



 
Microsoft® Windows® 2000 Professional Resource Kit
Author Microsoft Corporation
Pages 1792
Disk 1 Companion CD(s)
Level Int/Adv
Published 02/02/2000
ISBN 9781572318083
ISBN-10 1-57231-808-2
Price(USD) $69.99

 


Chapter 31: Troubleshooting Tools and Strategies (continued)


Maintenance and Update Tools

Windows 2000 provides tools that you can use to maintain and update your system. Some of the most useful of these tools are detailed in this section, as shown in Table 31.6.

Table 31.6 Maintenance and Update Troubleshooting Tools

| Tool | Overview | Location |
|---|---|---|
| Check Disk (Chkdsk.exe) | Scans for and repairs physical problems, such as bad blocks, as well as logical structure errors, such as lost clusters, cross-linked files, or directory errors, on volumes on the hard disk. | %SystemRoot%\System32 |
| Disk Defragmenter (Dfrg.msc) | Rearranges files, folders, programs, and unused space on the hard disk to optimize disk performance. | %SystemRoot%\System32 |
| AVBoot (Makedisk.bat) | Scans for and removes MBR and boot sector viruses from the computer's memory and disk. | \VALUEADD\3RDPARTY\CA_ANTIV on the Windows 2000 operating system CD |
| Windows Update (Wupdmgr.exe) | Serves as an online extension of Windows 2000. It provides a central location to find customized files and product enhancements, including Service Packs, system files, device drivers, and new Windows 2000 features. | %SystemRoot%\System32 |

Chkdsk

Chkdsk is a command-line tool that scans and repairs volumes on the hard disk for physical problems, such as bad blocks, and logical structure errors, such as lost clusters, cross-linked files, or directory errors.

Run Chkdsk from a command prompt rather than from Windows Explorer to see the resulting display.

Chkdsk Syntax

The command-line syntax for Chkdsk is as follows:

chkdsk [volume[[path]filename]] [/f] [/v] [/r] [/x] [/i] [/c]
       [/l[:size]]

Used without parameters, Chkdsk displays the status of the disk in the current volume.

Chkdsk Switches

Table 31.7 lists all Chkdsk command-line switches.

Table 31.7 Chkdsk Switches

| Switch | Effect |
|---|---|
| filename | FAT only. Specifies the file or set of files to check for fragmentation. Wildcard characters (* and ?) are allowed. |
| path | FAT only. Specifies the location of a file or set of files within the folder structure of the volume. |
| size | NTFS only. Changes the log file size to the specified number of kilobytes. Must be used with the /l switch. |
| volume | FAT only. Specifies the drive letter (followed by a colon), mount point, or volume name. |
| /c | NTFS only. Skips checking of cycles within the folder structure. |
| /f | Fixes errors on the volume. The volume must be locked. If Chkdsk cannot lock the volume, it offers to check it the next time the computer starts. |
| /i | NTFS only. Performs a less vigorous check of index entries. |
| /l | NTFS only. Displays current size of the log file. |
| /r | Locates bad sectors and recovers readable information (implies /f). If Chkdsk cannot lock the volume, it offers to check it the next time the computer starts. |
| /v | On FAT. Displays the full path and name of every file on the volume. On NTFS. Displays cleanup messages, if any. |
| /x | NTFS only. Forces the volume to dismount first, if necessary. All opened handles to the volume are then invalid (implies /f). |
| /? | Displays this list of Chkdsk switches. |


NOTE
FAT refers to volumes formatted with FAT12, FAT16, or FAT32.

Using the /i or /c switch skips certain checks of the NTFS volume and reduces the amount of time required to run Chkdsk.


Use Chkdsk occasionally on each volume to check for errors. You must be logged on as a member of the Administrators group.

Chkdsk Reports

Chkdsk creates and displays a status report for a volume, based on the file system used. Chkdsk also lists and corrects errors on the volume.

The following are sample Chkdsk reports for volumes using each hard disk file system supported by Windows 2000. Each of these tests was run using the /f switch, although no errors were reported on any of the volumes.

Following is an example Chkdsk report from an NTFS volume:

The type of the file system is NTFS.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
Windows has checked the file system and found no problem.

   4096543 KB total disk space.
    639500 KB in 3206 files.
       692 KB in 113 indexes.
         0 KB in bad sectors.
     26427 KB in use by the system.
     22544 KB occupied by the log file.
   3429924 KB available on disk.

      4096 bytes in each allocation unit.
   1024135 total allocation units on disk.
    857481 allocation units available on disk.

An example of a Chkdsk report from a FAT32 volume:

The type of the file system is FAT32.
Volume FAT32 created 8/7/1999 11:19 AM
Volume Serial Number is 1067-3B1C
Windows is verifying files and folders...
File and folder verification is complete.
Windows has checked the file system and found no problem.

2,618,732,544 bytes total disk space.
     286,720 bytes in 29 hidden files.
     401,408 bytes in 86 folders.
  307,101,696 bytes in 2,179 files.
2,310,938,624 bytes available on disk.

        4,096 bytes in each allocation unit.
      639,339 total allocation units on disk.
      564,194 allocation units available on disk.

An example of a Chkdsk report from a FAT16 volume:

The type of the file system is FAT.
Volume FAT16 created 8/7/1999 11:23 AM
Volume Serial Number is 0CE5-DBB4
Windows is verifying files and folders...
File and folder verification is complete.
Windows has checked the file system and found no problem.

1,340,538,880 bytes total disk space.
    1,933,312 bytes in 50 hidden files.
    3,407,872 bytes in 103 folders.
  705,921,024 bytes in 3,158 files.
  629,276,672 bytes available on disk.

       32,768 bytes in each allocation unit.
       40,910 total allocation units on disk.
       19,204 allocation units available on disk.


NOTE
A sample Chkdsk report from FAT12 is not shown because it is only supported on floppy disks and volumes less than 16 MB in size.

Chkdsk only runs on local floppy disks, hard disks, and removable, read/writable disks. It does not support CD-ROM and DVD-ROM disks.


If errors exist on the volume, Chkdsk alerts you by using a message and, if the /f switch was used, corrects the errors.

Correcting Problems by Using Chkdsk

Chkdsk cannot correct found errors when there are open files on the volume because Chkdsk cannot lock the volume. In this case, Chkdsk offers to check the volume automatically the next time the computer is started. This is typical behavior for the boot volume. When the boot volume is checked, the computer is automatically restarted after the volume check is completed.

Because some repairs, such as correcting lost clusters (also known as allocation units) or cross-linked files, change a volume's file allocation table and can cause data loss, Chkdsk first prompts you with a confirmation message similar to the following:

10 lost allocation units found in 3 chains.
Convert lost chains to files?

If you press N, Windows 2000 fixes the errors on the volume but does not save the contents of the lost clusters. If you press Y, Windows 2000 attempts to identify the folder to which they belong. If the folder is identified, the lost cluster chains are saved there as files. If the folder cannot be identified or if the folder does not exist, it saves each chain of lost clusters in a folder called Found.xxx, where xxx is a sequential number starting with 000. If no folder Found.000 exists, one is created at the root. If one or more sequential folders called Found.xxx (starting at 000) exists, one using the next number in the sequence is created.

After the storage folder has been identified or created, one or more files with a name in the format Filennnn.chk (the first saved file is named File0000.chk, the second is named File0001.chk, and so on in sequence) are saved. When Chkdsk finishes, you can examine the contents of these files with a text editor to see whether they contain any needed data (if the converted chains came from corrupted binary files, they are of no value). You can delete the CHK files after you have saved any useful data.


NOTE
Be careful to delete only files using the file name extension CHK from the Found.xxx folders. Other programs might create and use files with that extension.
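A first-pass triage of recovered chains, as an added example that is not part of the Resource Kit text: it looks only at Filennnn.chk files inside Found.xxx folders, as the note above advises, and separates readable text from binary data. The 90 percent printable threshold and the short list of file-header signatures are assumptions of this sketch, and the signature check goes a step beyond the text-editor inspection the chapter describes.

```python
"""Triage Chkdsk-recovered chains in Found.xxx folders. Added example."""
import os
import re
import tempfile

FOUND_DIR = re.compile(r"^found\.\d{3}$", re.IGNORECASE)
CHK_FILE = re.compile(r"^file\d{4}\.chk$", re.IGNORECASE)
SAMPLE_BYTES = 4096       # how much of each chain to inspect
TEXT_THRESHOLD = 0.90     # assumption: >= 90% printable bytes counts as text
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Well-known file-header signatures. This list is an assumption of the
# example, not something taken from the chapter.
SIGNATURES = [
    (b"MZ", "Windows executable image (EXE, DLL, SYS)"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file"),
    (b"%PDF", "PDF document"),
]


def classify(data):
    """Return (kind, detail) for the leading bytes of one recovered chain."""
    data = data.rstrip(b"\x00")          # ignore trailing zero bytes, if any
    if not data:
        return ("empty", "only zero bytes")
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return ("binary", label)
    ratio = sum(b in PRINTABLE for b in data) / len(data)
    if ratio >= TEXT_THRESHOLD:
        return ("text", "open in a text editor")
    return ("binary", "no known signature")


def triage(root):
    """Inspect root\\Found.xxx\\Filennnn.chk only; report everything else
    in those folders as skipped so it is never deleted by mistake."""
    results = []
    for folder in sorted(os.listdir(root)):
        folder_path = os.path.join(root, folder)
        if not (FOUND_DIR.match(folder) and os.path.isdir(folder_path)):
            continue
        for name in sorted(os.listdir(folder_path)):
            rel = os.path.join(folder, name)
            if not CHK_FILE.match(name):
                results.append((rel, "skipped", "not a Filennnn.chk name"))
                continue
            with open(os.path.join(folder_path, name), "rb") as fh:
                kind, detail = classify(fh.read(SAMPLE_BYTES))
            results.append((rel, kind, detail))
    return results


def build_sample(root):
    """Create a constructed Found.000 folder for the demonstration."""
    found = os.path.join(root, "Found.000")
    os.makedirs(found)
    samples = {
        "File0000.chk": b"Dear Sir,\r\nThe report is attached.\r\n" + b"\x00" * 64,
        "File0001.chk": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(256)),
        "File0002.chk": bytes(range(128, 256)) * 4,
        "Budget.chk": b"belongs to another program",
    }
    for name, data in samples.items():
        with open(os.path.join(found, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, kind, detail in triage(tmp):
            print(f"{rel:24} {kind:8} {detail}")
```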

If you do not use the /f switch, Chkdsk alerts you if it detects a file that needs to be fixed by indicating that it needs to be rerun with the /f switch to fix the errors.

If you use the /f switch on an extremely large volume (for example, 70 GB) or a volume with a very large number of files (in the millions), Chkdsk can take a long time (perhaps days) to complete. The volume is not available during this time, since Chkdsk does not relinquish control until it is done. If the system volume is being checked during the startup process, the computer is not available until the Chkdsk process is complete.

Bad sectors reported by Chkdsk were marked when your volume was first prepared for operation. The fact that they are marked as bad means that the system prevents the disk from using them, so previously identified bad sectors pose no danger to your data.

Disk Defragmenter

Disk Defragmenter is a Windows-based tool that rearranges files, folders, programs, and unused space on your computer's hard disk. This is occasionally necessary because of the way files are stored on disk.

When files are edited and outgrow their original space on the disk, the file is broken into fragments, with latter fragments stored in open spots elsewhere on disk. In addition, when files are deleted on FAT16 and FAT32 volumes, only the entries in the file allocation table itself are deleted. The formerly occupied space is marked as open and can be used by other files. When other files use the empty space, if it is not large enough to accommodate the remaining data of the file, the file is again broken up with the remainder stored in another open space on disk. This process occurs with every new and edited file that is stored to disk.

While this process makes storage faster and more efficient when the file is saved, it takes much longer to read and write fragmented files than unfragmented files. Creating new files and folders also takes longer because the space available on the volume is scattered. Windows must then save new files and folders to various locations on the volume. When many files on disk become badly fragmented, performance notably suffers.

Running Disk Defragmenter

Disk Defragmenter remedies this problem by rewriting the files on disk back into contiguous segments. To start Disk Defragmenter, from the Start menu, point to Programs, Accessories, and System Tools, and then click Disk Defragmenter.

You can analyze the volume to see how many fragmented files and folders there are and then decide whether or not to defragment the volume.

The amount of time that the defragmentation process takes to run depends on several factors, including the size of the volume, the number of files on the volume, the amount of fragmentation, and the available local system resources.

Disk Defragmenter defragments volumes formatted with FAT16, FAT32, and NTFS.

Disk Defragmenter Results

The Disk Defragmenter tool display is split into two main areas, as shown in Figure 31.1. The upper portion lists the volumes on the local computer. The lower portion shows how fragmented the volume is. The colors indicate the condition of the volume:

  • Red areas show fragmented files.
  • Blue areas show contiguous (unfragmented) files.
  • White areas show free space on the volume.
  • Green areas show system files, which cannot be moved by Disk Defragmenter. These system files are not part of the Windows operating system but include files belonging to NTFS (when applicable) and the system paging file.

    Figure 31.1 Disk Defragmenter

By comparing the Analysis Display band to the Defragmentation Display band, you can see the improvement in your volume after defragmenting. Always analyze volumes before defragmenting them. After the analysis is complete, a dialog box tells you if you need to defragment the volume.

You can defragment local file system volumes only, and you can only run one Disk Defragmenter console at a time. In addition, you must be logged on as an administrator or a member of the Administrators group. If your computer is connected to a network, network policy settings might also prevent you from completing this procedure.

AVBoot

InoculateIT Antivirus AVBoot version 1.1 is a command-line tool that scans the computer's memory and all locally-installed disk drives for MBR and boot sector viruses. If a virus is found, AVBoot can remove the virus. AVBoot is located in the \VALUEADD\3RDPARTY\CA_ANTIV folder of the Windows 2000 operating system CD.

  • To create an AVBoot startup disk
    1. Insert the Windows 2000 operating system CD into the CD-ROM drive.
    2. Insert an empty, high-density 3.5-inch floppy disk into the floppy disk drive.
    3. From the Start menu, click Run.
    4. Browse the CD-ROM drive in the Look in list box, and navigate to the \VALUEADD\3RDPARTY\CA_ANTIV folder.
    5. Double-click Makedisk.bat, and then click OK.
    6. When the process is complete, remove the floppy disk, label it "AVBoot," and then store it in a safe location. Record the creation date in a log book.

    Makedisk.bat is used to create a startup floppy disk that runs AVBoot.

    To run AVBoot, insert the AVBoot startup floppy disk and restart the computer. AVBoot automatically starts when the computer has completed the startup process from the floppy disk.


    NOTE
    On many computers, an option in the CMOS setup program allows the user to set the sequence of installed disks that the system searches for the startup files. If drive C is set to be searched before drive A, the AVBoot disk is not loaded.

    When the AVBoot menu appears, press 1. It displays a report showing the version number and the date of the installed virus-scanning engine and the data or antivirus signature files. The next line displays the results of a virus scan in memory. Below that, a Boot Sector Summary report is displayed, showing the results of the scan on the installed floppy disk drives and all hard disks. If a second floppy disk drive or hard disk is not installed, the report states "Not Installed". Press any key to return to the AVBoot menu. Following is an example:

    InoculateIT AntiVirus Avboot V1.1
    Copyright 1997-99 Computer Associates International, Inc.
     and/or its subsidiaries. All Rights Reserved.
    
    Engine version: 4.22 06/01/1999
    Data version:   4.22 06/14/1999
    
    No Viruses Were Detected In Workstation Memory
    
    
    Boot Sector Summary:
    
    Floppy Drive A... No Boot Sector Viruses Detected
    Floppy Drive B... Not Installed
    Hard Disk 1...... No Boot Sector Viruses Detected
    Hard Disk 2...... Not Installed


    IMPORTANT
    Whether you use a third-party antivirus program or AVBoot, be sure to regularly update the virus signature files. After you install an antivirus program, immediately update the signature files, usually through an Internet connection. Check with the software documentation for specific instructions. AVBoot includes update instructions in the installation folder and on the AVBoot floppy disk. When you update the virus signature files, record the date in your log book so you can determine how fresh the files are on the AVBoot disk.

    It is extremely important that you regularly update your antivirus program. In most cases, antivirus programs are unable to reliably detect and clean viruses of which they are unaware, resulting in false negative reports. Most commercial antivirus software manufacturers offer monthly updates. Use the latest download to ensure that your system is protected with the latest virus defenses.


    Windows Update

    Windows Update is an online extension of Windows 2000. It provides a central location to find customized files and product enhancements, such as Service Packs, system files, device drivers, and new Windows 2000 features, that have been selected to work with your computer's configuration.

    Using Windows Update

    Windows 2000 creates a Start menu shortcut to the Windows Update Web page. Windows Update uses Active Setup and Microsoft® ActiveX® controls that are downloaded and installed on your system when you connect to the Windows Update Web page.


    NOTE
    Windows Update requires browser software that supports ActiveX controls.

    The controls scan your system, comparing system files and device drivers on your computer with a database of the files on the Windows Update server. Windows Update then generates a list of items that can be added and updated, and offers to install any files that are found to be newer than your current set.


    NOTE
    All updates can be uninstalled using Update Wizard Uninstall in System Information on the Tools menu. Existing files and drivers are automatically backed up before new ones are installed by Windows Update.

    Restricting Access to Windows Update

    To closely control the programs that users download, you can prohibit user access to the Windows Update Web page. By using Group Policy, you can remove the Windows Update icon both from the Start menu and from the Tools menu in Microsoft® Internet Explorer. Enabling the policy prevents users from accessing the Windows Update Web page from a computer running Windows 2000 Professional.

  • To disable access to Windows Update by using Group Policy
    1. Start the Group Policy snap-in.


    NOTE
    For more information about adding the Group Policy snap-in into MMC, see "Recovery Console" earlier in this chapter.

    2. Expand Local Computer Policy.
    3. Expand User Configuration and Administrative Templates, and then click Start Menu & Taskbar.
    4. Double-click Disable and remove links to Windows Update.
    5. In the Disable and remove links to Windows Update Properties dialog box, on the Policy tab, select Enabled, and then click OK.


    IMPORTANT
    If you are using Windows 2000 Professional-based computers on a Windows 2000 Server-based network, use Group Policy from the Windows 2000 Server to control this functionality.

    System File and Driver Tools

    Windows 2000 Professional provides tools to help you troubleshoot problems with devices and drivers. Many of the most helpful tools for troubleshooting these issues are discussed in this section, as shown in Table 31.8.

    For more information about troubleshooting problems with Plug and Play and other devices, see "Device Management" in this book.

    Table 31.8 Device and Driver Troubleshooting Tools

    | Tool | Overview | Location |
    |---|---|---|
    | System File Checker (Sfc.exe) | As part of Windows File Protection, scans protected system files and replaces files overwritten with correct versions provided by Microsoft. | %SystemRoot%\System32 |
    | Driver Verifier (Verifier.exe) | Runs a series of checks in the Windows 2000 kernel to help readily expose errors in kernel mode drivers. | %SystemRoot%\System32 |
    | Driver Signing (Sigverif.exe) | Verifies that device drivers have passed a series of rigorous tests administered by the Windows Hardware Quality Lab (WHQL). | %SystemRoot%\System32 |

    System File Checker

    System File Checker (SFC) is a command-line tool that scans protected system files and replaces files overwritten with the correct system files provided by Microsoft. It is part of the Windows File Protection feature of Windows 2000.

    Windows File Protection

    The Windows File Protection (WFP) feature protects your system files with two mechanisms. The first runs in the background: WFP is implemented when it is notified that a file in a protected folder is modified. After this notification is received, WFP determines which file was changed, and if it is protected, looks up the file signature in a catalog file to determine if the new file is the correct Microsoft version or if the file is digitally signed. If it is not, a replacement file is retrieved from either the %SystemRoot%\System32\Dllcache folder or the Windows 2000 operating system CD. By default, WFP displays the following message to an administrator and logs it to the System event log:

    A file replacement was attempted on the protected system file <file
    name>. To maintain system stability, the file has been restored to the
    correct Microsoft version. If problems occur with your application,
    please contact the application vendor for support.

    The second WFP mechanism is SFC, which allows an administrator to scan all protected files to verify their versions. SFC also checks and repopulates the Dllcache folder. If the Dllcache folder becomes damaged or unusable, use SFC with the /purgecache switch to repair its contents. Most SYS, DLL, EXE, TTF, FON and OCX files on the Windows 2000 operating system CD are protected. However, for disk space considerations, maintaining cached versions of all of these files in the Dllcache folder is not always preferable on computers with limited available storage space.

    SFC also checks all catalog files used to track correct file versions. If any catalog files are missing or damaged, WFP renames the affected catalog file and retrieves a cached version of that file from the Dllcache folder. If a cached copy of the catalog file is not available, WFP requests that you insert the Windows 2000 operating system CD to retrieve a new copy of the catalog file.
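A simplified model of the checks described above, added here as an illustration and not Microsoft's implementation: a change notification is checked against a catalog, and a mismatching file is restored from Dllcache only if the cached copy itself verifies. SHA-256 digests in a dictionary stand in for signed catalog files, and example.dll, notes.txt and the folder layout are constructed.

```python
"""Simplified model of the Windows File Protection decision flow. Added example."""
import hashlib
import shutil
import tempfile
from pathlib import Path

IGNORED = "ignored: not a protected file"
ACCEPTED = "accepted: matches catalog"
RESTORED = "restored from Dllcache"
NEED_CD = "prompt for the Windows 2000 operating system CD"


def digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def on_file_changed(changed, catalog, dllcache, log):
    """Handle one change notification for a file in a protected folder.

    catalog  -- dict of lower-cased file name -> expected digest (a stand-in
                for the catalog files WFP consults; an assumption of this model)
    dllcache -- folder holding cached copies of protected files
    log      -- list that receives the message WFP would write to the event log
    """
    changed = Path(changed)
    expected = catalog.get(changed.name.lower())
    if expected is None:
        return IGNORED
    if changed.exists() and digest(changed) == expected:
        return ACCEPTED
    cached = Path(dllcache) / changed.name
    # Verify the cached copy as well: a damaged cache must not be restored from.
    if cached.exists() and digest(cached) == expected:
        shutil.copyfile(cached, changed)
        log.append(
            "A file replacement was attempted on the protected system file "
            f"{changed.name}. To maintain system stability, the file has been "
            "restored to the correct Microsoft version."
        )
        return RESTORED
    return NEED_CD


def run_scenarios():
    """Exercise the model on a constructed System32\\Dllcache layout."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = Path(tmp, "System32")
        dllcache = system32 / "Dllcache"
        dllcache.mkdir(parents=True)
        good = b"constructed stand-in for a protected system file"
        target = system32 / "example.dll"            # hypothetical file name
        target.write_bytes(good)
        (dllcache / "example.dll").write_bytes(good)
        catalog = {"example.dll": hashlib.sha256(good).hexdigest()}
        log, actions = [], []

        # 1. A file the catalog does not list is left alone.
        (system32 / "notes.txt").write_bytes(b"not protected")
        actions.append(on_file_changed(system32 / "notes.txt", catalog, dllcache, log))

        # 2. A protected file is overwritten and put back from the cache.
        target.write_bytes(b"different version written by a setup program")
        actions.append(on_file_changed(target, catalog, dllcache, log))
        restored_ok = target.read_bytes() == good

        # 3. A notification for a file that matches the catalog is accepted.
        actions.append(on_file_changed(target, catalog, dllcache, log))

        # 4. With a damaged cache copy the only remaining source is the CD.
        (dllcache / "example.dll").write_bytes(b"damaged cache copy")
        target.write_bytes(b"overwritten again")
        actions.append(on_file_changed(target, catalog, dllcache, log))
        return actions, restored_ok, log


if __name__ == "__main__":
    actions, restored_ok, log = run_scenarios()
    for step, action in enumerate(actions, 1):
        print(step, action)
    print("restored content verified:", restored_ok)
    print("event log entries:", len(log))
```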

    SFC Syntax

    The command-line syntax for SFC is as follows:

    sfc [/scannow] [/scanonce] [/scanboot] [/cancel] [/enable] [/purgecache]
        [/cachesize=x] [/quiet]

    SFC Switches

    The SFC switches are listed in Table 31.9.

    Table 31.9 SFC Switches

    | Switch | Description |
    |---|---|
    | /scannow | Scans all protected system files immediately. |
    | /scanonce | Scans all protected system files at the next system start. |
    | /scanboot | Scans all protected system files at every start. |
    | /cancel | Cancels all pending scans of protected system files. |
    | /enable | Enables WFP for normal operation. |
    | /purgecache | Purges the file cache and scans all protected system files immediately. |
    | /cachesize=x | Sets the file cache size, in megabytes. |
    | /quiet | Replaces incorrect file versions without prompting the user. |
    | /? | Displays this list. |

    Driver Verifier

    Driver Verifier is a Windows-based tool that runs a series of checks in the Windows 2000 kernel to expose errors in kernel-mode drivers. It can gather statistics from the kernel, which are displayed by the GUI or logged in a file.

    Driver Verifier can be run as a Windows 2000 application (called the "Driver Verifier Manager"), as a command-line tool, or as a debugger option in the system debugger WinDbg.

    Driver Verifier Syntax

    The command-line syntax for Driver Verifier is as follows:

    verifier [/flags value [/iolevel level]] /all
    verifier [/flags value [/iolevel level]] /driver name [name ...]
    verifier /volatile /flags value
    verifier /reset
    verifier [/query]
    verifier /log log_file_name [/interval seconds]

    Driver Verifier Switches

    The Run dialog box switches of Driver Verifier are listed in Table 31.10.

    Table 31.10 Driver Verifier Command-Line Switches

    | Switch | Description |
    |---|---|
    | /all | Verifies all installed drivers. |
    | /driver | Verifies the driver specified in the name argument. |
    | /flags | Runs the checks specified in the value argument. |
    | /interval | Records log file entries in x second increments. The default interval is 30 seconds. |
    | /iolevel | Specifies the level of I/O verification. |
    | level | Specifies between a high-level scan and a full scan. 1: Only detects problems that will immediately cause the computer to fail. 2: A superset of level 1, it also detects problems that will cause failures from which the system can likely recover. This is the recommended setting. |
    | /log | Creates a log file to hold memory, Interrupt Request Level (IRQL), and spin lock information. |
    | /query | Causes the current data to be displayed on the screen. Data includes a count of memory allocations, IRQL raises, spin locks, and other data relevant to Driver Verifier options. |
    | /reset | Erases all the current Driver Verifier settings. |
    | /volatile | Used to change the Driver Verifier settings without restarting the system. Any new settings are lost when the system is restarted. |
    | log_file_name | Name of the log file. |
    | name | Name of the driver file. Multiple driver files can be listed in sequence, separated by spaces, but wildcards (* and ?) are not supported. |
    | seconds | Number of seconds in the interval. |
    | value | A decimal combination of bits representing the available flags: 0x01 Special pool checking; 0x02 Force IRQL checking; 0x04 Low resources simulation; 0x08 Pool tracking; 0x10 I/O checking. Bits can be freely combined. The default is 3. |
    | /? | Displays this list. |

    Running Driver Verifier with no command-line switches starts Driver Verifier Manager which uses a tabbed dialog box to separate the options it offers for testing device drivers, as shown in Figure 31.2.


    Figure 31.2 Driver Verifier Manager

    Driver Verifier Manager

    Table 31.11 describes each tab in the Driver Verifier Manager dialog box:

    Table 31.11 Driver Verifier Manager Dialog Box Tabs

    | Tab | Definition |
    |---|---|
    | Driver Status | Displays which drivers are loaded and being verified, and which Driver Verifier options are active. |
    | Global Counters | Displays statistics that assist in monitoring Driver Verifier actions. |
    | Pool Tracking | Displays information about paged and nonpaged pool allocations (both current amounts and peak amounts). |
    | Settings | Lists the drivers that are loaded and can be verified, as well as Verification type options available for use. |
    | Volatile Settings | Provides a list of verified drivers and a list of Verification type options used for each driver. |

  • To set up a driver to be tested by Driver Verifier Manager
    1. Open Driver Verifier Manager.
    2. Click the Driver Status tab, and then select the driver that you want to verify.


    NOTE
    You can verify multiple drivers at the same time, but to simplify the process, it is strongly recommended that you verify one driver at a time.

    3. Check the verification techniques that you want to enable in Verification Type. It is recommended that you enable all techniques for general testing.
    4. Click Apply and Exit, and then restart the computer for the changes to take effect.
    5. Reopen Driver Verifier Manager and make sure that the driver you want to test is shown in the Driver Status tab.
    6. Start an application that uses the device driver that you want to test.

    Run a series of tests that use the full capability of the device driver in question.

    If the Windows 2000 kernel detects any driver errors during startup or during the user tests, it generates a Stop message and displays information useful to support personnel on the screen and the kernel debugger host (if one is connected).

    If no errors are found, reset the Driver Verifier Manager so it does not continue to test the drivers.

  • To reset the Driver Verifier Manager
    1. Reopen Driver Verifier Manager.
    2. In the Additional Drivers text box, enter the driver's full file name and file name extension (without its path; if multiple drivers were tested, separate file names by using spaces).
    3. Clear all options in Verification Type.
    4. Click Apply and Exit, and then restart the computer.

    Driver Signing

    Driver signing is a multifaceted process in which device drivers are verified through a series of tests administered by the Windows Hardware Quality Lab (WHQL). Drivers that earn this certification are more robust and cause fewer problems with Windows 2000. Microsoft digitally signs drivers that pass the WHQL tests so they are recognized natively by Windows 2000 Professional. Devices covered include:

    • Keyboard
    • Hard disk controller
    • Multimedia device
    • Video display
    • Modem
    • Mouse
    • Network adapters
    • Printer
    • SCSI adapter
    • Smart card reader

    The system files provided with Windows 2000 have a Microsoft digital signature, which indicates that the files are original, unaltered system files and that they have been approved by Microsoft for use with Windows 2000.

    Windows 2000 Professional can warn or prevent users from installing unsigned code. If a file has not been digitally signed and resides in one of the mentioned device driver classes, a message alerts the user, and asks if they want to continue.

    All drivers included with Windows 2000 are digitally signed by Microsoft. You can verify that third-party drivers have met the WHQL standards and that they have not been modified since they were tested. To ensure that device drivers are compatible with Windows 2000, look for vendors offering drivers signed by Microsoft.

    Checking for Digital Signatures

    Windows 2000 includes the File Signature Verification tool and Signature Checking to identify files that have been signed.

    The File Signature Verification tool determines whether a file is signed and allows you to do the following:

    • View the certificates of signed files to ensure that the file has not been tampered with after being certified.
    • Search for signed files in a specific location.
    • Search for unsigned files in a specific location.

    To run the File Signature Verification tool, from the Start menu, click Run, and then type:

    sigverif

    To customize the behavior of the File Signature Verification tool, in the File Signature Verification dialog box, click Advanced. The Advanced File Signature Verification Settings dialog box provides the following options:

    • The Search tab allows you to search all drivers or specify the name and location of your driver search.
    • The Logging tab saves the program's results as a log file, in which you can specify the file name, whether to overwrite or append to an existing file, and view the existing log.

    The log file, Sigverif.inc, is stored in the %SystemRoot% folder by default, and records the following information about the files it scans:

    • Name
    • Modification date
    • Version number
    • Signed status
    • Location

    Signature Checking

    Signature Checking can be enabled by system administrators to ensure that Windows 2000 inspects files for digital signatures whenever drivers are installed.

    Signature Checking has three levels:

    • Level 0 disables digital signature checking. The dialog box that identifies a digitally signed driver does not appear, and all drivers are installed whether they are signed or not.
    • Level 1 determines whether the driver has passed WHQL testing. A message appears whenever a user tries to install a driver that fails the signature check.
    • Level 2 blocks installation of a driver that fails the signature check. The user is notified that the driver cannot be installed because it is not digitally signed.

    You can start the Signature Checking feature by using the Hardware tab of the System Properties dialog box.

    Drivers

    Drivers is a command-line tool that lists all of the drivers currently running on the computer from the %SystemRoot%\System32\Drivers folder. You can use this tool to identify a driver that might be causing problems due to corruption or because it is missing, not loaded, or outdated.

    Drivers is part of the Resource Kit Tools collection on the Windows 2000 Professional Resource Kit companion CD. For more information about Drivers, see Rktools.chm in the folder C:\Program Files\Resource Kit.

    Run Drivers from a command prompt, rather than from Windows Explorer, to see the resulting display. Drivers has no command-line switches.


    TIP
    Run Drivers when the system is working properly and save the output to a file. You can use these results as a comparison later if the system has problems with missing or corrupted drivers. To save the drivers list to a file, redirect the screen output to a file with the following command-line syntax:

    drivers > drivers_M-D-Y.inc

    where M is the numerical month, D is the day, and Y is the year that the report was run. Keep this file in a safe location or print it and record the date on the page.


    Table 31.12 describes the output from the Drivers tool. The most important field is ModuleName, which is the name of the component.

    Table 31.12 Column Names and Descriptions of the Drivers Tool Output

    | Column | Definition |
    |---|---|
    | ModuleName | The driver's file name. |
    | Code | The nonpaged code in the image. |
    | Data | The initialized static data in the image. |
    | Bss | The uninitialized static data in the image. This is data that is initialized to 0. |
    | Paged | The size of the data that is paged. |
    | Init | Data not needed after initialization. |
    | LinkDate | The date that the driver was linked. |

    The following is a sample portion of a Drivers output:

    ModuleName    Code    Data     Bss   Paged    Init          LinkDate
    ------------------------------------------------------------------------------
    ntoskrnl.exe  423680   61952       0  730432  136448  Sun Aug 22 14:47:30 1999
         hal.dll   33536    5536       0   31648   15488  Sat Aug 21 12:39:25 1999
     BOOTVID.dll    6048    2464       0       0     448  Sat Aug 21 12:34:13 1999
         pci.sys   12128    1536       0   30816    4576  Fri Aug 20 15:36:35 1999
      isapnp.sys   14432     832       0   23200    2080  Wed Aug 18 18:29:07 1999
    intelide.sys    1760      32       0       0     128  Sun Aug 22 14:17:56 1999
     PCIIDEX.SYS    4512     480       0   10848    1632  Sun Aug 22 14:17:56 1999
    MountMgr.sys    1088       0       0   22496    2176  Mon Aug 02 17:26:33 1999
      ftdisk.sys    4640      32       0   95776    3392  Sun Aug 22 14:18:00 1999
    Diskperf.sys    1440      32       0    2016     992  Sun Aug 22 14:17:59 1999
      WMILIB.SYS     480       0       0    1152     192  Sat Jul 31 11:29:42 1999
      dmload.sys    2848      64       0       0     608  Fri Aug 20 14:29:47 1999
    ...
       ntdll.dll  282624   16384       0   16384       0  Sun Aug 22 14:57:40 1999
    ------------------------------------------------------------------------------
           Total 3831648  306848       0 2966016  403552
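The comparison the tip above recommends, as an added example that is not part of the Resource Kit: it parses two saved Drivers reports in the column layout of the sample output and lists drivers that are missing, new, or changed in size or link date. Both reports below are constructed, and examplefilter.sys is a hypothetical driver name.

```python
"""Diff two saved `drivers` reports. Added example, not Resource Kit code."""
import re
from datetime import datetime

FIELDS = ("Code", "Data", "Bss", "Paged", "Init")
DATE_FORMAT = "%a %b %d %H:%M:%S %Y"
# One data row: module name, five sizes, then the link date.
ROW = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+"
    r"(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s*$"
)

# Constructed baseline, saved while the system was working properly.
BASELINE = """\
ModuleName    Code    Data     Bss   Paged    Init          LinkDate
------------------------------------------------------------------------------
ntoskrnl.exe  423680   61952       0  730432  136448  Sun Aug 22 14:47:30 1999
     hal.dll   33536    5536       0   31648   15488  Sat Aug 21 12:39:25 1999
     pci.sys   12128    1536       0   30816    4576  Fri Aug 20 15:36:35 1999
  ftdisk.sys    4640      32       0   95776    3392  Sun Aug 22 14:18:00 1999
------------------------------------------------------------------------------
       Total  473984   69056       0  888672  159904
"""

# Constructed later report from the same computer.
CURRENT = """\
ModuleName         Code    Data     Bss   Paged    Init          LinkDate
------------------------------------------------------------------------------
     ntoskrnl.exe  423680   61952       0  730432  136448  Sun Aug 22 14:47:30 1999
          hal.dll   33536    5536       0   31648   15488  Sat Aug 21 12:39:25 1999
          pci.sys   12640    1536       0   30816    4576  Tue Mar 14 09:12:44 2000
examplefilter.sys    2048      64       0       0     256  Tue Mar 14 09:13:02 2000
------------------------------------------------------------------------------
            Total  471904   69088       0  792896  156768
"""


def parse_drivers_report(text):
    """Return {lower-cased module name: record}; the header, rule lines,
    '...' and the Total row do not match ROW and are skipped."""
    drivers = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        name = match.group(1)
        sizes = dict(zip(FIELDS, (int(v) for v in match.group(2, 3, 4, 5, 6))))
        drivers[name.lower()] = {
            "name": name,
            "sizes": sizes,
            "linkdate": datetime.strptime(match.group(7), DATE_FORMAT),
        }
    return drivers


def compare(baseline, current):
    """Return sorted (kind, module, detail) findings; kind is one of
    'missing', 'new' or 'changed'."""
    findings = []
    for key in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(key), current.get(key)
        if new is None:
            findings.append(("missing", old["name"], "in baseline only"))
        elif old is None:
            findings.append(("new", new["name"],
                             f"linked {new['linkdate']:%Y-%m-%d}"))
        else:
            diffs = [f"{f} {old['sizes'][f]} -> {new['sizes'][f]}"
                     for f in FIELDS if old["sizes"][f] != new["sizes"][f]]
            if old["linkdate"] != new["linkdate"]:
                diffs.append(f"LinkDate {old['linkdate']:%Y-%m-%d} -> "
                             f"{new['linkdate']:%Y-%m-%d}")
            if diffs:
                findings.append(("changed", new["name"], "; ".join(diffs)))
    return findings


if __name__ == "__main__":
    report = compare(parse_drivers_report(BASELINE), parse_drivers_report(CURRENT))
    for kind, module, detail in report:
        print(f"{kind:8} {module:18} {detail}")
```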




    Last Updated: Friday, July 6, 2001