
Advanced Troubleshooting Techniques

Chris Conlon - Fall 2002

Macintosh

► Have your system CD
► Dump prefs

Windows

► 2 easy steps
  Reformat
  Reinstall

Overview of Topics

► Troubled beginnings - when computers don't start
► Lost but not forgotten - data recovery
► Your friend and mine - the Registry Editor
► How to succeed as a UA without really trying - automating tasks

Troubled Beginnings

Fixing Startup Errors

If you can't get to Windows

► Safe Mode - F8
► Boot off of the CD
  Recovery Console (2k/XP) vs Repair option
  Security Policy setting - otherwise you're locked out (the Recovery Console prompts for the local Administrator password and, by default, confines you to the system folders; the two "Recovery console:" options under Local Security Policy relax those limits. Allowing automatic administrative logon also means anyone with the CD and the box gets in, so weigh that before turning it on.)
► BIOS
  Delete, F1, F2
  Escape first to disable silent boot
► Quick boot is the enemy
  Resetting the NVRAM/PnP data
  Boot sector virus protection vs OS reinstall (the BIOS write-protect option has to be off before Setup can write a new boot sector)
► Check beep codes - RAM or video card?
  DocMemory on the Tools CD - RAM testing

Basics - Tools of the Trade

► MSConfig
  Best method - easily repaired
► Startup group and Run and Run- key
► Services in NT/2000/XP
► .INI files

Basics - Tools of the Trade

► Sysedit
  Can edit old startup files
► Autoexec.bat, Config.sys, System.ini, Win.ini
► Good for multimedia drivers and old things
► That pesky Norton uninstall (navapw32.dll is missing...)
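The Run key, win.ini load=/run= and system.ini shell= lines that MSConfig and Sysedit show you are also the places a trojan parks itself, and a long list is easy to skim past. The script below is an added example (not a tool from the slides or the Tools CD) that reads those three locations from files and flags every program that is not on a baseline list. The win.ini, system.ini and .reg export are constructed samples, and the BASELINE set is an assumption standing in for what you would collect from a known-good machine.

```python
"""Inventory the classic autostart locations MSConfig and Sysedit expose (the
Run key, win.ini load=/run=, system.ini [boot] shell=) and flag every program
that is not on a baseline allowlist. Added example; all sample files below are
constructed, not copied from a real machine."""
import configparser
import re

# Constructed win.ini: the run= line starts something a stock install does not.
WIN_INI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\msupd.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed system.ini: a second program tacked onto shell= is the old
# "Explorer.exe <trojan>" trick, easy to miss because Explorer still starts.
SYSTEM_INI = """[boot]
shell=Explorer.exe c:\\windows\\svch0st.exe
drivers=mmsystem.dll

[386Enh]
device=*vpowerd
"""

# Constructed regedit export (REGEDIT4 format) of the per-machine Run key.
RUN_KEY_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"msupd"="C:\\WINDOWS\\SYSTEM\\msupd.exe"
"""

# Assumed baseline: program names a stock Windows 9x install starts itself.
BASELINE = {"explorer.exe", "scanregw.exe", "systray.exe", "rundll32.exe"}

EXE_RE = re.compile(r'[^\s",]+\.(?:exe|com|scr|bat|pif)', re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def programs(command):
    """Lower-cased basenames of every executable named on a command line."""
    return [m.group(0).rsplit("\\", 1)[-1].lower() for m in EXE_RE.finditer(command)]


def ini_autostarts(win_ini=WIN_INI, system_ini=SYSTEM_INI):
    """(location, command) pairs from win.ini load=/run= and system.ini shell=."""
    found = []
    win = configparser.ConfigParser(interpolation=None, strict=False)
    win.read_string(win_ini)
    for key in ("load", "run"):
        value = win.get("windows", key, fallback="").strip()
        if value:
            found.append(("win.ini [windows] %s=" % key, value))
    sysini = configparser.ConfigParser(interpolation=None, strict=False)
    sysini.read_string(system_ini)
    shell = sysini.get("boot", "shell", fallback="").strip()
    if shell:
        found.append(("system.ini [boot] shell=", shell))
    return found


def reg_autostarts(reg_text=RUN_KEY_REG, key_suffix="\\CurrentVersion\\Run"):
    """(value path, command) pairs for every value under a ...\\Run key in a .reg export."""
    found, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = REG_VALUE_RE.match(line)
        if m and current and current.endswith(key_suffix):
            # REGEDIT4 escapes backslashes and quotes inside string values.
            command = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            found.append((current + "\\" + m.group(1), command))
    return found


def suspicious(entries, baseline=BASELINE):
    """Entries that start at least one program outside the baseline."""
    flagged = []
    for location, command in entries:
        unknown = [p for p in programs(command) if p not in baseline]
        if unknown:
            flagged.append((location, command, unknown))
    return flagged


def review():
    return suspicious(ini_autostarts() + reg_autostarts())


if __name__ == "__main__":
    for location, command, unknown in review():
        print("%-60s %s" % (location, ", ".join(unknown)))
```

On a real box, feed it the actual win.ini and system.ini and a `regedit /e` export of the Run key; the shell= check matters because Explorer still comes up normally when a second program is appended, so nothing looks wrong on screen.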

Startup CPL

► Installed as a control panel utility
► Similar to MSConfig
► Easy to use

Analyzing the Boot Log

► Use the BLA on the Tools CD
► Reads the Bootlog.txt file generated by Windows and "decodes" it
► Maybe it's useful to you...
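What "decoding" the boot log amounts to is pairing every "Loading"/init line with the success or failure line that should follow it; the driver that failed, or the last one that started and never finished, is what you are looking for. The script below is an added example of that logic, not the BLA tool from the Tools CD. The log is constructed, following the `[stamp] Stage = Name` line layout Windows 9x writes to Bootlog.txt; the stage names it understands are the documented ones (Loading Vxd/Device, LoadSuccess, LoadFailed, SYSCRITINIT, DEVICEINIT and their SUCCESS counterparts).

```python
"""Decode a Windows 9x Bootlog.txt the way the slide's BLA tool does: pair each
"Loading"/init line with its success or failure line and report what failed
and what was started but never finished (the last unfinished item is the usual
hang culprit). Added example; the log below is constructed, following the
"[stamp] Stage = Name" layout Windows 9x writes."""
import re

BOOTLOG = """[000B5E12] Loading Device = C:\\WINDOWS\\HIMEM.SYS
[000B5E12] LoadSuccess   = C:\\WINDOWS\\HIMEM.SYS
[000B5E1A] Loading Vxd = VMM
[000B5E1A] LoadSuccess = VMM
[000B5E1B] Loading Vxd = vnetbios.vxd
[000B5E1B] LoadFailed = vnetbios.vxd
[000B5E1C] Loading Vxd = ndis.vxd
[000B5E1C] LoadSuccess = ndis.vxd
[000B5E2C] SYSCRITINIT = VMM
[000B5E2C] SYSCRITINITSUCCESS = VMM
[000B5E2E] DEVICEINIT = VMM
[000B5E2E] DEVICEINITSUCCESS = VMM
[000B5E2F] DEVICEINIT = ndis.vxd
"""

LINE_RE = re.compile(r"^\[([0-9A-Fa-f]+)\]\s+(.+?)\s*=\s*(.+?)\s*$")


def decode_bootlog(text=BOOTLOG):
    """Return {'failed': [...], 'unfinished': [...]} as (phase, name, line) tuples."""
    pending = {}        # (phase, lowercase name) -> (line number, name as logged)
    failed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw)
        if not m:
            continue                      # blank or free-form line
        _stamp, stage, name = m.groups()
        stage = stage.upper()
        key = name.lower()
        if stage.startswith("LOADING "):               # Loading Vxd / Loading Device
            pending[("LOAD", key)] = (lineno, name)
        elif stage == "LOADSUCCESS":
            pending.pop(("LOAD", key), None)
        elif stage == "LOADFAILED":
            pending.pop(("LOAD", key), None)
            failed.append(("LOAD", name, lineno))
        elif stage.endswith("SUCCESS"):                # SYSCRITINITSUCCESS, DEVICEINITSUCCESS, ...
            pending.pop((stage[:-len("SUCCESS")], key), None)
        else:                                          # SYSCRITINIT, DEVICEINIT, INITCOMPLETE, ...
            pending[(stage, key)] = (lineno, name)
    unfinished = [(phase, name, lineno)
                  for (phase, _), (lineno, name)
                  in sorted(pending.items(), key=lambda kv: kv[1][0])]
    return {"failed": failed, "unfinished": unfinished}


def likely_hang(text=BOOTLOG):
    """Name of the last item that started but never completed, or None."""
    unfinished = decode_bootlog(text)["unfinished"]
    return unfinished[-1][1] if unfinished else None


if __name__ == "__main__":
    result = decode_bootlog()
    for phase, name, lineno in result["failed"]:
        print("line %d: %s failed during %s" % (lineno, name, phase))
    print("probable hang:", likely_hang())
```

A LoadFailed is not always the problem (plenty of network VxDs fail harmlessly on a standalone box); the entry that never got its SUCCESS line is the better lead when the machine hangs partway through boot.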

That Pesky Driver

Windows installs the same bad driver over and over...

► Finding the hidden folder
  C:\windows\inf\cat
  Deleting the .inf file
  Only works for unsigned drivers not shipped on the Windows CD
► Delete from Device Manager
► Always try to "Update Driver", not "Reinstall Driver"

Escaping DLL-Hell

► DLL Show utility on PC CDs

When all else fails... the BIOS

► Entering the BIOS
► Seek and destroy!
  Eliminate Quick Boot
  Turn off power saving
  Resetting PnP data
► Disabling un-needed peripherals
  IR, COM, parallel, integrated
► Low-level format

Showing Hidden Devices

► Use the registry file on the Tools CD to show hidden devices in Device Manager (Device Manager lists non-present devices once the environment variable DEVMGR_SHOW_NONPRESENT_DEVICES is set to 1 and "Show hidden devices" is ticked on its View menu)
► What's a hidden device, you ask?
  Unplugged PC Cards or USB devices, etc.
  "Ghosting" network adapters

Lost but not forgotten...

Data Recovery...

Spying on Yourself

Security Tools

Port Scanning

► Port scanning yourself is a good way to look for trojans
  1. Superficial - netstat -a (on XP, netstat -ano adds the owning process ID, which is what ties a strange port back to a program)
    Listening
    Established
    Port numbers

Active Ports

► Does not seem to work well with 2k/XP
► Basic port scanning for older systems
  Reasonable at looking for trojans
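Reading netstat by eye works until the list is long; what you are really doing is comparing the bound ports against what the machine should have open and noticing who is connected to anything else. The script below is an added example of that comparison (not Active Ports or any tool from the slides): it parses `netstat -an` output and reports bound ports outside a baseline plus established connections into a port a known trojan uses by default. The netstat output is constructed in the Windows 2000/XP column layout; the BASELINE set is an assumption for a plain Windows 2000 box on a LAN, and the two entries in KNOWN_TROJAN_PORTS are the documented defaults of NetBus (TCP 12345) and Back Orifice (UDP 31337), which a real trojan can be configured away from.

```python
"""Check netstat output the way you'd eyeball it for trojans: anything bound
that is not on a per-machine baseline, plus established connections into a
port a known trojan uses by default. Added example; the netstat output below
is constructed, in the column layout Windows 2000/XP "netstat -an" prints."""

NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:12345     10.0.0.5:2391          ESTABLISHED
  TCP    192.168.1.20:1042      192.168.1.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:31337          *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""

# Assumed baseline for this box: what a clean Windows 2000 install on a LAN
# listens on (RPC endpoint mapper, NetBIOS, SMB). Build yours from a known-good
# machine rather than from a list like this one.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445),
            ("UDP", 137), ("UDP", 138), ("UDP", 445)}

# Documented default ports of two well-known trojans of the era. A real one
# can be configured to any port, so absence from this table proves nothing.
KNOWN_TROJAN_PORTS = {12345: "NetBus (default port)",
                      31337: "Back Orifice (default port)"}


def parse_netstat(text=NETSTAT):
    """Rows of {proto, lhost, lport, fhost, fport, state} from netstat -an output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                   # title, header or blank line
        lhost, lport = parts[1].rsplit(":", 1)
        fhost, fport = parts[2].rsplit(":", 1)
        rows.append({
            "proto": parts[0],
            "lhost": lhost, "lport": int(lport),
            "fhost": fhost, "fport": int(fport) if fport.isdigit() else None,
            "state": parts[3] if len(parts) > 3 else "",   # UDP rows carry no state
        })
    return rows


def unexpected_listeners(rows, baseline=BASELINE):
    """Bound ports not in the baseline, as (proto, port, what it might be)."""
    hits = []
    for r in rows:
        bound = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if bound and (r["proto"], r["lport"]) not in baseline:
            hits.append((r["proto"], r["lport"],
                         KNOWN_TROJAN_PORTS.get(r["lport"], "unknown")))
    return hits


def suspicious_connections(rows):
    """Established connections into a local port a known trojan uses by default."""
    return [(r["lport"], r["fhost"], KNOWN_TROJAN_PORTS[r["lport"]])
            for r in rows
            if r["state"] == "ESTABLISHED" and r["lport"] in KNOWN_TROJAN_PORTS]


if __name__ == "__main__":
    rows = parse_netstat()
    for proto, port, note in unexpected_listeners(rows):
        print("unexpected %s listener on port %d: %s" % (proto, port, note))
    for port, host, note in suspicious_connections(rows):
        print("%s is connected to local port %d: %s" % (host, port, note))
```

Treat the "unknown" listeners as the real finding and the trojan-port names as a hint only; the next step on XP is `netstat -ano` to get the PID and see which process owns the port.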

SpyWorks or Spyware?

► Very robust suite of something
► Port scanning
► Intrusion detection tools
► Intrusion defense tools
► Key loggers and other sketchiness

Hard Disk Troubles

► Using Norton 2002 Disk Doctor (FAT32 preferred)
  Repairs errors
  Limitations under NTFS
► Scandisk v. chkdsk /f
► fdisk, format (boot disk)
  Lose all data and start over (6 mo)
► FAT32 v. NTFS
  fdisk /mbr (when switching OSes; rewrites only the boot code in the master boot record and leaves the partition table alone, but it also wipes any third-party boot manager living there)
► DelPart.exe - Win 9x over NT/2K
► Low-level format

Scandisk and Chkdsk /f

► Scandisk fixes simple errors on floppies and HDs (first line of defense)
  Doesn't fix things very well
► Chkdsk /f
  Scorched-earth data recovery
  Makes a mess - last resort (lost clusters come back as FILE0000.CHK and so on in a FOUND.000 folder, not as the files they belonged to)

Norton UnErase

► 2 ways for HDs
  Recycle Bin protection
  Boot off the CD - works very well
► Can recover DELETED files quickly and VERY effectively
► Use NDD to recover damaged files first
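UnErase works because deleting a file on FAT only overwrites the first byte of its directory entry with 0xE5 and marks its clusters free; the name (minus its first letter, which the tool asks you for), size and first cluster stay put until the slot or the clusters are reused. The script below is an added example of that recovery logic, not Norton's code: it reads deleted entries out of a root directory and checks the FAT to see whether the file's clusters are still free. Both the directory and the FAT are constructed, the layouts follow the FAT12 on-disk format, and the cluster size is assumed to be one 512-byte sector as on a floppy; the check also assumes the file was stored contiguously, which is the same assumption every undelete tool has to make.

```python
"""Find deleted files in a FAT root directory the way Norton UnErase does: a
deleted 8.3 entry keeps its extension, size and first cluster and loses only
the first name byte (overwritten with 0xE5), so the file can be re-linked as
long as its clusters have not been handed to something else. Added example on
constructed data; the layouts follow the FAT12 on-disk format, with the
cluster size assumed to be one 512-byte sector as on a floppy."""
import struct

ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # one 32-byte short-name directory entry
ATTR_VOLUME, ATTR_LFN = 0x08, 0x0F
CLUSTER_SIZE = 512                          # assumption: 1 sector per cluster


def make_entry(name, ext, cluster, size, deleted=False, attr=0x20):
    """Build one 8.3 entry (constructed test data only)."""
    short = name.ljust(8)[:8].encode("ascii") + ext.ljust(3)[:3].encode("ascii")
    if deleted:
        short = b"\xE5" + short[1:]
    # fields: name, attr, ntres, create tenths/time/date, access date,
    # first cluster high, write time/date, first cluster low, size
    return ENTRY.pack(short, attr, 0, 0, 0, 0, 0, 0, 0, 0, cluster, size)


def pack_fat12(values):
    """Pack 12-bit cluster values into the FAT12 byte layout (test data only)."""
    fat = bytearray((len(values) * 3 + 1) // 2 + 1)
    for n, v in enumerate(values):
        off = n + n // 2
        word = fat[off] | (fat[off + 1] << 8)
        word = (word & 0x000F) | (v << 4) if n & 1 else (word & 0xF000) | (v & 0xFFF)
        fat[off], fat[off + 1] = word & 0xFF, word >> 8
    return bytes(fat)


def fat12_entry(fat, n):
    """Value of FAT12 entry n (0 = free cluster, 0xFF8-0xFFF = end of chain)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF


def directory_entries(dir_bytes):
    """Yield (deleted, name, first_cluster, size) for each short-name entry."""
    for off in range(0, len(dir_bytes) - ENTRY.size + 1, ENTRY.size):
        fields = ENTRY.unpack_from(dir_bytes, off)
        short, attr, cluster, size = fields[0], fields[1], fields[10], fields[11]
        if short[0] == 0x00:
            break                              # nothing allocated past this slot
        if attr == ATTR_LFN or attr & ATTR_VOLUME:
            continue                           # long-name piece or volume label
        deleted = short[0] == 0xE5
        base = short[:8].decode("ascii", "replace").rstrip()
        ext = short[8:].decode("ascii", "replace").rstrip()
        if deleted:
            base = "?" + base[1:]              # first letter is gone; UnErase asks you for it
        yield deleted, base + ("." + ext if ext else ""), cluster, size


def deleted_entries(dir_bytes):
    return [(name, cluster, size) for deleted, name, cluster, size
            in directory_entries(dir_bytes) if deleted]


def recoverable(fat, cluster, size, cluster_size=CLUSTER_SIZE):
    """True if the clusters a (contiguous) deleted file occupied are still free."""
    needed = max(1, -(-size // cluster_size))
    return all(fat12_entry(fat, c) == 0 for c in range(cluster, cluster + needed))


# Constructed root directory: one live file, two deleted ones, end marker.
ROOT_DIR = b"".join([
    make_entry("README", "TXT", 2, 900),
    make_entry("THESIS", "DOC", 5, 1200, deleted=True),   # clusters 5-7 still free
    make_entry("SECRET", "XLS", 8, 600, deleted=True),    # cluster 8 since reused...
    make_entry("NOTES", "TXT", 8, 300),                   # ...by this file
    b"\x00" * ENTRY.size,
])

# Constructed FAT: README.TXT is 2->3->EOF, NOTES.TXT owns cluster 8, rest free.
FAT = pack_fat12([0xFF0, 0xFFF, 3, 0xFFF, 0, 0, 0, 0, 0xFFF, 0, 0, 0])

if __name__ == "__main__":
    for name, cluster, size in deleted_entries(ROOT_DIR):
        print(name, "cluster", cluster, "size", size,
              "recoverable" if recoverable(FAT, cluster, size) else "clusters reused")
```

The "clusters reused" case is why the slide's advice to boot off the CD matters: every write to the disk after the deletion, including installing a recovery tool onto it, is a chance for the freed clusters to be handed out again.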

Floppy Recovery

► Same basics: scandisk, chkdsk /f, NDD
► Can also use a hex editor to grab TEXT ONLY from files
  Slow and tedious
  Use searching
► WinHex on the Tools CD
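The hex-editor approach is the same job every time: scroll the raw disk for runs of readable text, or search for a word you know was in the document and look at the bytes around the hit. The script below is an added example that does both over a raw image (it is not WinHex or anything from the Tools CD): it lists every run of printable ASCII and does a case-insensitive search that reports the offset, the 512-byte sector and a hex-editor style snippet. The image is constructed, with two text fragments dropped into non-text filler at known offsets so the results can be checked.

```python
"""Pull readable text out of a raw floppy image and search it, the job the
slide does by hand in a hex editor. Added example; the image below is
constructed (pseudo-random filler around two text fragments), so offsets are
known and checkable. Sector numbers assume 512-byte sectors."""
import re

SECTOR = 512

# Constructed image: filler that never forms 8 printable bytes in a row, with
# two text fragments dropped in at known offsets (200 and 648).
FILLER1 = bytes((i * 37) % 256 for i in range(200))
FILLER2 = bytes((i * 53) % 256 for i in range(400))
IMAGE = (FILLER1
         + b"Dear Professor,\r\nThe thesis draft is attached.\r\n"
         + FILLER2
         + b"Budget: THESIS printing $40"
         + b"\x00" * 100)


def text_runs(data, min_len=8):
    """(offset, text) for every run of at least min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e\r\n\t]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def find_text(data, needle, context=24, sector=SECTOR):
    """Case-insensitive search; each hit carries offset, sector and a hex-editor
    style snippet with unprintable bytes shown as '.'."""
    hits = []
    for m in re.finditer(re.escape(needle.encode("ascii")), data, re.IGNORECASE):
        lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
        snippet = bytes(b if 0x20 <= b < 0x7F else 0x2E for b in data[lo:hi]).decode("ascii")
        hits.append({"offset": m.start(), "sector": m.start() // sector, "snippet": snippet})
    return hits


if __name__ == "__main__":
    for off, text in text_runs(IMAGE):
        print("%06x: %r" % (off, text))
    for hit in find_text(IMAGE, "thesis"):
        print("%06x (sector %d): %s" % (hit["offset"], hit["sector"], hit["snippet"]))
```

Run it against an image taken with a sector-level copy of the floppy rather than the floppy itself, so a failing disk is read once; and remember this only ever gives you text, so a Word or Excel file comes back as its strings, not as a document.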

How to succeed as a UA without really trying...

Automating Tasks (or borrowing)

Network Enema

► New for Fall 2002
► Safer on Windows XP
► Less filling, same great taste

The Big Finale...

This year's new tool!!!

Which would you rather have?

► Netconfig.exe
  Instantly enables DHCP
  Removes proxy settings
  Configures for LAN
  Removes DNS entries
  Removes static IP
  Releases and renews
  No reboot - runs in 10 s

Additional Resources

► AdvTeam webpage
► Chris' webpage (http://fas/~cconlon) - IE only!
► www.driverguide.com (drivers:all)
► www.regedit.com