Monday, December 4, 2006

What are the Safe Mode options? When should I use them?

If you are unable to start your system by using Last Known Good Configuration, Windows XP Professional, Windows 2000 and Windows Server 2003 provide safe mode, a startup option that disables startup programs and nonessential services to create an environment useful for troubleshooting and diagnosing problems. In safe mode, Windows XP/2000/2003 starts a minimal set of drivers that the operating system needs to function. Support for devices such as audio devices, most USB devices, and IEEE 1394 devices is disabled to reduce the variables that you need to account for when diagnosing the cause of startup problems, Stop messages, or system instability.

Logging on to the computer in safe mode does not update Last Known Good Configuration information. Therefore, if you log on to your computer in safe mode and then decide you want to try Last Known Good Configuration, the option to do so is still available.

Essential drivers and system services enabled in safe mode include the following:


  • Drivers for serial or PS/2 mouse devices, standard keyboards, hard disks, CD-ROM drives, and standard VGA devices. Your system firmware must support universal serial bus (USB) mouse and USB keyboard devices in order for you to use these input devices in safe mode.

  • System services for the Event Log, Plug and Play, remote procedure calls (RPCs), and Logical Disk Manager.

Enabling only components needed for basic functionality allows the operating system to start in the following situations:


  • The computer consistently stops responding: You can restart the operating system in safe mode and use the tools described in this appendix to diagnose and resolve problems.

  • The computer starts with a blank or distorted video display: You can start your computer in safe mode and then use Control Panel to select video adapter settings that are compatible with your monitor. New settings take effect when you restart the computer.

  • The computer does not start normally after you install new hardware or software: If recently installed hardware or software prevents you from starting Windows XP Professional in normal mode, you can use safe mode to uninstall software, or to remove or roll back device drivers.

Safe mode helps you diagnose problems. If a symptom does not reappear when you start in safe mode, you can eliminate the default settings and minimum device drivers as possible causes. If a newly added device or a changed driver is causing problems, you can use safe mode to remove the device or reverse the change.

There are circumstances where safe mode will not be able to help you, such as when Windows system files that are required to start the system are corrupted or damaged. In this case, the Recovery Console may help you.

Safe Mode also bypasses startup programs. Bypassing startup programs reduces system complexity and enables you to see whether a startup program is the source of the problem.

In safe mode, the operating system does not run network-based startup programs. To enable network logon scripts in safe mode, select Safe Mode with Networking on the Windows Advanced Options Menu.

To start your computer in safe mode:
  1. Remove all floppy disks and CDs from your computer, and then restart your computer.

  2. When prompted, press F8. If Windows XP Professional starts without displaying the Please select the operating system to start menu, restart your computer. Press F8 after the firmware POST process completes, but before Windows displays graphical output.

  3. From the Windows Advanced Options Menu, select one of the following options:

Safe Mode: Loads the minimum set of device drivers and system services required to start Windows XP/2000/2003. User-specific startup programs do not run.

Safe Mode with Networking: Includes the services and drivers needed for network connectivity. Safe mode with networking enables logging on to the network, logon scripts, security, and Group Policy settings. Nonessential services and startup programs not related to networking do not run.

Safe Mode with Command Prompt: Starts the computer in safe mode, but displays the command prompt rather than the Windows graphical interface.

Enable Boot Logging: Creates a log file (Ntbtlog.txt) in the systemroot folder, which contains the file names and status of all drivers loaded into memory. Systemroot is an environment variable that can vary from one system running Windows XP/2000/2003 to another.

Enable VGA Mode: Starts the computer in standard VGA mode by using the current video driver. This option helps you recover from distorted video displays caused by using incorrect settings for the display adapter or monitor.

Last Known Good Configuration: Restores the registry and driver configuration in use the last time the computer started successfully.

Debugging Mode: Starts Windows XP/2000/2003 in kernel debugging mode, which allows you to use a kernel debugger for troubleshooting and system analysis.

Start Windows Normally: Starts Windows XP/2000/2003 in normal mode.

Reboot: Restart the computer.
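
The log written by Enable Boot Logging supports the comparison described above: drivers that load in a normal boot but not in safe mode are the ones to examine when a symptom disappears in safe mode. This is an added example, not part of the original post; it assumes each logged boot starts with a "Microsoft (R) Windows" header line followed by "Loaded driver" / "Did not load driver" lines, and the sample log and its driver names are constructed.

```python
LOADED = "Loaded driver "
NOT_LOADED = "Did not load driver "


def driver_name(path):
    """Reduce a logged driver path to a lower-case file name for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_boot_log(text):
    """Split Ntbtlog.txt text into one record per logged boot.

    Reading and decoding the file is left to the caller. Lines that appear
    before the first header line are ignored.
    """
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Microsoft (R) Windows"):
            current = {"loaded": set(), "not_loaded": set()}
            sessions.append(current)
        elif current is not None and line.startswith(LOADED):
            current["loaded"].add(driver_name(line[len(LOADED):]))
        elif current is not None and line.startswith(NOT_LOADED):
            current["not_loaded"].add(driver_name(line[len(NOT_LOADED):]))
    return sessions


def normal_only(normal, safe):
    """Drivers loaded in the normal boot that safe mode did not load."""
    return sorted(normal["loaded"] - safe["loaded"])


# Constructed sample: a logged normal boot followed by a safe mode boot.
# exampleaudio.sys and examplevideo.sys are made-up driver names.
SAMPLE_LOG = r"""Microsoft (R) Windows (R) Version 5.1 (Build 2600)
12  3 2006 21:14:02.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver disk.sys
Loaded driver \SystemRoot\System32\DRIVERS\exampleaudio.sys
Loaded driver \SystemRoot\System32\DRIVERS\examplevideo.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
12  4 2006 09:02:47.375
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver disk.sys
Loaded driver \SystemRoot\System32\DRIVERS\vga.sys
Did not load driver \SystemRoot\System32\DRIVERS\exampleaudio.sys
Did not load driver \SystemRoot\System32\DRIVERS\examplevideo.sys
"""

if __name__ == "__main__":
    normal_boot, safe_boot = parse_boot_log(SAMPLE_LOG)
    for name in normal_only(normal_boot, safe_boot):
        print("loaded only in normal mode:", name)
```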

Sunday, December 3, 2006

Updating Windows: critical/optional updates

After you have installed Windows, the device drivers and a firewall, and set up the internet connection, the first thing to do is update the Windows software. Updating Windows is actually very easy. First, visit the Windows Update website: Start, All Programs, Windows Update (or use the following link: windowsupdate.microsoft.com). On the Windows Update website, you have two options:


Install critical updates only (Express Install, High Priority updates)
Install both the critical and optional software updates (Custom Install, High Priority and Optional Updates).

High priority Windows updates

It is very important to install all the critical updates. Without these critical updates, your system has important security issues that need to be fixed as soon as possible. Install the critical updates before you visit other websites! On the Windows Update website, use one of the above options and install all the High priority updates. After you have installed the high priority critical updates, restart Windows and visit the Windows Update website again.

These updates can be massive, especially if Service Pack 2 is not installed yet. If you have SP2 on CD-ROM, you can install it without installing SP1 first. SP2 comes with an auto update function for critical updates (the yellow shield in the system tray) and the Security Center (the red shield in the system tray), which is actually not needed at all. On the page about how to optimize the Windows services, you can read how to disable the Security Center.

Optional software updates

If all critical updates are installed, check the optional updates to enhance your Windows system. You will find updates for the Media Player, Outlook Express, DirectX, .NET Framework and more. After you have installed the optional Windows updates, reboot and check the Windows Update website again until all needed optional and all critical Windows Updates are installed!

Optional hardware updates

You are also able to download updated drivers for the hardware. Although Windows has many built-in device drivers, I prefer to install or update the device drivers with the most recent drivers from the manufacturer.
I have frequently seen things go wrong (blue screen) after updating device drivers from the Windows Update website. That's why you had better install one device driver update at a time. If the new driver is giving a BSOD (Blue Screen Of Death), boot in safe mode (press F8 at reboot), then go to Control Panel, System, tab Hardware, button Device Manager, right click the updated hardware, choose Properties, tab Driver, button Roll Back Driver.

Microsoft-Updates (like MS-Office)
Besides installing the Windows updates, you can choose to update all Microsoft products like MS-Office. To do so, go to the Windows Update page and choose Microsoft-Updates in the menu bar. The update procedure is similar to Windows Update.

Service Packs
If you have just reinstalled Windows XP, it's wise to update directly with the latest available Service Pack. You can download (and install) the Service Pack files directly from the Windows Update site or download the Service Pack file first from the Microsoft Download Center (www.microsoft.com/windowsxp/sp2/default.mspx). You can install the latest service pack directly; there is no need to install the previous service packs!

TIP: After the installation of SP2 there are still many updates to download and install. These updates are also available in one file from the site http://www.autopatcher.com/. AutoPatcher contains all essential and optional updates, which is handy if you have to update multiple Windows installations.

Deleting update files
If all updates are installed (or if you have troubles with the Windows Update website), you can safely delete the files in the following folders:
C:\Windows\System32\Catroot2
C:\WINDOWS\SoftwareDistribution\Download

I can't imagine you would like to roll back the installed high priority Windows updates. To delete the undo files, remove all the hidden folders starting with a "$" in the folder C:\WINDOWS (this can free a lot of hard disk space!). If you are still having Windows update problems, try turning the Windows update function off and on (Control Panel, Automatic Updates).

NOTE: These files are hidden in the Windows Explorer! To unhide: Tools, Folder Options, tab View, enable Display the content of system folders, enable Show hidden files and folders, disable Hide extensions for known file types and disable Hide protected operating system files.

Saving update files (optional for a slow internet connection)

With the new Windows Update software, all updates are stored in the folder C:\WINDOWS\SoftwareDistribution\Download. By copying these files to a safe location, you have a backup for a new Windows installation. This can save a lot of download time, especially if you have a slow internet connection.

NOTE: The files don't have an extension and their names are not helpful either. Add the extension .exe or .msi to get them working (you can rename them to recognize them if you wish). The folder C:\WINDOWS\Downloaded Installations also contains downloaded software updates!

Saturday, December 2, 2006

What is the Sasser worm, and how to fix it?

The Sasser worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. The worm exploits a known Windows vulnerability that is easily patched; however, few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines along with Windows NT and Windows Server 2003.

The patch from Microsoft known as the MS04-011 Security Update fixes the following vulnerabilities:
LSASS Vulnerability
LDAP Vulnerability
PCT Vulnerability
Winlogon Vulnerability
Metafile Vulnerability
Help and Support Center Vulnerability
Utility Manager Vulnerability
Windows Management Vulnerability
Local Descriptor Table Vulnerability
H.323 Vulnerability
Virtual DOS Machine Vulnerability
Negotiate SSP Vulnerability
SSL Vulnerability
ASN.1 “Double-Free” Vulnerability


What are the Symptoms of the Sasser worm?
When you are infected, you'll see a shutdown warning that counts down to zero and then shuts down the system completely. The warning will state "This shutdown was initiated by NT AUTHORITY\SYSTEM". The message will state that the system process lsass.exe terminated unexpectedly.

The message may be prefaced by another message:


You can disable this shutdown by following the steps below during the countdown:

1. Click on Start, Run
2. Type in CMD and press ENTER
3. Type in the following command and press Enter:
SHUTDOWN -A

This will terminate the shutdown; however, in most cases the system may be too unstable to try to recover and may need to be rebooted anyway.

How Does Sasser Infect My Computer?
When W32.Sasser.Worm runs, it does the following:

1) Attempts to create a mutex named Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.

2) Copies itself as to the %Windir% directory. This is usually the C:\WINDOWS or C:\WINNT directory.

3) Adds the value:
"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"= "%Windows%\skynetave.exe"
to the following registry key, so that the worm runs on Windows startup.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4) Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

5) Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

6) Iterates through all the host IP addresses, looking for addresses without any of the following:
127.0.0.1
10.x.x.x
172.16.x.x - 172.31.x.x (inclusive)
192.168.x.x
169.254.x.x

7) Using one of these IP addresses, the worm then generates a random IP address. 52% of the time, the IP address is completely random. 23% of the time, the last three octets are changed to random numbers. 25% of the time, the last two octets are changed to random numbers.
Because the worm can create completely random addresses, any IP range can be infected. This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow that it is barely usable.

8) Connects to the randomly generated IP address on TCP port 445 to determine if a remote computer is online.

9) If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.

10) Uses the shell on the remote computer to connect back to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.

11) The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in 1 minute.

12) Creates a file at C:\win.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.

How Can I Remove the Sasser worm?

Follow these steps in removing the Sasser worm.
1) Disconnect your computer from the local area network or Internet
2) Terminate the running program
Open the Windows Task Manager by pressing CTRL+ALT+DEL and selecting the Processes tab, or by selecting Task Manager and then the Processes tab on WinNT/2000/XP machines.
Locate one of the following programs (depending on variation), click on it and choose End Task or End Process:
avserve.exe
avserve2.exe
skynetave.exe
any process running with the "_up.exe" suffix
Close Task Manager
3) Activate the Windows XP Firewall (if running Windows XP) or another firewall to prevent the worm from shutting your system down while downloading the patches.

To activate the Windows XP firewall, follow these steps.
1. Click on Start, Control Panel
2. Double-click on Networking and Internet Connections, then click on Network Connections
3. Right-click on the connection you use to access the Internet and choose Properties
Click on the Advanced Tab and check the box "Protect my computer and network by limiting or preventing access to this computer from the Internet"
4. Click OK and close out of the Network and Control Panel

Remove the Registry entries

1. Click on Start, Run, Regedit
2. In the left panel go to
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, right-click and delete the following entry
"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"= "%Windows%\skynetave.exe"
Close the Registry Editor

4) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)
5) Click Start, point to Find or Search, and then click Files or Folders.
Make sure that "Look in" is set to (C:\WINDOWS).
In the "Named" or "Search for..." box, type, or copy and paste, the file names:
avserve.exe
avserve2.exe
skynetave.exe
C:\win2.log
6) Click Find Now or Search Now.
7) Delete the displayed files & Empty the Recycle bin
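
The infection steps and the removal steps above rely on the same indicators (Run values, file names, TCP ports 5554 and 9996, and scanning on TCP 445), so they can be checked together. This is an added example, not part of the original post and not a vendor tool; the input shapes, the sample data and the threshold of 20 distinct targets are assumptions.

```python
import re
from collections import defaultdict

# Indicators named in the description above; nothing here comes from another source.
RUN_VALUES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}
LOG_FILES = {r"c:\win.log", r"c:\win2.log"}
DROPPED_COPY = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
WORM_PORTS = {5554: "FTP server used to spread the worm", 9996: "remote shell"}
SCAN_THRESHOLD = 20  # assumption: distinct TCP 445 targets before a source is flagged


def check_host(run_values, file_paths, listening_ports):
    """Return findings for one host snapshot (hypothetical input shape)."""
    findings = []
    for name in run_values:
        if name.lower() in RUN_VALUES:
            findings.append(f"Run value: {name}")
    for path in file_paths:
        base = path.rsplit("\\", 1)[-1].lower()
        if base in RUN_VALUES or DROPPED_COPY.match(base) or path.lower() in LOG_FILES:
            findings.append(f"file: {path}")
    for port in sorted(listening_ports):
        if port in WORM_PORTS:
            findings.append(f"listening on TCP {port} ({WORM_PORTS[port]})")
    return findings


def scanning_sources(conn_lines, threshold=SCAN_THRESHOLD):
    """Flag sources that contacted many distinct hosts on TCP 445.

    Each line is 'src_ip dst_ip dst_port' (a constructed log format).
    """
    targets = defaultdict(set)
    for line in conn_lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines
        src, dst, port = parts[0], parts[1], int(parts[2])
        if port == 445:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample data (not captured from a real system).
SAMPLE_RUN = {
    "avserve2.exe": r"C:\WINDOWS\avserve2.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\avserve2.exe",
    r"C:\WINDOWS\system32\74354_up.exe",
    r"C:\win.log",
    r"C:\WINDOWS\notepad.exe",
    r"C:\WINDOWS\setup_up.exe",  # no digits before _up.exe, so not a match
]
SAMPLE_PORTS = {135, 445, 5554}
SAMPLE_CONNS = [f"192.0.2.10 198.51.100.{i} 445" for i in range(1, 31)] + [
    "192.0.2.11 198.51.100.5 445",
    "192.0.2.11 198.51.100.5 80",
    "garbage line",
]

if __name__ == "__main__":
    for finding in check_host(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_PORTS):
        print(finding)
    print(scanning_sources(SAMPLE_CONNS))
```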







Friday, December 1, 2006

Repair or Reinstall Internet Explorer 6 and Outlook Express 6

According to Microsoft, if you are having trouble with either Internet Explorer 6 or Outlook Express 6 because of damaged files or missing registration information (XP registration trouble, not your name and address) you will need to either reinstall or repair the affected installation. I'm going to go over two ways that Microsoft suggests for dealing with IE6 and OE6 problems. Read over the entire article before making a decision about which method to use. At the end of Method II I've mentioned what I'd consider the best solution to this problem.

Method I
One likely cause of IE6 and OE6 not functioning properly is a corrupted file. Microsoft says this is the "most" likely cause, but I think that's wishful thinking. To run a check on the files and see if one or more is corrupted use the System File Checker that is included with Windows XP.


Click [Start] [Run] and type sfc /scannow in the [Open] box. (Note that there is a space between sfc and /scannow)

In all likelihood you will be prompted to insert the Windows XP CD ROM. If you don't have it available there is no point in continuing unless you have the files available on your hard drive and have changed the location of the XP installation files in the registry. If you do have the files copied to the hard drive, the default install location may be modified using the registry edit shown below.

[Start] [Run] [Regedit]
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.
Data Type: REG_SZ (String Value) // Value Name: SourcePath
Setting for Value Data: [Set using the path to the installation files, i.e. G:\WXPCCP_EN]
Exit Registry and Reboot

Running System File Checker is not a fast process. The machine I use for the majority of my everyday work is only a P-III 866 with 784MB RAM and a 20GB/5400 RPM C drive and it took between 7-8 minutes running off the hard drive. Expect much longer times if you run from the CD. Once the System File Checker has finished, reboot and test to see if the problem has been resolved. If the problem still exists you have three choices.

- In-place upgrade of Windows XP
- Repair Windows XP
- Reinstall Windows XP

Since I'm 100% against upgrade installations of XP I won't recommend that option. A repair of Windows XP may solve the problem, but the fact the problem arose in the first place makes me suspicious of the current installation's overall integrity. I suggest a complete reinstall of XP after backing up all data files. However, before you select any of the above choices, look at Method II below.


Method II

The second method to try and correct the problem involves editing the registry and reinstalling Internet Explorer 6. The standard cautions apply whenever you are editing the registry.

If you are having problems only with Internet Explorer 6, proceed as follows:

[Start] [Run] [Regedit]
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.
Data Type: DWORD // Value Name: IsInstalled
Setting for Value Data: [Change the Value from 1 to 0]
Exit Registry

If you are having problems only with Outlook Express 6, proceed as follows:

[Start] [Run] [Regedit]
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.
Data Type: DWORD // Value Name: IsInstalled
Setting for Value Data: [Change the Value from 1 to 0]
Exit Registry

If you are having problems with both Internet Explorer 6 and Outlook Express 6, proceed as follows:

Change the values in both of the registry keys as outlined above.
Exit Registry

Once you have made the appropriate registry changes, use the link below to download and install Internet Explorer 6. The Internet Explorer 6 download includes Outlook Express 6. Reboot and test for proper operation.

How To Create a Bootable USB Flash Drive

Create Bootable USB Flash Drive
Requirements:

- A computer with a BIOS that allows for booting from a USB port.

- A Bootable floppy disk or CD.
I used a Windows 98 bootable CD. For those who have Dell systems, you can also use the bootable Windows XP CD that is used to reinstall your system with Windows XP.
- Utilities with the ability to create a master boot record, create partitions, set active partitions, and format and transfer boot files to the active partition
- Of course, the USB drive that you want to make bootable
I used a 256MB SanDisk Cruzer Mini USB Flash Drive.

Directions

1. Make the USB drive the first in the drive sequence.

Why?? fdisk does not allow for a partition to be set as ACTIVE (bootable) unless it is the first drive. It is most likely that your hard drive(s) is set as the first drive. This needs to be changed.

How?? Setting your USB drive to be the first in the drive sequence can be done by following ONE of the methods below. No matter which method you follow, the computer MUST be booted with the USB drive plugged into the computer. Take a note of how the options that you are about to change were set before, as they will need to be changed back later.

Method # 1. BIOS drive sequence option.
Depending on your BIOS, there may be an option to change the drive sequence. On mine, there was an option labeled "Hard-Disk Drive Sequence". If your BIOS has this or a similar option, make sure you change the sequence so that the USB Drive is listed first.

Method # 2. Disabling other hard drives.
Again, this is done from the BIOS. Different BIOSes may have different options to disable the hard drive. On mine, the system had just one hard drive. I changed the option labeled "Primary Drive 0" to "OFF".

Method # 3. Unplugging the hard drives.
If your BIOS doesn't have an option to change the drive sequence or to turn off the hard drive, you can turn off your computer and unplug your hard drive(s). Make sure you know what you are doing here. Opening your computer case may result in voiding your computer warranty if you have one.

2. Boot the computer from the boot floppy/CD into the command prompt with the USB Drive plugged in.

3. Run fdisk

4. Use fdisk's "Set Active Partition" (option 2) to set the primary partition on the USB Drive to ACTIVE.
This step assumes that a primary partition already exists on the USB Drive. If this is not the case, use fdisk to create one. As noted in step # 1, fdisk will not allow setting the partition to ACTIVE unless the drive the partition is on is the FIRST in the drive sequence.

5. Exit fdisk.

6. Reboot the computer from boot floppy/CD into the command prompt with the USB Drive plugged in.

7. At the command prompt enter the following command: dir c:
This step is just to verify that the C: drive is actually the primary partition on the USB Drive. Regardless of the result that the command generates whether it be a listing of files or an error message, what is important here is to make sure that the size of the primary partition on the USB Drive is roughly equal to the sum of the empty space and the used space.

8. Format and copy the boot files to the primary partition.
At the command prompt, from the directory where FORMAT.COM is located, enter: format /s c:

9. Run fdisk /mbr
"fdisk /mbr" writes the master boot record, in this case to the USB drive, without altering the partition table information.

10. Restart the computer and choose booting from the USB Drive. If all goes well, you should see a C:> command prompt.

11. Change the computer settings back to what they were before step # 1.

I had a few people e-mail me with an error message "No fixed disks present..." which they encountered when they ran fdisk. Personally, I did not run into this issue or know what is causing it on other people's machines.

Error Message When You Run ScanDisk or Fdisk: No Fixed Disks Present

SYMPTOMS

When you attempt to run the MS-DOS command-line utility fdisk.exe, or when you run ScanDisk from within Windows, you may receive an error message similar to the following:

No fixed disks present.

NOTE: This error message may occur intermittently, and you may receive this error message even though your computer's hard disk is detected in the computer Power On Self Test (POST).

CAUSE

This behavior can occur because of any of the following hardware issues:

• The hard disk is defective or too hot.
• The jumper settings on the hard disk are incorrectly configured.
• The hard disk data cable is defective or too long.
• The hard disk controller is defective or incorrectly configured in the computer BIOS.

Thursday, November 30, 2006

How to Easily Copy an Excel formula without changing its cell references

If you copy a formula from one place to another, Excel will want to readjust the references to reflect the change. However, if you want the formulas to stay the same, Mary Ann Richardson can help end the confusion.

When working with a spreadsheet, when you copy a formula to another location, Excel automatically adjusts the cell references in that formula to the new location. If you do not want to have Excel adjust the cell references, you would have to make them absolute before copying them. Or, you could copy the formula to the clipboard as text before pasting it to its new location.

Follow these steps:
1. Click on the cell containing the formula you want to copy.
2. Press [F2].
3. Click and drag to select the entire formula.
4. Click the Copy button in the Standard toolbar.
5. Press [Enter].
6. Select the cell into which you want to paste the formula.
7. Click the Paste button in the Standard toolbar.

When you copy an Excel formula in this manner, the formula copies as text and will not adjust its cell reference. You can also copy part of a formula this way. For example, you may want to include the formula as part of an If statement in another part of the worksheet.