The advanced system-recover toolkit

By Susan Bradley

You probably know and use various real-time antivirus tools, but there are also advanced security tools that work under the operating system.

Many of these are based on Linux and help scan, fix, or even reset Windows passwords.

A recent Wall Street Journal article reported that small businesses are increasingly the target of cyber attacks. That made me think about the tools I use to secure the computer I use for online banking, which has to be as secure as possible (and practical). The report also reminded me to keep a more watchful eye on what my system is doing.


If you want to build an advanced system-cleaning and -recovery toolkit, here are my recommendations. Some of these tools have been around for a while, and some are in beta. Test them out and see what you find — you might be surprised.

Making it more difficult for malware to hide

Microsoft Standalone System Sweeper. Microsoft finally has its own offline tool — currently in beta — that lets you build bootable media and scan a system without running the installed (and possibly corrupted) version of Windows. Historically, this capability has required Linux and a third-party app. It’s nice to see Microsoft stepping up to the bar and offering its own version.

The System Sweeper (shown in Figure 1) scans for malware from a clean, protected environment. After you reboot your PC with the System Sweeper–created media, it’s considerably harder for malware to trick the operating system. Try it out. Go to System Sweeper’s home site and download it, then follow the instructions in a Security Garden blog. System Sweeper can boot from a USB flash drive or a CD-ROM.

Figure 1. Microsoft’s System Sweeper makes it difficult for malware to stay hidden on your PC.

Kaspersky Rescue Disk. This tool, shown in Figure 2, has been around for a while and works much like Microsoft System Sweeper: you download an ISO file from the Kaspersky site and build bootable media — either CD or USB. But because you’re downloading an ISO file, creating a bootable rescue disk is more complicated than with System Sweeper.

With the Kaspersky utility, you’re booting an alternative operating system. That helps with malware detection because a virus built for one operating system may not be clever enough to hide from another OS. Once you’ve created the rescue disc, it’s relatively easy to have Kaspersky’s app scan the hard drives and clean the system.

Figure 2. Kaspersky Rescue Disk works below Windows to scan and clean a PC.

Windows Recovery Console. Often overlooked by PC users, Windows Recovery Console was highlighted in a recent Microsoft Malware Protection Center blog as a way to clean and repair Windows’ master boot record. For example, if you get flagged as having the Win32/Popureb.E Trojan (description), Microsoft strongly recommends following the instructions in the blog. Once you’ve launched the Recovery Console, run the command bootrec.exe /fixmbr to replace the master boot record with a clean version.

For more on this topic, see Lincoln Spector’s July 8, 2010, story, “Rescue Windows with a bootable flash drive,” in the paid section of Windows Secrets online.

Password-recovery apps and other useful tools

Online NT Password & Registry Editor. We’ve covered password recovery tools before, notably in Ryan Russell’s April 22, 2010, item, “Recovering lost passwords using boot CDs” (paid content). But I want to recommend Peter Nordahl’s password-recovery tool (info/download site), which resets the Windows admin password and works on all versions of Windows from NT Version 3.5 on. It’s not new, but it’s still effective when you get locked out of your PC. It even re-enables a disabled administrator account.

Now, before you jump to the conclusion that this tool opens up a huge security hole, remember that you must have physical access to your computer to use it. It cannot be run remotely. This tool uses Linux to boot a PC without launching Windows (see Figure 3). It edits the Windows Security Accounts Manager files and then puts them back with the passwords edited or removed.

Beware: If you have Windows BitLocker drive encryption or an encrypted file system, note that once you remove or change your password you can kiss those files goodbye — you’re not getting back into them until you remember the original password.

Figure 3. Peter Nordahl’s admin password-reset tool uses Linux to bypass Windows.

Knoppix bootable disks. I’d be remiss if I didn’t mention the suite of Knoppix security apps (info/download site). Many of these tools had their beginnings in forensic investigations. In computer forensics, you want to make a byte-by-byte replica of the suspect system, or you want to ensure you’re reading the operating system you’re investigating — that you’re not in any way changing the original data. (When I say computer forensics, I’m referring to your own investigation using bootable media — not necessarily to forensics needed as evidence in a court case or to obtain a subpoena. Those investigators typically use data-acquisition techniques that rely on replicating a drive via USB or a parallel port.)

Before downloading and using any of these miscellaneous advanced recovery and diagnostics tools, read their recommendations and instructions to ensure the app does what you intend it to do. Most Linux download sites publish an MD5 or SHA-1 hash value that lets you check that the files you received have not been tampered with. (Free utilities have occasionally been maliciously modified to carry Trojans and backdoors onto PCs.) I also recommend trying out these apps on a spare computer first — not your main machine.

To verify that a utility I download is unchanged from the one the author posted online, I use Microsoft’s File Checksum Integrity Verifier (FCIV) tool, available through MS Support article 841290. (Note: According to the site, MS offers the tool but does not support it.)

To use the app, download the FCIV file and, in a command window, enter:

fciv.exe {the utility’s filename}

Next, compare the value displayed with the one given on the utility’s website. The Knoppix Security Tools Distribution site, for example, gives a checksum value of de03204ea5777d0e5fd6eb97b43034cb. As long as the values match, I’m comfortable using the tools. Note: An overly aggressive antivirus app might flag the Knoppix tools as potential malware. As long as the checksum matches, you can safely ignore any warning about these utilities.
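To automate the comparison described above (hash the downloaded file and check it against the value the download site publishes), here is an added Python example; it is not part of the original article and is not FCIV. It assumes the site publishes checksums in the common md5sum/sha1sum line format, and the file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

DIGEST_ALGOS = {32: "md5", 40: "sha1"}  # hex digest length -> algorithm the site published

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a large rescue ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_lines(text):
    """Parse md5sum/sha1sum-style lines '<hex>  <filename>' ('*' marks binary mode)."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries.append((digest.lower(), name.strip().lstrip("*")))
    return entries

def verify_downloads(checksum_text, directory):
    """Map each listed file to 'ok', 'MISMATCH', 'missing' or 'unknown algorithm'."""
    results = {}
    for expected, name in parse_checksum_lines(checksum_text):
        algo = DIGEST_ALGOS.get(len(expected))
        path = os.path.join(directory, name)
        if algo is None or not os.path.isfile(path):
            results[name] = "missing" if algo else "unknown algorithm"
        elif hmac.compare_digest(file_digest(path, algo), expected):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results

def demo():
    """Constructed sample: one intact download, one tampered download, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("rescue.iso", b"pretend ISO contents"), ("tool.zip", b"tampered")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        published = (hashlib.md5(b"pretend ISO contents").hexdigest() + "  rescue.iso\n"
                     + hashlib.sha1(b"original contents").hexdigest() + " *tool.zip\n"
                     + "0" * 40 + "  absent.img")
        return verify_downloads(published, d)
```

A match only shows that the file is the one the site posted; it cannot catch a site where both the download and the published hash were replaced, so take the checksum from the project's own page over HTTPS rather than from a mirror.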

So there you go — just a few of the many advanced security tools that allow you to take a closer look at your systems.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.

Susan Bradley has been named an MVP (Most Valuable Professional) by Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.

All Windows Secrets articles posted on 2011-07-28:
