Miscellaneous Tools for Windows NT/2K
Copyright © 1997-2000 Mark Russinovich
Last Updated October 6, 2000

This page presents a continuously growing collection of applets that fill holes in the functionality that NT comes with out of the box.
Autologon

Windows NT/2K provides Registry settings that can be set so that a user is automatically logged in the next time the system would otherwise put up the logon dialog box. However, the Registry values are hidden very deep, and are a pain to configure. This program, Autologon, will do the Registry configuration for you, and allows you to enable and disable auto-logon when you want.

Autologon is easy enough to use. Just run autolog.exe, fill in the dialog, and hit Enable. To turn off auto-logon, hit Disable. If the DefaultPassword is NULL, autologon will only occur once and then be disabled. Also, if the shift key is held down before the system performs an autologon, the autologon will be disabled for that logon. Note that the DefaultPassword value is stored in the Registry in plain text, so only enable auto-logon on a machine where that is acceptable.
AutoRuns v1.2

This applet shows you what programs are configured to run during system bootup or login. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You'll probably be surprised at how many executables are launched automatically. AutoRuns works on Windows 9x and Windows NT/2K. (The complete list of auto-run locations was obtained from David Solomon's "Windows 2000 Internals" seminar.)
ClockRes

Ever wondered what the resolution of the system clock was, or perhaps the maximum timer resolution that your application could obtain? The answer lies in a simple function named GetSystemTimeAdjustment, and the ClockRes applet calls the function and shows you the result. See "Inside Windows NT High Resolution Timers" for information on increasing the resolution. ClockRes works on Windows NT/2K only, and does not take any command-line arguments.
EFSDump

Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this facility, including one, QueryUsersOnEncryptedFile, that lets you see who has access to encrypted files. This applet uses the API to show you what accounts are authorized to access encrypted files. Full source code is included.

Usage: efsdump [-s] <file or directory>
    -s    Recurse subdirectories.

EFSDump takes wildcards, e.g. 'efsdump *.txt'.
Hostname

Hostname is a very simple utility that takes either an IP address (e.g. 192.0.2.8) or a host name (e.g. ftp.ntinternals.com) and translates it into its inverse form. For example, if you pass Hostname an IP address, you'll get back a host name, and if you pass it a host name it will give you the corresponding IP address. It runs under Windows 95/98 and Windows NT/2K.

Usage: hostname [IP address, hostname]
IsTrial

Microsoft makes available a 120-day time-locked version of Windows NT, and their Beta versions expire 240 days after they are installed. However, Microsoft does not provide any means of determining if the version of NT you are running is a time-locked version or not. Many organizations run into problems when an installation they had forgotten was a trial version suddenly announces it is shutting down. This applet will tell you whether your systems are running trial versions of NT, and if they are, their exact expiration times.

Usage: istrial
Junction

Win2K's version of NTFS supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Win2K. Unfortunately, Win2K comes with no tools for creating junctions; you have to purchase the Win2K Resource Kit, which comes with the linkd program for creating junctions. I therefore decided to write my own junction-creating tool: Junction. Junction not only allows you to create NTFS junctions, it allows you to see if files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are used by Win2K's Remote Storage Service (RSS), as well as volume mount points.

If you want to view reparse information, the usage for Junction is the following:

Usage: junction [-s] <directory or file name>
    -s    Recurse subdirectories.

If you want to create or delete a junction, use Junction like this:

Usage: junction [-d] <junction directory> [<junction target>]

To delete a junction, specify the -d switch and the junction name.
LoadOrder

This applet shows you the order in which a Windows NT or Windows 2000 system loads device drivers. Note that on Windows 2000 plug-and-play drivers may actually load in a different order than the one calculated, because plug-and-play drivers are loaded on demand during device detection and enumeration.
Streams

The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax "file:stream", you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on an NTFS drive from within a command prompt. Next, type

    echo hello > test:stream

You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter

    more < test:stream

(the type command doesn't accept stream syntax so you have to use more).

NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files you specify and inform you of the names and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information. Full source code is included.

Usage: streams [-s] <file or directory>
    -s    Recurse subdirectories.

Streams takes wildcards, e.g. 'streams *.txt'.
Strings

Working on NT and Win2K means that executables and object files will many times have embedded UNICODE strings that you cannot easily see with standard ASCII strings or grep programs. So we decided to roll our own. Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters. Note that it works under Windows 95 as well.

Usage: strings [-s] [-a] [-n X] <file or directory>

Strings takes wild-card expressions for file names, and additional command line parameters are defined as follows:

To search one or more files for the presence of a particular string using Strings, use a command like this:

    strings * | findstr /i TextToSearchFor
Sync

UNIX provides a standard utility called sync, which can be used to direct the operating system to flush all file system data to disk in order to ensure that it is stable and won't be lost in case of a system failure. Otherwise, any modified data present in the cache would be lost. Here is an equivalent that I wrote, called Sync, that works on both Windows NT/2K and Windows 95/98. Use it whenever you want to know that modified file data is safely stored on your hard drives. Unfortunately, Sync requires administrative privileges to run. This version, 2.0, also lets you flush removable drives such as ZIP drives. Source code to the NT-only version of Sync is available on the Dr. Dobb's Journal Systems Internals CD-ROM.

Usage: sync [-r | drive letter list]
    -r    Flush removable drives.

Specifying specific drives (e.g. "c e") will result in Sync only flushing those drives.
VolumeID

While the built-in Label utility of WinNT/2K and Windows 9x lets you change the labels of disk volumes, it does not provide any means for changing volume ids. This utility, Volumeid, allows you to change the ids of FAT and NTFS disks (floppies or hard drives) on both Windows NT/2K and Windows 9x.

Usage: volumeid <driveletter:> xxxx-xxxx

Note that changes on NTFS volumes won't be visible until the next reboot. In addition, you should shut down any applications you have running before changing a volume id. NT may become confused and think that the media (disk) has changed after a FAT volume id has changed and pop up messages indicating that you should reinsert the original disk (!). It may then fail the disk requests of applications using those drives.