Windows Recovery

There are many tools included with Windows designed to help you troubleshoot and repair just about any issue that might come up. Before getting into the exact issues you might face, let’s discuss some of these advanced repair and preinstallation environment repair tools, what they do, and where you can access them. We’ll start with the Windows Recovery Environment.

Windows Recovery Environment (Windows RE)

Windows RE (or WinRE) is a set of tools included in Windows whose purpose is to recover Windows from errors that prevent it from booting; these tools can also be instrumental in fixing issues that cause a computer to “freeze up.” There are several possible ways to access Windows RE; each method varies according to the version of Windows being used.

In Windows 10 and 8, Windows RE is accessed through the Boot Options menu. You can get to Boot Options in a variety of ways, including the following:

• ▸ Right-click the Start button, select Shut down or sign out, and while holding the Shift key, select Restart.

• ▸ In the Command Prompt, type shutdown /r /o and then press Enter.

• ▸ In Windows 10, go to Start > Settings > Update & security > Recovery, and under Advanced Startup click Restart now.

• ▸ Boot to various recovery or boot media; for example, a recovery partition, a Windows USB flash drive or DVD, or the Windows Preinstallation Environment (WinPE), which can be booted from flash drive, disc, and via the Preboot eXecution Environment (PXE). WinPE can be used to run recovery tools such as WinRE, as well as for running drive-cloning utilities. To use WinPE you must first download the Windows Assessment and Deployment Kit (ADK), and then the Windows PE add-on. You can get them from this link: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/download-winpe--windows-pe

Note

In Windows 7, you either boot from the installation media or boot to a special partition on the hard drive that has Windows RE installed. We’ll be focusing on Windows 10 and 8 for this section.

Once the system has rebooted, you should see the Choose an option screen. Selecting Troubleshoot will present several options, including

• ▸ Refresh your PC (Windows 8 only), which saves personal files but removes all programs installed to the desktop and resets PC settings.

• ▸ Reset your PC, which in Windows 8 removes all files and essentially performs a factory reset. In Windows 10 it allows you to keep personal files or remove everything.

• ▸ Advanced Options. Selecting Advanced Options brings up the main tools that a technician will use to troubleshoot a system.

Figure 36.1 shows the Advanced options screen in Windows 10 (version 1803), where the main recovery tools are available. In Windows 7 the equivalent is called System Recovery Options. Table 36.1 describes these options in more depth.

Recovery Option	Description
System Restore	Restores the computer’s system files to an earlier point in time. It’s a way to undo system changes to your computer without affecting your personal files, such as e-mail, documents, or photos. Note: If you use System Restore when the computer is in Safe Mode, you cannot undo the restore operation. However, you can run System Restore again and choose a different restore point, if one exists.
Go back to the previous version	(Windows 10 only.) This allows you to go back to an earlier build of Windows; for example, going back to Windows 10 version 1607 from version 1803. You can also do this from Settings in Windows.
System Image Recovery	These programs are used to restore a hard drive from a backup in select editions of Windows.
Startup Repair	When clicked, this automatically fixes certain problems, such as missing or damaged system files that might prevent Windows from starting correctly. When you run Startup Repair, it scans your computer for the problem and then tries to fix it so your computer can start correctly.
Command Prompt	Advanced users can use Command Prompt to perform recovery-related operations and also run other command-line tools for diagnosing and troubleshooting problems. You will have to log on as an administrator.
UEFI Firmware Settings	(Windows 10 and 8.) Allows a user to access the UEFI from the OS to make changes. (Requires UEFI compatible BIOS.)
Startup Settings	(Windows 10 and 8.) Enables booting to a variety of modes that are explained later in the chapter. To access this in Windows 10, click See more recovery options. This is known as the Advanced Boot Options menu in Windows 7.
Windows Memory Diagnostic	(Windows 7 only.) Scans the computer’s memory for errors. In Windows 10 and 8 this can simply be run from the Command Prompt option with the mdsched command.

ExamAlert

Memorize the different Windows RE options in Windows.

Note

To learn more about WinRE for Windows 10, see this link: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference

To learn more about WinRE for Windows 8, see this link: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/hh825173(v=win.10)

One thing to keep in mind is that Windows will attempt to do a self-repair if it senses a boot issue. This will occur first when you start, or restart, the system. If this automatic repair does not fix the problem, the Windows Recovery Environment is your next stop. But in some cases, you need to boot the system in a different way in order to fix a problem. Let’s discuss advanced booting now.

Startup Settings and Advanced Booting

If Windows is not functioning properly, the culprit might be a video driver, new configuration, or other system issues. There are several startup options—such as Safe Mode—that can aid in fixing these problems. Historically, these options were accessed by pressing the F8 key immediately after the computer starts up. When you do so it displays the Windows Advanced Boot Options menu, which is what you need to use in Windows 7. These are effectively the same options as shown in the WinRE Startup Settings in Windows 10/8, with slight name changes and rearrangement.

While the F8 keypress is still supported by Microsoft, and it works in Windows 7 by default, it does not work in Windows 10/8 by default. To enable F8 functionality in Windows 10 and 8, type the following into the Command Prompt (as an admin):

Click here to view code image

bcdedit /set {default} bootmenupolicy legacy

That effectively replaces the Startup Settings version. To disable it, and go back to the Startup Settings version, use the same command but replace legacy with standard.

The Startup Settings window and the Advanced Boot Options menu have essentially the same options, with one difference—the Advanced Boot Options menu includes the Repair Your Computer option, which will automatically attempt to fix Windows issues for you. That’s not included in the Startup Settings window because there are several automated repair options elsewhere in WinRE. You will most likely use Startup Settings more often, so let’s show and describe that. Figure 36.2 shows an example of the Startup Settings window as displayed in Windows 10. Table 36.2 describes the options as listed in the Startup Settings window. Note that you can use the F1–F9 function keys to select the corresponding startup options.

Startup Setting	Description
1) Enable debugging	Enables the use of a debug program to examine the system kernel for troubleshooting.
2) Enable boot logging	Logs the boot process and creates a ntbtlog.txt file. This is stored in the %systemroot%.
3) Enable low-resolution video	Uses a standard VGA driver in place of a GPU-specific display driver but uses all other drivers as normal, typically at 640×480 resolution.
4) Enable Safe Mode	Starts system with a minimal set of drivers; used in case one of the drivers fails. Safe Mode is a good option when attempting to use System Restore and when scanning systems for viruses. It is also a good option if you encounter a Blue Screen of Death (BSOD) error, and you need to roll back a driver. You can also initiate Safe Mode (and its derivatives) by opening the System Configuration utility (Run > msconfig), accessing the Boot tab, checking Safe boot, and restarting the computer.
5) Enable Safe Mode with Networking	Starts system with a minimal set of drivers and enables network support.
6) Enable Safe Mode with Command Prompt	Starts system with a minimal set of drivers but loads Command Prompt instead of the Windows GUI.
7) Disable driver signature enforcement	Enables drivers containing improper signatures to be installed.
8) Disable early launch anti-malware protection	(Windows 10/8 only.) Rootkits can infect a system early on as it boots and some anti-malware programs are designed to check for these early on in the boot process. But in some cases, you need to disable these anti-malware programs to diagnose and fix the system; for example, when using System Restore.
9) Disable automatic restart after failure	Prevents Windows from automatically restarting, if an error causes Windows to fail. Choose this option only if Windows is stuck in a loop in which Windows fails, attempts to restart, and fails again repeatedly.

ExamAlert

Know the various Startup Settings (such as Safe Mode) and know what they do.

Boot Errors

There are various reasons why a computer will fail to boot. If it is operating system-related, you usually get some type of message that can help you to troubleshoot the problem. Windows uses the bootmgr and BCD files during the startup process. If these files are corrupted or missing, you will get a corresponding error message. Two common errors are “Bootmgr is missing” and “The Windows Boot Configuration Data file is missing required information.” Let’s talk about each of these now.

Bcdedit /export C:BCD_Backup
ren c:ootcd bcd.old
Bootrec /rebuildbcd

Improper and Spontaneous Shutdowns

You’ve probably seen a Windows computer fail and reboot with a message such as Windows was shut down improperly. Improper shutdowns and spontaneous shutdowns could happen for a variety of reasons: brownouts or blackouts, power surges, hardware failures, a user inadvertently unplugging the computer, or perhaps a virus or other malware. It can be a disturbing phenomenon to users and one that could be going on for a while, so be patient with the user (and the computer) when troubleshooting this problem.

Some of the methods you can use to troubleshoot these issues include

• ▸ Check the Event Viewer: Look in the System log to see if there are any alerts about hardware failures, service failures, and so on. If there is an alert, consider upgrading the driver for the affected hardware or upgrading the software that the service is dependent on. Ensure the computer is running the latest updates.

• ▸ Use MSConfig (System Configuration utility): On the General tab, select the Selective startup checkbox and the Load startup items checkbox. To weed out third-party program issues, click the Services tab, click the Hide all Microsoft services checkbox, and then click Disable all. Restart the system and see if the same issues return or if events are still written to the Event Viewer. Remember to restore Normal startup in MSConfig when finished troubleshooting.

• ▸ Boot into Safe Mode: Use Safe Mode to further investigate the problem. Safe Mode uses only the most basic drivers, so if it is a driver issue, this could help you find out about it. Don’t forget, you can also use Safe boot in MSConfig.

• ▸ Run a virus scan: Run a scan for malware and quarantine anything unusual. Update the antivirus software when you are finished.

• ▸ Check power: Make sure the AC outlet is wired properly and is supplying clean power. Verify that the power plug is firmly secured to the computer. If necessary, you might have to check the power supply. Intermittent and unexplainable shutdowns can sometimes be linked to power supplies or other hardware failures.

• ▸ Use Windows RE: If necessary, use the Windows Recovery Environment to troubleshoot spontaneous shutdowns.

Stop Errors

A stop error (also known as a Blue Screen of Death [BSOD]) is the worst type of error that can happen while Windows is operating. It completely halts the operating system and displays a blue screen with various text and code. (In Window 10, you might see a sad face with a QR code, among other things.) Anything you were working on is, for the most part, lost. In some cases, it reboots the computer after a memory dump has been initiated. (This is also known as auto-restart.) If not, you need to physically turn off the computer off with the Power button and turn it back on. Some BSODs happen only once, and if that is the case, you need not worry too much. But if they happen two or three times or more, you should investigate. Quite often they are due to a hardware issue, such as improperly seated memory or a corrupt driver file. If you see two columns of information with a list of drivers and other files, a driver issue could be the culprit. Look at the bottom of the second (or last) column and identify the driver that has failed (for example, ntfs.sys). These drivers can become corrupt for a variety of reasons and would need to be replaced when you boot into Windows. Or if you can’t boot into Windows and Windows does not auto-repair the file, you can replace the driver from within Windows RE’s Command Prompt. Less commonly, a BSOD might be caused by a memory error that will have additional code that you can research on Microsoft’s websites (Microsoft Support and TechNet).

By default, three things happen when a stop error occurs:

1. An event will usually be written to the System log within the Event Viewer, if that option has been selected in the Startup and Recovery window, as shown in Figure 36.3. When a stop error is written to the System log, it may be listed as an Information entry, not as an Error entry. The stop error will be listed as “The computer has rebooted from a bugcheck. The bugcheck was: error number.” Use the error number to look up the problem—and hopefully find a solution—on Microsoft Support and/or TechNet.

   

   The settings shown in Figure 36.3 can be accessed from the Advanced tab in the System Properties dialog box (which you can access directly via Run > SystemPropertiesAdvanced.exe). Click the Settings button in the Startup and Recovery area to access the Startup and Recovery window.

2. Windows will write debugging information to the hard drive for later analysis with memory dump debugging programs; this debugging information is essentially the contents of RAM. The default setting in Windows is to only write a portion of the contents of RAM, known as a Kernel Memory Dump. The Kernel Memory Dump is saved as the file %SystemRoot%Memory.dmp. You can also select a Small Memory Dump; this is written to %SystemRoot%Minidump. Windows supports the option for a Complete Memory Dump, which dumps the entire contents of RAM to a file again named Memory.dmp. To support the Complete Memory Dump, the paging file must be large enough to hold all the physical RAM plus 1 MB.

   Note

   For more information about the various dump files, visit https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/varieties-ofkernel-mode-dump-files

3. The computer automatically restarts (if that option is selected, which is the default in Windows).

Restoring Windows

Beyond even stop errors, a complete system failure is when a system cannot be repaired. When this happens, the only options are to reinstall Windows or to restore Windows. There are several methods for restoring Windows, including

• ▸ All Windows: Boot to the Windows installation media (USB flash drive, DVD, etc.), then click the repair option. At the main Windows RE Advanced options (or System Recovery Options) window, select System Image Recovery. Provide backup media.

• ▸ Windows 7: Boot to the Windows installation media, then click the repair option, and at the first System Recovery Options window (with the possible list of operating systems), select the Restore your computer using a system image that you created earlier option (you will be required to provide the backup media).

• ▸ All Windows: Reset the system to a factory image stored on a separate partition of the hard drive. This is common on laptops, especially ones that do not have optical drives. Or use third-party tools such as Symantec Ghost or Acronis True Image. Remember, the image needs to be created before the disaster!

There are various other ways to access the utilities mentioned. Refer to earlier parts of this chapter for details or refer to the documentation that came with your third-party software.

Common Windows Symptoms and Solutions

We mentioned a lot of issues and solutions already, but there are a good number of other symptoms that you will encounter when working on Windows. What makes troubleshooting difficult is that there are often several potential solutions to a problem. Let’s fill the gaps by listing some of those symptoms and potential solutions in Table 36.3.

Cram Quiz Answers

1. C. Safe Mode starts the operating system with a minimal set of drivers. Windows RE (WinRE) is the recovery environment used to repair Windows; it exists outside the operating system. System Restore is used to revert back to an earlier point in time of the OS. Debugging mode is one of the Advanced boot options.

2. B. Windows RE includes Startup Repair. File History is the backup and restore feature of Windows 10 and 8. Safe Mode is part of the Startup Settings screen (Windows 10 and 8) and the Advanced Boot Options menu (Windows 7). System Restore is a different tool that is also available in Windows RE; it can be used to restore the computer’s settings to a previous point in time.

3. C. bootrec /rebuildbcd is one of the methods you can try to repair bootmgr in Windows. Msconfig is used to modify how the OS starts up but cannot repair bootmgr.exe. Bootrec /fixboot is used to repair the boot sector. In rare cases, it might be able to fix the bootmgr file. Bootcd is where the boot configuration store is located.

4. D. You should boot into Safe Mode and roll back the drivers of the device in the Device Manager. The drivers that the customer installed were probably corrupt and caused the stop error. There’s no need to remove the device and install it anywhere just yet. Debugging mode probably won’t be necessary for this; it is more commonly used to analyze issues during boot. Never purchase new equipment until you have exhausted all other ideas!

5. B. You should select Refresh your PC. In Windows 8.1 this removes programs that were installed and resets PC settings but it saves personal files. When you select Reset your PC (in Windows 8.1), all files are removed and the system is reset to the original state. In Windows 10, Reset your PC gives you both options. System Recovery Options in Windows 7 is where the Windows Recovery Environment tools are found. The Command Prompt is used to run specific commands (either from within the OS or from Windows RE) and isn’t the best answer for this scenario.

6. A. A BSOD (Blue Screen of Death) is what results from a stop error in Windows. The proper name for it is a stop error.

7. B and C. System Restore is the tool used to restore a computer to an earlier point in time. While this doesn’t completely restore from an image, it is still a form of restoration. System Image Recovery is the Windows 7 solution for restoring an image. File History is used in Windows 10 and 8 to locate files from backup and restore them to the system. Msconfig is used to modify how Windows boots and which services are run.

8. C. Bad drivers could cause a blue screen error (stop error). Blue screens could also be caused by improperly seated RAM, among other hardware issues. A faulty DVD-ROM drive would not cause a blue screen. A CPU installed without a fan would overheat, causing the system to shut down. Incompatible programs simply don’t run.

9. B. Taskkill ends the underlying process of an application, closing the application. Tasklist is used to view which processes are running, their process IDs, and the memory used by each. Shutdown is a command used to turn off the computer in a variety of ways. Convert is used to alter a FAT32 partition to NTFS.

10. A and D. Try cleaning up temp files and cookies (either with a cleanup program or manually). Then, make sure that the client computer’s time is synchronized to the domain controller. Disabling unnecessary services is always a good idea, but it is unlikely that doing so will slow the logon process to the domain that much, especially if the local logon is quick. Updating the BIOS boot order isn’t necessary because the system is booting to Windows just fine. Releasing and renewing the IP address shouldn’t be necessary in this scenario, but it can be helpful when troubleshooting no (or limited) connectivity issues. Remember, troubleshooting is what we do. It’s all about persistence–keep searching for the answer!