Tool and utility software suites are available to help information technology
professionals administer and recover failed systems. iolo technologies’ System Mechanic 6
Mobile Toolkit is one such example. While a competent suite for small
business troubleshooters, System Mechanic doesn’t necessarily scale well to
enterprise-size environments in which remote administration and Active
Directory configuration are often required.

Winternals’ Administrator’s Pak offers enterprise
administrators just such a toolset. In addition to offering a wide array of
more intensive utilities, the Administrator’s Pak supports numerous remote
administration capabilities. However, there’s a price to be paid. Winternals’ Administrator’s Pak’s list price is $1,439,
considerably more than System Mechanic 6 (list price $299 on Amazon).

The additional cost will prove wise within enterprise environments, though, as all
of the following utilities are included in Winternals’
Administrator’s Pak 5.0:

  • ERD Commander 2005
  • Remote Recover
  • NTFSDOS Professional
  • Crash Analyzer Wizard
  • FileRestore
  • Filemon Enterprise Edition
  • Regmon Enterprise Edition
  • Insight for Active Directory
  • AD Explorer
  • TCP Tools (TCPView
    Professional and TCPVStat)

Figure A

Winternals’ Administrator’s Pak includes a
Navigator menu for accessing its many tools and utilities.

Here’s a quick rundown of each utility.

ERD Commander 2005

Winternals’ ERD Commander 2005 supports creating a bootable CD to
simplify system and data recovery. Using an ERD Commander rescue CD,
administrators gain access to powerful recovery utilities, including disk
management, command line, networking and other tools, on a wide variety of
Windows systems (including Windows NT 4.0/2000/XP and Server 2003 platforms).

ERD Commander 2005 works by bypassing the installed operating system and booting to
a self-contained graphic interface providing access to the system’s hard drives
and configuration settings (including the Windows registry). In addition to
powering a Console for processing batch files and other commands,
administrators using ERD Commander 2005 benefit from a host of additional

The Event Log helps determine system, security and application errors that may
be fouling a system’s performance. The Hotfix
Uninstall Wizard enables undoing Windows service packs, updates and hotfixes that may be preventing a system from booting or
operating properly. A Locksmith tool, meanwhile, enables changing Administrator
and local user passwords, which can prove a lifesaver when locked out of a
critical PC or server.

Remote Recover

Remote Recover simplifies recovering data on remote systems or configuring remote
systems for new installations. The ability to mount and administer remote
system hard disks saves administrators the trouble of having to travel to
systems across town or on a different floor when recovering data over
the network, removing malicious files from a remote system using a local
antivirus or antispyware application and more. Remote
Recover supports creating bootable CDs and floppy disks, as well as a PXE boot
option for systems without an operating CD or floppy drive.

NTFSDOS Professional

Troubleshooting NTFS errors is much easier when you can actually access the NTFS-formatted disk
in question. NTFSDOS Professional enables the creation of a boot diskette
administrators can use to access and repair NTFS volumes on Windows NT 4.0 and
newer operating systems.

Figure B

Several Administrator’s Pak utilities include
their own wizards that walk administrators through the process of specifying
custom configuration options to be used with a tool.

In addition to providing full read and write access to NTFS-formatted volumes,
NTFSDOS Professional makes it possible to repair damaged NTFS partitions: it can boot
nonfunctioning NTFS drives and create an environment in which checkdisk, antivirus and third-party recovery programs can
be executed.

Crash Analyzer Wizard

Winternals’ Crash Analyzer Wizard interprets Windows crash logs to
help determine the cause of system lockups and crashes. The Crash Analyzer
works in tandem with Microsoft’s Debugging Tools for Windows to trace errant
drivers. The wizard displays not only the driver likely responsible for a
system crash, but also a friendly description, the driver’s file location, the
publisher and other diagnostic data.


FileRestore

FileRestore provides administrators with a tool that makes quick work
of searching for and recovering deleted data from hard disks and other media.
Despite being deleted by system applications, processes, users or utilities,
many files remain on a hard disk, flash drive or other media. FileRestore offers a solution for searching FAT, FAT32 and
NTFS volumes on Win9x/Me/NT 4.0/2000/XP and Server 2003 systems for file
remnants and recovering previously deleted data.

Filemon Enterprise Edition

Filemon Enterprise Edition monitors file activity. Using Filemon, IT professionals can track file activity on both
local and remote systems. Further, Filemon tracks the
applications that access files and records the data in real time to simplify
troubleshooting problematic applications and file access issues. Filemon works with the Windows NT 4.0/2000/XP and Server
2003 operating systems.

Figure C

Filemon lists processes, requests, disk paths and

Filemon’s captured file activity data can be filtered according to a
number of criteria to help narrow searches. Once the
appropriate information is captured, the file activity events can be output as
a text file or printed for review.

Regmon Enterprise Edition

Troubleshooting stray and problematic registry errors can prove maddening. Regmon
Enterprise Edition monitors registry access in real time, which greatly
simplifies determining not only which applications are accessing the registry
when problems occur but also the actual registry keys in
question. Regmon can monitor both local registries
and those on remote systems.

The utility captures data according to filters you specify. Once captured, Regmon data can be output to a text file and printed, just
as with Filemon.

Insight for Active Directory

Troubleshooting faulty Active Directory configuration issues is much easier with Insight for
Active Directory, which monitors LDAP calls (and the results of those directory
requests) made from any system on the network. Using the data Insight for
Active Directory collects, administrators can review the causes of
authentication and access issues, research logon, file sharing and application
errors and determine the source of replication failures.

Figure D

Insight for Active Directory lists processes,
requests, input information and more. When an event is selected, additional
information associated with the event is displayed in the bottom pane.

AD Explorer

Another potent Active Directory troubleshooting tool included within Winternals’ Administrator’s Pak, AD Explorer, provides a
time-saving utility for finding, removing and editing objects and attributes
within Active Directory. Using AD Explorer, administrators can also insert new
objects within an existing Active Directory domain, view object properties and
configure security settings.

AD Explorer is a powerful accompaniment to Insight for Active Directory.
Double-clicking an entry from within Insight for Active Directory’s Event Pane
prompts AD Explorer to open the item. The linked behavior helps Winternals’ two Active Directory utilities work together
and simplifies Active Directory troubleshooting by ensuring that additional
information about an event, object or attribute is never more than a few clicks away.

TCP Tools (TCPView Professional and TCPVStat)

Winternals’ TCP Tools combine two networking applications into a
single utility.

TCPView Professional supports monitoring network traffic on Windows
9x/NT 4.0/2000/XP and Server 2003 platforms. While Windows’ native netstat command provides basic network monitoring
capabilities, TCPView Professional reveals additional
data associated with network traffic, including the application responsible for
generating specific network activity. TCPView
Professional’s ability to display activity listed by process in real time makes
it easy to diagnose which application or endpoint is congesting a network. The
utility possesses several filtering options and can log data to a text file to
aid troubleshooting efforts associated with specific systems, actions and

TCPVStat provides an additional console-based utility for monitoring
network traffic. Using TCPVStat, additional
information (such as the process that opened the endpoint connection or the
amount of data transferred using that endpoint) can be displayed for a TCP
endpoint. TCPVStat can also perform DNS name
resolution to reveal the friendly name of a system associated with an endpoint
or process.

Neither TCPVStat nor TCPView
Professional is installed by default with Winternals’ Administrator’s Pak. I suspect this is due to
conflicts that can occur when the utilities are loaded on networks that also
use Norton Antivirus software. When installing the Winternals’
Administrator’s Pak, you must select a Custom installation and specify that the
two network monitoring tools are installed with the other Administrator’s
Pak utilities.

Mid to large support

The tools and utilities included in Winternals’
Administrator’s Pak are geared toward IT professionals supporting midsize to
large organizations. The tools’ remote configuration capabilities certainly
contribute to the software suite’s cost, but the ease of use and flexible
administrative options they add justify the expense.

Future installments will explore in greater detail the steps required to maximize ERD
Commander 2005’s recovery tools, the file and registry monitoring utilities and
the Active Directory applications.