
Get IT Done: Learn why the Last Known Good Menu isn't always the best way to perform system recovery

Explore the drawbacks of the Last Known Good Menu for system recovery in Windows NT

Almost every technician is familiar with Windows NT’s “Last Known Good Menu” (LKGM). If you’re faced with a restore or a rebuild of a system, it can pull your buns out of the oven before they start to burn. However, the LKGM isn’t a foolproof answer. While it can be a lifesaver, it can sometimes cause problems even worse than the original one.

Using the LKGM
Activating the LKGM is simple. During the boot process, press the space bar when prompted and follow the directions on the screen. The LKGM is supposed to get your system back to an operational state by restoring something in the registry. Many NT administrators are leery of the LKGM because, after using it, their computer becomes an inexplicable mismatch of missing drivers and lost services.

The cause for this dismay stems from the process behind the allegedly “good” menu. To understand why things can go awry, you first have to understand what is happening behind the scenes.

The registry’s role in the Last Known Good Menu
Your system has registry keys named HKLM\System\ControlSetnnn where nnn is a number from 001 to 004. (Most systems only have two of these control set keys, but you can have up to four.) The registry key that most of you are familiar with—HKLM\System\CurrentControlSet—is actually nothing more than a pointer to one of these four registry keys.

Another section of the registry, HKLM\System\Select, determines the role of each of the four control sets. The value names under this key are CURRENT, DEFAULT, FAILED, and LASTKNOWNGOOD. Each of these values holds a number between one and four.
  • CURRENT points to the ControlSetnnn that was used to boot the system last. A copy of ControlSetnnn is created at boot time and named HKLM\System\CurrentControlSet.
  • DEFAULT indicates which ControlSetnnn will be used to boot the system next.
  • LASTKNOWNGOOD points to the last ControlSet that successfully booted the system.
  • FAILED is used by the system to indicate a ControlSet that didn’t successfully boot the system and required an automated fallback to LASTKNOWNGOOD. Under certain circumstances, the system will automatically revert to the “Last Known Good Menu.”

When you select the LKGM option, you are actually replacing the CURRENT pointer with the LASTKNOWNGOOD pointer.

Although this explains the mechanics of the LKGM, you still don’t have enough information to effectively figure out what went wrong when you tried to use it. To understand the problems it creates, you need two more pieces of information about LKGM.

How the LKGM affects services and drivers
First, you have to know what parts of the system the HKLM\System key affects. The answer is primarily services and drivers. The HKLM\System key contains all of the information about which device drivers and services are necessary to boot the system. Software configuration and user information is not stored in this key. Manipulating the key will not have any impact on either of them. Rolling back this key will not uninstall any software, but it may remove any drivers or services installed by the software.

The last piece of process information you need to understand is the definition of a so-called “Good Menu.” The LASTKNOWNGOOD pointer is only updated if all services and drivers load without generating any stop or warning messages and you successfully log on to the computer.

Problems created by the LKGM
The most common reason for problems created by the LKGM is services or drivers that fail to load. When NT doesn’t start the way it thinks it should, it doesn’t update the LASTKNOWNGOOD pointer. After six months of the user ignoring messages about services or drivers failing to load, the LASTKNOWNGOOD pointer will be referencing a ControlSetnnn key that bears little resemblance to the CurrentControlSet. Now the next time you see the message “At least one Service or Driver failed to load,” you’ll understand why it is important to correct the problem.
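
To see ahead of time what a rollback would change, the following added example (not part of the original article) parses a text export of HKLM\System, resolves the CURRENT and LASTKNOWNGOOD pointers from the Select key, and lists the services and drivers that differ between the two control sets. It assumes a REGEDIT4-style text export; the sample data and the service names in it are constructed for illustration.

```python
import re

# Constructed sample: REGEDIT4-style export trimmed to the Select key and the
# Services subkeys of two control sets. All service names are made up.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"Failed"=dword:00000000
"LastKnownGood"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk]
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleNic]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleBackupAgent]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Disk]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\OldTapeDriver]
'''
KEY_RE = re.compile(r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(.+)\]$', re.I)
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-f]{8})$', re.I)

def parse_export(text):
    """Return (Select values by upper-cased name, service names per control set number)."""
    select, services, key = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            parts = key.split('\\')
            cs = re.fullmatch(r'ControlSet(\d{3})', parts[0], re.I)
            if cs and len(parts) >= 3 and parts[1].lower() == 'services':
                # Deeper subkeys (e.g. ...\Parameters) still count toward the service name.
                services.setdefault(int(cs.group(1)), set()).add(parts[2])
            continue
        m = DWORD_RE.match(line)
        if m and key and key.lower() == 'select':
            select[m.group(1).upper()] = int(m.group(2), 16)
    return select, services

def rollback_drift(text):
    """Compare the CURRENT control set with the one LASTKNOWNGOOD points to."""
    select, services = parse_export(text)
    cur, lkg = select['CURRENT'], select['LASTKNOWNGOOD']
    now, old = services.get(cur, set()), services.get(lkg, set())
    return {'current': 'ControlSet%03d' % cur, 'lastknowngood': 'ControlSet%03d' % lkg,
            'lost_on_rollback': sorted(now - old), 'returns_on_rollback': sorted(old - now)}

if __name__ == '__main__':
    print(rollback_drift(SAMPLE_EXPORT))
```

A long `lost_on_rollback` list is the drift described above: the LASTKNOWNGOOD control set has fallen well behind the one the machine actually runs.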

Wrapping up
The Last Known Good Menu is a good tool but not a perfect solution for all problems. While it can undo the installation of bad drivers and services, it won’t totally restore a computer’s configuration. Remember this and you won’t be disappointed when you call on it for help.