Troubleshooting Windows with Selectel Rescue
Any user can run into serious issues: viruses, physical disk damage, errors updating the system, etc. In these situations, most Windows resources aren’t terribly useful. There is, however, another way to troubleshoot these errors: by using Linux.
Any client of our dedicated server service can access Rescue Mode directly from the control panel. To troubleshoot Windows, a Linux system is launched in the server’s memory. Our Rescue Mode has been loaded with all the utilities necessary to perform a diagnosis, so there is no need to install any additional software.
We’ll talk about fixing the most common issues below. We hope not only our users, but new system administrators and tech support employees find these materials useful as well.
Dynamic Disks: ldmtool
Windows servers often use what are called dynamic disks. In terms of capabilities, they are similar to Linux LVM volumes. The technology behind dynamic disks lets you consolidate individual disks into a single volume, stripe data across multiple disks, and mirror data across several disks to increase reliability and fault tolerance (the equivalents of RAID0, RAID1 and RAID5).
These dynamic disks can be managed in a Linux environment using ldmtool.
Let’s take the following case: a server no longer boots and, to avoid any data loss, we need immediate access to the data stored on it.
This problem can be easily solved with ldmtool. First we load up Rescue Mode and scan the system for dynamic volumes:
# ldmtool scan
The command prints the GUIDs of the disk groups it found, as a JSON array:
[ "cc085e40-8ddd-11e5-80b9-003048db0adf" ]
For more detailed information, we enter the following command:
# ldmtool show diskgroup cc085e40-8ddd-11e5-80b9-002048db0adf
{
  "name" : "CS18298-Dg0",
  "guid" : "cc085e40-8ddd-11e5-80b9-002048db0adf",
  "volumes" : [ "Volume2", "Volume1", "Volume3" ],
  "disks" : [ "Disk1", "Disk2" ]
}
# ldmtool show volume cc085e40-8ddd-11e5-80b9-002048db0adf Volume2
{
  "name" : "Volume2",
  "type" : "mirrored",
  "size" : 235536384,
  "chunk-size" : 0,
  "hint" : "C:",
  "partitions" : [ "Disk1-02", "Disk2-02" ]
}
# ldmtool show partition cc085e40-8ddd-11e5-80b9-002048db0adf Disk1-01
{
  "name" : "Disk1-02",
  "start" : 718785,
  "size" : 235536384,
  "disk" : "Disk1"
}
Now we can mount the volume we need:
# create the device-mapper nodes for the disk group
# ldmtool create cc085e40-8ddd-11e5-80b9-002048db0adf
Afterwards, the volume will be available at /dev/mapper/ldm_vol_FOOBAR-Dg0_Volume1 (where FOOBAR-Dg0 stands for the disk group name, CS18298-Dg0 in the example above), and it can be mounted using ntfs-3g.
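The scan, show and create steps above, driven from a script, as an added example that is not code from the original article or from the ldmtool project. It parses ldmtool's JSON output with sed, derives the /dev/mapper/ldm_vol_<disk group>_<volume> device name the article shows, and mounts each volume read-only (mount -t ntfs-3g -o ro rather than the plain mount shown above), so a recovery session writes nothing to the volumes being recovered. The JSON snippets in the comments are constructed copies of the article's output; rescue_mount_all only does anything where ldmtool actually exists, i.e. inside Rescue Mode.

```shell
#!/bin/sh
# Added example, not part of the original article or of ldmtool itself:
# automate "ldmtool scan" -> "ldmtool create" -> read-only mount.

# Join a (possibly multi-line) JSON text into one line for the sed patterns below.
oneline() {
    printf '%s' "$1" | tr '\n' ' '
    echo
}

# Print every quoted string in a JSON fragment, one per line.
json_strings() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*"\([^"]*\)".*/\1/p'
}

# GUIDs from "ldmtool scan" output, e.g. [ "guid1", "guid2" ] (constructed shape
# matching the article's output).
ldm_guids() {
    json_strings "$(oneline "$1")"
}

# Value of a scalar string key in "ldmtool show ..." output: json_field "$json" name
json_field() {
    oneline "$1" | sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p"
}

# Members of an array-valued key, one per line: json_list "$json" volumes
json_list() {
    json_strings "$(oneline "$1" | sed -n "s/.*\"$2\" *: *\[\([^]]*\)].*/\1/p")"
}

# Device node ldmtool creates for a volume, following the naming shown in the
# article: /dev/mapper/ldm_vol_<disk group name>_<volume name>.
ldm_device() {
    printf '/dev/mapper/ldm_vol_%s_%s\n' "$1" "$2"
}

# Scan, create the device-mapper nodes and mount every volume read-only under $1.
rescue_mount_all() {
    root=${1:-/mnt/ldm}
    command -v ldmtool >/dev/null 2>&1 || { echo "ldmtool not found" >&2; return 1; }
    ldm_guids "$(ldmtool scan)" | while read -r guid; do
        ldmtool create "$guid" >/dev/null || continue
        dg=$(ldmtool show diskgroup "$guid")
        name=$(json_field "$dg" name)
        for vol in $(json_list "$dg" volumes); do
            mkdir -p "$root/$vol"
            # -o ro: never write to a volume that is being recovered
            mount -t ntfs-3g -o ro "$(ldm_device "$name" "$vol")" "$root/$vol" ||
                echo "could not mount $vol" >&2
        done
    done
}

# Usage inside Rescue Mode:  sh ldm-rescue.sh run /mnt/ldm
if [ "${1:-}" = "run" ]; then
    rescue_mount_all "${2:-/mnt/ldm}"
fi
```

Mounting read-only is deliberate: if the volume later has to be imaged or handed to an analyst, nothing in the recovery session has altered it, and remounting read-write is a single explicit step once the data has been copied off.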
Working with NTFS File Systems: ntfs-3g
As we’ve already mentioned, NTFS partitions can be mounted using ntfs-3g, a free implementation of the Windows NTFS file system with read and write support.
The ntfs-3g package also ships the ntfsprogs utilities, which include tools for repairing damaged NTFS volumes and for backing up and restoring data.
Before we start working with NTFS, we need to mount the appropriate partition. This can be done using the traditional mount command:
# mount -t ntfs /dev/mapper/ldm_vol_FOOBAR-Dg0_Volume1 /mnt/
We can also access ntfs-3g directly:
# ntfs-3g /dev/mapper/ldm_vol_FOOBAR-Dg0_Volume1 /mnt
Once the drive has been mounted, we can start restoring data. This is where the ntfsprogs tools will come in handy.
To check the file system and repair any inconsistencies, we use ntfsfix. Below is an example of how it is used:
# unmount the NTFS partition
# umount /dev/sda2
# run ntfsfix
# ntfsfix /dev/sda2
Mounting volume... OK
Processing of $MFT and $MFTMirr completed successfully.
NTFS volume version is 3.1.
NTFS partition /dev/sda2 was processed successfully.
# remount the NTFS partition
# mount /dev/sda2
ntfsclone creates an image of the file system, which can later be deployed on another server:
# ntfsclone -o win.img /dev/sda2
If we suspect the disk has been physically damaged, we can use the --rescue option, which continues past unreadable sectors instead of aborting:
# ntfsclone --rescue -o win.img /dev/sda2
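Two guard rails around the ntfsfix and ntfsclone steps above, as an added example that is not code from the original article or from ntfsprogs: ntfsfix must only ever run on an unmounted volume (the article unmounts first for that reason), and a rescue image should exist, with a recorded checksum, before any repair is attempted, so a repair that goes wrong can be rolled back. The mount-table check parses the /proc/mounts format and is exercised below with a constructed excerpt; the sha256 manifest convention is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: image first, repair second,
# and never touch a volume that is still mounted.

# Return 0 if block device $1 appears as a mount source in the mount table $2
# (defaults to the live /proc/mounts). Format: "<source> <mountpoint> <fstype> <options> 0 0".
is_mounted() {
    dev=$1
    table=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { exit !found }' "$table"
}

# Record the SHA-256 of an image next to it, and verify it later. The manifest
# stores the path exactly as given, so verify from the same working directory
# (or use absolute paths).
record_hash() { sha256sum "$1" > "$1.sha256"; }
verify_image() { sha256sum -c "$1.sha256" >/dev/null; }

# Take a rescue image of $1 into $2 with ntfsclone --rescue (skips unreadable
# sectors instead of aborting) and record its checksum.
image_volume() {
    dev=$1; img=$2
    if is_mounted "$dev"; then
        echo "refusing to image $dev while it is mounted" >&2
        return 1
    fi
    ntfsclone --rescue -o "$img" "$dev" || return 1
    record_hash "$img"
}

# Run ntfsfix only when an image of the volume exists and the volume is unmounted.
safe_ntfsfix() {
    dev=$1; img=$2
    if [ ! -s "$img.sha256" ]; then
        echo "no image of $dev recorded yet; run image_volume first" >&2
        return 1
    fi
    if is_mounted "$dev"; then
        echo "$dev is mounted; unmount it before running ntfsfix" >&2
        return 1
    fi
    ntfsfix "$dev"
}

# Usage inside Rescue Mode:
#   image_volume /dev/sda2 /root/win.img && safe_ntfsfix /dev/sda2 /root/win.img
```

The image taken with --rescue is also the copy to hand to a forensic analyst if the "damage" turns out to be malware rather than hardware: the checksum lets anyone confirm later that the image they received is the one taken in the rescue session.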
Resetting Passwords: chntpw
It’s not uncommon for a user to forget their Windows password and thus be unable to access their server. In this situation, we can use Linux to reset or “blank” the password. Rescue Mode includes a tool just for this: chntpw. The process is as follows: load Rescue Mode, mount the partition with the Windows folder, then execute:
# cd /media/win/Windows/System32/config/
# chntpw SAM
That’s it. Once the password has been reset, we can again log into the server.
Editing the Registry: chntpw and registry-tools
Most errors in Windows can only be fixed by editing the registry. For this, we’ll again be using chntpw.
We load up Rescue Mode and mount the NTFS partition like we did before. Then, we execute:
# chntpw -l /media/win/Windows/System32/config/software
Now we can make changes to the registry. To move between keys (branches), we use the command cd; for example:
cd Microsoft/Windows NT/CurrentVersion/Winlogon
To view keys, we use the command dir; to edit them, we use ed:
ed Shell
We can also edit the registry with regshell from the registry-tools package.
When we launch regshell, the registry command line will open. To switch registry keys, we use the command ck (or cd). We can delete keys and values with the commands rmkey and rmval respectively. A new key can be created using the command mkkey. More details on regshell commands can be found in the official manual.
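Both chntpw (the password reset above and the registry edits in this section) and regshell write straight into the hive files under Windows/System32/config, with no undo. The added example below, which is not code from the original article or from chntpw, snapshots the hives before any edit, verifies the snapshot, and afterwards lists which hives actually changed, so an edit can be reverted by copying the snapshot back and the change can be accounted for. The hive names (SAM, SYSTEM, SOFTWARE, SECURITY, DEFAULT) are the standard ones under that directory; the MANIFEST.sha256 file is this example's own convention, and the test data below is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: snapshot registry hives
# before editing them with chntpw or regshell, verify and diff afterwards.

HIVES="SAM SYSTEM SOFTWARE SECURITY DEFAULT"

# Copy every hive present in $1 (the Windows/System32/config directory) into $2
# and write a sha256 manifest there. Prints the number of hives copied.
backup_hives() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    n=0; copied=""
    for h in $HIVES; do
        [ -f "$src/$h" ] || continue
        cp -p "$src/$h" "$dst/$h" || return 1   # -p keeps the original timestamps
        n=$((n + 1)); copied="$copied $h"
    done
    if [ -n "$copied" ]; then
        ( cd "$dst" && sha256sum $copied > MANIFEST.sha256 )
    fi
    echo "$n"
}

# Return 0 if every file in the snapshot directory $1 still matches its manifest.
verify_hives() {
    ( cd "$1" && sha256sum -c MANIFEST.sha256 >/dev/null )
}

# Print the names of hives in $1 that differ from the snapshot in $2
# (run after chntpw/regshell to see exactly which hives were touched).
changed_hives() {
    for h in $HIVES; do
        [ -f "$2/$h" ] || continue
        cmp -s "$1/$h" "$2/$h" || echo "$h"
    done
}

# Usage inside Rescue Mode, before "chntpw SAM" or "chntpw -l .../software":
#   backup_hives /media/win/Windows/System32/config /root/hives-before
#   ... edit ...
#   changed_hives /media/win/Windows/System32/config /root/hives-before
```

After a password reset the only hive that should appear in the changed_hives output is SAM; after a chntpw -l edit of the software hive, only SOFTWARE. Anything else changing is a reason to restore the snapshot and look again.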
Conclusion
In this article, we gave a summary of the main utilities for diagnosing and fixing Windows issues from a Linux environment. If you’ve experienced any of the scenarios that we described, we’d like to hear about it. And if you know of any other useful utilities that we overlooked, please tell us about them in the comments below.