Finding Service And Device Driver Information In The Registry
When you install a service under Windows NT on your computer, the setup program for the service creates service-specific subkeys under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceOrDeviceName key, where ServiceOrDeviceName is the name of the installed service or device. If you look at the Server service key (in the registry as LanmanServer), as shown in Figure 12.4, you can see some of the system-specific keys you might encounter while traversing the registry.
Figure 12.4 Examining a service key with the Registry Editor.
A service's root key contains service-specific information that you can use to determine various dependencies, the service's display name, the service's startup type, the executable file for the service, and various other bits of information. This information can be extremely valuable in troubleshooting a failed service or gaining a fuller understanding of how Windows NT functions. The basic subkeys you might find of interest include the following:
- DependsOnGroup: Specifies that the service or device depends on other services or devices before it can be started. While not all-inclusive, Table 12.2 includes a list of service and device dependencies for the base Windows NT product.
Table 12.2 Windows NT Server DependsOnGroup values.
| Service Or Device | Depends On Group | Display Name |
|---|---|---|
| 4mmdat | SCSI miniport | N/A |
| bh | NDIS | Network Monitor Agent Driver |
| Cdfs | SCSI CDROM Class | N/A |
| Cdrom | SCSI miniport | N/A |
| Disk | SCSI miniport | N/A |
| DLC | NDIS | DLC Protocol |
| LanmanServer | TDI | Server |
| LanmanWorkstation | TDI | Workstation |
| LmHosts | Network Provider | TCP/IP NetBIOS Helper |
| NetBIOS | TDI | NetBIOS Interface |
| Parallel | Parallel arbitrator | N/A |
| ParVDM | Parallel arbitrator | N/A |
| Scsiprnt | SCSI miniport | N/A |
| Scsiscan | SCSI miniport | N/A |
| Sfloppy | SCSI miniport | N/A |
| SimpTcp | TDI | Simple TCP/IP Services |
| Streams | NDIS | Streams Environment |
- DependsOnService: Specifies that the service depends on other services before it can be started. While not all-inclusive, Table 12.3 includes a list of service dependencies for the base Windows NT product.
Table 12.3 Windows NT Server DependsOnService values.
| Service | Depends On Service(s) | Display Name |
|---|---|---|
| Alerter | LanmanWorkstation | Alerter |
| Browser | LanmanWorkstation, LanmanServer, LmHosts | Browser |
| ClipSrv | NetDDE | Clipbook Server |
| DHCP | Afd, NetBT, TCPIP | DHCP Client |
| DHCP Server | Rpcss, NTLMSSP | DHCP Server |
| DNS | Afd, NetBT, TCPIP, Rpcss, NTLMSSP | Microsoft DNS Server |
| GopherSvc | Rpcss, NTLMSSP | Gopher Publishing Service |
| LdapSVC | Rpcss | Microsoft LDAP Service |
| Messenger | LanmanWorkstation, NetBIOS | Messenger |
| MSFTPSvc | Rpcss, NTLMSSP | FTP Publishing Service |
| NetBT | TCPIP | WINS Client (TCP/IP) |
| NetDDE | NetDDEDSDM | Network DDE |
| NetLogon | LanmanWorkstation, LmHosts | Net Logon |
| NmAgent | bh | Network Monitor Agent |
| NsoSvc | Rpcss, NTLMSSP | Microsoft Netshow OnDemand Server Service |
| Parallel | Parport | N/A |
| ParVDM | Parport | N/A |
| RASArp | TCPIP | Remote Access ARP Service |
| RASAuto | RasMan | Remote Access Autodial Manager |
| RASMan | tapisrv | Remote Access Connection Manager |
| Remote Access | LanmanServer, RasMan, NetBIOS, NetBt, Nbf | Remote Access Server |
| Replicator | LanmanServer, LanmanWorkstation | Replicator |
| RPCLocator | LanmanWorkstation, RDR | Remote Procedure Call (RPC) Locator |
| SimpTcp | Afd | Simple TCP/IP Services |
| SNMP | TCPIP, EventLog | SNMP Service |
| SNMPTrap | TCPIP, EventLog | SNMP Trap Service |
| W3Svc | Rpcss, NTLMSSP | World Wide Web Publishing Service |
| WINS | Rpcss, NTLMSSP | Windows Internet Name Service |
- DisplayName: Specifies the full text-based name used for display purposes.
- ErrorControl: Specifies a value that is used to determine how Windows NT will handle an error during a service or device startup. If the value is 0x0 (No Error), no error will be reported. If the value is 0x1 (Normal), an error will be reported, but the system startup process will continue. If the value is 0x2 (Severe Error) or 0x3 (Critical Error), an error will be reported, and the Last Known Good Configuration will be used.
- Group: For convenience, device drivers can be ranked in a group. This group specifies a load order for the device drivers at startup time. While not all-inclusive, the following list includes the service groups for the base Windows NT product:
  - BASE: Beep, KsecDD, Null
  - Boot Files System: Fastfat, Fs_Rec
  - Event Log: EventLog
  - Extended Base: Modem, Parallel, Scsiprnt, Serial
  - File System: Cdfs, Msfs, Npfs, Ntfs
  - Filter: Cdaudio, Changer, Diskperf, Ftdisk, Simbad
  - Keyboard Class: Kbdclass
  - Keyboard Port: i8042prt
  - NDIS: EE16, NDIS
  - NetBIOSGroup: NetBIOS
  - NetDDEGroup: NetDDE
  - Network: Mup, Rdr, Srv
  - NetworkProvider: LanmanWorkstation
  - Parallel Arbitrator: Parport
  - PCI Configuration: PCIDump
  - PlugPlay: PlugPlay
  - Pointer Class: Mouclass
  - Pointer Port: Busmouse, Inport, Sermouse
  - Port: None
  - PNP_TDI: NetBT, Tcpip
  - Primary Disk: Abiosdsk, Atdisk, Floppy, Sfloppy
  - RemoteValidation: NetLogon
  - SCSI CDROM Class: Cdrom
  - SCSI Class: Disk, Scsiscan
  - SCSI Miniport: Aha154x, Aha174x, aic78xx, Always, ami0nt, amsint, Arrow, atapi, BusLogic, Cpqarray, dac960nt, dce376nt, Delldsa, DptScsi, dtc329x, Fd16_700, Fd7000ex, Fd8xx, mitsumi, mkecr5xx, Ncr53c9x, Ncrc700, Ncrc710, ncrc810, Oliscsi, Ql10wnt, slcd32, Sparrow, Spock, T128, T13B, tmv1, Ultra124, Ultra14f, Ultra24f, Wd33c93
  - SpoolerGroup: Spooler
  - Streams Drivers: None
  - System Bus Extender: Pcmcia
  - TDI: Afd, DHCP
  - Video: Ati, Cirrus, Dell_DGX, Et400, Jazzg30, Jazzg364, Jzvxl484, mga, mga_mil, ncr77c22, psidisp, qv, s3, tga, v7vram, VgaSave, wd90c24a, wdvga, weitekp9, Xga
  - Video Init: VgaStart
  - Video Save: VgaSave
- ImagePath: Specifies the full path and file name of the application to load.
- Start: Specifies the startup value for the service or device driver. These values include:
  - 0x0: Only applicable to device drivers and specifies that the device driver is a Boot time device. Boot time devices are considered part of the driver stack and are loaded automatically as part of the boot loader process.
  - 0x1: Only applicable to device drivers and specifies that the device driver is a System device loaded by the I/O subsystem at kernel initialization.
  - 0x2: Specifies that the service or device is an Auto Load service or device and is started at system startup by the Service Control Manager.
  - 0x3: Specifies that the service or device is a Load On Demand service or device and can be started at any time by the Service Control Manager.
  - 0x4: Specifies that the service or device is a Disabled service or device and can be loaded at any time by the Service Control Manager, but not started.
- Type: Specifies the type of service or device driver. These values include:
  - 0x1: A kernel mode device driver.
  - 0x2: A file system device driver. File system device drivers are also kernel mode drivers.
  - 0x4: An argument list for a hardware device.
  - 0x10: A Win32 application that operates in its own process address space and provides an interface to the Service Control Manager. This allows the Service Control Manager to start, stop, pause, and continue a service. Not all services support the pause and continue commands.
  - 0x20: A Win32 service that can operate in a shared address space with other Win32 services.
Note: You might also encounter the key ObjectName in a service key. This key contains the account name the service will use to log on to the computer when started, if the type is a Win32 service (0x10 or 0x20). If the type is a kernel mode device driver (0x1) or file system device driver (0x2), then the key contains the driver object name that the Windows NT I/O Manager will use to load the device driver.
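When troubleshooting a failed service, the Start and DependsOnService values described above can be combined to find Auto Load services whose dependency chain contains a Disabled or missing service. The following Python code is an added example, not code from the original text; the function names are hypothetical, and it assumes the values have already been read from each service key into a dictionary (the sample data is constructed).

```python
from graphlib import TopologicalSorter  # standard library, Python 3.9+

START = {0x0: "Boot", 0x1: "System", 0x2: "Auto Load", 0x3: "Load On Demand", 0x4: "Disabled"}

# Constructed sample. The DependsOnService lists follow Table 12.3; the Start
# values are invented for illustration and are not taken from a real system.
SAMPLE = {
    "TCPIP":             {"Start": 0x1, "DependsOnService": []},
    "NetBT":             {"Start": 0x2, "DependsOnService": ["TCPIP"]},
    "LmHosts":           {"Start": 0x4, "DependsOnService": []},
    "LanmanWorkstation": {"Start": 0x2, "DependsOnService": []},
    "LanmanServer":      {"Start": 0x2, "DependsOnService": []},
    "Browser":   {"Start": 0x2, "DependsOnService": ["LanmanWorkstation", "LanmanServer", "LmHosts"]},
    "Messenger": {"Start": 0x2, "DependsOnService": ["LanmanWorkstation", "NetBIOS"]},
    "RASMan":    {"Start": 0x3, "DependsOnService": ["tapisrv"]},
}

def normalise(services):
    """Service key names are case-insensitive, so compare them in lower case."""
    return {name.lower(): {"Start": v["Start"],
                           "deps": [d.lower() for d in v["DependsOnService"]]}
            for name, v in services.items()}

def all_dependencies(name, svc, seen=None):
    """Every service that `name` needs, directly or through another service."""
    seen = set() if seen is None else seen
    for dep in svc.get(name, {"deps": []})["deps"]:
        if dep not in seen:
            seen.add(dep)
            all_dependencies(dep, svc, seen)
    return seen

def blocked_autostart(services):
    """Auto Load (0x2) services whose dependency chain cannot be started."""
    svc, report = normalise(services), {}
    for name in (n for n, v in svc.items() if v["Start"] == 0x2):
        problems = [f"{d}: no service key" if d not in svc else f"{d}: {START[svc[d]['Start']]}"
                    for d in sorted(all_dependencies(name, svc))
                    if d not in svc or svc[d]["Start"] == 0x4]
        if problems:
            report[name] = problems
    return report

def start_order(services):
    """Dependency-first order; graphlib raises CycleError on circular dependencies."""
    svc = normalise(services)
    return list(TopologicalSorter({n: [d for d in v["deps"] if d in svc]
                                   for n, v in svc.items()}).static_order())
```

In the sample, Browser is reported because LmHosts is Disabled and Messenger because no NetBIOS key is present, while RASMan is skipped because it is Load On Demand rather than Auto Load.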