Previous Page | Next Page

  1. Introduction
  2. Capabilities
  3. Structure
  4. The Registry
  5. System and Configuration Files
  6. Security
  7. Application Support
  8. Requirements
  9. Installation
  10. Unattended Installation
  11. Booting
  12. Filesystems
  13. Programs
  14. Control Panel
  15. Tool
  16. Commands
  17. Customization
  18. Environment Variables
  19. Printing
  20. Performance
  21. System Services
  22. Permissions
  23. Groups
  24. User Rights and Auditing
  25. User Profiles
  26. Policies
  27. Network Model
  28. Resource Access
  29. Network Browsing
  30. Protocol Support
  31. RAS
  32. Networking
  33. Backups
  34. Events
  35. Error Handling
  36. Diagnostic Tools
  37. Items to Memorize
  38. Terms
  39. Credits

Windows NT Workstation Error Handling

To perform an emergency repair requires:

  1. Startup disk, otherwise called a boot floppy
  2. Emergency Repair disk

To perform the repair, the system must be booted using the boot floppy then the emergency repair disk must be used when prompted.

Boot Floppy

There are two ways to make a boot floppy:

  1. Format a floppy from NT with the command "format a: /s". Copy the BOOT.INI, NTLDR.EXE, NTDETECT.COM, BOOTSECT.DOS files to the floppy. Possibly copy NTBOOTDD.SYS if the hard drive is a SCSI drive without BIOS enabled. It is also a good idea to copy NTOSKRNL.EXE for a kernel backup.
  2. Access the installation file directory and on a command prompt, type "WINNT /O". It will create three setup disks.

Emergency Repair Disk

The command line utility, RDISK.EXE, is used to create and/or update an emergency repair disk. Important information stored on the disk includes:

  • Source file locations
  • Computer configuration Information
  • The SAM database
  • The system and security registry hives.

Therefore it may be used to restore corrupt files or recover user account information. The emergency repair disk should be updated after user accounts are created or modified and when there are any configuration changes such as a change to the hard drive partitions. The ERD backs up:

  • HKEY_LOCAL_MACHINE\SYSTEM registry entries.
  • HKEY_LOCAL_MACHINE\SOFTWARE registry entries.
  • HKEY_LOCAL_MACHINE\SECURITY registry entries.
  • HKEY_LOCAL_MACHINE\SAM registry entries.
  • The default profile in \WINNTROOT\profile\default user\ntuser.dat
  • \WINNTROOT\System32\autoexec.nt
  • \WINNTROOT\System32\config.nt
  • Setup.log - List of installed files.
  • HKEY_USERS\DEFAULT registry entries.

The Repair Process

To restore a damaged installation, boot the emergency repair disk (ERD). When the repair option is chosen, the following options are presented:

  1. Inspect Registry Files - Allows System and SAM registry files to be displayed and optionally replaced. A system backup and restore is a better method of recovering user account or security information.
  2. Inspect Startup Environment - The BOOT.INI file is copied from the repair disk to the system drive if one was not found on the system.
  3. Verify Windows NT System Files - Tests to be sure the original NT system files are on the system drive. The integrity of the files is also tested. Any installed service packs must be re-installed after this repair.
  4. Inspect Boot Sector - Restores NTLDR on the master boot record of the system disk if it is missing or corrupt.

Recovery Options

Recovery options are controlled using the Control Panel, System applet. The Startup/Shutdown tab is used to select four recovery options.

  1. Write the event to the system log.
  2. Send an administrative alert - An alert is sent to administrators telling them a what computer a stop error occurred on.
  3. Write debugging Information to: - Debug information is written to the file specified in the text box. Debug information includes all memory registers. Microsoft technical support can analyze this file
  4. Automatically reboot - The computer is restarted automatically.

Blue Screen Debugging

Blue screen stop message parts:

  1. When kernel debugger is used, debug port status is displayed.
  2. Error location.
  3. Modules already loaded successfully
  4. Modules on the stack due to be loaded
  5. When the kernel debugger is used, whether a dump file was made along with confirmation of communications parameters is shown.

Stop code meanings:

  • 0x00000000 - Divide by 0 error - Examine memory dump to learn cause.
  • 0x0000000A - IRQL was too high - An application tried to access memory using an invalid IRQL. The cause of this problem is a device driver using improper addresses. REplace or update the driver.
  • 0x0000001E - A driver bug. The second parameter indicates the driver and exception that caused the message.
  • 0x00000051 - Registry error. The registry is corrupt.
  • 0x0000007B - Root device could not be accessed. Caused by a virus, device driver, or hardware failure.
  • 0x0000007F - Unexpected kernel mode trap - RAM or BIOS hardware problem or possible corrupted system drivers.

Kernel Debugger

The I386KD.EXE program is the kernel debugger. Requirements:

  • Running the kernel debugger requires two computers. A host computer receives information from the target computer when the target computer is booting.
  • Both computers must be running the same version of NT.
  • The host computer requires files from the installation CDROM support\debug\platform\symbols directory and software from \support\debug\platform.
  • The following environment variables must be set on the host computer:
    • _NT_DEBUG_PORT - COM1 or 2
    • _NT_SYMBOL_PATH - Where the symbols directory is, normally \WINNTROOT\Symbols.
  • The target computer boot.ini file must include the /DEBUG or /CRASHDEBUG option enabled.

A null modem cable or serial line to RAS on the host computer is used to connect the two computers. If using RAS, the REMOTE command must be used on both computers. The DUMPEXAM.EXE program may be used to view the dump information on the host computer.

Memory Dumping

Memory dumping is enabled using the Control Panel, System appled, Startup/Shutdown tab. The dump file is written to the pagefile.sys file in the system root directory. Requirements for a memory dump are:

  • Paging file must be 1M larger than physical RAM and on the system partition.
  • There must be enough hard drive space to hold the paging file.

The contents of the dump is written to the paging file then to:


DUMPEXAM.EXE can be used to view this file. The application DUMPCHK will check to see if the dump file was correctly made. Syntax of these commands is:

dumpchk [options] Filename

dumpexam [options] Filename

The dumpflop program is used to copy the dumpfile to floppy to send to Microsoft.

dumpflop [options] drive:[Filename]