Windows Registry backups
Older copies of the computer's registry can be found here:
How is a file stored in Windows?
On NTFS, Windows tracks every file through the Master File Table (MFT) and tracks which clusters are in use through a bitmap. When a file is deleted, Windows marks its MFT record and its clusters as free but does not wipe the data; it stays on disk until new files are written over those clusters. This is why deleted files can often be recovered, and why the chance of recovery drops the longer a system keeps running and writing.
Important Windows files and folders
$Recycle.Bin – Found in Windows Vista and later, at the root of each volume. Holds files deleted through Explorer (not files deleted with Shift+Delete or from the command line), in a per-user subfolder named after the user's SID. Emptying it frees the space. It is a hidden system folder.
Recycler – The equivalent folder in Windows NT, 2000 and XP.
- $Recycle.Bin and Recycler serve the same purpose; only the name changed between OS versions.
System Volume Information – Hidden by default. To show it, open My Computer -> Tools -> Folder Options -> View and uncheck "Hide protected operating system files (Recommended)". It then appears in the root of C:\ (and of every other NTFS volume).
Even then it cannot be opened, because only SYSTEM has access to it. To look inside you have to take ownership of the folder and grant yourself permissions.
It contains the System Restore points (on Vista and later these are Volume Shadow Copies). Because the folder is protected, antivirus products can have trouble cleaning malware that has been captured inside a restore point.
Turning System Restore off deletes all restore points in the folder, along with anything malicious stored in them. After turning it off, restart the computer and re-enable it once the system is clean; Windows then creates a fresh restore point.
Important Executable file location in Windows
C:\Windows\System32 is where the OS executables live. Examples: telnet.exe (only when the Telnet Client feature is installed), taskmgr.exe (Task Manager), regedit.exe (Registry Editor), nslookup.exe, taskschd.msc (Task Scheduler), notepad.exe. On 64-bit Windows, System32 holds the 64-bit binaries and SysWOW64 the 32-bit ones, despite the names.
Task Manager -> C:\Windows\System32\taskmgr.exe
Task Manager can be started from a command prompt or from the Run box:
cmd -> taskmgr
Win + R -> taskmgr
hosts file – The hosts file maps hostnames to IP addresses and is consulted before DNS, so an entry here overrides whatever the DNS server says. It can be edited in Notepad (run as administrator) to add a hostname and IP address that the DNS server does not know. Because it is checked first, malware commonly edits it to block antivirus or Windows Update servers or to redirect users to attacker-controlled addresses, so it is worth checking during incident response.
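The check described above, as an added PowerShell example (not part of the original notes): it parses hosts-file lines and reports entries that map to something other than loopback, plus any override of a host on a watch list. The watch list and the sample file content are constructed for the example; adjust the list to the update and AV hosts your environment depends on.

```powershell
# Added example (not from the original notes). Parses hosts-file lines and flags
# entries worth reviewing: any mapping that is not loopback, and any override of a
# host on a watch list (here a constructed list of vendor update domains).
function Get-SuspiciousHostsEntries {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Assumption: domains you never expect to see overridden; adjust to your environment
        [string[]]$WatchList = @('microsoft.com', 'windowsupdate.com', 'symantec.com')
    )
    foreach ($line in $Lines) {
        $clean = ($line -split '#', 2)[0].Trim()      # drop trailing comments
        if (-not $clean) { continue }                 # blank or comment-only line
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }          # malformed line, no hostname
        $ip    = $parts[0]
        $names = $parts[1..($parts.Count - 1)]        # one IP may be followed by several names
        $isLoopback = $ip -in @('127.0.0.1', '::1')
        foreach ($name in $names) {
            $watched = $WatchList | Where-Object { $name -eq $_ -or $name -like "*.$_" }
            if ($watched) {
                [pscustomobject]@{ IP = $ip; Hostname = $name; Reason = 'watch-list host overridden' }
            } elseif (-not $isLoopback) {
                [pscustomobject]@{ IP = $ip; Hostname = $name; Reason = 'non-loopback mapping, verify it is intended' }
            }
        }
    }
}

# Constructed sample content (not a real hosts file); a stock hosts file contains only comments
$sample = @(
    '# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.'
    '127.0.0.1       localhost'
    '10.0.0.5        intranet.corp.example    # internal host missing from DNS'
    '127.0.0.1       update.microsoft.com     # blocks Windows Update'
    '203.0.113.9     www.symantec.com         # sends the AV vendor to a foreign address'
)
Get-SuspiciousHostsEntries -Lines $sample | Format-Table -AutoSize

# On a live system (the file is world-readable, so no elevation is needed):
# Get-SuspiciousHostsEntries -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

The internal host on 10.0.0.5 is reported too; the function only triages, and a human decides which non-loopback entries are intended.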
WinSxS – This folder holds old versions of system files, patches, DLLs and so on, which is what makes uninstalling a Windows update possible. The WinSxS folder and its contents should not be deleted by hand; use the Disk Cleanup tool (or DISM's component cleanup on Windows 8 and later), which removes only superseded files.
Starting with Vista, Microsoft moved from INF-based installation to componentization. A component is one or more binaries, a catalog file and an XML manifest that describes everything about how the files are installed: the associated registry keys and services, and the security permissions the files should have.
All components of the operating system are kept in WinSxS (the component store). Each component has a unique name that includes the version, language and processor architecture it was built for. WinSxS is the only place a component really exists on the system; every other instance of its files (for example in System32) is "projected" from the component store by hard links.
hiberfil.sys – When the computer hibernates, Windows writes the contents of RAM to this file. While hibernation is enabled the file permanently occupies disk space in proportion to the installed RAM. For forensics it matters because it holds a (compressed) copy of memory, including whatever was in memory at the time, and can be analysed like a memory image.
To enable or disable hibernation, open an elevated command prompt and run one of:
powercfg.exe /hibernate on
powercfg.exe /hibernate off
More detailed information on Pagefile
CBS.log and CBS.persist.log –
CBS.log records Component Based Servicing activity, including the missing or corrupted system files found while running System File Checker. When CBS.log grows to roughly 50 MB it is copied to CBS.persist.log and a fresh CBS.log is started.
sfc – System File Checker verifies protected system files and repairs missing or corrupted ones from the component store. Its log lines are written to CBS.log under C:\Windows\Logs\CBS and are tagged with [SR].
sfc /scannow
A screenshot showing CBS logs
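Because CBS.log mixes sfc output with every other servicing operation, an added PowerShell example (not part of the original notes) that keeps only the [SR] lines and classifies them. The log lines in the script are constructed to follow the CBS.log line shape and are not a real log; the live-log command at the end assumes an elevated prompt.

```powershell
# Added example (not from the original notes). Pulls the System File Checker
# lines ([SR] tag) out of CBS.log text and classifies them, so a large log can be
# reduced to what sfc actually found. Log lines below are constructed to follow
# the CBS.log shape "<date> <time>, <level> <tag> <message>"; they are not a real log.
function Get-SfcFindings {
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^(?<ts>\S+ \S+), (?<level>\w+)\s+CBS\s+\[SR\]\s+(?<msg>.*)$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }     # not an sfc line (other CBS noise)
        $ts = $Matches.ts; $level = $Matches.level; $msg = $Matches.msg   # copy before switch -Regex overwrites $Matches
        $kind = switch -Regex ($msg) {
            '^Cannot repair member file' { 'Unrepaired'; break }   # sfc could not fix this file: investigate
            '^Repaired file'             { 'Repaired';   break }   # restored from the component store
            '^Verify complete'           { 'Summary';    break }
            default                      { 'Progress' }
        }
        [pscustomobject]@{ Timestamp = $ts; Level = $level; Kind = $kind; Message = $msg }
    }
}

$sampleLog = @(
    '2024-03-01 09:10:11, Info                  CBS    [SR] Beginning Verify and Repair transaction'
    '2024-03-01 09:10:12, Info                  CBS    [SR] Verifying 100 components'
    '2024-03-01 09:12:40, Info                  CBS    [SR] Cannot repair member file [l:11]"example.dll" of Example-Component, version 10.0.0.1, hash mismatch'
    '2024-03-01 09:12:41, Info                  CBS    [SR] Repaired file \??\C:\Windows\System32\other.dll by copying from backup'
    '2024-03-01 09:14:00, Info                  CBS    Ending TrustedInstaller finalization.'
    '2024-03-01 09:14:01, Info                  CBS    [SR] Verify complete'
)
Get-SfcFindings -Lines $sampleLog | Where-Object Kind -ne 'Progress' | Format-Table -AutoSize

# Live log (elevated prompt; the CBS folder is not readable by standard users):
# Get-SfcFindings -Lines (Get-Content "$env:SystemRoot\Logs\CBS\CBS.log") | Where-Object Kind -eq 'Unrepaired'
```

An "Unrepaired" entry means sfc found a file whose hash does not match the catalog and could not replace it; the line names the file and component, which is the starting point for deciding whether it is corruption or tampering.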
Other files / folders
MSOCache hidden folder – MSOCache holds the Microsoft Office installation files copied from the installation DVD during setup. Office uses it for repair operations and for adding features later. It is recommended not to delete this folder.
Windows Server timelines
Because Windows Server 2008 is based on the Windows NT 6.0 Service Pack 1 kernel, the RTM (Release To Manufacturing) release is considered to be Service Pack 1; accordingly, the first service pack is called Service Pack 2
Basic disks are the storage type most often used with Windows. The term basic disk refers to a disk that contains partitions, such as primary partitions and logical drives, which in turn are usually formatted with a file system to become a volume for file storage.
Dynamic disks were introduced with Windows 2000 and provide features that basic disks do not, such as volumes that span multiple disks (spanned and striped volumes) and fault-tolerant volumes (mirrored and RAID-5 volumes). Like basic disks, dynamic disks can use the MBR or GPT partition style on systems that support both.
Dynamic disks offer more flexibility for volume management because they use a database to track information about the dynamic volumes on the disk and about the other dynamic disks in the computer. Because each dynamic disk stores a replica of this database, Windows Server 2003 can repair a corrupted database on one dynamic disk using the copy on another. Dynamic disks are deprecated in current Windows versions in favour of Storage Spaces, although they are still supported.
More on basic vs dynamic disks: https://msdn.microsoft.com/en-us/library/aa363785%28VS.85%29.aspx
MBR (Master Boot Record) and GPT (GUID Partition Table) are two different ways of storing the partitioning information on a drive. This information records where each partition starts and ends, so the operating system knows which sectors belong to which partition and which partition is bootable.
The MBR is a special boot sector at the very beginning of a drive (the first 512 bytes). It contains a small boot loader and the table of the drive's partitions. The boot loader is a small piece of code whose job is usually to load a larger boot loader from one of the partitions. With Windows installed, the first stage of the Windows boot loader lives here, which is why an overwritten MBR leaves Windows unbootable until it is repaired. With Linux installed, the first stage of GRUB is typically placed in the MBR. Because this sector runs before the operating system, it was also the classic home of bootkits.
MBR works with disks up to 2 TB (with 512-byte sectors; the start and length of each partition are 32-bit sector counts) and cannot address space beyond that. It also supports only four primary partitions; for more, one of them is made an "extended partition" holding logical partitions inside it, a legacy workaround that GPT makes unnecessary.
GPT is the partition table format created as the successor to MBR. It identifies each partition and the disk itself by a GUID, uses 64-bit sector addresses, keeps a backup copy of the table at the end of the disk with CRC32 checksums over the header and the table, and allows up to 128 partitions on Windows without the extended/logical workaround. UEFI firmware boots from GPT disks. The first sector of a GPT disk still holds a "protective MBR" with a single partition of type 0xEE, so that MBR-only tools see the disk as fully allocated instead of empty.
NTFS is a file system; other file systems are FAT32, EXT4 and so on.
So the partition table defines the partitions on a hard drive, whether it is an SSD or an HDD, and each partition is formatted with a particular file system before an OS can be installed on it.
Partition vs File System
A partition is a logical boundary on a drive, described by the partition table, while a file system defines how files are laid out inside a partition (a formatted partition is a volume). Dynamic volumes can span several physical disks, as in spanned, mirrored or RAID-5 volumes.
So MBR and GPT are partitioning schemes, while NTFS, FAT, FAT32 and EXT are file systems.
Primary, Extended and Logical Partitions
An MBR partition table holds at most four entries, so a disk can have at most four primary partitions. Extended and logical partitions are the way around this limit.
Suppose you want six partitions on a single drive. You would create three primary partitions and one extended partition; the extended partition is a container inside which logical partitions can be created. So for six partitions you would make three primary partitions, one extended partition and three logical partitions inside it. Equally, one primary partition, one extended partition and five logical partitions would work. The only hard rule is that there can never be more than four primary partitions, and the extended partition itself takes one of those four slots.
Max partition / disk size in Windows
Windows XP and the original release of Windows Server 2003 are limited to 2 TB per physical disk, including all partitions, because they only support MBR partitioning on data disks.
Windows Server 2003 SP1, Windows XP x64 Edition and later versions support GPT disks, on which the maximum raw partition size is 18 exabytes. (The NTFS volume limit was 256 terabytes at the time the cited documentation was written.)
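An added PowerShell example (not part of the original notes) that decodes the partition table of an MBR sector, covering both the four-slot layout with an extended partition and the 32-bit sector fields behind the 2 TB limit described above. The 512-byte sector is constructed inside the script rather than read from a disk; reading a real sector requires administrator rights and is left as a comment. It assumes PowerShell 3 or later on a little-endian host.

```powershell
# Added example (not from the original notes). Decodes the four 16-byte partition
# entries of an MBR sector and shows why MBR tops out at 2 TiB with 512-byte
# sectors: start and length are 32-bit sector counts. The sector bytes below are
# constructed in the script, not read from a real disk. Assumes a little-endian host.
function Read-MbrPartitionTable {
    param([Parameter(Mandatory)][byte[]]$Sector, [int]$BytesPerSector = 512)
    if ($Sector.Length -lt 512) { throw 'An MBR sector is 512 bytes' }
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'Missing 0x55AA boot signature' }
    $typeNames = @{ 0x05 = 'Extended (CHS)'; 0x0F = 'Extended (LBA)'; 0x07 = 'NTFS/exFAT'; 0x0C = 'FAT32 (LBA)'; 0x83 = 'Linux'; 0xEE = 'GPT protective' }
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + 16 * $i                                   # partition table starts at byte 446
        $type = $Sector[$off + 4]
        if ($type -eq 0) { continue }                           # unused slot
        $start = [BitConverter]::ToUInt32($Sector, $off + 8)    # first sector (LBA), 32 bits
        $count = [BitConverter]::ToUInt32($Sector, $off + 12)   # sector count, 32 bits
        $kind  = if ($typeNames.ContainsKey([int]$type)) { $typeNames[[int]$type] } else { 'Other' }
        [pscustomobject]@{
            Slot = $i; Bootable = ($Sector[$off] -eq 0x80); Type = ('0x{0:X2}' -f $type); Kind = $kind
            StartLBA = $start; Sectors = $count; EndLBA = ($start + $count - 1)
            SizeGiB = [math]::Round(($count * $BytesPerSector) / 1GB, 2)
        }
    }
}

# Largest disk an MBR can fully describe: 2^32 sectors, i.e. 2 TiB at 512 bytes/sector, 16 TiB at 4 KiB
function Get-MbrAddressableBytes { param([int]$BytesPerSector = 512) [uint64]4294967296 * $BytesPerSector }

# Build a constructed sample MBR: a bootable NTFS primary plus an extended container
$mbr = New-Object byte[] 512
$entries = @(
    @{ Boot = 0x80; Type = 0x07; Start = 2048;    Count = 1048576 }   # 512 MiB system partition
    @{ Boot = 0x00; Type = 0x0F; Start = 1050624; Count = 4194304 }   # 2 GiB extended partition that holds the logical drives
)
for ($i = 0; $i -lt $entries.Count; $i++) {
    $e = $entries[$i]; $off = 446 + 16 * $i
    $mbr[$off] = $e.Boot; $mbr[$off + 4] = $e.Type
    [BitConverter]::GetBytes([uint32]$e.Start).CopyTo($mbr, $off + 8)
    [BitConverter]::GetBytes([uint32]$e.Count).CopyTo($mbr, $off + 12)
}
$mbr[510] = 0x55; $mbr[511] = 0xAA
Read-MbrPartitionTable -Sector $mbr | Format-Table -AutoSize
'MBR limit with 512-byte sectors: {0} TiB' -f ((Get-MbrAddressableBytes) / 1TB)

# Live disk: read the first 512 bytes of \\.\PhysicalDrive0 with an elevated FileStream and pass them in;
# a single slot of type 0xEE covering the disk means GPT (Get-Disk also reports PartitionStyle on Windows 8+).
```

The logical partitions inside the extended container are not in this table; they form a chain of EBRs starting at the extended partition's first sector, which is why the parser only reports the container.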
Windows server core
Windows Backup (XP)
| Type         | What is backed up                                                    | Archive bit                                     |
| Copy         | All selected files                                                   | Not cleared (files are not marked as backed up) |
| Daily        | Files modified on the day of the backup                              | Not cleared                                     |
| Differential | Files created or changed since the last normal or incremental backup | Not cleared                                     |
| Incremental  | Files created or changed since the last normal or incremental backup | Cleared                                         |
| Normal       | All selected files                                                   | Cleared                                         |
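The archive-bit rules in the table, exercised against real files in an added PowerShell example (not part of the original notes): NTFS sets the Archive attribute whenever a file is created or modified, the backup type decides whether only flagged files are selected, and Normal and Incremental are the only types that clear the flag afterwards. The script assumes it may create and delete a scratch folder under $env:TEMP.

```powershell
# Added example (not from the original notes). Simulates the archive-bit rules of
# the XP backup types against real files in a scratch folder.
# Assumption: a throwaway folder under $env:TEMP may be created and deleted.
function Select-FilesForBackup {
    param(
        [Parameter(Mandatory)][ValidateSet('Normal', 'Copy', 'Incremental', 'Differential', 'Daily')][string]$Type,
        [Parameter(Mandatory)][IO.FileInfo[]]$Files
    )
    $archive = [IO.FileAttributes]::Archive
    $selected = switch ($Type) {
        'Normal'       { $Files }                                                                    # everything
        'Copy'         { $Files }                                                                    # everything
        'Incremental'  { $Files | Where-Object { ($_.Attributes -band $archive) -ne 0 } }            # changed since last Normal/Incremental
        'Differential' { $Files | Where-Object { ($_.Attributes -band $archive) -ne 0 } }            # same selection, but the bit survives
        'Daily'        { $Files | Where-Object { $_.LastWriteTime.Date -eq (Get-Date).Date } }       # modified today, bit untouched
    }
    if ($Type -in 'Normal', 'Incremental') {            # only these two mark files as backed up
        foreach ($f in $selected) {
            if (($f.Attributes -band $archive) -ne 0) { $f.Attributes = $f.Attributes -bxor $archive }
        }
    }
    @($selected)
}

$demo = Join-Path $env:TEMP 'archive-bit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
1..3 | ForEach-Object { Set-Content -Path (Join-Path $demo "file$_.txt") -Value "data $_" }   # new files carry the archive bit
$files = Get-ChildItem -Path $demo -File
'Normal takes:             ' + ((Select-FilesForBackup -Type Normal -Files $files).Name -join ', ')        # file1, file2, file3; bits cleared
Set-Content -Path (Join-Path $demo 'file2.txt') -Value 'changed'                                           # modifying file2 sets its bit again
$files = Get-ChildItem -Path $demo -File
'Differential then takes:  ' + ((Select-FilesForBackup -Type Differential -Files $files).Name -join ', ')  # file2; bit kept
'Incremental then takes:   ' + ((Select-FilesForBackup -Type Incremental -Files $files).Name -join ', ')   # file2; bit cleared
'Second incremental takes: ' + ((Select-FilesForBackup -Type Incremental -Files $files).Name -join ', ')   # nothing
Remove-Item -Path $demo -Recurse -Force
```

The practical consequence is the restore order: a Normal backup plus the latest Differential restores everything, whereas with Incremental backups every one taken since the last Normal has to be applied in sequence.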
A system state backup includes the following items:
- Boot files (Boot.ini, NTLDR, NTDetect.com)
- Windows registry, including the COM+ class registration database
- SYSVOL (Group Policy and logon scripts)
- Active Directory database (NTDS.DIT)
- Certificate Services database
- Cluster service information
The last four are included only if the server actually runs those roles or services.
To restore the system state on a domain controller, the server must be rebooted into Directory Services Restore Mode (F8 at startup).
NTLDR (short for NT loader) is the boot loader for all releases of Windows NT up to and including Windows XP and Windows Server 2003. NTLDR normally runs from the primary hard disk, but it can also run from removable media such as a CD-ROM, USB flash drive or floppy disk. It can also start a non-NT operating system, given the appropriate boot sector stored in a file.
NTLDR requires, at a minimum, the following two files on the system volume:
> ntldr, the main boot loader itself
> NTDETECT.COM, required for booting an NT-based OS; it detects the basic hardware information needed for a successful boot
An additional important file is boot.ini, which holds the boot configuration (if it is missing, NTLDR defaults to \Windows on the first partition of the first hard drive).
NTLDR is launched by the volume boot record of the system partition, which is typically written to the disk by the Windows FORMAT or SYS command.
NTDETECT.COM is a component of Windows NT-based operating systems on the x86 architecture. It runs during startup and is responsible for detecting the basic hardware required to start the operating system.
NTDS.DIT (“New Technology Directory Service – Directory Information Tree”) is the Active Directory database file, stored by default under C:\Windows\NTDS. It holds the password hashes of every domain account, which makes it one of the most valuable files on a domain controller; backups and system state images that contain it must be protected accordingly.
The Registry is a hierarchical database of configuration settings and options for Windows and installed programs. Before the Registry, programs kept their settings in .ini files, one text file per program.
A Failover cluster is a group of independent computers that work together to increase the availability of applications and services.
File server: Branchcache
BranchCache is a feature of Windows Server 2008 R2 and Windows 7 that lets clients in a branch office fetch content from a cache in the branch instead of across the WAN, with each file's integrity checked against hashes obtained from the main-office server. It is used where the link from the branch to the main office is slow.
BranchCache has two modes: Hosted Cache mode (a server in the branch holds the cache) and Distributed Cache mode (client PCs share their caches peer-to-peer).
Process, Service in Windows
Processes: A process is a running instance of an executable. Processes started by the user usually have a desktop window; an open Firefox, for example, shows up in the Processes tab of Task Manager.
Some programs, such as vendor audio utilities, run in the background with only a notification-area icon. They are still processes and appear in the same tab.
Applications such as antivirus usually run as a service. A service is a long-running program managed by the Service Control Manager (services.exe) that starts without anyone logging on. Many Windows services are implemented as DLLs rather than standalone executables and run inside an instance of svchost.exe.
svchost.exe (Service Host) is a generic process that loads one or more service DLLs; Windows Defender, for example, runs in a service hosted by svchost. Several svchost instances run at once, each hosting a group of services (tasklist /svc shows which services each one hosts). Because the name is expected to appear many times, malware often names itself svchost.exe; a genuine instance runs from C:\Windows\System32, is started by services.exe and hosts at least one service.
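An added PowerShell example (not part of the original notes) that enumerates every process named svchost.exe with the services it hosts and checks the three properties a genuine instance always has. It assumes PowerShell 3 or later for Get-CimInstance and an elevated session; without elevation, ExecutablePath is empty for SYSTEM processes and the path check is skipped for them.

```powershell
# Added example (not from the original notes). Lists every process calling itself
# svchost.exe together with the services it hosts, and flags the properties a
# genuine instance always has: image path %SystemRoot%\System32\svchost.exe, parent
# services.exe, at least one hosted service. Run elevated, otherwise ExecutablePath
# is empty for SYSTEM processes and the path check is skipped for them.
function Get-SvchostAudit {
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $allProcs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $allProcs) { $byPid[[string]$p.ProcessId] = $p }
    # Map PID -> service names; services with ProcessId 0 are stopped
    $svcByPid = @{}
    foreach ($s in (Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 })) {
        $svcByPid[[string]$s.ProcessId] += @($s.Name)
    }
    foreach ($p in ($allProcs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $parent  = $byPid[[string]$p.ParentProcessId]        # best effort: a PID can be reused after the parent exits
        $hosted  = @($svcByPid[[string]$p.ProcessId])
        $reasons = @()
        if ($p.ExecutablePath -and $p.ExecutablePath -ine $expectedPath) { $reasons += "image at $($p.ExecutablePath)" }
        if ($parent -and $parent.Name -ine 'services.exe') { $reasons += "parent is $($parent.Name)" }
        if ($hosted.Count -eq 0) { $reasons += 'hosts no service' }
        [pscustomobject]@{
            PID        = $p.ProcessId
            Parent     = $(if ($parent) { $parent.Name } else { '<exited>' })
            Path       = $p.ExecutablePath
            Services   = ($hosted -join ', ')
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

Get-SvchostAudit | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A flagged row is a lead, not a verdict: an instance whose services have just stopped can briefly host nothing, so confirm with tasklist /svc and a second run before treating it as an impostor.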
Important file locations:
$Recycle.Bin – root of each volume (C:\ and any other volume)
System Volume Information – root of each volume (C:\ and any other NTFS volume)
MSOCache – C:\
hiberfil.sys – C:\
pagefile.sys – C:\
Windows executables such as Notepad, Task Manager – C:\Windows\System32
hosts file – C:\Windows\System32\drivers\etc\
CBS.log and CBS.persist.log – C:\Windows\Logs\CBS
Service packs vs Revisions
A service pack is a cumulative roll-up of patches and fixes applied on top of an existing OS version. An R2 ("Release 2") is a new product release that bundles the current service pack with additional features and components; it is installed as a new OS rather than as an update.
Ex: Windows Server 2003 SP2, Windows Server 2003 R2.
Windows Server 2003 R2 was released in December 2005, after SP1 and before SP2; SP2 (March 2007) applies to both Windows Server 2003 and Windows Server 2003 R2. So R2 is a separate edition, not a release newer than SP2.
Windows Event Viewer
Event Viewer (eventvwr.msc) shows the computer's Application, Security, Setup and System logs.
From Windows 7 onward it also shows Applications and Services logs, such as the Windows PowerShell log and, when installed, the status log of products like Symantec Endpoint Protection.
Security: logon/logoff and authentication failure events are recorded here (4624 successful logon and 4625 failed logon on Vista and later; 528/540 and 529 on XP and 2003). Reading this log requires administrator rights or membership of the Event Log Readers group, and what is recorded depends on the audit policy in effect, so check it (auditpol /get /category:*) before relying on the log.
Setup: Windows patch installation events.
System: Group Policy processing, time synchronization with the NTP server (the domain controller), and state changes of system services such as Volume Shadow Copy and Disk Defragmenter.
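An added PowerShell example (not part of the original notes) for the Security log: it flattens the XML of 4624/4625 events into objects and summarises failed logons per source address and account, the basic check for password guessing. The two event documents built at the bottom are constructed samples that carry only the fields the parser reads, with the real element and Data names; the live query at the end assumes an elevated session and PowerShell 3 or later.

```powershell
# Added example (not from the original notes). Parses the XML of Security log
# logon events (4624 success, 4625 failure) into flat objects and summarises failed
# logons per source address and account. The event XML at the bottom is constructed
# for the example and contains only the fields this parser reads.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $e = [xml]$Xml
        $d = @{}
        foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }    # <Data Name="...">value</Data>
        $idNode = $e.Event.System.EventID
        $id = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })   # some events add attributes to EventID
        [pscustomobject]@{
            Time      = [datetime]$e.Event.System.TimeCreated.SystemTime
            EventId   = $id
            Outcome   = $(if ($id -eq 4624) { 'Success' } else { 'Failure' })
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = [int]$d['LogonType']        # 2 interactive, 3 network, 10 remote desktop
            Source    = $d['IpAddress']
            Status    = $d['Status']                # 4625 only: 0xC000006A bad password, 0xC0000064 unknown account
        }
    }
}

function Get-FailedLogonSummary {
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 5)
    $Events | Where-Object { $_.EventId -eq 4625 } |
        Group-Object -Property Source, User |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                Source    = $_.Group[0].Source
                User      = $_.Group[0].User
                Failures  = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
                Flag      = ($_.Count -ge $Threshold)   # many failures from one source against one account
            }
        }
}

function New-SampleLogonXml {   # constructed sample builder; mirrors the real element names only
    param([int]$Id, [string]$Time, [string]$User, [int]$LogonType, [string]$Ip, [string]$Status = '0x0')
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime='$Time'/></System><EventData><Data Name='TargetUserName'>$User</Data>" +
    "<Data Name='TargetDomainName'>CORP</Data><Data Name='LogonType'>$LogonType</Data>" +
    "<Data Name='IpAddress'>$Ip</Data><Data Name='Status'>$Status</Data></EventData></Event>"
}

$sampleXml = @(
    (New-SampleLogonXml -Id 4624 -Time '2024-03-01T08:00:00.000Z' -User 'alice' -LogonType 10 -Ip '10.0.0.5')
) + (1..6 | ForEach-Object {
    New-SampleLogonXml -Id 4625 -Time ('2024-03-01T08:{0:D2}:00.000Z' -f $_) -User 'Administrator' -LogonType 3 -Ip '203.0.113.7' -Status '0xC000006A'
})
$events = $sampleXml | ConvertFrom-LogonEventXml
Get-FailedLogonSummary -Events $events -Threshold 5 | Format-Table -AutoSize

# Live use (elevated; the Security log is readable only by administrators and Event Log Readers):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-24) } |
#             ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
# Get-FailedLogonSummary -Events $live
```

The sample produces one flagged row: six bad-password failures against CORP\Administrator from 203.0.113.7 over six minutes. The same objects can be filtered for LogonType 10 (remote desktop) or for a success following a burst of failures, which is the pattern that matters most.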
Disks related info from: