An experiment in collective intelligence. Stupidity. Whatever.

WindowsRescueDisk

Summary

With adware/spyware and viruses being an ongoing and growing problem for Windows systems, there's an urgent need for a freely-redistributable kit of software to diagnose and repair such systems.

There are, unfortunately, numerous limitations on both OS and tools available for Windows, such that this page cannot offer a full recovery solution. Instead, it points to some possibly useful tools.

Bootable disks, particularly CD-ROMs, are a now abundant and exceedingly useful resource for Linux. While they fit many bills, one common use is as a recovery disk: a single CD-ROM can hold 1,200+ packages and provide a full desktop, server, analysis, forensics, troubleshooting, and repair environment.

The situation is rather less generous for Windows users, particularly for NT-based variants using NTFS -- a proprietary filesystem for which only limited support exists.

This page details Windows/DOS-based options, their limitations, and concerns over general use, outlining Linux-based options that better serve the need, with pointers on advantages, disadvantages, and best use. Other recovery facilities are noted as well, with their pluses and minuses.

Advantages of Bootable Rescue Disks

Bootable rescue disks are an important resource, for several reasons:

• Known-good environment. By booting from an unwritable disk, you greatly reduce the risk of having viruses or other malicious code running in your rescue environment.
• Consistent environment. Particularly when working on third-party systems, your toolkit on a rescue medium is a known constant: you know what tools you have, and they're available for you. This also applies to various "rescue", "safe mode", or other facilities on Windows systems that vary greatly in offerings, though in general they fall far short of what would actually prove useful.
• Lack of file locking. Microsoft Windows's design makes it impossible to delete files being accessed by a running process (program). This can be inconvenient when, say, attempting to remove adware/spyware or viruses. Bootable media generally mean you're not running such programs, and can delete their associated files.
• Extensive toolkit. Most rescue disks allow a large selection of software to be accessed either directly or through add-on options.

Why So Few Windows Rescue Disks?

It boils down to legality, utility, and availability.

Microsoft Windows is a proprietary family of operating systems. The NT-based variants (NT, 2000, XP, 2003, and the proposed "Longhorn") are based on proprietary designs, including the filesystem itself. This greatly limits the ability to modify or repair the system outside itself, despite the advantages of bootable rescue disks as outlined above.

Where rescue and recovery tools do exist, they're often proprietary in nature, and encumbered by a wide range of restrictions. Above and beyond limiting making and distribution of copies, some claim to restrict any use for the benefit of third parties, and more. In all, the legal environment is uncertain, if not downright unfriendly.

While there is a wide range of FreeSoftware tools available, some have their applicability restricted to working on MS Windows systems. Certain operations can be performed only when booted to the natively installed system, some of these only following a full (rather than Safe Mode) boot.

The result is that there are few tools to begin with, they furnish modest utility at best, and lawful availability of comprehensive rescue systems is near nil.

Native Microsoft-Based Images

Tools for recovering legacy MS Windows-based systems under a DOS or MS Windows environment.

For FAT-Based Systems

For DOS-based Windows versions (DOS, Windows 3.11/95/98/ME), there are a number of options, using either DOS-based boot floppies, or Linux bootable disks. Because the underlying FAT fileystem is an open standard, the system can be booted from removable media, and directly analyzed and manipulated.

Examples of boot disks suitable for recovery on DOS-based systems include pretty much any GNU/Linux-based tools, or an MS-DOS compatible version of DOS. Several of these exist, including Microsoft's own DOS, DR-DOS, and FreeDOS; more below.

The primary limitations of a DOS-based system are the relatively few tools available, and the extreme primitiveness of the environment: no ability to multitask, an extremely limited toolset, and low display density (80x25 default).

NB: There are some multitasking environments for DOS, principally DESQview, formerly from Quarterdesk. The company was aquired by Symantec. DESQview can be found for download, however neither the company providing it nor Symantec are responsive to requests for clarification of copyright status (based on direct email communications with download site and Symantec's corporate counsel).

For NTFS-Based Systems

By contrast, Microsft have never released full specifications for their NTFS filesystem, for several reasons, among them nominal security. As a consequence, ability to read and modify the filesystem has traditionally been limited. As it turns out, Linux has been able to read NTFS since 1995 (as a patch later added to the mainstream kernel in 1997) -- shooting down the security argument, but native write support remains iffy. As of 2004, the Captive NTFS driver allows Linux to use an existing Windows NTFS filesystem driver with full read/write support. This requires presence of an NT/2K/XP/2003 installation, on the system being accessed.

There are proprietary DOS drivers for NTFS, including a relatively inexpensive read-only driver, and a rather more expensive read/write driver. See Sysinternals NTFSDOS.

The other option is to boot an NT-based Windows system from CD directly. There are very few alternatives in this category, largely as this requires licensing Microsoft or other proprietary technologies, a prospect markedly at odds with one's interests concerning and use of a rescue/recovery disk.

We've found a grand total of two generally available tools, and they tell the story pretty well.

One tool that looks reasonably promising is the 911 Rescue CD. But you can't simply download an ISO and burn it. From the site:

The 911 Rescue CD contains many copyrighted software [packages] that can't be distributed without firstly paying for them, so, currently, if you want a 911 Rescue CD with the full utilities, you need to purchase software [priced at] nearly $700 US dollars

...and is it available for download? No.

Why not?

Well, I am truly sorry, but I can't provide the final ISO due to three considerations:

• I don't have 700 MB of Web space.
• I don't use a broadband connection [that] can upload such a file.
• It contains copyrighted materials that I can't distribute.

http://www.911cd.net/911cd/details.html

And that's pretty much the end of story: a useful recovery disk would contain proprietary software priced at hundreds or thousands of dollars, and, because of licensing restrictions, the very people who'd be most likely to have the skill and inclination to provide such a tool (independent systems support vendors) have the least ability to provide the tool.

Instead, the 911 rescue disk is a disk build tool. It assumes you've got the software it wants to install. Of course, this also assumes that the licenses for that software allow such usage.

Contrast this with GNU/Linux, where both the OS and tools are generally freely available: there is a wide array of alternatives offering a rich set of tools, most of which are free to use, distribute, and adapt as needed.

Third-Party Tools

Two, that we've been able to determine. Neither is a disk image; rather they are tools to build a bootable disk from existing utilities. Note that licensing of the disk components may be questionable, and extensive sets of proprietary utilities may be required to create a full-featured version of the disks.

None of these disks have been used or evaluated by the authors of this article.

911 Rescue CD

Quoting the site:

The 911 Rescue CD is the Admin's Swiss Army knife: it is an integrated set of software designed for the emergency situations when the system doesn't function properly or when assembling a new PC and no pre-installed operating systems or software are found.

The 911 Boot Disks are a set of startup disks based on the ModBoot framework, they have mouse-driven user interface and greatly simplify the process of setting up and recovering failed systems, and allow the user to diagnose problems and assist in the fixing steps.

The system is bootable, and presents a menu with various options to run.

It's not clear from documentation how the 911 Rescue CD boots or what it is running. It does make use of several FreeSoftware tools, however.

BartPE

Bart's PE Builder helps you build a "BartPE" (Bart Preinstalled Environment) bootable Windows CD-ROM or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.

It will give you a complete Win32 environment with network support, a graphical user interface (800x600), and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan, and so on. This will replace any DOS bootdisk in no time!

Among the more troubling aspects of BartPE is its legality: The disk makes use of several files taken from Windows installation media. The BartPE Web site claims the right to do this under existing US copyright law exemptions for backup media, but the validations are at best dubious, particularly if claims by Microsoft that its software is licensed, not sold (and hence: further restricting licensees' rights under copyright) are taken at face value.

Note too that BartPE is not a tool that would allow use by those lacking rights to the products from which it is based, on multiple systems, or on third-party systems.

There are further technical restrictions on BartPE:

• BartPE automatically stops the shell and reboots after 24 hours of continuous use.
• No more than six processes (including the shell) may run simultaneously.
• Distributed File System (DFS) name resolution is not supported.
• Drive letter assignments are not persistant across reboots.
• Screen resolution is limited to a maximum of 800x600 with VGA support; otherwise, 640x480.

Compared to, say, Knoppix, these are severe restrictions. Knoppix allows running a full OS; running the installed OS under a chroot or UML instance; unlimited processes (to system maximum); unlimited uptime; state persistance by way of user and system data stored on floppy; and screen resolutions to system maximum, generally automatically configured, along with multiple console logins, and remote access.

Related project: Windows UBCD, the Ultimate Boot CD for Windows.

From Microsoft: Windows Preinstallation Environment (Windows PE)

You may have heard of WinPE. This is apparently Microsoft's official response to the bootable Linux CD phenomenon, but there are severe restrictions to this tool:

• It's restricted to "active Microsoft Software Assurance Members" (SAMs), or specific other limited users.
• It's principally designed as an installation aid, not as a recovery/rescue tool.
• Functionality and adaptability are highly limited.

Note in particular the restrictive EULA:

..."You may only install and use the SOFTWARE PRODUCT if you are an active Microsoft Software Assurance Member ("SAM") for the systems product pool or servers product pool, if you currently have license coverage for Microsoft Windows operating system (OS) Upgrades via a Campus Agreement or School Agreement, or if you are a current or former participant in the Windows XP Joint Development Program, Windows XP Rapid Adoption Program, Windows .NET Server Joint Development Program, or Windows .NET Server Rapid Adoption Program. If you do not meet one or more of the requirements listed above, you may not install or use this SOFTWARE PRODUCT and you must terminate the installation of this SOFTWARE PRODUCT immediately"...

Non-Recovery Disks

A word of warning to purchasers of OEM (preloaded) legacy MS Windows systems. The so-called "recovery disks" which ship with these systems are not, in fact, recovery disks in the sense you want. Rather than rescuing your system, they instead typically wipe away all changes made to your hard drive since installation and restore the default system preload. This is almost certainly not what you want. You may find it necessary to purchase a full version of your OS and applications disks in order to properly recover your system.

What's to Want in a Rescue Disk?

Fundamentally, a rescue environment should provide the ability to:

• Copy/recover data to external, remote, or removable media.
• Correct disk issues including MBR, partitioning, and/or filesystem configuration.
• Defragment FAT and NTFS filesystems.
• Check for hardware defects (memory, CPU, disk, other).
• Check for malware: viruses, adware/spyware.
• Provide emergency functionality, including network services.
• Provide a safe environment from which to install (or at least download) software.

Most, though not all, of these features can be readily provided.

A particular limitation of Windows is that it's exceptionally difficult to install/remove software unless booted to the full native system: more on this below.

What We'd Put on a Rescue Disk

As mentioned above: there are restrictions to what can be provided by way of a rescue disk. One approach is to create an archive disk containing tools of use in recovering from or avoiding problems facing Windows users. And such is what an author of this page has created. Rather than a bootable rescue environment, it's mostly a collection of applications, utilities, and data to aid in recovery. And a few additional touches.

Most of the actual diagnostic, analytic, and repair activities should be performed either under a Linux bootable disk (Knoppix, LNX-BBC, etc.), or booting the existing Windows system in either safe or full modes. Some activities can only be performed under a full Windows boot. More on this below.

Brief contents

The following list summarizes tools for inclusion:

• AdWare detection, removal
  • AdAware
  • SpyBot Search and Destroy
• Virus detection, removal
  • ClamWin
    • Signatures (update these prior to burning disk)
• Applications
  • AbiWord
  • Mozilla * FFX-Extensions
  • OpenOffice.org
• Documentation
• Firewall
  • Kerio Personal Firewall
• Floppy Images
  • FreeDOS
  • NT-Recovery
  • Tom's Root Boot
• GNU/Linux
  • Damn Small Linux
  • Debian
  • LNX-BBC
• Utilities
  • 7-Zip
  • Belarc
  • Burn4Free
  • DOS
    • rawwrite
  • PuTTY
• Windows XP Service Pack 2

A compilation such as this runs to about 570 MB, leaving nearly 130 MB free for additional tools, utilities, and/or software, if desired.

Applications

A large number of problems with Microsoft platforms trace themselves to three fundamental utilities:

• Microsoft Internet Explorer (MSIE) Web browser exploits
• Microsoft Outlook / Outlook Express email client virus/worm attacks
• Microsoft Office suite macro viruses.

Fortunately there are replacements for each of these, and they are all FreeSoftware:

• Firefox Web browser
• Thunderbird email client
• OpenOffice.org office suite

From the links above, you can download freely redistributable installers. Putting these programs on target systems, and disabling or removing the corresponding Microsoft products, will vastly reduce the vulnerability profile of the system.

AntiVirus

Most antivirus products are proprietary, though there are several free "personal use" versions available. The rights to freely copy and distribute these is generally not clear.

One alternative that is freely distributable, however, is ClamWin, the Windows version of the popular 'Nix-based antivirus package ClamAV.

In particular, unlike many freeware/personal AV solutions, ClamWin supports both scheduled scans and scheduled virus definition updates. Its principal weaknesses are lacking "on access" virus filtering (detecting viruses as they are read from disk), and lacking the ability to disinfect a given file. (An infected file is moved to quarantine, and might have to be restored from installation media.)

Prior to burning your disk, you'll want to grab the latest update file, so you don't have to establish a network connection from the target system itself. These are main.cvd and daily.cvd, from the ClamAV page.

Experiences with ClamWin are:

• It is effective in detecting viruses.
• Performance may be somewhat slower than with other Windows-based antivirus solutions.

AdWare Removal

We are not aware of any FreeSoftware adware/spyware detection and removal programs (though ClamWin will detect some executables associated with spyware/adware).

The top-rated removal programs are, however, freely available (though redistribution terms aren't clearly delineated). A rescue kit should include the installers for:

• AdAware
• Spybot Search & Destroy

A note on adware/spyware defenses: this is a field of much deception. Beware of rogue / suspect spyware & adware products.

Firewall

Though Windows XP now comes with an integrated firewall, other versions of the OS do not. One reasonably good, free software firewall for Windows is Kerio Personal Firewall. It includes a suprisingly well written 109-page User's Guide, written using DocBook. (We consider this a good sign.)

Note that Kerio's license agreement restricts you from further distributing its software:

you may not make additional copies of the Software, nor distribute them.

http://www.kerio.com/us/kpf_license_agreement.html

Utilities

There are a number of utilities that can be useful in managing or cleaning up Windows systems, among them the following FreeSoftware tools:

• 7-Zip: a comprehensive compression and archive creation/extraction tool.
• RAWRITE.EXE : is a utility for writing floppy images to disk.
• PuTTY: a free SSH client / utility set. Useful for encrypted, authenticated connections to your Linux server. Note that PuTTY won't protect you against software or hardware keyloggers. Use RSAKey authentication, one-time passwords, or similar systems to avoid password compromise, and don't ssh from one remote host to another.
• Diskeeper Lite: Microsoft filesystems have a peculiar trait of becoming fragmented. Diskeeper is worlds beyond native defrag utilities. The Lite version lacks automation features, but is useful for one-time or interactive work. (The freeware Lite version is still available for download at the link here but currently only the Pro version is available from Executive Software's own site.)

Additionally, the following tools are freely available, though not FreeSoftware:

• Belarc: A system inventory tool. Belarc creates an HTML report of Windows system characteristics, including hardware, OS configuration, and installed software.
• Burn4Free: A "freeware" CD-burning program.

Additional Utilities List:

There's a good list of additional utilities at

• users.pandora.be/Robvdb/freeware.htm. As the page notes: though the software available free of cost, distribution and usage may be restricted.
• Tech Republic feedback: What is on your recovery/utility CD?: List of tools, with links.
• NTFS tools: Rick Moen maintains a list of tools for dealing with NTFS filesystems geared at GNU/Linux users, The NTFS Problem for Linux Installers. Recommended reading.

Rick notes in particular that QtParted and ntfsresize are included on the following live GNU/Linux CDs:

• Timo's Rescue CD
• Knoppix
• Kurumin

Note too that NTFS can be resized from Linux using ntfsresize, for WinNT/2K/XP/2003, and the upcoming Longhorn release. There's extensive discussion of this at The ntfsresize Frequently Asked Questions page. In particular, "because it can also resize fragmented NTFS safely, there isn't even need for defragmentation in advance".

CleanSoftware offers downloads of largely FreeSoftware for Win32 environments, some mentioned here, some not.

Virus Information & Cleanup Utilities

We'd really like to tell you where you can find a comprehensive archive of the most common viruses and worms of the past five years, a list of all of same which hit the top-ten list for at least one month in the interval, information on each, and removal tools. Unfortunately, a bit of licensing sophistry from the source states:

You are not permitted to .... use the Licensed Products for the provision of any service for the benefit of third parties.

So, in the interests of license compliance, we'll omit mention of specific resources, no matter how useful they might be.

However, that said, it would be very useful if you could have, at your fingertips, a directory of common viruses, information, and removal tools.

Windows XP Service Pack 2

Simply: downloading this on an uprotected system is a gross security risk as compromise may occur in as few as four minutes. An anecdote from a friend: fifteen seconds to infect, on dialup. Not to talk of download time: slow over DSL, untenable on dialup. So you might want to download WinXP SP 2 for updating systems. (Download site)

Note that at 267 MiB, this is the largest single component on your disk, but...

Linux Tools & Disk Images

...even with the bloated, festering bulk of SP2, you've got plenty of space left over. How to fill it? Well, you could counterbalance it with some useful software...

...like Linux mini-CD ISO images. These weigh in at about less than 50 MiB each (35 MiB for a current Debian netinst).

• LNX-BBC: a technically oriented bootable distro, sized for a "business card" format CD. With loopback encryption, ~100 MiB of data in 50 MiB of space.
• Damn Small Linux: A business-card sized (50 MiB) bootable Live CD Linux distribution. Despite its minuscule size, it strives to have a functional and easy-to-use desktop.
• Debian Sarge netinst image: A bootable CD-ROM allowing an installation of Debian GNU/Linux via a network connection. Note that, if you want to install to architectures other than x86, you should see the Debian-Installer page.
• Tom's Root Boot: (aka tomsrtbt), a floppy-based Linux distribution. It packs a small, but surprisingly useful number of tools into 1.7 MiB, on a single floppy disk. Use RAWRITE.EXE (above) to create a disk image under DOS/Windows.
• FreeDOS: A complete, free, 100% MS-DOS compatible operating system. Use RAWRITE.EXE (above) to create a disk image under DOS/Windows.
• Offline NT Password & Registry Editor, Bootdisk / CD: A Linux-based bootable floppy that can be used to reset (not recover) passwords on Windows NT-based systems. Per the Web site: NT 3.51, NT 4 (all versions and SP), Windows 2000 (all versions), Windows XP (all versions, also SP2), Windows Server 2003 (at least Enterprise).

While the tools here aren't directly accessible from the rescue disk, having them available means they can be burnt to disk and used if necessary.

Documentation & Propaganda

A README.TXT describing the contents of your disk would be helpful.

Additionally, there is a large volume of literature describing benefits of Linux and/or FreeSoftware tools over Microsoft and proprietary offerings. Inclusion of some of these might be useful for educational purposes.

Suggestions for inclusion here are welcome.

Making Do With Linux Tools

Linux itself makes a capable recovery system with certain advantages:

• There are many available pre-built systems, in a range of formats including floppy, Jaz, USB, CD-ROM, and DVD media.
• The OS and tools are almost all FreeSoftware, and hence free to copy, modify, and distribute.
• For many technical types, the toolsets are a familiar working environment.
• The systems generally place few restrictions on operations: unlimited processes, unlimited users, unlimited uptime, local or remote access. It's not unheard of to run a server off a boot disk for days at a time.

Linux Rescue / Recovery / Bootable Disks

There are a number of Linux-base boot disks, in floppy, business-card/mini-CD, full-CD, and DVD formats. These may run in RAM (if sufficient memory is available) freeing removable media drives, or on disk. Typically, floppy systems run in RAM by default; CD/DVD systems run from disk, though they may be capable of being run in RAM. Typically, > 128 MB required for mini-CD format, > 800 MB required for full CD-ROM.

Among those found particularly useful:

• tomsrtbt: Single-floppy Linux bootable system, one of the original bootable Linux systems. Runs in RAM.
• trinux: Multi-floppy Linux bootable system. Base disk loads OS; additional disks provide additional tools/drivers. More flexible than tomsrtbt, slightly less convenient. Runs in RAM.
• Offline NT Password & Registry Editor, Bootdisk / CD: Specialized boot floppy allowing editing of Windows Registry settings. See discussion, above.
• LNX-BBC: Mini-CD (50 MB) technical rescue disk, including X11. Runs from CD by default.
• Damn Small Linux: Mini-CD (50 MB) desktop system. Comparable to LNX-BBC, though intended more as a user system than as a technical disk. Runs from CD by default.
• Knoppix: Full CD (700 MB) bootable desktop. Despite its desktop focus, contains an amazing array of recovery, analysis, and forensics tools.
• Knoppix-STD: Full CD (700 MB). Based on Knoppix, STD is "Security Tools Distribution". Emphasis on encryption, analysis, and forensics.
• Helix - Incident Response & Computer Forensics: a customized distribution of the Knoppix Live Linux CD that includes customized Linux kernels (2.4.27 & 2.6.7), excellent hardware detection, and many applications dedicated to incident response and forensics. Helix also has a special Windows autorun side for incident response and forensics. Helix is used by SANS for training in Track 8: System Forensics, Investigation and Response.

Others are listed in LWN's comprehensive Linux distributions list, see the floppy, CD, and Zip categories in particular.

Recovery Tasks Possible Under Linux

This section isn't going to detail the step-by-step process for these tasks, though it will walk you up to the water. Drinking horses are two doors down the hall.....

Things You Cannot Do Via Linux Rescue Disks

...noting the inevitable Linux caveat: easily. As there's almost always an exception.

• Install/remove software. Windows's software installation system requires a booted system. Simply deleting files and/or installation directories is not generally recommended.
• Detect/remove spyware / adware. There are not presently any Linux-based adware/spyware scanners.

Any information to the contrary gratefully appreciated.

Things Too Numerous to Mention

Linux has a huge number of available tools. Moreover, they can often be combined in flexible and powerful ways through scripting, pipes, and other facilities of the Linux environment. A large number of these tools are specifically designed for file management, text and data manipulation, networking, and low-level system poking and prodding.

So: there's a lot you can do with really simple tools: cp, tar, cpio, find, dd. And scripting with bash, awk, Perl, Python, and other languages. Very literally, too many to enumerate.

Suffice to say that some people consider the Linux/Unix environment to be one very large development/administration interface.

Many of the recovery systems below include system documentation. The floppy-based systems may only offer command-line help -- the arguments -h =-help= or --help= will generally provide at least basic syntax. For Knoppix and other full systems, the man command and other documentation may also be available.

Data Backup & Recovery

For a dead / dying / unbootable system, or for transferring data to a new disk or remote networked system. Boot your Linux rescue disk. Generally, you should be able to mount the Windows partition(s) read-only, and copy the data to the desired location. The target could be another locally installed drive, CD or DVD burner, or a remote or networked location via various protocols, including FTP, HTTP, SSH, NFS, or SMB/CIFS/Samba.

Note that Linux can access Windows "shares" (SMB/CIFS) through a utility called Samba.

Emergency Server

It's possible to run a server on an emergency basis using Linux recovery disks.

Basic network services (gateway, router, DNS, DHCP) are pretty straightforward. While it's possible to provide file share, domain server, Web server, and mail services, drop-in replacements for an existing Windows server are non-trivial. Emergency functionality might be possible, but a true migration takes somewhat more advanced preparation.

Memory Test / CPU Test / Disk Test

Recent (3.4+) versions of Knoppix, and some other bootable distros, include memtest86+, a bootable memory test utility. (You're not running an OS, just the tester.) If you suspect faulty memory, allow this to run for at least several cycles: 4-8 hours would not be unreasonable. The test runs multiple data patterns through memory; some errors may only be caught with some patterns.

cpuburn is a user-space program that exercises a system's CPU. Running this for 10-20 minutes should be sufficient to unearth any thermal stress issues on most systems. Included in Knoppix.

For disk testing and profiling, hdparm, bonnie, and smartmontools either provide diagnostic information or stress the disk subsystem.

hdparm provides information on current disk configuration, and shows performance. Does not require a writable hard drive.

bonnie is a disk subsystem burn-in utility. May require a writable hard drive.

smartmontools access the S.M.A.R.T. (self-monitoring analysis and reporting technology) built into most modern (~1998+) ATA and SCSI disks. SMART can be used to provide advanced warning of disk failure via short (~1-5 minutes) and long (~20-60 minutes) tests.

If you are either excessively masochistic, or truly know what you are doing, see also: Cerberus Test Control System (slightly enhanced version available at California Digital), though this requires a writable Linux filesystem for operation and must be run within a fairly tool-rich Linux runtime environment, which most straightforwardly means Linux installed to and booted from a hard disk. There is a FAQ, and some tips. According to Rick Moen: "Torture-tests pretty much everything on your system, really hard, for as many hours or days as you like. Cerberus is absolutely Hackware(tm) and not for shiny-happy people."

NT Password Reset

Actually refers to the NT "New Technology" Microsoft Windows OS varients: NT, 2000, XP, 2003, and ongoing.

Possible using the Offline NT Password & Registry Editor Bootdisk (directions on site) or Knoppix as described, or using chntpw on Knoppix-STD.

Partition Repair

Several partitioning tools exist under Linux, among them:

• fdisk / cfdisk: standard interactive (console/ncurses) partitioning tools. Use to create/delete partitions, or to restore a damaged partition table if you know the boundaries of the partitions to be restored. If you don't know a disk's partitioning and need to restore/recover it, consider...
• gpart: "guess partition". A tool that looks for partition boundaries on disk. Usually does a pretty good job, though you should rely on backups, not lucky magick.
• parted: "partition editor". More interactive and featureful than fdisk/cfdisk.
• qtparted: a GUI front-end to parted and the ntfsresize command-line utility. Largely equivalent to the proprietary Partition Magic.

Virus Scan

While removal of viruses requires write access, you can run the ClamAV virus scanner with read-only access to your Windows disk(s). Supported under multiple bootdisks. Note that you should run 'freshclam' or otherwise update your virus definition files prior to running the scan.

Windows Alternatives to Rescue Disks

Microsoft provides several facilties that are meant to substitute, somewhat, for a full recovery / bootable disk environment. These include:

• Windows Rescue Disks: official recovery/rescue disks created via system tools that generally allow a system to be booted to a minimal mode.
• "Windows Recovery Console"
• "Safe Mode": a boot mode in which a minimal set of services and/or features are enabled.

While of some utility, these features all impose severe limitations.

Rescue disks rarely provide more than a few DOS commands and the ability to copy data on or off disks, and run rudimentary diagnostic/repair tools.

The Windows Recovery Console is in one author's experience, all but useless.

Safe Mode boots differ somewhat by specific version of Windows in question. Generally, a GUI session is provided, but with a minimum of services and drivers loaded. Some versions allow for networking, allowing software downloads, but restrict the ability to install/remove software through the Control Panel => Add/Remove Software panel. Generally, however, it's possible (and often necessary) to run antivirus or spyware/adware removal tools in Safe Mode. Safe Mode is accessed by holding down the F8 key at boot. The user is presented with a dialog of boot options. Generally "Safe Mode" or "Safe Mode with networking" should be selected.

Tom's Hardware has published a reasonably good guide to Windows recovery tools including both onboard recovery and 3rd party tools. Now if Tom's would realize the multi-page format is a drag.

ToDo: Link to references on use of these tools, distinctions between DOS (95/98/ME) and NT (NT/2K/XP/2K3) capabilities & use.

Discussion

OK, initial composition is mostly complete.

A few points:

• Comments on the various Windows recover modes (rescue disks, recovery console, safe mode) should propagate to their own pages.
• Any factual corrections greatly appreciated.
• Any experience with 911 Rescue CD, BartPE, etc., appreciated.
• Additional tools or specific tasks appreciated.
• Any known spyware/adware scanners for Linux would be welcome additions.
• Any known Linux bootdisks supporting diagnostics/repair specifically would be appreciated.

-- KarstenSelf - 24 Dec 2004

-- KarstenSelf - 22 Dec 2004

Will stain.