Tweaks and Repairs


 Page Seven ...back it up before you break it! 

«Item 171» Error Messages in Event Log Service
«Item 172» Unable to Change the Startup Parameter When a Service Hangs
«Item 173» Problem Selecting the Highest Monitor Graphics Mode
«Item 174» How To Install Windows 2000 Professional
«Item 175» How to Create Setup Boot Disks
«Item 176» Cannot End a Process in Task Manager
«Item 177» Install the Windows 2000 Support Tools
«Item 178» FreeWare Utility «» Yankee Clipper
«Item 179» Free Tool Downloads
«Item 180» Oleview.exe: OLE/COM Object Viewer
«Item 181» User Shell Folders in Windows 2000
«Item 182» How To Configure Windows 2000 as a Web Server
«Item 183» Use Disk Management to Manage Basic and Dynamic Disks
«Item 184» Save and Restore Network Settings
«Item 185» The NetShell Utility: Netsh
«Item 186» Windows NT 4.0 Profiles-Policies
«Item 187» The Desktop Heap
«Item 188» Default Processes in Windows 2000 Professional
«Item 189» Microsoft Personal Security Advisor
«Item 190» Edit the Boot.ini File in Windows 2000
«Item 191» How to Encrypt Data Using EFS
«Item 192» How To Back Up Your Encrypting File System Private Key
«Item 193» How to Restore an EFS Private Key for Encrypted Data Recovery
«Item 194» The CACLS.EXE Command
«Item 195» How To Move A Windows Installation To Different Hardware
«Item 196» How To Create A Log Using System Monitor
«Item 197» FreeWare Utility «» metapad
«Item 198» Description of the Windows Recovery Console
«Item 199» How to Install the Windows Recovery Console
«Item 200» Description of the SET Command in Recovery Console

«171» Error Messages in Event Log Service

The following error messages may occur in Event Log Service due to the default file size limitations or default Event Log Wrapping in Event Log Settings:

The application log file is full. ~ or ~ The system log file is full.

These error messages are really not error messages. They are warning messages. They may occur if the size of the log file exceeds 512K, the default setting. They may also occur if the Event Log Wrapping is not set to "Overwrite Events As Needed". The file sizes can be viewed in File Manager. The files are Appevent.evt and Sysevent.evt; they are located in the %WinRoot%\System32\Config folder.

To prevent these messages from occurring:

1. Open Administrative Tools, and Event Viewer.
2. Click on Properties.
3. Change Maximum Log Size for each log to the desired size, depending on the hard disk space available, or select "Overwrite Events As Needed".

[ Article ID: 109443 ]
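The same change made from a command prompt instead of Event Viewer, as an added example that is not part of the original article. It uses Reg.exe from the Windows 2000 Support Tools (Item 177) and assumes that tool's v2.0 syntax (the same as the later built-in Reg.exe); the MaxSize and Retention value names under the EventLog service key are the ones the Event Viewer property sheet writes, and the 16384 KB figure in the usage line is only an illustration. Raising MaxSize keeps more history than simply enabling overwrite, which matters when the log is later needed to reconstruct an incident.

```batch
@echo off
rem evtlogsize.cmd - raise the Application and System log size limits from the command line
rem (added example, not part of the original article). Assumes Reg.exe v2.0 from the
rem Windows 2000 Support Tools (Item 177), whose syntax matches the later built-in Reg.exe.
rem usage: evtlogsize.cmd SIZE_IN_KB      for example: evtlogsize.cmd 16384
setlocal
if "%~1"=="" goto usage
set /a BYTES=%~1 * 1024
rem The log size must be a whole number of 64 KB blocks; round down to the nearest one
set /a BYTES=(%BYTES% / 65536) * 65536
if %BYTES% LSS 65536 goto usage

for %%L in (Application System) do call :setlog %%L
echo The Event Log service reads these values when it next starts, so restart the computer.
goto :eof

:setlog
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\EventLog\%1
echo --- %1 log, current values:
reg query "%KEY%" /v MaxSize
reg query "%KEY%" /v Retention
rem MaxSize is the ceiling for the .evt file in bytes; the 512 KB default is what fills up.
rem Retention 0 means "Overwrite Events As Needed". A larger MaxSize keeps more history than
rem overwriting alone, which matters when the log is later needed to reconstruct an incident.
reg add "%KEY%" /v MaxSize /t REG_DWORD /d %BYTES% /f
reg add "%KEY%" /v Retention /t REG_DWORD /d 0 /f
goto :eof

:usage
echo usage: %~n0 SIZE_IN_KB   (at least 64)
exit /b 2
```

Run it once per computer; the "current values" lines it prints before each change are the record you would want if the settings ever have to be put back.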

«172» Unable to Change the Startup Parameter When a Service Hangs

Suppose a Service stops responding during startup and you are unable to change the Startup parameter to manual, either locally or remotely, through the Server Manager Service. For example, the Event Log Service locks the system locally after a pop-up message appears saying the Event Log is full. Do not panic :-)

This problem can happen because "Overwrite Events Older than seven days" is the default setting for Event Viewer logging.

To change the startup parameter of a Service in this condition, you can modify the Registry by performing the following steps:

1. Start the Registry Editor (Regedt32.exe).
2. From the Registry menu, click Select Computer. Type in the name of the computer that is not responding, and then click OK.
3. Locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog

4. Edit the following entries:

Value Name: Start
Data Type: REG_DWORD
Data: 3 (Default: 2)
(Data values are 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled)

After the value for Start has been set to Manual, you can remotely shut down the computer using Shutdown.exe or Shutgui.exe from the Windows Resource Kit.

In the case of the event logs being full, after you restart, you can now rename or delete the event files located in the %SystemRoot%\System32\Config folder as needed.

NOTE: This method of changing the Start parameter is also useful in troubleshooting other Services, such as Exchange and SQL Services. After you have control of the computer, the Service can be started manually from the DOS prompt by typing: "net start <service name>". If an error occurs, the error message appears in the DOS box (or when you start the Service from Control Panel|Services), and you can check the event log for the details of the error.
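The Regedt32 steps above, done from a command prompt so they can be repeated against a remote computer in one line, as an added example that is not part of the original article. It uses Reg.exe from the Windows 2000 Support Tools (Item 177) and assumes that tool's v2.0 syntax, and for the remote case it assumes the Remote Registry service on the target still answers even though the hung service does not; the service name, Start value and computer name are passed on the command line and the "HUNGSERVER" name in the comments is a placeholder.

```batch
@echo off
rem svcstart.cmd - change a service's Start value with Reg.exe, locally or on a remote computer
rem (added example, not part of the original article). Assumes Reg.exe v2.0 from the
rem Windows 2000 Support Tools (Item 177) and, for the remote case, that the Remote Registry
rem service on the target still answers even though the hung service does not.
rem usage: svcstart.cmd SERVICE START [COMPUTER]
rem   START: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled
rem   example: svcstart.cmd EventLog 3 HUNGSERVER      (HUNGSERVER is a placeholder name)
setlocal
if "%~2"=="" goto usage
set SVC=%~1
set START=%~2
set KEY=HKLM\SYSTEM\CurrentControlSet\Services\%SVC%
if not "%~3"=="" set KEY=\\%~3\%KEY%

rem Accept only the five documented values so a typo cannot leave the service in an undefined state
set OK=
for %%V in (0 1 2 3 4) do if "%START%"=="%%V" set OK=1
if not defined OK goto usage

rem Record the value being replaced, so the change can be reversed once the computer is back
echo Current value:
reg query "%KEY%" /v Start
if errorlevel 1 (
    echo Cannot read %KEY% - wrong service name, or the registry is not reachable.
    exit /b 1
)

reg add "%KEY%" /v Start /t REG_DWORD /d %START% /f
if errorlevel 1 (
    echo Writing the Start value failed.
    exit /b 1
)
echo Start for %SVC% is now %START%. The new value applies at the next boot.
exit /b 0

:usage
echo usage: %~n0 SERVICE START [COMPUTER]    START is 0-4, 3 = Manual
exit /b 2
```

After the computer has been restarted and the full logs dealt with, run the script again with 2 to put the service back to Automatic; the "Current value" line printed on the first run tells you what it was.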

[ Article ID: 158995 ]

«173» Problem Selecting the Highest Monitor Graphics Mode

Windows uses the information in the monitor's .inf file to calculate the supported video modes. In some cases, the algorithm used is too conservative. To work around this issue:

» If your monitor and video adapter support Plug and Play, use Control Panel|Display|Settings|Advanced to change the monitor driver to Plug and Play Monitor. This will cause Windows to query the device for the supported modes, instead of using the data in the .inf file.

» If your monitor or video driver does NOT support Plug and Play, use the documentation, or call the vendor, to determine the exact video modes that the monitor will support. Guessing will likely result in damaging your monitor, video adapter, or both. Then:

1. Control Panel|Display|Settings|Advanced|Monitor.
2. Clear the Hide modes that this monitor cannot display box.
3. In the Refresh Frequency drop-down box, select a rate that your monitor can support.
4. Press OK and OK.

«174» How To Install Windows 2000 Professional

To install Windows 2000 Professional, follow these steps:

1. Start the installation by using one of the following methods:

» Start from the Windows 2000 Professional installation CD-ROM. Make sure that the CD-ROM is set to start before the hard disk starts. Insert the CD-ROM, and then when you are prompted, press any key to start the Windows 2000 Professional Setup program.
» Start from boot disks. Insert Disk 1, and then insert each of the remaining three floppy disks when you are prompted to do so.

For additional information about creating boot disks for Windows 2000, see Item 175 below.

» Start from within a current operating system. Insert the CD-ROM, and then, at a command prompt, type drive:\i386\winnt32.exe and then press ENTER, or if this is an installation on a computer that has no previous installation of Windows, type drive:\i386\winnt.exe and then press ENTER, where drive is the letter of the CD-ROM drive.

2. Setup inspects your computer's hardware configuration and then begins to install the Setup and driver files. When the Microsoft Windows 2000 Professional screen appears, press ENTER to set up Windows 2000 Professional.

3. Read the license agreement, and then press the F8 key to accept the terms of the license agreement and continue the installation.

4. When the Windows 2000 Professional Setup screen appears, either press ENTER to set up Windows 2000 Professional on the selected partition, or press C to create a partition in the unpartitioned space.

5. If you choose to install Windows 2000 Professional on a file allocation table (FAT) partition, specify whether you want to:

» leave the current file system intact,
» format the partition as FAT16,
» convert the existing file system to the NTFS file system, or
» format the partition by using the NTFS file system.

Press ENTER after you make your selection. Setup examines the existing hard disks and then copies the files that are needed to complete the installation of Windows 2000 Professional. After the files are copied, the computer restarts.

6. When the Windows 2000 GUI Mode Setup Wizard appears, click Next to start the wizard. Setup detects and installs such devices as a specialized mouse or keyboard.

7. When the Regional Options dialog box appears, customize your installation of Windows 2000 Professional for locale, number format, currency, time, date, and language, if necessary. Click Next.

8. In the Personalize Your Software dialog box, type your name and the name of your organization, and then click Next.

9. In the Product ID dialog box, type the 25-character product key, and then click Next.

10. In the Computer Name and Password dialog box, either accept the default name that Setup generates or assign a different name for the computer. When you are prompted for an administrative password, type a password for the Administrator account. Click Next.

11. In the Date and Time Settings dialog box, set the correct date and time for your computer. You can also specify which time zone you are in and set the computer to automatically adjust the clock for daylight saving time. Click Next.

12. Setup installs the networking software and detects your network settings. When the Network Settings dialog box appears, click either:

» Typical to set default network settings such as File and Print Sharing for Microsoft Networks, Client for Microsoft Networks, and TCP/IP protocol that uses Dynamic Host Configuration Protocol (DHCP), or
» Custom to specify the network components that you require for your network environment,

and then click Next.

13. In the Workgroup or Computer Domain dialog box, specify the workgroup or the domain to join. If you indicate that you are part of a domain, specify your domain user name and password. Click Next. Setup installs the networking components.

14. During the final stage of installation, Setup installs Start menu items, registers components, saves settings, and removes temporary files. When the Completing the Windows 2000 Setup Wizard dialog box prompts you to do so, remove the Windows 2000 CD-ROM, and then click Finish to restart the computer.

15. After the computer restarts, click Next in the Welcome to the Network Identification Wizard dialog box.

16. In the Users of This Computer dialog box, specify either that users must enter a user name and password or that you want Windows 2000 to automatically log on a specific user when the computer starts. Click Finish.

When the Windows 2000 Professional desktop appears, the installation is complete.

[ Article ID: 304868 ]

«175» How to Create Setup Boot Disks

To create a set of Setup boot disks for Windows 2000, run the Makeboot.exe tool from the Bootdisk folder on the Windows 2000 CD-ROM:

1. Insert the Windows 2000 CD-ROM in the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type: drive:\bootdisk\makeboot a:, where drive is the letter of your CD-ROM drive, and then press Enter.

NOTE: You do not have to be running Windows 2000 to create the Setup Boot disks. A directory called \Bootdisk resides in the root of the Windows 2000 Setup CD. This directory contains two utilities capable of generating the 4 Setup Boot floppies. If you are booted into Windows 9x, you will need to run the 32-bit version of this utility, called Makebt32.exe. If you are in DOS, or booted with a Windows 98 Startup Floppy that has access to the CD-ROM, you can use the 16-bit version, called Makeboot.exe.

[ Article ID: 197063 ]

«176» Cannot End a Process in Task Manager

When you try to use Task Manager to End Process, you receive:

The operation could not be completed. Access is denied.

Even though you are an Administrator, it is still not possible to end a process that was started in a different security context, such as a Service. To work around this feature you must be granted the right to Debug Programs, under Local Policy|User Rights Assignment, and you must use Kill.exe (which is contained in the Windows Support Tools - see below).

«177» Install the Windows 2000 Support Tools

Support personnel and network administrators can use the Windows 2000 Support Tools to help manage their networks and troubleshoot problems. To install the Windows 2000 Support Tools:

1. Start Windows 2000. Note that you must log on as a member of the Administrator group to install these tools.
2. Insert the Windows 2000 CD-ROM into your CD-ROM drive.
3. Click Browse this CD, and then open the Support|Tools folder.
4. Double-click Setup.exe, and then follow the instructions that appear on the screen.

The following support tools are included with Windows 2000:

Acldiag.exe Gflags.exe Pviewer.exe
Adsiedit.msc Kill.exe Reg.exe
Apcompat.exe Ksetup.exe Remote.exe
Apmstat.exe Ktpass.exe Repadmin.exe
Browstat.exe Ldp.exe Replmon.exe
Clonepr.dll Memsnap.exe Rsdiag.exe
Dcdiag.exe Movetree.exe Rsdir.exe
Depends.exe Msicuu.exe Sdcheck.exe
Dfsutil.exe Msinfo32.exe Search.vbs
Dnscmd.exe Msizap.exe SIDWalker
Dommig.doc Netdiag.exe Snmputilg.exe
Dsacls.exe Netdom.exe Tlist.exe
Dsastat.exe Nltest.exe W2000msgs.chm
Dskprobe.exe Pmon.exe Windiff.exe
Dumpchk.exe Poolmon.exe Winrep.exe
Filever.exe PPTP Ping Wsremote.exe

«178» FreeWare Utility «» Yankee Clipper

by Joe LeVasseur and Konrad Krupa

A super powerful Windows clipboard extender/memory, now in its third generation. Handles Pictures, Richtext, URLs, etc. - any size. Features printing, drag and drop, optional permanent storage of clippings. Familiar "Outlook" interface. Freeware.

Major features:

» Saves past 200 text and RTF, 20 BMP and Metafile, and 200 URL clipboard entries.
» Has the ability to save and re-use "boilerplate" clippings. Simply right-click on the item and select "Send to boilerplate". Unlimited boilerplate collections can be created.
» URL aware- links copied to clipboard can be instantly launched.
» Has a "Load and Shoot" function to paste text anywhere.
» Can float on top of other applications for fast pasting.
» No size limits for "clippings".
» Prints any text clipboard entry, nicely word-wrapped.
» This is a simple program to understand and use.
» Has a global hotkey to make the application visible when hidden, and another to instantly show and select past "clippings" without showing the application.
» Clippings can be dragged & dropped to/from YC III.
» Can strip unwanted "quote" characters ("<", "|") from "clippings".
» Free- totally, no strings attached Free.

Still to come:

» Improved printing- of (Hopefully) any type of content. This is trickier than it seems. Right now the program can print any text item- nicely wordwrapped. We want to be able to print bitmaps, RTF, etc. Just give us some time.
» More stuff you ask for. (Within reason. We like to keep the functionality of the program focused.)

[ I have used this fine utility for some time now and have found it invaluable. It can be obtained Here. ]

«179» Free Tool Downloads

You can download the Windows 2000 Resource Kit software tools listed on this page at Microsoft for free and install them on your computer. These utilities can help you streamline administrative tasks such as managing Active Directory, administering security features, working with Group Policy and Terminal Services, automating application deployment, and other important jobs. Nearly 300 such tools are included on the Windows 2000 Server Resource Kit companion CD.

These tools are designed to be installed and run only on Microsoft® Windows 2000. They are neither localized nor supported by Microsoft.

«180» Oleview.exe: OLE/COM Object Viewer

[This is one of the tools available from the source mentioned in the item above.]

This administration and testing tool browses in a structured way, configures, activates, and tests all Microsoft Component Object Model (COM) classes installed on your computer.

You can also configure local or system-wide COM settings, including security settings, and enable or disable Distributed COM. You can activate COM classes locally or remotely to test Distributed COM setups. OleView fully supports the Component Categories specification, which is a core COM technology.

Test any COM class by double-clicking its name in Oleview. The program then lists the interfaces supported by that class. Double-clicking an interface entry invokes a viewer that exercises that interface.

View type library contents in Oleview to determine what methods, properties, and events a Microsoft ActiveX control supports. You can then copy a formatted OBJECT tag to the Clipboard for inserting into an HTML document. OleView is oriented toward developers and advanced users; however, the user interface offers the ability to toggle between Expert and Novice modes.

OleView displays the Registry entries for each class in an easy-to-read format. The Registry view (right pane) shows all relevant Registry information, including named values of keys you can activate such as ApartmentModel.

The OleView window highlights active items in bold. One or more objects can be activated at the same time. Dragging a file name onto the OleView window creates a file moniker and binds to it.

Right-click an object in OleView to see its context menu.

The right pane has tabs for administering COM class information. You can set Distributed COM options and security as well as change keys such as LocalServer32.

[ You can obtain this free utility from Microsoft. ]

«181» User Shell Folders in Windows 2000

The User Shell Folders Registry key stores paths to Windows Explorer folders. The key exists at:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

The Folders are:

Name: AppData
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Application Data

Name: Cache
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Local Settings\Temporary Internet Files

Name: Cookies
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Cookies

Name: Desktop
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Desktop

Name: Favorites
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Favorites

Name: History
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Local Settings\History

Name: Local AppData
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Local Settings\Application Data

Name: Local Settings
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Local Settings

Name: My Pictures
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\My Documents\My Pictures

Name: NetHood
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\NetHood

Name: Personal
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\My Documents

Name: PrintHood
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\PrintHood

Name: Programs
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Start Menu\Programs

Name: Recent
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Recent

Name: SendTo
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\SendTo

Name: Start Menu
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Start Menu

Name: Startup
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Start Menu\Programs\Startup

Name: Templates
Type: REG_EXPAND_SZ
Data: %USERPROFILE%\Templates

«182» How To Configure Windows 2000 as a Web Server

The Knowledge Base Article 308192 is a step-by-step guide for setting up a World Wide Web server for anonymous access in a Windows 2000 environment.

«183» Use Disk Management to Manage Basic and Dynamic Disks

You can use the Windows 2000 Disk Management snap-in tool to manage your hard disks and the volumes or partitions that they contain. With Disk Management, you can create and delete partitions, format volumes with the FAT, FAT32, or NTFS file systems, upgrade disks, and create fault-tolerant disk systems. You can perform most disk-related tasks without having to restart your computer because most configuration changes take effect immediately. The MS Article regarding Disk Management describes some of the more common disk storage management tasks that you can perform by using Disk Management. NOTE: This is now Archived Content from the Microsoft database.

[ For additional information see: Item 166 Dynamic vs. Basic Storage in Windows 2000. ]

«184» Save and Restore Network Settings

You can save your network settings to a text file by using the Netsh utility. For example:

netsh -c interface dump > networksetting.txt

If you execute this command:

netsh -f networksetting.txt

you can reload the saved settings without requiring a reboot. The name of the file is arbitrary.

By creating dumps for each of your network configurations, you can "hotload" the needed configuration through the use of a batch file or shortcut that calls up the appropriate dump. This also does not require a reboot.
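A batch file of the kind the paragraph above suggests, as an added example that is not from the original page: it keeps one Netsh dump per named configuration and hotloads the chosen one. The storage folder %USERPROFILE%\NetProfiles and the "_previous" snapshot name are this example's own choices; the two Netsh commands are the ones shown in the item.

```batch
@echo off
rem netprofile.cmd - save the current network settings under a name, or hotload a saved set
rem (added example; the batch-file idea comes from the item above, the script does not).
rem Profiles are kept as plain Netsh scripts in %USERPROFILE%\NetProfiles (an assumed location).
rem usage: netprofile.cmd save NAME     dump the current interface configuration to NAME.txt
rem        netprofile.cmd load NAME     reload NAME.txt without a reboot
rem        netprofile.cmd list          show the saved profiles
setlocal
set STORE=%USERPROFILE%\NetProfiles
if not exist "%STORE%" mkdir "%STORE%"
if /i "%~1"=="save" goto save
if /i "%~1"=="load" goto load
if /i "%~1"=="list" goto list
goto usage

:save
if "%~2"=="" goto usage
rem -c interface selects the interface context; dump writes out the commands that recreate it
netsh -c interface dump > "%STORE%\%~2.txt"
echo Saved the current settings as profile %~2.
goto :eof

:load
if "%~2"=="" goto usage
if not exist "%STORE%\%~2.txt" (
    echo No profile named %~2. Saved profiles:
    goto list
)
rem Snapshot what is about to be replaced, so a bad profile can be undone with "load _previous"
netsh -c interface dump > "%STORE%\_previous.txt"
rem A dump is an ordinary Netsh script; read it before loading it, since -f runs every command in it
netsh -f "%STORE%\%~2.txt"
echo Profile %~2 loaded. To undo: %~n0 load _previous
goto :eof

:list
for %%F in ("%STORE%\*.txt") do echo   %%~nF
goto :eof

:usage
echo usage: %~n0 save NAME ^| load NAME ^| list
exit /b 2
```

A shortcut whose target is "netprofile.cmd load office" gives the one-click hotload the item describes; because every profile is a readable text file, a dump that was edited by someone else can be inspected with any editor before it is executed.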

[ See the following Item for additional information on the Netsh utility. ]

«185» The NetShell Utility: Netsh

The NetShell utility Netsh is a command-line, scripting interface for configuring and monitoring Windows 2000. The configuration tool provides an interactive shell interface to the user. The front end is the command shell that accepts your commands, and the back end is a helper that corresponds to a system component or utility. A helper is a Dynamic Link Library file (.dll) that extends the functionality of Netsh. A helper provides configuration and/or monitoring support for one or more services, utilities, or protocols, but helpers can also be used to extend other helpers. The command shell directs the command to the appropriate helper, and the helper carries out the command.

The Netsh command allows you to run the NetShell utility to display or modify the configuration of a currently running computer. It also provides a scripting feature that you can use to run a collection of commands in batch mode against a specified computer.

Contexts

The command shell provides for contexts, which are groupings of netsh commands for specific networking components. A context is identified by a string that is appended to commands. Commands entered in a given context are passed to an associated helper. The contexts available depend on the Windows 2000 components installed. For example, typing routing at the Netsh command changes to the routing context. Typing ras at the Netsh command changes to the ras (remote access portion of the Routing and Remote Access service) context.

Subcontexts may exist within each context. For example, within the routing context, you can change to the ip and ipx subcontexts.

Netsh [-r RemoteComputer] [-a AliasFile] [-c Context] [Command | -f ScriptFile]

To display a list of subcontexts and commands that can be used in a context, at the Netsh prompt, type the context name, followed by a space and ?. For example, to display a list of subcontexts and commands that can be used in the routing context, at the Netsh prompt, type the following:

Netsh>routing ?

Netsh Commands

As well as the context commands shown above, the following additional commands can be used with Netsh. Optional parameters are shown in brackets ([ ]). Alternative entries are shown with a pipe (|) between them.

Command (and its) Result:

?
Displays help.

abort
Discards any changes made in offline mode. No effect in online mode.

add helper DLL-name
Installs the helper DLL in netsh.

alias [alias-name] [string1] [string2 ...]
If alias, lists all aliases.
If alias alias-name, displays the equivalent string.
If alias alias-name string1 string2 ..., sets alias-name to the specified strings.

bye
Exits the program.

commit
Commits any changes made in the offline mode to the router. No effect in the online mode.

delete helper DLL-name
Removes the helper DLL from netsh.

dump -file-name
Dumps or appends configuration to a text file.

exec Script-file-name
Loads the script file and executes commands from it.

exit
Exits the program.

h
Displays help.

help
Displays help.

offline
Sets the current mode to offline. Any changes made in this mode will be saved, but require a commit or online command to be set in the router.

online
Sets the current mode to online. Any changes in this mode will be immediately reflected in the router.

popd
Pops a context from the stack.

pushd
Pushes current context onto the stack.

quit
Exits the program.

set mode [mode =] online|offline
Sets the current mode to online or offline.

show alias|helper|mode
If show alias, lists all defined aliases.
If show helper, lists all top-level helpers.
If show mode, shows the current mode.

unalias alias-name
Deletes the specified alias.
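A script file that exercises the contexts, pushd and popd described above, generated and then run with "netsh -f", as an added example that is not from the original page. The interface name and the addresses are constructed placeholders, and the parameter names of the "interface ip" set address and set dns commands are the Windows 2000 helper's syntax as this example's author understands it; check them with "set address ?" inside that context before relying on them.

```batch
@echo off
rem staticip.cmd - write a Netsh script that changes context, then run it with "netsh -f"
rem (added example, not from the original page). The interface name and the addresses are
rem constructed placeholders; the "interface ip" set address / set dns parameter names are
rem those of the Windows 2000 helper as the author of this example understands them.
setlocal
set IFNAME=Local Area Connection
set SCRIPT=%TEMP%\staticip.nsh

rem Each echo line is one Netsh command. "pushd" saves the current context, "interface ip"
rem moves into that subcontext, and "popd" restores the saved context, so the script behaves
rem the same whether it is run from the root or from inside another context.
>"%SCRIPT%" echo pushd
>>"%SCRIPT%" echo interface ip
>>"%SCRIPT%" echo set address name="%IFNAME%" source=static addr=192.168.1.10 mask=255.255.255.0 gateway=192.168.1.1 gwmetric=1
>>"%SCRIPT%" echo set dns name="%IFNAME%" source=static addr=192.168.1.2
>>"%SCRIPT%" echo popd

echo Generated Netsh script %SCRIPT%:
type "%SCRIPT%"
echo.
rem -f loads the file and executes its commands in batch mode; adding -r COMPUTER before it
rem would run the same script against a remote computer instead
netsh -f "%SCRIPT%"

echo.
echo Resulting settings, asked for with the context path given inline on the command line:
netsh interface ip show config
```

The same five lines typed at the Netsh prompt would have the same effect; putting them in a file is what makes the change repeatable across computers, and the "type" step before "netsh -f" shows exactly what is about to be executed.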

«186» Windows NT 4.0 Profiles-Policies

"This article is the fifth in a series of articles that provides information and procedures for implementing Microsoft Windows NT 4.0 Profiles and Policies on client workstations and servers."

[ Despite its title and description, Article 185590 contains a wealth of valuable information for those interested in tweaking their Windows 2000 system. ]

«187» The Desktop Heap

Most longtime Windows users are familiar with the desktop heap, a memory space that Windows allocates for desktop objects such as, well, windows. Each open window or other desktop object uses up a certain amount of the desktop heap. In older versions of Windows the desktop heap was very small, and objects weren't always disposed from the heap correctly. This was a good part of the reason for the Incredible Shrinking Resource Heap problem that plagued the 16- and hybrid 16/32-bit versions of Windows. NT fixed this problem by devoting a far larger chunk of memory to the desktop heap -- but the fact that it had a far better memory manager than Win 3.x or Win9x, and a pure 32-bit architecture, didn't hurt either.

In Windows NT 4.0 (post SP2) and Windows 2000, the desktop heap can be edited through the Registry and cranked up a bit if you find yourself manipulating a lot of desktop objects. The key is:

HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems

Within that key is a subkey called "Windows", which contains in it, among other things, the value "SharedSection=1024,3072". If you change this to "1024,3072,512" (note the comma and the value), this increases the size of the desktop heap. You can also increase the second value to 4096 or higher, which sets the limit of any one desktop heap.

«188» Default Processes in Windows 2000 Professional

Described below are the processes which run by default in Microsoft Windows 2000. These processes can be viewed using Task Manager.

Csrss.exe - You cannot end this process from Task Manager.

» This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.

Explorer.exe - You can end this process from Task Manager.

» This is the user shell, which we see as the familiar taskbar, desktop, and so on. This process isn't as vital to the running of Windows as you might expect, and can be stopped (and restarted) from Task Manager, usually with no negative side effects on the system.

Internat.exe - You can end this process from Task Manager.

» Internat.exe runs at startup; it loads the different input locales specified by the user. The locales to be loaded are taken from the following registry key:

HKEY_USERS\.DEFAULT\Keyboard Layout\Preload

Internat.exe loads the "EN" icon into the system tray, allowing the user to easily switch between locales. This icon disappears when the process is stopped, but the locales can still be changed through Control Panel.

Lsass.exe - You cannot end this process from Task Manager.

» This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

Mstask.exe - You cannot end this process from Task Manager.

» This is the task scheduler service, responsible for running tasks at a time predetermined by the user.

Smss.exe - You cannot end this process from Task Manager.

» This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).

Spoolsv.exe - You cannot end this process from Task Manager.

» The spooler service is responsible for managing spooled print/fax jobs.

Svchost.exe - You cannot end this process from Task Manager.

» This is a generic process, which acts as a host for other processes running from DLLs; therefore, don't be surprised to see more than one entry for this process. To see what processes are using Svchost.exe, use Tlist.exe from the Windows 2000 Support Tools [See Item 177]; the syntax is tlist -s at the command prompt.

Services.exe - You cannot end this process from Task Manager.

» This is the Services Control Manager, which is responsible for starting, stopping, and interacting with system services.

System - You cannot end this process from Task Manager.

» Most system kernel-mode threads run as the System process.

System Idle Process - You cannot end this process from Task Manager.

» This process is a single thread running on each processor, which has the sole task of accounting for processor time when the system isn't processing other threads. In Task Manager, expect this process to account for the majority of processor time.

Taskmgr.exe - You can end this process from Task Manager.

» This is the process for Task Manager itself.

Winlogon.exe - You cannot end this process from Task Manager.

» This is the process responsible for managing user logon and logoff. Moreover, Winlogon is active only when the user presses CTRL+ALT+DEL, at which point it shows the security dialog box.

Winmgmt.exe - You cannot end this process from Task Manager.

» Winmgmt.exe is a core component of client management in Windows 2000. This process initializes when the first client application connects or continuously when management applications request its services.

Many of the processes that cannot be ended from Task Manager can be ended using the Resource Kit utility Kill.exe [ See Item 159 ]. However, caution is advised as execution of this command could cause system failure or other unwanted side effects.

[ Article ID: 263201 ]

«189» Microsoft Personal Security Advisor

[ From the Microsoft Technet web page located here ]

"Security and Trustworthy Computing are currently among the most important topics for customers on TechNet. The 5-Minute Security Advisor series has been created to help quickly communicate important security topics, tasks, and issues. The advisor will point to the content necessary to go deeper into technical details or into step-by-step, how-to guides."

[Highly recommended for the home user.]

«190» Edit the Boot.ini File in Windows 2000

Knowledge Base Article 311578 is a step-by-step guide to editing the Boot.ini file in a Windows 2000 environment. NTLDR displays the bootstrap loader screen, where you can select an operating system to start; the screen is built from the information in the Boot.ini file. If you do not select an entry before the counter reaches zero, NTLDR loads the operating system that is specified by the default parameter in the Boot.ini file. Windows 2000 Setup places the Boot.ini file in the active partition.

You should back up the Boot.ini file before you edit it. The first tasks described include modifying your folder options so you can view hidden files, and then backing up the Boot.ini file.
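The backup step from a command prompt, with a check that the default entry really exists, as an added example that is not from the Knowledge Base article: it copies Boot.ini once, keeps the copy, and then verifies that the ARC path on the "default=" line also appears under [operating systems], which is what NTLDR needs when the countdown runs out. It assumes Boot.ini is in the root of C: (the active partition) and that the Boot.ini.bak name is free.

```batch
@echo off
rem bootini-backup.cmd - back up Boot.ini before editing it, then check the default entry
rem (added example; not from the Knowledge Base article referred to above).
rem Assumes Boot.ini lives in the root of C:, the active partition; change BOOTINI otherwise.
setlocal
set BOOTINI=C:\Boot.ini
set BACKUP=C:\Boot.ini.bak

if not exist "%BOOTINI%" (
    echo %BOOTINI% not found - is C: the active partition?
    exit /b 1
)

rem Boot.ini is read-only, hidden and system. Copying works as-is, but an editor cannot save
rem it until read-only is cleared: attrib -r C:\Boot.ini (and attrib +r afterwards).
rem The first backup is never overwritten, so a known-good copy survives repeated edits.
if exist "%BACKUP%" (
    echo Backup %BACKUP% already exists, leaving it untouched.
) else (
    copy "%BOOTINI%" "%BACKUP%" >nul
    attrib +r +h +s "%BACKUP%"
    echo Backup written to %BACKUP%.
)

echo.
echo [boot loader] settings:
findstr /B /I "timeout= default=" "%BOOTINI%"

rem NTLDR starts the "default=" entry when the countdown expires, so that ARC path must
rem also appear as a line under [operating systems]; a mismatch means an unbootable default.
rem The ARC path contains parentheses, so it is kept out of parenthesized if-blocks below.
set DEFAULT=
for /f "tokens=1* delims==" %%A in ('findstr /B /I "default=" "%BOOTINI%"') do set DEFAULT=%%B
if not defined DEFAULT goto nodefaultline
findstr /B /I /L /C:"%DEFAULT%=" "%BOOTINI%" >nul
if errorlevel 1 goto nomatch
echo Default entry %DEFAULT% is listed under [operating systems].
goto :eof

:nodefaultline
echo WARNING: no default= line found in %BOOTINI%.
exit /b 1

:nomatch
echo WARNING: default entry %DEFAULT% has no matching line under [operating systems].
exit /b 1
```

Run it before each edit and again afterwards; a non-zero exit code from the second run means the file would not boot unattended, and the untouched .bak is the way back.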

«191» How to Encrypt Data Using EFS

The Encrypting File System (EFS) is the file encryption technology Microsoft uses to encrypt data directly on volumes that use the NTFS file system. You can use the encrypted data the same way you use non-encrypted data. In addition, you can configure permissions for your encrypted data to prevent unauthorized use. Someone who does not have the correct permissions receives an Access Denied error message if they try to open, copy, move, or rename an encrypted file or folder.

To encrypt data, follow these steps:

1. Right-click the Start button, click Explore, and then browse to the file or folder you want to encrypt.
2. Right-click the file or folder you want, and then click Properties.
3. Click Advanced, click to select the Encrypt Contents To Secure Data check box, and then click OK.
4. Repeat steps 2-3 for each file or folder you want to encrypt.

NOTE: If you encrypt a folder, all the files and folders contained within it are encrypted, and files created in or copied into it later are encrypted as well. Prefer encrypting folders to encrypting individual files: many applications write temporary or backup copies next to the file they are editing, and those copies are encrypted only if the folder itself is marked for encryption.

You can also use the Cipher.exe tool to display the encryption state of files, or to encrypt and decrypt them, from a command prompt. The syntax is:

cipher [/E | /D] [/S:dir] [/I] [/F] [/Q] [dirname [...]]

For example, cipher /E /S:D:\Private marks D:\Private and every folder beneath it so that files added to them are encrypted, and cipher D:\Private then lists the encryption state of the folder's files, E for encrypted and U for unencrypted.

The command line switches are defined below. To view this information at the command prompt, type cipher /?.

/E » Encrypts the specified directories. Directories are marked so that files added afterward are encrypted.
/D » Decrypts the specified directories. Directories are marked so that files added afterward are not encrypted.
/S:dir » Performs the specified operation on directories in the given directory and all subdirectories.
/I » Continues performing the specified operation even after errors have occurred. By default, CIPHER stops when an error is encountered.
/F » Forces the encryption operation on all specified directories, even those which are already encrypted. Already-encrypted directories are skipped by default.
/Q » Reports only the most essential information.
dirname » Specifies a pattern, or directory.

Used without parameters, CIPHER displays the encryption state of the current directory and any files it contains. You may use multiple directory names and wildcards. You must put spaces between multiple parameters.

NOTE: EFS does not work on files that have the System attribute, and your computer could become unusable if you encrypt Windows system files. EFS also cannot be used on compressed files or folders: compression and encryption are mutually exclusive NTFS attributes, and setting one clears the other. There are additional switches available with Cipher.exe; to view them use the cipher /? command.

[ For additional information see: Item 93 Encrypting Files in Windows 2000 ]

[ Article ID: 230520 ]

«192» How To Back Up Your Encrypting File System Private Key

When you use EFS to encrypt files on your computer, each file's contents are encrypted under a key that is itself encrypted with your EFS public key and with the public key of each designated recovery agent; the matching private keys decrypt the file. If a private key is lost after a file is encrypted, the file cannot be recovered with it. The following describes how to back up the recovery agent's private key, which on a stand-alone computer belongs to the local Administrator account, so that you can recover encrypted data if the copy on your computer is lost. (Your own user EFS certificate and key live in the Personal store in certmgr.msc and can be exported with the same Certificate Export Wizard steps.)

WARNING: After you export the private key to a disk, store the disk in a secure place. If someone gains access to your EFS private key, he or she can gain access to your encrypted data.

Export your Private Key from Recovery Agent

1. Log on to your computer using the local Administrator account. NOTE: You must use the built-in Administrator account, not just an account with Administrator privileges.
2. Click Start, click Run, type secpol.msc, and then click OK.
3. Click the plus sign (+) next to Public Key Policies to expand this item.
4. Click the Encrypted Data Recovery Agents category.
5. In the right-hand pane, a certificate issued to "Administrator" with the intended purpose "File Recovery" is displayed. Right-click it, point to All Tasks, and then click Export.
6. Click Next.
7. Ensure the Yes, export the private key option is selected, and then click Next.
8. In the Export File Format dialog box, if you want to remove the private key associated with the Administrator account, click to select the Delete the private key if the export is successful check box.
9. Click Next.
10. Type and confirm a password to secure the exported key, and then click Next.
11. You are prompted to save the certificate and the private key to a file. You should back up the file to a disk or removable media device, and then store the backup in a location where physical security of the backup is ensured. Type an appropriate file name, and then click Next.
12. When the Completing the Certificate Export Wizard dialog box is displayed, verify the options that you selected, and then click Finish.
13. When the The export was successful dialog box is displayed, click OK.
14. You must restart your computer to complete the removal of the private key.

If your computer is not participating in a Windows domain (for example, a stand-alone computer), the local Administrator account is the designated EFS recovery agent. Because of this, you can recover encrypted data after a user's key is lost only if you previously backed up the local Administrator's recovery key. In a domain, the default recovery agent is the domain Administrator account, and the recovery policy is set through Group Policy.

[ Article ID: 241201 ]

«193» How to Restore an EFS Private Key for Encrypted Data Recovery

The following describes how to import an EFS recovery key that was previously exported to a .pfx file using the procedure outlined in Item 192 above.

If you lose your Encrypting File System (EFS) private key (for example, your computer installation is destroyed), a designated EFS recovery agent must restore the files. The designated recovery agent uses his or her EFS recovery agent private key to decrypt the files so they can be recovered.

Restore the Designated Recovery Agent's EFS Private Key on Another Windows 2000 Installation

1. Log on to your computer using the local Administrator account, or an account that is a designated EFS recovery agent.
2. Browse to the path and file name of the .pfx file to which you exported the EFS recovery agent's private key, and then right-click the file.
3. Click Install PFX to start the Certificate Import wizard.
4. Click Next and confirm the file location and name.
5. Click Next. Type the password for the private key, and then click Next.
6. Click Place all certificates in the following store, and then click Browse.
7. Click Personal, and then click OK.
8. Click Finish, click Yes to add the certificate, and then click OK.

After you successfully import the certificate, you should be able to use the local Administrator account or the recovery agent account to decrypt the files on the computer that failed. To confirm this, open one of the encrypted files (it should be accessible). If you want to make the file accessible to a new user or the original user, you must decrypt the file by removing the advanced properties encryption attribute. The new user can then re-encrypt the files using the new private key.

[ Article ID: 242296 ]

«194» The CACLS.EXE Command

First, a little background:

Microsoft Windows NT and Windows 2000 protect system resources with Access Control Lists (ACLs). An ACL is a list of entries, each pairing a Security IDentifier (SID) with the access rights granted or denied to that security principal. The SID of a user or group from a domain is always based on the SID of the domain, and uniquely identifies the user or group. ACLs are placed on a resource to indicate which users and groups are permitted to access the resource, and what level of access they are allowed. When a user attempts to access the resource, Windows compares the SIDs in the ACL with the SIDs in the user's access token (the account SID plus the SIDs of every group the user belongs to) and grants or denies access accordingly; because explicit Deny entries are evaluated before Grant entries, a deny on any one of the user's SIDs wins over grants to the others.

When a user logs on to a domain, the user's account SID and group membership SIDs are determined by a domain controller in the user's account domain. The SID of the trusted domain, the Relative ID (RID) of the user's account, the RID of the user's primary group, and the SIDs of all other group memberships are combined into an authorization data structure and passed to the requesting computer. If the authenticating domain controller is running Windows 2000, it also checks to determine if the user has any SIDs in his or her SIDHistory attribute and includes those SIDs in the authorization data.

Some relevant definitions:

Access Control
The mechanisms for limiting access to certain items of information or to certain controls based on users' identity and their membership in various predefined groups. Access control is typically used by system administrators for controlling user access to network resources such as servers, directories, and files and is typically implemented by granting permissions to users and groups for access to specific objects.

Discretionary Access Control List (DACL)
A list that represents part of an object's security descriptor that allows or denies permissions to specific users and groups. Discretionary access control list is also called DACL.

Access Control Entry (ACE)
An entry in an object's discretionary access control list (DACL) that grants permissions to a user or group. An ACE is also an entry in an object's system access control list (SACL) that specifies the security events to be audited for a user or group. Access control entry is also called ACE.

System Access Control List (SACL)
A list that represents part of an object's security descriptor that specifies which events are to be audited per user or group. Examples of auditing events are file access, logon attempts, and system shutdowns. System access control list is also called SACL.

Security Descriptor
A set of information attached to an object that specifies the permissions granted to users and groups, as well as the security events to be audited.

Permission
A rule associated with an object to regulate which users can gain access to the object and in what manner.

Object
An entity such as a file, folder, shared folder, printer, or Active Directory object described by a distinct, named set of attributes. For example, the attributes of a File object include its name, location, and size; the attributes of an Active Directory User object might include the user's first name, last name, and e-mail address. For OLE and ActiveX, an object can also be any piece of information that can be linked to, or embedded into, another object.

And now for the command:

Cacls.exe
Displays or modifies access control lists (ACLs) of files.

Syntax:

cacls filename [/t] [/e] [/c] [/g user:perm] [/r user [...]] [/p user:perm [...]] [/d user [...]]

Parameters:

filename
Displays ACLs of specified files.

/T
Changes ACLs of specified files in the current directory and all subdirectories.

/E
Edits the ACL instead of replacing it. Without /E, cacls discards the existing ACL and writes only the entries you specify, so cacls file /G user:F leaves that user as the only principal with any access at all; use /E for day-to-day changes and check the result with cacls filename afterward.

/C
Continues changing ACLs, ignoring errors.

/G user:perm
Grant specified user access rights. Perm can be:
R » Read
W » Write
C » Change (Write)
F » Full Control

/R user
Revoke specified user's access rights <only valid with /E>.

/P user:perm
Replace specified user's access rights. Perm can be:
N » None
R » Read
W » Write
C » Change (Write)
F » Full Control

/D user
Denies specified user access.

Wildcards can be used to specify more than one file in a command, and you can specify more than one user in a command.
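As an added example, not part of the original page and not a Microsoft tool: the audit a practitioner would run over the output of cacls before deciding what to change. It parses the listing into entries, flags write-level grants to Everyone or Users and any non-administrative entry that could rewrite the ACL (Full Control, or WRITE_DAC/WRITE_OWNER in a special-access list), and builds the cacls /E /P command that narrows each one while leaving the other entries alone. The listing shape it expects is stated in its docstring; the sample listing is constructed, not captured from a real host, and the sets of principals it treats as broad or trusted are this example's own choices.

```python
"""Audit the ACL that `cacls <path>` prints and build a safe /E repair.

Assumed output shape (that of cacls.exe on Windows 2000): the path and the
first entry share the first line, further entries are indented beneath it,
and each entry reads  <principal>:<flags><perm>  where flags are any of
(OI) (CI) (IO) (DENY) and perm is N, R, W, C, F or the token
(special access:) followed by one access-mask name per line.
"""
import re

SAMPLE_PATH = r"C:\Data"
# Constructed sample listing for this example, not captured from a real host.
SAMPLE_CACLS_OUTPUT = r"""C:\Data BUILTIN\Administrators:(OI)(CI)F
        NT AUTHORITY\SYSTEM:(OI)(CI)F
        Everyone:(OI)(CI)C
        CORP\jsmith:(OI)(CI)(special access:)
                    READ_CONTROL
                    WRITE_DAC
                    FILE_GENERIC_READ
        CORP\contractor:(OI)(CI)(DENY)(special access:)
                    DELETE
"""

# Principals that mean "more or less everybody": a write grant to them is a finding.
BROAD = {"everyone", "users", r"builtin\users", "authenticated users",
         r"nt authority\authenticated users"}
# Principals expected to hold Full Control and therefore allowed to rewrite the ACL.
TRUSTED = {r"builtin\administrators", r"nt authority\system", "creator owner"}
WRITE_LEVELS = {"W", "C", "F"}
WRITE_MASKS = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_GENERIC_WRITE",
               "GENERIC_WRITE", "GENERIC_ALL", "DELETE", "WRITE_DAC", "WRITE_OWNER"}
CONTROL_MASKS = {"WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL"}

_ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))*)(?P<perm>[NRWCF]?)$")


def parse_cacls(path, output):
    """Return the entries in `output` as dicts: who, deny, inherit, perm, special."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith(path.lower()):       # first line carries the path
            line = line[len(path):].strip()
        m = _ACE.match(line)
        if m:
            flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
            aces.append({"who": m.group("who"), "deny": "DENY" in flags,
                         "inherit": [f for f in flags if f in ("OI", "CI", "IO")],
                         "perm": m.group("perm"),
                         "special": [] if "special access:" in flags else None})
        elif aces and aces[-1]["special"] is not None:  # mask name under (special access:)
            aces[-1]["special"].append(line)
        else:
            raise ValueError("unrecognised cacls line: %r" % raw)
    return aces


def _quote(principal):
    """cmd.exe needs quotes only around names that contain a space."""
    return '"%s"' % principal if " " in principal else principal


def audit(path, aces):
    """Return (findings, fixes).  Each fix uses /E so the other entries survive
    and /P so the principal's existing entry is replaced rather than added to."""
    findings, fixes = [], []
    for ace in aces:
        if ace["deny"]:
            continue
        who = ace["who"].lower()
        masks = set(ace["special"] or [])
        if who in BROAD and (ace["perm"] in WRITE_LEVELS or masks & WRITE_MASKS):
            findings.append("%s can write to %s (%s)"
                            % (ace["who"], path, ace["perm"] or "special access"))
            fixes.append('cacls "%s" /E /P %s:R' % (path, _quote(ace["who"])))
        elif who not in TRUSTED and (ace["perm"] == "F" or masks & CONTROL_MASKS):
            findings.append("%s can rewrite the ACL of %s (%s)"
                            % (ace["who"], path, ace["perm"] or "WRITE_DAC/WRITE_OWNER"))
            fixes.append('cacls "%s" /E /P %s:C' % (path, _quote(ace["who"])))
    return findings, fixes


if __name__ == "__main__":
    for line in sum(audit(SAMPLE_PATH, parse_cacls(SAMPLE_PATH, SAMPLE_CACLS_OUTPUT)), []):
        print(line)
```

On the constructed listing the audit reports Everyone's Change grant and jsmith's WRITE_DAC and proposes cacls "C:\Data" /E /P Everyone:R and cacls "C:\Data" /E /P CORP\jsmith:C; the contractor's Deny entry is left alone. Add /T to the proposed commands if the same fix should walk the subdirectories, and rerun cacls on the path to confirm the result before trusting it.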

«195» How To Move A Windows Installation To Different Hardware

Microsoft Knowledge Base article 249694 describes how to move a Windows 2000 installation to new or different hardware. You can use the information in this article to migrate a working Windows operating system and its installed programs to a different or more powerful computer with minimal downtime. You can also use the procedure to replace a small system/boot disk drive with a larger one, or to restore a Windows backup from a non-working computer onto a different computer for disaster recovery purposes.

«196» How To Create A Log Using System Monitor

In Windows 2000, System Monitor is part of the Performance tool. You can use System Monitor to collect and view data about current memory, disk, processor, network, and other activity in graph, histogram, or report form. Through Performance Logs and Alerts (a related tool) you can configure logs to record performance data and set system alerts to notify you when a specified counter's value is above, below, or equal to a defined threshold. Click on: Start | Programs | Accessories | Administrative Tools | Performance. Click on Performance Logs and Alerts.

To create a new log:

1. Right-click Counter Logs, click New Log Settings, type a name for the log, and then click OK.
2. On the General tab, click Add to add the counters you want.
3. On the Log Files tab, click the logging options you want.
4. On the Schedule tab, click the scheduling options you want.

You can set similar options in Alerts. For example, you can configure the alert to send a message, start a performance data log, or run a program, if a counter exceeds a certain value.

NOTES:

» If you are troubleshooting a performance issue or an issue that looks like a memory leak, the objects the log should include are, but are not limited to, the following items.

Memory resource issues:

Cache
Memory
Objects
Paging file
Process
Processor
System
Terminal Services (if a Terminal Server)

For all other resource issues, add additional counters:

Logical disk
NBT Connections
Network interface
Physical disk
Redirector
Server
Server work queues
Thread (do NOT capture if a Terminal Server)
All Terminal Server counters (if a Terminal Server)
All Protocol counters bound to network adapters

» Physical Disk counters are present by default on Windows 2000. Logical Disk counters are not; enable them with diskperf -yv at a command prompt and restart the computer before they appear in the Add Counters list.

[ Article ID: 248345 ]

«197» FreeWare Utility «» metapad

by Alexander Davidson

If you are like me, one of the most useful programs for everyday use is Microsoft Notepad. I realized that Notepad was quite powerful and did almost everything I wanted in a simple text editor. Yet I found the UI to be unlike most 32-bit Windows applications and actually quite poor...

'metapad' is a small, fast (and completely free) text editor for Windows 9x and Windows NT (2000) with similar features to Microsoft Notepad but with many extra (and rather useful) features. It was designed to completely replace Notepad since it includes (just about) all of Notepad's features and much, much more. [ To see how you can install metapad to replace Notepad see the metaFAQ page on the metapad web site, number (17) - Windows 2000. ]

New and improved features include:

» Persistent window placement
» Dirty file notification
» Intelligent Find and Replace
» External viewer support (e.g. web browser)
» Usable accelerator keys (Ctrl+S, Ctrl+N, etc.)
» Dual customizable font support
» Optional Quick Exit (Esc key)
» Configurable tab stop setting
» Auto-indent mode
» Go to Line/Column
» Seamless UNIX text file support
» Block indent and unindent (Tab, Shift+Tab)
» Recent files list
» WYSIWYG printing
» Snazzy status bar & funky toolbar
» No file size limit! (under Win9x)
» Hyperlink support

[ metapad can be found here]

«198» Description of the Windows Recovery Console

The functionality and limitations of the Windows Recovery Console are described in Knowledge Base Article 229716. The Windows Recovery Console is designed to help you recover when your Windows-based computer does not start properly or does not start at all.

When you use the Windows Recovery Console, you can obtain limited access to NTFS, FAT, and FAT32 volumes without starting the Windows graphical interface. In the Windows Recovery Console you can:

» Use, copy, rename or replace operating system files and folders.
» Enable or disable services or devices from starting when you next start your computer.
» Repair the file system boot sector or the Master Boot Record (MBR).
» Create and format partitions on drives.

Note that only an Administrator can obtain access to the Windows Recovery Console: it prompts for the local Administrator password before it exposes any NTFS volume, so an unauthorized user who merely has the Windows CD cannot read the disk through it. (Item 200 below describes the policy that turns this prompt off; leave it at its default unless the computer is physically secured.)

«199» How to Install the Windows Recovery Console

To install the Windows Recovery Console after Windows is already installed on your computer:

1. Click Start, click Run, and then type D:\i386\winnt32.exe /cmdcons in the Open box, where D: is the drive letter assigned to your CD-ROM drive.
2. Click OK, follow the instructions on the screen to finish Setup, and then restart your computer.

To delete the Recovery Console:

1. Restart your computer. Double-click My Computer, and then double-click the hard disk on which you installed the Recovery Console.
2. On the Tools menu, click Folder Options, and then click the View tab.
3. Click Show hidden files and folders, click to clear the Hide protected operating system files check box, and then click OK.
4. At the root folder, delete the Cmdcons folder and the Cmldr file.
5. At the root folder, right-click the Boot.ini file, and then click Properties.
6. Click to clear the Read-only check box, and then click OK.
WARNING: Modifying the Boot.ini file incorrectly may prevent your computer from restarting. Delete only the entry for the Recovery Console, and set the Boot.ini file back to read-only after you complete this procedure.

7. Open the Boot.ini file in Microsoft Windows Notepad, and remove the entry for the Recovery Console. It looks similar to this:

C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

Save the file and close it.

For additional details on this subject, please see the following Knowledge Base article:

KB216417: Install the Recovery Console in Windows 2000
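The check that Items 190 and 199 both call for, as an added example that is not part of the original page or of the Knowledge Base articles it cites: a small Python parser for the Boot.ini layout described in Item 190 that reports anything NTLDR would trip over (in particular a default= line that no longer matches an [operating systems] entry) and removes the Recovery Console line from Item 199 without touching anything else. The sample Boot.ini is constructed and the function names are this example's own. Read the file after attrib -r -s -h C:\boot.ini, run the check on the edited text before writing it back, and restore the attributes with attrib +r +s +h afterward.

```python
"""Parse, check and edit a Windows 2000 Boot.ini before NTLDR has to trust it.

Boot.ini is a small INI file: [boot loader] holds `timeout` and `default`,
[operating systems] holds one line per menu entry of the form
    <ARC path or drive path>="<menu text>" [/switches ...]
NTLDR boots `default` when the counter expires, so the check worth doing
before saving any edit is that `default` still names an entry.
"""
import re

# Constructed sample for this example: one Windows 2000 installation plus the
# entry that `winnt32 /cmdcons` adds for the Recovery Console.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINNT="Microsoft Windows 2000 Professional" /fastdetect
C:\\cmdcons\\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons
"""

# path="menu text" switches...   (switches are optional)
_ENTRY = re.compile(r'^(?P<path>[^=]+?)\s*=\s*"(?P<name>[^"]*)"\s*(?P<switches>.*?)\s*$')


def _section_of(line):
    """Lower-cased section name if `line` is a [header], else None."""
    if line.startswith("[") and line.endswith("]"):
        return line[1:-1].strip().lower()
    return None


def parse_boot_ini(text):
    """Return {'timeout', 'default', 'entries', 'errors'}.  Malformed lines go
    into 'errors' rather than being dropped: a bad line is exactly what a hand
    edit tends to leave behind."""
    info = {"timeout": None, "default": None, "entries": [], "errors": []}
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if _section_of(line) is not None:
            section = _section_of(line)
        elif section == "boot loader":
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "timeout":
                try:
                    info["timeout"] = int(value)
                except ValueError:
                    info["errors"].append("line %d: timeout is not an integer: %r" % (lineno, value))
            elif key == "default":
                info["default"] = value
        elif section == "operating systems":
            m = _ENTRY.match(line)
            if m is None:
                info["errors"].append("line %d: malformed entry: %r" % (lineno, line))
            else:
                info["entries"].append({"path": m.group("path"), "name": m.group("name"),
                                        "switches": m.group("switches").split()})
        else:
            info["errors"].append("line %d: text outside a known section: %r" % (lineno, line))
    return info


def check_boot_ini(text):
    """Return a list of problems; an empty list means NTLDR will find what it needs."""
    info = parse_boot_ini(text)
    problems = list(info["errors"])
    if info["timeout"] is None:
        problems.append("[boot loader] has no timeout= line")
    elif info["timeout"] < -1:
        problems.append("timeout must be -1 (wait for a choice) or a number of seconds")
    if not info["entries"]:
        problems.append("[operating systems] lists no entries")
    paths = [e["path"].lower() for e in info["entries"]]
    if info["default"] is None:
        problems.append("[boot loader] has no default= line")
    elif info["default"].lower() not in paths:
        problems.append("default %r matches no [operating systems] entry" % info["default"])
    if len(paths) != len(set(paths)):
        problems.append("duplicate [operating systems] paths")
    return problems


def remove_entries_with_switch(text, switch="/cmdcons"):
    """Drop every [operating systems] line carrying `switch` and return
    (new_text, removed_lines).  Nothing else is touched, so the caller can
    diff the result and run check_boot_ini() on it before writing it back."""
    kept, removed, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if _section_of(line) is not None:
            section = _section_of(line)
        elif section == "operating systems":
            m = _ENTRY.match(line)
            if m and switch.lower() in (s.lower() for s in m.group("switches").split()):
                removed.append(raw)
                continue
        kept.append(raw)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    new_text, gone = remove_entries_with_switch(SAMPLE_BOOT_INI)
    print("removed:", gone, "problems after edit:", check_boot_ini(new_text) or "none")
```

Because the edit is done on the text rather than in place, a mistake shows up as a non-empty problem list before anything reaches the disk; the same check applied to a Boot.ini you have edited by hand in Notepad catches the most common slip, a default= that points at a partition or folder that no [operating systems] line names.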

«200» Description of the SET Command in Recovery Console

You can use the set command in Recovery Console to display or modify four environment variables. You can set each of the four environment variables to TRUE or FALSE. TRUE is turned on; FALSE is turned off and is always the default setting.

The Syntax for the set command is:

set variable = value

where variable is one of the four names listed below and value is TRUE or FALSE, for example set allowallpaths = TRUE.

NOTE: Be sure to use a space on each side of the equal sign. If you do not, the set command returns a "syntax error" message and does not work.

The variables, when set to TRUE, have the following meanings:

» allowwildcards: Allows you to use wildcards with some commands (such as del *.bak).
» allowallpaths: Allows you to change directories (the cd command) to include all folders on all drives.
» allowremovablemedia: Allows you to copy files from the hard disk to a floppy disk or other recognized removable media.
» nocopyprompt: Allows you to copy files without being prompted to continue when you are overwriting an existing file.

When you attempt to use the set command to change any of these variables from FALSE to TRUE, you may receive the following error message:

The SET command is currently disabled. The SET command is an optional Recovery Console command that can only be enabled by using the Security Configuration and Analysis snap-in.

Before you can change any of the environment variables to TRUE, you must enable the set command option using one of the following Windows security tools:

» The Security Configuration and Analysis snap-in in Microsoft Management Console (MMC)
» The Domain Controller Security Policy in Administrative Tools.
» The Domain Security Policy in Administrative Tools.
» The Local Security Policy in Administrative Tools.

After you start one of these security tools (as applicable to your computer's environment), look under the Local Policies, Security Options heading and locate the following two security policies pertaining to Recovery Console.

» Recovery Console: Allow Automatic Administrative Logon.
» Recovery Console: Allow floppy copy and access to all drives and all folders.

The first policy allows you to start Recovery Console without being prompted for the administrative password stored in the local computer's account database; because anyone who can boot the computer from the Windows CD then gets the Administrator's access to the disk, leave it disabled unless the computer is physically secured. The second policy enables the set command while you are using Recovery Console. This is the policy you want to enable; it allows you to change any of the four environment variables to TRUE during a Recovery Console session.

After you enable the security policy, it must be applied (possibly across the domain) before becoming the effective policy on the local computer. This is necessary before the set command is truly enabled and available for use during a Recovery Console session.

You can run the following command to force a refresh of the local computer's policy after performing the policy change listed above:

secedit /refreshpolicy machine_policy

After the local policy is refreshed and the enabled Recovery Console security policy is in effect, you should be able to start Recovery Console and use the set command to enable any of the four environment options.
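As an added example, not from the original page or the cited Knowledge Base article: the two Recovery Console policies are stored under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole as the REG_DWORD values SecurityLevel (automatic administrative logon) and SetCommand (the set command), and a security template sets them through its [Registry Values] section, where each line reads path=type,value with type 4 meaning REG_DWORD. The Python below reads those two values out of a template, warns when automatic logon is turned on, and generates a template that enables only the set command. The template text is constructed here and the function names are this example's own.

```python
"""Check or generate the Security Template lines behind the two Recovery Console
policies, so a template can be reviewed before secedit applies it.

  Recovery Console: Allow automatic administrative logon    -> ...\RecoveryConsole\SecurityLevel
  Recovery Console: Allow floppy copy and access to all ... -> ...\RecoveryConsole\SetCommand
Both are REG_DWORD (template type 4); 1 enables, 0 disables.
"""
RC_KEY = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole"
AUTO_LOGON = RC_KEY + r"\SecurityLevel"
SET_COMMAND = RC_KEY + r"\SetCommand"

# Constructed sample template for this example: the minimal header secedit
# expects, then the two policy lines (set command on, automatic logon off).
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SecurityLevel=4,0
MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Setup\\RecoveryConsole\\SetCommand=4,1
"""


def registry_values(template):
    """Return {registry path (lower-cased): (type, value)} from [Registry Values]."""
    values, in_section = {}, False
    for raw in template.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section and "=" in line:
            path, _, rest = line.partition("=")
            vtype, _, value = rest.partition(",")
            values[path.strip().lower()] = (int(vtype), value.strip())
    return values


def recovery_console_policy(template):
    """Report what the template does to the two policies; automatic logon gets a
    warning because it hands the disk to anyone who can boot the machine."""
    vals = registry_values(template)
    auto = vals.get(AUTO_LOGON.lower())
    setcmd = vals.get(SET_COMMAND.lower())
    report = {"auto_logon": auto is not None and auto[1] == "1",
              "set_command": setcmd is not None and setcmd[1] == "1",
              "warnings": []}
    if report["auto_logon"]:
        report["warnings"].append("automatic administrative logon is enabled: anyone who can "
                                  "boot from the Windows CD gets the Administrator's file access")
    return report


def recovery_console_template(set_command=True, auto_logon=False):
    """Build a template that `secedit /configure /db rc.sdb /cfg rc.inf /areas
    SECURITYPOLICY` can apply; the defaults enable only the set command."""
    return ("[Unicode]\nUnicode=yes\n[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
            "[Registry Values]\n%s=4,%d\n%s=4,%d\n"
            % (AUTO_LOGON, int(auto_logon), SET_COMMAND, int(set_command)))


if __name__ == "__main__":
    print(recovery_console_policy(SAMPLE_TEMPLATE))
    print(recovery_console_template())
```

Save the generated text as rc.inf, apply it with secedit /configure /db rc.sdb /cfg rc.inf /areas SECURITYPOLICY, refresh with the secedit /refreshpolicy command above (or restart), and confirm in the Security Configuration and Analysis snap-in that only the second of the two Recovery Console policies shows as enabled.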



treewalkdns.com


~ Includes previous work and rights from Ted Quantrill's Tip Quarry ~