Manually Adding or Removing Services and Devices.
Introduction:
If you add new hardware or software to a system, the installation procedure will normally take care of adding the required Device Drivers or Services to NT4.0. In most circumstances it is unnecessary to know how to manually add or remove a Device or Service. There are rare occasions however where such knowledge can be valuable, such as when a Device or Service refuses to uninstall by conventional means, or problems are encountered during the automated installation.
I shall also show you, later in this article, how even the best uninstall process does not clear all the detritus placed in the registry by a Device or Service, and how you can manually clean up the registry to make it more easily readable and maintainable.
For the purposes of these activities, a Device or Service is managed by NT4.0 in basically the same manner, so in this discussion either can be handled equally using this technique. There are a couple of subtle differences that you will encounter - I will point them out at the appropriate time.
For a more detailed explanation of Services and Device Drivers, and their roles in a NT4.0 system see Microsoft Knowledgebase article 101501 - "Differences Between a Service and a Device Driver". I suggest you also read and understand Knowledgebase article 101230 - "Definition of Registry Value Data Types".
CAUTION: As with any activity involving manual editing of the registry - PROCEED WITH CARE - a mistake may render your machine unusable. If you are not confident in what you are attempting to do, seek experienced help !
IMPORTANT: You require 'ADMINISTRATOR' privileges to perform the following tasks.
Installing a Device or Service.
Manually installing a Device Driver or Service is reasonably straightforward. The new Device Driver or Service file(s) need to be copied to the boot partition. (ie: the partition that holds your working copy of NT4.0) Services are normally placed in the "WinNT\System32" folder, whilst the normal convention has Device Drivers placed in the "WinNT\System32\Drivers" folder. Ensure you keep note of where the files have been positioned - you will need this information shortly.
The only other task is to inform the system of the existence of the new file(s), and specify how it is to be handled. To do this we add a new series of entries in the registry.
To see how this is all managed, a good starting point is to examine the existing entries in the appropriate area of the registry. Start Regedit.exe and locate the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
This tree contains a series of subkeys listing all the Devices and Services currently installed on the system. For example, the ATAPI disk interface Device Driver is controlled by the settings in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi.
Setting up a New Device or Service.
The easiest method to add all the new entries required for a new Device or Service is to use a .reg file and allow Regedit.exe to merge the information for us. This is done by simply creating a .reg file (eg: SomeName.reg) somewhere convenient on the machine, organising its contents and saving it, then double clicking this .reg file in Explorer to integrate its contents into the registry.
A Sample Registry Entry File.
To save you having to re-type all this (and the possibility of an error whilst doing so), you can download template.reg which contains the exact same content as described below. You can edit this file using any text editor. (eg: Notepad)
The items in red need to be customised to suit the circumstances and details of the new Device or Service you are installing:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemName]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):5c,3f,3f,5c,44,3a,5c,57,49,4e,4e,54,5c,53,79,73,74,65,6d,33,\
  32,5c,44,72,69,76,65,72,73,5c,4e,65,77,49,74,65,60,2e,73,79,73,00
"DisplayName"="FriendlyName"
Descriptions of the Entries in this file:
- SystemName - replace this text string in the .reg file with a single word (no spaces) that describes the device or service. This name MUST be unique ! (Creating an entry which matches a pre-existing 'SystemName' will cause major problems) This is the name used to refer to the Device or Service internally in NT4. (eg: from the command prompt - see the notes below for more details)
- Type - Specifies the type of Device or Service being installed. Valid values are:
  - 00000001 - This is a Kernel Mode Driver.
  - 00000002 - This is a File System Driver.
  - 00000004 - This is an argument group.
  - 00000010 - This is a Win32 Service that runs in its own address space.
  - 00000020 - This is a Win32 Service that runs in shared address space.
- Start - Specifies when the Device or Service is to be started. Valid values are:
  - 00000000 - Boot (Device Drivers Only - preload before Kernel Startup)
  - 00000001 - System (Device Drivers Only - load at Kernel Startup)
  - 00000002 - Automatic (Start Automatically during System Startup)
  - 00000003 - Manual (Start on demand, when required)
  - 00000004 - Disabled (DO NOT Start)
- ErrorControl - Specifies what action to take if the Device or Service fails to initialise. Valid values are:
  - 00000000 - Ignore the error completely and continue system boot normally.
  - 00000001 - Log the error and continue system boot normally. (You will get a Service Control Manager popup warning after system boot)
  - 00000002 - Switch to 'Last Known Good' control set and continue system boot.
  - 00000003 - Fail the startup, reboot and use 'Last Known Good' control set. If already on the 'Last Known Good' control set, generate a 'STOP' error (Blue Screen of Death) and halt the system.
- ImagePath - this specifies the location of the Device Driver or Service file. It is in the form of REG_EXPAND_SZ, so it appears as 'hex(2):' in a .reg file. The easiest method to edit this content is to leave this item as is initially, merge the .reg file contents into the registry, then use Regedt32.exe to edit its contents once merged. (Regedt32.exe can edit ALL data types used in the NT4.0 registry, but unfortunately Regedit.exe is more limited) The path is presented in the form:
\??\D:\WinNT\System32\Drivers\Device.sys
or
\??\D:\WinNT\System32\Service.exe
There are several forms that can be used to describe the path, but this form appears to be the most reliable - the \??\ prefix IS required and should not be changed ! (This syntax is part of the WinNT Symbolic Links system)
- DisplayName - This entry specifies a 'friendly' name by which your Device or Service is to be displayed in the 'Devices' or 'Services' applets of Control Panel. Replace 'FriendlyName' with a text string of your choosing. (Restrict the size to about 30 characters preferably, or it will run off the edge of the list box in the 'Services' and 'Devices' applets in Control Panel)
- There are several other ValueNames you may see in an existing '\Services\' subkey. Manually setting or changing these values is beyond the scope of this simple discussion. See the section 'More Information' below if you want to explore this area further. Commonly found ValueNames you may see in a '\Services\' entry (that have not previously been dealt with) include:
  - DependOnGroup
  - DependOnService
  - ObjectName
  - Group
  - Tag
  - Linkage
  - Parameters
Notes:
- I suggest that the 'Start' setting initially be set to '00000003' (ie: Manual) or '00000002' (ie: Automatic) until you are sure that the Device or Service is starting properly and reliably. Once you are satisfied all is well, you can then change this value as required. The normal strategy I employ is to use a setting of 'Manual', then use the 'Services' or 'Devices' applet in Control Panel to manually start the Device or Service to examine its behaviour. If no problems are encountered I then change the 'Start' value to an appropriate setting.
- Only set a Device to 'Start' settings of 'System' or 'Boot' if you are certain this is required and the Device is designed for this activity - attempting to start a non-compliant Device too early in the system boot process can lead to instability or boot failure. Settings of 'System' or 'Boot' are illegal for a Service.
- Likewise the 'ErrorControl' setting should initially be set to '00000001' (ie: Log Error) Again, this value can be changed later, once the setup is verified as correct.
- After you have merged the .reg file into the registry, and made any last minute changes using Regedt32.exe, you will need to reboot the system. Attempting to start the new Device or Service before rebooting the system will most likely result in failure. (Primarily because the processes, described in the section below entitled "What Happens When a Device or Service is Started", have not yet been performed)
- If you open the 'Services' or 'Devices' applets in the Control Panel immediately after you have set up the registry entries (before rebooting), you will notice that the new Device or Service is NOT displayed in the listing. NT4.0 ONLY reads the '\Services\' registry key tree completely at bootup, so new items added manually after the boot are ignored. Once you have rebooted, the new item will appear. (There is a mechanism provided within the Windows API to dynamically add devices or services to a running system - but again this is outside the bounds of this simple discussion.)
- Devices and Services can be Started or Stopped (and Paused or Continued if they support these functions) from a command prompt. The 'NET' command has functions to allow these tasks to be performed. Type:
NET STOP /?
or
NET START /?
for more information. The syntax of these commands requires that the Device or Service be referred to by its 'SystemName'.
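The entry described above can also be generated and checked before it is merged. The following Python code is an added example, not part of the original article or its template.reg: it encodes an ImagePath as hex(2) data and rejects the combinations that the descriptions and notes above rule out. The function names and the 'NewSvc' entry are hypothetical, and the path is assumed to be plain ASCII.

```python
# Valid values as listed in the descriptions above.
TYPES = {0x01, 0x02, 0x04, 0x10, 0x20}
WIN32_SERVICES = {0x10, 0x20}
STARTS = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
ERROR_CONTROLS = {0, 1, 2, 3}
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

def encode_image_path(path):
    """hex(2) data: the ANSI bytes of the path plus a terminating NUL."""
    return ",".join(f"{b:02x}" for b in path.encode("ascii") + b"\x00")

def decode_image_path(hex_text):
    """Decode hex(2) data, tolerating '\\' continuations and indentation."""
    cleaned = "".join(hex_text.split()).replace("\\", "").strip(",")
    data = bytes(int(b, 16) for b in cleaned.split(","))
    return data.rstrip(b"\x00").decode("ascii")

def check_entry(system_name, svc_type, start, error_control, image_path):
    """Return a list of problems; an empty list means the entry passes."""
    problems = []
    if not system_name or any(c.isspace() for c in system_name):
        problems.append("SystemName must be a single word (no spaces)")
    if svc_type not in TYPES:
        problems.append(f"Type {svc_type:#010x} is not a listed value")
    if start not in STARTS:
        problems.append(f"Start {start} is not a listed value")
    elif svc_type in WIN32_SERVICES and start in (0, 1):
        problems.append(f"Start '{STARTS[start]}' is illegal for a Service")
    if error_control not in ERROR_CONTROLS:
        problems.append(f"ErrorControl {error_control} is not a listed value")
    if not image_path.startswith("\\??\\"):
        problems.append("ImagePath must keep the \\??\\ prefix")
    return problems

def build_reg(system_name, svc_type, start, error_control, image_path, display_name):
    """Return REGEDIT4 text for the entry, or raise ValueError listing problems."""
    problems = check_entry(system_name, svc_type, start, error_control, image_path)
    if problems:
        raise ValueError("; ".join(problems))
    friendly = display_name.replace("\\", "\\\\").replace('"', '\\"')
    return "\r\n".join([
        "REGEDIT4", "",
        f"[{SERVICES_KEY}{system_name}]",
        f'"Type"=dword:{svc_type:08x}',
        f'"Start"=dword:{start:08x}',
        f'"ErrorControl"=dword:{error_control:08x}',
        f'"ImagePath"=hex(2):{encode_image_path(image_path)}',
        f'"DisplayName"="{friendly}"', ""])

# Constructed example entry; "NewSvc" and its path are hypothetical.
EXAMPLE = build_reg("NewSvc", 0x10, 3, 1,
                    "\\??\\D:\\WinNT\\System32\\Service.exe", "New Service")
```

decode_image_path() can be pointed at the hex(2) line of any existing export to read the path without opening Regedt32.exe.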
What Happens When a Device or Service is Started.
The first time a Device or Service is successfully started, several new entries are created in the registry.
- The key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SystemName is created. Below this several subkeys may be present:
- An instance count subkey (so the first instance is '0000') is created. (The second instance will be located under subkey 0001 and so forth...)
- Under the '0000' subkey another subkey called 'Control' is created.
- For a newly created Device or Service a ValueName of '*NewlyCreated*' exists. This ValueName disappears after the next system reboot. I suspect this ValueName has something to do with copying of this new key into the 'Last Known Good' control set - but information on this topic is sketchy at best.
- The other commonly found ValueName here is 'ActiveService' - it will have a value of the 'SystemName' of the Device or Service.
- For established Devices or Services the 'Control' subkey and 'ActiveService' ValueName will only be present if the Device or Service has been started.
- Once present, the 'ActiveService' ValueName remains there, even if the Device or Service is subsequently stopped.
- The 'Control' subkey and 'ActiveService' ValueName entries are dynamically added after the system boots, so are not present in the 'Last Known Good' control set.
- This registry structure provides a useful method to allow us to see which Devices and Services are, or have been, started on a system since the last reboot.
- Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemName a new subkey called 'Enum' is created. It contains several ValueNames which point to the new key created under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SystemName.
- A new entry in the form 'Root\LEGACY_SystemName\0000' is added to the ValueName 'AttachedComponents' under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HTREE\ROOT\0. (This item is a REG_Multi_SZ datatype, so it is only directly readable in Regedt32.exe) The '\0000' tag of course refers to the first instance of the device or service. If multiple instances of the device or service exist there will be multiple tags. (as described previously)
These activities require no intervention by the end user - it is all performed transparently by the NT4.0 system.
UnInstalling a Device or Service.
To uninstall a Device Driver or Service the basic procedure involves reversing the steps listed above. (If you have not read the previous sections of this article I suggest you do so before continuing)
Before beginning the process, there are several cautionary points that need to be observed:
- Use the 'Export Registry File' features of RegEdit.exe to save a copy of any keys you intend to remove from the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services tree. These may be needed if the removal of a Device or Service causes unforeseen problems, and a key has to be restored.
- Ensure that the Device or Service that you are planning to remove is not named as a 'Dependency' by one or more other Devices or Services. Removing a Device or Service in such circumstances will undoubtedly cause serious problems. If you do have a 'Dependency' situation, the Device or Service that is dependent upon the item you are now contemplating removing will also need to be removed (or disabled) - and this needs to be done first.
- 'Dependency' entries (ie: 'DependOnGroup' or 'DependOnService') are normally of REG_Multi_SZ datatype, so you will need to use Regedt32.exe to be able to easily read the content.
- Ensure that the Device or Service has been stopped using the 'Devices' or 'Services' applet in Control Panel. It is advisable to change the 'Start up' setting for the item to 'Disabled' as well - in case something or someone attempts to restart it whilst you are trying to remove it !
- In some cases a Device or Service will refuse to stop. BEWARE - often this situation is caused by a 'Dependency' - check carefully ! Once such matters are resolved, if the Device or Service still refuses to stop, your only option is to change its 'Startup' option to 'Disabled' and then reboot the system. This will guarantee that the Device or Service is stopped.
Now - Removing the Device or Service:
1. Using Regedit.exe or Regedt32.exe delete the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemName (where 'SystemName' is the appropriate key for the Device or Service you are removing from the system)
2. Using Regedt32.exe locate the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SystemName
3. Highlight this key by clicking on it in the left hand pane. From the Regedt32 Menu select 'Security > Permissions'. Click on the 'Everyone' entry in the 'Name' list, then select 'Full Control' on the 'Type of Permissions' drop down list. Tick the 'Replace Permissions on Existing Subkeys' option, then click 'OK'. A dialogue will ask you to confirm replacing the permissions - answer 'Yes'.
4. Ensure that the correct key (ie: for the Device or Service you are removing) is still highlighted in the left hand pane. Press the 'Delete' key on your keyboard. The system will ask you to confirm the delete - answer 'Yes'. If you neglect to change the permissions (as detailed in step 3 above) the system will refuse to delete the key, citing insufficient permissions as the reason.
5. Remaining in Regedt32.exe locate the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HTREE\ROOT\0
6. Highlight this key by clicking on it in the left hand pane. From the Regedt32 Menu select 'Security > Permissions'. Click on the 'Everyone' entry in the 'Name' list, then select 'Full Control' on the 'Type of Permissions' drop down list. Tick the 'Replace Permissions on Existing Subkeys' option, then click 'OK'. A dialogue will ask you to confirm replacing the permissions - answer 'Yes'.
7. Locate the REG_Multi_SZ ValueName called 'AttachedComponents' in the right hand pane. Double click this ValueName.
8. A Multi-String Editor Window will appear. Locate the entry in the form Root\LEGACY_SystemName\0000 that corresponds to the Device or Service you are removing from the system. Delete only this line from the Multi-String Editor list - ensure that no blank lines or gaps are left between entries in the listing. Click 'OK' to update the listing.
9. Rehighlight the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HTREE\ROOT\0 by clicking on it in the left hand pane.
10. From the Regedt32 Menu select 'Security > Permissions'. Click on the 'Everyone' entry in the 'Name' list, then select 'Read' on the 'Type of Permissions' drop down list. Tick the 'Replace Permissions on Existing Subkeys' option, then click 'OK'. A dialogue will ask you to confirm replacing the permissions - answer 'Yes'.
11. Close Regedt32 and reboot the system. Confirm that no Service Control Manager warnings or other problems arise.
12. If all is well, the relevant files in the '\System32' and '\System32\Drivers' folders may be deleted.
Why UnInstall Leaves Detritus.
As explained above, fully removing a Device or Service involves cleaning out a lot of Registry content. MOST UnInstall packages correctly remove the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SystemName, but I have encountered some that leave the Devices and/or Services they installed, and all the relevant registry content, as is - which basically means their Device and/or Service content has been orphaned.
I have NEVER encountered an UnInstall process that correctly removes the content under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HTREE\ROOT\0\AttachedComponents or HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SystemName.
I suspect that most UnInstall processes encounter permissions problems that make it impossible to deal with these registry entries. You will need to manually clean up this mess as described above.
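The leftovers described above, and the 'Dependency' check from the uninstall section, can be found by reading a registry export rather than browsing key by key. The following Python code is an added example, not part of the original article: it reads REGEDIT4 export text and reports services that depend on a named target, LEGACY_ keys with no matching '\Services\' subkey, and 'AttachedComponents' lines that point at them. It assumes REG_Multi_SZ values appear in the export as 'hex(7):' ANSI byte lists; the function names and the sample entries are hypothetical.

```python
import re
CCS = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\"
SERVICES, LEGACY = (CCS + "Services\\").lower(), (CCS + "Enum\\Root\\LEGACY_").lower()
HTREE = (CCS + "Enum\\HTREE\\ROOT\\0").lower()

def parse_export(text):
    """Map each key path in a REGEDIT4 export to {ValueName: raw data text}."""
    keys, current = {}, None
    joined = re.sub(r"\\\r?\n\s*", "", text)  # undo '\' line continuations
    for line in map(str.strip, joined.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            current[name] = data
    return keys

def multi_sz(data):
    """Decode a hex(7) (REG_MULTI_SZ) value; any other data type gives []."""
    raw = bytes(int(b, 16) for b in data.partition("hex(7):")[2].split(",") if b)
    return [s.decode("ascii") for s in raw.split(b"\x00") if s]

def audit(text, target=None):
    """Find dependents of `target`, orphaned LEGACY_ keys, stale AttachedComponents."""
    services, legacy, dependents, attached = set(), set(), [], []
    for path, values in parse_export(text).items():
        low = path.lower()  # registry key names are case-insensitive
        if low.startswith(SERVICES) and "\\" not in low[len(SERVICES):]:
            services.add(low[len(SERVICES):])
            deps = [d.lower() for d in multi_sz(values.get("DependOnService", ""))]
            if target and target.lower() in deps:
                dependents.append(path[len(SERVICES):])
        elif low.startswith(LEGACY):
            legacy.add(low[len(LEGACY):].split("\\")[0])
        elif low == HTREE:
            attached = multi_sz(values.get("AttachedComponents", ""))
    stale = [a for a in attached if a.lower().startswith("root\\legacy_")
             and a.lower().split("\\")[1][len("legacy_"):] not in services]
    return {"dependents": sorted(dependents), "stale_attached": stale,
            "orphan_legacy_keys": sorted(legacy - services)}

def _hex7(*items):  # builds hex(7) data for the constructed sample only
    raw = b"".join(i.encode("ascii") + b"\x00" for i in items) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

# Constructed sample export; DiskSvc, BackupSvc and OLDDRV are hypothetical.
SAMPLE = "\r\n".join([
    "REGEDIT4", "",
    "[" + CCS + "Services\\DiskSvc]", '"Type"=dword:00000010',
    "[" + CCS + "Services\\BackupSvc]", '"DependOnService"=' + _hex7("DiskSvc"),
    "[" + CCS + "Enum\\Root\\LEGACY_DISKSVC\\0000]",
    "[" + CCS + "Enum\\Root\\LEGACY_OLDDRV\\0000]",
    "[" + CCS + "Enum\\HTREE\\ROOT\\0]", '"AttachedComponents"=' + _hex7(
        "Root\\LEGACY_DISKSVC\\0000", "Root\\LEGACY_OLDDRV\\0000")])
```

Calling audit(SAMPLE, target="DiskSvc") reports BackupSvc as a dependent and the OLDDRV entries as orphaned.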
More Information.
For a far more extensive coverage of this and related topics involving the NT4.0 Device and Service entries in the registry, I highly recommend the book 'Managing the Windows NT Registry' by Paul Robichaux. (O'Reilly - ISBN 1-56592-378-2)
You may also want to read through the Microsoft Knowledgebase articles relating to the CurrentControlSet and Device Drivers. A full listing of all these Knowledgebase articles is here.
This page is very much a 'work in progress'. If you have additional information, or note an error or omission in this article, please contact the author via the email link on the index of this site.
This information is maintained by ZCM Services, Australia. Whilst every care is taken in preparation, I accept no responsibility for errors or omissions. Use the information presented on this site AT YOUR OWN RISK.
Last Update April 7, 2010 at 8:37 PM AEST.