On the Server Side: Help Utilities for Win NT and 2000

Ryan looks at Winternals Software's new Administrator's Pak, a collection of its most popular NT/2000 utilities.

Winternals Software has bundled some of its most popular NT/2000 utilities into the Administrator’s Pak. This set of utilities is an excellent collection that most administrators of NT or Win 2000 systems will find very useful. The Administrator’s Pak consists of nine programs. I’ll look at a few of them now and the rest in next month’s column.

FileMon and RegMon are tools to monitor the file system and registry of any Win 2000 system on the network. The utilities consist of a monitoring program and a client program. The client can be installed on any machine on the network.

The monitoring program is then used to connect either to the local machine or to a machine running the client software via TCP/IP. Once the monitoring program is running, any and all activity on the target systems is recorded, not just changes. This is really useful for seeing what particular programs are doing. For instance, when starting Internet Explorer, my system logged 1,648 separate accesses of the registry. Each phase of the access to the registry was recorded.

Because of the sheer amount of data being logged, the monitoring programs offer good searching and filtering tools. The search tool will look for a particular string in the log and the filter tool will pare down the log to include or exclude particular entries. For instance, you can include every change to the registry except those made by explorer.exe (MS Internet Explorer). Since many programs save their states to the registry when exiting, this can allow you to build a filter that will just show changes made by certain programs. This is useful for debugging code under development. You can also use the filter feature to highlight particular entries in the color of your choice, allowing you to zero in on relevant entries with a quick glimpse of the log. The programs will log entries to screen, disk or both.

Both programs have some unique features. RegMon features a registry jump that allows you to highlight a log entry, then jump to the Registry Editor and automatically select the registry key in question. If you find a key that has been changed in error, you can jump directly to the key and fix it. Similarly, FileMon has an Explorer jump which uses NT Explorer to locate the file in question. FileMon offers options to log activity on all or only certain drives. It also can log activity to the disk by name of system calls (FASTIO_READ) or in a more user-friendly format (READ).

NT Recover is used to gain access to systems that fail to boot. It consists of a host and client arrangement. The client is the dead system. NT Recover creates a boot disk with the client program. Your client program can even use a DOS startup disk with drivers necessary for accessing special devices. To recover a dead system, connect the dead system and a functioning system together via a serial cable. Boot the client (the dead system) with the client disk. The host (the good system) then accesses the client via the serial cable, and mounts the client system disk with a drive letter. After the client is mounted, you can use check disk, explorer or any other utility on the client. Even if you can’t get the dead system running again, you can copy files to the good system and use them on a new or rebuilt system.

NT Locksmith is an add-on to NT Recover. It allows access to a system when the administrator’s password has been lost. The program uses the connection established by NT Recover to access the machine you can’t log in to, navigate to the drive of the remote machine and change the password. The attributes of the administrator account are preserved and nothing else appears to be affected. This is very useful for pesky workstation users who change their passwords and promptly forget.

BlueSave is designed to save the infamous Blue Screen of Death (BSOD) information that appears when a serious hardware or software error causes NT to crash. It’s the only software in the Administrator’s Pak that works exclusively under NT 4.0, since the BSOD in not a part of Win 2000. The program installs quickly and simply sits waiting for a BSOD to occur. When it does, a message appears on the BSOD saying that BlueSave has written the screen contents to a file. The file is called BLUESCRN.TXT and placed in the system root directory, usually \WINNT. That’s it. If your system doesn’t boot after the crash, you can use NT Recover to get the file. If necessary, the file can be e-mailed to Microsoft support and you can get your machine running again.

The programs are small (delivered on a floppy disk, of all things) and feature very straightforward interfaces. The help files actually help and feature step by step instructions on how to use the software.

Pricing for the Administrator’s Pak is $699 and is available from Winternals Software LP (800) 408-8415; or visit www.winternals.com.

Must Read Articles