77 Restore Corrupted System Files






Extract important drivers and other system files from .cab files on your Windows system from within Knoppix.

One of the functions of the Windows Recovery CD is to restore system files that have been corrupted. Basically, the CD extracts the default versions of these drivers from .cab files stored on the CD and overwrites the versions on your system. If you have applied service packs since you installed Windows, drivers updated by the service pack are overwritten with these old ones. If you don't have a Windows Recovery CD handy or you want to use files from a service pack, restore important system files by using the .cab files that are already on your system with Knoppix. If you don't have the necessary .cab files, download the security patches from Microsoft's site, and extract the files you need [Hack #79].

1 Call a Cab

Before you can restore a system file, you have to locate the .cab file that stores it. Don't worry. It's much easier and faster to find a .cab with Knoppix than to find one in New York City.

In this example, the goal is to replace a corrupted ntdll.dll file, a very important Windows system file. First, find which .cab files on your system it is in. Mount the Windows partition under Knoppix (in this example, the partition is mounted under /mnt/hda1), and then use the Linux find command combined with cabextract (a Linux utility that can extract files from .cab files):

[knoppix]$ find /mnt/hda1/ -name '*.cab' -exec sh -c 'if cabextract -l "$1" 2>/dev/null | grep ntdll.dll; then echo "$1"; fi' sh {} \;
    481040 | 27.10.1999 12:06:10 | ntdll.dll
/mnt/hda1/winnt/Driver Cache/i386/driver.cab
    491792 | 19.06.2003 12:05:04 | ntdll.dll
/mnt/hda1/winnt/ServicePackFiles/i386/sp4.cab

Basically, the script finds all .cab files on your Windows partition, and then searches through the files they contain for the file you are looking for. In this example, I found two .cab files that contain ntdll.dll: /mnt/hda1/winnt/Driver Cache/i386/driver.cab and /mnt/hda1/winnt/ServicePackFiles/i386/sp4.cab. Notice that the files have different sizes and different dates. A good rule of thumb is to use the most current version of the file; in this case, it is in sp4.cab.

While this magic spell might seem complicated, you only need to focus on the grep command. Reuse this command to find other files by simply replacing ntdll.dll with the filename you are searching for.


If you can't seem to find a .cab file on your system with the files you need, you can also use cabextract to extract files directly from Microsoft's official Service Packs. As [Hack #79] mentions, Microsoft's TechNet page (http://www.microsoft.com/technet) allows you to download full standalone executable patches for your system, including Service Packs. Use the search engine on TechNet's page to find Service Packs for your version of Windows. For instance, if you type "Windows 2000 Service Pack," the first few links direct you to the latest Service Packs. Even though these files end in ".exe," these Service Packs are actually self-extracting .cab files, and cabextract works with them the same way.

If you are given a choice between the Express Install version and the Network Install version, choose the Network Install. The Express Install does not actually contain all the system files and instead runs a program that downloads the ones your particular system needs. You want to extract specific files, so download the Network Install, which includes all the system files.


If you have not yet mounted your system with write permissions, right-click on the icon on the desktop and click Actions -> Change Read/Write Mode, or in the case of an NTFS partition, follow the steps in [Hack #73].

Once you choose the .cab file to use, change to the directory that contains your corrupted file. If you aren't sure where it is, type:

[knoppix]$ find /mnt/hda1 -name ntdll.dll -print
/mnt/hda1/winnt/system32/ntdll.dll

After you change to that directory, use cabextract to extract the file and overwrite the corrupted version:

[knoppix]$ cd /mnt/hda1/winnt/system32/
[system32]$ sudo cabextract -F ntdll.dll "/mnt/hda1/winnt/ServicePackFiles/i386/sp4.cab"
Extracting cabinet: /mnt/hda1/winnt/ServicePackFiles/i386/sp4.cab
  Extracting ntdll.dll

All done, no errors.
[system32]$

Now change to a directory outside of your Windows partition, unmount it, and then reboot.

[system32]$ cd
[knoppix]$ sudo umount /mnt/hda1
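
The search and restore steps above, combined into one script as an added example that is not part of the original text. It matches the member name exactly instead of by grep substring, picks the most recent copy, and keeps the damaged file before overwriting it; the function names and the .corrupt suffix are made up for illustration, and cabextract, find and awk are assumed to be available as on Knoppix.

```sh
#!/bin/sh
# Added example, not from the original text. Needs cabextract, find, awk, sort.

# parse_listing CAB NAME: read `cabextract -l` output on stdin and print
# "YYYYMMDDhhmmss<TAB>size<TAB>CAB" for each member named exactly NAME.
# Values go through the environment so awk does not expand backslashes in them.
parse_listing() {
    CAB="$1" WANT="$2" awk -F'|' '
        NF >= 3 {
            name = $3; gsub(/^ +| +$/, "", name)
            if (tolower(name) != tolower(ENVIRON["WANT"])) next
            when = $2; gsub(/^ +| +$/, "", when)
            split(when, t, /[ .:]/)              # DD MM YYYY hh mm ss
            printf "%s%s%s%s%s%s\t%d\t%s\n", t[3], t[2], t[1], t[4], t[5], t[6], $1, ENVIRON["CAB"]
        }'
}

# list_candidates ROOT NAME: scan every .cab under ROOT. Windows file names
# cannot contain newlines, so line-delimited find output is safe here.
list_candidates() {
    find "$1" -type f -iname '*.cab' -print | while IFS= read -r cab; do
        cabextract -l "$cab" 2>/dev/null </dev/null | parse_listing "$cab" "$2"
    done
}

# pick_newest: from parse_listing lines on stdin, print the cab holding the
# most recent copy (the rule of thumb given in the text).
pick_newest() {
    LC_ALL=C sort | tail -n 1 | cut -f3-
}

# restore_file TARGET CAB: extract into a scratch directory, keep the damaged
# file as TARGET.corrupt (hypothetical suffix), then overwrite TARGET.
restore_file() {
    name=$(basename "$1")
    tmp=$(mktemp -d) || return 1
    if cabextract -q -d "$tmp" -F "$name" "$2" >/dev/null 2>&1 &&
       new=$(find "$tmp" -type f | head -n 1) && [ -s "$new" ]; then
        cp -p "$1" "$1.corrupt" && cp "$new" "$1"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage, with the paths from the text and the partition mounted read/write:
#   cab=$(list_candidates /mnt/hda1 ntdll.dll | pick_newest)
#   restore_file /mnt/hda1/winnt/system32/ntdll.dll "$cab"   # run as root
```

If the restored file turns out to be the wrong version, copy the .corrupt file back over it before rebooting.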

