Windows Services


As mentioned earlier, services are programs that are run by Windows without the need for an interactive logon. They are not part of the Windows kernel, but are applications that nevertheless provide essential system functions.

Services can be configured to start automatically as soon as Windows starts up (this includes services like Remote Desktop and the Event Logging system); to start up manually, either by you, when you want it or more often, when requested by another service or application (this includes the CD Burning service); and a "disabled" setting that prevents the service from running at all.

Most Windows service programs are packaged as dynamic link libraries (.DLLs) rather than as standalone executable ( .EXE ) files. These are loaded and called by svchost .exe . Svchost is a small program that contains the code a service needs to interact with the Windows Service Controller, but none of the code to actually implement a service. Svchost calls functions in the service's dynamic link library to do whatever job the service requires. One running copy of svchost can load and manage any number of services. This reduces the amount of memory each service consumes: the DLL method requires a minimum of about 150KB of memory per added service, versus a minimum of about 800KB for each service contained in a separate .EXE file.

On a typical Windows XP Professional installation, five to seven copies of svchost are started up (you can see them if you type Ctrl+Alt+Del and view the Processes tab), and collectively they manage about 40 services.

Many services rely on other services to do their job. These dependencies are tracked by Windows, and the relied-upon services are automatically started before their dependents. When Windows starts, the Service Controller program services.exe is started, and it uses the following procedure to start device drivers and services in an orderly fashion.

1.
The Service Controller ( services.exe ) scans the Registry subkeys under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services . Each subkey lists the service name for each device driver, filter, and service. Entries with a Type value of 10 or 20 (hex) are services. The Service Manager creates a list of all items that have a start mode of System, Boot, or Automatic. All of these are started when Windows boots up.

Although the Service Controller starts many device drivers as well as services, we'll focus on services here.

2.
Under each service's subkey are optional values named Group , DependOnGroup , and DependOnService . The Service Controller starts up services in the following order

  • Services with a Group value are considered first, with groups started in the order specified by the Registry value HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List , which is listed in Table 4.4.

  • Within each group, services with no dependencies are started first. Services with names listed in their DependOnGroup or DependOnService values are started only after, and only if, the named groups or services have successfully started.

  • Services with no group name are started last. Again, services with no dependencies are started first. Services with dependencies are started only after, and only if, the named groups or services have successfully started.

3.
When the Service Controller is to start a given service, it examines the Registry value HKLM\SYSTEM\CurrentControlSet\Services\Alerter\ImagePath , which contains the name of the executable file to start and any additional command-line parameters to pass to it. The Service Controller starts the specified program using the designated account credentials (LOCAL_SYSTEM, LOCAL_SERVICE, NETWORK_SERVICE, or a specified user account).

4.
When the service executable program starts up, it communicates to the Service Controller the name or names of any services it is designed to provide. In the future, if the Service Controller needs to start any other services that this executable program says it supports, it will not start a new copy of the program but will simply notify the existing process to start operating the additional service. This minimizes the number of separate processes required. (Presumably the Service Controller checks the definitions for any additional services to be sure that they point to the same executable; otherwise , a process could hijack other services and compromise the system.)

5.
The Service Controller signals the service process to start operating the designated service. The service process communicates its progress back to the Service Controller, indicating that the service status is "Starting," and then "Started." If the service process fails to report its status within a limited amount of time (30 seconds by default, or more if the service has indicated that it may need more time), or if the service process crashes, the Service Controller considers it to have failed.

Services.exe , besides acting as the Service Controller for all services, implements two services by itself: the Event Log service, and the Plug and Play service, presumably because these are required during Windows startup before any other services are started.

For services packaged as DLLs run by svchost.exe , the -k parameter passed to an instance of svchost tells it what set of services the particular svchost instance is to support. The names are recorded in Registry key HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Svchost . For example, when the first service whose ImagePath value has the command line %SystemRoot%\System32\svchost.exe -k LocalService is started, svchost examines value HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Svchost\LocalService , which contains the REG_MULTI_SZ string

 Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV 

This instance of svchost.exe will inform the Service Controller that it manages these six services. When the time comes to start one of the other five services, the Service Controller will not run an additional copy of svchost.exe , but will instruct the appropriate already-running instance to start the additional service.

For each service that svchost.exe is instructed to start, it examines Registry key HKLM\System\CurrentControlSet\Services\ servicename \Parameters value ServiceDll for the name of a DLL file to load. It loads the designated DLL and calls routines within it that actually perform the service functions. Table 4.5 lists the services implemented by the five or six instances of svchost.exe started when Windows XP starts. (The same DLL might contain more than one service; each would have a different entry point function in the DLL.) The services themselves are listed in detail in the next section.

Table 4.5. Svchost Service Groups

Svchost Group

Logon Account

Service Name

DcomLaunch

LocalSystem

DcomLaunch

HTTPFilter

LocalSystem

HTTPFilter

imgsvc

LocalSystem

StiSvc

LocalService

LocalService

Alerter LmHosts , RemoteRegistry , SSDPSRV , unphost , WebClient

netsvcs

LocalSystem

6to4, AppMgmt, AudioSrv, BITS, Browser, CryptSvc, DHCP, DMServer, ERSvc, EventSystem, FastUserSwitchingCompatibility, helpsvc, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, asauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, ShellHWDetection, SRService, Tapisrv, TermService, Themes, TrkWks, W32Time, winmgmt, WmdmPmSp, Wmi, wscsvc, wuauserv, WZCSVC, xmlprov

NetworkService

NetworkService

DnsCache

rpcss

NetworkService

RpcSs


Services often have to have wide- ranging privileges. For example, services that catalog (index) or back up the hard disk must be able to read any file on the disk, regardless of permission settings. (They, of course, must take responsibility for the data they collect, and only release it to authorized users.) Yet, one of the basic principles of computer and network security is to never give a program more than the minimum level of privilege it needs to get its job done. Therefore Windows runs services in the context of a user logon account, and the service gains only the privileges of its associated account. There are several "built-in" accounts provided with Windows that are never used for interactive logon, but solely to run services.

Most services are run under the LocalSystem account. This account can access any file or other secured object, and has all possible system privileges. It's the service's version of the Administrator account, and lets the service do whatever it needs, but it also is a problem if the service is compromised by a hacker, who could obtain full access to the entire system. When services are written correctly, they can usually be run under lower-privilege user accounts. Windows predefines two accounts for use by services:

LocalService This account has a reduced privilege level. Its file access rights can be controlled on NTFS file systems. When services under this account access the network, they do not present user credentials to other computers; they use anonymous access methods .

NetworkService This account is like LocalService but when it accesses the network, it uses the local machine account rather than anonymous access. On a domain network, this lets services run under NetworkService perform domain operations on behalf of another computer, such as replication.

Custom services may be installed with different user credentials.

Caution

Do not attempt to change the logon user account for a standard Windows service without explicit instructions to do so from Microsoft; changing a service's account or privileges may make it fail or may prevent Windows from starting.


List of Windows Services

This section lists the standard services provided with Windows XP. Not all of these services may be installed on a given system, depending on the optional software and hardware installed. The first line in each table row contains the service name in boldface, followed by the service's display name. Where DLL files are listed, the service is run from svchost.exe . These details are discussed in more detail later in the section.

Services with a Start mode of "Auto" are started when Windows boots, but may shut themselves down if they have no work to do. Services with a Start mode of "Manual" are usually started automatically by other services or applications when they are needed.

The list of Windows XP services includes:

  • 6to4 IPv6 Helper Service. Provides DDNS name registration and automatic IPv6 connectivity over an IPv4 network. (Installed with the IPV6 optional network protocol. The Tcpip6 item listed in the dependency list is a network protocol driver, not a service.)

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    6to4svc.dll

    Dependencies:

    RpcSs, Tcpip6, winmgmt


  • Alerter Notifies selected users and computers of administrative alerts.

    Start mode:

    Auto

    Login account:

    LocalService

    DLL file:

    alrsvc.dll

    Dependencies:

    lanmanworkstation


  • ALG Application Layer Gateway Service. Provides support for third-party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.

    Start mode:

    Manual

    Login account:

    LocalService

    EXE file:

    alg.exe


  • AppMgmt Application Management. Provides software installation services such as Assign, Publish, and Remove.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    appmgmts.dll


  • aspnet_state ASP.NET State Service. Provides support for out-of-process session states for ASP.NET.

    Start mode:

    Manual

    Login account:

    NetworkService

    EXE file:

    aspnet_state.exe


  • AudioSrv Windows Audio. Manages audio devices for Windows-based programs.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    audiosrv.dll

    Load group:

    AudioGroup

    Dependencies:

    PlugPlay, RpcSs


  • BITS Background Intelligent Transfer Service. Transfers files in the background using idle network bandwidth. Features such as Windows Update, Automatic Updates, and MSN Explorer depend on this service.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    qmgr.dll

    Dependencies:

    RpcSs

    Failure action:

    Restart service after 60 seconds


  • Browser Computer Browser. Maintains an updated list of computers on the network and supplies this list to computers designated as browsers.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    browser.dll

    Dependencies:

    lanmanworkstation, lanmanserver


  • cisvc Indexing Service. Indexes contents and properties of files on local and remote computers; used for desktop search and Internet Information Services Server Extensions searching.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    cisvc.exe

    Dependencies:

    RpcSs


  • ClipSrv ClipBook. Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped , ClipBook Viewer will not be able to share information with remote computers.

    Start mode:

    Disabled

    Login account:

    LocalSystem

    DLL files:

    catsrv.dll and comsvcs.dll , via COM+ and dllhost.exe

    Dependencies:

    NetDDE


  • COMSysApp COM+ System Application. Manages the configuration and tracking of Component Object Model COM+ components. Most COM+-based components depend on this service.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    dllhost.exe

    Dependencies:

    RpcSs

    Failure action:

    Restart service after 1 second, 5 seconds


  • CryptSvc Cryptographic Services. Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll the computer for certificates.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    cryptsvc.dll

    Dependencies:

    RpcSs


  • DcomLaunch DCOM Server Process Launcher. Provides launch functionality for DCOM services.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    rpcss.dll

    Load group:

    Event Log

    Failure action:

    REBOOT after 60 seconds


  • Dhcp DHCP Client. Manages network configuration by registering and updating IP addresses and DNS names.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    dhcpcsvc.dll

    Load group:

    TDI

    Dependencies:

    Tcpip, AFD, NetBT


  • dmadmin Logical Disk Manager Administrative Service. Configures hard disk drives and volumes . The service only runs for configuration processes and then stops.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    dmadmin.exe

    Dependencies:

    RpcSs, PlugPlay, dmserver


  • dmserver Logical Disk Manager. Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. Maintains configuration information for dynamic disks.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    dmserver.dll

    Dependencies:

    RpcSs, PlugPlay


  • Dnscache DNS Client. Resolves and caches Domain Name System (DNS) names for this computer.

    Start mode:

    Auto

    Login account:

    NetworkService

    DLL file:

    dnsrslvr.dll

    Load group:

    TDI

    Dependencies:

    Tcpip


  • ERSvc Error Reporting Service. Allows error reporting for services and applications running in nonstandard environments.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    ersvc.dll

    Dependencies:

    RpcSs


  • Eventlog Event Log. Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. This service is provided directly by the Service Controller process.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    services.exe

    Load group:

    Event log


  • EventSystem COM+ Event System. Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    es.dll

    Load group:

    Network

    Dependencies:

    RpcSs


  • FastUserSwitchingCompatibility Fast User Switching Compatibility. Provides management for applications that require assistance in a multiple user environment.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    shsvcs.dll

    Dependencies:

    TermService


  • Fax Enables you to send and receive faxes, using fax resources available on this computer or on the network.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    fxssvc.exe

    Dependencies:

    TapiSrv, RpcSs, PlugPlay, Spooler


  • helpsvc Help and Support. Enables Help and Support Center to run on this computer.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    pchsvc.dll

    Dependencies:

    RpcSs

    Failure action:

    Restart service after 100 milliseconds


  • HidServ HID Input Service. Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    hidserv.dll

    Dependencies:

    RpcSs


  • HTTPFilter HTTP SSL. This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL).

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    w3ssl.dll

    Dependencies:

    HTTP


  • IISADMIN IIS Admin. Allows administration of web and FTP services through the Internet Information Services snap-in. Installed with IIS; not available on Windows XP Home Edition.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    inetinfo.exe

    Dependencies:

    RpcSs, SamSs

    Failure action:

    Run repair program after 1 millisecond


  • ImapiService IMAPI CD-Burning COM Service. Manages CD recording using Image Mastering Applications Programming Interface (IMAPI).

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    imapi.exe


  • Iprip RIP Listener. Listens for route updates sent by routers that use the Routing Information Protocol version 1 (RIPv1).

    Start mode:

    Auto, when RIP network support is installed

    Login account:

    LocalSystem

    DLL file:

    iprip.dll

    Dependencies:

    RpcSs


  • irmon Infrared Monitor Service. Monitors an infrared (IrDA) interface for connections to other computers and devices; primarily used on laptops, PDAs, and printers.

    Startup mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    irmon.dll


  • lanmanserver Server. Supports file, print, and named-pipe sharing over the network for this computer. This service lets you share your folders and printers with other computers.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    srvsvc.dll


  • lanmanworkstation Workstation. Creates and maintains client network connections to remote servers. This service lets you use folders and printers shared by other computers.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    wkssvc.dll

    Load group:

    NetworkProvider


  • LmHosts TCP/IP NetBIOS Helper. Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

    Start mode:

    Auto

    Login account:

    LocalService

    DLL file:

    lmhsvc.dll

    Load group:

    TDI

    Dependencies:

    NetBT, AFD


  • LPDSVC TCP/IP Print Server. Provides a TCP/IP-based printing service that uses the Line Printer protocol. Installed as part of Print Services for UNIX.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    tcpsvcs.exe

    Dependencies:

    Tcpip, Spooler


  • Messenger Transmits "net send" and Alerter service messages between clients and servers. This service is used primarily for network administrators to notify users of system outages, or for the Performance Logs and Alerts service to notify system managers of system problems. It is not related to the Windows Messenger chat program. Starting with Windows XP Service Pack 2, this service is disabled by default, as it was abused by spammers to post pop-up ads.

    Start mode:

    Disabled

    Login account:

    LocalSystem

    DLL file:

    msgsvc.dll

    Dependencies:

    lanmanworkstation, NetBIOS, PlugPlay, RpcSs


  • mnmsrvc NetMeeting Remote Desktop Sharing. Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    mnmsrvc.exe


    Note: This service can interact with the desktop.

  • MSDTC Distributed Transaction Coordinator. Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.

    Start mode:

    Manual

    Login account:

    NetworkService

    EXE file:

    msdtc.exe

    Load group:

    MS Transactions

    Dependencies:

    RpcSs, SamSs


  • MSFtpsvc FTP Publishing. Provides FTP connectivity and administration through the Internet Information Services snap-in. Installed with IIS; not available on Windows XP Home Edition.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    inetinfo.exe

    Dependencies:

    IISADMIN


  • MSIServer Windows Installer. The Windows installer service coordinates installation and removal of applications.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    msiexec .exe

    Dependencies:

    RpcSs


  • MSMQ Message Queuing. Provides a communications infrastructure for distributed, asynchronous messaging applications. Installed with optional Microsoft Message Queuing network component.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    mqsvc.exe

    Dependencies:

    MQAC, RMCAST, lanmanserver, NtLmSsp, RpcSs, MSDTC


  • MSMQTriggers Message Queuing Triggers. Associates the arrival of incoming messages at a queue with functionality in a COM component or a standalone executable program. Installed with optional Microsoft Message Queuing network component.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    mqtgsvc.exe

    Dependencies:

    MSMQ


  • NetDDE Network DDE. Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers.

    Start mode:

    Disabled

    Login account:

    LocalSystem

    EXE file:

    netdde.exe

    Load group:

    NetDDEGroup

    Dependencies:

    NetDDEdsdm


  • NetDDEdsdm Network DDE DSDM. Manages Dynamic Data Exchange (DDE) network shares.

    Start mode:

    Disabled

    Login account:

    LocalSystem

    EXE file:

    netdde.exe


  • Netlogon Net Logon. Supports pass-through authentication of account logon events for computers in a domain.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    lsass.exe

    Load group:

    RemoteValidation

    Dependencies:

    lanmanworkstation


  • Netman Network Connections. Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    netman.dll

    Dependencies:

    RpcSs


    Note: This service can interact with the desktop.

  • Nla Network Location Awareness (NLA). Collects and stores network configuration and location information, and notifies applications when this information changes.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    mswsock.dll

    Dependencies:

    Tcpip, AFD


  • NtLmSsp NT LM Security Support Provider. Provides security to remote procedure call (RPC) programs that use transports other than named pipes.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    lsass.exe


  • NtmsSvc Removable Storage. The Removable Storage service tracks and manages removable media such as tapes used for backups and archiving.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    ntmssvc.dll

    Dependencies:

    RpcSs


  • ose Office Source Engine. Saves installation files used for Microsoft Office updates and repairs and is required for the downloading of Setup updates and Watson error reports . (Installed as part of Microsoft Office.)

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    ose.exe


  • p2pgasvc Peer Networking Group Authentication. Provides Network Authentication for Peer Group Members. Installed with optional Peer-to-Peer networking support.

    Start mode:

    Manual

    Login account:

    LocalService

    DLL file:

    p2pgasvc.dll

    Dependencies:

    p2pimsvc


  • p2pimsvc Peer Networking Identity Manager. Provides Identity service for Peer Networking. Installed with optional Peer-to-Peer networking support.

    Start mode:

    Manual

    Login account:

    LocalService

    DLL file:

    p2psvc.dll


  • p2psvc Peer Networking. Provides Peer Networking services. Installed with optional Peer-to-Peer networking support.

    Start mode:

    Manual

    Login account:

    LocalService

    DLL file:

    p2psvc.dll

    Dependencies:

    PNRPSvc, p2pgasvc


  • PlugPlay Plug and Play. Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. This service is provided directly by the Service Controller process.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    services.exe

    Load group:

    PlugPlay


  • PNRPSvc Peer Name Resolution Protocol. Enables Serverless Peer Name Resolution over the Internet. Installed with optional Peer-to-Peer networking support.

    Start mode:

    Manual

    Login account:

    LocalService

    DLL file:

    p2psvc.dll

    Dependencies:

    Tcpip6, p2pimsvc


  • PolicyAgent IPSEC Services. Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    lsass.exe

    Dependencies:

    RpcSs, Tcpip, IPSec


  • ProtectedStorage Protected Storage. Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    lsass.exe

    Dependencies:

    RpcSs


    Note: This service can interact with the desktop.

  • RasAuto Remote Access Auto Connection Manager. Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    rasauto.dll

    Dependencies:

    RasMan, TapiSrv


  • RasMan Remote Access Connection Manager. Makes and manages temporary network connections including modem dialup and PPPoE.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    rasmans.dll

    Dependencies:

    TapiSrv


  • RDSessMgr Remote Desktop Help Session Manager. Manages and controls Remote Assistance.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    sessmgr.exe

    Dependencies:

    RpcSs


  • RemoteAccess Routing and Remote Access. Offers routing services to businesses in local area and wide area network environments.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    mprdim.dll

    Dependencies:

    RpcSs


  • RemoteRegistry Remote Registry. Enables remote users to modify Registry settings on this computer. If this service is stopped, the Registry can be modified only by users on this computer.

    Start mode:

    Auto

    Login account:

    LocalService

    DLL file:

    regsvc.dll

    Dependencies:

    RpcSs

    Failure action:

    Restart service after 1 second


  • RpcLocator Remote Procedure Call (RPC) Locator. Manages the RPC name service database.

    Start mode:

    Manual

    Login account:

    NetworkService

    EXE file:

    locator.exe

    Dependencies:

    lanmanworkstation


  • RpcSs Remote Procedure Call (RPC). Provides the endpoint mapper and other miscellaneous RPC services.

    Start mode:

    Auto

    Login account:

    NetworkService

    DLL file:

    rpcss.dll

    Load group:

    COM Infrastructure

    Failure action:

    REBOOT after 60 seconds


  • RSVP QoS RSVP. Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    rsvp.exe

    Dependencies:

    Tcpip, AFD, RpcSs


  • SamSs Security Accounts Manager. Stores security information for local user accounts.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    lsass.exe

    Load group:

    LocalValidation

    Dependencies:

    RpcSs


  • SCardSvr Smart Card. Manages access to smart cards read by this computer.

    Start mode:

    Manual

    Login account:

    LocalService

    EXE file:

    scardsvr.exe

    Load group:

    SmartCardGroup

    Dependencies:

    PlugPlay


  • Schedule Task Scheduler. Enables a user to configure and schedule automated tasks on this computer.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    schedsvc.dll

    Load group:

    SchedulerGroup

    Dependencies:

    RpcSs


    Note: This service can interact with the desktop.

  • seclogon Secondary Logon. Enables starting processes under alternative credentials.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    seclogon.dll


    Note: This service can interact with the desktop.

  • SENS System Event Notification. Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    sens.dll

    Load group:

    Network

    Dependencies:

    EventSystem


  • SharedAccess Windows Firewall/Internet Connection Sharing (ICS). Provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    ipnathlp.dll

    Dependencies:

    Netman, winmgmt


  • ShellHWDetection Shell Hardware Detection. Provides notifications for AutoPlay hardware events.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    shsvcs.dll

    Load group:

    ShellSvcGroup

    Dependencies:

    RpcSs


  • SimpTcp Simple TCP/IP Services. Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. Installed with Simple TCP/IP Services optional networking component.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    tcpsvcs.exe

    Dependencies:

    AFD


  • SMTPSVC Simple Mail Transfer Protocol (SMTP). Transports electronic mail across the network. Installed with IIS; not available on Windows XP Home Edition.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    inetinfo.exe

    Dependencies:

    IISADMIN, Eventlog


  • SNMP SNMP Service. Includes agents that monitor the activity in network devices and report to the network console workstation. Installed with the SNMP optional networking component.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    snmp.exe

    Dependencies:

    Eventlog


  • SNMPTRAP SNMP Trap Service. Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on this computer. Installed with the SNMP optional networking component.

    Start mode:

    Manual

    Login account:

    LocalService

    EXE file:

    snmptrap.exe

    Dependencies:

    Eventlog


  • Spooler Print Spooler. Loads files to memory for later printing.

    Start mode:

    Auto

    Login account:

    LocalSystem

    EXE file:

    spoolsv.exe

    Load group:

    SpoolerGroup

    Dependencies:

    RpcSs

    Failure action:

    Restart service after 60 seconds


    Note: This service can interact with the desktop.

  • srservice System Restore Service. Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer, Properties

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    srsvc.dll

    Dependencies:

    RpcSs


  • SSDPSRV SSDP Discovery Service. Enables discovery of UPnP devices on your home network.

    Start mode:

    Manual

    Login account:

    LocalService

    DLL file:

    ssdpsrv.dll

    Dependencies:

    HTTP


  • SSDPSRV SSDP Discovery Service. Enables discovery of UPnP devices on your home network. Installed with the Internet Gateway Device Discovery and Control Client optional networking component.

    Start mode:

    Manual

    Login account:

    LocalService

    DLL file:

    ssdpsrv.dll

    Dependencies:

    HTTP


  • stisvc Windows Image Acquisition (WIA). Provides image acquisition services for scanners and cameras .

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    wiaservc.dll

    Dependencies:

    RpcSs


  • SwPrv MS Software Shadow Copy Provider. Manages software-based volume shadow copies taken by the Volume Shadow Copy service. This service provides crucial support required by backup programs.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    swprv.dll, via COM+ and dllhost.exe

    Dependencies:

    RpcSs


  • SysmonLog Performance Logs and Alerts. Collects performance data from local or remote computers based on preconfigured schedule parameters; then writes the data to a log or triggers an alert.

    Start mode:

    Manual

    Login account:

    NetworkService

    EXE file:

    smlogsvc.exe


  • TapiSrv Telephony. Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are also running the service.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    tapisrv.dll

    Dependencies:

    PlugPlay, RpcSs


  • TermService Terminal Services. Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The service provides the underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    termsrv.dll

    Dependencies:

    RpcSs


  • Themes Provides user experience theme management.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    shsvcs.dll

    Load group:

    UIGroup

    Failure action:

    Restart service after 60 seconds


  • TlntSvr Telnet. Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    tlntsvr.exe


  • TrkWks Distributed Link Tracking Client. Maintains links between NTFS files within a computer or across computers in a network domain.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    trkwks.dll

    Dependencies:

    RpcSs


  • UMWdf Windows User Mode Driver Framework. Enables Windows user mode drivers.

    Start mode:

    Auto

    Login account:

    LocalService

    EXE file:

    wdfmgr.exe

    Dependencies:

    RpcSs


  • upnphost Universal Plug and Play Device Host. Provides support to host Universal Plug and Play devices.

    Start mode:

    Manual

    Login account:

    LocalService

    DLL file:

    upnphost.dll

    Dependencies:

    SSDPSRV, HTTP

    Failure action:

    Restart the service immediately


  • UPS Uninterruptible Power Supply. Manages an uninterruptible power supply (UPS) connected to the computer.

    Start mode:

    Manual, or Auto if a UPS is installed

    Login account:

    LocalSystem

    EXE file:

    ups.exe


  • VSS Volume Shadow Copy. Manages and implements Volume Shadow Copies used for backup and other purposes. This service provides crucial support required by backup programs.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    vssvc.exe

    Dependencies:

    RpcSs


  • W32Time Windows Time. Maintains date and time synchronization on all clients and servers in the network.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    w32time.dll

    Failure action:

    Restart service after 60 seconds


  • W3SVC World Wide Web Publishing. Provides web connectivity and administration through the Internet Information Services snap-in. Installed with IIS; not available on Windows XP Home Edition.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    inetinfo.exe

    Dependencies:

    IISADMIN


  • WebClient Enables Windows-based programs to create, access, and modify Internet-based files.

    Start mode:

    Auto

    Login account:

    LocalService

    DLL file:

    webclnt.dll

    Load group:

    NetworkProvider

    Dependencies:

    MRxDAV


  • winmgmt Windows Management Instrumentation. Provides a common interface and object model to access management information about operating system, devices, applications, and services. Most Windows management tools require this service.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    wmisvc.dll

    Dependencies:

    RpcSs, Eventlog

    Failure action:

    Restart service after 60 seconds


  • WmcCds Windows Media Connect (WMC). Serves shared multimedia content to Universal Plug and Play devices. Installed as an optional downloadable extension to Windows Media Player.

    Start mode:

    Manual

    Login account:

    NetworkService

    EXE file:

    mswmccds.exe

    Dependencies:

    RpcSs, upnphost, WmcCdsLs


  • WmcCdsLs Windows Media Connect (WMC) Helper. Monitors the network for new UPnP Media Renderer devices.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    mswmcls.exe

    Dependencies:

    RpcSs


  • WmdmPmSN Portable Media Serial Number Service. Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be downloaded to the device.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    mspmsnsv.dll


  • Wmi Windows Management Instrumentation Driver Extensions. Provides systems management information to and from drivers.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    advapi32.dll


  • WmiApSrv WMI Performance Adapter. Provides performance library information from WMI "HiPerf" providers.

    Start mode:

    Manual

    Login account:

    LocalSystem

    EXE file:

    wmiapsrv.exe

    Dependencies:

    RpcSs


  • wscsvc Security Center. Monitors system security settings and configurations. (Windows XP Service Pack 2 and later.)

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    wscsvc.dll

    Dependencies:

    RpcSs, winmgmt


  • wuauserv Automatic Updates. Enables the download and installation of critical Windows updates. If the service is disabled, the operating system must be manually updated at the Windows Update website.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    wuauserv.dll


  • WZCSVC Wireless Zero Configuration. Provides automatic configuration for the 802.11 adapters.

    Start mode:

    Auto

    Login account:

    LocalSystem

    DLL file:

    wzcsvc.dll

    Load group:

    TDI

    Dependencies:

    RpcSs, Ndisuio


  • xmlprov Network Provisioning Service. Manages XML configuration files on a domain basis for automatic network provisioning.

    Start mode:

    Manual

    Login account:

    LocalSystem

    DLL file:

    xmlprov.dll

    Dependencies:

    RpcSs


Your computer may have services not listed in this table, as third-party drivers and application software may install additional services. They seem to add up quickly. For instance, I just checked my computer and it has 10 non-standard services installed:

ATI Hotkey Poller and ATI Smart Installed with my ATI graphics adapter driver; monitors the keyboard for function keys set to change screen resolution or orientation.

Cisco Systems, Inc. VPN Service A Virtual Private Network client that I use to securely connect to other networks over the Internet.

Inadyn Dynamic DNS Update Client Updates the dyndns.org Domain Name Service when my network connection's IP address changes, as discussed in Chapter 7, "Networking Windows."

iPod Service Installed with Apple's iTunes program; manages data synchronization between the computer and iPods.

pcAnywhere Host Service Provides remote access, similar to Remote Desktop Connection, via the Symantec PCAnywhere program.

PDEngine and PDScheduler Installed with the PerfectDisk disk defragmenting utility that I purchased.

POP3Proxy A Perl script running as a Windows Service, which lets me filter my email through the SpamAssassin spam filter.

SETI@Home controller Runs the SETI@Home data processing application (setiathome.ssl.berkeley.edu) as a Windows service, so that it runs 24x7 instead of just when I'm logged on.

In addition, other services may be installed as part of Windows in order to support nonstandard hardware.

Tip

If you don't recognize a service installed on your system, check www.sysinfo.org, which has an extensive database of programs and services found on Windows computers, including third-party applications, spyware, adware, and virus programs. It also might help to perform a Google search on the name of the unrecognized executable file.


Using the Services Manager

You can start, stop, configure, and monitor the status of services using the Services management snapin, which appears in the Computer Management console. To open it, right-click My Computer and select Manage. In the left-hand pane, open Services and Applications, and then select Services. The management console is shown in Figure 4.5.

Figure 4.5. The Services management console lets you start, stop, and configure services.

Note

If you are using Windows 2000 or XP Professional, you can start, stop, and restart services using a Power Users account.

To change a service's configuration, you must be logged on as a Computer Administrator. Alternatively, open the Control Panel, select Performance and Maintenance, open Administrative Tools, right-click Computer Management, and select Run As. Select The Following User, and enter an Administrator account and password.


By default, services are listed in alphabetical order by their display name, although as usual for this type of display you can click on a column heading to sort by other column values, such as Status or Startup Type.

To start, stop, or restart (stop and then start) a given service, you can right-click it and select one of these actions from the pop-up menu.

To configure a service, double-click it, or highlight it and right-click Properties. The Service Properties dialog appears as shown in Figure 4.6.

Figure 4.6. The Service Properties dialog lets you configure service startup options.


The dialog has four tabs, from which you can perform the following maintenance tasks:

  • General View the path to the service's executable file; set the startup type to Disabled, Manual, or Automatic; Start, Stop, Pause, or Resume the service; add additional command-line parameters used when the service is started.

  • Log On Set the user account used to run the service; enable or disable the service in each defined Hardware Profile.

  • Recovery Specify actions to be taken if the service fails (crashes or quits unexpectedly), which range from taking no action, restarting the service, rebooting the computer, or running a specified program.

  • Dependencies On this display-only tab you can see the services that depend on the selected service (its dependents), and the services on which the selected service depends (its antecedents ).

In practice, you will almost never need to manage a service in any way other than to disable services that you do not want to use. Most Windows services are required for normal day-to-day use and should not be disabled. The one exception is the Indexing service. If the following holds:

  • You are not running Internet Information Services on your computer, or you are not using any search functions provided by the Server Extensions on your website

    and

  • You use an alternative desktop search program like Google Desktop Search, or you rarely perform keyword searches in the Windows Search window then you can safely disable the Indexing service, which will eliminate its annoying tendency to perform massive amounts of disk activity when you're trying to get real work done. To do this, right-click Indexing Service in the list, select the General tab, and set Startup Type to Manual.

Managing Services from the Command Line

On Windows NT, 2000, and XP, you can use the net command to start and stop services from the command line. The command

 net start  servicename  

starts a service, while

 net stop  servicename  

stops it. The servicename must be one of the service names listed in boldface in the "List of Windows Services" section (earlier in this section), or a service's long Display name, enclosed in quotation marks if it contains spaces.

Windows XP has a more powerful command-line service management tool called sc , which can start, stop, report on, install, delete, or reconfigure services. To get a list of active services, type

  sc query  

For a list of all installed services, type

  sc query type=service state=all  

For information about a single service, type

  sc queryex  servicename   

If you are logged on as a Computer Administrator, sc can also manage services on another computer. For example, to view the status of services on a computer named \\bobspc , you could type

  sc \bobspc query  

For a list of all sc commands, type the command sc with no arguments.

Device Drivers and the sc Command

Windows Device Drivers are actually very similar to services in that they are executable programs run by the system with no direct connection to the keyboard or display. In fact, the configuration settings for both types of system components are stored in the same part of the Registry under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services , and only the type and start values serve to distinguish one from the other. The primary difference between the two component types is that drivers are run within the Windows NT kernel and have hardware access, whereas services are "user"-level programs.

The similarity between them is especially notable when you investigate the sc command. Sc can list information about device drivers as well as services, and can change their startup options as well. Surprisingly, it's much easier to see a list of the device drivers that are loaded by your system using sc than it is using the Device Manager GUI program. For example, to display a list of device drivers, type the command

 sc query type=driver 




Upgrading and Repairing Microsoft Windows
Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
EAN: 2147483647
Year: 2005
Pages: 128

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net