Miscellaneous Tools for Windows NT/2K
Copyright © 1997-2000 Mark Russinovich
Last Updated January 16, 2000
Table of Contents

This page presents a continuously growing collection of applets that fill holes in the functionality that NT comes with out of the box.
  Junction Create NTFS directory junctions
  LoggedOn See who's logged on to the local or a remote system
  EFSDump Dump information about Win2K encrypted files
  Streams View NTFS file stream information
  IsTrial See if you have a trial version of WinNT/2K, and if so, when it will expire
  UpTime See how long the local or a remote system has been up
  VolumeId Change the volume IDs of hard drives and floppy disks
  Sync Flush the WinNT/2K file system cache to disk
  Autologon Configure WinNT/2K auto-logon properties
  Hostname Convert IP addresses to host names and vice versa
  Strings Search files for ASCII or UNICODE strings
Junction

Win2K's version of NTFS supports directory symbolic links, where a directory serves as a symbolic link to another directory on the computer. For example, if the directory D:\SYMLINK specified C:\WINNT\SYSTEM32 as its target, then an application accessing D:\SYMLINK\DRIVERS would in reality be accessing C:\WINNT\SYSTEM32\DRIVERS. Directory symbolic links are known as NTFS junctions in Win2K. Unfortunately, Win2K comes with no tools for creating junctions - you have to purchase the Win2K Resource Kit, which comes with the linkd program for creating junctions. I therefore decided to write my own junction-creating tool: Junction. Junction not only allows you to create NTFS junctions, it allows you to see if files or directories are actually reparse points. Reparse points are the mechanism on which NTFS junctions are based, and they are used by Win2K's Remote Storage Service (RSS), as well as volume mount points.

If you want to view reparse information, the usage for Junction is the following:

Usage: junction [-s] <directory or file name>

-s         Recurse subdirectories.

If you want to create or delete a junction, use Junction like this:

Usage: junction [-d] <junction directory> [<junction target>]

To delete a junction specify the -d switch and the junction name.
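Because a junction makes a path inside one directory tree resolve into a completely different tree, it is worth being able to find every reparse point under a tree and see where it points, which is what "junction -s" reports. The function below is an added example written for this page, not code from Junction's own source; it assumes PowerShell 5.1 or later on Windows, where the file system provider adds LinkType and Target properties to FileSystemInfo objects, and it tests the same FILE_ATTRIBUTE_REPARSE_POINT bit that Junction looks at.

```powershell
# Added example, not from the Junction tool: list every reparse point under a
# path and show its link type and target, the way "junction -s <dir>" does.
# Assumes PowerShell 5.1+ on Windows (LinkType/Target are PowerShell-added
# properties; New-Item -ItemType Junction exists from PowerShell 5).
function Get-ReparsePoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse                     # mirrors junction's -s switch
    )

    $root  = Get-Item -LiteralPath $Path -Force
    $items = @($root)
    if ($root.PSIsContainer) {
        $items += Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse
    }

    foreach ($item in $items) {
        # FILE_ATTRIBUTE_REPARSE_POINT is set for junctions, symbolic links, volume
        # mount points and RSS placeholder files alike; that is what Junction reports.
        if (([int]$item.Attributes -band [int][IO.FileAttributes]::ReparsePoint) -eq 0) { continue }

        [pscustomobject]@{
            Path     = $item.FullName
            # 'Junction' (also used for volume mount points, which share the same reparse
            # tag), 'SymbolicLink', or $null for tags PowerShell does not classify.
            LinkType = $item.LinkType
            Target   = ($item.Target -join ';')
        }
    }
}

# Usage: create the junction from the page's example, then find it again.
# New-Item -ItemType Junction -Path D:\SYMLINK -Value C:\WINNT\SYSTEM32 | Out-Null
# Get-ReparsePoint -Path D:\ -Recurse | Format-Table -AutoSize
```

Reviewing the Target column is the useful part: a junction whose target lies outside the tree you thought you were sharing, backing up or granting permissions on changes what that operation actually touches.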

Download Junction (16KB)

Download Junction Source (22KB)

LoggedOn

You can determine who is using resources on your local computer with the "net" command ("net session"); however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. LoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. Full source code is included.

LoggedOn's definition of a locally logged on user is one that has their profile loaded into the Registry, so LoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key that has a name that is a user SID (Security Identifier), LoggedOn looks up the corresponding user name and displays it. To determine who is logged onto a computer via resource shares, LoggedOn uses the NetSessionEnum API. Note that LoggedOn will show you as logged on via resource share to remote computers that you query because a logon is required for LoggedOn to access the Registry of a remote system.

Usage: loggedon [\\computername]

computername         Specifies the name of a remote computer.
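The two data sources described above (SID-named keys under HKEY_USERS for interactive logons, the server's session table for share-based logons) can be reproduced in PowerShell. The function below is an added example, not LoggedOn's source code. It assumes PowerShell 5.1 or later on Windows; for a remote computer it assumes the Remote Registry service is running there (and, as the page notes, the query itself creates a session on that machine), and the share-session half assumes the Get-SmbSession cmdlet (Windows 8 / Server 2012 and later) with administrative rights.

```powershell
# Added example, not the LoggedOn tool's code: combine HKEY_USERS SID keys and
# SMB server sessions into one list, for the local or a remote computer.
function Get-LoggedOnUser {
    [CmdletBinding()]
    param([string] $ComputerName = '')   # '' = local machine, otherwise a remote computer name

    # --- Locally logged-on users: profile hives loaded under HKEY_USERS ---
    # An empty machine name makes OpenRemoteBaseKey open the local registry.
    $users = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try {
        foreach ($name in $users.GetSubKeyNames()) {
            # Keep only account SIDs (local/domain S-1-5-21-..., Azure AD S-1-12-1-...).
            # This drops .DEFAULT, the service SIDs S-1-5-18/19/20 and the *_Classes
            # hives that newer Windows versions load beside each profile.
            if ($name -notmatch '^S-1-(?:5-21|12-1)-[\d-]+$') { continue }

            $sid = New-Object System.Security.Principal.SecurityIdentifier($name)
            try {
                # Translation runs on the querying machine, so a remote system's
                # purely local accounts may come back unresolved.
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'   # e.g. a deleted account whose hive is still loaded
            }
            [pscustomobject]@{ Source = 'Local (HKEY_USERS)'; User = $account; SID = $name; Client = $null }
        }
    } finally {
        $users.Close()
    }

    # --- Users connected through resource shares (what LoggedOn gets from NetSessionEnum) ---
    if (Get-Command Get-SmbSession -ErrorAction SilentlyContinue) {
        $smbArgs = @{}
        if ($ComputerName) { $smbArgs['CimSession'] = $ComputerName }
        Get-SmbSession @smbArgs | ForEach-Object {
            [pscustomobject]@{ Source = 'Resource share'; User = $_.ClientUserName; SID = $null; Client = $_.ClientComputerName }
        }
    }
}

# Usage:
# Get-LoggedOnUser | Format-Table -AutoSize
# Get-LoggedOnUser -ComputerName fileserver01 | Format-Table -AutoSize
```

As with LoggedOn itself, a loaded profile hive is evidence that an account logged on and has not been fully logged off; it does not by itself prove that the account currently has an interactive session.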

Download LoggedOn (18KB)

Download LoggedOn Source (26KB)

EFSDump

Windows 2000 introduces the Encrypting File System (EFS) so that users can protect their sensitive data. Several new APIs make their debut to support this facility, including one - QueryUsersOnEncryptedFile - that lets you see who has access to encrypted files. This applet uses the API to show you what accounts are authorized to access encrypted files. Full source code is included.

Usage: efsdump [-s] <file or directory>

-s         Recurse subdirectories.

EFSDump takes wildcards e.g. 'efsdump *.txt'.

Download EFSDump (23KB)

Streams

The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax "file:stream", you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on an NTFS drive from within a command prompt. Next, type "echo hello > test:stream". You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter "more < test:stream" (the type command doesn't accept stream syntax so you have to use more).

NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files you specify and inform you of the name and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information. Full source code is included.

Usage: streams [-s] <file or directory>

-s         Recurse subdirectories.

Streams takes wildcards e.g. 'streams *.txt'.
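Since a directory listing reports only the unnamed stream's size, data parked in a named stream is invisible to the usual tools, which is exactly why an inventory like the one Streams produces matters. The function below is an added example, not the Streams tool's source: it uses the -Stream parameter that PowerShell's file system provider has offered since version 3 (on Windows, against an NTFS volume) instead of the undocumented native function the page mentions, and reports the same information, the name and size of every named stream.

```powershell
# Added example, not from the Streams tool: report every named alternate data
# stream under a path, like "streams -s <dir>". Assumes Windows PowerShell 3+
# or PowerShell 7 on Windows with an NTFS volume.
function Get-NamedStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # file, directory or wildcard, as with streams.exe
        [switch] $Recurse                         # mirrors streams' -s switch
    )

    Get-ChildItem -Path $Path -File -Force -Recurse:$Recurse | ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one record per stream; ':$DATA' is the main
        # unnamed stream whose size Explorer and dir report, so it is skipped.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream    # e.g. 'stream' from the page's demo, or 'Zone.Identifier'
                    Length = $_.Length    # bytes held in the named stream
                }
            }
    }
}

# Usage: repeat the page's demonstration with cmdlets, then inventory the result.
# Set-Content -Path .\test -Stream stream -Value hello   # same effect as "echo hello > test:stream"
# Get-Content -Path .\test -Stream stream                # same as "more < test:stream"
# Get-NamedStream -Path .\test
# Get-NamedStream -Path C:\Users -Recurse | Where-Object Stream -ne 'Zone.Identifier'
```

Zone.Identifier is the one named stream you will see everywhere on a modern system (browsers write it to downloaded files); filtering it out, as the last usage line does, leaves the streams that deserve a look.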

Download Streams (19KB)

IsTrial

Microsoft makes available a 120-day time-locked version of Windows NT, and their Beta versions expire 240 days after they are installed. However, Microsoft does not provide any means of determining if the version of NT you are running is a time-locked version or not. Many organizations run into problems when an installation they had forgotten was a trial version suddenly announces it is shutting down. This applet will tell you whether your systems are running trial versions of NT, and if they are, their exact expiration times.

Usage: istrial

Download IsTrial (13KB)

Uptime

This applet will tell you how long an NT system has been up. It uses the Performance Data Helper library to easily read the System Up Time performance counter on the local machine or the machine you specify by name on the command line. Full source code is included and I've included a copy of PDH.DLL, a Microsoft DLL that comes with the SDK. Contrary to what Microsoft's documentation implies, it doesn't appear that this DLL is included in a standard NT 3.51 or 4.0 distribution (it is in NT 5.0).

Usage: uptime [computer name]

Download Uptime (57KB)

VolumeID

While NT and Windows 9x's built-in Label utility lets you change the labels of disk volumes, it does not provide any means for changing volume ids. This utility, Volumeid, allows you to change the ids of FAT and NTFS disks (floppies or hard drives) on both Windows NT/2K and Windows 9x.

Usage: volumeid <driveletter:> xxxx-xxxx

Note that changes on NTFS volumes won't be visible until the next reboot. In addition, you should shut down any applications you have running before changing a volume id. NT may become confused and think that the media (disk) has changed after a FAT volume id has changed and pop up messages indicating that you should reinsert the original disk (!). It may then fail the disk requests of applications using those drives.

Download VolumeID (15KB)

Sync

UNIX provides a standard utility called sync, which can be used to direct the operating system to flush all file system data to disk in order to ensure that it is stable and won't be lost in case of a system failure. Otherwise, any modified data present in the cache would be lost. Here is an equivalent that I wrote, called Sync, that works on both Windows NT and Windows 95/98. Use it whenever you want to know that modified file data is safely stored on your hard drives. Unfortunately, Sync requires administrative privileges to run. This version, 2.0, also lets you flush removable drives such as ZIP drives. Source code to the NT-only version of Sync is available on the Dr. Dobb's Journal Systems Internals CD-ROM.

Usage: sync [-r | drive letter list]

-r         Flush removable drives.

Specifying specific drives (e.g. "c e") will result in Sync only flushing those drives.

Download Sync (18KB)

Download Sync for Compaq Alpha (39KB)

Autologon

NT 3.51 and 4.0 provide Registry settings that can be set so that a user is automatically logged in the next time the system would otherwise put up the logon dialog box. However, the Registry values are hidden very deep, and are a pain to configure. This program, Autologon, will do the Registry configuration for you, and allow you to enable and disable auto-logon when you want.

Autologon is easy enough to use. Just run autolog.exe, fill in the dialog, and hit Enable. To turn off auto-logon, hit Disable. If the DefaultPassword is NULL, autologon will only occur once and then be disabled. Also, if the shift key is held down before the system performs an autologon, the autologon will be disabled for that logon.
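The flip side of a convenient auto-logon is that the DefaultPassword value the page mentions holds the account's password in clear text in the Registry, readable by anyone who can read that key, so an administrator will want to know on which machines it is set. The function below is an added example, not Autologon's code; it assumes the well-known Winlogon key, HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, with its AutoAdminLogon, DefaultUserName, DefaultDomainName and DefaultPassword values, and reports only whether a password is present, never its contents.

```powershell
# Added example, not from the Autologon tool: audit the Winlogon auto-logon
# values on the local or a remote machine. Assumes the standard Winlogon key
# (an assumption of this example, not something the page spells out).
function Get-AutoLogonStatus {
    [CmdletBinding()]
    param([string] $ComputerName = '')      # '' = local machine

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
        if (-not $key) { throw "Winlogon key not found on '$ComputerName'" }

        $password = $key.GetValue('DefaultPassword')
        [pscustomobject]@{
            ComputerName      = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
            AutoAdminLogon    = ($key.GetValue('AutoAdminLogon') -eq '1')   # REG_SZ "1" enables it
            DefaultDomainName = $key.GetValue('DefaultDomainName')
            DefaultUserName   = $key.GetValue('DefaultUserName')
            # A NULL DefaultPassword limits auto-logon to a single use (as the page says);
            # a non-empty one means the password sits in the Registry in clear text.
            ClearTextPassword = -not [string]::IsNullOrEmpty($password)
        }
        $key.Close()
    } finally {
        $hklm.Close()
    }
}

# Usage: flag machines where auto-logon is enabled and a clear-text password is stored.
# Get-AutoLogonStatus | Where-Object { $_.AutoAdminLogon -and $_.ClearTextPassword }
# 'pc01','pc02' | ForEach-Object { Get-AutoLogonStatus -ComputerName $_ } | Format-Table
```

Run against a list of workstations this gives a quick inventory of where the convenience of auto-logon has been traded for a stored password.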

Download Autologon (8KB)

Download Autologon Source (21KB)

Hostname

Hostname is a very simple utility that takes either an IP address (e.g. 123.456.7.8), or a host name (e.g. ftp.ntinternals.com), and performs a translation into its inverse form. For example, if you pass hostname an IP address, you'll get back a host name, and if you pass it a host name it will give you the corresponding IP address. It runs under Windows 95 or Windows NT.

Usage: hostname [IP address, hostname]
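The same two-way translation, deciding the direction by whether the argument parses as an IP address, is a few lines with the .NET resolver. The function below is an added example, not the hostname tool's code; it uses System.Net.Dns, so it works wherever PowerShell runs, and the sample names in the usage lines are assumptions.

```powershell
# Added example, not from the hostname tool: resolve an address to a name or a
# name to its addresses, picking the direction from the input's form.
function Resolve-HostName {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Name)

    # TryParse also accepts abbreviated numeric forms such as "123", so an all-digit
    # host name would be treated as an address here, just as it would by most tools.
    $parsed    = $null
    $isAddress = [System.Net.IPAddress]::TryParse($Name, [ref] $parsed)
    $direction = if ($isAddress) { 'Reverse (address -> name)' } else { 'Forward (name -> address)' }

    try {
        # GetHostEntry does a PTR lookup for an address and an A/AAAA lookup for a name.
        $entry  = [System.Net.Dns]::GetHostEntry($Name)
        $result = if ($isAddress) { $entry.HostName } else { ($entry.AddressList | ForEach-Object { $_.IPAddressToString }) -join ', ' }
    } catch {
        $result = "<unresolved: $($_.Exception.Message)>"
    }

    [pscustomobject]@{ Input = $Name; Direction = $direction; Result = $result }
}

# Usage:
# Resolve-HostName 'ftp.ntinternals.com'
# Resolve-HostName '127.0.0.1'
```

One caveat worth remembering when reading the reverse direction: the PTR record for an address is published by whoever controls that address's reverse zone, so the name that comes back is a label, not proof of who is on the other end.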

Download hostname (11KB)

Strings

Working on NT means that executables and object files will many times have embedded UNICODE strings that you cannot easily see with standard ASCII strings or grep programs. So we decided to roll our own. Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters. Note that it works under Windows 95 as well.

Usage: strings [-s] [-a] [-n X] <file or directory>

Strings takes wild-card expressions for file names, and additional command line parameters are defined as follows:

-s Recurse subdirectories.
-a Scan for ASCII instead of UNICODE
-n X Strings must be a minimum of X characters in length.

To search one or more files for the presence of a particular string using strings use a command like this:

strings * | findstr /i TextToSearchFor
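What Strings does internally is a scan for runs of printable characters of at least the minimum length, once as single bytes (ASCII) and once as UTF-16LE code units (UNICODE), and that scan is easy to reproduce. The function below is an added example, not the Strings tool's source; it mirrors the -a and -n switches, and it assumes, as Strings' 3-character default suggests, that only the ASCII subset of UTF-16LE (each printable byte followed by a zero byte) needs to be matched. It runs in Windows PowerShell 5.1 and PowerShell 7 on any platform.

```powershell
# Added example, not from the Strings tool: extract printable ASCII or UTF-16LE
# ("UNICODE") runs of at least N characters from a file, with their byte offsets.
function Find-PrintableString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Ascii,            # mirrors strings' -a switch (default is UNICODE)
        [int] $MinimumLength = 3    # mirrors strings' -n X
    )

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    # Map each byte to exactly one char (ISO-8859-1) so a .NET regex can scan raw bytes
    # and every match index is also a byte offset.
    $raw = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    if ($Ascii) {
        $pattern = "[\x20-\x7E]{$MinimumLength,}"
        $decode  = { param($m) $m.Value }
    } else {
        # UTF-16LE: each printable ASCII code unit is followed by a zero byte.
        $pattern = "(?:[\x20-\x7E]\x00){$MinimumLength,}"
        $decode  = { param($m) $m.Value -replace "`0", '' }   # drop the high zero bytes
    }

    foreach ($m in [regex]::Matches($raw, $pattern)) {
        [pscustomobject]@{
            Offset = $m.Index          # byte offset of the run within the file
            Text   = & $decode $m
        }
    }
}

# Usage, equivalent to the page's "strings * | findstr /i TextToSearchFor":
# Get-ChildItem -File | ForEach-Object { Find-PrintableString $_.FullName } |
#     Where-Object Text -match 'TextToSearchFor'
# Find-PrintableString .\sample.exe -Ascii -MinimumLength 8
```

When triaging an unfamiliar executable this is the quickest first look: embedded paths, registry key names and URLs usually show up in the UNICODE pass, and the byte offset tells you where in the image to look next.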

Download strings (14KB)