Don't disable system services! (unless you REALLY know what you are doing)

(1) The problem

While searching the newsgroups I came across an interesting issue. It seems that many people are manually disabling some system services, like "Volume Shadow Copy" (VSS) or "MS Software Shadow Copy Provider" (SWPRV). While this seems to be an innocent action, it later causes subtle failures in other OS components, like NTBackup or Shadow Copies for Shared Folders.

For example, if you manually disable VSS or SWPRV, you will get a weird and apparently unrelated NTBackup error in the backup report which looks like this:

 =====================<BEGIN NTBACKUP LOG FILE>=====================

Backup Status
Operation: Backup
Active backup destination: File
Media name: "Small Business Server Backup (01).bkf created 12/22/2004 at 1:00 AM"

Error returned while creating the volume shadow copy:800423f4
Reverting to non-shadow copy backup mode.
Backup of "C: "
Backup set #1 on media #1
Backup description: "SBS Backup created on 12/22/2004 at 1:00 AM"

Also, if you try to enable Shadow Copies for Shared Folders, you might get various errors in the Application event log:

Event Type: Error
Event Source: VSS
Event Category: None
Event ID: 8193
Date: 12/26/2004
Time: 12:20:11 AM
User: N/A
Computer: AOLTEAN-H4
Description:
Volume Shadow Copy Service error: Unexpected error calling routine CoCreateInstance. hr = 0x80070422.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 55 45 43 58 4d 4c 43 BUECXMLC
0008: 33 35 33 32 00 00 00 00 3532....
0010: 42 55 45 43 58 4d 4c 43 BUECXMLC
0018: 33 34 39 34 00 00 00 00 3494....

There are even more subtle variations on the same problem. Under the cover, VSS uses other system services, like RPCSS, COM+ Event System, etc. If any of these services is disabled, you will get errors like the one above. But you still have a clue on where to start the investigation. In all these cases, there will be an associated VSS error in the Application event log (like the one above) and another DCOM error in the System event log. These things are easy to spot with the Event Viewer.

(2) The cause

So, how did you end up with such a system? In many cases that I've investigated, it looks like users are disabling these services by mistake in their effort to get better security or better overall performance.

First, I would like to mention that manually disabling services is something that you try at your own risk. Usually this is not a supported scenario. You might end up with a system that has weird failures in unexpected places...

Second, several web sites out there mistakenly recommend disabling VSS and SWPRV as a "safe" setting. Some examples:
- https://www.theeldergeek.com/volume_shadow_copy.htm 
- https://www.theeldergeek.com/ms_software_shadow_copy_provider.htm 
- https://users.accesscomm.ca/gbraun/wxp/services.htm

So if you are experiencing these types of VSS failures, it might be a good idea to check whether you previously disabled these services. Look especially for 0x80070422 or 0x8007042c, which almost always indicate a disabled service.

(3) Under the cover

We saw these errors in the event log: 0x80070422 or 0x8007042c. What are these cryptic errors? 

The first thing to note is that they start with 0x80070..., so they are simply COM-specific error codes (HRESULTs in COM language) that denote Win32 failures. To manually convert such an HRESULT into its corresponding Win32 error code, do the following:
a) Isolate the last four digits of the hex number above: in our case, 0x422 or 0x42c.

b) Convert this number to decimal. The "SET /A" command comes in handy here:

E:\>set /A 0x422
1058

c) Then, cut & paste the resulting error code as the parameter of the NET HELPMSG command:

E:\>net helpmsg 1058

The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Windows programmers might recognize these errors immediately... for example, 1058 is ERROR_SERVICE_DISABLED, and 0x80070422 is nothing other than HRESULT_FROM_WIN32(ERROR_SERVICE_DISABLED).
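
The three manual steps above, done in code over the error lines quoted in this article (an added example, not part of the original post). It goes one step further than the text by checking the facility field first, because only 0x8007xxxx values wrap a Win32 error; the function names and the 1068 entry (ERROR_SERVICE_DEPENDENCY_FAIL, from winerror.h) are additions.

```python
import re

FACILITY_WIN32 = 7  # facility set by HRESULT_FROM_WIN32
# Win32 service-control errors (winerror.h) that point at service state.
SERVICE_ERRORS = {1058: "ERROR_SERVICE_DISABLED",
                  1068: "ERROR_SERVICE_DEPENDENCY_FAIL"}

# An 8-digit hex value with the failure bit set, with or without "0x".
HR_RE = re.compile(r"(?<![0-9A-Fa-f])(?:0x)?(8[0-9A-Fa-f]{7})(?![0-9A-Fa-f])")

# Lines copied from the NTBackup report and VSS event quoted in this article.
SAMPLE = (
    "Error returned while creating the volume shadow copy:800423f4\n"
    "Volume Shadow Copy Service error: Unexpected error calling routine "
    "CoCreateInstance. hr = 0x80070422.\n"
)


def decode_hresult(hr):
    """Split a 32-bit HRESULT into (failed, facility, code)."""
    hr &= 0xFFFFFFFF
    return bool(hr >> 31), (hr >> 16) & 0x7FF, hr & 0xFFFF


def win32_from_hresult(hr):
    """Return the wrapped Win32 error number, or None if there is none."""
    failed, facility, code = decode_hresult(hr)
    return code if failed and facility == FACILITY_WIN32 else None


def hresult_from_win32(err):
    """Same value as the HRESULT_FROM_WIN32 macro for a positive error."""
    return 0x80000000 | (FACILITY_WIN32 << 16) | (err & 0xFFFF)


def scan(text):
    """Return (hresult, win32_error, service_error_name) per HRESULT found."""
    findings = []
    for match in HR_RE.finditer(text):
        err = win32_from_hresult(int(match.group(1), 16))
        findings.append(("0x" + match.group(1).lower(), err,
                         SERVICE_ERRORS.get(err)))
    return findings


if __name__ == "__main__":
    for hr, err, name in scan(SAMPLE):
        print(hr, err if err is not None else "not a Win32 wrapper", name or "")
```

The NTBackup code 800423f4 carries facility 4 rather than 7, so its low digits are not a Win32 error number and NET HELPMSG would give a misleading answer for it.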

(4) The solution

Please check that the following services are enabled:
- "Remote Procedure Call" (RPCSS) should be enabled, Automatic
- "COM+ Event System" (EventSystem) should be enabled, Manual
- "System Event Notification Service" (SENS) should be enabled, Automatic
- "Volume Shadow Copy" (VSS) should be enabled, Manual
- "Microsoft Software Shadow Copy Provider" (SWPRV) should be enabled, Manual

If any of these services is disabled or not in the state mentioned above, you will get the 0x8007042c VSS error in the event log. You can change the enabled/disabled status of system services through the Services section of the "Computer Management" applet in MMC. To open it, just right-click "My Computer" and select "Manage".
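
The same check done in code rather than by clicking through the Services list (an added example, not part of the original post). It compares each service's registry Start value with the start type listed above; the function names and the sample data are constructed for illustration, and the registry read only works on Windows.

```python
import sys

# Start types this article lists as required, as registry "Start" values
# (2 = Automatic, 3 = Manual, 4 = Disabled).
EXPECTED = {"RpcSs": 2, "EventSystem": 3, "SENS": 2, "VSS": 3, "swprv": 3}
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual",
               4: "Disabled", None: "not found"}

# Constructed sample: a machine where VSS and SWPRV were disabled by hand.
SAMPLE = {"RpcSs": 2, "EventSystem": 3, "SENS": 2, "VSS": 4, "swprv": 4}


def read_start_types(names):
    """Read each service's Start value from the local registry (Windows only)."""
    import winreg
    found = {}
    for name in names:
        path = "SYSTEM\\CurrentControlSet\\Services\\" + name
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                found[name] = winreg.QueryValueEx(key, "Start")[0]
        except OSError:
            found[name] = None  # key or value missing, or access denied
    return found


def audit(actual, expected=EXPECTED):
    """Return (service, status, detail) rows, disabled services first."""
    rows = []
    for name, want in expected.items():
        have = actual.get(name)
        if have == want:
            status = "ok"
        elif have == 4:
            status = "DISABLED"
        else:
            status = "differs"
        detail = "%s (expected %s)" % (START_NAMES.get(have, have),
                                       START_NAMES[want])
        rows.append((name, status, detail))
    rows.sort(key=lambda row: row[1] != "DISABLED")  # stable sort
    return rows


if __name__ == "__main__":
    live = sys.platform == "win32"
    for row in audit(read_start_types(EXPECTED) if live else SAMPLE):
        print("%-12s %-9s %s" % row)
```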

(5) Disabling services the right way

There is a tool shipped by Microsoft called "Security Configuration Wizard" (SCW) which can be used to disable various (unused) OS services and therefore harden the system. More information about the one for Windows Server 2003 can be found here. Note that Windows Server 2003 SP1 will have an improved version of SCW, apparently not installed by default, but available through Control Panel, Add/Remove Programs, Add/Remove Windows Components.