Network Undelete

by Matthew Holbrook ()

This article first appeared in the October 1998 issue of Computer Shopper

Recently Windows NT hasintroduced a different working environment - with a tightercontrol on what applications can be run and security applied atevery stage. Even so, we've shown in the past that you canvirtually drive a coach and horses through Windows NT's security.With Windows NT came the frustration that files could not beundeleted from local drives and that network undeletes wereimpossible as before.

Executive Software hasgained the reputation of filling the holes Microsoft has left inWindows NT. We've already seen how its Diskeeper product has donesterling work making up for the fact that Windows NT has neverhad a defragmenter and yet has a major fragmentation problem.Diskeeper was the first product of its kind for Windows NT and alite version of Diskeeper will be a standard feature of Windows2000. Now, Executive brings us Network Undelete.

Network Undelete isdesigned for Windows NT 4 Server and Workstation and Service Pack3 is recommended, although not essential. The product arrives onCD-Rom and is quick to install although you must be anadministrator to complete the task. Running the supplied Setuproutine requests whether you want to install the standardUndelete software or the Emergency Undelete routine. You thenchoose the installation directory and wait a few seconds forinstallation to complete. A reboot is required after this and youare then up and running. Sadly, there is no automatic method forinstalling Network Undelete on remote PCs.

The Network Undelete Administrator tool canconnect to remote PCs and recover files

Dangerous game

When most files aredeleted from Windows NT, they are not normally deletedimmediately. Instead they are copied to the Recycle Bin. TheRecycle Bin was introduced with Windows NT 4 and has beenavailable since Windows 95. It saves copies of deleted filesuntil the user says the Bin should be emptied. Loading this willshow the contents of the bin, allowing files to be restored orfor the bin to emptied. But the Recycle Bin is only part of thesolution when it comes to file recovery. As Windows 95 users willknow, the Recycle Bin does not capture all files. Additionally,many users get used to holding down Shift before they deletesomething - the file then bypasses the Recycle Bin.

Only files deleted throughthe Explorer interface or 32-bit applications are aware of theRecycle Bin. Older applications will still delete files in thenormal way. Even the old File Manger (Winfile.exe - stillsupplied with Windows NT) does not support the Recycle Bin.Likewise, anything deleted from the Dos command line will alsonot make it. But perhaps surprisingly, files on remote networkshares are not sent to the Recycle Bin at all - even if theservers or workstations they relate to have their own RecycleBins.

Basically, if the file hasnot been sent to the Recycle Bin, Windows NT has provided no wayto recover such files. This has probably been put forward as asecurity feature - rather than the more acceptable allegation ofa missing feature. Additionally, the Recycle Bin has no knowledgeof networking. This means a system administrator is not able toconnect to a user PC when help is needed. And, what we currentlyknow about Windows 2000 suggests things don't improve in thatrelease.

I should be solucky

Network Undelete replacesthe Windows NT Recycle bin with its own Recovery Bin. As well asthe different name, a slightly different icon shows on the screen.This is able to capture a wider range of deleted files. All filesdeleted within applications are now captured - even those notsupporting the Windows NT Recycle Bin. As well as this, theRecovery Bin will store files that have been deleted with the oldFile Manager as well as files deleted from the Dos command line.

Where local Windows NTusers are concerned, the Recovery Bin works in a similar mannerto the existing Recycle Bin. However, Network Undelete allowssupport staff to make remote connections to the Recovery Bin.Windows NT security is observed and only administrators and fileowners are able to perform undelete actions. Administrators caneasily configure the behavior of all the remote Recovery Bins onthe network. For support staff to perform remote undelete actions,the remote PC must be running the Network Undelete software.

When files are deletedfrom remote shared drives, they are sent to the Recovery Bin ontheir host. Files deleted by any user will be saved here. SupportStaff can then use the Network Undelete Administrator to attachto these hosts and recover files for users on request.

But as any user will see,there will be circumstances when files have been deleted and theyare not in the Recovery Bin. The Bin might have been emptiedbefore the user realised a file was needed. Alternatively, thefile may have been prevented from going there in the first place.Network Undelete is still able to help - by recovering the filedirectly from the NTFS or Fat partition. This feature, notsurprisingly, is known as 'Undelete From Disk'.

Some kind of bliss

As expected, deleted filesare simply marked as free space. This space will eventually betaken by other files as and when the space is required. As withusing more traditional forms of Undelete, the process is best runas soon as the problem is acknowledged. Any disk activity couldoverwrite the deleted file, making recovery impossible. This ismore likely to be the case on Windows NT because of the largeamount of disk activity that takes place.

This facility requiresadministrator privilege to run. And, as before, support staffconnect using Network Undelete Administrator and perform theaction for the user. But the whole process is restricted toaccounts with administrator rights - even file owners cannot usethe Undelete From Disk feature. Still, in tests I was surprisedto be able to salvage Shopper columns from five months previously!

When files are offered forrecovery, the folder relationship is not apparent. This means youhave to manually select the required files if you are attemptingto restore a whole folder. Additionally, files purged from theRecovery Bin will return there if salvaged with Undelete FromDisk. Restoring them to their correct location is another manualstep. The recovery of deleted files cannot be guaranteed withthis feature - particularly on PCs with a bad case of Windows NTfragmentation.

A companion feature isEmergency Undelete. This allows the recovery of files even ifNetwork Undelete has not been installed. To guard against diskactivity overwriting deleted files, Emergency Undelete can be rundirectory from the Network Undelete CD-Rom. This is a usefulcompanion to the product and will be essential on machines whenthe main software is not being used.

As each minute goes by,the chance of recovering a deleted file declines. You should notsave any files to the disk. Executive recommends removing thenetwork cable if one is present - to guard against other userswriting their own files to the PC. When the deleted file is foundby Emergency Undelete, it should be saved to another partition -in case the recovery process itself overwrites the rest of thedeleted file. If Emergency Undelete is to be installed, onlyaround 8K of information is written to the system. This includesregistry changes and a program group. This very small amount ofcode should not overwrite delete files in most cases.

Network Undelete can search through an NTdisk for anything that looks like a file

Where in the world

As with other ExecutiveSoftware products, Network Undelete is available as a timelimited demonstration from its Web site. Go to either www.execsoft.co.ukor www.executive.com. Complete the registration document and youcan then download the software. Unzip the file that wasdownloaded into a temporary directory and then run the resultingSetup.exe in the normal way. Strangely, I found the US site to bemuch quicker than the UK offering. Indeed the UK site waspositively unhelpful. Executive told me that work was underway tosignificantly improve the UK service.

As noted earlier, NetworkUndelete is available in two forms - administrator and client.The administrator version is for use on networks where supportstaff will be connecting to user PCs. The client version forindividual networked and non networked forms of Windows NT.Either can be run on both Server and Workstation forms of WindowsNT.

The Network UndeleteClient is priced at £41.12 per user with the Administratorversion at £164.50. A networking starter pack is also available.This consists of the Administrator version plus five clients - atan inclusive cost of £276.12. All prices include VAT.

The Network Undeletedocumentation comprises a 50 page pamphlet. Surprisingly, it isindexed although the illustrations stretch to just fourscreenshots. It was considered to be adequate considering theease of use of the software.

Conclusion

Trawling through a backuptape looking for a single user file is the job all systemadministrators hate. Network Undelete could mean that's a thingof the past. Of course, recovery is not guaranteed but thisproduct is one of a kind. Salvaging a single file will probablymean the product has been worthwhile. But you should nevertotally rely on any Undelete product - nothing is certain in thisgame.

As with previous ExecutiveOfferings, Network Undelete fills another major hole in aMicrosoft operating system. It has been specifically designed tosolve this big problem with Windows NT. Of course, it would havebeen nice if Network Undelete had been Windows 95/98 compatibleas well. But we can't have everything I guess.