Tip – How to break into registry to explore HKLM\SAM and HKLM\SECURITY keys?

This article explains how you can use Psexec.exe to execute registry editor to explore SAM and SECURITY registry hives.

Read more here…


Tip – A Quick Tip to designate a domain controller for client authentications.

This article explains the use of SRV priority. This applies to Windows 2000, Windows 2003 and Windows Server 2008.

Read more here…


McaFee File System Filter Driver may cause STOP Error on Windows Server 2003

After analysing one of the dump on production box I realized that McaFee filter driver which sits between Kernel Mode and File System may cause a STOP error on Windows Server 2003 systems. Generally, this is caused by all anti-virus software.

The module for File System Filter Driver of McaFee is: naiavf5x.sys and filter drivers are: NaiFiltr and NaiFsRec. These drivers provide the real time protection for file systems (AKA files and folders). They sit between Kernel Mode and User Mode and runs with Windows NT Executives. The main purpose of this driver is to filter the I/O Operations for all the file systems (C:,D:,E, etc).

The reason for unexpected shutdown is : PAGE_FAULT_IN_NONPAGED_AREA (50). Generally, this STOP error message occurs when there are some issues with: RAM, corrupted NTFS volume or Anti-virus software (Filter drivers). There could be other possibilities of the above mentioned STOP error message but once we have found the root cause (naiavf5x.sys) after checking the memory.dmp, we should eliminate the other possibilities. 

Why this happens:

The file system filter driver of anti-virus keeps the data of its own in the Pagefile area or hard-coded memory. Other Windows processes (specially NTKRNLPA.exe) keep locking this page area when different I/O Operations occur. For example, one application or service is trying to access a file on drive D:\, the Antivirus file system filter driver invokes itself and checks the file (integrity, suspicious file etc) before it can allow application/service to access the file. Since the File System driver is a TSR program (Terminate and Stay Resident), it has to keep its non-volatile data in RAM or pagefile memory area. It retrieves these data at the time of performing I/O Operation (performing an operation when application/service tries to access the file). If this data is not found or not available or locked by other processes then Windows will throw a STOP error message. Okay..you may ask why Windows throws STOP error message, it can also log an event in System log instead of shutting down the system? It doesn’t because any the change occurred in Kernel Mode processes/services always result in system crash. The crashed Kernel Mode processes need to re-initialise itself in order to make itself alive back in the system and this is only possible (only for Kernel Mode processes) when whole system is rebooted (this is as per Windows kernel architecture – first Windows Kerenel mode processes initialise and then User Mode processes. Please note – in Unix,  this is not the case as Linux/Unix Kernel has been separated from processes or third party services. You can always use INIT or other commands to re-initialise processes). Kernel mode processes always run using Realtime Priority that means they can fight with each other when a conflict raises between functions executed by them.

McaFee filter drivers can be located at:

HKLM\SYSTEM\CurrentControlSet\Services – you can find the McaFee filter drivers for naiavf5x.sys under this key. There is also one more way to check this using Device Manager by clicking on View > Show Hidden Devices and then expand Non-Plug and Play Drivers to find the Antivirus drivers.


1. Update the NTKRNLPA.exe – A patch is available from Microsoft. As per below article, this is a recommended patch for the above mentioned STOP error message.


2. Update or reduce the functionality of McaFee filter driver: Only one of two can be used.

    a. We can upgrade the McaFee filter driver by installing the latest patch.
    b. Fall back to previous version of  naiavf5x.sys.


1. Disable the McaFee filter driver temporarily by changing the Start value in above mentioned registry key and then setting the value to 4 = SERVICE_DISABLED – This solution is not recommended as this is required in order to allow McaFee to provide real time protection.

In fact, system will already disable the driver on server:

IMAGE_NAME:  naiavf5x.sys
FAULTING_MODULE: bae27000 Ntfs

Revisiting – Communication Protocols: Why services work on TCP or UDP or Both

This article explains why some services work on TCP or UDP or both the protocols. In this article, we will explain the two most commonly services used in network environment: DNS and LDAP.

We often discuss why services use both the protocols i.e. TCP and UDP. These services can also relay on TCP instead of UDP because TCP is a connection-oriented protocol whereas UDP is connection-less then why uses UDP?

There are several reasons explained in this article:

The DNS works on TCP because TCP is a connection-oriented protocol and it requires data to be consistent at the destination whereas UDP is a connection-less protocol and doesn’t require data to be consistent or don’t need a connection to be established with host for consistency of data.

UDP packets are smaller in size and they can not be greater then 512 bytes. So any application needs data to be transferred greater than 512 bytes uses TCP. 

For example, DNS uses both TCP and UDP for valid reasons described below: Note that UDP messages are not larger than 512 Bytes and are truncated when greater than this size. So DNS uses TCP for Zone transfer and UDP for name queries either regular (primary) or reverse. UDP can be used to exchange small information whereas TCP must be used to exchange information larger than 512 bytes. If a client doesn’t get response from DNS it must retransmit the data using TCP after 3-5 seconds of interval.

We all know that there shouldn’t be any inconsistency in DNS zones – to make this happen DNS always transfer Zone data using TCP because TCP is reliable and make sure zone data is consistent by transferring the full zone to other DNS servers who has requested the data.

The problem occurs when Windows 2000 server and Advanced Server products uses Dynamic ports for all above 1023. In this case your DNS server should not be Internet facing i.e. doing all standard queries for client machines on the network. The router (ACLs) must permit all UDP inbound traffic to access any high UDP ports for it to work.

LDAP: LDAP always uses TCP. LDAP doesn’t use UDP because LDAP and Netlogon services at client side requires a secure channel to be established between KDC server and Client computer to send the data and this can be done only using TCP not UDP. UDP is only used when finding a domain controller (Kerberos) for authentication.

Windows Default User and All Users folders are missing.

The following knowledgebase article explains the situation in which new users can not log on to local computer or domain.


The following may be the scenario:

1. Newly created users can not log on to the system

2. All Users and Default User profile is corrupted.

3. All Users and Default User profile is pointing to a different location in the registry.


By default, when Windows 2000 is installed it creates the two default folders. These two folders are: All Users and Default User. The logon process of user creates the user profile of the newly created user in the \Documents and Settings folder. The logon process uses these two folders to copy the contents to new profile. Windows identifies these two folders by looking at the following registry location:

HKLM\Software\Microsoft\Windows NT\ProfileList

In the right pane, Windows will have the following entries:

ProfilesDirectory REG_EXPAND_SZ %SystemDrive%\Documents and Settings

DefaultUserProfile REG_SZ Default User

AllUsersProfile REG_SZ All Users


You may need to take the following action to correct the abovementioned issues with the user profile:

1. Copy the All Users and Default User from a working computer to problematic computer.

2. Change the location of All Users and Default User profile in registry so that it points to the correct location.

How to Create A Service Dependable on Another Service.

The following knowledgeable article will explains the procedure you can use to make a service dependable on another service.

You need to know the following things before you can proceed with this:

  1. Short name of the service you are making dependent of.
  2. The registry location of the service.

For example, we have two services: Alerter and ThirdPartyService. Both the Services must exist in registry in order to make this work.

We need to find out the short name of ThirdPartyService. Now, navigate to the following location in registry to locate the short name of ThirdPartyService:

HKLM\System\CurrentControlSet\Services\thirdpartysvc — this would be the short name of ThirdPartyService.

Next, navigate to the following location in registry:


In the right pane, create a Multi SZ entry as explained below:

Right Click > select Multi-String Value

Then create a entry DependOnService entry and put the short service name of ThirdPartyService as a value of this entry.

Exit the registry editor and restart the Alerter service.

Net Config Server command.

The following knowledgebase will help you analyze the information useful when typed Net Config Server command. The Net Config Server command is the subset or command line tool to configure the Computer Property page in System applet. This command is very useful to check couple of things.

You can configure the following settings using the Net Config Server command:

  1. Configure the computer description to be shown when browsing through network.
  2. Make server hidden when browsing network.
  3. Configure maximum connection time for the client computers to this server.


The above is an example of Net Config Server command. The above output from this command shows the Server Name, Server Comment etc. You can change the Server comment by using the following command:

Net Config Server /SRVCOMMENT: “Internet Information Server”

In the same way, you can use the following command to change the server’s visibility in network:

Net Config Server /HIDDEN: Yes / No

The “Maximum Logged On Users” displays the number of connections this server can accept over the network. It displays maximum 10 that means only 10 users can log on to this server or access files over the network. You can not change this.

The “Idle session time (min)” is the time up to which users can be active on this server. After expiry of this time, the users will be disconnected automatically and they have to log on to again to access files. By default, it is 10 minutes but you can change it to as per your requirement. To change the idle time setting, please use the following command:

Net Config Server /AUTODISCONNECT: 50

How To View The Available Servers On A NetWare Network Using Command Line

This knowledgebase will tell you how you can view a network servers list on NetWare network.

The following command can be used to display a lit of servers running on a NetWare Network:

Net View /Network:NW

Please use the following command if you want to see the list of resources on a server running in the NetWare Network:

Net view \\computer_name /Network:NW

If you omit the /Network:NW, the command will display the resources shared on specified computer.

How To See the Print Jobs On A Remote Computer Using Command Line

The following knowledgebase can be used to see the print jobs running on remote or local computer and their size.

Net Print

You can also use do the following using the Net Print command:

  1. Control a Print Job.
  2. Hold a print job for printing.
  3. Delete a print job
  4. Reactive a print job that is held.

The following options can be used with Net Print command:

NET PRINT \\computername\sharename [\\computername] job# [/HOLD | /RELEASE | /DELETE]

\\computername Is the name of the computer sharing the printer queue(s).

sharename Is the name of the shared printer queue.

job# Is the identification number assigned to a print job. A computer the one or more printer queues assigns each print job a unique number.

/HOLD Prevents a job in a queue from printing. The job stays in the printer queue, and other jobs bypass it until it is released.

/RELEASE Reactivates a job that is held.

/DELETE Removes a job from a queue.