Description of the Dr. Watson for Windows (Drwtsn32.

exe) Tool

Dr. Watson for Windows is a program error debugger that gathers information about your computer

when an error (or user-mode fault) occurs with a program. Technical support groups can use the

information that Dr. Watson obtains and logs to diagnose a program error. When an error is

detected, Dr. Watson creates a text file (Drwtsn32.log) that can be delivered to support personnel

by the method they prefer. You also have the option of creating a crash dump file, which is a binary

file that a programmer can load into a debugger.

Note Windows XP also provides an Error Reporting service that monitors your computer for both

user-mode and kernel-mode faults ("stop" error messages or error messages that are displayed on

a blue screen, as well as improper shutdown events) that affect both the operating system and any

programs. This service allows you to send error reports to Microsoft when an error occurs. Because

all error reports are confidential and anonymous, Microsoft Support Professionals do not have access

to any error report that you have sent to Microsoft over the Internet using the Error Reporting

service. As a result, you may need to send a Dr. Watson for Windows log file to a support

professional. For additional information about Error Reporting Service in Windows XP, click the

article number below to view the article in the Microsoft Knowledge Base:

310414 HOW TO: Configure and Use Error Reporting in Windows XP

If a program error occurs, Dr. Watson for Windows starts automatically. To configure Dr. Watson,

follow these steps:

1. Click Start, and then click Run.

2. Type drwtsn32, and then click OK.

By default, the log file created by Dr. Watson is named Drwtsn32.log and is saved in the following

location:

drive:\Documents and Settings\All Users.WINNT\Application Data\Microsoft\Dr Watson

Note Drwatson.exe is an older program error debugger that was included with earlier versions of

Windows NT. Microsoft recommends that you use Drwtsn32.exe instead of Drwatson.exe in Windows

XP.
How to disable Dr. Watson for Windows

Important This section, method, or task contains steps that tell you how to modify the registry.

However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure

that you follow these steps carefully. For added protection, back up the registry before you modify

it. Then, you can restore the registry if a problem occurs. For more information about how to back

up and restore the registry, click the following article number to view the article in the Microsoft

Knowledge Base:

322756 How to back up and restore the registry in Windows

Note Because there are several versions of Microsoft Windows, the following steps may be different

on your computer. If they are, see your product documentation to complete these steps.

Back to the top

To disable Dr. Watson

1. Click Start, click Run, type regedit.exe in the Open box, and then click OK.

2. Locate and click the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\AeDebug

NOTE: Steps three and four are optional, but they necessary if you want to restore the

default use of Dr. Watson.

3. Click the AeDebug key, and then click Export Registry File on the Registry menu.

4. Enter a name and location for the saved registry file, and then click Save.

5. Delete the AeDebug key.

Registry entries for debugger programs are located in the AeDebug key in Windows. The Dr. Watson

program is installed by default in Windows, and is configured to run when an application error

occurs (with a data value of 1 for the Auto value). The default values are:

Value Name = Auto

Type = String (REG_SZ)

Data Value = 1 or 0. (Default is 1)

Value Name = Debugger

Type = String (REG_SZ)

Data Value = drwtsn32 -p %ld -e %ld -g

NOTE: This data value (drwtsn32 -p %ld -e %ld -g) is specific to Dr. Watson. Alternative debuggers

will have their own values and parameters.

Back to the top

To enable Dr. Watson

1. At a command prompt, type the following line, and then press ENTER:

drwtsn32 -i

2. Double-click the .reg file you created in steps three and four above.
ABOUT DR. WATSON

Dr. Watson is a software utility included with Microsoft Windows that is used to
help detect, decode and log errors that are encountered while windows or
windows programs are running.

A user can run Dr. Watson by clicking Start / Run and typing "drwatson" and
clicking ok. The Windows NT and 2000 Version of Dr. Watson can be run by
clicking Start / Run and typing "drwtsn32". When running Dr. Watson, you should
see either a new task on your toolbar or on your systray indicating that Dr.
Watson is running in the background. If errors are frequently occurring, run Dr.
Watson to help get additional information about the error.

When Dr. Watson encounters an error, the error is logged under the file
"drwtsn32.log" or "user.dmp" when running Microsoft Windows NT or Windows
2000. When running Microsoft Windows 95, 98 or ME, the file is logged with a
.WLG file extension and stored under the \Windows\Drwatson or \Documents and
Settings\All Users\Documents\DrWatson folder. For example, 10.wlg and
drwtsn32.txt are examples of Dr. Watson files.

Tip: If your computer is encountering errors often, load Dr. Watson into the
startup folder to load the program each time the computer boots.

TROUBLESHOOTING

Dr. Watson basic troubleshooting

1. If errors are being encountered with a specific program, ensure that the
latest software updates have been downloaded for that program.
2. Users running Microsoft Windows 95, 98 can double-click the Dr. Watson
icon on the systray to view errors and obtain a system snapshot of the
computer. Additional detailed information can also be seen by clicking
the View option and selecting the Advanced view.
3. Users running Microsoft Windows NT, Windows 2000, or Windows XP can
decode the error by reviewing our below instruction on how to decode
Dr. Watson errors.
4. Verify that another program running in the background is not causing the
problem by end tasking all TSRs. Additional information about TSRs can
be found on document CHTSR.
5. If after following the above steps you continue to receive Dr. Watson
errors, attempt to reinstall the application you are running and/or
contact the manufacturer or developer of the software program or
computer.

How do I disable Dr. Watson in Windows NT?

Dr. Watson by default is always running on computers running Microsoft
Windows NT. To disable Dr. Watson remove it from the registry. Note: Please
review our Registry page for additional information about the registry and its
dangers.

Open the below folders and keys.

HKEY_LOCAL_MACHINE\
Software\
Microsoft\
WindowsNT\
CurrentVersion\

Locate and delete the key AeDebug.

HOW TO DECODE DR. WATSON ERRORS

The below information applies to users who are running Microsoft Windows NT,
Windows 2000, or Windows XP and viewing the drwtsn32.log file. Each Dr.
Watson error is appended to the end of the drwtsn32.log file. Therefore, you
may need to scroll to the end of the file to determine the exact error.

Application exception occurred:

App: .\Release\Mcshield.exe (pid=508)
When: 11/3/2001 @ 13:54:08.489
Exception number: c0000005 (access violation)

The first portion of the drwtsn32.log file, as shown in the above example, gives
us information about the program, the time and the exception. As you can see
from the above example, this error is occurring in mcshield.exe, which is a part
of McAfee Virus Scan. We next see the date and time when this error occurred
and the exception number.

Unless the proper symbol is loaded on the computer, you will be limited to the
above information to determine what is causing the issue. As you can see from
the below example, the function has no symbols; therefore, you would be
unable to determine what function caused the error to occur. Additional
information about symbols can be found on Microsoft's DDK page, Microsoft
Q141465 or through your system administrator.

function: <nosymbols>
01500878 89d5 mov ebp,edx
0150087a 89de mov esi,ebx
0150087c 890c24 mov [esp],ecx
ss:0172eae8=000000af
0150087f 85db test ebx,ebx
01500881 7c15 jl 01503998
 01500883 31c0 xor eax,eax
01500885 8a02 mov al,[edx]
ds:0000001c=??
01500887 01d8 add eax,ebx
01500889 8d50ff lea edx,[eax+0xff]
ds:00a7d5d2=????????
0150088c 8b4704 mov eax,[edi+0x4]
ds:0279a0a8=????????
FAULT ->0150088f 8b08 mov ecx,[eax]
ds:00000000=????????
01500891 ff511c call dword ptr [ecx+0x1c]
ds:00a7d681=????????
01500894 39c2 cmp edx,eax
01500896 7604 jbe 0150399c
01500898 31c0 xor eax,eax
0150089a eb54 jmp 01508bf0
0150089c 837c241400 cmp dword ptr [esp+0x14],0x0
ss:021ac0bb=????????
015008a1 7513 jnz 015093b6
015008a3 8b5c2418 mov ebx,[esp+0x18]
ss:021ac0bb=????????
015008a7 89f2 mov edx,esi
015008a9 31c9 xor ecx,ecx
015008ab 89f8 mov eax,edi
*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name

0172F0B8 C9CAE3C0 8DD7C0C1 F99FC687 CBCCD2F9 D6D2CAC1 !<nosymbols>
D1C0C91D 00000000 00000000 00000000 00000000 00000000 <nosymbols>

If a function is found, attempt to search for the function through Microsoft's

support database or contact the software developer to obtain additional
information about why the error is occurring.

Users running other versions of Windows can view the Dr. Watson information
by opening the Dr. Watson program (c:\winnt\system32\drwtsn32.exe NOT
drwatson.exe) and viewing the diagnostics information and suggestions. A
snapshot of the system configuration can also be seen by clicking the View
option and selecting "Advanced View".
System File Checker

Windows 2000 & XP comes with a very handy tool called the system file checker. The
SFC tool itself will scan your computer for system files that may have been replaced
when some old or poorly made program was installed. This usually happens because the
programmer who made the software did not create it to check the versions of each system
file it replaces.

To protect your computer from old system files, Microsoft created a special service that is
built into the operating system. This service monitors your system files, and if one is
replaced or deleted, ICS will automatically restore the system file.

SFC works in conjunction with a utility called Windows File Protection that keeps the
system file cache: (%Systemroot%\System32\Dllcache) uppdated with the newest
Microsoft Approved files as they are installed on your system. I prefer to use the
system backup for the ability to roll back to a former configuration however.

To manually invoke the system file checker, be sure you have administrative access then
go to the command prompt and type:

sfc /scannow

The system will immediately begin to check all the current system files and restore the
cached approved copies. You may be asked to insert the Windows CD as well during the
restore.

Clue: Keep in mind that after you perform a system file restore you should install the newest
service pack so you are running the most current, Microsoft approved system files.

For you XP users, SFC should be used as a last resort. If you have been creating system
restore points, first roll back to your latest restore point and see if that fixes your problem
Disable Windows File Protection (Windows 2000/XP) Popular

Windows 2000 and XP include a feature called Windows File Protection (WFP), part of
the System File Checker, which is intended to avoid some of the common DLL
consistency issues. This feature may also block valid attempts to change system files and
it can therefore be disabled using this tweak.

Open your registry and find the key below.

Change the value of "SFCDisable" to equal "ffffff9d" to disable WFS or "0" to enable it.
The other valid hexadecimal values are:

1 - disabled, prompt at boot to re-enable

2 - disabled at next boot only, no prompt to re-enable
4 - enabled, with popups disabled
ffffff9d - for completely disabled

Restart Windows for the change to take effect.

Additional Steps for Windows 2000 Service Pack 2 and Windows XP

This setting is disabled in Windows 2000 SP2 and Windows XP, and needs to re-enabled
using a hex editor and changing SFC.DLL (or SFC_OS.DLL for Windows XP) following
these instructions:

Windows 2000 SP2

1. Make a backup the SFC.DLL in the C:\WINNT\SYSTEM32 directory.

2. Make an additional copy of SFC.DLL called SFC1.DLL and open it in a hex
editor.
3. At offset 00006211 (6211h) you should find the values "8B" and "C6". Do not
continue if you are unable to find these values.
4. Change the values "8B C6" to read "90 90" and save the changes.
5. Run these commands to update the system files:
6. copy c:\winnt\system32\sfc1.dll c:\winnt\system32\sfc.dll /y
7. copy c:\winnt\system32\sfc1.dll
c:\winnt\system32\dllcache\sfc.dll /y
8. If you are prompted to insert the Windows CD, click Cancel.
9. Restart Windows for the change to take effect.

Windows XP

1. Make a backup the SFC_OS.DLL in the C:\WINDOWS\SYSTEM32 directory.

2. Make an additional copy of SFC_OS.DLL called SFC_OS1.DLL and open it in a
hex editor.
3. Windows XP (no Service Pack)
At offset 0000E2B8 (0E2B8h) you should find the values "8B" and "C6".
 Windows XP (Service Pack 1)
At offset 0000E3BB (0E3BBh) you should find the values "8B" and "C6".
4. Do not continue if you are unable to find these values.
5. Change the values "8B C6" to read "90 90" and save the changes.
6. Run these commands to update the system files:
7. copy c:\windows\system32\sfc_os1.dll
c:\windows\system32\sfc_os.dll /y
8. copy c:\windows\system32\sfc_os1.dll
c:\windows\system32\dllcache\sfc_os.dll /y
9. If you are prompted to insert the Windows CD, click Cancel.
10. Restart Windows for the change to take effect.

Once these files have been updated apply the registry setting above.

Note: You must manually modify the operating system files using a hex editor to allow
this tweak to disable SFC on Windows 2000 (SP1+) or Windows XP.

(Default) REG_SZ (value not set)

SFCDisable REG_DWORD 0xffffff9d (4294967197)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVers...

Registry Settings
System Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon]
Value Name: SFCDisable
Data Type: REG_DWORD (DWORD Value)
Value Data: 0 = enabled (default), ffffff9d = disabled
 File sharing in Windows XP Next
Advantages
File sharing involves making the content of one or more directories available through the network. All
Windows systems have standard devices making it easy to share the content of a directory. However, file
sharing may lead to security problems since, by definition, it gives other users access to the content of a part
of the hard drive.
As a result, it is essential that you share only directories for which it would not be extremely important if their
content were revealed (or destroyed), Furthermore, you are strongly advised against sharing a whole
partition of your hard drive. This operation is strongly discouraged if you do not trust the other network
users!
Machine names
Firstly, you need to give a specific machine name. To do so, simply to go Control panel/System, then to the
"Computer name" tab and then "Change...".

You need to have administrator privileges to perform this

operation.

Simple file sharing

Simple file sharing is the sharing mode that is activated by default (and the only mode available in Windows
XP Home, or Windows XP family edition). It makes it possible to globally share, for the whole workgroup, a
directory's files, with no restrictions or passwords.
It is simple to use. In Windows XP however, you need to enable simple file sharing by opening My computer
then Tools/Folder options... /View.. At the bottom of the scrollable list, make sure the Use simple file sharing
(recommended) option is checked.
To share a folder, simply right-click the directory you want to share, then select the Share tab:
 Administrative shares and hidden shares
When the name of a shared resource ends with the character "$", that means it is hidden, or that it doesn't
appear in the list of resources.
By default, Microsoft Windows systems have hidden administrative shares to let the administrator of a
machine access the machine's resources through the network.
The default administrative shares, which can be accessed only by the administrator, are as follows:

• C$: Access to the root partition or volume. The other partitions are also accessible by their letter followed by
the "$" character;
• ADMIN$: Access to the %systemroot% directory, making it possible to manage a machine on the network.
• IPC$: Enables communication between network processes.
• PRINT$: Remote access to printers.

To view and manage the computer's administrative shares, simply go to Control panel/Administrative
tools/Computer management/Shared folders/Shares. An alternative is to right-click My computer and select
Manage.
Advanced file sharing
Advanced file sharing, available only in Windows XP and higher, involves defining access permissions to
shared resources by user or group of users. Unlike simple file sharing, users have to be identified before
shared resources can be accessed.
To set up advanced file sharing, you firstly need to disable simple file sharing by opening My computer, then
Tools/Folder options... /View.. At the bottom of the scrollable list, make sure the Use simple file sharing
(recommended) option is unchecked.

Secondly, you need to create as many user accounts as necessary. To create user accounts, simply click
User accounts in the control panel, then Add. If an identical account (with the same password) exists on the
remote machine, used by the user, he will not need to enter his password to access the share.
When sharing a resource (right-click, then Sharing and security), simply click the button Permissions:
 To restrict access to the shared resource, you need to remove access to "Everyone" and then give access
only to authorized users. Anonymous access may potentially be created thanks to the "Guest" account.
Using a shared resource
There are two methods for using a shared folder:

• Direct use of the resource via its address. The address of a shared resource has the following form:

\\computer\share_name

computer represents the computer's name or IP address and share_name corresponds to the name given to
the shared resource.

• The connection of a network drive, making it possible to link the shared resource to a virtual drive letter. To
connect a network drive, simply open the file browser (Start/Run/"browse"), then in the Tools menu, select
Connect a network drive... Choose an available drive letter and enter the folder name.

Diagnostics
If access to shared resources doesn't work, it may be due to one of the following reasons:

• The network connection between the machines is incorrect. In this case diagnose the network;
• The users do not belong to the same domain.
• The computers on the local area network must have the same subnet mask. You can easily check this using
the ipconfig command.
• A firewall (or antivirus) on the computer sharing the resource, on the computer accessing the resource or on
the network is blocking access. Check the firewall's settings, and if necessary temporarily disable the firewall
to find out whether the problem is related;
• The maximum number of users is 5 in Windows XP family and 10 in Windows XP professional. For more
information:
o Limite du nombre de connexions d'entrée dans Windows XP - Article F314882 de la base de connaissance
Microsoft
• A special character (such as a space) in the name of a shared resource can block access for older operating
systems.
• The rights of the NTFS file system can interfere with sharing rights since restrictions have priority over
permissions.