because you can verify from the digital signature that it came from the vendor it claims to be from. Digital signatures also guarantee that the driver hasn’t been altered in any way since it was released by the vendor.
Digital signatures use a code-signing certificate whose private key is held only by the vendor. The vendor hashes the driver file (a hash is a unique thumbprint; any change to the file changes the hash) and signs that hash with the private key. The signature is then bundled with the certificate and the executable for the driver. When the end user installs the driver, Windows uses the public key in the certificate to verify the signature and recover the hash the vendor signed, hashes the file again on the end user's system, and compares the two. If they match, and the certificate chains to a publisher Windows trusts, the driver hasn't been tampered with. Keep in mind what the check does and doesn't prove: a valid signature tells you who published the file and that it is unchanged, not that the code in it is free of bugs.
If you choose to disable driver signature enforcement, you'll be able to load unsigned drivers. Choose this option at your own risk: You could end up installing malware packaged as an unsigned driver. The Startup Settings choice applies only to the boot on which you select it, so the protection returns on the next normal restart.
Disable Early Launch Anti-Malware Driver
Malware that installs after Windows has booted will most likely be seen by the antivirus software that is installed on the system. The problem is that malware authors moved on to rootkits. Rootkits can be very difficult to get rid of because they install themselves so that they execute before the rest of the operating system has booted. The more sophisticated rootkits install drivers that start very early in the boot process, before the antivirus engine is running, which makes them extremely difficult to find and remove.
Microsoft does its best to evolve and respond to threats and prevent them whenever possible. In this case, it came up with the early launch anti-malware (ELAM) driver. Antivirus vendors whose products are certified for early launch get their ELAM driver signed so that Windows loads it before the other boot-start drivers. The ELAM driver is then asked to classify each boot-start driver (good, bad, or unknown) before the kernel loads it, so a known-bad driver can be blocked before it ever runs. Pretty cool, right?
But what happens if a legitimate boot driver for Windows gets flagged as malicious? Your server won't boot. So, Microsoft gives you the ability to turn off this feature, by choosing Disable Early Launch Anti-Malware Driver, to allow the boot driver to launch like normal. Which classes of drivers ELAM allows to load is governed by the Boot-Start Driver Initialization Policy Group Policy setting (under Computer Configuration ⇒ Administrative Templates ⇒ System ⇒ Early Launch Antimalware); the default allows good, unknown, and bad-but-critical drivers and blocks only drivers classified as bad.
This feature is a great one to have on. Only disable it if you absolutely have to, and then only until the issue is resolved.
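Before you reach for either of the two startup options above, it helps to know which boot-start drivers are on the box, whether their signatures actually verify, and what ELAM policy is in force. The following PowerShell script is an added example (not from this book) that puts the signature check described earlier and the ELAM policy together. It assumes the DriverLoadPolicy value under HKLM\SYSTEM\CurrentControlSet\Control\EarlyLaunch and the Windows Defender ELAM driver name WdBoot; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the book): audit the boot-start drivers that ELAM
# evaluates, check each one's Authenticode signature, and report the ELAM
# boot-start driver load policy. Run from an elevated PowerShell prompt.

# The policy is stored here when set by Group Policy ("Boot-Start Driver
# Initialization Policy"); if the value is absent, Windows uses the default (3).
$elamKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
$policyNames = @{
    0 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown and bad-but-critical (default)'
    7 = 'All drivers, including known-bad'
}
$policy = (Get-ItemProperty -Path $elamKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
if ($null -eq $policy) { $policy = 3 }
"ELAM DriverLoadPolicy: $policy ($($policyNames[[int]$policy]))"

# Windows Defender's ELAM driver is WdBoot (assumption: Defender is the AV in use).
$wdBoot = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'"
if ($wdBoot) { "ELAM driver WdBoot: $($wdBoot.State), start mode $($wdBoot.StartMode)" }
else         { 'No WdBoot ELAM driver found (a third-party product may supply its own)' }

# Enumerate boot-start drivers and verify each file's signature. This is the
# check the text describes: hash the file, compare with the signed hash, and
# validate the certificate chain.
$results = Get-CimInstance Win32_SystemDriver -Filter "StartMode='Boot'" |
    ForEach-Object {
        # Normalise the kernel-style path forms (\??\ and \SystemRoot\) some drivers use.
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = $sig.Status                    # Valid, NotSigned, HashMismatch, NotTrusted ...
                Signer = $sig.SignerCertificate.Subject
            }
        } else {
            [pscustomobject]@{ Driver = $_.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
        }
    }

$results | Sort-Object Status | Format-Table -AutoSize

# Anything that is not Valid deserves a look before you consider disabling
# signature enforcement or ELAM just to get the box to boot.
$suspect = @($results | Where-Object { $_.Status -ne 'Valid' })
if ($suspect.Count -gt 0) { "`n$($suspect.Count) boot-start driver(s) without a valid signature" }
```

A HashMismatch status on a boot-start driver is exactly the tampering case the signature check exists to catch, and NotSigned on a driver you didn't install yourself is worth investigating before you reboot with enforcement disabled.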
Performing a Memory Test
What happens if your server is crashing unexpectedly or throwing blue screens when you least expect it? That can be a difficult question to answer. These symptoms could occur because of corrupted software or because of hardware failure. Memory is a great place to start with your troubleshooting efforts, and Windows Server 2022 includes a built-in memory diagnostic utility called the Windows Memory Diagnostics Tool.
You can run the Windows Memory Diagnostics Tool by pressing the Windows Key+R, typing mdsched.exe, and clicking OK. If you do nothing, the Windows Memory Diagnostics Tool will run in Standard mode. You can interrupt it at any time by pressing F1 to enter the Options screen and change the settings. Your options are as follows (see Figure 2-5):
Test Mix: The test mix is the set of tests you want the tool to run:
Basic: Runs three tests on your memory and is the fastest option.
Standard: Runs the same tests as Basic and adds five more. It takes longer to complete than Basic.
Extended: Runs the same tests as Standard and adds nine more. This is the most thorough option and takes the longest to complete.
If you don't know what each of these tests is looking for, Standard is a good starting point. Extended takes considerably longer, and unless Standard came back clean on a machine you still suspect, the extra tests rarely tell you anything new. That said, it won't hurt your server to run any of the three.
Cache: Cache sets the cache setting for each test you're going to run. (The CPU cache speeds up access to memory locations that are used frequently.) The cache should be disabled for tests that need to hit the memory modules directly rather than a cached copy. Your options are as follows:
Default: In most cases, Default is the appropriate setting. It selects the correct cache setting for the test that's being run.
On: Forces the cache on for the tests.
Off: Forces the cache off for the tests.
Pass Count (0–15): Pass count controls how many times the whole test mix you selected will run. If it's set to 5, the selected test mix will run through its tests five times. The default is two passes; a value of 0 runs the test mix until you stop it.
After you’ve made your selections, press F10 to apply the settings, and the scan will restart.
FIGURE 2-5: Windows Memory Diagnostics Tool options.
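The tool shows its verdict only briefly after the reboot, so it is worth knowing where the result is kept. The following PowerShell script is an added example (not from this book) that reads the results from the System event log and, if you are elevated, launches the tool to schedule another pass. It assumes the provider name Microsoft-Windows-MemoryDiagnostics-Results and Event ID 1201, which is where the tool records its outcome.

```powershell
# Added example (not from the book): retrieve Windows Memory Diagnostics
# results from the System log and schedule a new run. Assumes the tool logs
# its verdict as Event ID 1201 from Microsoft-Windows-MemoryDiagnostics-Results.

function Get-MemoryDiagnosticResult {
    # Returns the most recent result entries (newest first), or nothing if the
    # tool has never completed on this machine.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results'
        Id           = 1201
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Show what is already recorded before scheduling another pass.
$previous = Get-MemoryDiagnosticResult
if ($previous) { $previous | Format-List } else { 'No memory diagnostic results recorded yet.' }

# mdsched.exe asks whether to restart now or at the next boot. It needs an
# elevated session because it schedules the diagnostic for the next start-up.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated PowerShell session to schedule a test.' }
Start-Process -FilePath "$env:SystemRoot\System32\mdsched.exe"
```

The Message of a 1201 event states whether errors were detected; a clean run does not rule out a marginal module, which is when the Extended mix with cache forced off earns its keep.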
Using the Command Prompt
When all else fails, the Command Prompt is always there. I've had to troubleshoot many issues over the years where I was saved because the Command Prompt was available. Corrupted system files? Open the Command Prompt and run sfc /scannow. Damaged hard drive? Open the Command Prompt and type chkdsk /f /r.
In Table 2-1, I list some of the most helpful tools that I've used over the years. The majority of these commands need the Command Prompt to be running with administrator credentials. To run the Command Prompt as an administrator, choose Start ⇒ Windows System, right-click Command Prompt, click More, and then select Run as Administrator. Alternatively, if you can bring up Task Manager, choose File ⇒ Run New Task, type cmd.exe, and select the check box to create the task with administrative privileges.
TABLE 2-1 Troubleshooting with the Command Prompt
Name | Command | Description |
---|---|---|
System File Checker | sfc /scannow | This utility checks protected system files to see if they match what's expected by comparing the hash of each file on the server with the hash of the known-good copy of that file kept in the component store at C:\Windows\WinSxS. If a corrupt system file is found, it's replaced from the store. If sfc reports files it cannot repair, the store itself is probably damaged; run DISM /Online /Cleanup-Image /RestoreHealth and then sfc /scannow again. |
Check Disk | chkdsk /f /r | This utility repairs file system errors and marks bad sectors so the operating system doesn't use them anymore. The /f tells the utility to fix any errors it finds, and the /r locates bad sectors on the disk and recovers whatever is still readable from them (/r implies /f). On the system volume, chkdsk can't lock the disk while Windows is running, so it offers to run at the next restart. This can take a while. Kick it off, and grab a cup of coffee. |
Driverquery | driverquery | This utility lists all the drivers that are installed on Windows. This can be very helpful if you're running into issues with systems that have similar hardware and you want to know if they have a driver in common. Add /si to see whether each driver is signed, or /v for verbose output including the driver's file path. |
BCDEdit | bcdedit | This utility is covered in depth in Book 1, Chapter 4. For now, just know that it allows you to edit the |
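sfc prints only a one-line summary on screen; the details of what it checked and repaired go to CBS.log. The following PowerShell script is an added example (not from this book) that runs sfc from an elevated session and pulls out the lines sfc wrote for that run. It assumes the standard log location C:\Windows\Logs\CBS\CBS.log and that sfc tags its own entries with [SR], which is what Microsoft's documented findstr procedure relies on.

```powershell
# Added example (not from the book): run System File Checker from an elevated
# PowerShell session and extract its findings from CBS.log. Assumes the
# standard log path %SystemRoot%\Logs\CBS\CBS.log and the "[SR]" line tag.

function Test-IsElevated {
    ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-SfcWithReport {
    if (-not (Test-IsElevated)) { throw 'sfc needs an elevated session.' }

    $log = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
    # Note how long the log is now so that only this run's entries are read.
    $startLine = if (Test-Path $log) { @(Get-Content $log).Count } else { 0 }

    & "$env:SystemRoot\System32\sfc.exe" /scannow
    "sfc exit code: $LASTEXITCODE"

    # sfc tags its own lines with "[SR]"; skip everything written before the run.
    $lines = @(Get-Content $log | Select-Object -Skip $startLine | Where-Object { $_ -match '\[SR\]' })
    $repaired   = @($lines | Where-Object { $_ -match 'Repairing' })
    $unrepaired = @($lines | Where-Object { $_ -match 'Cannot repair' })

    "[SR] lines written by this run: $($lines.Count)"
    if ($repaired.Count -gt 0)   { "`nRepair activity:";   $repaired   | ForEach-Object { "  $_" } }
    if ($unrepaired.Count -gt 0) {
        "`nFiles sfc could not repair:"
        $unrepaired | ForEach-Object { "  $_" }
        # The known-good copies live in the component store; if sfc can't use
        # them, repair the store first and then run sfc again.
        "`nNext step: DISM /Online /Cleanup-Image /RestoreHealth, then sfc /scannow again."
    }
}

Invoke-SfcWithReport
```

Keep the [SR] lines from a run that found corruption; if the same files keep coming back corrupt after DISM has repaired the store, you are looking at a disk or memory problem rather than a software one, which is where chkdsk and the memory test above come in.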