Andrew Schulman
Senior Editor, O'Reilly & Associates
andrew@ora.com
Much of the research discussed in this article was done by NT Internals expert Dr. Mark Russinovich, a Consulting Associate for Open System Resources, Inc. Russinovich is coauthor of numerous NT systems utilities, such as the NT registry monitor, the NT file monitor, and the NTFS file system for DOS. OSR specializes in file system, device driver, and data communications consulting, training, and development for Windows NT and other platforms. Neither Dr. Russinovich nor OSR are responsible for the conclusions drawn in this article.
This article has been written to describe and explain the differences between Microsoft's Windows NT Server and NT Workstation products, not for the purpose of encouraging readers to defeat Microsoft's licensing restrictions. The author and O'Reilly & Associates recommend that readers carefully review the terms of Microsoft's NT license agreement and comply in all respects therewith.
For additional technical details, see the article "Six in One, Half Dozen in the Other? Inside the Difference Between Windows NT Workstation and Windows NT Server" in the Fall 1996 issue of The NT Insider.
Microsoft recently introduced version 4.0 of NT Workstation (NTW) and NT Server (NTS), and claims that there are substantial technical differences between the Workstation and Server products. Microsoft uses this claim to justify an $800 price difference between NTW and NTS, as well as legal limits on web server usage in NTW, both of which have enormous impact on existing NTW users. But what if the supposed technical differences at the heart of NTW and NTS are mythical?
We have found that NTS and NTW have identical kernels; in fact, NT is a single operating system with two modes. Only two registry settings are needed to switch between these two modes in NT 4.0, and only one setting in NT 3.51. This is extremely significant, and calls into question the related legal limitations and costly upgrades that currently face NTW users.
Introduction
Identical Kernels
Microsoft's Reponse: "700 Differences"?
NT 3.51: ProductType registry setting
NT 4.0: ProductType and SystemPrefix registry settings
NTWatch Utility
A Web Tax?
Introduction
In the course of the ongoing controversy over its restriction of only
ten web connections in NT Workstation 4.0, Microsoft
representatives have asserted that there are substantial technical
differences between NT Server and NT Workstation. From this,
Microsoft draws these conclusions:
"The crux of this issue is that NT Workstation and NT Server are two very different products intended for two very different functions."And, according to InfoWorld columnist Nicholas Petreley ("When it comes to judging Microsoft products, the devil is in the details," InfoWorld, September 16):
"when Microsoft delivered final Windows NT 4.0 code to InfoWorld ... I probed Microsoft about the differences between Windows NT Server and Workstation.... I asked specific questions and got specific answers: There is no way to change any setting to make the Workstation kernel behave like the Server. The reason, said the Microsoft representative, is that the source code for the kernel has embedded statements -- #ifdef statements. These cause the compiler to produce different executables depending on whether the target is a server or a workstation. As a result, the two kernels are hard-coded to use different caching algorithms and multitasking priorities, among other things. That's what the fellow said, in front of a room packed with InfoWorld editors and analysts."In fact, the recent fight between Microsoft and Netscape, including Netscape's open letter to U.S. Department of Justice's Antitrust Division, was touched off by this very issue: Microsoft asserted that NTW should not (and, by license, apparently cannot) be used to run serious web servers, because that's what NTS (which, conveniently, comes as part of a package with Microsoft's own IIS) is for. Microsoft sent email to Netscape, complaining about a price comparison chart at Netscape's web site. According to Microsoft's letter (July 30):
If the user wishes to utilize more than the ten [web] connections, the user must license Windows NT server.... Microsoft is also concerned that Netscape is deceiving customers by suggesting that Windows NT Workstation is meant to be used as a server operating system for a Web site. It is not.So Microsoft has a lot invested in the widespread public perception of crucial differences between NTS and NTW. As Microsoft Executive VP Steve Ballmer told PC Week:
"It is a serious thing for us," said Ballmer. "We did about a billion [dollars] in server revenue. What is the difference in price between the two--maybe 800 dollars. One of them costs 35 percent of what the other does. So if a billion dollars goes to $350 million--that is a big hit to this company."At the same time, even Microsoft's own document on Differences Between Windows NT Workstation 4.0 and Windows NT Server 4.0 (Microsoft Windows NT 4.0 Market Bulletin, Summer 1996) admits that the two products share "the same kernel architecture."
This raises the question of exactly how NTS and NTW really differ.
Microsoft's document goes on to say its NT strategy is "optimizing, pricing, and licensing the products for two specific segments":
For the vast majority of those interested in using NT as a web server, there is no functional difference. NTW, like Win95, will work just fine for the vast majority of web sites:
all of the servers we've tested will easily saturate a T-1 connection (1.55M bps) to the Internet -- after which the performance differences become meaningless.Netscape estimates that 70% of its server customers using NT are in fact using NT Workstation rather than NT Server. Microsoft is claiming that most of these Netscape customers are in violation of the NTW license agreement! For web publishers to stay within the law, presumably they are supposed to get NTS with IIS.
Microsoft's license agreement for Workstation, therefore, is the only thing keeping many organizations from using Workstation as a Web server.
-- Eamonn Sullivan, "NT 4.0 license, not speed, is key", PC Week Online, August 26, 1996
So much for using NT as a web server. More generally, when you strip away differences in pricing, licensing, and extra bundled software like IIS, what are the real technical differences between NTS and NTW?
Identical Kernels
It turns out that NTS and NTW not only share "the same kernel
architecture" (as Microsoft puts it), but in fact have identical
kernels: in NT 4.0, the exact same file, NTOSKRNL.EXE, is used
for both the Server and Workstation products. Likewise in NT 3.51.
Not only are the NTS and NTW kernels identical, but in both NT 3.51 and 4.0, whenever a binary file (EXE, DLL, device driver, etc.) is provided with Workstation, the identical file is provided with Server. This includes such core files as NTLDR, NTOSKRNL.EXE, HAL.DLL, KERNEL32.DLL, NTDLL.DLL, SRV.SYS, TCPIP.SYS, WINSOCK.DLL, NTLANMAN.DLL, RASAUTH.DLL, NTFS.SYS, and so on. This was determined by looking not only at filenames, date/timestamps, and filesizes, but by doing a full binary comparison. NTS and NTW are merely two options for running the exact same, byte-for-byte identical operating system.
The setup/installation files (TXTSETUP.SIF, INF files, etc.) differ from Workstation to Server, and Server comes with about 100 files that are not provided with Workstation. These additional files include DHCP*.*, LICCPA.*, LLS*.*, NCADMIN.*, RPC*.*, SFM*.*, SRVMGR.*, USRMGR.*, and WINS*.*, corresponding to the extras bundled with Server such as DHCP and WINS.
To us, having some additional programs bundled with NTS no more gives it a "very different function" from NTW, than the combination of Windows 95 and "Windows Plus!" has a very different function from plain Windows 95. All of Microsoft's technical descriptions suggest that NTS is supposed to be something more than NTW with some bundled add-ins.
It is doubtful that customers would feel good about paying approximately $800 for what is essentially an "NT Plus!" add-in package -- especially when Microsoft advertises that add-ins such as IIS come for "free." If the only technical difference between NTS and NTW were precisely these add-ins, then one could hardly call them free. Given that NTS for 10 "clients" (however Microsoft chooses to define that) costs $1080, while NTW costs $260, we figure that Microsoft would actually be charging over $800 for what is effectively "NT Plus!"
So, with identical kernels, how does NT distinguish these ostensibly "very different products intended for two very different functions"?
According to a course on NT internals at WinDev East '96 given by David Solomon, a single function in
NTOSKRNL.EXE called MmIsThisAnNtAsSystem()
is the
decider. It is used at boot time to make resource sizing decisions,
and also at runtime for certain policy decisions.
Starting with an examination of this function, Mark Russinovich found something quite remarkable: the value that MmIsThisAnNtAsSystem() returns (Workstation vs. Server) comes directly out of the registry. In 3.51, a single registry setting is used to differentiate between NTW and NTS. In 4.0, there are two registry settings, and some code intended to prevent the user from changing them.
That's it. By way of comparison, there is significantly less technical difference between NT Server and Workstation than there was between Win 3.1 Enhanced and Standard modes. Those were radically different pieces of software, bundled together for one remarkably low price. In contrast, Windows NT seems to be one piece of software, artifically differentiated into two products with wildly different prices. NT is one product, with two options: server and workstation. The Server option comes with a package of add-ins and with a license for more users.
But what of Microsoft's "optimizations"? Microsoft makes great claims for how its tuning differentiates server and workstation machines. It's clear that this tuning is not particularly useful for the vast majority of web publishers (just as Microsoft's NTW license seems irrelevant to those running web servers instead of LAN servers). It's even been reported some of these "optimizations" can actually hurt when a web site is running lots of CGI programs, as opposed to delivering static web pages.
Microsoft has optimized NTS for LAN servers. But since NTS and NTW use the same kernel, this optimization is based on nothing more than checking the registry settings. MmIsThisAnNtAsSystem() checks a global variable based on the registry settings, and various parts of the kernel in turn call MMIsThisAnNtAsSystem(), and behave slightly differently depending on this return value. For instance, in Process Manager initialization, the return value affects the foreground process quantum. Likewise, the value of most Memory Manager global variables are doubled if the registry indicates that NTS mode is being used. One important caveat: You can only configure a server as a domain controller at setup time. We currently know of no way to take a machine that isn't already a domain controller and make it one without reinstalling NTS. Actually, this appears to be a limitation (or perhaps a security feature) in NT itself. According to one recently posted Usenet message:
Sorry, the creation of the domain takes place DURING the install. The ONLY way to put a PDC [Primary Domain Controller] in a new domain is to install NT Server on another machine, create the new domain, demote the first server, then make it a backup controller in the NEW domain.Incidentally, Mark Russinovich has also found that the Peer Web Services (PWS) shipped with NTW is absolutely identical with IIS shipped with NTS. If PWS is installed on an NTS system, it comes up as IIS. If IIS is installed on an NTW system, it comes up as PWB. How does this single piece of software determine which role it's supposed to play? Using his NTWatch program, Russinovich found that when installing INETSRV in workstation mode and then in server mode, INETSTP and INETINFO check the registry settings.
Microsoft's Reponse: "700 Differences"?
Responding to an earlier edition of this article, Jonathan Roberts, a
division marketing manager at Microsoft, was quoted in PC Week
Online ("Microsoft: 'significant differences' between NTS, NTW",
Norvin Leach, September 10):
Roberts acknowledged that NTS and NTW are included in the same binary file. It was easier to build and test them that way, he said. The setting in the Registry, he said, triggers 48 changes to the kernel. These changes cascade down to 700 additional settings in software outside the kernel.So Microsoft has now acknowleged that NTS and NTW have identical kernels. This of course contradicts previous Microsoft assertions. But what about those 48 cascading down to 700 changes?
While the number 700 (or even 48) sounds impressive, all it seems to signify are the types of configuration switches already noted above, such as changes in the size of memory-management global variables depending on whether server or workstation mode has been chosen. These are the sort of changes that users have traditionally made in files such as CONFIG.SYS or SYSTEM.INI. While it's nice to have the operating system package many numeric settings together in a single name-based setting ("Winnt" vs. "Servernt"), this hardly seems to qualify as "significant differences," any more than it would if Microsoft had perhaps had the chutzpah to ship different versions of MS-DOS, at different price points, based on different FILES=, LASTDRIVE=, and BUFFERS= settings in CONFIG.SYS.
The number 700 is a recurrent theme in Microsoft's discussions of this issue. For example, here's Alec Saunders, a Microsoft product manager (quoted in Marcia Jacobs, "How Different Are NT Workstation And NT Server?," CommunicationsWeek, September 11):
Microsoft's Saunders claims that ... both versions of NT make more than 700 configuration adjustments upon system boot up depending on the type of hardware the OS is installed on. The type of adjustments made include determining whether the machine is a symmetric multiprocessing system, whether it's a PDC and the type of processor it's running on. It is these configurations that make the difference between the two OSes, Saunders said.It's difficult to tell exactly what Alec Saunders is trying to say here, but at any rate -- aside from the reappearance of the magic number 700 -- it is a different explanation from the one just quoted by Jon Roberts. Saunders seems to be saying that NT goes into either NTW or NTS mode, depending on the type of underlying hardware. But that doesn't make any sense. On the other hand, one reader has made what sounds like a similar claim: that "the Current Hardware profiles are what cause [NTLDR] to load up server." This would seem to imply that, if you have a system with maybe four Pentium Pros, you automagically get NTS rather than NTW. But surely Microsoft isn't claiming that, are they?
Yet another Microsoft response comes to us from Mark Hassall, NT Server manager at Microsoft UK (quoted in PC Daily News, September 11):
"We don't recommend that users make the changes that O'Reilly recommends. We don't recommend users making random hacks. They suggest 48 changes to system files, so what about the other 700 NT does at boot time? We want to educate users as to what product is suitable. NT Workstation is not designed to be a big Web server so we put a limit to restrict it to 10 inbound connections. If you want more you should have NTS."We're not sure where Hassall got the idea that this article was suggesting that individuals go and change their registry settings. All versions of this article have been absolutely clear that we want Microsoft to change its marketing and licensing of NT, not for individuals to sidestep the Microsoft license agreement. We have deliberately refrained from giving instructions for changing NTW 4.0 into NTS 4.0.
At any rate, notice again the numbers 48 and 700 -- except this time, the Microsoft spokesman appears to think that O'Reilly has recommended that customers make 48 changes (!), but that this meanwhile would miss an additional 700 that NT supposedly makes.
In short, Microsoft seems clear only about the magic numbers 48 and 700. What the numbers mean, though, seems to be improvised on the spot in whatever way seems most expedient to the Microsoft spokesman on the spot.
The most imaginative Microsoft response was quoted in ZD Net AnchorDesk (September 11), with an equally clever comeback:
While the Big "M" folks in Redmond maintain the products are vastly different, critics allege Workstation can be switched into the Server version with a few easy tweaks. An official Microsoft marketer suggests that's like arguing the only difference between men and women is a Y chromosome. We think it's more akin to discovering your date is in drag.Having said that these differences between NTS and NTW kernels are basically controlled by simple registry settings -- and Microsoft having now acknowledged this bit of cross-dressing -- let's now look briefly at these $800 registry settings:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ ProductOptions\ProductTypeThis is a string value that is interpreted as follows (NTOSKRNL.EXE itself only cares about the "WinNT" string, but other programs check for the "ServerNT" and "LanmanNT" strings):
Value | Interpretation |
"WinNT" | NT Workstation |
"ServerNT" | NT Server |
"LanmanNT" | NT Advanced Server* |
*IMPORTANT NOTE: Do NOT experiment with changing this
setting to "LanmanNT"! We'll post some more information on this
setting soon, but in the meantime -- DON'T TRY IT.
Click here to examine this setting on a machine running WebSite (and
a Win-CGI
based registry browser).
This setting is described in a new book published by O'Reilly, Inside the Windows 95 Registry, by
Ron Petrusha. The book covers the NT registry as well as the Win95
registry (the NT "Product Type" setting is described on p. 525).
Microsoft actually describes this registry setting in an article on
its web site, Determining
the Product Option of a Windows NT Setup. The "product option"
wording is curious, given the effort Microsoft makes elsewhere to
have NTW and NTS appear to be significantly different systems.
Interestingly, Microsoft's document warns: "Do NOT change the
ProductType [registry setting] under any circumstances. Changes to
the ProductType can result in the failure of the Windows NT operating
system."
What Mark Russinovich found, however, is that in NT 3.51 this
"Product Type" setting can be changed by any end-user, using the
Registry Editor supplied by Microsoft (REGEDT32.EXE):
The system does nothing to prevent changing the value from "WinNt" to
"ServerNt". After rebooting for the new "ServerNt" setting to take
effect, the system function as NTS. The
This technique seems to have been known to others previously. An
AltaVista search for "ServerNt" on the web or
Usenet turned up several documents describing how to run IIS on top
of NTW 3.51, one of which noted that:
But what of the magical 3.51 "ProductType" registry setting? It's
still there, and it still plays the same role in 4.0 that it did in
3.51 in distinguishing between the Server and Workstation modes (see
table above). Microsoft has merely added an
additional registry setting, and made some effort to prevent the user
from changing these settings. The extra setting is:
The system spawns two worker threads that watch for, and override,
changes to the two registry keys. If an attempt is made to change
ProductType, the threads changes the settings back (really!
you can see this happen if you manually refresh in REGEDT32) and pops
up the following warning box:
Eamonn Sullivan of PC Week has confirmed that, when an NTW
machine is tweaked via the registry into an NTS machine, web
performance "tests on this "altered" Workstation were identical
(within the margin of error) to Server." (See PC Week
article, "Simple way found to turn NT Workstation into Server.")
If an attempt is made to install Microsoft's BackOffice suite on a
workstation-mode NT system, the BackOffice setup program will prevent
installation of the BackOffice programs and indicate that NT Server
must be installed first. If the system type is then changed to server
in the registry as described above and another attempt is made to
install BackOffice, then the installation of the suite programs is
possible. Curiously, if you then change the system back to NTW mode,
BackOffice continues to run fine -- so it is only the setup/install
program that cares.
Unfortunately, NTWatch can't hook the MmIsThisAnNtAsSystem call; its
output only shows direct access to the registry settings.
Click here to download NTWATCH.ZIP. Instructions for installation
and deinstallation are included inside the zip file.
For a more general-purpose NT registry monitor, see
An attorney for Microsoft, David Heiner, was quoted by the San
Francisco Examiner (August 29):
Leaving that question aside, it's certainly true that there would be
nothing wrong if Microsoft would just come out and say that NTS and
NTW are technically identical, but that NTS comes with a license for
more LAN clients, an apparent license for more web surfers, and an
"NT Plus!" package of add-ins. Microsoft might have trouble selling
such an honestly-described version of NTS, but they could at least
tell whether the market really thinks the license to host a web
server is worth $800.
But as long as Microsoft claims that NTS is very different from NTW
in anything other than licensing, pricing, and bundling, customers
will have difficulty making informed choices. And as long as
Microsoft attempts to claim that NTW isn't suitable for running
competitors' web servers -- and attempts to use registry settings and
license agreements to discourage the use of third-party web servers
on NT -- the NTS/NTW price difference can be viewed as little more
than a "web tax."
As noted earlier, InfoWorld says that "the whole idea of
having price points for different numbers of Web hits (clients) is
patently absurd." From Microsoft's view, however, perhaps it's not so
absurd. It has often been noted that Microsoft wants to be "the
toll-collector on the information superhighway." Such tired metaphors
aside, it is clear that Bill Gates looks at businesses such as his
friend Paul Allen's Ticketmaster, and wants a piece of the
per-transaction action. The Microsoft Network (MSN) was a failed
attempt to collect this toll/tax. Pricing NT based on the number of
web users looks like another such attempt.
Our homepage,
with product information, feature articles, and more.
WebSite Central,
home of O'Reilly's hot, new, Windows Web server.
The O'Reilly Windows Center
has Win 95 and NT programming information, articles, and links.
NET ACCOUNTS
command says "Computer Role: SERVER"
. And BackOffice can
be installed and run.
One catch, when you change the key to ServerNt and leave
it there, from another NT machine (especially a PDC [Primary Domain
Controller]), if they browse the network, your machine will suddenly
"appear" as an NT Server.... as far as the rest of the network is
concerned, that [is] what your machine will appear to be.
Indeed, changing this registry setting turns an NTW 3.51 machine into
an NTS 3.51 machine -- albeit without Microsoft's license to use NTS,
and without the additional programs bundled with NTS. As noted above,
some of these applications are available from third parties. So the
real difference is Microsoft's license, which prevents the cheaper
NTW product from being used as a serious web server, and which
attempts to force web publishers into using the more expensive
NTS/IIS "solution."
NT 4.0: ProductType and SystemPrefix registry settings
Some Microsoft employees have privately admitted that the differences
between NTS and NTW 3.51 were minimal. However, they have gone on to
claim that now everything is different in version 4.0. We've already
established that in fact NTS 4.0 and NTW 4.0 have exactly the same
kernel, and in fact exactly the same of everything but the costly
extras bundled in with NTS.
HKEY_LOCAL_MACHINE\System\Setup\SystemPrefix
The SystemPrefix value is a binary value which the kernel treats as
two DWORDs, of which the only important piece of information seems to
be the bit represented by the mask 0x04000000 in the high-order
DWORD. If ProductType is "ServerNT" or "LanmanNT", then this bit must
be set. If ProductType is "WinNT" then the bit must be
off (any inconsistency results in a blue-screen error at
system boot).
"The system has detected tampering with your registered product type.
This is a violation of your software license. Tampering with product
type is not permitted."
However, if the worker threads are overriden,* then
after making these changes and rebooting, a formerly NTW 4.0 system
functions as an NTS 4.0 system. The NET ACCOUNTS command reports
"Computer Role: SERVER" and the taskbar start menu's bitmap changes
from "Windows NT Workstation" to "Windows NT Server".NTWatch Utility
To give an idea for what non-kernel processes depend upon the
ProductType and SystemPrefix settings, Mark Russinovich has written a
utility, NTWatch, which intercepts non-kernel accesses to these
settings and displays them in a window. For example, the following
screen shot shows NTWatch running on an NTW 3.51 system; at line 19,
Microsoft's registry editor (RegEdt32) has been used to change the
ProductType setting from "Winnt" to "Servernt". The NET ACCOUNTS
command (NET1.EXE) was then run; of course, it now reported "Computer
Role: SERVER".A Web Tax?
To summarize, NTS is simply NTW plus some configuration changes, a
set of bundled programs (IIS, DNS, etc.), a license for more LAN
users, and apparently for more web users. NTS is a package
deal: if you want to publish to a reasonable number of web users
(more than ten!), you must get the more expensive NTS package, which
also has things you may not need, such as Microsoft's own web server.
Having paid the higher price which includes Microsoft's own web
server, you're unlikely to consider purchasing a third-party web
server. Those third-party web servers, combined with the lower price
of NTW, would be a cheaper solution that Microsoft's NTS/IIS bundle,
but Microsoft's license agreement prevents you from opting for this
better solution. Microsoft is restricting how you can use its
operating system until you agree to buy its server products.
Heiner said Microsoft has every right to put conditions on how its
software is used.
This is correct. But does Microsoft have "every right to put
conditions" on the use of standards such as TCP/IP, HTTP, and WinSock?
``Conditions on use are a standard practice in the software
industry,'' Heiner said.
NOTE: *The purpose of
this article is to point out the minimal differences between NTS and
NTW, and to get Microsoft to change its licensing and/or marketing of
NT. The purpose is not to have individual users change the
registry and therefore bypass their Microsoft license agreement. We
want Microsoft, not you, to make this change.
At the same time, we've received requests for further information on
making this change in NT 4.0 (it is, as shown earlier, trivial in 3.51). Mark Russinovich has written a utility,
NTTune, which can make the workstation-to-server registry change in
4.0. We are quite deliberately not making this available,
however. We used NTTune to verify our tests, and made NTTune
available to some members of the press so they could independently
test our claims. That's it.
NTTune uses a technique developed by Mark Russinovich and Bryce
Cogswell called "system call hooking." This technique is also used in
their NT registry monitor, NTRegMon.
Russinovich and Cogswell will be describing System Call Hooking in a
forthcoming article in Dr. Dobb's Journal.
(Back to text)
For more information, visit these other O'Reilly online areas: