Recover NT4 filesystem after NTOSKRNL.EXE error

Our voicemail system died after what may have been a power blip.  Black screen, “ntoskrnl.exe not found”.

clip_image001

This is a Nortel CallPilot NT4 Workstation system on a Nortel Meridian rack.  Essentially, it’s a motherboard and CPU with a parallel IDE hard drive mounted on the chassis.  Knowing this particular error from the past, I thought I could repair it with the Windows NT Setup repair option.  I had three very big problems:

1. This is a Windows NT4 system, so the chance of outside help was slim to none. 

2. There is no CD drive and no way to connect one.

3. This system does not have USB either, and USB boot support in a system this old was not a hopeful proposition.  The only peripheral is a SCSI tape drive for the voicemail backups. 

We do have backups of the voicemail system on tape, but no extra parallel drives to clone this one (for a backup of the original system) and of course no time to rebuild it (system setup takes 6-8 hrs according to our fabulous Nortel tech).  I pulled the drive from the blade and connected it to my laptop with an external reader and power supply.  We found a Windows NT4 CD in the archives.  Maybe we can fix this manually?

clip_image002

Here’s what the first partition on the system looked like:

clip_image003

See anything missing?  This should be the Windows partition, but there’s no Windows directory (or Win4, or NT4, or WINNT).  Hopefully there’s a clue somewhere in that OSSetup.log file.

clip_image004

… and there is!  This is the OS drive.  The WINNT folder is missing, along with all its subfolders.

Running a chkdsk on the drive resulted in a handful of the dreaded found000x.chk files which, as we all know, may or may not contain anything useful.  With an entire Windows directory missing, I’m betting there is something useful in there.

Out of an abundance of caution I’m setting up an NT4 VM to confirm the folder hierarchy is what I remember it to be.

The setup process offers some hope (the default Windows directory name is “WINNT”).

clip_image005

Enjoy some LOL at the simple CD key (remember, this is years before “Product Activation”)

clip_image006

Here’s what the WINNT folder should look like.  I’m looking for folders named Config, Profiles, system, and system32. 

clip_image007

Back to the drive.  I searched for the ntoskrnl.exe file we know is supposed to be in a \system32 folder. 

NTOSKRNL.exe is there, but hidden in a .chk folder.

clip_image008

Right-click and open the file location; you can browse .chk folders this way in Windows 7.

clip_image009

… and it looks like “found.000\dir0001.chk\” is actually the System32\ folder.  I made a WINNT folder on the drive and a \system32\ folder inside that.

clip_image010

found.000\dir0000.chk\Profiles is the c:\winnt\Profiles folder, so I moved that as well.

clip_image011

found.000\dir0000.chk is the remainder of the contents of the WINNT folder.  Moved it to the WINNT folder.

clip_image012

Cross my fingers and plug it all back in.  It boots!  We don’t see the ntoskrnl.exe error anymore, but we see that a rather important folder is missing.  Herp a derp, I didn’t recover the Windows registry… the Config folder is empty.

clip_image013

Back to my desk with the drive.  I searched for a file called SECURITY (or DEFAULT, or SAM).  It turns out found.000\dir0002.chk\ is the system32\config folder.  May as well replace that too.

clip_image014

I replaced the drive, plugged it into the Meridian rack and… we have Windows!  CallPilot starts up, voicemail is back.  This system will be backing up to disk from now on.

Thanks to Dylan for finding the NT4 CD and reminding me that IDE drives require power.  Thanks to Danny for finding the Administrator password and for moral support!

Hope you enjoyed the read.
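
The identification done by hand in the post above (search for a known file, see which found.000\dirNNNN.chk folder holds it) can be done as a dry run before anything is moved. This is an added example, not part of the original post; the marker sets, function names and the sample tree are assumptions built from the folders the post names.

```python
import os
import tempfile
from pathlib import Path

# Marker names (lower-case) for each original folder, most specific first.
# These are the names searched for by hand in the post; requiring all of
# them to be present is an assumption made here to avoid false matches.
SIGNATURES = [
    (r"WINNT\system32\config", {"sam", "security", "default"}),  # registry hives
    (r"WINNT\system32", {"ntoskrnl.exe"}),
    (r"WINNT", {"profiles"}),
]


def classify(chk_dir):
    """Return the path an orphaned chkdsk directory most likely had, or None."""
    names = {entry.lower() for entry in os.listdir(chk_dir)}  # NT names are case-insensitive
    for target, markers in SIGNATURES:
        if markers <= names:  # every marker must be present
            return target
    return None


def plan_recovery(volume_root):
    """Map each found.NNN\\dirNNNN.chk folder to a proposed destination.

    Nothing is moved: review the plan, then move folders by hand.
    """
    plan = {}
    for found in sorted(Path(volume_root).glob("found.*")):
        for chk in sorted(found.glob("dir*.chk")):
            if chk.is_dir():
                plan[f"{found.name}\\{chk.name}"] = classify(chk)
    return plan


def build_sample_volume(root):
    """Constructed sample tree mirroring the layout described in the post."""
    layout = {
        "found.000/dir0000.chk": ["Profiles/", "system/", "notepad.exe"],
        "found.000/dir0001.chk": ["NTOSKRNL.EXE", "hal.dll", "config/"],
        "found.000/dir0002.chk": ["SAM", "SECURITY", "DEFAULT", "SYSTEM", "SOFTWARE"],
        "found.000/dir0003.chk": ["readme.txt"],  # unknown content stays unclassified
    }
    for folder, entries in layout.items():
        base = Path(root, folder)
        base.mkdir(parents=True)
        for entry in entries:
            if entry.endswith("/"):
                (base / entry).mkdir()
            else:
                (base / entry).touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        for source, target in plan_recovery(tmp).items():
            print(f"{source:28} -> {target or 'unknown, inspect by hand'}")
```

Point `plan_recovery` at the mounted volume's root and work on a copy of the drive where one is available, since chkdsk has already rewritten the directory structure once.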

Office 2013 / 2016 Start Screen, Themes and that Weird “Smooth Text” Feature

Office is what we’d call a “productivity” application.  Which leads me to wonder why Microsoft keeps sticking these road bumps in the way of… you know, getting productive.

One of my least favorite features is the first thing you see when you open an Office 2013 or 2016 application – the start screen.  Never mind that Word takes an additional 5-10 seconds to load now (find a copy of Office 2003 if you don’t believe me – there is absolutely no lag time, it starts instantly).  Your first view is the insulting “Start Screen”, a continuous reminder that Microsoft really cares “what do you want to do today?”

image

Let’s get rid of it.  You’ll have to open a blank document, then hit File –> Options

image

And there it is, plain as day.  Uncheck “Show the Start screen when this application starts”.

image

This also works with Excel and other Office applications.

While we’re in here, let’s get rid of that ridiculous theme and do something about that horribly washed out look of this program (whoever thought light gray on white was a good contrast scheme should be taken out and shot).

Those silly decorations are good for nothing.  The minimalist window resize buttons are hard enough to see as it is.

Choose “No Background” and “Dark Gray” for the Office Theme.

image

I sure wish Microsoft had more options for themes.  I’ve never had so many uninstall requests as the month my company rolled out Office 2013 – all because of the washed out color scheme.

Last, let’s talk about that weird animated-typing thing.  It used to be that your cursor would progress to the next space as soon as you typed a character.  Not anymore!  Microsoft is sure you want the cursor to smoothly drag across the page as you type, in direct contrast to the action of typing a single character on a keyboard.

This, unfortunately, is a Windows setting. 

  • Go to your system properties (Windows Key + R, type “sysdm.cpl”)
    image
  • Go to the Advanced tab and click “Settings” under Performance
    image
  • Click “Custom” to change individual settings, and uncheck “Animate controls and elements inside windows”
    image

OK your way out of System Properties.

You’ll have to log off and back on for the settings to take effect, but now your cursor will advance one space with each keystroke as it used to.

NACHA “ACH Transaction Canceled” Email… Fraud!

Here’s one from the vault:  I used to regularly receive emails with the ominous subject line “ACH transfer rejected”:


The ACH transfer (ID: 2010xxxxxxxxxx), recently initiated from your checking account (by you or any other person), was rejected by the Electronic Payments Association.

Canceled transfer
Transaction ID: 2010xxxxxxxxxx
Rejection Reason: See details in the report below
Transaction Report: report_20102828938591.pdf.exe (self-extracting archive, Adobe PDF)

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100
2011 NACHA – The Electronic Payments Association


Now, my first indications that these emails might not be completely legit were the default font (it showed up in Times New Roman) and an email address showing up in the Sender’s name field (as opposed to the name of a person or department).  Another indication was the double file extension on the transaction report (.pdf.exe). 

I decided to do a little research.  First, my bank account had no activity at all for the previous three days, and in fact no payment had been initiated or rejected.  I was safe.  But wait… what is this “NACHA”, and why haven’t I ever heard of this ELECTRONIC PAYMENTS ASSOCIATION?

NACHA is in fact a real association responsible for maintaining the backbone of the ACH network.  You’ve seen the initialism “ACH” on your bank statement if you’ve ever used your debit card anywhere.  It stands for “Automated Clearing House”, where banks get together and settle their balances with each other.  However, NACHA will not send you an email in the event of a transaction failure because NACHA doesn’t handle individual ACH transactions at all (that’s your bank’s job).  A warning regarding this phishing scam was posted on the NACHA site as early as February of 2010. 

So to be safe, never click a link in an email if you don’t know or don’t trust the sender – especially if the email has anything to do with your identity, money or passwords.  And if you receive an email from NACHA notifying you of a canceled or rejected transaction, just delete it and share this info with your friends!
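
The indicators described above (an email address in the sender's name field, a double file extension on the "report", and a message claiming NACHA is reporting on an individual transfer) can be checked mechanically at a mail gateway or during triage. This is an added example, not part of the original post; the extension lists, function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for this example: a document-looking extension followed by
# an executable one is the ".pdf.exe" pattern from the post.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
FILENAME_RE = re.compile(r"[\w\-]+(?:\.[A-Za-z0-9]{1,5}){2,}")


def has_double_extension(name):
    """True for names such as report.pdf.exe (document extension, then executable)."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in EXEC_EXT


def indicators(raw_message):
    """Return the list of indicators from the post found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. An email address where the sender's name should be.
    display, _address = parseaddr(msg.get("From", ""))
    if "@" in display:
        findings.append("sender display name is an email address")

    # 2. Double extensions on attachments or on file names quoted in the body.
    names, text = [], ""
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename())
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode("utf-8", "replace")
    names += FILENAME_RE.findall(text)
    for name in sorted(set(names)):
        if has_double_extension(name):
            findings.append(f"double file extension: {name}")

    # 3. NACHA does not handle individual ACH transactions, so a per-transfer
    #    notice sent in its name is itself an indicator.
    claims_nacha = re.search(r"nacha|electronic payments association",
                             msg.get("From", "") + text, re.I)
    if claims_nacha and re.search(r"\bACH\b", msg.get("Subject", ""), re.I):
        findings.append("claims NACHA is reporting on an individual ACH transfer")
    return findings


# Constructed sample modelled on the message quoted above (placeholder IDs).
SAMPLE = """\
From: "payments@nacha.example" <noreply@mailer.example>
To: user@example.com
Subject: ACH transfer rejected
Content-Type: text/plain; charset="us-ascii"

The ACH transfer (ID: 0000000000), recently initiated from your checking
account, was rejected by the Electronic Payments Association.
Transaction Report: report_0000000000.pdf.exe (self-extracting archive, Adobe PDF)
"""

if __name__ == "__main__":
    for finding in indicators(SAMPLE):
        print("-", finding)
```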

Can’t add Workstation to Server 2012 or Server 2008 Domain

I’ve run into this a handful of times:  new server, new workstation, new domain.  No existing accounts for the workstation in AD, pings and traceroute resolve OK.  I have valid credentials.  I even get the authentication prompt when I try to add the workstation to the new domain… but the workstation just won’t join to the new Server domain I’ve created.

image  image image

The workstation can locate the domain controller (this is why you actually see the authentication prompt) but can’t resolve the domain.  What could be wrong?  DNS.

While there are other workarounds, I’ve found this to be the simplest: add your domain controller as the only static DNS server.

In the system tray, right-click the network icon and select “Network and Sharing Center” (the left-click doesn’t work the way it did in Windows 7)
image  

Click “Change adapter settings”

image

Right-click your Ethernet adapter, click “Properties”

image

Click “Internet Protocol Version 4” then “Properties” (or double-click it)

image

If you have network connection and you can resolve your AD server, leave “Obtain an IP Address Automatically” selected.
On to DNS settings:  my AD server is at 192.168.2.21, so I enter that and hit “OK”.

image

Now try adding the machine to the domain using the above steps, and…

image

Reboot and log in to your domain.

Enabling Remote Desktop Connection in Server 2012

Installing Windows Server 2012 can be simple enough, especially if you are experimenting with a virtual machine.

After renaming the machine and getting it connected to the network, how do you enable RDP?  As with many features in the new Windows family, there are at least 3 ways to get RDP enabled on your new Server 2012 installation.  As with any administrative task, make sure you are logged on as an administrative user to make these changes.

1. SYSDM.CPL
First, my favorite approach:  hit Win+R to summon the Run prompt, then type either “sysdm.cpl” or “SystemPropertiesRemote” and click “OK”.  Alternatively, you can type either into PowerShell or a command prompt.
image

Click the “Remote” tab (you will already be here if you chose “SystemPropertiesRemote”)
image

Click “Allow remote connections to this computer”
image

You will be presented with a firewall warning, click OK:
image

For your testing environment, it is probably safe to uncheck “Allow connections only from computers running Remote Desktop with Network Level Authentication”, but if you’re only using Windows 7 computers to connect to this server, it is safe to leave it checked.
image

Click OK, and your Windows Server 2012 installation is RDP-enabled.

2. Command Line
None of the above will help you if you’ve chosen either a minimal or Core installation.

Luckily, there is a single line that turns on RDP in Server 2012 Full or core editions:

cscript scregedit.wsf /ar 0

image

That’s it.  To view your RDP settings, use cscript scregedit.wsf /ar /v and to turn off RDP, type cscript scregedit.wsf /ar 1.

Getting and Setting Hostname and IP address in Server 2012

First things first:  your server needs a name and a static IP address.

Setting the hostname in Server 2012 is easy enough (just use the command prompt or PowerShell, this only takes a second!)

To set the IP address:

netsh interface ip set address name="Ethernet" static 192.168.2.23 255.255.255.0 192.168.2.1

This uses the netsh command to give your default Ethernet connection a name (“Ethernet”), specify the address type (always static for servers) and then the address, subnet mask and gateway.

To set the hostname:

netdom renamecomputer %computername% /newname:<NewName>

Here, use the netdom command to give your server a meaningful name according to your naming convention.  The syntax is netdom renamecomputer <currentComputerName> /newname:<newName> .  Use the system variable %computername% if you don’t want to attempt replicating Windows’ default naming schema for new servers; this is usually a strange random string of characters.

image

To confirm your settings “stuck”, check them out with ipconfig and hostname:

image

image

Microsoft Access 2010: Where’s the Switchboard Manager?

The Microsoft Access switchboard manager was easy to find until Office 2007.  In Access 2003, you could simply click Tools –> Database Utilities –> Switchboard Manager, and Access would create a new switchboard for your database if it didn’t already have one.

The Microsoft Office ribbon did consolidate and – dare I say – simplify many tasks, but users were often left searching for that one menu item that used to be right HERE!  The switchboard manager is hiding, but you can place it on the ribbon permanently.  Here’s how to add the Switchboard Manager to your “Database Tools” ribbon group:

  • Right-click any place on the ribbon. 
  • Click “Customize the Ribbon”.
  • You are brought to the “Access Options” screen, and “Customize Ribbon” should be selected on the left.
  • In the “Choose Commands From” drop-down box, select “Commands not in the ribbon”.

 

  • Now you have to give the ribbon a place to put the Switchboard Manager button.
  • In the “Customize the Ribbon” drop-down box, select “Main Tabs”.  Click “Database Tools” in the right window, then click the “New Group” button below.  Name your group “Switchboard”.
  • Find “Switchboard Manager

To do that, follow these steps:

  • Right-click anywhere on the Ribbon and click Customize the Ribbon to open the Customize area.
  • Select “Commands Not On Ribbons” and find the Switchboard Manager option
  • Add that command to one of the existing Ribbon groups or create your own Ribbon group and add it there.
  • Launch Switchboard Manager.

Delete Folders, Subfolders and Files Recursively from the Command Prompt

I like to use command prompt wherever I can.

One of my favorite housekeeping tasks is to wipe out the Temporary Internet Files for a specific user.  This is a helpful triage step in the case of persistent malware or virus infection (*unless the user’s icons and programs seem to be missing… do not delete temp files in this case!)

It used to be that you could delete these folders directly and manually using the GUI (up to XP SP2 if I’m not mistaken) but I’ve never known how to delete these folders recursively.  Here is how you would do this in Windows 7, 8 or 10:

From an elevated command prompt:

c:\users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5> for /d %D in (.) do (rd /s /q  "%D")
image

What this does is exactly what I wanted.  Looking at the script from back to front:

  • rd /s /q is “remove directory”.  The /s switch performs a recursive remove while the /q performs it in “quiet” (non-verbose) mode.
  • %D is the DOS-style variable I set to represent each directory.  You could set this variable as %foo or %
  • the “.” represents the current directory.

Depending on the size and depth of the folder, this operation may take a while. 

Internet Explorer Error 217 Fix

Machine:  Dell Vostro 1500 Notebook
OS: Windows XP Home
Specs: Core2Duo 1.4GHz, 1GB RAM, 120GB HD

** Read to the end! **

On an older notebook today I found a new error (for me, at least).  Whenever Internet Explorer would start, an error would pop up simply titled “Error”, with the message “Runtime error 217 at 011d378b” and an “OK” button.  That’s it – no publisher information and no helpful hyperlink for more information.  After dismissing the error message, Internet Explorer would then start and browse normally.

For Internet Explorer to throw this error at startup, I was fairly sure the error was due to an add-on (or plugin) that could no longer start.  This machine recently had a severe virus infection cleared up with the subsequent uninstallation of extraneous helper programs and toolbars.

The 217 error is, in fact, due to a missing or corrupt Internet Explorer add-on.  Newer versions of IE will allow you to disable add-ons on a per-session basis, but this won’t fix or even identify the problem.  So…

The Fix
First let’s see where add-ons are managed in IE: 

  • if you can run Internet Explorer, click Tools –> Internet Options
  • If you cannot run Internet Explorer (this machine would not), go to Control Panel –> Network and Internet Connections –> Internet Options.  If you are using Classic View, just click Internet Options.
  • Click the Programs tab.  At the bottom of this tab in IE6 you will find two buttons:  Reset Web Settings and Manage add-ons.  In IE7 and IE8 you will find Manage add-ons; the Reset Web Settings is under the “Advanced” tab.
  • Click the Manage Add-ons button.  Here you will see the add-ons IE currently has installed. 

Any add-on you don’t want, or an add-on belonging to an uninstalled program, should be disabled.  Right-click any one of them and disable it.  Some have dependencies, so you may be asked to confirm.  This particular laptop previously had “MyFunCards” installed, but I also found entries for “AVG Safe Search” from AVG 9.0.  Here are entries I disabled:

  • MyFunCards (MindSpark)
  • AVG Safe Search
  • Toolbar BHO (MindSpark)
  • Search Assistant BHO (MindSpark)

The problem seemed to be found, fixed and resolved.  All I needed to do was restart IE, right?

Wrong.  The IE window would pop up for a split second and exit.  Turns out Comodo Antivirus and its suite of overprotective agents were preventing IE from starting at all!  I disabled the Comodo modules, started IE, ran through the welcome screens and started applying updates.  We’re back in business.