Services Disable on PDC

[SR7758]

The strangest thing has been happening and I finally have time to find out what the solution is.
Our PDC (WIN NT 4.0, build 1381, SP6) automatically disables all of its services. They started services remain running, but disabled. With a cold boot everything seems ok - the changes were not saved.
This server runs WINS, DHCP and used to run DNS.
Has anyone seen this problem?
How did you fix it?
Thank you! S.R.

 

[ShackDaddy]

Come on. Don't hold out...what's the event log telling you? RPC errors? Can you rule out another person with admin rights disabling them?

 

[SR7758]

There is never anything in the event log showing services being set to disabled or stopped, no errors, nothing out of the ordinary.
The only admins are me and my manager, and he's out this week, so it can't be him.
It's really annoying! S.R.

 

[Highland]

Is it all services that are affected....????

Are there any UNUSUAL scheduled tasks on the PDC....???

Do they stop at the same time every day....???

Shackdaddy sounds sceptical....!!!!

 

[SR7758]

Yes, all services are disabled.

No, and the Schedule service is set to manual, and not started.

The times vary. We keep a log of when it happens and it doesn't seem to have any pattern. S.R.

 

[ShackDaddy]

If restarting the server brings things back to normal, then the registry entries that control the service states are remaining intact. If a person were manually stopping the services, even via hacking, I would expect the registry entries to change, which they don't seem to be.

What's interesting is that your operations aren't being affected, since the services don't actually stop, right? Are you sure your manager didn't write and schedule a script that disables the services, just to prank you?

And is it ALL the services that are disabled, or just a large number of them?

If you type 'net start' do you see a list of services that are running?

 

[Highland]

It sounds very strange.....!!!

Try changing the Admin password so only YOU know it....????

 

[SR7758]

The services don't actually stop. The startup method is just changed from Manual or Automatic to Disabled, then remotely restarting the service does not work because it is disabled.
If my manager has time to do that, then why am I stuck doing all of the sh*t work?
Net Start shows nothing out of the ordinary; matches the services list. S.R.

 

[haxx77]

These things happen when one of NT's rules is broken.
Such as, To many login attempts, Wins replication failure, Scope full etc. NT can't recover. Did you install SP6a and the Rollup?

 

[SR7758]

A-HA!! Our DHCP scope has been full a couple of times. Are you sure this could do it?

SP6a is installed I will check the rollup package. S.R.

 

[ensorg]

Sorry sound sceptical but I don't think that your scope being full or two many logons would cause this problem. If it did then it would be a much greater problem (I can imagine that a lot of servers have run out of DHCP addresses and have had a lot of incorrect logins)

I have been thinking about this for a while and I have to admit that it has me stumped.

try this app, it will show you what registry changes are made and by what programs, if there is a script or something this should display it.

http://www.sysinternals.com/ntw2k/source/regmon.shtml

 

[ShackDaddy]

Regmon is useful for a lot of things, but it's not a great tool for general auditing. It's great when you have a program failing, but if you are thinking you need to keep an eye on something for more than 3-5 minutes, there's got to be a better way. The filtering on Regmon is bad too, so the gargantuan log you collect waiting for your services to be disabled might not even be easily sorted through.

If you could nail down an exact time, Regmon might help, but as long as you are dealing with a large window....

 

[Highland]

Yeah regmon is a nitemare even if you roughly know what your looking for..!!!!..it might not be too bad on a PDC though...???

Did you change ur Admin password for this server....???

How many people actually have access to it...??? U said u can access this server remotely...???....have you tried disabling remote access...???

 

[ensorg]

Its true you would have to wade through a lot of stuff even if you filter it by the reg key for only one service e.g HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netware
but might be worth while to spend a bit of time going through this (i agree may not provide any useful information) before you take the last resort of a reinstall if you can find no other solutions.