go wrong. While all these classes of users are comfortable using the system under normal circumstances, only system administrators have to know what to do when things are anything but normal. This doesn't mean you have to know the solution instantly for every problem you encounter. Sometimes you will, but more often what you bring to the situation is a strategy for figuring out what has gone wrong and the tools for fixing it once you have done so.

Ordinary users of Windows NT systems and their associated networks are like ordinary automobile drivers; they know how to start and operate the car, how to add gasoline and when to take it in for periodic preventive maintenance. Power users also know how to change their own oil and spark plugs, when to add water to the radiator, and what to do if the battery dies or a tire goes flat. Operators are like automotive technicians who can carry out a variety of standard procedures--changing the oil and lubricating the engine, checking and replacing the brake pads, and the like--as well as diagnosing and repairing simple problems (e.g., the car won't start because the alternator has failed and needs to be replaced). System administrators are like master mechanics--the only ones who can perform complex operations and diagnose and repair major problems; they can trace the car's tendency to die in cold weather to a carburetor that needs to be rebuilt, and they can go on to rebuild it themselves. They are capable of doing so because they understand how the car's engine works at a deep enough level to track down the specific points of trouble when a problem arises.

If the automotive metaphor doesn't resonate with you, consider this one. Ordinary users are like cooks who can use a bread machine to make a loaf of fresh bread. Power users can use the machine to make several different varieties of bread, and they know how to use the machine to prepare dough for later baking in a normal oven. Operators can also make exotic kinds of bread, including ones requiring significant variations to the standard method of using the machine, and they can adapt recipes to it using the instructions provided with the appliance as a guide. System administrators are like the people who design the procedures for using the bread machine. Because they know what baking bread involves in detail, not only can they create recipes that work well in the bread machine, but they can devise procedures for adapting arbitrary bread recipes for use in the machine, and they can formulate troubleshooting strategies for use when the machine's final product doesn't turn out perfectly.

People skills

Successful system administrators are continually aware that computers are used by people and organizations and that managing them cannot be extricated from this social context. System administration often involves a tension between authority and responsibility on the one hand and service and cooperation on the other. The extremes seem easier to maintain than any middle ground; fascistic dictators who rule "their network" with an iron hand, unhindered by the needs of users, find their opposite in the harried system managers who jump from one user request to the next, in continual interrupt mode.

The trick is to find a balance between being accessible to users and their needs, and sometimes even their mere wants, while maintaining your authority and sticking to the policies put into place for the overall system welfare. The goal is to provide an environment where users can get what they need to do done, in as easy and efficient a manner as possible, given the constraints of security, other users' needs, the inherent capabilities of the system, and the realities and constraints of the human community in which all of them are located.

To put it more concretely, the key to successful, productive system administration is knowing when to address a shortage of disk space on a file server with a command that deletes the 500+ MB of scratch files created in several random directories by one of the system's users and when to walk over to her desk and talk with her face-to-face. The first approach displays technical finesse as well as administrative brute force, and both are certainly appropriate--even vital--at times. At other times, a simpler, less aggressive approach will work better to resolve your system's disk shortage problems as well as the user's confusion. It's also important to remember that there are some problems no Windows NT command can address.

This book provides the information you need in all three of these areas. Even if you're not a full-time system administrator, you'll find that developing these three areas will also serve you well in whatever your primary area of endeavor may be.

The System Administrator's Job

Sometimes it seems that there are as many system administrator job descriptions as there are people doing the job. Although things aren't really quite that random, I find it most helpful to describe system administration in terms of broad, general areas of responsibility:

  • Installing and configuring computer systems and networks, updating them as necessary, and keeping them running properly on a day-to-day basis.

  • Managing users and user accounts, including both the computer-related aspects of creating and maintaining user accounts and systems, and responding to user requests, questions, and problems.

  • Taking care of the peripheral devices attached to the various computer systems (e.g., printers, tape drives, uninterruptible power supplies) as well as adding or removing them as needed.

  • Overseeing regular system backups, which can range from performing backups yourself to designing and implementing a backup plan to be carried out by others under your supervision.

  • Ensuring that the systems and networks for which you are responsible are secure and that valuable or sensitive data is protected from undesired access.

  • Monitoring system and network activity in order to quickly detect any problems related to system security, performance, or general functioning that may arise, and then responding appropriately to anything you may find.

Exactly what each of these areas entails is something that varies a great deal among computer installations, as does the relative amount of emphasis placed on the various areas of responsibility, and of course both change over time. This book covers each of them in detail in an effort to prepare you for whatever you may face, now and in the future.

About Windows NT

O brave new world that has such people in it!
'Tis new to thee.
Miranda and Prospero
The Tempest V.i.183-84

Windows NT is a 32-bit, microkernel-based, preemptive multitasking operating system providing privileged and unprivileged execution modes and compatibility with some legacy programs designed for DOS/Windows 3.1 systems and, to a lesser extent, OS/2 systems and POSIX-compliant systems.

What does this all mean and why should you care? Let's look at each bit of the preceding description individually:

  • A 32-bit operating system, meaning that physical memory is addressed using 32-bit addresses, resulting in a maximum physical address space of 4 GB (2 to 3 GB of which is available to application programs). Most modern operating systems use a 32- or 64-bit design.[1]

    [1] Microsoft has promised 64-bit memory access support for Digital Equipment Corp. Alpha processor-based systems in a future beta release of Windows NT.

  • Built around a microkernel: the program that serves as the central core of the operating system is designed to be as small and efficient as possible. Only the most fundamental and important operating system functions are handled by this small kernel program; most operating system services are implemented by semi-independent secondary subsystems, all controlled by the microkernel. Many modern operating systems are based on a microkernel architecture.

  • Preemptive multitasking means that the operating system[2] is responsible for deciding which process[3] gets to run at any given time and when one process must pause in order to let a different one run. Modern operating systems all use preemptive multitasking. (Indeed, I would argue that this is one of the defining features of any computing environment that can accurately be called an operating system.)

    [2] This portion of the operating system is traditionally known as the scheduler.

    [3] Under Windows NT, the fundamental executable/schedulable entity is actually a thread, not a process. However, we won't worry about this distinction until we consider system performance in Chapter 11.

    The opposite of preemptive multitasking is a scheduling method known as cooperative multitasking (the scheme used by both Windows and MacOS). This scheme gives a running process complete control of the system until it voluntarily gives up control. It is designed for an environment like that of a traditional PC with a single user, where switching between tasks occurs as the user desires. Such an approach seldom works well when a computer system is required to perform multiple tasks simultaneously.

  • Multiple execution modes: Windows NT provides two different modes under which processes may execute: user mode and kernel mode. Kernel mode execution is a privileged mode that allows complete access to every system resource and all of memory and is limited to the operating system itself. In contrast, processes executing in user mode (unprivileged mode) can obtain access to system resources only by making requests to the operating system. Thus, the portions of system memory used by the operating system are protected and can only be accessed by processes running in kernel mode.

    All other processes needing to access any portion of protected memory may do so only via services provided by the operating system; they can never access protected memory directly. The operating system also has the ability to grant or refuse access as appropriate for system integrity, which means that it is very difficult for an application program to corrupt system memory and thereby cause a system failure.

    Some mechanism for restricting application access to system memory (and the memory used by other processes) is a key component of all modern operating systems. Users familiar with traditional personal computer environments such as DOS, Windows 3.1, Windows 95, and Macintosh System 7 and System 8 will realize at once that protected memory is a significant enhancement to the way things work on those systems.

  • Compatibility with some legacy DOS, Windows 3.1, OS/2, and POSIX programs: Windows NT provides subsystems for running many 16-bit DOS and Windows programs and OS/2 programs. The operating system also complies with the POSIX 1 standard, which includes the POSIX application program interface, so POSIX programs can be ported more easily to Windows NT.

While these Windows NT features are important and beneficial, they are not as new and groundbreaking as its marketing tends to imply. In reality, they are essential parts of any viable, high performance operating system designed to address current computing requirements.

The NT acronym is officially translated as "New Technology,"[4] but what is really new about Windows NT is its bringing of real operating system functionality combined with a familiar look-and-feel (user interface) into the traditional personal computer world. It is also helpful to remember that Windows NT is a very young operating system, still developing and evolving, so we shouldn't be surprised when it experiences a few growing pains (and inflicts a few others on its users).

[4] There are other legends about the origin of the name "Windows NT." My favorite takes note of the fact that Microsoft CEO Bill Gates hired David N. Cutler away from Digital Equipment Corp. in 1988 to design a new operating system. Cutler had managed the development of the RSX-11 and VAX/VMS operating systems for Digital. If you increment each of the letters in the string "VMS," you get "WNT." Compare this to the apocryphal legend of the origin of the computer's name in the film 2001: A Space Odyssey : HAL can be formed by decrementing each of the letters in the string "IBM." Windows NT does have many design features in common with VMS, including multiple execution modes, similarity in some filesystem data structures, access control lists, the user rights (privileges) facility, and compatibility subsystems for running applications from the company's previous operating system.

The Windows NT Architecture

Figure 1-1 illustrates the structure of the Windows NT operating system. It is separated into two sections: the upper section containing components that run in user mode and the lower section containing those that run in kernel mode. The heart of the Windows NT operating system consists of the modules running in kernel mode. Although you'll see it referred to by several names, including the "Executive Services" and the "NT Executive," in more common usage, it is simply the operating system kernel.


Figure 1-1: Idealized Windows NT operating system architecture

Most interactions with the computer hardware take place via the Hardware Abstraction Layer (HAL), although some device drivers also directly access the hardware. Isolating hardware access into a separate module allows most of the Windows NT operating system to remain independent of any particular computer architecture, thereby simplifying its ability to support multiple computer platforms and multiprocessor systems (at least in theory).

The core of the Windows NT kernel is the microkernel, which oversees the workings of all of the other modules, and handles communications between them and the HAL. The other components of the kernel each have a single specific area of responsibility:

  • The I/O Manager controls most input and output on the system.

  • The Object Manager creates, modifies, and deletes system objects: data structures corresponding to a specific instance of a resource (for example, a file, a process, or a port). Under Windows NT, most such items are objects.

  • The Security Reference Manager (SRM) is responsible for enforcing system security settings by granting or denying access to objects and system resources upon request from the Object Manager. This process relies on data structures known as security access tokens (SATs).

  • The Process Manager creates and manages system processes. However, process scheduling is handled by the microkernel.

  • The Local Procedure Call Facility is responsible for communication between distinct processes (interprocess communication).

  • The Virtual Memory Manager handles the allocation and use of the system's memory. We'll discuss it in detail in Chapter 11.

  • The Graphics Subsystem provides services required for interfacing to graphical displays. This component became part of the Windows NT kernel with version 4 (previously, it was part of the Win32 subsystem). Note that current "official" Windows NT architecture diagrams don't include it explicitly.

All of these components provide system services: system-level operations and functions available to ordinary (user mode) processes to carry out common tasks.

The components in the upper part of Figure 1-1 all execute in user mode; they can access system resources and memory only via the limited set of unprivileged interfaces provided as system services. Some operating system components run in user mode.

The Win32 Subsystem provides processes with the standard application programming interface (API): a set of standard library subroutines used to perform operations, access resources, and otherwise request system services. All application programs (depicted as ovals in the diagram) eventually interact with this operating system component. 32-bit native Windows NT programs, such as Word 7 and the various Windows NT commands, communicate directly with the Win32 Subsystem.

Compatibility with programs designed for other environments comes via a series of secondary API subsystems. For example, supported POSIX commands communicate with the POSIX subsystem, which in turn interfaces to the Win32 subsystem; supported OS/2 commands are similarly handled by the OS/2 Subsystem.[5]

[5] At least, this is the official position taken by the Microsoft documentation. In some cases, such subsystems make calls to the kernel directly.

DOS and Windows 16-bit applications are handled by a series of nested subsystems (culminating as always with the Win32 Subsystem). The NT Virtual DOS Machine (NTVDM) provides a DOS-compatible environment for DOS programs. 16-bit Windows applications, such as the Write word processing utility provided with Windows 3.1, communicate first with a subsystem designed to handle such applications' 16-bit system calls; these calls are converted to the 32-bit calls used by Windows NT in a subsystem called Windows on Win32 (WOW). These applications also require a NTVDM environment because they also depend on DOS services.

The Windows NT login procedure uses a separate security subsystem in an analogous manner in order to authenticate users at login time.

Implications of the Windows NT design

The "client-server" design philosophy pervades the entire Windows NT environment, from the operating system itself to the simplest tool that it provides; you will need to be aware of it as you learn about administering Windows NT systems. These are its most important implications:

  • Windows NT embodies quite a different view of a multiuser operating system than system administrators coming from non-Windows environments will be used to. Under Windows NT, distinct computer systems are almost always viewed as single user systems. Only one user may be logged in to any given system at a time; only a single user can use a given system's CPU resources interactively (we look at ways to address this deficiency in Chapter 4). Many administrative tools are similarly designed with single system assumptions deeply embedded within them.

    In the Windows NT environment, it is the network that is the true multiuser system. The network is the mechanism through which Windows NT intends multiple users to share all computer resources.

  • The modular design of the Windows NT operating system carries through to the administrative and user facilities that it provides. They tend to be compartmentalized into a large number of tools with limited scopes of action. This approach works well when the underlying system components function independently of the rest of the system, but it can be inconvenient and counterintuitive when related items are arbitrarily separated into separate tools or separate components within tools. It also can result in inconsistencies in the ways that the various tools operate.

  • The design model also implicitly deemphasizes the role of system administration. Once installation and initial configuration is complete, ordinary applications and the operating system are expected to function according to the design's predefined procedures. This works well as long as the situation conforms to what the designer has assumed will be normal conditions. As we know, however, reality takes delight in not corresponding to our expectations. In such cases, one would like the ability to modify the way the operating system works in order to address this discrepancy. Unfortunately, because all the alternatives have not been anticipated in advance by the designers, the hooks for modifying many aspects of Windows NT functioning aren't accessible to system administrators (and often not even to systems programmers).

  • Finally, Windows NT reflects its Windows heritage in giving priority to the graphical user interface (GUI). This means that the primary system administrative tools are all GUI-based. While there are some command-line utilities that perform the same functions, many administrative tools have no command line equivalent. This makes automating system management tasks much more complex.

Windows NT Variations

Windows NT is packaged and sold in two main formats: a server version and a workstation version.[6] The two products are designed for systems with different functions within a network. Workstations are designed to be used primarily by a single user, although they can optionally share their resources with other systems. Servers are designed to provide resources and services to a collection of systems (workstations and possibly other servers) linked together by a local area network; they can provide computing resources and facilities (e.g., database services), disk space, access to printers, networking-related services (e.g., hostname resolution), and the like.

[6] At press time, Microsoft has recently introduced the Enterprise Edition of Windows NT Server which includes built-in clustering support and facilities for running distributed applications.

Windows NT groups computers into collections known as domains, each overseen by a special server system--the primary domain controller (PDC)--possibly assisted by one or more backup domain controllers (also servers).[7] These servers are responsible for user authentication and other related activities. We consider Windows NT domains and domain controllers in more detail in Chapter 3 and Chapter 8.

[7] Windows NT systems may also be part of workgroups, but domains are the native Windows NT facility for organizing groups of computers.

The same kernel is used for both versions of the Windows NT product; it is configured somewhat differently for the two environments. The most important differences are the following:

  • The maximum number of processors in a multiprocessor system supported is two for the workstation version and 32 for the server version.

  • The workstation version is limited to 10 simultaneous client connections for many system services (file sharing, printing, some Internet and web-related services).

  • The server version includes some additional software: several administrative tools for managing domains, the Internet Information Server, various networking name service facilities, and others.

  • Some of the subsystems in the server version provide advanced features not available in the workstation version: for example, fault-tolerant filesystems and remote booting capabilities for diskless workstations.

  • Some parameters related to system performance are set differently in the two products (we'll consider them in Chapter 11).

  • The workstation version costs substantially less than the server version (currently about $700 less for a 10-client license).

For more detailed information about the differences between the Windows NT server and workstation products, consult the works on this topic listed in Appendix B.

Service packs and hot fixes

Major releases of Windows NT products are distributed on CD-ROM. Minor releases between major versions are called service packs. They are updates that must be applied to the basic operating system. Within a major release, service packs are numbered sequentially. Successive service packs are cumulative and include all of the changes from the earlier ones for the same major release.

Warning: You probably don't want to be the first on your block to install a new service pack as soon as it becomes available. I prefer to wait a bit and monitor the Windows NT-related newsgroups in order to allow any problems with it to be identified and solved (in other words, I let other people troubleshoot it for me). Even when you do decide to install a service pack, it is prudent to do so on a test system first, rather than on a critical production system (people who venture beyond the rim of known space should not be surprised if they encounter shadows).

Service packs may be downloaded [8] from the Microsoft FTP site from the directory ; country is the appropriate subdirectory corresponding to the various language-specific versions of the product (use usa as the country for the United States). The actual files to download are located in a subdirectory of nt40, whose name varies but is generally intuitive. For example, the files for Service Pack 3 for the U.S. version are located in the subdirectory ussp3, which in turn contains the subdirectories alpha and i386 that hold the actual service pack files for the corresponding architecture. Thus, the required file for the Intel platform for Service Pack 3 is .../fixes/usa/nt40/ussp3/i386/nt4sp3_i.exe.

[8] Service packs may also be ordered on CD-ROM from Microsoft. The North American version of the latest service pack can be ordered by telephoning (800) 370-8758, faxing (716) 873-0906, or writing to Microsoft NT Service Pack 3, P.O. Box 1095, Buffalo, NY 14240-1095.

Once the download operation has completed, run the executable, from either the command line or the Start menu, or by double-clicking on its icon. This unpacks it to a new subdirectory of C:\Temp (assuming that C: is the system disk) and automatically starts the program Update. Run the executable from the command line with the /X option to unpack it without installing it; you can then run Update manually when desired. Once the service pack is installed, the system must be rebooted.

It's prudent to allow the installation process to create an uninstall directory; that way, you can back out the service pack's changes to the system if problems appear.

Note: Service packs must be reapplied if you add new hardware to the system, install new software (such as a new service or network protocol), or restore a backup created before updating the system.

You can determine the current operating system version via the Version tab in the Windows NT Diagnostics administrative tool (it can be accessed from the Start menu via the path Programs->Administrative Tools (Common)->Windows NT Diagnostics). It is illustrated in Figure 1-2.


Figure 1-2: Windows NT version information

Microsoft also supplies hot fixes to correct specific problems between service packs; hot fixes are usually minor patches to the operating system. In general, you should only install hot fixes that address problems your system is actually experiencing; this caution is necessary because full regression testing is not always completed before a hot fix is released.

Hot fixes may also be downloaded from the Microsoft FTP site. For example, hot fixes to Service Pack 3 are located in subdirectories The ReadMe.Txt file located in each directory explains the purpose of the hot fix and the procedure for obtaining and installing it. Most hot fixes are delivered as self-installing executables, which you can activate by double-clicking on their icon (or running them from the command line). They may also be unpacked without installing by invoking them with the /x option. You can then run the HotFix utility included in the archive to install them at a later time.

Older versions of the HotFix utility may also be invoked with its /Full option (abbreviate to /F), to list the hot fixes that have been installed on a Windows NT system. It also lists the hot fixes installed on a remote system if you include a system name in the command, as in this example that produces a detailed listing of the hot fixes installed on the server vala:

C:\> hotfix \\vala /F

Use the /? option to HotFix to determine if it supports this option.

Administrative Tools

Windows NT provides four classes of administrative tools:

Control panel applets

These utilities are accessed via the Start->Settings->Control Panel menu path or from the Control Panel folder under My Computer (some may also be reached in other ways). They are generally designed to display and modify system configuration settings. These programs typically use tabs to divide the settings they control into several groups.

Administrative wizards

On server systems, these programs provide automated, step-by-step procedures for performing common administrative tasks such as adding new users and setting permissions on files and directories. They are accessed via the Start->Programs->Administrative Tools (Common)->Administrative Wizards menu path or the wizmgr command.

Graphical administrative tools

These tools are found on the Start->Programs->Administrative Tools (Common) menu. Each is designed to manage a specific system or domain component or subsystem.

Command-line tools

Some of the functionality found in the preceding classes is duplicated in Windows NT commands. These commands may be entered directly into the Start->Run... dialog box or via a command window (you can open one by specifying cmd to Start->Run...).

The following subsections introduce the various tools available for administering Windows NT. These tools will be discussed in more detail as they come up in the subsequent chapters of this book (where we will also consider other additional useful programs and utilities beyond those provided with standard Windows NT).

Most tools must be run from an account with Administrator privileges. We discuss the Administrator account in detail in Chapter 3.

Control Panel Applets

Control panel applets allow you to view and modify the configuration of the local system. These are the most important control panel applets from a system administration perspective:


View or set the system date, time, and time zone.


Manage licenses on the local system. On a server, it also allows you to change the Windows NT licensing mode (from per-server to per-seat).


Add, configure, and remove network adapters, protocols, services, and computer identification and the relationships among them.


View and modify the settings for serial ports and add new ports.


A shortcut to the Printers folder, from which you can add, remove, and manage printers and print queues, manipulate print jobs, and configure the printing subsystem.

Regional Settings

Specify how dates, times, numbers, and currency are displayed and sorted.

SCSI Adapters

Add and remove SCSI adapters and display the properties of SCSI devices.


Monitor the system's client usage and shared resources.


Configure and manipulate server processes (including their automatic startup at boot-time).


Display various system characteristics and settings and specify some startup, shutdown, user environment, and performance-related system parameters.

Tape Devices

Manage the system's tape drives.


Manage system interaction with an uninterruptible power supply.

In addition, while the Accessibility Options, Display, Keyboard, Mouse, Multimedia, and Sounds applets are primarily useful for configuring and customizing the associated subsystems for your personal use, they occasionally have administrative uses as well.

Administrative Wizards

The administrative wizards are included on Windows NT server systems. These automated procedures for common administrative tasks can generally be used on either the local computer or on a remote computer (one of the first questions you are asked is the system or domain context under which you want to perform the action). They proceed as a series of dialog boxes requesting the information required to complete the desired action.

There are eight administrative wizards, whose names are generally self-explanatory: Add User Accounts, Group Management, Managing File and Folder Access, Add Printer, Add/Remove Programs, Install New Modem, Network Client Administration (allows you to set up the system as a server for subsequent network installations of Windows NT), and License Compliance (checks a domain for unlicensed products).

Standard Graphical Administrative Utilities

Table 1-1 summarizes the GUI-based system administration tools provided by Windows NT. Each entry lists the name of the utility (which appears on the Start->Programs->Administrative Tools (Common) menu in most cases), the command executable name (by which it may be accessed from the Run menu), and a brief description of its purpose. The "type" column in the table indicates whether each tool is provided by default on server systems (code letter S) and workstation systems (code letter W); the code letters CT indicate a server program that may be installed on a Windows NT workstation as part of a collection of client tools (discussed in a moment).

Table 1-1 Windows NT Administrative Tools







S, W

Backup and restore files.

DHCP Manager



Control the TCP/IP Dynamic Host Configuration Protocol service.

Disk Administrator


S, W

Manage disks and disk partitions.

DNS Manager



Control the TCP/IP Domain Name Service.

Event Viewer


S, W

Monitor hardware, security, and application-related system status messages and errors.

License Manager



Manage software licensing for one or more domains.

Network Client Administrator



Prepare system to provide network-based installation services and administration tools.

Network Monitor



Monitor and record network activity.

Performance Monitor


S, W

Monitor, analyze, and record system usage data relevant to performance optimization.

Registry Editor


S, W

View and modify settings in the system registry.

Remote Access Administrator


S, CT, W

Manage Remote Access Services (dial-up networking).

Remote Boot Manager



Configure remote booting services.

Server Manager



Manage shared resources and services; promote/demote domain controllers.

System Policy Editor



Create and modify system policies, specifying allowed user actions and system access.

Task Manager


S, W

View and manipulate processes.

User Manager



Create and modify local (system-specific) user accounts.

User Manager for Domains



Create and modify domain user accounts.

Windows NT Diagnostics


S, W

View system characteristics and current settings.

WINS Manager



Manage the Windows Internet Naming Service facility.

Most of these tools can be used to configure either the local system or a specific remote system (the latter is usually specified via an option named Select Computer or Select Server or something similar on the application's left-most menu). The Windows NT Server distribution CD contains versions of many of the server tools that may be installed on Windows NT Workstation and Windows 95 systems to enable you to perform system administration tasks on servers remotely.

These programs are installed on a workstation system by executing the Setup.Bat command in the \Clients\Srvtools\WinNT directory on the Windows NT Server distribution CD at the target workstation. The tools will be copied into the C:\WinNT\System32 directory on the workstation. If you want the items to appear in the Administrative Tools (Common) menu, create shortcuts for each of the executables in the C:\WinNT\System32\Profiles\All Users\Start Menu\Programs\Administrative Tools (Common) directory (the quickest way is to drag their icons from the System32 subdirectory to the destination directory; you can rename the shortcuts to their canonical names if you want).

On Windows 95 systems, the procedure is only slightly more involved:

  • Insert the Windows NT Server distribution CD into the CD-ROM drive.

  • Select Start->Settings->Control Panel->Add/Remove Programs->Windows Setup->Have Disk.

  • Enter the path X:\Clients\Srvtools\Win95 (where X: is the appropriate letter for the CD-ROM drive) into the resulting dialog box.

  • Select the Windows NT Server Tools components and select the Install button.

This procedure installs the administrative tools into the \Srvtools directory on the disk containing the Windows 95 directory.

Other Sources of Administrative Tools

There are three other important sources of administrative tools for Windows NT:

  • The Windows NT Resource Kits, sold by Microsoft and consisting of extra documentation and (unsupported) software. There are both workstation and server versions of the Resource Kit. They are available in the computer sections of most larger bookstores, at many retail software stores, and from mail-order hardware and software suppliers. The kits sell for about $55 and $150 for the workstation and server versions, respectively.

    The Resource Kits contain many important administrative programs, and you should consider them a required part of any Windows NT installation. It's unfortunate that there is additional cost associated with them, since their contents really ought to be part of the normal Windows NT products.

  • Freely available software, available for downloading from the Web.

  • Commercial software: trial or demonstration versions are often available on the Web.

The contents of the Resource Kits and the locations of major software repositories are both given in Appendix B.

Introducing the Windows NT Registry

The Windows NT registry is a central database of configuration settings.[9] It serves to replace the scores of initialization (.Ini ) files found on Windows systems. Although Windows 95 contains a similar facility, the Windows NT registry uses a different format and is much more complex.

[9] Readers familiar with AIX will note that the registry performs a function analogous to AIX's Object Data Manager database.

The registry is stored in a series of binary files usually located in the directory C:\WinNT\System32\Config. Logically, the registry is a collection of named keys and their values. Registry keys form the structure of the registry, and are organized hierarchically; locations within the registry are referred to using a syntax analogous to subdirectory pathnames. Values are terminal nodes in the registry tree containing actual system settings (known as data). Put most simply, keys are like directories and values are like files, with data corresponding to file contents.[10] A subtree of keys and values stored together in a single file is known as a hive.

[10] Well, this is almost true. Occasionally, keys have values named "<No Name>" (which have data types and data as usual). In these cases, the value is referred to simply by the key name.

The registry is composed of a series of five tree-structured groups of keys, each headed by a root key: [11]

[11] Hives need not correspond to root keys. A subtree headed by a root key may be stored as one or more hives. This list also ignores the HKEY_DYN_DATA pseudokey (accessible by programs).

  • HKEY_CLASSES_ROOT: definitions of known system file types and OLE classes

  • HKEY_USERS: configuration data for the default and defined user accounts

  • HKEY_LOCAL_MACHINE: local system configuration data

  • HKEY_CURRENT_USER: a pointer into the HKEY_USERS tree for the currently logged in user

  • HKEY_CURRENT_CONFIG: a pointer into the HKEY_LOCAL_MACHINE\System\CurrentControlSet subtree for the current system configuration

You will typically access keys only within the HKEY_USERS and HKEY_LOCAL_MACHINE trees.

Registry key values have one of 11 data types. Here are those you're likely to encounter:

  • REG_BINARY: binary data

  • REG_DWORD: integer data (often displayed in hexadecimal notation)

  • REG_SZ: character string values

  • REG_MULTI_SZ: a list of character strings (appearing one per line in the Registry Editor)

  • REG_EXPAND_SZ: a character string value containing expandable parameters (variables replaced by their actual values when the key is used)

The other defined data types are:

  • REG_DWORD_BIG_ENDIAN: also holds a 32-bit integer, high byte first

  • REG_FULL_RESOURCE_DESCRIPTOR, REG_RESOURCE_LIST, and REG_RESOURCE_REQUIREMENTS_LIST: complex data types for hardware configuration and system resource data (such keys are not editable)

  • REG_LINK: a pointer (quasi-symbolic link) to another location within the registry

  • REG_NONE: used for untyped data

Using the Registry Editor

Ideally, you shouldn't have to worry about the system registry or modify the values of any of its settings. However, as of the current version of Windows NT, this ideal is far from achievable; there are many system features that are accessible in no other way. While it is a bad idea to make random, experimental, or gratuitous changes to the registry, from time to time you will need to modify registry entries for a variety of reasons: to change the way the system functions, to correct a problem, or to add or modify keys or values to enable additional system features.

Windows NT provides a utility known as the Registry Editor for accessing and modifying the registry: regedt32.[12] By default, neither an icon for this tool nor an entry in the Administrative Tools (Common) menu is present, but you can always create them. The Registry Editor is a powerful tool that requires care when used. Microsoft's standard message about it (see the following Warning) is worth paying attention to.

[12] The Windows 95 utility, RegEdit, is also included. It has a more powerful searching facility than the Windows NT utility.

Note: "Using Registry Editor incorrectly can cause serious, systemwide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk." [Microsoft Corp.]

Prudent use of the Registry Editor involves several activities:

  • Back up the registry files before you begin (this process is discussed in Chapter 7).

  • Be sure that you have a bootable, saved configuration that you can fall back on if necessary (discussed in Chapter 2).

  • Plan your actions before you undertake them and test them afterward.

  • Use the Registry Editor with care. Keep in mind that changes to the registry are immediate and that there is no undo command. Use the utility in read-only mode (Options->Read Only Mode) when you just want to examine registry entries.

  • Keep records of the changes you have made.

Figure 1-3 illustrates the process for changing an existing registry value: you select the window for the desired root key in the Registry Editor and then navigate to the desired key by selecting successive items in the left side of the browsing window. The values and associated data stored at the current location appear in the right side of the window; values and data are separated by colons.[13]

[13] If your window is missing one of these sections, select View->Tree and Data.


Figure 1-3: Using the Windows NT Registry Editor

To modify a value, double-click on its entry in the right side of the browsing window. A dialog box appears containing the current setting, which you can modify as necessary (note that the value's data type is indicated in the dialog box's titlebar). For example, the illustration changes the HKEY_USERS\.DEFAULT\Desktop\ScreenSaveTimeOut value from 60 to 10 (seconds in this case). Once you click OK to close the dialog box, the change is made immediately. Use the Cancel button to abandon any changes.
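Because registry changes take effect immediately and cannot be undone, the advice to keep records of them can be automated by comparing a text export taken before a change with one taken afterward, decoding each value according to the data types listed earlier. The following Python is an added example, not code from the book or from Microsoft. It assumes exports in the REGEDIT4 text format (string data inside hex values taken as ANSI, or UTF-16LE for version 5 files); the two sample exports, including the HKEY_LOCAL_MACHINE\SOFTWARE\Example key, are constructed.

```python
import re

# Registry type numbers, as used in hex(N): data. Bare hex: means REG_BINARY (3).
TYPE_NAMES = ["REG_NONE", "REG_SZ", "REG_EXPAND_SZ", "REG_BINARY", "REG_DWORD",
              "REG_DWORD_BIG_ENDIAN", "REG_LINK", "REG_MULTI_SZ",
              "REG_RESOURCE_LIST", "REG_FULL_RESOURCE_DESCRIPTOR",
              "REG_RESOURCE_REQUIREMENTS_LIST"]
NO_NAME = "<No Name>"  # a key's unnamed value, written as @ in an export
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r"^hex(?:\(([0-9a-f]+)\))?:(.*)$", re.I)

def unescape(s):
    # Exports escape backslash and double quote inside quoted strings.
    return re.sub(r"\\(.)", r"\1", s)

def decode_data(raw, enc):
    """Convert the text after '=' into a (type_name, value) pair."""
    if raw.startswith('"'):
        return "REG_SZ", unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        raise ValueError("unrecognized value data: %r" % raw)
    type_no = int(m.group(1), 16) if m.group(1) else 3
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    name = TYPE_NAMES[type_no] if type_no < len(TYPE_NAMES) else "type %d" % type_no
    if type_no in (1, 2):  # one string, NUL-terminated
        return name, data.decode(enc, "replace").rstrip("\0")
    if type_no == 7:  # list of NUL-terminated strings
        return name, [s for s in data.decode(enc, "replace").split("\0") if s]
    if type_no in (4, 5) and len(data) == 4:
        return name, int.from_bytes(data, "little" if type_no == 4 else "big")
    return name, data  # binary and hardware-resource types stay as bytes

def parse_reg(text):
    """Parse export text into {key_path: {value_name: (type_name, value)}}."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join continued hex lines
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Assumption: REGEDIT4 files hold ANSI strings, version 5 files UTF-16LE.
    if lines and lines[0] == "REGEDIT4":
        enc = "cp1252"
    elif lines and lines[0].startswith("Windows Registry Editor Version 5"):
        enc = "utf-16-le"
    else:
        raise ValueError("not a registry export")
    tree, key = {}, None
    for ln in lines[1:]:
        if ln.startswith(";"):  # comment line
            continue
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            tree.setdefault(key, {})
            continue
        m = VALUE_RE.match(ln)
        if not m or key is None:
            raise ValueError("cannot parse line: %r" % ln)
        name = NO_NAME if m.group(1) == "@" else unescape(m.group(1)[1:-1])
        tree[key][name] = decode_data(m.group(2), enc)
    return tree

def diff_reg(before, after):
    """Return (change, key, value_name, old, new) records, sorted by key."""
    changes = []
    for key in sorted(set(before) | set(after)):
        if key not in before or key not in after:
            kind = "key added" if key in after else "key removed"
            changes.append((kind, key, None, None, None))
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old != new:
                kind = ("value added" if old is None else
                        "value removed" if new is None else "value changed")
                changes.append((kind, key, name, old, new))
    return changes

# Constructed sample exports (not taken from a real system).
BEFORE = r"""REGEDIT4

[HKEY_USERS\.DEFAULT\Desktop]
"ScreenSaveTimeOut"="60"

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Servers"=hex(7):61,6c,70,68,61,00,62,\
  65,74,61,00,00
"""
AFTER = (BEFORE.replace('"60"', '"10"').replace('"batfile"', '"txtfile"') +
         "[HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor]\n"
         '"CompletionChar"=dword:00000009\n')

if __name__ == "__main__":
    for record in diff_reg(parse_reg(BEFORE), parse_reg(AFTER)):
        print(record)
```

Each record names the key, the value, and the typed old and new data, which is the information a change log needs in order to reverse an edit by hand.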

The Registry Editor may also be used to add new keys and values to the registry via these two options on its Edit menu:

Edit->Add Key

Adds to the structure of the registry only, by creating a new subkey of the current key. The Registry Editor prompts you for the name of the new key.

Edit->Add Value

Adds a value (a terminal leaf) to the current key in the registry. The Registry Editor prompts you for the value name, its data type, and the desired data setting.

Registry keys have owners and access permissions just like files and directories do. We'll consider them in Chapter 10.

The Registry Editor is an easy way to change the value of a particular registry setting (or to add a new one). Sometimes, though, you will want to find a registry component whose name you don't know. The Resource Kit provides the scanreg utility for searching registry key names, value names, and value data for strings; it is a command line utility with the following syntax:

scanreg -s string  scope-options  [other-options]

One or more options specifying the items to be searched must be included: -k says to scan key names, -v searches value names, and -d scans the data. For example, the following command searches all key and value names for the string "cd":

C:\ > scanreg -s cd -kv
Key   : "\Software\Microsoft\Multimedia\Audio\WaveFormats"
Value : "CD Quality"
End of search: 1 matching string(s) found.

The Resource Kit includes a help file that documents registry keys and values. The file is named RegEntry.Hlp, and it may be searched using the normal Help facility methods.

Tips and Tricks for the Windows NT User Interface

We'll end our discussion of system administration tools with a brief consideration of some power tips for the Windows NT user interface, the sorts of things that take a while to figure out or stumble across on your own.

Know your desktop

  • SHIFT-click in a window's close box (the X in its upper right corner) to close the window and its parents.

  • Right-clicking--clicking with the right mouse button--on most items brings up a context-specific menu of operations for that item, including its Properties; this menu is known as the shortcut menu. This works on files, desktop icons, the desktop itself, and many other entities you will encounter.

    For example, use the Properties of MyComputer to access system properties and the Properties of the desktop for display properties. Access the Properties of the taskbar to set its properties and to change the Start menu for all users; other items on the taskbar's right-click menu manipulate all open windows.

  • ALT-double-clicking with the left mouse button immediately opens an item's Properties. Pressing ALT-ENTER when the item is selected does the same thing.

  • Use CTRL-TAB to move between the various tabs in a multipanel dialog box; CTRL-SHIFT-TAB cycles among them in reverse order.

  • Use the icons in the tray in the lower-right corner of the taskbar to access many control panels and other tools. For example, hold the mouse over the time in the tray to get the date. Right-click on it to set the date and time.

  • CTRL-ESC brings up the Start menu.

  • Use the Start->Run... menu path to access directories and files quickly by entering the desired location in its dialog box. Entering a directory name displays that directory. Entering a filename opens it in the appropriate application program or runs the file itself, if it is executable.

  • Customize the Start menu by dragging and dropping things on it, using the Start->Settings menu item, or by adding the desired items to the Programs folder (or one of its subfolders) in C:\WinNT\Profiles\AllUsers\Start Menu or C:\WinNT\Profiles\username\Start Menu (to modify the systemwide or a single user's Start menu, respectively).

  • Select an item, then SHIFT-right-click on it to get a context menu, including an Open with option, which allows you to specify the application program with which to open it. For example, select a file, then SHIFT-right-click on it and enter E W O RETURN to open a file with Wordpad.

  • You can start the Find Files or Folders facility (located on the Start menu) by pressing the F3 key from the desktop (if you are in an application, click on the desktop and then press F3 to open it).

  • On keyboards that include the new Windows key (adjacent to each ALT key), there are additional keyboard shortcuts available, including:

    • WIN-R opens the Run dialog box.

    • WIN-F immediately opens the Find Files or Folders facility.

    • WIN-M minimizes all currently open windows, and WIN-SHIFT-M undoes a WIN-M operation.

    • WIN-Break opens the System Properties dialog box.

    In general, WIN-x selects the desktop items whose names begin with the specified letter, when that key combination is not already defined. Once an item is selected, pressing ENTER opens it, and ALT-ENTER opens its Properties.


  • You can specify whether or not a new window is opened every time you change folders when browsing via the View->Options->Folder path from any browse window.

  • Holding down the CTRL key when you double-click on a folder to open it reverses whatever setting is in effect for the current operation.

  • SHIFT-double-clicking when browsing opens folders in Explorer view instead of the normal browsing view.

  • The backspace key moves up one directory level when browsing.

  • Hold down the CTRL key to select multiple, nonadjacent items within a browsing window.

  • SHIFT-DELETE bypasses the recycle bin for the currently selected files. You can also make this the default behavior by right-clicking on the Recycle Bin and modifying its Properties.

  • Customize browse windows' File->Send To menu (Send To is repeated on the shortcut menu) by adding items to the folders named SendTo, located in C:\WinNT\Profiles\DefaultUser or C:\WinNT\Profiles\username. Right-drag items to a folder to add them to the Send To menu for subsequently created users or the specified current user. Be aware that program executables will need to be in the user's path in order to be accessible. On a workstation, simply modify the SendTo folder in C:\WinNT.

Working with files and directories

  • Hold down the CTRL key while dragging an item to force a copy operation.

  • Right-drag an item to its new location to get a menu of options: Create Shortcut, Move, Copy, Cancel.

  • View a folder's Properties to view total number and size of files in a subtree.

  • Open MyComputer and click on a disk to see its total capacity and remaining free space (displayed at bottom of window).

  • View a disk's Properties to display its current used and free space.

  • If you change the value of the registry key HKEY_CLASSES_ROOT\.bat from "batfile" to "txtfile," double-clicking on a .BAT file edits it rather than running it. Similarly, changing the value of the key HKEY_CLASSES_ROOT\.cmd from "cmdfile" to "txtfile" does the same thing for command files (.CMD is the conventional extension for Windows NT script files).

Using and customizing the command window

  • Open a command window by running the cmd command in the Start->Run... dialog box.

  • Use the Tab key for filename completion within command windows. When entering a command, if you type the first couple of letters of a file or directory name and then press the Tab key, Windows NT fills in the remainder of the name for you automatically (try it!)[14]. If more than one name matches the characters entered so far, then the first matching item is used. In this case, use the arrow keys to cycle through the list of matching items.

    [14] If it doesn't work, it's easy to enable it: the character used for filename completion is controlled by the CompletionChar value of the HKEY_CURRENT_USER\Software\Microsoft\Command Processor registry key. The Tab key corresponds to a setting of 0x9. You can specify a different key by setting it to the ASCII character number for the desired key (in hex). Changes to this setting apply to subsequently created command windows.

  • Right-click its upper-left corner when the window is open, and select Properties to change its default size, appearance, and functioning:

    • The Layout panel sets the default window size and buffer size (number of remembered previous lines).

    • The Options panel sets command history length, allows you to select insert mode as the default command editing mode, and enables quick edit mode to cut and paste text within command windows. In this mode, you highlight the desired text with the left mouse button and click the right mouse button to copy it to the buffer. You can subsequently paste the saved text at the current cursor location by right-clicking. You can also use the Edit submenu on the shortcut menu for these operations.

    • Other panels let you select the fonts and colors used in command windows.

    • Select Save properties for future windows with same title upon exiting the Properties dialog box to make your selections the new command window defaults. They're in effect whenever you open a command window with the cmd command.

The Windows NT Filesystem

Windows NT uses a substantially more compact filesystem[15] tree for its system files than many other operating systems. It includes the following directories at the top level of the system disk (usually C:):

[15] Here, we use the term filesystem to refer to the aggregate of all of the disk partitions--the entities that get assigned drive letters--and the entire directory trees that they hold, in other words, everything under C:\, D:\, and so on for every partition on the system. This same term is also used to refer to a formatted disk partition, as in "the Disk Administrator is used to create a filesystem on the new partition" or "The NTFS filesystem type has many advantages over the FAT filesystem." Which use of the term "filesystem" is meant will always be clear from the context.

\Program Files

Subdirectories hold some Windows NT executables. Application programs often install files under this directory by default.


Scratch directory used for temporary files.


Top-level directory for the Windows NT system files. The built-in environment variable %SystemRoot% points to the drive and directory at the top of the Windows NT file tree; its usual value is thus C:\WinNT.[16]

[16] I haven't worried about this distinction in previous sections. However, we will use the canonical terminology from this point on.

These are the most important subdirectories of %SystemRoot%:


User profiles subdirectories (user profiles specify the user's Windows NT environment).


Windows NT command executables, dynamic link library files (DLLs), and some configuration files.

System32\Config

Registry files, event logs, and user accounts database.

System32\Drivers

Device drivers.

System32\Spool

Print spooling subsystem files.

System32\Repl

Directory replication service (a facility for automatically synchronizing the filesystems of several computer systems) top-level directory.


TrueType and other font files.


Files required for creating an emergency repair disk.


Windows NT help files.


Windows 95 files are located here (and in %SystemRoot% itself) if it is also installed on the computer. This directory is also used by some legacy 16-bit applications.

Windows NT Network File Naming Conventions

Windows NT uses a notation for specifying the location of network files and directories known as the uniform naming convention (UNC).[17] Within a Windows NT domain, the full pathname for a file may be given as:

[17] Sometimes referred to as the universal naming convention.


Host is the name of the system where the file resides, and share_name is the name by which a specific directory location on that host is made available as a network resource. These two items are followed by a path to the file from that point. You will see this notation, and subsets of it, throughout the rest of this book.

Never Forget That It's a PC

When I started as a system administrator, no one I knew ever dared to open up one of the computers and start messing with things inside (although many of us would have liked to). New peripheral devices were attached to the outside of the computer, and all hardware maintenance was handled by the computer vendor's field service technicians.

Managing Windows NT systems is nothing like this.[18] Working with the computer hardware is a large part of the job, and getting familiar with the inside of the chassis is an essential part of becoming a proficient system administrator. People coming from other PC-based environments will be aware of this already. However, some UNIX system administrators and people coming from environments dominated by mainframes will have a bit of adjusting to do.

[18] Except perhaps on high-end Alpha servers.

While many Windows NT system administrators are capable of building computers from their basic components (motherboard, disk drives, power supply, and so on), it is not necessary to go this far if you don't want to. In practical terms, what you need to be able to do is to add new components--most often, new devices and their required controllers--to the system unit of a Windows NT computer and reconfigure existing components as required for compatibility with the new items. We'll discuss the specifics of adding various peripherals and their controllers at many points later in the book. For now, we will consider the hardware characteristics of generic PC devices of which you need to be aware.

Devices use several parameters for communicating with the computer's CPU:

Interrupt request numbers (IRQs)

A series of standard signals used by devices to request attention from the CPU. In general, only one device should be assigned to each IRQ.

I/O port addresses

Sections of system memory used by devices. I/O address ranges must be uniquely assigned and must not overlap.

DMA channels

Allow devices to communicate directly with memory without using the CPU. Each DMA channel should be assigned to one device. Some devices consume two or more DMA channels (e.g., sound cards).

System memory addresses

These correspond to sections of system memory above the canonical DOS 640-KB limit and are used occasionally by devices requiring more system memory. System memory address ranges must be uniquely assigned and must not overlap.

Windows NT has no "Plug-n-Play" capability at present, so most devices must be configured manually. IRQ conflicts are the most common problem you will encounter, followed by I/O address conflicts. Table 1-2 lists common IRQ assignments.

Table 1-2 Common IRQ Assignments


Common Use


System timer




Cascade: switch over to 2nd IRQ controller


COM2, COM4 (2nd and 4th serial ports)


COM1, COM3 (1st and 3rd serial ports)


LPT2 (2nd parallel port)


Floppy disk controller


LPT1 (1st parallel port)


Real-time clock


Redirected IRQ2


PS/2 mouse port


Math coprocessor error signal


IDE hard disk controller

Thus, IRQs 10, 11, and 15 are generally available for you to assign to new devices. It is also possible to reassign the IRQs for serial and parallel ports the system is not using, provided that you disable the port in the system's (power-on) hardware setup program first. If your system contains only SCSI disks (including the CD-ROM drive), then IRQ 14 is also available.

Network cards often use IRQ 10 or IRQ 3. SCSI adapters often use IRQ 11.

Note: It's a good idea to keep records of the hardware settings for important computer systems.
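The assignment rules described in this section (one device per IRQ and per DMA channel, no overlapping I/O port or system memory ranges) can be checked mechanically against the hardware records you keep. The following Python is an added example, not from the book; the inventory layout, the device names and every setting in it are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed inventory: each device lists the resources it has been assigned.
# Address ranges are inclusive (first, last) pairs.
DEVICES = [
    {"name": "COM2", "irq": [3], "io": [(0x2F8, 0x2FF)]},
    {"name": "Network card", "irq": [3], "io": [(0x300, 0x31F)]},
    {"name": "SCSI adapter", "irq": [10], "io": [(0x330, 0x333)],
     "mem": [(0xD0000, 0xD3FFF)]},
    {"name": "Sound card", "irq": [5], "io": [(0x220, 0x22F), (0x330, 0x331)],
     "dma": [1, 5]},
]


def exclusive_conflicts(devices, field):
    """Return {value: [device names]} for IRQs or DMA channels claimed twice."""
    owners = defaultdict(list)
    for dev in devices:
        for value in dev.get(field, []):
            owners[value].append(dev["name"])
    return {v: names for v, names in sorted(owners.items()) if len(names) > 1}


def range_conflicts(devices, field):
    """Return (device, device, first, last) for each overlapping address range."""
    claims = sorted((lo, hi, dev["name"])
                    for dev in devices for lo, hi in dev.get(field, []))
    hits = []
    for (lo1, hi1, n1), (lo2, hi2, n2) in combinations(claims, 2):
        # Claims are sorted by start address, so lo1 <= lo2: the two ranges
        # overlap exactly when the later one starts before the earlier one ends.
        if lo2 <= hi1 and n1 != n2:
            hits.append((n1, n2, lo2, min(hi1, hi2)))
    return hits


def audit(devices):
    """Apply all four uniqueness rules and collect the violations."""
    return {
        "irq": exclusive_conflicts(devices, "irq"),
        "dma": exclusive_conflicts(devices, "dma"),
        "io": range_conflicts(devices, "io"),
        "mem": range_conflicts(devices, "mem"),
    }


if __name__ == "__main__":
    report = audit(DEVICES)
    for irq, names in report["irq"].items():
        print("IRQ %d shared by: %s" % (irq, ", ".join(names)))
    for n1, n2, lo, hi in report["io"]:
        print("I/O 0x%X-0x%X claimed by both %s and %s" % (lo, hi, n1, n2))
```

In the constructed inventory the network card collides with a still-enabled COM2 on IRQ 3, and the sound card's second I/O range falls inside the SCSI adapter's.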

The Windows NT Diagnostics (winmsd) administrative tool's Resources panel can be used to determine most settings in use on the current system. Use the buttons at the bottom of the panel to select the setting type to examine. Figure 1-4 shows a typical IRQ listing. Not all standard system IRQs are included in the listing, but the display is still useful for determining the assignments of devices that have been added to the system. This system has a network card using IRQ 3 and a SCSI controller using IRQ 10.


Figure 1-4: System IRQ setting display in the Windows NT diagnostics tool

On Intel systems, I often find it helpful to test and configure new devices by booting the computer with a DOS diskette prior to attempting to install them under Windows NT. The diagnostic and configuration programs provided with many devices by their manufacturers generally run only in the DOS environment. I've also learned the hard way to make sure that a new device actually works before telling Windows NT about it. You can probably guess how: I spent what seemed like hours trying to debug the Windows NT settings for a device that turned out to be just plain broken; nonfunctioning new devices are many times more common in the PC world than they are for larger computer systems.

Other tabs in the diagnostics utility display additional useful information about the system. For example, the System tab lists the processor type and BIOS revision dates, the Memory tab displays the amount of physical memory on the system and statistics about current memory usage, and the Drives tab lists system and network disk resources.

Use the utility's Print button to print out some or all of this system configuration information or to save it to a text file (you will be prompted for the desired destination).

Windows NT also provides a hardware detection facility known as NTHQ (for NT Hardware Query). NTHQ is included on the Windows NT distribution CD in the directory \Support\HQTool. In order to use this facility, complete the following steps:

  • Copy the files in that directory to a convenient location on a hard disk.

  • Insert a blank floppy disk into the diskette drive.

  • Run MakeDisk.Bat, which copies the NTHQ image file to the floppy disk, creating a bootable diskette.

  • Boot the system with the new diskette.

Once NTHQ comes up, you can use it to determine the settings of all hardware devices on the system, to determine any parameter conflicts and to perform some limited functionality testing.
