Note: Unfortunately many of the links in the article are no longer available. Please email us if you know where they are.
Much of the research discussed in this article was done by NT Internals expert Dr. Mark Russinovich, a Consulting Associate for Open System Resources, Inc. Russinovich is coauthor of numerous NT systems utilities, such as the NT registry monitor, the NT file monitor, and the NTFS file system for DOS. OSR specializes in file system, device driver, and data communications consulting, training, and development for Windows NT and other platforms. Neither Dr. Russinovich nor OSR are responsible for the conclusions drawn in this article.
This article has been written to describe and explain the differences between Microsoft's Windows NT Server and NT Workstation products, not for the purpose of encouraging readers to defeat Microsoft's licensing restrictions. The author and O'Reilly & Associates recommend that readers carefully review the terms of Microsoft's NT license agreement and comply in all respects therewith.
Microsoft recently introduced version 4.0 of NT Workstation (NTW) and NT Server (NTS), and claims that there are substantial technical differences between the Workstation and Server products. Microsoft uses this claim to justify an $800 price difference between NTW and NTS, as well as legal limits on web server usage in NTW, both of which have enormous impact on existing NTW users. But what if the supposed technical differences at the heart of NTW and NTS are mythical?
We have found that NTS and NTW have identical kernels; in fact, NT is a single operating system with two modes. Only two registry settings are needed to switch between these two modes in NT 4.0, and only one setting in NT 3.51. This is extremely significant, and calls into question the related legal limitations and costly upgrades that currently face NTW users.
Microsoft's Reponse: "700 Differences"?
NT 3.51: ProductType registry setting
NT 4.0: ProductType and SystemPrefix registry settings
A Web Tax?
In the course of the ongoing controversy over its restriction of only ten web connections in NT Workstation 4.0, Microsoft representatives have asserted that there are substantial technical differences between NT Server and NT Workstation. From this, Microsoft draws these conclusions:
that these differences justify the large price difference between the two products (street prices: NT 4.0 Workstation $260, Server 4.0 w/ 5 client $730, Server 4.0 w/ 10 client $1080)
that third-party web servers such as O'Reilly WebSite or Netscape Enterprise Server should not be run on top of the cheaper NT Workstation product, and
that customers should instead buy Microsoft's more expensive NT Server product, which comes already bundled with a "free" web server, Microsoft Internet Information Server (IIS). IIS competes with web servers from third-party vendors such as O'Reilly and Netscape.
For example, Microsoft spokesman Mark Murray was quoted by Reuters:
"The crux of this issue is that NT Workstation and NT Server are two very different products intended for two very different functions."
And, according to InfoWorld columnist Nicholas Petreley ("When it comes to judging Microsoft products, the devil is in the details," InfoWorld, September 16):
"when Microsoft delivered final Windows NT 4.0 code to InfoWorld ... I probed Microsoft about the differences between Windows NT Server and Workstation.... I asked specific questions and got specific answers: There is no way to change any setting to make the Workstation kernel behave like the Server. The reason, said the Microsoft representative, is that the source code for the kernel has embedded statements -- #ifdef statements. These cause the compiler to produce different executables depending on whether the target is a server or a workstation. As a result, the two kernels are hard-coded to use different caching algorithms and multitasking priorities, among other things. That's what the fellow said, in front of a room packed with InfoWorld editors and analysts."
In fact, the recent fight between Microsoft and Netscape, including Netscape's open letter to U.S. Department of Justice's Antitrust Division, was touched off by this very issue: Microsoft asserted that NTW should not (and, by license, apparently cannot) be used to run serious web servers, because that's what NTS (which, conveniently, comes as part of a package with Microsoft's own IIS) is for. Microsoft sent email to Netscape, complaining about a price comparison chart at Netscape's web site. According to Microsoft's letter (July 30):
If the user wishes to utilize more than the ten [web] connections, the user must license Windows NT server....
Microsoft is also concerned that Netscape is deceiving customers by suggesting that Windows NT Workstation is meant to be used as a server operating system for a Web site. It is not.
So Microsoft has a lot invested in the widespread public perception of crucial differences between NTS and NTW. As Microsoft Executive VP Steve Ballmer told PC Week:
"It is a serious thing for us," said Ballmer. "We did about a billion [dollars] in server revenue. What is the difference in price between the two--maybe 800 dollars. One of them costs 35 percent of what the other does. So if a billion dollars goes to $350 million--that is a big hit to this company."
At the same time, even Microsoft's own document on Differences Between Windows NT Workstation 4.0 and Windows NT Server 4.0 (Microsoft Windows NT 4.0 Market Bulletin, Summer 1996) admits that the two products share "the same kernel architecture."
This raises the question of exactly how NTS and NTW really differ.
Microsoft's document goes on to say its NT strategy is "optimizing, pricing, and licensing the products for two specific segments":
The difference in pricing is clear enough (NTS costs more than NTW).
As for licensing, Microsoft rather bizarrely defines "user" to include anyone connecting to the machine via TCP/IP. As pointed out in InfoWorld, "the whole idea of having price points for different numbers of Web hits (clients) is patently absurd." Certainly Microsoft, like any company, is entitled to a price structure based on the number of LAN clients -- but for every user browsing your web site too?! As the InfoWorld article notes, this "attempts to impose on the Internet the PC LAN server model of licensed client access." It is, in effect, an attempt at a "web tax."
It's also well known that NTS is bundled with additional components -- not only IIS, but also DNS, DHCP, WINS, and other services. For the most part, these services are not Microsoft operating system innovations, but bundled applications that compete with freestanding applications from other vendors. Besides HTTP web servers from companies such as Netscape and O'Reilly, MetaInfo has a commercial DNS that runs on both NTS and NTW, and BIND 4.9.3 (the "reference" implementation of DNS) is available free, and runs on both WinNT and Win95. There are FTP servers available for NT, some Telnet servers, SMTP servers, and so on.
So we know that the licensing, pricing, and bundling of NTS and NTW are different. But what does Microsoft mean by optimizing? What sort of technical difference are we talking about here? How specifically does the operating system itself differ between NTS and NTW?
For the vast majority of those interested in using NT as a web server, there is no functional difference. NTW, like Win95, will work just fine for the vast majority of web sites:
all of the servers we've tested will easily saturate a T-1 connection (1.55M bps) to the Internet -- after which the performance differences become meaningless.
Microsoft's license agreement for Workstation, therefore, is the only thing keeping many organizations from using Workstation as a Web server.
-- Eamonn Sullivan, "NT 4.0 license, not speed, is key", PC Week Online, August 26, 1996
Netscape estimates that 70% of its server customers using NT are in fact using NT Workstation rather than NT Server. Microsoft is claiming that most of these Netscape customers are in violation of the NTW license agreement! For web publishers to stay within the law, presumably they are supposed to get NTS with IIS.
So much for using NT as a web server. More generally, when you strip away differences in pricing, licensing, and extra bundled software like IIS, what are the real technical differences between NTS and NTW?
It turns out that NTS and NTW not only share "the same kernel architecture" (as Microsoft puts it), but in fact have identical kernels: in NT 4.0, the exact same file, NTOSKRNL.EXE, is used for both the Server and Workstation products. Likewise in NT 3.51.
Not only are the NTS and NTW kernels identical, but in both NT 3.51 and 4.0, whenever a binary file (EXE, DLL, device driver, etc.) is provided with Workstation, the identical file is provided with Server. This includes such core files as NTLDR, NTOSKRNL.EXE, HAL.DLL, KERNEL32.DLL, NTDLL.DLL, SRV.SYS, TCPIP.SYS, WINSOCK.DLL, NTLANMAN.DLL, RASAUTH.DLL, NTFS.SYS, and so on. This was determined by looking not only at filenames, date/timestamps, and filesizes, but by doing a full binary comparison. NTS and NTW are merely two options for running the exact same, byte-for-byte identical operating system.
The setup/installation files (TXTSETUP.SIF, INF files, etc.) differ from Workstation to Server, and Server comes with about 100 files that are not provided with Workstation. These additional files include DHCP*.*, LICCPA.*, LLS*.*, NCADMIN.*, RPC*.*, SFM*.*, SRVMGR.*, USRMGR.*, and WINS*.*, corresponding to the extras bundled with Server such as DHCP and WINS.
To us, having some additional programs bundled with NTS no more gives it a "very different function" from NTW, than the combination of Windows 95 and "Windows Plus!" has a very different function from plain Windows 95. All of Microsoft's technical descriptions suggest that NTS is supposed to be something more than NTW with some bundled add-ins.
It is doubtful that customers would feel good about paying approximately $800 for what is essentially an "NT Plus!" add-in package -- especially when Microsoft advertises that add-ins such as IIS come for "free." If the only technical difference between NTS and NTW were precisely these add-ins, then one could hardly call them free. Given that NTS for 10 "clients" (however Microsoft chooses to define that) costs $1080, while NTW costs $260, we figure that Microsoft would actually be charging over $800 for what is effectively "NT Plus!"
So, with identical kernels, how does NT distinguish these ostensibly "very different products intended for two very different functions"?
According to a course on NT internals at WinDev East '96 given by David Solomon, a single
MmIsThisAnNtAsSystem() is the
decider. It is used at boot time to make resource sizing decisions,
and also at runtime for certain policy decisions.
Starting with an examination of this function, Mark Russinovich found something quite remarkable: the value that MmIsThisAnNtAsSystem() returns (Workstation vs. Server) comes directly out of the registry. In 3.51, a single registry setting is used to differentiate between NTW and NTS. In 4.0, there are two registry settings, and some code intended to prevent the user from changing them.
That's it. By way of comparison, there is significantly less technical difference between NT Server and Workstation than there was between Win 3.1 Enhanced and Standard modes. Those were radically different pieces of software, bundled together for one remarkably low price. In contrast, Windows NT seems to be one piece of software, artifically differentiated into two products with wildly different prices. NT is one product, with two options: server and workstation. The Server option comes with a package of add-ins and with a license for more users.
But what of Microsoft's "optimizations"? Microsoft makes great claims for how its tuning differentiates server and workstation machines. It's clear that this tuning is not particularly useful for the vast majority of web publishers (just as Microsoft's NTW license seems irrelevant to those running web servers instead of LAN servers). It's even been reported some of these "optimizations" can actually hurt when a web site is running lots of CGI programs, as opposed to delivering static web pages.
Microsoft has optimized NTS for LAN servers. But since NTS and NTW use the same kernel, this optimization is based on nothing more than checking the registry settings. MmIsThisAnNtAsSystem() checks a global variable based on the registry settings, and various parts of the kernel in turn call MMIsThisAnNtAsSystem(), and behave slightly differently depending on this return value. For instance, in Process Manager initialization, the return value affects the foreground process quantum. Likewise, the value of most Memory Manager global variables are doubled if the registry indicates that NTS mode is being used.
One important caveat: You can only configure a server as a domain controller at setup time. We currently know of no way to take a machine that isn't already a domain controller and make it one without reinstalling NTS. Actually, this appears to be a limitation (or perhaps a security feature) in NT itself. According to one recently posted Usenet message:
Sorry, the creation of the domain takes place DURING the install. The ONLY way to put a PDC [Primary Domain Controller] in a new domain is to install NT Server on another machine, create the new domain, demote the first server, then make it a backup controller in the NEW domain.
Incidentally, Mark Russinovich has also found that the Peer Web Services (PWS) shipped with NTW is absolutely identical with IIS shipped with NTS. If PWS is installed on an NTS system, it comes up as IIS. If IIS is installed on an NTW system, it comes up as PWB. How does this single piece of software determine which role it's supposed to play? Using his NTWatch program, Russinovich found that when installing INETSRV in workstation mode and then in server mode, INETSTP and INETINFO check the registry settings.
Responding to an earlier edition of this article, Jonathan Roberts, a division marketing manager at Microsoft, was quoted in PC WeekOnline ("Microsoft: 'significant differences' between NTS, NTW", Norvin Leach, September 10):
Roberts acknowledged that NTS and NTW are included in the same binary file. It was easier to build and test them that way, he said. The setting in the Registry, he said, triggers 48 changes to the kernel. These changes cascade down to 700 additional settings in software outside the kernel.
So Microsoft has now acknowleged that NTS and NTW have identical kernels. This of course contradicts previous Microsoft assertions. But what about those 48 cascading down to 700 changes?
While the number 700 (or even 48) sounds impressive, all it seems to signify are the types of configuration switches already noted above, such as changes in the size of memory-management global variables depending on whether server or workstation mode has been chosen. These are the sort of changes that users have traditionally made in files such as CONFIG.SYS or SYSTEM.INI. While it's nice to have the operating system package many numeric settings together in a single name-based setting ("Winnt" vs. "Servernt"), this hardly seems to qualify as "significant differences," any more than it would if Microsoft had perhaps had the chutzpah to ship different versions of MS-DOS, at different price points, based on different FILES=, LASTDRIVE=, and BUFFERS= settings in CONFIG.SYS.
The number 700 is a recurrent theme in Microsoft's discussions of this issue. For example, here's Alec Saunders, a Microsoft product manager (quoted in Marcia Jacobs, "How Different Are NT Workstation And NT Server?," CommunicationsWeek, September 11):
Microsoft's Saunders claims that ... both versions of NT make more than 700 configuration adjustments upon system boot up depending on the type of hardware the OS is installed on. The type of adjustments made include determining whether the machine is a symmetric multiprocessing system, whether it's a PDC and the type of processor it's running on. It is these configurations that make the difference between the two OSes, Saunders said.
It's difficult to tell exactly what Alec Saunders is trying to say here, but at any rate -- aside from the reappearance of the magic number 700 -- it is a different explanation from the one just quoted by Jon Roberts. Saunders seems to be saying that NT goes into either NTW or NTS mode, depending on the type of underlying hardware. But that doesn't make any sense. On the other hand, one reader has made what sounds like a similar claim: that "the Current Hardware profiles are what cause [NTLDR] to load up server." This would seem to imply that, if you have a system with maybe four Pentium Pros, you automagically get NTS rather than NTW. But surely Microsoft isn't claiming that, are they?
Yet another Microsoft response comes to us from Mark Hassall, NT Server manager at Microsoft UK (quoted in PC Daily News, September 11):
"We don't recommend that users make the changes that O'Reilly recommends. We don't recommend users making random hacks. They suggest 48 changes to system files, so what about the other 700 NT does at boot time? We want to educate users as to what product is suitable. NT Workstation is not designed to be a big Web server so we put a limit to restrict it to 10 inbound connections. If you want more you should have NTS."
We're not sure where Hassall got the idea that this article was suggesting that individuals go and change their registry settings. All versions of this article have been absolutely clear that we want Microsoft to change its marketing and licensing of NT, not for individuals to sidestep the Microsoft license agreement. We have deliberately refrained from giving instructions for changing NTW 4.0 into NTS 4.0.
At any rate, notice again the numbers 48 and 700 -- except this time, the Microsoft spokesman appears to think that O'Reilly has recommended that customers make 48 changes (!), but that this meanwhile would miss an additional 700 that NT supposedly makes.
In short, Microsoft seems clear only about the magic numbers 48 and 700. What the numbers mean, though, seems to be improvised on the spot in whatever way seems most expedient to the Microsoft spokesman on the spot.
The most imaginative Microsoft response was quoted in ZD Net AnchorDesk (September 11), with an equally clever comeback:
While the Big "M" folks in Redmond maintain the products are vastly different, critics allege Workstation can be switched into the Server version with a few easy tweaks. An official Microsoft marketer suggests that's like arguing the only difference between men and women is a Y chromosome. We think it's more akin to discovering your date is in drag.
Having said that these differences between NTS and NTW kernels are basically controlled by simple registry settings -- and Microsoft having now acknowledged this bit of cross-dressing -- let's now look briefly at these $800 registry settings:
In version 3.51, NTS and NTW are distinguished with the following registry setting (see below for NT 4.0):
This is a string value that is interpreted as follows (NTOSKRNL.EXE itself only cares about the "WinNT" string, but other programs check for the "ServerNT" and "LanmanNT" strings):
ValueInterpretation "WinNT"NT Workstation "ServerNT"NT Server "LanmanNT"NT Advanced Server?
Click here to examine this setting on a machine running WebSite (and a Win-CGI based registry browser).
This setting is described in a new book published by O'Reilly, Inside the Windows 95 Registry, by Ron Petrusha. The book covers the NT registry as well as the Win95 registry (the NT "Product Type" setting is described on p. 525).
Microsoft actually describes this registry setting in an article on its web site, Determining the Product Option of a Windows NT Setup. The "product option" wording is curious, given the effort Microsoft makes elsewhere to have NTW and NTS appear to be significantly different systems.
Interestingly, Microsoft's document warns: "Do NOT change the ProductType [registry setting] under any circumstances. Changes to the ProductType can result in the failure of the Windows NT operating system."
What Mark Russinovich found, however, is that in NT 3.51 this "Product Type" setting can be changed by any end-user, using the Registry Editor supplied by Microsoft (REGEDT32.EXE).
The system does nothing to prevent changing the value from "WinNt" to
"ServerNt". After rebooting for the new "ServerNt" setting to take
effect, the system function as NTS. The
"Computer Role: SERVER". And BackOffice can
be installed and run.
This technique seems to have been known to others previously. An AltaVista search for "ServerNt" on the web or Usenet turned up several documents describing how to run IIS on top of NTW 3.51, one of which noted that:
One catch, when you change the key to ServerNt and leave it there, from another NT machine (especially a PDC [Primary Domain Controller]), if they browse the network, your machine will suddenly "appear" as an NT Server.... as far as the rest of the network is concerned, that [is] what your machine will appear to be.
Indeed, changing this registry setting turns an NTW 3.51 machine into an NTS 3.51 machine -- albeit without Microsoft's license to use NTS, and without the additional programs bundled with NTS. As noted above, some of these applications are available from third parties. So the real difference is Microsoft's license, which prevents the cheaper NTW product from being used as a serious web server, and which attempts to force web publishers into using the more expensive NTS/IIS "solution."
But what of the magical 3.51 "ProductType" registry setting? It's still there, and it still plays the same role in 4.0 that it did in 3.51 in distinguishing between the Server and Workstation modes (see table above). Microsoft has merely added an additional registry setting, and made some effort to prevent the user from changing these settings. The extra setting is:
HKEY_LOCAL_MACHINE\System\Setup\SystemPrefixThe SystemPrefix value is a binary value which the kernel treats as two DWORDs, of which the only important piece of information seems to be the bit represented by the mask 0x04000000 in the high-order DWORD. If ProductType is "ServerNT" or "LanmanNT", then this bit must be set. If ProductType is "WinNT" then the bit must be off (any inconsistency results in a blue-screen error at system boot).
The system spawns two worker threads that watch for, and override, changes to the two registry keys. If an attempt is made to change ProductType, the threads changes the settings back (really! you can see this happen if you manually refresh in REGEDT32) and pops up the following warning box:
"The system has detected tampering with your registered
product type. This is a violation of your software license.
Tampering with product type is not permitted."
Eamonn Sullivan of PC Week has confirmed that, when an NTW machine is tweaked via the registry into an NTS machine, web performance "tests on this "altered" Workstation were identical (within the margin of error) to Server." (See PC Week article, "Simple way found to turn NT Workstation into Server.")
If an attempt is made to install Microsoft's BackOffice suite on a workstation-mode NT system, the BackOffice setup program will prevent installation of the BackOffice programs and indicate that NT Server must be installed first. If the system type is then changed to server in the registry as described above and another attempt is made to install BackOffice, then the installation of the suite programs is possible. Curiously, if you then change the system back to NTW mode, BackOffice continues to run fine -- so it is only the setup/install program that cares.
To give an idea for what non-kernel processes depend upon the ProductType and SystemPrefix settings, Mark Russinovich has written a utility, NTWatch, which intercepts non-kernel accesses to these settings and displays them in a window. For example, the following screen shot shows NTWatch running on an NTW 3.51 system; at line 19, Microsoft's registry editor (RegEdt32) has been used to change the ProductType setting from "Winnt" to "Servernt". The NET ACCOUNTS command (NET1.EXE) was then run; of course, it now reported "Computer Role: SERVER".Unfortunately, NTWatch can't hook the MmIsThisAnNtAsSystem call; its output only shows direct access to the registry settings.
Click here to download NTWATCH.ZIP. Instructions for installation and deinstallation are included inside the zip file.
For a more general-purpose NT registry monitor, see NTRegMon.
A Web Tax?
To summarize, NTS is simply NTW plus some configuration changes, a
set of bundled programs (IIS, DNS, etc.), a license for more LAN
users, and apparently for more web users. NTS is a package
deal: if you want to publish to a reasonable number of web users
(more than ten!), you must get the more expensive NTS package, which
also has things you may not need, such as Microsoft's own web server.
Having paid the higher price which includes Microsoft's own web
server, you're unlikely to consider purchasing a third-party web
server. Those third-party web servers, combined with the lower price
of NTW, would be a cheaper solution that Microsoft's NTS/IIS bundle,
but Microsoft's license agreement prevents you from opting for this
better solution. Microsoft is restricting how you can use its
operating system until you agree to buy its server products.
An attorney for Microsoft, David Heiner, was quoted by the San Francisco Examiner (August 29):
This is correct. But does Microsoft have "every right to put conditions" on the use of standards such as TCP/IP, HTTP, and WinSock?
Heiner said Microsoft has every right to put conditions on how its software is used.
``Conditions on use are a standard practice in the software industry,'' Heiner said.
Leaving that question aside, it's certainly true that there would be nothing wrong if Microsoft would just come out and say that NTS and NTW are technically identical, but that NTS comes with a license for more LAN clients, an apparent license for more web surfers, and an "NT Plus!" package of add-ins. Microsoft might have trouble selling such an honestly-described version of NTS, but they could at least tell whether the market really thinks the license to host a web server is worth $800.
But as long as Microsoft claims that NTS is very different from NTW in anything other than licensing, pricing, and bundling, customers will have difficulty making informed choices. And as long as Microsoft attempts to claim that NTW isn't suitable for running competitors' web servers -- and attempts to use registry settings and license agreements to discourage the use of third-party web servers on NT -- the NTS/NTW price difference can be viewed as little more than a "web tax."
As noted earlier, InfoWorld says that "the whole idea of having price points for different numbers of Web hits (clients) is patently absurd." From Microsoft's view, however, perhaps it's not so absurd. It has often been noted that Microsoft wants to be "the toll-collector on the information superhighway." Such tired metaphors aside, it is clear that Bill Gates looks at businesses such as his friend Paul Allen's Ticketmaster, and wants a piece of the per-transaction action. The Microsoft Network (MSN) was a failed attempt to collect this toll/tax. Pricing NT based on the number of web users looks like another such attempt.
At the same time, we've received requests for further information on making this change in NT 4.0 (it is, as shown earlier, trivial in 3.51). Mark Russinovich has written a utility, NTTune, which can make the workstation-to-server registry change in 4.0. We are quite deliberately not making this available, however. We used NTTune to verify our tests, and made NTTune available to some members of the press so they could independently test our claims. That's it.
NTTune uses a technique developed by Mark Russinovich and Bryce Cogswell called "system call hooking." This technique is also used in their NT registry monitor, NTRegMon. Russinovich and Cogswell will be describing System Call Hooking in a forthcoming article in Dr. Dobb's Journal. (Back to text)
Copyright © 2009 O'Reilly Media, Inc.