Offline Ops

This tab is dedicated entirely to working with Offline Windows installations. The tools on this tab live to operate on an installation of Windows that does not boot by itself, or cannot be repaired from within its own environment. In offline mode, d7 can be run from:

A Tech Bench Computer (which I will refer to as a TBC from here on out) with an infected or troublesome Windows install attached as a slave hard drive or via USB dongle.
A Windows PE based boot medium, where d7 has write access to its own directory. e.g. a bootable network image or flash drive… NOT when running FROM a CD, however it will work just fine FROM a flash drive when booted from a CD…
- Windows PE any version should work, provided the VB6 runtimes are installed. I currently use a VistaPE slim build over the network which I compiled from a package from … I think some Winbuilder site. It works great in this environment.
- I can provide a workaround upon request if it doesn’t work in your favorite blend of WinPE…

Target Partition

You must select a target partition to operate on. By default, if d7 detects a Windows installation that is not the current live system, it defaults to this partition. Example, you attach a slaved drive to your TBC which is assigned by Windows a drive letter, pretend it is F: drive. When you start d7 and switch to the Offline tab, it should automatically switch to the F: drive as the target.

Note that if the drive letter was added to the TBC after you started d7, you may need to hit the refresh button next to the drop down box.

Beside the Target Partition selection box, you have some information d7 attempts to gather from the target partition.

Suspected OS – This will either be Windows XP or it will read Vista or 7. I cannot detect any further than this currently.
Windows Dir – This one is obvious, but what may not be, is that clicking on the label will open that directory!
User Profile Dir – This one is obvious, but what may not be, is that clicking on the label will open that directory!
Newest Minidump – Also obvious information, yet clicking on this label will launch Nirsoft’s Blue Screen View (if in your 3rd Party Tools directory) and configure it to point to that partition automatically, letting you examine the minidumps with one click!

Auto Mode

This mode runs each item that is checked, in that order. d7 Auto Mode on this tab only takes care of the Malware Removal portion on this tab.

Beside the d7 Auto Mode Start button, in the current theme’s highlighted text (usually light blue) you’ll see several options that also utilize the check box configuration you have on this tab. Like Select All and Select None, the Save Config and Load Defaults options apply only to the check box configuration on this tab.

Malware Removal

These items are the same as their counterparts on the Malware tab, with the exception that they are operating on the offline installation of Windows. YES, the Pre-Malware Scan and Malware Scan both run on the offline partition’s file system AND registry! There is but one addition:

Copy d7 to Desktop – Copies the d7 directory you are running d7 from, to the all users/public desktop of the target partition.

Registry

Edit Offline Registry – d7 attempts to load the offline registry hives of the target partition, including all user hives. All hives are loaded as their proper name, prefixed with guest_ (e.g. guest_system, guest_software, guest_username, etc.) Regedit is launched when all hives are loaded.
Replace Registry with a Backup – This function is designed as a quick and easy way to replace registry hives from the System Volume Information directory where restore points are located on Windows XP. The function will give you a list of available restore points, from there choose the RP number you want (highest is latest) and will automatically copy those hives to the windowssystem32config directory and rename them properly, backing up the existing hives first!
Disable AutoReboot on BSOD & Enable Minidumps – Turn on automatic restarts when a system blue screen occurs, and enable minidump creation.

Data Retrieval

Get Minidumps – This just brings up a dialog box to copy minidumps from the target partition to the current one, if you are running from a flash drive or such.
List Installed Apps – The same function as in DataGrab when “Get Installed Apps List” is checked, this feature loads an offline registry hive from a different partition/slaved hard drive, and retrieves a list of installed applications. Although designed only for offline OS installations, when run on the local (currently running) OS and not an offline OS, it will output results; however on 64bit systems it won’t output both 32 and 64bit installed apps. This is something I don’t plan on fixing, because when on a local OS why wouldn’t you be using Nirsoft’s app via the Info tab’s Reporting button?!

Repair Tools

CheckDisk – Another utility on it’s own right, please see the information on the CheckDisk page for information on this chkdsk.exe wrapper.
FixIDE (WinXP) – This function is designed to fix an 0x7b Blue Screen when starting Windows XP after a motherboard swap, due to the hard drive controllers not matching up. FixIDE has its own project page here. This function force installs generic IDE controller drivers on the target partition. It works 99% of the time, if not then your controller is in AHCI mode and you need to set it to IDE mode before this will work. Once set there, you can get into Windows and install the actual controller drivers for your new motherboard.
FixAMD – This function disables IntelPPM Driver. This can fix Blue Screens related to the intel power management service after swapping an Intel to an AMD platform motherboard, or installing XP SP3 on an AMD based PC with Intel PPM service enabled.

Misc

d7 Locksmith – Yet another Windows password removal tool, this one should succeed when others fail!
- On Windows XP/Server 2003, a system service is installed to the offline Windows OS that will remove ALL user passwords when Windows gets to the Welcome screen. You must wait about 30 seconds or so after the Welcome screen appears, at which time there will still be a password prompt box, however clicking the user leaving that box blank will log you in!
- On Windows Vista/7/Server 2008, this creates an IFEO in to run a d7 Locksmith interface in place of UTILMAN.EXE – so when you boot the live system and get o the login screen, you simply click the Accessibility button in the bottom corner of the screen, and in place of UTILMAN.EXE, d7 Locksmith launches instead allowing you to selectively remove passwords!

Latest News

Windows 10/11 built-in Ransomware Protection (Controlled Folder Access) and CryptoPrevent (repost) CryptoPrevent version 21.7.23 adds a new setting for “Controlled...
Read More
CryptoPrevent v21.7.1 Released! CryptoPrevent v21.7.1 has been released and is ready for update...
Read More
d7x v21.6.29 Release Notes Updated various d7x functions for the Windows 11 Insider Preview,...
Read More
d7x v21.6.24 Release Notes The “Check Auto-Start Services” alert on the System Info tab...
Read More
d7x v21.6.23 Release Notes Corrected a recent issue with the last few versions reporting...
Read More
Lockdown v1.1.2 Released with Downloads fix I just received report of a Lockdown user not being...
Read More
d7x v21.6.20 Release Notes Updated Windows Update Repair routines for Windows 10. v21.6.19.x (Repost)...
Read More
d7x v21.6.17 Release Notes d7x Auto Mode previously only resumed automatically after a reboot...
Read More
d7x v21.6.15 Release Notes Updated delete temp internet files, history, and cookies routines to...
Read More
d7x v21.6.11 Release Notes d7x Event Log Viewer improvements: – You can now display...
Read More

Latest News

Subscribe to Blog via Email

Brian Agland

Joseph E. Pint (NYS Licensed Private Investigator, Digital Forensics Division: UID #: 11000192051, Sr. Data Recovery Technician, Sr. Digital Forensics Examiner)

Cody

Marcin from Ireland

Fuera Castro