
Offline Ops



This tab is dedicated entirely to working with offline Windows installations.  The tools on this tab operate on an installation of Windows that does not boot by itself, or cannot be repaired from within its own environment.  In offline mode, D7 can be run from:
  • Tech Bench Computer (which I will refer to as a TBC from here on out) with an infected or troublesome Windows install attached as a slave hard drive or via USB dongle.  
  • A Windows PE based boot medium, where D7 has write access to its own directory, e.g. a bootable network image or flash drive.  It will NOT work when running FROM a CD; however, it works just fine FROM a flash drive when booted from a CD.
    • Windows PE, any version, should work, provided the VB6 runtimes are installed.  I currently use a VistaPE slim build over the network which I compiled from a package from … I think some Winbuilder site.  It works great in this environment.
    • I can provide a workaround upon request if it doesn’t work in your favorite blend of WinPE...

Target Partition

You must select a target partition to operate on.  By default, if D7 detects a Windows installation that is not the current live system, it selects that partition.  For example, you attach a slaved drive to your TBC and Windows assigns it a drive letter, say F:.  When you start D7 and switch to the Offline tab, it should automatically select F: as the target.

Note that if the drive letter was added to the TBC after you started D7, you may need to hit the refresh button next to the drop down box.  

Beside the Target Partition selection box, you have some information D7 attempts to gather from the target partition.  
  • Suspected OS - This will either be Windows XP or it will read Vista or 7.  I cannot detect any further than this currently.  
  • Windows Dir - This one is obvious, but what may not be, is that clicking on the label will open that directory!  
  • User Profile Dir - This one is obvious, but what may not be, is that clicking on the label will open that directory!  
  • Newest Minidump - Also obvious information, yet clicking on this label will launch Nirsoft's Blue Screen View (if in your 3rd Party Tools directory) and configure it to point to that partition automatically, letting you examine the minidumps with one click!  

D7 Auto Mode

This mode runs each checked item, in order.  On this tab, D7 Auto Mode only covers the Malware Removal section.

Beside the D7 Auto Mode Start button, in the current theme's highlighted text (usually light blue), you'll see several options that also use the check box configuration on this tab.  Like Select All and Select None, the Save Config and Load Defaults options apply only to the check box configuration on this tab.

Malware Removal

These items are the same as their counterparts on the Malware tab, except that they operate on the offline installation of Windows.  YES, the Pre-Malware Scan and Malware Scan both run on the offline partition's file system AND registry!  There is but one addition:
  • Copy D7 to Desktop - Copies the D7 directory you are running D7 from, to the all users/public desktop of the target partition.  

Registry
  • Edit Offline Registry - D7 attempts to load the offline registry hives of the target partition, including all user hives.  All hives are loaded under their proper name, prefixed with guest_ (e.g. guest_system, guest_software, guest_username, etc.)  Regedit is launched when all hives are loaded.
  • RegReplace (WinXP) - This function is designed as a quick and easy way to replace registry hives from the \System Volume Information directory where restore points are located on Windows XP.  The function gives you a list of available restore points; choose the RP number you want (highest is latest) and RegReplace automatically copies those hives to the \windows\system32\config directory and renames them properly, backing up the existing hives first!
  • Disable AutoReboot on BSOD & Enable Minidumps - Turns off the automatic restart that normally happens when a system blue screen occurs (so the stop code stays on screen), and enables minidump creation.
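As an added example (not D7's own code), this PowerShell script does by hand what the two items above do together: it loads the target's SYSTEM hive as HKLM\guest_system, then applies the AutoReboot and minidump settings to it. It assumes the target partition is F: (a constructed value) and an elevated shell on the TBC or WinPE; the `guest_` name follows D7's convention.

```powershell
# Added example, not part of D7. Assumes target partition F: (constructed) and
# an elevated shell; reg.exe load/unload is the standard way to mount a foreign hive.
$Target = 'F:'
$hive = Join-Path $Target 'Windows\System32\config\SYSTEM'
if (-not (Test-Path $hive)) { throw "No SYSTEM hive at $hive" }

reg.exe load 'HKLM\guest_system' $hive | Out-Null
try {
    # An offline hive has no CurrentControlSet link; the live control set number
    # is recorded in Select\Current (1 -> ControlSet001, and so on).
    $current = (Get-ItemProperty 'HKLM:\guest_system\Select').Current
    $cc = 'HKLM:\guest_system\ControlSet{0:D3}\Control\CrashControl' -f $current

    # AutoReboot=0 leaves the blue screen on screen instead of restarting.
    # CrashDumpEnabled=3 selects a small memory dump (minidump) written to MinidumpDir.
    Set-ItemProperty -Path $cc -Name AutoReboot       -Value 0 -Type DWord
    Set-ItemProperty -Path $cc -Name CrashDumpEnabled -Value 3 -Type DWord
    Set-ItemProperty -Path $cc -Name MinidumpDir -Value '%SystemRoot%\Minidump' -Type ExpandString

    # Show what was written so the technician can confirm before unloading.
    Get-ItemProperty $cc | Select-Object AutoReboot, CrashDumpEnabled, MinidumpDir
}
finally {
    # Always unload: a hive left loaded keeps the target's file locked and the
    # changes are not flushed. PowerShell may still hold a key handle, so collect first.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload 'HKLM\guest_system' | Out-Null
}
```

The same Select\Current lookup applies to any edit you make in a loaded offline SYSTEM hive, since editing ControlSet001 when the target boots from ControlSet002 changes nothing.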

Data Retrieval
  • Get Minidumps - This just brings up a dialog box to copy minidumps from the target partition to the current one, if you are running from a flash drive or such.  
  • Find Files - An internal D7 function to find files - has various functions you can do with the found files.  
  • DataGrab - Again, please see the DataGrab section of this website!  
  • List Installed Apps - The same function as in DataGrab when "Get Installed Apps List" is checked, this feature loads an offline registry hive from a different partition/slaved hard drive, and retrieves a list of installed applications.  Although designed only for offline OS installations, when run on the local (currently running) OS and not an offline OS, it will output results; however on 64bit systems it won't output both 32 and 64bit installed apps.  This is something I don't plan on fixing, because when on a local OS why wouldn't you be using Nirsoft's app via the Info tab's Reporting button?!

Repair Tools
  • System File Checker - On Windows XP this option is not available.  On Vista/7 - launches the SFC wrapper form, enabling you to customize SFC parameters to scan OFFLINE Windows installations on other partitions, among other options.  
  • CheckDisk - Another utility in its own right; please see the CheckDisk page for information on this chkdsk.exe wrapper.
  • FixIDE (WinXP) - This function is designed to fix a 0x7B Blue Screen when starting Windows XP after a motherboard swap, due to the hard drive controllers not matching up.  FixIDE has its own project page here.  This function force installs generic IDE controller drivers on the target partition.  It works 99% of the time; if not, your controller is in AHCI mode and you need to set it to IDE mode before this will work.  Once set there, you can get into Windows and install the actual controller drivers for your new motherboard.
  • FixAMD - This function disables IntelPPM Driver.  This can fix Blue Screens related to the intel power management service after swapping an Intel to an AMD platform motherboard, or installing XP SP3 on an AMD based PC with Intel PPM service enabled.

Misc
  • Password Removal Tricks - This gives you the option to perform some tricks designed to allow you to gain access to the command prompt at the Windows login screen, so you can use "net user" commands to change/reset/remove passwords to user accounts.  
    • On Windows XP/Server 2003, the trick is to create an IFEO to run CMD.EXE in place of LOGON.SCR - so when you boot the live system, you wait at the login screen for the screen saver to start - in place of the screen saver, CMD.EXE will start instead!
    • On Windows Vista/7/Server 2008, the trick creates an IFEO to run CMD.EXE in place of UTILMAN.EXE - so when you boot the live system and get to the login screen, you simply click the Accessibility button in the bottom corner of the screen, and in place of UTILMAN.EXE, CMD.EXE launches instead!
    • Yes!  These tricks work in a DOMAIN environment for both workstations and servers; which really is the beauty of the idea since local password removal utilities don't work on domain workstations.  
    • To remove the modifications, once logged into the live system, simply fire up D7 > IFEO Modifier and remove the IFEOs for LOGON.SCR or UTILMAN.EXE.
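Because the IFEO entries above must be cleaned up afterwards, and because the same Debugger redirection is exactly what an attacker would leave behind, the following added example (not part of D7) audits a target partition's SOFTWARE hive for any Image File Execution Options Debugger value, flagging the LOGON.SCR and UTILMAN.EXE entries this page describes. It assumes target partition F: (constructed), an elevated shell, and D7's `guest_software` naming.

```powershell
# Added example, not part of D7. Lists every IFEO "Debugger" value in the target's
# offline SOFTWARE hive so the technician can confirm the login-screen tricks were
# removed. Assumes target partition F: (constructed) and an elevated shell.
$Target = 'F:'
$hive = Join-Path $Target 'Windows\System32\config\SOFTWARE'
if (-not (Test-Path $hive)) { throw "No SOFTWARE hive at $hive" }

reg.exe load 'HKLM\guest_software' $hive | Out-Null
try {
    $ifeo = 'HKLM:\guest_software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    # The two images this page's tricks redirect; both run before anyone logs on.
    $preLogon = 'logon.scr', 'utilman.exe'

    $findings = Get-ChildItem $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image    = $_.PSChildName
                Debugger = $dbg
                PreLogon = $preLogon -contains $_.PSChildName.ToLower()
            }
        }
    }

    if (-not $findings) {
        'No IFEO Debugger entries in the offline hive.'
    } else {
        # Pre-logon redirections sort to the top; other Debugger values (e.g. a
        # developer's JIT debugger) may be legitimate and need a human decision.
        $findings | Sort-Object PreLogon -Descending | Format-Table -AutoSize
    }
}
finally {
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    reg.exe unload 'HKLM\guest_software' | Out-Null
}
```

Run against a system you did not modify yourself, a PreLogon=True row is a finding to investigate, not a leftover to silently delete.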