Showing posts with label Service. Show all posts
Showing posts with label Service. Show all posts

Windows Vista Default Services

Posted in , , , , , , , ,


Windows 7 Default Services

5:49 PM by Yash Kalra 0 comments

Posted in , , , , , , , ,


TASKLIST

TaskList displays all running applications and services with their Process ID (PID) This can be run on either a local or a remote computer.

Syntax
      tasklist options

Options:

   /s computer  Name or IP address of a remote computer
                don't use backslashes. Default = local computer.

   /u domain\user [/p password]]
                Run under a different account

   /svc         List information for each process without truncation.
                Valid when /fo=TABLE. Cannot be used with /m or /v

   /m [ModuleName]
                Show the processes that include the given module.

   /v           Verbose task information

   /fo {TABLE|LIST|CSV}]
                Output format, the default is TABLE.

   /nh          No Headers in the output (does not apply to LIST output)

   /fi FilterName [/fi FilterName2 [ ... ]]
                Apply one of the Filters below:

                   Imagename   eq, ne                  String
                   PID         eq, ne, gt, lt, ge, le  Positive integer.
                   Session     eq, ne, gt, lt, ge, le  Any valid session number.
                   SessionName eq, ne                  String
                   Status      eq, ne                  RUNNING | NOT RESPONDING
                   CPUTime     eq, ne, gt, lt, ge, le  Time hh:mm:ss
                   MemUsage    eq, ne, gt, lt, ge, le  Any valid integer.
                   Username    eq, ne                  User name ([Domain\]User).
                   Services    eq, ne                  String
                   Windowtitle eq, ne                  String
                   Modules     eq, ne                  String

Examples:

List the services running under each process:

TASKLIST /svc

List the services running under each SvcHost process:

TASKLIST /FI "imagename eq svchost.exe" /svc

List the services running now:

TASKLIST /v /fi "STATUS eq running"

List the services running under a specific user account:

TASKLIST /v /fi "username eq SERVICE_ACCT05"

Posted in , , , , ,


SC (Service Control)

4:45 PM by Yash Kalra 0 comments

Service Control - Create, Start, Stop, Query or Delete any Windows SERVICE. The command options for SC are case sensitive.

Syntax
      SC [\\server] [command] [service_name] [Options]

Key
   server       : The machine where the service is running

   service_name : The KeyName of the service, this is often but not always
                  the same as the DisplayName shown in Control Panel, Services.
                  You can get the KeyName by running: 
                     SC GetKeyName <DisplayName>

   commands:
          query  [qryOpt]   Show status
          queryEx [qryOpt]  Show extended info - pid, flags
          GetDisplayName    Show the DisplayName
          GetKeyName        Show the ServiceKeyName
          EnumDepend        Show Dependencies
          qc                Show config - dependencies, full path etc
          start          START a service.
          stop           STOP a service
          pause          PAUSE a service.
          continue       CONTINUE a service.
          create         Create a service. (add it to the registry)
          config         permanently change the service configuration
          delete         Delete a service (from the registry)
          control        Send a control to a service
          interrogate    Send an INTERROGATE control request to a service
          Qdescription   Query the description of a service
          description    Change the description of a service
          Qfailure       Query the actions taken by a service upon failure
          failure        Change the actions taken by a service upon failure
          sdShow         Display a service's security descriptor using SDDL
          SdSet          Sets a service's security descriptor using SDDL

   qryOpt:
          type= driver|service|all
                         Query specific types of service
          state= active|inactive|all
                         Query services in a particular state only
          bufsize= bytes 
          ri= resume_index_number (default=0)
          group= groupname
                         Query services in a particular group

   Misc commands that don't require a service name:
          SC  QueryLock  Query the LockStatus for the ServiceManager Database.
                         this will show if a service request is running
          SC  Lock       Lock the Service Database
          SC  BOOT       Values are {ok | bad} Indicates whether to save  
                         the last restart configuration as the `last-known-good`
                         restart configuration
   Options
     The CREATE and CONFIG commands allow additional options to be set
     see the build-in help: 'SC create' and 'SC config'

Note the qryOpt options above are case sensitive - they must be entered in lower case, also the position of spaces and = must be exactly as shown.

The SC command duplicates some aspects of the NET command but adds the ability to create a service.
SC query will display if a service is running, giving output like this:

        SERVICE_NAME       : messenger
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

To retrieve specific information from SC's output, pipe into FIND or FindStr
e.g.

  C:\> SC query messenger | FIND "STATE" | FIND "STOPPED"

  C:\> SC query messenger | FIND "STATE" | FIND "RUNNING"

The statements above will return an %ERRORLEVEL% = 1 if the text is not found

IF errorlevel 1 GOTO :my_subroutine

The NET START command can be used in a similar way to check if a service is running:

   NET START | FIND "Service name" > nul
   IF errorlevel 1 ECHO The service is not running

The service control manager will normally wait up to 30 seconds to allow a service to start - you can modify this time (30,000 milliseconds) in the registry

HKLM\SYSTEM\CurrentControlSet\Control
ServicesPipeTimeout (REG_DWORD)

Some options only take effect at the point when the service is started e.g. the SC config command allows the executable of a service to be changed. When the service next starts up it will run the new executable. Config changes requires the current user to have "permission to configure the service".

Examples:

 SC GetKeyName "task scheduler"
 SC GetDisplayName schedule 
 SC start schedule
 SC QUERY schedule
 SC QUERY type= driver
 SC QUERY state= all |findstr "DISPLAY_NAME STATE" >svc_installed.txt 
 SC \\myServer CONFIG myService obj= LocalSystem password= mypassword
 SC CONFIG MyService binPath=c:\myprogram.exe obj=".\LocalSystem" password=""

Watch out for extra spaces:
SC QUERY state= all Works
SC QUERY sTate =all Fails!

Posted in , , , , , , , ,


Windows XP Services list

4:15 PM by Yash Kalra 0 comments

A list of all the standard services

ServiceName

Service (Key)

Process

Description

Default Status & notes

Alerter

Alerter

Services.exe

[HKLM\SYSTEM\
CurrentControlSet\
Services\Alerter\Parameters]

[HKLM\SYSTEM\
CurrentControlSet
\Services\SysmonLog\Log Queries\<alertname>]

Distribute administrative alerts to specific users or machines.

e.g. Performance Monitor thresholds are distributed as alerts.

Requires the Messenger and Workstation services to be started.

Manual.
May be disabled if the alerts are not needed.

Application Layer Gateway Service

ALG

alg.exe

Support for Internet Connection Sharing and theInternet Connection Firewall

Manual

Application Management

appmgt

Services.exe or svchost.exe

Installation services (Add/Remove Programs) - Assign, Publish, and Remove.

Manual

Automatic Updates

wuaUserv

svchost.exe -k wugroup

Enable the download and installation of critical Windows updates.

Automatic.
If the service is stopped, the operating system can be manually updated at the Windows Update Web site.

Background Intelligent Transfer Service

BITS

svchost.exe -k BITSgroup

Transfer files using idle network bandwidth, maintain file transfers through network disconnections and computer restarts.

Automatic
switch to manual if you have problems - Q314862

Clipbook Server

Clipsrv

Clipsrv.exe

Provides support for the Clipbook Viewer, which allows the clipboard of the source machine to be accessed remotely.

Disabled

COM+ Event System

Event System

svchost.exe -k netsvcs

Automatic distribution of events to subscribing COM components.

Manual

Computer Browser

Browser

Services.exe

Collects the names of NetBIOS resources on the network, creating a list so that it can participate as a master browser or basic browser (one that takes part in browser elections).

This maintained list of resources (computers) is displayed in Network Neighborhood and Server Manager. If disabled you can still map drives, but can't browse the whole network.

Automatic.

If the machine is not connected to a LAN (stand-alone), or will not participate as a master browser or take part in elections, then feel free to change the status to manual (or disabled)

This does not equate to disabling TCP/IP so internet browsing is still possible.

Cryptographic Services

CryptSvc

svchost.exe

Management of Certification Authority certificates. Driver Catalog Database, Protected Root and Key certificate Services.

Automatic

DCOM Server Process Launcher

DcomLaunch

svchost.exe

Launch DCOM services

Automatic

DHCP Client

Dhcp

Services.exe or svchost.exe

Manage network configuration by registering and updating IP addresses and DNS names.

Automatic
On a stand-alone machine: Disable

Distributed Link Tracking Client

TrkWks

Services.exe or svchost.exe

Send notification of files moving between NTFS volumes in a network domain.

Automatic
Can be set to manual if you dont need this function.

Distributed Transaction Coordinator

msdtc

MSDTC.exe

Coordinate transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.

Manual
Can be set to Disabled if you dont need this function.

DNS Client

Dnscache

Services.exe

Resolves and caches Domain Name System (DNS) names.

Automatic

Directory Replicator (Server only)

Replicator

Lmrepl.exe

Replicate specified files & folders between computers.
The host is the export server, and the target machines are called import computers.
Replication is configured under Server in the Control Panel.

Automatic

Domain Controllers need this to replicate the Netlogon share.

Error Reporting Service

Ersvc

svchost.exe

Report errors back to Microsoft in Redmond.

Automatic
If you never want to report system crash info. to Microsoft set this to disabled.

EventLog

EventLog

Services.exe

Record System, Security, and Application Events.

Viewed with the MMC Event Viewer (eventvwr.exe in NT).

Automatic

Fast User Switching Compatibility

FastUserSwitching Compatibility

svchost.exe

Enable multiple users to login to the same PC simultaneously.

Manual

Fax Service

Fax

faxsvc.exe

Send and receive faxes

Automatic or Manual

Help and Support

helpsvc

svchost.exe

Help and Support Center

Automatic.
If stopped the help system will stop working.

Human Interface Device Access

HidServ

svchost.exe

Support for extra keyboard 'hot buttons' and other multimedia input devices.

Disabled

HTTP SSL

HTTPFilter

svchost.exe

Support for HTTPS (Secure Socket Layer) websites such as banking and e-commerce.

Manual

IMAPI CD-Burning COM Service

ImapiService

imapi.exe

CD-Rom Burning

Manual
If you have problems changing to Automatic may help.

Indexing Service

cisvc

cisvc.exe

Index the contents and properties of files on local and remote computers.
[ RESOURCE HOG ]

Manual
For improved performance Disable or
Uninstall thru C.Panel add/remove

IPSEC Policy Agent

PolicyAgent

lsass.exe

Manage IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

Automatic
May be changed to Manual if IPSec is not needed.

License Logging Service (Server)

LicenseService

Llssrv.exe

License tracking on a server or DC (Domain Controller).

If disabled then licensing status alerts will not be generated.

Logical Disk Manager

Dmserver

services.exe or svchost.exe

Required by the MMC Disk Management plug-in.

Automatic

Logical Disk Manager Administrative Service

Dmadmin

dmadmin.exe /com

Administrative service for disk management requests

Manual

Message Queuing

mqsvc.exe

Message Queuing

Message Queuing Triggers

mqtgsvc.exe

Message Queuing

MS Software Shadow Copy Provider Service

swprv

dllhost.exe

Microsoft Backup Utility

Manual
Disable if you never use Shadow Copy features.

Messenger

Messenger

Services.exe

Process the receipt or delivery of pop-up messages sent via NET SEND.
Not related to Windows Messenger

Disabled
vulnerability once used to send pop-up spam.

Network Connections

Netman

svchost.exe -k netsvcs

Manage objects in the Network and Dial-Up Connections folder (LAN and remote connections.)

Manual

Net Logon

Netlogon

Lsass.exe
(Local Security Authority Subsystem)

Network Authentication: maintains a synced domain directory database between the PDC and BDC(s), handles authentication of respective accounts on the DCs, and authenticates domain accounts on networked machines.

Automatic
For stand-alone machines never connected to a domain set to Manual.

NetMeeting Remote Desktop Sharing

Nmnsrvc

mnmsrvc.exe

Allows authorized people to remotely access your Windows desktop using NetMeeting.

Manual.
A good idea to Disable unless you plan to allow remote connections.

Network DDE

NetDDE

Netdde.exe

Support the network transport of DDE (Dynamic Data Exchange) connections.
Requires Network DDE DSDM to be started. See Clipbook service

Disabled

Network DDE DSDM

NetDDEdsdm

Netdde.exe

Manage shared DDE conversations (from shares like: \\computername\ndde$).
See Clipbook service

Disabled

NLA - Network Location Awareness

nla

svchost.exe

Part of Internet Connection Sharing (ICS) and the Internet Connection Firewall (ICF)

Manual

Network Provisioning Service

xmlprov

svchost.exe

Manage XML configuration files on a domain basis

Manual

NT LM Security Support Provider

NtLmSsp

Services.exe

Extends NT security to Remote Procedure Call (RPC) programs using various transports other than named pipes.
RPC activity is quite common, and most RPC apps don't use named pipes.

Manual

Performance Logs and Alerts (XP)

Alerts and Performance Logs (Win 2K)

sysmonLog

smlogsvc.exe

Configure performance logs and alerts.

Manual. May be disabled if the alerts are not needed.

Plug and Play

PlugPlay

Services.exe

Plug and Play.
Do not disable this service.

Automatic

Universal Plug and Play Host

UPNPhost

svchost.exe

Device Host detect and configure external UPnP devices.
UPnP<>PnP

Manual

Portable Media Serial Number Service

WmdmPmSN

svchost.exe

Retrieves the serial number of any portable media player connected to this computer.

Manual
Disable if you never use DRM music devices.

Print Spooler or Spooler

Spooler

Spoolsv.exe
(Spoolss.exe in NT4)

The NT printing subsystem.

Automatic - If you print documents.

If no printing is ever done set to manual (or disabled)

Restarting this service will cancel all pending print jobs.

Protected Storage

ProtectedStorage

Pstores.exe

Encrypt and store secure info: SSL certificates, passwords for Outlook, Outlook Express, Profile Assistant, MS Wallet, and digitally signed S/MIME keys.

Automatic.

QoS RSVP

rsvp

rsvp.exe -s

Provide network signaling and local traffic control setup functionality for QoS-aware programs and control applets.

Manual

Remote Access Auto Connection Manager
or
Remote Access AutoDial Manager

Rasauto

svchost.exe -k netsvcs

Activates automatic dial-up when a URL link is clicked.

Required for some but not all RAS, ADSL or Cable connections.

Manual
May be disabled if the machine has no internet access.

Remote Access Connection Manager

Rasman

svchost.exe -k netsvcs

Required for most but not all RAS, ADSL or Cable connections.

Manual.
Required for Internet Connection Sharing or accessing remote servers via RAS.

Remote Desktop Help Session Manager

RDSessMgr

sessmgr.exe

Remote Desktop Help Session Manager.

Manual
May be disabled if RDP is never used.

Remote Procedure Call (RPC) Service
or
Remote Procedure Call (RPC)

RpcSs

svchost -k rpcss

This RPC subsystem is crucial to the operations of any RPC activities taking place on a system (e.g. DCOM)

Automatic
Do not disable

Many essential services are dependent on RPC.

Remote Procedure Call (RPC) Locator

RpcLocator

Locator.exe

Maintain the RPC name server database, requires the RPC service (below) to be started. Database of available server applications.

Manual.

Remote Registry Service (XP Pro only)

RemoteRegistry

regsvc.exe

Allow remote registry manipulation.

Automatic
A good idea to disable this, unless you have some reason to allow remote registry editing.

Removable Storage

Ntmssvc

svchost.exe -k netsvcs

Manage removable media, drives, and libraries.

Manual.

RIP Listener
(XP - option)

Listen for RIP announcements from routers and modify the routing table accordingly.

To use the RIP Listener service, your adjacent routers must support the RIP v1 protocol. You'll find the RIP Listener service under Add/Remove Windows Components - Networking Services.

Routing and Remote Access

RemoteAccess

svchost.exe -k netsvcs

Allow incoming connections via dial in or VPN. (WAN Routing)

Disabled

Secondary Logon (Win XP)
RunAs (Win 2K)

secLogon

services.exe or svchost.exe

Enables starting processes under alternate credentials.

Automatic
You may want to stop this service if you never use RunAs

Security Accounts Manager (Win 2K)

SamSs

lsass.exe

Stores security information for local user accounts.

Automatic

Security Center

wscsvc

svchost.exe

Monitor system security settings and configurations.

Automatic
You may want to disable this if firewall and virus updates are controlled via other means.

Server

LanmanServer

Services.exe

Support for peer-to peer file sharing, print sharing, and named pipe sharing via SMB services.

Automatic
May be disabled if you dont host file or print shares. (Admin$ shares)

Shell Hardware Detection

ShellHWDetection

svchost.exe

CD Autoplay

Automatic.

Smart Card

ScardSrv

SCardSvr.exe

Manages and controls access to a smart card inserted into a smart card reader attached to the computer.

Manual
If you never use smart cards, Disable

Smart Card Helper

ScardDrv

SCardSvr.exe

legacy smart card readers

Removed in XP SP2

SNMP Service

Snmp

snmp.exe

Agents that monitor the activity in network devices and report to the network console workstation.

Automatic (if installed)

SSDP Discovery Service

SSDPSRV

svchost.exe

Simple Service Discovery Protocol.
Enables discovery of UPnP devices on your home network

Manual
May be disabled if as is likely you dont have any UPnP devices)

System Event Notification

SENS

svchost.exe -k netsvcs

Track system events such as Windows logon, network, and power events.
Notifiy COM+ Event System subscribers of these events.

Automatic.

System Restore Service

srservice

svchost.exe

Creates system snap shots.
[ RESOURCE HOG ]

Automatic

If the machine's configuration has been cloned/backed up - turn off System Restore in Control Panel, System.

Task Scheduler or Schedule

Schedule

atsvc.exe or mstask.exe

This service is required to schedule background tasks (run at a specific date & time)

Under NT it's a Resource Hog.
Under XP it's used by some auto-tuning operations.

Automatic

TCP/IP NetBIOS Helper
or
TCP/IP NetBIOS Helper Service

lmHosts

Services.exe

Support for name resolution in a Windows 2000 domain . (Netbios/Wins)
An alternative to DNS lookup.

Automatic
If not required may be set to manual.

Telephony

TapiSrv

Tapisrv.exe

Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections. e.g unimodem modems.

Manual

Telnet
(Win 2K)

TlntSvr

tlntsvr.exe

Allows a remote user to log on to the system and run console programs using the command line.

Disabled
Very insecure, presents a security risk when running.

Terminal Services

TermService

svchost.exe

Required for Fast User Switching, Remote Desktop and Remote Assistance

Manual
If not required may be Disabled

Themes

Themes

svchost.exe

XP Active Desktop Themes, and quick launch toolbars
[ RESOURCE HOG ]

Automatic
Set to Manual or Disabled if you dont like themes.

UPS or Uninterruptible Power Supply

UPS

Ups.exe

Support for an Uninteruptable Power Supply (UPS) physically connected to the machine.

Manual
Not every UPS will need or use this service.

Universal Plug and Play Host

UPNPhost

svchost.exe

Device Host detect and configure external UPnP devices.
UPnP<>PnP

Manual

Upload Manager

uploadmgr

svchost.exe

Upload Manager.

Removed in XP SP2

Volume Shadow Copy

VSS

vssvc.exe

MS Backup - A volume shadow copy is a picture of the volume at a particular moment in time. That means a computer can be backed up while files are open and applications running.

Manual
If not required may be disabled
see MS Software Shadow Copy Provider Service

WebClient

WebClient

svchost.exe

Allow access to web-resident disk storage from an ISP. WebDAV "internet disks" such as Apple's iDisk.

Automatic
If not required may be disabled

Windows Audio

AudioSrv

svchost.exe

Sound Driver
Note that disabling the sound driver won't stop sounds from playing - you just won't hear them.

Automatic
If no sound card fitted then disable.

Windows Firewall (XP SP2)

Internet Connection Firewall (XP)

Internet Connection Sharing (Win 2K)

SharedAccess

svchost.exe -k netsvcs

Network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.

Automatic.
For better protection consider adding a third party firewall.

Windows Image Acquisition

stisvc

svchost.exe

Required for some but not all cameras, scanners, and digital video cameras.

Manual

Windows Installer

MSIServer

MsiExec.exe /V

Install, repair and remove software according to instructions contained in .MSI files.

Manual

Windows Management Instrumentation

WinMgmt

C:\WINNT\System32
\WBEM\WinMgmt.exe

WMI provides system management information.

Automatic

Windows Management Instrumentation Driver Extensions

Wmi

svchost.exe

Provides systems management information to and from drivers.

Manual

Windows Time

W32time

services.exe

Update the computer clock by reference to an internet time source or a time server.

Automatic

Wireless Zero Configuration

WZCSVC

svchost.exe

Configure wireless network devices (802.11a/b/g).

Automatic
disable if you don't have any wireless devices.

WMI Performance Adapter

WmiApSrv

wmiapsrv.exe

Collect performance library information.

Manual

Workstation

lanmanworkstation

Services.exe

Communications and network connections.
Services dependent on this being started: Alerter, Messenger, and Net Logon.

Automatic

It is inadvisable to disable a service without being aware of the consequences,

always start by setting the service to manual,

reboot and test for any problems.

A service set to manual may be automatically restarted if another service is dependent on it.
A service set to disabled will not restart even if it's required to boot the machine!

Stopping or disabling a service will generally save a small amount of memory and will reduce the number of software interrupts (cpu message queue.)

The main reason for tinkering with services is to harden the system against security vulnerabilities. Disable everything that you don't need or use -

then any future problems with those services cannot affect the machine.

To document all the services currently installed:

SC QUERY state= all |findstr "DISPLAY_NAME STATE" >my_services.csv

Some XP services communicate and send data directly to Microsoft, this is not generally something to lose sleep over.

Managing the running of these services may be a consideration if confidentiality/anonymity is highly important to you.

Removing a service completely

To delete a service, you may be tempted to hack the registry settings under (HKLM/SYSTEM/CurrentControlSet/Services)

this is not a reliable or recommended method, far better is to use the SC command:

SC delete NameofServiceTodelete

Built-in Service Accounts

In addition to other Default User & Group accounts there are 3 built-in accounts, designed for running background services.

Local Service Account (NT AUTHORITY\LOCAL SERVICE) - has the same level of access to resources and objects as

members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised.

Services that run as the Local Service account access network resources as a null session without credentials.

(This account is not supported for running SQL Server services.)

Network Service Account (NT AUTHORITY\NETWORK SERVICE) - has more access to resources

and objects than members of the Users group. Services that run as the Network Service account access

network resources by using the credentials of the computer account.

Local System Account (NT AUTHORITY\SYSTEM) - a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network.

In Windows 2008 a new feature was introduced: Managed Service Accounts which provide aut

omatic password management and simplified service principal name (SPN) management.

These accounts are created in Powershell with New-ADServiceAccount

Enable or Disable Ports
Many services and applications rely on the use of a specific PORT - to determine if a particular port is enabled for use, review the list of Service names and port numbers held in the "services" file ('windows\system32\drivers\etc\services')
Installing a good firewall is the easiest way to manage this.

Source

Posted in , , , , , , , , , ,


Subscribe to: Posts (Atom)