Thursday, July 3, 2008

Pointsec for PC: Recover from installation failure

A couple weeks ago I talked about customizing the Pre-Boot Environment in Pointsec for PC and how you can use this information to troubleshoot some Pointsec problems. Essentially what I was saying is that before you move into aggressive troubleshooting, you need to make sure that you've tried the easy fixes first. Well, what if the easy fixes don't work? In this post I'll talk about how to deal with a computer that is somewhat broken.

What do I mean by somewhat broken? Sometimes when you install Pointsec for PC, the computer will reboot, install the Pre-Boot code, reboot again, and then come to a black screen, or even a blue STOP error. This happened to me today, which is what prompted me to write this entry. The computer is somewhat broken because it will not boot, but the disk hasn't been encrypted. That means that you can boot the computer to an alternate operating system and read the contents of the drive.

Essentially Pointsec for PC consists of two parts: the Pre-Boot Environment that authenticates users, and the Windows drivers that allow the operating system to read the encrypted disk. In the situation I described above it is the Pre-Boot Environment that is broken, but the operating system is intact. What we need to do is remove or get past the Pre-Boot environment, get into the operating system and completely remove Pointsec. Here is how you do that.

I think the easiest way to do it is to boot the computer to a Windows XP or Vista CD, whichever applies to your operating system. When the installation starts you can opt to repair an existing installation of windows. You will be brought to a command prompt that will ask you which instance of Windows you want to repair (most of the time there is only one to choose from). Then you can enter the administrator password for that Windows instance and you get a command prompt.

You may be tempted to run fixmbr and see if that does anything for you. It wont, and the reason is that Pointsec for PC does not make changes to the Master Boot Record; it makes changes to the Partion Boot Record. So instead of running fixmbr, run fixboot. That will put the Partition Boot Record back the way it was. Now boot the computer and you should get into Windows. Go to add and remove programs and remove Pointsec for PC.

This morning when this happened to me and I went to remove Pointsec with Add & Remove Programs it gave me an error that an installation was in progress and it wouldn't let me go on. I've noticed with Pointsec that sometimes when it gives you an error, you can just wait for a minute and try again and things will work fine for you. However, in this case I was in a hurry so I decided to start shutting down services to see if that would help me. I went into the local services and disabled the Pointsec service and the Pointsec Start service. Then I was able to remove Pointsec completely.

Once I had completely removed Pointsec, I ran the installation again and everything worked properly. I'm not sure why it failed the first time. Maybe something didn't copy right or maybe there was a bad block in the disk. Either way, the computer was fit for full duty in about 15 minutes. And now if you're having this problem you've got some tips for fixing it.

By the way, Pointsec for PC ships with a tool called reco_img.exe that you can use to create bootable media that will strip away the Pointsec Pre-Boot code. Essentially it does the same thing as the procedure that I described above. I like to use the Windows CD because reco_img doesn't always work for me. Sometimes I've got a computer that doesn't want to boot to a USB stick and I don't have a floppy disk. Also, reco_img makes you jump through some hoops to expose hidden options to remove Pointsec. I haven't had anyone explain to me yet why I should use reco_img instead of the Windows CD, so that's what I use.

5 comments:

Owen said...

I had the very same problem today with a managed installation of Pointsec. Once it rebooted I got the stop error and had to pull out the Vista CD.

However when I try to uninstall it doesn't allow me to enter the password for the two admin accounts or when it does it ask for the Challenge when we are not using the fobs.

Did you just strip out pointsec from the registry and start again? I'm thinking since the installation never completed it should be all right to go ahead but a second opinion whould be appreciated.

Black Fist said...

I've only tried to manually strip Pointsec out of the registry one time, and it didn't work. I ended up reimaging the machine.

If you're not able to uninstall using add and remove programs, then you might have to create a recovery disk, boot from that, and remove the encryption that way. After that is done, see if you can remove pointsec from Add & Remove Programs

David said...

Thanks for writing about this problem. I encountered the exact same error at work while installing Pointsec on a 2 drive Adaptec SCSI configuration. Fixboot from the Windows Recovery Console resolved the problem and I was relieved.
Attempted the install again and received the same error about ntoskrnl.exe missing or corrupt. Does Pointsec have a problem being installed on 2 SCSI drives, which are set by the Adaptec SCSI as one logical drive?

Black Fist said...

David:
I don't know for sure, but I can see how that might cause a problem for Pointsec. We're talking about software that has to operate at a very low level of the hardware. I also wonder if the PreBoot Environment needs to have a driver for the Adaptec drive.

Alessandro said...

I don't know how to say THANK YOU!!
This fixed my problem!!!

Just for your information, it applies also to Win7 :-)