You may do exactly the same things using a Windows PE CD
....which we are not allowed access to; thanks, MS...
I've done that using Bart's PE CD, which is the only "PE builder type
CD" I know of that I have legal access to. I specifically tried the
"open hive" approach, and it was greyed out.
Although if you load the registry into your PE's regedit, you
should be able to access the areas commonly affected by malware.
See above. I would dearly have a PE builder CD, but MS lock that down
to large OEMs only. Even MSDN doesn't qualify.
The somewhat intelligent user would run Chkdsk first to see if there are
any errors, then run it again with the /f switch to repair them. Not
terribly different from Scandisk from the enduser point of view.
ChkDsk C: will throw up spurious errors because C: is always "in use".
So you have a choice between a safe ChkDsk you know you can't trust,
and an off-the-leash ChkDsk /F you *have* to trust.
Just load the registry hive off the disk in question manually. Yes,
regedit opens with the PE CD's registry loaded. You wouldn't want to
automatically try and load a hive from a client's machine.
I understand that, and looked for the usual menu approach to load the
HD's hives, and found it was greyed out.
If you are unable to build a PE CD properly you can always get ERD
Commander from Winternals.com.
Cost?
http://www.winternals.com/products/repairandrecovery/ is the
URL, and if I remember from prior correspondence with them, the cost
is exorbitant.
It is preconfigured to allow you to manipulate the
registry on the client machines.
I'll check it out, thanks... yes, BTDT...
<paste>
Within thirty days, you must convert the temporary license to a
permanent license that will be restricted for use on one (1) specific
named machine only. The permanent license will not function on any
other machine. Or you may apply the amount of the purchase price
toward the purchase of an enterprise version of Administrator's Pak or
ERD Commander 2003. Please contact a Winternals representative
</paste>
It's locked to one system, so completely useless for a field tech who
has to work on arbitrary systems. The normal costly option is geared
to sysadmins working within one org (domain-locked, I think it was)
which is also useless for field techs. The licensing fees for
free-ranging uses as per "consultants" are waaay off-scale.
So are you saying it's OK as long as you're a warez-bunny?
NTFS write support for Linux isn't marked dangerous or experimental with
kernel 2.6. Besides, there are other drivers you could use with Linux
like the one from Paragon (http://www.ntfs-linux.com).
Seems like an awful lot of 3rd-party hoops to jump through just to
support a "better", "more secure" file system. I'd rather not depend
on the quality of some arbitrary 3rd-party's reverse-engineered
drivers, thanks... it's like the bad old days of NT; "buy this
expensive professional-grade server OS, and resort to shareware
add-ons if you want to defrag the file system".
Call me back if you ever do complete the product
No, but you can use it to repair many virus problems if you know which
files to delete or replace.
If the thing lets you access those files. And how do you know which
files to access and replace if you can't formally scan the system?
Have you actually ever used it?
Yep.
It doesn't sound like you've tried from your description.
It's fine for quick-fixes, such as FixBoot, FixMBR etc. On a
multi-volume HD, you soon stub your toe on the fact that you aren't
allowed access to the data you purposely kept off C: for safety.
I read up on that, and learned about the registry settings you have
to add (beforehand!) to enable the four Set commands that RC supports.
Once in place, you can use these to actually get access to your data,
so that RC can actually recover something. But even with these in
place, the Copy command will NOT do bulk (wildcard) copies.
The main point of using the recovery console is you can
access it even when safe mode is too corrupted by a virus to function.
No, wildcards don't function like in DOS but this is NT. You can copy,
rename or replace system files and folders, disable or enable services and
devices. It can repair the system boot sector or the MBR and partition
and format drives.
Yep. But as a data evacuation tool, it is useless, not so? And as it
is not an OS, you can't host more competent tools, nor can you run a
virus scanner. So it's exactly what I called it - a non-OS, but
useful collection of tools nonetheless. If there's no built-in tool
for what you want to do, you're stuffed - and the two "biggies" (data
evacuation and formal malware scanning and cleanup) aren't there.
That's much more powerful than some weak DOS utility that just tries to
disinfect files.
Nope, because it can't scan everything to find anything. If you'd
already done a formal scan, detected the malware, looked it up,
determined what registry settings to fix and files to extract into
place, then RC may be up for it - but until you've done that formal
scan, you have no idea of the bounds of what you are dealing with.
To me, NTFS is so much more stable and so much safer that I would never go
back to FAT16 or FAT32.
Well, good luck. Some of us don't accept darkness as the standard.
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
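The registry settings and four Set commands that the thread says must be in place beforehand for the Recovery Console to reach data off C:, as an added example that is not part of the thread or any poster's own material; it assumes an XP-era system with reg.exe and the RecoveryConsole key under HKLM\SOFTWARE, and is run on the working system before it breaks.

```batch
@echo off
REM Added example (not from the thread): pre-enable the Recovery Console SET
REM command so RC can later reach data outside %SystemRoot%. Must be run as
REM Administrator on the still-working system; the values live in the
REM SOFTWARE hive, which RC itself cannot edit.
set RCKEY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole

REM SetCommand=1 enables the SET command inside the Recovery Console.
REM (The same value is set by the security policy "Recovery console: Allow
REM floppy copy and access to all drives and all folders".)
reg add "%RCKEY%" /v SetCommand /t REG_DWORD /d 1 /f

REM SecurityLevel=1 would let RC log on as Administrator without asking for
REM the password. Leave it at 0 (the default) so a booted box still needs
REM the local Administrator password before RC will touch the disk.
reg add "%RCKEY%" /v SecurityLevel /t REG_DWORD /d 0 /f

REM Verify the two values before relying on them.
reg query "%RCKEY%"

REM With SetCommand=1 in place, these are typed at the Recovery Console
REM prompt (RC environment variables, spaces around "=" are required):
REM   SET AllowAllPaths = TRUE        allow CD/DIR/COPY outside %SystemRoot%
REM   SET AllowRemovableMedia = TRUE  allow copying out to floppy/other media
REM   SET AllowWildCards = TRUE       allow wildcards for DEL, DIR and similar
REM   SET NoCopyPrompt = TRUE         do not prompt before overwriting
REM COPY still takes one file at a time even with AllowWildCards set, which
REM is the bulk-copy limitation the thread complains about.
```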