Overview of Microsoft Diagnostics and Recovery Toolset
By Jerry Honeycutt
Published October 2009
By providing tools that help you quickly troubleshoot and repair Windows®-based desktops, Microsoft® Diagnostics and Recovery Toolset (DaRT) can reduce the time, cost, and frustration associated with recovering computers that will not boot. DaRT 6.5 adds support for the Windows 7 and Windows Server® 2008 R2 operating systems. This white paper gives an overview of DaRT: its benefits, its capabilities, and how to evaluate it.
A user frantically calls support and your manager sends you to fix the problem. At the user’s desk, you log on to the Windows operating system and use the variety of tools that are available for troubleshooting. You look in Event Viewer for clues about the problem. You determine that the problem is a faulty device driver, and so you use the Computer Management console to disable that driver. Windows includes many such tools to help you diagnose and fix problems, but what do you do if you cannot boot the computer into Windows?
The Microsoft Desktop Optimization Pack (MDOP) for Software Assurance can help organizations reduce the cost of deploying applications, deliver applications as services, and better manage desktop configurations. Together, the MDOP applications that are shown in Figure 1 can give Software Assurance customers a highly cost-effective and flexible solution for managing desktop computers.
Figure 1. Microsoft Desktop Optimization Pack
To help recover Windows-based desktops that will not boot, MDOP offers the Microsoft Diagnostics and Recovery Toolset (DaRT). DaRT is a powerful set of tools that extend the Windows Recovery Environment (Windows RE). With DaRT, you can analyze an issue to determine its source, view the computer’s event log for more clues, disable a faulty device driver, and remove hotfixes even when you cannot start the installed Windows operating system. Additionally, DaRT includes tools that enable you to troubleshoot the installed Windows operating system when starting Windows would not be prudent. For example, you can restore deleted files and sweep the computer for malware.
DaRT can help you quickly recover computers running both 32-bit and 64-bit versions of Windows, in less time and with less frustration than reimaging the computer. This white paper describes the tools, such as Locksmith and Crash Analyzer, that are in DaRT. The paper then describes how Software Assurance customers can begin evaluating DaRT today.
Creating the DaRT Media
Microsoft does not provide DaRT as a boot image. DaRT is not an .iso file that you download and burn to a CD. Instead, DaRT is a program that creates boot media, based on the Windows RE and a set of tools that DaRT provides. This boot media starts the Windows RE, from which you can start ERD Commander. ERD Commander provides a launch platform for the DaRT tools.
You use the ERD Commander Boot Media Wizard to create the ERD Commander boot media. To start the wizard, click Start, All Programs, Microsoft Diagnostics and Recovery Toolset, ERD Commander Boot Media Wizard. The ERD Commander Boot Media Wizard will ask for the following:
- Windows 7 boot image.
- Tool selection.
- Debugging Tools for Windows (http://go.microsoft.com/fwlink/?LinkId=99934).
- Definitions for Standalone System Sweeper.
- Additional drivers.
- Additional files.
Figure 2. ERD Commander Boot Media Wizard
At its completion, the ERD Commander Boot Media Wizard prompts you for the location and name of the image file to create. By default, the wizard creates the file ERD65.iso on your desktop. The wizard also prompts you to burn this image to a CD. You cannot copy this image to a USB flash disk.
ERD Commander in DaRT 6.5 supports Windows 7 and Windows Server® 2008 R2. Both x86 and x64 versions of DaRT 6.5 are available. DaRT does not support cross-platform boot media. Additionally, ERD Commander in DaRT 6.5 has the following minimum hardware requirements:
- 1 GHz 32-bit (x86) or 64-bit (x64) processor
- 1 GB of system memory
- A CD drive
- BIOS support for starting the computer from a CD drive
Starting the DaRT Media
To start DaRT:
- Boot a physical computer by using the ERD Commander boot media.
- Boot a virtual machine by mounting the ERD Commander boot image to it.
After starting the computer by using the ERD Commander boot media, Windows RE asks a few simple questions to initialize the environment. These include whether to initialize network connectivity in the background by using DHCP (you can manually configure network connectivity later by using the TCP/IP Config tool), which drive letters map to the Windows operating system that you are repairing, and which language and keyboard you want to use. Finally, you choose the Windows operating system to repair.
After preparing the environment, you see the System Recovery Options window, shown in Figure 3. Clicking Microsoft Diagnostics and Recovery Toolset opens the ERD Commander, which provides a launch platform for all of the DaRT tools that you included in the boot media.
Figure 3. System Recovery Options
Exploring the DaRT Tools
Figure 4 shows the ERD Commander. From this window, you can launch any of the individual tools that you included in the ERD Commander boot media. You can also use the Solution Wizard to choose the best tool, based on a brief interview. Click Help to see detailed instructions for using each tool. The following sections provide an overview of each tool.
Figure 4. ERD Commander
ERD Registry Editor
You can use ERD Registry Editor, shown in Figure 5, to edit the registry of the Windows operating system that you are repairing. This includes adding, removing, and editing keys and values and importing .reg files.
ERD Registry Editor enables you to make registry edits that could help repair a system that will not boot. Additionally, you can use ERD Registry Editor to edit values that the installed Windows operating system locks while it is running.
Figure 5. ERD Registry Editor
Notice in Figure 5 that HKEY_CURRENT_USER is missing, because a user did not log on to the installed operating system. Instead, ERD Registry Editor populates HKEY_USERS with all the user hive files found in the target installation. Additionally, HKEY_LOCAL_MACHINE does not contain a HARDWARE key.
Warning: Serious problems might occur if you modify the registry incorrectly by using ERD Registry Editor. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
Locksmith Wizard
The Locksmith Wizard is a simple tool that allows you to set the password for any local account on the Windows operating system that you are repairing, as Figure 6 shows. You do not need to know the current password. However, the password you set must comply with any requirements that a local Group Policy object (GPO) defines, including password length and complexity. Use this tool in the event that the password for a local account, such as the local Administrator account, is unknown. This tool cannot set passwords for domain accounts.
Figure 6. Locksmith Wizard
Crash Analyzer Wizard
By using the Crash Analyzer Wizard, you can quickly determine the cause of an issue by analyzing the memory dump file on the Windows operating system that you are repairing. Based on this information, you can take corrective action. The Crash Analyzer Wizard can eliminate much of the guesswork involved in diagnosing nonresponsive systems.
For example, if the Crash Analyzer Wizard reports that a device driver called MyFault.sys is the cause, as shown in Figure 7, you can disable the device driver by using the Services and Drivers item in Computer Management (see the section “Computer Management”). After discovering and disabling the faulting device driver, you can try to start the repaired Windows operating system.
Figure 7. Crash Analyzer Wizard
The Crash Analyzer Wizard requires the Debugging Tools for Windows. As described in the section “Creating the DaRT Media,” you can include the Debugging Tools for Windows in the ERD Commander boot media or you can install them on each computer that you are repairing. Microsoft recommends that you include the tools in the ERD Commander boot media. Otherwise, you must locate the Debugging Tools for Windows each time you use the Crash Analyzer Wizard to diagnose a computer that is not responding.
In addition to the Debugging Tools for Windows, the Crash Analyzer Wizard requires symbol files for the operating system that you are repairing. Symbol files map memory addresses to names, helping to provide meaningful information for troubleshooting. You can include the symbol files on your ERD Commander boot media or you can download the symbol files when you use the Crash Analyzer Wizard to repair a computer (in which case, an Internet connection is required while troubleshooting).
Even if you plan to reimage the computer, running the Crash Analyzer Wizard to determine the cause of the issue is a good idea. The image might have a bad driver that is causing intermittent problems in your environment. Running the Crash Analyzer Wizard can help you to see these patterns and improve your image stability.
Note: If you do not have access to symbols or the Debugging Tools for Windows on the computer that you are repairing, then you can copy the memory dump file to another computer and use the standalone version of the Crash Analyzer Wizard to diagnose the issue. By enabling you to analyze memory dump files remotely, this tool is also useful when you are diagnosing an issue that does not prevent Windows from starting. To run the standalone version of the Crash Analyzer Wizard on the computer that contains DaRT, click Start, All Programs, Microsoft Diagnostics and Recovery Toolset, ERD Commander Boot Media Wizard.
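The workflow that the Crash Analyzer paragraphs describe (analyze the dump with the Debugging Tools for Windows and symbol files, then disable the driver that the analysis names) can also be carried out from a command prompt in the recovery environment, and seeing the two steps spelled out shows what the wizards do behind the GUI. The following batch script is an added example; it is not part of the white paper or of DaRT. It assumes that the installed Windows is mounted as C:, that kd.exe from the Debugging Tools for Windows is at D:\Debuggers on the boot media, that D:\Symbols is a local symbol cache, and it uses the paper's MyFault.sys as the driver name; all of these are placeholders to adjust.

```batch
@echo off
setlocal
REM Added example, not from the white paper or DaRT. Assumed paths: the offline Windows
REM installation is C:, the Debugging Tools for Windows are at D:\Debuggers, and D:\Symbols
REM is a local symbol cache. MyFault is the driver name the paper uses as its example;
REM substitute the module that the analysis actually reports.
set DUMP=C:\Windows\MEMORY.DMP
set DEBUGGERS=D:\Debuggers
set SYMPATH=srv*D:\Symbols*https://msdl.microsoft.com/download/symbols
set DRIVER=MyFault

REM Step 1: the same kernel-debugger analysis the Crash Analyzer Wizard wraps.
REM !analyze -v needs symbols to turn addresses into names; MODULE_NAME and IMAGE_NAME
REM identify the faulting driver and BUGCHECK_STR the stop code.
"%DEBUGGERS%\kd.exe" -z "%DUMP%" -y "%SYMPATH%" -c "!analyze -v; q" > C:\analyze.txt
findstr /i /c:"BUGCHECK_STR" /c:"MODULE_NAME" /c:"IMAGE_NAME" C:\analyze.txt

REM Step 2: disable the driver in the installed system's registry while it is offline.
REM The SYSTEM hive is loaded under a temporary name because the installed OS is not
REM running, so there is no live HKLM\SYSTEM and no CurrentControlSet link (the same
REM reason ERD Registry Editor shows no HARDWARE key). Select\Current holds the number
REM of the control set the installation boots from.
reg load HKLM\OfflineSystem C:\Windows\System32\config\SYSTEM || goto :fail
for /f "tokens=3" %%c in ('reg query HKLM\OfflineSystem\Select /v Current ^| findstr /i "REG_DWORD"') do set /a CCS=%%c
set SVC=HKLM\OfflineSystem\ControlSet00%CCS%\Services\%DRIVER%

REM Keep the driver's original Start value so the change can be reverted exactly.
reg query %SVC% /v Start > C:\%DRIVER%-start-before.txt
REM Start = 4 is SERVICE_DISABLED, the value Windows writes when a driver is disabled in
REM Computer Management; the driver file stays on disk, it simply is not loaded.
reg add %SVC% /v Start /t REG_DWORD /d 4 /f
reg unload HKLM\OfflineSystem
echo Disabled %DRIVER% in ControlSet00%CCS%; try starting the repaired system.
goto :eof

:fail
echo Could not load the offline SYSTEM hive from C:\Windows\System32\config\SYSTEM
exit /b 1
```

The hive must be unloaded before the repaired system is started; a hive left loaded is still open in the recovery environment, and the saved Start value in C:\MyFault-start-before.txt is what to write back if the driver turns out not to be the cause.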
File Restore
In Windows, the Recycle Bin helps prevent users from deleting files by mistake. However, users sometimes realize that they need a particular file only after emptying the Recycle Bin. In other cases, files are too big to fit in the Recycle Bin, or an application deletes the files.
File Restore enables you to attempt to restore all of these deleted files. Figure 8 shows the File Restore user interface. First, you must find the file you want to restore; File Restore has filtering capabilities to help expedite this process. For instance, you can use a file mask to search for specific file-name patterns. Additionally, you can limit results to a certain path, date range, or size range. File Restore can even find files in deleted directories. For each file that File Restore finds, it indicates whether recovery is likely or unlikely.
Figure 8. File Restore
File Restore is not limited to regular disk volumes. File Restore can find and restore files on lost volumes or on volumes that are encrypted by Windows BitLocker™ Drive Encryption. In the first case, File Restore can scan for and locate lost volumes, which you can then search for deleted files. In the second case, File Restore gives you the ability to unlock BitLocker-encrypted volumes by manually providing the recovery password or loading the recovery key from a file.
Disk Commander
By using Disk Commander, you can recover and repair disk partitions or volumes. As Figure 9 shows, you can choose from the following recovery processes:
- Restore the Master Boot Record (MBR).
- Recover one or more lost volumes.
- Restore partition tables from Disk Commander backup.
- Save partition tables to Disk Commander backup.
Figure 9. Disk Commander
Warning: Microsoft recommends that you back up a disk before using Disk Commander to repair it. By using Disk Commander, you can potentially damage volumes and make them inaccessible. Additionally, changes to one volume can affect other volumes because volumes on a disk share a partition table.
Disk Wipe
Many organizations simply format computers’ hard disks when they donate, recycle, or discard them. However, just formatting the hard disk does not destroy sensitive company or personal data on that disk. As various news accounts have shown, malicious users can get their hands on computers that companies discard and can recover sensitive data.
Disk Wipe, shown in Figure 10, can erase all data from a disk or volume. Two algorithms are available: a single-pass overwrite and a four-pass overwrite, which meets U.S. Department of Defense standards. After wiping a disk or volume, you cannot recover the data, so verify the size and label of a volume before erasing it.
Figure 10. Disk Wipe
Computer Management
The Computer Management console, shown in Figure 11, is familiar to any information technology (IT) professional. The console is tailored to diagnose and repair problems that can prevent the Windows operating system from booting. The items in this console include the following:
- System Information.
- Event Viewer.
- Services and Drivers.
- Disk Management.
Figure 11. Computer Management
Explorer
Sometimes, before you attempt to repair or reimage a system, you need to remove business-critical information that the user stored on a local drive. In DaRT, you can use Explorer to browse the computer’s file system and network shares. Because you can map drive letters to network shares, you can easily copy and move files from the system to the network for safekeeping or from the network to the system to restore them. Figure 12 shows Explorer.
Figure 12. Explorer
Solution Wizard
With so many tools in DaRT, figuring out which one to use can often be challenging. The Solution Wizard, shown in Figure 13, asks you a series of questions and then recommends the best tool for the job, based on your answers. This wizard helps you determine which tool to use when you are not familiar with the tools in DaRT. After becoming familiar with DaRT, you are more likely to start the correct tool for each job, without the help of the Solution Wizard.
Figure 13. Solution Wizard
TCP/IP Configuration
When you start the ERD Commander boot media, it optionally obtains its TCP/IP configuration (IP address and DNS server) from Dynamic Host Configuration Protocol (DHCP). If DHCP is unavailable, you can manually configure TCP/IP by using the TCP/IP Configuration tool, shown in Figure 14. First, you choose a network adapter, and then you configure the IP address and DNS server for that adapter. Click Advanced to configure advanced TCP/IP settings.
Figure 14. TCP/IP Configuration
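The two tasks described for Explorer and for TCP/IP Configuration, giving the recovery environment a static address and DNS server when DHCP is unavailable and then mapping a network share to copy a user's files off the machine before repair or reimaging, have a command-line equivalent, shown here as an added example that is not part of the white paper or of DaRT. The adapter name, addresses, server, share, account and profile path are all constructed placeholders, and the script assumes that netsh.exe, net.exe and robocopy.exe are available at the recovery environment's command prompt (use xcopy if robocopy is not).

```batch
@echo off
setlocal
REM Added example, not from the white paper or DaRT. Every value below is a constructed
REM placeholder: adapter name, addresses, file server, share, account and profile path.
set ADAPTER=Local Area Connection
set IPADDR=192.168.10.50
set NETMASK=255.255.255.0
set GATEWAY=192.168.10.1
set DNSSRV=192.168.10.10

REM Static IPv4 address and DNS server for the chosen adapter: the settings that the
REM TCP/IP Configuration tool's main page collects. validate=no skips the DNS reachability
REM check so the command does not stall on an isolated repair network.
netsh interface ipv4 set address name="%ADAPTER%" source=static address=%IPADDR% mask=%NETMASK% gateway=%GATEWAY%
netsh interface ipv4 set dnsservers name="%ADAPTER%" source=static address=%DNSSRV% validate=no
ipconfig /all | findstr /i "IPv4 Subnet Gateway DNS"

REM Map the share as the tool's Explorer would; the trailing * prompts for the password
REM interactively rather than embedding it in the script.
net use Z: \\fileserver.example.com\recovery /user:EXAMPLE\technician * || exit /b 1

REM Copy the profile with timestamps preserved. /XJ skips the junction points inside a
REM Windows 7 profile (which would otherwise loop or fail), /R:1 /W:1 keep unreadable
REM files from stalling the copy, and the log records exactly what was and was not copied.
robocopy "C:\Users\jsmith" "Z:\jsmith" /E /COPY:DAT /R:1 /W:1 /XJ /LOG:Z:\jsmith-copy.log
net use Z: /delete
```

Robocopy's exit code is a bit mask rather than a simple pass/fail (values below 8 mean nothing failed), so check the log rather than the errorlevel when deciding whether the copy is complete enough to proceed with reimaging.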
Hotfix Uninstall Wizard
Shown in Figure 15, the Hotfix Uninstall Wizard can remove hotfixes or service packs from the Windows operating system that you are repairing. Use this tool when a hotfix or service pack is potentially preventing the operating system from starting. Microsoft recommends that you use this tool to uninstall only one hotfix at a time, even though the tool allows you to uninstall more than one at a time. Be aware that programs that you have installed or updated after installing the hotfix might not work correctly after you uninstall the hotfix.
Figure 15. Hotfix Uninstall Wizard
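Removing a hotfix from an installation that is not running is offline servicing, and the Deployment Image Servicing and Management tool (DISM) that ships with Windows 7 can do it from a command prompt; the following batch script is an added example of that, not part of the white paper or of DaRT, and it follows the paper's advice of removing one hotfix per attempt. It assumes the installed Windows is mounted as C:, that D:\Scratch is writable scratch space on the recovery media, and that KB000000 is a placeholder for the hotfix number you are investigating.

```batch
@echo off
setlocal
REM Added example, not from the white paper or DaRT. Assumptions: the installed Windows is
REM C:, D:\Scratch is writable scratch space, and KB000000 is a placeholder hotfix number.
set OFFLINE=C:\
set KB=KB000000

REM List the packages installed in the offline image and keep the identity of the one
REM that matches the KB number. The listing prints lines of the form
REM   Package Identity : Package_for_KBnnnnnn~<publisher token>~amd64~~6.1.1.0
REM so the identity is the fourth whitespace-separated token.
set PKG=
for /f "tokens=4" %%p in ('dism /Image:%OFFLINE% /Get-Packages ^| findstr /i "Package_for_%KB%"') do set PKG=%%p
if not defined PKG (
    echo No package for %KB% is installed in %OFFLINE%
    exit /b 1
)

REM Show what the package is (release type, install time) before touching it, then remove
REM exactly that one package. Retest the boot before removing another.
dism /Image:%OFFLINE% /Get-PackageInfo /PackageName:%PKG%
dism /Image:%OFFLINE% /Remove-Package /PackageName:%PKG% /ScratchDir:D:\Scratch
if errorlevel 1 (
    echo Removal of %PKG% failed; see the DISM log before trying again.
    exit /b 1
)
echo Removed %PKG% from %OFFLINE%; try starting the repaired system.
```

If the offline installation is a different architecture from the recovery environment, DISM still lists and removes packages, but the package identity will carry the target's architecture (for example x86), which is why the script reads the identity from the listing rather than constructing it.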
System File Repair Wizard
Use the System File Repair Wizard to repair system files that are preventing the installed Windows operating system from starting. The System File Repair Wizard can automatically repair system files that are corrupted or missing. Alternatively, the wizard can prompt you before performing any repairs.
Figure 16. System File Repair Wizard
File Search
Before reimaging a computer, recovering files from the local hard disk is important—particularly when the user might not have backed up or stored the files elsewhere. Although the Explorer tool can be helpful, File Search can help you to find documents when you do not know the file path or to search for general types of files across all the local hard disks. File Search, shown in Figure 17, enables you to search the computer for files. You can search for specific file-name patterns in specific paths. Additionally, you can limit results to a date range or size range. In recovery scenarios, when repairing the installed operating system is not possible, you can use File Search to find users’ documents and copy them from the computer.
Figure 17. File Search
Standalone System Sweeper
Having a good antivirus and anti-malware strategy in your organization is crucial. Although real-time scanner tools such as Microsoft Forefront™ Client Security are vital, today’s ever-changing landscape requires many different tools to defend your network.
Malware that uses rootkits can mask itself from the running operating system. If a rootkit-enabled virus or spyware makes its way to the system, most real-time scanning and removal tools can no longer see it or remove it. Because DaRT boots from a CD and the installed operating system is offline, you can attack the rootkit without it hiding from you.
Figure 18 shows the Standalone System Sweeper. This tool can help detect malware and unwanted software and alert you to security risks. When the Standalone System Sweeper detects malicious or unwanted software, it prompts you to remove, quarantine, or allow each item. You can use this tool to scan a computer for and remove malware while the installed Windows operating system is not running.
Figure 18. Standalone System Sweeper
Evaluating DaRT
DaRT is an add-on license available only to Software Assurance customers. Begin your evaluation today:
- Download and evaluate DaRT as part of MDOP. MDOP is available to Volume Licensing customers, Microsoft Development Network (MSDN®) subscribers, and Microsoft TechNet subscribers.
- See MDOP on Microsoft.com. To learn how DaRT and MDOP for Software Assurance can help you better manage GPOs, see http://go.microsoft.com/fwlink/?LinkId=160297.
- See MDOP on TechNet. For technical information about DaRT and MDOP for Software Assurance, see http://www.microsoft.com/technet/mdop on TechNet.