Finding Service and Device Dependencies

This section describes using information in the Control and Services subkeys to troubleshoot problems with your computer. The next screen shot shows the CurrentControlSet and its subkeys.

When you install Windows NT, it creates the Control and Services subkeys for each control set in HKEY_LOCAL_MACHINE\SYSTEM. Some information, such as which services are part of which group, and the order in which to load the groups, is the same for all Windows NT computers. Other information, such as which devices and services to load when you start your computer, is based on the hardware installed on your computer and the network software that you select for installation.

Each control set has four subkeys:

ServiceGroupOrder Subkey

You can see the order in which device drivers should be loaded and initialized by viewing the Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder. Individual drivers that are members of a service group are loaded in the following order:

"Service Groups," presented later in this chapter, lists drivers that are in each group.

Services Subkey

The Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service name controls how services are loaded. This section describes some of the value entries for this subkey, with an explanation of their values. The next screen shot shows the subey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation and its value entries.

Figure 36.1 The Registry subkey HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\LanmanWorkstation

DependOnGroup Value Entry

When a subkey has a value for the DependOnGroup value entry, at least one service from the group must be loaded before this service is loaded. This table shows services that have a value for DependOnGroup. The LanmanWorkstation service, shown in Figure 36.1, has a value for the DependOnGroup value entry.

Service

Depends on

Cdfs

SCSI CDROM Class

Cdrom

SCSI miniport

Disk

SCSI miniport

LanmanServer

TDI

LanmanWorkstation

TDI

LmHosts

Network Provider

NetBIOS

TDI

Parallel

Parallel arbitrator

Scsiprnt

SCSI miniport

Scsiscan

SCSI miniport

Sfloppy

SCSI miniport


DependOnService Value Entry

This value entry identifies specific services that must be loaded before this service is loaded. The "Troubleshooting Example," presented later in this chapter, shows how you can use information in the DependOnService value entry to determine which services need to be started.

This table lists the services on the example computer that have a value for DependOnServices.

Service

Depends on

Alerter

LanmanWorkstation

Browser

LanmanWorkstation

LanmanServer

LmHosts

ClipSrv

NetDDE

DHCP

Afd

NetBT

TCP/IP

Messenger

LanmanWorkstation

NetBIOS

NetBT

TCP/IP

NetDDE

NetDDEDSDM

NetLogon

LanmanWorkstation

LmHosts

Parallel

Parport

Replicator

LanmanServer

LanmanWorkstation


By knowing the dependencies, you can troubleshoot a problem more effectively. For example, if you stop the Workstation service, the Alerter, Messenger, and Net Logon services are also stopped, because they are dependent upon the Workstation service. If an error occurs when you try to start the Workstation service, any of the files that are part of Workstation service could be missing or corrupt. This is also why, if you start one of the services that depend on Workstation service, the Service Control Manager will automatically start the Workstation service if it is not already running.

ErrorControl Value Entry

This value entry controls whether an error during the startup of this driver will cause the system to switch to the LastKnownGood control set. If the value is 0 (Ignore, no error is reported) or 1 (Normal, error reported), startup proceeds. If the value is 2 (Severe) or 3 (Critical), an error is reported and LastKnownGood control set will be used.

The ErrorControl value for LanmanWorkstation is 0x1, which indicates that if there was an error starting LanmanWorkstation, an error would be logged in the event log, but Windows NT would complete startup.

ImagePath Value Entry

This value entry identifies the path and file name of the driver. You can use My Computer or Windows NT Explorer to verify the existence of the named file. The ImagePath for LanmanWorkstation is %SystemRoot%\System32\Services.exe.

Start Value Entry

This value entry determines when services are loaded during system startup. If a service is not starting, you need to know when and how it should be starting. Then look for the services that should have been loaded prior to this service. The values are described as follows:

Value

Meaning

Description

0

Boot

Loaded by the boot loader (NTLDR or OSLOADER)
during the startup sequence.

1

System

Loaded at Kernel initialization during the load sequence.

2

Auto Load

Loaded or started automatically at system startup.

3

Load On Demand

Driver is manually started by the user or another process.

4

Disabled

Driver is not to be started under any condition. If a driver is accidentally disabled, reset this value by using the Services option in Control Panel. File System drivers are the one exception to the Start value. They are loaded even if they have a start value of 4.


Type Value Entry

The Type value entry helps you know where the service fits in the architecture. These are its possible values:

Value

Description

0x1

Kernel device driver.

0x2

File System driver, which is also a Kernel device driver.

0x4

Set of arguments for an adapter.

0x10

A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself.

0x20

A Win32 service that can share a process with other Win32 services.


Many of the services that have a Type value of 0x20 are part of the Services.exe. For example, if your network protocol is TCP/IP, and you are configured to use a DHCP server to get IP addresses, these services that have a Type value of 0x20 are in the Services.exe:

These services are part of the NETDDE.exe:

Service Groups

Many device drivers are arranged in groups to make startup easier. When device drivers and services are being loaded, Windows NT loads the groups in the order defined by ServiceGroupOrder. The next table shows which drivers are in each group.

Group name

Services

BASE

Beep

KSecDD

Null

Boot Files System

Fastfat

Fs_Rec

Event log

EventLog

Extended Base

Modem
Parallel

Scsiprnt

Serial

File System

Cdfs
Msfs

Npfs

Ntfs

Filter

Cdaudio
Changer

Diskperf
Ftdisk

Simbad

Keyboard Class

Kbdclass

Keyboard Port

i8042prt

NDIS

EE16

NDIS

NetBIOSGroup

NetBIOS

NetDDEGroup

NetDDE

Network

Mup

Rdr

Srv

NetworkProvider

LanmanWorkstation

Parallel Arbitrator

Parport

PCI Configuration

PCIDump

PlugPlay

PlugPlay

Pointer Class

Mouclass

Pointer Port

Busmouse

Inport

Sermouse

Port

none

PNP_TDI

NetBT

Tcpip

Primary Disk

Abiosdsk
Atdisk

Floppy

Sfloppy

RemoteValidation

NetLogon

SCSI CDROM Class

Cdrom

SCSI Class

Disk

Scsiscan

SCSI Miniport

Aha154x
Aha174x
aic78xx
Always
ami0nt
amsint
Arrow
atapi
BusLogic
Cpqarray
dac960nt
dce376nt

Delldsa
DptScsi
dtc329x
Fd16_700
Fd7000ex
Fd8xx
mitsumi
mkecr5xx
Ncr53c9x
Ncrc700
Ncrc710
ncrc810

Oliscsi Ql10wnt slcd32
Sparrow
Spock
T128
T13B
tmv1
Ultra124
Ultra14f Ultra24f
Wd33c93

SpoolerGroup

Spooler

Streams Drivers

none

System Bus Extender

Pcmcia

TDI

Afd

DHCP

Video

Ati
Cirrus
Dell_DGX
Et400
Jazzg30
Jazzg364
Jzvxl484

mga
mga_mil
ncr77c22
psidisp
qv
s3
tga

v7vram
VgaSave
wd90c24a
wdvga
weitekp9
Xga

Video Init

VgaStart

Video Save

VgaSave


Troubleshooting Example

This section describes using information in the DependOnGroup and DependOnService value entries to find the cause of the following error message that you see after you log on.

You can use the Event Viewer to see which services or drivers did not start.

To run Event Viewer

1. Click the Start button

2. Click Programs

3. Click Administrative Tools (Common)

4. Double-click Event Viewer

5. If the screen is displaying a log other than System Log, on the Log menu, click System

The event log shows the following entries.

Sometimes, as you can see by the preceding System Log screen shot, several events are logged at approximately the same time. In this example, the newest event is entered at the top. Usually, if you look at the oldest event, you will find the reason that all of the events are logged. In this example, the fourth entry from the top was the first one logged at 1:41:24. Double-clicking on it results in this event detail.

But you look in the Registry there is no subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Workstation. How do you find it? You have two methods that you can use.

You can use Regedit.exe to find the name anywhere in the control set.

To use Regedit.exe to find the Workstation service

1. Click the Start button.

2. Click Run, and enter Regedit.exe.

3. Double-click HKEY_LOCAL_MACHINE, double-click SYSTEM, double-click CurrentControlSet, and click Services.

4. On the Edit menu, click Find.

5. In the Find what box, enter Workstation and check the Keys and Data checkboxes. Clear Match whole string only.

6. Click Find.

7. If the match is not what you are looking for, on the Edit menu, click Find Next until you find the correct key.

If you think that the service name is part of the key name, you can use the Windows NT Registry Editor.

To use Regedt32.exe to find the Workstation service

1. Click the Start button.

2. Click Run, and enter Regedt32.exe.

3. Double-click HKEY_LOCAL_MACHINE, double-click SYSTEM, double-click CurrentControlSet, and click Services.

4. On the View menu, click Find key.

5. In the Find what box, enter Workstation. Clear Match whole word only and Match case.

6. Click Find Next.

Both Registry editors find a match on the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation. The DisplayName value entry contains the name that you see when you use the Services icon in Control Panel, or the Services tab in the Windows NT Diagnostics administrative tool, to view information about services.

Therefore, this subkey is the one you are searching for. Its Start value is 0x4, which means it is disabled. It should be set to 0x2, which indicates it would start automatically when you start Windows NT.

As it turns out, you specifically disabled the Workstation service by using the Services icon in Control Panel and setting the Startup Type to Disabled. The computer was restarted to see what happened.

But what about the other errors that are in the event log? If you double-click each of the first three entries, you find the following descriptions:


The Messenger service depends on the Workstation service which 
failed to start because of the following error. The specified service is disabled and cannot be started. The Computer Browser service depends on the TCP/IP NetBIOS
Helper service which failed to start because of the following error. The dependency group or service failed to start. The TCP/IP NetBIOS Helper service depends on the NetworkProvider
group and no member of this group started.

Changing the LanmanWorkstation service to start automatically will solve the problem with the Messenger service failing to start.

The Computer Browser and TCP/IP NetBIOS errors are both the result of no member of the NetworkProvider group starting. How do you find what services are in the NetworkProvider group? Regedt32.exe doesn't have an option to search for data, so you can use the Regedit.exe to find the NetworkProvider group.

To use Regedit.exe to find the NetworkProvider group

1. Click the Start button.

2. Click Run, and enter Regedit.exe.

3. Double-click HKEY_LOCAL_MACHINE, double-click SYSTEM, double-click CurrentControlSet, and click Services.

4. On the Edit menu, click Find.

5. In the Find what box, enter NetworkProvider and check the Data checkbox.

6. Click Find Next.

The only subkey that has a Group value of NetworkProvider is LanmanWorkstation. Changing LanmanWorkstation to start automatically will also solve these problem.