This section describes using information in the Control and Services subkeys to troubleshoot problems with your computer. The next screen shot shows the CurrentControlSet and its subkeys.
When you install Windows NT, it creates the Control and Services subkeys for each control set in HKEY_LOCAL_MACHINE\SYSTEM. Some information, such as which services are part of which group, and the order in which to load the groups, is the same for all Windows NT computers. Other information, such as which devices and services to load when you start your computer, is based on the hardware installed on your computer and the network software that you select for installation.
Each control set has four subkeys:
You can see the order in which device drivers should be loaded and initialized by viewing the Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder. Individual drivers that are members of a service group are loaded in this order:
"Service Groups," presented later in this chapter, lists drivers that are in each group.
The Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service name controls how services are loaded. This section describes some of the value entries for this subkey, with an explanation of their values. The next screen shot shows the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation and its value entries.
Figure 8.1. The Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
When a subkey has a value for the DependOnGroup value entry, at least one service from the group must be loaded before this service is loaded. This table shows services that have a value for DependOnGroup. The LanmanWorkstation service, shown in Figure 8.1, has a value for the DependOnGroup value entry.
Service | Depends on |
Cdfs | SCSI CDROM Class |
Cdrom | SCSI miniport |
Disk | SCSI miniport |
LanmanServer | TDI |
LanmanWorkstation | TDI |
LmHosts | Network Provider |
NetBIOS | TDI |
Parallel | Parallel arbitrator |
Scsiprnt | SCSI miniport |
Scsiscan | SCSI miniport |
Sfloppy | SCSI miniport |
This value entry identifies specific services that must be loaded before this service is loaded. The "Troubleshooting Example," presented later in this chapter, shows how you can use information in the DependOnService value entry to determine which services need to be started.
This table lists the services on the example computer that have a value for DependOnServices.
Service | Depends on | ||
Alerter | LanmanWorkstation | ||
Browser | LanmanWorkstation | LanmanServer | LmHosts |
ClipSrv | NetDDE | ||
DHCP | Afd | NetBT | TCP/IP |
Messenger | LanmanWorkstation | NetBIOS | |
NetBT | TCP/IP | ||
NetDDE | NetDDEDSDM | ||
NetLogon | LanmanWorkstation | LmHosts | |
Parallel | Parport | ||
Replicator | LanmanServer | LanmanWorkstation |
By knowing the dependencies, you can troubleshoot a problem more effectively. For example, if you stop the Workstation service, the Alerter, Messenger, and Net Logon services are also stopped, because they are dependent upon the Workstation service. If an error occurs when you try to start the Workstation service, any of the files that are part of Workstation service could be missing or corrupt. This is also why, if you start one of the services that depend on Workstation service, the Service Control Manager will automatically start the Workstation service if it is not already running.
This value entry controls whether an error during the startup of this driver will cause the system to switch to the LastKnownGood control set. If the value is 0 (ignore, no error is reported) or 1 (normal, error reported), startup proceeds. If the value is 2 (severe) or 3 (critical), an error is reported and LastKnownGood control set will be used.
The ErrorControl value for LanmanWorkstation is 0x1, which indicates that if there was an error starting LanmanWorkstation, an error would be logged in the event log, but Windows NT would complete startup.
This value entry identifies the path and file name of the driver. You can use My Computer or Windows NT Explorer to verify the existence of the named file. The ImagePath for LanmanWorkstation is %SystemRoot%\system32\services.exe.
This value entry determines when services are loaded during system startup. If a service is not starting, you need to know when and how it should be starting. Then look for the services that should have been loaded prior to this service. The values are described as follows:
Value | Meaning | Description |
0 | Boot | Loaded by the boot loader (NTLDR or OSLOADER) during the startup sequence. |
1 | System | Loaded at Kernel initialization during the load sequence. |
2 | Auto Load | Loaded or started automatically at system startup. |
3 | Load On Demand | Driver is manually started by the user or another process. |
4 | Disabled | Driver is not to be started under any condition. If a driver is accidentally disabled, reset this value by using the Services option in Control Panel. File System drivers are the one exception to the Start value. They are loaded even if they have a start value of 4. |
The Type value entry helps you know where the service fits in the architecture. These are its possible values:
Value | Description |
0x1 | Kernel device driver. |
0x2 | File System driver, which is also a Kernel device driver. |
0x4 | Set of arguments for an adapter. |
0x10 | A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself. |
0x20 | A Win32 service that can share a process with other Win32 services. |
Many of the services that have a Type value of 0x20 are part of the Services.exe. For example, if your network protocol is TCP/IP, and you are configured to use a DHCP server to get IP addresses, these services that have a Type value of 0x20 are in the Services.exe:
These services are part of the Netdde.exe:
Many device drivers are arranged in groups to make startup easier. When device drivers are being loaded, Windows NT loads the groups in the order defined by ServiceGroupOrder. The next table shows which drivers are in each group.
Group name | Services | ||
BASE | Beep | KSecDD | Null |
Boot Files System | Fastfat | Fs_Rec | |
Event log | EventLog | ||
Extended Base | Modem | Scsiprnt | Serial |
File System | Cdfs | Npfs | Ntfs |
Filter | Cdaudio | Diskperf | Simbad |
Keyboard Class | Kbdclass | ||
Keyboard Port | i8042prt | ||
NDIS | EE16 | NDIS | |
NetBIOSGroup | NetBIOS | ||
NetDDEGroup | NetDDE | ||
Network | Mup | Rdr | Srv |
NetworkProvider | LanmanWorkstation | ||
Parallel Arbitrator | Parport | ||
PCI Configuration | PCIDump | ||
PlugPlay | PlugPlay | ||
Pointer Class | Mouclass | ||
Pointer Port | Busmouse | Inport | Sermouse |
Port | none | ||
PNP_TDI | NetBT | Tcpip | |
Primary Disk | Abiosdsk | Floppy | Sfloppy |
RemoteValidation | NetLogon | ||
SCSI CDROM Class | Cdrom | ||
SCSI Class | Disk | Scsiscan | |
SCSI Miniport | Aha154x | Delldsa | Oliscsi Ql10wnt slcd32 |
SpoolerGroup | Spooler | ||
Streams Drivers | none | ||
System Bus Extender | Pcmcia | ||
TDI | Afd | DHCP | |
Video | Ati | mga | v7vram |
Video Init | VgaStart | ||
Video Save | VgaSave |
This section describes using information in the DependOnGroup and DependOnService to find the cause of the following error message that you see after you log on.
You can use the Event Viewer to see which services or drivers did not start.
1. Click the Start button.
2. Click Programs.
3. Click Administrative Tools (Common).
4. Double-click Event Viewer.
5. If the screen is displaying a log other than System Log, on the Log menu, click System.
The event log shows the following entries:
Sometimes, as you can see by the preceding System Log screen shot, several events are logged at approximately the same time. In this example, the newest event is entered at the top. Usually, if you look at the oldest event, you will find the reason that all of the events are logged. In the preceding example, the fourth entry from the top was the first one logged at 1:41:24. Double-clicking on it results in this event detail.
But if you look in the Registry there is no subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation. You have two methods that you can use.
You can use Regedit.exe to find the name anywhere in the control set.
1. Click the Start button.
2. Click Run, and enter Regedit.exe.
3. Double-click HKEY_LOCAL_MACHINE, double-click SYSTEM, double-click CurrentControlSet, and click Services.
4. On the Edit menu, click Find.
5. In the Find what box, enter Workstation and check the Keys and Data checkboxes. Clear Match whole string only.
6. Click Find.
7. If the match is not what you are looking for, on the Edit menu, click Find Next until you find the correct key.
If you think that the service name is part of the key name, you can use the Windows NT Registry Editor.
1. Click the Start button.
2. Click Run, and enter Regedt32.exe.
3. Double-click HKEY_LOCAL_MACHINE, double-click SYSTEM, double-click CurrentControlSet, and click Services.
4. On the View menu, click Find key.
5. In the Find what box, enter Workstation. Clear Match whole word only and Match case.
6. Click Find Next.
Both Registry editors find a match on the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation. The DisplayName value entry contains the name that you see when you use the Services icon in Control Panel, or the Services tab in the Windows NT Diagnostics administrative tool, to view information about services.
Therefore, this subkey is the one you are searching for. Its Start value is 0x4, which means it is disabled. It should be set to 0x2, which indicates it would start automatically when you start Windows NT.
As it turns out, you specifically disabled the Workstation service by using the Services icon in Control Panel and setting the Startup Type to Disabled. Then, the computer was restarted to see what happened.
But what about the other errors that are in the event log? If you double-click each of the first three entries, you find the following descriptions:
Changing the LanmanWorkstation service to start automatically will solve the problem with the Messenger service failing to start.
The Computer Browser and TCP/IP NetBIOS errors are both the result of no member of the NetworkProvider group starting. How do you find what services are in the NetworkProvider group? Regedt32.exe doesn't have an option to search for data, so you can use the Regedit.exe to find the NetworkProvider group.
1. Click the Start button.
2. Click Run, and enter Regedit.exe.
3. Double-click HKEY_LOCAL_MACHINE, double-click SYSTEM, double-click CurrentControlSet, and click Services.
4. On the Edit menu, click Find.
5. In the Find what box, enter NetworkProvider and check the Data checkbox.
6. Click Find Next.
The only subkey that has a Group value of NetworkProvider is LanmanWorkstation. Changing LanmanWorkstation to start automatically will also solve these problems.