Using BOOTLOG.TXT and EXTRACT to Find and Replace a Missing File

Materials:
Working complete PC
Blank Diskette
Student Diskette, "New Boot A Ver 2.0+"
Student CD-ROM, "Room 6359"
Objectives:
The student will become familiar with the Windows 9x Diagnostic Boot Menu, and
Learn how to use the "Boot Logged" Diagnostic Boot Method, and
Become familiar with how to open and analyse the contents of the boot up log file, and
Be able to use the EXTRACT utility to locate, extract, and replace a missing Windows component from the installation CAB files.
Competency:
The student will understand the nature and function of the Diagnostic Boot Menu of Windows 98 and the functionality of each menu choice as well as using the "Boot Logged" method to create a boot up log file. The student will learn how to open and analyze this boot up log file in order to identify a missing or corrupt Windows component and then will learn to use the EXTRACT utility to replace the missing or corrupt driver and restore functionality to the operating system.

    Preparation for the Lab

  1. Before using EXTRACT.EXE in this Lab exercise, the system must first be damaged. Restart in MS-DOS mode and switch to the C:\WINDOWS\SYSTEM directory. List all files that end in ".DRV". There are quite a few so use the alphabetical order and pause switches:

    C:\WINDOWS>cd system
    C:\WINDOWS\SYSTEM>dir *.drv /o /p

  2. Press any key to advance the listing until the file VGA.DRV is encountered. It should be near the bottom of the listing. Back at the DOS prompt, rename the file to VGA.DR!:

    C:\WINDOWS\SYSTEM>ren vga.drv vga.dr!
    C:\WINDOWS\SYSTEM>_

  3. Now reboot the PC and allow Windows to boot up. It will begin to load, then the Windows splash screen will disappear leaving the following disconcerting screen:

    Error loading user.exe. You must reinstall Windows.
    _





    Procedures

  5. Reboot the system (it has locked up on purpose and must be either reset or powered off and powered back on). Just after the BIOS screens, press the [F8] key (or the [Ctrl] key alone) to display the Windows 98 boot up menu; if you have modified MSDOS.SYS to display it, that's even better. Select choice number 2, "Logged", then press [Enter]:

    Microsoft Windows 98 Startup Menu

       1. Normal
       2. Logged (\BOOTLOG.TXT)
       3. Safe Mode
       4. Step-by-step confirmation
       5. Command prompt only
       6. Safe mode command prompt only

    Enter a choice: 2



    F5=Safe mode  Shift+F5=Command prompt  Shift+F8=Step-by-step confirmation [N]

  6. Windows will complain that it was not shut down properly on the prior boot up and show the boot menu again, recommending the choice "Safe Mode." Change it back to "Logged" and hit [Enter] again, thus forcing it to proceed with the logged boot up. Windows will crash like before, but this time it has recorded the boot up events in the file BOOTLOG.TXT in the root of the C: drive.

  7. Now the system must be rebooted by another DOS kernel. This is to avoid overwriting the BOOTLOG.TXT file, which would happen if you rebooted to the installed Windows 98 kernel and selected Safe Mode Command Prompt Only. (The system can also be booted to Command Prompt Only, but Safe Mode Command Prompt Only will overwrite the first copy of BOOTLOG.TXT.) Reboot to the student CD-ROM or any bootable Windows 98 diskette that has EDIT.COM and ATTRIB.EXE on it.

  8. Change to the C: drive and remove the hidden attribute from the file BOOTLOG.TXT:

    C:\>a:\attrib -h bootlog.txt
    C:\>_

  9. Now open the file in EDIT.COM:

    C:\>a:\edit bootlog.txt

  10. This opens the file in EDIT. With it displayed on screen and the cursor still at the top, open the Search main menu choice by hitting [Alt]+[S]. Now down arrow to the Find choice and hit [Enter]. This opens the Find text dialog box. The situation should look something like this:

       File    Edit    Search    Options    Help    
    BOOTLOG.TXT
    [00107703] Loading Device = C:\WINDOWS\SETVER.EXE
    [00107703] LoadSuccess = C:\WINDOWS\SETVER.EXE
    [00107703] Loading Device = C:\WINDOWS\HIMEM.SYS
    [00107703] LoadSuccess = C:\WINDOWS\HIMEM.SYS
    [00107703] Loading Device = C:\CDROM\OAKCDROM.SYS
    [00107743] LoaFind
    [00107743] Loa   
    [0010773B] Loa  Find What: [fail..........................]  
    [0010773B] Loa   
    [0010773A] Loa  [ ] Match Whole Word Only  
    [00107784] Loa  [ ] Match Case  
    [00107787] Loa   
    [00107787] Loa   
    [00107783] Loa       OK          Cancel         Help     
    [00107784] Loa                  
    [00107783] LoadSuccess = vnetsup.vxd  
    [00107784] Loading Vxd = ndis.vxd
    [00107783] LoadSuccess = ndis.vxd
    [00107783] Loading Vxd = ndis2sup.vxd
    [00107783] LoadFailed = ndis2sup.vxd
    [00107783] Loading Vxd = JAVASUP.VXD
    [00107783] LoadSuccess = JAVASUP.VXD
    [00107783] Loading Vxd = CONFIGMG
    [00107784] LoadSuccess = CONFIGMG
    [00107784] Loading Vxd = NTKERN
    [00107785] LoadSuccess = NTKERN
    [00107785] Loading Vxd = VWIN32

  11. Type in the word "fail" (without the quotes please!) as you see it above and press [Enter]. If the string is matched, Edit will scroll down to the match, highlight it, and leave the cursor on it. If the line that contains the word also contains a reference to a file name, record that file name. It is a potential contributor to the system's problems:

       File    Edit    Search    Options    Help    
    BOOTLOG.TXT
    [00107703] Loading Device = C:\WINDOWS\SETVER.EXE
    [00107703] LoadSuccess = C:\WINDOWS\SETVER.EXE
    [00107703] Loading Device = C:\WINDOWS\HIMEM.SYS
    [00107703] LoadSuccess = C:\WINDOWS\HIMEM.SYS
    [00107703] Loading Device = C:\CDROM\OAKCDROM.SYS
    [00107743] LoadSuccess = C:\CDROM\OAKCDROM.SYS
    [00107743] Loading Device = C:\WINDOWS\DBLBUFF.SYS
    [0010773B] LoadSuccess = C:\WINDOWS\DBLBUFF.SYS
    [0010773B] Loading Device = C:\WINDOWS\IFSHLP.SYS
    [0010773A] LoadSuccess = C:\WINDOWS\IFSHLP.SYS
    [00107784] Loading Vxd = VMM
    [00107787] LoadSuccess = VMM
    [00107787] Loading Vxd = C:\WINDOWS\SMARTDRV.EXE
    [00107783] LoadSuccess = C:\WINDOWS\SMARTDRV.EXE
    [00107784] Loading Vxd = vnetsup.vxd
    [00107783] LoadSuccess = vnetsup.vxd
    [00107784] Loading Vxd = ndis.vxd
    [00107783] LoadSuccess = ndis.vxd
    [00107783] Loading Vxd = ndis2sup.vxd
    [00107783] LoadFailed = ndis2sup.vxd
    [00107783] Loading Vxd = JAVASUP.VXD
    [00107783] LoadSuccess = JAVASUP.VXD
    [00107783] Loading Vxd = CONFIGMG
    [00107784] LoadSuccess = CONFIGMG
    [00107784] Loading Vxd = NTKERN
    [00107785] LoadSuccess = NTKERN
    [00107785] Loading Vxd = VWIN32

  12. Repeat the last find with the [F3] key. Keep doing this, finding each "fail" and recording any file name on the matching line, until Find reports that there are no more occurrences of the word within BOOTLOG.TXT. Move back to the start of the file by pressing [CTRL]+[Home]. Now move to the end of the file by pressing [CTRL]+[End]. The end of the file looks like this:

       File    Edit    Search    Options    Help    
    BOOTLOG.TXT
    InitDone = Final USER
    Init = Installable Drivers
    InitDone = Installable Drivers
    Init = TSRQuery
    InitDone = TSRQuery
    [00107576] Enumerating Standard Floppy Disk Controller (BIOS\*PNP0700\0C)
    [00107578] Enumerated Standard Floppy Disk Controller (BIOS\*PNP0700\0C)
    LoadStart = C:\WINDOWS\SYSTEM\USER32.DLL
    LoadSuccess = C:\WINDOWS\SYSTEM\USER32.DLL
    LoadStart = COOL.DLL
    LoadSuccess = COOL.DLL
    Init = KEYBOARD
    InitDone = KEYBOARD
    Init = Mouse
    Status = Mouse driver installed
    InitDone = Mouse
    Init =
    LoadStart = vga.drv
    LoadFail = vga.drv Failure code is 0002
    LoadStart = USER.EXE
    LoadFail = USER.EXE Failure code is 0001


    Terminate = KERNEL
    Terminate = Win32
    EndTerminate = Win32
    EndTerminate = KERNEL

  13. These four lines mean that the error that occurred immediately prior to them was so bad that Windows shut itself down. Immediately above these four lines are two failures loading files that should have been spotted in the previous section while searching for the word "fail." Both of these have failure codes associated with them, which also elevates the severity of the failure. The lower the number, the worse the severity of the code. In this case, then, it appears that the two files most likely causing the system to crash and shut itself off during the boot process are vga.drv and USER.EXE. Armed with this information, the Windows 98 installation CABs can now be searched for them.

  14. However, EDIT.COM may not always be available. In that case, having already removed the hidden attribute from BOOTLOG.TXT with the ATTRIB command, use the TYPE command to display the end of the file (the rest will scroll off screen, but the end of the file is important to see if the major failure that caused Windows to shut down was recorded):

    C:\>type bootlog.txt
    [00107578] Enumerated Standard Floppy Disk Controller (BIOS\*PNP0700\0C)
    LoadStart = C:\WINDOWS\SYSTEM\USER32.DLL
    LoadSuccess = C:\WINDOWS\SYSTEM\USER32.DLL
    LoadStart = COOL.DLL
    LoadSuccess = COOL.DLL
    Init = KEYBOARD
    InitDone = KEYBOARD
    Init = Mouse
    Status = Mouse driver installed
    InitDone = Mouse
    Init =
    LoadStart = vga.drv
    LoadFail = vga.drv Failure code is 0002
    LoadStart = USER.EXE
    LoadFail = USER.EXE Failure code is 0001


    Terminate = KERNEL
    Terminate = Win32
    EndTerminate = Win32
    EndTerminate = KERNEL

    C:\>_

  15. If the FIND command is available it can be used to isolate the lines that contain the characters "fail" also:

    C:\>find /i "fail" bootlog.txt

    ---------- bootlog.txt
    [000CA57B] LoadFailed = ndis2sup.vxd
    [000CA6AC] INITCOMPLETEFAILED = SDVXD
    LoadFail = vga.drv Failure code is 0002
    LoadFail = USER.EXE Failure code is 0001

    C:\>

  16. The file VGA.DRV will be checked out and, if necessary, replaced on the system first. That is, the files will be handled in the order in which they appear. It should be noted that the file NDIS2SUP.VXD is a network driver that always gives this error on the machines in the classroom. The 3COM NIC drivers apparently bypass it in favor of their own version of the file. In the field the technician cannot be aware of this anomaly and would have to search for and replace it as well. In our environment it will be ignored to save time. It will turn out that the failure of USER.EXE was entirely because it depended on VGA.DRV. Once VGA.DRV is replaced, USER.EXE will be capable of running and no further work will have to be undertaken. It is often the case that one Windows component is completely dependent on another.

    First let's search for the file. Be sure that SMARTDRV.EXE is loaded (it is a disk caching utility that greatly speeds up hard drive access and depends on HIMEM.SYS which means your technician's repair floppy now needs these two files and a CONFIG.SYS and AUTOEXEC.BAT to load them), then use the DIR command to search the entire C: drive for the problem driver file:

    C:\>smartdrv

    C:\>dir vga.drv /s

    File not found
    C:\>_

  17. In some cases the file will be found; in that case it should be "quarantined." This simply means that the file is corrupt, which is why Windows is having a problem with it. First try to rename it, which would be: REN C:\WINDOWS\SYSTEM\VGA.DRV VGA.DR! If this results in an error ("Cannot rename the file C:\WINDOWS\SYSTEM\VGA.DRV" or "File Not Found") then the problem has definitely been found and either the file system or the occupied sectors (or both!) are damaged. This might be a job for data recovery.

  18. Moving right along, the reason that an error occurred in this case while loading this driver is that it is gone. Therefore it must be found. The first place to search is the Windows 98 installation *.CABs. These are not normally on the hard drive of the user's PC and can be found in the WIN98 folder of a full OEM version of the CD-ROM. Now it looks like the technician's diskette will have to feature full CD-ROM support as well. With the CD-ROM drivers already launched and referring to the CD-ROM as the Q: drive, change into the Q: drive and then into the WIN98 folder. Be aware that the DOS environmental variables will have to be changed since this session booted the PC from a floppy:

    C:\>q:

    Q:\>cd win98

    Q:\WIN98>set TMP=C:\

    Q:\WIN98>set TEMP=C:\

    Q:\WIN98>_

  19. The system is almost ready for the EXTRACT command to be used. If EXTRACT.EXE is on the floppy, the DOS PATH environmental variable should be set to point to the floppy drive. If the diskette is known to be the exact same version of the operating system as that which is on the hard drive (i.e. it is a boot diskette created on this PC prior to its getting damaged), then this PATH can be set:

    Q:\WIN98>path=C:\WINDOWS\COMMAND

    Q:\WIN98>_

  20. Now EXTRACT can be used. It will be used to determine which of the Windows 98 installation *.CABs holds the missing Windows component. (You should issue the command as extract /? to get a fast help screen on how to use it.) In this case the "/a" switch is used, which means to process all of the subsequent CABs, so if the first one is named in the command then ALL of the CABs will be processed. The "/d" switch will also be used, which instructs EXTRACT not to perform any actual file extraction but rather to just display the contents of the CABs. Used together, "/a /d" means to display the contents of all of the CABs when the first one is named in the command. The first Windows 98 installation CAB is BASE4.CAB. The command can be passed an optional second parameter naming the particular file that should be extracted (or displayed in this case). Since there are almost 100 CABs, this will scroll off of the screen. Therefore the screen output of EXTRACT will be "piped" to the MORE command, which acts as an output text filter, catching everything and then displaying it one full screen at a time, pausing to let the user press any key to continue:

    Q:\WIN98>extract /a /d base4.cab vga.drv | more

    Microsoft (R) Cabinet Extraction Tool - Version (16) 1.00.603.0 (08/14/97)
    Copyright (c) Microsoft Corp 1994-1997. All rights reserved.

    Cabinet base4.cab


    Cabinet BASE5.CAB


    Cabinet BASE6.CAB


    Cabinet NET7.CAB


    Cabinet NET8.CAB


    Cabinet NET9.CAB


    Cabinet NET10.CAB


    -- More --_

  21. Press any key until the entry in the *.CABs appears on screen. Directly above it is the name of the *.CAB file that holds the driver. If it is not found in the Windows 98 installation *.CABs then it is a driver file provided by the manufacturer of the device involved. In this case, if the system will not at least boot up in safe mode it could be quite difficult to extract it from the manufacturer's CD-ROM or diskette:



    Cabinet WIN98_42.CAB


    Cabinet WIN98_43.CAB


    Cabinet WIN98_44.CAB <= Here is the CAB that contains the driver

    04-23-1999 10:22:00p A---        52,080 vga.drv <= Here is the driver

    Cabinet WIN98_45.CAB


    Cabinet WIN98_46.CAB


    Cabinet WIN98_47.CAB


    Cabinet WIN98_48.CAB


    -- More --^C
    Q:\WIN98>_

  22. In our case the file was found within the file WIN98_44.CAB. It can now be extracted from the *.CAB. But the extraction process will create a new file in the current directory (in simple usage) so change to the root of the C: drive and then perform the extraction (don't forget to supply the filename with a complete absolute reference to it):

    Q:\WIN98>C:
    C:\>extract q:\win98\win98_44.cab vga.drv

    Microsoft (R) Cabinet Extraction Tool - Version (16) 1.00.603.0 (08/14/97)
    Copyright (c) Microsoft Corp 1994-1997. All rights reserved.

    Cabinet win98_44.cab

    Extracting vga.drv

    C:\>_

  23. Now the driver is located in the root directory of the C: drive, which is rarely a good place for a driver. It was only done for simplicity's sake. It must be copied into several directories of the Windows system. This is because there is no fixed rule concerning where such a driver should go. Fortunately, amid the maze of folders that comprise Windows, only a few have to be committed to memory for this operation. Any attempt to replace a driver manually like this will involve copying the driver into: C:\WINDOWS, C:\WINDOWS\SYSTEM, C:\WINDOWS\SYSTEM32, C:\WINDOWS\SYSTEM\VMM32, and C:\WINDOWS\SYSTEM\IOSUBSYS. Copy the file into each of these destinations (usage of the [F3] command line shortcut key will greatly ease the pain):

    C:\>copy vga.drv windows

     1 file(s) copied
    Press [F3], then add \system, then [Enter]
    C:\>copy vga.drv windows\system

     1 file(s) copied
    Press [F3], then add 32, then [Enter]
    C:\>copy vga.drv windows\system32

     1 file(s) copied
    Press [F3], backspace the 32, add \vmm32[Enter]
    C:\>copy vga.drv windows\system\vmm32

     1 file(s) copied
    Press [F3], backspace VMM32, add \iosubsys[Enter]
    C:\>copy vga.drv windows\system\iosubsys

     1 file(s) copied
    C:\>_

  24. At this point the problem driver has been successfully isolated, located, extracted, and replaced into the operating system folders. The PC can now be rebooted. If all went well the system should boot up to the desktop once again.
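
The BOOTLOG.TXT triage from the steps above (search for "fail", then check the end of the file for the Terminate lines), as an added Python example that is not part of the original lab. The function name and report fields are assumptions made for illustration, the sample log is constructed from lines shown in this lab, and the "unfinished" check goes beyond the lab's "fail" search.

```python
import re

# Constructed sample assembled from the BOOTLOG.TXT lines shown in this lab.
SAMPLE_BOOTLOG = r"""[00107783] Loading Vxd = ndis2sup.vxd
[00107783] LoadFailed = ndis2sup.vxd
[000CA6AC] INITCOMPLETEFAILED = SDVXD
LoadStart = C:\WINDOWS\SYSTEM\USER32.DLL
LoadSuccess = C:\WINDOWS\SYSTEM\USER32.DLL
Init = Mouse
InitDone = Mouse
LoadStart = vga.drv
LoadFail = vga.drv Failure code is 0002
LoadStart = USER.EXE
LoadFail = USER.EXE Failure code is 0001

Terminate = KERNEL
EndTerminate = KERNEL
"""

# Optional "[hex timestamp]" prefix, then "Key = Value".
LINE_RE = re.compile(r"^(?:\[[0-9A-Fa-f]{8}\]\s*)?([^=]+?)\s*=\s*(.*)$")
CODE_RE = re.compile(r"^(.+?)\s+Failure code is ([0-9A-Fa-f]{4})$")

def triage(text):
    """Summarise a BOOTLOG.TXT: failed loads, coded failures, shutdown marker."""
    failures, pending, terminated = [], {}, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                          # blank lines, "Enumerating ..." lines
        key, value = m.group(1).lower(), m.group(2).strip()
        if key.startswith(("loading", "loadstart")):
            pending[value.lower()] = value    # load begun, result not yet seen
        elif key == "loadsuccess":
            pending.pop(value.lower(), None)
        elif "fail" in key:                   # LoadFail, LoadFailed, INITCOMPLETEFAILED
            coded = CODE_RE.match(value)
            name, code = (coded.group(1), coded.group(2)) if coded else (value, None)
            pending.pop(name.lower(), None)
            failures.append({"line": lineno, "file": name, "code": code})
        elif key == "terminate":
            terminated = True                 # Windows shut itself down
    return {
        "failures": failures,
        # Failures that carry a failure code, in log order.
        "coded": [f["file"] for f in failures if f["code"]],
        "terminated": terminated,
        # Loads with no logged result (assumption: added check, not in the lab).
        "unfinished": list(pending.values()),
    }

if __name__ == "__main__":
    report = triage(SAMPLE_BOOTLOG)
    for f in report["failures"]:
        print(f"line {f['line']:>3}  {f['file']}  code={f['code']}")
    print("shutdown recorded:", report["terminated"])
    print("no result logged:", report["unfinished"])
```

To run it against a real log copied off the damaged machine, read the file with `open(path, errors="replace").read()` and pass the text to `triage()`.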

Review Questions

  1. What are the possible ways of getting to the Windows 98 Diagnostic Boot Menu (aside from editing the MSDOS.SYS file)?


  2. If Step-by-Step Confirmation does not reveal the problem (Windows hangs or shuts down after the last "Y") what choice can be taken from the boot menu to isolate the cause?


  3. What troublesome file attribute does the system place on BOOTLOG.TXT which may need to be removed in order to view it?


  4. What key text string can be searched for within the BOOTLOG.TXT that can isolate problems?


  5. BOOTLOG.TXT is always created by Windows whether it is requested or not from the boot menu. To avoid overwriting the one requested how should the system be booted?


  6. Before searching the entire drive for a file or before using EXTRACT what utility should be loaded first?


  7. Write the alternative command besides using EDIT that can search BOOTLOG.TXT for the problems?


  8. Write the command that will search all CABs in the C:\WIN98 directory for the missing file SHDOCVW.DLL?


  9. What five directories should an EXTRACTed Windows driver or component be copied into to be sure that it will land in the right place?


Copyright©2000-2004 Brian Robinson ALL RIGHTS RESERVED