Microsoft Windows Registry Guide, Second Edition

Removing Components

Whereas the previous section showed you how to prevent Windows from configuring components when it creates a user profile, this section shows you how to prevent Windows from installing certain components altogether. Be careful when you prevent the operating system from installing components, though, because doing so could cripple some features and applications. For example, Office 2003 Editions requires Internet Explorer, Outlook Express, and NetMeeting for a lot of its features, particularly its collaboration features. The moral is to test your configurations in a lab before deploying them to unsuspecting users.

The Windows setup program doesn't provide a user interface for removing components during installation. You can use an answer file to remove components, however; Chapter 14, “Deploying with Answer Files,” shows you what the [Components] section looks like in an answer file, and I summarize that information in this chapter. The operating system does allow users to add or remove components using the Windows Components Wizard, though: in Control Panel launch Add Or Remove Programs, Add/Remove Windows Components. Still, the wizard and answer files do not allow you to remove and disable some of the features that enterprises would rather not install. There's no option to remove Windows Movie Maker, for example, nor is there an option to remove Windows Messenger.

This section shows you some alternative ways to get rid of components, if possible, or to hide them. The most common requests that I get are to remove the Tour Windows, Movie Maker, Outlook Express, and Files And Settings Transfer Wizard components. Interestingly, I'm not often asked about removing the games, but you can do that easily enough through your Windows answer file.

Answer File [Components] Section

Chapter 14, “Deploying with Answer Files,” describes how to build an answer file. If you're an IT professional deploying Windows, you're probably already familiar with answer files. The [Components] section of answer files enables you to prevent the operating system from installing certain components. Table 18-2 describes all the components that Windows answer files support. The names of each component are self-explanatory. To install a component, set it to On. To prevent its installation, set it to Off. In the listing, I've set each component to its default installation value.

Microsoft doesn't document a way to prevent the setup program from installing Windows Messenger, which is a common request. I've added the component msmsgs to Table 18-2, however, which prevents the setup program from installing it. The file Sysoc.inf, which you learn about in the next section, hides this component in the Windows Components Wizard. You can edit that file to show Windows Messenger in the wizard, but doing so relies on users to remove Windows Messenger. Instead, you can add the component to the [Components] section of your answer file to prevent the setup program from installing it.

Table 18-2 [Components] Section

Setting | Default Value | Description
AccessOpt | On | Specifies whether to install the Accessibility Wizard
appsrv_console | Off | Specifies whether to install the Application Server Console
aspnet | Off | Specifies whether to install the ASP.NET Web development platform
AutoUpdate | | See the AutomaticUpdates entry in the [Data] section of Unattend.txt
BitsServerExtensionsISAPI | Off | Specifies whether to install Internet Server Application Programming Interface (ISAPI) for Background Intelligent Transfer Service (BITS) server extensions on client computers
BitsServerExtensionsManager | Off | Specifies whether to install the Microsoft Management Console (MMC) snap-in, administrative Application Programming Interfaces (APIs), and Active Directory Service Interfaces (ADSI) extensions for Background Intelligent Transfer Service (BITS) server extensions
Calc | On | Specifies whether to install the Calculator feature
certsrv | Off | Specifies whether to install the Certificate Services components
certsrv_client | Off | Specifies whether to install the Web client components of Certificate Services
certsrv_server | Off | Specifies whether to install the server components of the Certificate Services feature for the Windows Server 2003 family only
charmap | On | Specifies whether to install the Character Map feature that inserts symbols and characters into documents
chat | Off | Specifies whether to install the Chat feature
clipbook | On | Specifies whether to install the clipboard viewer
cluster | Off | Specifies whether to install the Cluster service (for Windows 2000 Advanced or Datacenter Server only)
complusnetwork | Off | Specifies whether to enable network COM+ access
deskpaper | On | Specifies whether to install a desktop background on the computer desktop
dialer | On | Specifies whether to install the Phone Dialer feature
dtcnetwork | Off | Specifies whether to enable Microsoft Distributed Transaction Coordinator (DTC) network access
fax | Off | Specifies whether to install the Fax feature
fp_extensions | Off | Specifies whether to install Microsoft FrontPage server extensions
fp_vdir_deploy | Off | Specifies whether to install Microsoft Visual InterDev RAD Remote Deployment Support
freecell | On | Specifies whether to install the Freecell game (not available in the Windows Server 2003 family)
hearts | On | Specifies whether to install the Hearts game (not available in the Windows Server 2003 family)
hypertrm | On | Specifies whether to install the HyperTerminal feature (Windows XP)
IEAccess | On | Specifies whether to install visible entry points to Internet Explorer
IEHardenAdmin | On | Applies the Enhanced Security Configuration to members of the Administrators and Power Users groups
IEHardenUser | On | Applies the Enhanced Security Configuration to members of the Restricted Users and Guests groups
iis_asp | Off | Specifies whether to install Active Server Pages (ASP) for Internet Information Services (IIS)
iis_common | On | Specifies whether to install the common set of files required by IIS
iis_ftp | Off | Specifies whether to install the FTP service
iis_inetmgr | On | Specifies whether to install the Microsoft Management Console (MMC)-based administration tools for IIS
iis_internetdataconnector | Off | Specifies whether to install the Internet Data Connector
iis_nntp | Off | Specifies whether to install the Network News Transfer Protocol (NNTP) service for the Windows Server 2003 family
iis_serversideincludes | Off | Specifies whether to install the Server-Side Includes
iis_smtp | On | Specifies whether to install the Simple Mail Transfer Protocol (SMTP)
iis_webdav | Off | Specifies whether to install WebDAV Publishing
iis_www | On | Specifies whether to install the World Wide Web (WWW) service
indexsrv_system | On | Specifies whether to install the Indexing Service files
inetprint | Off | Specifies whether to install Internet Printing
licenseserver | Off | Specifies whether to turn Terminal Services licensing on
media_clips | On | Specifies whether to install sample sound clips on the computer (Windows XP)
media_utopia | Off | Specifies whether to install the Utopia Sound Scheme on the computer
minesweeper | On | Specifies whether to install the Minesweeper game on the computer (not available in the Windows Server 2003 family)
mousepoint | On | Specifies whether to install all the available mouse pointers distributed with Windows XP or Windows Server 2003 family
msmq_ADIntegrated | Off | Specifies whether to integrate Message Queuing (also known as MSMQ) with Active Directory if the computer belongs to a domain
msmq_Core | Off | Specifies whether to set up the Message Queuing components and provide functionality for any dependent clients
msmq_HTTPSupport | Off | Specifies whether to enable the sending and receiving of messages using the HTTP protocol
msmq_LocalStorage | Off | Specifies whether to store messages locally, so the computer can send and receive messages even when not connected to a network
msmq_MQDSService | Off | Specifies whether to provide access to Active Directory and site recognition for downstream clients
msmq_RoutingSupport | Off | Specifies whether to provide efficient routing
msmq_TriggersService | Off | Specifies whether to associate the arrival of incoming messages at a queue with functionality in a Component Object Model (COM) component or a stand-alone executable program
msnexplr | On | Specifies whether to install MSN Explorer
mswordpad | On | Specifies whether to install the WordPad feature on the computer
netcis | Off | Specifies whether to install Microsoft Component Object Model (COM) Internet Services
netoc | On | Specifies whether to install additional optional networking components
objectpkg | On | Specifies whether to install the Object Packager feature (Packager.exe) on the computer
OEAccess | On | Specifies whether to install visible entry points to Outlook Express
paint | On | Specifies whether to install the Microsoft Paint feature on the computer
pinball | On | Specifies whether to install the Pinball game on the computer (not available in the Windows Server 2003 family)
Pop3Admin | Off | Specifies whether to install the optional POP Web UI for the Remote Administration Tools on the computer
Pop3Service | On | Specifies whether to install the main POP3 service on the computer
Pop3Srv | On | Specifies whether to install the root POP3 component on the computer
rec | On | Specifies whether to install the Sound Recorder feature on the computer
reminst | Off | Specifies whether to install Remote Installation Services (RIS), which enables you to install an operating system remotely onto a computer with either a new PXE-based remote boot read-only memory (ROM) or a network card supported by the remote installation boot floppy disk
rootautoupdate | On | Specifies whether to turn on the Optional Components Manager (OCM) Update Root Certificates
rstorage | Off | Specifies whether to install the Remote Storage feature that enables the use of tape libraries as extensions of NTFS file system volumes
sakit_web | Off | Specifies whether to install the Remote Administration Tools (formerly known as the Server Administration Kit)
solitaire | On | Specifies whether to install the Solitaire game on the computer (not available in the Windows Server 2003 family)
spider | On | Specifies whether to install the Spider Solitaire game on the computer (not available in the Windows Server 2003 family)
templates | On | Specifies whether to install Document Templates on the computer
TerminalServer | Off | Specifies whether to install Terminal Server (Terminal Services for multiple users) on the computer
TSWebClient | Off | Specifies whether to install the ActiveX control and sample pages for hosting Terminal Services client connections over the Web
vol | On | Specifies whether to install the Volume Control feature on the computer
WbemCrrl | On | Specifies whether to install the Windows Management Instrumentation (WMI) event correlation component
WbemFwrd | On | Specifies whether to install the Windows Management Instrumentation (WMI) event forwarding components
WbemMSI | On | Specifies whether to install the WMI Windows installer provider
WMAccess | On | Specifies whether to install visible entry points to Windows Messenger
WMPOCM | On | Specifies whether to install visible entry points to Windows Media Player
wms | Off | Specifies whether to install the core Windows Media Server components
wms_admin_asp | Off | Specifies whether to install the Windows Media Services Web-based administrative components
wms_admin_mmc | Off | Specifies whether to install the Windows Media Services Microsoft Management Console (MMC)-based administrative components
wms_isapi | Off | Specifies whether to install the Windows Media Services Multicast and Advertisement Logging Agent components
wms_server | Off | Specifies whether to install the Windows Media Services server components
zonegames | On | Specifies whether to install the Microsoft Gaming Zone Internet games on the computer (not available in the Windows Server 2003 family)

This is a great technique for preventing the operating system from installing things such as the games, but it doesn't prevent the installation of components such as Movie Maker, because the [Components] section doesn't include settings for those components. You can use it to prevent the installation of Windows Media Player and Windows Messenger, though, which strikes two components off of my checklist.

Extending Windows Components Wizard

Just because you don't see a component in the Windows Components Wizard doesn't mean that Windows isn't prepared to remove it. The file Sysoc.inf controls which components appear in the wizard. This file is in %SystemRoot%\Inf, and Listing 18-2 shows its default contents. You must display super-hidden files to see the Inf folder: in Windows Explorer, click Tools, Folder Options. On the View tab, select the Show Hidden Files And Folders check box.

In Listing 18-2, the important section in this file is [Components]. Each line in this section is either a specific component or a category of components. If you see the word hide, Windows doesn't display the component or category in the Windows Components Wizard. To allow users to remove the component, or the components in the category, remove the word hide. For example, to allow users to remove Windows Messenger, change the line msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7 to msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,,7.
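One way to audit and edit the hide flag offline, as an added example that is not from the book: the parser reads every [Components] section (the default file has two), treats hide and HIDE alike, and clears the flag for a single component. The function names and the shortened sample file are assumptions made for the example.

```python
import re

# Constructed sample: a few lines taken from the default Sysoc.inf in Listing 18-2,
# including the second [Components] section and both spellings of the hide flag.
SAMPLE_SYSOC = """\
[Version]
Signature = "$Windows NT$"

[Components]
Fax=fxsocm.dll,FaxOcmSetupProc,fxsocm.inf,,7
IndexSrv_System = setupqry.dll,IndexSrv,setupqry.inf,,7
TerminalServer=TsOc.dll, HydraOc, TsOc.inf,hide,2
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
Pinball=ocgen.dll,OcEntry,pinball.inf,HIDE,7

[Global]
WindowTitle=%WindowTitle%

[Components]
msnexplr=ocmsn.dll,OcEntry,msnmsn.inf,,7
"""

SECTION = re.compile(r"^\s*\[(.+?)\]\s*$")


def component_lines(text):
    """Yield (line_index, name, fields) for each entry in any [Components] section."""
    in_components = False
    for i, line in enumerate(text.splitlines()):
        header = SECTION.match(line)
        if header:
            # A repeated [Components] header simply switches collection back on.
            in_components = header.group(1).strip().lower() == "components"
            continue
        if in_components and "=" in line and not line.lstrip().startswith(";"):
            name, value = line.split("=", 1)
            yield i, name.strip(), [f.strip() for f in value.split(",")]


def hidden_components(text):
    """Names whose fourth field is 'hide' in any letter case."""
    return [name for _, name, fields in component_lines(text)
            if len(fields) >= 4 and fields[3].lower() == "hide"]


def unhide(text, component):
    """Return the file text with the hide flag cleared for one component only."""
    lines = text.splitlines()
    for i, name, fields in component_lines(text):
        if name.lower() == component.lower() and len(fields) >= 4:
            fields[3] = ""
            lines[i] = f"{name}={','.join(fields)}"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("hidden:", hidden_components(SAMPLE_SYSOC))
    print(unhide(SAMPLE_SYSOC, "msmsgs"))
```

Run it against a copy of the file from a reference image and compare the output with the original before replacing anything in %SystemRoot%\Inf.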

Listing 18-2 Sysoc.inf

[Version]
Signature = "$Windows NT$"
DriverVer=07/01/2001,5.1.2600.2180

[Components]
NtComponents=ntoc.dll,NtOcSetupProc,,4
WBEM=ocgen.dll,OcEntry,wbemoc.inf,hide,7
Display=desk.cpl,DisplayOcSetupProc,,7
Fax=fxsocm.dll,FaxOcmSetupProc,fxsocm.inf,,7
NetOC=netoc.dll,NetOcSetupProc,netoc.inf,,7
iis=iis.dll,OcEntry,iis.inf,,7
com=comsetup.dll,OcEntry,comnt5.inf,hide,7
dtc=msdtcstp.dll,OcEntry,dtcnt5.inf,hide,7
IndexSrv_System = setupqry.dll,IndexSrv,setupqry.inf,,7
TerminalServer=TsOc.dll, HydraOc, TsOc.inf,hide,2
msmq=msmqocm.dll,MsmqOcm,msmqocm.inf,,6
ims=imsinsnt.dll,OcEntry,ims.inf,,7
fp_extensions=fp40ext.dll,FrontPage4Extensions,fp40ext.inf,,7
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
WMAccess=ocgen.dll,OcEntry,wmaccess.inf,,7
RootAutoUpdate=ocgen.dll,OcEntry,rootau.inf,,7
IEAccess=ocgen.dll,OcEntry,ieaccess.inf,,7
OEAccess=ocgen.dll,OcEntry,oeaccess.inf,,7
WMPOCM=ocgen.dll,OcEntry,wmpocm.inf,,7
Games=ocgen.dll,OcEntry,games.inf,,7
AccessUtil=ocgen.dll,OcEntry,accessor.inf,,7
CommApps=ocgen.dll,OcEntry,communic.inf,HIDE,7
MultiM=ocgen.dll,OcEntry,multimed.inf,HIDE,7
AccessOpt=ocgen.dll,OcEntry,optional.inf,HIDE,7
Pinball=ocgen.dll,OcEntry,pinball.inf,HIDE,7
MSWordPad=ocgen.dll,OcEntry,wordpad.inf,HIDE,7
ZoneGames=zoneoc.dll,ZoneSetupProc,igames.inf,,7
TabletPC=tabletoc.dll,TabletSetupProc,Tabletpc.inf,HIDE,7
Freestyle=medctroc.dll,MedCtrOCISetupProc,medctroc.inf,HIDE,7
netfx=netfxocm.dll,UrtOcmProc,netfxocm.inf,hide,7

[Global]
WindowTitle=%WindowTitle%
WindowTitle.StandAlone="*"

[Components]
msnexplr=ocmsn.dll,OcEntry,msnmsn.inf,,7

[Strings]
WindowTitle="Windows Professional Setup"
WindowTitle_Standalone="Windows Components Wizard"

Removing Components After Installation

The first option that I gave you enables you to prevent the Windows setup program from installing components during installation. The second option enables you to expose additional components in the Windows Components Wizard. This last option is for scenarios in which you want to remove a component without exposing it in the Windows Components Wizard. This option is also useful when you want to script the removal so that you don't have to visit the desktop.

The first step is to find the component's INF file in %SystemRoot%\Inf. Remember that this is a super-hidden folder, and I gave you instructions for showing it earlier in this chapter. The easiest way to find the component's INF file is to use Search Assistant. Look for all files with the .inf extension that contain the name of the component. For example, to find the INF file for Windows Messenger, search for all files with the .inf extension in %SystemRoot%\Inf that contain Windows Messenger. You should come up with the file Msmsgs.inf as shown in Figure 18-3. Then look in the file for a section with the words remove or uninstall in it. In this case, the section is named [BLC.Remove]. Then execute the following command, whether in a script or in the Run dialog box, where Filename.inf is the name of the INF file and Section is the name of the uninstall section:

rundll32 advpack.dll,LaunchINFSection %systemroot%\Inf\Filename.inf,Section

Thus, to remove Windows Messenger, run the command:

rundll32 advpack.dll,LaunchINFSection %systemroot%\Inf\Msmsgs.inf,BLC.Remove

Alas, many components don't have uninstall sections in their INF files, and that leaves you looking for other ways to remove them. You can use this method for many device drivers, programs, and components that do provide INF files, however.
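The search-then-run procedure above can be scripted. This added example (not from the book) lists the section names in an INF that contain remove or uninstall, returns nothing when the file has no such section, and builds the command line in the form shown earlier. The sample INF text is constructed: only the [BLC.Remove] section name comes from the page, and the function names are assumptions.

```python
import re

# Constructed sample. The page names only the [BLC.Remove] section of Msmsgs.inf;
# the other sections and every directive below are invented for this example.
SAMPLE_MSMSGS_INF = """\
[Version]
Signature="$Windows NT$"

[BLC.Install]
CopyFiles=Example.Files

; [Old.Uninstall]  commented-out header, must be ignored
[BLC.Remove]
DelFiles=Example.Files
"""

# Constructed sample of an INF that offers no uninstall section at all.
SAMPLE_NO_UNINSTALL = """\
[Version]
Signature="$Windows NT$"

[DefaultInstall]
CopyFiles=Example.Files
"""

HEADER = re.compile(r"^[ \t]*\[([^\]\r\n]+)\]", re.MULTILINE)
KEYWORD = re.compile(r"remove|uninstall", re.IGNORECASE)
SAFE = re.compile(r"^[A-Za-z0-9_.-]+$")  # no spaces, commas, quotes or path separators
COMMAND = "rundll32 advpack.dll,LaunchINFSection %systemroot%\\Inf\\{inf},{section}"


def uninstall_sections(inf_text):
    """Section names that contain 'remove' or 'uninstall', in file order."""
    return [name.strip() for name in HEADER.findall(inf_text) if KEYWORD.search(name)]


def removal_commands(inf_filename, inf_text):
    """Command lines for each uninstall section; [] when the INF has none."""
    if not (SAFE.match(inf_filename) and inf_filename.lower().endswith(".inf")):
        raise ValueError("unexpected INF file name: %r" % inf_filename)
    return [COMMAND.format(inf=inf_filename, section=name)
            for name in uninstall_sections(inf_text) if SAFE.match(name)]


if __name__ == "__main__":
    for cmd in removal_commands("Msmsgs.inf", SAMPLE_MSMSGS_INF):
        print(cmd)
    print(removal_commands("Example.inf", SAMPLE_NO_UNINSTALL))
```

An empty result means the component has no uninstall section, so a deployment script should skip it rather than guess a section name.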

Figure 18-3 Search the %SystemRoot%\Inf folder for all files with the .inf extension that contain the name of the component you want to remove.

Hiding Non-Removable Components

None of the methods I've shown will help you get rid of certain components, including Tour Windows XP, Movie Maker, Outlook Express, and the Files And Settings Transfer Wizard, which is what started me on this rampage in the first place. To prevent users from accessing these applications, you're going to have to get creative. Tour Windows XP is easy to hide, if not get rid of altogether. Create a new subkey in HKLM\Software\Microsoft\Windows\CurrentVersion\Applets\Tour named Tour. Then create the REG_DWORD value RunCount and set it to 0x00. Do this on your disk images so that users aren't accosted by Tour Windows XP the first time they log on to the operating system; they can run the tour from the Start menu.

The remaining bits aren't as easy. You can't just remove the program files because Windows File Protection (WFP) immediately restores them. You could disable Windows File Protection, but I don't recommend doing so because it protects users' configurations from accidents and misbehaved applications that like to replace files that they have no business replacing. Instead, on your disk images, hide the shortcuts, and use Software Restriction Policies to prevent users from running the programs by opening the program files:

  1. Prevent Windows from creating new shortcuts by removing the appropriate StubPath values from HKLM\SOFTWARE\Microsoft\ActiveSetup\Installed Components. See the section “Controlling Just-in-Time Setup,” earlier in this chapter, for more information.

  2. Hide existing shortcuts to the program (do this on your disk images):

    • Search %SystemDrive%\Documents and Settings\All Users for shortcuts to the program, and remove them.

    • Search %SystemDrive%\Documents and Settings\Default User for shortcuts to the program, and remove them.

    • Search the Default User folder in \\Server\NETLOGON\Default User share for the program's shortcuts, and remove them.

  3. Create a new Group Policy object (GPO) in Active Directory or locally on your disk images that prevents users from running the program.

That last step requires more explanation. Chapter 7, “Using Registry-Based Policy,” contains more information about Group Policy, but I'll get you started. The following instructions assume that you're defining Software Restriction Policies in the local GPO, but the steps transfer to network-based Group Policy:

  1. In Group Policy Editor's left pane, click Software Restriction Policies.

    To start Group Policy Editor, type gpedit.msc in the Run dialog box. Software Restriction Policies is under Computer Configuration\Windows Settings\Security Settings.

  2. Right-click Software Restriction Policies, and then click Create New Policies.

  3. Under Software Restriction Policies, right-click Additional Rules, and then click New Hash Rule.

  4. Click Browse, and select the file that you want to prevent users from executing. For example, to prevent users from running the Files And Settings Migration Wizard, select %SystemRoot%\system32\usmt\migwiz.exe.

After you select the file that you want to prevent users from running, Group Policy Editor creates a hash for the file. Figure 18-4 shows an example that prevents users from running Files And Settings Transfer Wizard. Users won't be able to run any program that matches that hash value. That way, users can't trick the system by copying the file to a different location (because some users can be clever). After you save the policy, you must log off of Windows for the change to take effect. When users try to run the program, they see an error message that reads, “Windows cannot open this program because it has been prevented by a software restriction policy.” So between hiding the advertisements and preventing the program file from executing, you can prevent programs such as Movie Maker and the Files And Settings Transfer Wizard from being run.

Figure 18-4 Without a Files And Settings Transfer Wizard shortcut on the Start menu, users will not usually try to run the wizard. Those who do will see an error message.
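What matching on content means for maintaining a hash rule, as an added example that is not from the book: the sketch finds every copy of a blocked file regardless of its name or folder, and flags a rule whose recorded hash no longer matches the file at its original path, as happens when an update replaces the program file. SHA-256, the function names and the temporary directory tree are assumptions for the example; it does not read or write Windows policy.

```python
import hashlib
import os
import shutil
import tempfile


def file_hash(path):
    """SHA-256 of a file's bytes (illustrative; not necessarily what Windows stores)."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def blocked_files(root, blocked_hashes):
    """Relative paths under root whose content matches a blocked hash, wherever they sit."""
    hits = []
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if file_hash(path) in blocked_hashes:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def stale_rules(rules, root):
    """Rule paths whose recorded hash no longer matches the file now at that path."""
    stale = []
    for rel_path, recorded in rules.items():
        path = os.path.join(root, rel_path)
        if not os.path.exists(path) or file_hash(path) != recorded:
            stale.append(rel_path)
    return stale


def demo():
    """Build a constructed tree and return (hits, stale_before_update, stale_after_update)."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "system32", "usmt"))
        os.makedirs(os.path.join(root, "Documents"))
        original = os.path.join(root, "system32", "usmt", "migwiz.exe")
        with open(original, "wb") as f:
            f.write(b"constructed stand-in for the program file, version 1")
        rules = {"system32/usmt/migwiz.exe": file_hash(original)}
        # A renamed copy in another folder still matches the rule.
        shutil.copy(original, os.path.join(root, "Documents", "notes.exe"))
        hits = blocked_files(root, set(rules.values()))
        before = stale_rules(rules, root)
        # Simulate an update that replaces the program file: the old rule is now stale.
        with open(original, "wb") as f:
            f.write(b"constructed stand-in for the program file, version 2")
        after = stale_rules(rules, root)
        return hits, before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

A stale rule means the hash rule has to be re-created from the updated file on the disk image.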
