Home and Links
 Your PC and Security
 Server NAS
 DVD making
 Raspberry Pi
 PIC projects
 Other projects
 Next >>

Windows XP - beyond nLite

Beyond nLite

How small can I go ?

The minimum installed nLite system is approx 230Mb. However this 'minimum' build still contains numerous tmp, log, cached (and some other duplicated) files plus 29 services, of which only 19 are normally running. Many (WebClient, ICS, Wireless Zero Config, Bluetooth & IR device support) are included simply because I specified Ethernet support and these files & services 'came along for the ride', some (IPSEC, NT LM) are included 'just in case' your computer is ever connected to a Corporate DOMAIN, whilst others (HID, Server, Windows Installer) seem to have been included as part of the 'basic functionality'.

The 230Mb nLite will INSTALL onto a 512Mb partition. After install you can CLONE it down to a 256Mb partition
There is no point in reducing the install and Sysprep'ing it UNLESS you need to install direct onto other 256Mb partitions

Say you are using 256Mb DOM / CF / USB on your nodes. You add a temp C: hard disk formatted to 512Mb FAT & install the 230Mb nLite onto the hard disk. You then reduce the 512Mb partition to 256Mb and CLONE it across to the 256Mb device. Finally you remove the hard disk and go onto the next node ..

List the tmp / log / cache etc. files that can be deleted ?

Of course :-)

C:\dell\ (7 files, 242,720 bytes) = the whole folder can go

C:\windows\system32\dllcache\*.*, 20 files (6,297,266 bytes) = the whole folder can go

This folder should have been removed when Windows File Protection was disabled, however somehow nLite leaves it behind full of .cat files ??

C:\WINDOWS\Driver Cache\i386\*.*, 2 files (5,088,098 bytes)

The 2 files, sp2.cab & driver.cab are included so you don't have to supply the Windows Install CD when 'rolling back' a driver (or installing 'new' Hardware)

C:\WINDOWS\repair\*.*, 8 Files (4,067,838 bytes). Registry back-up (copy of the Registry at time of install or last MS Back-up)

C:\WINDOWS\security\ complete. Consisting of 3 subfolders, \templates, 5 Files (719,214 bytes), \logs, 3 File (105,842 bytes), \Database, 1 file (3,153,920 bytes) for a total of 9 files, 3,978,976 bytes

Templates for changing Security settings and log files of changes

C:\WINDOWS\WinSxS\Manifests\*.cat (12 files, 88,203 bytes) [you have to leave the .manifest files]

C:\WINDOWS\system32\CatRoot2\*.*, 13 Files (2,378,533 bytes), & both sub-folders {127D0A1D-4EF2-11D1-8608-00C04FC295EE} 2 File (1,056,776 bytes) & {F750E6C3-38EE-11D1-85E5-00C04FC295EE} 2 Files, (3,153,928 bytes), total 6.5Mb.

CatRoot relates to the base system install, however CatRoot2 appears to be used only during Service Pack 2 install. Since you are never going to uninstall and re-install sp2, it's not needed

C:\windows\ *.log 31 files (1.6Mb), *.tmp 4 files (2.1 Mb), *.txt 4 files (0.3 Mb)

At least 13 of the .log files are held 'open' when windows is running (3 UsrClass.dat.log, 4 NTUSER.dat.log, PASSWD, default, SAM, SECURITY, Software, System). They can still be deleted by booting from a DOS floppy, however sys-prep should clear them anyway

C:\windows\inf\*.pnf, 73 files (approx 4.7Mb). These are complied from the matching .inf files when the .inf is used (typically during installation). I guess nLite leaves them behind to save time 'in case' you want to re-process the build.

A 'search' of the whole C: drive reveals 11 more *.pnf files hiding in the c:\windows\dell sub-folders (92,432 bytes) that can also go

A quick note re: .pnf and .inf files

A .pnf is a 'compiled' version of an .inf file. When an .inf file is needed and no .pnf found, one is created. This means you can discover if an .inf file is being 'used' for anything by checking to see if a matching .pnf's is created. The problem is, you won't know for sure until AFTER you have run sysprep, cloned the image to a 'real' processing 'node' and actually started to run SETI

Your system should now be approx 218Mb (mine was 228,827,136 bytes) on a 512Mb FAT partition. This will fit onto a 256Mb partition with no problems (n fact, when you reduce the partition size from 512Mb to 256Mb, you will gain a few Mb more space by going from 8k clusters to 4kb clusters). You may wish to take a quick look at what services you can stop & remove (see below), however ...

... there is no point spending lots of time squeezing the install further unless you REALLY need the space

At this point I suggest you proceed directly to my Using sysprep page.

If you continue below, you should minimise REBOOTING.
Each time you re-boot it will cost you approx 1Mb in additional 'log' file space

What 'components' are left behind by nLite ?

Quite a few. Here's a short list of what can be removed

The Windows Optional Components Wizard & Disk Cleanup

C:\WINDOWS\system32\Setup\*.* (4 Files, 162,304 bytes), C:\WINDOWS\system32\ loadperf.dll, ocmanage.dll, resutils.dll, sysocmgr.exe, , COMRES.DLL, CLEANMGR.EXE, compact.exe, dataclen.dll

System Profile

A 'dummy' structure for 'new users'. If you are never going to create any new users, you don't need the C:\WINDOWS\system32\config\systemprofile\ folder structure (69 folders, 3 files, 4,273 bytes). To delete this, you may have to reboot in Safe Mode

C:\WINDOWS\Web folder complete

Another 'just in case' - this time in case you want to print something from the web. 4 Files, 7,828 bytes

C:\WINDOWS\system32\wbem folder complete

This is the WMI (Windows Management Instrumentation) Service support structure. Since it's 28Mb's in size, it's a prime target for space saving. See WMI Service below


In C:\WINDOWS\Fonts, you can eliminate :-
15 .fon files 323,408 bytes (ega80850.fon 5,328, ega40850.fon 8,384, sseriff.fon 89,856 (NOT sserif.fon), seriff.fon 81,728 (NOT serif.fon), courf.fon 31,712, smalle.fon 26,112, smallf.fon 21,504, vga863.fon 5,200, vga865.fon 5,184, vga860.fon 5,184, cga40850.fon 6,352, 8514oem.fon 12,288, 8514fix.fon 10,976, 8514sys.fon 9,280, ga80850.fon 4,320)

13 .ttf files 2,245,842 bytes (trebucbi.ttf 131,188, trebucit.ttf 139,288, couri.ttf 245,032, timesbi.ttf 239,692, courbi.ttf 236,148, l_10646.ttf 323,980, courbd.ttf 312,920, cour.ttf 303,296, wingding.ttf 81,000, lsansdi.ttf 60,664, lsansi.ttf 59,636, lsans.ttf 58,740, lsansd.ttf 54,320)

Then delete the C:\WINDOWS\system32\FNTCACHE.DAT and reboot your system

At this point your image will be about 195 Mb or less.
My next step would be to reduce C: partition to '256' Mb

How do I reduce the C: partition ?

Download the GParted Live .iso & burn to CD. The CD is bootable - just place it into the CD drive, turn on your 'master', let it boot the CD & select GParted.

Set the new size = 255 Mb (if you set 256, GParted will, in fact, use 256.97 and your 'cluster size' will remain as 8kb = set it to 255 and the cluster size will be reduced to 4kb)

GParted will ask if you want to use FAT32 - make sure to select 'N' = no !

On reducing the C: partition to 255 Mb, you will have saved another 3Mb, taking your image to 192 Mb or less.
If you are aiming at the smallest possible RAMdisk, by all means continue below
Otherwise I suggest you go direct to my Using Sysprep page

What about the Dell OEM files ?

If you started with a Dell XP System CD, nLite will have found the Dell files in the $OEM$ folder. These will be unpacked and installed into c:\windows\dell (6 folders, 58 files, 2,534,547 bytes). They all relate to various Dell RAID solutions, however whilst the files are not actually needed, references will have been added to the Registry that 'marks' them as part of the basic Hardware driver set. So you can't just delete them without risking total boot failure (although you MAY be OK if the .sys files were copied to the C:\Windows\System32\drivers\ folder before being installed)

C:\WINDOWS\dell\a320raid is for the Dell Precision 470 with an Adaptec U320 SCSI HostRAID Controller card
C:\WINDOWS\dell\cercsr6 is for the Dell CERC (Cost effective RAID Controller) SATA 6 channel Miniport Driver (from Adaptec)
C:\WINDOWS\dell\aarich is the driver for the on-board SATA software RAID
C:\WINDOWS\dell\aac is for Dell CERC SATA 2 channel RAID controller drivers
C:\WINDOWS\dell\nvraid is the Dell NVIDIA nForce RAID Driver
C:\WINDOWS\dell\iastor is the driver for the Dell motherboard Intel Matrix Storage Manager & supports Dell 'DataSafe' RAID Mirror (required if SATA Operation is set in the BIOS to 'AHCI' mode, not needed if set to 'ATA' mode)

Before deleting the c:\windows\dell folder, the Registry will have to be modified. For clues on what is needed, see here.

Essentially, the following Dell files may be 'loaded' and 'registered' during install to 'support RAID' (even if you don't have any) :-
iastor.sys, a320raid.sys, aarich.sys, aac.sys, cercsr6.sys, afamgt.sys, NvAtaBus.sys, nvraid.sys, symmpi.sys, megasas.sys

What's the best way to remove the OEM Dell RAID support files ?

The 'ideal way' to get rid of them is to change the nLite generated 'setupreg.hiv', HKLM, the \controlset001\services\iastor sub-key so they are never loaded in the first place. One way to do this is to modify the boot CD .ISO generated by nLite before 'burning it'.

This is not as easy it it seems - 7-zip, for example, can only EXTRACT files from an .iso, and the same applies to Microsoft's own 'Virtual CD' driver ('winxpvirtualcdcontrolpanel_21.exe' = 'read only'). Whilst Daemon Tools Pro Standard will 'do the job' it's a 20 day 'free trail'. Alternatives are Ultra ISO, Magic ISO and Power ISO, all of which are limited to 300Mb unless paid for (which is more than enough for any sensible nLite build).

Ultra ISO claims to support direct edit of files withing the .iso image. See here to use Power ISO (essentially you need to 'extract' & then delete the .hiv from the .iso, mod the .hiv 'off line' then 'add' it back in

To access the iastor subkey, navigate to the i386 folder where the setupreg.hiv is found and extract the file from the .iso. Then change the key permissions using the Microsoft SubInAcl command line tool (load it into regedit (giving it an appropriate name eg 'modded') and change the iastor subkey permissions to 'match' the permissions of the main key (which you can access) & then unload the modded hive) :-

reg load HKLM\modded setupreg.hiv
subinacl /subkeyreg hkey_local_machine\modded\controlset001\services\iastor\ /objectcopysecurity=hkey_local_machine\modded\controlset001\services
reg unload HKLM\modded

Finally, you place the modded setupreg.hiv back in the .iso i386 folder and 'burn' the CD (and hope modding the .iso has not upset it's boot capability)

This is all a real pain, so instead I focus on deleting files AFTER they have been installed onto your 'master' (and before using sysprep to 'roll out' (clone) an image to your nodes)

Remove the unused Dell RAID support files after installation ?

Since you will have already set nLite to disable Windows File Protection (WFP), all you have to do is track them down and delete them

What Services can I remove ?

Any service in XP Pro that is not found in XP Home will TYPICALLY have been added for the benefit of Corporate DOMAIN IT staff (i.e. back-doors and remote controls so the IT Staff can 'manage' the employee 'remotely' without needing to 'bother them' by asking)

Almost all of the services are unnecessary and can be disabled and (after 'unregistering' the DLL's & rebooting) removed. Whist stopping the unwanted Services is easy enough, tracking down the components (DLL's) and removing them without affecting the functionality we want to keep is another matter

Some of the many sites I have used in an attempt to discover what's needed (and what's not) include Blackviper, the Elder Geek and here for information on what a Service does. For what DDL's can be removed, I used manually removing the trash and XPLite Professional (by comparing 'before & after' directory listings using the Open Source WinMerge file comparison tool).

I also used Microsoft's own ListDLLs v3.1, the freeware Dependancy Walker and DLL Show tool to see what DLL's some of the Services actually needed & used

The MS SysInternals ListDLLs v3.1 is a command line tool that allows you to discover what .DLL's a Service actually uses (the Windows 'sc' command can be used to discover the names of running services, which can then be 'fed' to ListDLLs to find out which is using what)

How do I delete a DLL ?

First you must 'unregister' the DLL = from a 'cmd' prompt type regsvr32 /u {filename}.dll where 'filename' is the dll you want to unregister (so, for example, to unregister the DNS Service DLL 'dnsrslvr.dll' found in C:\windows\system32, you would type regsvr32 /u C:\windows\system32\dnsrslvr.dll)

Then just delete it from the System32 folder - so long as Windows file Protection (WFP) is 'off' there will be no copy in the \dllcache folder and Windows will not 'complain' or make any attempt to 'replace' it

You should always unregister a .dll before deleting it. This saves space in the Registry and avoids Windows throwing up 'file not found' errors

Is there a simple way to 'unregister' (or re-register) a file ?

Yes - edit your Registry to add a 'right click' function for all dll (and ocx) files. Then all you need to do is select them & 'right click'

Copy the below into a text file called (eg.) 'newRClik.reg' & double click it to do create the entries

Windows Registry Editor Version 5.00

;Add register / unregister option to the RightClick menu for .dll files
"Content Type"="application/x-msdownload"
@="Application Extension"
@="regsvr32.exe \"%1\""
@="regsvr32.exe /u \"%1\""

;Add register / unregister option to the RightClick menu for .ocx files
@="regsvr32.exe \"%1\""
@="regsvr32.exe /u \"%1\""

Is there an 'automatic' way to delete the crap ?

Well, yes, sort of. You can try XPLite Professional. The paid for version ($40) is able to remove some of the Services mentioned below (marked 'xpl'). XPLite can be run on your nLite'd 'master' install before creating the sys-prep'd version for roll out to your SETI 'slave' nodes.

The MAJOR annoyance of running XPLite on an already cut-down nLite install is that it displays the list of services & components that exist on a 'full' system install, and does NOT indicate what actually exists on your hard disk. This means if you 'slip up' and fail to 'untick' some box, XPLite will ACTUALLY try to PUT BACK items already removed !

Perhaps of more concern is that XPLite appears to rely on some parts of Windows (such as Windows Installer & Windows .inf files) in order to perform the uninstall which (of course) means it's going to fall over if you already removed one of the files & services it relies on :-).

The final problem with XPLite is that it insists on 'saving' it's changes. First it defaults to turning ON Windows File Protection (although you can actually turn it off again before running), and then it insists on creating a 'Last Known Good' check point - which is 'nice' (since that lets you recover from a major slip-up) but this means XPLite actually INCREASES the used disk space whilst running so, if space is tight, it may well fall over with an 'out of disk space' error before completing the 'removal' !

After running XPLite, in addition to manually removing the 'Last Known Good' you will also have to go through and manually remove all it's log files

All of the above problems led me to drop XPLite (after paying the $40 :-( ) and rely on creating my own 'batch files' instead

What services has nLite included & why would I need them ?

The 'started' Services

Cryptographic Services

"Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates" ...

Whilst it's main functions are only useful in a Domain, it also keeps a list of the 'unsigned drivers' you OK'd to install. If you have installed any 'unsigned' drivers & remove this Service you get 'Warning - Unsigned Driver' pop-ups every time you boot. It's also needed by Windows Update or to install Service Packs (to confirm the signatures) and plays a role in helping Task Manager. May also be required to support SSL (https)

If your only Drivers are signed (or you don't care about the pop-ups), you can disable & remove C:\WINDOWS\system32\cryptsvc, softpub.dll, wintrust.dll, initpki.dll, dssenh.dll, rsaenh.dll, cryptdlg.dll, gpkcsp.dll, sccbase.dll, slbcsp.dll (& licdll.dll?).

Signatures for Service Pack 2 are kept in \System32\catroot2\*.* = the log of sigs. is 'edb.log'

You can remove the entire contents of C:\system32\catroot2 folder ... (you have to 'stop' the Cryptographic Services before Windows will allow you to delete the catalogue file). During normal running, if any \*.cat file is required but not found, Windows creates "dberr.txt" in C:\WINDOWS\system32\CatRoot2 (which will indicate what .cat file it is looking for).

You can also delete the contents of the catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\ folder

DCOM Server Process Launcher

"Provides launch functionality for DCOM services"

Yeah, right - Wikipedia reveals that DCOM is 'a proprietary Microsoft technology for communication among software components distributed across networked computers' i.e. it provides a route for hackers to access your computer. It's needed by RPC, Disk Defragmenter, Windows Firewall service and Windows Installer. Apparently it's also responsible for launching any Service you marked 'manual'.

Whilst DCOM does not exist in XPHome, nor, indeed in XP Pro before sp2 (so it's hard to see why you would ever need it) it turns out that RPC is now dependant on DCOM. RPC allows processes to communicate with one another and, using DCOM, across the network. Functions dependant upon RPC include Print Spooler, Windows Updates, Windows Installer and Network Connections.

Since I do, in fact, need Network Connections (for 'Map drive'), I need RPC, which forces me to keep DCOM

If you want to experiment eg by swapping out the XPpro RPC dll set for those in XPHome (to remove the DCOM dependency) you will need to disable DCOM first. Since DCOM can't be disabled from 'Services' you have to edit the Registry.

Disable with care - some users report their system goes into a continuous reboot cycle when DCOM is disabled ! (most likely this is because they are still using the XP Pro WinLogon which is attempting to access the network and find a DOMAIN = if you have already replaced WinLogon with MinLogon you should be OK - if not, I hope you remembered to include the Recovery Console :-)

For those who want to risk it, in regedit, locate HKEY_LOCAL_MACHINE\Software\Microsoft\OLE, change the 'EnableDCOM' (string value) to 'N'. Changes take effect on reboot. Once it's disabled you can then try tracking down (& replacing) the DLL's

DHCP Client

"Fetches the computers IP address, Default gateway & DNS addresses using DHCP"

Can be removed if you are prepared to enter the computers IP Address etc. manually. You can set-up IP in nLite along with the Default Gateway etc. (or by using Notepad on the 'answer file' (.sif)) but would have to manually edit the IP on each node (so each is unique) which would prevent fully automatic unattended install & run (i.e. install & run from a RAMdisk on power-on).

I leave DHCP in to avoid the need to manually change IP addresses for each node

DNS Client

"Resolves and caches Domain Name System (DNS) names for this computer".

What this MEANS is, allows a virus or 'phishing' attack to 'override' REAL web site address by placing fake ones in your local 'cache' (thereby directing you to a 'spoof' web site). It is only needed in a DOMAIN (so you can locate the Active Directory Servers & log-on)

When you Disable this Service, your PC has to go out onto the web and ask a real DNS Server for the real address of a web site you want to visit. Plainly it's a lot harder for criminals to place 'fake' addresses on your ISP's DNS Servers (or the super-protected Internet root-DNS Servers).

To delete the entries in the "DNS resolver cache", open a CMD window & type 'ipconfig /flushdns'. Then Disable & delete C:\WINDOWS\system32\dnsrslvr.dll.

Note - the MS 'wizard' that you may be tempted to use to 'Repair network connection' will fail if the DNS Client service is not running

Whilst here, the C:\WINDOWS\system32\drivers\etc\*.* can be deleted (5 Files, 12,739 bytes) - these files support NetBIOS/NetBUI (an ancient DOS level networking protocol used to 'map shares' etc. before TCP/IP & DNS)

Event Log

"Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped."

Whilst you "can't" stop this in XP, apparently Windows 7 is quite happy for you to stop it !

Too much aggro trying to stop = I just leave it on auto

HID Input Service (Human Interface Device)

"Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices"

Actually, it's only needed for extra 'special' (as opposed to the 'normal', built in) Hot Keys. May be useful if you are building a 'Media center' & want to use a 'remote control' (assuming your remote control does not come with it's own proper drivers) - otherwise it's just another waste of space

Disable & delete C:\WINDOWS\system32\HidServ.dll

Network Connections

"Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections"

Usual MS double-talk .. all it does is 'manage' (track) network 'connectivity' for those who like to play with their (dial up) connections. Needed for Windows Firewall & Internet Connection Sharing (ICS). If you disable this service, you will no longer see the 'Network Connected' icon in the system tray - connectivity, however, still exists.

Disable and check SETI still finds Berkley .. if so, you remove the following :-

C:\WINDOWS\system32\HNETCFG.DLL, hnetmon.dll, hnetwiz.dll, ncpa.cpl, ncxpnt.dll

Network Location Awareness (NLA)

"Collects information about your local network and notifies applications ...."

Required (only) if you are running ICS (Internet Connection Sharing i.e. using your computer as a 'gateway'/'proxy' for other machines to reach the Internet) or Windows Firewall or if you are using WiFi (and keep moving your computer from one coffee shop to another, i.e. need to set up a new 'profile') ...

Disable, but if you remove it's Mswsock.dll you get "MSIE is unable to connect to the internet" & the same may apply to SETI ...

Plug and Play

"Enables a computer to recognize and adapt to Hardware changes with little or no user input. Stopping or disabling this service will result in system instability"

BUT, if you DON'T change your Hardware, do you need it ???

Plainly you can't remove it before 'rolling out' your 'master' build to the 'slave' nodes (unless the node Hardware is TOTALLY identical to the master) .. however it might be possible to remove it later

Too risky to play with, I just leave it set to 'automatic'

Remote Procedure Call (RPC)

"Provides the endpoint mapper and other miscellaneous RPC services"

Whilst nothing seems to need RPC Locator service (which nLite doesn't even install), RPC itself seems to be used by just about everything !

Prior to sp2, this was set to 'manual' - so set it to manual and see if it actually 'starts'. If it never starts, you can spend some time tracking down & deleting its component parts (starting with 'rpcss')

Security Accounts Manager

"Stores security information for local user accounts"

Needed for NTFS Encryption, Secondary Logon & Fast User switching. Since we are building on a FAT partition (and have removed Secondary Logon & Fast User switching) and (see later) will be auto-logging in as 'System', this is just a total waste of space

Disable & delete C:\WINDOWS\system32\SCECLI.DLL

Note - to allow Windows to continue booting, the other SAM dll files (samlib, samsrv & scesrv) must NOT be deleted !


"Supports file, print, and named-pipe sharing over the network for this computer"

Allows your computer to offer 'shares' (files, folders) or a Printer to other computers. It has nothing to do with your computer mapping and accessing 'share' files & folders on OTHER computers (for that, see 'Workstation').

Disable & Remove C:\WINDOWS\system32\Srvsvc.dll


"Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution"

Needed in a Windows 2000 in a DOMAIN environment for file sharing. Otherwise it's just a waste of space

Can be removed using xpl.
To manually remove, Disable & Delete from C:\WINDOWS\system32\LMHSVC.DLL, TCPMIB.DLL, TCPMON.DLL, TCPMON.INI, TCPMONUI.DLL


"Enables Windows-based programs to create, access, and modify Internet-based files"

Only needed by MSIE = not needed by Firefox or any other 'proper' Internet browser

Can be removed using xpl.
To manually remove, Disable & uninstall WebFldrs then delete the DLL's

i.e. Start, RUN, msiexec /x C:\Windows\System32\webfldrs.msi, then delete C:\WINDOWS\system32\webfldrs.msi
Then delete C:\WINDOWS\system32\davclnt.dll, webclnt.dll
Then delete C:\WINDOWS\system32\drivers\mrxdav.sys, mrxsmb.sys

Windows Audio

"Manages audio devices for Windows-based programs."

Unless you like listening to Microsoft's 'beeps', it can go

Disable and delete C:\WINDOWS\system32\audiosrv.dll

Windows Firewall/Internet Connection Sharing (ICS)

"Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network."

Yes, it does, but only for OTHER computers using YOURS as a 'gateway' for Internet access !

Disable & Delete from C:\WINDOWS\system32\6to4svc.dll, firewall.cpl, fwcfg.dll, IPSEC6.EXE, ipsecsnp.dll, ipsecsvc.dll, ipsmsnap.dll, ipv6mon.dll, IPV6.EXE, winipsec.dll, wship6.dll, ipnathlp.dll. Delete from C:\WINDOWS\system32\drivers\ip6fw.sys, tcpip6.sys, ipnat.sys

Windows Management Instrumentation (WMI)

"Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly"

Actually, this is only used by IPv6 Helper Service, Security Center and Windows Firewall/Internet Connection Sharing (ICS) and Help & Support 'tools' ... none of which you need (see also Windows Management Instrumentation Driver Extensions & WMI Performance Adapter services below)

Can be removed using xpl.
To manually remove, Disable & reboot in Safe Mode (note 1) & delete the entire C:\WINDOWS\system32\wbem\ folder (but see note 2) 32 folders, 201 files, 28,423,374 bytes. C:\WINDOWS\system32\ cmprops.dll, licwmi.dll, mmfutil.dll, servdeps.dll, wmimgmt.msc, wmiprop.dll

Note 1. Eight of the .dll files in the root of \wbem can only be deleted when running in Safe Mode

Note 2. If you want to keep using System Restore, move the 'framedyn.dll' from C:\WINDOWS\system32\wbem\ up 1 level (i.e. to C:\WINDOWS\system32\) before deleting the \wbem folder

Wireless Zero Configuration

"Provides automatic configuration for the 802.11 adapters"

Only needed if you use wireless i.e. WiFi or BLUETOOTH (which is typically used for 'wireless' keyboards)

Can be removed using xpl.
To manually remove, Disable and Delete Delete from C:\WINDOWS\system32:-
bthci.dll, bthprops.cpl, bthserv.dll, btpanui.dll, fsquirt.exe, irclass.dll, irprops.cpl, netsetup.cpl (ONLY if Network Connections is disabled), wzcdlg.dll, WZCSAPI.DLL, WZCSVC.DLL.

You can also Delete the C:\WINDOWS\Provisioning\ folder complete (18 files, 53,529 bytes)


"Creates and maintains client network connections to remote servers"

Needed to so your computer can 'map' and link to shares on OTHER computers.

Set to 'Automatic'

The non-started Services

Application Management

"Provides software installation services such as Assign, Publish, and Remove"

This does not exist in XP Home, so whatever it does you don't need it or want it

Can be removed using xpl.
To manually remove, Disable & delete C:\WINDOWS\system32appmgmts.dll

Background Intelligent Transfer Service

"Uses idle network bandwidth to transfer data"

Required for Automatic Updates, MSN Explorer, Windows Messenger, Windows Media Player. It connects your PC to the internet (or network) without asking or telling you. NOT a good idea.

Can be removed using xpl.

BITS consists of C:\WINDOWS\system32\Bitsinst.exe (28,672), Bitsprx2.dll (8,192), Bitsprx3.dll (7,168), Bitsprx4.dll (7,168), Qmgr.dll (408,064), Qmgrprxy.dll (18,944), Bitsinst.exe (26,624), Bitsprx2.dll (8,192), Bitsprx3.dll (7,168), Bitsprx4.dll (7,168), Qmgr.dll (408,064), Qmgrprxy.dll (18,944).

BITS invokes 8 other DLL's (oleaut32.dll, jscript.dll, vbscript.dll, msxml.dll, softpub.dll, wintrust.dll, initpki.dll, cryptdlg.dll), however other Services also use these

Your_computer/ Browser

"Maintains an updated list of computers on the network and supplies this list to computers designated as browsers"

In other words it lays out your entire network to the first script kiddie who cares to look as well as helping a virus to spread inside your network. It may be useful in a (corporate) DOMAIN but is irrelevant in a home WORKGROUP based network. Yes, it says 'browser', but no, it has nothing whatever to do with MSIE or the Internet

Can be removed using xpl.
To manually remove, Disable and Delete C:\WINDOWS\system32\browser.dll

IPSEC Services

"Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver"

What this MEANS is, it's required for Active Directory (which exists only in a Domain) or to 'encrypt' data when linking (via 'VPN') to a remote corporate network DOMAIN. It's not required in a Workgroup.

Disable & remove C:\WINDOWS\system32\oakley.dll, polstore.dll.

You can also remove most of the Active Directory support components
Delete from C:\WINDOWS\system32\activeds.tlb, adsldp.dll, adsmsext.dll, adsnt.dll, dsauth.dll, dsprop.dll, dsprpres.dll, dsquery.dll, dssec.dat, dssec.dll, dsuiext.dll.
Delete from C:\WINDOWS\system32\wbem\dsprov.dll, dsprov.mfl, dsprov.mof.

[Leave ADSLDPC.DLL (AD LDAP Provider C DLL) & ACTIVEDS.DLL (AD Router Layer DLL) alone - they are needed by the Event Viewer]

Network Provisioning Service

"Manages XML configuration files on a domain basis for automatic network provisioning"

It allows corporate IT admins to remotely control your PC using XML scripts across the DOMAIN. In a Workgroup it simply provides yet another route for a virus or root kit to take over your PC.

Disable & delete C:\WINDOWS\system32\xmlprov.dll, xmlprovi.dll

NT LM Security Support Provider

"Provides support for Telnet and Message Queuing in a corporate environment"

It is only useful in a DOMAIN = in a Workgroup it's simply yet another virus vector

Can be removed using xpl.
To manually remove, Disable & delete


"Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service."

What this means is it supports 'dial-up' modems ! Whilst these were common 10 years ago, I would bet few users have even SEEN a modem (let alone fitted one to their computer), but that does not stop some brain dead 'internet' apps. (such as AOL) getting upset if Telephony is not found.

Can be removed using xpl.
To manually remove, Start by setting to 'disabled. If your system runs OK, delete it along with the following from C:\WINDOWS\system32\:-

confmsp.dll, h323.tsp, h323log.txt, h323msp.dll, hidphone.tsp, ipconf.tsp, kmddsp.tsp, ndptsp.tsp, rend.dll, sdpblb.dll, tapi3.dll, tapi.dll, tapiperf.dll, tapisrv.dll, tapiui.dll, TCMSETUP.EXE, telephon.cpl, termmgr.dll, umdmxfrm.dll, unimdm.tsp, unimdmat.dll, uniplat.dll, wavemsp.dll (and no doubt lots more trash I haven't found yet)

Windows Installer

Supports 'Add / Remove Programs' & needed to install (or remove programs) that use the .MSI Installer.

You won't have enough disk space to install anything that uses the bloated MSI system. Application Management, Windows Automatic Updates & Windows Update Manager all need Windows Installer (so those will have to go too).

Can be removed using xpl.
To manually remove, Disable and delete C:\Windows\System32\msiexec.exe, msi.dll, msihnd.dll. NB. If you have not installed anything, the folder C:\windows\Installer should be empty, if it's not, start worrying

Windows Management Instrumentation Driver Extensions

"Provides systems management information to and from drivers"

So what does that mean ? Well from Microsoft:- "WMI provides ... management .. with programming or scripting languages. For example, you can: Start a process on a remote computer, Schedule a process to run at specific times on specific days, Reboot a computer remotely, Get a list of applications installed on a local or remote computer, Query the Windows event logs on a local or remote computer.

So there you are = WMI is a tool provided by Microsoft so that hackers can take over your computer !

Can be removed using xpl.
To manually remove, Disable & delete C:\WINDOWS\system32\wbem\wmisvc.dll
& delete C:\WINDOWS\system32\cmprops.dll, licwmi.dll, mmfutil.dll, servdeps.dll, wmimgmt.msc & wmiprop.dll.

WMI Performance Adapter

"Provides performance library information from WMI HiPerf providers"

More MS double talk that no-one understands. As far as I can discover, no 'WMI HiPerf providers' exist anywhere on my computer (or anyone else), however since it needs RPC, perhaps it's just another way to force you to keep that ?

Disable & delete C:\WINDOWS\system32\wbem\wmiapsrv.exe

I've removed a lot of DLL's manually, what else should I do ?

A1. Windows keeps references to DLL's in the Registry. Whilst each entry may be only a few dozen bytes, it can really mount up. Use a Registry 'cleaner' such as the free CC Cleaner (Portable) to remove all references to those you have just deleted

WARNING - there is at least one other product calling itself 'CC Cleaner' that is NOT FREE

A2. It's also worth searching for DLL's that are no longer used at all. Whilst there are plenty of tools that will scan the Registry and remove REFERENCES to non-existent DLL's there are very few that will scan the hard drive and find the .DLL's that are NOT referenced. I have only located two 'Freeware' tools, AnalogX DLL Archive 1.01 (can't recommend since it has too few users) and PC-Cleaner (which is about 10 years old). Instead I recommend the 'shareware' DLL Toys which will list the orphan' DLL's but not delete them unless you pay the fee (of course you can always delete manually).

Quick note on downloading tools etc. == ALWAYS choose a 'recognised' source (such as cnet) and NEVER EVER be the 'first' to try anything, so avoid 'v1.0' and anything that hasn't been updated in the last year or so ! Better, never download anything that hasn't been used and reviewed by thousands of others first

I still need more free space - what else can I do ?

A1. It is possible to remove the 12Mb 'oembios' by replacing the Winlogon shell with Minlogon. See my CF and USB boot' page

Minlogon automatically logs you on as System (with no password). Minlogon is incapable of joining the computer to a Domain (so start up is a lot faster as there are no attempts to locate a Domain Server or download 'permissions'). It uses the 'default' desktop layout (and removes all other user settings, including the accounts). For further details see Microsoft MSDN pages (which suggests that Explorer can be removed and replaced with another 'shell' eg 'CMD')

A2. If you still need more space the only thing left is to set up a compressed (zipped) folder and move some of the larger files into it - on a Windows XP 'FAT' format disk you can not compress an existing folder, let alone the whole drive (there is no 32bit equivalent to the Win98 'Drive Space' compression drivers)

The obvious files to compress are the DLL's in the root of c:\Windows\System32\

XP will still open and 'run' (most) files directly from a compressed (zipped) folder just fine, however moving Windows system DLL files means manually resetting the file 'paths' that are hiding in the Registry.

Plainly the best approach is to 'unregister' the DLL from it's current location, move it to the compressed folder and re-register it. See above re: setting up a RightClick context menu function 'newRClik.reg'.

To help identify large files that are worth compressing, try using TreeSize

Click 'Next >>' in the Navigation bar left for Using Sysprep

Next page :- Using Sys Prep