Wednesday, 20 June, 2007

Fixing Windows using a Live Linux CD

Try as we might, we sometimes get Windows in such a bind that we can’t run it. Virus attacks, trojans, and malware just go with the territory. Don’t feel bad, as even the geekiest of us sometimes get Windows hopelessly wedged, even to where we can’t boot it in safe mode.

If this happens to you often and you’re tired of re-installing Windows or can’t re-install because you don’t have the original disk, we’re going to walk you through the strategies for obtaining a live Linux CD, which you can then boot and get your machine running long enough to fix the problem.

First off, the Windows user will probably be daunted at the huge selection of Linux distros. The difference between one distro and another is actually only a matter of what other software comes installed with it. You’d have to imagine if Microsoft made a “Windows for graphics artists” distribution that came with Adobe Photoshop, Illustrator, and Maya 3D included. Or a “Gamer’s Windows” with a selection of the top popular games installed and the latest Direct Draw/sound card/graphics card drivers to ensure everything runs smoothly. Really, that’s all that’s going on with the various Linux distributions.

The top Linux live CDs to recommend for a Windows repair emergency:

  1. The Trinity Rescue Kit: a whole Linux distro specifically for our purpose of fixing Windows. Amongst it’s many abilities, it can easily reset Windows passwords, includes four different virus-scan products, has full NTFS write support, can even clone an NTFS file system over the network, has an easy script to find all local file systems, and can do recovery and undeletion of files. The only downside here is that it’s a command-line based distro - if you’re not handy with a command line (such as Windows Power Shell), you’re going to be intimidated.
  2. Knoppix and Mepis: Knoppix and Mepis are both desktop-oriented distros with all the flashy features of the latest KDE desktop, and are both full-service systems for general purposes. The KDE desktop will feel very familiar to Windows users, and both of these distros are specifically aimed at people who are used to Windows. Knoppix has much more software installed on it than Mepis, while Mepis has more focus on high-end hardware support.
  3. Linspire: Those who are least sure of their computer skills should try the Linspire live CD. Since they openly advertise “the world’s easiest desktop Linux” and recommend it as “perfect for Windows users”, it seems their goal is to come as close to copying Windows as they can without getting sued. The desktop will even give you familiar icons including the file manager named “My Computer”, a Windows-like start menu, and so on.

For our purposes for the rest of this series, any one of these four will be enough. If you want to explore further, a site like DistroWatch and LinuxQuestions will be helpful.

OK, let’s say you’ve picked your distro and downloaded it. Now you have a file ending in “.iso” on your computer, and you have a blank CD in your hand.

An .iso file is a disk image file, and it’s nothing like other files you might burn to a CD. Of course, you need a CD-RW (CD Read Write) to be able to write anything on a CD, and you want a special utility that can handle the .iso standard. Nero is a popular all-in-one utility that can handle any CD writing task, including .iso’s. It used to be shareware but it looks paid commercial now. A better solution is BurnCDCC, a freeware app which just burns .iso images and nothing more. It has about two buttons on it, and takes about one second to figure out.

Of course, you can also buy live CDs from online distributors (about two bucks apiece, most places) or get them in the back of a book (Ubuntu and Knoppix books have this), but CD burners are becoming the most popular option because everybody’s getting them these days.

When you have the CD finished, take a deep breath, reboot Windows with the CD in the drive. If all goes well, the PC will come back up as Linux. If not, be sure your BIOS is set up to check the CD drive first for a system before it checks the hard drive. Granted that you have stuck with one of the distros we recommended, you should get it up and running with no problems.

The thing to remember with a live CD is that it will do nothing permanent to your computer until you tell it to. Everything on your hard drive is still right where you left it; in fact, you can bring up a live CD even if you remove the hard drive altogether. In most cases, the live systems we’ve recommended will automatically mount the hard drive, which just means it’s found the Windows partition and is ready for action.

Check with the website for each distro to find out the specifics. Before you try the CD, look at the website’s documentation, and ask questions in the forum for it so that you know what to do. But generally, you’ll be working in either the KDE Konqueror file manager or roughing it from the command line.

An example, in command line terms, is /dev/hda1 mounted to /mnt/hda1/ The “dev” stands for “device”, “hda1″ is the first partition of the first drive found, and “mnt” is the “mounted” systems. When this is enacted, what you previously called “C:\” is now “/mnt/hda1/”. Try finding it in the file manager interface for the desktop systems (or ‘cd /mnt/hda1/’ from the command line) and there you are in your C:\ drive. Browse around.

One thing to keep in mind is that Linux doesn’t heed the Windows convention of hidden, system, and archive files like Windows Explorer does. Everything is a plain old file to Linux. This is a good thing, since lots of malware and trojans exploit these features to keep you from finding and deleting them! Also, Linux programs will happily allow you to open any text file (that includes .DOS, .BAT, .INI, .SYS, etc.) edit it, and change it without worrying that you broke something. Since viruses and malware frequently write entries for themselves in these text configuration files, that also comes in handy.

Now to the actual usage of a Linux CD!

The Trinity Rescue Kit has a very complete manual, both too in-depth to repeat here, and too comprehensive to leave out. That’s here. Note that it’s a printing version, but you can also click ‘cancel’ when the dialog pops up and just read it online. The TRK docs are geared at getting you up to speed with the Linux command line and using the CD to perform virus scans and so on. For a DOS/Windows user’s-eye view of Linux commands, see the “From DOS/Windows to Linux HOWTO

If you picked an easier system to comprehend, these Knoppix instructions cover how to use Knoppix to mount your Windows hard drive, install the f-prot virus checker, and get your system clean. It takes a while, but it is much easier to use a familiar mouse/windows interface. Similar methods will work from Xandross and Mepis.

Now, ‘mounting a Windows system’ is a pretty generic term. Windows NT and its descendants Windows 2000, Windows XP, Windows Server 2003, and currently Vista all use NTFS. Previous versions of Windows used FAT (in various forms of FAT12, FAT16, and FAT32). And a new WinFS file system is planned for either the future of Vista or the next Windows release. Currently, the distros I’ve listed previously should have no problems supporting the newer systems, but support might be scattered for something like Win95!

But beyond using the tools described in the links above, what about simply looking at your Windows file system to determine what the heck is going on in there, and possibly fixing it? Virus and malware removal is never a clean task. So for extra support, on either the KDE desktop or the KDE menu, look for a little picture of a house. That will open Konqueror to your home folder. Look for the icon for mounted file systems (media) or the ‘root’ folder and go from there to ‘mnt’; one of the folders within the /mnt directory will contain your Windows C:\ drive. Click that to open it, browse around. Konqueror is neatly integrated with the office tools, so any text file that you click on in Konqueror will automatically open a text editor.

You can now edit your configuration files (IF YOU KNOW what you’re doing!) to remove unwanted entries in the registry. Similar methods can be used for repairing AUTOEXEC.BAT, etc. But again, you should not save any changes unless you’re sure that that’s the right thing to do.

You can safely browse through the rest of your Windows directories. Investigate any new folders with names you don’t recognize. One warning sign that you might be looking at malware you didn’t ask to have installed, is if it has no documentation included nor an uninstall program. If it’s in the programs directory, is unrecognizable, and seems very secretive, Google the folder and file names to see if anybody out there has caught it misbehaving. You can delete anything in Konqueror merely by the standard right-click-delete form the menu action, just like in Windows.

A lot of this is stuff you should take very slowly indeed. When in doubt, just stick with the standard anti-virus measures detailed in the documents I linked you to above and hope for the best.

So far, we’re trying to move you through the steps to repair your system when damage has already occurred. But the best way to maintain a Windows system with Linux is to perform system audits, because you will track changes from one audit to the next and it will be much easier to track what’s going on.

A system audit isn’t any kind of professional measure. Simply, we’re going to make a record of how your system looks today. Save that record and check back in another week, and make a new record. Compare record A with record B. Is something different? If so, is it something you, personally, installed or changed? You get the idea.

A system audit can be performed from the command line. If you’re on the desktop, hit Control-Alt-F2 to get a console (you can also just open a terminal on the desktop, which is the same thing.). Start by typing,


to see what’s already mounted. If your Windows system is mounted, it will usually show up as being /mnt/hda1 . If it isn’t, type

mount /dev/hda1 /mnt/hda1

Next type

ls -R /mnt/hda1 > WinSystem

To break that down: ‘ls’ is the ‘list’ command similar to ‘dir’ in DOS. -R is the option meaning ‘recursively list all sub-directories under that directory’ The ‘>’ is a re-direction operator; normally ls prints to the screen. The WinSystem is the name of the file you’re going to dump the result to. You can call it whatever you want (even WINFILES.TXT). You might want to append the date to the file name like so: WinSystem_3_16_07 . Depending on how big your Windows install is and how many files you have, this could take a while to finish - possibly hours for a 100-Gig drive!

While that’s happening, you can always hit Alt-F3 to go to another console (you can even hit Alt-F7 to pop back to the desktop and open a terminal. Or just stay on the desktop and open another terminal.) Now just type

ls /mnt/hda1/

to see all files in the C:\ drive of Windows. Anything there that applies as AUTOEXEC.BAT, CONFIG.SYS, IO.SYS, and so on, copy it over to your home directory with

cp /mnt/hda1/NAMEOFFILE ./

‘./’ is always your current directory. In fact, a lot of this will seem familiar to a DOS user, except that the \ and / are backwards from each other.

Once you have all the copies of configuration files plus the textfile with your directory listing, pick a way to save them. Either to floppy or a folder on Windows or to a usb drive. Mount a floppy with

mount /dev/fd0 /mnt/floppy

and a USB thumb drive with

mount /dev/sda1 /mnt/sda1

and to move all files from your current directory to storage media, type

mv ./* /mnt/media

where ‘media’ is either floppy or USB or your Windows folder where you want to send the files. You might also want to make a folder with the date in the name and keep the whole sheebang in there.

Now you have a record of how things were the last you checked. Now, when checking the record next time, keep in mind that Windows scribbles stuff in some places all the time. Your Internet Explorer updates it’s cookie file, you IE cache changes from day to day and so on. Not everything is a sign of intrusion. But you have the basic workings of a system to keep tabs on what programs are doing what behind your back.

No comments: