A list of all the standard services
|ServiceName||Service (Key)||Process||Description||Default Status & notes|
|Distribute administrative alerts to specific users or machines.
e.g. Performance Monitor thresholds are distributed as alerts.
Requires the Messenger and Workstation services to be started.
May be disabled if the alerts are not needed.
|Application Layer Gateway Service||ALG||alg.exe||Support for Internet Connection Sharing and the Internet Connection Firewall||Manual|
|Application Management||appmgt||Services.exe or svchost.exe||Installation services (Add/Remove Programs) - Assign, Publish, and Remove.||Manual|
|Automatic Updates||wuaUserv||svchost.exe -k wugroup||Enable the download and installation of critical Windows updates.||Automatic.
If the service is stopped, the operating system can be manually updated at the Windows Update Web site.
|Background Intelligent Transfer Service||BITS||svchost.exe -k BITSgroup||Transfer files using idle network bandwidth, maintain file transfers through network disconnections and computer restarts.|| Automatic
switch to manual if you have problems - Q314862
|Clipbook Server||Clipsrv||Clipsrv.exe||Provides support for the Clipbook Viewer, which allows the clipboard of the source machine to be accessed remotely.||Disabled|
|COM+ Event System||Event System||svchost.exe -k netsvcs||Automatic distribution of events to subscribing COM components.||Manual|
|Computer Browser||Browser||Services.exe||Collects the names of NetBIOS resources on the network, creating
a list so that it can participate as a master browser or basic browser (one
that takes part in browser elections).
This maintained list of resources (computers) is displayed in Network Neighborhood and Server Manager. If disabled you can still map drives, but can't browse the whole network.
If the machine is not connected to a LAN (stand-alone), or will not participate as a master browser or take part in elections, then feel free to change the status to manual (or disabled)
This does not equate to disabling TCP/IP so internet browsing is still possible.
|Cryptographic Services||CryptSvc||svchost.exe||Management of Certification Authority certificates. Driver Catalog Database, Protected Root and Key certificate Services.||Automatic|
|DCOM Server Process Launcher||DcomLaunch||svchost.exe||Launch DCOM services||Automatic|
|DHCP Client||Dhcp||Services.exe or svchost.exe||Manage network configuration by registering and updating IP addresses and DNS names.||Automatic
On a stand-alone machine: Disable
|Distributed Link Tracking Client||TrkWks||Services.exe or svchost.exe||Send notification of files moving between NTFS volumes in a network domain.||Automatic
Can be set to manual if you dont need this function.
|Distributed Transaction Coordinator||msdtc||MSDTC.exe||Coordinate transactions that are distributed across two or more databases, message queues, file systems, or other transaction protected resource managers.||Manual
Can be set to Disabled if you dont need this function.
|DNS Client||Dnscache||Services.exe||Resolves and caches Domain Name System (DNS) names.||Automatic|
|Directory Replicator (Server only)||Replicator||Lmrepl.exe||Replicate specified files & folders between computers.
The host is the export server, and the target machines are called import computers.
Replication is configured under Server in the Control Panel.
Domain Controllers need this to replicate the Netlogon share.
|Error Reporting Service||Ersvc||svchost.exe||Report errors back to Microsoft in Redmond.||Automatic
If you never want to report system crash info. to Microsoft set this to disabled.
|EventLog||EventLog||Services.exe||Record System, Security, and Application Events.
Viewed with the MMC Event Viewer (eventvwr.exe in NT).
|Fast User Switching Compatibility||FastUserSwitching Compatibility >||svchost.exe||Enable multiple users to login to the same PC simultaneously.||Manual|
|Fax Service||Fax||faxsvc.exe||Send and receive faxes||Automatic or Manual|
|Help and Support||helpsvc||svchost.exe||Help and Support Center||Automatic.
If stopped the help system will stop working.
|Human Interface Device Access||HidServ||svchost.exe||Support for extra keyboard 'hot buttons' and other multimedia input devices.||Disabled|
|HTTP SSL||HTTPFilter||svchost.exe||Support for HTTPS (Secure Socket Layer) websites such as banking and e-commerce.||Manual|
|IMAPI CD-Burning COM Service||ImapiService||imapi.exe||CD-Rom Burning||Manual
If you have problems changing to Automatic may help.
|Indexing Service||cisvc||cisvc.exe||Index the contents and properties of files on local and remote computers.
[ RESOURCE HOG ]
For improved performance Disable or
Uninstall thru C.Panel add/remove
|IPSEC Policy Agent||PolicyAgent||lsass.exe||Manage IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.||Automatic
May be changed to Manual if IPSec is not needed.
|License Logging Service (Server)||LicenseService||Llssrv.exe||License tracking on a server or DC (Domain Controller).||If disabled then licensing status alerts will not be generated.|
|Logical Disk Manager||Dmserver||services.exe or svchost.exe||Required by the MMC Disk Management plug-in.||Automatic|
|Logical Disk Manager Administrative Service||Dmadmin||dmadmin.exe /com||Administrative service for disk management requests||Manual|
|Message Queuing||mqsvc.exe||Message Queuing|
|Message Queuing Triggers||mqtgsvc.exe||Message Queuing|
|MS Software Shadow Copy Provider Service||swprv||dllhost.exe||Microsoft Backup Utility||Manual
Disable if you never use Shadow Copy features.
|Messenger||Messenger||Services.exe||Process the receipt or delivery of pop-up messages sent via NET SEND.
Not related to Windows Messenger
|Network Connections||Netman||svchost.exe -k netsvcs||Manage objects in the Network and Dial-Up Connections folder (LAN and remote connections.)||Manual|
(Local Security Authority Subsystem)
|Network Authentication: maintains a synced domain directory database between
the PDC and BDC(s), handles authentication of respective accounts on the
DCs, and authenticates domain accounts on networked machines.
For stand-alone machines never connected to a domain set to Manual.
|NetMeeting Remote Desktop Sharing||Nmnsrvc||mnmsrvc.exe||Allows authorized people to remotely access your Windows desktop using NetMeeting.||Manual.
A good idea to Disable unless you plan to allow remote connections.
|Network DDE||NetDDE||Netdde.exe||Support the network transport of DDE (Dynamic Data Exchange) connections.
Requires Network DDE DSDM to be started. See Clipbook service
|Network DDE DSDM||NetDDEdsdm||Netdde.exe||Manage shared DDE conversations (from shares like: \\computername\ndde$).
See Clipbook service
|NLA - Network Location Awareness||nla||svchost.exe||Part of Internet Connection Sharing (ICS) and the Internet Connection Firewall (ICF)||Manual|
|Network Provisioning Service||xmlprov||svchost.exe||Manage XML configuration files on a domain basis||Manual|
|NT LM Security Support Provider||NtLmSsp||Services.exe||Extends NT security to Remote Procedure Call (RPC) programs using various
transports other than named pipes.
RPC activity is quite common, and most RPC apps don’t use named pipes.
| Performance Logs and Alerts (XP)
Alerts and Performance Logs (Win 2K)
|sysmonLog||smlogsvc.exe||Configure performance logs and alerts.||Manual. May be disabled if the alerts are not needed.|
|Plug and Play||PlugPlay||Services.exe||Plug and Play.
Do not disable this service.
|Universal Plug and Play Host||UPNPhost||svchost.exe||Device Host detect and configure external UPnP devices.
|Portable Media Serial Number Service||WmdmPmSN||svchost.exe||Retrieves the serial number of any portable media player connected to this computer.||Manual
Disable if you never use DRM music devices.
|Print Spooler or Spooler
(Spoolss.exe in NT4)
|The NT printing subsystem.||Automatic - If you print documents.
If no printing is ever done set to manual (or disabled)
Restarting this service will cancel all pending print jobs.
|Protected Storage||ProtectedStorage||Pstores.exe||Encrypt and store secure info: SSL certificates, passwords for Outlook, Outlook Express, Profile Assistant, MS Wallet, and digitally signed S/MIME keys.||Automatic.|
|QoS RSVP||rsvp||rsvp.exe -s||Provide network signaling and local traffic control setup functionality for QoS-aware programs and control applets.||Manual|
|Remote Access Auto Connection Manager
Remote Access AutoDial Manager
|Rasauto||svchost.exe -k netsvcs||Activates automatic dial-up when a URL link is clicked.
Required for some but not all RAS, ADSL or Cable connections.
May be disabled if the machine has no internet access.
|Remote Access Connection Manager||Rasman||svchost.exe -k netsvcs||Required for most but not all RAS, ADSL or Cable connections.||Manual.
Required for Internet Connection Sharing or accessing remote servers via RAS.
|Remote Desktop Help Session Manager||RDSessMgr||sessmgr.exe||Remote Desktop Help Session Manager.||Manual
May be disabled if RDP is never used.
|Remote Procedure Call (RPC) Service
Remote Procedure Call (RPC)
|RpcSs||svchost -k rpcss||This RPC subsystem is crucial to the operations of any RPC activities taking place on a system (e.g. DCOM)||Automatic
Do not disable
Many essential services are dependent on RPC.
|Remote Procedure Call (RPC) Locator||RpcLocator||Locator.exe||Maintain the RPC name server database, requires the RPC service (below) to be started. Database of available server applications.||Manual.|
|Remote Registry Service (XP Pro only)||RemoteRegistry||regsvc.exe||Allow remote registry manipulation.||Automatic
A good idea to disable this, unless you have some reason to allow remote registry editing.
|Removable Storage||Ntmssvc||svchost.exe -k netsvcs||Manage removable media, drives, and libraries.||Manual.|
(XP - option)
|Listen for RIP announcements from routers and modify the routing table accordingly.||To use the RIP Listener service, your adjacent routers must support the RIP v1 protocol. You'll find the RIP Listener service under Add/Remove Windows Components - Networking Services.|
|Routing and Remote Access||RemoteAccess||svchost.exe -k netsvcs||Allow incoming connections via dial in or VPN. (WAN Routing)||Disabled|
| Secondary Logon (Win XP)
RunAs (Win 2K)
|secLogon||services.exe or svchost.exe||Enables starting processes under alternate credentials.||Automatic
You may want to stop this service if you never use RunAs
|Security Accounts Manager (Win 2K)||SamSs||lsass.exe||Stores security information for local user accounts.||Automatic|
|Security Center||wscsvc||svchost.exe||Monitor system security settings and configurations.||Automatic
You may want to disable this if firewall and virus updates are controlled via other means.
Support for peer-to peer file sharing, print sharing, and named pipe sharing via SMB
May be disabled if you dont host file or print shares. (Admin$ shares)
|Shell Hardware Detection||ShellHWDetection||svchost.exe||CD Autoplay||Automatic.|
|Smart Card||ScardSrv||SCardSvr.exe||Manages and controls access to a smart card inserted into a smart card reader attached to the computer.||Manual
If you never use smart cards, Disable
|Smart Card Helper||ScardDrv||SCardSvr.exe||legacy smart card readers||Removed in XP SP2|
|SNMP Service||Snmp||snmp.exe||Agents that monitor the activity in network devices and report to the network console workstation.||Automatic (if installed)|
|SSDP Discovery Service||SSDPSRV||svchost.exe||Simple Service Discovery Protocol.
Enables discovery of UPnP devices on your home network
May be disabled if as is likely you dont have any UPnP devices)
|System Event Notification||SENS||svchost.exe -k netsvcs||Track system events such as Windows logon, network, and power events.
Notifiy COM+ Event System subscribers of these events.
|System Restore Service||srservice||svchost.exe||Creates system snap shots.
[ RESOURCE HOG ]
If the machine's configuration has been cloned/backed up - turn off System Restore in Control Panel, System.
|Task Scheduler or Schedule||Schedule||atsvc.exe or mstask.exe||This service is required to schedule background tasks (run at a specific date & time)
Under NT it's a Resource Hog.
Under XP it's used by some auto-tuning operations.
|TCP/IP NetBIOS Helper
TCP/IP NetBIOS Helper Service
|lmHosts||Services.exe||Support for name resolution in a Windows 2000 domain. (Netbios/Wins)
An alternative to DNS lookup.
If not required may be set to manual.
|Telephony||TapiSrv||Tapisrv.exe||Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections. e.g unimodem modems.||Manual|
|TlntSvr||tlntsvr.exe||Allows a remote user to log on to the system and run console programs using the command line.||Disabled
Very insecure, presents a security risk when running.
|Terminal Services||TermService||svchost.exe||Required for Fast User Switching, Remote Desktop and Remote Assistance||Manual
If not required may be Disabled
|Themes||Themes||svchost.exe||XP Active Desktop Themes, and quick launch toolbars
[ RESOURCE HOG ]
Set to Manual or Disabled if you dont like themes.
|UPS or Uninterruptible Power Supply||UPS||Ups.exe||Support for an Uninteruptable Power Supply (UPS) physically connected to the machine.||Manual
Not every UPS will need or use this service.
|Universal Plug and Play Host||UPNPhost||svchost.exe||Device Host detect and configure external UPnP devices.
|Upload Manager||uploadmgr||svchost.exe||Upload Manager.||Removed in XP SP2|
|Volume Shadow Copy||VSS||vssvc.exe||MS Backup - A volume shadow copy is a picture of the volume at a particular moment in time. That means a computer can be backed up while files are open and applications running.||Manual
If not required may be disabled
see MS Software Shadow Copy Provider Service
|WebClient||WebClient||svchost.exe||Allow access to web-resident disk storage from an ISP. WebDAV "internet disks" such as Apple's iDisk.||Automatic
If not required may be disabled
|Windows Audio||AudioSrv||svchost.exe||Sound Driver
Note that disabling the sound driver won't stop sounds from playing - you just won't hear them.
If no sound card fitted then disable.
Windows Firewall (XP SP2)
Internet Connection Firewall (XP)
Internet Connection Sharing (Win 2K)
|SharedAccess||svchost.exe -k netsvcs||Network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.||Automatic.
For better protection consider adding a third party firewall.
|Windows Image Acquisition||stisvc||svchost.exe||Required for some but not all cameras, scanners, and digital video cameras.||Manual|
|Windows Installer||MSIServer||MsiExec.exe /V||Install, repair and remove software according to instructions contained in .MSI files.||Manual|
|Windows Management Instrumentation||WinMgmt||C:\Windows\System32
|WMI provides system management information.||Automatic|
|Windows Management Instrumentation Driver Extensions||Wmi||svchost.exe||Provides systems management information to and from drivers.||Manual|
|Windows Time||W32time||services.exe||Update the computer clock by reference to an internet time source or a time server.||Automatic|
|Wireless Zero Configuration||WZCSVC||svchost.exe||Configure wireless network devices (802.11a/b/g).||Automatic
disable if you don’t have any wireless devices.
|WMI Performance Adapter||WmiApSrv||wmiapsrv.exe||Collect performance library information.||Manual|
|Workstation||lanmanworkstation||Services.exe||Communications and network connections.
Services dependent on this being started: Alerter, Messenger, and Net Logon.
Before changing any of the defaults - use the links above to find what exactly the service does. The Elder Geek also has some good advice about services.
It is inadvisable to disable a service without being aware of the consequences, always start by setting the service to manual, reboot and test for any problems.
A service set to manual may be automatically restarted if another service is dependent on it.
A service set to disabled will not restart even if it's required to boot the machine!
Stopping or disabling a service will generally save a small amount of memory and will reduce the number of software interrupts (cpu message queue.) The main reason for tinkering with services is to harden the system against security vulnerabilities. Disable everything that you don’t need or use - then any future problems with those services cannot affect the machine.
The security group All Services (NT SERVICES\ALL SERVICES) includes all service processes that are configured on the system. Membership of this group is controlled by the OS.
To document all the services currently installed:
SC QUERY state= all |findstr "DISPLAY_NAME STATE" >my_services.csv
Some services communicate and send data directly to Microsoft, this is not generally something to lose sleep over. Managing the running of these services may be a consideration if confidentiality or anonymity is highly important to you.
Removing a service completely
To delete a service use the SC delete command:
SC delete NameofServiceTodelete
Built-in Service Accounts
In addition to other Default User & Group accounts there are 3 built-in accounts, designed for running background services.
Local Service Account (NT AUTHORITY\LOCAL SERVICE) - has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. (This account is not supported for running SQL Server services.)
Network Service Account (NT AUTHORITY\NETWORK SERVICE) - has more access to resources and objects than members of the Users group. Services that run as the Network Service account access network resources by using the credentials of the computer account.
Local System Account (NT AUTHORITY\SYSTEM) - a very high-privileged built-in account. It has extensive privileges on the local system and acts as the computer on the network.
Windows 2008 introduced a new feature: Managed Service Accounts these provide automatic password management and simplified service principal name (SPN) management. Service accounts are created in PowerShell with New-ADServiceAccount
Enable or Disable Ports
Many services and applications rely on the use of a specific PORT - to determine if a particular port is enabled for use, review the list of Service names and port numbers held in the "services" file ('windows\system32\drivers\etc\services')
Installing a good firewall is the easiest way to manage this.
“The service we render to others is really the rent we pay for our room on this earth. It is obvious that man is himself a traveler; that the purpose of this world is not 'to have and to hold' but 'to give and serve.' There can be no other meaning” - Sir Wilfred T. Grenfell
SC - Service Control
TASKLIST - List running tasks and services
WinMSD - List running services
ServiceStatus.ps1 - List all services (Powershell)
Safe Mode - Press F8 during bootup to start with mimimal services running.
Recovery - The Recovery Console
WMIC SERVICE - WMI access to services
DRIVERQUERY - display device drivers and properties (Resource Kit)
DComCnfg - Disable/configure DCOM
Microsoft.com - WinXP services - default settings
Microsoft.com - Win2003 services - 138 page Word Doc
Microsoft.com - Managing System Services.doc - 2003
The Elder Geek - Services Guide
The Register - Part 1 & 2 - Review of Win XP Services
Sysinternals - how to disable every service
SecurityFocus - Securing Windows Services
Wikipedia - Windows service
Q137890 - SRVANY - create a User-Defined Service
Q288129 - Grant users the right to manage services
Q263201 - Default Processes
Q244905 - How to disable a service at boot
Q314056 - What is SvcHost
Q825826 - Troubleshoot missing network connection icons