Wednesday, August 1, 2012

Using Hiren's BootCD for Remote Support


                Hiren's BootCD is used for various fixes that we need to perform outside of the Windows environment. It is an extremely useful set of tools and can be used for a wide variety of repair operations that would otherwise need a technician to have physical access to the PC. This tutorial is designed to give a general idea of what the BootCD can be used for when doing remote support, and to show you how to perform repairs using the BootCD.

                When should we send the BootCD out? If the PC is unable to boot, but the client gets an error message, it is time to send the CD out. These error messages include:
  • Blue Screens
  • File Missing (such as hal.dll, c:\windows\system\config, etc.)
  • Operating system not found
  • the system boots to a blinking cursor in the upper-left hand corner
  • and especially boot loops (unless you are in Vista/7, then follow my blog post)
The BootCD will not help us in situations where:
  • the client gets the error "Unmountable boot volume"
  • the PC cannot boot any further than the BIOS screen

                So in a nutshell, if the PC can see AND access the hard drive, a BootCD would be useful for our remote repairs.

Booting Up Hiren's BootCD (Mini Windows XP)

                Once the client has the BootCD, the PC needs to be configured to boot from the CD/DVD drive as the first device in the list. Since every BIOS is different, that is up to you to work out. Once configured properly, go ahead and boot the PC. We want to select "Mini Windows XP" from the first splash screen:


                This usually takes about 5 mins to boot all the way up, depending on the speed of the PC. Once booted, the screen looks like this:


                Network support is already started by default. If the internet connection is hardwired, internet access takes no extra configuration. If the internet connection is wireless, the "Wireless Setup" icon on the first screen will take you here:


                Once here, the wireless adapter will need to be selected from the dropdown menu, then we will need to go into the "Wifi" tab and select the correct wireless network. This process is fairly straightforward. Once the internet is connected, we are able to get our remote connection via the "internet" icon in the lower-left hand corner of the desktop.

Repairing the Master Boot Record (MBR)

               One of the most common reasons that Hiren's BootCD is sent out is for boot loops. When repairing the MBR, MbrFix is the most reliable tool. When opening up the BootCD menu, MbrFix can be found in Partition/Boot/MBR > Commandline > MbrFix:



                As the menu selection implies, MbrFix is a command line tool. Use of the tool to fix a Windows XP MBR looks like this:
MbrFix /drive 0 fixmbr

                This assumes that the disk that we want to repair the MBR on is mounted as disk 0. This can be checked using:
MbrFix /drive 0 listpartitions
                
                For repairing Vista/7 MBR, my other blog post is recommended. In the event that the BootCD is needed, we can repair the MBR in these other operating systems using the associated switches:

MbrFix /drive 0 fixmbr /vista
MbrFix /drive 0 fixmbr /win7



                That's it! Finish up any other tasks that we need to do before reboot, then reboot the PC and we should be able to boot the OS now.

Repairing the file system (chkdsk)

                When using Hiren's BootCD, the command prompt looks a bit different than when a PC is booted normally in Windows. The command prompt is usually set to the BootCD's own file system (X:\). To perform operations such as chkdsk on the system drive, the drive letter of the offline Windows installation has to be given explicitly. Open up the command prompt and set your chkdsk command up like this:

chkdsk c: /x


                That's it! File system has been repaired. Reboot the PC and check your results.



Editing Startup Processes (Autoruns)

                When using Hiren's BootCD to repair the MBR or fix severe malware, editing startup entries can be beneficial before rebooting the OS back into Windows. To do this, we need to open Autoruns from the Hiren's Menu > Startup > AutoRuns:


                When Autoruns loads, we will notice that it loads the default Hiren's startup info. We want to view/edit the startup info from the offline system, so we now need to go to File > Analyze Offline System...


                Next Autoruns will ask us to select the Windows directory of the offline system, as well as the user profile that we want to load. By default, just selecting the Windows directory will automatically load the default user profile. Since we want to make sure our client's profile is clear of malware, we need to find the "ntuser.dat" for the profile that we want to manipulate, then point the "User Profile" section to the folder that contains that file. In the example below, the user profile that I want to edit is the "Administrator" profile.


                That's it! Now that Autoruns is loaded with the offline system, we can make the necessary changes to our startups.

Restoring the Registry (Reg Restore Wizard)

                Sometimes we may find ourselves in a situation where we need to roll back some registry changes that were recently made and system restore is failing. In this case, as long as the PC has restore points available, we can use the Registry Restore Wizard. This will not do exactly what system restore does (since system restore restores some files as well), but if we need to roll back changes to the registry only, this is our tool. To open it, from the Hiren's BootCD menu > Registry > Registry Restore Wizard:


                The next step in this process is to select the Windows directory of the offline PC that we want to restore.


                Once we have selected our Windows directory, we should see a list of restore points. Select the restore point for the corresponding date that we want to restore to, then click next. 


                Registry Restore Wizard will then do the rest of the work and restore the registry. If our window looks like this after the operation has completed, then the restore was successful.



                That's it! Reboot the PC and verify that the issue has been resolved.

Editing an Offline Registry (Registry Editor PE)

                There are some times when we will need to manually edit the offline registry. This can be done using the Registry Editor PE. To open the Registry Editor PE, open up the Hiren's BootCD Menu > Registry > Registry Editor PE


                We will then be asked to load the remote Windows directory. Locate the directory like this:


                Next we need to select our remote hives individually. They should all be located in the "C:\Windows\System32\Config" folder. Select each one by simply clicking "Open" when each new window pops up:


                Now we need to load our offline users. After all, we cannot edit an offline user profile without loading it, right? We need to manually locate the ntuser.dat file that sits in the root of the user profile that we want to load.


                In my case, the account that I want to edit is the Administrator account, so I locate the ntuser.dat here:


                Since we have an offline registry loaded, we need to edit different areas of the registry than we usually would. Keep in mind that Hiren's BootCD has its own registry settings that are also loaded. We will find our target registry keys start with "_REMOTE_". If we come across a time when we need to import a .reg file into the offline registry, the "_REMOTE_" prefix will need to be inserted into the hive name of each key path in the .reg file before importing.

                A regular .reg file will look like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]
"InstallRoot"="C:\\Windows\\Microsoft.NET\\Framework64\\"
"Enable64Bit"=dword:00000001

                A .reg file that has been modified correctly for a remote registry import will look like this:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\_REMOTE_SOFTWARE\Microsoft\.NETFramework]
"InstallRoot"="C:\\Windows\\Microsoft.NET\\Framework64\\"
"Enable64Bit"=dword:00000001



                To edit the user profile, instead of it being located in HKEY_CURRENT_USER, it will now be located under HKEY_USERS. Below is a screenshot illustrating the different remote locations in Registry Editor PE:


                That's it! We can now edit the offline registry and make all necessary adjustments.
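                To avoid editing key paths by hand, the small script below rewrites a .reg file for an offline import the way the section above describes: HKEY_LOCAL_MACHINE hives get the "_REMOTE_" prefix, and keys under HKEY_CURRENT_USER are reported rather than rewritten, because in Registry Editor PE they live under HKEY_USERS with whatever name the loaded ntuser.dat was given. This is an added example, not part of the original post or of Hiren's BootCD; the sample .reg text is constructed, and the assumption that SYSTEM, SAM, SECURITY and DEFAULT follow the same "_REMOTE_" naming as the SOFTWARE hive shown above is mine.

```python
import re

# Hives under HKEY_LOCAL_MACHINE that Registry Editor PE exposes with the
# "_REMOTE_" prefix once loaded from the offline System32\Config folder.
# The post shows SOFTWARE; the others are assumed to follow the same naming.
HKLM_HIVES = ("SOFTWARE", "SYSTEM", "SAM", "SECURITY", "DEFAULT")

# Key header line, e.g. [HKEY_LOCAL_MACHINE\SOFTWARE\Foo], or its
# deletion form [-HKEY_LOCAL_MACHINE\SOFTWARE\Foo].
_KEY_LINE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\?(.*)\]\s*$")


def remote_key(root, path):
    """Return the _REMOTE_ form of an HKLM key path, or None when the key
    cannot be mapped automatically (HKCU and other roots)."""
    if root != "HKEY_LOCAL_MACHINE":
        return None
    hive, sep, rest = path.partition("\\")
    if hive.upper() in HKLM_HIVES:      # already-prefixed hives stay as-is
        hive = "_REMOTE_" + hive
    return "\\".join(p for p in (root, hive + sep + rest) if p)


def convert_reg(text):
    """Rewrite key headers of a .reg file for an offline import.

    Returns (converted_text, skipped_keys). Value lines and the
    'Windows Registry Editor Version 5.00' header pass through untouched.
    """
    out, skipped = [], []
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if not m:
            out.append(line)
            continue
        delete, root, path = m.groups()
        mapped = remote_key(root, path)
        if mapped is None:              # leave for the technician to place
            skipped.append(root + "\\" + path)
            out.append(line)
        else:
            out.append("[" + delete + mapped + "]")
    return "\n".join(out) + "\n", skipped


# Constructed sample: the post's example keys plus one current-user key.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]
"InstallRoot"="C:\\Windows\\Microsoft.NET\\Framework64\\"
"Enable64Bit"=dword:00000001

[HKEY_CURRENT_USER\Software\Example]
"Flag"=dword:00000000
"""
```

Running convert_reg(SAMPLE_REG) yields the "_REMOTE_SOFTWARE" header from the post and lists the HKEY_CURRENT_USER key as needing a manual HKEY_USERS path.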

Resetting a Windows Password (NTPWEdit)

                There are some cases where a client forgets their Windows password. In these cases we have some really convenient tools that help quickly edit the user account passwords for Windows. To open NTPWEdit, go to the Hiren's BootCD Menu > Passwords/Keys > Windows Login > NTPWEdit:


                Next we will need to select our remote SAM hive. NTPWEdit will usually open right up to the correct folder that contains that SAM hive. If it does not, the SAM hive is located in the "C:\windows\system32\config" folder in the offline Windows hard drive:


                Once the SAM hive has been loaded, the options are fairly straightforward. We select the offline user account that we want to modify, then enter the new password or unlock the account in the case of Vista/7 hidden Administrator accounts:


                That's it! The password has been changed and we should be able to log in to the user account with our new password.

                That is the end of our tutorial for now. If you would like to request a tutorial on any other tools or fixes that you come across for Hiren's BootCD, please email me and I will add to it.