Chapter Twenty-Two: Troubleshooting Theory, OSs, and Security
220-902 Objectives Covered

4.1 Given a scenario, troubleshoot PC operating system problems with appropriate tools.
4.2 Given a scenario, troubleshoot common PC security issues with appropriate tools and best practices.
4.3 Given a scenario, troubleshoot common mobile OS and application issues with appropriate tools.
4.4 Given a scenario, troubleshoot common mobile OS and application security issues with appropriate tools.
5.5 Given a scenario, explain the troubleshooting theory.
Troubleshooting Theory

1. Identify the problem: question the user, identify any changes the user made to the computer, and perform backups before making changes.
2. Establish a theory of probable cause (question the obvious): if necessary, conduct external or internal research based on the symptoms.
3. Test the theory to determine the cause: once the theory is confirmed, determine the next steps to resolve the problem. If the theory is not confirmed, establish a new theory or escalate.
4. Establish a plan of action to resolve the problem and implement the solution.
5. Verify full system functionality and, if applicable, implement preventive measures.
6. Document findings, actions, and outcomes.

Some solutions may actually cause another problem on the system. Carry a personal notebook and take notes.
Common OS Problems

Proprietary crash screens (BSOD/pinwheel)/kernel panic
Failure to boot
Improper shutdown
Spontaneous shutdown/restart
Device fails to start/is not detected
Missing DLL message
Service fails to start

BSOD: More likely than not, the problem is related to a misconfigured driver or misconfigured hardware. Try booting Windows in Safe Mode. In Safe Mode, Windows loads only basic drivers, such as a standard VGA video driver and the keyboard and mouse. The Apple equivalent is the pinwheel; on Linux it is a kernel panic.

Failure to Boot: To troubleshoot boot problems, you must understand the Windows boot process (page 1112). BOOTMGR (Windows 7/8/8.1) and NTLDR (XP) are the first file to load (the bootstrap).

Improper Shutdown: Not shutting down properly can result in lost data from open applications or corrupted operating system files.

Spontaneous Shutdown/Restart: While it could be indicative of a hardware problem (a malfunctioning motherboard, for example), it can also indicate a setting misconfiguration. Check the sleep settings for hibernation and disable them to see if it makes a difference. If the problem continues, start looking at drivers.

Device Fails to Start/Not Detected: Windows must load a driver before it can use any device. If you have just updated a driver and the device isn't functioning, rolling back the driver installation can sometimes solve the problem.

Missing DLL Message: Dynamic link library (DLL) files are required. (They were mentioned earlier in the section "Failure to Boot.") The problem of missing DLL files can also occur with applications when you attempt to start them, and the solution involves finding a copy of the DLL (online, on a backup, and so on) and replacing it.

Service Fails to Start: This problem can come from any number of sources, including an improper installation, a software conflict, or system instability.

NTOSKRNL.EXE: The Windows OS kernel. The solution to a corrupted NTOSKRNL.EXE file is to boot from a startup disk and replace the file from the setup media.
Common OS Problems (cont.)

Compatibility error
Slow system performance
Boots to Safe Mode
File fails to open
Missing NTLDR
Missing Boot Configuration Data
Missing operating system

Compatibility Error: Occurs if Microsoft has not digitally signed your device driver, that is, it hasn't been tested for compatibility with your version of Windows.

Slow Performance: In Windows, choose Start ➢ Control Panel ➢ Troubleshooting ➢ Check For Performance Issues (under System And Security). The Performance Troubleshooter will look for common problems, such as more than one virus detection program running, multiple users logged into the same machine, visual settings affecting performance, and so on. Also scan for viruses, delete programs that are never run, remove items from startup, and defragment the hard drive.

Boots to Safe Mode: Often associated with a damaged or missing driver. Fix: boot to the last known good configuration or resort to the recovery DVD.

File Fails to Open: When a file fails to open, it is often due to corruption.

Missing NTLDR/Missing BOOT.INI: Both files are essential to the boot process. The file can be retrieved from the Recovery Console or from bootable media (recovery DVD, repair disk, and so on).

Missing Boot Configuration Data: BOOT.INI is used to identify the operating systems installed, their locations, and the boot options to use. This text-based file can be (re)created using any text editor. When it is missing or damaged, you can recover it by booting into the Recovery Console and choosing Startup Repair (or by typing BOOTREC /REBUILDBCD at the command prompt).

Missing GRUB/LILO: If you are using GRUB (GRand Unified Bootloader) or LILO (LInux LOader) as a multiboot loader, you can encounter problems if they become corrupted or deleted. To solve it, re-create the loader (and reconfigure it for your system) to be able to use it.
Common OS Problems (cont.)

Missing graphical interface/GUI fails to load
Missing GRUB/LILO
Multiple monitor misalignment/orientation

Missing GRUB/LILO: GRUB (GRand Unified Bootloader) or LILO (LInux LOader). Re-create the loader (and reconfigure it for your system) to be able to use it.
Operating System Tools

BIOS/UEFI
SFC
Logs
System Recovery Options
Repair disks
Pre-installation environments
MSCONFIG

BIOS/UEFI: The basic input/output system (BIOS) and Unified Extensible Firmware Interface (UEFI) firmware. Keeping the most current versions of firmware on these devices can sideline a plethora of problems.

SFC: The purpose of this utility is to keep the operating system alive and well. SFC.EXE automatically verifies system files after a reboot to see if they were changed to unprotected copies.

Logs: Log files are created to record significant events. Those events can range from system problems to just normal user activity.

System Recovery Options: System Recovery Options allows for troubleshooting system problems. Two of the most important commands are BOOTREC /FIXBOOT and BOOTREC /FIXMBR, which work with the Master Boot Record. The utility BOOTCFG does a job similar to BOOTREC /REBUILDBCD, and it is a bit easier to work with.

Repair Disks: If you want to recover your computer and bring it back to the point where it was when it was new (minus any files that you added since purchasing the machine), you can use the recovery CD set or DVD. With Dell computers, for example, this is known as the Reinstallation DVD, and it accompanies each machine shipped.

Pre-installation Environments: The Windows Pre-installation Environment (Windows PE) is a minimal Win32 OS that runs the Windows kernel and is intended as a stub that can be run on a machine to allow it to begin an installation. As such, you can think of it as a bootable OS for the Windows Recovery Environment or for installation deployment through System Center Configuration Manager (SCCM), Systems Management Server (SMS), or Windows Deployment Services (WDS).

MSCONFIG: This utility helps troubleshoot startup problems by allowing you to selectively disable individual items that are normally executed at startup.
Operating System Tools (cont.)

DEFRAG
REGSVR32
REGEDIT
Event Viewer
Safe Mode
Command prompt
Uninstall/reinstall/repair

DEFRAG: When you save files to a hard drive, Windows will generally write the file into the first available space on the disk. Windows can store parts of a file in different locations (say, when you edit and increase the size of the original file), producing a fragmented file. Excessive fragmentation can slow down your system. Defragmenting a disk involves analyzing the disk and then consolidating fragmented files and folders so that they occupy a contiguous space, thus increasing performance during file retrieval. Type defrag in the search box, or choose Start ➢ All Programs ➢ Accessories ➢ System Tools ➢ Disk Defragmenter.

REGSVR32: REGSVR32.EXE, known as the REGSVR32 tool, allows you to register and unregister modules and controls for troubleshooting purposes. It is often associated with Internet Explorer, but it can be used with any control or module.

REGEDIT: The Registry Editor is used to change values and variables stored in a configuration database known as the Registry. It is very powerful.

Event Viewer: This utility provides information about what's been going on with the whole system to help you troubleshoot problems.

Safe Mode: If Windows won't load completely when you boot (it hangs or is otherwise corrupted), you can often solve the problem by booting into Safe Mode. Safe Mode is a concept borrowed from Windows 95 wherein you can bring up part of the operating system by bypassing the settings, drivers, or parameters that may be causing it trouble during a normal boot.
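The two tool slides above list SFC, logs (Event Viewer), MSCONFIG, DEFRAG and service start-up problems as separate utilities. The following script is an added example, not from the slides or the textbook, that drives the same checks from one elevated PowerShell session in read-only mode, so it can be run early in the "identify the problem" step without changing the system. It assumes Windows 8.1/10 with PowerShell 5.1; the 24-hour window and drive letter are parameters chosen for this example.

```powershell
# Added example (not from the slides): a read-only Windows health check that
# exercises several of the tools listed above from one PowerShell session.
# Run from an elevated prompt; SFC and the System log need administrator rights.
# Assumptions: Windows 8.1/10 with PowerShell 5.1. Nothing here changes state
# except that SFC /VERIFYONLY appends to its own CBS.log.

param(
    [int]$HoursBack = 24,          # how far back to look in the System log
    [string]$DriveLetter = 'C'     # volume to analyse for fragmentation
)

Write-Host "== 1. System File Checker (verify only, no repair) =="
# SFC.EXE compares protected system files against the cached copies.
# /VERIFYONLY reports problems without replacing files; use /SCANNOW to repair.
sfc /verifyonly

Write-Host "`n== 2. Event Viewer: critical and error events in the last $HoursBack h =="
$since = (Get-Date).AddHours(-$HoursBack)
# Level 1 = Critical, 2 = Error. Only the first line of each message is shown.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

Write-Host "`n== 3. Services set to start automatically that are not running =="
# A service that "fails to start" shows up here; look for its error in step 2.
Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
    Select-Object Name, DisplayName, Status | Format-Table -AutoSize

Write-Host "`n== 4. Startup items (what MSCONFIG's Startup tab lists) =="
# Unexpected entries here are a common cause of slow boots and pop-ups.
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User | Format-Table -AutoSize -Wrap

Write-Host "`n== 5. Fragmentation analysis (DEFRAG) =="
# -Analyze only reports; replace it with -Defrag to actually consolidate files.
Optimize-Volume -DriveLetter $DriveLetter -Analyze -Verbose
```

Save it as a .ps1 file and run it from an administrator prompt; each section maps to one of the tools on the slides, and the output of sections 2 and 3 together is usually enough to name the driver or service behind a "service fails to start" or "boots to Safe Mode" symptom before any repair is attempted.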
Common Symptoms

Pop-ups
Browser redirection
Security alerts
Slow performance
Internet connectivity issues
PC/OS locks up
Application crash

Pop-Ups: Pop-ups (also commonly known as popups) are both frustrating and chancy. When a user visits a website and another instance (either another tab or another browser window) opens in the foreground, it is called a pop-up; if it opens in the background, it is called a pop-under.

Browser Redirection: Pharming is a form of redirection in which traffic intended for one host is sent to another by changing entries in a DNS server (poisoning).

Security Alerts: Phony threats disguised as security alerts keep people on their toes. When you receive a virus warning, you can verify its authenticity by looking on the website of the antivirus software you use, or you can go to a public resource such as www.cert.org.

Lockups: System lockups can occur when a computer is asked to process too many instructions at once with too little memory. Usually, the cure for a system lockup is to reboot. If the lockups are persistent, it may be a hardware-related problem instead of a software problem.

Application Crash: When an application crashes, you want to isolate the cause of the crash (it could be a compatibility issue, hardware, or a host of other problems) and solve it.

Patches/Updates
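The slide describes browser redirection as a DNS-side change, but the same effect on a single PC is produced by entries in the local hosts file, which Windows consults before DNS. The function below is an added example, not from the slides, that parses hosts-file lines and flags anything that maps a name to a non-loopback address or overrides a domain on a watchlist. The sample lines and the watchlist are constructed for the example; on a real machine you would read the hosts file from the path shown in the comment.

```powershell
# Added example (not from the slides): detect browser-redirection entries in the
# local hosts file. Windows checks this file before DNS, so a line such as
# "203.0.113.5 www.bank.example" silently sends the user to the wrong host.
# Assumptions: the watchlist is illustrative; a real deployment would use the
# organisation's own list of domains that must never be overridden locally.

function Get-SuspiciousHostsEntries {
    param(
        [Parameter(Mandatory)][string[]]$HostsLines,   # hosts file contents, one line each
        [string[]]$Watchlist = @()                      # domains that must not be overridden
    )
    # Mapping a name to these addresses blocks it rather than redirecting it.
    $loopback = @('127.0.0.1', '::1', '0.0.0.0')
    foreach ($raw in $HostsLines) {
        $line = ($raw -split '#')[0].Trim()            # drop comments and whitespace
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }          # malformed line: address only
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $reasons = @()
            if ($loopback -notcontains $ip) { $reasons += "maps $name to non-loopback address $ip" }
            if ($Watchlist -contains $name.ToLower()) { $reasons += "$name is on the watchlist" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Address = $ip; Name = $name; Reason = ($reasons -join '; ') }
            }
        }
    }
}

# Constructed sample hosts content for demonstration. On a real machine use:
#   $lines = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
$lines = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '::1             localhost',
    '0.0.0.0         ads.example.net       # local ad block, expected',
    '203.0.113.5     www.bank.example      # would redirect the bank site',
    '127.0.0.1       update.vendor.example # blocks a vendor update site'
)
$watch = @('www.bank.example', 'update.vendor.example')

Get-SuspiciousHostsEntries -HostsLines $lines -Watchlist $watch | Format-Table -AutoSize
```

With the sample input the function reports two entries: the bank site redirected to 203.0.113.5 (two reasons) and the vendor update site blocked via 127.0.0.1 (watchlist only); the ad-block line is left alone because it points at 0.0.0.0 and is not on the watchlist. Redirection that survives a clean hosts file points back at the DNS server or the router, which is the case the slide describes.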
Common Symptoms (cont.)

OS update failures
Rogue antivirus
Spam
Renamed system files
Files disappearing
Hijacked email
Access denied
Invalid certificate (trusted root CA)

OS Update Failures: Failed updates for Windows, assuming that connectivity issues do not cause them, can often be traced to setting misconfigurations.

Spam: While spam is not truly a virus or a hoax, it is one of the most annoying things with which an administrator must contend. Spam is defined as any unwanted, unsolicited email.

Renamed System Files: When this occurs, the user can no longer perform the operation associated with the file, such as print, save, and so on.

Hijacked Email: One of the easiest ways to spread malware is to capture the email contacts of a user and send the malware as an attachment to all of those in their circle.

Invalid Certificate: PKI, or public key infrastructure, was discussed in Chapter 21, and it relies upon digital certificates for security. An invalid certificate usually means that the certificate that you have has expired. If this is the case, renew the certificate.
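The "invalid certificate (trusted root CA)" symptom is easier to diagnose if you can see which trusted roots on the machine have expired or do not belong in a root store at all (a root CA certificate is self-signed, so its Subject equals its Issuer). The following function is an added example, not from the slides, that walks the LocalMachine and CurrentUser Root stores and reports those conditions; the 30-day warning window is a choice made for this example.

```powershell
# Added example (not from the slides): audit the trusted root stores for
# certificates that have expired, expire soon, are not yet valid, or are not
# self-signed (a root CA certificate always has Subject equal to Issuer).
# Read-only; no administrator rights are required to list the stores.
# Assumption: the 30-day warning window is an arbitrary choice for this example.

function Get-RootStoreFindings {
    param([int]$WarnDays = 30)
    $now = Get-Date
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            $findings = @()
            if ($cert.NotAfter -lt $now) {
                $findings += 'expired'
            } elseif ($cert.NotAfter -lt $now.AddDays($WarnDays)) {
                $findings += "expires within $WarnDays days"
            }
            if ($cert.NotBefore -gt $now) { $findings += 'not yet valid (check the system clock)' }
            if ($cert.Subject -ne $cert.Issuer) { $findings += 'not self-signed (unexpected in a Root store)' }
            if ($findings.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Finding    = ($findings -join '; ')
                }
            }
        }
    }
}

Get-RootStoreFindings | Sort-Object NotAfter | Format-Table -AutoSize -Wrap
```

A "not yet valid" finding on every certificate usually means the PC's clock is wrong rather than that the certificates are bad, which is worth ruling out before renewing anything. An unexpected non-self-signed entry in a Root store is a sign that something other than Windows Update added a trust anchor and should be investigated as part of the malware-removal steps later in the chapter.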
Security Tools

Antivirus software
Antimalware software
Recovery Console
Terminal
System Restore/snapshot

System Restore/Snapshot: A restore point is a copy, or snapshot, of your system configuration at a given point in time. It's like a backup of your configuration but not necessarily your data. Restore points are created in one of three ways: automatically, manually, or during software installation.
Best Practices of Malware Removal in Windows

1. Identify malware symptoms.
2. Quarantine the infected system.
3. Disable System Restore.
4. Remediate the infected system.
5. Schedule scans and updates.
6. Enable System Restore and create a restore point.
7. Educate the end user.
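Steps 3 through 6 of the procedure above map directly onto built-in cmdlets, which makes the order of operations easy to get right every time. The script below is an added example, not from the slides or the textbook, written for Windows 10 with the Windows Defender module; the drive letter, scan schedule and restore-point description are choices made for this example. Steps 1, 2 and 7 (recognising symptoms, disconnecting the machine, talking to the user) are human actions and are only noted in comments.

```powershell
# Added example (not from the slides): the remediation steps expressed as a
# PowerShell script using the built-in Windows Defender cmdlets. Run elevated on
# a system that has already been taken off the network (step 2, quarantine, is
# a physical/network action, not a command). Assumptions: Windows 10 with the
# Defender module; drive letter, schedule and description are example choices.

param([string]$SystemDrive = 'C:\')

# Step 3: disable System Restore so an infected restore point cannot be
# re-applied later and so the scanner is not fighting protected snapshots.
Disable-ComputerRestore -Drive $SystemDrive

# Step 4: remediate. Get fresh definitions, run a full scan, list what was found.
Update-MpSignature
Start-MpScan -ScanType FullScan
Get-MpThreatDetection |
    Select-Object DetectionID, ThreatID, InitialDetectionTime, Resources |
    Format-Table -Wrap

# Step 5: keep scheduled scanning and signature updates on.
# ScanScheduleDay 0 = every day; SignatureUpdateInterval is in hours.
Set-MpPreference -ScanScheduleDay 0 -ScanScheduleTime 02:00:00 -SignatureUpdateInterval 8

# Step 6: re-enable System Restore and create a known-clean restore point.
Enable-ComputerRestore -Drive $SystemDrive
Checkpoint-Computer -Description 'Post-malware-remediation baseline' -RestorePointType MODIFY_SETTINGS

# Step 7 (educate the user) is a conversation, not a command. Export the
# detection list so the findings can be documented and shown to the user.
Get-MpThreatDetection |
    Export-Csv -Path "$env:USERPROFILE\Desktop\remediation-report.csv" -NoTypeInformation
```

Disabling System Restore before the scan and creating the new restore point only after the scan matters: a restore point taken while the infection is present would preserve the malware, and a scan run with restore enabled may report threats inside snapshots it cannot clean. The exported CSV is the "document findings, actions, and outcomes" step from the troubleshooting theory applied to this procedure.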
Common Mobile Problems

Dim display
Intermittent wireless
No wireless connectivity
No Bluetooth connectivity
Cannot broadcast to external monitor
Touchscreen non-responsive
Apps not loading

Intermittent wireless: Two main reasons, low signal and interference.

Cannot broadcast to an external monitor: If auto-detection is disabled, or just not working, then you may need to configure the output device manually.
Common Mobile Problems (cont.)

Slow performance
Unable to decrypt email
Extremely short battery life
Overheating
Frozen system
No sound from speakers
Inaccurate touchscreen response
System lockout
Mobile Tools/Solutions

Hard reset
Soft reset
Close running applications
Reset to factory default
Adjust configurations/settings
Uninstall/reinstall apps
Force stop

Hard reset: A hard reset should always be done as a last resort. With Apple's iPhone, iPad, and iPod Touch, forcing a restart on the device is done by pressing and holding the Sleep/Wake and Home buttons for at least 10 seconds until you see the Apple logo.

Soft reset: Not as forceful as a hard reset, a soft reset keeps the data of running applications. With Apple's iPhone, iPad, or iPod Touch, press and hold the Sleep/Wake button until the red slider appears, and then drag the slider to turn the device off.

Reset to factory default: When you need to get to a safe state, such as when you are disposing of a device or assigning it to a new user, you can reset it to factory default settings. To do this, tap Settings and then General.

Adjust configurations/settings: Configurations and settings need to be personalized to the user using the device.

Force stop: When an app is unresponsive, you can do a force stop to close it. With iOS, press the Home button twice quickly and small previews of your recently used apps will appear. Swipe left to find the app that you want to close, and then swipe up on the app's preview to close it using a force stop.
Common Mobile Security Issues

Signal drop/weak signal
Power drain
Slow data speeds
Unintended Wi-Fi connection
Unintended Bluetooth pairing
Leaked personal files/data
Data transmission overlimit

Signal drop/weak signal: Weak signals are a common culprit behind dropped signals. Before engaging in communication, signal strength on the device should be evaluated. If the signal is low (for example, no bars), then change location.

Power drain: While apps, usage, and so on can contribute to power drain, one of the biggest offenders is the search for a signal.

Slow data speeds: Slow data speeds can be caused by too much interference.

Unintended Wi-Fi connection: When autoconnect is enabled on devices, it is possible for them to seek out open Wi-Fi networks and try to connect to them automatically.

Unintended Bluetooth pairing: When anonymous devices are allowed to connect to Bluetooth-enabled devices, this is known as unintended Bluetooth pairing, and it represents a security threat.

Leaked personal files/data: When authorized users access devices through unintended connections or unauthorized users access absconded devices, they can access the data on the device. Every firm should have a policy for protecting data, namely encryption.

Data transmission overlimit: Going over the limits on data plans can be symptomatic of a hacked account. Closely monitor account usage.
Common Mobile Security Issues (cont.)

Unauthorized account access
Unauthorized root access
Unauthorized location tracking
Unauthorized camera/microphone activation
High resource utilization

Unauthorized account access: Unauthorized account access can give users access to personal files and data to which they should not have access. Closely monitor account usage.

Unauthorized root access: Security holes in mobile device operating systems can leave back doors through which users can get unauthorized root access. The majority of these holes are closed by patches and upgrades as soon as they are discovered.

Unauthorized location tracking: While location-based data can be very valuable when you are using maps and trying to find sites, it can also give away sensitive information if accessed by someone who should not have it.

Unauthorized camera/microphone activation: The camera and microphone can be activated remotely and allow a troublemaker to spy on you. It is suggested that, when not in authorized use, you cover the camera and microphone to keep them from providing any data if they are remotely accessed.

High resource utilization: High resource utilization can be a telltale sign that a device is running more than you think it should be. Perhaps the drives are being searched or the camera is recording your every move.
Mobile Security Tools

Antimalware
App scanner
Wi-Fi analyzer
Cell tower analyzer
Backup/restore

App scanner: Similar to antimalware, an app scanner looks for problems with apps. On an Android phone, for example, the Lookout app automatically scans every app that you install, performs a full scan of all of the apps on your device every week, and downloads the latest definitions regularly.

Wi-Fi analyzer: This is a tool that can show you the Wi-Fi channels, and it can be useful in problem detection.

Cell tower analyzer: What the Wi-Fi analyzer can do for Wi-Fi, the cell tower analyzer can do for cell towers, showing a graphical representation of traffic and signals.

Backup/restore: In the Apple world, there is iTunes/iCloud/Apple Configurator. The latter simplifies mass configuration and deployment on iPhone, iPad, and iPod Touch, and it is intended for use by schools, businesses, and institutions. In the Google world, there is Google Sync, which allows you to sync your phone, desktop, and tablet devices. Last, in the Microsoft world, there is OneDrive, which has been discussed previously.