Exchange: How To View All Registered Event Sinks
In this article, I will go over how to view all registered event sinks within Exchange. Event sinks are basically a sub-routine that is fired at specific points in the message flow such as during transport. Most event sinks fire just before the message categorizer and right after. However, there are also sinks that run during message transfer. Many Exchange aware AV products register event sinks within Exchange. For example, before a message is sent to the categorizer, it is sent to the pre-submission queue where it is scanned for viruses or verified against the GAL. Other types of event sinks could be email disclaimers that are attached to say all outbound e-email or custom sinks that are fired based on rules you specify.
There may come a time where you need to view all registered event sinks. For example, you may have inherited an Exchange Server and which a previous admin may have registered custom event sinks that you are unaware of. In other circumstances, I've seen where products specifically AV software, in which the application was removed but the event sink was still registered and caused mail flow issues in which messages were stuck in the pre-submission queued.
To view all registered event sinks, follow the procedure below:
1. You need to download the smtpreg.vbs which you can get from the link below. I have heard that this file is also included in the Exchange SDK, but did not appear to be when I installed the SDK. You can also download the smtpreg.vbs from:
1. Once you have the smtpreg.vbs file, copy it to the root of your C:
2. Open command prompt, start run, cmd.
3. Type the following: C:\cscript smtpreg.vbs /enum
To pipe to a text file to easy viewing type:
C:\cscript smtpreg.vbs /enum > c:\file.txt
4. To remove the event sink. Go to your command prompt.
C:\cscript smtpreg.vbs /remove 1 sinkclass sinkname
1 = SMTP Virtual Service
Note: Sometimes duplicate sinks are registered. In this event, you will need to run this more than once. Re-run step 3 and verify the sink has been removed.
Another Method to view all event sinks is to download the Exchange SDK and launch Exchange Explorer.
MCSE M+, S+, MCTS, Security+
How useful was this article? Want to see a tip not listed? Please leave a comment.