Trial Guide
Published November 2010
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Important Notice
Copyright
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these patents,
trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses,
logos, people, places, and events depicted in examples herein are fictitious. No association with any real
company, organization, product, domain name, e-mail address, logo, person, place, or event is intended
or should be inferred.
 2010 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, Excel, SoftGrid, SQL Server, Windows, Windows PowerShell, and
Windows Vista are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Page | 2
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Contents
IMPORTANT NOTICE .............................................................................................................................................. 2
COPYRIGHT....................................................................................................................................................................2
INTRODUCTION TO THE TRIAL GUIDE .................................................................................................................... 5
AUDIENCE FOR THIS GUIDE...............................................................................................................................................5
PRODUCT DOCUMENTATION .............................................................................................................................................5
OVERVIEW OF MICROSOFT DIAGNOSTICS AND RECOVERY TOOLSET ..................................................................... 6
CRASH ANALYZER ...........................................................................................................................................................6
ERD COMMANDER .........................................................................................................................................................6
SYSTEM RECOVERY OPTIONS.............................................................................................................................................6
DART TOOLS .................................................................................................................................................................7
TRIAL SYSTEM REQUIREMENTS .............................................................................................................................. 8
MICROSOFT DIAGNOSTICS AND RECOVERY TOOLSET DESKTOP CLIENT ......................................................................................8
MINIMUM HARDWARE REQUIREMENTS ..............................................................................................................................8
CHECKLIST OF TASKS .............................................................................................................................................. 9
BEFORE YOU GET STARTED...............................................................................................................................................9
BASIC TASKS ..................................................................................................................................................................9
ADDITIONAL INFORMATION ............................................................................................................................................10
INSTALLING MICROSOFT DIAGNOSTICS AND RECOVERY TOOLSET ....................................................................... 11
DOWNLOAD AND CREATE MDOP ISO .............................................................................................................................11
INSTALL DART TOOLS ....................................................................................................................................................12
REVIEW DART INSTALLATION..........................................................................................................................................15
Crash Analyzer Wizard .........................................................................................................................................15
CREATING DART BOOT MEDIA ............................................................................................................................. 17
HOW TO CREATE THE DART BOOT MEDIA ........................................................................................................................17
USING DART BOOT MEDIA TOOLS ........................................................................................................................ 19
BITLOCKER DRIVE ENCRYPTION .......................................................................................................................................19
SYSTEM RECOVERY OPTIONS...........................................................................................................................................20
Startup Repair ......................................................................................................................................................20
System Restore ....................................................................................................................................................20
System Image Recovery .......................................................................................................................................20
Windows Memory Diagnostics ............................................................................................................................21
Page | 3
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Command Prompt ................................................................................................................................................21
MICROSOFT DIAGNOSTICS AND RECOVERY TOOLSET............................................................................................................23
TROUBLESHOOTING............................................................................................................................................. 40
COMMON ERRORS ON THE MICROSOFT DIAGNOSTICS AND RECOVERY TOOLSET CLIENT .............................................................40
You might need to manually extract and install 64-bit definition updates for Standalone System Sweeper: .....40
Unicode characters are not displayed in some circumstances: ...........................................................................40
DaRT 6.5 command-line installation will silently fail if run with the quite mode option unless it is run using
elevated administrator permissions: ...................................................................................................................41
File search fails to move a folder to a different volume: .....................................................................................41
There is no Input Method Editor (IME) support on ERD: ......................................................................................41
Some data may not be available on machines where the drive letters are remapped: ......................................41
ACCESSING THE MICROSOFT SUPPORT KNOWLEDGE BASE .................................................................................. 42
CONTACTING MICROSOFT TRAINING ................................................................................................................... 42
Page | 4
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Introduction to the Trial Guide
This trial guide is designed to help you quickly set up and evaluate Microsoft ® Diagnostics and Recovery
Toolset (DaRT) in a test environment. This guide provides details of the steps necessary to install DaRT
components. You will install Microsoft Diagnostics and Recovery Toolset, create an Emergency Repair
Disk, and then review the DaRT tools that will help you accelerate desktop repair.
To help this process flow as smoothly as possible, we recommend that you read this guide carefully
before installing Microsoft DaRT.
Audience for This Guide
This guide was written for Microsoft Windows® system administrators and PC technician support
professionals. As an information technology (IT) professional, you should have sufficient knowledge and
experience to accomplish the following tasks:

Installing software

Creating ISOs and boot disks

Troubleshooting system startups
Product Documentation
Comprehensive documentation is available in the Microsoft Diagnostics and Recovery Toolset Help.
Release Notes for Microsoft Diagnostics and Recovery Toolset 6.5:
http://go.microsoft.com/fwlink/?linkid=163338
A Tour of the Diagnostics and Recovery Toolset:
http://technet.microsoft.com/en-us/windows/ee526596.aspx
Page | 5
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Overview of Microsoft Diagnostics and Recovery Toolset
Many IT departments take a proactive approach to backing up network data, but tend to be reactive in
planning for desktop system failures because they have no tools or processes in place that enable them
to be prepared. Instead, they typically reimage problem machines, but that can result in a loss of user
settings, personalization, and data. Microsoft Diagnostics and Recovery Toolset can help you save time
and reduce the challenges associated with troubleshooting and repairing system failures on Windowsbased desktops. Administrators can easily restore PCs that have become unusable, rapidly diagnose
probable causes of issues, and quickly repair unbootable or locked-out systems, all faster than the
average time it takes to reimage the machine. When necessary, you can also quickly restore critical lost
files. This helps IT teams make PCs safer to use, keeps employees productive, and makes desktops
easier and less expensive to manage.
Microsoft Diagnostics and Recovery Toolset 6.5 is a complete suite of powerful and versatile tools that
allow you to repair unbootable or locked-out systems, restore lost data, and diagnose system and
network issues while the system is safely offline. Microsoft DaRT includes the following tools:
Crash Analyzer
This lets you examine a Windows crash dump file, helping you determine the problem that caused the
system to fail. For more information about how to analyze a system crash, see the Crash Analyzer section
in this guide.
ERD Commander
This is tool is used to create the DaRT disk, a boot disk that adds functionality to the Windows Recovery
Environment (Windows RE), which provides utilities and wizards that help perform system diagnosis and
repair procedures, such as recovering data, disabling problematic drivers, and removing hotfixes. For
more information about diagnosing and repairing systems, see the Creating DaRT Boot Media section in
this guide.
System Recovery Options
Once you start the computer with the DaRT boot media, Windows RE is launched, and presents the
administrator with questions to initialize the environment, including initializing the network adapters as
well as selecting the language and Windows installation for repair. After preparing the environment, you
see the System Recovery Options dialog box, which contains the following options:

Startup Repair

System Restore

System Image Recovery

Windows Memory Diagnostics

Command Prompt
Page | 6
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
A detailed description of each of these options can be found later in this guide.
DaRT Tools
When booting from DaRT boot media, an additional option to the normal Windows Recovery Environment
menu is presented, the “Microsoft Diagnostics and Recovery Toolset” link. When you click this link, you
are presented with an additional 14 tools, including a Solutions Wizard, to help you decide which tool is
best to use in your current scenario, and a Help link. These tools are listed below in Table 1, and detailed
individually later in this guide:
Task
Edit the Registry
Solution
The ERD Registry Editor utility provides information about the registry
that can help you repair a system.
Regain access to a system
Diagnose a system failure
Salvage and repair
partitions or volumes
Recover deleted files
Erase disks or volumes
Search for particular files
Browse drives
Perform administrative
tasks to manage the
computer
Configure TCP/IP
Uninstall Windows hotfixes
and service packs
Check and repair system
files
Use an antimalware tool
The Locksmith wizard can be used to list the local user accounts and
change passwords.
The Crash Analyzer can be used to diagnose the cause of a system
crash and identify the driver that caused the failure.
The Disk Commander can be used to salvage or repair partitions, or
volumes.
The File Restore utility can be used to find and restore deleted files from
any supported Windows-based file system.
The Disk Wipe utility can be used to securely erase disks or volumes.
The Search utility allows you to restrict the scope of your search by
specifying part of the name, search location, estimated size of the file, or
the time when the file was modified.
The Explorer utility allows you to browse folders and files that are stored
on various drives.
The Computer Management utility provides recovery tools to help you:

Disable problematic drivers or services.

View event logs.

Partition and format hard disk drives.

Get information about Autoruns.

Get information about the computer.
The TCP/IP Config utility helps you to display and set a TCP/IP
configuration.
Hotfix Uninstall can be used to remove Windows hotfixes or service
packs from a system that cannot be started.
The SFC Scan utility helps you check system files and repair any that are
corrupt or missing.
The Standalone System Sweeper utility helps detect malware or other
unwanted software, and alerts you to potential risks.
Table 1: List of tools included in the DaRT Boot Disk
Page | 7
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Trial System Requirements
For this evaluation, one computer will run Microsoft Windows 7. You can use virtual machines on a single
physical computer that meets the system requirements of this trial.
In this trial, it is important that you set up Microsoft Diagnostics and Recovery Toolset in a test machine
that is not your production workstation since you may be performing tasks that may disrupt the use of this
system. The purpose of this trial is for you to gain an understanding of the tools available to
administrators with DaRT. You can address any questions relating to integration into your production
environment, such as which tools to give to administrators, developing a process for updating the
antivirus and antimalware definition files, and developing documentation for IT staff.
The following section lists the computer systems used for this trial evaluation.
Microsoft Diagnostics and Recovery Toolset Desktop Client

Windows 7 Enterprise or Ultimate Editions

Windows Server® 2008 R2
Minimum Hardware Requirements

1GHz 32-bit (x86) or 64-bit (x64) processor

1GB of system memory

CD or DVD drive (writeable CD or DVD drive required to create ERD CD or DVD)

BIOS support for starting the computer from a CD or DVD drive
Page | 8
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Checklist of Tasks
The following table lists all the tasks that need to be completed in the correct order. If you have not
worked with DaRT before, it is strongly recommended that you follow this sequence of tasks carefully to
ensure a successful installation and test of the DaRT system. If you complete all the tasks listed under
“Basic Tasks” you will have successfully completed the basic system evaluation. If you want to continue
with evaluating other system components, refer to the list of tasks under “Additional Information.”
Before You Get Started
Task
Pre-Requisite
Tip
Creating DaRT
Windows 7 or Windows Server 2008 R2 installation
Copy installation media to a
Boot Disk
media
network share or local
directory prior to running the
ERD Commander Boot Media
Wizard
Windows Debugging Tools
Download from
http://www.microsoft.com/whdc
/devtools/debugging/default.ms
px
Download from
Windows Symbol Files
http://www.microsoft.com/whdc
/devtools/debugging/symbolpk
g.mspx
Basic Tasks
Area
DaRT 6.5 Tools
Task
Create
Method
Download MDOP ISO
en_desktop_optimization_pack_2010_x86_x64_dv
d_x16-58156.iso
Crash Analyzer
Establish access to DaRT tools
Install DaRT Tools
Look at results of the DaRT installation process
Review DaRT Install
Go through the Crash Analyzer process
Examine Crash Analyzer
Page | 9
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
for DaRT 6.5
DaRT Boot Media
Establish access to a failed system by creating the
for DaRT 6.5
DaRT Boot Media
Review DaRT Tools
DaRT Boot Media
DaRT Tools
Additional Information
Area
Task
Crash Analyzer for
Test Crash Analyzer process with
DaRT 6.5
demo crash dump files
Method
Crash Files
Page | 10
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Installing Microsoft Diagnostics and Recovery Toolset
The section guides you through the step-by-step process of installing Microsoft Diagnostics and Recovery
Toolset.
Note: You must use the software and operating system versions listed in the following section to ensure
that the instructions and screen shots are accurate for the purposes of your testing and evaluation.
Download and Create MDOP ISO
MSDN and TechNet subscribers can download DaRT and use in a proof-of-concept (POC) or test
environment. In order to download the Microsoft Desktop Optimization Pack (MDOP) to license for
production use, you must be a Software Assurance (SA) customer. For more information on becoming an
SA customer, go to http://www.microsoft.com/licensing/software-assurance/default.aspx.
Existing SA customers can download MDOP, and the entire suite of tools that it includes, at any of the
following Microsoft sites:
Volume Licensing Service Center (VLSC):
https://www.microsoft.com/licensing/servicecenter/
MSDN:
http://msdn.microsoft.com/en-s/subscriptions/downloads/default.aspx?PV=42:178
TechNet:
http://technet.microsoft.com/en-us/default.aspx.
Once you have downloaded the MDOP ISO file, burn the ISO to CD or DVD media. Then simply start the
media, and install Microsoft Diagnostics and Repair Toolset.
Page | 11
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Install DaRT Tools
Installing the DaRT tools is a simple process. Simply insert the MDOP media and the click the link for
Microsoft Diagnostics and Repair Toolset, as seen in Figure 1. If your company policy disables Autorun
features on CD and DVD media, browse to the Launcher directory and then click Launcher.hta.
Figure 1: Splash screen displayed when the MDOP 2010 media is run from CD or DVD media.
Once you click on the Microsoft Diagnostics and Repair Toolset link, you will be presented with another
screen, with options to install different versions of DaRT for the different operating systems supported, as
well as options for 32-bit or 64-bit OS support. See Figure 2 for a complete list of options available. Make
sure you select the appropriate version for the desktop or server you need to recover. For the purpose of
this guide, in the DaRT 6.5 for Windows 7 and Windows Server 2008 R2 section, select Install DaRT 6.5
(32-bit) or (64-bit) based on the Windows version installed.
Page | 12
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Figure 2: Microsoft Diagnostics and Recovery Toolset can be installed to support many operating systems
and versions.
Note: Documentation for each of the available options can be found on the MDOP media by browsing to the
x:\DaRT\Documents folder (where x is the letter assigned to your CD/DVD Rom drive).
Page | 13
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
When you click Install DaRT 6.5 (32-bit), the Microsoft Diagnostics and Recovery Toolset 6.5 Setup
Wizard will launch.
1. On the Welcome to the Microsoft Diagnostics and Recovery Toolset 6.5 Setup Wizard page click
Next.
2. On the End-User License Agreement page, click I agree.
3. On the Select Installation Folder page, accept the default installation folder, and in the Install
Microsoft Diagnostics and Recovery Toolset 6.5 for section, click AllUsers if other users will log onto
this computer and need access to DaRT. Otherwise, leave the default setting and then click Next.
4. On the Choose Setup Type page, select Complete to install the Crash Analyzer Wizard and the
ERD Commander Boot Media Wizard.
5. On the Ready to Install page, click Install.
6. On the Completing the Microsoft Diagnostics and Recovery Toolset 6.5 Setup Wizard page, click
Finish.
Page | 14
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Review DaRT Installation
When DaRT has been successfully installed, you will see the Microsoft Diagnostics and Recovery
Toolset program group on your Start\All Programs menu. Within the program group you will notice four
(4) available options:

Crash Analyzer Wizard

ERD Commander Boot Media Wizard

Help

Release Notes
The Help link will open a Microsoft Compiled HTML file (CHM) file with step-by-step instructions on using
the two available tools. The Release Notes link will open the relnotes.htm file, which is also available in
the C:\Program Files\Microsoft Diagnostics and Recovery Toolset directory.
Crash Analyzer Wizard
The Crash Analyzer Wizard helps you to analyze a crash dump file to identify the driver that caused the
system to fail. You can use Crash Analyzer to review crash dump files, e.g., crash dump files that may be
a result of a Blue Screen of Death (BSoD) incident.
Before using the Crash Analyzer tool, you should download and install the Microsoft Debugging Tools for
Windows and Symbol Files. Microsoft Debugging Tools for Windows can be downloaded from
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a. You will also need a crash dump
file to analyze.
The following is a list of options available for ensuring you have access to the Symbol Files:



Copy the Dump File to another system: If the Symbol Files cannot be downloaded due to a
lack of an internet connection, copy the crash dump file to another system that does have an
internet connection, and run the Crash Analyzer Wizard from that system.
Access the Symbol Files from another system: Download the Symbol Files from a system that
does have an internet connection, and then copy the Symbol Files to the system that has the
crash dump file you wish to analyze. Alternatively, you can download the Symbol Files to a
system that has an internet connection and share the folder that contains the Symbol Files. Then
from the system that contains the crash dump file you wish to analyze, map a network drive to
that shared folder.
Access the Symbol Files through an HTTP proxy server: If the symbols cannot be
downloaded because an HTTP proxy server must be accessed, use the following steps to access
an HTTP proxy server:
o In DaRT 6.5, the Crash Analyzer Wizard has a new setting available on the Specify
Symbol Files Location page, marked Proxy server (optional, using the format
"server:port"). You can use this text box to specify a proxy server. Enter the proxy
address in the form <hostname>:<port>, where the <hostname> is a DNS name or IP
address, and the <port> is a TCP port number, usually 80. There are two modes in which
the Crash Analyzer can be run:
 Online mode: In this mode, if the proxy server field is left blank, the wizard uses
the proxy settings from Internet Options in Control Panel. If you enter a proxy
address in the text box that is provided, that address will be used, and it will
override the setting in the Internet Options.
Page | 15
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide

Windows Recovery Environment: When the Crash Analyzer is run from DaRT,
there is no default proxy address. If the computer is directly connected to the
Internet, a proxy address is not required, so you can leave this field blank in the
wizard setting. If the computer is not directly connected to the Internet, and it is in
a network environment with a proxy server, you must set the proxy field in the
wizard to access the symbol store. The proxy address can be obtained from the
network administrator. Setting the proxy server is essential only when the public
symbol store is connected to the Internet. If the symbols are already on the ERD
disk, or if they are accessible locally, setting the proxy server is not required.
How to Open and Run the Crash Analyzer
1. Click Start\All Programs\Microsoft Diagnostics and Recovery Toolset\Crash Analyzer
Wizard.
2. On the Welcome to the Crash Analyzer Wizard page, click Next.
3. On the Specify Microsoft Debugging Tools for Windows page, type the path to the directory
containing the Microsoft Debugging Tools for Windows, or click the download link to download the
package, if you have not pre-downloaded the tools and have an Internet connection, and then
click Next.
4. On the Specify Symbol Files Location page, select the appropriate option, as described above,
and then click Next.
5. On the Specify Dump File page, browse to the location of the crash dump file you wish to
analyze, and then click Next.
6. On the Analysis Summary page, click to view the details of the summary, and then when you are
finished, click Next.
7. On the Recommendations page, review the recommended actions, and then click Finish.
Page | 16
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Creating DaRT Boot Media
The tools included in the DaRT boot disk will allow a desktop support technician to quickly recover lost
files, uninstall Windows patches and drivers, modify registry keys, reset local user passwords, and much
more. For example, a new application or driver introduces an incompatibility with the current
configuration, or the inability to logon to a reclaimed system because you do not have the local
administrator password, would result in a desktop support technician re-imaging the affected system.
However, by using DaRT, the technician can often fix the issue in less time than the re-image would take,
and without losing any local files or personalization settings which exist on the system.
Creating the DaRT boot media can be done with a wizard interface or through a Command Prompt.
Creating the media using the Command Prompt allows you to set an expiration on the ISO file. This is
useful to ensure that only updated virus definitions are ever included on the DaRT DVD.
How to Create the DaRT Boot Media
Before you create the DaRT Boot Media, you will need access to the Windows 7 or Windows Server 2008
R2 media. Copy the DVD onto a local directory on the computer from which you plan to create the DaRT
Boot media, or place the DVD into the system’s DVD writer drive. Additionally, you should have the
Debugging Tools for Windows downloaded onto either the system from which you plan to create the
DaRT Boot Media, or the system which you wish to repair.
If you want to set an expiration date on the DaRT DVD, open a Command Prompt window and type
C:\Program Files\Microsoft Diagnostics and Recovery Toolset\ERDC.exe /numDays (where
numDays is the number of days that the bootable media will be useable). The wizard will launch just as if
you launched it from the Start menu, except the DVD will have an expiration date. All of the rest of the
steps are the same as detailed below.
1. Click Start\All Programs\Microsoft Diagnostics and Recovery Toolset\ERD Commander
Boot Media Wizard
Page | 17
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
2. On the Welcome to the ERD Commander Boot Media Wizard, click Next.
3. On the Select Boot Image page, browse to the location of the Windows 7 or Windows Server
2008 R2 media, and then click Next.
4. On the Preparing the Files page, click Next.
5. On the Tools Selection page, click Next.
6. On the Crash Analyzer Wizard page, browse to the directory where you downloaded the
Debugging Tools for Windows, and then click Next.
7. On the Standalone System Sweeper Definition Download page, select Next if you have an
Internet connection. Otherwise select the No, manually download definitions later option and
then click Next.
8. On the Standalone System Sweeper Definition Download page, when the status displays as
Definition download succeeded, click Next.
9. On the Additional Driver page, add any additional drivers which may be necessary to repair the
affected system, and then click Next.
10. On the Additional Files page, browse to add any additional files which will be needed on the
DaRT Boot media, and then click Next.
11. On the Create Startup Image page, click Browse to specify the location where you want the
startup image to be created, and then click Next.
12. On the Burn to a recordable CD page, select the drive containing the recordable CD or DVD
drive, and then click Next.
13. On the ERD Commander Boot Media Wizard page, click Finish. Note that you can also explore
the contents of the media by clicking the Explore button.
Page | 18
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Using DaRT Boot Media Tools
In order to successfully use the tools included on the DaRT Boot media, the BIOS of the affected system
must support booting from a CD or DVD Rom drive. Ensure the BIOS allows for booting to the CD or DVD
Rom drive. Once confirmed, follow these steps to use the DaRT Boot media, and the tools which it
contains:
1. Insert the DaRT Boot Media into the DVD drive of the system which you would like to repair, and
restart the system.
2. In the NetStart dialog box, click Yes to initialize network connectivity in the background.
3. In the NetStart dialog box, click Yes to remap the drive letters to match the mappings from the
target operating system.
4. In the System Recovery Options dialog box, select the appropriate keyboard input method, and
then select Next. For the purpose of this guide, select US.
5. In the System Recovery Options dialog box, there are several options. Select the appropriate
option and then click Next:
o Use recovery tools that can help fix problems starting Windows: Use this option to
be presented with a list of tools included on the DaRT Boot media.
 DaRT Boot media will scan the system for all installed operating systems and list
them here.
 If the operating system that you need to repair is not listed in this dialog, then
click the Load Drivers button to load the appropriate drivers for the hard drive
containing the affected operating system.
o Restore your computer using a system image that you created earlier: A system
image is an exact copy of your hard drive, which can be created by using Windows
Backup.
6. When you select to use the recovery tools, the System Recovery Options dialog will appear.
BitLocker Drive Encryption
If the system you are repairing has been encrypted with BitLocker ® Drive Encryption, you must have your
BitLocker Recovery Key available. When prompted, insert your USB drive with the BitLocker Recovery
Key and then select Load key from removable media. Alternatively, you can select Manually input the
key, and then enter the 48-digit Recovery Key.
Page | 19
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
WinRE BitLocker partition unlocking tool will only unlock one BitLocker volume. If multiple volumes are
locked by BitLocker, Standalone System Sweeper, File Restore, and Explorer will only be able to process
files on one locked volume. This may result in a file not being found when trying to restore a file from
multiple volumes, or may result in malware not getting detected when a user specifies a “full scan” to scan
all drives on a computer. To work around this issue, only work with a single volume at a time.
System Recovery Options
The System Recovery Options dialog box contains links to different tools to repair different issues. These
are the same System Recovery Options that are available on the Windows 7 installation media, except for
the Microsoft Diagnostics and Recovery Toolset, which is only available here. The tools include:

Startup Repair: Automatically fix problems that are preventing Windows from starting.

System Restore: Restore Windows to an earlier point in time.

System Image Recovery: Recover your computer using a system image you created earlier.

Windows Memory Diagnostics: Check your computer for memory hardware errors.

Command Prompt: Open a command prompt window.

Microsoft Diagnostics and Recovery Toolset: Launch various DaRT recovery tools.
Startup Repair
This tool can be used to restore a system that will not boot due to corrupt, missing, or damaged system
files. If problems are found, Startup Repair will fix them automatically. In some cases, Startup Repair will
fix the immediate problem of the system not booting properly, and then another tool may have to be used
to recover any missing files or data.
System Restore
Each time a Windows Update is installed, or a program is installed or removed, Windows automatically
creates a Restore Point. In the unlikely event that the installation of a Windows patch or the installation or
removal of software has made the system unable to boot properly, the System Restore tool will allow you
to restore your system to an earlier point in time, using a Restore Point previously created. This is a very
useful tool when the system cannot boot either normally, or even in Safe Mode.
System Image Recovery
A system image is a copy of the drives required for Windows to run. It can also include additional drives.
A system image can be used to restore the computer if the hard drive or computer ever stop working;
however, you cannot choose individual items to restore. You create a system image backup using
Backup and Restore Program in the Control Panel.
When you click the System Image Recovery tool, you are presented with a wizard interface, with several
options:
Page | 20
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide


Use the latest available system image (recommended): If a system image is found, the details
of the system image will be displayed in the fields on this page. Otherwise, this option is grayed
out.
Select a system image: When this option is selected, or if it is the only option available, you will
be presented with additional options to help System Image Restore locate the appropriate system
image. Select this option and then click Next.
o If the system image is on an external drive or a DVD, insert the external drive or DVD
before clicking Next.
o If the system image is on a network location or you need to install a driver for a backup
device containing the system image, click Advanced. The Re-image Your Computer
dialog box will appear with the following options:
 Search for a system image on the network: If you select this option, you must
provide the network location of the system image.
 Install a driver: If you select this option, you must browse to the location of the
driver you wish to install, for the device containing the system image.
Note: When you restore a system using the system image, the entire hard drive will be overridden
with the contents of the system image. You cannot selectively decide what to restore, and what to
keep.
Windows Memory Diagnostics
The Windows Memory Diagnostics tool will scan your computer for memory hardware problems. When
you select this tool, you are presented with two options:


Restart now and check for problems (recommended): Select this option to reboot the system
immediately and scan for memory hardware problems upon the startup of the system.
Check for problems the next time I start my computer: Select this option to scan the system
the next time the computer is started. Use this option if you would like to continue working without
the interruption of a reboot.
Command Prompt
When you select this tool, the familiar Windows Command prompt opens in the Windows RE. From within
this environment, all of the useful command-line tools are available, from the networking tools, like
IPCONFIG and PING, to Disk utilities like DISKPART and NET USE.
Often, the system will not boot properly due to a corrupted master boot record, a corrupt boot sector, or a
corrupt Boot Configuration Data (BCD) store. If this is the case, you should try the Windows Startup repair
tool first.
To rebuild the BCD store using the bootrec.exe command:
1. In the Command Prompt window, type bootrec.exe and then press Enter.
2. Type attrib c:\boot\bcd –r –s –h
3. Type ren c:\boot\bcd bcd.old (you should always rename this file as to not overwrite or delete it
in case you need to revert back to it later).
4. Type bootrec /RebuildBcd

Other Bootrec.exe options include:
/FixMbr: This option writes a Windows 7 compatible MBR (Master Boot Record) to the system partition.
This option does not overwrite the existing partition table. This option is useful to resolve MBR corruption
issues, or to remove non-standard code from the MBR.
Page | 21
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide



/FixBoot: This option writes a new boot sector to the system partition. Use this option if one of the
following conditions is true:
o The boot sector has been replaced with a non-standard Windows 7 boot sector.
o The boot sector is damaged.
o An earlier Windows operating system (Windows XP or earlier) has been installed after
Windows 7 was installed. In this scenario, the computer starts using the Windows NT
Loader (NTLDR) instead of Windows Boot Manager (bootmgr.exe).
/ScanOS: This option scans all disks for installations that are compatible with Windows 7. Additionally, it
displays the entries that are currently not in the BCD store. Use this option, if your Windows 7 installation
is not listed in the BCD store.
/RebuildBcd: This option scans all disks for installations that are compatible with Windows 7, and lets
you select the installations that you want to add to the BCD store. Use this option when you need to
completely rebuild the BCD store.
Page | 22
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Microsoft Diagnostics and Recovery Toolset
As we have previously stated, this option will present you with a list of powerful tools to assist in getting
your system back online, usually in less time than a re-image. The 14 tools in this toolset are detailed
below.
Figure 3: Diagnostic and Recovery Toolset Tools
Page | 23
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
ERD Registry Editor
You can use the ERD Registry Editor to edit the registry of the Windows operating system that you are
repairing. This includes adding, removing, and editing keys and values, and importing .reg files. When
you open the ERD Registry Editor, the HKEY_LOCAL_MACHINE string does not contain a hardware key.
Additionally, there will be no HKEY_CURRENT_USER key, as no user has actually logged onto the
operating system. All edits are being performed through Windows RE.
Figure 4: ERD Registry Editor
Page | 24
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Locksmith
Locksmith is a simple tool that allows you to set the password for any local account on the Windows
operating system that you are repairing, including the administrator account. This tool is particularly
useful in the event that the password for a local account, such as the local administrator account, is
unknown.
You do not need to know the current password in order to change a password. However, the password
you set must comply with any requirements that a local Group Policy object (GPO) defines, including
password length and complexity.
Note: This tool cannot set passwords for domain accounts.
Figure 5: Locksmith Wizard
Page | 25
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Crash Analyzer
Crash Analyzer allows you to quickly determine the cause of an issue by analyzing the memory dump file
on the Windows operating system that you are repairing. Based on this information, you can take
corrective action. The Crash Analyzer Wizard can eliminate much of the guesswork involved in
diagnosing nonresponsive systems.
For example, if you install a piece of hardware which includes the driver MyFault.sys, and the computer
becomes unresponsive, the Crash Analyzer can read the dump file (C:\Windows\Memory.dmp file) for the
cause of the crash. You can then use this information to disable the device in Computer Management,
using the Services and Drivers node.
Figure 6: Crash Analyzer Wizard Analysis Summary
Page | 26
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
File Restore
In many cases, users delete files only to realize that they still need access to these files later. Fortunately,
the Windows Recycle Bin does not permanently delete files, and in most cases, users can simply open
the Recycle Bin and restore the needed file. However, after a user empties the Recycle Bin, if a file is too
big for the Recycle Bin, or if an application deletes the file, recovering the file is not as simple.
File Restore enables you to restore files in each of these scenarios. First, you must find the file that needs
to be restored, which is made easier through the File Restore interface, and the filtering capabilities. The
interface also allows for wildcards and exact path locations, files sizes, date ranges, etc. A deleted file
which resides in a deleted directory can also be found and recovered.
Note: When a file is deleted, the deleted file’s space on the drive is available to the operating
system to overwrite. Therefore it is important to recover the deleted file as soon as possible.
If the drive that you are recovering the file from is encrypted with BitLocker Drive Encryption, File Restore
gives you the opportunity to unlock the encrypted volume by manually providing the recovery password or
loading the recovery key from a file.
Figure 7: File Restore
Page | 27
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Disk Commander
The Disk Commander tool allows you to recover and repair disk partitions and volumes, restore the
master boot record using a GUI interface, restore partition tables from a backup, or save partition tables
to a backup.
Examples of where this tool could be useful include recovering the partition table after it has been lost
due to corruption or infection from a virus.
It is important to remember that two or more volumes on a single disk will share a partition table, so
changes to one volume may affect another volume on the same hard drive. For this reason, as a best
practice, always make a Disk Commander backup before attempting to repair the disk.
Figure 8: Disk Commander Wizard
Page | 28
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Disk Wipe
Often, an organization will simply format the computers’ hard drives prior to recycling, donating, or
discarding the computers. However, formatting the hard drive is not enough. A malicious user with the
right tools can still read the confidential data that still resides on the hard drive.
Disk Wipe can erase all data from a disk or from a single volume on a disk. There are two algorithms
available: Single pass overwrite and 4 pass overwrite, which meets the U.S. Department of Defense
standards.
Figure 9: Disk Wipe
Page | 29
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Computer Management
While many users are familiar with Computer Management in Windows, the Computer Management tool
included in DaRT is a subset of the familiar console. The console in DaRT is tailored to include only the
tools necessary to diagnose and repair problems preventing Windows from booting. The console includes
the following tools:





System Information: Includes useful information about the system you are diagnosing, including
number and type of processors, build number and version of the kernel, amount of RAM, etc.
Event Viewer: Displays logs about system and application activity.
Autoruns: Displays those services and processes that are configured to run at startup, and
allows you to disable them.
Services and Drivers: Displays all services, including the startup configuration and all drivers
loaded into the driver store. You can stop or disable any service, or uninstall any driver that may
be causing Windows to be unresponsive.
Disk Management: Displays information about the hard drives installed, the partitions and
volumes configured, and the file systems.
Figure 10: Computer Management
Page | 30
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Help
This documentation is in the form of Microsoft Compiled HTML (CHM) file. It is also available in the
C:\Program Files\Microsoft Diagnostics and Recovery Toolset directory.
Figure 11: DaRT Help
Page | 31
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Explorer
Before using the Disk Wipe tool or Computer Management tool to delete or format partitions, you may
need to store company sensitive data or user documents, as to not lose them in the repair process. The
Explorer tool allows you to open an Explorer window to gain access to the files and folders, mapped
network drives, and file systems of the system you are repairing. Since DaRT supports both network
connectivity, for mapping drives, and USB devices this makes recovering the data much easier if a disk
wipe or re-image becomes necessary.
Figure 12: DaRT Explorer
Page | 32
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Solution Wizard
With so many tools available in the DaRT toolset, determining the correct tool for your specific needs may
be challenging. The Solutions Wizard asks a series of questions and recommends the best tool based on
your answers, helping to make it easier for you to get familiar with the set of tools available. Once you
have been working with DaRT and have been using the tools, you will likely go directly to the tool that you
need. Until you are more familiar with the toolset, start with the Solution Wizard.
Figure 13: Solution Wizard
Page | 33
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
TCP/IP Config
When you boot the system using the DaRT boot media, you have the option of obtaining an IP address
from a Dynamic Host Configuration Protocol (DHCP) server. If DHCP is unavailable, you can manually
configure Transport Control Protocol/Internet Protocol (TCP/IP) information by using this tool. Simply
choose your network adapter and then configure the appropriate information, either TCP/IP version 4 or
TCP/IP version 6. Often, you will use this tool prior to using one of the other tools. When you click the
Advanced button, you are presented with additional information, such as the physical address (MAC
Address) of the network adapter, the IPv4 and IPv6 information, link speed, DNS information, etc.
Figure 14: TCP/IP Config
Page | 34
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Hotfix Uninstall
The Hotfix Uninstall Wizard can remove hotfixes and service packs from the Windows operating system
that you are repairing. Use this tool when you believe a recent patch or service pack is preventing
Windows from booting properly. It is recommended that you remove only one hotfix at a time, although
the tool allows you to uninstall more than one at a time.
Note: Some programs which were installed or updated after the hotfix was installed may need to be
repaired or reinstalled as well.
Figure 15: Hotfix Uninstall Wizard
Page | 35
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
SFC Scan
System File Checker can be used to help repair operating system files that are preventing your system
from properly booting. SFC Scan will verify your operating system files based on the signatures to ensure
they have not been altered. You can go through the process to verify and replace and files that may be
flagged as not compliant with the signature status of the original system files.
Figure 16: SFC Scan Wizard
Page | 36
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Search
In recovery scenarios, when repairing the installed operating system is not possible, you can use File
Search to find users’ documents and copy them from the computer. Although the Explorer tool can be
helpful, File Search can help you find documents when you do not know the file path or search for general
types of files across all the local hard disks. The interface is like the File Restore interface with the filters
and wildcards available to assist in finding the correct files prior to re-imaging the system.
Figure 17: Search
Page | 37
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Standalone System Sweeper
The Standalone System Sweeper can help detect malware and unwanted software and alert you to
security risks, while the system is offline and disconnected from the corporate network. When the
Standalone System Sweeper detects malicious or unwanted software, it prompts you to remove,
quarantine, or allow each item. You can use this tool to scan a computer for and remove malware while
the installed Windows operating system is not running.
Malware that uses rootkits can mask itself from the running operating system. A rootkit is a program, or a
set of programs, which gets installed onto a system and impersonates running services, making the
rootkit invisible to the installed operating system. If a rootkit-enabled virus or spyware makes its way to
the system, most real-time scanning and removal tools can no longer see it or remove it. Because DaRT
boots into Windows RE and the installed operating system is offline, you can attack the rootkit without it
hiding from you, and since the definitions can be updated at run-time, you will always have an updated
definitions file.
If you expect a machine may be compromised by malware, for example, if it is suddenly performing
unusually, but other anti-virus/anti-malware tools are not identifying a problem you can run the
Standalone System Sweeper determine if the machine has been infected with a rootkit.
During the creation of the DaRT boot media, you have the option of updating the Standalone System
Sweeper definitions, to ensure you always have an up-to-date definition file. Alternatively, if you are using
boot media which has been previously created, because DaRT has TCP/IP and networking support, you
have the option of updating the definition file during run-time. Note that these are the same definition files
that are available to other Microsoft antimalware products.
Page | 38
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Figure 18: Standalone System Sweeper
Page | 39
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Troubleshooting
This section addresses some of the most common issues you might encounter when you install,
configure, and test Microsoft Diagnostics and Recovery Toolset.
If you need additional help, search either the Microsoft Knowledge Base or the Diagnostics and Recovery
Toolset TechCenter.
Common Errors on the Microsoft Diagnostics and Recovery Toolset Client
The following sections list the most common errors encountered with Microsoft Diagnostics and Recovery
Toolset.
You might need to manually extract and install 64-bit definition updates for Standalone System
Sweeper:
The following is a known issue with the Standalone System Sweeper. As a temporary workaround, you
can follow these steps in order to install up-to-date definitions on the x64 version of the Standalone
System Sweeper.
1.
2.
3.
4.
5.
6.
7.
8.
From a browser on a computer that is connected to the Internet, go to the Microsoft Security
Portal and download the x64 version of Standalone System Sweeper definition updates.
Expand the contents of the definition package as follows. Open a command prompt, and
type: mpam-fex64 /x: <folder path> where <folder path> is the directory to which the
extracted contents need to be copied.
e.g., mpam-fex64.exe /x: “%ProgramFiles%\DefUpdates”.
Copy the extracted contents to a removable media device, such as a USB flash drive.
Insert the USB flash drive into the machine where you want to run the Standalone System
Sweeper.
Start DaRT and launch the Standalone System Sweeper.
From the DaRT menu, launch Explorer.
Copy MPASBase.vdm, MPASDlta.vdm, mpavbase.vdm, mpavdlta.vdm and mpengine.dll
into the Updates folder relative to the windows path of the operating system selected:
e.g., c:\Windows\Standalone System Sweeper\Definition Updates\Updates
Wait for a few seconds. The antimalware and antivirus version numbers on the Standalone
System Sweeper home page will be refreshed to show the new version numbers.
Unicode characters are not displayed in some circumstances:
If a user deletes a file that has Unicode characters in its file name and tries to restore the file using the
File Restore tool, the file will not be found. This only occurs when characters from a language other than
the language of the Windows 7 DVD are used to create the DaRT ERD CD.
Page | 40
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
DaRT 6.5 command-line installation will silently fail if run with the quiet mode option unless it is run
using elevated administrator permissions:
DaRT 6.5 installation supports the normal MSI options for command-line installation. Please refer to
Command-Line Options for more details about the various available switches.
File search fails to move a folder to a different volume:
While attempting to move a folder to a different volume in File Search, an error is returned stating "An
error occurred while writing the file [filename]. Ensure the drive has sufficient space and the destination
path is accessible.”
Moving folders between volumes is not supported by the File Search application. To work around this,
use the Explorer to move the folder.
There is no Input Method Editor (IME) support on ERD:
An input Method Editor allows you to type double-byte characters for languages such as Japanese. This
functionality would be provided by the Win PE/Win RE environment, but by default Win PE/Win RE does
not include support for IME. To enable IME support in Win RE and to turn on the ERD CD, follow the
steps from the following KB article to create a Win RE image that supports IME and then create the ERD
CD from the image.
http://support.microsoft.com/kb/926181/
When creating the Win PE/Win RE image, it is essential that the WinPE-SRT-Package is added using the
PEImg.exe tool. Failure to add this package to the image will prevent the generated ERD CD from
working. For information on how to use PEImg to add packages to a Windows PE image please see
Building a Windows PE Image.
Some data may not be available on machines where the drive letters are remapped:
This problem is known to occur on BitLocker-enabled machines as well as multi-boot machines. The
problem is that some information in the offline registry has hard-coded drive letters, and DaRT uses
different letters for the same volumes. The typical effects include not having access to certain local user
accounts in ERD Registry Editor or Autoruns. Additionally, some tools may not be able to get the
properties that rely on resolving file paths.
Page | 41
Microsoft Diagnostics and Recovery Toolset Version 6.5 Trial Guide
Accessing the Microsoft Support Knowledge Base
To access the Microsoft Support Knowledge Base and search for answers to the most frequently asked
questions, go to Microsoft Support.
Contacting Microsoft Training
To register for training courses, obtain course descriptions, and get information about Microsoft
certifications, go to Microsoft Training & Events.
Page | 42