Don't disable system services! (unless you REALLY know what you are doing)
(1) The problem
While searching the newsgroups I found an interesting issue. It seems that many people are manually disabling some system services, like "Volume Shadow Copy" (VSS) or "MS Software Shadow Copy Provider" (SWPRV). While this seems to be an innocent action, it later causes subtle failures in other OS components, like NTBackup or Shadow Copies for Shared Folders.
For example, if you manually disable VSS or SWPRV, you will get a weird and apparently unrelated NTBackup error in the backup report which looks like this:
=====================<BEGIN NTBACKUP LOG FILE>=====================
Backup Status
Operation: Backup
Active backup destination: File
Media name: "Small Business Server Backup (01).bkf created 12/22/2004 at 1:00 AM"
Error returned while creating the volume shadow copy:800423f4
Reverting to non-shadow copy backup mode.
Backup of "C: "
Backup set #1 on media #1
Backup description: "SBS Backup created on 12/22/2004 at 1:00 AM"
Also, if you try to enable Shadow Copies for Shared Folders you might also get various errors in the Application event log:
Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 8193
Date: 12/26/2004
Time: 12:20:11 AM
User: N/A
Computer: AOLTEAN-H4
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80070422. For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 55 45 43 58 4d 4c 43 BUECXMLC
0008: 33 35 33 32 00 00 00 00 3532....
0010: 42 55 45 43 58 4d 4c 43 BUECXMLC
0018: 33 34 39 34 00 00 00 00 3494....
There are even more subtle variations on the same problem. Under the covers, VSS uses other system services, like RPCSS, COM+ Event System, etc. If any of these services is disabled, you will get errors like the one above. But you still have a clue about where to start the investigation: in all these cases, there will be an associated VSS error in the Application event log (like the one above) and another DCOM error in the System event log. These are easy to spot with the Event Viewer.
(2) The cause
So, how did you end up with such a system? In many cases that I've investigated, it looks like many users are disabling these services by mistake in their effort to get better security or better overall performance.
First, I would like to mention that manually disabling services is something that you do at your own risk. Usually this is not a supported scenario. You might end up with a system that has weird failures in unexpected places...
Second, several web sites out there mistakenly recommend disabling VSS and SWPRV as a "safe" setting. Some examples:
- https://www.theeldergeek.com/volume_shadow_copy.htm
- https://www.theeldergeek.com/ms_software_shadow_copy_provider.htm
- https://users.accesscomm.ca/gbraun/wxp/services.htm
So if you are experiencing these types of VSS failures, it might be a good idea to check whether you previously disabled these services. Look especially for 0x80070422 or 0x8007042c, which almost always indicate a disabled service.
(3) Under the cover
We saw these errors in the event log: 0x80070422 or 0x8007042c. What are these cryptic errors?
The first thing to note is that they start with 0x80070... so they are simply COM-specific error codes (HRESULTs in COM language) which denote Win32 failures. To manually transform such an HRESULT into its corresponding error code, do the following:
a) Isolate the last four digits of the hex number above. In our case, 0x422 or 0x42c.
b) Convert this number to decimal. The "SET /A" command comes in handy here:
E:\>set /A 0x422
1058
c) Then, cut & paste the error code above into the parameters of the NET HELPMSG command:
E:\>net helpmsg 1058
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Windows programmers might recognize these errors immediately... for example, 1058 is ERROR_SERVICE_DISABLED, and 0x80070422 is nothing other than HRESULT_FROM_WIN32(ERROR_SERVICE_DISABLED).
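The manual steps above can be automated over a whole log. The following is an added example, not code from the original post: it extracts every failure HRESULT from log text, applies the same "last four digits" decoding, and also handles the case the manual recipe skips, namely an HRESULT whose facility is not Win32 (such as the 800423f4 in the NTBackup report), where the low 16 bits are not a Win32 error code. The function names and the sample text are constructed for illustration.

```python
import re

# Win32 codes the article associates with disabled services (winerror.h names).
SERVICE_CODES = {
    1058: "ERROR_SERVICE_DISABLED",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL",
}
FACILITY_WIN32 = 7  # the "7" in 0x8007xxxx

# Matches "0x80070422" as well as bare forms such as ":800423f4".
HRESULT_RE = re.compile(r"(?<![0-9A-Fa-f])(?:0x)?(8[0-9A-Fa-f]{7})(?![0-9A-Fa-f])")

# Constructed sample: lines excerpted from the two logs quoted in the article,
# plus one variant carrying the 0x8007042c code the article also mentions.
SAMPLE_LOG = """\
Error returned while creating the volume shadow copy:800423f4
Event ID: 8193
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80070422.
0000: 42 55 45 43 58 4d 4c 43 BUECXMLC
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x8007042c.
"""


def decode_hresult(value):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    # Same shifts and masks as the HRESULT_FACILITY / HRESULT_CODE macros.
    return bool(value >> 31), (value >> 16) & 0x1FFF, value & 0xFFFF


def triage(log_text):
    """Return (hresult, facility, code, verdict) per distinct HRESULT found."""
    findings, seen = [], set()
    for match in HRESULT_RE.finditer(log_text):
        value = int(match.group(1), 16)
        if value in seen:
            continue
        seen.add(value)
        _, facility, code = decode_hresult(value)
        if facility == FACILITY_WIN32:
            verdict = SERVICE_CODES.get(code, "other Win32 error")
        else:
            # Low 16 bits are facility-specific here; NET HELPMSG does not apply.
            verdict = "not a wrapped Win32 error"
        findings.append((f"0x{value:08x}", facility, code, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```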
(4) The solution
Please check that the following services are enabled:
- "Remote Procedure Call" (RPCSS) should be enabled, Automatic
- "COM+ Event System" (EventSystem) should be enabled, Manual
- "System Event Notification Service" (SENS) should be enabled, Automatic
- "Volume Shadow Copy" (VSS) should be enabled, Manual
- "Microsoft Software Shadow Copy Provider" (SWPRV) should be enabled, Manual
If you have any of these services disabled or not in the state mentioned above, then you will get the 0x8007042c VSS error in the event log above. You can change the enable/disable status of various system services through the Services section of the "Computer Management" applet in MMC. To open it, just right-click on "My Computer" and select "Manage".
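The checklist above can also be verified without clicking through the Services console. The following is an added example, not code from the original post: it compares each service's Start value under HKLM\SYSTEM\CurrentControlSet\Services against the start types listed above and reports deviations. It assumes the standard Start encoding (2 = Automatic, 3 = Manual, 4 = Disabled); the function names and the sample data are constructed for illustration.

```python
import sys

# Meaning of the Start DWORD in a service's registry key.
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Expected start types from the article's list, keyed by service short name.
EXPECTED = {"RPCSS": 2, "EventSystem": 3, "SENS": 2, "VSS": 3, "SWPRV": 3}

# Constructed sample for non-Windows runs: VSS and SWPRV were disabled by hand.
CONSTRUCTED = {"RPCSS": 2, "EventSystem": 3, "SENS": 2, "VSS": 4, "SWPRV": 4}


def read_start_values(names):
    """Read each service's Start value from the local registry (Windows only)."""
    import winreg  # standard library, available on Windows only
    values = {}
    for name in names:
        path = "SYSTEM\\CurrentControlSet\\Services\\" + name
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                values[name] = winreg.QueryValueEx(key, "Start")[0]
        except OSError:
            values[name] = None  # service key or Start value is missing
    return values


def audit(start_values, expected=EXPECTED):
    """Return (service, expected, actual) for every service that deviates."""
    findings = []
    for name, want in expected.items():
        got = start_values.get(name)
        if got != want:
            actual = START_NAMES.get(got, "Missing")
            findings.append((name, START_NAMES[want], actual))
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":
        observed = read_start_values(EXPECTED)
    else:
        observed = CONSTRUCTED
    for name, want, got in audit(observed):
        print(f"{name}: expected {want}, found {got}")
```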
(5) Disabling services the right way
There is a tool shipped by Microsoft called "Security Configuration Wizard" (SCW) which can be used to disable various (unused) OS services and therefore harden the system. More information about the one for Windows Server 2003 can be found here. Note that Windows Server 2003 SP1 will have an improved version of SCW, apparently not installed by default, but available through Control Panel, Add/Remove Programs, Add/Remove Windows Components.
- Anonymous
December 26, 2004
The site is really good. May I have the code?
I want to use it at http://www.aagg.net and http://www.aaff.net.
- Anonymous
December 26, 2004
The code for this blog site is a blogging engine written in C#/ASP.NET called .Text
The code for .Text can be found at http://www.gotdotnet.com/Workspaces/Workspace.aspx?id=e99fccb3-1a8c-42b5-90ee-348f6b77c407
The author is Scott Watermasysk - you can find his blog at http://scottwater.com/blog
Thanks, Adi
- Anonymous
December 26, 2004
If you have windbg installed you can also use the !error extension to translate error codes. It automatically handles standard HRESULTs, as well as win32 and native NT codes:
c:\debuggers> cdb.exe notepad
0:000> !error 8007042c
Error code: (HRESULT) 0x8007042c (2147943468) - The dependency service or group failed to start.
0:000> q
- Anonymous
December 26, 2004
So how do I disable backup using shadow copy?
It's very annoying, after each backup I have to reboot the server since shadow copy services eats up most available memory :(
I asked about this problem in newsgroups, no one had been able to help. It seems no one else even noticed backup enabling shadow copy making services.exe grow its memory usage big time.
Sam
- Anonymous
December 27, 2004
Happy new year
- Anonymous
December 27, 2004
Hi Sam,
Unfortunately I never heard about this problem. But my take would be that disabling shadow copies would be the wrong approach - we should find first what's wrong and try to fix it (if possible).
Can you give me more details about the symptoms?
1) Is this Windows XP or Server 2003?
2) What are the visible effects after shadow copy creation (i.e. is the computer slow? etc.)?
3) What is the memory consumption from services.exe? What type of memory is consumed? (i.e. is this virtual memory, committed memory, private pages or the working set?)
4) What is the size of your event logs? (I ask this because services.exe hosts the event log service - which are dumped during backup-style shadow copy creation)
BTW, for quicker resolution of your problem, you can contact directly the VSS team at VSSAPP@microsoft.com (for informal support) but for formal support you might want to contact the PSS support team.
Thanks, Adi
- Anonymous
January 13, 2005
The comment has been removed
- Anonymous
January 13, 2005
To re-enable RPCSS, you can just run the following command:
sc config rpcss start= auto
Then, reboot, and see if it works...
Thanks, Adi
- Anonymous
January 13, 2005
All set and done, I fixed it from the registry.
Change the DWORD for rpcss to 2 to make it automatic.
- Anonymous
January 20, 2005
The comment has been removed
- Anonymous
March 28, 2005
Microsoft's support knowledge base (KB) both helps and hurts MS' reputation. On one hand, they freely provide a great deal of information that other companies charge for. On the other hand, the number and pervasiveness of Microsoft software (especially Windows,...