Tools for Security Troubleshooting – CompTIA A+ 220-902 – 4.2

Our operating systems include a number of tools that we can use to troubleshoot security issues. In this video, you’ll learn about some of the most common security tools for Windows, Linux, and Mac OS.

If you’re using a computer, then you need to have anti-virus and anti-malware software installed on that system. This can stop known malware from executing on your computer, and protect your operating system. Very often, anti-virus and anti-malware are bundled together into a single application. A good example of this is the Windows Defender application that comes with Windows 8 and Windows 10 that includes both anti-virus and anti-malware in the same application.

These anti-virus and anti-malware applications work by comparing what’s running on your computer with known signatures of malware. So the only way to be sure you’re protected against the latest malware is to make sure that you are always updating the signatures in this anti-virus and anti-malware software.

One of the most powerful security tools you have in Windows is the Windows Recovery Console, and the command prompt that you can access before the operating system actually starts. This is a very powerful command prompt, but it’s also a very dangerous command prompt, because you have complete access to the operating system. So you need to know exactly what you’re doing inside the command prompt.

Once you’re in the command prompt, you can change almost anything about the operating system. You can copy, rename, or replace system files. You can change the way that services are starting whenever you start your computer. And you may even be able to remove malicious software from your computer before the operating system loads.

I have an entire video on using the recovery console in Windows Vista, Windows 7, and Windows 8. But as a reminder, you can get there in Windows Vista and 7 through the system recovery options, and choosing Command Prompt. In Windows 8 and 8.1 you choose the Troubleshoot options, Advanced options, and then Command Prompt.

In Linux and in Mac OS X, you have a similar function, which is the terminal of the operating system. This is very similar to that Windows command line, and it gives you access to everything in the operating system. You can change the way applications are configured. You can change what happens when you start your computer and when you shut it down. And you can change the configuration files of the operating system itself.

In Windows, the System Restore utility can be a lifesaver. If you make any changes to the operating system that cause a problem, you can go back in time to a previous configuration and hopefully resolve that issue. To access System Restore in Windows Vista and Windows 7, you go to All Programs, Accessories, System Tools, and System Restore. In Windows 8 and 8.1 you can go to the Control Panel under System, and choose Advanced System Settings.

If you’re already infected with a virus or malware, you may not want to use System Restore to go back in time to a previous configuration, because the malware knows that there are restore points on your system, and it will infect the restore points as well. If you are trying to resolve a virus or malware infection on your system, you should try a virus or malware cleaner, or simply delete everything and restore from a known good backup.
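Here is an added example of working with System Restore from the command line; it is not part of the video. It uses the Windows PowerShell 5.1 cmdlets Enable-ComputerRestore, Checkpoint-Computer, Get-ComputerRestorePoint and Restore-Computer, which are Windows-only and are not available in PowerShell 7, and it has to run from an elevated prompt.

```powershell
# Added example (not from the video): inspect and create System Restore points
# from an elevated Windows PowerShell 5.1 session. These cmdlets are Windows-only
# and are not present in PowerShell 7.

# Make sure protection is enabled on the system drive before anything else.
Enable-ComputerRestore -Drive 'C:\'

# Record a known-good point before you change drivers, services or the registry.
# Windows 8 and later silently skip the request if a restore point was already
# created in the last 24 hours, so check the list afterwards.
Checkpoint-Computer -Description 'Before security troubleshooting' -RestorePointType MODIFY_SETTINGS

# List what is available to roll back to. CreationTime is a WMI datetime string,
# so convert it for readable output.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize

# Roll back to a specific point (the machine restarts). Only do this on a system you
# trust: a restore point taken after an infection carries the infection with it.
# Restore-Computer -RestorePoint <SequenceNumber>
```

The listing is the useful part when malware is suspected: the creation times tell you which restore points predate the first sign of trouble and which ones you should treat as contaminated.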

In Linux there’s a similar function to the Windows System Restore. This is the Linux Logical Volume Manager. There are a number of differences as well, but it’s the same idea that you can go back in time to a previous configuration. This is very common to see on high-availability servers, where a single change can cause outages. So you may need to revert to a previous version very quickly.

And one thing that LVM snapshots do very well is let you go back in time very, very fast. New snapshots are also taken very quickly. That’s because the initial snapshot is very comprehensive, and every additional snapshot only saves the things that have changed. The more snapshots you have, the more options you’ll have to go back in time. So it’s very common to take a number of snapshots throughout the day so that you have many options on how to restore if you ever need to.

If you’ve ever run a Windows installation, or you’ve started Windows with an F8 and chosen the system recovery options, then you may have noticed that a Windows-like environment was loaded. This is the Windows Preinstallation Environment, which provides you with a minimal running Windows operating system so that you have the same user interface and functionality without all of the Windows features. Windows PE loads enough of the operating system that you can access files on your storage device to resolve security issues, or copy or change files that are part of the operating system.

Microsoft also gives you the option to create your own pre-installation environment by using the Windows Automated Installation Kit. And there are also a number of third-party PEs that you could download from the internet and load onto your system that have pre-built utilities that you could use to be able to recover or troubleshoot your system.

If you are trying to piece together what might be happening from a security perspective, then don’t forget that you have a comprehensive Event Viewer inside of Microsoft Windows. This is where all of the different events of the operating system are consolidated into a single view. You can, of course, see a lot of security events in here, as well as things that might be happening with the operating system itself and the applications that are running in the OS.

You’ll find four log categories: Application, Security, Setup, and System. And you can look through those to determine what might be happening with this particular computer.
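The same four logs can be read from PowerShell with Get-WinEvent, which is faster than clicking through Event Viewer when you are hunting for a pattern. This is an added example, not code from the video; it assumes an elevated session (the Security log is not readable otherwise) and uses Event ID 4625, the Security log's failed-logon event, as the thing worth counting.

```powershell
# Added example (not from the video): read the four Windows logs from PowerShell.
# Reading the Security log requires an elevated session.

# The same four logs Event Viewer shows, with record counts and sizes.
Get-WinEvent -ListLog Application, Security, Setup, System |
    Select-Object LogName, RecordCount, FileSize, IsEnabled |
    Format-Table -AutoSize

# Pull failed logons (Event ID 4625) from the last 24 hours. The filter hashtable is
# applied by the event log service, which is much faster than piping every record
# through Where-Object.
$failed = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# Each event carries its fields as named EventData elements in its XML, so pull them
# out by name rather than by position.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord] $Event,
        [string] $Name
    )
    $xml = [xml] $Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Summarise who is failing to log on, from where, and with which logon type.
# One account with many failures from a single address is the first thing to look at.
$failed |
    ForEach-Object {
        [pscustomobject]@{
            Account   = Get-EventDataField $_ 'TargetUserName'
            Source    = Get-EventDataField $_ 'IpAddress'
            LogonType = Get-EventDataField $_ 'LogonType'
        }
    } |
    Group-Object Account, Source, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Swapping the Id in the hashtable lets you run the same summary over other Security events; the XML lookup by field name keeps working because it does not depend on the field order of any one event type.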

If you’re a long-term user of Microsoft Windows, then you know that over time the operating system tends to get a little bit bloated, and tends to become a little bit slower in its operations. In Windows 8 and Windows 8.1, you have a feature to help speed things up by refreshing or resetting your operating system. The Refresh function allows you to reinstall Windows, but keep all of your personal files and all of your personal settings in place, effectively refreshing the operating system. This feature was added in Windows 8 and 8.1 and is not available in earlier versions of Windows.

If you don’t want to refresh the entire operating system, but you just want to go back to a previous date and time, then you may consider using the Windows System Restore function to go back to a previous restore point. You can find the Refresh option in Windows 8 and 8.1 by going to the Update and Recovery options. And you’ll see the “Refresh your PC without affecting your files” option is there.

Or you can press F8 while you’re starting your computer. Choose the Troubleshoot option. And inside there, you have the option as well to refresh your PC before the operating system loads.

When you’re troubleshooting a security problem, one of the tools you might want to use is msconfig, the System Configuration tool. This is especially helpful for changing some of the boot parameters. For example, the safe boot minimal configuration will start the operating system in safe mode. It will provide you with the graphical user interface. But it won’t load network services. It will only give you a minimum operating system to work with.

Another safe boot option gives you only a command prompt, and not all of the other graphical user interface features you may be accustomed to inside of Windows. You also have the option to safe boot with Active Directory repair. If you’re in an environment that uses Active Directory, it might be useful to start this machine so that it has access to the network, access to File Explorer, and the ability to communicate with an Active Directory server. And lastly, you have the option to start in Safe Mode with networking, so that you can then access other devices across the network.
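The Boot tab in msconfig writes these choices into the boot configuration data, and the same settings can be made with bcdedit. The helper functions below are an added example and not from the video; they assume an elevated PowerShell prompt, and they quote {current} because PowerShell would otherwise read the braces as a script block. The msconfig labels for the four choices are Minimal, Alternate shell, Active Directory repair and Network, which correspond to bcdedit’s safeboot values minimal, minimal plus safebootalternateshell, dsrepair and network.

```powershell
# Added example (not from the video): set the msconfig safe-boot choices with bcdedit
# from an elevated PowerShell prompt. {current} must be quoted here, otherwise
# PowerShell treats the braces as a script block.

function Set-SafeBoot {
    param(
        # Minimal  = Safe Mode (GUI, no networking)
        # Network  = Safe Mode with Networking
        # DsRepair = Directory Services Repair Mode (msconfig "Active Directory repair")
        [Parameter(Mandatory)]
        [ValidateSet('Minimal', 'Network', 'DsRepair')]
        [string] $Mode,

        # Boot to cmd.exe instead of Explorer (msconfig "Alternate shell").
        [switch] $CommandPromptOnly
    )

    bcdedit /set '{current}' safeboot $Mode.ToLower()

    if ($CommandPromptOnly) {
        bcdedit /set '{current}' safebootalternateshell yes
    } else {
        # Clear a leftover alternate-shell setting; the error when none is set is harmless.
        bcdedit /deletevalue '{current}' safebootalternateshell 2>$null
    }

    # Show what the next boot will do before you restart.
    bcdedit /enum '{current}'
}

function Clear-SafeBoot {
    # Unlike msconfig, bcdedit has no "one boot only" mode: the setting stays until
    # it is removed, so always clear it when troubleshooting is finished.
    bcdedit /deletevalue '{current}' safeboot
    bcdedit /deletevalue '{current}' safebootalternateshell 2>$null
}

# Example: Safe Mode with Command Prompt on the next restart.
Set-SafeBoot -Mode Minimal -CommandPromptOnly
# Restart-Computer
# ... and back to a normal boot when you are done:
# Clear-SafeBoot
```

Checking the entry with bcdedit /enum before restarting is the step worth keeping: a machine left with safeboot set will keep coming up in safe mode until the value is deleted.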