Disabling Services via reg file in Windows 2003 server

I want to disable the following services by a reg file but cannot find the entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for the life of me and even if I could, I’m unsure of the value to assign to disable it.

Hopefully points reflect the effort anyone can go to give this to help me out.

Services are:

•      Automatic Updates.
•      Error Reporting Service.
•      Messenger.
•      Remote Access Connection Manager.
•      Remote Desktop Help Session Manager.
•      Smart Card.
•      Wireless Configuration.
•      NetMeeting

Many thanks

Look at the value for DWord "Start"

•      Automatic Updates: Wuauserv
•      Error Reporting Service: ERSvc
•      Messenger: Messenger
•      Remote Access Connection Manager: RASAuto
•      Remote Desktop Help Session Manager: RDSessMgr
•      Smart Card: SCardSvr
•      Wireless Configuration: WZCSVC (Wireless Zero Configuration)
•      NetMeeting: mnmsrvc
 - set 'Start' key = 4


Pete Long (Technical Consultant) commented:
^^^^^ outstanding answer Neal

If you want to distribute the change to all of your machines................

How to distribute a Registry Change

From Windows 2000 Magazine April 2001

You can use one of three methods: imported registration (.reg) files, regini.exe, or group or system policies.

***Option 1: Create or Export Registration Files ***

You can distribute .reg files that users can then import into the registries of target computers. All you need to do is create—or use regedit to export, then edit—the .reg files, then distribute them. (Registration files have one serious shortcoming, however: They can't delete anything in the registry.) Format the registration file's contents as follows:

<Blank line>

Is whichever version of regedit.exe you're using. This entry identifies the file as a registration file. Regedit automatically adds this information when you export a .reg file, but you must manually enter the information when you create a .reg file. For Windows 2000, the RegistryEditorVersion is Windows Registry Editor Version 5.00; for NT 4.0, the version is Regedit4.

Blank line
Identifies the beginning of a new registry path. (Each individual key or sub key is a new registry path.) When you export a key, the .reg file displays a blank line before each key or sub key. If you have multiple keys in your .reg file, blank lines can help you examine and troubleshoot the contents. (Microsoft's instructions state that the blank line is necessary. However, when I create .reg files and inadvertently forget the blank lines, the files still merge successfully.)

Is the path to the key that holds the values you're importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash—for example, [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]. A .reg file can contain multiple registry paths.
When the bottom of the hierarchy that you enter in the path statement doesn't exist in the registry, you're creating a new subkey. Registry files' contents are sent to the registry in the order in which you enter them. Therefore, if you want to create a new key and a subkey below that key, be sure to enter the lines in the proper order. (However, the only reason to create new keys is because you've written software that looks for those keys. Creating new keys isn't a task you perform for system maintenance.)

Is the data item you want to import. When a data item in your file doesn't exist in the registry, the .reg file adds it (with its value). When a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.  

(i.e., the imported item's data type) immediately follows the equal sign, unless the data type is of REG_SZ (REG_SZ types are strings). For all data types other than REG_SZ, a colon immediately follows the data type. Table 1 shows the entries for five common data types. (Nine data types exist, but the types in Table 1 are likely to be the only ones you'll use for system maintenance.) For information about these data types, see the sidebar "Registry Data Types" (see below).

Table 1

Data Type         Registration File DataType Entry
REG_BINARY        hex
REG_DWORD         dword
REG_EXPAND_SZ     hex(2)
REG_MULTI_SZ      hex(7)
REG_SZ            none

(i.e., the value you want to import) immediately follows the colon and must be in the appropriate format (i.e., string or hexadecimal—use hex format for binary data items). You can enter multiple data-item lines for the same registry path. For example, the data-item lines


reflect the hex entries that these data items require: 00000014 is the hex equivalent of 20, and 0000000f is the hex equivalent of 15. If you're uncomfortable with hex or other nonreadable data, restrict your .reg file creation efforts to items that are neither binary nor hex format.
The registry doesn't have a Boolean data type (although it should, and I can't believe Microsoft hasn't gotten around to this yet). However, Boolean type data is usually a DWORD (4 byte) or String (2 byte) item type in the registry. If you're using your .reg file to change values, check the data item in the registry to make sure you match the data type. You don't need to enter the full string in your .reg file; you can omit leading zeros for all numeric values.

****A Registration File Drawback ****

Registration (.reg) files can't delete anything in the registry

****Here's an Example*****

Windows Registry Editor Version 5.00


****Option 2: Get More Editing Power with Regini.exe*****
If scripts are your favourite tools for configuration and setup tasks, you can use regini.exe to apply your scripting skills to registry edits. Regini provides more power than .reg files can muster, including the ability to delete subkeys and data items and to set permissions on registry keys. You can find Regini in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit. (I've successfully used the Windows 2000 version of regini.exe on NT machines, and vice versa.) The resource kits also contain full documentation (i.e., regini.doc) for this nifty utility. Regini uses the following syntax:

regini <ScriptFileName>

where ScriptFileName is the path to a script file you've written to perform a specific registry edit. You can use Uniform Naming Convention (UNC) in the path statement if the script is on a network share.

To distribute registry changes that use Regini, you must make the program available to each target computer (assuming that you haven't installed the resource kits across your enterprise). You can use a batch file to map Regini's UNC path and then run the program. For example, if Regini resides on a network share named ResKit on a server named Tools1, you can create the following batch file:

Net use x: \\tools1\reskit
x:\regini <ScriptFileName>
Net use x: /delete

Regini Features
Regini gives you several options for data manipulation. For example, DELETE is a regini.exe keyword that requires only the name of the data item. To remove a data item, enter the following syntax as the second (i.e., data item) line of your script:

DataItemName = DELETE

Putting It All Together
As an example of a complete command, review the following script. This command changes computer settings so that the most recent user's name doesn't appear in the Logon dialog box.

DontDisplayLastUserName = REG_DWORD 1

*****Option 3: Use Policies *****

You can also distribute registry changes by creating system policies that manipulate the registries of target users. The process you use varies between Windows 2000 (which uses the Microsoft Management Console—MMC—GPE snap-in) and earlier versions of Windows (which use SPE), but in either case, you can build administration (.adm) files to send registry changes to selected computers.

The easiest way to create an .adm file is to use an existing .adm template as a starting point. Templates are text files, and you can open them in Notepad or any text editor. Before you do anything with existing templates, back up the originals. When you modify a template, save the new version with a new filename, even if you've backed up the original. And you must test your new .adm files in a lab environment before you unleash your creation on the enterprise. (See Reader to Reader, ".adm Files and the Headaches They Can Cause," October 1999, for a description of the consequences you might face if you ignore this advice.)

Of course, to implement a registry change through an .adm template, you need to know which registry key to target. The resource kits' registry documentation is rather sparse. To learn my way around the registry, I used a lab environment to plunge in and make system changes with existing policies and Control Panel applets. I used Sysinternals' regmon.exe (available from http://www.sysinternals.com ) to track the resulting registry changes. Eventually, I learned quite a bit about the registry's organization and registry entries' data types.

Where are the Administrative Templates (ADM) located?


HOW TO: Add, Modify, or Delete Registry Subkeys and Values by Using a Registration Entries (.reg) File

Distributing Registry Changes

Specify a Script to Run on Startup Shutdown Logon Logoff
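
The registration-file layout described in the quoted article, combined with the Start = 4 change from the first answer, as an added Python example that is not part of the original thread. It builds the .reg text for the service key names listed in that answer, then parses .reg text back (decoding the Table 1 data types) and reports each service's start type. The key names are copied from the answer and should be checked against each key's DisplayName before merging; the helper names and the sample data are constructed for illustration.

```python
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Key names exactly as listed in the answer on this page (assumption: verify
# each one against the key's DisplayName value before merging the file).
SERVICE_KEYS = ["Wuauserv", "ERSvc", "Messenger", "RASAuto",
                "RDSessMgr", "SCardSvr", "WZCSVC", "mnmsrvc"]
# Meaning of the service "Start" DWORD.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
# Header line -> encoding used for hex(2)/hex(7) string data.
HEADERS = {"Windows Registry Editor Version 5.00": "utf-16-le", "REGEDIT4": "cp1252"}

# Constructed sample (not from the page): a dword, a string and a wrapped hex(7).
SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example]\r\n"
    '"Timeout"=dword:00000014\r\n'
    '"Name"="C:\\\\Tools"\r\n'
    '"Multi"=hex(7):61,00,00,00,62,00,\\\r\n  00,00,00,00\r\n'
)


def build_disable_reg(keys):
    """Return .reg text that sets Start=4 (Disabled) for each service key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        lines += [f"[{SERVICES_ROOT}\\{key}]", '"Start"=dword:00000004', ""]
    return "\r\n".join(lines)


def hex_bytes(text):
    """Convert '61,00,62' into bytes, ignoring empty fields."""
    return bytes(int(b, 16) for b in text.split(",") if b.strip())


def unescape(text):
    """Undo the \\\\ and \\" escapes used inside quoted .reg strings."""
    return re.sub(r"\\(.)", r"\1", text)


def decode_value(raw, encoding):
    """Decode the part after '=' into (registry type, Python value)."""
    raw = raw.strip()
    if raw.startswith('"'):                      # REG_SZ has no type prefix
        return "REG_SZ", unescape(raw[1:-1])
    kind, _, data = raw.partition(":")
    kind = kind.lower()
    if kind == "dword":
        return "REG_DWORD", int(data, 16)        # leading zeros are optional
    if kind == "hex":
        return "REG_BINARY", hex_bytes(data)
    if kind == "hex(2)":
        return "REG_EXPAND_SZ", hex_bytes(data).decode(encoding).rstrip("\0")
    if kind == "hex(7)":
        parts = hex_bytes(data).decode(encoding).split("\0")
        return "REG_MULTI_SZ", [p for p in parts if p]
    raise ValueError(f"unsupported data type entry: {kind!r}")


def parse_reg(text):
    """Parse .reg text into {registry path: {value name: (type, value)}}."""
    lines = text.replace("\r\n", "\n").split("\n")
    header = lines[0].lstrip("\ufeff").strip()
    if header not in HEADERS:
        raise ValueError(f"not a registration file: {header!r}")
    result, path, pending = {}, None, ""
    for line in lines[1:]:
        line, pending = pending + line.strip(), ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]                  # wrapped hex data continues
            continue
        if not line or line.startswith(";"):     # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            result.setdefault(path, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$', line)
        if not m or path is None:
            raise ValueError(f"unparsable line: {line!r}")
        name = "" if m[1] == "@" else unescape(m[1][1:-1])
        result[path][name] = decode_value(m[2], HEADERS[header])
    return result


def service_start_types(parsed):
    """Map service key name -> start type for keys directly under Services."""
    prefix = SERVICES_ROOT.lower() + "\\"
    report = {}
    for path, values in parsed.items():
        svc = path[len(prefix):]
        if not path.lower().startswith(prefix) or "\\" in svc or "Start" not in values:
            continue
        kind, val = values["Start"]
        report[svc] = (START_TYPES.get(val, f"unknown({val})")
                       if kind == "REG_DWORD" else f"wrong type {kind}")
    return report


if __name__ == "__main__":
    generated = build_disable_reg(SERVICE_KEYS)
    for svc, state in service_start_types(parse_reg(generated)).items():
        print(f"{svc:12} {state}")
```

Running `service_start_types(parse_reg(...))` over a file exported from a hardened reference server gives a quick review of what a .reg file will change before it is merged anywhere.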

aha...too slow again!

P.S. Look at 'Display Name' to see what the service displays as in the Control Panel. If you do a search in HKLM\System\CCS\Services for the name of the service, it should hit the right key for you pretty much right away.
Pete Long (Technical Consultant) commented:
cheers JP - I lifted that straight out of Technet :)
Just thought I would share some of the info I have been putting together for locking down Windows 2003. Part of this was to understand the services and what they performed, along with how to disable them in the registry, so I hope this is of some use to anybody else out there. Unfortunately it is not keeping the table formatting, which would make it so much easier to read.  Cheers, Wayne

Service Name      Default Startup Type      Recommended Startup Type      Comment
Alerter      Disabled      Disabled      Notifies selected users and computers of administrative alerts.
Application Layer Gateway Service      Manual      Disabled      Provides support for application-level plug-ins and enables network and protocol connectivity.
Application Management      Manual      Disabled      Provides software installation services for applications that are deployed in Add or Remove Programs in Control Panel.
On a dedicated Web server, this service can be disabled to prevent unauthorized installation of software.
ASP.NET State Service      Manual      Disabled      Provides support for out of process session states for ASP.NET.  If this service is stopped, out of process requests will not be processed.  If this service is disabled, any services that explicitly depend on it will fail to start.
Automatic Updates      Automatic      Disabled      Service should not be present – either disable or remove.

Provides the download and installation of critical Windows updates, such as security patches and hotfixes.
This service can be disabled when automatic updates are not performed on the Web server.
Background Intelligent Transfer Service      Manual      Disabled      Provides a background file-transfer mechanism and queue management, and it is used by Automatic Update to automatically download programs (such as security patches).
This service can be disabled when automatic updates are not performed on the Web server.
ClipBook      Disabled      Disabled      Enables the Clipbook Viewer to create and share data that can be reviewed by remote users.
COM+ Event System      Manual      Manual      Provides automatic distribution of events to COM+ components.
COM+ System Application      Manual      Manual      Manages the configuration and tracking of COM+-based components.
Computer Browser      Automatic      Disabled      Maintains the list of computers on the network, and supplies the list to programs that request the list.
Cryptographic Services      Automatic      Automatic      Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from the Web server; and Key Service, which helps in enrolling certificates.
DHCP Client      Automatic      Disabled      Required to automatically obtain IP configuration and to dynamically update records in DNS.
Distributed File System      Automatic      Disabled      Manages logical volumes that are distributed across a local area network (LAN) or wide area network (WAN).
On a dedicated Web server, disable Distributed File System.
Distributed Link Tracking Client      Automatic      Disabled      Maintains links between NTFS V5 file system files within the Web server and other servers in the domain.
On a dedicated Web server, disable Distributed Link Tracking.
Distributed Link Tracking Server      Manual      Disabled      Tracks information about files that are moved between NTFS V5 volumes throughout a domain.
On a dedicated Web server, disable Distributed Link Tracking.
Distributed Transaction Coordinator      Automatic      Automatic      Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DNS Client      Automatic      Automatic      Allows resolution of DNS names.
Error Reporting Service      Automatic      Disabled      Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, then Error Reporting will occur only for kernel faults.
On a dedicated Web server, disable Error Reporting Service.
Event Log      Automatic      Automatic      Writes event log messages that are issued by Windows-based programs and components to the log files.
Fax Service      Manual      Disabled      Service should not be present – either disable or remove.

Provides the ability to send and receive faxes through fax resources that are available on the Web server and network.
On a dedicated Web server, this service can be disabled because sending and receiving faxes is not a typical function of a Web Server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax Service]
File Replication Service      Manual      Disabled      Enables files to be automatically copied and maintained simultaneously on multiple servers.
Help and Support      Automatic      Disabled      Enables Help and Support Center to run on the Web server.
HTTP SSL      Manual      Manual      Implements the Secure Hypertext Transfer Protocol (HTTPS) for the HTTP service by using SSL. HTTP.sys automatically starts this service when any Web sites require SSL.
Human Interface Device Access      Disabled      Disabled      Enables generic input to Human Interface Devices (HIDs), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
IIS Admin Service      Automatic      Automatic      Enables this server to administer web and ftp services.  If this service is stopped, the server will be unable to run web, ftp, nntp or smtp sites or configure IIS.  If this service is disabled, any services that explicitly depend on it will fail to start.
IMAPI CD-Burning COM Service      Disabled      Disabled      Manages CD recording by using the Image Mastering API (IMAPI).
Indexing Service      Manual      Disabled      Indexes content and properties of files on the Web server to provide rapid access to the file through a flexible query language.
On a dedicated Web server, disable this service unless Web sites or applications specifically leverage the Indexing Service for searching site content.
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS)      Disabled      Disabled      Provides network address translation (NAT), addressing and name resolution, and intrusion detection when connected through a dial-up or broadband connection.
On a dedicated Web server, disable to prevent inadvertent enabling of NAT, which would prevent the Web server from communicating with the remainder of the network.
Intersite Messaging      Disabled      Disabled      Enables messages to be exchanged between computers running windows server sites.  If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services.  If this service is disabled, any services that explicitly depend on it will fail to start.  It is Required by Distributed File System (DFS).
IPSec Services      Automatic      Automatic      Provides management and coordination of Internet Protocol security (IPSec) policies with the IPSec driver.
Kerberos Key Distribution Center      Disabled      Disabled      Provides the ability for users to log on using the Kerberos V5 authentication protocol.
License Logging Service      Disabled      Disabled      Monitors and records client access licensing for portions of the operating system, such as IIS, Terminal Services, and file and print sharing, and for products that are not a part of the operating system, such as Microsoft SQL Server or Microsoft Exchange Server.
On a dedicated Web server, this service can be disabled.
Logical Disk Manager      Automatic      Manual      Required to ensure that dynamic disk information is up to date.
Logical Disk Manager Administrative Service      Manual      Manual      Required to perform disk administration.
Messenger      Disabled      Disabled      Transmits net sends and Alerter service messages between clients and servers.
Microsoft Software Shadow Copy       Manual      Disabled      Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
On a dedicated Web server, this service can be disabled when volume shadow copies are not used.
MSSQLServer      Automatic      Automatic      
MSSQLServerADHelper      Manual      Disabled      
Net Logon      Manual      Disabled      Maintains a secure channel between the domain controller, other domain controllers, member servers, and workstations in the same domain and trusted domains.
NetMeeting Remote Desktop Sharing      Manual      Disabled      Eliminates potential security threats by allowing domain-controller remote administration through NetMeeting.
Network Connections      Manual      Disabled      Manages objects in the Network Connections directory.
Network DDE      Disabled      Disabled      Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the Web server. This service can be disabled when no DDE applications are running locally on the Web server.
Network DDE DSDM      Disabled      Disabled      Used by Network DDE. This service can be disabled when Network DDE is disabled.
Network Location Awareness (NLA)      Manual      Disabled      Collects and stores network configuration and location information, and notifies applications when this information changes.
NTLM Security Support Provider      Manual      Manual      Provides security to RPC programs that use transports other than named pipes, and enables users to log on using the NTLM authentication protocol.
Performance Logs and Alerts      Manual      Manual      Collects performance data for the domain controller, writes the data to a log, or generates alerts. This service can be set to automatic when you want to log performance data or generate alerts without an administrator being logged on.
Plug and Play      Automatic      Automatic      Required to automatically recognize and adapt to changes in the Web server hardware with little or no user input.
Portable Media Serial Number Service      Manual      Disabled      Retrieves the serial number of any portable media player that is connected to the computer.
Print Spooler      Automatic      Disabled      Manages all local and network print queues and controls all print jobs.
On a dedicated Web server, this service can be disabled when no printing is required.
Protected Storage      Automatic      Automatic      Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users.
This service is used on a dedicated Web server for smart-card logon.
Remote Access Auto Connection Manager      Manual      Disabled      Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection.
On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.
Remote Access Connection Manager      Manual      Disabled      Manages VPN and dial-up connection from the Web server to the Internet or other remote networks.
On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.
Remote Desktop Help Sessions Manager      Manual      Disabled      Manages and controls Remote Assistance.
On a dedicated Web server, this service can be disabled. Use Terminal Services instead.
Remote Procedure Call (RPC)      Automatic      Automatic      Serves as the RPC endpoint mapper for all applications and services that use RPC communications.
Remote Procedure Call (RPC) Locator      Manual      Disabled      Enables RPC clients using the RpcNs* family of application programming interfaces (APIs) to locate RPC servers and manage the RPC name service database.
This service can be disabled if no applications use the RpcNs* APIs.
Remote Registry Service      Automatic      Disabled      Enables remote users to modify registry settings on the Web server, provided the remote users have the required permissions. By default, only members of the Administrators and Backup Operators groups can access the registry remotely.
Removable Storage      Manual      Disabled      Manages and catalogs removable media, and operates automated removable media devices, such as tape auto loaders or CD jukeboxes.
This service can be disabled when removable media devices are directly connected to the Web server.
Resultant Set of Policy Provider      Manual      Disabled      Enables a user to connect to a remote computer, access the Windows Management Instrumentation (WMI) database for that Web server, and then either verify the current Group Policy settings or check the settings before they are applied.
Routing and Remote Access      Disabled      Disabled      Enables LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services.
Secondary Logon      Automatic      Disabled      Allows you to run specific tools and programs with different permissions and user rights than the default permissions and user rights of the account under which you logged on.
Security Accounts Manager      Automatic      Automatic      A protected subsystem that manages user and group account information.
Server      Automatic      Disabled      Provides RPC support, file sharing, print sharing, and named pipe sharing over the network.
Shell Hardware Detection      Automatic      Disabled      Provides notification for AutoPlay hardware events.
Smart Card      Manual      Disabled      Manages and controls access to a smart card that is inserted into a smart card reader attached to the Web server.
Special Administration Console Helper      Manual      Disabled      Allows administrators to remotely access a command prompt by using Emergency Management Services.
This service can be disabled when Emergency Management Services is not being used to remotely manage the Web server.
SQLServerAgent      Automatic      Automatic      
System Event Notification      Automatic      Automatic      Monitors system events and notifies subscribers to the COM+ Event System of these events.
Task Scheduler      Automatic      Disabled      Provides the ability to schedule automated tasks on the Web server.
TCP/IP NetBIOS Helper Service      Automatic      Disabled      Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients.
Telephony      Manual      Disabled      Provides Telephony API (TAPI) support of client programs that control telephony devices and IP-based voice connections.
On a dedicated Web server, this service can be disabled when TAPI is not used by applications.
Telnet      Manual      Disabled      Enables a remote user to log on and run applications from a command line on the Web server.
To reduce the attack surface, disable Telnet unless it is used for remote administration of branch offices or of Web servers that have no keyboard or monitor directly attached (also known as headless Web servers). Because Telnet traffic is plaintext, Terminal Services is the preferred method for remote administration.
Terminal Services      Manual      Disabled      Allows multiple remote users to be connected interactively to the Web server, and provides display of desktops and run applications.
To reduce the attack surface, disable Terminal Services unless it is used for remote administration of branch offices or headless Web servers.
Terminal Services Session Directory      Disabled      Disabled      Enables a user connection request to be routed to the appropriate terminal server in a cluster.
Themes      Disabled      Disabled      Provides user-experience theme management.
Uninterruptible Power Supply      Automatic      Disabled      Manages an uninterruptible power supply (UPS) that is connected to the Web server by a serial port.
Upload Managers      Manual      Disabled      Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks for the permission of the client to upload the hardware profile of the Web server and then search the Internet for information about how to obtain the appropriate drivers or how to get support.
To reduce the attack surface, disable this service on dedicated Web servers.
Virtual Disk Services      Manual      Disabled      Provides software volume and hardware volume management service.
Volume Shadow Copy      Manual      Disabled      Manages and implements volume shadow copies that are used for backup and other purposes.
This service can be disabled when volume shadow copies are used on the Web server.
WebClient      Disabled      Disabled      Enables Windows-based programs to create, access, and modify Internet-based files.
Windows Audio      Disabled      Disabled      Manages audio devices for Windows-based programs.
Windows Image Acquisition (WIA)      Disabled      Disabled      Provides image acquisition services for scanners and cameras.
Windows Installer      Manual      Disabled      Adds, modifies, and removes applications that are provided as a Windows Installer (.msi) package.

NOTE: You may need to set this service to Manual when you apply patches to this server.  Deployments may fail if you do not set this.  Do NOT leave as manual as this will increase your risk of attack.
Windows Management Instrumentation      Automatic      Automatic      Provides a common interface and object model to access management information about the Web server through the WMI interface.
Windows Management Instrumentation Driver Extensions      Manual      Manual      Monitors all drivers and event trace providers that are configured to publish WMI or event trace information.
Windows Time      Automatic      Automatic      Sets the Web server clock, and maintains date and time synchronization for all computers in the network.
WinHTTP Web Proxy Auto-Discovery Service      Manual      Disabled      Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP services (WinHTTP) and enables an HTTP client to automatically discover a proxy configuration.
On dedicated Web servers, this service can be disabled
Wireless Configuration      Automatic      Disabled      Enables automatic configuration for IEEE 802.11 adapters.
On dedicated Web servers without wireless network adapters, this service can be disabled.
WMI Performance Adapter      Manual      Disabled      Provides performance library information from WMI providers to clients on the network.
On dedicated Web servers that do not use WMI to provide performance library information, this service can be disabled.
Workstation      Automatic      Disabled      Creates and maintains client network connections to remote servers.
WWW Publishing Service      Automatic      Automatic      
hotsox (Author) commented:
Sorry about this one. I thought I closed it already!

Points went where I wanted anyway, so thanks, and I'll try to watch this behaviour.
Group policy is the cleanest way to make any of the requested changes.  It will make the registry changes for you without the oops factor.

gpedit.msc on a local machine.