
Windows NT Service

A Look At Windows NT Service - Configuration problems

The following was lifted, with some modification, from two sources:

  1. A response I sent to a friend who had requested help overcoming HTTP error 401 problems that, presumably, were due to shortcomings in the configuration of Microsoft Internet Information Server 4 within a Windows 2000 Server environment.
  2. A reply to an Oracle news group poster who was having the same problems as I was with installing Oracle 8i and Oracle Application Server 4.x under NT on the same machine.

0. What Is A Windows NT Service? (paraphrased from the Microsoft literature)

On Windows NT, a service is a special kind of executable program that runs in the background, usually with no console or other interaction with the desktop. Programs that implement things like network protocols and network-enabled database servers are typically written so they can be run as services. For instance, most WWW servers on Windows NT can be run as services. Indeed, Microsoft's own Internet Information Server (IIS) and Oracle's Database Server for NT both run as services, by default.

A service is different from other programs in several ways:

  • Services typically are not run interactively, although the NET START and NET STOP commands can be used to start or stop a service. The Services control panel applet can be used to do this too, and it also offers the ability to modify the startup and logon characteristics of a service, as well as the hardware profiles in which it appears.
  • Services don't act with the authority of the local desktop's logged-in user. This means that services don't normally see the local user's environment variables, including the local user's PATH variable.
  • By default, services run with the authority of the SYSTEM account, although this can be set explicitly to another user, via the Services control panel applet or, through a service's ObjectName string entry, via a registry editor like regedit.exe or regedt32.exe.
  • Services log in and run, even when no physical user has logged in to the machine.

The most important thing to remember is that, for correct operation, you may have to take special steps to make resources available to services. When a service is set to run under the default SYSTEM account, you need to make the files it attempts to access available to the Everyone group since this is the only group to which it belongs and it is not a user whose security settings can be manipulated via the User Manager.  Also, environment variables that a service running under the SYSTEM account uses must be specified as system environment variables.

1. What Are The Most Common NT Service Configuration Problems?

Given the properties of services, as described above, several things can go wrong if one, such as the WWW service, is not configured properly.  The three most common problems are:

  • Incorrect security settings, such as ACLs that deny access to the account under which a service runs.
  • Incorrect or missing environment variables.
  • Conflicting versions of software (DLLs in particular) that a service uses.

A. Security Settings

For an example of improperly configured security, if IIS reports an authentication error (401), it may be because the WWW service is running under the default SYSTEM account, the requesting user is the IIS anonymous user, and yet the ACL for a resource that it is trying to access disallows such access, despite the fact that the webmaster desires it.

For the above reason, and many others, one should not (as my friend had done) explicitly specify the IIS anonymous user (or any user, for that matter) in the ACLs of the public directories and files that are on one's website. It is better to change the ACLs of all files and directories including and below one's root web directory (whether physically or by creation of virtual directories) to something like:

  Administrators    Full Control (All) (All)
  Everyone          Read (RX) or Special Permission (R)

and then remove the Everyone Group and add one or more of

  SpecialGroup1     SpecialPermissions1 (????) (????)
  . . .
  SpecialGroupN     SpecialPermissionsN (????) (????)
  ExecuteGroup      Special Permission Execute (X)

as needed to the files and/or directories where special rights are required (i.e. having paid for or registered for use of part of the site, needing to execute as a script, etc.).

  • Of course, access to restricted content (and regularly changing content) is now more typically handled using dynamic server-side processing. For restricted access, a server-side script engine checks each request to see if the requestor is authorized, based usually on HTTP server session state and data stored in a modern (i.e. secure) DBMS (database management system). With larger sites, it is usually much easier to manage restricted content this way than by manually setting individual file or directory permissions. It also reduces the problem of unwanted access to sensitive web pages, as they do not actually exist anywhere on the file system should OS-level security be compromised. This reduces the security problem because a would-be intruder, after gaining OS-level access, is still faced with the task of gaining authorized access to the data stored in the DBMS. Of course, when serving dynamically generated content from a DBMS, precautions must be taken to ensure that any SQL (Structured Query Language) holes are avoided too, as it has been demonstrated many times that HTTP requests containing SQL can easily be modified to compromise DBMS security in systems where such precautions have not been taken.
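As an added illustration of the server-side authorization check and the SQL precaution just described (example code, not part of the original article), the same membership lookup is shown once built by string formatting and once with bound parameters; the table, column names and sample rows are assumptions constructed for the example:

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the DBMS the server-side script consults:
    which user may see which restricted section of the site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (username TEXT, section TEXT)")
    conn.executemany(
        "INSERT INTO access VALUES (?, ?)",
        [("alice", "members"), ("bob", "members"), ("alice", "premium")],
    )
    return conn


def is_authorized_vulnerable(conn, username: str, section: str) -> bool:
    """BAD: values taken from the request are pasted into the SQL text, so a
    crafted value is parsed as part of the query rather than as data.
    This is the 'SQL hole' the article warns about; kept only for contrast."""
    sql = ("SELECT COUNT(*) FROM access WHERE username = '%s' AND section = '%s'"
           % (username, section))
    return conn.execute(sql).fetchone()[0] > 0


def is_authorized(conn, username: str, section: str) -> bool:
    """GOOD: bound parameters are never parsed as SQL, so the request can only
    ever be compared against a literal username and section.  In a real
    script engine, username comes from the server-side session state and
    section from the URL being requested."""
    row = conn.execute(
        "SELECT COUNT(*) FROM access WHERE username = ? AND section = ?",
        (username, section),
    ).fetchone()
    return row[0] > 0
```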

B. Environment Variables And Software Version Conflicts

Environment variable errors/conflicts and software version conflicts can be best demonstrated by the situation I encountered while installing Oracle 8i and Oracle Application server on the same machine.  I found in the Oracle news groups that several people had the same problems, and the following is my response to one such individual:

In response to:

"pher" <no.spam@plea.se> wrote in message news:p4c5ps0ugf2cm7sv1m5788sidvv72akvof@4ax.com...

> Hello all
>
> I'm trying to install the Oracle 8.1.5 onto an NT4 SP6 server
> that has Oracle Application Server 4.08 installed. The 2 softwares
> seem to be incompatible. I get Blue Screens or Dr Watson error at
> JREW.EXE upon installing. I install them in 2 different Oracle-home
> directories.
>
> Is there any advice on how to proceed ?
>
> Thank you very much in advance
>
> Pierrot

[Lengthy prolog concerning other issues related to which version of SP6 was installed and potential problems arising from this]

If you are still determined, then you should:

-1. Back up any work you have done, if required.

That is, back up:

  • Your Oracle Application Server configurations (i.e. Application and Cartridge installations)
  • Any important data stored in the RDBMS (such as user schemas you have developed)

0. Start clean.

In other words:

  • Shut down all running Oracle services (such as listeners)
  • Uninstall both products
    • Remember first to remove any Oracle instances you have created, which also removes the associated NT services.
    • The uninstall procedures should remove any other services such as OAS listeners, Data Gatherer and TNS Listener. Make sure this happened.
  • Restart the computer
  • Remove all remaining registry entries referring to Oracle products (including any HKLM\SYSTEM\ControlSet00(*)\Enum\Root\LEGACY_ORACLE(*) entries).

NOTE:

You may first have to change permissions on all items including and below the LEGACY_ORACLE* entries using regedt32, as by default only the SYSTEM account has the right to delete them. You will of course need Administrator group membership to change these permissions.

1. Back up and clear the system environment settings that the installations will affect.

In other words:

  • Copy your system environment variable settings to a text file
  • Clear the system path and classpath variables just prior to installing each product (you can use the system properties control panel applet)
  • Reinstate after all products have been installed (but read points 3-5 and 8 first).

NOTE:

You must do this because there are known incidents concerning exceeded path lengths during installation, conflicting DLLs (especially Object Request Broker DLLs), conflicting classpaths to Java archives, among other environment related problems. 

2. Install the products under different accounts:
  • Create a separate account for each product with the User Manager applet.
  • Log on as the install user for each product.
  • Install, and perform steps 3 to 5 below, for each product until all products are installed.
3. Isolate each product's environment settings:
  • After each install and before the next, move the following from the system environment to the install user's environment:
    • system path
    • classpath
    • any other environment variable items added by that install
4. Isolate each product's services' environments:
  • Modify all services added by the particular install to run under that install user's account (instead of the default SYSTEM account).
5. Restore your system environment:
  • Reinstate the:
    • System path.
    • Class path.
    • Any other pre-existing system environment variables.
  • Consider carefully what effect restoring each entry may have on the products installed.
  • Modify the path order and/or remove items from path-type variables if you feel they may pose a risk. This is especially so for the classpath: see 8, below.
6. Enable the use of common tools outside of install user logins, if desired:
  • Add the %ORACLE_HOME%\bin for each product to the system path.

NOTE:

It is best to put the %ORACLE_HOME%\bin items on the PATH in descending order, starting from the product with the latest release date.  This will avoid as many DLL problems as possible.

7. Fix remaining non-Java related conflicts:
  • You will probably have to write some custom batch files to set up the environment (for running some of the command line versions of the tools and utilities).
8. Fix problems with conflicting Java versions:

If you had some other Java JRE installed before installing the Oracle products, you may run into version conflict problems:

  • Look at HKLM\SOFTWARE\JavaSoft\Java Runtime Engine\Current Version.
  • Oracle sets ..\Current Version to 1.1.
  • Oracle creates a HKLM\SOFTWARE\JavaSoft\Java Runtime Engine\1.1\ entry.
  • The ..\1.1\ entry contains JavaHome="%SystemDrive%\Program Files\Oracle\jre\1.1.7" etc.
  • If you have JRE/JDK 1.2 or 1.3 installed, that version of java.exe/javaw.exe may exist in %SystemRoot%.
  • If you have java.exe/javaw.exe 1.2.x+ in %SystemRoot%, it may be found first on your system path when executing certain Java programs and Oracle RDBMS/OAS tools.
  • If the JRE "Current Version" is set to 1.1, and java.exe/javaw.exe 1.2.x+ is executed, Java will refuse to operate.
  • Try setting the JRE "Current Version" registry entry to match the version of java.exe in %SystemRoot%.
  • (This is fairly safe, as Java 1.2/1.3 do not have the Java 1.1 jre.exe or jrew.exe executables. Thus, Oracle software that needs jre.exe or jrew.exe (for the most part /:-( ) explicitly states the path to these Java 1.1-only executables.)
  • Fix local classpath specifications as required.
  • (Sorry: this is unavoidable and really tedious.)
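To make the two PATH-related pitfalls from steps 6 and 8 checkable, here is an added example (not from the article, nor Oracle's or Microsoft's code) that simulates the NT PATH search over a constructed directory map, compares the first java.exe found with the JRE "Current Version" value, and checks that each product's %ORACLE_HOME%\bin sits on the PATH in descending release-date order. It reads nothing from a real registry or file system; every directory, version and date below is a constructed assumption.

```python
import re
from datetime import date

# Constructed stand-ins for system state (assumptions, not real machines).
ENV = {"SystemRoot": r"C:\WINNT", "SystemDrive": "C:"}
FILES = {  # directory -> {executable: version}
    r"C:\WINNT": {"java.exe": "1.2.2", "javaw.exe": "1.2.2"},
    r"C:\jdk1.2.2\bin": {"java.exe": "1.2.2", "javaw.exe": "1.2.2"},
}
SAMPLE_PATH = r"C:\Ora816\bin;C:\Oas408\bin;%SystemRoot%;%SystemRoot%\system32"
# (product, ORACLE_HOME, release date) - dates are placeholders for the example
SAMPLE_HOMES = [("Oracle 8i 8.1.6", r"C:\Ora816", date(2000, 2, 1)),
                ("OAS 4.0.8", r"C:\Oas408", date(1999, 6, 1))]


def expand(entry, env):
    """Expand %VAR% references in a PATH entry as cmd.exe does (case-insensitively)."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower.get(m.group(1).lower(), m.group(0)), entry)


def path_entries(path, env):
    """Split PATH into expanded, normalised (lower-case, no trailing \\) directories."""
    return [expand(e.strip(), env).rstrip("\\").lower()
            for e in path.split(";") if e.strip()]


def first_on_path(exe, path, env=ENV, files=FILES):
    """Return (directory, version) of the first PATH directory holding exe, or None."""
    lowered = {k.rstrip("\\").lower(): v for k, v in files.items()}
    for d in path_entries(path, env):
        if exe in lowered.get(d, {}):
            return d, lowered[d][exe]
    return None


def jre_conflicts(path, current_version, env=ENV, files=FILES):
    """Step 8: the java.exe that wins the PATH search must match the JRE
    'Current Version' registry value, otherwise Java refuses to run."""
    hit = first_on_path("java.exe", path, env, files)
    if hit and not hit[1].startswith(current_version):
        return [f"java.exe {hit[1]} in {hit[0]} is found first on PATH, "
                f"but JRE Current Version is {current_version}"]
    return []


def bin_order_problems(path, homes, env=ENV):
    """Step 6 NOTE: every product's %ORACLE_HOME%\\bin must be on the PATH, with
    the most recently released product earliest."""
    entries = path_entries(path, env)
    problems, placed = [], []
    for product, home, released in homes:
        bindir = home.rstrip("\\").lower() + r"\bin"
        if bindir in entries:
            placed.append((entries.index(bindir), product, released))
        else:
            problems.append(f"{product}: {home}\\bin is not on the PATH")
    placed.sort()  # by position on the PATH
    for (_, earlier, d1), (_, later, d2) in zip(placed, placed[1:]):
        if d2 > d1:  # a newer product sits behind an older one
            problems.append(f"{later} (released {d2}) should precede "
                            f"{earlier} (released {d1}) on PATH")
    return problems
```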

Anyway, the above procedure is just a rough guide.  If you can think up a system configuration that logically does the same thing (or better), great: do that instead.  For instance, I have had some luck with running the command line tools through telnet, as this allows one to log on as the installation user, giving that user's environment and allowing trouble-free operation of at least the command line tools for that installation.

The real point here is your ideal is to have all the:

  • Oracle 8i services and tools to run as if only Oracle 8i was installed.
  • Oracle Application Server services and tools to run as if only OAS was installed.

For instance, many of the tools and services expect %ORACLE_HOME% and/or %ORAWEB_HOME% to be set, with Oracle Application Server expecting them to point to the OAS HOME and Oracle RDBMS expecting them to point to the Oracle RDBMS HOME. Of course, many times these values are obtained from the registry, so they will work fine if you have installed the products under separate accounts and to separate homes. As well, discovery scripts are often executed by Oracle products to set up the correct execution environment, so in these cases things will work just fine too. But unfortunately, there are a few places that, in my experience, still need hand tweaking to work properly in a "same machine" Oracle RDBMS/OAS installation, even if separate accounts and ORACLE HOMEs are used.

I have 8.1.6 Enterprise Edition and Oracle Application Server 4.082 installed on the same NT 4 Workstation Service Pack 5 machine (I have avoided SP6 due to reported problems and the fact that things seem to work just fine as they are).  The techniques outlined above seem to have worked quite well, but I have still had some rough edges to deal with. The Oracle documentation states that Oracle RDBMS 8.1.6/OAS 4.082 should work together, even if installed using the default settings, with all Oracle services running under that default SYSTEM user account and both products installed to the same ORACLE HOME.  However, I found that, like you, this was not the case.  So I had to uninstall both products and went through the above procedure to isolate the products as much as possible.

If you have a couple of extra machines (they don't have to be that great), and you are installing the same or greater version of the software, I strongly recommend installing  8i RDBMS, Oracle Management Server for Oracle Enterprise Manager, and Oracle Application Server each on a separate, clean machine, with:

  • Oracle 8i RDBMS installed on the biggest box with the most memory
  • Oracle Application Server on the middle sized box
  • Oracle Management Server for Oracle Enterprise Manager  installed on the smallest box *

* If you choose the Oracle Enterprise Manager install only, I believe a database instance is installed that is custom tailored for OEM's needs and that takes far fewer system resources than the default 8.1.5 database instance install, but don't quote me on this.

NOTE: The same situation I have discussed above applies to many Microsoft, Oracle and other companies' server products, although you must watch out for the "per machine" licensing issues. It turns out, for instance, that the BackOffice suite is usually licensed per machine, requiring you to allocate a fair amount of additional funds for each box that is to run some subset of the servers/services that BackOffice provides. And in my experience, running everything from Exchange Server to SQL Server on one box in, say, a 100+ user environment is just asking for trouble, both performance- and reliability-of-service-wise, even on a quad Xeon box with redundant RAID.

Anyway, the above one machine per Oracle product architecture will:

  • Isolate the installations from each other.
  • Give the greatest future configuration flexibility.
  • Take best advantage of Oracle's multi-tiered design, providing the best and most convenient scalability.
  • Yield the fewest problems when/if you must later install patches/upgrades to any of the products.

NOTE: If you use Oracle JDeveloper, definitely do not install it on the Oracle 8i RDBMS box, unless you have tons of RAM and a really fast CPU or 4 ;-). JDeveloper can easily use over 100MB of main memory for moderately complex projects and can eat 99.99% CPU for many seconds at a time in such a situation for each operation. Additionally, JServer for Oracle 8i is the same way when asked to do a server-side Java load/compile. So if you have JDeveloper 3.x or above and 8.1.5 or above on the same machine and you are deploying from JDeveloper to a local 8.1.5+ instance, you really need 384 MB+ RAM and a 700 MHz+ CPU to get any work done. Otherwise you will spend most of your time sitting around watching Task Manager say that CPU and memory usage are maxed out.

Campbell Boucher-Burnet,

Camco & Associates:

Software Development and Consulting

2. How to Diagnose And Eliminate Possibilities?

The next step in solving a service configuration error is to:

  • Diagnose the problem by looking up help on the error numbers reported, if any
  • Ensure that all settings are known.
  • Control each setting to eliminate possibilities, until a manageably small set of contenders remains.

For example, to narrow down the possibilities of where the previously mentioned http 401 error could be coming from, one must ensure that certain default security settings created during the installation of  NT and IIS are still in place.  I'm pretty sure the following is how the defaults are set under NT Workstation 4, but I asked my friend to check the defaults for IIS 4 under Win2000 Server and revert to these while solving the problem:

IUSR_mymachine, whether set explicitly or through group membership, has only the "Log on locally" and "Access computer across network" rights.

For more accurate diagnostics, one needs to know that in IIS4 under NT4 (at least), there are actually 6 types of 401 error:

  • 401 Authentication required
  • 401;1 Unauthorized: Logon failed.
  • 401;2 Unauthorized: Logon failed due to server configuration.
  • 401;3 Unauthorized: Unauthorized due to ACL on resource.
  • 401;4 Unauthorized: Authorization failed by filter.
  • 401;5 Unauthorized: Authorization failed by ISAPI/CGI app.

So, one should check precisely which is being reported.  Of course, it does not tell you too much if it is the first, as in the case of my friend.

Next, set up extended logging so that the Windows user login name (not just the IP address) is recorded, and then check to see who is actually logged in, and for what resource, as far as IIS is concerned, when the 401 error occurs. When one is running a site with frames including many pages (and possibly dynamically determined pages), server-side scripts, client-side scripts, mixed secure and insecure pages, and the like, this is very important. If you are serving plain, static, non-frame HTML, this becomes much less of an issue.
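The log check described above, as an added example that is not part of the original article: it parses a W3C extended log excerpt by its #Fields: header, tallies 401 responses by user, resource and sub-status using the six meanings listed earlier, and lists the public paths on which an anonymous request was denied by an ACL, which is the mismatch between ACLs and the anonymous account that this section is about. The log lines are constructed, not from a real server, and the sc-substatus column is assumed to be enabled in the logging options.

```python
from collections import Counter

# Meanings of the six 401 variants listed for IIS 4 earlier in the article.
SUBSTATUS_401 = {
    0: "Authentication required",
    1: "Logon failed",
    2: "Logon failed due to server configuration",
    3: "Unauthorized due to ACL on resource",
    4: "Authorization failed by filter",
    5: "Authorization failed by ISAPI/CGI app",
}

# Constructed W3C extended log excerpt (not a real log).  The username,
# resource and sub-status fields are enabled; '-' is how IIS records the
# cs-username of an anonymous request.  sc-substatus is assumed available.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2000-05-01 10:00:01 10.0.0.5 - GET /index.htm 200 0
2000-05-01 10:00:02 10.0.0.5 - GET /public/logo.gif 401 3
2000-05-01 10:00:03 10.0.0.8 - GET /public/logo.gif 401 3
2000-05-01 10:00:04 10.0.0.5 - GET /members/report.asp 401 3
2000-05-01 10:00:09 10.0.0.5 MYDOMAIN\\jsmith GET /members/report.asp 200 0
2000-05-01 10:01:12 10.0.0.9 MYDOMAIN\\jsmith GET /cgi-bin/check.exe 401 5
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the latest #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            yield dict(zip(fields, line.split()))


def summarize_401(text):
    """Count 401 responses by (user, resource, meaning of the sub-status)."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "401":
            continue
        sub = int(rec.get("sc-substatus") or 0)
        user = rec.get("cs-username", "-")
        user = "anonymous" if user == "-" else user
        meaning = SUBSTATUS_401.get(sub, f"unknown sub-status {sub}")
        counts[(user, rec.get("cs-uri-stem", "?"), meaning)] += 1
    return counts


def anonymous_acl_denials(text, public_prefixes=("/",)):
    """Paths under public_prefixes where an anonymous request got 401;3.
    Public content should be readable by Everyone, so each path returned is
    a candidate for an ACL that is out of sync with the anonymous account."""
    denied = set()
    for (user, stem, meaning) in summarize_401(text):
        if (user == "anonymous" and meaning == SUBSTATUS_401[3]
                and stem.startswith(tuple(public_prefixes))):
            denied.add(stem)
    return sorted(denied)
```

Restricting the prefixes to the directories that are meant to be public separates a genuine denial (a members-only page requested anonymously) from the misconfiguration being hunted.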

Then check the User Manager to see if there is more than one internet guest account, like I had once from reinstalling IIS after slightly changing the host name of my computer.

My friend had to do this because he removed the Everyone (All) (All) default (a stupid Windows default if you ask me) and explicitly added the IIS anonymous user to the ACLs of his web files and directories. However, as you can see from the regedit snapshot below, IIS supports only the one anonymous user. This means that it is important to figure out (from the logs, the ACLs on one's web files, and the rights of the various groups and users) whether, perhaps, the user or group permissions and ACLs on the desired resources have gotten out of sync. Of course, this turned out not to be the problem for my friend, but strange things can happen when IIS is reinstalled or NTFS is upgraded (as per the move from NT4 to Windows 2000), or a boot drive is copied verbatim, à la early Drive Image, to another computer within an MS Windows domain. Once again, one really should just give the Everyone group read access to all public web files, as well as ensuring that any files outside the scope of one's web hierarchy (for example, external files accessed by the ASP engine or CGI programs) are accessible by whatever account the WWW service runs under.

Now, the next thing to understand is that various DLLs (Dynamic Link Libraries) handle server-side processed files, as shown below:

Additionally, for each site or IIS application (read: DNS name and subdirectory under its root) within the Internet Service Control Manager, an additional set of ISAPI (Internet Service Application Programming Interface) filters can be specified.

If I recall correctly, these can register to be passed control from the DLLs that handle file mappings, either totally, or for identified sections within a server-side processed file.  Hence, if there is a functional overlap between filters, then there can be problems with the priority in which the filters are specified.

Remember also that if the files accessed by server-side processing are dynamically determined at run-time, then there is another set of security settings to worry about. Also, there can be cases where server-side processing occurs using trusted impersonation, so it may be difficult to predict when and if authentication violations will occur in such cases.

All in all, it is best to keep file system level authentication issues simple...very simple.

3. Can There Be Other Problems?

A final thought in the form of an excerpt from the IIS Service manager Help Pages:

Anonymous User Account
Use this dialog box to set the Windows NT user account used for anonymous connections. By default, the server creates and uses the account IUSR_computername.

Username
Type the name of the anonymous account you created with the Windows NT User Manager for Domains utility in this box.

Password
Type in the anonymous user account password in this box. When you installed the server, Setup created the account IUSR_computername in Windows NT User Manager for Domains and in Internet Service Manager.

Note: Enabling automatic password synchronization disables this box. The password is used only within Windows NT; anonymous users do not log on by using a user name and password.

Enable Automatic Password Synchronization
When you create a new anonymous account, you must make sure that your Web site and Windows NT password settings are identical. Select this option to automatically synchronize your anonymous password settings with those set in Windows NT.

Important: Password synchronization should only be used with anonymous user accounts defined on the local computer, not with anonymous accounts on remote computers.

So, there is one more problem that can occur here: if Enable Automatic Password Synchronization is not set and IIS is reinstalled or someone or something changes the Windows password for the anonymous user account, problems can occur.  I have experienced this problem with Samba under Linux as well.

As you can see, there are many aspects to configuring services under Windows NT (or indeed any OS supporting services).  They can range from the obvious to the subtle and complex.  I hope that this article can help, in some small way, anyone who is having problems in this area and has bumped into this page somehow.

C.B.  2000

For Further Reading:

  • Editorial: Goodbye cross-platform incompatibility: hello brave new world.
  • Review: CygWin - a revolutionary idea in Windows programming
  • Help Desk: NT Error codes explained
