By Larry Seltzer
I was a customer of the original Norton Utilities versions back in the days when Peter Norton actually wrote the code. (I actually wrote him fan mail, and he replied. I was thrilled!) Norton looked at how the FAT file system actually worked at its lowest levels and wrote standalone utilities that added value to what DOS did with it. The most famous standalone utility was the then-revolutionary ability to "unerase" a file or, conversely, to delete a file permanently, leaving no trace of it on the disk.
Ever since Windows came out, Norton Utilities has been useful, but for expert users, it's not as useful as when it was a purely DOS-based product. While the Windows version is a relatively technical program in terms of the overall market, it's designed to be accessible to nonexpert users. Part of what made the original Norton Utilities really useful was that it was designed for experts.
These days, that role belongs to Winternals Software of Austin, TX, founded and run by Mark Russinovich and Bryce Cogswell, a couple of Ph.D.s who have also written extensively about Windows programming. Back when Peter Norton was The Man, the distinction between users and administrators wasn't as clear and meaningful as it is now. Everyone essentially had to be an administrator of his or her own system. The tools that Winternals Software sells are squarely aimed at network administrators, and end users shouldn't be allowed anywhere near them. I'll focus on Administrator's Pak, a bundle of many of their tools that costs $699.
Not yet ready for XP
Many of the tools do not work on Windows XP yet. Programs such as these work at a level where you have to deal with version-to-version incompatibilities in Windows, so it appears that they just haven't got around to making XP-compatible versions. Some of the tools work under XP despite the fact that their documentation indicates that they don't. Others such as Regmon aren't so flexible—running Regmon on Windows XP causes the system to reboot.
System monitoring made easy
Speaking of which, Regmon is a seriously cool tool for developers and administrators. It monitors and reports on access to the registry. (If you've ever bought one of those Windows registry books that fills in the gaps in Microsoft's documentation, the author undoubtedly used Regmon to gather the information that made the book possible.) The Filemon tool performs similar monitoring for access to the file system.
Because the Win32 environment is designed to prevent activities such as letting applications access certain programs and areas of the disk, many of the Winternals tools can also work in other environments that are more permissive. Some work on a system booted with the Windows NT/2000 Emergency Repair Disk (ERD). Some work from DOS. Winternals also provides two tools, NTRecover and Remote Recover, which let you work on systems remotely.
With NTRecover, you create a special boot disk for the system you want to repair and then connect to that system over a null-modem serial cable, the kind you would get with a copy of LapLink. NTRecover on the host system accesses the drives of the remote system over the cable as if they were network drives. Remote Recover works similarly but over a network, so you have to create a DOS boot disk that provides a DOS TCP/IP stack for the remote system. I had problems setting up both these programs. NTRecover can't work with disks with capacities greater than 8 GB, and setting up a DOS TCP/IP stack is a pain. But once you're set up, they are very cool.
Bear in mind that when you're accessing a remote system in this way, you are bypassing the operating system altogether. This means that you don't need a password to gain access to any file on the system. You do need physical access to the system and the ability to boot a floppy on it, which just goes to show that without physical security, no system is secure. Neither program can access a system running Windows' Encrypting File System (EFS) though. But bypassing the operating system's security can be advantageous for situations such as when you've lost the password. This is a major advantage of Winternals' tools over the Windows 2000 Recovery Console, a built-in facility for accessing and repairing broken systems that requires a login. The fact that Winternals' tools don't require a login underscores the point that without physical security, there is no security.
No password? No problem
Speaking of which, an especially shocking capability that Winternals implements through NTRecover or Remote Recover is Locksmith, a program that resets the password of any user account on the remote system. Once you're connected through NTRecover or Remote Recover, you run Locksmith and browse the remote system to its system directory (probably c:winnt), and Locksmith produces a list of users with local accounts, including Administrator. You select one, and Locksmith resets the password to '12345'.
At first I was shocked at this, but it's really not all that surprising. It doesn't read the passwords; it just resets the password to a known value. It gives access only to the local system, not the network. I also found out that there are several other companies, among them Passware and Sunbelt Software, who sell similar products.
Crash recovery: Not perfect, but possible
Let's say you want to run a version of Windows 2000 (or whatever OS you're using), but the system won't boot. For this problem, you can use the ERD Commander tool to extend the Emergency Repair Disk facility to make a command-line environment, in which you can perform repairs and run many programs. Other products can do this too, but ERD Commander can make a boot CD that's much easier to use than the four to six floppies necessary for a floppy-based boot of Windows NT/2000/XP. Be forewarned that the CD-making process didn't work right for me and apparently doesn't usually work. Search the Winternals Knowledge Base for additional tools you would need to get it to work correctly.
Disk Commander lets you access and recover data from disks that Windows cannot access due to corruption or other damage. It can also recover deleted files. Winternals recently released FileRestore, a separate tool used to unerase files with a more straightforward UI.
The bottom line
They're not cheap, they're not easy, and they're definitely not perfect—but if you're a Windows system administrator, the Winternals tools can be a lifesaver for many tough spots. You owe it to yourself at least to look them over. Like the original Norton Utilities, they probably do something you wouldn't have thought possible.
This article was originally published by ZDNet Tech Update on Jan. 3, 2002.
Thumbs up or thumbs down?
Have you used Winternals? What's your take? Do you have another favorite Windows administration tool? Post a comment to this article and share your thoughts.