Don't let a blue screen stop you. Here's a guide to get your server back online quickly.

Resurrection, Step by Step

Here's a guide we developed in our disaster recovery tests to resurrect machines hit with the bluescreen error. This procedure can be used on Windows NT 4.0 Server, Workstation and Enterprise and Windows 2000 Professional, Server and Advanced Server installations.

  1. Once you receive the bluescreen that I describe in the main article, make a note of the RAID device (.sys file) that failed to load. Find this information at the top of the screen. This will be the device that is causing the conflict.
  2. Install a parallel copy of Windows NT into another directory on the local C:\ partition. Call this installation WINNTSOS.
    By pressing the F6 key repeatedly when the first blue screen appears during setup, you can bypass the NT setup's auto-detect feature and manually specify which driver you want to load for the RAID device.
  3. Log into this newly built parallel copy of Windows NT as the administrator.
  4. Click on Start|Run and type Regedt32. Open the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services key.
  5. Scroll down until you find the key that contains the name of the RAID controller that is physically present in the system you are working on (shown in the following figure). If you do not know the name of your device, you can look in the Devices control panel applet to identify which RAID device is started. You could also use a text editor like Notepad.exe to review the .INF file on your manufacturer's driver diskette to identify the device key name.

    bluescreen 1
  6. Use this table to identify the device key name associated with your hardware:

    | Compaq controller type | Device key name |
    |---|---|
    | Compaq 3200 & Smart2 RAID devices | CPQARRAY |
    | Compaq 4200 Series RAID devices | CPQARRAY2 |
    | Compaq 5300 Series RAID devices | CPQCISSM |

  7. Highlight the key and click on Registry|Save Key. Save this key with the same name as is displayed in the registry. This will avoid confusion later. For example: Save a key named HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cpqcissm as c:\cpqcissm.reg
  8. Scroll back up now and go to the key named HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root.
  9. Look for the name of the LEGACY key associated with the driver. For example: HKLM\System\ControlSet001\Enum\Root\LEGACY_CPQCISSM.
  10. Follow the procedures in Step 5 and save the key in the same location using the same naming convention. Example: c:\legacy_cpqcissm.reg
  11. Scroll up to the top of the window and highlight the HKEY_LOCAL_MACHINE key.
    Note: It is important to determine the name of the system root directory that was in use by the restored (target) computer. By default this name would have been c:\WINNT. If there were previously multiple installations of NT present on the system, this will have to be identified before proceeding. When performing Steps 10 and 11 you must know where the registry hives for the restored (target) build are located (%systemroot%\system32\config). If you modify the wrong registry file, results can vary from having no effect at all, to rendering the OS not bootable.
  12. On the menu bar go to Registry|Load Hive as shown here:

bluescreen 2

  13. A box will appear requesting the location of the hive to be loaded. Browse to the location of the system hive from the restored (target) build and open the file named "system." This file will usually be found in c:\winnt\system32\config and will not have an extension. It will just be named "system."
  14. When prompted for a key name, type in your name. This is a display name that you will use to differentiate between the active system hive and the hive you just loaded. The name chosen cannot be "system," as that name is in use already by HKEY_LOCAL_MACHINE.
  15. Once you load the hive it should be visible in the list directly under the root of HKEY_LOCAL_MACHINE. Scroll down to the key named "select" under the hive you just loaded.
  16. Double click on this key to reveal the values associated with this key on the detail pane of the registry window. Verify which control set is being used to boot the target system by looking at the value listed as "Current." The number following REG_DWORD: 0x will indicate which control set the target build is scheduled to boot from. For example: A value of 0x1 would indicate that the system uses ControlSet001, and a value of 0x2 would indicate that the system uses ControlSet002:

bluescreen 3
  17. Once you've identified the "current control set" for the target build, double click on it and scroll down until you get to the key named "Services."
  18. Highlight the "services" key and go to Edit|Add Key. Give this key the same name as the key you identified earlier in Step 5. For example, if the key was HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cpqcissm the new key name would be cpqcissm. Leave the class field blank for this key.
  19. Highlight the new key you just created and go to Security|Permissions. Set the permissions for "Everyone" to "Full Control." Press OK to accept the settings.
  20. With the newly created key still highlighted, go to Registry|Restore. Browse to the .reg file you created earlier in Step 6. Select Open to restore this file over the newly created key:

bluescreen 4

  21. With the newly restored key still highlighted, go back and reset the security permissions on this key for "Everyone" to "Read." Make sure you select the "Replace Permission on Existing Subkeys" option. (This is because the restore performed in Step 20 added new subkeys that inherited the previous "Full Control" permissions.)
  22. Verify that the startup type for this new device is "0" as shown in the following figure. There are five different start values for devices. 0=boot, 1=System, 2=Automatic, 3=Manual, 4=Disabled. Note the driver file name referenced in the ImagePath.

bluescreen 5

  23. Scroll back up to the loaded hive and highlight the subkey named ControlSet00x\Enum\Root. Go to Security|Permissions and change "Everyone" to "Full Control." Make sure you select the "Replace Permission on Existing Subkeys" option as shown here:

bluescreen 6

  24. With the "Root" key highlighted, go to Edit|Add Key. Give this key the same name as the key you identified earlier in Step 9. This key is case sensitive and should be in upper case such as "LEGACY_CPQCISSM." Leave the class field blank for this key. This will create a new key under "Root" with the name HKLM\YourName\ControlSet00x\Enum\Root\LEGACY_DEVICENAME.
  25. Scroll down to this newly created key and go to Registry|Restore. Browse to the legacy .reg file you created earlier in Step 10. Select Open to restore this file over the newly created legacy key.
  26. Scroll back up and highlight the "Root" key. Reset the security permissions on this key for "Everyone" to "Read." Make sure you select the "Replace Permission on Existing Subkeys" option.
  27. Go to HKLM\YourName\ControlSet00x\Services and select the key associated with the device that is causing the bluescreen identified in Step 1. Notice that the startup type will be "0" as shown here:

bluescreen 7

  28. Double click on the "Start" value for this key and a box will appear allowing you to change the value.
  29. Change this value to "4" and select OK as shown here:

bluescreen 8

  30. Go to HKLM\YourName. Highlight this key and go to Registry|Unload Hive as shown in the last figure below. This will save the YourName hive under the name "system" from the location you originally loaded it from in Step 11. (%Systemroot%\system32\config\system).

bluescreen 9

  31. Copy the device driver file from the C:\WINNTSOS\System32\drivers directory (noted earlier in Step 20) to the %Systemroot%\system32\drivers directory for the target build (usually c:\winnt).
  32. Reboot the system and select the restored target build when prompted. The system should now boot normally. Any additional devices that cause the system to bluescreen can also be modified using this procedure.

Remember to remove the C:\WINNTSOS directory and all of its contents once you've booted successfully. Also remember to modify the c:\boot.ini file and remove any references to C:\WINNTSOS.
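
Before the final reboot, the edits made to the target hive can be checked from a command prompt in the parallel installation. The batch file below is an added example, not part of the original procedure: it loads the target system hive, reads Select\Current to find the control set, and prints the values the steps above should have produced, without editing anything. It assumes a reg.exe that supports the load, query /v and unload subcommands; the mount name HiveCheck, the hive path and the FAILED_DRIVER_KEY placeholder are assumptions to replace with your own values.

```bat
@echo off
rem Added example: check the target build's SYSTEM hive after the procedure.
rem Run it only after the hive has been unloaded in Regedt32.
setlocal

rem Assumed values; adjust to your system.
set HIVE=C:\WINNT\system32\config\system
rem Hypothetical mount name, chosen so it cannot collide with "system".
set MOUNT=HKLM\HiveCheck
rem Device key of the controller physically present (from the table).
set NEWDRV=cpqcissm
rem Placeholder: key name of the driver that bluescreened (noted in Step 1).
set OLDDRV=FAILED_DRIVER_KEY

reg load %MOUNT% "%HIVE%"
if errorlevel 1 goto done

rem Select\Current is a REG_DWORD such as 0x1; pick it out of the query output.
set CUR=
for /f "tokens=3" %%A in ('reg query %MOUNT%\Select /v Current ^| find "REG_DWORD"') do set CUR=%%A
if "%CUR%"=="" goto unload

rem set /a accepts hex, so 0x1 becomes 1 (control sets below 10 assumed).
set /a N=%CUR%
set CS=ControlSet00%N%
echo Target build boots from %CS%

echo --- Replacement driver: expect Start 0x0, note ImagePath ---
reg query %MOUNT%\%CS%\Services\%NEWDRV% /v Start
reg query %MOUNT%\%CS%\Services\%NEWDRV% /v ImagePath

echo --- Legacy enum key: expect it to exist ---
reg query %MOUNT%\%CS%\Enum\Root\LEGACY_%NEWDRV%

echo --- Failing driver: expect Start 0x4 ---
reg query %MOUNT%\%CS%\Services\%OLDDRV% /v Start

:unload
reg unload %MOUNT%
:done
endlocal
```

If the control set printed here is not the one you edited in Regedt32, the restored keys are in a control set the target build will not boot from.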

