TWikIWeThey (logo)
An experiment in collective intelligence. Stupidity. Whatever.

TWikIWeThey . Main . WindowsRescueDisk TWikIWeThey webs:
Main | TWiki | Know | Test
Main . { Welcome | Topics | FAQ | Changes | Index | Search | Go }


Table of Contents


With adware/spyware and viruses being an ongoing and growing problem for Windows systems, there's an urgent need for a freely-redistributable kit of software to diagnose and repair such systems.

There are, unfortunately, numerous limitations on both OS and tools available for Windows, such that this page cannot offer a full recovery solution. Instead, it points to some possibly useful tools.

Bootable disks, particularly CD-ROMs, are a now abundant and exceedingly useful resource for Linux. While they fit many bills, one common use is as a recovery disk: a single CD-ROM can hold 1,200+ packages and provide a full desktop, server, analysis, forensics, troubleshooting, and repair environment.

The situation is rather less generous for Windows users, particularly for NT-based variants using NTFS -- a proprietary filesystem for which only limited support exists.

This page details Windows/DOS-based options, their limitations, and concerns over general use, outlining Linux-based options that better serve the need, with pointers on advantages, disadvantages, and best use. Other recovery facilities are noted as well, with their pluses and minuses.

Advantages of Bootable Rescue Disks

Bootable rescue disks are an important resource, for several reasons:

Why So Few Windows Rescue Disks?

It boils down to legality, utility, and availability.

Microsoft Windows is a proprietary family of operating systems. The NT-based variants (NT, 2000, XP, 2003, and the proposed "Longhorn") are based on proprietary designs, including the filesystem itself. This greatly limits the ability to modify or repair the system outside itself, despite the advantages of bootable rescue disks as outlined above.

Where rescue and recovery tools do exist, they're often proprietary in nature, and encumbered by a wide range of restrictions. Above and beyond limiting making and distribution of copies, some claim to restrict any use for the benefit of third parties, and more. In all, the legal environment is uncertain, if not downright unfriendly.

While there is a wide range of FreeSoftware tools available, some have their applicability restricted to working on MS Windows systems. Certain operations can be performed only when booted to the natively installed system, some of these only following a full (rather than Safe Mode) boot.

The result is that there are few tools to begin with, they furnish modest utility at best, and lawful availability of comprehensive rescue systems is near nil.

Native Microsoft-Based Images

Tools for recovering legacy MS Windows-based systems under a DOS or MS Windows environment.

For FAT-Based Systems

For DOS-based Windows versions (DOS, Windows 3.11/95/98/ME), there are a number of options, using either DOS-based boot floppies, or Linux bootable disks. Because the underlying FAT fileystem is an open standard, the system can be booted from removable media, and directly analyzed and manipulated.

Examples of boot disks suitable for recovery on DOS-based systems include pretty much any GNU/Linux-based tools, or an MS-DOS compatible version of DOS. Several of these exist, including Microsoft's own DOS, DR-DOS, and FreeDOS; more below.

The primary limitations of a DOS-based system are the relatively few tools available, and the extreme primitiveness of the environment: no ability to multitask, an extremely limited toolset, and low display density (80x25 default).

NB: There are some multitasking environments for DOS, principally DESQview, formerly from Quarterdesk. The company was aquired by Symantec. DESQview can be found for download, however neither the company providing it nor Symantec are responsive to requests for clarification of copyright status (based on direct email communications with download site and Symantec's corporate counsel).

For NTFS-Based Systems

By contrast, Microsft have never released full specifications for their NTFS filesystem, for several reasons, among them nominal security. As a consequence, ability to read and modify the filesystem has traditionally been limited. As it turns out, Linux has been able to read NTFS since 1995 (as a patch later added to the mainstream kernel in 1997) -- shooting down the security argument, but native write support remains iffy. As of 2004, the Captive NTFS driver allows Linux to use an existing Windows NTFS filesystem driver with full read/write support. This requires presence of an NT/2K/XP/2003 installation, on the system being accessed.

There are proprietary DOS drivers for NTFS, including a relatively inexpensive read-only driver, and a rather more expensive read/write driver. See Sysinternals NTFSDOS.

The other option is to boot an NT-based Windows system from CD directly. There are very few alternatives in this category, largely as this requires licensing Microsoft or other proprietary technologies, a prospect markedly at odds with one's interests concerning and use of a rescue/recovery disk.

We've found a grand total of two generally available tools, and they tell the story pretty well.

One tool that looks reasonably promising is the 911 Rescue CD. But you can't simply download an ISO and burn it. From the site:

The 911 Rescue CD contains many copyrighted software [packages] that can't be distributed without firstly paying for them, so, currently, if you want a 911 Rescue CD with the full utilities, you need to purchase software [priced at] nearly $700 US dollars

...and is it available for download? No.

Why not?

Well, I am truly sorry, but I can't provide the final ISO due to three considerations:

And that's pretty much the end of story: a useful recovery disk would contain proprietary software priced at hundreds or thousands of dollars, and, because of licensing restrictions, the very people who'd be most likely to have the skill and inclination to provide such a tool (independent systems support vendors) have the least ability to provide the tool.

Instead, the 911 rescue disk is a disk build tool. It assumes you've got the software it wants to install. Of course, this also assumes that the licenses for that software allow such usage.

Contrast this with GNU/Linux, where both the OS and tools are generally freely available: there is a wide array of alternatives offering a rich set of tools, most of which are free to use, distribute, and adapt as needed.

Third-Party Tools

Two, that we've been able to determine. Neither is a disk image; rather they are tools to build a bootable disk from existing utilities. Note that licensing of the disk components may be questionable, and extensive sets of proprietary utilities may be required to create a full-featured version of the disks.

None of these disks have been used or evaluated by the authors of this article.

911 Rescue CD

Quoting the site:

The 911 Rescue CD is the Admin's Swiss Army knife: it is an integrated set of software designed for the emergency situations when the system doesn't function properly or when assembling a new PC and no pre-installed operating systems or software are found.

The 911 Boot Disks are a set of startup disks based on the ModBoot framework, they have mouse-driven user interface and greatly simplify the process of setting up and recovering failed systems, and allow the user to diagnose problems and assist in the fixing steps.

The system is bootable, and presents a menu with various options to run.

It's not clear from documentation how the 911 Rescue CD boots or what it is running. It does make use of several FreeSoftware tools, however.


Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-ROM or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.

It will give you a complete Win32 environment with network support, a graphical user interface (800x600), and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan, and so on. This will replace any DOS bootdisk in no time!

Among the more troubling aspects of BartPE is its legality: The disk makes use of several files taken from Windows installation media. The BartPE Web site claims the right to do this under existing US copyright law exemptions for backup media, but the validations are at best dubious, particularly if claims by Microsoft that its software is licensed, not sold (and hence: further restricting licensees' rights under copyright) are taken at face value.

Note too that BartPE is not a tool that would allow use by those lacking rights to the products from which it is based, on multiple systems, or on third-party systems.

There are further technical restrictions on BartPE:

Compared to, say, Knoppix, these are severe restrictions. Knoppix allows running a full OS; running the installed OS under a chroot or UML instance; unlimited processes (to system maximum); unlimited uptime; state persistance by way of user and system data stored on floppy; and screen resolutions to system maximum, generally automatically configured, along with multiple console logins, and remote access.

Related project: Windows UBCD, the Ultimate Boot CD for Windows.

From Microsoft: Windows Preinstallation Environment (Windows PE)

You may have heard of WinPE. This is apparently Microsoft's official response to the bootable Linux CD phenomenon, but there are severe restrictions to this tool:

Note in particular the restrictive EULA:

..."You may only install and use the SOFTWARE PRODUCT if you are an active Microsoft Software Assurance Member ("SAM") for the systems product pool or servers product pool, if you currently have license coverage for Microsoft Windows operating system (OS) Upgrades via a Campus Agreement or School Agreement, or if you are a current or former participant in the Windows XP Joint Development Program, Windows XP Rapid Adoption Program, Windows .NET Server Joint Development Program, or Windows .NET Server Rapid Adoption Program. If you do not meet one or more of the requirements listed above, you may not install or use this SOFTWARE PRODUCT and you must terminate the installation of this SOFTWARE PRODUCT immediately"...

Non-Recovery Disks

A word of warning to purchasers of OEM (preloaded) legacy MS Windows systems. The so-called "recovery disks" which ship with these systems are not, in fact, recovery disks in the sense you want. Rather than rescuing your system, they instead typically wipe away all changes made to your hard drive since installation and restore the default system preload. This is almost certainly not what you want. You may find it necessary to purchase a full version of your OS and applications disks in order to properly recover your system.

What's to Want in a Rescue Disk?

Fundamentally, a rescue environment should provide the ability to:

Most, though not all, of these features can be readily provided.

A particular limitation of Windows is that it's exceptionally difficult to install/remove software unless booted to the full native system: more on this below.

What We'd Put on a Rescue Disk

As mentioned above: there are restrictions to what can be provided by way of a rescue disk. One approach is to create an archive disk containing tools of use in recovering from or avoiding problems facing Windows users. And such is what an author of this page has created. Rather than a bootable rescue environment, it's mostly a collection of applications, utilities, and data to aid in recovery. And a few additional touches.

Most of the actual diagnostic, analytic, and repair activities should be performed either under a Linux bootable disk (Knoppix, LNX-BBC, etc.), or booting the existing Windows system in either safe or full modes. Some activities can only be performed under a full Windows boot. More on this below.

Brief contents

The following list summarizes tools for inclusion:

A compilation such as this runs to about 570 MB, leaving nearly 130 MB free for additional tools, utilities, and/or software, if desired.


A large number of problems with Microsoft platforms trace themselves to three fundamental utilities:

Fortunately there are replacements for each of these, and they are all FreeSoftware:

From the links above, you can download freely redistributable installers. Putting these programs on target systems, and disabling or removing the corresponding Microsoft products, will vastly reduce the vulnerability profile of the system.


Most antivirus products are proprietary, though there are several free "personal use" versions available. The rights to freely copy and distribute these is generally not clear.

One alternative that is freely distributable, however, is ClamWin, the Windows version of the popular 'Nix-based antivirus package ClamAV.

In particular, unlike many freeware/personal AV solutions, ClamWin supports both scheduled scans and scheduled virus definition updates. Its principal weaknesses are lacking "on access" virus filtering (detecting viruses as they are read from disk), and lacking the ability to disinfect a given file. (An infected file is moved to quarantine, and might have to be restored from installation media.)

Prior to burning your disk, you'll want to grab the latest update file, so you don't have to establish a network connection from the target system itself. These are main.cvd and daily.cvd, from the ClamAV page.

Experiences with ClamWin are:

AdWare Removal

We are not aware of any FreeSoftware adware/spyware detection and removal programs (though ClamWin will detect some executables associated with spyware/adware).

The top-rated removal programs are, however, freely available (though redistribution terms aren't clearly delineated). A rescue kit should include the installers for:

A note on adware/spyware defenses: this is a field of much deception. Beware of rogue / suspect spyware & adware products.


Though Windows XP now comes with an integrated firewall, other versions of the OS do not. One reasonably good, free software firewall for Windows is Kerio Personal Firewall. It includes a suprisingly well written 109-page User's Guide, written using DocBook. (We consider this a good sign.)

Note that Kerio's license agreement restricts you from further distributing its software:

you may not make additional copies of the Software, nor distribute them.


There are a number of utilities that can be useful in managing or cleaning up Windows systems, among them the following FreeSoftware tools:

Additionally, the following tools are freely available, though not FreeSoftware:

Additional Utilities List:

There's a good list of additional utilities at

Rick notes in particular that QtParted and ntfsresize are included on the following live GNU/Linux CDs:

Note too that NTFS can be resized from Linux using ntfsresize, for WinNT/2K/XP/2003, and the upcoming Longhorn release. There's extensive discussion of this at The ntfsresize Frequently Asked Questions page. In particular, "because it can also resize fragmented NTFS safely, there isn't even need for defragmentation in advance".

CleanSoftware offers downloads of largely FreeSoftware for Win32 environments, some mentioned here, some not.

Virus Information & Cleanup Utilities

We'd really like to tell you where you can find a comprehensive archive of the most common viruses and worms of the past five years, a list of all of same which hit the top-ten list for at least one month in the interval, information on each, and removal tools. Unfortunately, a bit of licensing sophistry from the source states:

You are not permitted to .... use the Licensed Products for the provision of any service for the benefit of third parties.

So, in the interests of license compliance, we'll omit mention of specific resources, no matter how useful they might be.

However, that said, it would be very useful if you could have, at your fingertips, a directory of common viruses, information, and removal tools.

Windows XP Service Pack 2

Simply: downloading this on an uprotected system is a gross security risk as compromise may occur in as few as four minutes. An anecdote from a friend: fifteen seconds to infect, on dialup. Not to talk of download time: slow over DSL, untenable on dialup. So you might want to download WinXP SP 2 for updating systems. (Download site)

Note that at 267 MiB, this is the largest single component on your disk, but...

Linux Tools & Disk Images

...even with the bloated, festering bulk of SP2, you've got plenty of space left over. How to fill it? Well, you could counterbalance it with some useful software... Linux mini-CD ISO images. These weigh in at about less than 50 MiB each (35 MiB for a current Debian netinst).

While the tools here aren't directly accessible from the rescue disk, having them available means they can be burnt to disk and used if necessary.

Documentation & Propaganda

A README.TXT describing the contents of your disk would be helpful.

Additionally, there is a large volume of literature describing benefits of Linux and/or FreeSoftware tools over Microsoft and proprietary offerings. Inclusion of some of these might be useful for educational purposes.

Suggestions for inclusion here are welcome.

Making Do With Linux Tools

Linux itself makes a capable recovery system with certain advantages:

Linux Rescue / Recovery / Bootable Disks

There are a number of Linux-base boot disks, in floppy, business-card/mini-CD, full-CD, and DVD formats. These may run in RAM (if sufficient memory is available) freeing removable media drives, or on disk. Typically, floppy systems run in RAM by default; CD/DVD systems run from disk, though they may be capable of being run in RAM. Typically, > 128 MB required for mini-CD format, > 800 MB required for full CD-ROM.

Among those found particularly useful:

Others are listed in LWN's comprehensive Linux distributions list, see the floppy, CD, and Zip categories in particular.

Recovery Tasks Possible Under Linux

This section isn't going to detail the step-by-step process for these tasks, though it will walk you up to the water. Drinking horses are two doors down the hall.....

Things You Cannot Do Via Linux Rescue Disks

...noting the inevitable Linux caveat: easily. As there's almost always an exception.

Any information to the contrary gratefully appreciated.

Things Too Numerous to Mention

Linux has a huge number of available tools. Moreover, they can often be combined in flexible and powerful ways through scripting, pipes, and other facilities of the Linux environment. A large number of these tools are specifically designed for file management, text and data manipulation, networking, and low-level system poking and prodding.

So: there's a lot you can do with really simple tools: cp, tar, cpio, find, dd. And scripting with bash, awk, Perl, Python, and other languages. Very literally, too many to enumerate.

Suffice to say that some people consider the Linux/Unix environment to be one very large development/administration interface.

Many of the recovery systems below include system documentation. The floppy-based systems may only offer command-line help -- the arguments -h =-help= or --help= will generally provide at least basic syntax. For Knoppix and other full systems, the man command and other documentation may also be available.

Data Backup & Recovery

For a dead / dying / unbootable system, or for transferring data to a new disk or remote networked system. Boot your Linux rescue disk. Generally, you should be able to mount the Windows partition(s) read-only, and copy the data to the desired location. The target could be another locally installed drive, CD or DVD burner, or a remote or networked location via various protocols, including FTP, HTTP, SSH, NFS, or SMB/CIFS/Samba.

Note that Linux can access Windows "shares" (SMB/CIFS) through a utility called Samba.

Emergency Server

It's possible to run a server on an emergency basis using Linux recovery disks.

Basic network services (gateway, router, DNS, DHCP) are pretty straightforward. While it's possible to provide file share, domain server, Web server, and mail services, drop-in replacements for an existing Windows server are non-trivial. Emergency functionality might be possible, but a true migration takes somewhat more advanced preparation.

Memory Test / CPU Test / Disk Test

Recent (3.4+) versions of Knoppix, and some other bootable distros, include memtest86+, a bootable memory test utility. (You're not running an OS, just the tester.) If you suspect faulty memory, allow this to run for at least several cycles: 4-8 hours would not be unreasonable. The test runs multiple data patterns through memory; some errors may only be caught with some patterns.

cpuburn is a user-space program that exercises a system's CPU. Running this for 10-20 minutes should be sufficient to unearth any thermal stress issues on most systems. Included in Knoppix.

For disk testing and profiling, hdparm, bonnie, and smartmontools either provide diagnostic information or stress the disk subsystem.

hdparm provides information on current disk configuration, and shows performance. Does not require a writable hard drive.

bonnie is a disk subsystem burn-in utility. May require a writable hard drive.

smartmontools access the S.M.A.R.T. (self-monitoring analysis and reporting technology) built into most modern (~1998+) ATA and SCSI disks. SMART can be used to provide advanced warning of disk failure via short (~1-5 minutes) and long (~20-60 minutes) tests.

If you are either excessively masochistic, or truly know what you are doing, see also: Cerberus Test Control System (slightly enhanced version available at California Digital), though this requires a writable Linux filesystem for operation and must be run within a fairly tool-rich Linux runtime environment, which most straightforwardly means Linux installed to and booted from a hard disk. There is a FAQ, and some tips. According to Rick Moen: "Torture-tests pretty much everything on your system, really hard, for as many hours or days as you like. Cerberus is absolutely Hackware(tm) and not for shiny-happy people."

NT Password Reset

Actually refers to the NT "New Technology" Microsoft Windows OS varients: NT, 2000, XP, 2003, and ongoing.

Possible using the Offline NT Password & Registry Editor Bootdisk (directions on site) or Knoppix as described, or using chntpw on Knoppix-STD.

Partition Repair

Several partitioning tools exist under Linux, among them:

Virus Scan

While removal of viruses requires write access, you can run the ClamAV virus scanner with read-only access to your Windows disk(s). Supported under multiple bootdisks. Note that you should run 'freshclam' or otherwise update your virus definition files prior to running the scan.

Windows Alternatives to Rescue Disks

Microsoft provides several facilties that are meant to substitute, somewhat, for a full recovery / bootable disk environment. These include:

While of some utility, these features all impose severe limitations.

Rescue disks rarely provide more than a few DOS commands and the ability to copy data on or off disks, and run rudimentary diagnostic/repair tools.

The Windows Recovery Console is in one author's experience, all but useless.

Safe Mode boots differ somewhat by specific version of Windows in question. Generally, a GUI session is provided, but with a minimum of services and drivers loaded. Some versions allow for networking, allowing software downloads, but restrict the ability to install/remove software through the Control Panel => Add/Remove Software panel. Generally, however, it's possible (and often necessary) to run antivirus or spyware/adware removal tools in Safe Mode. Safe Mode is accessed by holding down the F8 key at boot. The user is presented with a dialog of boot options. Generally "Safe Mode" or "Safe Mode with networking" should be selected.

Tom's Hardware has published a reasonably good guide to Windows recovery tools including both onboard recovery and 3rd party tools. Now if Tom's would realize the multi-page format is a drag.

ToDo: Link to references on use of these tools, distinctions between DOS (95/98/ME) and NT (NT/2K/XP/2K3) capabilities & use.


OK, initial composition is mostly complete.

A few points:

-- KarstenSelf - 24 Dec 2004

-- KarstenSelf - 22 Dec 2004

Topic WindowsRescueDisk . { Edit | Attach | Ref-By | Printable | Diffs | r1.20 | > | r1.19 | > | r1.18 | More }

Revision r1.20 - 29 Mar 2005 - 06:37 GMT - RickMoen

Additional IWeThey channels: zIWETHEY (forums), Mailing list, Jabber at, RSS.
Copyright © 2001-2006 by the contributing authors. All material on TWikIWeThey is the property of the contributing authors. This content may be freely distributed, copied, or modified, with attribution, and this notice. Works are provided AS IS with NO WARRANTY and NO LIABILITY for consequences of use.

Ideas, requests, problems regarding TWikIWeThey? Send feedback.

Will stain.