Winternals: Norton Utilities for experts

They're not cheap or easy, and they're definitely not perfect, but for Windows system administrators, Larry Seltzer thinks Winternals tools can be lifesavers.
Written by Larry Seltzer, Contributor
I was a customer of the original Norton Utilities versions back in the days when Peter Norton actually wrote the code. (I actually wrote him fan mail and he replied. I was thrilled!) What Norton did was to look at how the FAT file system actually worked at its lowest levels and write standalone utilities that added value to what DOS did with it, the most famous being the then-revolutionary ability to "unerase" a file or, conversely, to delete a file permanently, leaving no trace of it on the disk.

Ever since Windows came out, Norton Utilities has been useful, but for expert users, not as useful as when it was a purely DOS-based product. While it's a relatively technical program in terms of the overall market, the Windows version is designed to be accessible to normal users. Part of what made the original Norton Utilities really useful was that it was designed for experts.

These days, that role belongs to Winternals Software of Austin, TX, founded and run by Mark Russinovich and Bryce Cogswell, a couple of Ph.D.s who have also written extensively about Windows programming. Back when Peter Norton was The Man, the distinction between users and administrators wasn't as clear and meaningful as it is now; everyone essentially had to be the administrator of their own system. The tools that Winternals Software sells are squarely aimed at network administrators, and regular users shouldn't be allowed anywhere near them. I'll focus on the Administrator's Pak, a bundle of many of their tools that costs $699.

Many of the tools do not work on Windows XP yet. Programs such as these work at a level where you have to deal with version-to-version incompatibilities in Windows, so it appears that they just haven't got around to making XP-compatible versions yet. Some of the tools work under XP in spite of their documentation (which indicates that they don't), while others such as Regmon aren't so flexible; running Regmon on Windows XP causes the system to reboot.

Speaking of which, Regmon is a seriously cool tool for developers and administrators. It monitors and reports on access to the registry. (If you've ever bought one of those Windows registry books that fill in the gaps in Microsoft's documentation, the author undoubtedly used Regmon to gather the information that made the book possible.) The Filemon tool performs similar monitoring for access to the file system.

Because the Win32 environment is designed to keep applications away from certain programs and areas of the disk, many of the Winternals tools can also work in other, more permissive environments. Some work on a system booted with the Windows NT/2000 Emergency Repair Disk (ERD). Some work from DOS. Winternals also provides two tools, NTRecover and Remote Recover, which let you work on systems remotely.

With NTRecover you create a special boot disk for the system you want to repair, and then connect to that system over a null-modem serial cable, the kind you would get with a copy of LapLink. NTRecover on the host system accesses the drives of the remote system over the cable as if they were network drives. Remote Recover works similarly but over a network, so you have to create a DOS boot disk that provides a DOS TCP/IP stack for the remote system. I had problems setting up both these programs. NTRecover can't work with disks with capacities greater than 8GB, and setting up a DOS TCP/IP stack is a pain, but once you're set up they are very cool.

Bear in mind that when you're accessing a remote system in this way, you are bypassing the operating system altogether. This means that you don't need any password to gain access to any file on the system. You do need physical access to the system and the ability to boot a floppy on it, which just goes to show that without physical security no system is secure. Neither program can get at data protected by Windows' Encrypting File System (EFS), though. Bypassing the operating system's security can be advantageous in situations such as when you've lost the password. This is a major advantage of Winternals' tools over the Windows 2000 Recovery Console, a built-in facility for accessing and repairing broken systems that requires a login. The fact that Winternals' tools don't require a login underscores the point that without physical security there is no security.

Speaking of which, an especially shocking capability that Winternals implements through NTRecover or Remote Recover is Locksmith, a program that resets the password of any user account on the remote system. Once you're connected through NTRecover or Remote Recover you run Locksmith, browse the remote system to its system directory (probably C:\WINNT), and Locksmith produces a list of users with local accounts, including Administrator. You select one and Locksmith resets the password to '12345'.

At first I was shocked at this, but it's really not all that surprising. It doesn't read the passwords; it just resets the password to a known value. It gives access only to the local system, not the network. I also found out that there are several other companies, among them Passware and Sunbelt Software, who sell similar products.
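The practical defence the article names against offline access of this kind is EFS, which only helps for files that actually carry the encrypted attribute. The following PowerShell function is an added example, not part of the article or of Winternals' tooling; it reports which files under a directory (the path is a placeholder you substitute) are not EFS-protected and would therefore be readable by anything that bypasses the Windows logon.

```powershell
# Added example, not part of the article or Winternals' own tooling.
# Lists files under a directory that lack the EFS "Encrypted" attribute,
# i.e. files an offline tool that bypasses Windows logon could still read.
function Get-UnencryptedFiles {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # assumption: a directory the operator considers sensitive
    )

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            # FileAttributes is a flags enum; test the Encrypted bit directly
            ([int]($_.Attributes -band [System.IO.FileAttributes]::Encrypted)) -eq 0
        } |
        Select-Object FullName, Length, LastWriteTime
}

# Summarise EFS coverage for one directory (placeholder path; adjust as needed)
$target = 'C:\Users\Example\Documents'
$unencrypted = @(Get-UnencryptedFiles -Path $target)
$total = @(Get-ChildItem -Path $target -File -Recurse -Force -ErrorAction SilentlyContinue).Count
"{0} of {1} files under {2} are not EFS-protected" -f $unencrypted.Count, $total, $target
$unencrypted | Format-Table -AutoSize
```

Run it from an account that can read the directory in question. Note that EFS protects only the files marked encrypted: temporary copies, pagefile contents and the local account database itself remain accessible to an offline tool, which is why the article's point about physical security still stands even on an EFS-enabled system.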

Let's say you're running Windows 2000 (or whatever OS you use) and the system won't boot. For this you can use the ERD Commander tool to extend the Emergency Repair Disk facility into a command-line environment in which you can perform repairs and run many programs. Other products can do this, too, but ERD Commander can make a boot CD that's much easier to use than the 4 to 6 floppies necessary for a floppy-based boot of Windows NT/2000/XP. Be forewarned that the CD-making process didn't work right for me and apparently doesn't usually work. Search the Winternals Knowledge Base for the additional tools you would need to get it to work correctly.

Disk Commander lets you access and recover data from disks that Windows cannot access due to corruption or other damage. It can also recover deleted files. Winternals recently released FileRestore, a separate tool used to unerase files with a more straightforward UI.

They're not cheap, they're not easy, and they're definitely not perfect, but if you're a Windows system administrator, the Winternals tools can be a lifesaver in many tough spots. You owe it to yourself at least to look them over. Like the original Norton Utilities, they probably do something you wouldn't have thought possible.

Do you have experience with Winternals? What's your take? E-mail Larry or post your thoughts in our Talkback forum below.
