Bienvenido! - Willkommen! - Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
Central Log: Tux&Cía.
Advanced Information Log: Tux&Cía.-Información
May the source be with you!

Thursday, February 28, 2013

Event ID 8003 - master browser for the domain on transport NetBT_Tcpip


Details
Product: Windows Operating System
ID: 8003
Source: MRxSmb
Version: 5.2
Symbolic Name: EVENT_BOWSER_OTHER_MASTER_ON_NET
Message: The master browser has received a server announcement from the computer %2 that believes that it is the master browser for the domain on transport %3. The master browser is stopping or an election is being forced.
Explanation
This computer is a master browser, and another computer has announced that it is the master browser. There can be only one master browser on a subnet at any given time. This message is logged for informational purposes only.
The existence of two browser masters occurs when a second computer cannot contact the master browser for some reason: for example, when there are name resolution problems or the master browser is too busy to respond. When the original master browser receives a master announcement from the second computer, the master browser tries to resolve the conflict by ending its status as a master server, forcing an election, or both.
The choice of these actions depends on the status of the two computers: for example, whether one or both are domain controllers, primary domain controllers or Windows for Workgroups computers, and whether this computer lost an election earlier. For more information about browsing, see Appendix I: Windows 2000 Server Browser Service on the Microsoft Technet Web site.
   
User Action
No user action is required.
Version: 5.0
Symbolic Name: EVENT_BOWSER_OTHER_MASTER_ON_NET
Message: The master browser has received a server announcement from the computer %2
   
 =================================
http://www.hightechdad.com/2007/05/09/how-to-fix-master-browser-mrxsmb-event-id-8003-errors/
The master browser has received a server announcement from the computer [computer] that believes that it is the master browser for the domain on transport NetBT_Tcpip_{ 
The master browser is stopping or an election is being forced.

Here are some steps you can follow (no guarantee that they will work, but it worked for me and for others based on the various things that I read).
  1. Look at the System Event log on your Server and look for the Error 8003 (like the one listed above). Within that log, identify the “computer” that is announcing itself as a master browser.
  2. Go on to the computer identified in step 1 and go to the Services Administration panel. You can usually find this by going to Control Panel - Administrative Tools - Services.
  3. Once you have Services open, look for an entry called “Computer Browser”. If that Service is “started,” you have found your culprit. If not, you may have to try the registry hack listed in step 6 a few steps
  4. Double click on the “Computer Browser” service to edit it. STOP the service and then change the type to Disabled (from either Manual or Automatic). Click OK to apply your changes.
  5. That should have resolved the issue. You should check your main server’s event logs periodically to be sure that the error doesn’t show up. If it continues to show…
  6. …you have to check the registry value on the computer. You do this by launching your registry editor and going to the following key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster
    and ensure that it is set to FALSE. If it isn’t, you can change it to FALSE. Caution: registry edits are dangerous so only do this if you are sure you know what you are doing and the previous fix didn’t work. You probably have to reboot the machine to make the change take place.
I have also read that you need to be sure that all of your computers should be on the same subnet. If the above doesn’t work, be sure to check that.

More detail on the Computer Browser Service can be read here at Microsoft.
Steps 1-5 worked for me. I hope that this was a useful tip (given that it is so hard to find the solution).
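
The triage in steps 1 to 6 can be scripted. The following is an added example, not part of the original post: it extracts the announcing computer from each 8003 message, then reports (read-only) the Computer Browser service state and the two registry values named on this page. Function names and the sample message are constructed for illustration; it assumes Windows PowerShell 2.0 to 5.1, since Get-EventLog and Get-WmiObject are not available in PowerShell 7.

```powershell
# Added example, not code from the original post. Function names are hypothetical.
# Assumes Windows PowerShell (2.0 to 5.1) in an elevated session. Nothing is modified.

# Step 1: pull the announcing computer and the transport out of an 8003 message.
function Get-BrowserConflict {
    param([Parameter(Mandatory = $true)][string[]]$Message)
    foreach ($text in $Message) {
        $c = [regex]::Match($text, 'from the computer\s+(\S+)\s+that believes')
        if (-not $c.Success) { continue }
        $t = [regex]::Match($text, 'on transport\s+(\S+?)\.(\s|$)')
        $transport = $null
        if ($t.Success) { $transport = $t.Groups[1].Value }
        New-Object PSObject -Property @{
            Computer  = $c.Groups[1].Value
            Transport = $transport
        }
    }
}

# Step 1, on the server that logs the event: count announcements per computer,
# so the host that most often forces elections is listed first.
function Get-Event8003Summary {
    param([string]$Source = 'MRxSmb')   # event source as listed on this page
    Get-EventLog -LogName System -Source $Source -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 8003 } |
        ForEach-Object { Get-BrowserConflict -Message $_.Message } |
        Group-Object -Property Computer |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Steps 2 to 6, on the computer named in the event (intended for a non-DC host):
# report the service state and the registry values without changing them.
function Get-BrowserRoleConfig {
    $svc  = Get-WmiObject -Class Win32_Service -Filter "Name='Browser'"
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
    $reg  = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    $state = 'NotInstalled'
    $mode  = $null
    if ($svc) { $state = $svc.State; $mode = $svc.StartMode }

    $isMaster = $null
    $maintain = $null
    if ($reg) { $isMaster = $reg.IsDomainMaster; $maintain = $reg.MaintainServerList }

    $findings = @()
    if ($state -eq 'Running') {
        $findings += 'Computer Browser service is started (steps 3-4)'
    }
    if ("$isMaster" -match '^(true|yes)$') {
        $findings += 'IsDomainMaster is not FALSE (step 6)'
    }

    New-Object PSObject -Property @{
        Computer           = $env:COMPUTERNAME
        ServiceState       = $state
        StartMode          = $mode
        IsDomainMaster     = $isMaster
        MaintainServerList = $maintain
        Findings           = $findings
    }
}

# Constructed sample message (computer name and GUID are made up) so the
# parser can be tried without access to a live event log.
$sample = 'The master browser has received a server announcement from the computer ' +
          'WKSTN-EXAMPLE that believes that it is the master browser for the domain on ' +
          'transport NetBT_Tcpip_{00000000-0000-0000-0000-000000000000}. ' +
          'The master browser is stopping or an election is being forced.'
Get-BrowserConflict -Message $sample
```

Run Get-Event8003Summary on the server that logs the event, then Get-BrowserRoleConfig on the computer it names.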
========================
http://social.technet.microsoft.com/forums/es-ES/windowsserveres/thread/8f48a98c-7d23-4889-8046-10b55684815f
The event occurs when the Browser service is stopped or when there are two master browsers on the network and there can be only one.
Here is more information:
I would recommend that you force your DC to be the master browser.
 =======================
http://www.eventid.net/display.asp?eventid=8003&eventno=680&source=mrxsmb&phase=1
Here are some steps you can follow:

1. Look at the System Event log on your server and look for the error 8003. Within that log, identify the “computer” that is announcing itself as a master browser.
2. Go on to the computer identified in step 1, go to the Services Administration panel. You can usually find this by going to Control Panel -> Administrative Tools -> Services.
3. Once you have Services open, look for an entry called “Computer Browser”. If that service is “started,” you have found your culprit. If not, you may have to try the registry hack listed in step 6.
4. Double click on the “Computer Browser” service to edit it. Stop the service and then change the type to “Disabled” (from either Manual or Automatic). Click OK to apply your changes.
5. That should have resolved the issue. You should check your main server’s event logs periodically to be sure that the error does not show up. If the error continues to appear, read step 6.
6. Check the following registry value on the computer: "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster". Ensure that it is set to false. You probably have to reboot the machine to make the change take place.

EventID.Net
As per Microsoft: "This computer is a master browser, and another computer has announced that it is the master browser. There can be only one master browser on a subnet at any given time. This message is logged for informational purposes only". See MSW2KDB for more details on this issue.

See M191611 for details on symptoms of multihomed browsers.
See M190930 if IP Helper has been enabled on a Cisco switch.
See M188305 for information on troubleshooting the Microsoft Computer Browser service.

From a newsgroup post: "I just resolved a similar issue. My IP address and netmask were correct so according to TechNet I should not be getting this error message. I did an "ipconfig /release" followed by a "/renew" and received the 8003 message again. Therefore, I disabled the adapter then enabled it and everything is fine. Did another "ipconfig /release, /renew" and no message came up on the server. Note: This adapter had a static IP configuration at one time when it was connected to another network. Perhaps that was not cleaned up 100% when I changed it to DHCP. Disabling and enabling the adapter seemed to reset the configuration completely".

See the links to "EventID 8003 from source Rdr", "EventID 8003 from source Browser" and "Computer Browser and Browsing Roles" for additional information on this event.

NBJ
Make sure the routers on the network are not forwarding UDP broadcasts, keeping browser elections on NetBT local to each subnet, and enable WINS or lmhosts on the network for netbios name resolution.

David Fosbenner
In my case, I have a Windows 2003 Standalone server. Once I installed ISA Server 2006, I started to get these errors about once per hour. I disabled the Computer Browser service and the Print Spooler service since neither of these are necessary on an ISA Server, and the messages ceased. This error will occur in the same circumstances on ISA Server 2004 also.

James
I resolved this issue by stopping and disabling the Browser service on the remote host.

Robert H.
This error can occur if the computer forcing the election has an incorrect subnet mask.

Lingod
This event occurred when we had two computers with the same name in the same domain. Giving one PC some other name and joining both PCs again in the domain solved the problem.

Nebil Ben Jeddou
In my case, all I had to do was to restart the Netlogon Service on the PDC.

Steve Marek
I had this problem after disabling the Sygate personal firewall. It seems that Sygate needs to be uninstalled if you do not want to use it anymore. In my case, Sygate blocked all incoming and outgoing data without any warnings or something else. After reactivating it, everything worked fine again.

Shaun Smallwood
I used the answers from Anonymous about DNS entries and from Dave Murphy to solve this problem:
1. I had several entries listed as “(same as parent folder)” that were incorrect so I deleted them. There should only be an entry for each DC on your network.
2. I changed the "IsDomainMaster" key that Dave Murphy mentions above to “TRUE”.

Matthias Kock
I got this error after a W2k3 migration. There was still old information in the lmhost-file (c:\windows\system32\drivers\etc\). After a correction (correct domain name, correct ip address), the problem was solved. As an alternative, you can turn off the use of the lmhost-file (in the nic-properties).

Anonymous
This event started to occur every hour on our DC1 about the DC2. Solutions already listed here and in MS KB were not applicable to us. (Disabling/re-enabling NIC stopped the error for one day but then it showed up again) I believe the browser elections were being caused by DNS misconfig. (We use MS DNS AD-Integrated zones) Someone changed the IP address of the DC1 NS record (the record marked "same as parent folder"). When I finally noticed, I also noticed that the Host record for DC1 in DomainDNSZones disappeared entirely (replicated out). I manually changed the NS record back to the correct IP. I also manually added the Host record back in, under DomainDNSZones. (I allowed for replication time but the Host record did not come back on its own). Since then the error has not reoccurred.

EventID.Net
This issue was found on a Windows 2000 domain with two subnets connected by a Cisco router that has the ip helper command enabled. See the link to "Cisco Support Document ID: 49860" for a solution to this problem.

Doug Hall
We were getting this event frequently on our PDC Emulator DC which is Windows 2003. It turned out that the offending Windows XP PC had two enabled network cards, both with valid IP addresses, only one of which was connected to the network. Disabling the second network card solved the problem.

Anonymous
I got this error because in my W2k3 migration, supplying the personal firewall with the new server IP address had been missed. I supplied the address and the event disappeared.

Timothy Riegel
If 2 servers are involved, and one server appears in the other’s event log, check the DHCP scope options on the server whose name appears in the event log. This error is most commonly attributed to the subnet mask but if the domain name in the scope options is different on one of the servers it will cause this error to appear. Correcting the domain name in the scope options fixes the error message.

Maikel Martens
There is a hotfix available for Windows 2003 member server if a workstation becomes the master browser instead. See M843517 for the hotfix.

Benjamin Turner
We had this occurring on our network from an XP machine and within 30 minutes the server would crash. We called Microsoft and we were told that XP could cause servers running Win2k or NT 4.0 to crash because of the forced election. We were instructed to set the “Computer Browser” service on the culprit machine to Disabled and to recreate the Paging File on the server. We did both and the server has been up and running since.

Anonymous
This is a common event when you have multiple computers in a local workgroup and no domain.

Anonymous
Windows XP Pro clients with the inbuilt firewall enabled on the LAN interface cause this event to appear in the server logs. Disabling this sorted the problem.

Dave Murphy
Some considerations and ways to keep this from happening. As one other post mentioned, stopping the browser service on the workstation can clear this out. Other options to look into also consist of editing the "IsDomainMaster" key, under HKLM\System\CCS\Service\Browser\Parameters, on the domain controllers and changing the key to TRUE. This gives an extra boost to the election process to help ensure the domain controllers retain the master browser status. Also on the domain controllers, change the "MaintainServerList" key to "Yes" instead of Auto, and on the workstation, change the entry to "No" instead of Auto. This should resolve a number of browsing issues.

There is also a tool, called the NetBIOS Browsing Console to help with browsing issues. The software and instructions can be found via M818092 article.

Anonymous
Setting MaintainServerList to False will cause 2550 errors from the Browser service on restarts. The Browser service consequently fails every time. The solution to this can be to remove the Browser service with "instsrv browser REMOVE" at the command prompt.

Anonymous
In my case I had an open pair in my cat5 cabling. Repaired the cable and the error message stopped.

Dan Israel
Client desktop or workstations using Win XP Pro can cause this issue if the built in Internet Connection Firewall is active. Because this feature interferes with the network browsing, the client will attempt to become the Master Browser. Disabling the setting under browser/parameter will block the attempt to become master, but the client will still have difficulty seeing and being seen in the workgroup/domain.

Woodrow Wayne Collins
See also Microsoft W2K Resource Kit link.

Michael Hopkinson
The actual commands to be applied to the Cisco router are:
"no ip forward-protocol udp NetBIOS-ns"
and
"no ip forward-protocol udp netbios-dgm"
This will prevent each VLAN or segment from seeing the others when sending out NetBIOS broadcasts.  You should end up with a valid master browser in each segment and no longer have these Events on your DC.

Damien Murphy
Related to Cisco routers that have IP helper statements that point back to the DHCP server: This also occurs with "ip-helpering" if the DHCP server is a Windows 2000 Domain Controller holding the PDC Emulator Role (as it is the Domain Master Browser).

EventID.Net
In order to stop this error from occurring, use Regedit and set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList from Auto or YES to FALSE.

This will prevent the computer from attempting to become a Domain Master Browser and compete with Domain Controllers. If the server is a domain controller it is advisable to leave it with the default settings.

Kevin Biddick
Look for NT 4.0 Domain controller that is hosting DHCP and Cisco routers that have IP helper statements that point back to the DHCP server. The default IP helper settings cause master browser elections.

Wednesday, February 27, 2013

Understanding the Terminal Server Session Directory

http://www.brianmadden.com/blogs/brianmadden/archive/2004/11/30/understanding-the-terminal-server-session-directory.aspx
by Brian Madden
I briefly mentioned Session Directory in yesterday's article. I've received a lot of email since then about it, and I think there are several misconceptions about what the Session Directory does and doesn't do. The Session Directory is nothing more than a database that keeps track of which users are running which sessions on which servers. This information is used when a user wants to disconnect from a session and then reconnect back to it in multi-server environments. Without the Session Directory, the system would not know that the user had a disconnected session on a server and might route her to a different server where she would start a new session. In addition to being annoying for the user, this is a waste of resources. A single user could leave many orphan sessions throughout the environment.
Not every multi-server load-balanced environment needs a Session Directory. For example, if your environment is configured so that users are not allowed to leave disconnected sessions on a server, then you won’t need a Session Directory. Also, if you're using a third-party tool like Citrix MetaFrame Presentation Server, then you will not need to use Microsoft's Session Directory since MetaFrame will manage it for you.
One important fact about Session Directory is that by itself, a Session Directory does not enable load balancing. It’s merely one of the three components that make up a load-balanced cluster of Terminal Servers.
  1. Terminal Servers host users’ sessions.
  2. A load-balancing mechanism routes users’ inbound connections.
  3. A Session Directory is the optional component that allows users to reconnect to previously disconnected sessions.
Prior to implementing the cluster, you need to determine if a Session Directory Database will be required. In addition to allowing users to reconnect to disconnected sessions, a Session Directory can restrict users to a single Terminal Server session in the cluster. If you want to use this feature or have the ability to reconnect users to disconnected sessions, you will have to implement a Session Directory.
The downside to using a Session Directory is that the Terminal Servers that participate in it must run at least Windows Server 2003 Enterprise edition, costing about $3000 more than the standard edition of Windows 2003.
Advantages of using Session Directory
  • Allows users to reconnect to disconnected sessions.
  • Allows you to enforce single-session only user policies.
Disadvantages of using Session Directory
  • Requires at least the Enterprise edition of Windows 2003.
  • Requires an external load-balancer.
How the Session Directory Works
The Session Directory is a simple Windows service and a small database that run on a Terminal Server in your environment. When a Terminal Server is configured to participate in a Session Directory, a record is created in this central database each time a session is started. These records are queried or updated by the Terminal Servers in the cluster whenever users log on, log off, or disconnect their session. Users can quickly reconnect to their existing disconnected sessions even though the client has no idea to which server they were attached. The Session Directory service (the database itself) is light (in terms of required resources), and one Session Directory server can handle multiple Terminal Server clusters.
To use the Session Directory in your environment, two configurations are needed:
  1. Install the Session Directory database on the server that will host it.
  2. Configure each of your Terminal Server member servers to participate in that Session Directory.
Configuring the Session Directory Database
You can make any Windows 2003 server into a Session Directory server. It does not have to be running Terminal Services. Furthermore, the Session Directory service is “preinstalled” on every Windows 2003 server. To use it, simply enable the service (Start | Administrative Tools | Services | Double-click “Terminal Services Session Directory” | Change Startup type to “Automatic” | Apply | Click “Start” button).
Several things happen as soon as you start the Session Directory service. First, a folder called “tssesdir” is added to the system32 folder. This folder contains the database and some supporting transaction log and check files.
Also, a local group is created on the server called “Session Directory Computers.” At first this group is empty, but each Terminal Server’s computer account must be added to this group to use the Session Directory on that server. It should be noted that if the Session Directory is started on a domain controller, the “Session Directory Computers” group will be created as a Local Domain group.
Since this service is fairly light, it can easily be run on a file server for smaller implementations. With thousands of users, however, you might consider a dedicated server (or redundant servers).
That’s all there is to it. No GUI configuration tool is needed for the Session Directory service. The task of defining Session Directory clusters falls to the individual Terminal Servers themselves.
Creating High Availability Session Directory Service
The Session Directory can be used to ensure that Terminal Servers are highly-available. However, what happens if the Session Directory itself fails? In addition to losing the ability to make use of the Session Directory features, your users’ logon times will dramatically increase as each Terminal Server tries to connect to the Session Directory server. Therefore, in larger environments, it’s worth spending the money to cluster your Session Directory server. (In this case the term “cluster” is used in its proper sense.)
Since Session Directory is nothing more than a simple database, the only way to make it fault-tolerant is to cluster it. Fortunately, Microsoft wholly supports Session Directory clustering on a Windows Server 2003 Microsoft cluster. While some might feel that clustering such a small service is overkill, losing a Session Directory in a production environment can cause major problems.
Clustering is a complex technology. Entire books have been written about Windows clustering, so we won’t address it here. However, we will discuss the Session Directory-specific cluster components.
At this point, we’ll assume that a two-server Windows 2003 cluster has been created and you’re getting ready to create a new resource. In order to cluster the Session Directory Service, follow these steps:
  1. Set the Terminal Server Session Directory service to “Automatic” on any Windows Server 2003 (Enterprise or Datacenter edition) servers that will host the service.
  2. Verify that the cluster group already exists with the IP address, network name and disk resources to be used for the Terminal Services Session Directory server.
  3. Create a Generic Service resource (MMC Cluster Administrator Snap-in | File | New | Resource).
  4. The New resource wizard is launched. Enter the following information on the first screen:
    • Name (This doesn’t really matter. Most people use something like “TS Session Dir.”).
    • Description (not required for functionality).
    • Configure the Resource type as a Generic Service.
    • Configure the group as the cluster group name already configured for the cluster.
  5. On the next screen, select the nodes in the cluster on which you wish to host the Session Directory Service.
  6. On the Dependencies screen, specify that two resources need to be online before bringing the Session Directory service resource online. These two resources are:
    • The “Physical Disk” resource.
    • The “Network Name” resource.
  7. On the Generic Service Parameters screen, configure the Service name as “TSSDIS,” and check the box next to “Use Network Name for computer name.” TSSDIS.EXE is the EXE that loads the service. Using the network name for the computer name allows computers to connect to this service regardless of which physical server they actually get connected to.
  8. On the Registry Replication screen, the Terminal Services Session Directory Service requires the following: System\CurrentControlSet\Services\Tssdis\Parameters. Notice that this entry does not contain “HKEY_Local_Machine.” Type the entry just as it is listed above to configure the nodes in the cluster to replicate these registry entries between them and allow service settings between servers to be identical.
  9. Once you’re finished with the wizard, verify that the resource appears in the Cluster Administrator and bring the service online (Right-click on the service name | Bring On-line).
  10. Finally, since your Session Directory service is running on multiple servers, create a domain group for use in the Terminal Servers Session Directory local groups on your clustered servers. This domain group should contain all of the computer accounts of the Terminal Servers that will act as clients to the Session Directory Cluster. Once the group is created, add it to the local group on each Session Directory server.
Configuring Servers to Use the Session Directory
Each Terminal Server in your environment must be configured to participate in a Session Directory. At the most basic level, you need to tell each Terminal Server which server it should contact to find the Session Directory and what cluster name it should use. Think of this as a restaurant reservation. In order to meet your friends, you need to know both the name of the restaurant (the Session Directory server) and the name on the reservation (the cluster name).
We’ve mentioned previously that a single Session Directory server can support multiple clusters (just as a single restaurant can support multiple parties). What’s interesting about this is that you don’t configure these cluster names on the Session Directory server itself. Instead, you configure each Terminal Server so that it looks for a specific cluster name on a specific Session Directory server.
In order to host multiple clusters on the single Session Directory server, simply specify the same server for multiple Terminal Servers and give each group of Terminal Servers a unique cluster name in its Session Directory settings. The Session Directory server will manage each cluster separately without any other configuration.
Keep in mind that all Terminal Servers that use a particular Session Directory server, regardless of cluster name, must have their computer account in the “Session Directory Computers” group on the server hosting the directory.
Use the following procedure to configure a Terminal Server to use a Session Directory:
  1. Open the Terminal Services Configuration MMC snap-in and select the “Server Settings” item in the left pane.
  2. Open the Properties page of the “Session Directory” item in the right pane.
  3. On the Properties page, check the box labeled “Join Session Directory.”
  4. Add the cluster domain name to the “Cluster name” field. The actual name you choose is inconsequential and never revealed to clients. Just make sure the name is identical on each server that you want in that cluster.
  5. Enter the Session Directory server name or IP address to the “Session Directory server name” field. (If you’re using a clustered Session Directory, this will be the Network Name of the cluster.)
  6. Ensure that the “IP Address Redirection (uncheck for token redirection)” box is checked. Token redirection is used with some hardware load balancers and is covered later in this chapter.
  7. The final setting on the server is the “Network adapter and IP address Session Directory should redirect users to.” This setting tells the session directory which IP address to send to client computers for redirection, allowing you to control to which network card the client will connect. It also allows you to isolate RDP traffic to a single network card and use a second network card for backend traffic (more on this later).
Configuring Session Directory Options Using a GPO
Since Active Directory will be used in almost every environment where a Terminal Server 2003 Session Directory is used, it’s easiest to configure each server’s Session Directory settings via a GPO (Computer Configuration | Administrative Templates | Terminal Services | Session Directory).
The only setting that you can’t configure via a GPO is the server’s IP address used for IP Address Redirection. This setting doesn’t matter if you are using Routing tokens, but since it’s unique for each server it can’t be set within the GPO. It will have to be set in the Terminal Services Configuration for each server.
=======================================
Windows Server 2003 Terminal Services Session Directory

A. Imagine that you have multiple terminal servers and instead of letting users connect to one of them by individual name (which is problematic), you create a Network Load Balanced (NLB) cluster that collects all the terminal servers into a terminal server farm and users connect to the DNS name or the IP address of the NLB. The incoming connections are then automatically distributed to one of the terminal servers in the NLB cluster. However, if a user disconnects from a session (which means the session is still available on the terminal server) and later attempts to reconnect, the NLB cluster may redirect the user to a different terminal server instance and thus a new session is created on that terminal server.
The solution is a terminal server Session Directory server, which keeps track of user sessions in a simple database. When a user requests a new connection, the Session Directory server checks for the user account and if a disconnected session is found, the server directs the user to resume that existing session.
The Session Directory can run on any server, but ideally, it shouldn't run on any of the terminal servers in the farm. One note, only terminal servers running Windows 2003 Enterprise Edition can communicate with session directory--not the standard edition. To enable the Session Directory on a server, perform these steps:
  1. Log on as Administrator to the server that will host the Session Directory.
  2. Start the Microsoft Management Console (MMC) Computer Management snap-in (Start, Programs, Administrative Tools, Computer Management).
  3. Expand "Services and Applications" and select Services.
  4. Right-click Terminal Services Session Directory and select Properties.
  5. Set the Startup type to Automatic and click OK.
  6. Now select the "Terminal Services Session Directory" and click Start.
The Session Directory database is now stored in the %systemroot%\system32\tssesdir folder, and if you look at the files, you'll see it's an Extensible Storage Engine (ESE) database (the same kind that Microsoft Exchange Server uses). The installation also creates a group called "Session Directory Computers" to which you must manually add the computer accounts of each terminal server that will participate with the Session Directory. (The computer account is the name of the computer with a $ at the end, e.g., savdalts01$.) To configure the terminal servers to use Session Directory, configure each terminal server via the Session Directory setting under Server Settings of the MMC Terminal Services Configuration snap-in. Alternatively, you can use the Group Policy setting under Computer Configuration, Administrative Templates, Windows Components, Terminal Services, Session Directory. Set the "Terminal Server IP Address Redirection" and "Join Session Directory" to Enabled; set "Session Directory Server" to the name of the session directory server and "Session Directory Cluster Name" to the name of the NLB terminal server cluster. The settings will take effect after Group Policy has refreshed. The only setting you might want to check on the terminal servers is the NIC that users are redirected to (if you have multiple NICs), as the figure shows.
 

"Session Directory Computers" group is empty

The "Session Directory Computers" group is empty, you must add the computer accounts of Terminal Servers into this group for the Session Directory service to work properly. 
 
There are two different modes for terminal services:
Remote Administration Mode -- this requires no licenses, it allows administrators to log in and perform maintenance tasks remotely.
Application Mode -- this allows users to log in remotely and do work. This requires a license server, and a license for each user that connects.

In win2k3, installing "Terminal Services" installs application mode, which is what you have done. I would try running it in remote administration mode, which can be found under My Computer properties, in the Remote tab. The only restriction is the number of users that can log in.
------------------------------------
 Try uninstalling terminal services licensing.
-------------------------------------
Remote administration mode was already enabled when I had the terminal server installed. Anything else you can think of that might be causing the problem? btw I uninstalled terminal services and the same thing still happens.
I also get a new warning message from TermServSessDir
The "Session Directory Computers" group is empty, you must add the computer accounts of Terminal Servers into this group for the Session Directory service to work properly.
I still get the same thing. It started to log me on then it boots me right off.
-----------------------------------------
Are you running Active Directory on that box? If so, open up Active Directory Users and Computers from Administrative Tools and go to the Users OU. Find the group "Session Directory Computers", and add your computer to it. If you are not running AD, then I'm not sure. You can try adding your computer to the local group (in Computer Management / Local Users and Groups), but I don't think it'll let you outside of AD.   
-------------------------------------------
I am not running AD. I tried adding my computer to the local group like you said above but it wouldn't let me do it outside of AD. Anyway I fixed the problem. A simple re-installation of remote desktop from the 2k3 cd fixed it. I installed sp1 for 2k3 a while ago and then I had about a month downtime with my comp while I rma'd my crappy koolance water cooled case. After that I got some danger den water block and I built my own watercooled rig. This is the first time I tried remote desktop since I installed sp1. Perhaps that messed something up?? Oh well, it's fixed now. Thanks a lot for your time and your knowledge!!
P.S. looks like I spoke too soon, I used to be able to get in on my end, now I can't, the same thing is happening. I also have a friend who is running 2003 server and he is having the same problem with his. This is really ****ing ****ing me off. Does anyone know if this is a common problem with 2003 server??
P.P.S. Ok this time the problem is definitely fixed. It turned out to be the NVIDIA display driver service. Once that was disabled, everything worked fine again. Totally weird. Anyway, thanks a lot Electro and su root for your input!!

event ID 4319 -NBT error

A duplicate name has been detected on the TCP network.  The IP address of the machine that sent the message is in the data. Use nbtstat -n in a command window to see which name is in the Conflict state.
nbtstat -A gives a conflict status on <00> and <20> on 1 of my domain controllers upon which I recently changed IP address. 
http://technet.microsoft.com/en-us/library/cc723244.aspx
http://compnetworking.about.com/od/windowsnetworking/f/duplicate_name.htm
Answer: The "Duplicate name exists" error indicates the (NetBIOS) name of the Windows computer conflicts with some other name on the network. Most commonly, this happens when another Windows computer on the local network uses the same name. This error can also occur when one of the connected Windows workgroups has the same name as the computer. "Duplicate name exists" errors prevent a Windows computer from joining the network. The computer will start up and function in an offline mode only. To resolve this error, simply change the name of the computer to one that is not used by other local computers (or Windows workgroups), then reboot.
Note that a network administrator should also verify the Windows Internet Naming Service (WINS) is up to date. In rare instances, "Duplicate name exists" is a false error reported when old information is stored in the WINS database.
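The `nbtstat -n` check named in the event text can be scripted. The following is an added example, not part of the quoted articles: it parses a name table and reports the rows in the Conflict state together with what each NetBIOS suffix is used for. The sample output, the names DC01 and EXAMPLE, and the address are constructed.

```python
import re

# Constructed sample of `nbtstat -n` output; names and address are made up.
SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.168.1.10] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    DC01           <00>  UNIQUE      Conflict
    EXAMPLE        <00>  GROUP       Registered
    EXAMPLE        <1C>  GROUP       Registered
    DC01           <20>  UNIQUE      Conflict
    EXAMPLE        <1B>  UNIQUE      Registered
"""

# Meaning of the 16th-byte suffix, keyed by (suffix, type).
ROLES = {
    ("00", "UNIQUE"): "Workstation service (computer name)",
    ("20", "UNIQUE"): "Server service (file and print sharing)",
    ("00", "GROUP"): "domain or workgroup name",
    ("1C", "GROUP"): "domain controllers of the domain",
    ("1B", "UNIQUE"): "domain master browser",
    ("1D", "UNIQUE"): "master browser for the subnet",
    ("1E", "GROUP"): "browser election participants",
}

ROW = re.compile(r"^\s*(?P<name>\S.{0,14}?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
                 r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)\s*$")
NODE = re.compile(r"Node IpAddress:\s*\[(?P<ip>[^\]]*)\]")


def parse_name_table(text):
    """Return one dict per name-table row, tagged with adapter and node IP."""
    rows, adapter, ip = [], None, None
    for line in text.splitlines():
        node = NODE.search(line)
        row = ROW.match(line)
        if node:
            ip = node.group("ip")
        elif row:
            entry = row.groupdict()
            entry["suffix"] = entry["suffix"].upper()
            entry["role"] = ROLES.get((entry["suffix"], entry["type"]), "other")
            entry.update(adapter=adapter, ip=ip)
            rows.append(entry)
        elif line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip()[:-1]      # adapter heading, e.g. "Local Area Connection:"
    return rows


def conflicts(text):
    """Rows whose status is Conflict, i.e. the names event 4319 refers to."""
    return [r for r in parse_name_table(text) if r["status"].lower() == "conflict"]


if __name__ == "__main__":
    for r in conflicts(SAMPLE):
        print("%(adapter)s [%(ip)s]: %(name)s<%(suffix)s> %(type)s -> %(role)s" % r)
```

A conflict on the UNIQUE <00> and <20> names means the computer name itself is contested, which takes down both the Workstation and Server services on that adapter.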
=============================
http://www.computing.net/answers/windows-2003/ip-conflict-problem-on-server/7787.html
First you should make sure that your server IP isn't in a DHCP scope. If it is, change the scope or make an exception.
If not, find the system causing the IP conflict. When your server goes down due to IP conflict, take that opportunity to turn off your NIC and ping -a serverIP to get a name. (of course, easier if computer names are based by room or user)
-----------------------
You could get on the DNS server and look at what names are resolved to the IP. If there is a conflict you should be able to see what machines have that ip.
-----------------------
If you want to avoid an IP conflict, there are several ways.
First, using the nbtstat -A command, you can find who is using your IP address.
The second method is to install an IP conflict protection firewall, something like IP Holder (it can be found on Google). This will remove the conflict popup message on your server or PC. It also protects your IP address from other users. If you install it, other users can never use your IP address.
==============================
http://www.computing.net/answers/windows-2000/duplicate-name-conflict-but-not-sh/65586.html
wins is netbios name resolution
dns is domain name resolution
They are not the same :-)
This error
"Can't find server name for address 192.x.x.x: No response from server".
is usually a result of being on a workstation whose dns entries point to the ISP's dns server, not the local MS dns server.
Confirm the workstation's dns entries in tcp/ip
----------------------------
The dns entries are on the particular server I am having periodic issues with (so they are not pointing to the ISP). The problem arises only after some hours, wherein AD will not open ("Network path was not found"), and nslookup ceases to work ("Can't find server name for address 192.x.x.x").
If I have already opened AD before this fault, I can still use it. Both the opening of AD and nslookup work fine for some hours after a reboot. Sometimes, clearing out the security log and restarting: NT LM Security Support Provider, DNS, and WINS clears the fault for some hours. Otherwise, only rebooting clears it.
----------------------------
I didn't ask about the server. I asked about a workstation and what it was pointed to for dns.
I would suspect the name conflict error you are referring to is what is making your server unreachable.

Windows 7 connection to Server 2003

cannot connect windows 7 to a server 2003
 "An attempt to resolve the DNS name of a domain controller in the domain being joined has failed. Please verify this client is configured to reach a DNS Server that can resolve DNS names in the target domain."
What edition of Windows 7?
Only Professional, Ultimate and Enterprise editions can join a domain.
----------------------------
Either the DHCP is not configured properly to give the computer the proper DNS, or you are using a static IP and have specified the wrong DNS, or simply your DNS cache has not been updated. Let's start with the last one and work our way up. To refresh the cache do...
ipconfig /flushdns
ipconfig /registerdns

You have to do this with elevated rights in Windows 7 so right click in the Command Prompt and select run as administrator.
Then you can see if it is resolving your DC by doing a ping...
ping yourdomainname.local
If it does then try joining if not then look at what is specified in the DNS of your...
ipconfig /all
If it is not your primary Name Server then look at the network connections to correct it or look at your DHCP settings.
You may want to do an NSLOOKUP to make sure the computer is seeing your Name Server and not another.
You may also want to look at your DNS server to make sure the host for the DC is registered.

Tuesday, February 26, 2013

Service-oriented architecture

http://en.wikipedia.org/wiki/SOA_Security
http://en.wikipedia.org/wiki/Service-oriented_architecture
...
Elements of SOA, by Dirk Krafzig, Karl Banke, and Dirk Slama[16]
SOA meta-model, The Linthicum Group, 2007
Service-Oriented Modeling Framework (SOMF) Version 2.0
SOA enables the development of applications that are built by combining loosely coupled and interoperable services.[17]
These services inter-operate based on a formal definition (or contract, e.g., WSDL) that is independent of the underlying platform and programming language. The interface definition hides the implementation of the language-specific service. SOA-based systems can therefore function independently of development technologies and platforms (such as Java, .NET, etc.). Services written in C# running on .NET platforms and services written in Java running on Java EE platforms, for example, can both be consumed by a common composite application (or client). Applications running on either platform can also consume services running on the other as web services that facilitate reuse. Managed environments can also wrap COBOL legacy systems and present them as software services. This has extended the useful life of many core legacy systems indefinitely[citation needed], no matter what language they originally used. SOA can support integration and consolidation activities within complex enterprise systems, but SOA does not specify or provide a methodology or framework for documenting capabilities or services.
High-level languages such as BPEL and specifications such as WS-CDL and WS-Coordination extend the service concept by providing a method of defining and supporting orchestration of fine-grained services into more coarse-grained business services, which architects can in turn incorporate into workflows and business processes implemented in composite applications or portals[citation needed].
As of 2008 researchers have started investigating the use of service component architecture (SCA) to implement SOA.
....

Firewall

A firewall (from English firewall [ˈfaɪəwɔːl], German "die Brandmauer") is a protection system that shields a network or an individual computer from unwanted network access[1] and, in a broader sense, is also one aspect[2] of a security concept.
Every firewall protection system is based on a software component. The firewall software restricts network access based on source or destination address and the services used. It monitors the traffic passing through the firewall and decides, according to defined rules, whether particular network packets are let through or not. In this way it tries to prevent unauthorized network access.
Depending on where the firewall software is installed, a distinction is made between a personal firewall (also desktop firewall) and an external firewall (also called a network or hardware firewall). Unlike a personal firewall, the software of an external firewall does not run on the system being protected but on a separate device that connects networks or network segments and, thanks to the firewall software, simultaneously restricts access between those networks. In this case "firewall" can also refer to the complete system (a device with the function described).[3]
The function of a firewall is not to detect attacks. It is meant solely to enforce rules for network communication. Detecting attacks is the job of so-called IDS modules, which can certainly be built on top of a firewall. They are not, however, part of the firewall module.[4]
The external firewall sits between different computer networks. In this example it restricts access from the Internet (external network; WAN) to the private, self-contained network (internal network; LAN). It does so by, for example, letting through (reply) packets that were requested from inside the internal network and blocking all other network packets.
The software of the personal firewall runs on the computer system being protected and restricts access to that computer's network services there. Depending on the product, it can also try, within its limits, to prevent applications from accessing the network without authorization.

EPESI

http://sourceforge.net/projects/epesi/?source=dlp
EPESI is a web application for managing business information: store, organize, process, link and share records between people within a single company or organization.

The standard features include CRM modules like shared calendar, tasks and address book, an integrated e-mail client Roundcube and unique solutions like advanced permission system, easy form filling (Click2Fill), record change tracking (Watchdog) and full record history.

EPESI CRM is built on top of a high level PHP/Ajax framework with modular design that can be easily customized and modified to match your processes and workflow. The EPESI framework allows rapid development of custom modules and extending functionality of the basic CRM package into full ERP application.

Examples of modules created with EPESI:
List Manager
Campaign Manager
Inventory Management System
e-commerce
Project Tracking for Construction Industry
Medical Records Management System
Scheduling and Attendance Tracking for school
EPESI - web CRM/ERP & PHP/AJAX framework Web Site

Monday, February 25, 2013

event ID 8003 -master browser error

The master browser has received a server announcement from the computer  {...} that believes that it is the master browser for the domain on transport NetBT_Tcpip_{80178446-3157-4DA9-8. The master browser is stopping or an election is being forced.

Common Questions About Browsing with Windows
8003 browsing errors with UDP forwarding
--------------------------
event ID 8003 windows server 2003
try resolutions mentioned in these Microsoft articles and check again: 
http://support.microsoft.com/kb/135464
http://support.microsoft.com/kb/143153
======================
Hundreds of Event 8003 errors on layer 3 network
There will be no consistency about which machine reports that it thinks it is the master browser. This is a symptom, not a cause. When a machine cannot obtain a browse list (because it cannot find a master browser), it assumes that browsing has failed. It then declares itself the master browser to force an election. That is how the system works. The machine which actually triggers the election is not the problem.
  Browsing is an NT legacy app, so it really has nothing to do with AD or DNS. Basically it relies on Netbios names and LAN broadcasts, and originally only worked in a single segment. To enable it to work across routers you need to have WINS and Netbios over TCP/IP, and you need all machines to register with WINS. WINS allows the master browsers to communicate directly (rather than through broadcasts) by converting names to IP addresses.
 First up, make sure that all of your servers have Netbios over TCP/IP enabled. If any of them are multihomed, make sure that only one interface has NBT enabled. Apart from that, debugging browser problems is still the same as it was in NT. The standard tool is browstat. The standard description of browsing is KB188001 and the standard troubleshooter is KB188305.
--------------------

How to reset Internet Protocol (TCP/IP)

http://support.microsoft.com/kb/299357
Intro
One of the components of the Internet connection on your computer is a built-in set of instructions called TCP/IP. TCP/IP can sometimes become damaged or corrupted. If you cannot connect to the Internet and you have tried all other methods to resolve the problem, TCP/IP might be causing it.
Because TCP/IP is a core component of Windows, you cannot remove it. However, you can reset TCP/IP to its original state by using the NetShell utility (netsh).
This article describes two ways to reset TCP/IP. You must be logged on to the computer as an administrator.
Use a manual method to reset TCP/IP for Windows XP
The reset command is available in the IP context of the NetShell utility. Follow these steps to use the reset command to reset TCP/IP manually:
  1. To open a command prompt, click Start and then click Run. Copy and paste (or type) the following command in the Open box and then press ENTER:
    cmd
  2. At the command prompt, copy and paste (or type) the following command and then press ENTER:
    netsh int ip reset c:\resetlog.txt
    Note If you do not want to specify a directory path for the log file, use the following command:
    netsh int ip reset resetlog.txt
  3. Reboot the computer.
Use a manual method to reset TCP/IP for Windows Vista and Windows 7
The reset command is available in the IP context of the NetShell utility. Follow these steps to use the reset command to reset TCP/IP manually:
  1. To open a command prompt, click Start and then type CMD in the Search programs and files box.
  2. Right-click the CMD.exe icon in Programs and choose Run as administrator.
  3. When the User Account Control box pops up, click Yes.
  4. At the command prompt, copy and paste (or type) the following command and then press ENTER:
    netsh int ip reset c:\resetlog.txt
    Note If you do not want to specify a directory path for the log file, use the following command:
    netsh int ip reset resetlog.txt
  5. Reboot the computer.
When you run the reset command, it rewrites two registry keys that are used by TCP/IP. This has the same result as removing and reinstalling the protocol. The reset command rewrites the following two registry keys:
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ 
SYSTEM\CurrentControlSet\Services\DHCP\Parameters\ 
To run the manual command successfully, you must specify a file name for the log, in which the actions that netsh takes will be recorded. When you run the manual command, TCP/IP is reset and the actions that were taken are recorded in the log file, known as resetlog.txt in this article.
The first example, c:\resetlog.txt, creates a path where the log will reside. The second example, resetlog.txt, creates the log file in the current directory. In either case, if the specified log file already exists, the new log will be appended to the end of the existing file.
 811259 How to determine and recover from Winsock2 corruption in Windows Server 2003, in Windows XP, and in Windows Vista

Malware & Co.

How Malware hides and is installed as a Service
A common misconception when working on removing malware from a computer is that the only place an infection will start from is in one of the entries enumerated by HijackThis. For the most part these entries are the most common, but it is not always the case. Lately there are more infections installing a part of themselves as a service. Some examples are Ssearch.biz and Home Search Assistant.
Windows Forensics: Have I been Hacked?
One of the top questions I see on forums is "How do I know if I have been hacked?". When something strange occurs on a computer such as programs shutting down on their own, your mouse moving by itself, or your CD constantly opening and closing on its own, the first thing that people think is that they have been hacked. In the vast majority of cases there is a non-malicious explanation ...
How to delete or rename files and folders that are in use or locked in Windows
One of the more frustrating experiences when using a computer is when you want to delete or rename a file or folder in Windows, but get an error stating that it is open, shared, in use, or locked by a program currently using it.
HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware
HijackThis is a utility that produces a listing of certain settings found in your computer. HijackThis will scan your registry and various other files for entries that are similar to what a Spyware or Hijacker program would leave behind. Interpreting these results can be tricky as there are many legitimate programs that are installed in your operating system in a similar manner that Hijackers get ...
How to remove a Trojan, Virus, Worm, or other Malware
If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are those malicious programs that once they infect your machine will start causing havoc on your computer. What many people do not know is that there are many different types of infections that are categorized in the general category of Malware.

SVCHOST.EXE process


How to determine what services are running under a SVCHOST.EXE process 
By Lawrence Abrams
Table of Contents
  1. Introduction
  2. Determining the services running under a SVCHOST.EXE process using Process Explorer
  3. Determining the services running under a SVCHOST.EXE process using TaskList
  4. Determining the services running under a SVCHOST.EXE process in Windows Vista and Windows 7
  5. Determining the services running under a SVCHOST.EXE process in Windows 8
  6. Advanced Information about SVCHOST.EXE
  7. Conclusion

Introduction
A very common question we see here at Bleeping Computer involves people concerned that there are too many SVCHOST.EXE processes running on their computer. The confusion typically stems from a lack of knowledge about SVCHOST.EXE, its purpose, and Windows services in general. This tutorial will clear up this confusion and provide information as to what these processes are and how to find out more information about them. Before we continue learning about SVCHOST, let's get a small primer on Windows services.
Services are Windows programs that start when Windows loads and that continue to run in the background without interaction from the user. For those familiar with Unix/Linux operating systems, Windows services are similar to *nix daemons. For the most part Windows services are executable (.EXE) files, but some services are DLL files as well. As Windows has no direct way of executing a DLL file it needs a program that can act as a launcher for these types of programs. In this situation, the launcher for DLL services is SVCHOST.EXE, otherwise known as the Generic Host Process for Win32 Services. Each time you see a SVCHOST process, it is actually a process that is managing one or more distinct Windows DLL services.
Outlined below are three methods, depending on your Windows version, to see what services a SVCHOST.EXE process is controlling on your computer as well as some advanced technical knowledge about svchost for those who are interested.

Determining the services running under a SVCHOST.EXE process using Process Explorer
Process Explorer, from Sysinternals, is a process management program that allows you to see the running processes on your computer and a great deal of information about each process. One of the nice features of Process Explorer is that it also gives you the ability to see what services a particular SVCHOST.EXE process is controlling.
First you need to download Process Explorer from the following site:
Process Explorer
Download the file and save it to your hard drive. When it has finished downloading, extract the file into its own folder and double-click on the procexp.exe to start the program. If this is your first time running the program, it will display a license agreement. Agree to the license agreement and the program will continue. When it is finished loading you will be presented with a screen containing all the running processes on your computer as shown in the figure below. Remember that the processes you see in this image will not be the same as what is running on your computer.
Process Explorer Screen
Scroll through the list of processes until you see the SVCHOST.EXE process(es). To find out which services are running within a particular SVCHOST.EXE process we need to examine the properties for the process. To do this, double-click the SVCHOST.EXE entry in Process Explorer and you will see the properties screen for the process like in the image below.
SVCHOST.EXE Properties
Finally, to view the services running in this process, click on the Services tab. You will now see a screen similar to the one below.
Services Tab
This window displays the services that are being managed by this particular SVCHOST.EXE process. As you can see the SVCHOST.EXE that we are currently looking at in this tutorial is managing the DCOM Server Process Launcher and Terminal Services.
Using this method you can determine what services a SVCHOST.EXE process is controlling on your computer.

Determining the services running under a SVCHOST.EXE process using Task List
For those who like to tinker around in a Windows command prompt/console window, and have Windows XP Pro or Windows 2003, there is a Windows program called tasklist.exe that can be used to list the running processes, and services, on your computer. To use task list to see the services that a particular SVCHOST.EXE process is loading, just follow these steps:
1. Click on the Start button and then click on the Run menu command.
2. In the Open: field type cmd and press enter.
3. You will now be presented with a console window. At the command prompt type tasklist /svc /fi "imagename eq svchost.exe" and press the enter key. You will see a list of the processes on your computer as well as the services that a SVCHOST.EXE process is managing. This can be seen in the image below.
TaskList /svc output
When you are done examining the output, you can type exit and press the enter key to close the console window.
Determining the services running under a SVCHOST.EXE process in Windows Vista and Windows 7
Windows Vista and Windows 7 have enhanced their Windows Task Manager and one of its features allows us to easily see what services are being controlled by a particular SVCHOST.EXE process. To start, simply start the task manager by right clicking on the task bar and then selecting Task Manager. When Task Manager opens click on the Processes tab. You will now be presented with a list of processes that your user account has started as shown in the image below.
Windows 7's Current User Processes
We, though, need to see all of the processes running on the computer. To do this click on the button labeled Show All Processes. When you do this, Windows may prompt you to allow authorization to see all the processes as shown below.
Show all Processes Confirmation
Press the Continue button and the Task Manager will reload, but this time showing all the processes running in the operating system. Scroll down through the list of processes until you see the SVCHOST processes as shown in the image below.
All Windows 7 Processes
Right-click on a SVCHOST process and select the Go to Service(s) menu option. You will now see a list of services on your computer with the services that are running under this particular SVCHOST process highlighted. Now you can easily determine what services a particular SVCHOST process is running in Windows Vista or Windows 7.

Determining the services running under a SVCHOST.EXE process in Windows 8
The Windows 8 Task Manager makes it much easier to find what services are running under a particular SVCHOST.exe instance. To access the Task Manager, type Task Manager from the Windows 8 Start Screen and then click on the Task Manager option when it appears in the search results. This will open the basic Task Manager as shown in the screenshot below.
Tip: You can also use the Ctrl+Shift+Esc keyboard combination to automatically open the Task Manager from any screen in Windows.

Minimal Task Manager

To see the list of processes, click on the More details option.

Task Manager More Details

Scroll down until you see the Windows Processes category and look for the Service Host entries as shown in the image below.

Service Host Entries

Next to each Service Host row process will be a little arrow. Click on this arrow to expand that particular Service Host entry to see what services are running under it.

Expanded Service Host entry

Under the expanded Service Host, you will now see the list of services that is running under it. This allows you to easily determine what services a particular SVCHOST process is managing in Windows 8.

Advanced Information about SVCHOST.EXE
Now that we know that a single SVCHOST.EXE process can load and manage multiple services, what determines what services are grouped together under a SVCHOST instance? These groups are determined by the settings in the following Windows Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST
Under this key are a set of values that group various services together under one name. Each group is a REG_MULTI_SZ Registry value that contains a list of service names that belong to that group. Below you will see standard groups found in XP Pro.
Group Name | Services in the group
LocalService | Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
NetworkService | DnsCache
netsvcs | 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS, ShellHWDetection, helpsvc, xmlprov, wscsvc, WmdmPmSN
rpcss | RpcSs
imgsvc | StiSvc
termsvcs | TermService
HTTPFilter | HTTPFilter
DcomLaunch | DcomLaunch, TermService
Each of the service names in these groups corresponds to a service entry under the Windows Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Under each of these service entries there is a Parameters subkey that contains a ServiceDLL value which corresponds to the DLL that is used to run the service.
When Windows loads, it begins to start services that are set to enabled and have an automatic startup. Some services are started using the SVCHOST.exe command. When Windows attempts to start one of these types of services and there is currently no svchost instance running for that service's group, it will create a new SVCHOST instance and then load the DLL associated with the service. If, on the other hand, there is already a SVCHOST process running for that group, it will just load the new service using that existing process. A service that uses SVCHOST to initialize itself provides the name of the group as a parameter to the svchost.exe command. An example would be:
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
In the above command line, the svchost process will look up the ServiceDLL associated with the service name from the DcomLaunch group and load it.
This can be confusing, so let's use an example. There is a Windows service called Distributed Link Tracking Client which has a service name TrkWks. If we examine the table above, we can see that the TrkWks service is part of the netsvcs group. If we look at the Registry key for this service we see that its ServiceDLL is %SystemRoot%\system32\trkwks.dll. Therefore, using this information and what we learned above, we know that the executable command for the TrkWks service must be:
C:\WINDOWS\system32\svchost.exe -k netsvcs
When the TrkWks service is started Windows will check to see if there is a SVCHOST process for the netsvcs group already created. If not it will create an instance of one to handle services in the netsvcs group. The SVCHOST process for netsvcs will then start the service by executing the %SystemRoot%\system32\trkwks.dll. Once the DLL has been loaded by SVCHOST the service will then be in a started state.
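The group-to-service-to-ServiceDLL chain described in this section can be checked mechanically. The following is an added example, not code from the tutorial: it verifies that every svchost-hosted service is listed in the group its command line names and that its ServiceDLL resolves under system32. The sample data is constructed, and the services ExampleSvc and OddSvc are hypothetical; on Windows the script reads the two registry keys named above instead.

```python
"""Cross-check svchost groups against each service's ImagePath and ServiceDll."""
import ntpath
import os
import re

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None

SVCHOST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

# Constructed sample, not read from a real machine. ExampleSvc and OddSvc are
# hypothetical services added so that each check produces one finding.
SAMPLE_GROUPS = {
    "netsvcs": ["TrkWks", "ExampleSvc", "OddSvc"],
    "termsvcs": ["TermService"],
    "DcomLaunch": ["DcomLaunch", "TermService"],
}
HOST = r"%SystemRoot%\system32\svchost.exe -k "
SAMPLE_SERVICES = {
    "TrkWks": {"ImagePath": HOST + "netsvcs",
               "ServiceDll": r"%SystemRoot%\system32\trkwks.dll"},
    "TermService": {"ImagePath": HOST + "DcomLaunch",
                    "ServiceDll": r"%SystemRoot%\System32\termsrv.dll"},
    "ExampleSvc": {"ImagePath": HOST + "netsvcs",
                   "ServiceDll": r"C:\Documents and Settings\user\Temp\example.dll"},
    "OddSvc": {"ImagePath": HOST + "LocalService",
               "ServiceDll": r"%SystemRoot%\system32\oddsvc.dll"},
}


def expand(path, system_root=r"C:\WINDOWS"):
    """Expand %SystemRoot%, collapse '..' and normalise case the Windows way."""
    path = re.sub(r"%systemroot%", lambda m: system_root, path, flags=re.I)
    return ntpath.normcase(ntpath.normpath(path))


def hosted_group(image_path):
    """Return the group named after -k in an ImagePath, or None."""
    match = re.search(r"svchost(?:\.exe)?\"?\s+-k\s+(\S+)", image_path, re.I)
    return match.group(1) if match else None


def audit(groups, services, system_root=r"C:\WINDOWS"):
    """Return (service, finding) tuples that deserve a manual look."""
    sys32 = expand(r"%SystemRoot%\system32", system_root) + "\\"
    listed_in = {}
    for group, names in groups.items():
        for name in names:
            listed_in.setdefault(name.lower(), set()).add(group.lower())
    findings = []
    for name, cfg in sorted(services.items()):
        group = hosted_group(str(cfg.get("ImagePath", "")))
        if group is None:
            continue  # stand-alone EXE service or driver, not svchost-hosted
        if group.lower() not in listed_in.get(name.lower(), set()):
            findings.append((name, "ImagePath says -k %s, group does not list it" % group))
        dll = cfg.get("ServiceDll")
        if not dll:
            findings.append((name, "no Parameters\\ServiceDll value"))
        elif not expand(dll, system_root).startswith(sys32):
            findings.append((name, "ServiceDll outside system32: %s" % dll))
    return findings


def load_from_registry():
    """Read groups and per-service values from the live registry (Windows)."""
    hklm, groups, services = winreg.HKEY_LOCAL_MACHINE, {}, {}
    with winreg.OpenKey(hklm, SVCHOST_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = value count
            name, data, kind = winreg.EnumValue(key, i)
            if kind == winreg.REG_MULTI_SZ:
                groups[name] = list(data or [])
    with winreg.OpenKey(hklm, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):  # [0] = subkey count
            svc, cfg = winreg.EnumKey(root, i), {}
            for sub, value in ((svc, "ImagePath"), (svc + r"\Parameters", "ServiceDll")):
                try:
                    with winreg.OpenKey(root, sub) as k:
                        cfg[value] = winreg.QueryValueEx(k, value)[0]
                except OSError:
                    pass  # key or value absent
            services[svc] = cfg
    return groups, services


if __name__ == "__main__":
    root_dir = os.environ.get("SystemRoot", r"C:\WINDOWS")
    data = load_from_registry() if winreg else (SAMPLE_GROUPS, SAMPLE_SERVICES)
    for service, finding in audit(*data, system_root=root_dir):
        print("%-16s %s" % (service, finding))
```

A finding is a prompt to look at the service, not a verdict: third-party services can legitimately keep their DLL outside system32. TermService passes the group check because the table lists it under several groups, including DcomLaunch.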

Conclusion
Now that you understand what SVCHOST.EXE is and how it manages certain Windows services, seeing multiple instances in your process list should no longer be a mystery or a concern. It is not uncommon to see numerous SVCHOST entries, sometimes upwards of 8 or 9 entries, running on your computer. If you are concerned with what is running under these processes, simply use the steps described above to examine their services. If you are unsure what a particular service does and need help, feel free to ask any question you may have in one of our Windows forums.