hotsox
Disabling Services via reg file in Windows 2003 server
I want to disable the following services by a reg file but cannot find the entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for the life of me and even if I could, I’m unsure of the value to assign to disable it.
Hopefully points reflect the effort anyone can go to give this to help me out.
Services are:
• Automatic Updates.
• Error Reporting Service.
• Messenger.
• Remote Access Connection Manager.
• Remote Desktop Help Session Manager.
• Smart Card.
• Wireless Configuration.
• NetMeeting
Many thanks
H.
ASKER CERTIFIED SOLUTION
^^^^^ outstanding answer Neal
If you want to distribute the change to all of your machines................
How to distribute a Registry Change
From Windows 2000 Magazine April 2001
You can use one of three methods: imported registration (.reg) files, regini.exe, or group or system policies.
***Option 1: Create or Export Registration Files ***
You can distribute .reg files that users can then import into the registries of target computers. All you need to do is create—or use regedit to export, then edit—the .reg files, then distribute them. (Registration files have one serious shortcoming, however: They can't delete anything in the registry.) Format the registration file's contents as follows:
<RegistryEditorVersion>
<Blank line>
[<RegistryPath>]
"<DataItemName>"="<DataType>:<DataValue>"
RegistryEditorVersion
Is whichever version of regedit.exe you're using. This entry identifies the file as a registration file. Regedit automatically adds this information when you export a .reg file, but you must manually enter the information when you create a .reg file. For Windows 2000, the RegistryEditorVersion is Windows Registry Editor Version 5.00; for NT 4.0, the version is Regedit4.
Blank line
Identifies the beginning of a new registry path. (Each individual key or sub key is a new registry path.) When you export a key, the .reg file displays a blank line before each key or sub key. If you have multiple keys in your .reg file, blank lines can help you examine and troubleshoot the contents. (Microsoft's instructions state that the blank line is necessary. However, when I create .reg files and inadvertently forget the blank lines, the files still merge successfully.)
RegistryPath
Is the path to the key that holds the values you're importing. Enclose the path in square brackets, and separate each level of the hierarchy by a backslash—for example, [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]. A .reg file can contain multiple registry paths.
When the bottom of the hierarchy that you enter in the path statement doesn't exist in the registry, you're creating a new subkey. Registry files' contents are sent to the registry in the order in which you enter them. Therefore, if you want to create a new key and a subkey below that key, be sure to enter the lines in the proper order. (However, the only reason to create new keys is because you've written software that looks for those keys. Creating new keys isn't a task you perform for system maintenance.)
DataItemName
Is the data item you want to import. When a data item in your file doesn't exist in the registry, the .reg file adds it (with its value). When a data item does exist, the value in your .reg file overwrites the existing value. Quotation marks enclose the name of the data item. An equal sign (=) immediately follows the name of the data item.
DataType
(i.e., the imported item's data type) immediately follows the equal sign, unless the data type is of REG_SZ (REG_SZ types are strings). For all data types other than REG_SZ, a colon immediately follows the data type. Table 1 shows the entries for five common data types. (Nine data types exist, but the types in Table 1 are likely to be the only ones you'll use for system maintenance.) For information about these data types, see the sidebar "Registry Data Types" (see below).
Data Type | Registration File DataType Entry
REG_BINARY | hex
REG_DWORD | dword
REG_EXPAND_SZ | hex(2)
REG_MULTI_SZ | hex(7)
REG_SZ | none
DataValue
(i.e., the value you want to import) immediately follows the colon and must be in the appropriate format (i.e., string or hexadecimal—use hex format for binary data items). You can enter multiple data-item lines for the same registry path. For example, the data-item lines
"GroupPolicyRefreshTime"=dword:00000014
"GroupPolicyRefreshTimeOffset"=dword:0000000f
reflect the hex entries that these data items require: 00000014 is the hex equivalent of 20, and 0000000f is the hex equivalent of 15. If you're uncomfortable with hex or other nonreadable data, restrict your .reg file creation efforts to items that are neither binary nor hex format.
The registry doesn't have a Boolean data type (although it should, and I can't believe Microsoft hasn't gotten around to this yet). However, Boolean type data is usually a DWORD (4 byte) or String (2 byte) item type in the registry. If you're using your .reg file to change values, check the data item in the registry to make sure you match the data type. You don't need to enter the full string in your .reg file; you can omit leading zeros for all numeric values.
****A Registration File Drawback ****
Registration (.reg) files can't delete anything in the registry
****Here's an Example*****
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsMenu"=dword:1
****Option 2: Get More Editing Power with Regini.exe*****
If scripts are your favourite tools for configuration and setup tasks, you can use regini.exe to apply your scripting skills to registry edits. Regini provides more power than .reg files can muster, including the ability to delete subkeys and data items and to set permissions on registry keys. You can find Regini in the Microsoft Windows 2000 Server Resource Kit and the Microsoft Windows NT Server 4.0 Resource Kit. (I've successfully used the Windows 2000 version of regini.exe on NT machines, and vice versa.) The resource kits also contain full documentation (i.e., regini.doc) for this nifty utility. Regini uses the following syntax:
regini <ScriptFileName>
where ScriptFileName is the path to a script file you've written to perform a specific registry edit. You can use Uniform Naming Convention (UNC) in the path statement if the script is on a network share.
To distribute registry changes that use Regini, you must make the program available to each target computer (assuming that you haven't installed the resource kits across your enterprise). You can use a batch file to map Regini's UNC path and then run the program. For example, if Regini resides on a network share named ResKit on a server named Tools1, you can create the following batch file:
Net use x: \\tools1\reskit
x:\regini <ScriptFileName>
Net use x: /delete
Regini Features
Regini gives you several options for data manipulation. For example, DELETE is a regini.exe keyword that requires only the name of the data item. To remove a data item, enter the following syntax as the second (i.e., data item) line of your script:
DataItemName = DELETE
Putting It All Together
As an example of a complete command, review the following script. This command changes computer settings so that the most recent user's name doesn't appear in the Logon dialog box.
\registry\machine\software\microsoft\windows\currentversion\policies\system
    DontDisplayLastUserName = REG_DWORD 1
*****Option 3: Use Policies *****
You can also distribute registry changes by creating system policies that manipulate the registries of target users. The process you use varies between Windows 2000 (which uses the Microsoft Management Console—MMC—GPE snap-in) and earlier versions of Windows (which use SPE), but in either case, you can build administration (.adm) files to send registry changes to selected computers.
The easiest way to create an .adm file is to use an existing .adm template as a starting point. Templates are text files, and you can open them in Notepad or any text editor. Before you do anything with existing templates, back up the originals. When you modify a template, save the new version with a new filename, even if you've backed up the original. And you must test your new .adm files in a lab environment before you unleash your creation on the enterprise. (See Reader to Reader, ".adm Files and the Headaches They Can Cause," October 1999, for a description of the consequences you might face if you ignore this advice.)
Of course, to implement a registry change through an .adm template, you need to know which registry key to target. The resource kits' registry documentation is rather sparse. To learn my way around the registry, I used a lab environment to plunge in and make system changes with existing policies and Control Panel applets. I used Sysinternals' regmon.exe (available from http://www.sysinternals.com ) to track the resulting registry changes. Eventually, I learned quite a bit about the registry's organization and registry entries' data types.
Where are the Administrative Templates (ADM) located?
http://www.jsiinc.com/SUBK/tip5000/rh5052.htm
*****Links*****
HOW TO: Add, Modify, or Delete Registry Subkeys and Values by Using a Registration Entries (.reg) File
http://support.microsoft.com/?kbid=310516
Distributing Registry Changes
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/DistributingRegistryChanges.asp
Specify a Script to Run on Startup Shutdown Logon Logoff
http://techsupt.winbatch.com/TS/T000001048F90.html
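A pre-distribution check for a services .reg file, as an added example that is not part of the original thread: it parses the registration-file format described above and reports which startup type each "Start" item would set. The sample file is constructed, the function names are hypothetical, and the Start mapping (2 Automatic, 3 Manual, 4 Disabled) is the standard Windows one.

```python
import re

# Startup types for a service's "Start" item; this thread uses 2, 3 and 4.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}
KEY_RE = re.compile(r"^\[(.+)\]$")
ITEM_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r"^hex(?:\(([0-9a-f]+)\))?:(.*)$", re.I)

# Constructed sample: a padded dword, a short dword, a key path damaged by
# stray spaces (copy/paste from a web page), and a Start written as a string.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:4

[HKEY_LOCAL_MACHINE\SYSTEM \CurrentCo ntrolSet\S ervices\Me ssenger]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
"Start"="4"
'''


def parse_value(raw):
    """Decode the text after '=' into (registry type name, Python value)."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return "REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = HEX_RE.match(raw)
    if not m:
        raise ValueError("unrecognised data type in %r" % raw)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    return HEX_TYPES.get(m.group(1), "hex(%s)" % m.group(1)), data


def parse_reg(text):
    """Parse .reg text into ({key: {item: (type, value)}}, [problems])."""
    lines = text.lstrip("\ufeff").splitlines()
    entries, problems, key, pending = {}, [], None, ""
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("line 1: missing RegistryEditorVersion header")
    for no, raw in enumerate(lines, start=1):
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # hex data continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or (no == 1 and line in HEADERS):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            if any(seg != seg.strip() or not seg for seg in key.split("\\")):
                problems.append("line %d: stray whitespace in key path [%s]" % (no, key))
            continue
        m = ITEM_RE.match(line)
        if not m or key is None:
            problems.append("line %d: not a key or data item: %r" % (no, line))
            continue
        name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        try:
            entries[key][name] = parse_value(m.group(2).strip())
        except ValueError as exc:
            problems.append("line %d: %s" % (no, exc))
    return entries, problems


def audit_service_start(entries, expected):
    """Return ({service: startup type}, [problems]) for keys directly under Services."""
    result, problems, seen = {}, [], set()
    for key, items in entries.items():
        if not key.lower().startswith(SERVICES.lower()):
            continue
        service = key[len(SERVICES):]
        start = next((v for n, v in items.items() if n.lower() == "start"), None)
        if "\\" in service or start is None:    # a subkey, or no Start item
            continue
        seen.add(service.lower())
        if start[0] == "REG_DWORD" and start[1] in START_TYPES:
            result[service] = START_TYPES[start[1]]
        else:
            problems.append("%s: Start=%r (%s) is not a startup-type dword" % (service, start[1], start[0]))
    for service in expected:
        if service.lower() not in seen:
            problems.append("%s: file sets no Start item for this service" % service)
    return result, problems


if __name__ == "__main__":
    parsed, parse_problems = parse_reg(SAMPLE_REG)
    startup, audit_problems = audit_service_start(parsed, ["wuauserv", "ERSvc", "Messenger", "mnmsrvc"])
    print(startup, parse_problems + audit_problems, sep="\n")
```

On the sample, the damaged Messenger path is reported at parse time and again as a service the file never sets, which is the case that otherwise merges without error and leaves the service enabled.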
aha...too slow again!
ps. look at 'Display Name' to see what the service displays as in the Control Panel. If you do a search in HKLM\System\CCS\Services for the name of the service, it should hit the right key for you pretty much right away
Here's the link to Pete's article if you want to print it...
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnw2kmag01/html/DistributingRegistryChanges.asp
cheers JP - I lifted that straight out of Technet :)
Just thought I would share some of the info I have been putting together for locking down Windows 2003. Part of this was to understand the services and what they performed along with how to disable them in the registry, so I hope this is of some use to anybody else out there. Unfortunately it is not keeping the table formatting, which would make it so much easier to read. Cheers, Wayne
Service Name Default Startup Type Recommended Startup Type Comment
Alerter Disabled Disabled Notifies selected users and computers of administrative alerts.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
Application Layer Gateway Service Manual Disabled Provides support for application-level plug-ins and enables network and protocol connectivity.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Start"=dword:00000004
Application Management Manual Disabled Provides software installation services for applications that are deployed in Add or Remove Programs in Control Panel.
On a dedicated Web server, this service can be disabled to prevent unauthorized installation of software.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"Start"=dword:00000004
ASP.NET State Service Manual Disabled Provides support for out of process session states for ASP.NET. If this service is stopped, out of process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Aspnet_State]
"Start"=dword:00000004
Automatic Updates Automatic Disabled Service should not be present – either disable or remove.
Provides the download and installation of critical Windows updates, such as security patches and hotfixes.
This service can be disabled when automatic updates are not performed on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
Background Intelligent Transfer Service Manual Disabled Provides a background file-transfer mechanism and queue management, and it is used by Automatic Update to automatically download programs (such as security patches).
This service can be disabled when automatic updates are not performed on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004
ClipBook Disabled Disabled Enables the Clipbook Viewer to create and share data that can be reviewed by remote users.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Start"=dword:00000004
COM+ Event System Manual Manual Provides automatic distribution of events to COM+ components.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Start"=dword:00000003
COM+ System Application Manual Manual Manages the configuration and tracking of COM+-based components.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Start"=dword:00000003
Computer Browser Automatic Disabled Maintains the list of computers on the network, and supplies the list to programs that request the list.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000004
Cryptographic Services Automatic Automatic Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from the Web server; and Key Service, which helps in enrolling certificates.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Start"=dword:00000002
DHCP Client Automatic Disabled Required to automatically obtain IP configuration and to dynamically update records in DNS.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"Start"=dword:00000004
Distributed File System Automatic Disabled Manages logical volumes that are distributed across a local area network (LAN) or wide area network (WAN).
On a dedicated Web server, disable Distributed File System.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs]
"Start"=dword:00000004
Distributed Link Tracking Client Automatic Disabled Maintains links between NTFS V5 file system files within the Web server and other servers in the domain.
On a dedicated Web server, disable Distributed Link Tracking.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Start"=dword:00000004
Distributed Link Tracking Server Manual Disabled Tracks information about files that are moved between NTFS V5 volumes throughout a domain.
On a dedicated Web server, disable Distributed Link Tracking.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkSvr]
"Start"=dword:00000004
Distributed Transaction Coordinator Automatic Automatic Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
"Start"=dword:00000002
DNS Client Automatic Automatic Allows resolution of DNS names.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002
Error Reporting Service Automatic Disabled Collects, stores, and reports unexpected application crashes to Microsoft. If this service is stopped, then Error Reporting will occur only for kernel faults.
On a dedicated Web server, disable Error Reporting Service.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004
Event Log Automatic Automatic Writes event log messages that are issued by Windows-based programs and components to the log files.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002
Fax Service Manual Disabled Service should not be present – either disable or remove.
Provides the ability to send and receive faxes through fax resources that are available on the Web server and network.
On a dedicated Web server, this service can be disabled because sending and receiving faxes is not a typical function of a Web Server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax Service]
"Start"=dword:00000004
File Replication Service Manual Disabled Enables files to be automatically copied and maintained simultaneously on multiple servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs]
"Start"=dword:00000004
Help and Support Automatic Disabled Enables Help and Support Center to run on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000004
HTTP SSL Manual Manual Implements the Secure Hypertext Transfer Protocol (HTTPS) for the HTTP service by using SSL. HTTP.sys automatically starts this service when any Web sites require SSL.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTPFilter]
"Start"=dword:00000003
Human Interface Device Access Disabled Disabled Enables generic input to Human Interface Devices (HIDs), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ]
"Start"=dword:00000004
IIS Admin Service Automatic Automatic Enables this server to administer web and ftp services. If this service is stopped, the server will be unable to run web, ftp, nntp or smtp sites or configure IIS. If this service is disabled, any services that explicitly depend on it will fail to start.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN]
"Start"=dword:00000002
IMAPI CD-Burning COM Service Disabled Disabled Manages CD recording by using the Image Mastering API (IMAPI).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ImapiService]
"Start"=dword:00000004
Indexing Service Manual Disabled Indexes content and properties of files on the Web server to provide rapid access to the file through a flexible query language.
On a dedicated Web server, disable this service unless Web sites or applications specifically leverage the Indexing Service for searching site content.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cisvc]
"Start"=dword:00000004
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) Disabled Disabled Provides network address translation (NAT), addressing and name resolution, and intrusion detection when connected through a dial-up or broadband connection.
On a dedicated Web server, disable to prevent inadvertent enabling of NAT, which would prevent the Web server from communicating with the remainder of the network.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
Intersite Messaging Disabled Disabled Enables messages to be exchanged between computers running windows server sites. If this service is stopped, messages will not be exchanged, nor will site routing information be calculated for other services. If this service is disabled, any services that explicitly depend on it will fail to start. It is Required by Distributed File System (DFS).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IsmServ]
"Start"=dword:00000004
IPSec Services Automatic Automatic Provides management and coordination of Internet Protocol security (IPSec) policies with the IPSec driver.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Start"=dword:00000002
Kerberos Key Distribution Center Disabled Disabled Provides the ability for users to log on using the Kerberos V5 authentication protocol.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc]
"Start"=dword:00000004
License Logging Service Disabled Disabled Monitors and records client access licensing for portions of the operating system, such as IIS, Terminal Services, and file and print sharing, and for products that are not a part of the operating system, such as Microsoft SQL Server or Microsoft Exchange Server.
On a dedicated Web server, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LicenseService]
"Start"=dword:00000004
Logical Disk Manager Automatic Manual Required to ensure that dynamic disk information is up to date.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver]
"Start"=dword:00000003
Logical Disk Manager Administrative Service Manual Manual Required to perform disk administration.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmadmin]
"Start"=dword:00000003
Messenger Disabled Disabled Transmits net sends and Alerter service messages between clients and servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004
Microsoft Software Shadow Copy Manual Disabled Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
On a dedicated Web server, this service can be disabled when volume shadow copies are not used.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swprv]
"Start"=dword:00000004
MSSQLServer Automatic Automatic
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLSERVER]
"Start"=dword:00000002
MSSQLServerADHelper Manual Disabled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSSQLServerADHelper]
"Start"=dword:00000004
Net Logon Manual Disabled Maintains a secure channel between the domain controller, other domain controllers, member servers, and workstations in the same domain and trusted domains.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"Start"=dword:00000004
NetMeeting Remote Desktop Sharing Manual Disabled Eliminates potential security threats by allowing domain-controller remote administration through NetMeeting.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
"Start"=dword:00000004
Network Connections Manual Disabled Manages objects in the Network Connections directory.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman]
"Start"=dword:00000004
Network DDE Disabled Disabled Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the Web server. This service can be disabled when no DDE applications are running locally on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE]
"Start"=dword:00000004
Network DDE DSDM Disabled Disabled Used by Network DDE. This service can be disabled when Network DDE is disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm]
"Start"=dword:00000004
Network Location Awareness (NLA) Manual Disabled Collects and stores network configuration and location information, and notifies applications when this information changes.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"Start"=dword:00000004
NTLM Security Support Provider Manual Manual Provides security to RPC programs that use transports other than named pipes, and enables users to log on using the NTLM authentication protocol.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp]
"Start"=dword:00000003
Performance Logs and Alerts Manual Manual Collects performance data for the domain controller, writes the data to a log, or generates alerts. This service can be set to automatic when you want to log performance data or generate alerts without an administrator being logged on.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog]
"Start"=dword:00000003
Plug and Play Automatic Automatic Required to automatically recognize and adapt to changes in the Web server hardware with little or no user input.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPlay]
"Start"=dword:00000002
Portable Media Serial Number Service Manual Disabled Retrieves the serial number of any portable media player that is connected to the computer.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN]
"Start"=dword:00000004
Print Spooler Automatic Disabled Manages all local and network print queues and controls all print jobs.
On a dedicated Web server, this service can be disabled when no printing is required.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Start"=dword:00000004
Protected Storage Automatic Automatic Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users.
This service is used on a dedicated Web server for smart-card logon.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Start"=dword:00000002
Remote Access Auto Connection Manager Manual Disabled Detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection.
On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto]
"Start"=dword:00000004
Remote Access Connection Manager Manual Disabled Manages VPN and dial-up connection from the Web server to the Internet or other remote networks.
On a dedicated Web server, this service can be disabled when no VPN or dial-up connections are initiated.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"Start"=dword:00000004
Remote Desktop Help Sessions Manager Manual Disabled Manages and controls Remote Assistance.
On a dedicated Web server, this service can be disabled. Use Terminal Services instead.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
"Start"=dword:00000004
Remote Procedure Call (RPC) Automatic Automatic Serves as the RPC endpoint mapper for all applications and services that use RPC communications.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Start"=dword:00000002
Remote Procedure Call (RPC) Locator Manual Disabled Enables RPC clients using the RpcNs* family of application programming interfaces (APIs) to locate RPC servers and manage the RPC name service database.
This service can be disabled if no applications use the RpcNs* APIs.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator]
"Start"=dword:00000004
Remote Registry Service Automatic Disabled Enables remote users to modify registry settings on the Web server, provided the remote users have the required permissions. By default, only members of the Administrators and Backup Operators groups can access the registry remotely.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
Removable Storage Manual Disabled Manages and catalogs removable media, and operates automated removable media devices, such as tape auto loaders or CD jukeboxes.
This service can be disabled when removable media devices are directly connected to the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc]
"Start"=dword:00000004
Resultant Set of Policy Provider Manual Disabled Enables a user to connect to a remote computer, access the Windows Management Instrumentation (WMI) database for that Web server, and then either verify the current Group Policy settings or check the settings before they are applied.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSoPProv]
"Start"=dword:00000004
Routing and Remote Access Disabled Disabled Enables LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess]
"Start"=dword:00000004
Secondary Logon Automatic Disabled Allows you to run specific tools and programs with different permissions and user rights than the default permissions and user rights of the account under which you logged on.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Start"=dword:00000004
Security Accounts Manager Automatic Automatic A protected subsystem that manages user and group account information.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs]
"Start"=dword:00000002
Server Automatic Disabled Provides RPC support, file sharing, print sharing, and named pipe sharing over the network.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver]
"Start"=dword:00000004
Shell Hardware Detection Automatic Disabled Provides notification for AutoPlay hardware events.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ShellHWDetection]
"Start"=dword:00000004
Smart Card Manual Disabled Manages and controls access to a smart card that is inserted into a smart card reader attached to the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr]
"Start"=dword:00000004
Special Administration Console Helper Manual Disabled Allows administrators to remotely access a command prompt by using Emergency Management Services.
This service can be disabled when Emergency Management Services is not being used to remotely manage the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sacsvr]
"Start"=dword:00000004
SQLServerAgent Automatic Automatic
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SQLSERVERAGENT]
"Start"=dword:00000002
System Event Notification Automatic Automatic Monitors system events and notifies subscribers to the COM+ Event System of these events.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"Start"=dword:00000002
Task Scheduler Automatic Disabled Provides the ability to schedule automated tasks on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Start"=dword:00000004
TCP/IP NetBIOS Helper Service Automatic Disabled Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000004
Telephony Manual Disabled Provides Telephony API (TAPI) support of client programs that control telephony devices and IP-based voice connections.
On a dedicated Web server, this service can be disabled when TAPI is not used by applications.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv]
"Start"=dword:00000004
Telnet Manual Disabled Enables a remote user to log on and run applications from a command line on the Web server.
To reduce the attack surface, disable Telnet unless it is used for remote administration of branch offices or of Web servers that have no keyboard or monitor directly attached (also known as headless Web servers). Because Telnet traffic is plaintext, Terminal Services is the preferred method for remote administration.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000004
Terminal Services Manual Disabled Allows multiple remote users to be connected interactively to the Web server, and provides display of desktops and run applications.
To reduce the attack surface, disable Terminal Services unless it is used for remote administration of branch offices or headless Web servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000004
Terminal Services Session Directory Disabled Disabled Enables a user connection request to be routed to the appropriate terminal server in a cluster.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tssdis]
"Start"=dword:00000004
Themes Disabled Disabled Provides user-experience theme management.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Start"=dword:00000004
Uninterruptible Power Supply Automatic Disabled Manages an uninterruptible power supply (UPS) that is connected to the Web server by a serial port.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
"Start"=dword:00000004
Upload Managers Manual Disabled Manages the synchronous and asynchronous file transfers between clients and servers on the network. Driver data is anonymously uploaded from these transfers and then used by Microsoft to help users find the drivers they need. The Driver Feedback Server asks for the permission of the client to upload the hardware profile of the Web server and then search the Internet for information about how to obtain the appropriate drivers or how to get support.
To reduce the attack surface, disable this service on dedicated Web servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Uploadmgr]
"Start"=dword:00000004
Virtual Disk Services Manual Disabled Provides software volume and hardware volume management service.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VDS]
"Start"=dword:00000004
Volume Shadow Copy Manual Disabled Manages and implements volume shadow copies that are used for backup and other purposes.
This service can be disabled when volume shadow copies are used on the Web server.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS]
"Start"=dword:00000004
WebClient Disabled Disabled Enables Windows-based programs to create, access, and modify Internet-based files.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
"Start"=dword:00000004
Windows Audio Disabled Disabled Manages audio devices for Windows-based programs.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
"Start"=dword:00000004
Windows Image Acquisition (WIA) Disabled Disabled Provides image acquisition services for scanners and cameras.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\StiSvc]
"Start"=dword:00000004
Windows Installer Manual Disabled Adds, modifies, and removes applications that are provided as a Windows Installer (.msi) package.
NOTE: You may need to set this service to Manual when you apply patches to this server. Deployments may fail if you do not set this. Do NOT leave as manual as this will increase your risk of attack.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Start"=dword:00000004
Windows Management Instrumentation Automatic Automatic Provides a common interface and object model to access management information about the Web server through the WMI interface.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"Start"=dword:00000002
Windows Management Instrumentation Driver Extensions Manual Manual Monitors all drivers and event trace providers that are configured to publish WMI or event trace information.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
"Start"=dword:00000003
Windows Time Automatic Automatic Sets the Web server clock, and maintains date and time synchronization for all computers in the network.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Start"=dword:00000002
WinHTTP Web Proxy Auto-Discovery Service Manual Disabled Implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP services (WinHTTP) and enables an HTTP client to automatically discover a proxy configuration.
On dedicated Web servers, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc]
"Start"=dword:00000004
Wireless Configuration Automatic Disabled Enables automatic configuration for IEEE 802.11 adapters.
On dedicated Web servers without wireless network adapters, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
"Start"=dword:00000004
WMI Performance Adapter Manual Disabled Provides performance library information from WMI providers to clients on the network.
On dedicated Web servers that do not use WMI to provide performance library information, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiApSrv]
"Start"=dword:00000004
Workstation Automatic Disabled Creates and maintains client network connections to remote servers.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Start"=dword:00000004
WWW Publishing Service Automatic Automatic
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC]
"Start"=dword:00000002
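A pre-import check for a .reg file assembled from a list like this one, as an added example that is not part of the original answer: it parses the file, rejects key paths broken by stray whitespace (a common result of copying paths from a rendered forum page) and Start values outside 0-4, then compares what remains with the recommended value for six of the asker's services. The function names, the BASELINE dict and the sample file are constructed for illustration, and the check assumes service key names contain no spaces.

```python
import re

# Start values understood by the Service Control Manager.
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
HEADERS = {"windows registry editor version 5.00", "regedit4"}
START_RE = re.compile(r'^"Start"=dword:([0-9A-Fa-f]{1,8})$')

# Recommended values from the list above for six of the asker's services
# (dict name and layout are this example's own).
BASELINE = {"Messenger": 4, "RasMan": 4, "RDSessMgr": 4,
            "SCardSvr": 4, "WZCSVC": 4, "mnmsrvc": 4}


def parse_reg(text):
    """Return ({service: start_value}, [problem strings]) for a .reg file."""
    entries, problems = {}, []
    lines = text.splitlines()
    header_ok = bool(lines) and lines[0].strip().lower() in HEADERS
    if not header_ok:
        problems.append("line 1: missing registration file header")
    service = None
    for num, raw in enumerate(lines, start=1):
        line = raw.strip()
        if (num == 1 and header_ok) or not line or line.startswith(";"):
            continue
        if line.startswith("["):
            service = None  # a new key always ends the previous one
            if not line.endswith("]"):
                problems.append(f"line {num}: unterminated key path")
                continue
            path = line[1:-1]
            if not path.upper().startswith(PREFIX.upper()):
                squeezed = re.sub(r"\s+", "", path)
                broken = squeezed.upper().startswith(PREFIX.upper())
                why = "whitespace inside key path" if broken else "not a Services key"
                problems.append(f"line {num}: {why}")
                continue
            name = path[len(PREFIX):]
            # Assumption: subkeys and names with spaces are treated as damage.
            if not name or "\\" in name or re.search(r"\s", name):
                problems.append(f"line {num}: suspicious service key name {name!r}")
                continue
            service = name
            continue
        match = START_RE.match(line)
        if match is None:
            continue  # values other than "Start" are not checked here
        if service is None:
            problems.append(f"line {num}: Start value without a valid service key")
            continue
        value = int(match.group(1), 16)
        if value not in START_TYPES:
            problems.append(f"line {num}: Start value {value} is not 0-4")
            continue
        entries[service] = value
    return entries, problems


def audit(entries, baseline=BASELINE):
    """Return (service, wanted, found) for each baseline entry not satisfied."""
    found = {name.lower(): value for name, value in entries.items()}
    findings = []
    for name in sorted(baseline, key=str.lower):
        got = found.get(name.lower())  # registry key names are case-insensitive
        if got != baseline[name]:
            findings.append((name, baseline[name], got))
    return findings


# Constructed sample: one good entry, one path damaged by pasted whitespace,
# one service left at Manual, and one impossible Start value.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM \CurrentCo ntrolSet\S ervices\SC ardSvr]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WZCSVC]
"Start"=dword:00000007
"""

if __name__ == "__main__":
    parsed, issues = parse_reg(SAMPLE)
    for issue in issues:
        print("REJECT", issue)
    for svc, want, got in audit(parsed):
        state = "missing" if got is None else START_TYPES[got]
        print(f"DEVIATION {svc}: want {START_TYPES[want]}, file has {state}")
```
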
On dedicated Web servers, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM
"Start"=dword:00000004
Wireless Configuration Automatic Disabled Enables automatic configuration for IEEE 802.11 adapters.
On dedicated Web servers without wireless network adapters, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM
"Start"=dword:00000004
WMI Performance Adapter Manual Disabled Provides performance library information from WMI providers to clients on the network.
On dedicated Web servers that do not use WMI to provide performance library information, this service can be disabled.
[HKEY_LOCAL_MACHINE\SYSTEM
"Start"=dword:00000004
Workstation Automatic Disabled Creates and maintains client network connections to remote servers.
[HKEY_LOCAL_MACHINE\SYSTEM
"Start"=dword:00000004
WWW Publishing Service Automatic Automatic
[HKEY_LOCAL_MACHINE\SYSTEM
"Start"=dword:00000002
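A way to check a .reg file against the intended startup types before distributing it, added here as an example and not part of the answer above. The service names are placeholders (the key paths in the listing are cut off), and values 0 (Boot) and 1 (System) are the standard remaining Start values alongside the 2, 3 and 4 used above.

```python
import re

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
HEADERS = ("WINDOWS REGISTRY EDITOR VERSION 5.00", "REGEDIT4")
START_RE = re.compile(r'"Start"\s*=\s*dword:([0-9a-f]{1,8})', re.I)

# Constructed sample; ExampleSvcA/B/C are placeholder service names.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvcA]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvcB]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvcB\Parameters]
"Start"=dword:00000002
"""
BASELINE = {"ExampleSvcA": "Disabled", "ExampleSvcB": "Disabled", "ExampleSvcC": "Automatic"}

def parse_service_starts(reg_text):
    """Return {service name (lower case): Start value} for keys directly under Services."""
    lines = reg_text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip().upper() not in HEADERS:
        raise ValueError("first line is not a .reg version header")
    starts, service = {}, None
    for line in (raw.strip() for raw in lines[1:]):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # Registry paths are case-insensitive; subkeys such as \Parameters are not services.
            rest = key[len(SERVICES):] if key.upper().startswith(SERVICES.upper()) else ""
            service = rest.lower() if rest and "\\" not in rest else None
        elif service and (m := START_RE.fullmatch(line)):
            starts[service] = int(m.group(1), 16)
    return starts

def audit(reg_text, baseline):
    """List every service whose Start value in the file differs from the baseline."""
    found = parse_service_starts(reg_text)
    findings = []
    for name, want in baseline.items():
        got = found.get(name.lower())
        if got is None:
            findings.append(f"{name}: no Start entry in file")
        elif START_TYPES.get(got, "Unknown") != want:
            findings.append(f"{name}: file sets {START_TYPES.get(got, got)}, baseline says {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG, BASELINE)))
```

A Start value written under a subkey such as `\Parameters` is ignored, so a file that only sets the value one level too deep shows up as a missing entry.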
ASKER
Sorry about this one. I thought I closed it already!
Points went where I wanted anyway so thanks and I'll try to watch this behaviour
Group policy is the cleanest way to make any of the requested changes. It will make the registry changes for you without the oops factor.
gpedit.msc on a local machine.
- set 'Start' key = 4
HKLM\System\CurrentControl
- set 'Start' key = 4
HKLM\System\CurrentControl
- set 'Start' key = 4
HKLM\System\CurrentControl
- set 'Start' key = 4
HKLM\System\CurrentControl
- set 'Start' key = 4
HKLM\System\CurrentControl
- set 'Start' key = 4