Don’t disable system services! (unless you REALLY know what you are doing)


(1) The problem

While searching the newsgroups I came across an interesting issue. It seems that many people are manually disabling some system services, like “Volume Shadow Copy” (VSS) or “MS Software Shadow Copy Provider” (SWPRV). While this seems to be an innocent action, it later causes subtle failures in other OS components, like NTBackup or Shadow Copies for Shared Folders.

For example, if you manually disable VSS or SWPRV, you will get a weird and apparently unrelated NTBackup error in the backup report which looks like this:


=====================<BEGIN NTBACKUP LOG FILE>=====================

Backup Status
Operation: Backup
Active backup destination: File
Media name: “Small Business Server Backup (01).bkf created 12/22/2004 at
1:00 AM”

Error returned while creating the volume shadow copy:800423f4
Reverting to non-shadow copy backup mode.
Backup of “C: “
Backup set #1 on media #1
Backup description: “SBS Backup created on 12/22/2004 at 1:00 AM”

Also, if you try to enable Shadow Copies for Shared Folders you might also get various errors in the Application event log:

Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 8193
Date:  12/26/2004
Time:  12:20:11 AM
User:  N/A
Computer: AOLTEAN-H4
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 55 45 43 58 4d 4c 43   BUECXMLC
0008: 33 35 33 32 00 00 00 00   3532….
0010: 42 55 45 43 58 4d 4c 43   BUECXMLC
0018: 33 34 39 34 00 00 00 00   3494….

There are even more subtle variations on the same problem. Under the covers, VSS uses other system services, like RPCSS, COM+ Event System, etc. If any of these services is disabled, you will get errors like the one above. But you still have a clue about where to start the investigation: in all these cases, there will be an associated VSS error in the Application event log (like the one above) and another DCOM error in the System event log. These are easy to spot with the Event Viewer.

(2) The cause

So, how did you end up with such a system? In many cases that I’ve investigated, it looks like users disabled these services by mistake in an effort to get better security or better overall performance.

First, I would like to mention that manually disabling services is something you try at your own risk. Usually this is not a supported scenario. You might end up with a system that has weird failures in unexpected places…

Second, there are several web sites out there that mistakenly recommend disabling VSS and SWPRV as a “safe” setting. Some examples:
http://www.theeldergeek.com/volume_shadow_copy.htm 
http://www.theeldergeek.com/ms_software_shadow_copy_provider.htm 
http://users.accesscomm.ca/gbraun/wxp/services.htm

So if you are experiencing these types of VSS failures, it might be a good idea to check whether you previously disabled these services. Look especially for 0x80070422 or 0x8007042c, which almost always indicate a disabled service.

(3) Under the cover

We saw these errors in the event log: 0x80070422 or 0x8007042c. What are these cryptic errors? 

The first thing to note is that they start with 0x80070…, so they are simply COM-specific error codes (HRESULTs in COM language) that denote Win32 failures. To manually transform such an HRESULT into its corresponding Win32 error code, do the following:
a) Isolate the last four digits in the hex number above. In our case 0x422 or 0x42c.

b) Convert this number to decimal. The “SET /A” command comes in handy here:

E:\>set /A 0x422
1058

c) Then, cut & paste the error code above into the parameters of the NET HELPMSG command:

E:\>net helpmsg 1058

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Windows programmers might recognize these errors immediately… for example, 1058 is ERROR_SERVICE_DISABLED, and 0x80070422 is nothing other than HRESULT_FROM_WIN32(ERROR_SERVICE_DISABLED).
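
The manual steps above can be applied to whole log excerpts. The following Python example is added here and is not code from the original post; it checks each HRESULT's facility field first, which shows why the NTBackup value 800423f4 (facility 4, interface-defined) cannot be passed to NET HELPMSG while 0x80070422 and 0x8007042c (facility 7, Win32) can. The function names and the third sample line are constructed for illustration.

```python
import re

FACILITY_WIN32 = 7   # HRESULT wraps a Win32 error code
FACILITY_ITF = 4     # meaning is defined by the COM interface that returned it

# Only the two Win32 codes discussed in this article; extend as needed.
WIN32_NAMES = {1058: "ERROR_SERVICE_DISABLED", 1068: "ERROR_SERVICE_DEPENDENCY_FAIL"}

def decode_hresult(hr):
    """Split a 32-bit HRESULT into failure bit, facility and 16-bit code."""
    hr &= 0xFFFFFFFF
    return {"failed": bool(hr >> 31), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}

def win32_from_hresult(hr):
    """Return the wrapped Win32 error, or None if this is not a FACILITY_WIN32 failure."""
    d = decode_hresult(hr)
    if d["failed"] and d["facility"] == FACILITY_WIN32:
        return d["code"]
    return None

def hresult_from_win32(err):
    """Same value the HRESULT_FROM_WIN32 macro yields for a non-zero Win32 error."""
    return 0x80000000 | (FACILITY_WIN32 << 16) | (err & 0xFFFF)

# Matches "hr = 0x80070422" and the bare "copy:800423f4" form in the NTBackup log.
HRESULT_RE = re.compile(r"(?:0x|:)([0-9a-fA-F]{8})\b")

def triage(log_text):
    """Yield (hresult, win32_code_or_None, name_or_None) for each HRESULT found."""
    for m in HRESULT_RE.finditer(log_text):
        hr = int(m.group(1), 16)
        w32 = win32_from_hresult(hr)
        yield hr, w32, WIN32_NAMES.get(w32)

# First two lines are from the logs quoted in this article; the third is constructed.
SAMPLE = """\
Error returned while creating the volume shadow copy:800423f4
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance.  hr = 0x80070422.
Constructed sample: dependency failure, hr = 0x8007042c
"""

if __name__ == "__main__":
    for hr, w32, name in triage(SAMPLE):
        what = f"Win32 {w32} ({name}), try: net helpmsg {w32}" if w32 is not None else "not a Win32 wrapper"
        print(f"0x{hr:08x}: {what}")
```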

(4) The solution

Please check that the following services are enabled:
– “Remote Procedure Call” (RPCSS) should be enabled, Automatic
– “COM+ Event System” (EventSystem) should be enabled, Manual
– “System Event Notification Service” (SENS) should be enabled, Automatic
– “Volume Shadow Copy” (VSS) should be enabled, Manual
– “Microsoft Software Shadow Copy Provider” (SWPRV) should be enabled, Manual

If you have any of these services disabled or not in the state mentioned above, then you will get the 0x8007042c VSS error in the event log, as described above. You can change the enabled/disabled status of system services through the Services section of the “Computer Management” applet in MMC. To open it, just right-click on “My Computer” and select “Manage”.
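
The same check can be made from the command line by comparing the START_TYPE reported by `sc qc <service>` with the list above. This Python example is added here and is not from the original post; the `sc qc` text is a constructed, trimmed sample and the function names are hypothetical.

```python
# Expected start types from the list above, as sc.exe START_TYPE numbers:
# 2 = AUTO_START (Automatic), 3 = DEMAND_START (Manual), 4 = DISABLED.
BASELINE = {"rpcss": 2, "eventsystem": 3, "sens": 2, "vss": 3, "swprv": 3}
START_NAMES = {2: "auto", 3: "demand", 4: "disabled"}

def parse_sc_qc(text):
    """Map lowercase service name -> numeric START_TYPE from `sc qc` output."""
    result, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().upper(), value.strip()
        if key == "SERVICE_NAME":
            current = value.lower()
        elif key == "START_TYPE" and current and value:
            result[current] = int(value.split()[0])
    return result

def audit(text):
    """Return (service, current state, suggested command) for each deviation."""
    found = parse_sc_qc(text)
    findings = []
    for svc, want in BASELINE.items():
        have = found.get(svc)
        if have is None:
            findings.append((svc, "not queried", None))
        elif have != want:
            # The word after "start=" is the value `sc config` expects.
            fix = f"sc config {svc} start= {START_NAMES[want]}"
            findings.append((svc, START_NAMES.get(have, str(have)), fix))
    return findings

# Constructed sample: concatenated, trimmed `sc qc` output with VSS disabled
# and SWPRV never queried.
SAMPLE = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: rpcss
        START_TYPE         : 2   AUTO_START
SERVICE_NAME: eventsystem
        START_TYPE         : 3   DEMAND_START
SERVICE_NAME: sens
        START_TYPE         : 2   AUTO_START
SERVICE_NAME: vss
        START_TYPE         : 4   DISABLED
"""

if __name__ == "__main__":
    for svc, state, fix in audit(SAMPLE):
        print(f"{svc}: {state}" + (f" -> {fix}" if fix else ""))
```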

(5) Disabling services the right way

There is a tool shipped by Microsoft called “Security Configuration Wizard” (SCW) which can be used to disable various (unused) OS services and therefore harden the system. More information about the one for Windows Server 2003 can be found here. Note that Windows Server 2003 SP1 will have an improved version of SCW, apparently not installed by default, but available through Control Panel, Add/Remove Programs, Add/Remove Windows Components.

Comments (11)

  1. 干燥剂 says:

    The site is really good. May I have the code?

    I want to use it at http://www.aagg.net and http://www.aaff.net.

  2. Adi Oltean says:

    The code for this blog site is a blogging engine written in C#/ASP.NET called .Text

    The code for .Text can be found at http://www.gotdotnet.com/Workspaces/Workspace.aspx?id=e99fccb3-1a8c-42b5-90ee-348f6b77c407

    The author is Scott Watermasysk – you can find his blog at http://scottwater.com/blog

    Thanks, Adi

  3. If you have windbg installed you can also use the !error extension to translate error codes. It automatically handles standard HRESULTs, as well as win32 and native NT codes:

    c:\debuggers> cdb.exe notepad

    0:000> !error 8007042c

    Error code: (HRESULT) 0x8007042c (2147943468) – The dependency service or group failed to start.

    0:000> q

  4. Sam says:

    So how do I disable backup using shadow copy?

    It’s very annoying, after each backup I have to reboot the server since shadow copy services eats up most available memory 🙁

    I asked about this problem in newsgroups, no one had been able to help. It seems no one else even noticed backup enabling shadow copy making services.exe grow its memory usage big time.

    Sam

  5. Adi Oltean says:

    Hi Sam,

    Unfortunately I never heard about this problem. But my take would be that disabling shadow copies would be the wrong approach – we should find first what’s wrong and try to fix it (if possible).

    Can you give me more details about the symptoms?

    1) Is this Windows XP or Server 2003?

    2) What are the visible effects after shadow copy creation (i.e. is the computer slow? etc.)

    3) What is the memory consumption from services.exe? What type of memory is consumed? (i.e. is this virtual memory, committed memory, private pages or the working set?)

    4) What is the size of your event logs? (I ask this because services.exe hosts the event log service – which are dumped during backup-style shadow copy creation)

    BTW, for quicker resolution of your problem, you can contact the VSS team directly at VSSAPP@microsoft.com (for informal support), but for formal support you might want to contact the PSS support team.

    Thanks, Adi

  6. Michael says:

    Heya all,

    Interesting issue, but now I disabled rpcss and a few other services and I cannot get them to work again. When I click Properties under Services in Administrative Tools, the properties dialog box does not appear, since half of my services are down/disabled.

    net start rpcss does not solve it

    run svchost -k rpcss does not solve it

    What is the solution? lol

  7. Adi Oltean says:

    To re-enable RPCSS, you can just run the following command:

    sc config rpcss start= auto

    Then, reboot, and see if it works…

    Thanks, Adi

  8. Michael says:

    all set and done, i fixed it from the registry.

    change the DWORD for rpcss to 2 to make it automatic.

  10. Shyblog says:

    Microsoft’s support knowledge base (KB) both helps and hurts MS’ reputation. On one hand, they freely provide a great deal of information that other companies charge for. On the other hand, the number and pervasiveness of Microsoft software (especially Windows,…