Windows 2003 Server - Worst-Case Scenarios - Useful Tip
Do you know what a System Administrator fears the most when it comes to Windows Server 2003? The infamous Blue Screen of Death (BSoD). An appropriate name. But there is something worse. You ask, 'What could be worse than the infamous BSoD?'
A system corruption.
Yes, a system corruption is vastly worse than the BSoD - unless you've actually taken the time and effort to provide yourself with some useful disaster recovery tools for a worst-case scenario.
The worst part of a system corruption is actually when a file in the Windows System32 folder has been destroyed.
The System32 folder is the guts of the Windows OS. Without it... well, it won't work.
Let me give you an example.
The other day, I got this message when I had to do a cold restart on a computer:
Windows could not start because the following file is missing or corrupt:
[windows_root]\system32\ntoskrnl.exe. Please reinstall a copy of the above file.
Okay, something missing? Well, that's a job for Windows Recovery Console (WRC)! Okay, just pop in your CD, press the key to boot to it... and press 'r' when prompted... okay, now what I have to do is type a specific code, to copy the file from the CD over to the System32 folder. Since the file stored on the server is in the i386 folder, it is non-executable (extension is *.ex_ - if you don't understand this, don't worry about it, it's not important). Therefore the 'copy' command is useless.
You need to use 'expand'.
expand [CD]\i386\ntoskrnl.ex_ [System]\windows\system32
In my case:
expand d:\i386\ntoskrnl.ex_ c:\windows\system32
Then press enter.
Access is Denied
WHAT? (I shouted to the heavens) That cannot be true, for I am Admin, god of the server! How is it possible? So, I pressed the 'up' arrow on the keyboard and tried to enter the command again.
Access is Denied
Then I typed 'set'. This is what I saw:
AllowWildCards = FALSE
AllowAllPaths = FALSE
AllowRemovableMedia = FALSE
NoCopyPrompt = FALSE
On different versions of Windows, this command does different things. On Windows Server 2003, it lists a bunch of settings that are created in the group policy editor in the Windows environment. What that means is that unless you have access to the system, you cannot change these settings. Which means, if your system is corrupt, as it was for me, you cannot do anything about it. As you can see, 'AllowAllPaths = FALSE'. That means that the path to Windows/System32 is not allowed, which means, even as Administrator, I cannot have access to this folder. So, I cannot fix the problem with the simple 'expand' command, which would have fixed it by the time you stopped reading this paragraph.
But noooooooooooooo. Windows wants to make it difficult.
What I had to do was restore from a backup, but if I had done proper preparations, then this would have been solved in about 2 minutes! So, to prevent you from suffering my gruesome fate, follow these easy steps.
In order to prevent this absurdity, you must set these properties to be true while your Windows 2003 is running. This setting should be ENABLED by default, not the other way around. Why would they disable such a vital and important command! It's ridiculous! I understand that it's about security, but a malicious user would need to be physically on your machine, and then there are numerous other ways to bypass a system than using the WRC! Stupid, stupid, stupid.
So, this is what you have to do.
- Go to: Start > Run > Type 'gpedit.msc'
- In the left-pane, expand 'Local Computer Policy'
- Click on the small + button to expand the menus
If you have done this correctly, open a command line (Start > Run > Type 'cmd') and type 'set'.
You should see:
AllowWildCards = TRUE
AllowAllPaths = TRUE
AllowRemovableMedia = TRUE
NoCopyPrompt = TRUE
If you do not see this, then there is a high probability you will need to restart your machine (as sometimes group policies are updated upon a restart).
Trust me. This is useful. If you're worried about someone using the Recovery Console to take over your system, then do yourself a favor and put the server in a vault or a secure room, because this isn't going to do anything to stop someone who knows what they're doing.