webpointmorpheus Computer Info
Windows

     Overview      Registry      Swap File      Text      Boot      PnP & Log Files
     Short Cuts      Recovery      NT Family      NT Boot Process      Backups

©2005 - material compiled by Bob Carnaghi, www.webpointmorpheus.com

Overview     Top of Page

The items listed below are some of the highlights of the Windows Operating System. Windows can be divided into two broad categories:

• 9x Systems - Windows 95, Windows 98, Windows ME
• NT Systems - Windows NT 4.0, Windows 2000, Windows XP

Please note that the focus of this document, as well as others in this series, is often slanted to the Windows NT Family of computers. The reason for this is that the preparation of these documents is the result of a study that was undertaken in, and that targeted, a Windows NT Family network environment. Please also keep in mind that the information, as listed, is in no particular order with regards to how the Windows Operating System runs or is built.

The Registry     Top of Page

The Windows Registry consists of two binary files called SYSTEM.DAT and USER.DAT. These two files hold virtually every setting that runs the Windows operating system. In essence, any of the applets that exist in the Control Panel save the changes made in the Registry, and the Control Panel should be the first line of Registry editing. For direct editing of the Registry, one must use the command 'regedt32' from the command prompt, or the older 'regedit' which has a more robust search feature. When opened with a registry editor, the binary files will render the Registry Hives, which differentiate the sections of Windows system settings. CAVEAT EMPTOR: Changes to the registry can be DISASTROUS! An otherwise functional system can be rendered useless by entering the wrong values, or the right values in the wrong place, in the Windows Registry. Be aware also that there are different implementations of the Regsitry used across different versions of Windows. A single map of the Registry may not apply in all cases.

The Registry Hives     Top of Page

1. HKEY_CLASSES_ROOT - a collection of settings for file, program, and class associations.
2. HKEY_CURRENT_USER - stores settings for the current logged-in user.
3. HKEY_LOCAL_MACHINE - stores settings for devices and hardware on the computer.
4. HKEY_USERS - stores settings for all the users who have accounts on the machine.
5. HKEY_CURRENT_CONFIG - more detailed settings for the hardware on the computer, as currently loaded.
6. HKEY_DYN_DATA(Not present in Windows 2k or XP) - Registry data stored in RAM to speed up system configuration.

Swap File     Top of Page

The Windows Swap file (also known as a Paging file) cis a portion of the hard drive that is set apart to assist with running programs. As programs are loaded into active RAM and the amount of RAM needed exceeds the amount available, a portion of the load in current RAM is written to the hard drive. This is Swapping, and is the function of the Swap File. The process is not noticeable to the user, but there is an effective performance hit.

Text Characters     Top of Page

ASCII Characters - 8 bit character map with 2⁸ (256) possibilities.

Unicode Characters - 16 bit character map with 2¹⁶ (65536) possibilities.

Boot Options     Top of Page

Immediately after the POST operation is finished, and before the Operating System takes control of the computer, it's possible to boot the computer into one of several diagnostic modes. These modes can be extremely helpful to troubleshoot an ailing system, and may include the following:

• Normal
• Logged (to Bootlog.txt, tells the real story, saved in the %SystemRoot% directory)
• Step-by-step confirmation (confirms each step of the loading of the OS, amazing)
• Command prompt
• Safe Mode
• Safe Mode with Network Support
• Safe Mode command prompt only

Boot Option Hot Keys
Operating System	Key	Result
Windows 98 (9x)	F4	Boot to previous OS
	F5	Safe Mode
	F6	Safe Mode with Networking
	F8	Forces a ScanDisk
	Left CTRL	Advanced Boot Options
Windows NT	F5, F8	Hopeless
	Spacebar	At correct time, permits 'Last Known Good Configuration'
	All others	Hopeless; verify per installation
Windows 2000, Windows XP	F5, F8	Advanced Boot Options

Plug & Play and Log Files     Top of Page

Plug & Play is designed for hardware installation to require no intervention from the user. Plug & Play requires the following:

• Plug & Play Operating System
• Plug & Play BIOS
• Plug & Play Hardware

Windows 9x Detection Log Files
Log File:	Purpose
SETUPLOG.TXT	Used to log installation of Windows 9x. Will note the last utility run prior to a system halt.
DETCRASH.LOG	Used to log hardware detection during setup. Readable only by setup to determine which module was running when the system halted.
DETLOG.TXT	The same as DETCRASH.LOG, but in a human-readable format.
NETLOG.TXT	Logs detected network component information.

Windows Shortcuts     Top of Page

In the history of the Computer, the mouse came along well into the development of the system. Originally, the keyboard was the sole item for user interaction. Even today, the keyboard is the fastest way to input data, and in times of duress, the only way. Listed here are some of the common key-combination shortcuts.

Windows Shortcut Keys
Press Key(s):	To Perform this Action
CTRL+A	Select all
CTRL+C	Copy
CTRL+X	Cut
CTRL+V	Undo
CTRL+Z	Undo;
CTRL+O	Open an item
CTRL+RIGHT ARROW	Move the insertion point to the beginning of the next word
CTRL+LEFT ARROW	Move the insertion point to the beginning of the previous word
CTRL+DOWN ARROW	Move the insertion point to the beginning of the next paragraph
CTRL+UP ARROW	Move the insertion point to the beginning of the previous paragraph
CTRL+SHIFT with any of the arrow keys	Highlight a block of text
CTRL while dragging an item	Copy selected item
CTRL+SHIFT while dragging an item	Create shortcut to selected item
CTRL+F4	Close the active document in programs that allow you to have multiple documents open simultaneously
CTRL+ESC	Display the Start menu
CTRL + SHIFT + ESC	Windows Task Manager
SHIFT + Dbl Click on a file or folder	Open the item
ALT + Dbl Click on file or folder	Open the item properties
ALT+ENTER	View properties for the selected item
ALT+F4	Close the active item, or quit the active program
ALT+TAB	Switch between open items
ALT+ESC	Cycle through items in the order they were opened
ALT+SPACEBAR	Display the System menu for the active window
ALT+Underlined letter in a menu name	Display the corresponding menu
RIGHT ARROW	Open the next menu to the right, or open a submenu
LEFT ARROW	Open the next menu to the left, or close a submenu
BACKSPACE	View the folder one level up in My Computer or Windows Explorer
ESC	Cancel the current task
DELETE	Delete
SHIFT+DELETE	Delete selected item permanently without placing the item in the Recycle Bin
SHIFT+F10	Display the shortcut menu for the selected item
SHIFT with any of the arrow keys	Select more than one item in a window or on the desktop, or select text within a document
SHIFT when you insert a CD into the CD-ROM drive	Prevent the CD from automatically playing
Underlined letter in a command name on an open menu	Carry out the corresponding command
F2	Rename selected item
F3	Search for a file or folder
F4	Display the Address bar list in My Computer or Windows Explorer
F5	Refresh the active window
F6	Cycle through screen elements in a window or on the desktop
F10	Activate the menu bar in the active program

The Recovery Console     Top of Page

The Windows Recovery Console provides a tech way to interact with the computer and perform some severe tests and diagnostics. The commands are similar to traditional DOS commands, with added spice. List is below.

   Installing the Recovery Console

The recovery console can be installed on Windows 2k and XP as a boot option by following the steps listed below. Although the recovery console doesn't have to be installed on the system, and can be run from the cd to repair a system, installing it will an option at boot time.

1. Log onto the system with administrator privileges.
2. Insert the Windows 2k or XP cd into the CD-Rom drive. If the autorun routine kicks in, say No.
3. Click on Start/Run, or press the Windows Key + R.
4. Type d:\i386\winnt32 /cmdcons
5. If your CD-Rom drive has a different drive letter assigned, make sure to substitute as required.

Windows Recovery Console Commands
Command	Description
attrib	Changes the attributes of selected file or folder
cd (chdir)	Displays the current directory or changes directories
chkdsk	Runs the CheckDisk utility
cls	Clears the screen
copy	Copies from removable media to system folders on hard disk. No wild cards
del (delete)	Deletes service or folder
dir	List the contents of selected directory on system partition only
disable	Disable a service or driver
diskpart	Replaces FDISK - creates/deletes partitions
enable	Enables a service or driver
extract	Extracts components from a .CAB file
fixboot	Writes new partition boot sector on system partition
fixmbr	Writes new Master Boot Record for partition boot sector
format	Formats the selected disk
listsvc	Lists all services on a system
logon	Lets one choose which Windows 2k installation to logon to if there is more than one available
map	Dispalys current drive letter settings
md (mkdir)	Create a directory
more (type)	Display the contents of a text file
rd (rmdir)	Removes a directory
ren (rename)	Renames a single file
systemroot	Makes the current directory system root of the drive logged onto
type	Displays a text file

Windows Command Line Start Options     Top of Page

Windows 9x (WIN.COM) can be started from the command line. Win.com is typically called by Io.sys after the Autoexec.bat file is processed, and starts the Windows 9x startup process. The following options can be employed. This article by Microsoft has more info.

Windows Command Line Start Options
Command	Description
win /b	Creates bootlog.txt while booting.
win /d	Complex switch used with other options.
win /f	Disables 32 bit disk access.
win /v	Starts without disk transfers.
win /m	Starts Windows in safe mode.
win /n	Starts Windows in safe mode with networking.
win /s	When starting, will not use the address space from F0000 to FFFFF.
win /x	When starting, will not use the address space from A000 to FFFF.

Windows NT Family     Top of Page

The Windows NT family of operating systems includes the original Windows NT (versions 3.5 and 4.0), Windows 2000, and Windows XP. These systems were designed from the outset for a secure networked environment. The file system that was introduced with these operating systmes (NTFS) provided a more powerful and robust architecture than the previous FAT16 and FAT32. NTFS 5.0 was introduced with Windows 2000, and added encryption, mount points, disk quotas, and dynamic disks. Windows NTFS offers the following excellent features:

1. Long Filenames - up to 255 characters
2. Redundancy - dual copies of the MFT (Master File Table) stored on the disk
3. Backward compatibility - no problem with DOS or Windows 9x Family files
4. Recoverability - Transaction logging, which keeps track of incomplete transfers and restores the original in the event of an incomplete transaction
5. Security - On a network as well as an individual machine using accounts, passwords, and permissions.

The NT Boot Process     Top of Page

The Windows NT Boot process differs dramatically from the Windows 9x process. One of the distinctions of the 9x family is that it's possible to boot directly to a command prompt, whereas in NT forces a boot to the GUI and then the possibility of a windowed command prompt. Additionally, the boot files and location of boot files are different. The NT Family makes a distinction between the files that start the PC and those that run the PC - the actual OS files themselves. Listed below are the NT Family system partition boot files, then an outline of the process.

1. NTLDR - This is the first Windows file that's invoked, pronounced NT Loader. It's called during the passing of events from BIOS through the MFT (see below.) This file is a compiled binary file, and it's sole purpose is to load just enough intelligence to read and interpret the BOOT.INI file.
2. BOOT.INI - This file is a text file that tells the NTLDR where to find the boot partition (actual location of the OS) for each of the OSs that are available. Note here that the actual OS's don't necessarily have to reside in the same location as the boot files, which are on the boot partition of the system. Also note that the actual systems that are listed in the Windows Root directory are only those that are capable of being interpreted by the Windows OS. In other words, if the disk was partitioned by a utility that will enable more than one primary partition with other operating systems, they may not be available here. A sample of a BOOT.INI file follows.

   [boot loader]
   timeout=10
   default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
   [operating systems]
   multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
   C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows 2000 Recovery Console" /cmdcons
   

3. BOOTSECT.DOS - If the NTLDR determines that another OS was chosen, such as Windows 98, this file is invoked to locate the IO.SYS file in order to load that OS.
4. NTDETECT.COM - If the Windows NT/2000/XP OS was called, that OS is loaded into protected mode, and this file is invoked to detect the installed hardware on the system.
5. NTBOOTDD.SYS - only needed for SCSI controllers that don't have their own ROM BIOS
6. Note that this list DOES NOT include IO.SYS, MSDOS.SYS, CONFIG.SYS, COMMAND.COM, or AUTOEXEC.BAT. The Windows NT Family does not use these files to boot or run, but they may be present in the root directory if the system is set up to dual-boot.

Here's the sequence of events when the PC boots:

1. When the user hits the 'on' switch, power to CPU deemed sufficient.
2. The CPU wakes up. POST (Power On Self Test) is run to determine the state of base system hardware.
3. The CPU loads and runs the BIOS(Basic Input/Output System) routines.
4. When finished, the BIOS sends out a query seeking a valid operating system in the MFT (Master File Table) of the boot sector of the primary, master hard drive. It searches in the order of boot options set in CMOS:
   1. Floppy
   2. CD-ROM
   3. Hard Drive
   4. Etc.
5. The MFT (Master File Table,) which lives in the boot sector of the C: drive, has listed the location of the files that will boot the machine.
6. The NT boot files (the ones listed above) live on the C: drive. By and of themselves, they cannot boot the system. However, they do perform preliminary tasks, and prepare to load NTOSKRNL.EXE, and other files, that comprise the actual OS.
7. Once all this has passed, the focus of attention is passed to the NTOSKRNL.EXE, HAL.DLL, the registry is loaded, device drivers are loaded, etc. from wherever they actually reside. After all this finishes, WINLOGON.EXE is loaded, the user logs in, and applications are ready to load.

Data Backup     Top of Page

Making consistent and current backups of data is of the utmost importance. Backups can be as simple as copying file(s) to a removable disk and storing the disk in a safe location, preferably away from the computer. More complex backups are scheduled and run (usually at night) when convenient, then the backup copy is stored offsite in a safe. The importance of backups becomes apparent when the nightmare of total data loss is realized.

Listed below are four types of data or stages that would be considered for backup:

1. Personal Data - personal files, pictures, documents, etc.
2. Applidation Data - email accounts, program files, address book, etc.
3. System or system state files - the Registry, etc.
4. The entire system

Archive Bit

An important part of the backup process is a file attribute called the archive bit. Backup programs use the archive bit to determine if a file has been changed since it was last backed up. This file attribute may be turned off for the file or folder based upon the backup type that takes place. The archive bit is turned on for a file anytime the file is opened or changed, thereby signaling to the backup program that it needs to be archived. By doing this, the backup program can determine if the file or folder has been accessed since the last backup, and save time and disk space by being selective during the backup process. The archive bit is visible for a file or folder when viewing its properties. The different types of backups, listed below, may change the archive bit for future reference.

Backup Types

1. Copy - copies only selected files and folders, does not turn off the archive bit.
2. Normal or Full - copies every file and floder, turns off the archive bit.
3. Differential - backs up only files and folders that have the archive bit turned on, does not turn off the archive bit.
4. Incremental - backs up only the data changed since the last backup, be it Full or Incremental. This would be the items with the archive bit turned on. Turns off the archive bit.
5. Daily or Daily Copy - Archives all the files that were changed that day. Does not change the archive bit.