Tux Can Give Windows a Helping Hand with Knoppix

Bringing a new Windows machine up on the network can expose it to worms before you can even patch it. With Knoppix and its Security Tools Distribution, you can use Linux to patch your Windows systems and even recover from lost Administrator passwords or corrupted registries, even when they're using NTFS.

By Carla Schroder | Posted Dec 21, 2004

As you faithful Enterprise Networking Planet readers know, Knoppix is a great all-purpose rescue CD for both Linux and Windows. A few months ago you read about using Knoppix to run a virus-scanner on Windows machines. The advantages are that you get the most current virus definitions, the scan runs from a guaranteed-clean disk with no memory-resident nasties active, and it's free of cost. It has one major downside, however: the Linux kernel's support for writing to NTFS filesystems is not reliable. It's hard to say what percentage of Windows systems use NTFS, the native filesystem of Windows NT/2000/XP, but it's sizable, so having full read/write access from outside Windows is essential.

As usual, events move quickly in Linux-land. Behold the Captive NTFS project. Supporting NTFS in the Linux kernel is difficult because the specification is kept secret. So the brainiacs behind Captive NTFS figured out how to run Windows' own NTFS driver (ntfs.sys, plus the ntoskrnl.exe it depends on) inside a compatibility layer on Linux, which gives reliable writes without having to reverse-engineer the on-disk format.

Captive NTFS requires drivers from Windows XP SP1 for version 1.1.4, which is on Knoppix 3.4, or drivers from Windows XP SP2 for version 1.1.5, which is on Knoppix 3.6. If these are present on your system:

  • Boot up Knoppix. Go to the little penguin (Extra Software) in the taskbar and run Utilities -> Captive NTFS.
  • Next, you can either hit the Scan button and let the wizard find the files, or
  • Hit the Skip button. This takes you to a menu that lets you specify the file locations.
  • When you see the window that says "Windows Has Been Captivated" you're almost there.

You'll also see a rather cryptic message that says "Although essential modules ("ntoskrnl.exe" and "ntfs.sys") are available you may still get their better version and/or more modules." It doesn't say what modules you might want, or where to get them. Ignore this and click OK.

Next, you'll have to mount your NTFS volume from the command-line. To do this, open a terminal and su to root (su -); there is no password. Then create a mount directory, and mount the NTFS volume using the captive-ntfs file type:

# mkdir /mnt/captive-win
# mount -t captive-ntfs /dev/hda5 /mnt/captive-win

How do you know the /dev value? Look in /etc/fstab, or run fdisk -l to list the partitions on each disk. Whatever you do, do NOT try to mount the volume by clicking on the desktop icon. That icon is not linked to Captive NTFS, so it will use the unreliable Linux kernel driver (Knoppix 3.6 won't let you do this in any case). After mounting, check the output of mount: if the volume shows up as type ntfs, the kernel driver got it rather than Captive, and you should unmount it before writing anything.

Windows NT/2000

For Windows NT/2000 machines, and XP machines without Service Packs, the Captive NTFS installer will download the necessary files from the Internet. It's a 29-megabyte download. Open the wizard, click Forward-Skip-Skip to get to the "Download From Microsoft.com" window, and click "Yes start the download." Then follow the steps above to mount the NTFS volume.

Unmounting NTFS Volumes

This is VERY IMPORTANT: Unmount your NTFS volumes before shutting down. If you don't, there is a risk of data corruption. If you get a "device is busy" error, run lsof (list open files) to see what is hanging it up. Be sure to specify the /dev name, not the mountpoint:

# lsof /dev/hda5

Chances are you will see lufs-bin, part of the userspace filesystem layer (LUFS) that Captive NTFS mounts through, gumming up the works. A quick and lethal way to kill it off is kill -9. Bear in mind that SIGKILL gives the process no chance to flush anything it is still holding, so run sync first and save this for when a plain umount keeps failing:

# kill -9 [process-id-number]

If you see a number of these running with different PIDs, nail 'em all with this one-liner (the [l] in the pattern keeps grep from matching its own command line, and the original form, grep $lufs-bin, expanded an unset variable and handed grep "-bin" as an option):

# kill -9 $(ps -ef | grep '[l]ufs-bin' | awk '{print $2}')

or simply let killall match them by name:

# killall -9 lufs-bin
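As an added example (not code from the original article), here is the unmount step wrapped into a small shell helper: it syncs, tries a plain umount, and only if the device is busy lists the holders with lsof, kills lufs-bin and retries once. The lufs_pids function takes ps -ef style text as its argument so it can be dry-run against the constructed sample at the bottom; the device, mountpoint and PIDs in that sample are assumptions, not output from a real system.

```shell
#!/bin/sh
# Added example, not from the original article: unmount a Captive NTFS
# volume and, if the device is busy, clear out lufs-bin before retrying.
# Assumptions: Captive NTFS is mounted as in the article (/dev/hda5 on
# /mnt/captive-win) and lsof, ps and awk are available on the Knoppix CD.

# Print the PIDs of lufs-bin processes found in ps -ef style text ($1).
# '[l]ufs-bin' matches the string "lufs-bin" but not the grep command
# line itself, which shows up in ps as "grep [l]ufs-bin".
lufs_pids() {
    printf '%s\n' "$1" | grep '[l]ufs-bin' | awk '{print $2}'
}

# captive_umount DEVICE MOUNTPOINT
# Flush, try a clean umount, and only on failure kill lufs-bin (SIGKILL
# gives it no chance to flush, so this is a last resort) and retry once.
captive_umount() {
    dev=$1
    mnt=$2
    sync
    if umount "$mnt" 2>/dev/null; then
        echo "unmounted $mnt"
        return 0
    fi
    echo "umount failed; processes holding $dev open:"
    lsof "$dev" || true
    pids=$(lufs_pids "$(ps -ef)")
    if [ -z "$pids" ]; then
        echo "no lufs-bin processes found; not retrying" >&2
        return 1
    fi
    for p in $pids; do
        kill -9 "$p"
    done
    sleep 1
    umount "$mnt"
}

# Constructed sample of ps -ef output (not captured from a real box) so
# lufs_pids can be exercised without a mounted volume.  The last line is
# what the pipeline's own grep would look like, and must not be matched.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 init [5]
root      2345     1  0 10:05 ?        00:00:00 lufs-bin /dev/hda5 /mnt/captive-win
root      2350  2345  0 10:05 ?        00:00:00 lufs-bin /dev/hda5 /mnt/captive-win
knoppix   2400  2200  0 10:07 pts/0    00:00:00 grep [l]ufs-bin'

# Dry run against the sample; prints 2345 and 2350, never 2400:
#   lufs_pids "$SAMPLE_PS"
# On a real system, as root:
#   captive_umount /dev/hda5 /mnt/captive-win
```

The helper deliberately does not reach for kill -9 until a normal umount has failed, and it checks that something was actually found before retrying, so a busy device caused by something other than lufs-bin (a shell with its working directory inside the mount, say) is reported rather than silently left mounted.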

Use Knoppix To Download Service Packs And Patches

Poor ol' Windows gets caught on the horns of a dilemma when it comes time to downloading a Service Pack, security patch, or hotfix. It only takes a few minutes to become compromised — some folks claim as little as three minutes after connecting to the Internet — so obviously using an unpatched machine to download the updates is unwise. The problem is even more acute with a brand-new Windows installation. No problem, just boot up your trusty Knoppix disk, connect to Microsoft's download site, and start downloading directly to your Windows partition. If it is NTFS-formatted, follow the instructions above to run the Captive NTFS installer first and mount the NTFS partition.

When the download is completed, unmount the NTFS partition and shut down. Disconnect the network cable, then boot Windows and install the patches. Currently Microsoft makes Service Packs and other patches available at TechNet Downloads. Look for "Network Installation" downloads. These are the full .exe files, and are not intended to be downloaded individually for every single PC on your network. Once the files are downloaded, distribute them to your other Windows PCs offline; I recommend burning them to a CD so you never have to put an unpatched machine on the network.
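The patch-staging step, as an added example that is not part of the original article: a shell helper that downloads a Service Pack or hotfix onto the Captive-mounted partition and keeps it only if its SHA-1 matches a checksum you copied from the vendor's download page. It assumes the partition is already mounted on /mnt/captive-win as described above; the URL, directory and hash in the usage comment are placeholders, not real Microsoft values. The check matters because these executables will be carried by CD to every unpatched machine on the network, so a corrupted or tampered download is worth catching before it leaves Knoppix.

```shell
#!/bin/sh
# Added example, not from the original article: fetch a patch from
# Knoppix straight onto the NTFS partition and refuse to keep it unless
# its SHA-1 matches the published value.  Assumptions: the partition is
# mounted through Captive NTFS on /mnt/captive-win; wget is on the CD.
# The URL and hash in the usage comment below are placeholders.

# Print the lowercase hex SHA-1 of file $1 (sha1sum on Knoppix; shasum
# is kept as a fallback for systems without coreutils).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE EXPECTED  -> 0 if the hashes match, 1 otherwise.
# Published hashes are often uppercase, so normalise before comparing.
verify_sha1() {
    actual=$(sha1_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# stage_patch URL DEST_DIR EXPECTED_SHA1
# Download into DEST_DIR on the mounted NTFS volume; on a failed fetch or
# a checksum mismatch the partial/bad file is removed so nothing
# unverified is left behind for the Windows side to run.
stage_patch() {
    url=$1
    dest_dir=$2
    expected=$3
    file="$dest_dir/$(basename "$url")"
    mkdir -p "$dest_dir"
    if ! wget -O "$file" "$url"; then
        echo "download failed, removing $file" >&2
        rm -f "$file"
        return 1
    fi
    if verify_sha1 "$file" "$expected"; then
        echo "verified: $file"
        return 0
    fi
    echo "checksum mismatch, removing $file" >&2
    rm -f "$file"
    return 1
}

# Usage (as root, NTFS volume mounted via Captive NTFS; placeholder
# URL and hash, substitute the real ones from the download page):
#   stage_patch 'http://download.example.invalid/WindowsXP-SP2-Network.exe' \
#       /mnt/captive-win/patches \
#       0000000000000000000000000000000000000000
# Then unmount /mnt/captive-win, shut down, unplug the network cable,
# and boot Windows to install from the patches directory.
```

Keep the expected hash somewhere other than the Windows partition you are about to patch (on paper, or on the Knoppix CD's own notes), since the whole point is to check the file against something the possibly-compromised machine cannot have altered.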

Scan And Disinfect

Now you can use Knoppix to run a virus scan-and-disinfect. First install F-Prot and download the updates from Utilities -> Install Software -> f-prot. Then, with the NTFS volume still mounted through Captive NTFS (disinfection has to write to the partition), run this from the command line, as root:

# f-prot -disinf -list /mnt/captive-win

Go have a nice cup of tea, because this will take a few minutes. When it's done, you will have a nice clean Windows PC. For a few minutes, at least.

Knoppix Security Tools Distribution

The Knoppix STD 0.1 (Security Tools Distribution) contains some additional useful Windows fixits, such as chntpw for when you lose your Administrator password, and it also edits the dreaded Windows registry. This alone makes it worth having. Very handy when you cannot boot your Windows system, and the Windows Recovery disk proves to be less-than-helpful, as it usually does. It also contains a number of intrusion-detection and forensics tools, and network management utilities. An added bonus: Knoppix STD is designed to be lightweight, so it's suitable for less-powerful systems. A final bonus is the whole notion of finding superior Windows repair tools in Linux.
