Vernalex.com
 
 M  E  N  U
 - Guides
 - Links
 - Tools
 - Themes
 




 
 

Components Guide: Services

This chapter attempts to identify what Windows services are and what purpose they serve. As the name suggests they are there to provide services, or to use a different term, they are there to perform a specific task or set of tasks. They are modular components, and that is to say they can be turned on and off depending on if you require the features they provide or not. By turning them off you save computer resources (CPU time and memory), and when off they also pose no security vulnerability. The concept here is that all services should be off unless needed.

 

Service Definition

A service is simply a program, and they only differ in intent and implementation from regularly installed software. Normal programs execute as you require them, so if you wish to write a document then you would use Microsoft Word (as an example) when you needed it. But, you wouldn't normally leave it open until such a point that you want to write a document, as that would be wasteful because computers have limited RAM and clock cycles. But, a service is a program that constantly runs in the background and provides other programs its abilities when they require it. For example, a service may initialize your network settings so that when you require Internet access it is ready to be used, rather than configuring on demand. Another example would be a service that constantly monitors incoming traffic for an authenticated user that can perform registry manipulations, and without a service waiting for such an authentication it wouldn't be possible.

In simplistic terms a service is just a modular program that constantly runs, or at least automatically starts when needed. The need for a service was required for servers and workstations, but the modular behavior of services works nicely with various other abilities in Windows. In Windows 9x (short for Windows 95, Windows 98, and Windows Me) operating systems there were no services. And this meant that programs could only be run while a user was logged into the computer. However, since Windows NT (short for Windows NT4, Windows 2000 and Windows XP) operating systems requires a login (username and password) to access the computer programs could only be run while a user was logged in, if it were not for services. The services are special programs that run even before a user logs in, and this means a server can provide features to a network (such as a web server), even without a user being logged in. It should also be mentioned that services are called daemons in *nix (short for Unix based operating systems, such as Linux, Unix, BSDs, etc.) circles, but the general design is the same. Services usually have no physical self, but they often will have a front end that can be used to configure them.

In technical terms a service is a Windows plugin with API calls that lend themselves to other programs, as required, and is initialized while drivers are loaded. This gives a service the potential of being very low-level.

Many services come preinstalled to Windows, and the services differ from Windows version to Windows version. To make it more complicated though any service aware application can install its own service. The point of this is if you install a program that requires always-on behavior then it can set itself as such. It should be noted that a ill-intentioned program can also install itself as a service, but you should read the malware guide for information on worms and the like.

Return to top.

 

Service Control Manager / Windows Service Controller

Windows services are started, stopped, monitored and maintained by a central service process called the Services and Controller ap. This service is also known as either the service control manager or as the service controller. This process operates as services.exe under the authority of winlogon.exe as the Windows NT Logon application which runs under the system process of smss.exe that is the Windows NT Session Manager.

The purpose of the service controller is to follow the instructions provided to it by the registry, and to listen to event calls. These events could be to startup a service or to shutdown a service. It also watches all its child service processes, so if they fail it can take the proper actions (such as restarting the service or to restart the computer). This service also makes a great deal of comments, warnings and errors in the event logs to let you know how well the services are running.

The service controller also provides at least two additional service features. The first is that it maintains the event log. And it also provides plug and play support.

Return to top.

 

Load Startup Types

Services are either considered drivers or applications. Drivers are either loaded at the time of the system kernel, or after it. Applications are given three startup types, and these are called automatic, manual and disabled. When a service is set to automatic it means that the program will turn on when the operating system has initialized required components (such as drivers).

An automatic service will remain running until the service encounters an error (at which point it could restart or perform some other task), or until it has completed its designed task. Normally a service that defaults itself to automatic will never terminate itself.

A manual service will only start-up when it is required. The point here is that the service places hooks into the system, and these hooks are placed on programs related to it. In this way, when the hooks detect that the features provided by the associated service are required, it can start the service. If the service is properly programmed it can then shut itself down when it is no longer needed. This startup type requires that the service be made for this behavior, otherwise it won't be of much use. If you set a service that isn't made for this behavior then it will either automatically start or it will never run. Services that open listening ports and scan for network activity cannot be set to manual (for example), but a service that provides momentary effects could be (for example).

A disabled service is not able to execute. In fact, they cannot even be manually started. In order to start a disabled service the startup type must be changed from the disabled state to either manual or automatic. This is the state you want a program in if you do not want it starting up under any condition. In this startup type the program is inert, and as such it doesn't consume resources.

It should be noted here that you should only load services that you require. Each service is a program and will consume memory (RAM) and CPU time. But, the reserve also applies. You should only disable services that you do not require. The point I am trying to make here is that every service has a purpose, and ascertaining the varied purposes of a service is complicated. By disabling a service you thought you didn't need, but actually did, could turn up some very unexpected behaviors. And they aren't often cut and dry like your computer doesn't turn on. For example, there could be a service that provides network connectivity. And sure enough, it does. But, what you don't know are the other behaviors of the service. If you're not on a network you may think that disabling it could clear up memory, but beyond that it could cause complications. For example, a feature of Windows that requires the ability to check for the presence of Internet connectivity may crash your computer if the service won't answer at all. This is a severe example, but the point is that the features provided by the services do not have to be used by the most obvious programs, but could be used in strange ways that benefited the programmers. The reverse here is still true though, just because a service claims to do something does not mean it actually does. In fact, often there are features provided if the service is not enabled, or you may have additional plugins from vendors that do the task better than an installed service. The key here is to be careful.

Return to top.

 

Error Control Recovery

Like all programs a service can crash. But, this causes a problem since services provide important functionality to the rest of the computer. If a service fails it could mean you lose Internet access or lose control of your mouse or even that the operating system would freeze. So, services are given options on how to handle errors through a recovery system. Each service has two initial failures. During these failures they can do nothing, restart themselves, run a different program or restart the computer. The third failure has the same recovery options, but the options for the third apply to all subsequent failures. This usually means that the third failure initiates a reboot, whereas the first and second just restarts the service. The counter for the number of failures can also be reset after a particular number of days because a service failing every year doesn't represent an issue, whereas a service failing daily does.

Return to top.

 

User Authority

In Windows all programs must be executed by a specific user, and services are no different than any other program in this respect. In order for a service to run it must be told which user it should run under. This means that when the service is run the program is run under the credentials of the associated user account. This means that such things as the program's desktop directory is the one for that user account, and the startup items are from that particular user, and the current user registry hive is from that particular user.

Normally you don't run a service as a standard user. There are special account types that handle this very task. The first is called the local system account. It isn't an account that can be logged in from the login screen or from the welcome screen, but it is still an account. And it is the most powerful account on a Windows NT based computer. The local system account is what drivers ordinarily run under. This means that this account requires high access to the operating system, and to the hardware of the computer. Local system accounts are given a profile directory, but it is minimal. It is located in the profiles folder as LocalService. The other special account is the network service account. It is basically like the local system account, but it is used only for network related services.

Return to top.

 

Services Console

Services ConsoleThe configuration of services normally takes place within the services console. The services console is a snap-in to the Microsoft Management Console (MMC). The MMC is a generic utility interface that can be used by templates to provide unified configuration for varying components of Windows. One of these is the services snap-in. This file is called services.msc and can be found in the system32 directory under the Windows directory. The MSC extension identifies a saved Microsoft console session that contains the plug-ins as configured when the session was saved. To execute the services console you can either browse to the system32 directory and double click the services.msc file, or you can find a shortcut to the file under the Control Panel's Administrative Tools menu. You can also use the start menu's run menu to execute services.msc. This works because services.msc is in the environment path. It should be noted that the MMC comes preinstalled to Windows 2000 and Windows XP, but it did not with Windows NT4. For Windows NT4 you will need to run the Services option in the Control Panel to access the services. However, the services control panel is nowhere as flexible or useful as the consoles are.

The services console also appears under the computer management console, and some people prefer it because it provides a location with the services console as well as other options. The computer management console can be found in the administrative tools menu, as a file in the system32 directory or by right clicking my computer and selecting the option for manage. You can also use the start menu's run menu to execute compmgmt. Since the MMC does not come with Windows NT4, the computer management console also does not exist in Windows NT4.

The services MMC lists all program based services. In technical terms this means all service types of 16, 32, 272 and 288 show up. This list is populated with the display name of the service, a description, the status of the service, the startup type and the user the service attempts to authenticate as. The display name is basically a brief description. The real name of the service that Windows recognizes the service as is not shown in this list. The description is usually a sentence or two that contains little useful information, but often contains enough information to give you a hint of what the service does. Often the description is deceptive though, or does a lot more than the description would lead you to believe. The status represents whether the service is started or not. When started it means that the features provided by the service are available, and it also means that the service is consuming resources. The startup type describes the startup behavior of the service. As discussed previously, the three states are disabled, manual and automatic. The log on as part describes what user's credentials the service runs under. This can either be a user account, the local system account or the network service account.

Service PropertiesWhen you want to get more information on a service as well as additional options you can either double click one, or you can right click it and select properties. This will open up a dialog for the properties on that service. It provides four tabs of information and settings. The first displays general information, the second contains the log on settings, the third contains the recovery options and the fourth contains the dependencies.

The general tab contains several important fields. The display name is the same as the one as the name column on the service list. Like I mentioned before it is more like a brief description then it is the name. The service name though is the actual name of the service. It would have been nice if the list contained this as a column, or at least as an optional column. Internally when Windows refers to a service it does it by the service name rather than the display name. The description is a summary of the service, although that sometimes doesn't exist and often doesn't provide enough information. The path to executable is the fully qualified path to the actual service, including any command-line parameters. The startup type is either automatic, manual or disabled. And you can also start, stop, pause and resume the service from this tab. If a service is running it won't have the option to start, and if it isn't running then it won't have the option to stop. Very few services, if any, use the pause and resume functions. It should be noted that some services cannot be stopped from here, and to do so you must terminate their process, which usually must be done from a third party program since the task manager doesn't allow you to terminate protected services.

The log on tab allows you to select the user's credentials the service runs under. Remember that a service is like any other program and must run under a user account. Most services run under the local system account and a few run under the network service account. However, they can also run as a typical user. The local system account also has the option of interacting with the desktop, and this means that the program has the potential of being visible to a logged in user or to manipulate the user's profile. Normally this isn't desired though.

The recovery tab allows you to select the fail over behavior of the service. It lets you select the behavior after the first, second and each subsequent failure. It also lets you select the time to reset the failure counter, in days. The failure options to choose from are to do nothing, to reboot the system, to execute another program or to restart the service.

The dependencies tab is purely informational, but it allows you to see which services rely upon the features provided by that service. And it also allows you to see which services this service relies upon. The concept here is that if you disable the service, any dependent services will not be able to operate. And the same applies in reverse too.

Return to top.

 

System Configuration Utility (msconfig)

MSConfigBesides the services console you can also configure services through the system configuration utility. This interface comes with Windows XP, but it does not come with Windows 2000. However, you can copy this program from a Windows XP to a Windows 2000 installation and it will work just fine. The system configuration utility is not as powerful as the services console, but it does provide additional information that the services console leaves out. It should also be noted that the system configuration utility also allows you to edit additional settings on your Windows installation, but they are not covered in this guide.

The system configuration utility can be executed in several different ways. The first way is to run it directly as it is just a normal executable program. By default the program can be found in the Windows directory under PCHealth\HelpCtr\Binaries. Run the filename in that directory called msconfig.exe. By default that directory should be in the environment path so you should be able to run it without providing the directory. To do this go to your start menu, select run, type in msconfig and press ok.

Under the services tab there should be a list populated with all non-driver services, just like the services console. The service column contains the display name just like the services console, and it contains a status column just like the services console. The essential field is different though and it shows which services are required for Windows to run. However, it only mentions some of the required services as essential, so that column can be ignored for the most part. The interesting part about this though is the manufacturer field. This shows what company or user is registered to the service. This could help point you in the right direction as to what a service is. The checkbox for hide all microsoft services is also a huge help, as it helps to identify those that Microsoft installed and those that other companies installed, although all it really does is filter out all services that don't have Microsoft Corporation as their Manufacturer. It should be noted here that some programs don't have a manufacturer associated with them, but it should also be noted that worms and trojans that install themselves almost never register a manufacturer with them.

The system configuration utility allows you to enable and disable service by clicking on the checkboxes. However, it only recognizes automatic and disabled. It also allows you to enable all or disable all services, which should be something you never do. I have no idea why they provide that ability, but you should never click on either of those buttons. This program also allows you to disable services that are crucial and are required for startup, whereas the services console does not. This program also does not allow you to on-the-fly start and stop services, and requires a reboot if you change any service startup type. Because of these reasons I highly recommend that you do not enable or disable services through this program, but instead only use it as a reference because of the manufacturer column and the hide all microsoft services checkbox.

Return to top.

 

Remove / Delete a Service

Normally you remove services by uninstalling a program that installed the particular service. For example, if you wanted to remove the Norton Internet Security Firewall you would uninstall Norton Internet Security through Add / Remove Programs on the control panel. Some services are stock to Windows though, and they normally can't be removed or at least shouldn't be. In some cases a service could be uninstalled through the Add / Remove Windows Components on the Add / Remove Programs dialog menu. Typically it is a better idea to disable a service you do not need than to remove it, especially if you are not familiar with it. Many services are required for Windows to operate, and many services are required for Windows top operate optimally.

However, with the warnings aside there are two ways to remove a service, and I will discuss the first way here and the second way in the registry section. Since some worms and trojans install themselves into the services list it can be helpful to delete the services themselves. In the Windows resource kit there is a program called delsrv.exe that is a command-line programs that allows you to permanently delete any Windows service. This service should only be used on services that are not running, but if it is used on a service that is running then the service will continue to run until the system is restarted, or until the service crashes or is terminated. The program is very simplistic and it only takes a single parameter, the service's name. Please note that you must use the service's name and not the display name. Once again, the display name is a brief description and that isn't the name that Windows recognizes the service as.

The delsrv.exe file should be downloaded from Microsoft or from another trusted source. However, you can also download it from here too. Copy the file onto the computer you wish to remove the service from. I normally copy it into the system32 directory so I know it's in the environment path, so it could be run from any directory without having to provide the full path to the file. Then from a command prompt type delsrv <servicename>, with the service name (not the display name) in place of <servicename>. Here is an example of how to use it. Be sure to include quotes around the service name if it contains spaces. When you hit enter it will attempt to delete the service and you should be notified if the delete completed successfully. It should be noted that the services list will not automatically update, and as such you shouldn't delete services while you have a list of them up, especially not with the properties box open on a service you are deleting.

You can also use the command-line utility sc.exe to remove services, but by default this is only included in Windows XP and later operating systems. The syntax for the command is sc delete <servicename>, where <servicename> is the name of the service. If the service is running when it is deleted then it will be marked for deletion at the next available time, which usually means after you restart Windows.

Return to top.

 

Services in the Registry

Registry servicesThe registry is the supreme database of all common Windows versions. If you are not already familiar with the registry then you should most likely go back and read the chapter on the registry in the components guide as it will help to put this section into perspective. If you are familiar with the registry then the concepts of regedit, dwords, values, hives, etc. should be understandable.

Like most things in Windows, the services are stored in the registry. And like most system settings the services are stored in the local machine hive, although the conceptual local machine hive is really a collection of hives. The services are stored in HKLM\SYSTEM\CurrentControlSet\Services as subkeys. It should be noted here that the CurrentControlSet is really an alias for the active control set, as the name current suggests. To see the actual control set view the values under HKLM\SYSTEM\Select. The value for Current contains the dword value for the active control set, which normally will be 1. This would correspond to ControlSet001, and so normally the CurrentControlSet is just an alias of ControlSet001. The LastKnownGood is what is referred to as the last known good configuration. The purpose of this value is to distinguish a backup control set, normally 2 and corresponds to ControlSet002, that is used if the current control set fails, normally because a hardware reconfiguration problem.

The keys under the services key represent all the installed services for that hardware profile (control set). Services are represented by their service name, and once again that is different than the service display name. And most services will contain subkeys, although this is not true for all of them. The services consist of strict programs and drivers, running at different authority levels. Each service contains several important values. The most important ones are Type and Start. Type represents what type of service it is, and what authority level it has, where start contains the startup type for the service.

If you delete the service name key out of the Services list then you have effectively removed the service. However, in order for the changes in the services to take effect you will need to restart. This requirement of a restart is there because the local machine hive is only loaded on Windows startup. The only other way to reload the local machine hive is through API functions that tell the registry to reload.

From within the registry you can disable all service desktop interaction through a single value. This could be done as a security concern, but I recommend not setting this unless you require that you do. You can run this to disable interactive services or run this to enable interactive services. The default is that interactive services are allowed. The value in question is located in HKLM\SYSTEM\CurrentControlSet\Control\Windows and is a DWORD named NoInteractiveServices. If it is 0 then interactive services are allowed, and if it is 1 then interactive services are not allowed. The default is 0.

Generic Service Registry Values
Value Name
Type
Description
DependOnGroup
Multi
Defines what group of services, defined by the Group value, this service depends on. If a dependent group of services are not running then this service will not run, and will attempt to start the dependent services when started.
DependOnService
Multi
Defines what service this service depends on. If a dependent service is not running then this service will not run, and will attempt to start the dependent services when started.
Description
String
This is the text description of the service that will be displayed in the services console. Not every service has a description, and when they do they usually don't provide the entire feature list of the service.
DisplayName
String
This is not to be confused with the service name, which in the registry is the name of the key. The display name is normally longer and could be considered more like a brief description of the service.
ErrorControl
DWord
This defines the error handling of the service. Please see one of the below charts for information on this value.
Group
String
Defines what service group this service belongs to.
ImagePath
Expand
This expanded string contains the fully qualified path to the service executable filename. This path can also be appended with any command line parameters the service requires.
LastLoadStatus
DWord
Not sure, but I assume it represents if the service successfully started or perhaps it contains the number of times the service has failed since last counter reset.
ObjectName
String
Defines the user authority of the service. This is normally local system, but it could also be the network service or a particular user account.
Security
Binary
This value is found under the Security key. I think this value contains the encrypted password supplied with the user authority to run under.
ServiceDll
Expand
This value is found under under the Parameters key. This value should only exist if it is a shared service as it will contain a fully qualified path to a DLL that acts as a plugin to the shared service executable.
Start
DWord
Defines the startup state for the service. Please see one of the below charts for information on this value.
Tag
DWord
Not sure, but it seems to only involve drivers.
Type
DWord
Defines the type of service it is. Please see one of the below charts for information on this value.

Services Type DWORD Valid Values
Dec
Hex
Name
Description
1
0x1
Kernel-mode driver
These are drivers that are loaded when the system initially boots Windows, such as AGP support, and are the drivers you'll see loaded through text messages if you use safe mode. These drivers are usually factory installed and provide base level support to most devices and provide general support to different architectures.
2
0x2
File system driver
These are drivers that provide additional functionality, but are loaded after the kernel-mode drivers are loaded. These are usually add-on drivers that are considered critical, but are fairly core none-the-less, and things such as networking support.
4
0x4
Adapter arguments
I am not sure what this type of service does, but I would assume it is a driver that passes initialization information to a hardware device.
8
0x8
File system driver interpreter
This is a service program that communicates between a file system driver and the operating system. These are pretty rare, but you would expect to see these used in programs that install support for non-native file systems.
16
0x10
Independent Program
Represents a service that is controlled by the service control manager, but has a unique and independent service executable. This service type cannot interact with the desktop.
32
0x20
Shared Program
Represents a service that is controlled by the service control manager, but shares another service executable but with a different control point. This service type cannot interact with the desktop. This type usually signifies svchost.exe, netdde.exe, lsass.exe or services.exe as they encapsulate the functions of many different services.
272
0x110
Independent, Interactive Program
Represents a service that is controlled by the service control manager, but has a unique and independent service executable. This service type can interact with the desktop.
288
0x120
Shared, Interactive Program
Represents a service that is controlled by the service control manager, but shares another service executable but with a different control point. This service type can interact with the desktop.

Services Start DWORD Valid Values
Dec
Hex
Name
Description
0
0x0
Boot
This service is loaded by the kernel loader. This means this service is a driver and components of the driver stack on the boot volume must be loaded by the kernel loader.
1
0x1
System
This service is loaded by the input / output (I/O) subsystem. This means that this service is a driver that is loaded when the kernel is initialized.
2
0x2
Automatic
This service is controlled by the service control manager and is set to automatically start when the service control manager has begun.
3
0x3
Manual
This service is controlled by the service control manager and is started once the service control manager receives a request for a command hook owned by this service.
4
0x4
Disabled
This service is controlled by the service control manager and will not start, neither manually nor when requested by a program requiring its features.

Services ErrorControl DWORD Valid Values
Dec
Hex
Name
Description
0
0x0
Ignore
At failure, which means the service does not load or does not load properly, the startup of the computer will continue without displaying any error messages.
1
0x1
Normal
At failure, which means the service does not load or does not load properly, the startup of the computer will continue, but a warning message will be displayed.
2
0x2
Severe
At failure, which means the service does not load or does not load properly, the Failed value flag will be set and the computer will restart. Upon reload the computer will attempt to load the LastKnownGood control set, and if it fails on the LastKnownGood then the boot will continue.
3
0x3
Critical
At failure, which means the service does not load or does not load properly, the Failed value flag will be set and the computer will restart. Upon reload the computer will attempt to load the LastKnownGood control set, and if it fails on the LastKnownGood then the boot will halt and a debug operation will be performed.

Return to top.

 

Command-line Service Control

While graphical interfaces are very helpful for intuitive configuration of services, it also is nice to have a good command line interface to them as well. This makes it easy to script service configuration, especially for batch deployments. And luckily Windows has some decent command line service utilities. These tips are mainly for more technical people, so I assume you know how to use the command line.

The first is the net command, which is a historical networking command line program. It was originally included with the TCP/IP stack for DOS / Windows, but in Windows NT it also lets you start and stop services. This can be done with the net stop and net start command, where net stop <service_name> stops a service and net start <service_name> starts a service. Of course, <service_name> is the name of the service in question.

Another useful tool is sc.exe that allows you to manipulate the service controller. For help on this just type sc on the command line for all of the abilities the service has. It can do far more than starting and stopping the services, and can do anything you could do through the services console, and more.

A few free command line utilities exist for controlling services. A company named Sysinternals has a suite of utilities called PsTools that can help you control services from the command-line, as well as other things. The service controller in that suite is called PsService.

Return to top.

 

Services List

There are a lot of default services, and even more possible services that can be added by external programs. So I have put together a services tool that lists them and gives you information about them. You can find it here.

Return to top.

 

"When all government, domestic and foreign, in little as in great things, shall be drawn to Washington as the center of all power, it will render powerless the checks provided of one government on another and will become as venal and oppressive as the government from which we separated." --Thomas Jefferson to Charles Hammond, 1821. ME 15:332


Valid HTML 4.01! Paypal Donation
Link Partners