@Macarlo, Inc. Internet Services

The new Fizzer Virus—a sophisticated worm that sends itself to all contacts in the Windows Address Book (with a backdoor that uses mIRC to communicate with remote attackers and can even keep track of all keystrokes typed on a user's system)—is reported to be spreading like wildfire through e-mail and the KaZaA mp3 file-sharing network. System Administrators unfortunately may have to do some major clean-up work on their networks due to workstations that contain the KaZaA software (to read the full story from Internetweek.com click here)

If the KaZaA software is removed from a network, system administrators could possibly avoid the chances of an attack from Fizzer. In March we published an article entitled "A Cure for KaZaA" by Michael Materie. The subject of content piracy and copyright liability through file sharing has been a hot topic as it threatens to become out of control if not handled within companies' networks. And now the dangers of viruses ripping through systems by means of the KaZaA software further threaten networks. But the System Administrator footwork involved in a project to clear a site of KaZaA is a laborious, time-consuming one. Fortunately, Michael wrote an easy, quick solution using simply an .exe file and Executive Software's SITEKEEPER™ Systems Management Software—Simplified™. To read the full article on how to remove KaZaA from your site click here.

Have you ever wondered "Why doesn't Diskeeper result in a fragmentation display showing all the files in one place and all the spaces consolidation into another place?" Or, maybe you've asked yourself "Why does Diskeeper say my disk does not need to be defragmented when I can see from the display that the files are scattered all over the disk?"

The answer to both these questions is found in the fact that our primary concern with Diskeeper is the performance of your computer. The disk drives are the primary bottleneck in your computer's performance. Diskeeper restores the disks to top speed by eliminating fragmentation.

It is a common misconception that a defragmented disk should look very neat and tidy in the analysis screen, with solid blue bars all the way across the screen (representing fragmentation-free files) and the rest white space (representing consolidated space).

Clearly, the speed of the disk, meaning how fast you can access the data on it, is more important than the prettiness of the display or the consolidation of all the free space into one place. Free space consolidation might be important if you have to create one gigantic contiguous file, but it has no effect on performance. So Diskeeper uses algorithms that achieve the highest speed from your drive regardless of the arrangement of the free spaces on the drive and on the screen. And it does so without wasting time on excessive consolidation of free space. We simply go for the fastest possible file access times and then stop.

Even so, you might ask why we don't continue and rearrange the files further to get a neat display? The answer is, "Because it takes computer power to do so." We long ago decided that it would be wrong to consume more of your computer's performance than we give back. So Diskeeper defragments until the disk is in top shape PERFORMANCE-wise and then stops. Any further work is a waste of your computer resources.

Now this might not be a big deal if you like to watch the display as Diskeeper defragments your drive, but it is a very big deal to people who depend on their computers for their work. They need all the performance they can get and can't hold up production while the defragmenter pretties up the disk. This is why Diskeeper is designed to run in the background at the lowest possible priority, giving way to any other program that needs to run. And it is also why Diskeeper STOPS defragmenting when maximum performance has been achieved.

Last week, I went through some hard times and I thought I would share them (and the final solution) with you. My main development system, running Windows XP, used an IBM DTLA-307045 IDE/ATA 46.1GB disk drive, manufactured October 2000, as a Master on IDEcontroller 0. It had several partitions, but it used the first partition (C:,~6GB) as an NTFS system and boot volume* with 4096-byte clusters, and the second partition (D:,~10GB) was an NTFS boot volume with 16K-byte clusters (I decided to go with 16K clusters on the D: drive since Windows XP supports defragmentation of volumes with cluster sizes up to 64K bytes).

As is my practice (and as I have recommended in our newsletter), I used the D: volume as my primary boot, and used the C: volume as a backup boot. The rest of the disk was a volume containing my development tools and source. On Wednesday, I came in and flipped my system on. Windows XP took an awfully long time to go through its boot sequence, and sat at the screen with the pulsing progress bar for about 10 more minutes than usual. Then a blue-background screen appeared and told me "Inaccessible boot device". Gulp.

I shooed everyone out of my office and began the diagnosis. Yes, the drive was installed. Yes, the BIOS saw it. Yes, the BIOS disk geometry parameters were right. Reboot. "Inaccessible boot device". This was not good. Of course, I have a backup boot, so I booted to it. It took a long time, but it came up! The drive with my sources on it was accessible, so I copied the recently modified files to the server and began looking further. Any attempt to access the D: drive was met with a four-pulse buzzing sound and a locked-up system for about 10 minutes, then I could use the C: boot again.

At this point I couldn't afford to dawdle over the disk drive; I had to have a workable development environment operational on that machine right away to get the salvaged code into the day's build. I spent the rest of the day reinstalling software onto a new drive that wasn't having hardware problems. Later (much later!) the next day I had enough time to look into the problems on the drive. I connected the drive to a totally different machine (as a slave drive, not the system drive) and got the same symptoms. The D: drive simply would not mount, and every file on it was apparently lost. But I don't give up that easily. I copied a tool called DSKPROBE to the machine I was working on and set to work finding out exactly why this particular partition wouldn't mount.

It's also available in the Windows NT®4 Resource Kit. The neat thing about DSKPROBE is that it can read "raw" drives; accessing the "unmountable" drive presented no problems. In the boot-sector for NTFS volumes is a pointer to the MFT and the MFTMirr. Both of these areas on the volume contain NTFS metadata, and I knew that the problem had to be in the metadata, because otherwise the drive would mount. I was actually suspecting that the problem was in the $Volume file (NTFS metadata file 3) because that's a key file for determining the volume parameters. But, being methodical, I made sure that the first 1024 sectors on the volume could be read; they could. This meant a key piece of data needed for booting XP was accessible. Then I tried reading the first 1024 sectors of the MFT (by using the MFT pointer in the boot-sector). Again, all accessible. Then I tried reading 1024 sectors of the disk starting at the MFTMirr location. BANG! It failed (and I had to sit through another ten minutes of the drive making that dreadful buzzing noise).

When I got control of the machine back, I started narrowing down the sector that the problem was occurring in by using a "bracketing" technique. You know: I read in 512 sectors at the same starting address and the problem didn't occur. Then I read in 750 sectors and it did. So I read in 600 and it didn't. And so forth. I finally ended up with sector 632 being the culprit. Any attempt to read sector 632 resulted in the error. Reading sector 631 or 633 didn't produce a problem. So I looked at the contents of sectors 631 and 633 and saw that they contained pieces of the volume bitmap (The NTFS file $BITMAP contains a bitmap of the usage of clusters on the volume). So I read in sector 631, changed its contents to have all bits turned on (to indicate that all clusters in that range are in use), and told DSKPROBE to write it back to sector 632. Poof. It wrote without error. Then I exited DSKPROBE and went back to the Disk Management tool and asked it to rescan the disks.

Sure enough, the problem drive now mounted without problems, and all files on it were accessible. This story went down this way because I kept my cool, reserved the evidence (the "bad" disk), and figured out what I was looking at each step of the way. If this problem had happened during the installation of a piece of software, or while running a word processing program, it would have been very easy to claim that the installation had "caused" the problem or that the word processor had "caused" the problem. And if I'd panicked and reinstalled everything, the vexatious sector would have gotten overwritten (just like I did with DSKPROBE) and the blame would have been laid incorrectly on the shoulders of the installation program or the word processor. So why did this happen? I guess I should have been watching the Internet a little closer, or I might have picked up this article: http://www.tech-report.com/onearticle.x/3035.

Apparently I'm not the only one experiencing failures on this model of drive, and it looks like I was lucky to have the drive survive two years...others didn't get that much life out of theirs. Regardless, the key point is that I was able to recover everything and isolate and locate the correct problem primarily by keeping my cool. And I have yet another postscript for those loyal fans who wrote in to tell me that Windows XP is immune from 1023-cylinder problems. See this Knowledge Base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;282191

* (definitions taken from the Windows 2000 online glossary)
Boot Partition: The partition that contains the Windows 2000 operating system and its support files. The boot partition can be, but does not have to be, the same as the system partition.
Boot Volume: The volume that contains the Windows 2000 operating system and its support files. The boot volume can be, but does not have to be, the same as the system volume.
System Partition: The partition that contains the hardware-specific files needed to load Windows 2000 (for example, Ntldr, Osloader, Boot.ini, Ntdetect.com). The system partition can be, but does not have to be, the same as the boot partition.
System Volume: The volume that contains the hardware-specific files needed to load Windows 2000. The system volume can be, but does not have to be, the same volume as the boot volume.

"Having recently upgraded to Windows XP, I can assure you that Diskeeper is a "must have" tool for my computer. Its intuitive interface is a snap, and it optimizes the hard disk for performance and stability. I haven't experienced a single program lockup since the installation of Diskeeper, and my computer is as stable as a rock. I highly recommend it as an essential tool for Windows XP and Windows NT. It's hard to improve upon perfection. Undoubtedly, this is the best hard disk utility on the market."
—Gary Smith, SOHO
Hampton, VA

"With my major brand antivirus protection updated the evening before, I opened an email which appeared to be from a friend who emails me from time to time. I opened the attachment and was hit with a revised version of the bloodhound virus. By the time it was detected, I had lost my hard drive, which is a work station on a network, with the workstation using Windows 98. The Server is NT and other viruses were apparently piggybacked to the first. Those hit the server and took out exe files and data files. I got on the internet, found you, downloaded the Undelete trial version, discovered a number of missing files, ordered your product and recovered most all of what we had lost. It was the one thing which went right that day."
—Ron Chapman, Murphy & Chapman
Charlotte, NC

"Sitekeeper is a wonderful product. I wish I would have bought this product earlier. It can do audits in minutes, which used to take me weeks to accomplish by hand. It does exactly what I need. I really like the fact that I do not have to load a client on each of 70 workstations. I have just gotten started with it and I love it already. I can see a lot of potential for this product."
—Kevin Woods, Louis Companies
Information Technology Director
Arlington, TX

Our customers are improving conditions every day with Executive Software products. To find out how these products can improve conditions in your company, network, and even your home computer, call your local reseller or contact an ESI representative at 800-829-6468.

IDC has released the new White Paper "Reducing Downtime and Reactive Maintenance: The ROI of Defragmenting the Windows Enterprise".

This in-depth report reveals the IDC findings that system delays and unresponsiveness are not only inconvenient in the enterprise, they are extremely costly in terms of lost productivity, and help desk and IT time required to debug reactive maintenance issues.

Servers and workstations running the various Windows operating systems including the latest, Windows Server™ 2003, are being deployed more than ever within the enterprise. However, an often-overlooked element of the Windows operating system, file fragmentation, causes an overall degradation in system performance and reliability. Downtime or slow downs are unacceptable; particularly when these can be easily remedied using automated defragmentation software.

This white paper covers the performance and potential reliability implications of file fragmentation as well as its associated costs and investigates defragmentation as a solution to unnecessary or premature hardware upgrades.

Read the full white paper and see how Diskeeper Automatic Disk Defragmenter for Windows illustrates IDC's opinion that defragmentation of computer hard disks resolves the issues of maintaining reliability and stability in a system. (click here)

If you want to learn the basics of computer programming or just need a refresher, buy and read The Craft of Computer Programming by Craig Jensen. Craig is not only the founder and CEO of Executive Software, he is also the author of Diskeeper disk defragmenter, one of the best-selling utilities in the world.

Originally sold in hardcover, this new edition of The Craft of Computer Programming has been updated and republished in an easy-to-read electronic format which includes custom bookmarking, the ability to annotate text and highlighting. A detailed, hyperlinked index and glossary help you locate the exact information you need.

Go to http://www.craftof.com/ for a free preview or to buy a copy now at a special introductory price of $14.95, a 25% discount off the regular price.

http://www.jsifaq.com/
The JSI FAQ site has miles of tips for NT, XP, 2000, and even 2003 Server!

For more information on our products click here or call an Executive Software representative at 800-829-6468.

Contact your favorite reseller, or contact us directly: Executive Software International is located at 7590 N. Glenoaks Blvd., Burbank, CA 91504. U.S. and Canada: 1-800-829-6468

Central and South America, Pacific Rim and Asia: 1-818-771-1600. Fax for both of the above: 1-818-252-5514; e-mail for both of the above: infodesk@executive.com

All of our back issues are posted. You can read them online or download as many as you like.

If you don't have Web access or have trouble getting the issues you want, please send an e-mail message, containing which issues you would like, to editor@executive.com

INSIGHT ON WINDOWS NT/2000/XP is electronically published monthly by Executive Software International.

Editor: Lisa Engber
editor@executive.com
Please contact me with questions or comments about the eLetter.

Over the last five years, more than 4,000,000 INSIGHT ON WINDOWS NT/2000/XP eLetter issues have been distributed to some of the best technical people throughout the world. The success of this eLetter is based in large part on the quality of technical communication and recommendations we have sought to provide. Part of maintaining that quality has been that if a recommendation required correction we immediately did so. Should there ever be the need to do so now or in the future, it will be corrected and provided it in the next or subsequent editions.

The user assumes the entire risk as to the accuracy and the use of this document.

For reprint permission for any of the articles in the eLetter, please contact me at editor@executive.com.

NOTICE: We periodically send new product information electronically or survey those individuals who voluntarily give us their e-mail address. We hope you enjoy receiving this timely information. However, if you would like to remove yourself from this list, please do not reply to this e-mail to be removed.

© 2003 Executive Software International, Inc. All Rights Reserved. Executive Software, Diskeeper, Systems Management Software—Simplified, Sitekeeper and Undelete are registered trademarks and/or trademarks owned by Executive Software International, Inc. Microsoft, Windows, Windows Server 2003 and Windows NT are registered trademarks or trademarks owned by Microsoft Corporation. All other trademarks are property of their respective owners.

@Macarlo, Inc.
@Macarlo's Shareware & Web
OS/2
Java Lobby Member
Java Site Accredited