After enabling the light forwarder on a Windows machine, I noticed that the splunk-regmon.exe and splunk-wmi.exe still run as processes. Since I only use the light forwarder to monitor some application log files, Is it ok to disable the splunk-regmon.exe, splunk-wmi.exe, and spunk-admon.exe by adding the following configuration to inputs.conf in C:\Program Files\Splunk\etc\system\local\
Yah, the sample_app being enabled by default is the one that bit me. Deploying 100 windows light forwarders at once resulted in my indexer being immediately splooged with 100 * 8MB of sendmail data from the sample_app maillog files.
I used the MSI flag to enable LIghtForwarder app, which disables a lot, but doesn't disable the other apps.