Windows Services: NT, 2000 and XP
A list of all the 'standard' services [update: sp2 defaults are shown in Green]
Name | Service (Key) | Process | Description | Status (See Below) |
Alerter | Alerter | Services.exe [HKLM\SYSTEM\CurrentControlSet\Services\Alerter\Parameters] [HKLM\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries\<alertname>] | Distribute administrative alerts to specific users or machines, e.g. Performance Monitor thresholds are distributed as alerts. Requires the Messenger and Workstation services to be started. | Manual. May be disabled if the alerts are not needed. |
Alerts and Performance Logs (Win 2K) | sysmonLog | smlogsvc.exe | Configure performance logs and alerts. | Manual. May be disabled if the alerts are not needed. |
Application Layer Gateway Service (XP) | ALG | alg.exe | Support for Internet Connection Sharing and the Internet Connection Firewall | Automatic |
Application Management (Win 2K/XP) | appmgt | Services.exe or svchost.exe | Installation services (Add/Remove Programs) - Assign, Publish, and Remove. | Manual |
Automatic Updates (Win 2K/XP) | wuaUserv | svchost.exe -k wugroup | Enable the download and installation of critical Windows updates. | Automatic. If the service is stopped, the operating system can be manually updated at the Windows Update Web site. |
Background Intelligent Transfer Service (Win 2K) | BITS | svchost.exe -k BITSgroup | Transfer files in the background using idle network bandwidth. | Automatic. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. |
COM+ Event System | Event System | svchost.exe -k netsvcs | Automatic distribution of events to subscribing COM components. | Manual |
Clipbook Server | Clipsrv | Clipsrv.exe | Provides support for the Clipbook Viewer, which allows the clipboard of the source machine to be accessed remotely. | Manual (or disable.) Disabled by default in WinXP sp2 |
Computer Browser | Browser | Services.exe | Actively collect the names of NetBIOS resources on the network, creating a list so that it can participate as a master browser or basic browser (one that takes part in browser elections). This maintained list of resources (computers) is displayed in Network Neighborhood and Server Manager. | Automatic. If the machine is not connected to a LAN (stand-alone), or will not participate as a master browser or take part in elections, then feel free to change the status to manual (or disabled). This does not equate to disabling TCP/IP, so internet browsing is still possible. |
Cryptographic Services (XP) | CryptSvc | svchost.exe | Management of Certification Authority certificates. | Automatic |
DHCP Client | Dhcp | Services.exe or svchost.exe | Manage network configuration by registering and updating IP addresses and DNS names. | Automatic. On a home machine: Disable |
Distributed Link Tracking Client (Win 2K/XP) | TrkWks | Services.exe or svchost.exe | Send notification of files moving between NTFS volumes in a network domain. | Automatic or manual. |
Distributed Transaction Coordinator (Win 2K/XP) | msdtc | MSDTC.exe | Coordinate transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers. | Manual |
DNS Client (Win 2K/XP) | Dnscache | Services.exe | Resolves and caches Domain Name System (DNS) names. | Automatic. On a home machine: Disable |
Directory Replicator | Replicator | Lmrepl.exe | Replicate specified files & folders between computers. The host is the export server, and the target machines are called import computers. Replication is configured under Server in the Control Panel. | Automatic. Domain Controllers need this to replicate the Netlogon share. |
Error Reporting Service | Ersvc | svchost.exe | Report errors back to Microsoft in Redmond. | Automatic or manual (or disabled.) |
EventLog | EventLog | Services.exe | Record System, Security, and Application Events. Viewed with the MMC Event Viewer (eventvwr.exe in NT). | Automatic |
Fast User Switching Compatibility (XP) | FastUserSwitching Compatibility | svchost.exe | Enable multiple users to login to the same PC simultaneously. | Manual |
Fax Service (Win 2K/XP) | Fax | faxsvc.exe | Send and receive faxes | Automatic or Manual (or Disabled.) |
Help and Support (XP) | helpsvc | svchost.exe | Help and Support Center | Automatic. |
Human Interface Device Access (XP) | HidServ | svchost.exe | Support for extra keyboard 'hot buttons' and other multimedia input devices. | Manual (or Disabled.) |
IMAPI CD-Burning COM Service (XP) | ImapiService | imapi.exe | CD-Rom Burning | Automatic. |
Indexing Service (Win 2K/XP) | cisvc | cisvc.exe | Index the contents and properties of files on local and remote computers. [ RESOURCE HOG ] | Disable or uninstall through Control Panel Add/Remove |
Internet Connection Sharing (Win 2K) Windows Firewall (XP SP2) | SharedAccess | svchost.exe -k netsvcs | Network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection. | Automatic, unless you have chosen to disable the Application Layer Gateway Service for some reason. |
IPSEC Policy Agent (Win 2K/XP) | PolicyAgent | lsass.exe | Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. | Automatic or Manual (or Disabled.) |
License Logging Service | LicenseService | Llssrv.exe | License tracking on a server or DC (Domain Controller). | If disabled then licensing status alerts will not be generated. |
Logical Disk Manager (XP) | Dmserver | services.exe or svchost.exe | Required by the MMC Disk Management plug-in. | Automatic. |
Logical Disk Manager Administrative Service (XP) | Dmadmin | dmadmin.exe /com | Administrative service for disk management requests | Manual |
Message Queuing (XP) | | mqsvc.exe | Message Queuing | |
Message Queuing Triggers (XP) | | mqtgsvc.exe | Message Queuing | |
MS Software Shadow Copy Provider Service | swprv | dllhost.exe | Microsoft Backup Utility | Manual (or Disabled) |
Messenger | Messenger | Services.exe | Process the receipt or delivery of pop-up messages sent via NET SEND. This service is not related to Windows Messenger. | You may consider disabling this service to avoid misuse (and pop-up spam). But be aware that this does not fix the underlying vulnerability. Use a firewall. |
Network Connections (Win 2K/XP) | Netman | svchost.exe -k netsvcs | Manage objects in the Network and Dial-Up Connections folder (LAN and remote connections.) | Manual |
Net Logon | Netlogon | Lsass.exe (Local Security Authority Subsystem) | Network Authentication: maintains a synced domain directory database between the PDC and BDC(s), handles authentication of respective accounts on the DCs, and authenticates domain accounts on networked machines. | Automatic - when connected to a domain. Manual for stand-alone machines. |
NetMeeting Remote Desktop Sharing | Mnmsrvc | mnmsrvc.exe | Allows authorized people to remotely access your Windows desktop using NetMeeting. | Manual. On a home machine: Disable |
Network DDE | NetDDE | Netdde.exe | Support the network transport of DDE (Dynamic Data Exchange) connections. Such connectivity is mostly a relic from the NT 3.x days, and interaction with Windows for Workgroups clients. Some Win32 NetDDE APIs are still used, but such APIs are thunked down to 16-bit. Requires Network DDE DSDM to be started. | Manual (or Disabled.) Disabled by default in WinXP sp2 |
Network DDE DSDM | NetDDEdsdm | Netdde.exe | Manage shared DDE conversations (from shares like: \\computername\ndde$). | Manual (or Disabled.) Disabled by default in WinXP sp2 |
NLA - Network Location Awareness (XP) | nla | svchost.exe | Part of Internet Connection Sharing (ICS) and the Internet Connection Firewall (ICF) | Automatic, unless you have chosen to disable the Application Layer Gateway Service for some reason. |
NT LM Security Support Provider | NtLmSsp | Services.exe | Extends NT security to Remote Procedure Call (RPC) programs using various transports other than named pipes. RPC activity is quite common, and most RPC apps don't use named pipes. | Manual |
Plug and Play | PlugPlay | Services.exe | Plug and Play. Do not disable this service. | Automatic |
Universal Plug and Play Host | UPNPhost | svchost.exe | Device Host. Detect and configure external UPnP devices. UPnP device = platform independent. | Manual (or Disabled.) On a home machine: Disable |
Protected Storage | ProtectedStorage | Pstores.exe | Encrypt and store secure info: SSL certificates, passwords for Outlook, Outlook Express, Profile Assistant, MS Wallet, and digitally signed S/MIME keys. | Automatic. |
QoS RSVP (Win 2K) | rsvp | rsvp.exe -s | Provide network signaling and local traffic control setup functionality for QoS-aware programs and control applets. | Manual (or Disabled.) |
Remote Access Auto Connection Manager or Remote Access AutoDial Manager | Rasauto | svchost.exe -k netsvcs | Activates automatic dial-up when a URL link is clicked. Required for some but not all RAS, ADSL or Cable connections. | Manual (or disabled.) |
Remote Access Connection Manager (Win 2K/XP) | Rasman | svchost.exe -k netsvcs | Required for most but not all RAS, ADSL or Cable connections. | Manual (or disabled.) |
Remote Desktop Help Session Manager (XP) | RDSessMgr | sessmgr.exe | Remote Desktop Help Session Manager. | Manual (or disabled.) |
Remote Procedure Call (RPC) Locator | RpcLocator | Locator.exe | Maintain the RPC name server database, requires the RPC service (below) to be started. Database of available server applications. | Manual. |
Remote Procedure Call (RPC) Service or Remote Procedure Call (RPC) | RpcSs | Rpcss.exe or svchost -k rpcss | This RPC subsystem is crucial to the operations of any RPC activities taking place on a system (DCOM, Server Manager, User Manager). Rpcss.exe is also known as dcomss.exe (Distributed Common Object Model). | Automatic. Do not even THINK about disabling this one! Many essential services are dependent on RPC. To avoid RPC security issues, block with a firewall. |
Remote Registry Service (Win 2K/XP) | RemoteRegistry | regsvc.exe | Allow remote registry manipulation. | Automatic (or disabled.) |
Removable Storage (Win 2K/XP) | Ntmssvc | svchost.exe -k netsvcs | Manage removable media, drives, and libraries. | Manual. |
RIP Listener (XP - option) | | | Listen for RIP announcements from routers and modify the routing table accordingly. | To use the RIP Listener service, your adjacent routers must support the RIP v1 protocol. You'll find the RIP Listener service under Add/Remove Windows Components - Networking Services. |
Routing and Remote Access (Win 2K/XP) | RemoteAccess | svchost.exe -k netsvcs | Allow incoming connections via dial in or VPN. | Automatic or Manual or Disabled. Disabled by default in WinXP sp2 |
RunAs Service (Win 2K) Secondary Logon (Win XP) | secLogon | services.exe or svchost.exe | Enables starting processes under alternate credentials. | Automatic or Manual or Disabled. |
Schedule or Task scheduler | Schedule | atsvc.exe or mstask.exe | This service is required for the use of the AT command, which allows the scheduling of commands (Jobs) to be run on the machine, at a specific date & time. Under NT it's a Resource Hog. Under XP it's used by some auto-tuning operations. | Automatic |
Security Accounts Manager (Win 2K) | SamSs | lsass.exe | Stores security information for local user accounts. | Automatic |
Server | LanmanServer | Services.exe | Support for file sharing, print sharing, and named pipe sharing via SMB services. Perhaps surprisingly this is normally disabled on an IIS Server. | Automatic, Manual (or Disabled) |
Shell Hardware Detection (XP) | ShellHWDetection | svchost.exe | CD Autoplay | Automatic. |
Simple TCP/IP Services (Win 2K) | SimpTcp | tcpsvcs.exe | Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. | |
Smart Card (Win 2K/XP) | ScardSrv | SCardSvr.exe | Manages and controls access to a smart card inserted into a smart card reader attached to the computer. | Manual (or Disabled) |
Smart Card Helper (Win 2K/XP) | ScardDrv | SCardSvr.exe | Provides support for legacy smart card readers attached to the computer. | Manual (or Disabled) Removed in XP SP2 |
SNMP Service (Win 2K/XP) | Snmp | snmp.exe | Agents that monitor the activity in network devices and report to the network console workstation. | Automatic (if installed) |
SNMP Trap Service (Win 2K) | Snmptrap | snmptrap.exe | Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on this computer. | Automatic (if installed) |
SSDP Discovery Service | SSDPSRV | svchost.exe | Simple Service Discovery Protocol. Enables discovery of UPnP devices on your home network. | Manual (or Disabled) |
Spooler or Print Spooler | Spooler | Spoolss.exe or Spoolsv.exe | The NT printing subsystem. | Automatic - if you print documents. If no printing is ever done, set to manual (or disabled). If you are having trouble with a printer not responding, you can try restarting this service. This cancels all pending print jobs. |
System Event Notification (Win 2K/XP) | SENS | svchost.exe -k netsvcs | Track system events such as Windows logon, network, and power events. Notify COM+ Event System subscribers of these events. | Automatic. |
System Restore Service (XP) | srservice | svchost.exe | Creates system snapshots. [ RESOURCE HOG ] | Automatic or Manual (or Disabled). Before stopping this service turn off System Restore in Control Panel, Performance, system. |
TCP/IP NetBIOS Helper or TCP/IP NetBIOS Helper Service | lmHosts | Services.exe | Support for name resolution via a lookup of the LMHosts file (NetBIOS/WINS). This is an alternative to the more standard DNS lookup. | If you use an LMHosts file for name resolution, set to automatic. If you don't, then set to manual. |
Telephony | TapiSrv | Tapisrv.exe | Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections. e.g unimodem modems. | Manual |
Telnet (Win 2K) | TlntSvr | tlntsvr.exe | Allows a remote user to log on to the system and run console programs using the command line. | Manual or Disabled. Very insecure, presents a security risk when running. |
Terminal Services (XP) | TermService | svchost.exe | Required for Fast User Switching, Remote Desktop and Remote Assistance | Manual (or Disabled) |
Themes (XP) | Themes | svchost.exe | XP Active Desktop Themes, and quick launch toolbars [ RESOURCE HOG ] | Manual (or Disabled) |
Upload Manager | uploadmgr | svchost.exe | Upload Manager. | Manual (or Disabled) Removed in XP SP2 |
UPS or Uninterruptible Power Supply | UPS | Ups.exe | Support for an Uninterruptible Power Supply (UPS) physically connected to the machine. | Not every UPS will need or use this service. |
Utility Manager (Win 2K) | UtilMan | UtilMan.exe | Starts and configures accessibility tools from one window | |
Volume Shadow Copy (XP) | VSS | vssvc.exe | MS Backup - A volume shadow copy is a picture of the volume at a particular moment in time. That means a computer can be backed up while files are open and applications running. | Manual or Disable. See MS Software Shadow Copy Provider Service |
WebClient (XP) | WebClient | svchost.exe | Allow access to web-resident disk storage from an ISP. WebDAV "internet disks" such as Apple's iDisk. | Manual (or Disabled) On a home machine: Disable |
Windows Audio (XP) | AudioSrv | svchost.exe | Sound Driver | Automatic or disable if no sound card. Note that disabling the sound driver won't stop sounds from playing - you just won't hear them. |
Windows Image Acquisition | stisvc | svchost.exe | Required for some but not all scanners. | Manual |
Windows Installer | MSIServer | MsiExec.exe /V | Install, repair and remove software according to instructions contained in .MSI files. | Manual |
Windows Management Instrumentation (Win 2K/XP) | WinMgmt | C:\WINNT\System32\WBEM\WinMgmt.exe | Provides system management information. | Automatic |
Windows Management Instrumentation Driver Extensions (Win 2K) | Wmi | Services.exe | Provides systems management information to and from drivers. | Manual |
Windows Time (Win 2K) | W32time | services.exe | Update the computer clock by reference to an internet time source or a time server. | Automatic or disable. |
Wireless Zero Configuration | WZCSVC | svchost.exe | Configure wireless network devices. | Automatic or disable. |
WMI Performance Adapter | WmiApSrv | wmiapsrv.exe | Collect performance library information. | Manual |
Workstation | lanmanworkstation | Services.exe | Communications and network connections. Services dependent on this being started: Alerter, Messenger, and Net Logon. | Automatic, or Manual for a stand-alone PC with no LAN or internet connection. |
Changing the status of a service
The status settings above work for me, but your mileage may vary. Before changing any of the defaults, use the links above to find out more about what exactly the service does.
It is inadvisable to disable a service without being aware of the consequences. Always start by setting the service to manual, then reboot and test for any problems.
A service set to manual may be automatically restarted if another service is dependent on it.
A service set to disabled will not restart even if it's required to boot the machine!
Many XP services communicate and send data directly to Microsoft - if confidentiality is important to you, then managing the running of these services should be a part of your security evaluations.
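An added example (not part of the original page): a Python check over captured `sc qc` output that lists what depends on a service before its start type is changed. It covers both cases above: a manual service that an auto-start dependent starts anyway, and dependents that fail once a service is disabled. The sample output is constructed; its dependencies follow the table, and the start types and function names are illustrative.

```python
import re

# Constructed `sc qc <name>` capture, trimmed to the fields used here.
# Dependencies follow the table above; the start types are illustrative.
SC_QC_SAMPLE = """
SERVICE_NAME: LanmanWorkstation
        START_TYPE         : 2   AUTO_START
SERVICE_NAME: Messenger
        START_TYPE         : 3   DEMAND_START
        DEPENDENCIES       : LanmanWorkstation
SERVICE_NAME: Alerter
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       : LanmanWorkstation
                           : Messenger
SERVICE_NAME: Netlogon
        START_TYPE         : 3   DEMAND_START
        DEPENDENCIES       : LanmanWorkstation
SERVICE_NAME: NetDDEdsdm
        START_TYPE         : 4   DISABLED
SERVICE_NAME: NetDDE
        START_TYPE         : 4   DISABLED
        DEPENDENCIES       : NetDDEdsdm
"""

def parse_sc_qc(text):
    """Return {service: {"start": START_TYPE name, "deps": [service names]}}."""
    services, current, last_key = {}, None, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]*)\s*:\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1) or last_key, m.group(2).strip()
        last_key = key            # a bare ": name" line continues the previous key
        if key == "SERVICE_NAME":
            current = services.setdefault(value, {"start": None, "deps": []})
        elif current and key == "START_TYPE":
            current["start"] = value.split()[1]
        elif current and key == "DEPENDENCIES" and value:
            current["deps"].append(value)
    return services

def dependents(services, target):
    """All services that directly or indirectly depend on target (case-insensitive)."""
    found, queue = set(), [target.lower()]
    while queue:
        needed = queue.pop()
        for name, cfg in services.items():
            if name not in found and needed in (d.lower() for d in cfg["deps"]):
                found.add(name)
                queue.append(name.lower())
    return found

def breaks_if_disabled(services, target):
    """Dependents that are still allowed to start and would fail without target."""
    return sorted(n for n in dependents(services, target)
                  if services[n]["start"] != "DISABLED")

def started_despite_manual(services):
    """Manual services that an auto-start dependent will pull up at boot anyway."""
    return {n: hits for n, c in services.items() if c["start"] == "DEMAND_START"
            and (hits := sorted(d for d in dependents(services, n)
                                if services[d]["start"] == "AUTO_START"))}
```

On a real machine, feed it the concatenated `sc qc` output for every service and review `breaks_if_disabled` for the service in question before changing its start type.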
Performance
Stopping or disabling a service will generally save just a small amount of memory. Of far more importance is the number of software interrupts produced by the service, as these will affect system performance. In particular, other processes will take longer to start up as they fight for a place in an overcrowded message queue.
DCOM
The Distributed COM interface (DCOM) is the subject of many recent exploits (Blaster and others). If you don't need it: START, RUN dcomcnfg.exe, select the default properties tab and uncheck "enable DCOM".
Do be aware that DCOM is required by some applications. Specifically, many Windows installer packages use WMI & DCOM to discover installed components. Documentation of this is incomplete, but it's easy enough to re-enable DCOM if an installer needs it to be running.
If you have a properly configured firewall then it's safe to leave DCOM running.
IIS
The following services are added by Internet Information Server, IIS (inetinfo.exe): FTP Publishing Service, IIS Admin, Simple Mail Transport Protocol (SMTP), World Wide Web Publishing Service.
Enable or Disable Ports
Many services and applications rely on the use of a specific PORT. To determine if a particular port is enabled for use, review the list of service names and port numbers held in the "services" file ('windows\system32\drivers\etc\services').
Installing a good firewall is the easiest way to manage this.
Related commands:
DRIVERQUERY - display device drivers and properties (Resource Kit)
SC - Service Control
TASKLIST - List running Tasks and Services
WinMSD - List running services
Safe Mode - Press F8 during bootup to start with minimal services running.
Recovery - The Recovery Console
WMIC SERVICE - WMI access to services.
Q288129 - Grant users the right to manage services
Q263201 - Default Processes
Q244905 - How to disable a service at boot
Q314056 - What is SvcHost
Links
Microsoft Glossary - List of all services for Windows 2K
Microsoft Defaults - Default settings for Win XP Services
The Register - Part 1 & 2 - Review of Win XP Services
BlackViper.com - Services guide
The Elder Geek - Services Guide