Page Six ...back it up before you break it! 

...select an «Item number» to view a topic, «Title number» to return.
«Item 141» How To Create a Boot Disk for an NTFS or FAT Partition
«Item 142» Definition of System and Boot Partition
«Item 143» Moving the Windows Default Paging and Spool File
«Item 144» Cannot Scroll When a Command is Run in Full Screen Mode
«Item 145» Service Control Manager Event 7024 (2270)
«Item 146» How to Remove Files with Reserved Names
«Item 147» Setting Up a Network News Transfer Protocol (NNTP) Server
«Item 148» How NTFS Reserves Space for its Master File Table (MFT)
«Item 149» The Lmhosts File for TCP/IP in Windows
«Item 150» Make "Portqry.exe" Only Report Listening Ports
«Item 151» How to Use the "RestrictAnonymous" Registry Value
«Item 152» System Information (Msinfo32.exe)
«Item 153» The NETSTAT.EXE Command
«Item 154» NETSTAT -an Displays TCP and UDP When Only UDP Is Bound To the Socket
«Item 155» Missing COMMAND.COM Causes Hidden Console Error
«Item 156» How to Remove Linux and Install Windows on Your Computer
«Item 157» Description of Advanced Disk Properties Features
«Item 158» How to Eliminate a Process That Is Not Responding
«Item 159» Task Killing Utility (Kill.exe)
«Item 160» Situations in Which Windows May Not Start in Safe Mode
«Item 161» FreeWare Utility «» AutoRuns and LoadOrder
«Item 162» NTDetect Fails When Computer Starts
«Item 163» How to Write an LMHOSTS File
«Item 164» Troubleshooting LMHOSTS Name Resolution Issues
«Item 165» How to Locate and Correct Disk Space Problems on NTFS Volumes
«Item 166» Dynamic vs. Basic Storage in Windows 2000
«Item 167» Diagnose System Problems with Event Viewer
«Item 168» Windows 2000 Professional Resource Kit Tools
«Item 169» Boot Error Message
«Item 170» FreeWare Utility «» InCtrl5

«141» How To Create a Boot Disk for an NTFS or FAT Partition

The Microsoft Knowledge Base Article ID: 301680 contains a step-by-step procedure which describes how to create a boot disk for Microsoft Windows NT or Microsoft Windows 2000 to access a drive with a faulty boot sequence on an Intel-based computer.

«142» Definition of System and Boot Partition

The names commonly used for the partitions containing Windows 2000 startup and operating system files, however unintuitive they may seem, are for the system and boot partitions, respectively. Microsoft defines these terms as follows:

System Partition:

The system partition refers to the disk volume containing hardware specific files needed to boot Windows NT/2000 (NTLDR, BOOT.INI, and so on). On Intel x86-based machines, it must be a primary partition that has been marked active. On x86 machines, this is always drive 0, the drive the system BIOS searches during system boot for the operating system.

Boot Partition:

The boot partition contains the Windows NT/2000 operating system files (usually \WINNT) and it support files (usually \WINNT\SYSTEM32). It can be the same partition as the system partition.

[ Article ID: 100525 ]

«143» Moving the Windows Default Paging and Spool File

Microsoft Knowledge Base Article ID: 123747 describes how to move the Paging file and Print Spooler to another hard disk. You may want to do this if you install a new hard disk that is faster than the hard disk currently storing your paging and print spooler files.

«144» Cannot Scroll When a Command is Run in Full Screen Mode

When you run a command within an MS-DOS shell (that is, at a Command prompt) in Full Screen mode, scrolling does not work. This behavior can occur because Windows XP and Windows 2000 do not support command-window scrolling in Full Screen mode.

To resolve this behavior, set the Command prompt to open in a Window instead of in Full Screen mode:

1. Click Start on the taskbar, click Run, type cmd, and then click OK to start a Command prompt.
2. Press ALT+TAB to switch to another window.
3. On the taskbar, right-click the task that is associated with the Command prompt, and then click Properties..
4. In the Cmd.exe Properties dialog box:

a. On the Options tab, click Window.
b. On the Layout tab, specify the window and buffer size that you want to use.
c. Click OK.

5. When a prompt appears, specify whether you want to save the settings only for this particular usage of the Command prompt or also for subsequent usage.

Microsoft states that this behavior is by design.

[ Article ID: 304805 ]

«145» Service Control Manager Event 7024 (2270)

During the startup process, you may see the following error message:

At least one service or driver failed during system startup.
Use Event Viewer to examine the event log for details.

Event Viewer shows Service Control Manager event number 7024. This is described as: "The Messenger service terminated with service-specific error 2270."

Further information is available by using the net helpmsg command. Error message 2270 is described as:

The computer name could not be added as a message alias. The name may already exist on the network.

This behavior occurs when the computer's name is not unique on the network. Sometimes a computer will be given a name that is also a user name.

The Messenger service functions by listening to the network for messages that are directed to a set of aliases. The list of aliases consists of the computer name, the user name of the current user, and any aliases that are added by using the net name command. If there are no users logged on, the only alias that Messenger can listen to is the computer name. Therefore, Messenger always expects to be able to add the computer name, during the startup process, as an alias to listen to. If this name already exists on the network (because it was added on another computer), Messenger is unsuccessful in adding that name, and does not start.

To resolve this problem rename the computer to a unique name by using the Network tool in Control Panel. The next time you start the computer, the error message should not appear.

[ Article ID: 101355 ]

«146» How to Remove Files with Reserved Names

Because applications control the policy for creating files in Windows, files sometimes are created with illegal or reserved names, such as LPT1 or PRN. The following explains how to delete such files using the standard user interface.

If the file was created on a file allocation table (FAT) partition, you may be able to delete it under MS-DOS using standard command line utilities (such as DEL) with wildcards. For example:

~ DEL PR?.*
~ or ~
~ DEL LPT?.*

These commands do not work on an NTFS partition as NTFS supports the POSIX subsystem and filenames such as PRN are legal under this subsystem. However, the operating system assumes the application that created them can also delete them; therefore, you can use commands native to the POSIX subsystem.

You can delete (unlink) these files using a simple, native POSIX application. For example, the Windows Resource Kit includes such a tool, Rm.exe.

NOTE: POSIX commands are case sensitive. Drives and folders are referenced differently than in MS-DOS. Windows 2000 and later POSIX commands must use the following usage syntax:

posix /c <path\command> [<args>] IE: posix /c c:\rm.exe -d AUX.

Usage assumes Rm.exe is either in the path, or the current folder:

rm -d //driveletter/path using forward slashes/filename

For example, to remove a file or folder named COM1 (located at C:\Program Files\Subdir in this example), type the following command:

rm -d "//C/Program Files/Subdir/COM1"

To remove a folder and its entire contents (C:\Program Files\BadFolder in this example), type the following command:

rm -r "//C/Program Files/BadFolder"

Another option is to use a syntax that bypasses the normal reserve-word checks altogether. For example, you can possibly delete any file with a command such as:

DEL \\.\driveletter:\path\filename

For example:

DEL \\.\c:\somedir\aux

[ Article ID: 120716 ]

«147» Setting Up a Network News Transfer Protocol (NNTP) Server

Knowledge Base Article ID: 308162 provides step-by-step instructions for setting up a Network News Transfer Protocol (NNTP) server on a Windows 2000 Server-based computer.

Microsoft NNTP Service implements NNTP, with which you can create newsgroups and host discussion groups on a server. By using any standard news reader client (such as Microsoft Outlook Express), users in your organization can read articles from others who have similar interests, post articles to other users, and participate in conversation threads.

«148» How NTFS Reserves Space for its Master File Table (MFT)

The NTFS file system contains at its core, a file called the master file table (MFT). There is at least one entry in the MFT for every file on an NTFS volume, including the MFT itself. Because utilities that defragment NTFS volumes cannot move MFT entries, and because excessive fragmentation of the MFT can impact performance, NTFS reserves space for the MFT in an effort to keep the MFT as contiguous as possible as it grows.

NTFS uses MFT entries to define the files to which they correspond. All information about a file, including its size, time and date stamps, permissions, and data content is either stored in MFT entries or in space external to the MFT but described by the MFT entries. (Directory entries, external to the MFT, also contain some redundant information regarding files. But a full discussion of all the structures on NTFS is beyond the scope of this document.)

As files are added to an NTFS volume, more entries are added to the MFT and so the MFT increases in size. When files are deleted from an NTFS volume, their MFT entries are marked as free and may be reused, but the MFT does not shrink. Thus, space used by these entries is not reclaimed from the disk.

Because of the importance of the MFT to NTFS and the possible impact on performance if this file becomes highly fragmented, NTFS makes a special effort to keep this file contiguous. NTFS reserves a percentage of the volume for exclusive use of the MFT until and unless the remainder of the volume is completely used up. Thus, space for files and directories is not allocated from this MFT zone until all other space is allocated first. Depending on the average file size and other variables, either the reserved MFT zone or the unreserved space on the disk may be used up before the other as the disk fills to capacity.

Volumes with a small number of relatively large files exhaust the unreserved space first, while volumes with a large number of relatively small files exhaust the MFT zone space first. In either case, fragmentation of the MFT starts to take place when one region or the other becomes full. If the unreserved space becomes full, space for user files and directories starts to be allocated from the MFT zone competing with the MFT for allocation. If the MFT zone becomes full, space for new MFT entries is allocated from the remainder of the disk, again competing with other files.

To better accommodate volumes that must hold a large number of small files a new Registry parameter has been introduced that can increase the percentage of a volume that NTFS reserves for its master file table.NtfsMftZoneReservation is a REG_DWORD value that can take on a value between 1 and 4, where 1 corresponds to the minimum MFT zone size and 4 corresponds to the maximum. If the parameter is not specified or an invalid value is supplied, NTFS uses a default value of 1 for this parameter. The exact ratios that correspond to each setting are undocumented because they are not standardized and may change in future releases. In order to know what setting is best for your environment, it may be necessary to experiment with different values.

To determine the corrent size of the MFT on a Microsoft Windows 2000 or Windows XP-based computer, use Disk Defragmenter to analyze the NTFS drive, and then click View Report. This displays the drive statistics, including the current MFT size and number of fragments. The Disk Defragmenter displays "green" for what is called "system files" and on an NTFS formatted volume this is simply the combination of the MFT, pagefile.sys (if one exists on this volume) and what is called the "MFT Zone" or reserved space for "MFT Expansion". The defragmentation report only displays information about the pagefile and MFT; it does not mention the MFT Zone because it does not effect in any way disk utilization or capacity.

The MFT Zone is not subtracted from available (free) drive space used for user data files, it is only space that is used last. When the MFT needs to increase in size, for example, you created new files and directories, it is taken from the MFT Zone first, thus decreasing MFT fragmentation and optimizing MFT performance. The default MFT Zone is calculated and reserved by Ntfs.sys when it mounts the volume, and is based on volume size. You can increase the MFT Zone by means of the Registry entry documented below, but you cannot make the default MFT Zone smaller than what is calculated by Ntfs.sys. Increasing the MFT Zone does not decrease in any way disk space that can be used by users for data files.

NOTE: The results returned by the dir command may not be current. The size reported by the dir command may reflect cached data that reflects the size of the MFT at the time the system was started following an orderly shutdown.

To add this value, perform the following steps:

1. Run Registry Editor (Regedt32.exe), and go to the following subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem

2. From the Edit menu, click Add Value.
3. Type the following information in the dialog box:

Value Name: NtfsMftZoneReservation Data Type : REG_DWORD Data : (valid range is 1-4)

4. Quit Registry Editor and restart your computer.

NOTE: This is a run-time parameter and does not affect the format of a volume. Rather, it affects the way NTFS allocates space on all volumes on a given system. Therefore, to be completely effective, the parameter must be in effect from the time that a volume is formatted throughout the life of the volume.

[ Article ID: 174619 ]

«149» The Lmhosts File for TCP/IP in Windows

The Lmhosts file is a local text file that maps Internet Protocol (IP) addresses to NetBIOS names of remote servers with which you want to communicate over the TCP/IP protocol. The Lmhosts file is located in the %SystemRoot%\System32\Drivers\Etc folder on a Windows computer. There is also a sample Lmhosts file (Lmhosts.sam) in this folder.

Windows recognizes names instead of IP addresses for network requests and a name discovery process is used to correctly route network requests with TCP/IP. Because the name discovery process is generally not routed by an IP router, the Lmhosts file allows Windows computers to communicate using TCP/IP across a subnet bridged by an IP router.

Under TCP/IP alone, NetBT (NetBIOS over TCP/IP) checks this list in memory before doing a b-node name discovery. For example, a reference to \\Eric is translated to reference the actual IP address of 135.25.25.14 (this is a fictional address).

Sample Lmhosts File

142.25.125.15 Joe #PRE
129.102.12.10 Paul #PRE
148.107.16.45 James
135.25.25.14 Eric #PRE
133.120.26.225 John
192.36.14.250 Ed #PRE
221.250.05.126 Mackey

When Windows loads, it reads the first 100 entries, by default, in the Lmhosts file marked with #PRE. You can increase the number of #PRE entries that will load into memory at logon by adding the "MaxPreLoad" entry in the Registry. This entry should be added to the following Registry key:

HKEY_LOCAL_MACHINE\CurrentControlSet\Services\NetBT\Parameters

The maximum number allowed for MaxPreLoad depends on the performance of the system. Some computers are able to parse or search through more entries in the Lmhosts file than others. Based on system performance, Windows usually searches through about 1000 entries before it times out (15 seconds).

[ Article ID: 101927 ]

For additional information on Lmhosts see:

«163» How to Write an LMHOSTS File
«164» Troubleshooting LMHOSTS Name Resolution Issues

«150» Make "Portqry.exe" Only Report Listening Ports

You can use the Portqry.exe command-line tool to help troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows 2000 and Windows XP. Portqry.exe reports the port status of target TCP and UDP ports on a computer you select. By default, Portqry.exe reports the status of a port as LISTENING, NOT LISTENING, or FILTERED. When you use the -q (quiet) switch with Portqry.exe, all output to the screen (except error messages) is suppressed. After the target port is queried, Portqry.exe returns one of the following values:

» 0 (zero) is returned if the target port is listening.
» 1 is returned if the target port is not listening.
» 2 is returned if the target port is listening or filtered.

You can use this functionality in conjunction with batch files to customize the Portqry.exe output. For example, to obtain a list of only the ports that are listening on a remote computer, you could use the following two batch files.

Query.bat Defines What Ports to Query and Calls Listen.bat

:Top
@echo off
:loop
@echo PortQry is querying TCP ports 25,110,143,53, and 389
@echo It will only report which ports are listening
@FOR %%I IN (25 110 143 53 389) DO CALL listen.bat %%I
:end

Listen.bat Calls Portqry.exe and Passes it the Target Port

:Top
@echo off
@portqry -n myserver.reskit.com -e %1 -p tcp -q
@if errorlevel = 2 goto end
@if errorlevel = 1 goto end
@if errorlevel = 0 goto success
:success
@Echo Port %1 is listening
goto end
:end

NOTE: Only the ports that are found listening are reported.

Copy the text of each of the preceding batch files, paste this text into a text file, and then save these files as Query.bat and Listen.bat. Copy these files into the same folder that contains Portqry.exe, and then run Query.bat. Edit the list of ports in the Query.bat file, as well as the protocol that is used and the target server in the Listen.bat file to change the functionality as needed.

NOTE: When you use the -q switch with the -l (log file) switch, Portqry.exe overwrites an existing log file with the same name, and does not prompt you for permission to do so.

[ Article ID: 310513 ]

«151» How to Use the "RestrictAnonymous" Registry Value

An Administrator may configure a Windows 2000-based computer to prevent anonymous log on access to all resources, with the exception of resources the anonymous user may have explicitly been given access to. To control this behavior, use either of the following methods:

Local Security Policy MMC Snap-In

1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.

NOTE: If you cannot perform this step because "Administrative Tools" does not show up in the Program list, then click Start, point to Settings, point to Control Panel, click Administrative Tools, and then click Local Security Policy. Then proceed to step two.

2. Under Security Settings, double-click Local Policies, and then click Security Options.
3. Double-click Additional restrictions for anonymous connections, and then click No access without explicit anonymous permissions under Local policy setting.

RestrictAnonymous Registry Value

Use Registry Editor to view the following Registry key,

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA

and then add the following value to this key, or modify it if the value already exists:

Value: "RestrictAnonymous" Value Type: REG_DWORD Value Data: 0x2 (Hex)

When the RestrictAnonymous registry value is set to 2, the access token built for non-authenticated users does not include the Everyone group, and because of this, the access token no longer has access to those resources which grant permissions to the Everyone group. This could cause undesired behavior because many Windows 2000 services, as well as third-party programs, rely on anonymous access capabilities to perform legitimate tasks.

For example, when an Administrator in a trusting domain wants to grant local access to a user in a trusted domain, there may be a need to enumerate the users in the trusted domain. Because the Administrator in the trusting domain cannot be authenticated by the trusted domain, an anonymous enumeration may be used. The benefits of restricting the capabilities of anonymous users from a security perspective should be weighed against the corresponding requirements of services and programs that rely on anonymous access for complete functionality.

The following tasks are restricted when the RestrictAnonymous registry value is set to 2 on a Windows 2000-based domain controller:

» Down-level member workstations or servers are not able to set up a netlogon secure channel.
» Down-level domain controllers in trusting domains are not be able to set up a netlogon secure channel.
» Microsoft Windows NT users are not able to change their passwords after they expire. Also, Macintosh users are not able to change their passwords at all.
» The Browser service is not able to retrieve domain lists or server lists from backup browsers, master browsers or domain master browsers that are running on computers with the RestrictAnonymous registry value set to 2. Because of this, any program that relies on the Browser service does not function properly.

Because of these results, it is not recommended that you set the RestrictAnonymous registry value to 2 in mixed-mode environments that include down-level clients. Setting the RestrictAnonymous registry value to 2 should only be considered in Windows 2000 environments only, and after sufficient quality assurance tests have verified that appropriate service levels and program functionality is maintained.

NOTE: Pre-defined "High Secure" security templates set the RestrictAnonymous registry value to 2, and because of this, caution should be used when using these templates.

For additional information about the RestrictAnonymous registry value, click the article number below to view the article in the Microsoft Knowledge Base:

178640 Could Not Find Domain Controller When Establishing a Trust

RestrictAnonymous is set by changing the registry key to 0 or 1 for Windows NT 4.0 or to 0, 1, or 2 for Windows 2000. These numbers correspond to the following settings:

» 0 None. Rely on default permissions
» 1 Do not allow enumeration of SAM accounts and names
» 2 No access without explicit anonymous permissions

[ Article ID: 246261 ]

«152» System Information (Msinfo32.exe)

System Information retrieves and reports your system configuration information for your hardware, system components, and software environment. Support technicians require specific information about your computer when they are troubleshooting your configuration. You can use System Information to quickly find the data they need to resolve a system problem. You can also run System Information from the command line using options for loading, viewing, and saving configuration information.

Msinfo32.exe is located in the \Program Files\Common Files\Microsoft Shared\MSInfo folder of the drive on which Windows 2000 is installed. To run System Information from the command line, you can also click Start, click Run, type msinfo32, and then click OK.

System Information syntax

msinfo32 [/? | /msinfo_file»filename | /report filename | /s filename | /nfo filename]
[/computer computername] [/categories +|-category name(s)]

Parameters:

/? ... Displays the syntax for the command-line parameters.
/msinfo_file ... Open the specified NFO or CAB file.
/report filename ... Saves the system data for the specified categories to a text file.
/s filename ... Saves the system data for the specified categories to a System Information file (NFO file).
/nfo filename .. Saves the system data for the specified categories to a System Information file (NFO file).
/computer computername ... Opens System Information in Windows 2000, connects to the specified computer.
/categories +|-categoryname(s) ... Collects a subset of category information. Use with /report to specify the context for the text report. Use with /s to save specified categories of information in the NFO file. Only the categories you specify will be saved. For example:

C:\>msinfo32 /report my_sys.txt /categories +SWEnvDrivers+ComponentsNetAdapter

You can also save all but a specified category or categories. For example:

C:\>msinfo32 /report my_sys.txt /categories +All-SWEnvDrivers

«153» The NETSTAT.EXE Command

The Netstat command displays protocol statistics and current TCP/IP network connections. This command is available only if the TCP/IP protocol has been installed.

Syntax:

netstat [-a] [-e] [-n] [-s] [-p protocol] [-r] [interval]

Parameters:

-a ................. Displays all connections and listening ports. Server connections are normally not shown.
-e ................. Displays Ethernet statistics. This may be combined with the -s option.
-n ................. Displays addresses and port numbers in numerical form (rather than attempting name lookups).
-s ................. Displays per-protocol statistics. By default, statistics are shown for TCP, UDP, ICMP, and IP. The -p option can be used to specify a subset of the default.
-p protocol ... Shows connections for the protocol specified by protocol; protocol can be tcp or udp. If used with the -s option to display per-protocol statistics, protocol can be tcp, udp, icmp, or ip.
-r .................. Displays the contents of the routing table.
interval ........ Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+B to stop redisplaying statistics. If this parameter is omitted, netstat prints the current configuration information once.

The Netstat utility provides statistics on the following network components:

Foreign Address

The IP address and port number of the remote computer to which the socket is connected. The name corresponding to the IP address is shown instead of the number if the Hostsfile contains an entry for the IP address. In cases where the port is not yet established, the port number is shown as an asterisk (*).

Local Address

The IP address of the local computer, and the port number the connection is using. The name corresponding to the IP address is shown instead of the number if the Hostsfile contains an entry for the IP address. In cases where the port is not yet established, the port number is shown as an asterisk (*).

Proto

The name of the protocol used by the connection.

(state)

Indicates the state of TCP connections only. The possible states are as follows:

CLOSED FIN_WAIT_2 SYN_RECEIVED
CLOSE_WAIT LAST_ACK SYN_SEND
ESTABLISHED LISTEN TIMED_WAIT
FIN_WAIT_1

«154» NETSTAT -an Displays TCP and UDP When Only UDP Is Bound To the Socket

Winsock applications can specify what UDP ports they listen on. You can use the NETSTAT utility with the -an option to display the status of a socket. However, NETSTAT -an may display both UDP and TCP listening on the same socket when only UDP is bound to the socket.

This behavior does not affect socket connections, but is simply a display problem with Netstat.

[ Article ID: 194171 ]

«155» Missing COMMAND.COM Causes Hidden Console Error

If you remove or rename %SystemRoot%\System32\Command.com, the following error message appears when you start a 16-bit Windows or MS-DOS program:

16 bit MS-DOS Subsystem: config.nt. The system file is not suitable
for running MS-DOS and Microsoft Windows Applications.

To correct this problem, use one of the following methods:

» Run the Windows Emergency Repair process and verify system files. Restart Windows and run the program again.
~ or ~
» Expand Command.co_ from the Windows CD-ROM to %SystemRoot%\SYSTEM32\Command.com.
~ or ~
» Expand Autoexec.nt_ and Config.nt_ from the Windows CD-ROM disc to %SystemRoot%\SYSTEM32\Autoexec.nt and Config.nt, respectively.

For additional information about trouble-shooting steps for running 16-bit Windows programs, click the article number below to view the article in the Microsoft Knowledge Base:

103656 Troubleshooting 16-Bit Windows Applications Under Windows

[ Article ID: 142271 ]

«156» How to Remove Linux and Install Windows on Your Computer

The Microsoft Knowledge Base Article ID 247804 describes how you can remove the Linux operating system from your computer, and install a Windows operating system. This article also assumes that Linux is already installed on the hard disk using Linux native and Linux swap partitions, which are incompatible with the Windows operating system, and that there is no free space left on the drive.

Windows and Linux can coexist on the same computer. For additional information, refer to your Linux documentation.

«157» Description of Advanced Disk Properties Features

This describes some of the advanced performance options available if you view the properties of a hard disk. Some of these advanced options are only available on small computer system interface (SCSI) hard disks, and may not be available for drives based on Integrated Drive Electronics (IDE) or Advanced Technology Attachment Packet Interface (ATAPI). These options are found in two different locations, the Disk Properties tab, and the SCSI Properties tab. Also described here are how these advanced options may affect the overall performance and stability of your computer.

To view these advanced performance options, double-click My Computer, right-click the disk you want to view, click Properties, click the Hardware tab, and then click Properties.

The Disk Properties Tab "Write Cache Enabled" Feature

If you enable this feature, your computer sends an enable-write-cache command to the hard disk activating the hard disk write-back cache, and if you disable this feature, the hard disk write-back cache is deactivated. When you enable this feature, you receive a warning message that says enabling this option could lead to file system damage or data loss. This could happen if a computer or power failure occurs that would prevent your computer from shutting down properly. This is because until the cached data is written to disk, the last few write operations were reported to the operating system as being complete by the hardware, but the hardware still contains the data in its physical memory.

Should a power loss occur, those last few write operations may not take place, possibly leading to data loss or file system damage. However, if the data contained on the disk is temporary data (such as a paging file) that can be easily reproduced, or read-only data that can be restored in the event of data damage due to the write cache being enabled, then you may see an increase in disk Input/Output (I/O) performance by enabling it. In this case, most write operations would more than likely be to the file system itself to keep track of files last access dates and time stamps, file size changes, and file ownership and security information if on an NTFS partition. Note that this hardware caching option is independent of the operating system NTFS file cache that could also be in use if the drive contains an NTFS partition.

NOTE: Some hard disks do not support the option to disable the write cache on a permanent basis, and report that the write cache is enabled again after the computer is restarted. This is because some drives do not have Non-Volatile Random Access Memory (NVRAM) to enable you to save the disable cache setting.

Other disks may show the Write Cache Enabled check box as not available for disk. This is disabled if the property page cannot retrieve the current disk write cache setting from the disk.

You should also be aware of the following issue:

281672 Possible Data Loss After You Enable Write Caching

The SCSI Properties Tab "Disable Tagged Queuing" Feature

Tagged queuing is done by the SCSI controller and driver to increase the speed of completing I/O tasks. This is accomplished by sorting the commands so the order of the commands issued to the physical disk drive to read or write results in the most efficient movement of the physical read and write heads. Since moving the physical heads takes time, by intelligently moving them in a sequential order rather than in random order, seek times are minimized, resulting in greater I/O performance.

The SCSI Properties Tab "Disable Synchronous Transfers" Feature

There are two methods of transferring data over SCSI cables, Synchronous mode and Asynchronous mode. Asynchronous mode transfers use an interlocked handshake method where a device (adapter or drive) cannot do the next data transfer operation until it receives positive acknowledgment that the other device received the last data transfer properly. Synchronous transfer mode permits the sending device to send multiple data packets without receiving acknowledgment that the receiver actually received every data packet sent. By doing to, more data can be sent or received before an acknowledgement is required. Disabling either Tagged Queuing or Synchronous transfers results in performance degradation. However, if you suspect a device is having trouble with overlapped requests (queuing) or getting data reliably and quickly (synchronously), you can attempt to use a slower but more reliable mode of operation.

[ Article ID: 233541 ]

«158» How to Eliminate a Process That Is Not Responding

If a program or process is not responding (hangs) while waiting for user input, and cannot accept input or be terminated, usually the only way to terminate the process is to restart the computer. If you cannot restart the computer to terminate the process that is not responding, use the Kill.exe program from the Windows Support Tools to terminate the process for the program that is not responding. When you use Kill.exe, you do not have to restart the computer.

NOTE: You can use the Process tab of Task Manager in Windows to identify the process ID (PID) of the program that is not responding.

[ Article ID: 171773 ]

«159» Task Killing Utility (Kill.exe)

Use this command-line tool to end one or more tasks or processes. Processes can be killed by the process ID number (PID), or by any part of the process name or the name of the window in which it is running (usually the title of the application's main window). [ Kill.exe can be obtained from the Windows Support Tools. See Item 177. ]

Kill syntax:

kill [/f] {process_id | pattern}

Parameters:

/f ................... Forces the process to terminate, rather than allowing it to halt itself.
process_id .... Specifies the ID number of the process to be ended.
pattern ......... Can be either a complete process name, or an expression using wildcards that will be compared to the process names and window titles of all current processes. For example, typing kill *help* will end all processes with process names or window titles that contain "help".

Example: Killing the wnvirq32 process by using the process id

C:\NTRESKIT>kill 204
process #204 killed

Example: Killing the atsvc process by using the process name

C:\NTRESKIT>kill atsvc
process #180 [atsvc.exe] killed

«160» Situations in Which Windows May Not Start in Safe Mode

You can use Safe mode to start Windows using a minimal set of drivers and services. If a faulty driver or program is causing problems, you may be able to use Safe mode to bypass the problem and start Windows so that you can diagnose the problem. However, Safe mode may not work in all situations.

Safe mode may not work in these situations:

» A mass storage driver (SCSI or IDE) is damaged or has been accidentally removed.
» The Ntoskrnl.exe or Hal.dll file is damaged.
» A program replaced system files that are critical to the operation of Windows.

To diagnose a problem with Safe mode, follow these steps:

1. Try all versions of Safe mode to see if Windows will start.
2. If no version of Safe mode will start, try using the Windows Recovery Console to replace or rename a faulty driver or to disable or enable a service.
3. If the Recovery Console does not resolve the issue, you may need to restore the system from a backup.

For additional information on Recovery Console see:

«56» Recovery Console Tips for System Admins

[ Article ID: 199175 ]

«161» FreeWare Utility «» AutoRuns and LoadOrder

[ Here are two examples of the small, fast, efficient, and free utilities available from Sysinternals, Inc. Do yourself a favor and spend some time surfing their site. You will no doubt find other candidates for your System Maintenance arsenal. ]

AutoRuns

This applet shows you what programs are configured to run during system bootup or login. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You'll probably be surprised at how many executables are launched automatically. AutoRuns works on Windows 9x and Windows NT/2K. (The complete list of auto-run locations was obtained from David Solomon's "Windows 2000 Internals" seminar). [ You can obtain AutoRuns here ]

LoadOrder

This applet shows you the order that a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration. [ You can obtain LoadOrder here]

«162» NTDetect Fails When Computer Starts

When you start a computer running Windows, the boot process may not succeed, and you may receive the following error message:

NTDetect Failed

This behavior can occur if the Ntdetect.com file is missing or damaged.

To resolve this issue in Windows 2000 and Windows XP:

1. Start the computer from the Windows 2000 or Windows XP CD-ROM.
2. At the "Welcome to Setup" menu select R for repair.
3. Select Manual Repair.
4. Select only Startup Environment from the repair options.
5. When prompted, insert the Emergency Repair Disk (ERD). If you do not have an ERD you can proceed without one.
6. When the repair process is completed, remove the ERD from the floppy disk drive, and then press ENTER to restart the computer.

[ Article ID: 242112 ]

«163» How to Write an LMHOSTS File

There may be instances when you are experiencing name resolution issues on your TCP/IP network and you need to use Lmhosts files to resolve NetBIOS names. Use the following steps to create a properly formatted Lmhosts file:

1. Using a text editor, such as Notepad.exe or Edit.com, create a file called Lmhosts and save it in the folder: %SystemRoot%\System32\Drivers\ETC

NOTE: The file name is Lmhosts, with no extension. If you are using Notepad.exe it may append .txt automatically. If it does this, you will need to rename the file using no extension at a command prompt.

2. Add the following entries to the Lmhosts file:

10.0.0.1 PDCName #PRE #DOM:Domain-name
10.0.0.1 "Domain-name \0x1b" #PRE

NOTE: The Domain-name in this entry is case sensitive. Make sure you enter it in upper case.
NOTE 2: Spacing of these entries is imperative. Replace 10.0.0.1 with the IP address of your primary domain controller (PDC), PDCName with the NetBIOS name of your PDC, and Domain with your Windows NT domain name. There must be a total of 20 characters within the quotations (the domain name plus the appropriate number of spaces to pad up to 15 characters plus the backslash plus the NetBIOS hex representation of the service type).

To help determine where the 16th character is, copy the following line to your LMHOSTS file:

# IP Address "123456789012345*7890"

Line up the double quotes (") by adding or removing spaces from the comment line, and place the \ on the 16th column (the column marked with the asterisk). You must use SPACES after the name and before the \, not a tab.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
163409 NetBIOS Suffixes (16th Character of the NetBIOS Name)

3. After you add the above lines, save the file, and exit the editor.
4. From a command prompt, type the following and press ENTER: nbtstat -R

NOTE: The -R is case sensitive and must be upper case. After typing the above, you should receive the following message:

Successful purge and preload of the NBT Remote Cache Name Table.

5. Type the following at a command prompt and then press ENTER: nbtstat -c

NOTE: The -c is also case sensitive and must be lower case. After typing the above, you should receive a display similar to the following:

Node IpAddress: [10.0.0.5] Scope Id: []
NetBIOS Remote Cache Name Table
Name Type Host Address Life [sec]
----------------------------------------------------------
PDCName <03> UNIQUE 10.0.0.1 -1
PDCName <00> UNIQUE 10.0.0.1 -1
PDCName <20> UNIQUE 10.0.0.1 -1
Domain <1B> UNIQUE 10.0.0.1 -1

[ Article ID: 180094 ]

«164» Troubleshooting LMHOSTS Name Resolution Issues

When you attempt to load the contents of an Lmhosts file into the NetBIOS Remote Cache Name Table using the Nbtstat -R command, you may notice that the entries are not loading. You can view this by using the Nbtstat -c command.

The Lmhosts file is very specific in its required syntax and may be incorrectly formatted.

To troubleshoot this issue, use the following:

» Open the Lmhosts file in a text editor, such as Notepad.exe, and place three or four carriage returns at the bottom of the file.

NOTE: If you are using Notepad.exe, then make certain that you do not save the file using Unicode.

» Make sure the Lmhosts lookup is enabled by performing the following steps:

1. Click Start, point to Settings, and click Control Panel.
2. Double-click Networks, on the Protocols tab, and double-click TCP/IP Protocol.
3. On the WINS Address tab and click the Enable LMHOSTS Lookup to enable it.

NOTE: You need to restart your computer for this change to take effect.

» Verify that your Lmhosts file is in the proper folder and does not have a file extension.

[ Article ID: 180099 ]

«165» How to Locate and Correct Disk Space Problems on NTFS Volumes

The NTFS file system supports many volume and file-level features that may lead to what appears to be lost or misreported free disk space. This behavior may be apparent when an NTFS volume suddenly becomes very full for no reason, and yet an administrator cannot find the cause or locate the offending folders and files. This sometimes occurs because of malicious or unauthorized access to an NTFS volume on which very large files or a high quantity of small files are secretly copied, which then have their NTFS permissions removed or restricted. This behavior may also occur after a system malfunction or power outage occurs, causing volume corruption.

Microsoft Knowledge Base Article ID 303079 discusses how to check an NTFS disk's space allocation to discover offending files and directories or check for volume corruption.

«166» Dynamic vs. Basic Storage in Windows 2000

In Windows 2000 and Windows XP, a new storage type has been defined and exposed in the new Logical Disk Management snap-in; previous versions of Windows NT used only basic storage:

» Basic storage uses normal partition tables supported by all versions of Windows, MS-DOS, and Windows NT. A disk initialized for basic storage is called a basic disk. It can hold primary partitions, extended partitions, and logical drives.

» Basic volumes include partitions and logical drives, as well as volumes created using Windows NT 4.0 or earlier, such as volume sets, stripe sets, mirror sets, and stripe sets with parity. In Windows 2000, these volumes are called spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes, respectively.

» Dynamic storage is supported by Windows 2000. A disk initialized for dynamic storage is called a dynamic disk. It can hold simple volumes, spanned volumes, mirrored volumes, striped volumes, and RAID-5 volumes. With dynamic storage, you can perform disk and volume management without having to restart the operating system.

Upgrading a disk from basic to dynamic can be done from the Disk Management MMC Snap-in. In Programs, go to select Disk Management from Administrative Tools. You may be prompted to upgrade your disks or you can right-click the disk to upgrade it.

WARNING: Upgrading a disk to dynamic storage will render the entire disk unreadable to operating systems other than Windows 2000. This is a one-way process. In order to change back to basic disk format, the drive must be repartitioned.

Storage types are separate from the file system type; a basic or dynamic disk can contain any combination of FAT16, FAT32, NTFS v4.0, NTFS v5.0 partitions or volumes.

Windows 2000 accommodates both basic and dynamic storage. A disk system can contain any combination of storage types. However, all volumes on the same disk must use the same storage type.

On a basic disk, a partition is a portion of the disk that functions as a physically separate unit. On a dynamic disk, storage is divided into volumes instead of partitions.

NOTE: Dynamic disks are not supported on portable computers or Microsoft Windows XP Home Edition.

Dynamic Storage Terms:

» A volume is a storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.

» A simple volume uses free space from a single disk. It can be a single region on a disk or consist of multiple, concatenated regions. A simple volume can be extended within the same disk or onto additional disks. If a simple volume is extended across multiple disks, it becomes a spanned volume.

» A spanned volume is made from free disk space that is linked together from multiple disks (up to a maximum of 32 disks). A spanned volume can be extended onto additional disks. A spanned volume cannot be mirrored.

» A mirrored volume is a fault-tolerant volume whose data is duplicated on two physical disks. All of the data on one volume is copied to another disk to provide data redundancy. If one of the disks fails, the data can still be accessed from the remaining disk. A mirrored volume cannot be extended. Mirroring is also known as RAID-1.

» A striped volume is a volume whose data is interleaved across two or more physical disks. The data on this type of volume is allocated alternately and evenly to each of the physical disks. A striped volume cannot be mirrored or extended. Striping is also known as RAID-0.

» A RAID-5 volume is a fault-tolerant volume whose data is striped across an array of three or more disks. Parity (a calculated value that can be used to reconstruct data after a failure) is also striped across the disk array. If a physical disk fails, the portion of the RAID-5 volume that was on that failed disk can be recreated from the remaining data and the parity. A RAID-5 volume cannot be mirrored or extended.

» The system volume contains the hardware-specific files (Ntldr, Boot.ini, Ntdetect.com) needed to load Windows NT/2000.

» The boot volume contains Windows NT/2000 operating system files that are located in the %Systemroot% and %Systemroot%\System32 folders.

[ For additional information see: Item 183 Use Disk Management to Manage Basic & Dynamic Disks ]

[ Article ID: 175761 ]

«167» Diagnose System Problems with Event Viewer

Knowledge Base Article ID 302542 contains a step-by-step guide describing how to use Event Viewer as a troubleshooting tool. Event Viewer displays detailed information about system events. This information includes the event type, the date and time that the event occurred, the source of the event, the category for the event, the Event ID, the user who was logged on when the event occurred, and the computer on which the event occurred.

«168» Windows 2000 Professional Resource Kit Tools

"The Windows 2000 Professional Resource Kit includes over 200 software tools on the Resource Kit companion CD. Use these tools to manage Active Directory™ and TCP/IP; to administer security features, users, and groups; to work with the registry, and to automate recurring jobs. The documentation in Tools Help describes how to use these tools.

"The tools are listed here in alphabetical order by the name of the executable file, followed by the friendly name. A few tools do not have an executable file or are known by a friendly name; they are listed by their friendly name.

"If a tool's name is formatted as hot text, either the tool or a hotfix for the tool is available to download for free. Click the link for an overview of the tool."

[ You can obtain the Resource Kit hereby searching with this keyword phrase: Windows 2000 Professional Resource Kit ] [ Also see Item 179, "Free Tool Downloads" ]

«169» Boot Error Message

Could not start because \Winnt\System32\Config\System.ced is missing or corrupt

Well it's not missing and it's probably not corrupt. You usually get this message if something is writing too much data to the System subkey in the Registry. (Hint: Think about what you have installed lately.)

Intel and ARC (RISC) systems have a design limit such that 16 megabyte (MB) of memory is available at this stage of the boot process and the following must fit in that available 16M RAM :

Ø Loader
Ø Kernel
Ø HAL
Ø Boot drivers
Ø System registry hive

If the System registry hive exceeds 13MB, you will get that error. To resolve the problem, you must replace it with a backup version. Use the Repair Console tool to replace the backup copy of the System hive from the repair folder. If you do not have the Repair Console tool installed, you can run it from the Emergency Repair process:

1. Start the computer by using the Windows CD-ROM or the Startup disk.
2. When you see the "Welcome to Setup" message, press R for "repair."
3. Press C to run the Recovery Console tool.
4. Select the installation that you want to repair.
5. Enter the Administrator password. If this is a domain controller, you need to supply the password for Directory Services Restore Mode.
6. Log on to the Recovery Console tool and enter the following commands:

cd system32\config
ren system system.old
ren system.alt systemalt.old

7. Copy the backup of the System hive from either the %SystemRoot%\Repair folder or the %SystemRoot%\Repair\Regback folder if you run the Emergency Repair Disk Wizard from Windows Backup and Recovery tools.

You will need to restore the most recent copy of the System hive. Any programs that run as a service or hardware device drivers that you installed since you last ran the Emergency Repair Disk will have to be re-installed.

To copy the default System hive, type the following command:

copy c:\winnt\repair\system

To copy the System hive that was backed up the last time that you ran the Emergency Repair Disk Wizard, type the following command:

copy c:\winnt\repair\regback\system

After you run these commands, type exit at the command prompt to restart your computer.

«170» FreeWare Utility «» InCtrl5

From PC Magazine:

"InCtrl5 is the fifth incarnation of one of the most popular PC Magazine utilities. By monitoring the changes made to your system when you install new software, it enables you to troubleshoot any unexpected problems that come up. Virtually every modern program uses an install utility that installs or updates files, and also may record data in the Registry, and update INI files or other essential text files. A companion uninstall utility should precisely reverse the effects of the install utility. When a newly installed program causes existing applications to fail, or when the supplied uninstall utility can't complete its task, to restore your system you need a record of exactly what the original install utility did. InCtrl5 can provide this record. This new version offers a variety of new features, including an attractive new interface, the ability to track changes to text files such as AUTOEXEC.BAT and CONFIG.SYS, HTML reports, and command-line switches. InCtrl5 was written by Neil J. Rubenking and first appeared in PC Magazine, December 5, 2000. Source code is included.

"Note: PC Magazine programs are copyrighted and cannot be distributed, whether modified or unmodified. Use is subject to the terms and conditions of the license agreement distributed with the programs."

[ Requirements: Windows 95/98/NT/2000 ~ License: by subscription. ]

| | |

~ Includes previous work and rights from Ted Quantrill's Tip Quarry ~