PAMurillo asked:
Windows Server 2003 not starting - ntoskrnl.exe file

Hi Everyone,

I was thrown into fixing several IT issues at a new-to-me client. Currently, they have a Dell PowerEdge 1950 Server running Windows Server Standard 2003 (I am laughing as well). When I try to boot it, I get the error:
Windows could not start because the file is missing or corrupt: <Windows root>\system32\ntoskrnl.exe. Please reinstall a copy of the above file.


I think I know what to do, but I would like some guidance. Thanks!

Dr. Klahn

If the kernel file is corrupt it's a good bet that others are too, and the possibility of an infection is also raised.

If they're running Server 2003 then there are probably no recent full backups.

Will it boot to Safe Mode?  If so, then you can run SFC.

If not, then things become more complicated.  And I personally would want to replace that system drive with something newer and known to be error-free.  A 20 year old hard drive is not something to use as a primary system disk, particularly not if it has been spinning for 20 years.
I would check the hardware to make sure there are no disk issues, especially on a server that old.
I was buying those and 2950s some 15 years ago.

Failing that, do they have a good backup? Try Last Known Good Configuration?
There are other things beyond that like the Recovery Console, boot config, etc.

How to Fix Ntoskrnl.exe Missing or Corrupt Error

https://www.wikihow.com/Fix-Ntoskrnl.exe-Missing-or-Corrupt-Error
Most probably the disk or disk array has been damaged (wear & tear), has bad sectors, or the file system was corrupted.
Replacing the file will probably result in the next file error, and you'll be wasting a lot of time.
If possible, get to know why this server has to be up and running (because of this app or this service), and think about how you can migrate only that job to a totally new server (preferably with reliable newer components, which may also be *gasp* still in warranty?).
PAMurillo (ASKER)

This is a tale of technical woe. I just started working with this client and was amazed at the age and condition (bad) of their equipment. This is their Exchange Server. Another server hosted their thin clients, plus two more servers devoted to other duties. A few days after I assessed their equipment, ransomware hit their thin client server and took it out, likely because someone opened an attachment.

When I was notified I disconnected the Exchange Server from their office and moved it to my office. After turning it on I got an error stating the hard drives had changed (which was not true). I shut it down and reseated all internal components including the hard drives. After restarting, I now get the current error.

Tomorrow I will try to start in safe mode and update.

My objective is to see if I can get the server functioning so I can recover their email accounts to push them to O365. I realize this could be a lost case and the ransomware may have trashed this server as well but I have to at least try.

And if you are wondering... of course there is no backup. 
Ransomware potentially corrupted the boot portion. Do you have 2003 media, or another server running the same OS from which you could copy hal.exe and ntoskrnl?

Try booting the system from other media and see whether the ntoskrnl is corrupted.
The first thing you will need to do is get an XP era WinPE boot disk so you can see what disks/partitions Windows can see and if any of the partitions have a \WINDOWS or \WINNT folder on them.  On the root of C:, there's a hidden file called boot.ini and it will have a line like this:

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

If the disks got moved around and re-assigned, that's going to be problem and Windows will not boot if it's pointed to a disk/partition that doesn't contain the OS boot files.

For WinPE based on XP/2003, I would suggest using ERD Commander 2003 if you have it, if not, see if you can find MSDaRT50Eval.msi via Google. This was a 30 day trial of MS DaRT (successor to ERD Commander).  You'll need a WinXP boot CD to build the rescue disk.  You can also inject critical boot drivers using the disk build wizard, so if this thing is using RAID, you can inject those drivers right into the boot disk (of course, you'll have to find the XP/2003 era RAID drivers).

You can probably use a newer WinPE disc based on Vista and beyond if you want to just look at data, but do NOT use any of the boot recovery/repair tools in these later versions (6.0+) as it will make the problem much worse.  The MS DaRT version is usually mapped one to one to the OS version, so if you are using Server 2012, you would use DaRT 8, 2012R2 use DaRT 8.1, etc.
I had the great good fortune *koff koff* to work on one of these about 20 years ago.  The customer insisted on using the RAID for the system volume, despite my pointing out that 2-drive RAID offered no advantage over a single drive.

All I can say is:  If the system is configured RAID for the boot volume, you got some work cut out for you.  Part of which is that you can be sure the RAID manager hasn't been run in at least ten years and there's no telling what shape the set is in.
1950 is either perc6 or perc5 the

The most difficulty with windows 2003 is the presenting of drivers .....
My guess is the system was also subjected to the ransomware and the ntoskernel was encrypted, and this leads to the issue. Replacing it with the correct version, unencrypted, should resolve the issue.

If you have backups of the Exchange data store, and you have the installers exchange 2003?

If you have resources to load it as a VM,
Once you get the system to boot, you may see other issues .... applications/program files, etc. that got similarly encrypted.....
I am prepping to fire up the server so I want to make sure I have all the tools ready. I understand I need to install Microsoft Exchange Mailbox Merge Wizard. Does anyone know where I can download this? I believe it is (was) running Exchange 2007
Does anyone know where I can download this?

ExMerge is long gone from Microsoft.
You might be looking at a 3rd party tool.

Extract Mailbox from EDB to PST

https://www.stellarinfo.com/gdc/edb/extract-mailbox-from-edb-to-pst.php
@Seth Simmpons
Thanks! I'll put it in my arsenal
Well, I found a Windows Server Std 2003 R3 install disk and booted to it. It says it doesn't see any hard drives so I suspect it needs the RAID driver. Hmmm... I am a little discouraged.

Apart from this Exchange Server that I am trying to resuscitate, I fired up their Thin Client Server and found all their files were encrypted with extensions ending in .qbw (weird they chose a QuickBooks file extension), plus the HTML and TXT files providing instructions. It may be a lost cause.

Windows 2003 Server can't load drivers after booting from it, so you need to slipstream the drivers. A laborious job. But now that you found the cryptoware, it sounds indeed like it's a lost cause.

As a last ditch effort, get 2 encrypted files and hope it's being detected AND there's a decryption tool for it:

https://www.nomoreransom.org/crypto-sheriff.php?lang=en

Please note, there are not a lot of decryption tools. ONLY if the original author was caught by the authorities and the keys were found in the seized electronics can a tool be made. And obviously the chances of that happening are extremely low.
Kimputer, using F6 will provide an option to load drivers; the deficiency, if memory serves, is that it looks for drivers on a floppy.

Dell provides the boot media through which you can complete the install task, or OS repair.

Entering the wrong key might be how to get to the repair part.

Don't remember if you load drivers on a CD/DVD whether it can be used to load drivers...
The 1950 might be bootable ..
I was thinking - I can start the server using Ubuntu and copy/paste the ntoskrnl.exe file from the Install Disk to the computer. Any caveats?
Yes, you need to have the same SP level.
i.e. your OS disk might be the original retail, but the installed one is SP2; it could run afoul.
Windows 2003 did lend itself to being run as a repair install.
Skip the first repair options, proceed, and then when it lists the partitions, you have an option to install or repair....I think that is how it goes.
You can try a dry run; make sure when you use the OS deployment not to put in the correct product key, or it will run as an install. Also, make sure not to make changes to the RAID or it will wipe it.

In a situation where you experienced ransomware,..
Guys, Sorry for the slow update. I am in the field 80% of the time so getting time to focus on this issue becomes a little difficult. My attempt to copy/paste/overwrite whatever you want to call it didn't work.

I am thinking that the server has been set up as a RAID1. With that, is it possible to get one of the drives, connect it to another computer, locate the folder that contains the email account file, copy them to an external hard drive then convert them to PST files?
Yes, a SATA drive can be pulled and accessed. Not sure I follow the conversion to PST (Outlook file); the issue is whether the ransomware that encrypted the ntkernel spared the Exchange EDB files, or whether those might have been encrypted or destroyed before ntkernel got encrypted/crashed the system....
I'm also concerned that if I am able to retrieve all of the email files, convert, then upload them, somewhere within resides the culprit email that triggered the ransomware.

Since I am not all familiar with Exchange 2007, are the email files saved as OST files or something else? And where are they stored? 
Exchange has a DB type file storage
If the DB store went untouched, you would still need to have a functional exchange setup, to be in a position to restore the DB/and potentially extract individual mailboxes to PST format for each user.

You have to deal with one thing at a time. You could boot the server, access the drives and look for the exchange data repository and just confirm whether it is viable, or you have to rely on backups to restore...
Since you are 80% travelling to other destinations, it seems that you do not have the time to dedicate/muck around going step by step trying to get to the .......
Do you have a spare server in your inventory to bring them back to normal operating mode? Agree to terms ...
That would be my thought: restore what they have onto the spare; once they know what they have access to and what the possible loss is, they may decide to just wipe and reinstall and be done with that.
Or they will want you to try and restore what is missing by regaining access to the other.
The issue is that, besides ntkernel, other system files may have been corrupted as well, which prevents the bootup.
somewhere within resides the culprit email that triggered the ransomware.

It doesn't matter if the email is still there or not. Just make sure you do a better job than the previous admin. Since cryptoware was found ON THE SERVER SYSTEM FILES, it probably means the users didn't cause it, the admin did (either by executing it himself, or by leaving too many security holes open for remote code execution).
Obviously to limit cryptoware, you might wanna start restricting access to executable/scripting files for ALL users (Software Restriction Policy or AppLocker), even though for this instance, it wasn't their fault.
Having good antivirus software is the next step (though restricting as above, probably catches 99.999% of all malware if the antivirus was to fail).
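The AppLocker restriction suggested above, as an added example that is not from this thread: a PowerShell script that builds an "Exe" rule collection in audit mode (standard users may only run programs from Program Files and Windows; administrators are exempt), dry-runs it against a sample file copied to a user-writable location, and only then merges it into the local policy. It assumes a Windows 7 / Server 2008 R2 or later host with the AppLocker module, run from an elevated prompt; the file names and temp paths are placeholders.

```powershell
# Added example (not from the thread): AppLocker "Exe" policy in AuditOnly mode.
# Assumes Windows 7 / Server 2008 R2+ with the AppLocker cmdlets; run elevated.

$Everyone = 'S-1-1-0'        # well-known SID: Everyone
$Admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# Rule Ids must be GUIDs; %PROGRAMFILES% and %WINDIR% are AppLocker path variables.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="$Everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Admins run anything" Description="" UserOrGroupSid="$Admins" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-exe-audit.xml'   # placeholder location
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Constructed sample: a copy of notepad.exe in a user-writable folder stands in for
# an attachment dropped into Downloads/Temp. Paths outside the allowed folders
# should come back as Denied for Everyone; the original in %WINDIR% as Allowed.
$sample = Join-Path $env:TEMP 'sample-attachment.exe'
Copy-Item "$env:windir\System32\notepad.exe" $sample -Force

Test-AppLockerPolicy -XmlPolicy $policyPath -User 'Everyone' `
    -Path $sample, "$env:windir\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Audit mode logs "would have been blocked" events (Event ID 8003 in
# Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL)
# without stopping anything. Review those for a while, then switch
# EnforcementMode to "Enabled" and re-apply. The Application Identity
# service (AppIDSvc) must be running for AppLocker to evaluate rules.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Remove-Item $sample -Force
```

The -Merge switch keeps any existing rule collections (Script, MSI, DLL) untouched, so this only adds the Exe rules shown.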