Crash Recovery
Recovering a Crashed XP System
Advanced Options menu reached by pressing F8 after BIOS startup messages. If Windows hangs at startup, press power or reset button: this should cause XP to reboot to the Startup Recovery menu.
Safe Mode: minimal required set of drivers to start system (USB mice and keyboards need to be enabled in the BIOS). Safe Mode ignores startup programs. 24-bit VGA driver used. In Safe Mode use Event Viewer and Device Manager to identify problems. Then you can roll back drivers, use System Restore and remove newly installed programs. Try Safe Mode with Networking also. If Safe Mode works, then the problem must lie with other drivers or startup programs not used by Safe Mode. To add these options to the startup menu, append the following switches to an entry in boot.ini:
- /safeboot:minimal /sos /bootlog
- /safeboot:network /sos /bootlog
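What the resulting boot.ini entries look like, as an added example (not part of the original notes): the function copies the ARC path from the `default=` line and appends one menu entry per switch set. The menu texts, the sample boot.ini and the function name are constructed for illustration; `/safeboot:network` is the spelling used in the bootcfg switch list on this page.

```python
SAFE_ENTRIES = [  # (menu text chosen for this example, switches from the list above)
    ("Safe Mode", "/safeboot:minimal /sos /bootlog"),
    ("Safe Mode with Networking", "/safeboot:network /sos /bootlog"),
]

def add_safe_mode_entries(boot_ini):
    """Return boot.ini text with Safe Mode entries appended for the default OS."""
    lines = boot_ini.splitlines()
    section, default, os_end = None, None, None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            section = s.lower()
        elif section == "[boot loader]" and s.lower().startswith("default="):
            default = s.split("=", 1)[1].strip()
        elif section == "[operating systems]" and s:
            os_end = i  # index of the last entry seen in the section
    if default is None or os_end is None:
        raise ValueError("no default= line or no [operating systems] entries")
    have = {l.strip().lower() for l in lines}
    new = ['%s="%s" %s' % (default, text, sw) for text, sw in SAFE_ENTRIES]
    new = [n for n in new if n.lower() not in have]  # running twice adds nothing
    return "\r\n".join(lines[:os_end + 1] + new + lines[os_end + 1:]) + "\r\n"

SAMPLE_BOOT_INI = "\r\n".join([  # constructed sample, not from a real machine
    "[boot loader]",
    "timeout=30",
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS",
    "[operating systems]",
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect',
]) + "\r\n"

if __name__ == "__main__":
    print(add_safe_mode_entries(SAMPLE_BOOT_INI))
```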
Last Known Good: Every time you start Windows normally and log on, Windows makes a record of all currently installed drivers and the contents of CurrentControlSet. Last Known Good restores the registry settings saved from the last logon, effectively removing the registry settings that are causing the problems (assuming you installed some new driver or changed some hardware setting). If you suspect a particular problem is hardware related, do not log on. If you do, XP resets the Last Known Good. Logon in Safe Mode does not reset Last Known Good.
Enable Boot Logging: Windows starts up normally and creates a log file (%systemroot%\ntbtlog.txt) that lists the names and status of all drivers loaded into memory. If the problem is caused by a bad driver, then the last entry in this file may identify the culprit.
Enable VGA Mode: uses currently installed video driver in VGA mode. Use this option if the problem is caused by incorrect display settings.
Debugging Mode: kernel debugging mode. Connect another computer running compatible debugging tools to COM2.
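A sketch of reading the boot log described under Enable Boot Logging, added here as an example (not part of the original notes): it splits ntbtlog.txt into boot sessions, reports the last entry and the drivers that did not load, and lists drivers a normal boot loaded that a Safe Mode boot did without. The log text and the driver examplevid.sys are constructed, and the header lines and UTF-16 encoding are assumptions about the file.

```python
import re

ENTRY = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+)$")

def decode_log(raw):
    # Assumption: UTF-16 with a BOM unless the copy was re-saved as ANSI.
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "cp1252", errors="replace")

def parse_sessions(text):
    """Split the log into boot sessions, each a list of (loaded, path) tuples."""
    sessions, current = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            current.append((m.group(1) == "Loaded driver", m.group(2)))
        elif line and current:  # header text after entries: a new boot begins
            sessions.append(current)
            current = []
    return sessions + ([current] if current else [])

def triage(session):
    """Last entry written before the log stopped, plus drivers that did not load."""
    failed = list(dict.fromkeys(p for ok, p in session if not ok))  # de-duplicate
    return {"last_entry": session[-1][1], "not_loaded": failed}

def extra_drivers(normal, safe):
    """Drivers loaded in a normal boot that a Safe Mode boot did without."""
    base = lambda p: p.rsplit("\\", 1)[-1].lower()
    safe_names = {base(p) for ok, p in safe if ok}
    return [p for ok, p in normal if ok and base(p) not in safe_names]

# Constructed sample: a Safe Mode boot followed by a normal boot that hung.
VID = "\\SystemRoot\\System32\\DRIVERS\\examplevid.sys"  # hypothetical driver
SAMPLE = "\r\n".join([
    "Microsoft (R) Windows (R) Version 5.1 (Build 2600)",
    " 3 14 2005 09:12:01.500",
    "Loaded driver \\WINDOWS\\system32\\ntoskrnl.exe",
    "Did not load driver " + VID,
    "Did not load driver " + VID,
    "Microsoft (R) Windows (R) Version 5.1 (Build 2600)",
    " 3 14 2005 09:20:44.500",
    "Loaded driver \\WINDOWS\\system32\\ntoskrnl.exe",
    "Loaded driver " + VID,
]).encode("utf-16")

if __name__ == "__main__":
    safe, normal = parse_sessions(decode_log(SAMPLE))
    print(triage(normal), extra_drivers(normal, safe))
```

The last entry is a lead rather than proof: the driver that hangs may be the one that was about to load, so compare against a session from a boot that completed.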
System Restore: runs in the background monitoring essential files, folders and settings. Regularly takes registry snapshots. Use it in the following situations:
- You install a program that causes conflict but uninstall does not fix it
- You install one or more updated drivers that cause problems. Alternative to driver rollback: restores all previously installed drivers
- Your system becomes unstable for no apparent reason: restore to a point when it was stable
Do not use system restore to recover from virus attacks. Restore points could be infected with the virus. You could end up restoring the virus.
System Restore keeps a log of changes to files defined in %systemroot%\system32\restore\filelist.xml. Regularly copies system files to hidden archives along with snapshots of system state (e.g. user accounts, hardware and software settings, startup files). System Restore does not back up:
- pagefile or hiberfil.sys
- documents and settings
- graphics or data files
- emails
You can create a restore point manually or one is created automatically when:
- you install an unsigned driver
- install an application with an installer compatible with system restore (e.g. msi or InstallShield 6.1)
- install a windows update or patch
- you restore a prior configuration using System Restore
- you restore an NTBackup (will not protect deleted data files)
System restore creates a restore point every 24 hours. Deletes restore points after 90 days. See HKLM\MS\WinNT\CurrVer\SystemRestore. Restore an RP using Help and Support Centre. If restore no good you will have the option to undo restore. System restore does not remove programs, though it will remove exe's and dll's: uninstall programs before and reinstall after. Upgrading from XP Home to XP Pro, deletes old restore points. You can restore from Safe Mode, but you cannot create restore points. Service Packs offer the option to save or reset restore points. If you stop System Restore, all restore points are lost when you re-enable it.
Recovery Console
- Boot from CD and choose R at startup screen. Type administrator password at prompt. Type 'exit' to restart
- add recovery console to startup menu (winnt32 /cmdcons)
- access restricted to root directory of any volume, %systemroot% and subdirectories, cmdcons folder, removable media
- cannot access %programfiles%, Documents and Settings, disks or folders containing other installations
- no write access to removable media
- can't change administrator password
- no text editing tools available
Cut-down version of command console: no wildcards available. Type help or 'help command'.
| Command | Description |
|---|---|
| attrib | |
| batch | executes commands from text file |
| bootcfg | scans all disks then configures and repairs boot.ini. boot.ini switches: /fastdetect (turns off COM port mouse detection: used if you have another device connected to COM ports); /noguiboot (turns off progress bar bitmap); /sos (shows drivers as they load); /basevideo (use VGA mode with installed video driver); /bootlog (%systemroot%\ntbtlog.txt); /debug (loads kernel debugger when Windows starts); /crashdebug (loads kernel debugger: only activated when a crash occurs); /nodebug (disables kernel debugging); /pcilock (lets BIOS handle resource assignment); /safeboot:[minimal \| network \| minimal(alternateshell)]; /numproc=n (use only n processors); /burnmemory=n (reduce memory used by n megabytes) |
| cd or chdir | |
| chkdsk | chkdsk will not do anything if it thinks the disk is good. Force checking with /p. |
| cls | |
| copy | |
| del or delete | |
| dir | |
| disable | disables a service or driver |
| diskpart | manage partitions on basic disks only |
| enable | enable a service or driver (enable servicename starttype). |
| exit | |
| expand | extracts a file from a .cab |
| fixboot | writes a new partition boot sector on to the drive specified |
| fixmbr | repairs MBR |
| format | |
| help | |
| listsvc | list all services and drivers |
| logon | lists all detected installations, and allows logon |
| map | list drive letters, fstype, size, and mappings to physical disks |
| md or mkdir | |
| more | |
| rd or rmdir | |
| ren or rename | |
| set | must be enabled in Local Security Policy |
| systemroot | cd to %systemroot% |
| type | display a text file |
To access extra features in recovery console, change Group Policy settings in Computer\Windows Settings\Security Settings\Local Policies\Security Options\Recovery Console:
- Allow Floppy Copy
- Access all drives and folders
Then you can use set to:
- set allowwildcards = true
- set allowallpaths = true
- set allowremovablemedia = true
- set nocopyprompt = true
Typical Recovery Scenarios
- Boot.ini missing or corrupt. Run bootcfg /scan, bootcfg /rebuild, bootcfg /add
- Critical System Files missing. You can restore files using 'copy source dest' which will also expand compressed files. For .cab files use expand
- Boot Sector code Replaced. Use fixboot
- Registry knackered. Use following procedure. 1) cd system32\config ; 2) make backup copy of software or system files; 3) copy ..\..\repair\system or ..\..\repair\software. The files in repair may not be up to date, so do a system restore once the OS is running again
If Recovery console fails, try a repair from CD setup.
Blue Screen Of Death
See XP Pro Resource Kit for further details. BSOD layout:
- symbolic error number
- trouble shooting recommendations
- error number and parameters
- driver details
Normally stop errors are also written to the eventlog. General advice:
- Look for driver name. If you can trace file to a particular device, try disabling, removing or rolling back the driver
- Don't rule out hardware problems. Damaged hard disks, defective RAM, overheating CPUs could be to blame. If errors occur at random and details vary, hardware problems could be indicated
- Ask 'what's changed?' Be suspicious of newly installed hardware or applications
- Search the knowledgebase using error code and parameters
- Check BIOS settings. Reset to defaults and check for updates
- Are you low on system resources? Check RAM and hard disks from safe mode
- Is a crucial system file corrupted? Reinstall from safe mode or use recovery console
STOP Error Codes
| STOP Code | Meaning |
|---|---|
| 0x0a IRQL_NOT_LESS_OR_EQUAL | a kernel mode process or driver attempted to access a memory location without authorisation. Offending device driver often appears in STOP message |
| 0x1e KMODE_EXCEPTION_NOT_HANDLED | XP kernel detected an illegal or unknown processor instruction. Often result of invalid memory access violation caused by dodgy driver |
| 0x24 NTFS_FILE_SYSTEM | Problem occurred in filesystem driver. Indicates disk or controller failure. Check connections and run chkdsk |
| 0x2e DATA_BUS_ERROR | Often caused by defective RAM, VGA RAM, corrupted disk or motherboard damage |
| 0x3f NO_MORE_SYSTEM_PTES | Appears when system runs out of Page Table Entries. Possible causes are backup programs or buggy device driver |
| 0x50 PAGE_FAULT_IN_NONPAGED_AREA | Hardware driver or service requested data that was not in memory. Defective RAM or incompatible software, typically remote control or antivirus programs |
| 0x77 KERNEL_STACK_INPAGE_ERROR | System attempted to read kernel data from virtual memory and failed to find it. Various possible causes including defective RAM, bad HDD, disk controller or cable, corrupted data or virus |
| 0x79 MISMATCHED_HAL | Mismatch between HAL and system files |
| 0x7a KERNEL_DATA_INPAGE_ERROR | Kernel data not found in virtual memory. Bad disks or controllers, SCSI termination, badblocks, controller firmware. Try chkdsk |
| 0x7b INACCESSIBLE_BOOT_DEVICE | Windows unable to locate system partition or boot volume. May occur after repartitioning or adding new disks or disk drivers. Check disk configuration and try bootcfg from recovery console |
| 0x7f UNEXPECTED_KERNEL_MODE_TRAP | Hardware failure. Most common cause: defective or mismatched RAM, malfunctioning CPU or CPU fan failure |
| 0x9f DRIVER_POWER_STATE_FAILURE | A driver is in an inconsistent state after shutting down or suspending, or resuming from suspend. Not limited to hardware drivers. Can involve filesystem filter drivers, antivirus, backup or remote control utilities. Name of driver appears in stop error. |
| 0xc2 BAD_POOL_CALLER | Occurs when a kernel mode process or driver attempts to perform an illegal memory operation. Buggy driver, software or hardware device |
| 0xd1 DRIVER_IRQL_NOT_LESS_OR_EQUAL | driver accessing improper memory address. Check unsigned drivers, antivirus programs, disk utilities, backup programs |
| 0xd8 DRIVER_USED_EXCESSIVE_PTES | Buggy driver requested large amounts of kernel memory |
| 0xea THREAD_STUCK_IN_DEVICE_DRIVER | Video adapter or driver related: video adapter causes system to pause indefinitely. Replace card or driver. |
| 0xed UNMOUNTABLE_BOOT_VOLUME | Often occurs during install. Check disk cables and manufacturers drivers |
| 0xf2 HARDWARE_INTERRUPT_STORM | Kernel detects an interrupt storm when a device fails to release an IRQ: buggy device or firmware. Check driver information in STOP error, and check for other devices using same IRQ |
| 0xc000021a STATUS_SYSTEM_PROCESS_TERMINATED | Serious security problem in XP. Winlogon or CSRSS is compromised. Normally caused by third party program. Remove program. Can also be caused by a backup restore causing mismatched system files, or if permission changes deny System account access to system files |
| 0xc0000221 STATUS_IMAGE_CHECKSUM_MISMATCH | File or disk corruption or faulty hardware. Recovery console or Last Known Good |
Customise handling of STOP errors through sysdm.cpl
- autorestart
- kernel dump
- full memory dump
Following a crash, on system restart, dialogue appears to send report to Microsoft. Can be sent anonymously or via acknowledged upload using .Net Passport. You can also upload crash reports manually at http://oca.microsoft.com (Online Crash Analysis)

