klworley
asked on
Recovering an NT Workstation (BSOD)
I have a user who went in and arbitrarily started deleting user accounts on his machine. One of the ones he deleted was a previous administrator who had appearently done some of the administrative work on the machine through his account. Once this account was deleted and he re-booted, he got the BSOD.
As I went to work on the machine -- I first ask him for the copy of the ERD which I leave taped to each machine. "Oh that disk from the side -- I couldn't remember what it was for so I formatted it and used it for something" was the response.
So, now I have no ERD. I went through the steps of recovering an NT setup through the installation disks. Because all I really am interested in recovering for him is two particular data files on his drive (which he of course had no backup of!)
Right now, I've got the machine to boot by doing the recove options through setup. I did NOT restore the default SAM though -- however at the login screen no matter what user ID I try to use, I get the error messege that "The system cannot log you on (C00000DF). Please contact your system administrator"
So here is the question. If I reload the default SAM because then his account won't be there -- and I would lose access to the files in question right????
Is there anyway to get to those particular files??
As I went to work on the machine -- I first ask him for the copy of the ERD which I leave taped to each machine. "Oh that disk from the side -- I couldn't remember what it was for so I formatted it and used it for something" was the response.
So, now I have no ERD. I went through the steps of recovering an NT setup through the installation disks. Because all I really am interested in recovering for him is two particular data files on his drive (which he of course had no backup of!)
Right now, I've got the machine to boot by doing the recove options through setup. I did NOT restore the default SAM though -- however at the login screen no matter what user ID I try to use, I get the error messege that "The system cannot log you on (C00000DF). Please contact your system administrator"
So here is the question. If I reload the default SAM because then his account won't be there -- and I would lose access to the files in question right????
Is there anyway to get to those particular files??
If you reinstall NT, the new administrator account will be able to access those files.
One tip for the future that a long-time NT admin friend of mine suggested. Tape the ERD on the INSIDE of the case somewhere. :)
Not necessarily - if the files are in the profiles directory they will be deleted by a reinstall.
Put the hard disk as a slave into another machine that you have Administrator rights on and take ownership of this hard disk. Then you'll be able to take anything you want off it.
Put the hard disk as a slave into another machine that you have Administrator rights on and take ownership of this hard disk. Then you'll be able to take anything you want off it.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Like I said - if you reinstall and the files are held inside the profiles directory (this includes the My Documents directory) the reinstall deletes them.
The answer I proposed was the slave idea.
The answer I proposed was the slave idea.
ASKER
But you can reinstall to a different directory. ie. winnt2 and boot the machine as tim_holman suggested...and the files are there. However, appearently he deleted a personal account of his own as well (you know how NT sometimes creates additional accounts for indivduals like user.001, user.002 etc.)and the NT thinks the files are open.
BUT !!!!! Tim_holmans suggestion about the winternals product did work!!!
I downloaded the product and created the boot diskette and installed the product on the diskette. When I booted with the diskette. I could run the program provided by the download which invokes a NTFS driver. This allowed me to access the files without the security telling me they were already open. I copied them over to a diskette and took them to another computer and they are fine.
Thanks again Tim!!!! Kudos!!
Therefore I will be accepting Tim_Holmans answer. It was easier and just as effective. It also didn't involve me taking two machines apart.
Thanks for the answer though Macros. In another situation it might be the answer.
BUT !!!!! Tim_holmans suggestion about the winternals product did work!!!
I downloaded the product and created the boot diskette and installed the product on the diskette. When I booted with the diskette. I could run the program provided by the download which invokes a NTFS driver. This allowed me to access the files without the security telling me they were already open. I copied them over to a diskette and took them to another computer and they are fine.
Thanks again Tim!!!! Kudos!!
Therefore I will be accepting Tim_Holmans answer. It was easier and just as effective. It also didn't involve me taking two machines apart.
Thanks for the answer though Macros. In another situation it might be the answer.
ASKER
Adjusted points from 50 to 75
ASKER
I downloaded the product NTFSDOS from www.sysinternals.com and created the boot disk like it says and then loaded the program to a diskette.
Upon booting the PC with the product it allowed me to access the files I needed to get to.
Thanks Tim!!
I'm even throwing in an extra 25 points because it was so easy to use!!!!
Upon booting the PC with the product it allowed me to access the files I needed to get to.
Thanks Tim!!
I'm even throwing in an extra 25 points because it was so easy to use!!!!
Glad that answer worked for you. I must check out that program as well. Do you know if it works with NTFS5?