Question:

I have a Windows XP SP2 machine that requires IIS running only sometimes, so I set these service to Manual startup (I use a script to start them when I need them):

IIS Admin
Simple Mail Transfer Protocol (SMTP)
World Wide Web Publishing

However when I boot the machine I can see that INETINFO.EXE is running anyway.

Is there a way to prevent this?

Answer:

I presume what you are really asking is this:

"Since I set these services to manually start up, and I did not perform any action to start them, why is IIS Admin (INETINFO.EXE) still running when I reboot the machine? At the conclusion of a clean reboot, shouldn't only services set to Automatically start up be running?"

In other words, are we just seeing one more "security" bug in Windows where manual services incorrectly start on machine reboot? Or is there some other plausible explanation?

Service Startup 101

When you set NT services to Manual startup, it means that they require external intervention to start. This intervention could be in the form of:

  • User performing action to change service state
  • Code performing action to change service state

Now, you are probably assuming that since rebooting a machine stops all non-automatic startup services, and you performed no user action to start INETINFO.EXE, then the fact that you see INETINFO.EXE running after a system reboot must indicate an "issue" in Windows which you want to prevent.

However, I want to suggest maybe, just maybe, that one of the Startup programs or services you configured to startup automatically is triggering a service state change of IISADMIN such that INETINFO.EXE is running. How is this possible?

HOWTO Start IISADMIN without involving "Services"

Let me show you one way to start a service like IISADMIN by merely running code unassociated with service configuration.

  1. Type the following code snippet into a file named "StartIISADMIN.vbs":
    GetObject( "IIS://localhost" )
  2. Type the following command sequence into another file named "IISAdminTest.bat":
    @ECHO OFF
    SETLOCAL
    SET SVC=IISADMIN
    SET SCRIPT=%~dp0StartIISADMIN.vbs
    
    IF NOT EXIST "%SCRIPT%" (
        ECHO Cannot find "%SCRIPT%" test script. Aborting.
        GOTO :EOF
    )
    
    ECHO Setting %SVC% to manual startup...
    SC CONFIG %SVC% start= demand
    
    ECHO Stopping %SVC% with NET STOP...
    NET STOP /y %SVC%
    
    ECHO Verify that %SVC% is:
    ECHO - Manual    Startup --^> START_TYPE : 3 (DEMAND_START) 
    ECHO - Currently STOPPED --^> STATE : 1 (STOPPED)
    SC QC %SVC%
    SC QUERY %SVC%
    
    PAUSE
    
    ECHO Running normal admin script which does not explicitly start %SVC%...
    IF EXIST "%SCRIPT%" (
        CSCRIPT "%SCRIPT%"
    ) ELSE (
        ECHO Cannot find "%SCRIPT%" test script. Aborting.
        GOTO :EOF
    )
    
    PAUSE
    
    ECHO Verify that %SVC% is now:
    ECHO - Manual    Startup --^> START_TYPE : 3 (DEMAND_START) 
    ECHO - Currently RUNNING --^> STATE : 4 (RUNNING)
    SC QC %SVC%
    SC QUERY %SVC%
    ENDLOCAL
  3. Now run IISAdminTest.bat

Notice that no where did I run things like "NET START IISADMIN" to explicitly start the IISADMIN service. Yet, by the end of the batch file, IISADMIN service is running and the INETINFO.EXE process exists.

This is because Windows will demand-start services to fulfill interface requests like GetObject() - and this behavior is by-design. Surely you do not want Windows asking you:

  • "Do you want to start the DMADMIN and DMSERVER services?" every time you run DISKPART or DISKMGMT.MSC to check on your disk partitioning
  • "Do you want to start the HELPSVC service?" every time you press F1 for help or want to send a Remote Assistance request
  • "Do you want to start the SPOOLER service?" every time you want to print something in Windows
  • "Do you want to start the TERMSERVICE service?" every time you want to Remote Desktop into this machine

Try setting those services to manual startup and tell me which user experience you prefer...

However, it should be clear that even if IISADMIN is configured to start up manually, code analogous to the above example can trigger the service to startup.

Conclusion

So, your real question is:

"How do I detect what program is starting IISADMIN and how do I stop it?"

Well, I do not know of any auditing of process or DLL that initiates service state change, but I can suggest one pragmatic approach:

Set IISADMIN service startup to DISABLE. Now reboot the machine. If the culprit is written well, it should log or display some complaint about failure to detect IIS status. Presumably, that program is interested in IIS status or configuration, and by denying that program access, it should log or display an error if it is well written and actually interested in obtaining IIS status. Bam! Caught red-handed!

//David