Solved

Disabling Services via reg file in Windows 2003 server

Posted on 2004-08-11
11
1,097 Views
Last Modified: 2008-03-06
I want to disable the following services by a reg file but cannot find the entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for the life of me and even if I could, I’m unsure of the value to assign to disable it.

Hopefully points reflect the effort anyone can go to give this to help me out.

Services are:


•      Automatic Updates.
•      Error Reporting Service.
•      Messenger.
•      Remote Access Connection Manager.
•      Remote Desktop Help Session Manager.
•      Smart Card.
•      Wireless Configuration.
•      NetMeeting

Many thanks

H.
0
Comment
Question by:hotsox
11 Comments
 
LVL 67

Accepted Solution

by:
sirbounty earned 400 total points
Comment Utility
Look at the value for DWord "Start"
2-Automatic
3-Manual
4-Disabled

•     Automatic Updates:                                Wuauserv
•     Error Reporting Service:                          ERSvc
•     Messenger:                                            Messenger
•     Remote Access Connection Manager:       RASAuto
•     Remote Desktop Help Session Manager:   RDSessMgr
•     Smart Card:                                          SCardSvr
•     Wireless Configuration:                          WZCSVC (Wireless Zero Configuration)
•     NetMeeting:                                          mnmsrvc
0
 
LVL 16

Expert Comment

by:JammyPak
Comment Utility
HKLM\System\CurrentControlSet\Services\Messenger
 - set 'Start' key = 4

HKLM\System\CurrentControlSet\Services\wuauserv
 - set 'Start' key = 4

HKLM\System\CurrentControlSet\Services\RasMan
 - set 'Start' key = 4

HKLM\System\CurrentControlSet\Services\ScardSvr
 - set 'Start' key = 4

HKLM\System\CurrentControlSet\Services\WZCSVC
 - set 'Start' key = 4

HKLM\System\CurrentControlSet\Services\mnmsrvc
 - set 'Start' key = 4





0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
^^^^^ outstanding answer Neal

If you want to distribute the change to all of your machines................

How to distribute a Registry Change

From Windows 2000 Magazine April 2001

You can use one of three methods: imported registration (.reg) files, regini.exe, or group or system policies.

***Option 1: Create or Export Registration Files ***

You can distribute .reg files that users can then import into the registries of target computers. All you need to do is create—or use regedit to export, then edit—the .reg files, then distribute them. (Registration files have one serious shortcoming, however: They can't delete anything in the registry. Format the registration file's contents as follows:

<RegistryEditorVersion>
<Blank line>
[<RegistryPath>]
"<DataItemName>"="<DataType>:
<DataValue>"

RegistryEditorVersion
Is whichever version of regedit.exe you're using. This entry identifies the file as a registration file. Regedit automatically adds this information when you export a .reg file, but you must manually enter the information when you create a .reg file. For Windows 2000, the RegistryEditorVersion is Windows Registry Editor Version 5.00; for NT 4.0, the version is Regedit4.

Blank line
Identifies the beginning of a new registry path. (Each individual key or sub key is a new registry path.) When you export a key, the .reg file displays a blank line before each key or sub key. If you have multiple keys in your .reg file, blank lines can help you examine and troubleshoot the contents. (Microsoft's instructions state that the blank line is necessary. However, when I create .reg files and inadvertently forget the blank lines, the files still merge successfully.)

RegistryPath
Is the path to the key that holds the values you're importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash—for example, [HKEY_LOCAL_ MACHINE\SOFTWARE\Policies\Microsoft\ Windows\System]. A .reg file can contain multiple registry paths.
When the bottom of the hierarchy that you enter in the path statement doesn't exist in the registry, you're creating a new subkey. Registry files' contents are sent to the registry in the order in which you enter them. Therefore, if you want to create a new key and a subkey below that key, be sure to enter the lines in the proper order. (However, the only reason to create new keys is because you've written software that looks for those keys. Creating new keys isn't a task you perform for system maintenance.)

DataItemName
Is the data item you want to import. When a data item in your file doesn't exist in the registry, the .reg file adds it (with its value). When a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.  

DataType
(i.e., the imported item's data type) immediately follows the equal sign, unless the data type is of REG_SZ (REG_SZ types are strings). For all data types other than REG_SZ, a colon immediately follows the data type. Table 1 shows the entries for five common data types. (Nine data types exist, but the types in Table 1 are likely to be the only ones you'll use for system maintenance.) For information about these data types, see the sidebar "Registry Data Types" (see below).

Data Type         Registration File DataType Entry
 
REG_BINARY        hex

 
REG_DWORD         dword

 
REG_EXPAND_SZ     hex(2)

 
REG_MULTI_SZ      hex(7)

 
REG_SZ            none

DataValue
(i.e., the value you want to import) immediately follows the colon and must be in the appropriate format (i.e., string or hexadecimal—use hex format for binary data items). You can enter multiple data-item lines for the same registry path. For example, the data-item lines

"GroupPolicyRefreshTime"=dword:
00000014
"GroupPolicyRefreshTimeOffset"=
dword:0000000f

reflect the hex entries that these data items require: 00000014 is the hex equivalent of 20, and 0000000f is the hex equivalent of 15. If you're uncomfortable with hex or other nonreadable data, restrict your .reg file creation efforts to items that are neither binary nor hex format.
The registry doesn't have a Boolean data type (although it should, and I can't believe Microsoft hasn't gotten around to this yet). However, Boolean type data is usually a DWORD (4 byte) or String (2 byte) item type in the registry. If you're using your .reg file to change values, check the data item in the registry to make sure you match the data type. You don't need to enter the full string in your .reg file; you can omit leading zeros for all numeric values.

****A Registration File Drawback ****

Registration (.reg) files can't delete anything in the registry

****Here's an Example*****

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsMenu"=dword:1


****Option 2: Get More Editing Power with Regini.exe*****
 
If scripts are your favourite tools for configuration and setup tasks, you can use regini.exe to apply your scripting skills to registry edits. Regini provides more power than .reg files can muster, including the ability to delete subkeys and data items and to set permissions on registry keys. You can find Regini in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit. (I've successfully used the Windows 2000 version of regini.exe on NT machines, and vice versa.) The resource kits also contain full documentation (i.e., regini.doc) for this nifty utility. Regini uses the following syntax:

regini <ScriptFileName>

where ScriptFileName is the path to a script file you've written to perform a specific registry edit. You can use Uniform Naming Convention (UNC) in the path statement if the script is on a network share.

To distribute registry changes that use Regini, you must make the program available to each target computer (assuming that you haven't installed the resource kits across your enterprise). You can use a batch file to map Regini's UNC path and then run the program. For example, if Regini resides on a network share named ResKit on a server named Tools1, you can create the following batch file:

Net use x: \\tools1\reskit
x:\ regini <ScriptFileName>
Net use x: /delete

Regini Features
 
Regini gives you several options for data manipulation. For example, DELETE is a regini.exe keyword that requires only the name of the data item. To remove a data item, enter the following syntax as the second (i.e., data item) line of your script:

DataItemName = DELETE

Putting It All Together
 
As an example of a complete command, review the following script. This command changes computer settings so that the most recent user's name doesn't appear in the Logon dialog box.

\registry\machine\software\micro
soft\windows\currentversionpolicies\system
DontDisplayLastUserName = REG_DWORD 1

*****Option 3: Use Policies *****


You can also distribute registry changes by creating system policies that manipulate the registries of target users. The process you use varies between Windows 2000 (which uses the Microsoft Management Console—MMC—GPE snap-in) and earlier versions of Windows (which use SPE), but in either case, you can build administration (.adm) files to send registry changes to selected computers.

The easiest way to create an .adm file is to use an existing .adm template as a starting point. Templates are text files, and you can open them in Notepad or any text editor. Before you do anything with existing templates, back up the originals. When you modify a template, save the new version with a new filename, even if you've backed up the original. And you must test your new .adm files in a lab environment before you unleash your creation on the enterprise. (See Reader to Reader, ".adm Files and the Headaches They Can Cause," October 1999, for a description of the consequences you might face if you ignore this advice.)

Of course, to implement a registry change through an .adm template, you need to know which registry key to target. The resource kits' registry documentation is rather sparse. To learn my way around the registry, I used a lab environment to plunge in and make system changes with existing policies and Control Panel applets. I used Sysinternals' regmon.exe (available from http://www.sysinternals.com ) to track the resulting registry changes. Eventually, I learned quite a bit about the registry's organization and registry entries' data types.


Where are the Administrative Templates (ADM) located?
http://www.jsiinc.com/SUBK/tip5000/rh5052.htm


*****Links*****

HOW TO: Add, Modify, or Delete Registry Subkeys and Values by Using a Registration Entries (.reg) File
http://support.microsoft.com/?kbid=310516


Distributing Registry Changes
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/DistributingRegistryChanges.asp


Specify a Script to Run on Startup Shutdown Logon Logoff
http://techsupt.winbatch.com/TS/T000001048F90.html
0
 
LVL 16

Expert Comment

by:JammyPak
Comment Utility
aha...too slow again!

ps. look at 'Display Name' to see what the service displays as in the Control Panel. If you do a search in HLKM\System\CCS\Services for the name of the service, it should hit the right key for you pretty much right away
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 16

Expert Comment

by:JammyPak
Comment Utility
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
cheers JP - I lifted that straight out of Technet :)
0
 

Expert Comment

by:wayne186
Comment Utility
Just thought I would share some of the info I have been putting together for locking down windows 2003.. part of this was to understand the services and what they performed along with how to disable them in the registry so I hope this is of some use to anybody else out there.. unfortunatley it is not keeping the table formatting which wold make it so much easier to read.  cheers.. Wayne

Service Name      Default Startup Type      Recommended Startup Type      Comment
Alerter      Disabled      Disabled      Notifies selected users and computers of administrative alerts.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
Application Layer Gateway Service      Manual      Disabled      Provides support for application-level plug-ins and enables network and protocol connectivity.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Start"=dword:00000004
Application Management      Manual      Disabled      Provides software installation services for applications that are deployed in Add or Remove Programs in Control Panel.
On a dedicated Web server, this service can be disabled to prevent unauthorized installation of software.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"Start"=dword:00000004
ASP.NET State Service      Manual      Disabled      Provides support for out of process session states for ASP.NET.  If this service is stopped, out of process requests will not be processed.  If this service is disabled, any services that explicitly depend on it will fail to start.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Aspnet_State]
"Start"=dword:00000004
Automatic Updates      Automatic      Disabled      Service should not be present – either disable or remove.

Provides the download and installation of critical Windows updates, such as security patches and hotfixes.
This service can be disabled when automatic updates are not performed on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
Background Intelligent Transfer Service      Manual      Disabled      Provides a background file-transfer mechanism and queue management, and it is used by Automatic Update to automatically download programs (such as security patches).
This service can be disabled when automatic updates are not performed on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004
ClipBook      Disabled      Disabled      Enables the Clipbook Viewer to create and share data that can be reviewed by remote users.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Start"=dword:00000004
COM+ Event System      Manual      Manual      Provides automatic distribution of events to COM+ components.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Start"=dword:00000003
COM+ System Application      Manual      Manual      Manages the configuration and tracking of COM+-based components.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Start"=dword:00000003
Computer Browser      Automatic      Disabled      Maintains the list of computers on the network, and supplies the list to programs that request the list.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000004
Cryptographic Services      Automatic      Automatic      Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from the Web server; and Key Service, which helps in enrolling certificates.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Start"=dword:00000002
DHCP Client      Automatic      Disabled      Required to automatically obtain IP configuration and to dynamically update records in DNS.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000004
Distributed File System      Automatic      Disabled      Manages logical volumes that are distributed across a local area network (LAN) or wide area network (WAN).
On a dedicated Web server, disable Distributed File System.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs]
"Start"=dword:00000004
Distributed Link Tracking Client      Automatic      Disabled      Maintains links between NTFS V5 file system files within the Web server and other servers in the domain.
On a dedicated Web server, disable Distributed Link Tracking.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Start"=dword:00000004
Distributed Link Tracking Server      Manual      Disabled      Tracks information about files that are moved between NTFS V5 volumes throughout a domain.
On a dedicated Web server, disable Distributed Link Tracking.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkSvr]
"Start"=dword:00000004
Distributed Transaction Coordinator      Automatic      Automatic      Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
"Start"=dword:00000002
DNS Client      Automatic      Automatic      Allows resolution of DNS names.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
Error Reporting Service      Automatic      Disabled      Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, then Error Reporting will occur only for kernel faults.
On a dedicated Web server, disable Error Reporting Service.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004
Event Log      Automatic      Automatic      Writes event log messages that are issued by Windows-based programs and components to the log files.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
Fax Service      Manual      Disabled      Service should not be present – either disable or remove.

Provides the ability to send and receive faxes through fax resources that are available on the Web server and network.
On a dedicated Web server, this service can be disabled because sending and receiving faxes is not a typical function of a Web Server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax Service]
"Start"=dword:00000004
File Replication Service      Manual      Disabled      Enables files to be automatically copied and maintained simultaneously on multiple servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs]
"Start"=dword:00000004
Help and Support      Automatic      Disabled      Enables Help and Support Center to run on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000004
HTTP SSL      Manual      Manual      Implements the Secure Hypertext Transfer Protocol (HTTPS) for the HTTP service by using SSL. HTTP.sys automatically starts this service when any Web sites require SSL.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]
"Start"=dword:00000003
Human Interface Device Access      Disabled      Disabled      Enables generic input to Human Interface Devices (HIDs), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
"Start"=dword:00000004
IIS Admin Service      Automatic      Automatic      Enables this server to administer web and ftp services.  If this service is stopped, the server will be unable to run web, ftp, nntp or smtp sites or configure IIS.  If this service is disabled, any services that explicitly depend on it will fail to start.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN]
"Start"=dword:00000002
IMAPI CD-Burning COM Service      Disabled      Disabled      Manages CD recording by using the Image Mastering API (IMAPI).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]
"Start"=dword:00000004
Indexing Service      Manual      Disabled      Indexes content and properties of files on the Web server to provide rapid access to the file through a flexible query language.
On a dedicated Web server, disable this service unless Web sites or applications specifically leverage the Indexing Service for searching site content.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
"Start"=dword:00000004
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)      Disabled      Disabled      Provides network address translation (NAT), addressing and name resolution, and intrusion detection when connected through a dial-up or broadband connection.
On a dedicated Web server, disable to prevent inadvertent enabling of NAT, which would prevent the Web server from communicating with the remainder of the network.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
Intersite Messaging      Disabled      Disabled      Enables messages to be exchanged between computers running windows server sites.  If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services.  If this service is disabled, any services that explicitly depend on it will fail to start.  It is Required by Distributed File System (DFS).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IsmServ]
"Start"=dword:00000004
IPSec Services      Automatic      Automatic      Provides management and coordination of Internet Protocol security (IPSec) policies with the IPSec driver.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Start"=dword:00000002
Kerberos Key Distribution enter      Disabled      Disabled      Provides the ability for users to log on using the Kerberos V5 authentication protocol.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
"Start"=dword:00000004
License Logging Service      Disabled      Disabled      Monitors and records client access licensing for portions of the operating system, such as IIS, Terminal Services, and file and print sharing, and for products that are not a part of the operating system, such as Microsoft SQL Server or Microsoft Exchange Server.
On a dedicated Web server, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseService]
"Start"=dword:00000004
Logical Disk Manager      Automatic      Manual      Required to ensure that dynamic disk information is up to date.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
"Start"=dword:00000003
Logical Disk Manager Administrative Service      Manual      Manual      Required to perform disk administration.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
"Start"=dword:00000003
Messenger      Disabled      Disabled      Transmits net sends and Alerter service messages between clients and servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
Microsoft Software Shadow Copy       Manual      Disabled      Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
On a dedicated Web server, this service can be disabled when volume shadow copies are not used.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swprv]
"Start"=dword:00000004
MSSQLServer      Automatic      Automatic      
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLSERVER]
"Start"=dword:00000002
MSSQLServerADHelper      Manual      Disabled      
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServerADHelper]
"Start"=dword:00000004
Net Logon      Manual      Disabled      Maintains a secure channel between the domain controller, other domain controllers, member servers, and workstations in the same domain and trusted domains.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"Start"=dword:00000004
NetMeeting Remote Desktop Sharing      Manual      Disabled      Eliminates potential security threats by allowing domain-controller remote administration through NetMeeting.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
"Start"=dword:00000004
Network Connections      Manual      Disabled      Manages objects in the Network Connections directory.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"Start"=dword:00000004
Network DDE      Disabled      Disabled      Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the Web server. This service can be disabled when no DDE applications are running locally on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
"Start"=dword:00000004
Network DDE DSDM      Disabled      Disabled      Used by Network DDE. This service can be disabled when Network DDE is disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm]
"Start"=dword:00000004
Network Location Awareness (NLA)      Manual      Disabled      Collects and stores network configuration and location information, and notifies applications when this information changes.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"Start"=dword:00000004
NTLM Security Support Provider      Manual      Manual      Provides security to RPC programs that use transports other than named pipes, and enables users to log on using the NTLM authentication protocol.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp]
"Start"=dword:00000003
Performance Logs and Alerts      Manual      Manual      Collects performance data for the domain controller, writes the data to a log, or generates alerts. This service can be set to automatic when you want to log performance data or generate alerts without an administrator being logged on.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog]
"Start"=dword:00000003
Plug and Play      Automatic      Automatic      Required to automatically recognize and adapt to changes in the Web server hardware with little or no user input.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"Start"=dword:00000002
Portable Media Serial Number Service      Manual      Disabled      Retrieves the serial number of any portable media player that is connected to the computer.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
"Start"=dword:00000004
Print Spooler      Automatic      Disabled      Manages all local and network print queues and controls all print jobs.
On a dedicated Web server, this service can be disabled when no printing is required.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000004
Protected Storage      Automatic      Automatic      Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users.
This service is used on a dedicated Web server for smart-card logon.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Start"=dword:00000002
Remote Access Auto Connection Manager      Manual      Disabled      Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection.
On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
"Start"=dword:00000004
Remote Access Connection Manager      Manual      Disabled      Manages VPN and dial-up connection from the Web server to the Internet or other remote networks.
On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"Start"=dword:00000004
Remote Desktop Help Sessions Manager      Manual      Disabled      Manages and controls Remote Assistance.
On a dedicated Web server, this service can be disabled. Use Terminal Services instead.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
"Start"=dword:00000004
Remote Procedure Call (RPC)      Automatic      Automatic      Serves as the RPC endpoint mapper for all applications and services that use RPC communications.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Start"=dword:00000002
Remote Procedure Call (RPC) Locater      Manual      Disabled      Enables RPC clients using the RpcNs* family of application programming interfaces (APIs) to locate RPC servers and manage the RPC name service database.
This service can be disabled if no applications use the RpcNs* APIs.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
"Start"=dword:00000004
Remote Registry Service      Automatic      Disabled      Enables remote users to modify registry settings on the Web server, provided the remote users have the required permissions. By default, only members of the Administrators and Backup Operators groups can access the registry remotely.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
Removable Storage      Manual      Disabled      Manages and catalogs removable media, and operates automated removable media devices, such as tape auto loaders or CD jukeboxes.
This service can be disabled when removable media devices are directly connected to the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
"Start"=dword:00000004
Resultant Set of Policy Provider      Manual      Disabled      Enables a user to connect to a remote computer, access the Windows Management Instrumentation (WMI) database for that Web server, and then either verify the current Group Policy settings or check the settings before they are applied.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSoPProv]
"Start"=dword:00000004
Routing and Remote Access      Disabled      Disabled      Enables LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"Start"=dword:00000004
Secondary Logon      Automatic      Disabled      Allows you to run specific tools and programs with different permissions and user rights than the default permissions and user rights of the account under which you logged on.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Start"=dword:00000004
Security Accounts Manager      Automatic      Automatic      A protected subsystem that manages user and group account information.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]
"Start"=dword:00000002
Server      Automatic      Disabled      Provides RPC support, file sharing, print sharing, and named pipe sharing over the network.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"Start"=dword:00000004
Shell Hardware Detection      Automatic      Disabled      Provides notification for AutoPlay hardware events.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
"Start"=dword:00000004
Smart Card      Manual      Disabled      Manages and controls access to a smart card that is inserted into a smart card reader attached to the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr]
"Start"=dword:00000004
Special Administration Console Helper      Manual      Disabled      Allows administrators to remotely access a command prompt by using Emergency Management Services.
This service can be disabled when Emergency Management Services is not being used to remotely manage the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sacsvr]
"Start"=dword:00000004
SQLServerAgent      Automatic      Automatic      
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLSERVERAGENT]
"Start"=dword:00000002
System Event Notification      Automatic      Automatic      Monitors system events and notifies subscribers to the COM+ Event System of these events.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"Start"=dword:00000002
Task Scheduler      Automatic      Disabled      Provides the ability to schedule automated tasks on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000004
TCP/IP NetBIOS Helper Service      Automatic      Disabled      Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000004
Telephony      Manual      Disabled      Provides Telephony API (TAPI) support of client programs that control telephony devices and IP-based voice connections.
On a dedicated Web server, this service can be disabled when TAPI is not used by applications.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]
"Start"=dword:00000004
Telnet      Manual      Disabled      Enables a remote user to log on and run applications from a command line on the Web server.
To reduce the attack surface, disable Telnet unless it is used for remote administration of branch offices or of Web servers that have no keyboard or monitor directly attached (also known as headless Web servers). Because Telnet traffic is plaintext, Terminal Services is the preferred method for remote administration.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004
Terminal Services      Manual      Disabled      Allows multiple remote users to be connected interactively to the Web server, and provides display of desktops and run applications.
To reduce the attack surface, disable Terminal Services unless it is used for remote administration of branch offices or headless Web servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000004
Terminal Services Session Directory      Disabled      Disabled      Enables a user connection request to be routed to the appropriate terminal server in a cluster.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tssdis]
"Start"=dword:00000004
Themes      Disabled      Disabled      Provides user-experience theme management.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Start"=dword:00000004
Uninterruptible Power Supply      Automatic      Disabled      Manages an uninterruptible power supply (UPS) that is connected to the Web server by a serial port.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
"Start"=dword:00000004
Upload Managers      Manual      Disabled      Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks for the permission of the client to upload the hardware profile of the Web server and then search the Internet for information about how to obtain the appropriate drivers or how to get support.
To reduce the attack surface, disable this service on dedicated Web servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Uploadmgr]
"Start"=dword:00000004
Virtual Disk Services      Manual      Disabled      Provides software volume and hardware volume management service.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VDS]
"Start"=dword:00000004
Volume Shadow Copy      Manual      Disabled      Manages and implements volume shadow copies that are used for backup and other purposes.
This service can be disabled when volume shadow copies are used on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]
"Start"=dword:00000004
WebClient      Disabled      Disabled      Enables Windows-based programs to create, access, and modify Internet-based files.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
"Start"=dword:00000004
Windows Audio      Disabled      Disabled      Manages audio devices for Windows-based programs.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
"Start"=dword:00000004
Windows Image Acquisition (WIA)      Disabled      Disabled      Provides image acquisition services for scanners and cameras.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StiSvc]
"Start"=dword:00000004
Windows Installer      Manual      Disabled      Adds, modifies, and removes applications that are provided as a Windows Installer (.msi) package.

NOTE: You may need to set this service to Manual when you apply patches to this server.  Deployments may fail if you do not set this.  Do NOT leave as manual as this will increase your risk of attack.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Start"=dword:00000004
Windows Management Instrumentation      Automatic      Automatic      Provides a common interface and object model to access management information about the Web server through the WMI interface.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"Start"=dword:00000002
Windows Management Instrumentation Driver Extensions      Manual      Manual      Monitors all drivers and event trace providers that are configured to publish WMI or event trace information.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
"Start"=dword:00000003
Windows Time      Automatic      Automatic      Sets the Web server clock, and maintains date and time synchronization for all computers in the network.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Start"=dword:00000002
WinHTTP Web Proxy Auto-Discovery Service      Manual      Disabled      Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP services (WinHTTP) and enables an HTTP client to automatically discover a proxy configuration.
On dedicated Web servers, this service can be disabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc]
"Start"=dword:00000004
Wireless Configuration      Automatic      Disabled      Enables automatic configuration for IEEE 802.11 adapters.
On dedicated Web servers without wireless network adapters, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
"Start"=dword:00000004
WMI Performance Adapter      Manual      Disabled      Provides performance library information from WMI providers to clients on the network.
On dedicated Web servers that do not use WMI to provide performance library information, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]
"Start"=dword:00000004
Workstation      Automatic      Disabled      Creates and maintains client network connections to remote servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Start"=dword:00000004
WWW Publishing Service      Automatic      Automatic      
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC]
"Start"=dword:00000002
0
 

Author Comment

by:hotsox
Comment Utility
Sorry about this one. i thought I closed it already!

Points went were I wanted anyway so thanks and I'll try to watch this behaviour
0
 

Expert Comment

by:medtox
Comment Utility
Group policy is the cleanest way to make any of the requested changes.  It will make the registry changes for you without the oops factor.

gpedit.msc on a local machine.
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Learn about cloud computing and its benefits for small business owners.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now