Chapter 9, Managing the Windows NT Registry, published by O'Reilly & Associates
In the preceding chapters, I showed you how to use the Registry tools and programming interfaces. As a sort of graduation exercise, this chapter contains a list of Registry settings you can use to change the way your computer behaves. I have deliberately not listed anything unsafe or dangerous here; as long as you follow the restrictions stated in each setting's explanatory text, these changes should be safe for you to make on any NT 4.0 machine.
If you carefully read Tables 6-1 through 6-4 in Chapter 6, Using the System Policy Editor, you may notice that some of these items are also editable through a system policy. That's on purpose; even if you're not using policies you may still want to make these changes. Of course, you can take any setting in this chapter and add it as a policy template file using the instructions in the section "Creating Your Own Policy Templates" in Chapter 6.
Warning: Be careful to apply the correct capitalization to any values or keys you change. Some applications are smart enough to ignore case, but most aren't.
The actual mechanics of making these changes should be pretty obvious by now: use your favorite Registry editor to add or modify keys or values as described for each setting. Some of these tweaks require you to add a new key, while others may require you to add or change a specific value. In all cases, when I say something like "add the value HKCU\Control Panel\Desktop\WindowMetrics\MinAnimate," what that means is that you should add it if it doesn't already exist. If it does exist, change its value as suggested in the text.
User Interface Tweaks
The NT user interface is customizable in a lot of small ways. You can't easily change the standard way windows and menus work, for example, but you can change their colors. In that spirit, there are several adjustments you can make to change some basics of how you and NT interact with one another.
Add Your Own "Tip of the Day"
Microsoft Word for Windows introduced the "Tip of the Day" feature, which presents an ostensibly helpful tip every time you start a tip-enabled application. This feature made it into Windows 95, Office 95, NT 4.0, and a raft of third-party applications. Apart from disabling the feature altogether (which you can do with the "Don't show tips at startup" checkbox in the Tip of the Day dialog), you can add your own set of tips. This is particularly useful when you make this change as part of a system policy: you can build your own set of tips that are specific to your local environment, then remove the ability for users to turn the tips off. This is an easy, and cheap, way to disseminate information to your users. The list of tips is stored as a set of values under:
The tip values are stored as sequentially named REG_SZ values; the first one is named "0", and the names go up from there. You can replace any of the existing tips included with NT by changing that tip's value; alternatively, you can replace all of them by removing all the values under Tips and replacing them with your own.
However, the tip list is only half of the necessary change. There's also a pair of REG_BINARY values that control whether tips are displayed and which tip comes next. These values are stored in HKCU, so they can be different for every individual user. Here's how they work:
Controls whether tips are shown at startup or not. A value of 00000000 disables the tip display, while 01000000 enables it.
Controls which tip appears next. Its value is a sequence number that must match the name of a value in the tips list. A value of 00000000 displays tip 0, 01000000 displays tip 1, 0c000000 displays tip 12, and so on. NT will automatically increment and update this value as each tip is displayed.
Disable Window Animations
NT 4.0 copies the Win95 habit of using animated rectangles to provide a "zooming" effect when windows are opened and closed. However, after the first few times you've seen this effect it can become annoying; it also causes a slight but perceptible slowdown as the system draws all the fancy rectangles instead of just closing the window directly.
If you want to disable this animation, you may do so by adding the REG_DWORD value HKCU\Control Panel\Desktop\WindowMetrics\MinAnimate and setting its value to 0. If you later decide that you like the animations after all, setting MinAnimate back to 1 will turn it back on again.
Speed Up the Taskbar
The NT 4.0 Taskbar is a useful addition to the standard user interface. When Apple was designing the Macintosh interface, their research found that a single menu bar at the top or bottom of the screen was the fastest menu system; instead of having to carefully guide the mouse to a particular area, you can just slam it down (or up) to the menu region without any need for precise control. The Taskbar's default location at the bottom of the screen satisfies this. One failing of the Taskbar, however, is the speed with which the Start menu (and other menus attached to Taskbar items) pops up. In a word, it's slow. Fortunately, the speed is adjustable via a Registry change.
To adjust the Taskbar popup speed, add a REG_SZ value named MenuShowDelay to HKCU\Control Panel\Desktop. This value determines the number of milliseconds the shell will pause before displaying the Taskbar. By default, it's set to "400," which is a 0.4 second delay. Adjust it to your taste, then reboot to make the change take effect.
Enable Tab for Filename Completion
If you're a Unix administrator or programmer, you'll love this one. Many Unix shells allow you to quickly complete filenames in the shell by using the Tab key. For example, if you type "ls -l aar" and hit the Tab key, the shell will look for files whose names start with "aar." If it finds one, it automatically expands what you typed into the full file or directory name. This is a lifesaver, especially since Unix allows you to have very long file and path names with embedded spaces, just like NT.
If you want to enable this behavior in NT 4.0 command windows, you can do it by adding a REG_DWORD named HKCU\Software\Microsoft\Command Processor\CompletionChar and setting its value to the hex value of the character you want to use for filename completion. (If you don't already have a Command Processor key you'll need to add it too.) To use the Tab key, set its value to 0x09. While you may use other characters, I'd stick with Tab, since nothing else in the command window uses it.
Run a Different Screen Saver While Waiting for a Logon
You probably know that you can use the "Screen Savers" tab of the Display control panel to set a screen saver to be run after a specified period of inactivity. You can also choose which screen saver runs while an NT machine is waiting for a logon. The default choice displays the familiar "Press Ctrl+Alt+Del to log in" dialog, complete with the three-fingered hand icon, but you can easily choose another.
Warning: Some of NT's bundled screen savers are CPU hogs. If you're choosing a logon screen saver for an NT server, make sure you stick with the "blank screen" saver; otherwise, your server's valuable CPU cycles will be used to draw OpenGL objects or flying stars, robbing your server of the power it needs to handle your users.
If you want to use another screen saver while NT's waiting for someone to log on locally, you'll need to make three changes. First, add HKU\.DEFAULT\Control Panel\Desktop\ScreenSaveActive as a REG_DWORD; set its value to 1. This tells the system that when no one's logged in (e.g., when the .DEFAULT profile's being used), you want a screen saver to run.
Next, edit the value of HKU\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE to specify the full path of the screen saver you want to run. (If the screen saver you want is in the default location of %systemroot%\system32, you don't have to enter the full path.) For example, you might enter sstars.scr to run the "flying stars" screen saver.
Finally, edit the value of HKU\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut and enter a value for the screen saver trigger time. This value, in seconds, specifies the amount of inactivity you're willing to allow before the screen saver kicks in.
Once you've made these changes, you must reboot the machine before they'll take effect.
Enable X Window-Style "Auto Raise"
The X Window system has a neat configuration setting called "auto-raise." When this setting's in effect, you don't have to click on a window to bring it to the front of the window stack. Instead, just passing the mouse over a window raises it. This takes a little getting used to, but once you've made the adjustment you'll find that it eliminates a lot of extra mouse clicks.
NT does something similar: it can automatically set the focus to a window when you put the mouse in it, but it won't raise that window to the top of the stack. This setting is off by default to avoid confusing people who haven't been exposed to auto-raise before. To turn it on, set the value of HKCU\Control Panel\Mouse\ActiveWindowTracking to 1. You'll have to log out and log back on before the change takes effect.
Enable "Snap To Default Button"
Some X Window system implementations also have another handy feature: you can force the cursor to always jump to the default button of any dialog or alert that appears. This speeds the process of moving the cursor from wherever it happens to be to the dialog or alert, especially if you're using a high-resolution monitor or an input device that makes it hard to move the cursor quickly.
You can enable or disable this behavior by adjusting the value of HKCU\Control Panel\Mouse\SnapToDefaultButton. When this value is 0, as it is by default, no snapping occurs. Set it to 1, though, and the cursor will warp to the default button once you log out and log back on. Try it; you may like it.
Suppress Error Messages During Boot and Logon
During the NT boot process, it's not uncommon to see error dialogs reporting problems that occurred during startup. For example, you may see warnings telling you that a device driver couldn't be started, or that some other system component didn't do what it was supposed to do. You can suppress these error dialogs with a simple Registry change; the errors will still be logged on the system and application sections of the event log, but the dialogs won't interrupt or intrude on the boot and logon process.
The actual errors are displayed in two phases; their display is thus controlled by two separate Registry values. Messages that pop up as the result of errors in the boot phase are controlled by the value of HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\NoPopUpsOnBoot. Add this value as a REG_DWORD and give it a value of 1 to suppress boot errors, or 0 to allow the normal error dialog display.
Messages that appear as part of the post-boot startup phase (including messages produced by most device drivers and services) are controlled by a different value, HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ErrorMode. Set this value to 0 to allow all system and application errors to display dialogs, 1 to display only application errors, or 2 to suppress all error dialogs. The default value is 0.
The guts of NT's file system are mostly self-tuning. This is on purpose, following the theory that the file system can adjust its own caching and buffering better than you can. Whether this is true or not, there are still some changes you can make to control whether the file system does certain things. These changes apply to FAT, NTFS, and NTFS 5 file systems.
Change Low Disk Space Warning Threshold
Even though you may never have encountered it, NT can display an alert warning you that your disk is almost full. The threshold for these alerts is 90% disk usage; while this may seem generous, if you're using a large disk a 10% margin will result in you seeing these warnings even when the amount of space remaining is large in absolute terms. My local Internet service provider runs an NT news server with more than 80Gb of disk storage, so getting a warning that there's "only" 8Gb free is not very useful to them.
The DiskSpaceThreshold value controls when you see this alert; it sets the minimum amount of free space (as a percentage) that will trigger a warning. Add this value (it's a REG_DWORD) to HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters; the value you specify should be the percentage of free space, from 0 to 99, which should trigger a warning. When the amount of free space on any volume falls below this value, you'll get a warning.
Use Longer File Extensions
Even though Win95 ostensibly supports long file names, there's an ugly secret involved: it really only supports three-character file extensions! That means that the names medical.doc, medical.doctor, and medical.doctrine all point to the same file. Since NTFS doesn't have that restriction, you can make it take advantage of the longer extensions instead of being stuck with the old-style three-character versions.
The value of HKLM\System\CurrentControlSet\Control\FileSystem\Win95-TruncatedExtensions controls this behavior. By default, it's set to 0, which truncates extensions to the first three characters. Set it to 1 and reboot to take advantage of full-length extensions on NTFS volumes.
Turn Off CD-ROM AutoRun
Ahh, "AutoRun." While Microsoft undoubtedly did a favor for some users who like to automatically have CDs start running when they're inserted, many of the NT users I talk to don't like this feature. If, for example, you're loading the NT Resource Kit CD to copy a tool you need, do you really want to wait while the AutoRun-invoked setup tool loads, or would you rather just copy the file you need?
Happily, you can banish AutoRun from your machine with a simple change. Add a REG_DWORD value named HKLM\SYSTEM\CurrentControlSet\Services\Cdrom\Autorun and set its value to 0, and you'll no longer be forced to wait for AutoRunning-CDs to do their stuff. You can later change the value to 1 if you want to re-enable AutoRun for CD-ROMs.
Suppress "Last Access" Timestamp on NTFS Volumes
NTFS volumes store a "last access" timestamp for every file and directory on the volume. The NTFS driver automatically updates this timestamp every time a file's accessed, whether for reading or writing. That means that every time you look at a directory listing, NT is busily updating the file timestamps. As you might guess, this is often a waste of CPU cycles and disk bandwidth that could better be used elsewhere. To prevent NT from maintaining the "last access" timestamp for NTFS volumes, add a REG_DWORD value named NtfsDisableLastAccessUpdate to HKLM\System\CurrentControlSet\Control\FileSystem and set its value to 1. Note that this change has no effect on the "last modified" timestamp.
Warning: A surprising number of NT's security features are only accessible through Registry tweaks. For the most part, these adjustments add to your system's security; except as noted, you are not adding extra risk by not making the changes discussed here. You should carefully note the security suggestions included in Chapter 8, Administering the NT Registry. They reflect changes that you should make to preserve system security, while the items in this section are optional.
Clear the System Pagefile at Shutdown
The U.S. Government (in the form of the National Computer Security Center) has established a rating system for computer operating systems. This rating system, set forth in a document called the Orange Book, rates how secure operating systems are. To earn a particular rating, there are certain features that an OS must implement. One of these features is object reuse. Simply put, object reuse just means that objects (including disk blocks, memory, and other shared resources) are cleared out after use. This prevents any leakage of confidential data.
As shipped, however, NT doesn't implement reuse on the virtual memory's pagefile. A couple of publicized attacks rely on the fact that NT's pagefile is left intact when the system shuts down; it can then be scanned for useful data. To prevent this, you can add the REG_DWORD value HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown and set it to 1; this forces NT to zero out the contents of the pagefile at system shutdown.
Prevent Caching of Logon Credentials
By default, NT workstations will cache the last ten sets of logon credentials received from a domain controller. This reduces the number of times a workstation has to contact a domain controller for verification of a logon request, and it often makes it possible to log on to a domain even when the domain controller isn't available on the network. If you want to prevent these credentials from being cached, as you might if you're running a high-security network, add a REG_SZ value named CachedLogonsCount beneath the HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon key. Set its value to 0 to prevent any caching, or to the number of cached credential sets you're willing to allow.
Turn Off "Save Password" Option in Dial-Up Networking
The NT Dial-Up Networking (DUN) subsystem lets you maintain a separate user name and password for every entry in the Phonebook. You can also use the "Save this password" checkbox, which appears in the RAS Logon dialog; when you do, NT will store that account's password in the Registry. This is pretty insecure, especially when the machine using DUN is a laptop: if it's stolen, the thief has automatic access to your dial-up connection if the password's been saved.
You can force DUN not to store passwords by adding the REG_DWORD value DisableSavePassword to HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters. If you set its value to 1, DUN won't display the "Save password" checkbox, and it will forget any passwords it has previously stored. This setting's a good candidate for inclusion in a policy template; that allows you to enforce the security setting you want applied.
Prevent Users from Changing Network Drive Mappings
Once you establish a set of drive mappings for your users (either as part of a logon script, a profile, or a persistent connection), you can protect them from changes by changing the permissions on HKCU\Network, and its subkeys, to remove the Delete and Create Subkey permissions. If you do this, users can still add or delete network connections, but the changes won't persist after they log out.
Do not remove the users' Set Value or Read access; if you do, connections won't be re-established when that user logs on again.
Control Who Can See Performance Monitor Data
NT's Performance Monitor is a nice addition to the system's basic toolset; it allows you to quickly gather and analyze performance data for local and remote machines. If you're like most network administrators or managers, though, you'd probably prefer that your servers' performance data be kept away from other network users, since there's no good reason for ordinary users to be monitoring a server's performance.
The permissions on the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib key control who may read a machine's performance data. By default, an ordinary NT 4.0 installation has Everyone:Read permission on this key. I suggest using RegEdt32 to tighten those permissions: let Administrators have Full Control and remove Everyone altogether. If you want any user who's actually logged into the machine to have access, you can add Interactive Users:Read; doing so will keep network users from seeing the performance data while still allowing interactive users to monitor the machine if they need to do so.
Control Which Drives Are Visible Throughout the System
If you need to, you can hide drives on a machine so they don't appear in My Computer, Explorer, or the open and save dialog boxes. You might do this (in conjunction with other access control measures like the "run only allowed applications" policy setting) to keep users from damaging their NT installations or installing unapproved software: hide the drives you don't want users to tamper with and they won't see them. (Actually, hidden drives are accessible through the File Manager and the NT command prompt. Solution? Turn those off with a policy.) This hiding occurs on a per-user basis, too, so you have fairly fine control over which volumes users can see.
Unlike every other value in this chapter, the value that controls drive hiding is actually a bit mask. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NODRIVES is a REG_DWORD, which makes it 32 bits long. Since NT can only map 26 drives (A: through Z:), this mapping works out nicely. The upper six bits of the value are ignored; the remaining 26 bits map to each drive letter, with A: in the right-most position and Z: in the left-most, like this:
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Z Y X ............ C B A
To turn off drives A, B, C, and D, you'd end up with a mask value of "00000000000000000000001111"; to turn off all drives, just use all 1 bits in the mask. RegEdt32 makes it easy to add new DWORD values as bitmasks or to edit existing values as binary strings (see Chapter 5, Using RegEdt32, if you need more details), so adding this restriction is easy to do. There's one caveat: if your drive letters change (perhaps because you've added a new disk or removed an old one), your NODRIVES values will be off, and you may suddenly lose sight of a drive you wanted to keep visible.
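The mask arithmetic described above, as an added example that is not from the original chapter: the Python below builds and decodes NODRIVES values and shows the drive-letter caveat using two constructed letter-to-volume layouts. The function names and the volume labels are hypothetical.

```python
DRIVE_BITS = 26                      # A: through Z:
VALID_MASK = (1 << DRIVE_BITS) - 1   # the upper six bits of the DWORD are ignored


def _letter(drive):
    """Normalize 'c', 'C' or 'C:' to 'C'; reject anything else."""
    letter = str(drive).rstrip(":").upper()
    if len(letter) != 1 or not "A" <= letter <= "Z":
        raise ValueError("not a drive letter: %r" % (drive,))
    return letter


def nodrives_mask(drives):
    """Build the NODRIVES DWORD that hides the given drives (A: is the right-most bit)."""
    mask = 0
    for drive in drives:
        mask |= 1 << (ord(_letter(drive)) - ord("A"))
    return mask


def hidden_drives(mask):
    """Decode a NODRIVES DWORD back into the list of hidden drive letters."""
    mask &= VALID_MASK
    return [chr(ord("A") + bit) for bit in range(DRIVE_BITS) if (mask >> bit) & 1]


def as_bit_string(mask):
    """Render the 26 meaningful bits the way the chapter writes them (Z left, A right)."""
    return format(mask & VALID_MASK, "026b")


def hidden_volumes(mask, letter_to_volume):
    """Which volumes a mask hides under a given drive-letter assignment.

    The mask names letters, not volumes, so the answer changes when letters move.
    """
    hidden = set(hidden_drives(mask))
    return sorted(vol for drive, vol in letter_to_volume.items()
                  if _letter(drive) in hidden)


# Constructed layouts: the same machine before and after a disk is added.
BEFORE = {"C": "system", "D": "data", "E": "cd-rom"}
AFTER = {"C": "system", "D": "new disk", "E": "data", "F": "cd-rom"}

if __name__ == "__main__":
    mask = nodrives_mask("ABCD")
    print(as_bit_string(mask), hex(mask))
    hide_d = nodrives_mask(["D:"])
    # The mask written to hide "data" hides a different volume after relettering.
    print(hidden_volumes(hide_d, BEFORE), hidden_volumes(hide_d, AFTER))
```

Recomputing the mask from the volumes you intend to hide, after any change in drive letters, avoids the stale-mask problem.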
Change When the Password Expiration Warning Appears
A good password policy is one of the cornerstones of network security. You start by making users pick good passwords, then follow up by setting a password aging policy that forces users to change their passwords at reasonable intervals. NT will helpfully warn users that their password is going to expire two weeks, or 14 days, in advance. Since most users won't change their passwords when the first warning appears (most, in fact, won't change until their password finally does expire), why torture them with two weeks' worth of warnings?
Instead, add a REG_DWORD value named PasswordExpiryWarning to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Set its value to the number of days you want to start the expiration warnings at; I recommend between three and seven days.
Allow Members of the Printer Operators Group to Add Printers
NT includes a number of built-in groups that allow you to assign limited administration privileges to people who need them. The Server Operators, Printer Operators, and Backup Operators groups allow a network administrator to grant greater-than-normal rights to these operators without making them members of the Administrators group.
Printer Operators can stop and restart the print spooler, route print jobs, and perform other printer-related administrative functions. However, they cannot add or modify printer ports, meaning that you can't delegate that responsibility to the people who should most likely have it. You may reverse this unhappy state of affairs by changing the permissions on a single Registry key. Here's what to do:
Open RegEdt32 and select HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
Use the Security > Permissions… command to display the Registry Key Permissions dialog.
Click the Add button; when the Add Users and Groups dialog appears, select the Printer Operators group and give them Full Control access. Click OK; the Registry Key Permissions dialog will reappear with the new permissions.
Stop and restart the Spooler service, either with the Services control panel or by using the net stop spooler and net start spooler commands from an NT command window.
Set the Number of Authentication Retries for Dial-Up Connections
You may adjust the number of authentication attempts DUN will allow before it decides the remote user is bogus and hangs up the phone. By default, DUN allows two unsuccessful retries; you can adjust this value from zero to 10 by editing the HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\AuthenticateRetries value. A value of zero tells DUN to hang up at the first failure, which may be too restrictive for users who must type in passwords manually; I habitually set the value to 1 so that users can make one mistake before they have to start over again.
Keep Users from Changing Video Resolutions
Being able to change screen resolution and color depth on the fly is a terrific NT feature, until your users start changing settings when you don't want them to. You can prevent this by changing the permissions on the settings key for the video card. The exact location of this key varies depending on the number and type of video cards installed in a particular computer, and it will vary between machines that have different video card types.
The key to change permissions on is located at:
where devicename is the name of your video adapter driver (mine is "S3," but you should be able to deduce the right value for your computers depending on what type of card you have). The proper value for DeviceX will vary too, but if you only have one video card it will always be "Device0."
Set the Authentication Timeout for Dial-Up Connections
In addition to setting the number of authentication retries you'll allow, you can also specify how long each attempt may take before the system counts it as a failed attempt. By default, DUN allows connecting users 120 seconds to either authenticate successfully or have their attempt deemed a failure. Edit the value named HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\AuthenticateTime to adjust the timeout period; you can set any value you like from 20 seconds all the way up to 10 minutes (or 600 seconds; the value must be specified in seconds).
Keep Remote Users from Sharing a Mounted CD-ROM or Floppy
By default, NT automatically creates an administrative share for every disk or CD-ROM volume. This share, which is named by the drive letter plus a dollar sign, is invisible, so it doesn't appear in Network Neighborhood, but a savvy user can find it anyway. There may be times when you don't want anyone but the locally logged-in user to access a CD-ROM; for example, many reference CD-ROMs have strict licensing limits that promise big trouble if you share the CD-ROM across the network.
Remember the brief discussion about object reuse? It applies to other shared resources, too, including CD-ROMs and floppies. In its quest to gain C2 security certification for NT, Microsoft added two Registry keys that cause the CD-ROM and floppy drives to be allocated to the currently logged-in user. When this allocation occurs, other users can't access the drives or the media in them; when no one's logged in, the drives are unallocated and may be shared.
Two keys under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon implement these settings: AllocateFloppies and AllocateCDRoms. Both are of type REG_SZ. To force allocation of either device type during logon, set the appropriate key's value to 1; to turn allocation off, set the key's value to 0.
Keep Users from Customizing "My Computer"
There's no policy setting that prevents users from changing the name or icon of the My Computer icon on the desktop. If you've ever had to administer a lab full of computers, you've probably had at least one incidence of finding a machine's My Computer icon renamed to "Beavis & Butthead" or something even worse. To nip these changes in the bud, change the access permissions on
Remove Everyone:Full Control on this key and change it to Authenticated Users:Read.
When it comes to computers, particularly those running NT, you can never have too much speed. The least expensive performance upgrade for NT machines is usually just additional RAM, since NT can productively use as much as you can stuff into your computers. Failing that, you can make a few small changes to improve both your computers' speed and their availability.
Automatically Delete Cached User Profiles
User profiles make it easy to centralize and distribute user-specific settings. This enables users to have their same desktop settings follow them as they wander around your network. However, these profiles take up space; if you have many users who interactively log onto a particular machine, their cached profiles will slowly accumulate, stealing your disk space as they build up.
The Resource Kit's delprof tool manually removes profiles, but you can tell NT to automatically delete cached profiles when they're no longer needed. When a user logs on, if her profile isn't on the local machine, NT will fetch it and keep it there until it's removed or updated (in which case the updated version is downloaded into the cache). This makes it possible to log on and get profile information even when the domain controller(s) aren't answering profile requests. If you enable automatic removal, NT will delete the cached profile when the user logs out. The good news is that this approach saves disk space at a small cost in extra profile downloads; the bad news is that users may not be able to log on when your domain controllers are unavailable; there won't be a cached profile on the machine for them to use when logging on.
If you want cached profiles to be deleted automatically, add a REG_DWORD value named DeleteRoamingCache to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Give it a value of 1 to enable removal, or 0 to allow cached profiles to stay around.
Enable Automatic Reboot After a Crash
Normally when an NT machine crashes, it produces a "Blue Screen of Death" (BSOD), which indicates the cause of the crash and gives some information about the system's state when the crash happened. The problem with this approach is that the server will sit there, BSOD proudly displayed, until a human comes along and reboots it. This is not ideal for most server applications: if no one is able to get to the machine to reboot it, none of its users can use it. Imagine having your Exchange server go down while you're on vacation, with users unable to get mail until you can find someone in the office to go reboot it for you!
You can force NT to automatically reboot after a crash by setting the value of HKLM\SYSTEM\CurrentControlSet\CrashControl\AutoReboot to 1; this forces the system to automatically reboot after writing out the crash log file.
Record Evidence of a Crash
Besides the standard crash dump file, you can also tell NT to record the occurrence of a crash in two ways. First, the kernel can send an administrative alert to another machine; this alert may provide the first warning you get of a fresh crash. Second, the kernel can record a crash message in the event log. If you've turned on the automatic reboot option as discussed above, having a message in the event log gives you positive confirmation of the time when the crash occurred.
Both of these capabilities are controlled by values under the HKLM\SYSTEM\CurrentControlSet\CrashControl key. To turn on alert broadcasting, set the SendAlert value to 1 instead of its default of 0. To turn on event log messages, set the LogEvent value to 1 as well.
Tip: All of the values under the CrashControl key can be set through the Startup/Shutdown tab of the System control panel. Better still, you can control them by writing a policy template file so you can automatically install the settings you want on all machines in your domain.
Enabling Automatic Logon After Boot
My local library has a batch of PCs running an electronic library catalog application. These machines are basically single-function kiosks; the librarians don't want people using them for anything else. To get the machines set up to run with as little intervention as possible, the catalog software's installed as part of the Startup group; that way, it runs when Windows 95 starts. An NT-based kiosk system would allow the library to keep their computers more secure and administer them with less hassle; they can even get the automatic logon feature that Windows 95 offers.
Warning: Never, never, never enable auto-logon with an account that has administrative privileges. If you ever leave your machine unattended, an office prankster (or determined attacker) can have the run of your network right from your machine. Good security practice dictates that you only log in with an administrative account when you need to do something that requires the extra privileges.
To enable automatic logons, you have to make a total of four changes to values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:
Set the DefaultDomainName value to the name of the domain you want to automatically log into. Of course, instead of a domain you may specify the name of the computer itself.
Set DefaultUserName to the user account name you want to use when logging on.
Add a REG_SZ named AutoAdminLogon and set its value to 1.
Add a REG_SZ named DefaultPassword and set its contents to the password for the account you specified in DefaultUserName. If you leave this value blank, automatic logon will be turned off (actually, AutoAdminLogon will be set back to its default value of 0).
Once you make these changes, the next reboot will automatically log on the account you specified. If you want to log on as a different user, hold down the Shift key as you log off the machine; NT will allow you to use the standard logon dialog to log on as another user.
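A defender's check for the auto-logon values listed above, as an added example that is not from the original chapter: it parses a REGEDIT4 export of the Winlogon key and reports when auto-logon is on, when the password sits in DefaultPassword, and when the account is administrative. The sample export, the function names and the `admin_accounts` parameter (the auditor's own list of privileged account names) are assumptions made for illustration.

```python
import re

# Key named in the text; registry key and value names compare case-insensitively.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample in REGEDIT4 export format (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="LIBRARY"
"DefaultUserName"="Administrator"
"AutoAdminLogon"="1"
"DefaultPassword"="example-only"
"PowerdownAfterShutdown"="0"
'''

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_export(text):
    """Map lower-cased key path -> {lower-cased value name: data}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        key = _KEY.match(line)
        if key:
            current = keys.setdefault(key.group(1).lower(), {})
            continue
        value = _VALUE.match(line)
        if value is None or current is None:
            continue  # file header, blank line, or a type this audit ignores
        name, data = value.group(1).lower(), value.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            # REG_SZ: undo the \\ and \" escaping used by the export format
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def audit_autologon(text, admin_accounts=("Administrator",)):
    """Return findings as strings; an empty list means auto-logon is not enabled."""
    values = parse_export(text).get(WINLOGON.lower(), {})

    def get(name):
        return str(values.get(name.lower(), ""))

    if get("AutoAdminLogon") != "1":
        return []
    account = get("DefaultDomainName") + "\\" + get("DefaultUserName")
    findings = ["auto-logon is enabled for " + account]
    if get("DefaultPassword"):
        # Report the fact only; never echo the stored password.
        findings.append("DefaultPassword stores the logon password as readable REG_SZ text")
    else:
        # Per the text, a blank password turns automatic logon back off.
        findings.append("DefaultPassword is blank, so AutoAdminLogon will revert to 0")
    if get("DefaultUserName").lower() in {a.lower() for a in admin_accounts}:
        findings.append("auto-logon account is administrative: " + account)
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_EXPORT):
        print(finding)
```

Run it against an export of each kiosk's Winlogon key; any finding that names an administrative account is the case the warning above rules out.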
Power Off at Shutdown
Most laptops, many workstations, and even a few servers have smart power management hardware that lets the operating system actually turn off the hardware when the system is shut down. While not all machines can take advantage of this, it's nice to have the "Shut Down" command do just that instead of requiring an extra trip to the power button.
The HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PowerdownAfterShutdown value enables this feature; add it as a REG_SZ and set its value to 1, and your computer will actually turn itself off when you tell NT to shut down, if your hardware supports this feature. If it doesn't, no harm will come to it, but the feature won't work. Reset PowerdownAfterShutdown back to 0 to restore normal operation.
Force Hung Tasks to End When Logging Off
When you log off of or shut down an NT machine, the system scheduler will attempt to stop any running tasks. In addition to shutting down any drivers or services started by the system, NT must shut down the 16-bit Windows subsystem and any applications you've started yourself. Most well-behaved Win32 applications will honor a system shutdown request, but it's unfortunately common to see hung tasks in the VDM prevent the entire system from shutting down.
NT's normal response to this problem is to display a dialog that asks whether you want to cancel the shutdown or logoff, wait for the recalcitrant task to stop by itself, or kill off the task. You can automate this process by specifying that you always want NT to go ahead and kill tasks that don't listen to shutdown requests; this finally makes it possible for you to tell your machine to reboot and go get a diet Coke while it does, secure in the knowledge that it won't be still waiting for you to end a task when you return.
To force this shutdown, add a REG_SZ value named AutoEndTasks to HKEY_USERS\<SID>\Control Panel\Desktop. Set it to 1 to forcibly kill off unresponsive tasks. You may also want to add the same value to HKU\.DEFAULT so that new accounts inherit it; you can also add it to a policy template.
Set a Time Limit for Shutting Down Tasks
You now know how to force an automatic end to tasks that won't stop when they get a shutdown request, but did you know you can also tell NT how long to wait before deciding an application isn't answering? If you add a REG_SZ value named WaitToKillAppTimeout to HKEY_USERS\<SID>\Control Panel\Desktop, you can specify the interval (in milliseconds again) that NT will wait before deciding that an application is ignoring the shutdown request. The default is a generous 20 seconds; if, like me, you're impatient you can whittle this down to 10 seconds or even less. If the user process doesn't answer the shutdown request and terminate within this time period, and AutoEndTasks is defined, the NT scheduler will kill off the task.
Speed Up System Shutdowns
When you boot an NT machine, part of the boot phase involves starting up all the system's drivers and services. Conversely, part of the shutdown process requires that all of these services be shut down so they can write out any data they've got cached. This is particularly important when you consider that Exchange Server, SQL Server, and several other BackOffice server products depend on NT services.
However, waiting for system shutdown can take a long time, depending on the service load you have running. Part of the problem is the generous default timeout value: when NT shuts down, it gives each service up to 20 seconds to shut down before the system kills it. If you have many services running, this time can add up.
The HKLM\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout value specifies how long NT should wait before killing a service; the value is a REG_SZ expressed in milliseconds (1000 milliseconds make one second). You can adjust this value as low, or high, as you'd like.
Note that WaitToKillAppTimeout and WaitToKillServiceTimeout are two different values! The former controls the timeout period for system tasks, while the latter only applies to NT services.
It's critical to leave services enough time to clean up after themselves and write out any cached data they may be maintaining internally. If you don't, you may lose all or part of the data maintained by the service; since the DHCP, DNS, WINS, Exchange, and SQL servers are all services, this poses a real risk to your data, so you probably shouldn't adjust this value on machines that run any of these services.
Automatically Try to Detect Slow Network Connections
Face it: not all network connections are as fast as you'd like. In fact, if your network includes sites that are linked by a WAN, you may find they're much, much slower than you'd like. In a domain environment, NT will normally attempt to fetch a user's profile from the domain controller. In a typical enterprise network, not every WAN-connected site will have its own domain controller, meaning that logon requests from Huntsville may have to go to a domain controller in Chicago. With more than a few users, you'll quickly wish there was a way to encourage NT to use cached user profiles whenever possible.
Good news: you can do exactly that. The first step is to set a time limit for deciding whether a connection is "slow" or not. NT makes this decision by pinging the domain controller and waiting for a response. If the response takes longer than a threshold you specify, the link is considered "slow." You can set this threshold by adding a REG_DWORD value named HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SlowLinkTimeOut and setting it to the number of milliseconds (remember, 1000 milliseconds make one second) to wait for a ping response. The default value of 2000 means that NT will wait 2 seconds for a response; if you're really desperate, you may adjust this value all the way up to 120,000 milliseconds (or 2 minutes).
The other required change is to add a REG_DWORD named SlowLinkDetectEnabled to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. This value controls whether or not NT pays attention to SlowLinkTimeOut. When SlowLinkDetectEnabled is 0, NT won't attempt to detect a slow link. When it's 1, the system will wait for the amount of time specified in SlowLinkTimeOut; if that amount of time passes, the user may select a locally cached profile instead of continuing to wait.
Don't Automatically Create 8.3 Names on NTFS Volumes
For backwards compatibility with DOS, Windows for Workgroups, and other OSes that don't understand long file names, NTFS automatically creates standard 8.3 filenames and stores them along with the NTFS long name. For example, this chapter's full name is Chapter 9 draft.doc, but its 8.3 name is CHAPTE~1.DOC. If you don't care whether older OSes and software can read your file names, you can turn off the process that automatically creates short names for long-named files. If you depend on DOS or Win3.x programs on your computers, this probably isn't a good idea, as they depend on 8.3 names; however, if you're only running 32-bit applications you should be in good shape.
To accomplish this, add a new REG_DWORD value named NtfsDisable8dot3NameCreation to HKLM\System\CurrentControlSet\Control\FileSystem and give it a value of 1. After you reboot, the system will no longer create 8.3 names for new files (but it won't delete the old ones).
Warning: You may be surprised to find out that many allegedly 32-bit applications rely on 8.3 filenames to work properly. Don't apply this tweak until you've made a full backup of all NTFS volumes on your machine, and be prepared to use that backup to restore from if things don't work properly.
Disable the Printer Browse Thread
When you create a new printer share, the print spooler service starts a new thread whose job is to broadcast announcements of the share's presence. Print servers and clients can receive these announcements and automatically add the new printer to their lists of known resources. To ensure that print servers have consistent resource lists, each print server also broadcasts its list of known shares. This enables other servers to be sure that their resource lists are complete. The combination of these two broadcasts can cause unneeded broadcast traffic, since once a printer's established and the servers have all seen it, there's little need to keep retransmitting the data.
You may disable the printer browse thread on each machine that shares a printer with the network; you may also wish to disable the thread on any centralized print servers on your network. Once you do, remember that when you add new printers they won't show up in browse lists until you re-enable the browse thread on all machines where you've disabled it.
To stop the browse thread, add a new REG_DWORD value named DisableServerThread to HKLM\SYSTEM\CurrentControlSet\Control\Print. Give it a value of 1 to disable the thread or 0 to re-enable it, then restart the computer to make the change effective. Since printer browsers share information, it may take as long as one hour for all the print servers on your network to make themselves known again by broadcasting.
Forcibly Recover a Crashed PDC
If your domain's PDC crashes or becomes unavailable before you have the chance to promote a BDC, the key that controls the server's role won't be changed to reflect that the PDC isn't a PDC anymore. When you recover and reboot the PDC, it thinks it's still a PDC, but when it discovers the newly promoted PDC on the network the original PDC petulantly stops its netlogon service. The recommended way to fix this is to edit the default or "<No Name>" value of HKLM\Security\Policy\PolSrvRo. Its value will be 0x03000000 for a PDC and 0x02000000 for a BDC. To turn the PDC into a BDC, change the value to 0x02000000, then reboot.
Tip: This tip and the one that follows appear courtesy of the NT*Pro user group newsletter. Membership in NT*Pro is free, and you can learn an astounding amount from the newsletter.
To accomplish this fix, you'll have to allow the Administrators group Full Control permissions on HKLM\Security\Policy\PolSrvRo. Make sure to restore the permissions back to their original state after making the change.
Getting the Most from Your Cache
By default, the NT HAL tries to recognize the amount of L2 cache on your motherboard. Sometimes it succeeds, and sometimes it fails. You can make sure that the HAL knows how much cache you have installed by checking the value of the SecondLevelDataCache REG_DWORD value under the HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management key.
When this value is 0, that tells the HAL that you have 256Kb of L2 cache. If you have a different amount installed, set SecondLevelDataCache to the amount, in Kb, of cache you've actually got. For example, if you have a 512Kb cache, set the value to be a decimal value of 512 or a hex value of 0x200. If you get this wrong, your machine may be unstable, so make sure to enter the right value in the right base.
Hiding Servers from Network Computers
There may be times when you want to keep human browsers from seeing a particular server on your network. You may hide the server from Network Neighborhood and other browsing tools while still allowing users who know what share they want to access it. To hide a server (or workstation, for that matter), you'll have to add a new value to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. Name the new value HIDDEN and give it a type of REG_DWORD and a value of 1 (to hide it) or 0 (to make it visible). You'll have to restart the computer to make it stop broadcasting its presence; in addition, it can take an hour or two for the newly hidden machine to drop out of sight on other machines on your network.
NT's networking subsystem is pretty flexible. Most of the things you can change are exposed through the Network control panel and its various tabs, subdialogs, and property pages. However, there are some things you can change on your own that will smooth your network operations.
Create a Shared Favorites Folder for All Network Users
A standard NT installation gives every user her own Favorites folder. Since Internet Explorer and Microsoft Office both use this folder extensively, you might find it useful to build a shared Favorites folder containing IE shortcuts or Office documents that you want to make available to all your users.
Building a shared Favorites folder is pretty easy. The first step is to build the folder itself: on one of your file servers, share the directory you want to use as the shared Favorites folder. It can be an existing directory, or you may create a new one. Be sure to set appropriate share and NTFS permissions.
Next, on each machine you want to use the shared folder, you'll need to change the value of HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Favorites from its existing setting to the path to the new folder. For example, if your shared folder is on a machine named armageddon in a share named favorites, your new Favorites value would read \\armageddon\favorites. You can make this change as part of a system policy by adding a new policy template; you may also put it in HKU\.DEFAULT so that newly created accounts inherit the setting.
Automatically Use Dial-Up Networking to Log On
You can force NT to always use DUN to log onto your selected domain. Normally, when you have DUN installed and active you'll see a checkbox in the logon dialog that allows you to use DUN to establish a connection to your network for logon; setting this value forces the checkbox to stay on permanently. You might do this on a laptop or other computer that can only connect to your LAN via DUN.
To force this change, add a new REG_SZ value named RasForce to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set its value to 1. After you reboot, the "Logon using Dial-up networking" checkbox will be permanently selected, and you won't be able to deselect it. This means that if you can't access your remote network, you can't log on! (As a workaround, you can restore from an ERD or edit the Registry using RegEdt32's network connection function.)
Enable the WINS Proxy Agent
NT machines can act as Windows Internet Name Service (WINS) proxies; these proxies answer name resolution requests from machines (like Macintoshes or Unix machines) that don't speak the WINS protocol. In NT 4.0, the only way to enable this proxy mode is via a Registry change (in earlier versions, there was a checkbox in the TCP/IP control panel).
To turn a machine into a WINS proxy, add a new REG_DWORD value named HKLM\System\CurrentControlSet\Services\Netbt\Parameters\EnableProxy and give it a value of 1. This will enable the target machine to route WINS resolution requests to an available WINS server.
Set the Number of Rings for Answering Incoming Dial-Up Networking Calls
If you're using a TAPI or Unimodem-based device to answer incoming DUN calls, you may have noticed that the standard method of adjusting the modem.inf file to control how many times incoming calls may ring before the modem answers them doesn't work. This is by design, but it's not well-documented. The solution is to add a new Registry value to indicate the number of rings you want to allow. Add HKLM\CurrentControlSet\Services\RasMan\Parameters\NumberOfRings as a REG_DWORD, then set its value to the number of rings you want to use (between 1 and 20). Once you reboot your computer, DUN will answer only after the specified number of rings have occurred. Note that if you're not using a TAPI/Unimodem modem, this value will be completely ignored.
Turn On Logging for Dial-Up Networking
You can enable logging for Dial-Up Networking connections by changing the value of HKLM\System\CurrentControlSet\Services\RasMan\Parameters\Logging from its default of 0 to 1. When you do, DUN will log details of the initial connection in %systemroot%\system32\ras\device.log; this log will reveal what data DUN sends to the remote device and what responses come back. This log is invaluable when you're trying to troubleshoot DUN connections that fail at initial establishment.
Keep a Dial-Up Networking Connection Up After You Log Out
NT 4.0 automatically terminates DUN connections when you log off. This is a sensible feature (even though it's a change from previous versions), since it keeps you from inadvertently running up big connection or long-distance bills during a time when you're not even logged on to your machine. However, there may be times when you want the connection to stay up even when no one's logged on. For example, keeping the connection open when no one's logged on enables the DUN-connected machine to share files and printers with other network users.
To keep DUN connections active even when the user who started them has logged out, add HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\KeepRasConnections as a REG_SZ. Set it to 1 and connections will stay connected when users log out; set it back to 0 to enable the standard NT 4.0 behavior of automatically disconnecting DUN.
Set the Dial-Up Networking Automatic Disconnect Timer
You can reset the deadman timer that causes DUN connections to hang up after a certain period of inactivity. The default value hangs up idle connections after 20 minutes, but you may change the value to any period between 1 minute and 1000, enough of a range for most uses. To effect this change, edit the REG_DWORD value named HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\AutoDisconnect and set it to the number of idle minutes you're willing to tolerate before hanging up the connection. If you want the connection to always stay up until manually disconnected, set AutoDisconnect to zero.
The paperless office is not yet upon us, and may never be. Until it finally arrives, you'll need to keep printing things, and if you're using NT you can improve your printing experience with some minor Registry changes.
Keep the Print Spool Service from Popping Up Dialogs
The print spooler has an annoying "feature" that causes it to display alerts telling you when a print job has been submitted. I was delighted to find that you can stop it from doing so by adding a new REG_DWORD named NetPopup to HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers. Give it a value of 0 to suppress the alerts, or 1 to re-enable them. After making this change, you'll need to reboot, but you'll be free of print status messages forevermore.
Change the Print Spool Directory
NT defaults to putting its print spool directories on the system disk. If you have a small number of print jobs, or a large disk, this may work out fine; for disk space or performance reasons, though, it may make more sense to move your print spool directories to another volume. For example, networks that include high-resolution color printers like the Epson Stylus 1520 (which can print 11"x17" pages in 24-bit color; each page takes several tens of megabytes of spool space!) can quickly overwhelm the free space on a typical NT system disk. Unfortunately, there's no user interface for changing the spool locations; fortunately, you're probably comfortable enough with the Registry so that you don't need a user interface!
If you want to change the spool directory for a single printer, you'll need to add a new value to HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\<PrinterName>, where PrinterName is the name you gave the printer when you created its spooler entry. Name the new value SpoolDirectory and make it a REG_SZ. For this item's value, supply the full local path to the spool directory. The spool directory can't be a UNC path, and it must exist.
If you want to change the default spool used for any printer that doesn't specify its own spool directory, you should add a REG_SZ value named HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory. As with SpoolDirectory, the path you specify here must be a fully qualified local path, and it must exist before you make the change.
If you add either of these values, you'll need to stop and restart the Spooler service. To avoid losing any queued print jobs, it's best to make these changes only when your print queues are empty; that keeps users from having to resubmit their jobs to get them into the new spool directory.
Stop Print Job Logging In Event Log
Normally NT logs every print job processed by a server in that machine's application event log. Since for the most part these logs fall into the category of "data no one will ever look at," you can configure the spooler service to not make these log entries in the first place.
To suppress print job event log entries, add a new REG_DWORD value named HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\EventLog and give it a value of 0. As with all the other printing tweaks, this change won't take effect until you stop and restart the Spooler service.
About the Author
PAUL ROBICHAUX is an experienced software developer and author. He has worked on UNIX, Macintosh, and Win32 development projects over the past six years, including a stint on Intergraph's OLE team. He is the author of the Windows NT Server 4 Administrator's Guide and a regular contributor to the TechNet site.
© 1998 O'Reilly & Associates. All rights reserved.