11.4 HKLM\SYSTEM
HKLM\SYSTEM is where Windows 2000 and NT keep their crown jewels: the
configuration settings that boot the current incarnation of the
machine, as well as a number of ancillary settings that govern pretty
much everything the OS and kernel services do.
There are four subkeys of interest directly beneath HKLM\SYSTEM:
- Disk
This subkey stores
information about the physical and logical disk volumes on your
machine. When you run the Disk Administrator utility for the first
time, this key is created; subsequent runs of Disk Administrator
update the key's data, which then keeps track of how your disks are
configured.
- MountedDevices
This Windows 2000 subkey replaces the Disk subkey used in NT 4.0. It's
used by the NTFS filesystem to link volume names with the internal
identifiers of the volumes, which are usually derived from a volume's
disk signature.
- Select
Ever wonder how a
Windows 2000/NT system keeps track of which control set is the
"last known good" set? Here's the answer! Each of
the four values is a REG_DWORD that contains the ordinal index of a
ControlSetXXX entry under HKLM\SYSTEM:
- Current
Contains the ID of the control set currently in use; this set is the
one linked to HKLM\SYSTEM\CurrentControlSet.
- Default
Contains the ID of the control set that boots the machine next time,
unless you manually intervene during the boot process.
- LastKnownGood
Contains the ID of the "last known good" set; this ID
changes only when a boot fails.
- Failed
Contains the ID of the control set in force the last time a boot
failed.
- Setup
This key holds settings that the Windows 2000/NT setup installer uses
to figure out which installation phases have been completed and where
the installation currently stands.
Warning: Experimenting with the Setup key may bring you a visit from
the Blue Screen of Death with a SYSTEM_LICENSE_VIOLATION fault code.
- SetupType
Indicates whether the setup program is running in GUI mode, in text
mode, or not at all.
- SystemSetupInProgress
This REG_DWORD is 1 if the system is in the middle of a setup, and 0
otherwise. The system uses this value to figure out what to do after
a reboot; that's how it knows what to do when you reboot
partway through setup.
- SystemPartition
Contains the ARC path (e.g.,
\Device\HarddiskVolume1) to the system
partition.
- OsLoaderPath
Points to the path (relative to SystemPartition) where the Windows
2000/NT boot loader lives. On x86 machines, this is usually
"\", but on Alpha machines, it may point elsewhere.
- NetcardDlls
This REG_MULTI_SZ stores the names of the DLLs needed for the network
cards detected in the final phase of the system's setup
operation.
11.4.1 SYSTEM\CurrentControlSet\Hardware Profiles
Hardware profiles let you establish
multiple "personalities" for a single machine that may
have different configurations. For example, my desktop box has a
BusLogic SCSI card that runs the boot disk and some additional
external hardware. I occasionally need to add a second SCSI
controller. If I left the second card's driver permanently
installed, it would fail to start at boot time, and the system would
complain about a driver failure. Instead, I create a new hardware
profile and enable the card driver for that profile only.
By default, CurrentControlSet\Hardware Profiles has two subkeys:
0001 (the
first profile on the machine) and CurrentProfile, which links to one
of the available profiles. When you add a new hardware profile for
Windows 2000 in the System control panel's Hardware tab
(Hardware Profiles tab, for NT), the system creates a new subkey of
Hardware Profiles for you. You can then customize the profile with
the System control panel or the Devices and Services control
panels.
The actual contents of the hardware profile keys are pretty sparse:
they consist of small subtrees of HKLM\SOFTWARE and
HKLM\SYSTEM\CurrentControlSet. The profiles include only flags that
have been changed from the base hardware profile; for example, the
only difference in my one-SCSI and two-SCSI profiles is that the
one-SCSI profile has an entry for the second card's driver that
tells the driver it's disabled.
11.4.2 SYSTEM\CurrentControlSet\Control
This key's named
Control for a good reason: its subkeys and values control much of the
kernel's functionality.
11.4.2.1 Control\BackupRestore
This Windows 2000 subkey contains values that tell the system which
files Backup should not back up and which keys Backup should not
restore. These values are separated into two subkeys, namely
FilesNotToBackup and KeysNotToRestore.
11.4.2.2 Control\BootVerificationProgram
The BootVerificationProgram
specifies a program that is run by the Windows 2000/NT service loader
at boot time. Its job is to judge whether a boot was successful or
not; if not, the machine can be rebooted using the last known good
control set instead. Additionally, this program can call
Bootok.exe, a Windows 2000 executable, which
informs the operating system the boot was successful.
The only value under this key is ImagePath, which you use to specify
the full path to the boot verification program you want to run.
11.4.2.3 Control\Class
The Control\Class key lists instances of devices such as mice, SCSI
controllers, and sound cards. Each class of device has a subkey named
with the class's GUID (the text calls it a CLSID). These keys may have
subkeys; for example, the modem key (whose GUID is the unpronounceable
"{4D36E96D-E325-11CE-BFC1-08002BE10318}") has one subkey for each
installed modem, and each of these subkeys in turn has its own
parameters stored as subkeys and values.
11.4.2.4 Control\CrashControl
Much as Microsoft would like to pretend otherwise, Windows 2000 and
NT machines crash just like any other kind. What happens when a crash
occurs depends on the values set in the CrashControl key. You
normally adjust these values on the Startup and Recovery dialog
through the Advanced tab (Startup/Shutdown tab on NT machines) of the
System control panel, but setting them directly in the Registry (or
via a policy editor) gives you an easy way to control what happens
during a crash.
- LogEvent
When this REG_DWORD is set to 1, a crash generates an entry in the
system event log. When it's 0, as it is by default on Windows
2000 Professional and NT machines, no event log entry is created.
- SendAlert
This REG_DWORD causes an administrative alert message to be broadcast
when it's set to 1; its default value is 0.
- CrashDumpEnabled
Windows 2000 and NT systems may or may not generate their equivalent
of a core file when a crash occurs. You decide which it is by setting
this REG_DWORD to 0 (don't generate a dump file) or 1 (do generate
one). These files can be loaded by a variety of postmortem debuggers
you can use to isolate the cause of a particular or persistent crash.
The default is 0 on Windows 2000 Professional and NT machines, and 1
on Windows 2000 Servers.
- AutoReboot
You can have a crashed machine reboot itself automatically by
changing this REG_DWORD value from its default of 0 to 1.
- DumpFile
This REG_EXPAND_SZ specifies where the crash dump should go. By
default, it ends up in the system directory with a name of
memory.dmp.
- Overwrite
When this REG_DWORD is 1, the crash dump file is overwritten when a
new crash occurs; when it's 0, the dump file is preserved, and
a new one created.
- KernelDumpOnly
This REG_DWORD specifies whether the entire contents of system memory
are dumped (value of 0) or only that portion of memory that is used
by the operating system kernel (value of 1). By default, the entire
contents of memory are copied to the dump file.
- NMICrashDump
This value specifies whether a nonmaskable interrupt (NMI), caused by
a hardware error, triggers software error processing. When this
REG_DWORD value is 0, as it is by default, only a hardware
malfunction message appears. When set to 1, standard software error
processing follows the hardware message.
11.4.2.5 Control\Enum
Subkeys of this
key contain information about every driver, device, or service that
might potentially be attached to the machine. For example,
Control\Enum contains entries for the ATAPI driver even on machines
with no ATAPI interface. These keys are used by the system to map
devices and services with their drivers and configuration data.
11.4.2.6 Control\FileSystem
These values control the Windows 2000/NT
filesystem's naming behavior.
The
filesystem itself is self-tuning and doesn't store any
parameters out in the open where they can be tweaked, so you'll
have to content yourself with these.
- Win31FileSystem
If you set this REG_DWORD to 1, any FAT volumes suddenly start acting
like old-style Win3.x volumes: neither long filenames nor
access/modification times are created or updated. By default, this
option is off, but you may need to turn it on if you're using
Win3.x or DOS applications that can't handle even a hint of
long filenames.
- NtfsDisable8dot3NameCreation
By default (i.e., when this value's set to 0), NTFS creates 8.3
names for long filenames. This slows things down. Set this value to 1
to prevent NTFS from creating 8.3 names; this means that DOS
applications and computers using different languages from yours may
not be able to access files on an NTFS share.
- NtfsDisableLastAccessUpdate
NTFS keeps track of when each file and directory was last accessed.
This time-stamp is even updated when you get a directory listing or
otherwise traverse a directory; as you might expect, this imposes a
performance penalty. Set this REG_DWORD to 1 to turn the last-access
timestamp off or to 0 (the default) to turn it on.
- NtfsAllowExtendedCharacterIn8dot3Name
This DWORD controls whether characters outside the standard printable
ASCII set (including characters from languages other than the system
language) may be used in 8.3 names on NTFS volumes. If the value is 0
(the default), 8.3 names can contain only legal ASCII characters; if
it's 1, any nonreserved character may be used.
- Win95TruncatedExtensions
Win95 honors only the first three characters of file extensions. By
default, this REG_DWORD is set to 0, which forces Windows 2000 and NT
to truncate extensions to the first three characters. Set it to 1 and
reboot to take advantage of full-length extensions on NTFS volumes.
- NtfsEncryptionService
New to Windows 2000, NTFS provides confidentiality to files and
directories by way of encryption. This REG_SZ value determines which
encryption service NTFS should use to protect its files. Currently
the default and only allowable value is Efs, which specifies the
encryption filesystem (EFS) provided by Windows 2000. The presence or
absence of this value in the Windows 2000 Registry affects whether
files and directories are encrypted or decrypted. That determination
can be made selectively through Windows Explorer.
11.4.2.7 Control\Hivelist
This subkey holds the locations of the
system's hive files. See Chapter 2, for a discussion of hive
files. It's important to leave these values alone; if you
don't, you can prevent the system from finding one or more
necessary hive files, which will probably render your machine
unbootable.
11.4.2.8 Control\LSA
The Local Security Authority, or
LSA, is the Windows 2000 and NT security component charged with
enforcing access controls on local objects. For the most part it does
an admirable job; however, there's one significant security
problem this key causes.
The Notification Packages value contains a list
of DLLs that are notified any time a user changes an account
password. This is supposed to allow seamless synchronization of
NetWare and system passwords; the default value for this entry is
"FPNWCLNT," which is the name of the File and Print
Services for NetWare DLL. However, if you're not running the
NetWare module, an attacker can load his own
FPNWCLNT.DLL and use it to steal passwords.
To guard against this, set the Registry ACL on this key to limit any
nonadministrator access. If you're not running the NetWare
services, remove FPNWCLNT from this value. If you are, set a file ACL
on the FPNWCLNT.DLL file so it can't be
removed or replaced.
11.4.2.9 Control\Print
Control\Print, rather unsurprisingly, contains
configuration and settings data for the Windows 2000 and NT printing
subsystem. One handy feature of the Windows 2000/NT print mechanism
is that it supports remote printer drivers, meaning that you can
install drivers for Win95, Win3.x, and various flavors of NT on a
central server and feed them to clients as needed. These drivers are
registered in the Environments subkey of this key; there are also
some useful values directly beneath Control\Print:
- MajorVersion and MinorVersion
These two REG_DWORD values specify the major and minor version of the
printer subsystem.
- DisableServerThread
This value controls whether printer shares advertise themselves over
the network. You have to manually add this REG_DWORD value and set it
to 1 to turn off the thread; if it doesn't exist, or if its
value is 0, the thread remains active.
- SchedulerThreadPriority
This value raises or lowers the priority of the printer scheduling
thread. It's a REG_DWORD, and its default value of 0 means
"leave the thread at normal priority." You can set
this value to either 1 (which raises the thread's priority) or
0xFFFFFFFF (which lowers it).
- BeepEnabled
If you want notification when a remote print job fails, set this
REG_DWORD to 1, and your system will beep every 10 seconds when a
remote print job error occurs. The default value of 0 prevents any
unnerving beeping from disturbing you while working.
- NoRemotePrinterDrivers
You might find it desirable to tell NT not to
serve remote drivers for some devices. The default value of this
REG_SZ is "Windows NT Fax Driver," meaning that
particular driver won't ever be offered to remote clients.
11.4.2.10 Control\SecurePipeServers
This key allows you to restrict remote access to the Registry, which
I strongly recommend you do. See Section 9.3 in Chapter 9.
11.4.2.11 Control\Session Manager
The Session Manager key contains a group of private configuration
parameters Windows 2000 and NT use for internal housekeeping.
Microsoft warns against editing these values.
- ObjectDirectories
This REG_MULTI_SZ names the object directories that the system
creates at boot time. Do not edit them at the risk of rendering your
machine unbootable.
- BootExecute
This REG_SZ value specifies the applications, services and commands
run at boot time. The Windows 2000 default value runs
Autochk.exe. After a crash it's set to run
CHKDSK, and after you convert a FAT volume to
NTFS it's set to autocheck autoconv \DosDevices\x:
/FS:NTFS.
- ProcessorControl
This REG_DWORD value indicates whether the
system has run a processor check routine to determine if the
processor supports advanced memory management features. This value
should not be modified or deleted.
- RegisteredProcessors
This REG_DWORD controls how many processors the system attempts to
use. The default value is 4 on Windows 2000 Server machines and 2 on
machines running Windows 2000 Professional.
- LicensedProcessors
This value specifies how many processors this version of the
operating system is licensed to handle. Editing it may cause a
blue-screen crash with SYSTEM_LICENSE_VIOLATION.
11.4.2.12 Control\Session Manager\Memory Management
This key deserves its own section even though nearly all values are
disabled by default on Windows 2000 machines, and most NT machines
won't ever even have this subkey. One alleged advantage of NT
over some Unix variants is that NT self-tunes its virtual memory
system for maximum performance. Part of this tuning is calculating
how big a pagefile to use and how much physical RAM to reserve as a
sort of rainy-day fund. The algorithm that actually performs the
tuning takes into account how much physical RAM your machine has.
Article Q126402 in the Microsoft knowledge base provides a
complicated formula you can use to approximate what this algorithm
does.
A few of the values within the Memory Management subkey are present
to override the normally calculated system values. The PagedPoolSize
and NonPagedPoolSize values, if present, override the self-tuning
mechanism; if their values are 0, the self-tuning goes back into
effect. The PagedPoolQuota and NonPagedPoolQuota values also override
system calculations. They hold the maximum space a process can
allocate in the paged pool and nonpaged pool, respectively. Again, a
setting of 0 allows the system to calculate an optimum value. I
strongly recommend
leaving these values alone unless you see a Knowledge Base article or
other reliable suggestion to do otherwise.
11.4.3 SYSTEM\CurrentControlSet\Services
Many Windows 2000 and NT
components are implemented as services,
which are roughly equivalent to Unix daemons or NetWare
NLMs--small faceless programs that run in the background, even
when no users are logged in. Services can be device drivers,
application servers, or any other kind of background task, and they
can run in the local system context or be bound to run under a
particular account.
By convention, standard and optional Windows 2000 and NT's
system services store their parameters under the Services subkey of
the current control set. Third-party services may store their
settings here, or they may choose to use HKLM\SOFTWARE.
All the services whose settings live in
SYSTEM\CurrentControlSet\Services have some combination of the
following values attached to them:
- DependOnGroup
This REG_MULTI_SZ names all the prerequisite groups for this service.
For example, a SCSI PC Card reader might name
"SCSIMiniport" here to indicate that its service
shouldn't be started until at least one service in the
"SCSIMiniport" group has been successfully started.
- DependOnService
Like DependOnGroup, this REG_MULTI_SZ contains a list of
prerequisites for a service; the difference is that this value
contains names of services that must be started first, not entire
groups.
- ImagePath
This REG_EXPAND_SZ specifies where the actual executable for this
service is located. Device drivers usually don't have this
value, but standalone services such as the DHCP, DNS, and WINS
servers usually do.
- PlugPlayServiceType
I don't know what this does.
- DisplayName
Some services include a "friendly" name suitable for
display in the Services control panel. Those that do store it here as
a REG_SZ.
- ObjectName
Background services may be run under a particular account. By
default, services always run as LocalSystem;
some services (like the printer spooler, scheduler, and Services for
Macintosh package) are usually run under their own account.
ObjectName stores the name of the account under which the service is
run, if any. For kernel drivers, this value specifies which kernel
object is used to load the driver.
- Type
This REG_DWORD specifies the kind of service or driver this is; it
must always be one of the values in Table 11.2. At
boot time, the system loads drivers according to their type:
kernel-mode drivers first, then filesystem drivers, and on down the
list.
Table 11.2. The Type Value Specifies the Service Type

| Value | Meaning |
|-------|---------|
| 0x01 | This item is a kernel-mode device driver. |
| 0x02 | This item is a kernel-mode device driver that implements filesystem services. |
| 0x04 | This item is a bundle of arguments used by a network adapter. |
| 0x08 | This item is a filesystem driver service. |
| 0x10 | This item is a Win32 service that should be run as a standalone process. |
| 0x20 | This item is a Win32 service that can share address space with other services of the same type. |
| 0x110 | This item is a Win32 service that should be run as a standalone process and can interact with users. |
| 0x120 | This item is a Win32 service that can share address space with other services of the same type and interact with users. |
- Start
This REG_DWORD specifies when the subject service should actually be
started. When you open a service in the Services control panel, you
can assign the start type with a set of five radio buttons whose
labels correspond to the "Start Type" column in Table 11.3.
Table 11.3. The Start Value Controls When Services Are Loaded

| Value | Start Type | Meaning |
|-------|------------|---------|
| 0x00 | Boot | The kernel loader loads this driver first because it's required to utilize the boot volume device. |
| 0x01 | System | This service should be loaded by the I/O subsystem when the kernel is brought up. |
| 0x02 | Autoload | This service should always be loaded and run, no matter what. |
| 0x03 | Manual | This service should be loaded, but the user must start it manually from a control panel or the command line. |
| 0x04 | Disabled | This service should be loaded but may not be started by the system or the user. |
- Group
Birds of a feather flock together, and so do Windows 2000 and NT
services. Any items with the same value in their Group key are
considered to belong to the same group; when it's time to start
services within a group, group members' Tag values decide which
group members should be loaded first. Services without this entry do
not belong to a group and are loaded after all services in service
groups are loaded.
- Tag
The REG_DWORD Tag value specifies the load order within a single
group. For example, if there are five devices in the "SCSI
Miniport" group, the one with the lowest Tag value is loaded
first, then the next highest, and so on.
- ErrorControl
Some services are more important than others. The ErrorControl value
is proof, since it lets critical services be marked as such. If a
service fails to load, or fails during startup, what happens next is
governed by that service's ErrorControl value. Possible values
are listed in Table 11.4.
Table 11.4. ErrorControl Governs What Happens on a Failure

| Value | Meaning |
|-------|---------|
| 0x00 | If this driver can't be loaded or started, don't worry; ignore the failure and don't display any warnings. |
| 0x01 | Act normally. If this driver fails during startup, produce a warning message but proceed with the boot process. |
| 0x02 | Be afraid. If the startup process is currently using the last known good control set, continue on; if it's not, switch to the last known good set. |
| 0x03 | Play "Taps." Record the current startup as a failure. If this startup is using the last known good set, run a diagnostic. If not, switch to the last known good set and reboot. |
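As an added example (not code from the book), here is how a defender would read these settings offline from a regedit export of the SYSTEM hive, e.g. one pulled from a disk image: it follows Select\Current to the right ControlSetNNN key (Section 11.4), decodes each service's Type, Start and ErrorControl per Tables 11.2, 11.3 and 11.4, and applies the Control\LSA Notification Packages check from Section 11.4.2.8. The .reg text is constructed; the FPNW service key name used for the NetWare check and the "Updater" service are assumptions.

```python
import re

# Meanings from Tables 11.2, 11.3 and 11.4.
SERVICE_TYPE = {0x01: "kernel driver", 0x02: "kernel filesystem driver",
                0x04: "adapter arguments", 0x08: "filesystem driver service",
                0x10: "Win32 own process", 0x20: "Win32 shared process",
                0x110: "Win32 own process, interactive",
                0x120: "Win32 shared process, interactive"}
START_TYPE = {0: "Boot", 1: "System", 2: "Autoload", 3: "Manual", 4: "Disabled"}
ERROR_CONTROL = {0: "Ignore", 1: "Normal", 2: "Severe", 3: "Critical"}

def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: data}}. Handles REG_SZ, REG_DWORD and the
    hex(2)/hex(7) UTF-16LE encodings regedit uses for REG_EXPAND_SZ and
    REG_MULTI_SZ; their backslash-wrapped continuation lines are joined first."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    hive, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hive[key] = {}
        elif key and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                hive[key][name] = int(data[6:], 16)
            elif data.startswith(("hex(2):", "hex(7):")):
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                parts = [s for s in raw.decode("utf-16-le").split("\0") if s]
                hive[key][name] = parts if data[4] == "7" else (parts[0] if parts else "")
            elif data.startswith('"') and data.endswith('"'):
                hive[key][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return hive

def current_control_set(hive, root="HKEY_LOCAL_MACHINE\\SYSTEM"):
    """Follow Select\\Current to the ControlSetNNN key it names."""
    return "%s\\ControlSet%03d" % (root, hive[root + "\\Select"]["Current"])

def describe_services(hive, ccs):
    """Decode Type/Start/ErrorControl for every Services\\<name> key in ccs."""
    prefix, out = ccs + "\\Services\\", {}
    for key, vals in hive.items():
        name = key[len(prefix):]
        if not key.startswith(prefix) or "\\" in name:
            continue  # skip Parameters, Linkage and other nested subkeys
        out[name] = {"type": SERVICE_TYPE.get(vals.get("Type"), "unknown"),
                     "start": START_TYPE.get(vals.get("Start"), "unknown"),
                     "error": ERROR_CONTROL.get(vals.get("ErrorControl"), "unknown"),
                     "image": vals.get("ImagePath", "")}
    return out

def audit(hive):
    """Two checks drawn from the chapter: an auto-started Win32 service whose
    ImagePath lies outside the Windows directory, and an LSA Notification
    Packages entry for FPNWCLNT when no FPNW service key exists (FPNW as the
    NetWare service's key name is an assumption)."""
    ccs, findings = current_control_set(hive), []
    for name, svc in describe_services(hive, ccs).items():
        img = svc["image"].lower()
        if (svc["start"] == "Autoload" and svc["type"].startswith("Win32")
                and "%systemroot%" not in img and "\\windows\\" not in img):
            findings.append("%s: auto-start service outside SystemRoot (%s)" % (name, svc["image"]))
    pkgs = hive.get(ccs + "\\Control\\Lsa", {}).get("Notification Packages", [])
    if any(p.upper() == "FPNWCLNT" for p in pkgs) and ccs + "\\Services\\FPNW" not in hive:
        findings.append("Lsa: Notification Packages names FPNWCLNT but no FPNW service is installed")
    return findings

# Constructed sample export (not from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"LastKnownGood"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
"Notification Packages"=hex(7):46,00,50,00,4e,00,57,00,43,00,4c,00,4e,00,54,00,\
  00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Browser]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  65,00,72,00,76,00,69,00,63,00,65,00,73,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Updater]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,50,00,\
  75,00,62,00,6c,00,69,00,63,00,5c,00,75,00,70,00,64,00,2e,00,65,00,78,00,65,00,\
  00,00
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", finding)
```

On a live machine the same export is produced with `reg export HKLM\SYSTEM system.reg`, and `parse_reg` can then be pointed at that file.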
There are also six subkeys commonly found beneath subkeys of Services:
- Linkage
Network adapters can be bound to
multiple protocols and services. Every network card driver has a
Linkage subkey, which stores the bindings data for that particular
card. Disabled bindings are stored in Linkage\Disabled. None of the
binding subkeys or values are directly editable; you should change
them only via the Network control panel.
- Parameters
Parameters is a catch-all subkey that lets drivers and services store
their private settings. Some components store their settings in
HKLM\SOFTWARE. Device drivers (particularly those for network cards)
can store hardware-specific settings such as their preferred IRQ and
DMA ranges; other drivers and services can store whatever they want
here.
- Performance
Services that offer Performance
Monitor counters advertise them by creating a Performance key.
Beneath this key, there are several values that tell the Performance
Monitor which DLL to load to activate the counters and what routines
the service offers for collecting performance data.
- Security
The values in this key contain permission information for Windows
2000 services and drivers.
- Enum
This Windows 2000 key contains values that store hardware information
for devices that the service controls or interacts with.
- networkprovider
The Windows 2000 network provider subkey may appear for network
services where the Group value is NetworkProvider. The values under
this subkey contain information about the network provider, such as
the provider name and order.
Of course, any individual service is free to store additional values
either as part of its key or in subkeys added to the ones listed
here.
11.4.3.1 Services\Browser
The Browser service controls
NetBIOS browsing, including allowing
the machine to act as a master browser when requested. (For a
complete description of how NetBIOS browsing actually works, see
article Q102878 in the Microsoft knowledge base.) The
Services\Browser\Parameters subkey contains five particularly
interesting values:
- MaintainServerList
This REG_SZ can assume three values: "Auto" (the
default), "Yes," and "No." When it's
"No," the system doesn't cache the list of browser
announcements it hears, so it can't become a Browse Server.
When it's "Auto," the list is cached, and the
computer may force an election (which it can win) for a new master
browser when necessary. When it's "Yes," the
computer always acts as a Browse Server.
- BackupPeriodicity
REG_DWORD value, in seconds (legal values range from 300-4294967, or
about 48 days), which specifies how often a backup browse server
should contact the master browser for an update.
- MasterPeriodicity
Like BackupPeriodicity, except that it controls how often a master
browser should contact the domain master browser.
- IsDomainMaster
IsDomainMaster is just what its name implies: a REG_SZ that indicates
whether this computer is, or is not, a domain master browser. Legal
values are TRUE and FALSE.
- QueryDriverFrequency
This REG_DWORD value represents the interval (0-900, in seconds)
after which a browser decides that its name cache is invalid and
requests a new copy of the available browser server list. Increasing
this value speeds up browsing at the cost of keeping stale data in
the cache longer; conversely, decreasing it keeps data fresher at the
expense of bandwidth.
11.4.3.2 Services\DHCPServer
The Dynamic Host Configuration Protocol, or DHCP, is becoming more
and more widespread because it offers an easy way to manage TCP/IP
networks. The DHCP server's parameters are stored under its
Parameters key. In the Windows NT 4.0 Registry, however, these values
are found in the Parameters key under Services\DHCP:
- BackupDatabasePath
The DHCP server keeps a backup copy of its database. This
REG_EXPAND_SZ value lets you specify where it's kept. By
default, it goes in SystemRoot\System32\dhcp\backup. You should edit
this to move the backup database to another volume on the same
machine to protect against disk failures.
- BackupInterval
This REG_DWORD specifies the interval in minutes at which DHCP backs
up its database. By default, backups happen every 60 minutes, but you
may specify any interval.
- DatabaseCleanupInterval
DHCP leases and reservations expire. Good housekeeping practices
dictate that these old records be scavenged from the DHCP database;
DatabaseCleanupInterval (a REG_DWORD whose default value is 1440
minutes or 1 day) specifies how many minutes should pass between
scavenging runs.
- DatabaseLoggingFlag
Performance will suffer, but you can log DHCP transactions if you
feel it necessary. A value of 1 in this REG_DWORD enables logging,
while 0 turns it off.
- DatabasePath and DatabaseName
By default, these REG_SZ values combine to point to a file named
dhcp.mdb in
%systemroot%\system32\dhcp. If needed, you can
edit these values to put the DHCP database somewhere else.
- RestoreFlag
This value can restore the DHCP database from the backup copy.
However it's not quite implemented in Windows 2000 and should
not be changed.
Besides these parameters, you can instruct the DHCP server which
TCP/IP configuration parameters to deliver to clients. Once you do
this (using the DHCPOptionsScope command in the DHCP server manager), one
or more subkeys under DHCP\Parameters\Options appear--one subkey
per option, each named after the option number. These new keys tell
the server where to get the values that are being broadcast to the
client machines. Don't edit them.
11.4.3.3 Services\EventLog
The Event Logger service in Windows 2000 has three subkeys under
Services\EventLog: one for the application log, one for the system
log, and one for the security log. In addition, Windows services
create subkeys for their own logs. The Windows 2000 and service-created
subkeys are named after their respective logs and can contain a
combination of seven values that can be edited via the Event Viewer
application:
- File
This REG_EXPAND_SZ supplies the full path to the event file. If you
want to store your event logs on a secure partition, you can edit
this value to do so.
- MaxSize
Specifies the maximum size, in bytes (64-KB increments), that the log
can grow to before it's marked as full.
- Retention
This REG_DWORD represents the number of seconds entries are retained
before they're overwritten. The default is seven days (or, more
exactly, 604,800 seconds).
- Sources
Each system component that logs event messages can supply its own
message file. This makes it possible for logged messages to be very
specific, since the component that generated them has extensive
knowledge about why the entry was logged. This REG_MULTI_SZ holds a
list of names. Each name is interpreted as a subkey of
EventLog\Application, EventLog\Security, or EventLog\System. Each of
these subkeys in turn contains two values that specify which message
file to use for that named component.
- DisplayNameFile
This REG_EXPAND_SZ value specifies the file that holds the event
log's localized name. By default, this file is
%systemroot%\system32\els.dll.
- DisplayNameID
This REG_DWORD value holds an ID number between 0 and 0xFFFFFFFF. Used
in combination with DisplayNameFile, it
specifies a message ID number for the log name.
- PrimaryModule
The keys under Services\EventLog are associated with different logs.
The PrimaryModule value (REG_SZ) indicates the subkey where default
values are stored for log source entries within these logs.
11.4.3.4 Services\LanmanServer
The Server service actually does all the
hard work of sharing files and printers under Windows 2000/NT. Its
parameters live under Services\LanmanServer, and there certainly are
a lot of them! Most parameters are automatically tuned by Windows
2000 and NT based on the server load, but some must be tweaked
manually. Here they are:
- AutoDisconnect
You can automatically force idle clients to disconnect by setting
this REG_DWORD value to the number of minutes of idle time
you're willing to allow. Clients who have open files or
searches on a connection aren't disconnected, but completely
idle clients will be. The default idle time allowed is 15 minutes.
- AutoShareServer and AutoShareWks
Windows 2000 Server, by default, creates administrative shares of
your local disks. Windows 2000 Professional and NT can be made to do
so as well. These REG_DWORD values, when set to 1, tell the system to
map local drives to hidden shares on computers running either Windows
2000 Server (AutoShareServer) or Windows 2000 Professional
(AutoShareWks). When these values are 0, no such shares are created.
- Comment
This REG_SZ holds the comment displayed next to this machine's
name when users browse the network.
- DiskSpaceThreshold
The DiskSpaceThreshold value controls when Windows 2000 and NT
reports that a disk is low on space. The value represents a minimum
percentage of free space; when the space available drops below that
percentage, a warning alert is generated. This value's a
REG_DWORD and can range from 1-99%. The default value is 10.
- Hidden
If you want to hide a server or workstation from network browsers,
set this REG_BINARY value to 1, and the machine disappears. Clients
who know it's there can still access it, but it won't
show up in Explorer or any of the other browsing tools.
- RestrictNullSessionAccess
LAN Manager, NT's ancient ancestor, allowed users to connect
with a NULL session to get some types of information from a
server, including a list of available shares and account names.
Because this is a security vulnerability, Microsoft now offers a way
to deny NULL session access to network resources--this value.
Set it to 0 if you want to allow NULL session access (not
recommended), or 1 if
you want to deny it. When set to 1, the shares and pipes specified in
NullSessionShares and NullSessionPipes can still use NULL sessions.
- NullSessionShares and NullSessionPipes
These two REG_MULTI_SZ values list any file shares and/or pipes NULL
session-using clients may access. By default, NullSessionShares lists
COMCFG and DFS$ as accessible when RestrictNullSessionAccess is turned
on; the default contents of NullSessionPipes are COMNAP, COMNODE,
SQL\QUERY, SPOOLSS, LLSRPC, EPMAPPER, and LOCATOR.
- Users
This REG_DWORD controls how many users may simultaneously log on to
your server. Its legal range is from 1 to 0xFFFFFFFE (representing a
number of users), or 0xFFFFFFFF (the default) denoting no limit. As a
practical matter, you should probably set this to some value less
than or equal to the number of actual licenses you have for your
server.
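As an added example (not code from the book), here is a PowerShell function that reads the server values listed above and reports which ones differ from the defaults the text gives or widen what an unauthenticated client can reach; the function name, the key path Services\LanmanServer\Parameters and the baseline judgements are the example's own assumptions.

```powershell
# Added example, not from the book: audit the LanmanServer values described
# above against the defaults the text gives and flag settings that widen
# exposure. Assumption: the values live under Services\LanmanServer\Parameters;
# pass -Path to audit a loaded offline SYSTEM hive instead.
function Test-LanmanServerExposure {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')

    # Default NULL-session exception lists, as quoted in the text.
    $defaultShares = @('COMCFG', 'DFS$')
    $defaultPipes  = @('COMNAP', 'COMNODE', 'SQL\QUERY', 'SPOOLSS', 'LLSRPC', 'EPMAPPER', 'LOCATOR')

    $p = Get-ItemProperty -Path $Path -ErrorAction Stop   # reads every value in the key at once
    $findings = New-Object System.Collections.Generic.List[string]

    # AutoDisconnect: idle minutes before a session is dropped (text default: 15).
    $idle = if ($null -ne $p.AutoDisconnect) { $p.AutoDisconnect } else { 15 }
    if ($idle -ne 15) { $findings.Add("AutoDisconnect=$idle (default 15): non-default idle timeout") }

    # Hidden administrative shares of local drives exist while these are 1.
    foreach ($name in 'AutoShareServer', 'AutoShareWks') {
        if ($p.$name -eq 1) { $findings.Add("${name}=1: administrative shares of local drives are created") }
    }

    # Hidden only affects browsing; note it so nobody mistakes it for access control.
    if ($null -ne $p.Hidden) { $findings.Add('Hidden is set: invisible to browsers but still reachable by name') }

    # NULL sessions: anything but 1 leaves share and account enumeration open.
    if ($p.RestrictNullSessionAccess -ne 1) {
        $findings.Add("RestrictNullSessionAccess=$($p.RestrictNullSessionAccess): not set to 1, NULL sessions allowed")
    }
    # Entries beyond the documented defaults are reachable without credentials.
    foreach ($s in @($p.NullSessionShares)) {
        if ($s -and $s -notin $defaultShares) { $findings.Add("NullSessionShares: non-default entry '$s'") }
    }
    foreach ($n in @($p.NullSessionPipes)) {
        if ($n -and $n -notin $defaultPipes) { $findings.Add("NullSessionPipes: non-default entry '$n'") }
    }

    # Users: REG_DWORD 0xFFFFFFFF (read back as -1) means no cap on simultaneous logons.
    if ($null -ne $p.Users -and ([int64]$p.Users -band 0xFFFFFFFF) -eq 0xFFFFFFFF) {
        $findings.Add('Users=0xFFFFFFFF: no limit on simultaneous logons')
    }
    return $findings
}

$result = @(Test-LanmanServerExposure)
if ($result.Count -eq 0) { 'LanmanServer parameters match the defaults given in the text.' }
else { $result | ForEach-Object { "WARN  $_" } }
```

Run it in an elevated prompt; to audit a hive taken from another machine, load it with reg.exe load and point -Path at the loaded control set.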
11.4.3.5 Services\NetBt
You can run the NetBIOS protocol over
a TCP/IP connection; this combination is called NBT or (occasionally)
NetBT. NBT makes NetBIOS traffic routable. It can also provide a
performance boost, and with the advent of the Internet it makes it
possible to offer NetBIOS services over an Internet connection. The
NetBT service handles encapsulating NetBIOS data into TCP/IP packets,
and its Parameters key contains several values that govern the
overall operation of the NetBT service:
- DhcpXXX
There are several values whose names begin with Dhcp. These are set
automatically by the DHCP client service. Any Dhcp value can be
overridden by its non-DHCP counterpart: for example, DhcpScopeID is
overridden by ScopeID. Don't change any of the Dhcp values, or
DHCP will stop working properly.
- EnableDNS
This REG_DWORD indicates whether DNS name resolution is enabled. When
it's 1, the default, NetBT uses DNS to resolve names that
can't be resolved via WINS, lmhosts, or
broadcast queries; when it's 0, DNS won't be used.
Microsoft warns against changing this value in the Registry; instead,
you should use the Network control panel.
- EnableLMHOSTS
This REG_DWORD value indicates whether the lmhosts file
is used to resolve names that can't be resolved via WINS or
broadcast queries. Like EnableDNS, you shouldn't modify it
directly.
- EnableProxy
This REG_DWORD controls whether this computer answers WINS proxy
requests; these proxy requests come from computers not running WINS
and allow connections across subnets. Don't change this value
directly either.
- LmhostsTimeout
You can control the timeout period for DNS and
lmhosts name queries by adjusting this REG_DWORD
value. It represents the timeout period in milliseconds; the default
value of 6000 allows a 6-second timeout, but you can adjust it from
1000-0xFFFFFFFF. Tweaking this value lets you accommodate slow DNS
servers, so it might make a good system policy entry.
- NameSrvQueryCount
"If at first you don't succeed, try, try again"
applies to name resolution, too. By default, NetBT issues three WINS
queries for a name before deciding that the name can't be
resolved. You can change this REG_DWORD's value to anything
between 0 and 65,535 to change the number of requests.
- NameSrvQueryTimeout
A single WINS query can either be answered or not. This REG_DWORD
controls the number of milliseconds after which a query is judged to
have timed out. Its default value of 1500 allows for a 1.5-second
timeout, but you may use any value from 1000-0xFFFFFFFF. The maximum
time it can take to decide a name can't be resolved via WINS is
thus equal to NameSrvQueryCount multiplied by NameSrvQueryTimeout.
- WinsDownTimeout
If no WINS servers can be contacted, the system can automatically
wait a prescribed period before trying to contact a WINS server
again. The length of this period is controlled by WinsDownTimeout,
which is a REG_DWORD number of milliseconds. By default, the system
waits 15 seconds after failing to reach a WINS server before it tries
again, but you can modify this interval to any value between 1000 and
0xFFFFFFFF milliseconds.
In addition to these settings, each adapter card to which NetBT is
bound has its own adapter-specific settings, which may supplement or
override the ones in Services\NetBt\Parameters. These settings are
stored under the Services\NetBt\Adapters subkey; each adapter has a
subkey named after its driver. These keys have the same DhcpXXX
values as the Services\NetBt\Parameters key. In addition, their
NameServer and NameServerBackup values specify the IP addresses of
the primary and backup WINS servers for that adapter. If present and
nonblank, these values are used instead of the corresponding
systemwide entries.
11.4.3.6 Services\Netlogon
The Netlogon service handles communications
between Windows 2000 machines (whether it's a workstation or a
server) and domain controllers. For the sake of backward
compatibility, Netlogon additionally handles replicating the user
account database to backup domain controllers running NT 3.x/NT 4.
Netlogon doesn't manage replication between two Windows 2000
servers. There are eight significant values in
Services\Netlogon\Parameters:
- DisablePasswordChange
To secure conversations between domain controllers and domain
computers, each computer in the domain uses a unique, randomly
generated password to log on to the domain. By default on Windows
2000 machines, this password is regenerated every 30 days. Normally
you leave this alone, but there are instances where you might want to
force Windows 2000/NT not to change the password, for example, if
you're dual-booting more than one copy (or version) of the
operating system on a single machine. Keeping the account password
unchanged ensures that each copy of Windows 2000 and NT can be a
member of the domain without anyone changing the domain password
behind its back.
By default, this REG_DWORD is set to 0, meaning that the system
changes its computer account password regularly. Setting it to 1 on a
machine prevents that machine from automatically changing its
computer account password, although you can still change it manually.
- RefusePasswordChange
As an alternative to setting DisablePasswordChange on lots of
machines, you can set the REG_DWORD RefusePasswordChange value to 1
on all domain controllers in the domain. This forces the DC to refuse
any password change request from its Windows 2000/NT 4 clients. It
doesn't stop the clients from trying, however. See article
Q154501 in Microsoft's knowledge base for a full explanation of
this parameter and its ramifications.
- Pulse
This REG_DWORD, and the pulse and replication settings that follow,
are used for replication under NT 4.0, or under Windows 2000 when an
NT 4.0 (or earlier) server is involved. Pulse controls how often a
change notification is sent from the primary domain controller (PDC)
to each backup domain controller (BDC). All the changes occurring
between pulses are collected together; when the pulse interval
expires, the changes are sent to any domain controller that needs an
update. Up-to-date domain controllers don't get a pulse. The
default interval is 300 seconds, but you may specify any number of
seconds from 60 to 48 hours' worth (172,800).
- PulseConcurrency
When a PDC has updates and sends pulses to each BDC that needs the
update, the BDC responds by asking for the updated data. The number
of pulses a PDC can queue at one time is controlled by this
REG_DWORD; the default value of 10 means that 10 BDCs can be pulsed.
Thus the PDC may have to deal with 10 update requests at one time.
You can specify any value from 1 to 500; the bigger the number, the
more load may be placed on the PDC.
- PulseMaximum
Specifies a maximum interval after which a BDC will be sent an update
pulse, even if it doesn't need an update. The default value is
7200 seconds, or two hours, but you may specify any interval in
seconds, from 60 to 172,800.
- PulseTimeout1 and PulseTimeout2
These two values control how long a PDC waits when pulsing a BDC
before it considers the BDC unresponsive. PulseTimeout1 regulates how
long the BDC has to answer a pulse; it can be anywhere from 1-120
seconds. PulseTimeout2 specifies how long the PDC waits for the BDC
to finish absorbing the update data once it's sent, from
60-3600 seconds.
- ReplicationGovernor
Under ordinary circumstances, Netlogon uses a
128-KB buffer for copying the SAM database and replicates the
database whenever a preset number of changes accumulate. For domain
controllers on a WAN or slow local link, these settings can consume a
significant amount of your bandwidth. The REG_DWORD
ReplicationGovernor value can range from 0 to 100; its value
represents a percentage of both the buffer size and
the amount of time an outstanding replication request is in progress.
For example, a ReplicationGovernor value of 25 specifies that a BDC
use a 32-KB buffer (25% of 128 KB), and that a replication request
can be on the Net no more than 25% of the time. You must make this
setting on every BDC you want to affect; it has no effect on the PDC.
Do not set this value to zero! If you do, the PDC never synchronizes
with the affected BDC.
- Scripts
This REG_SZ value specifies the full path to the Netlogon shared
directory on the domain controller where logon scripts are kept.
- Update
Ordinarily, the SAM database is synchronized only after a number of
changes have accumulated. You can force Netlogon
to completely synchronize the database when the service starts by
setting this REG_SZ value to "Yes." The default value,
"No," allows synchronization to happen when needed.
11.4.3.7 Services\RasMan
The Dial-Up Networking (née RAS)
subsystem lets you dial into remote computers and communicate using
Microsoft's protocols, IPX, or TCP/IP. The RasMan service is the
component that actually handles making over-the-modem network
connections on outbound calls. There are only two significant values
for this service's Parameters subkey:
- DisableSavedPasswords
Normally, each user may choose whether she wants DUN to save her
passwords or not. You can compel DUN not to cache these passwords by
adding this REG_DWORD value and setting its value to 1. When you do,
DUN doesn't display the "Save password" checkbox,
and it forgets any passwords it has previously stored.
- Logging
When this REG_DWORD is 1, the DUN dial-up component logs its
interaction with whatever serial device it's using. This is a
great way to troubleshoot connection problems; DUN logs to the
%systemroot%\system32\ras\device.log file until
a connection is established. The log file is cleared when you stop
and restart DUN components or when its size exceeds about 100 KB.
The Services\RasMan\PPP key has all the really useful DUN settings,
including:
- NegotiateTime
This value specifies the time, in seconds, the PPP module allows for
a successful connection negotiation. If the two sides can't
complete negotiation in this period, the connection fails. The
default value is 150 seconds, but you may set it to any DWORD value.
A value of 0 means the connection never fails.
- Logging
When this REG_DWORD is set to 1, each PPP connect, disconnect, or
failure event is logged to
%systemroot%\system32\ras\ppp.log.
- ForceEncryptedPassword
PPP servers may specify what types of authentication they support.
The ForceEncryptedPassword value forces a RAS server to request CHAP
authentication from its clients instead of the less secure PAP. Set
this REG_DWORD to 1 to force CHAP authentication or 0
to allow PAP. This value has no effect on computers that aren't
RAS servers.
11.4.3.8 Services\Replicator
The Directory Replicator service (usually
called just "the replicator") can mirror directories on
one server in a domain to other workstations and servers. Any machine
may import replicated directories, and any server may export them.
What gets replicated and when is controlled by values under the
Services\Replicator key. First of all, the Exports and Imports keys
contain one value entry for each exported or imported directory. You
manage these lists with the Directory Replication dialog in the NT
Server Manager.
|
In Windows 2000, the NT Server Manager functionality is replaced by
Active Directory Users and Computers.
|
|
The Parameters subkey contains parameters (also settable through the
Server Manager) that control how the replication process actually
runs:
- ExportPath
This REG_SZ contains the full path to the directory being exported.
Any given machine may export only a single directory; on domain
controllers, this is almost always the directory where logon scripts
are stored, but it can be anything.
- GuardTime
GuardTime tells the replicator service how long to wait after the
last file change before sending a new change notice. Its value can
range from 0 (send changes immediately) to half of the value of
Interval. This
value has no effect unless you specify that the export files should
be "Stabilized" in the Server Manager.
- ImportPath
This value specifies the full path to the directory where imported
files and directories are stored on the local machine.
- Interval
This REG_DWORD value specifies how often an export computer should
check its export directory for changes. The default is 5 minutes, but
the value may range from 1 to 60 minutes.
- Pulse
Pulse controls when the export computer rebroadcasts change notices.
These change notices are sent even when no changes occur so that
importers know whether they missed any updates due to network
outages. The value of Pulse may range from 1 to 10; it's used
as a multiplier of Interval. A Pulse value of 3 (the default)
combined with an Interval of 60 (minutes) means that redundant change
notices are sent every 3 hours.
- Replicate
This REG_DWORD controls what replication role this machine plays. A
value of 1 means this machine exports files; a value of 2 means it
imports from other exporters, and a value of 3 (the default) means it
can do both.
11.4.3.9 Services\Tcpip
TCP/IP
is a complicated protocol, so it's not surprising that there
are a large number of values in Services\Tcpip\Parameters. In keeping
with Microsoft's hands-off approach, most parameters that
affect how the TCP/IP stack allocates resources are self-adjusting,
and I haven't documented them here because there's really
no reason to ever adjust them.
|
It may be tempting to adjust some of these parameters on all your
machines by building a policy file, but it's a better idea to
use DHCP, which is designed specifically for this task. As a side
bonus, DHCP works with non-Windows computers too.
|
|
- DatabasePath
This REG_SZ contains the path where the TCP/IP stack should look for
its hosts, lmhosts,
networks, and protocols
files. By default it points to %systemroot%\system32\drivers\etc.
- DefaultTTL
The Time-To-Live (TTL) value determines how long an IP packet can
remain on the network before it either reaches its destination or is
discarded. By default, Windows 2000 marks its packets with a TTL of
128 (NT's default is 32), but this may be too short for some
applications. This REG_DWORD value has a range of between 1 and 255
seconds.
- Domain
This REG_SZ contains the primary DNS suffix of the machine, which is
used in DNS name registration and name resolution.
- Hostname
This REG_SZ contains the hostname you entered in the TCP/IP
Properties dialog.
- NameServer
This single REG_SZ contains a list of IP addresses (with a space
between each address) indicating which DNS servers you've
configured for DNS-based address resolution. This value, if any,
overrides the name server list provided via DHCP.
- IPEnableRouter
This REG_DWORD determines if IP forwarding is enabled. When this
DWORD is 1, the system attempts to route IP packets between the
subnets attached to its network adapter cards; when it's 0
(or when you only have one NIC) no routing takes place.
- SearchList
This REG_SZ value contains a space-separated list of domain names to
append to any hostname that's missing a suffix and can't
be resolved.
- EnableSecurityFilters
When set to 1, this REG_DWORD enables the TCP/IP stack to filter
incoming connections according to the ports specified in
TcpAllowedPorts and UdpAllowedPorts in the next list.
- PersistentRoutes
Starting with NT 3.51, you could add persistent static routes with
the route add command. Should you do so, each
route is stored as a REG_SZ value under the
Services\Tcpip\PersistentRoutes subkey. Each route has its own value
entry, constructed as a REG_SZ:
destinationAddr,subnetMask,routeGateway,routeMetric
The entries' names contain all the useful data; their contents
are empty.
In addition to these parameters, each network adapter card to which
TCP/IP is bound has its own individual set of parameters stored in
the card's key under
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface-name>
(or
HKLM\SYSTEM\CurrentControlSet\Services\adapter\Parameters\Tcpip on
Windows NT machines).
- IPAddress
This REG_MULTI_SZ contains the actual IP addresses assigned to the
physical adapter card. If the first address in the list is
"0.0.0.0," the address is assigned by a DHCP server. You
can add multiple addresses to a single adapter card by adding them
here.
- DefaultGateway
This REG_MULTI_SZ specifies an ordered list of default targets for
packets that aren't destined for one of the addresses on the
IPAddress list.
- DontAddDefaultGateway
This REG_DWORD (which doesn't get created automatically) can be
either 0 or 1. When it's 1, Windows 2000 and NT won't use a
default gateway entry for this adapter. Microsoft warns that
"PPTP users must add this Registry entry for each adapter that
is not connected to the Internet" to prevent accidentally
routing unintended traffic across a PPTP link.
- EnableDHCP
If this REG_DWORD is 1, the system asks the DHCP client service to
configure the first IP address on this adapter.
- SubnetMask
Since IPAddress allows multiple addresses, SubnetMask is a
REG_MULTI_SZ too; it needs to accommodate one subnet mask per IP
address! If the first mask is "0.0.0.0," all the mask
data is retrieved from DHCP. You should have one subnet mask for
every IP address specified in IPAddress.
- TcpAllowedPorts and UdpAllowedPorts
These two REG_MULTI_SZ values allow you to specify a set of ports on
which connections are accepted. When EnableSecurityFilters equals 0,
these values are ignored; when it equals 1, incoming connections on
these ports are allowed, but connections on all other ports are
rejected.
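As an added example (not code from the book), the following PowerShell decodes the PersistentRoutes value names described above into route objects and reports, per interface, the IPAddress, DontAddDefaultGateway and port-filter values just listed; the function names are hypothetical, the key paths follow the text, and on later Windows versions the PersistentRoutes subkey lives under Tcpip\Parameters, so pass -RoutesPath there.

```powershell
# Added example, not from the book: decode PersistentRoutes value names into
# route objects and report the per-interface TCP/IP values discussed above.
# Assumptions: the key layout quoted in the text (on later Windows versions the
# PersistentRoutes subkey sits under Tcpip\Parameters, so pass -RoutesPath).
$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip'

# A value NAME of the form "destinationAddr,subnetMask,routeGateway,routeMetric"
# carries all the data; the value's contents are empty.
function ConvertFrom-PersistentRouteName {
    param([Parameter(ValueFromPipeline)][string]$Name)
    process {
        $parts = @($Name -split ',' | ForEach-Object { $_.Trim() })
        if ($parts.Count -ne 4 -or $parts[3] -notmatch '^\d+$') {
            Write-Warning "Unparsable route entry '$Name'"; return
        }
        foreach ($i in 0..2) {                       # first three fields must be dotted quads
            if (-not [System.Net.IPAddress]::TryParse($parts[$i], [ref]$null)) {
                Write-Warning "Route '$Name': field '$($parts[$i])' is not an IP address"; return
            }
        }
        [pscustomobject]@{
            Destination = $parts[0]; Mask = $parts[1]; Gateway = $parts[2]
            Metric      = [int]$parts[3]
            IsDefault   = ($parts[0] -eq '0.0.0.0' -and $parts[1] -eq '0.0.0.0')  # catch-all route
        }
    }
}

function Get-PersistentRoute {
    param([string]$RoutesPath = "$Tcpip\PersistentRoutes")
    $key = Get-Item -Path $RoutesPath -ErrorAction SilentlyContinue
    if ($key) { $key.GetValueNames() | ConvertFrom-PersistentRouteName }
}

function Get-InterfaceSecurityFilter {
    $filtering = (Get-ItemProperty "$Tcpip\Parameters" -ErrorAction SilentlyContinue).EnableSecurityFilters -eq 1
    foreach ($iface in Get-ChildItem "$Tcpip\Parameters\Interfaces" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $iface.PSPath
        # Port lists mean nothing unless EnableSecurityFilters is 1, so say so explicitly.
        $tcp = if ($filtering) { @($p.TcpAllowedPorts) -join ',' } else { '(ignored: EnableSecurityFilters<>1)' }
        $udp = if ($filtering) { @($p.UdpAllowedPorts) -join ',' } else { '(ignored: EnableSecurityFilters<>1)' }
        [pscustomobject]@{
            Interface             = $iface.PSChildName
            IPAddress             = (@($p.IPAddress) -join ' ')
            DhcpAssigned          = (@($p.IPAddress)[0] -eq '0.0.0.0')   # first entry 0.0.0.0 => DHCP
            DontAddDefaultGateway = ($p.DontAddDefaultGateway -eq 1)
            TcpAllowedPorts       = $tcp
            UdpAllowedPorts       = $udp
        }
    }
}

# Constructed sample names (not from any real machine) exercise the parser offline:
'10.9.8.0,255.255.255.0,10.9.1.1,1', '0.0.0.0,0.0.0.0,192.0.2.1,1', 'garbage' | ConvertFrom-PersistentRouteName
Get-PersistentRoute | Format-Table
Get-InterfaceSecurityFilter | Format-List
```

The constructed 'garbage' entry shows the parser's failure path: a malformed name produces a warning rather than a bogus route object.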
|