Tuesday, September 14, 2010

User Account Control in Windows 7 Best Practices

Applies To: Windows 7, Windows Server 2008 R2
Note
This document contains detailed information about User Account Control (UAC) in Windows 7 for the IT professional. If you need help and how-to information for using User Account Control in Windows 7 at home, see the following:

This document provides additional information about UAC that can help IT professionals develop UAC best practices for their Windows 7 and Windows Server 2008 R2 environments. This document does not include comprehensive information for administering UAC.

Do not disable UAC

It is recommended that UAC prompting not be turned off in Group Policy settings or by changing the slider setting.
Although the elevation prompt is the most visible part of UAC, UAC also provides the underlying components that allow for increased security with a minimal amount of disruption, especially for standard users. Two of these benefits include:
  • Protected Mode in Internet Explorer
  • File and registry virtualization
If UAC is disabled to avoid the elevation prompt, all UAC functionality is disabled. Instead, consider configuring UAC to elevate without prompting. In this case, applications that have been marked as administrator applications, as well as setup applications, will automatically run with the full administrator access token. All other applications will automatically run with the standard user token. The additional functionality of UAC is maintained.

The UAC slider in the enterprise

  • The slider setting on each Windows 7 client computer is derived from Group Policy.
  • Standard users can view and change the slider settings only by providing the credentials for a local administrator account in the User Account Control credential prompt.
  • Users that are running as a local administrator receive a consent prompt when viewing or changing the slider settings.
  • Turning UAC off in Group Policy or setting the slider to Never notify requires a restart, which refreshes and reapplies Group Policy settings.
The following table provides equivalent Group Policy settings for each slider setting. Refer to the Configure UAC Group Policy settings section for information and recommendations about the Group Policy settings.

Slider setting: Always notify
Equivalent Group Policy settings:
  • The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent on the secure desktop.
  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.

Slider setting: Notify only when programs try to make changes to the computer (default)
Equivalent Group Policy settings:
  • The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries.
  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled.

Slider setting: Notify only when programs try to make changes to the computer (without secure desktop)
Equivalent Group Policy settings:
  • The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries.
  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled.
  • The Behavior of the elevation prompt for standard users policy setting is set to Prompt for credentials.

Slider setting: Never notify
Note
This setting requires a restart to take effect.
Equivalent Group Policy settings:
  • The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Elevate without prompting.
  • The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled.
  • The User Account Control: Run all administrators in Admin Approval Mode policy setting is disabled.
  • UAC is disabled.

Use standard user accounts

Users should always run as standard users with the following exceptions:
Make the primary user account a standard user account. For users who are allowed to perform administrative tasks on their client computers, create a local administrator account for performing those administrative tasks. When a user is logged on as a standard user and attempts to perform an administrative task, the credential prompt is presented. The user must enter an administrator user name and password, and then click Yes to perform the task.
When users are logged on as standard users and need to perform administrative tasks, they can also quickly switch between the two accounts by using the Fast User Switching feature. Fast User Switching is a feature in Windows that allows a user to switch to a different user account without closing programs or files first. The user can quickly transition to the administrator account without disrupting their current activities.

To switch users without logging off

  1. Click Start, and then click the arrow to the right of the Shut down button.
  2. Click Switch user.
  3. Click the user account that you want to use.
    Important
    Although it is not necessary to close programs or files before switching users, it is a good idea to save any open files before switching users. If the user switches to a second user and the second user shuts down the computer, any unsaved changes made by the first user may be lost.

Configure UAC Group Policy settings

There are 10 Group Policy settings that control the behavior of UAC. As a best practice, configure UAC Group Policy settings appropriately for your environment. The following table describes best practices for the UAC Group Policy settings.

User Account Control: Admin Approval Mode for the built-in Administrator account
Default: Disabled
Best practice: When this policy setting is disabled, it is the equivalent of Never notify on the slider when a user is logged on as the built-in administrator.
While using the built-in administrator account is not recommended, if it is used, this policy setting should be enabled so that the user receives a UAC prompt. Disable this policy setting only when there are critical legacy applications that are not UAC compliant and that cannot be fixed with any other solution. For information about how to fix application compatibility issues, see User Account Control: Planning and Deploying Application Compatibility Databases for Windows 7 (http://go.microsoft.com/fwlink/?LinkID=148442).

User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
Default: Disabled
Best practice: When this policy setting is disabled, the elevation prompt is displayed on the secure desktop. If you plan to use the Remote Assistance feature, this policy setting should be enabled. If the policy setting is not enabled, the remote assistant receives a blank screen when the elevation prompt is displayed on the secure desktop of the remote computer.

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Default: Prompt for consent for non-Windows binaries
Best practice: The default setting (Prompt for consent for non-Windows binaries) only prompts for consent to run non-Windows executable files and applications.
The Prompt for consent setting is recommended in a less secure environment where credentials are not required.
The Prompt for credentials setting is recommended in high security environments where credentials are required but the additional security of the secure desktop is not required.
The Prompt for consent on the secure desktop setting is recommended in less secure environments where credentials are not required but the additional security of the secure desktop is required.
Note
Some issues with video drivers can result in a delay when switching to the secure desktop.

The Prompt for credentials on the secure desktop setting is recommended in high security environments where credentials and the additional security of the secure desktop are required.
Note
Some issues with video drivers can result in a delay when switching to the secure desktop.

The Elevate without prompting setting turns UAC off. This setting should be used only on a domain controller or server for advanced users or server administrators. This setting should not be applied to a client computer.
Note
Users should not use the Internet when this setting is applied.

User Account Control: Behavior of the elevation prompt for standard users
Default: Prompt for credentials on the secure desktop
Best practice: The default setting (Prompt for credentials on the secure desktop) allows standard users to perform tasks that require elevation of privilege by presenting the credential prompt on the secure desktop. The user must provide valid credentials to continue. This setting is not recommended for managed environments. The Automatically deny elevation requests setting is recommended for managed environments. Elevations are automatically denied, and a configurable access denied message is displayed.

User Account Control: Detect application installations and prompt for elevation
Default: Enabled (home); Disabled (enterprise)
Best practice: This policy setting should be disabled if you have standard users and use Group Policy Software Installation or Microsoft System Center Configuration Manager to deploy applications. When this policy setting is disabled, application installation package detection does not occur.

User Account Control: Only elevate executables that are signed and validated
Default: Disabled
Best practice: If there are applications in your environment that are not signed and validated, this policy setting should not be enabled. When this policy setting is enabled, only signed applications and other executable files are permitted to run. Depending on the behavior of the elevation prompt settings for the user account, a consent or credential prompt is presented.

User Account Control: Only elevate UIAccess applications that are installed in secure locations
Default: Enabled
Best practice: When this policy setting is enabled, only UIAccess applications that are installed in secure locations in the file system are allowed to run. Secure locations are limited to:
  • Program Files\, including subfolders
  • Windows\System32\
  • Program Files (x86)\, including subfolders (for 64-bit versions)
This is the recommended setting.

User Account Control: Run all administrators in Admin Approval Mode
Default: Enabled
Best practice: This policy setting must be enabled and related UAC policy settings must be set appropriately to allow the built-in Administrator account and all other user accounts that are members of the Administrators group to run in Admin Approval Mode.
When disabled, Admin Approval Mode and all related UAC policy settings are disabled.
Note
If this policy setting is disabled, the Security Center notifies the user that the overall security of the operating system is reduced.

User Account Control: Switch to the secure desktop when prompting for elevation
Default: Enabled
Best practice: Prompt behavior policy settings are used for administrators and standard users to determine whether the elevation prompt is presented on the interactive desktop or the secure desktop.
When this policy setting is enabled, all elevation requests are presented on the secure desktop regardless of the prompt behavior settings for administrators and standard users. Users must respond to the prompt before they can continue. This setting is not recommended for managed environments.
When this policy setting is disabled, requests for privilege elevation are allowed to go to the interactive desktop. Prompt behavior policy settings for administrators and standard users are used. The prompt remains on the interactive desktop until the user responds to it, but the user can continue working without responding to the prompt.

User Account Control: Virtualize file and registry write failures to per-user locations
Default: Enabled
Best practice: When this policy setting is enabled, application write failures are redirected at run time to defined user locations. Enable this policy setting in environments where legacy applications need to run as if they were running in Windows XP.
When this policy setting is disabled, applications that attempt to write in privileged resources, such as the Program Files folder, fail. Disable this policy setting in environments where file and registry virtualization is not required.
For more information about UAC Group Policy settings, see User Account Control in Windows 7 Technical Reference (http://go.microsoft.com/fwlink/?LinkID=146195).
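The following PowerShell script is an added example, not part of the TechNet document: it maps the UAC policy values on a computer back to the slider table earlier in this post and checks them against the best practices in the Group Policy table above. The registry value names under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and their numeric meanings are assumed from general Windows knowledge, not taken from this page, and the sample values at the end are constructed.

```powershell
# Added example (not from the TechNet document). Registry value names and
# numeric meanings are assumed from general Windows knowledge of the UAC
# policy store; they do not appear on the page itself.
$UacPolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each of the 10 Group Policy settings in the table and its backing registry value.
$UacValueNames = @{
    FilterAdministratorToken    = 'Admin Approval Mode for the built-in Administrator account'
    EnableUIADesktopToggle      = 'Allow UIAccess applications to prompt for elevation without using the secure desktop'
    ConsentPromptBehaviorAdmin  = 'Behavior of the elevation prompt for administrators in Admin Approval Mode'
    ConsentPromptBehaviorUser   = 'Behavior of the elevation prompt for standard users'
    EnableInstallerDetection    = 'Detect application installations and prompt for elevation'
    ValidateAdminCodeSignatures = 'Only elevate executables that are signed and validated'
    EnableSecureUIAPaths        = 'Only elevate UIAccess applications that are installed in secure locations'
    EnableLUA                   = 'Run all administrators in Admin Approval Mode'
    PromptOnSecureDesktop       = 'Switch to the secure desktop when prompting for elevation'
    EnableVirtualization        = 'Virtualize file and registry write failures to per-user locations'
}

function Get-UacSliderLevel {
    param([hashtable]$Values)
    # Reproduce the slider table: which slider position these policy values amount to.
    # ConsentPromptBehaviorAdmin: 0 = Elevate without prompting, 2 = Prompt for consent on the
    # secure desktop, 5 = Prompt for consent for non-Windows binaries (assumed numeric meanings).
    if ($Values.EnableLUA -eq 0) { return 'Never notify (UAC disabled)' }
    switch ($Values.ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify (elevate without prompting)' }
        2 { if ($Values.PromptOnSecureDesktop -eq 1) { return 'Always notify' } }
        5 {
            if ($Values.PromptOnSecureDesktop -eq 1) { return 'Notify only when programs try to make changes (default)' }
            return 'Notify only when programs try to make changes (without secure desktop)'
        }
    }
    return 'No slider equivalent (custom Group Policy combination)'
}

function Test-UacBestPractice {
    param([hashtable]$Values, [switch]$ManagedEnvironment)
    # Emit one finding per deviation from the best practices in the table above.
    $findings = New-Object System.Collections.Generic.List[string]
    if ($Values.EnableLUA -ne 1) {
        $findings.Add('Run all administrators in Admin Approval Mode is disabled: UAC, Protected Mode IE and file/registry virtualization are all off')
    }
    if ($Values.ConsentPromptBehaviorAdmin -eq 0) {
        $findings.Add('Administrators elevate without prompting: acceptable only on a domain controller or server, never on a client computer')
    }
    if ($Values.FilterAdministratorToken -ne 1) {
        $findings.Add('Built-in Administrator account runs without Admin Approval Mode (equivalent to Never notify for that account if it is used)')
    }
    if ($Values.EnableSecureUIAPaths -ne 1) {
        $findings.Add('UIAccess applications may elevate from outside the secure locations (Program Files, Windows\System32)')
    }
    if ($ManagedEnvironment) {
        # ConsentPromptBehaviorUser 0 = Automatically deny elevation requests (assumed numeric meaning).
        if ($Values.ConsentPromptBehaviorUser -ne 0) {
            $findings.Add('Standard-user elevation requests are not automatically denied (recommended for managed environments)')
        }
        if ($Values.EnableInstallerDetection -ne 0) {
            $findings.Add('Installer detection is enabled; disable it when applications are deployed with GP Software Installation or Configuration Manager')
        }
    }
    return $findings
}

function Get-UacPolicyValues {
    # Read the live values from the local machine (Windows only).
    $props  = Get-ItemProperty -Path $UacPolicyPath
    $values = @{}
    foreach ($name in $UacValueNames.Keys) {
        $values[$name] = $props.$name   # $null when the value has never been set, so the OS default applies
    }
    return $values
}

# Constructed sample: a client whose slider was dragged to Never notify.
$sample = @{
    EnableLUA = 0; ConsentPromptBehaviorAdmin = 0; PromptOnSecureDesktop = 0
    ConsentPromptBehaviorUser = 3; FilterAdministratorToken = 0; EnableInstallerDetection = 1
    ValidateAdminCodeSignatures = 0; EnableSecureUIAPaths = 1; EnableUIADesktopToggle = 0; EnableVirtualization = 1
}
"Slider equivalent: $(Get-UacSliderLevel -Values $sample)"
Test-UacBestPractice -Values $sample -ManagedEnvironment | ForEach-Object { "FINDING: $_" }

# Against the local machine, replace $sample with: $live = Get-UacPolicyValues
```

Values read through Get-UacPolicyValues reflect the effective registry state, which is what Group Policy writes; a $null result for a value means the operating system default from the table applies.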

Windows 7: Troubleshooting and Support

Known Issues

For a list of the known issues in Windows 7 and their workarounds, see Release Notes: Important Issues in Windows 7 and Things to Know About Windows 7.

General Troubleshooting

For troubleshooting Windows 7 issues, see the Windows 7 forums at Microsoft TechNet Forums.
For help troubleshooting general Windows issues, see the information in the Microsoft Product Solutions Centers.

Troubleshooting Events and Errors

For information on troubleshooting specific Windows 7 system events and errors, see the following:
  • Events and Errors (describes how the error and event troubleshooting information is organized)
  • Core Operating System (covers Display Drivers, Plug and Play Devices, Name resolution for peer communication, and Service Control Manager)
  • File Services (covers technologies that help manage storage, perform backup and recovery tasks, enable file replication, manage shared folders, and enable access for UNIX client computers)
  • Core Security (covers system security functionality, such as authentication, authorization, and access control features, built into the Windows operating system, e.g., BitLocker Drive Encryption, CryptoAPI 2.0, Code Integrity, Kerberos protocol, Software Restriction Policies, and Windows Initialization)
  • Management Infrastructure (covers system performance, scheduled tasks, remote management)
  • Reliability Infrastructure (covers operating system components that support reliability monitoring and diagnosis)
  • Setup Infrastructure (covers installation of optional components, packages, and language packs)
  • Windows Firewall with Advanced Security (covers the Windows components that help protect your computer from unwanted network traffic)
  • Networking (covers the Windows networking components)
  • Printing Infrastructure (covers print devices and printing infrastructure)
  • Windows Update (covers the component that runs on each client computer and checks for availability of updates)

Wednesday, September 8, 2010

Function of a Computer

A general purpose computer has four main components: the arithmetic logic unit (ALU), the control unit, the memory, and the input and output devices (collectively termed I/O). These parts are interconnected by busses, often made of groups of wires.
Inside each of these parts are thousands to trillions of small electrical circuits which can be turned off or on by means of an electronic switch. Each circuit represents a bit (binary digit) of information so that when the circuit is on it represents a "1", and when off it represents a "0" (in positive logic representation). The circuits are arranged in logic gates so that one or more of the circuits may control the state of one or more of the other circuits.
The control unit, ALU, registers, and basic I/O (and often other hardware closely linked with these) are collectively known as a central processing unit (CPU). Early CPUs were composed of many separate components but since the mid-1970s CPUs have typically been constructed on a single integrated circuit called a microprocessor.

Control unit

Diagram showing how a particular MIPS architecture instruction would be decoded by the control system.
The control unit (often called a control system or central controller) manages the computer's various components; it reads and interprets (decodes) the program instructions, transforming them into a series of control signals which activate other parts of the computer.[22] Control systems in advanced computers may change the order of some instructions so as to improve performance.
A key component common to all CPUs is the program counter, a special memory cell (a register) that keeps track of which location in memory the next instruction is to be read from.
The control system's function is as follows—note that this is a simplified description, and some of these steps may be performed concurrently or in a different order depending on the type of CPU:
  1. Read the code for the next instruction from the cell indicated by the program counter.
  2. Decode the numerical code for the instruction into a set of commands or signals for each of the other systems.
  3. Increment the program counter so it points to the next instruction.
  4. Read whatever data the instruction requires from cells in memory (or perhaps from an input device). The location of this required data is typically stored within the instruction code.
  5. Provide the necessary data to an ALU or register.
  6. If the instruction requires an ALU or specialized hardware to complete, instruct the hardware to perform the requested operation.
  7. Write the result from the ALU back to a memory location or to a register or perhaps an output device.
  8. Jump back to step (1).
Since the program counter is (conceptually) just another set of memory cells, it can be changed by calculations done in the ALU. Adding 100 to the program counter would cause the next instruction to be read from a place 100 locations further down the program. Instructions that modify the program counter are often known as "jumps" and allow for loops (instructions that are repeated by the computer) and often conditional instruction execution (both examples of control flow).
It is noticeable that the sequence of operations that the control unit goes through to process an instruction is in itself like a short computer program—and indeed, in some more complex CPU designs, there is another yet smaller computer called a microsequencer that runs a microcode program that causes all of these events to happen.

Arithmetic/logic unit (ALU)

The ALU is capable of performing two classes of operations: arithmetic and logic.
The set of arithmetic operations that a particular ALU supports may be limited to adding and subtracting or might include multiplying or dividing, trigonometry functions (sine, cosine, etc.) and square roots. Some can only operate on whole numbers (integers) whilst others use floating point to represent real numbers—albeit with limited precision. However, any computer that is capable of performing just the simplest operations can be programmed to break down the more complex operations into simple steps that it can perform. Therefore, any computer can be programmed to perform any arithmetic operation—although it will take more time to do so if its ALU does not directly support the operation. An ALU may also compare numbers and return boolean truth values (true or false) depending on whether one is equal to, greater than or less than the other ("is 64 greater than 65?").
Logic operations involve Boolean logic: AND, OR, XOR and NOT. These can be useful both for creating complicated conditional statements and processing boolean logic.
Superscalar computers may contain multiple ALUs so that they can process several instructions at the same time. Graphics processors and computers with SIMD and MIMD features often provide ALUs that can perform arithmetic on vectors and matrices.

Memory

Magnetic core memory was the computer memory of choice throughout the 1960s, until it was replaced by semiconductor memory.
A computer's memory can be viewed as a list of cells into which numbers can be placed or read. Each cell has a numbered "address" and can store a single number. The computer can be instructed to "put the number 123 into the cell numbered 1357" or to "add the number that is in cell 1357 to the number that is in cell 2468 and put the answer into cell 1595". The information stored in memory may represent practically anything. Letters, numbers, even computer instructions can be placed into memory with equal ease. Since the CPU does not differentiate between different types of information, it is the software's responsibility to give significance to what the memory sees as nothing but a series of numbers.
In almost all modern computers, each memory cell is set up to store binary numbers in groups of eight bits (called a byte). Each byte is able to represent 256 different numbers (2^8 = 256); either from 0 to 255 or −128 to +127. To store larger numbers, several consecutive bytes may be used (typically, two, four or eight). When negative numbers are required, they are usually stored in two's complement notation. Other arrangements are possible, but are usually not seen outside of specialized applications or historical contexts. A computer can store any kind of information in memory if it can be represented numerically. Modern computers have billions or even trillions of bytes of memory.
The CPU contains a special set of memory cells called registers that can be read and written to much more rapidly than the main memory area. There are typically between two and one hundred registers depending on the type of CPU. Registers are used for the most frequently needed data items to avoid having to access main memory every time data is needed. As data is constantly being worked on, reducing the need to access main memory (which is often slow compared to the ALU and control units) greatly increases the computer's speed.
Computer main memory comes in two principal varieties: random-access memory or RAM and read-only memory or ROM. RAM can be read and written to anytime the CPU commands it, but ROM is pre-loaded with data and software that never changes, so the CPU can only read from it. ROM is typically used to store the computer's initial start-up instructions. In general, the contents of RAM are erased when the power to the computer is turned off, but ROM retains its data indefinitely. In a PC, the ROM contains a specialized program called the BIOS that orchestrates loading the computer's operating system from the hard disk drive into RAM whenever the computer is turned on or reset. In embedded computers, which frequently do not have disk drives, all of the required software may be stored in ROM. Software stored in ROM is often called firmware, because it is notionally more like hardware than software. Flash memory blurs the distinction between ROM and RAM, as it retains its data when turned off but is also rewritable. It is typically much slower than conventional ROM and RAM however, so its use is restricted to applications where high speed is unnecessary.
In more sophisticated computers there may be one or more RAM cache memories which are slower than registers but faster than main memory. Generally computers with this sort of cache are designed to move frequently needed data into the cache automatically, often without the need for any intervention on the programmer's part.

Input/output (I/O)

Hard disk drives are common storage devices used with computers.
I/O is the means by which a computer exchanges information with the outside world. Devices that provide input or output to the computer are called peripherals. On a typical personal computer, peripherals include input devices like the keyboard and mouse, and output devices such as the display and printer. Hard disk drives, floppy disk drives and optical disc drives serve as both input and output devices. Computer networking is another form of I/O.
Often, I/O devices are complex computers in their own right with their own CPU and memory. A graphics processing unit might contain fifty or more tiny computers that perform the calculations necessary to display 3D graphics. Modern desktop computers contain many smaller computers that assist the main CPU in performing I/O.

Multitasking

While a computer may be viewed as running one gigantic program stored in its main memory, in some systems it is necessary to give the appearance of running several programs simultaneously. This is achieved by multitasking i.e. having the computer switch rapidly between running each program in turn.
One means by which this is done is with a special signal called an interrupt which can periodically cause the computer to stop executing instructions where it was and do something else instead. By remembering where it was executing prior to the interrupt, the computer can return to that task later. If several programs are running "at the same time", then the interrupt generator might be causing several hundred interrupts per second, causing a program switch each time. Since modern computers typically execute instructions several orders of magnitude faster than human perception, it may appear that many programs are running at the same time even though only one is ever executing in any given instant. This method of multitasking is sometimes termed "time-sharing" since each program is allocated a "slice" of time in turn.
Before the era of cheap computers, the principal use for multitasking was to allow many people to share the same computer.
Seemingly, multitasking would cause a computer that is switching between several programs to run more slowly — in direct proportion to the number of programs it is running. However, most programs spend much of their time waiting for slow input/output devices to complete their tasks. If a program is waiting for the user to click on the mouse or press a key on the keyboard, then it will not take a "time slice" until the event it is waiting for has occurred. This frees up time for other programs to execute so that many programs may be run at the same time without unacceptable speed loss.

Multiprocessing

Cray designed many supercomputers that used multiprocessing heavily.
Some computers are designed to distribute their work across several CPUs in a multiprocessing configuration, a technique once employed only in large and powerful machines such as supercomputers, mainframe computers and servers. Multiprocessor and multi-core (multiple CPUs on a single integrated circuit) personal and laptop computers are now widely available, and are being increasingly used in lower-end markets as a result.
Supercomputers in particular often have highly unique architectures that differ significantly from the basic stored-program architecture and from general purpose computers. They often feature thousands of CPUs, customized high-speed interconnects, and specialized computing hardware. Such designs tend to be useful only for specialized tasks due to the large scale of program organization required to successfully utilize most of the available resources at once. Supercomputers usually see usage in large-scale simulation, graphics rendering, and cryptography applications, as well as with other so-called "embarrassingly parallel" tasks.

Networking and the Internet

Visualization of a portion of the routes on the Internet.
Computers have been used to coordinate information between multiple locations since the 1950s. The U.S. military's SAGE system was the first large-scale example of such a system, which led to a number of special-purpose commercial systems like Sabre.
In the 1970s, computer engineers at research institutions throughout the United States began to link their computers together using telecommunications technology. This effort was funded by ARPA (now DARPA), and the computer network that it produced was called the ARPANET. The technologies that made the Arpanet possible spread and evolved.
In time, the network spread beyond academic and military institutions and became known as the Internet. The emergence of networking involved a redefinition of the nature and boundaries of the computer. Computer operating systems and applications were modified to include the ability to define and access the resources of other computers on the network, such as peripheral devices, stored information, and the like, as extensions of the resources of an individual computer. Initially these facilities were available primarily to people working in high-tech environments, but in the 1990s the spread of applications like e-mail and the World Wide Web, combined with the development of cheap, fast networking technologies like Ethernet and ADSL saw computer networking become almost ubiquitous. In fact, the number of computers that are networked is growing phenomenally. A very large proportion of personal computers regularly connect to the Internet to communicate and receive information. "Wireless" networking, often utilizing mobile phone networks, has meant networking is becoming increasingly ubiquitous even in mobile computing environments.

What is Computer

A computer is a programmable machine that receives input, stores and manipulates data/information, and provides output in a useful format.

While a computer can, in theory, be made out of almost anything (see misconceptions section), and mechanical examples of computers have existed through much of recorded human history, the first electronic computers were developed in the mid-20th century (1940–1945). Originally, they were the size of a large room, consuming as much power as several hundred modern personal computers (PCs).[1] Modern computers based on integrated circuits are millions to billions of times more capable than the early machines, and occupy a fraction of the space.[2] Simple computers are small enough to fit into mobile devices, and can be powered by a small battery. Personal computers in their various forms are icons of the Information Age and are what most people think of as "computers". However, the embedded computers found in many devices from MP3 players to fighter aircraft and from toys to industrial robots are the most numerous.

Misconceptions

A computer does not need to be electric, nor even have a processor, nor RAM, nor even hard disk. The minimal definition of a computer is anything that transforms information in a purposeful way.


Computational systems as flexible as a personal computer can be built out of almost anything. For example, a computer can be made out of billiard balls (billiard ball computer); this is an unintuitive and pedagogical example that a computer can be made out of almost anything. More realistically, modern computers are made out of transistors made of photolithographed semiconductors.

Historically, computers evolved from mechanical computers, then vacuum-tube computers, and eventually transistor-based computers.

There is active research to make computers out of many promising new types of technology, such as optical computing, DNA computers, neural computers, and quantum computers. Some of these can easily tackle problems that modern computers cannot (such as how quantum computers can break some modern encryption algorithms by quantum factoring).
Computer architecture paradigms

Some different paradigms of how to build a computer from the ground-up:

RAM machines
    These are the types of computers with a CPU, computer memory, etc., which understand basic instructions in a machine language. The concept evolved from the Turing machine.
Brains
    Brains are massively parallel processors made of neurons, wired in intricate patterns, that communicate via electricity and neurotransmitter chemicals.
Programming languages
    Such as the lambda calculus, or modern programming languages, are virtual computers built on top of other computers.
Cellular automata
    For example, the game of Life can create "gliders" and "loops" and other constructs that transmit information; this paradigm can be applied to DNA computing, chemical computing, etc.
Groups and committees
    The linking of multiple computers (brains) is itself a computer.

Logic gates are a common abstraction which can apply to most of the above digital or analog paradigms.

The ability to store and execute lists of instructions called programs makes computers extremely versatile, distinguishing them from calculators. The Church–Turing thesis is a mathematical statement of this versatility: any computer with a certain minimum capability (being Turing-complete) is, in principle, capable of performing the same tasks that any other computer can perform. Therefore, any type of computer (netbook, supercomputer, cellular automaton, etc.) is able to perform the same computational tasks, given enough time and storage capacity.

Limited-function computers


Conversely, a computer which is limited in function (one that is not "Turing-complete") cannot simulate arbitrary things. For example, a simple four-function calculator cannot simulate a real computer without human intervention. As a more complicated example, without the ability to program a gaming console, it can never accomplish what a programmable calculator from the 1990s could (given enough time); the system as a whole is not Turing-complete, even though it contains a Turing-complete component (the microprocessor). Living organisms (the body, not the brain) are also limited-function computers designed to make copies of themselves; they cannot be reprogrammed without genetic engineering.

Virtual computers

A "computer" is commonly considered to be a physical device. However, one can create a computer program which describes how to run a different computer, i.e. "simulating a computer in a computer". Not only is this a constructive proof of the Church–Turing thesis, but it is also extremely common in all modern computers. For example, some programming languages use something called an interpreter, which is a simulated computer built on top of the basic computer; this allows programmers to write code (computer input) in a different language than the one understood by the base computer (the alternative is to use a compiler). Additionally, virtual machines are simulated computers which virtually replicate a physical computer in software, and are very commonly used by IT. Virtual machines are also a common technique used to create emulators, such as game console emulators.

Monday, September 6, 2010

Description About Computer Management


Event Viewer:
In Windows XP, an event is any significant occurrence in the system or in a program that requires users to be notified, or an entry added to a log. The Event Log Service records application, security, and system events in Event Viewer. With the event logs in Event Viewer, you can obtain information about your hardware, software, and system components, and monitor security events on a local or remote computer. Event logs can help you identify and diagnose the source of current system problems, or help you predict potential system problems.

Event Log Types

A Windows XP-based computer records events in the following three logs:
  • Application log

    The application log contains events logged by programs. For example, a database program may record a file error in the application log. Events that are written to the application log are determined by the developers of the software program.
  • Security log

    The security log records events such as valid and invalid logon attempts, as well as events related to resource use, such as the creating, opening, or deleting of files. For example, when logon auditing is enabled, an event is recorded in the security log each time a user attempts to log on to the computer. You must be logged on as Administrator or as a member of the Administrators group in order to turn on, use, and specify which events are recorded in the security log.
  • System log

    The system log contains events logged by Windows XP system components. For example, if a driver fails to load during startup, an event is recorded in the system log. Windows XP predetermines the events that are logged by system components.

How to View Event Logs

To open Event Viewer, follow these steps:
  1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
  2. In the console tree, click Event Viewer.

    The Application, Security, and System logs are displayed in the Event Viewer window.

How to View Event Details

To view the details of an event, follow these steps:
  1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
  2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
  3. In the details pane, double-click the event that you want to view.

    The Event Properties dialog box containing header information and a description of the event is displayed.

    To copy the details of the event, click the Copy button, then open a new document in the program in which you want to paste the event (for example, Microsoft Word), and then click Paste on the Edit menu.

    To view the description of the previous or next event, click the UP ARROW or DOWN ARROW.

How to Interpret an Event

Each log entry is classified by type, and contains header information, and a description of the event.

Event Header

The event header contains the following information about the event:
  • Date

    The date the event occurred.
  • Time

    The time the event occurred.
  • User

    The user name of the user that was logged on when the event occurred.
  • Computer

    The name of the computer where the event occurred.
  • Event ID

    An event number that identifies the event type. The Event ID can be used by product support representatives to help understand what occurred in the system.
  • Source

    The source of the event. This can be the name of a program, a system component, or an individual component of a large program.
  • Type

    The type of event. This can be one of the following five types: Error, Warning, Information, Success Audit, or Failure Audit.
  • Category

    A classification of the event by the event source. This is primarily used in the security log.

Event Types

The description of each event that is logged depends on the type of event. Each event in a log can be classified into one of the following types:
  • Information

    An event that describes the successful operation of a task, such as an application, driver, or service. For example, an Information event is logged when a network driver loads successfully.
  • Warning

    An event that is not necessarily significant, however, may indicate the possible occurrence of a future problem. For example, a Warning message is logged when disk space starts to run low.
  • Error

    An event that describes a significant problem, such as the failure of a critical task. Error events may involve data loss or loss of functionality. For example, an Error event is logged if a service fails to load during startup.
  • Success Audit (Security log)

    An event that describes the successful completion of an audited security event. For example, a Success Audit event is logged when a user logs on to the computer.
  • Failure Audit (Security log)

    An event that describes an audited security event that did not complete successfully. For example, a Failure Audit may be logged when a user cannot access a network drive.

How to Find Events in a Log

The default view of an event log lists all of its entries. If you want to find a specific event, or view a subset of events, you can either search the log, or you can apply a filter to the log data.

How to Search for a Specific Log Event

To search for a specific log event, follow these steps:
  1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
  2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
  3. On the View menu, click Find.
  4. Specify the options for the event that you want to view in the Find dialog box, and then click Find Next.
The event that matches your search criteria is highlighted in the details pane. Click Find Next to locate the next occurrence of an event as defined by your search criteria.

How to Filter Log Events

To filter log events, follow these steps:
  1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
  2. In the console tree, expand Event Viewer, and then click the log that contains the event that you want to view.
  3. On the View menu, click Filter.
  4. Click the Filter tab (if it is not already selected).
  5. Specify the filter options that you want, and then click OK.
Only events that match your filter criteria are displayed in the details pane.

To return the view to display all log entries, click Filter on the View menu, and then click Restore Defaults.

How to Manage Log Contents

By default, the initial maximum size of a log is 512 KB, and when this size is reached, new events overwrite older events as needed. Depending on your requirements, you can change these settings, or clear a log of its contents. For the security log in particular, a small overwrite-as-needed log can be flushed by an intruder who generates enough noise events, so raise the maximum size and archive the log regularly before it fills.

How to Set Log Size and Overwrite Options

To specify log size and overwrite options, follow these steps:
  1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
  2. In the console tree, expand Event Viewer, right-click the log in which you want to set size and overwrite options, and then click Properties.
  3. Under Log size, type the size that you want in the Maximum log size box.
  4. Under When maximum log size is reached, click the overwrite option that you want.
  5. If you want to clear the log contents, click Clear Log.
  6. Click OK.

How to Archive a Log

If you want to save your log data, you can archive event logs in any of the following formats:
  • Log-file format (.evt)
  • Text-file format (.txt)
  • Comma-delimited text-file format (.csv)
To archive a log, follow these steps:
  1. Click Start, and then click Control Panel. Click Performance and Maintenance, then click Administrative Tools, and then double-click Computer Management. Or, open the MMC containing the Event Viewer snap-in.
  2. In the console tree, expand Event Viewer, right-click the log that you want to archive, and then click Save Log File As.
  3. Specify a file name and location where you want to save the file. In the Save as type box, click the format that you want, and then click Save.
The log file is saved in the format that you specified.
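The procedures above (filtering the Security log, setting its size and overwrite behaviour, and archiving it) can all be scripted. The following is an added example for this page, not code from the original article or from Microsoft. It assumes an elevated Windows PowerShell 2.0 or later session on Windows 7 or Windows Server 2008 R2; the event ID 4625 and the EventData field names it reads are the Vista-and-later values for a failed logon (Windows XP records the same condition as ID 529), and the folder C:\Logs and the 128 MB size are this example's choices.

```powershell
# Added example (not part of the original article): work with the Security log
# from Windows PowerShell instead of clicking through Event Viewer. Assumes an
# elevated Windows PowerShell 2.0+ session on Windows 7 / Server 2008 R2 (the
# Security log is readable only by administrators, as the article states).
# Event ID 4625 and the EventData field names are the Vista-and-later values
# for a failed logon; Windows XP logs the same condition as ID 529.

function Get-FailedLogonSummary {
    # Equivalent of View > Filter on the Security log for Failure Audit events,
    # summarised by account and source address so a password-guessing run
    # stands out from isolated typos.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # -FilterHashtable filters inside the event log service, which is far
    # cheaper than piping the whole log through Where-Object.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue   # "no events found" is an error; treat as none

    $rows = $events | ForEach-Object {
        # Read named EventData fields from the event XML rather than relying on
        # positional Properties[] indexes, which differ from one event ID to another.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time      = $_.TimeCreated
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']     # 2 console, 3 network, 10 Remote Desktop
            Source    = $d['IpAddress']
        }
    }
    $rows | Group-Object Account, Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Set-SecurityLogRetention {
    # The default "overwrite events as needed" at a small maximum size lets an
    # intruder push evidence out of the log by generating noise. Raise the size
    # and refuse to overwrite; pair this with Backup-SecurityLog on a schedule,
    # because a full log that cannot overwrite stops recording new events.
    param([int]$MaxMB = 128)
    Limit-EventLog -LogName Security -MaximumSize ($MaxMB * 1MB) -OverflowAction DoNotOverwrite
    Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
        Select-Object Log, MaximumKilobytes, OverflowAction
}

function Backup-SecurityLog {
    # Same result as Save Log File As: the .evtx keeps the complete native record,
    # the .csv is a spreadsheet-friendly extract of the most recent entries.
    param([string]$Folder = 'C:\Logs')
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    wevtutil epl Security (Join-Path $Folder "Security-$stamp.evtx")
    Get-EventLog -LogName Security -Newest 1000 |
        Select-Object TimeGenerated, EntryType, InstanceId, Source, UserName, Message |
        Export-Csv -Path (Join-Path $Folder "Security-$stamp.csv") -NoTypeInformation
}

Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

Run Set-SecurityLogRetention once and schedule Backup-SecurityLog (for example, daily) before the log can reach its maximum; with DoNotOverwrite, a full log is a denial of audit until it is cleared, so the choice is deliberate and should be paired with monitoring of the log's size.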


Shared Folders
With Windows XP, you can share files and documents with other users on your computer and with other users on a network. There is a new user interface (UI) named Simple File Sharing and a new Shared Documents feature. This article describes the new file sharing UI and discusses the following topics:
  • How to turn Simple File Sharing on and off.
  • How to manage and configure levels of access to shares and files.
  • Guidelines for file sharing in Windows XP.
  • How to troubleshoot file sharing problems.
Windows XP Home Edition-based computers always have Simple File Sharing enabled.

On a Windows XP-based computer, you can share files among both local and remote users. Local users log on to your computer directly through their own accounts or through a Guest account. Remote users connect to your computer over the network and access the files that are shared on your computer.

You can access the Simple File Sharing UI by viewing a folder's properties. Through the Simple File Sharing UI, you can configure both share and NTFS file system permissions at the folder level. These permissions apply to the folder, all the files in that folder, subfolders, and all the files in the subfolders. Files and folders that are created in or copied to a folder inherit the permissions that are defined for their parent folder. This article describes how to configure access to your files, depending on permission levels. Some information that this article contains about these permission levels is not documented in the operating system files or in the Help file.

MORE INFORMATION

Note If you are not comfortable with the information that is presented in this s...


With file sharing in Windows XP, you can configure five levels of permissions. You can configure Levels 1, 2, 4, and 5 by using the Simple File Sharing UI. To do this, right-click the folder, and then click Sharing and Security to open the Simple File Sharing UI. To configure Level 3, copy a file or a folder into the "Shared Documents" folder under "My Computer." This configuration does not change when you turn on or turn off Simple File Sharing. Level 1 is the most private and secure setting, while Level 5 is the most public and the most changeable (nonsecure) setting.

Turning on and turning off Simple File Sharing

Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers that are joined to a workgroup. Windows XP Professional-based computers that are joined to a domain use only the classic file sharing and security interface. When you use the Simple File Sharing UI (that is located in the folder's properties), both share and file permissions are configured.

If you turn off Simple File Sharing, you have more control over the permissions to individual users. However, you must have advanced knowledge of NTFS and share permissions to help keep your folders and files more secure. If you turn off Simple File Sharing, the Shared Documents feature is not turned off.

To turn Simple File Sharing on or off in Windows XP Professional, follow these steps:
  1. Double-click My Computer on the desktop.
  2. On the Tools menu, click Folder Options.
  3. Click the View tab, and then select the Use Simple File Sharing (Recommended) check box to turn on Simple File Sharing. (Clear this check box to turn off this feature.)


Managing levels of access to shares and to files

You can use Simple File Sharing to configure five levels of access to shares and files:
  • Level 1: My Documents (Private)
  • Level 2: My Documents (Default)
  • Level 3: Files in shared documents available to local users
  • Level 4: Shared Files on the Network (Readable by Everyone)
  • Level 5: Shared Files on the Network (Readable and Writable by Everyone)
Notes
  • By default, files that are stored in "My Documents" are at Level 2.
  • Levels 1, 2, and 3 folders are available only to a user who is logging on locally. Users who log on locally include a user who logs on to a Windows XP Professional-based computer from a Remote Desktop (RDP) session.
  • Levels 4 and 5 folders are available to users who log on locally and remote users from the network.
The following table describes the permissions:
Access Level | Everyone (NTFS/File) | Owner        | System       | Administrators | Everyone (Share)
Level 1      | Not available        | Full Control | Full Control | Not available  | Not available
Level 2      | Not available        | Full Control | Full Control | Full Control   | Not available
Level 3      | Read                 | Full Control | Full Control | Full Control   | Not available
Level 4      | Read                 | Full Control | Full Control | Full Control   | Read
Level 5      | Change               | Full Control | Full Control | Full Control   | Full Control

Level 1: My Documents (Private)

The owner of the file or folder has read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. All subfolders that are contained in a folder that is marked as private remain private unless you change the parent folder permissions.

If you are a Computer Administrator and create a user password for your account by using the User Accounts Control Panel tool, you are prompted to make your files and folders private.

Note The option to make a folder private (Level 1) is available only to a user account in its own My Documents folder.

To configure a folder and all the files in it to Level 1, follow these steps:
  1. Right-click the folder, and then click Sharing and Security.
  2. Select the Make this Folder Private check box, and then click OK.
Local NTFS Permissions:
  • Owner: Full Control
  • System: Full Control
Network Share Permissions:
  • Not Shared

Level 2 (Default): My Documents (Default)

The owner of the file or folder and local Computer Administrators have read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. This is the default setting for all the folders and files in each user's My Documents folder.

To configure a folder and all the files in it to Level 2, follow these steps:
  1. Right-click the folder, and then click Sharing and Security.
  2. Make sure that both the Make this Folder Private and the Share this folder on the network check boxes are cleared, and then click OK.
Local NTFS Permissions:
  • Owner: Full Control
  • Administrators: Full Control
  • System: Full Control
Network Share Permissions:
  • Not Shared

Level 3: Files in shared documents available to local users

Files are shared with users who log on to the computer locally. Local Computer Administrators can read, write, and delete the files in the Shared Documents folder. Restricted Users can only read the files in the Shared Documents folder. In Windows XP Professional, Power Users may also read, write, or delete any files in the Shared Documents Folder. The Power Users group is available only in Windows XP Professional. Remote users cannot access folders or files at Level 3. To allow remote users to access files, you must share them out on the network (Level 4 or 5).

To configure a file or a folder and all the files in it to Level 3, start Microsoft Windows Explorer, and then copy or move the file or folder to the Shared Documents folder under My Computer.

Local NTFS Permissions:
  • Owner: Full Control
  • Administrators: Full Control
  • Power Users: Change
  • Restricted Users: Read
  • System: Full Control
Network Share Permissions:
  • Not Shared

Level 4: Shared on the Network (Read-Only)

Files are shared for everyone on the network to read. All local users, including the Guest account, can read the files but cannot modify them; only the owner and local Computer Administrators can change the contents.

To configure a folder and all the files in it to Level 4, follow these steps:
  1. Right-click the folder, and then click Sharing and Security.
  2. Click to select the Share this folder on the network check box
  3. Click to clear the Allow network users to change my files check box, and then click OK.
Local NTFS Permissions:
  • Owner: Full Control
  • Administrators: Full Control
  • System: Full Control
  • Everyone: Read
Network Share Permissions:
  • Everyone: Read

Level 5: Shared on the network (Read and Write)

This level is the most available and least secure access level. Any user (local or remote) can read, write, change, or delete a file in a folder shared at this access level. We recommend that this level be used only for a closed network that has a firewall configured. All local users including the Guest account can also read and modify the files.

To configure a folder and all the files in it to Level 5, follow these steps:
  1. Right-click the folder, and then click Sharing and Security
  2. Click to select the Share this folder on the network check box, and then click OK.
Local NTFS Permissions:
  • Owner: Full Control
  • Administrators: Full Control
  • System: Full Control
  • Everyone: Change
Network Share Permissions:
  • Everyone: Full Control
Note All NTFS permissions that refer to Everyone include the Guest account.

All the levels that this article describes are mutually exclusive. Private folders (Level 1) cannot be shared unless they are no longer private. Shared folders (Level 4 and 5) cannot be made private until they are unshared.

If you create a folder in the Shared Documents folder (Level 3), share it on the network, and then allow network users to change your files (Level 5), the permissions for Level 5 are effective for the folder, the files in that folder, and the subfolders. The other files and folders in the Shared Documents folder remain configured at Level 3.

Note The only exception is if you have a folder (SampleSubFolder) that is shared at Level 4 inside a folder (SampleFolder) that is shared at Level 5. Remote users have the correct access level to each shared folder. Locally logged-on users have writable (Level 5) permissions to the parent (SampleFolder) and child (SampleSubFolder) folders.

Guidelines

We recommend that you share on the network only the folders that remote users on other computers must access, and that you do not share the root of the system drive: doing so makes your computer more vulnerable to malicious remote users. The Sharing tab of the drive's Properties dialog box displays a warning when you try to share a root folder (for example, C:\). To continue, you must click the If you understand the risk but still want to share the root of the drive, click here link. Only computer administrators can share the root of the drive.

Files on a read-only device such as a CD-ROM shared at Level 4 or 5 are available only if the CD-ROM is in the CD drive. Any CD-ROM that is in the CD drive is available to all users on the network.

A file's permission may differ from the parent folder if one of the following conditions is true:
  • You use the move command at a command prompt to move a file into the folder from a folder on the same drive that has different permissions.
  • You use a script to move the file into the folder from a folder on the same drive that has different permissions.
  • You run Cacls.exe at a command prompt or a script to change file permissions.
  • Files existed on the hard disk before you installed Windows XP.
  • You changed a file's permissions while Simple File Sharing was turned off on Windows XP Professional.
Note NTFS permissions are not maintained on file move operations when you use Windows Explorer with Simple File Sharing turned on.

If you turn on and turn off Simple File Sharing, the permissions on files are not changed. The NTFS and share permissions do not change until you change the permissions in the interface. If you set the permissions with Simple File Sharing enabled, only Access Control Entries (ACEs) on files that are used for Simple File Sharing are affected. The following ACEs in the Discretionary Access Control List (DACL) of the files or folders are affected by the Simple File Sharing interface:
  • Owner
  • Administrators
  • Everyone
  • System
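The Guidelines above come down to two questions for every share: is it a drive root, and what can Everyone (and therefore Guest) do through it? The script below is an added example for this page, not code from the original article; it enumerates the local disk shares with WMI Win32_Share, reads the NTFS ACL with Get-Acl, and maps the Everyone ACE that Simple File Sharing writes to the access levels in the table above. It assumes Windows XP through Windows 7 and an elevated session; the Finding labels are this example's interpretation of the table, not values the operating system reports.

```powershell
# Added example (not part of the original article): list every disk share on
# this computer and map it to the article's access levels by inspecting the
# Everyone ACE that Simple File Sharing writes. Uses WMI Win32_Share and
# Get-Acl so it runs on Windows XP through Windows 7 without the newer SMB
# cmdlets; needs an elevated session to read ACLs on other users' folders.

# Resolve Everyone by well-known SID so the comparison does not depend on the
# display language of the computer.
$everyoneSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$everyoneName = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value

function Get-ShareExposure {
    # Win32_Share.Type: 0 = disk share, 0x80000000 (2147483648) = administrative
    # disk share such as C$ or ADMIN$; printers and IPC$ are skipped.
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Type -eq 0 -or $_.Type -eq 2147483648 } |
        ForEach-Object {
            $share   = $_
            $isAdmin = ($share.Type -eq 2147483648)
            $isRoot  = $share.Path -match '^[A-Za-z]:\\?$'   # C:\ shared directly

            # Gather the NTFS rights Everyone holds on the shared folder. Simple
            # File Sharing sets Read for Level 3/4 and Change (Modify) for Level 5.
            $rights = @()
            $acl = Get-Acl -Path $share.Path -ErrorAction SilentlyContinue
            if ($acl) {
                $rights = @($acl.Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   $_.IdentityReference.Value -eq $everyoneName } |
                    ForEach-Object { $_.FileSystemRights.ToString() })
            }
            $rightsText = $rights -join '; '
            # Generic rights render as a large raw number rather than a name;
            # treat those, and any named write right, as a write finding.
            $everyoneWrite = $rightsText -match 'Write|Modify|FullControl|\d{6,}'

            if     ($isAdmin)       { $finding = 'administrative share (Administrators only)' }
            elseif ($isRoot)        { $finding = 'drive root is shared (the Guidelines warn against this)' }
            elseif ($everyoneWrite) { $finding = 'Level 5: Everyone can change files' }
            elseif ($rightsText)    { $finding = 'Level 4: Everyone read-only' }
            else                    { $finding = 'no Everyone ACE; classic per-user permissions' }

            New-Object PSObject -Property @{
                Share        = $share.Name
                Path         = $share.Path
                EveryoneNTFS = $rightsText
                Finding      = $finding
            }
        }
}

Get-ShareExposure | Sort-Object Finding | Format-Table Share, Path, EveryoneNTFS, Finding -AutoSize
```

The NTFS side is only half of the picture: effective remote access is the more restrictive of the share permission and the NTFS permission, so a Level 5 finding here is confirmed only if the share permission also grants Everyone Change or Full Control (net share <name> prints it). A folder that shows an Everyone write ACE but is shared read-only is Level 4 for remote users and Level 5 for anyone logged on locally, which is the mixed case the article's note about SampleFolder and SampleSubFolder describes.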

Advanced troubleshooting for configuring file sharing in Windows XP

Note This section is intended for advanced computer users. If you are not comfortable with advanced troubleshooting, ask someone for help or contact support.

Expected upgrade behavior

A Windows 2000 Professional-based or a Windows NT 4.0-based computer that is joined to a domain or a workgroup that is upgraded to Windows XP Professional maintains its domain or workgroup membership respectively and has the classic file sharing and security UI turned on. NTFS and share permissions are not changed with the upgrade.

By default, if you upgrade a computer that is running Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition that has "per share" sharing permissions to Windows XP, Simple File Sharing is always turned on. Shares that have passwords assigned to them are removed, and shares that have blank passwords remain shared after the upgrade.

If you upgrade a Windows 98, Windows 98 Second Edition, or Windows Millennium Edition-based computer to Windows XP Professional, and that computer has share-level access turned on and joins a domain while the Setup program is running, the computer starts with Simple File Sharing turned off.
By default, a Windows 98, Windows 98 Second Edition, or Windows Millennium Edition-based computer that is upgraded to Windows XP Home has Simple File Sharing turned on.

Known issues

For remote users to access files from the network (Levels 4 and 5), the Internet Connection Firewall (ICF) must not block inbound file-sharing traffic on the network interface that the remote users connect through. On the original release of Windows XP this means disabling ICF on that interface; from Windows XP SP2 onward, enable the File and Printer Sharing exception in Windows Firewall rather than turning the firewall off.

When Simple File Sharing is turned on, remote administration and remote registry editing do not work as expected from a remote computer, and connections to administrative shares (such as C$) do not work, because all remote users authenticate as Guest and the Guest account does not have administrative rights. For the same reason, any user-specific ACEs that you configure have no effect on remote users while Simple File Sharing is turned on.

Remote users may receive an "Access Denied" message on a share that they had connected to successfully before. This behavior occurs after the hard disk is converted to NTFS on Windows XP-based computers that have Simple File Sharing turned on and that were upgraded from Windows 98, Windows 98 Second Edition, or Windows Millennium Edition. It occurs because the default permissions of a hard disk that is converted to NTFS do not contain the Everyone group, and the Everyone group is required for remote users who are using the Guest account to access the files. To reset the permissions, stop sharing, and then reshare the affected folders.

Behavior that is affected when Simple File Sharing is turned on

  • The Simple File Sharing UI in the properties of a folder configures both share and file permissions.
  • Remote users always authenticate as the Guest account.
  • Windows Explorer does not keep permissions on files that are moved in the same NTFS drive. The permissions are always inherited from the parent folder.
  • On Windows XP Professional-based computers that have Simple File Sharing turned on and Windows XP Home Edition-based computers, the Shared Folders (Fsmgmt.msc) and Computer Management (Compmgmt.msc) tools reflect a simpler sharing and security UI.
  • In the Computer Management and Shared Folders consoles, the New File Share command is unavailable when you right-click the Shares icon. Also, if you right-click any listed share, the Properties and Stop Share commands are unavailable.

Behavior that is not caused by turning on Simple File Sharing

  • In Windows XP Home Edition, the Computer Management snap-in does not display the Local Users and Groups node. The Local Users and Groups snap-in cannot be added to a custom MMC console. This behavior is a limitation of Windows XP Home Edition. It is not caused by Simple File Sharing.
  • If you turn off the Guest account in the User Accounts Control Panel tool, only the guest's ability to log on locally is affected. The account is not disabled.
  • Remote users cannot authenticate by using an account that has a blank password. This authentication is configured separately.
  • Windows XP Home Edition cannot join a domain. It can only be configured as a member of a workgroup.
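The Known issues and Behavior lists above hinge on three settings that the graphical tools show only indirectly: whether remote users are forced to Guest, whether the Guest account is actually disabled (as opposed to hidden from the Welcome screen), and whether blank-password accounts are limited to console logon. The script below is an added example for this page, not code from the original article or from Microsoft. It assumes Windows XP through Windows 7 and an elevated Windows PowerShell session; ForceGuest and LimitBlankPasswordUse under the Lsa registry key are the values written by the Local Security Policy settings "Sharing and security model for local accounts" and "Limit local account use of blank passwords to console logon only", and the interpretation in the comments is this example's own.

```powershell
# Added example (not part of the original article): report the settings that
# the Known issues and Behavior sections depend on. Assumes Windows XP through
# Windows 7 and an elevated Windows PowerShell session.

function Get-NetworkAuthModel {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # ForceGuest = 1 is Simple File Sharing's "Guest only" model: every remote
    # SMB connection is mapped to Guest, which is why per-user ACEs, remote
    # administration and C$ stop working, as the Known issues describe.
    # A missing value reads as 0 (classic model).
    $forceGuest = [int]$lsa.ForceGuest

    # LimitBlankPasswordUse = 1: accounts with blank passwords may log on at the
    # console only. This is the "configured separately" restriction on remote
    # blank-password logons, independent of Simple File Sharing.
    $limitBlank = [int]$lsa.LimitBlankPasswordUse

    # Turning Guest "off" in the User Accounts applet only hides it from the
    # local logon screen; the account's real Disabled flag is what matters for
    # network access, so read it from the account itself. Matching on the
    # well-known RID 501 avoids depending on the localised account name.
    $guest = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'"
    $guestDisabled = $false
    if ($guest) { $guestDisabled = [bool]$guest.Disabled }

    if ($forceGuest -eq 1) { $model = 'Guest only (Simple File Sharing)' }
    else                   { $model = 'Classic (remote users authenticate as themselves)' }

    # Guest-only mode with an enabled Guest account is the combination that
    # lets any network peer reach Level 4/5 shares without a password.
    New-Object PSObject -Property @{
        SharingModel              = $model
        GuestAccountDisabled      = $guestDisabled
        BlankPasswordsConsoleOnly = ($limitBlank -eq 1)
        AnonymousShareAccess      = ($forceGuest -eq 1 -and -not $guestDisabled)
    }
}

function Disable-GuestAccount {
    # What the User Accounts applet does not do: actually disable the account.
    # Local Users and Groups (lusrmgr.msc) or net user both set the real flag.
    net user Guest /active:no
}

Get-NetworkAuthModel | Format-List
```

Note that disabling Guest on a Guest-only (Simple File Sharing) machine stops all remote access to Level 4 and 5 shares, because there is no other identity a remote user can be mapped to; if remote access is still required, the fix is to switch to the classic model and grant per-user permissions rather than to re-enable Guest.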

Local Users and Groups:

Local Users and Groups is a tool you can use to manage local users and groups. It is available on the following operating systems:
  • Windows 2000 Professional
  • Windows XP Professional
  • Member servers running Windows 2000 Server
A local user or group is an account that can be granted permissions and rights on your computer. Domain or global users and groups are managed by your network administrator. You can add local users, global users, and global groups to local groups. However, you cannot add local users and groups to global groups.
Local Users and Groups is an important security feature because you can limit the ability of users and groups to perform certain actions by assigning them rights and permissions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. A permission is a rule associated with an object (usually a file, folder, or printer) and it regulates which users can have access to the object and in what manner.
Local Users and Groups is not available on domain controllers. Use Active Directory Users and Computers to manage global users and groups.

Performance Logs and Alerts:
Performance Logs and Alerts overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

With Performance Logs and Alerts you can collect performance data automatically from local or remote computers. You can view logged counter data using System Monitor or export the data to spreadsheet programs or databases for analysis and report generation. The following list explains the capabilities of Performance Logs and Alerts:
  • New in the Microsoft® Windows Server 2003 family is the ability to run log collections under different accounts. For example, if you need to log data from a remote computer that requires administrative credentials, you can specify an account with the necessary credentials.
  • Also new in the Windows Server 2003 family are two new security groups that help you to ensure that only trusted users can access and manipulate sensitive performance data. These are the Performance Log Users group and the Performance Monitor Users group.
  • The Windows Server 2003 family supports log files greater than 1 GB in size, and with its new log-file format, you can append performance data to an existing log file.
  • Performance Logs and Alerts collects data in a comma-separated or tab-separated format for easy import to spreadsheet programs. A binary log-file format is also provided for circular logging or for logging instances such as threads or processes that may begin after the log starts collecting data. (Circular logging is the process of continuously logging data to a single file, overwriting previous data with new data.)
  • You can also collect data in an SQL database format. This option defines the name of an existing SQL database and log set within the database where the performance data will be read or written. This file format is useful when collecting and analyzing performance data at an enterprise level rather than on a per-computer basis. Logging data directly to a SQL database is supported through open database connectivity (ODBC).
  • Counter data collected by Performance Logs and Alerts can be viewed during collection as well as after collection has stopped.
  • Because logging runs as a service, data collection occurs regardless of whether any user is logged on to the computer being monitored.
  • You can define start and stop times, file names, file sizes, and other parameters for automatic log generation.
  • You can manage multiple logging sessions from a single console window.
  • You can set an alert on a counter, thereby defining that a message be sent, a program be run, an entry made to the application event log, or a log be started when the selected counter's value exceeds or falls below a specified setting.
Similar to System Monitor, Performance Logs and Alerts supports defining performance objects, performance counters, and performance object instances. It also supports setting sampling intervals for monitoring data about hardware resources and system services. Performance Logs and Alerts also offers other options related to recording performance data:
  • Start and stop logging either manually on demand or automatically based on a user-defined schedule.
  • Configure additional settings for automatic logging, such as automatic file renaming, and set parameters for stopping and starting a log file based on the elapsed time or the file size.
  • Create trace logs. Using the default Windows Server 2003 family data provider or another application provider, trace logs record detailed system application events when certain activities, such as a disk I/O operation or a page fault, occur. When the event occurs, the operating system logs the system data to a file specified by the Performance Logs and Alerts service. This differs from the operation of counter logs; when counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event. A parsing tool is required to interpret the trace log output. Developers can create such a tool using application programming interfaces (APIs) provided in the MSDN Library on the Microsoft Web site.
  • You can also produce trace analysis reports from trace log output files using the Tracerpt tool. Use this tool to process kernel, Active Directory, and other transaction-based trace event logs, and to generate trace analysis reports and .csv files from binary logs.
  • Define a program that runs when a log is stopped.
  • If you want to export log data to Microsoft Excel, the Performance Logs and Alerts service must be stopped because Microsoft Excel requires exclusive access to the log file. Most other programs are not known to require this exclusive access; therefore, in general you can work with data from a log file while the service is collecting data to that file.
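Two of the points above deserve a check rather than a description: the alert action that runs a program when a counter crosses a threshold (a program that runs as the log collection account, unattended, every time the threshold trips), and the two groups that decide who may define such collections. The following PowerShell script is an added example and not part of the original document. It assumes it runs with administrative rights, that the local groups carry the names given above, that log and alert definitions are stored as subkeys of HKLM\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries, and that a value holding a program path can be recognised by its contents; that last point is a heuristic of this script, not a documented value name.

```powershell
# Added example (not from the original document). Audits two things a reviewer cares about
# for Performance Logs and Alerts: who may create or read performance data, and which
# configured logs or alerts launch a program when they fire.
# Assumptions: run elevated; local group names as in the text; definitions live under the
# SysmonLog\Log Queries key; a string value naming an executable or script is a command.

function Get-PerfGroupMembers {
    param([string[]] $GroupNames = @('Performance Log Users', 'Performance Monitor Users'))
    foreach ($name in $GroupNames) {
        try {
            $group = [ADSI]"WinNT://./$name,group"
            $members = @($group.psbase.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            })
        } catch {
            $members = @("<unreadable: $($_.Exception.Message)>")
        }
        [PSCustomObject]@{ Group = $name; Members = ($members -join ', ') }
    }
}

function Get-PerfLogCommands {
    param([string] $BaseKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries')
    if (-not (Test-Path $BaseKey)) { return }   # no logs or alerts have ever been defined
    foreach ($key in Get-ChildItem -Path $BaseKey) {
        $values = Get-ItemProperty -Path $key.PSPath
        # Heuristic: any string value that names an executable or script is a command to run.
        $commands = @($values.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match '\.(exe|cmd|bat|vbs|js|ps1)("|\s|$)' } |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value })
        [PSCustomObject]@{
            Query       = $key.PSChildName
            RunsProgram = ($commands.Count -gt 0)
            Commands    = ($commands -join '; ')
        }
    }
}

Get-PerfGroupMembers | Format-Table -AutoSize
Get-PerfLogCommands   | Where-Object { $_.RunsProgram } | Format-Table -AutoSize
```

For every query that runs a program, confirm that the program's path is writable only by administrators: a member of Performance Log Users who can edit the alert, or anyone who can replace the file it points to, gets code execution under the account the collection runs as.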

Device Manager

Screenshot of the Device Manager tool under Windows Vista.

Screenshot of the Device Manager tool under Windows Server 2003 showing hardware components organized under categories.
The Device Manager is a Control Panel applet in Microsoft Windows operating systems. It allows users to view and control the hardware attached to the computer. When a piece of hardware is not working, the offending hardware is highlighted for the user to deal with. The list of hardware can be sorted by various criteria.
For each device, users can:
  • Supply device drivers for the hardware
  • Enable or disable devices
  • Tell Windows to ignore malfunctioning devices
  • View other technical properties
Device Manager was introduced with Windows 95 and later added to Windows 2000. In NT-based versions, it is included as a Microsoft Management Console snap-in.
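The same "not working" state that Device Manager highlights is exposed to scripts, which matters when you need to confirm across many machines that a device class was really disabled or that no device is running without a driver. The following PowerShell function is an added example, not code from the original page; it assumes the Win32_PnPEntity WMI class, in which ConfigManagerErrorCode 0 means the device is working, and decodes only the two non-zero codes an administrator meets most often (22 = disabled, 28 = no driver installed), a choice of this script rather than a complete list.

```powershell
# Added example (not from the original article): list the devices Device Manager would flag.
# Assumptions: Win32_PnPEntity is available; code 0 = working; 22 = disabled; 28 = no driver.
# Any other non-zero code is reported by number.

function Get-ProblemDevice {
    $known = @{ 22 = 'Disabled'; 28 = 'Drivers not installed' }
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { ($null -ne $_.ConfigManagerErrorCode) -and ($_.ConfigManagerErrorCode -ne 0) } |
        ForEach-Object {
            $code = [int] $_.ConfigManagerErrorCode
            [PSCustomObject]@{
                Name     = $_.Name
                DeviceID = $_.DeviceID
                Code     = $code
                Problem  = if ($known.ContainsKey($code)) { $known[$code] } else { "Error code $code" }
            }
        }
}

Get-ProblemDevice | Sort-Object Code, Name | Format-Table -AutoSize
```

Run it after pushing a device-restriction policy: devices you expect to see listed as Disabled and do not are the ones to investigate.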


Storage types and partition styles

Windows XP Professional and the Whistler server family (listed in the table below) offer two types of disk storage: basic disk and dynamic disk.

Basic disks

A basic disk is a physical disk that contains primary partitions, extended partitions, or logical drives. You can perform the following tasks only on a basic disk:
  • Create and delete primary and extended partitions.
  • Create and delete logical drives within an extended partition.
  • Format a partition and mark it as active.
  • Check disk properties, such as capacity, available free space, and current status.
  • View volume and partition properties such as size, drive letter assignment, label, type, and file system.
  • Establish drive letter assignments for volumes or partitions, optical storage devices (for example, CD-ROM), and removable drives.
  • Establish disk sharing and security arrangements for volumes and partitions formatted with NTFS.
  • Convert a basic disk to dynamic.
For more information about converting a disk from basic to dynamic, see Converting a basic disk to dynamic
For more information about basic disks and volumes, see Basic disks and volumes

Dynamic disks

Dynamic disks provide features that basic disks do not, such as the ability to create volumes that span multiple disks (spanned and striped volumes), and the ability to create fault-tolerant volumes (mirrored and RAID-5 volumes). All volumes on dynamic disks are known as dynamic volumes. You can perform the following tasks only on a dynamic disk:
  • Create and delete simple, spanned, striped, mirrored, and RAID-5 volumes.
  • Extend a simple or spanned volume.
  • Remove a mirror from a mirrored volume or split the volume into two volumes.
  • Repair mirrored or RAID-5 volumes.
  • Reactivate a missing or offline disk.
  • Check disk properties, such as capacity, available free space, and current status.
  • View volume and partition properties such as size, drive letter assignment, label, type, and file system.
  • Establish drive letter assignments for volumes or partitions, optical storage devices (for example, CD-ROM), and removable drives.
  • Establish disk sharing and security arrangements for volumes and partitions formatted with NTFS.
  • Change a dynamic disk to basic.
For more information about dynamic disks and volumes, see Dynamic disks and volumes

Partition styles

Partition style refers to the method that Windows uses to organize partitions on the disk. All x86-based computers use the partition style known as master boot record (MBR). The MBR contains a partition table that describes where the partitions are located on the disk. Because MBR is the only partition style available on x86-based computers, you do not need to choose this style; it is used automatically.
Itanium-based computers running Windows XP 64-Bit Edition, Whistler Advanced Server for Intel Itanium systems, or Whistler Datacenter Server for Intel Itanium systems use a new partition style called GUID partition table (GPT). There are some differences between GPT and MBR partition styles, but most disk-related tasks are unchanged. Basic disks and dynamic disks work the same way as in Windows 2000, and these storage types are available on disks that use either partition style. For more information about GPT disks, see GUID partition table (GPT)
Computers running Windows XP 64-Bit Edition, Whistler Advanced Server for Intel Itanium systems, or Whistler Datacenter Server for Intel Itanium systems require a GPT disk that contains an Extensible Firmware Interface (EFI) System partition and the files necessary to start the computer. You can also install MBR disks on Itanium-based systems, but you cannot start a system from them. For more information about EFI and EFI System partitions, see Extensible Firmware Interface
In order to more easily differentiate between disks that use the MBR and GPT partition styles, Disk Management labels disks that use the master boot record partition style as MBR disks, while disks that use the GUID partition table partition style are labeled GPT disks.
The following table shows the storage types and partition styles supported by each edition of Windows XP and the Whistler server family. An X marks support; the marks for the "Dynamic mirrored and RAID-5 volumes" and "Partition styles" columns did not survive in this copy of the table and are left blank.

Operating system                                     | Basic volumes | Dynamic simple, spanned, and striped volumes | Dynamic mirrored and RAID-5 volumes | Partition styles
-----------------------------------------------------|---------------|----------------------------------------------|-------------------------------------|-----------------
Windows XP Home Edition                              | X             |                                              |                                     |
Windows XP Professional                              | X             | X                                            |                                     |
Whistler                                             | X             | X                                            |                                     |
Whistler Advanced Server                             | X             | X                                            |                                     |
Whistler Server                                      | X             | X                                            |                                     |
Windows XP 64-Bit Edition                            | X             | X                                            |                                     |
Whistler Advanced Server for Intel Itanium systems   | X             | X                                            |                                     |
Whistler Datacenter Server for Intel Itanium systems | X             | X                                            |                                     |


Removable Storage
The data storage and management features in the Windows Server 2003 operating system provide you with various ways to manage and store data. With Removable Storage, a primary component of this feature set, you can track your removable storage media (tapes and optical disks) and manage the hardware libraries, such as changers and jukeboxes, which contain them.
With Removable Storage, you can:
  • Label, catalog, and track media.
  • Control library drives, slots, and doors.
  • Perform drive-cleaning operations.
Removable Storage works together with your data-management applications such as Backup. You use data-management applications to manage the actual data stored on the media. Removable Storage makes it possible for multiple applications to share the same storage media resources, which can reduce your costs. It also provides a common interface for managing those resources, so that you can manage your storage media more efficiently.
Removable Storage organizes all the media in your libraries into different media pools. A media pool is a logical collection of removable media that have the same management policies. Media pools are used by applications to control access to specific tapes or discs within libraries that are managed by Removable Storage. Removable Storage also moves media between media pools in order to provide the amount of data storage that your applications require.
You cannot use Removable Storage to manage volumes, such as for media spanning or striping. Also, you cannot use Removable Storage to manage files, such as for data backup or disk-extender operations. These services are performed by data-management applications such as Backup or Remote Storage. Remote Storage is not available on computers running Windows XP Professional; Windows Server 2003, Web Edition; or Windows Server 2003, Standard Edition.
You must run all your data-management applications on the same computer that connects to your library. Removable Storage does not support multiple data-management applications running on different computers that are connected to the same library.
Removable Storage is configured to start automatically when you start your computer. It is possible to change the service so that you can start it manually, but this is highly discouraged. Disabling the service causes several applications that are included in Windows Server 2003 (such as Backup and Remote Storage) to become inoperative.

Common Scenarios for Removable Storage

Removable Storage is commonly used in the following scenarios:
  • Managing stand-alone drive libraries
  • Managing automated libraries
Managing stand-alone drive libraries
In this scenario, you use Removable Storage to manage multiple single-drive libraries, such as CD-ROM or DVD-ROM drives.
In its simplest form, a library consists of data-storage media and the device that is used to read from and write to the media – for example, tape and a stand-alone tape drive. The group of libraries and associated media that you manage with a Removable Storage installation is called a Removable Storage system.
The main benefit of using Removable Storage is its efficiency: it is much easier to manage multiple libraries with a single tool, the Removable Storage MMC snap-in, on behalf of different data-management applications, than it is to individually manage the same libraries with different sets of tools from those applications.
A further benefit of Removable Storage is that it organizes all the media in your libraries into different media pools, and also moves media between media pools in order to provide the appropriate amount of data storage your applications require.
Managing automated libraries
In this scenario, you use Removable Storage to manage one or more automated libraries.
Automated libraries are automated units that hold multiple tapes or disks, and some have multiple drives. These libraries are sometimes called changers or jukeboxes, and commonly use robotic subsystems to move media stored in the library’s storage slots.
You can also use Removable Storage to manage a combination of single-drive and automated libraries.
The benefits are the same as the ones described in the previous scenario.
Administrative Interface
The Removable Storage Microsoft Management Console (MMC) snap-in is an administrative interface that you can use to manage both stand-alone drive libraries and automated libraries.
Using the Removable Storage snap-in, you can:
  • Create media pools and set media pool properties.
  • Insert and eject media in an automated library.
  • Mount and dismount media.
  • Clean tape drives.
  • View the state of media and libraries.
  • Enable and disable drives and libraries.
  • Perform library inventories.
  • Set security permissions for users.
  • Complete or refuse operator requests.
  • Cancel work queue items.

Removable Storage Dependencies on or Interactions with Other Technologies

Removable Storage depends on, or interacts with, the following technologies:
  • Microsoft Management Console (MMC)
  • Backup (or similar, non-Microsoft data-management programs)
  • Win32 tape and disk management application programming interfaces (APIs)
  • The registry
  • Event Viewer
  • Group Policy
  • Media libraries

Removable Storage Logical Diagram

The first part of the following figure shows the inherent complexity in using multiple applications to manage multiple devices (each containing a different media-type) without the aid of Removable Storage.
The second part shows how you can reduce this complexity by using Removable Storage as the common interface for managing multiple devices.
Figure: Removable Storage Logical Diagram (two parts, as described above).


Assigning, changing, and removing drive letters

This article describes how to assign, to change, or to remove drive letters on a drive, a partition, or a volume by using the Disk Management snap-in in Microsoft Windows XP.

The Disk Management snap-in is an administrative tool for managing hard disks and the volumes or partitions that they contain. Use the Disk Management snap-in when you want to add, to change, or to remove drive letters on drives, on partitions, or on volumes on your computer's hard disks, CD-ROM drives, and other removable media devices.

Your computer can use up to 26 drive letters, from A through Z. Use drive letters C through Z for hard disk drives. Drive letters A and B are reserved for floppy disk drives. However, if your computer does not have a floppy disk drive, you can assign these letters to removable drives.

Before you modify drive-letter assignments, note the following items:
  • Changing the drive letter of the system volume or the boot volume is not a built-in feature of the Disk Management snap-in.
  • Many MS-DOS-based and Microsoft Windows-based programs refer to specific drive letters for environmental or other variables. If you modify the drive letter, these programs may not function correctly.

How to assign a drive letter

To assign a drive letter to a drive, a partition, or a volume, follow these steps:
  1. Log on as Administrator or as a member of the Administrators group.
  2. Click Start, click Control Panel, and then click Performance and Maintenance.

    Note If you do not see Performance and Maintenance, go to step 3. Performance and Maintenance appears in Control Panel only if you use Category view. If you use Classic view, Performance and Maintenance does not appear.
  3. Click Administrative Tools, double-click Computer Management, and then click Disk Management in the left pane.
  4. Right-click the drive, the partition, the logical drive, or the volume that you want to assign a drive letter to, and then click Change Drive Letter and Paths.
  5. Click Add.
  6. Click Assign the following drive letter if it is not already selected, and then either accept the default drive letter or click the drive letter that you want to use.
  7. Click OK.
The drive letter is assigned to the drive, to the partition, or to the volume that you specified, and then that drive letter appears in the appropriate drive, partition, or volume in the Disk Management tool.

How to change a drive letter

To change an existing drive letter on a drive, on a partition, or on a volume, follow these steps:
  1. Log on as Administrator or as a member of the Administrators group.
  2. Click Start, click Control Panel, and then click Performance and Maintenance.
  3. Click Administrative Tools, double-click Computer Management, and then click Disk Management in the left pane.
  4. Right-click the drive, the partition, the logical drive, or the volume whose drive letter you want to change, and then click Change Drive Letter and Paths.
  5. Click Change.
  6. Click Assign the following drive letter if it is not already selected, click the drive letter that you want to use, and then click OK.
  7. Click Yes when you are prompted to confirm the drive letter change.
The drive letter of the drive, the partition, or the volume that you specified is changed, and the new drive letter appears in the appropriate drive, partition, or volume in the Disk Management tool.

How to remove a drive letter

To remove an existing drive letter on a drive, on a partition, or on a volume, follow these steps:
  1. Log on as Administrator or as a member of the Administrators group.
  2. Click Start, click Control Panel, and then click Performance and Maintenance.
  3. Click Administrative Tools, double-click Computer Management, and then click Disk Management in the left pane.
  4. Right-click the drive, the partition, the logical drive, or the volume whose drive letter you want to remove, and then click Change Drive Letter and Paths.
  5. Click Remove.
  6. Click Yes when you are prompted to confirm the removal.
The drive letter is removed from the drive, from the partition, or from the volume that you specified.

Troubleshooting

  • When you try to change an existing drive letter, you receive the following error message:
The volume volume_label drive_letter is currently in use.
If you continue, the new drive letter will be assigned; but you can still use the old drive letter to access the volume until you restart your computer. The old drive letter will not be available for assignment until you restart.

Warning: Changing the drive letter of a volume could cause programs to no longer run.
This error message may appear if there are files that are in use on the drive, on the partition, or on the volume. These files may be in use by you or by other people on the network. To resolve this issue, use one of the following methods:
    • Click No when you receive the error message. Quit all the programs that are using the files on the volume, and then change the drive letter. To do this, right-click the volume, click Change Drive Letter and Paths, and then click Change.
    • Click Yes to continue with the drive letter change.
  • When you try to remove an existing drive letter, you receive the following error message:
The volume volume_label drive_letter is currently in use.
If you continue, the drive letter will be freed; however, it will still be available for use until you restart your computer.

Warning: Changing the drive letter of a volume could cause programs to no longer run.
This error message may appear if there are files that are in use on the drive, the partition, or the volume. These files may be in use by you or by other people on the network. To resolve this issue, use one of the following methods:
    • Click No when you receive the error message. Quit all the programs that are using the files on the volume, and then remove the drive letter. To do this, right-click the volume, click Change Drive Letter and Paths, and then click Remove.
    • Click Yes to remove the drive letter the next time that you start your computer.
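The three procedures above differ only in the button clicked, and the troubleshooting notes add two constraints: the system and boot volumes cannot be re-lettered, and a letter that is still in use does not become free until a restart. The following PowerShell function is an added example, not part of the original article. It assumes it runs as Administrator, that the Win32_Volume WMI class (Windows XP and later) exposes a writable DriveLetter property together with the SystemVolume and BootVolume flags, and that assigning $null to DriveLetter removes the letter (the equivalent of clicking Remove); the volume labels in the usage line are constructed.

```powershell
# Added example (not from the original article): assign, change or remove a volume's drive
# letter with the safeguards the Disk Management procedure relies on.
# Assumptions: run as Administrator; Win32_Volume.DriveLetter is writable; SystemVolume and
# BootVolume identify the volumes Disk Management refuses to re-letter; $null removes the letter.

function Set-VolumeDriveLetter {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $Label,   # label of the volume to change
        [string] $NewLetter = ''                           # 'E:' to assign or change; '' to remove
    )

    # Double any single quote so the label cannot alter the WQL filter.
    $safeLabel = $Label -replace "'", "''"
    $vol = Get-WmiObject -Class Win32_Volume -Filter "Label='$safeLabel'" | Select-Object -First 1
    if (-not $vol) { throw "No volume labelled '$Label' was found." }

    # Disk Management does not re-letter the system or boot volume; refuse rather than break startup.
    if ($vol.SystemVolume -or $vol.BootVolume) {
        throw "Volume '$Label' is the system or boot volume; leaving its letter alone."
    }

    if ($NewLetter -ne '') {
        # Hard disks use C: through Z:; A: and B: are kept for floppy drives.
        if ($NewLetter -notmatch '^[C-Zc-z]:$') { throw 'Use a drive letter in the form C: through Z:.' }
        $NewLetter = $NewLetter.ToUpper()
        # Refuse a letter that another volume already owns (the GUI greys such letters out).
        $owner = Get-WmiObject -Class Win32_Volume -Filter "DriveLetter='$NewLetter'"
        if ($owner -and $owner.DeviceID -ne $vol.DeviceID) {
            throw "$NewLetter is already assigned to volume '$($owner.Label)'."
        }
    }

    $oldLetter = $vol.DriveLetter
    $action = if ($NewLetter -ne '') { "assign $NewLetter" } else { 'remove drive letter' }
    if ($PSCmdlet.ShouldProcess("volume '$Label' ($oldLetter)", $action)) {
        $vol.DriveLetter = if ($NewLetter -ne '') { $NewLetter } else { $null }
        [void] $vol.Put()
    }
    [PSCustomObject]@{ Label = $Label; OldLetter = $oldLetter; NewLetter = $NewLetter }
}

# Usage with constructed labels; -WhatIf shows the action without applying it.
Set-VolumeDriveLetter -Label 'DATA'    -NewLetter 'E:' -WhatIf
Set-VolumeDriveLetter -Label 'ARCHIVE' -NewLetter ''   -WhatIf
```

The function does not detect open files on the volume; if any are open, expect the behaviour the messages above describe, with the old letter remaining usable until the next restart, and close the programs first when you need the old letter freed immediately.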


Disk Defragmenter

Screenshot of Disk Defragmenter in Windows 7.

Disk Defragmenter is a computer program included in Microsoft Windows designed to increase access speed by rearranging files stored on a disk to occupy contiguous storage locations, a technique commonly known as defragmentation. The purpose is to optimize the time it takes to read and write files to and from the disk by minimizing head travel time and maximizing the transfer rate. As of Windows XP, Disk Defragmenter is also used to improve system startup times.

Disk Management

This step-by-step article describes how to use the Windows XP Disk Management snap-in to configure a basic disk and prepare it for use. This article also describes how to create and delete partitions, and how to format volumes with the FAT, FAT32, or NTFS file systems.


Basic disks and volumes

Basic disk storage supports partition-oriented disks. A basic disk is a physical disk that contains primary partitions, extended partitions, or logical drives. Partitions and logical drives on basic disks are also known as basic volumes. You can create up to four primary partitions, or three primary partitions and one extended partition, that contain logical drives.

If you are running Windows XP Professional and one or more of the following operating systems on the same computer, you must use basic volumes, because these operating systems cannot access data that is stored on dynamic volumes:
  • Windows XP Home Edition
  • Microsoft Windows NT 4.0 or earlier
  • Microsoft Windows Millennium Edition (Me)
  • Microsoft Windows 98
  • Microsoft Windows 95
  • MS-DOS

How to use Disk Management

To start Disk Management:
  1. Log on as administrator or as a member of the Administrators group.
  2. Click Start, click Run, type compmgmt.msc, and then click OK.
  3. In the console tree, click Disk Management. The Disk Management window appears. Your disks and volumes appear in a graphical view and list view. To customize how you view your disks and volumes in the upper and lower panes of the window, point to Top or Bottom on the View menu, and then click the view that you want to use.
NOTE: Microsoft recommends that you create a full backup of your disk contents before you make any changes to your disks or volumes.

How to create a new partition or a new logical drive

To create a new partition or logical drive on a basic disk:
  1. In the Disk Management window, complete one of the following procedures, and then continue to step 2:
    • To create a new partition, right-click unallocated space on the basic disk where you want to create the partition, and then click New Partition.
    • To create a new logical drive in an extended partition, right-click free space on an extended partition where you want to create the logical drive, and then click New Logical Drive.
  2. In the New Partition Wizard, click Next.
  3. Click the type of partition that you want to create (either Primary partition, Extended partition, or Logical drive), and then click Next.
  4. Specify the size of the partition in the Partition size in MB box, and then click Next.
  5. Decide whether to manually assign a drive letter, let the system automatically enumerate the drive, or do not assign a drive letter to the new partition or logical drive, and then click Next.
  6. Specify the formatting options you want to use by using one of the following procedures:
    • If you do not want to format the partition, click Do not format this partition, and then click Next.
    • If you want to format the partition, click Format this partition with the following settings, and then complete the following procedure in the Format dialog box:
    a. Type a name for the volume in the Volume label box. This is an optional step.
    b. Click the file system that you want to use in the File system box.
    c. If you want, change the disk allocation unit size, specify whether to perform a quick format, or enable file and folder compression on NTFS volumes.
    d. Click Next.
  7. Confirm that the options that you selected are correct, and then click Finish.
The new partition or logical drive is created and appears in the appropriate basic disk in the Disk Management window. If you chose to format the volume in step 6, the format process now starts.

How to format a basic volume

To format a partition, logical drive or basic volume:
  1. In the Disk Management window, right-click the partition or logical drive that you want to format (or reformat), and then click Format.
  2. In the Format dialog box, type a name for the volume in the Volume label box. This is an optional step.
  3. Click the file system that you want to use in the File system box. If you want, you can also change the disk allocation unit size, specify whether you want to perform a quick format, or enable file and folder compression on NTFS volumes.
  4. Click OK.
  5. Click OK when you are prompted to format the volume. The format process starts.
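The two procedures above (create a partition, then format it) are the ones most often scripted for new machines, and the one that goes wrong most expensively: a wrong disk number wipes the disk Windows runs from. The following PowerShell function is an added example, not code from the original article. It assumes it runs as Administrator, that diskpart is available and accepts its format command (present in Windows Vista and later; on Windows XP the new volume would be formatted separately), and that the disk number, size, letter and label are the choices you would otherwise make in the New Partition Wizard; the values in the usage line are constructed.

```powershell
# Added example (not from the original article): create a primary partition, format it NTFS
# and assign a drive letter without the New Partition Wizard, refusing to touch the disk
# that carries the bootable partition.
# Assumptions: run as Administrator; diskpart supports 'format' (Windows Vista and later);
# Win32_DiskPartition.BootPartition marks the partition the computer boots from.

function New-DataPartition {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [int] $DiskNumber,
        [Parameter(Mandatory = $true)] [int] $SizeMB,
        [ValidatePattern('^[C-Zc-z]$')] [string] $Letter = 'E',
        # Restrict the label so it cannot inject extra diskpart commands or break the quoting.
        [ValidatePattern('^[A-Za-z0-9 _-]{1,32}$')] [string] $Label = 'DATA'
    )

    # The disk carrying the bootable partition is never a candidate.
    $bootDisks = @(Get-WmiObject -Class Win32_DiskPartition |
        Where-Object { $_.BootPartition } | ForEach-Object { $_.DiskIndex })
    if ($bootDisks -contains $DiskNumber) {
        throw "Disk $DiskNumber holds the boot partition; refusing to modify it."
    }

    # diskpart keeps focus on the partition it just created, so format and assign apply to it.
    $script = @"
select disk $DiskNumber
create partition primary size=$SizeMB
format fs=ntfs label="$Label" quick
assign letter=$Letter
"@

    if ($PSCmdlet.ShouldProcess("disk $DiskNumber", "create ${SizeMB} MB NTFS partition ${Letter}:")) {
        $scriptFile = [System.IO.Path]::GetTempFileName()
        try {
            Set-Content -Path $scriptFile -Value $script -Encoding ASCII
            $output = & diskpart.exe /s $scriptFile
            if ($LASTEXITCODE -ne 0) {
                throw "diskpart failed with exit code ${LASTEXITCODE}: $($output -join ' ')"
            }
        } finally {
            Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue
        }
    }
    return $script   # the exact commands that were run (or, with -WhatIf, would be run)
}

# Usage with constructed values; run with -WhatIf first and read the returned script.
New-DataPartition -DiskNumber 1 -SizeMB 1024 -Letter E -Label DATA -WhatIf
```

Check the disk number against Disk Management's graphical view before dropping -WhatIf; the boot-partition guard protects the Windows disk, not a second disk that happens to hold data you care about.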

How to view the properties of a basic volume

To view the properties of a partition or logical drive:
  1. In the Disk Management window, right-click the partition or logical drive that you want, and then click Properties.
  2. Click the appropriate tab to view the appropriate property.

How to delete a partition or a logical drive

To delete a partition or logical drive:
  1. In the Disk Management window, right-click the partition or logical drive that you want to delete, and then click Delete Partition or Delete Logical Drive.
  2. Click Yes when you are prompted to delete the partition or logical drive. The partition or logical drive is deleted.
Important
  • When you delete a partition or a logical drive, all the data on that partition or logical drive, and the partition or the logical drive, are deleted.
  • You cannot delete the system partition, boot partition, or a partition that contains the active paging (swap) file.
  • You cannot delete an extended partition unless the extended partition is empty. All logical drives in the extended partition must be deleted before you can delete the extended partition.

Troubleshooting

Disk Management displays status descriptions in graphical view and under the Status column of list view to inform you of the current status of the disk or volume. Use these status descriptions to help you detect and troubleshoot disk and volume failures. The following is a partial list of disk and volume status descriptions:
  • Online
    This is the normal disk status when the disk is accessible and functioning correctly.
  • Healthy
    This is the normal volume status when the volume is accessible and functioning correctly.
  • Unreadable
    The disk is inaccessible because of possible hardware failure, corruption, or I/O errors.

    To troubleshoot this issue, restart the computer or rescan the disk to try to return the disk to Online status. To rescan the disk, open Computer Management, and then click Disk Management. On the Action menu, click Rescan Disks.
For a complete list of disk and volume status descriptions and troubleshooting procedures, see Disk Management Help. In the Disk Management snap-in or Computer Management window, click Help on the Action menu.






Services :
list of all the standard services [update: SP 2 defaults are shown in Green]
ServiceName
Service (Key)
Process
Description
Default Status & notes
Alerter
Alerter
Services.exe

[HKLM\SYSTEM\
CurrentControlSet\
Services\Alerter\Parameters]

[HKLM\SYSTEM\
CurrentControlSet
\Services\SysmonLog\Log Queries\<alertname>]
Distribute administrative alerts to specific users or machines.

e.g. Performance Monitor thresholds are distributed as alerts.

Requires the Messenger and Workstation services to be started.
Manual.
May be disabled if the alerts are not needed.
Application Layer Gateway Service
ALG
alg.exe
Support for Internet Connection Sharing and the Internet Connection Firewall
Manual
Application Management
appmgt
Services.exe or svchost.exe
Installation services (Add/Remove Programs) - Assign, Publish, and Remove.
Manual
Automatic Updates
wuaUserv
svchost.exe -k wugroup
Enable the download and installation of critical Windows updates.
Automatic.
If the service is stopped, the operating system can be manually updated at the Windows Update Web site.
Background Intelligent Transfer Service
BITS
svchost.exe -k BITSgroup
Transfer files using idle network bandwidth, maintain file transfers through network disconnections and computer restarts.
Automatic
switch to manual if you have problems - Q314862
Clipbook Server
Clipsrv
Clipsrv.exe
Provides support for the Clipbook Viewer, which allows the clipboard of the source machine to be accessed remotely.
Disabled
COM+ Event System
Event System
svchost.exe -k netsvcs
Automatic distribution of events to subscribing COM components.
Manual
Computer Browser
Browser
Services.exe
Collects the names of NetBIOS resources on the network, creating a list so that it can participate as a master browser or basic browser (one that takes part in browser elections).

This maintained list of resources (computers) is displayed in Network Neighborhood and Server Manager. If disabled you can still map drives, but can't browse the whole network.
Automatic.

If the machine is not connected to a LAN (stand-alone), or will not participate as a master browser or take part in elections, then feel free to change the status to manual (or disabled)

This does not equate to disabling TCP/IP so internet browsing is still possible.
Cryptographic Services
CryptSvc
svchost.exe
Management of Certification Authority certificates. Driver Catalog Database, Protected Root and Key certificate Services.
Automatic
DCOM Server Process Launcher
DcomLaunch
svchost.exe
Launch DCOM services
Automatic
DHCP Client
Dhcp
Services.exe or svchost.exe
Manage network configuration by registering and updating IP addresses and DNS names.
Automatic
On a stand-alone machine: Disable
Distributed Link Tracking Client
TrkWks
Services.exe or svchost.exe
Send notification of files moving between NTFS volumes in a network domain.
Automatic
Can be set to manual if you dont need this function.
Distributed Transaction Coordinator
msdtc
MSDTC.exe
Coordinate transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.
Manual
Can be set to Disabled if you dont need this function.
DNS Client
Dnscache
Services.exe
Resolves and caches Domain Name System (DNS) names.
Automatic
Directory Replicator (Server only)
Replicator
Lmrepl.exe
Replicate specified files & folders between computers.
The host is the export server, and the target machines are called import computers.
Replication is configured under Server in the Control Panel.
Automatic

Domain Controllers need this to replicate the Netlogon share.
Error Reporting Service
Ersvc
svchost.exe
Report errors back to Microsoft in Redmond.
Automatic
If you never want to report system crash info. to Microsoft set this to disabled.
EventLog
EventLog
Services.exe
Record System, Security, and Application Events.

Viewed with the MMC Event Viewer (eventvwr.exe in NT).
Automatic
Fast User Switching Compatibility
FastUserSwitching Compatibility
svchost.exe
Enable multiple users to login to the same PC simultaneously.
Manual
Fax Service
Fax
faxsvc.exe
Send and receive faxes
Automatic or Manual
Help and Support
helpsvc
svchost.exe
Help and Support Center
Automatic.
If stopped the help system will stop working.
Human Interface Device Access
HidServ
svchost.exe
Support for extra keyboard 'hot buttons' and other multimedia input devices.
Disabled
HTTP SSL
HTTPFilter
svchost.exe
Support for HTTPS (Secure Socket Layer) websites such as banking and e-commerce.
Manual
IMAPI CD-Burning COM Service
ImapiService
imapi.exe
CD-Rom Burning
Manual
If you have problems changing to Automatic may help.
Indexing Service
cisvc
cisvc.exe
Index the contents and properties of files on local and remote computers.
[ RESOURCE HOG ]
Manual
For improved performance Disable or
Uninstall thru C.Panel add/remove
IPSEC Policy Agent
PolicyAgent
lsass.exe
Manage IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Automatic
May be changed to Manual if IPSec is not needed.
License Logging Service (Server)
LicenseService
Llssrv.exe
License tracking on a server or DC (Domain Controller).
If disabled then licensing status alerts will not be generated.
Logical Disk Manager
Dmserver
services.exe or svchost.exe
Required by the MMC Disk Management plug-in.
Automatic
Logical Disk Manager Administrative Service
Dmadmin
dmadmin.exe /com
Administrative service for disk management requests
Manual
Message Queuing

mqsvc.exe
Message Queuing

Message Queuing Triggers

mqtgsvc.exe
Message Queuing

MS Software Shadow Copy Provider Service
swprv
dllhost.exe
Microsoft Backup Utility
Manual
Disable if you never use Shadow Copy features.
Messenger
Messenger
Services.exe
Process the receipt or delivery of pop-up messages sent via NET SEND.
Not related to Windows Messenger.
Disabled
A vulnerability in this service was once used to send pop-up spam.
Network Connections
Netman
svchost.exe -k netsvcs
Manage objects in the Network and Dial-Up Connections folder (LAN and remote connections.)
Manual
Net Logon
Netlogon
Lsass.exe
(Local Security Authority Subsystem)
Network Authentication: maintains a synced domain directory database between the PDC and BDC(s), handles authentication of respective accounts on the DCs, and authenticates domain accounts on networked machines.
Automatic
For stand-alone machines never connected to a domain set to Manual.
NetMeeting Remote Desktop Sharing
mnmsrvc
mnmsrvc.exe
Allows authorized people to remotely access your Windows desktop using NetMeeting.
Manual.
A good idea to Disable unless you plan to allow remote connections.
Network DDE
NetDDE
Netdde.exe
Support the network transport of DDE (Dynamic Data Exchange) connections.
Requires Network DDE DSDM to be started. See Clipbook service
Disabled
Network DDE DSDM
NetDDEdsdm
Netdde.exe
Manage shared DDE conversations (from shares like: \\computername\ndde$).
See Clipbook service
Disabled
NLA - Network Location Awareness
nla
svchost.exe
Part of Internet Connection Sharing (ICS) and the Internet Connection Firewall (ICF)
Manual
Network Provisioning Service
xmlprov
svchost.exe
Manage XML configuration files on a domain basis
Manual
NT LM Security Support Provider
NtLmSsp
Services.exe
Extends NT security to Remote Procedure Call (RPC) programs using various transports other than named pipes.
RPC activity is quite common, and most RPC apps don't use named pipes.
Manual
Performance Logs and Alerts (XP)
or
Alerts and Performance Logs (Win 2K)
sysmonLog
smlogsvc.exe
Configure performance logs and alerts.
Manual. May be disabled if the alerts are not needed.
Plug and Play
PlugPlay
Services.exe
Plug and Play.
Do not disable this service.
Automatic
Universal Plug and Play Host
UPNPhost
svchost.exe
Device host that detects and configures external UPnP devices.
UPnP is not the same thing as Plug and Play (PnP).
Manual
Portable Media Serial Number Service
WmdmPmSN
svchost.exe
Retrieves the serial number of any portable media player connected to this computer.
Manual
Disable if you never use DRM music devices.
Print Spooler or Spooler
Spooler
Spoolsv.exe
(Spoolss.exe in NT4)
The NT printing subsystem.
Automatic - If you print documents.

If no printing is ever done, set to Manual (or Disabled).

Restarting this service will cancel all pending print jobs.
Protected Storage
ProtectedStorage
Pstores.exe
Encrypt and store secure info: SSL certificates, passwords for Outlook, Outlook Express, Profile Assistant, MS Wallet, and digitally signed S/MIME keys.
Automatic.
QoS RSVP
rsvp
rsvp.exe -s
Provide network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
Manual
Remote Access Auto Connection Manager
or
Remote Access AutoDial Manager
Rasauto
svchost.exe -k netsvcs
Activates automatic dial-up when a URL link is clicked.

Required for some but not all RAS, ADSL or Cable connections.
Manual
May be disabled if the machine has no internet access.
Remote Access Connection Manager
Rasman
svchost.exe -k netsvcs
Required for most but not all RAS, ADSL or Cable connections.
Manual.
Required for Internet Connection Sharing or accessing remote servers via RAS.
Remote Desktop Help Session Manager
RDSessMgr
sessmgr.exe
Remote Desktop Help Session Manager.
Manual
May be disabled if RDP is never used.
Remote Procedure Call (RPC) Service
or
Remote Procedure Call (RPC)
RpcSs
svchost -k rpcss
This RPC subsystem is crucial to any RPC activity taking place on a system (e.g. DCOM).
Automatic
Do not disable. Many essential services are dependent on RPC.
Remote Procedure Call (RPC) Locator
RpcLocator
Locator.exe
Maintains the RPC name server database (the database of available server applications); requires the RPC service (above) to be started.
Manual.
Remote Registry Service (XP Pro only)
RemoteRegistry
regsvc.exe
Allow remote registry manipulation.
Automatic
A good idea to disable this, unless you have some reason to allow remote registry editing.
Removable Storage
Ntmssvc
svchost.exe -k netsvcs
Manage removable media, drives, and libraries.
Manual.
RIP Listener
(XP - option)


Listen for RIP announcements from routers and modify the routing table accordingly.
To use the RIP Listener service, your adjacent routers must support the RIP v1 protocol. You'll find the RIP Listener service under Add/Remove Windows Components - Networking Services.
Routing and Remote Access
RemoteAccess
svchost.exe -k netsvcs
Allow incoming connections via dial in or VPN. (WAN Routing)
Disabled
Secondary Logon (Win XP)
RunAs (Win 2K)
secLogon
services.exe or svchost.exe
Enables starting processes under alternate credentials.
Automatic
You may want to stop this service if you never use RunAs.
Security Accounts Manager (Win 2K)
SamSs
lsass.exe
Stores security information for local user accounts.
Automatic
Security Center
wscsvc
svchost.exe
Monitor system security settings and configurations.
Automatic
You may want to disable this if firewall and virus updates are controlled via other means.
Server
LanmanServer
Services.exe
Support for peer-to-peer file sharing, print sharing, and named pipe sharing via SMB services.
Automatic
May be disabled if you don't host file or print shares (including the Admin$ share).
Shell Hardware Detection
ShellHWDetection
svchost.exe
CD Autoplay
Automatic.
Smart Card
SCardSvr
SCardSvr.exe
Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
Manual
If you never use smart cards, set to Disabled.
Smart Card Helper
ScardDrv
SCardSvr.exe
Support for legacy smart card readers.
Removed in XP SP2
SNMP Service
Snmp
snmp.exe
Agents that monitor the activity in network devices and report to the network console workstation.
Automatic (if installed)
SSDP Discovery Service
SSDPSRV
svchost.exe
Simple Service Discovery Protocol.
Enables discovery of UPnP devices on your home network
Manual
May be disabled if, as is likely, you don't have any UPnP devices.
System Event Notification
SENS
svchost.exe -k netsvcs
Track system events such as Windows logon, network, and power events.
Notifies COM+ Event System subscribers of these events.
Automatic.
System Restore Service
srservice
svchost.exe
Creates system snapshots.
[ RESOURCE HOG ]
Automatic

If the machine's configuration has been cloned or backed up, turn off System Restore in Control Panel, System.
Task Scheduler or Schedule
Schedule
atsvc.exe or mstask.exe
This service is required to schedule background tasks (run at a specific date & time)

Under NT it's a Resource Hog.
Under XP it's used by some auto-tuning operations.
Automatic
TCP/IP NetBIOS Helper
or
TCP/IP NetBIOS Helper Service
lmHosts
Services.exe
Support for name resolution in a Windows 2000 domain (NetBIOS/WINS).
An alternative to DNS lookup.
Automatic
If not required may be set to manual.
Telephony
TapiSrv
Tapisrv.exe
Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections, e.g. unimodem modems.
Manual
Telnet
(Win 2K)
TlntSvr
tlntsvr.exe
Allows a remote user to log on to the system and run console programs using the command line.
Disabled
Very insecure; it presents a security risk whenever it is running.
Terminal Services
TermService
svchost.exe
Required for Fast User Switching, Remote Desktop and Remote Assistance
Manual
If not required may be Disabled
Themes
Themes
svchost.exe
XP Active Desktop themes and quick launch toolbars.
[ RESOURCE HOG ]
Automatic
Set to Manual or Disabled if you don't like themes.
UPS or Uninterruptible Power Supply
UPS
Ups.exe
Support for an Uninterruptible Power Supply (UPS) physically connected to the machine.
Manual
Not every UPS will need or use this service.
Upload Manager
uploadmgr
svchost.exe
Upload Manager.
Removed in XP SP2
Volume Shadow Copy
VSS
vssvc.exe
MS Backup - A volume shadow copy is a picture of the volume at a particular moment in time. That means a computer can be backed up while files are open and applications running.
Manual
If not required may be disabled
see MS Software Shadow Copy Provider Service
WebClient
WebClient
svchost.exe
Allow access to web-resident disk storage from an ISP. WebDAV "internet disks" such as Apple's iDisk.
Automatic
If not required may be disabled
Windows Audio
AudioSrv
svchost.exe
Sound Driver
Note that disabling the sound driver won't stop sounds from playing - you just won't hear them.
Automatic
If no sound card fitted then disable.
Windows Firewall (XP SP2)
Internet Connection Firewall (XP)
Internet Connection Sharing (Win 2K)
SharedAccess
svchost.exe -k netsvcs
Network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
Automatic.
For better protection consider adding a third party firewall.
Windows Image Acquisition
stisvc
svchost.exe
Required for some but not all cameras, scanners, and digital video cameras.
Manual
Windows Installer
MSIServer
MsiExec.exe /V
Install, repair and remove software according to instructions contained in .MSI files.
Manual
Windows Management Instrumentation
WinMgmt
C:\WINNT\System32\WBEM\WinMgmt.exe
WMI provides system management information.
Automatic
Windows Management Instrumentation Driver Extensions
Wmi
svchost.exe
Provides systems management information to and from drivers.
Manual
Windows Time
W32time
services.exe
Update the computer clock by reference to an internet time source or a time server.
Automatic
Wireless Zero Configuration
WZCSVC
svchost.exe
Configure wireless network devices (802.11a/b/g).
Automatic
Disable if you don't have any wireless devices.
WMI Performance Adapter
WmiApSrv
wmiapsrv.exe
Collect performance library information.
Manual
Workstation
lanmanworkstation
Services.exe
Communications and network connections.
Services dependent on this being started: Alerter, Messenger, and Net Logon.
Automatic
It is inadvisable to disable a service without being aware of the consequences; always start by setting the service to Manual, reboot, and test for any problems.
A service set to Manual may be automatically started if another service is dependent on it.
A service set to Disabled will not start even if it is required to boot the machine!
Stopping or disabling a service will generally save a small amount of memory and will reduce the number of software interrupts (CPU message queue). The main reason for tinkering with services is to harden the system against security vulnerabilities. Disable everything that you don't need or use; then any future problems with those services cannot affect the machine.
To document all the services currently installed:
SC QUERY state= all |findstr "DISPLAY_NAME STATE" >my_services.csv
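The SC QUERY output above is easier to audit when parsed than when eyeballed. The following is an added example, not part of the original page: it parses the record format sc.exe prints and flags any service that is running even though the list above recommends leaving it Disabled. The sample output is constructed (abbreviated to the lines the parser reads), and RECOMMENDED_DISABLED is just the Disabled entries from the list above.

```python
# Added example: audit `sc query state= all` output against the services that
# the list above recommends setting to Disabled.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: Messenger
DISPLAY_NAME: Messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)

SERVICE_NAME: RemoteRegistry
DISPLAY_NAME: Remote Registry
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED

SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
"""  # constructed sample in sc.exe's record format, not a real capture

# Service names whose recommended startup type in the list above is Disabled.
RECOMMENDED_DISABLED = {"HidServ", "Messenger", "NetDDE", "NetDDEdsdm",
                        "RemoteAccess", "TlntSvr"}

def parse_sc_query(text):
    """Return {service_name: {"display": ..., "state": ...}} from sc query output."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
            services[current] = {"display": "", "state": ""}
        elif current and line.startswith("DISPLAY_NAME:"):
            services[current]["display"] = line.split(":", 1)[1].strip()
        elif current and line.startswith("STATE"):
            # "STATE   : 4  RUNNING" -> keep the textual state, drop the number
            services[current]["state"] = line.split(":", 1)[1].split()[-1]
    return services

def audit(services, disabled=RECOMMENDED_DISABLED):
    """Return sorted names of services that are RUNNING but recommended Disabled."""
    return sorted(name for name, info in services.items()
                  if name in disabled and info["state"] == "RUNNING")

if __name__ == "__main__":
    found = parse_sc_query(SAMPLE_SC_OUTPUT)
    for name in audit(found):
        print(f"{name} ({found[name]['display']}) is running; recommended: Disabled")
```

On a real machine, feed it the unfiltered output of SC QUERY state= all rather than the findstr-trimmed file, since the parser keys each record on its SERVICE_NAME line.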
Some XP services communicate and send data directly to Microsoft; this is not generally something to lose sleep over. Managing the running of these services may be a consideration if confidentiality or anonymity is highly important to you.
Removing a service completely
To delete a service, you may be tempted to hack the registry settings under HKLM\SYSTEM\CurrentControlSet\Services; this is not a reliable or recommended method. Far better is to use the SC command:
SC delete NameofServiceTodelete
Enable or Disable Ports
Many services and applications rely on the use of a specific port. To determine whether a particular port is assigned for use, review the list of service names and port numbers held in the "services" file (windows\system32\drivers\etc\services).
Installing a good firewall is the easiest way to manage this.
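The "services" file mentioned above is a plain-text table of <name> <port>/<protocol> [aliases] [# comment] lines. As an added example (not part of the original page), here is a small parser for that format that resolves a port number to its service name and a name or alias back to its ports. The file contents below are a constructed sample in the same format, not a copy of the real file.

```python
# Added example: parse a services file (windows\system32\drivers\etc\services
# format) and look up ports by name and names by port.
SAMPLE_SERVICES_FILE = """\
# constructed sample header line (comment)
echo                7/tcp
echo                7/udp
ftp                21/tcp                           #FTP. control
telnet             23/tcp
smtp               25/tcp    mail                   #Simple Mail Transfer Protocol
netbios-ns        137/udp    nbname                 #NETBIOS Name Service
netbios-ssn       139/tcp    nbsession              #NETBIOS Session Service
snmp              161/udp                           #SNMP
microsoft-ds      445/tcp
"""

def parse_services(text):
    """Return {(port, proto): (name, aliases)} from services-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments, blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                           # skip malformed lines rather than crash
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto.lower())] = (fields[0], tuple(fields[2:]))
    return table

def lookup_port(table, port, proto="tcp"):
    """Name assigned to port/proto, or None if the file does not list it."""
    entry = table.get((port, proto))
    return entry[0] if entry else None

def lookup_name(table, name):
    """Sorted (port, proto) pairs whose service name or alias matches."""
    return sorted(key for key, (svc, aliases) in table.items()
                  if name == svc or name in aliases)

if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES_FILE)
    print(lookup_port(table, 139), lookup_name(table, "mail"))
```

Note that the file only records which name a port is assigned to; whether anything is actually listening on it is a separate question for the firewall or netstat.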
"The service we render to others is really the rent we pay for our room on this earth. It is obvious that man is himself a traveler; that the purpose of this world is not 'to have and to hold' but 'to give and serve.' There can be no other meaning." - Sir Wilfred T. Grenfell

WMI Control overview

Windows Management Instrumentation (WMI) Control is a tool that enables you to configure WMI settings on a remote computer or local computer. Using the WMI Control, you can manage the following tasks remotely.

Authorize users or groups and set permission levels

You can enable an individual user, group, or namespace to access network objects and perform WMI tasks and services. For example, you can enable a group to manage WMI's Common Information Model (CIM) objects on their local computers.

Configure error logging

You can turn error logging on or off and, if turned on, set it to report errors only (the default) or all actions (verbose). Error logging can help you troubleshoot WMI problems. You can also define a maximum size for log files and their folder location.

Back up the repository

You can configure the WMI Control to back up your repository on a regular schedule, or you can do it manually at any time. The repository is the database of objects that you can access through WMI. You can also restore a previous version of the repository.

Change the default namespace for scripting

You can change the default namespace that is targeted in WMI scripts.

Indexing Service

Using Indexing Service

Indexing Service creates indexes of the contents and properties of documents on your local hard drive and on shared network drives. You can also control the information included in the indexes. Indexing Service is designed to run continuously and requires little, if any, maintenance.

To open Indexing Service

1. Open Computer Management (Local).
2. In the console tree, double-click Services and Applications.
3. Double-click Indexing Service.

Note
To open Computer Management, click Start, and then click Control Panel. Click Performance and Maintenance, click Administrative Tools, and then double-click Computer Management.
For information about using Indexing Service, on the Action menu in Computer Management, click Help.