Boot Problems

If problems occur while Windows is starting, there is a good chance that device drivers are at fault. A driver is a file or a set of files that tells an OS (operating system) how to interact with a particular device. During startup, Windows loads a driver for every device, from your high-speed DVD burner to your coffee-stained, dusty keyboard. Problems that occur during startup can be frustrating and difficult to troubleshoot. The hypnotically animated startup screens conceal all of the events that occur during this process-intense period. By enabling boot logging, Windows will create a plain-text log file to record which device drivers are loading and whether they successfully loaded. WinXP will automatically store this information when you boot into Safe Mode, but you'll need to boot into WinXP regularly because Safe Mode loads only the minimal drivers needed to start the OS. You can enable boot logging during startup by pressing F8 as soon as you see the first WinXP startup screen. The Windows Advanced Options Menu will appear, offering several useful boot options. Select Enable Boot Logging and WinXP will continue to boot normally, loading drivers for all previously installed devices. Windows will now record the results of each attempt to load a device driver into an easily accessible text file, Ntbtlog.txt, which is in your C:\WINDOWS directory. Windows will add this information to a currently existing log, so you'll find recent information toward the end of the file. Load the Ntbtlog.txt file into Notepad and examine it for errors. If the computer is locking up during startup, either restart into Safe Mode to view the file or boot from your WinXP installation disc and use the Recovery Console to view the file. (See Microsoft Knowledge Base [http://support.microsoft.com] article 314058 for more information on using the Recovery Console.) If the log specifies that a file name for a driver that was not loaded, either the file is missing, corrupt, dependent upon another driver that did not load successfully, or is set to manually load upon the request of another driver. It is also possible that the corresponding device may have been disabled in Windows' Device Manager. You may need to reinstall, update, or enable the device drivers before the problem is solved. Although Boot Logging is a great place to investigate startup issues, it does have limitations. If the error occurs too early or too late during the startup process, or is not related to a device driver, the boot log will not help you track down your problem. A more powerful tool called the Event Viewer constantly records vital information that may assist you in tracking down your problem.

The Event Viewer

The Event Viewer is a great tool to use when troubleshooting computer problems, and best of all, it's included free with Windows. The Event Viewer is accessible through the Administrative Tools icon in Control Panel (Classic View) or by right-clicking My Computer, selecting Manage, and expanding System Tools. Events are classified into three categories: Application, Security, and System.

Application. This category contains events that occur in your applications. For example, an application event may record a configuration change, a missing file, or a severed remote connection.

System. The system log shows all events that pertain to Windows. This is the virtual diary Windows uses to keep track of all actions for each system component, including background services, devices, and networking components.

Security. The security category records all events that pertain to security policies. Security events, such as file access and creation, user logons, and policy changes, will be shown here. By default, security logging is not enabled in WinXP. An administrator must install a security logging package into the OS and specify which types of security events to monitor. Configuring this type of logging is a bit beyond the scope of this article, so we'll focus mainly on accessing and utilizing log files themselves.

When troubleshooting an error, it's important to view events in each category. Notice that there are five types of events: Information, Warning, Error, Success Audit, and Failure Audit. Informational events record actions that perform successfully, such as services starting or devices the system has stopped. Warning events, marked with a yellow icon, indicate that Windows had complications performing a task, but it was able to deal with the problem itself. These events are subtle indicators that something is not quite right and could possibly lead to problems. Error events show that a critical error occurred, and Windows could not correct the problem. These events, marked with the dreaded red icon, show that something is definitely not working properly and that the problem is impacting your computer now. Success Audits denote successful security access, such as logging on to the system, while Failure Audits are events such as failure to access a drive. Try to find events that will help solve your problem by sorting the events by either the time that a suspected error occurred, the type of event that occurred, or the source component that logged the event. You may also sort the events according to their category, event number, or the names of computers and users who were affected. To sort the events, click the column heading of the field you wish to sort by. If your logs contain a lot of data, the View menu will let you specify search criteria to find an event. You can also filter the events list to show only the events that match certain criteria, such as event type or source. We've found that filtering events by time and date is extremely helpful, as it provides a digital time line of system activities during a specified time period.

Once you've found a suspicious event, simply double-click the event to open the Event Properties dialog box. All the information about the event will be displayed, and the Description box will show more detailed information about the event. If the event seems to coincide with your particular problem, click the link to the Help And Support Center. This will take you online for more information about the error and will include steps to help you resolve the problem. Although the Help And Support Center provides information that Microsoft has retained about an error, you can find a global answer using your favorite search engine. Enter the error message verbatim into a search engine to find a solution based on someone else's experience with the same problem. Chances are good that you're not the first person to encounter an error and someone who has resolved the issue was kind enough to publish her findings. Internet newsgroups and support forums are a hive for this type of information, and asking for help will most certainly flood your inbox with ideas and suggestions for solving the problem.

Over time the Event Viewer logs can become quite large, so it's a good idea to clear the log files every once in awhile. The Action menu will allow you to save, open, export, and clear the log files. If you are having a lot of problems with your computer or would like to archive your event logs, save them to a file before clearing out the lists. Include the current date with the file name when saving a log file so that you can easily retrieve it if later needed. Saved log files can only be viewed by opening them in Event Viewer, but you may export a log file to a plain-text file instead. Exporting the log file will not only allow you to email or print your error logs, but also cut and paste the data for easier online transmission.

Track Down The Problem

Now that you know how to track events in WinXP, you'll hopefully find yourself more comfortable using your computer. Learning to troubleshoot and repair computers doesn't require a magician's sleight of hand, superhuman memory, or a computer science degree. The ability to analyze an error and find an answer is the true skill, and log files are an essential resource in connecting the problem to a solution.

by Greg Robinson