Threats and Countermeasures Guide: System Services

System services are programs that load automatically either as part of an application's startup process or the operating system startup process to support the different tasks required of the operating system. In recent years, services have been an attractive target for creators of malicious software, such as viruses, who want to attack the Windows® operating systems. Examples of viruses that exploit core Windows services include Blaster, Sasser, and Code Red. There are a number of reasons for this situation:

  • Services are typically long-running. Often, they start when the system starts and stop when it shuts down.

  • Services are often network-facing, making them especially vulnerable to remote attacks.

  • Services typically run in a high-privilege account such as LocalSystem.

For Windows® 7 and Windows Server® 2008 R2, some enhancements were made to the core services to accomplish the following goals:

  • Limiting access to services by user applications. Session 0 isolation requires services and user applications to run in separate sessions.

  • "Hardening" services to limit the ability of a compromised service to damage a system. There are two complementary ways to accomplish this goal:

    • Running with least privilege allows services to run with only those privileges that they require, and nothing more.

    • Service isolation allows services to be isolated from other services or applications by using a unique service identity, which restricts access to its resources by other services or applications. The service identity also can restrict the service's access to the resources of other services or applications. For example, service isolation allows an antivirus service to maintain exclusive access to its signature definition files.

This section of this guide identifies the function and purpose of commonly used services and explains which services are enabled in Windows Server 2008 R2 and Windows 7.

When you first install Windows Server 2008 R2 or Windows 7, some services are installed and configured to run by default when the computer starts. There are fewer services installed by default in a Server Core installation of the Windows Server 2008 R2 operating system than in a default full installation of Windows Server 2008 R2, and it supports a limited subset of roles and services and has a smaller attack surface than the default Windows Server 2008 R2 installation. By default, Windows Server 2008 R2 is installed without any server roles enabled and with a minimum number of services running. You should install only the server roles and features required for the workload of each server. Even with this reduction in default services, your server may not need all of the services installed by default in your environment, and you should disable any unneeded services to enhance security.

Windows Services Overview

A service must log on to access resources and objects in the operating system, and most services are not designed to have their default logon account changed. If you change the default account, it is likely that the service will fail. If you select an account that does not have permission to log on as a service, the Services snap-in automatically grants that account the ability to log on as a service on the computer. However, this automatic configuration does not guarantee that the service will start. Windows includes three built-in local accounts that it uses as the logon accounts for various system services:

  • Local System account. The Local System account is a powerful account that has full access to the computer and acts as the computer on the network. If a service uses the Local System account to log on to a domain controller, that service has access to the entire domain. Some services are configured by default to use the Local System account, and this should not be changed. The Local System account does not have a user-accessible password.

  • Local Service account. The Local Service account is a built-in account that is similar to an authenticated user account. It has the same level of access to resources and objects as members of the Users group. This limited access helps to safeguard your computer if individual services or processes are compromised. Services that use the Local Service account access network resources as a null session with anonymous credentials. The name of this account is NT AUTHORITY\Local Service, and it does not have a user-accessible password.

    The Local Service account supports the following privileges by default.

    Privilege Description

    SeAssignPrimaryTokenPrivilege

    Replace a process-level token

    SeIncreaseQuotaPrivilege

    Adjust memory quotas for a process

    SeAuditPrivilege

    Generate security audits

    SeChangeNotifyPrivilege

    Bypass traverse checking

    (This privilege is inherited through membership in the Everyone group.)

    SeNetworkLogonRight

    Access this computer from the network

    (This privilege is inherited through membership in the Everyone group.)

    SeBatchLogonRight

    Log on as a batch job

  • Network Service account. The Network Service account is also a built-in account that is similar to an authenticated user account. Like the Local Service account, it has the same level of access to resources and objects as members of the Users group, which helps to safeguard your computer. Services that use the Network Service account access network resources with the credentials of the computer account. The name of the account is NT AUTHORITY\Network Service, and it does not have a user-accessible password.

    The Network Service account supports the following privileges by default.

    Privilege Description

    SeAssignPrimaryTokenPrivilege

    Replace a process-level token

    SeIncreaseQuotaPrivilege

    Adjust memory quotas for a process

    SeAuditPrivilege

    Generate security audits

    SeChangeNotifyPrivilege

    Bypass traverse checking

    (This privilege is inherited through membership in the Everyone group.)

    SeNetworkLogonRight

    Access this computer from the network

    (This privilege is inherited through membership in the Everyone group.)

    SeInteractiveLogonRight

    Log on as a service

    SeImpersonatePrivilege

    Impersonate a client after authentication

Services are attractive targets for creators of malicious software such as viruses because they usually run in the background and the average user does not interact with them, they interact with the application that uses them. Ideally, service developers should limit the risk presented by misuse of a service by developing services that run using a lower-privilege account such as Local Service or Network Service. However, many services require at least some privileges that only Local System supports.

If a service requires a privilege from Local system, it should be developed to run with least privilege. Running with least privilege means that services are not restricted to using only the default set of privileges that are supported by a standard account. Instead, services can select an account that has the privileges that they require and then remove all other unnecessary privileges. Running with least privilege can be used for any type of service account: Local Service, Network Service, Local System, a domain, or a local account.

Services specify their required privileges when registering with the Service Control Manager (SCM), which grants a set of privileges to the service that is stored in the process token for the service. The privilege check uses one of the following methods:

  • For stand-alone services, the SCM checks the list of required privileges against the process token. Any that were not specified as required are removed from the token.

  • For shared-process services, such as services hosted in svchost, the list of privileges is the union of the required privileges for all services in the group. The only privileges that the SCM removes from the process token are those that no member of the group has specified as required.

  • If a service does not specify a required set of privileges, the SCM assumes by default that the service requires all of the privileges that are associated with the account. This assures backward compatibility. However, if a service group contains a mixture of services with defined privileges and ones without defined privileges, the entire group runs using the privileges associated with the account.

If a service requires privileges that are not in the process token, the SCM does not start the service. For example, a process that is part of a service group running under the Network Service account could specify SeLoadDriverPrivilege as a required privilege. However other processes in the group did not specify required privileges, so the process token for the group contains only those privileges defined for the Network Service account. SeLoadDriverPrivilege is not supported by a Network Service process token, so the start attempt for that process fails. Administrators must understand this issue when they make configuration changes such as changing the service image of a shared-process service while the target service process is running. The service can start only if the target service process supports the specified privileges.

Service isolation

Many services require access to certain objects that are available only to high-privilege accounts. For example, a service might have to write to a registry key that provides write access only to administrators. Services typically gained access to such objects by running in a high-privilege account such as Local System or by weakening the security on the objects to allow access by services that are running in a generic lower-privilege account.

Both approaches increased the risk that an attacker or malicious software could gain control of the system. The only way for an administrator to mitigate this risk was to create an account specifically for the service and allow access to the objects only for that account. However, this approach created problems of manageability, most notably password management, because the administrator no longer had the advantages of using built-in operating system accounts.

Service isolation mitigates this problem by providing services a way to access specific objects without having to either run in a high-privilege account or weaken the objects' security protection. For example, service isolation allows an antivirus service to run in a lower-privilege account than Local System but still maintain complete access to its signature definition files or registry keys that would normally be accessible only to administrators.

A service isolates an object for its exclusive use by securing the resource—such as file or registry key access—with an access control entry that contains a service security ID (SID). This ID is referred to as a per-service SID. A per-service SID is derived from the service's name and is unique to that service.

After a SID has been assigned to a service, the service owner can then modify the required objects' access control lists (ACLs) to allow access to the SID. For example, a registry key in HKEY_LOCAL_MACHINE\SOFTWARE would normally be accessible only to services with administrative privileges. By adding the per-service SID to the key's ACL, the service can run in a lower-privilege account but still have access to the key.

If a per-service SID is enabled, it is added to the service's process token. A per-service SID must be enabled at the time the service's process is started to be added to the process token. If a process hosts multiple services with enabled SIDs, all the SIDs of these services are added to the process token. Per-service SIDs also allow a process token to be converted to a restricted token by adding one or more SIDs to the restricted token list.

Restricted SIDs

A per-service SID provides a good degree of isolation and allows the service to run in a lower-privilege account. However, it does not prevent the service from accessing other resources that are accessible to the account because the process token also contains the SID for the account. Consider the following scenario:

Service X runs in the Local Service account and has a service SID enabled. In addition to having access to objects that have specifically granted this service access—by using the per-service SID—it also has access to all objects that grant access to Local Service. As a result, if this service were compromised, the attacker could cause damage by accessing the resources that are not related to the service.

To mitigate this problem and reduce the damage potential of compromised services, Windows uses a hybrid approach that combines write-restricted tokens and per-service SIDs to introduce restricted SIDs for services.

When a service enables a restricted SID, the per-service SID of that service is added to both the normal and restricted SID list of the write-restricted service process token. This ensures that the service can write only to objects that have explicitly granted write access to one of the SIDs in the restricted list. Returning to the preceding example, by enabling restricted SIDs, Service X can no longer write to any objects that grant write access to Local Service account because those objects do not explicitly grant write access to the per-service SID of service X.

Important

If you change the default service settings, key services may not run correctly. It is especially important to use caution if you change the Startup type and Log on as settings of services that are configured to start automatically.

System Service Settings

System services are described differently from the other settings in this guide because the vulnerability, countermeasure, and potential impact statements are almost identical for all services. The following are some general rules for managing system services vulnerabilities, countermeasures, and potential impacts.

For each system service, you can assign a service startup type. The possible values for these settings are:

  • Automatic. Service automatically starts when the computer is restarted.

  • Automatic (Delayed start). Service starts automatically when the computer is restarted, but delays the start of the service until after higher priority services and drivers are started.

  • Manual. Service does not start until a program starts it or it is explicitly started by the user.

  • Disabled. The service cannot be started.

  • Not Defined

You can use the sc config command to set the service startup type from a command prompt.

Vulnerability

Any service or application is a potential point of attack.

Important

Additional services that you enable may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.

Countermeasure

Disable all unnecessary services.

On server, install only the server roles and features that are required to support the server’s workload

Do not set permissions on service objects

There are graphical user interface (GUI)–based tools that you can use to edit services. We recommend that you not alter the permissions on services that are included with the operating system because the default permissions are already quite restrictive.

To modify the properties of system services, you can use the following tools as appropriate:

  • Use the Security Configuration Wizard provided with Windows Server 2008 R2. We recommend this approach when you must configure services and network port filters for various Windows Server 2008 server roles.

  • Run the Security Templates snap-in or Local Group Policy Editor on a server that runs with Windows Server 2008 R2. We recommend this approach when you must configure services for security templates or Group Policy settings that are applied to Windows 7.

Potential impact

If some services (such as the Security Accounts Manager) are disabled, you cannot restart the computer. If other critical services are disabled, the computer may be unable to authenticate with domain controllers. If you want to disable some system services, you should test the changed settings on nonproduction computers before you change them in a production environment.

Descriptions of System Services

The following subsections describe the services included with Windows Server 2008 R2 and Windows 7.

  • ActiveX Installer

  • Adaptive Brightness

  • Application Experience

  • Application Host Helper Service

  • Application Identity

  • Application Information

  • Application Layer Gateway Service

  • Application Management

  • ASP.NET State Service

  • Background Intelligent Transfer Service (BITS)

  • Base Filtering Engine

  • BitLocker Drive Encryption Service

  • Block Level Backup Engine Service

  • Bluetooth Support Service

  • BranchCache

  • Certificate Propagation

  • Client for NFS

  • Certificate Services

  • Cluster Service

  • CNG Key Isolation

  • COM+ Event System

  • COM+ System Application

  • Computer Browser

  • Credential Manager

  • Cryptographic Services

  • DCOM Server Process Launcher

  • Desktop Window Manager Session Manager

  • DHCP Client

  • DHCP Server

  • Diagnostic Policy Service

  • Diagnostic Service Host

  • Diagnostic System Host

  • Disk Defragmenter

  • Distributed File System

  • Distributed File System Replication

  • Distributed Link Tracking Client

  • Distributed Link Tracking Server

  • Distributed Transaction Coordinator

  • DNS Client

  • DNS Server

  • Encrypting File System

  • Extensible Authentication Protocol

  • Fax Service

  • Function Discovery Provider Host

  • Function Discovery Resource Publication

  • Group Policy Client

  • Group Policy

  • Health Key and Certificate Management

  • HomeGroup Listener

  • HomeGroup Provider

  • HTTP SSL

  • Human Interface Device Access

  • IIS Admin Service

  • IKE and AuthIP IPsec Keying Modules

  • Indexing Service

  • Interactive Services Detection

  • Internet Connection Sharing

  • Intersite Messaging

  • IP Helper

  • IPsec Policy Agent

  • KtmRm for Distributed Transaction Coordinator

  • Link-Layer Topology Discovery Mapper

  • LPD Service

  • Media Center Extender Service

  • Message Queuing

  • Message Queuing Triggers

  • Microsoft .NET Framework NGEN

  • Microsoft FTP Service

  • Microsoft Software Shadow Copy Provider

  • Microsoft iSCSI Initiator Service

  • Multimedia Class Scheduler

  • Microsoft Fibre Channel Platform Registration Service

  • Net.Msmq Listener Adapter

  • Net.Pipe Listener Adapter

  • Net.Tcp Listener Adapter

  • Net.Tcp Port Sharing Service

  • Netlogon

  • Network Access Protection Agent

  • Network Connections

  • Network List Service

  • Network Location Awareness

  • Network Store Interface Service

  • Offline Files

  • Parental Controls

  • Peer Name Resolution Protocol

  • Peer Networking Grouping

  • Peer Networking Identity Manager

  • Performance Counter DLL Host

  • Performance Logs & Alerts

  • Plug and Play

  • PnP-X IP Bus Enumerator

  • PNRP Machine Name Publication Service

  • Portable Device Enumerator Service

  • Power

  • Print Spooler

  • Problem Reports and Solutions Control Panel Support

  • Program Compatibility Assistant Service

  • Protected Storage

  • Quality Windows Audio Video Experience

  • Remote Access Auto Connection Manager

  • Remote Access Connection Manager

  • Remote Desktop Configuration

  • Remote Desktop Services

  • Remote Desktop Services UserMode Port Redirector

  • Remote Procedure Call (RPC)

  • Remote Procedure Call (RPC) Locator

  • Remote Registry

  • RIP Listener

  • Resultant Set of Policy Provider

  • Routing and Remote Access

  • RPC Endpoint Mapper

  • SeaPort

  • Secondary Logon

  • Secure Socket Tunneling Protocol Service

  • Security Accounts Manager

  • Security Center

  • Server

  • Shell Hardware Detection

  • Simple TCP/IP Services

  • Smart Card

  • Smart Card Removal Policy

  • SNMP Service

  • SNMP Trap

  • Software Protection

  • Special Administration Console Helper

  • SPP Notification Service

  • SSDP Discovery

  • Storage Service

  • Superfetch

  • System Event Notification Service

  • Tablet PC Input Service

  • Task Scheduler

  • TCP/IP NetBIOS Helper

  • Telephony

  • Themes

  • Thread Ordering Server

  • TPM Base Services

  • UPnP Device Host

  • User Profile Service

  • Virtual Disk Service

  • Volume Shadow Copy

  • WLAN AutoConfig

  • WMI Performance Adapter

  • WWAN AutoConfig

  • Web Management Service

  • WebClient

  • Windows Audio

  • Windows Audio Endpoint Builder

  • Windows Backup

  • Windows Biometric Service

  • Windows CardSpace

  • Windows Color System

  • Windows Connect Now - Config Registrar

  • Windows Defender

  • Windows Driver Foundation - User-mode Driver Framework

  • Windows Error Reporting Service

  • Windows Event Collector

  • Windows Event Log

  • Windows Firewall

  • Windows Font Cache Service

  • Windows Image Acquisition (WIA)

  • Windows Installer

  • Windows Internet Name Service (WINS)

  • Windows Management Instrumentation

  • Windows Media Center Receiver Service

  • Windows Media Center Scheduler Service

  • Windows Media Player Network Sharing Service

  • Windows Modules Installer

  • Windows Presentation Foundation Font Cache

  • Windows Process Activation Service

  • Windows Remote Management (WS-Management)

  • Windows Search

  • Windows Time

  • Windows Update (Automatic Updates)

  • Wired AutoConfig

  • Workstation

  • World Wide Web Publishing Service

Note

If a service is not started, other services that depend on that service also fail to start. Therefore, if you change the status of one service, you may affect other seemingly unrelated services. Applications and programs may also create dependencies on services that are different from the default configuration documented in the following service descriptions. To check the dependencies for a service, in the Services Control Panel or MMC snap-in (services.msc) open the properties sheet of the service, and then click the Dependencies tab.

ActiveX Installer

The ActiveX Installer (AxInstSV) service provides user account control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control installation based on Group Policy settings. This service’s startup type is Manual, so it will start when requested by an application. If this service is disabled the installation of ActiveX controls will behave according to the default browser settings. By default it logs on using the Local System account.

This service is not included in Windows Server 2008 R2.

For more information about working with this service, see Administering the ActiveX Installer Service in Windows 7.

The ActiveX Installer service is dependent upon the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

Adaptive Brightness

The Adaptive Brightness (SensrSvc) service monitors ambient light sensors to detect changes in ambient light and adjust the display brightness. If this services is stopped or disabled the display brightness will not adapt to lighting conditions. This service is configured for a manual start by default. When started it will log on using the Local Service account by default. This service is not dependent on any other system service, nor is any service dependent on it.

This service is not included in Windows Server 2008 R2.

This service is supported in all versions of Windows 7except Windows 7 Starter operating system.

For more information about working with this service, see Windows 7 Brightness Control for Integrated Displays.

Application Experience

The Application Experience service (AELookupSvc) is a part of the Application Compatibility Administrator. It processes application compatibility lookup requests for applications as they are started, provides support for computers running programs in compatibility mode, reports on compatibility issues, and automatically applies software updates to programs.

The Application Experience service must be active for application compatibility software updates to be applied. You cannot customize this service; the operating system uses it internally. This service does not use any network, Internet, or Active Directory® Domain Services (AD DS) resources.

If you disable the Application Experience service, the service continues to run, but no calls are made to the service. You cannot stop the actual process.

The Application Experience service is configured for a Manual start. When started in its default configuration it logs on using the Local System account.

This service is not dependent on any other system service, nor is any service dependent on it.

Application Host Helper Service

The Application Host Helper Service (AppHostSvc) provides administrative services for IIS, for example configuration history and Application Pool account mapping. If this service is stopped, configuration history and locking down files or directories with Application Pool specific Access Control Entries will not work.

This service is not installed by default. Once installed it will be configured for an Automatic start and will log on using the Local System account by default.

This service is not dependent on any other system service, nor is any service dependent on it.

Application Identity

The Application Identity (AppIDSvc) service determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. This service is configured by default for a manual start. When started, by default it logs on using the local service account.

The Application Identity service is dependent upon the following system components:

  1. AppID Driver

  2. Flt Mgr

  3. System Attribute Cache

  4. Cryptographic Services

  5. Remote Procedure Call (RPC)

  6. DCOM Server Process Launcher

  7. RPC Endpoint Mapper

Application Information

The Application Information service (Appinfo) facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users cannot start applications with the additional administrative privileges that they may require to perform certain user tasks. For example, if this service is disabled, system tools like Services and Regedit cannot run.

To enable this service after it has been disabled, you must start your computer in Safe Mode to get access to the Services snap-in console.

By default this service is configured for a manual start and is started by applications that request additional privileges. When started it runs under the Local System account by default.

The Application Information service is dependent upon the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

  4. User Profile Service

Application Layer Gateway Service

The Application Layer Gateway Service (ALG) is a subcomponent of the Windows networking subsystem. It provides support for third-party plug-ins to allow network protocols to pass through the firewall and work behind Internet Connection Sharing. This service is installed by default and its startup type is Manual.

When started in the default configuration it will log on using the Local Service account.

This service is not dependent on any other system service, nor is any service dependent on it.

The following table identifies the application protocol, network protocol, and ports used by the Application Layer Gateway Service:

Application protocol

Network Protocol

Ports

FTP Control

TCP

21

Application Management

The Application Management service (AppMgmt) provides software installation services such as Assign, Publish, and Remove. It processes requests to enumerate, install, and remove applications that are deployed through an organization's network by using Group Policy. When you use Get Programs from the Windows Control Panel to install programs from the network on a domain-joined computer, Windows calls this service to retrieve the list of deployed applications on your network. The service is also called when you use Control Panel to remove an application, or when a component (such as the shell) makes an installation request for an application to handle a file name extension, Component Object Model (COM) class, or ProgID that is not present on the computer. The service is started by the first call that is made to it, and it does not stop after it is started.

If the Application Management service stops or if you disable it, users cannot install, remove, or enumerate applications that are deployed in AD DS. This service is installed by default but is not started unless an application requests it.

When started in the default configuration it will log on using the Local System account.

This service is available on Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise as well as all versions of Windows Server 2008 R2. It is not available on Windows 7 Starter, Windows 7 Home Basic, or Windows 7 Home Premium.

This service is not dependent on any other system service, nor is any service dependent on it.

ASP.NET State Service

The ASP.NET State Service (aspnet_state) provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.

This service is not installed by default on Windows 7 or Windows Server 2008 R2. In both operating systems, once installed, its startup type is Manual.

When started in the default configuration it will log on using the Network Service account.

This service is available on Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise as well as all versions of Windows Server 2008 R2. It is not available on Windows 7 Starter or Windows 7 Home Basic.

This service is not dependent on any other system service, nor is any service dependent on it.

The following table identifies the application protocol, network protocol, and ports used by the ASP.NET State Service:

Application protocol

Network Protocol

Ports

ASP.NET Session State

TCP

42424

Background Intelligent Transfer Service (BITS)

The Background Intelligent Transfer Service (BITS) is a background file-transfer mechanism and queue manager. BITS transfers files asynchronously between a client and an HTTP server. By default, requests to BITS are submitted and the files are transferred through otherwise idle network bandwidth so that other network-related activities, such as browsing, are not affected.

BITS suspends the transfer if a connection is lost or if the user logs off. The BITS connection is persistent and transfers information while the user is logged off, across network disconnects, and during computer restarts. When the user logs on, BITS resumes the user's transfer job.

BITS uses a queue to manage file transfers. You can prioritize transfer jobs within the queue and specify whether the files are transferred in the foreground or background. Background transfers are optimized by BITS, which increases and decreases (or throttles) the rate of transfer based on the amount of idle network bandwidth that is available. If a network application begins to consume more bandwidth, BITS decreases its transfer rate to preserve the user's interactive experience.

BITS provides one foreground and three background priority levels that you can use to prioritize transfer jobs. Higher priority jobs preempt lower priority jobs. Jobs at the same priority level share transfer time, and round-robin scheduling prevents blockage of the transfer queue by a large job. Lower priority jobs do not receive transfer time until all higher priority jobs are complete or in an error state.

The startup type of BITS is Manual in Windows 7 and Windows Server 2008 R2. When started in the default configuration it will log on using the Local System account.

If BITS stops, features such as Windows Update cannot automatically download programs and other information. This functionality also means that the computer cannot receive automatic updates from the organization's Windows Server Update Services server if one has been configured through Group Policy. If you disable this service, any services that explicitly depend on it fail to transfer files unless they have a fail-safe mechanism to transfer files directly through other methods.

BITS is dependent upon the following system components:

  • COM+ Event System

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Base Filtering Engine

The Base Filtering Engine (BFE) is a service that manages firewall and IPsec policies and implements user mode filtering. Stopping or disabling the BFE service significantly reduces the security of the system and results in unpredictable behavior in IPsec management and firewall applications.

The BFE is the core of the Windows Filtering Platform in Windows 7 and Windows Server 2008 R2. This service is installed by default and its startup type is Automatic. When started in the default configuration it will log on using the Local Service account.

The BFE service is dependent upon the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

The following components are dependent upon the BFE service:

  • Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) IPsec Keying Modules

  • Internet Connection Sharing (ICS)

  • IPsec Policy Agent

  • Routing and Remote Access

  • Windows Firewall

This service should not be disabled.

BitLocker Drive Encryption Service

The BitLocker Drive Encryption Service (BDESVC) allows BitLocker to prompt users for various actions related to their drives when they are accessed and supports the unlocking of BitLocker-protected drives automatically without user interaction. Additionally, the service supports the storing of recovery information to Active Directory Domain Services, if available, and, if necessary, ensures the most recent recovery certificates are used. Stopping or disabling the service will prevent users from using these features of BitLocker.

This service is installed by default and its startup type is Manual. When started in the default configuration it will log on using the Local System account.

This service is not dependent on any other system service, nor is any service dependent on it.

Block Level Backup Engine Service

The Block Level Backup Engine Service (wbengine) performs block level backup and recovery of data. This service is used by the Backup and Restore feature in the Control Panel of Windows 7 and by the Windows Server Backup feature of Windows Server 2008 R2. It allows for backups to occur at the hard disk level, instead of just file by file, in a process similar to disk imaging.

This service is installed by default and its startup type is Manual. When started in the default configuration it will log on using the Local System account.

This service is not dependent on any other system service, nor is any service dependent on it.

Bluetooth Support Service

The Bluetooth Support Service (bthserv) supports discovery and association of remote Bluetooth devices. Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated. If you do not use Bluetooth devices with your computer, this service can be disabled.

This service is installed by default and its startup type is Manual. When started in the default configuration it will log on using the Local Service account.

The Bluetooth Support Service is dependent upon the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

BranchCache

The BranchCache (PeerDistSvc) service caches network content from peers on the local subnet. This enables clients in a branch office to securely retrieve files that are cached locally instead of having to retrieve files from a home office server. If this service is stopped or disabled remote computers will need to be able to connect directly to host servers in order to retrieve data.

This service is installed by default on computers running Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise and its startup type is Manual. When started in the default configuration it will log on using the Network Service account.

The Branch Cache service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

BranchCache is a new feature in Windows 7 and Windows Server 2008 R2. To learn more about BranchCache, see the BranchCache technology center on TechNet.

Certificate Propagation

The Certificate Propagation service (CertPropSvc) propagates certificates from smart cards to resources that request them. The Certification Propagation service applies when a logged-on user inserts a smart card into a reader that is attached to the computer. This action causes the certificates to be read from the smart card. The certificates are then added to the user's personal store.

If the Group Policy "CertPropRootEnabledString" is set, Root Certificates are also propagated to the machine root trust store. Root certificate propagation is responsible for the following specific smart card deployment scenarios, where public key infrastructure (PKI) trust has not yet been established:

  • Joining the domain

  • Accessing a network remotely

In both cases, the computer is not joined to a domain, and, therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server (the domain controller or the RADIUS server). Root certificate propagation provides the ability to use the smart card to include the missing trust chain.

On smart card insertion, the Certificate Propagation service propagates any root certificates on the card to the Smart Card Trusted Roots certificate stores on the local computer. This process establishes a trust relationship with the organization

This service startup type is by default Manual. However, if you have deployed smart cards as part of your authentication policy, we recommend that you configure this setting with the Automatic startup type. When started in the default configuration it will log on using the Local System account.

The Certification Propagation service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Client for NFS

The Client for NFS (NfsClnt) service enable the computer to access files of network file system (NFS) shares and is part of the Services for UNIX support in Windows 7 and Windows Server 2008 R2.

This service is not installed by default on Windows 7. It is installed by default on Windows Server 2008 R2. In both operating systems, once installed its service startup type is by default Manual.

When started in the default configuration it will log on using the Network Service account.

This service is available on Windows 7 Ultimate and Windows 7 Enterprise as well as all versions of Windows Server 2008 R2.

Certificate Services

The Certificate Services service supports the Active Directory Certificate Services (AD CS) server role as part of Windows Server 2008 R2 to enable a business to act as its own certification authority (CA). It issues and manages digital certificates for applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), IPsec, and smart card logon. Windows Server 2003 supports multiple levels of a CA hierarchy and cross-certified trust network, including offline and online CAs.

The AD CS server role is not installed by default. Administrators must install it through Server Manager, at which time the role service Certificate Services is also installed. If Certificate Services stops or if you disable it after installation, certificate requests are not accepted and certificate revocation lists (CRLs) and delta CRLs are not published. If the service stops long enough for CRLs to expire, existing certificates fail to validate.

Certificate services can be used to issue and manage digital certificates for programs and protocols such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), IPsec, and smart card logon. Certificate Services relies on RPC and on DCOM to communicate with clients by using random TCP ports that are higher than port 1024.

Certificate Services is not supported on a Server Core installation of Windows Server 2008, but it is supported on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2.

The following table identifies the application protocol, network protocol, and ports used by Certificate Services:

Application protocol

Network Protocol

Ports

RPC

TCP

135

Randomly allocated high TCP ports

TCP

random port number between 1024 - 65535

Cluster Service

The Cluster service (ClusSvc) supports the Failover Clustering feature in Windows Server 2008 R2 that controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that work together to provide load-balancing and failover support. Applications that can run on a cluster, such as Microsoft® Exchange Server and Microsoft SQL Server®, use the cluster to present a single virtual computer to users. The cluster software spreads data and computation tasks among the nodes of the cluster. When a node fails, other nodes provide the services and data that were formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data and computation tasks to that node.

There are two different types of cluster solutions for the Windows operating systems that support different application styles: server clusters and Network Load Balancing (NLB) clusters. Server clusters provide a highly available environment for applications that must run reliably for long periods of time (such as databases or file servers), and provide failover support with tightly integrated cluster management. NLB clusters provide a highly available and highly scalable environment for other types of applications such as public-facing Web servers, and load balance client requests among a set of identical servers.

The Cluster service provides support for server clusters. It is the essential software component that controls all aspects of the cluster operation and manages the cluster database. Each node in a cluster runs one instance of the Cluster service.

The Cluster service is not installed or enabled by default. If the Cluster service stops after it is installed, clusters are unavailable.

Cluster Services it an optional feature on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2.

The following table identifies the application protocol, network protocol, and ports used by Cluster Services:

Application protocol

Network Protocol

Ports

Cluster Services

UDP

3343

RPC

TCP

135

Cluster Administrator

UDP

137

Randomly allocated high UDP ports

UDP

random port number between 1024 – 65535

CNG Key Isolation

The CNG Key Isolation service is hosted in the Local Security Authority (LSA) process as part of system cryptography support. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria, or CC) is an international standard (ISO/IEC 15408) for computer security. Common Criteria is based on a framework in which computer system users can specify their security requirements, vendors can then implement and make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous and standard manner.

The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements. To comply with Common Criteria requirements, the long-lived keys must be isolated so that they are never present in the application process. Cryptography Next Generation (CNG) currently supports the storage of asymmetric private keys by using the Microsoft software key storage provider (KSP) that is included with Windows Server 2008 R2 and Windows 7, and installed by default.

Key isolation is enabled by default in Windows Server 2008 R2 and Windows 7. Also, non-Microsoft KSPs are not loaded in the key isolation service (LSA process). Only the Microsoft KSP is loaded in the key isolation service.

The LSA process is used as the key isolation process to maximize performance. All access to private keys goes through the key storage router, which exposes a comprehensive set of functions for managing and using private keys.

CNG stores the public portion of the stored key separately from the private portion. The public portion of a key pair is also maintained in the key isolation service and is accessed by using lightweight remote procedure call (LRPC). The key storage router uses LRPC when calling into the key isolation process. All access to private keys goes through the private key router and is audited by CNG.

This service startup type is by default Manual.

When started in the default configuration it will log on using the Local System account.

The CNG Key Isolation service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following components are dependent upon the CNG Key Isolation service:

  • Extensible Authentication Protocol

  • Wired AutoConfig

  • WLAN AutoConfig

COM+ Event System

The COM+ Event System (EventSystem) service provides automatic event distribution to COM components that subscribe to it. COM+ events extend the COM+ programming model to support late-bound events or method calls between the publisher or subscriber and the event system. The event system notifies event consumers as information becomes available, and does not repeatedly poll the server.

The COM+ Event System service handles most of the event semantics for the publisher and subscriber. Publishers offer to publish event types, and subscribers request event types from specific publishers. Subscriptions are maintained outside the publisher and subscriber and retrieved when needed, which simplifies the programming model for both. The subscriber is not required to contain the logic in order to build subscriptions—it is possible to build a subscriber as easily as a COM component. The life cycle of the subscription is separate from that of either the publisher or the subscriber. You can build subscriptions before either the subscriber or publisher is made active.

This service is installed by default and its startup type is Automatic. In its default configuration it logs on using the Local Service account. When the COM+ Event System services stops, the System Event Notification service closes and cannot provide logon and logoff notifications. The Volume Shadow Copy Service, which is needed for Windows Backup and backup applications that rely on the Windows Backup API, also requires this service.

The COM+ Event System service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following components are dependent upon the COM+ Event System service:

  • Background Intelligent Transfer Service

  • COM+ System Application

  • SPP Notification Service

  • System Event Notification Service

COM+ System Application

The COM+ System Application (COMSysApp) service manages the configuration and tracking of COM+ based components. If this service stops, most COM+ based components do not function properly. The Volume Shadow Copy Service, which is needed for Windows Backup and backup applications that rely on the Windows Backup API, requires this service.

This service is installed and enabled by default. In its default configuration it logs on using the Local System account.

The COM+ System Application service is dependent upon the following system components:

  • COM+ Event System

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • System Event Notification Service

Computer Browser

The Computer Browser (Browser) service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that must view network domains and resources. Computers that are designated as browsers maintain browse lists, which contain all shared resources that are used on the network.

There are several different roles a computer might perform in a browsing environment. Under some conditions, such as failure or shutdown of a computer that is designated for a specific browser role, browsers or potential browsers may change to a different operational role.

The Computer Browser service is enabled and started by default on Windows 7-based computers. On computers running Windows Server 2008 R2 it is installed and disabled. When started in its default configuration it logs on using the Local System account. If it stops, the browser list is not updated or maintained.

The Computer service is dependent upon the following system components:

  • Server

  • Security Accounts Manager

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Server SMB 1.xxx Driver

  • Server SMB 2.xxx Driver

  • srvnet

  • Workstation

  • Browser Support Driver

  • Network Store Interface Service

  • NSI proxy service driver

  • SMB 1.x MiniRedirector

  • SMB 2.0 MiniRedirector

  • SMB MiniRedirector Wrapper and Engine

  • Redirected Buffering Sub System

  • Mup

The following table identifies the application protocol, network protocols and ports used by the Computer Browser service:

Application protocol

Network Protocol

Ports

NetBIOS Datagram Service

UDP

138

NetBIOS Name Resolution

UDP

137

NetBIOS Session Service

TCP

139

Credential Manager

The Credential Manager (VaultSvc) service provides secure storage and retrieval of credentials to users, applications and security service packages.

This service is installed by default and its startup type is Manual. When started it logs on using the Local System account in its default configuration.

The Credential Manager service has dependencies on the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

The Windows Biometric Service is dependent upon the Credential Manager service.

Cryptographic Services

The Cryptographic Services (CryptSvc) service provides key-management services for your computer. Cryptographic Services is actually composed of four different management services:

  • Catalog Database Service. This service adds, removes, and looks up catalog files, which are used to sign all the files in the operating system. Windows File Protection (WFP), Driver Signing, and setup use this service to verify signed files. You cannot stop this service during setup. If the service stops after setup, it restarts when requested by an application.

  • Protected Root Service. This service adds and removes Trusted Root Certification Authority certificates. The service displays a service message box with the certificate's name and thumbprint. If you click OK, the certificate is added or removed from your current list of trusted root authorities. Only Local System accounts have write access to the list. If this service stops, the current user cannot add or remove Trusted Root Certification Authority certificates.

  • Automatic Root Certificate Update Service. This service retrieves root certificates as needed from Windows Update. This service can be used in support secure-sockets-layer (SSL) sessions to help ensure that server certificates are kept up-to-date. If this service stops, root certificates must be updated manually.

  • Key Service. This service allows administrators to enroll for certificates on behalf of the local computer account. The service provides several functions that are required for enrollment, such as enumeration of available CAs, enumeration of available computer templates, and the ability to create and submit a certificate request in the local computer context. Only administrators may enroll on behalf of the local computer account. The Key Service also allows administrators to remotely install Personal Information Exchange (PFX) files on your computer. If this service stops, autoenrollment cannot automatically acquire the default set of computer certificates.

The Cryptographic Services service is enabled and started automatically by default. When started, it logs on using the Network Service account in the default configuration. If it stops, the management services that are referenced in the preceding paragraphs do not function properly.

The Cryptographic Services service has dependencies on the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

The Application Identity Service is dependent upon the Cryptographic Services service.

DCOM Server Process Launcher

The DCOM Server Process Launcher (DCOMLaunch) service launches COM and DCOM servers in response to object activation requests. This service is enabled and started by default; it runs under the Local System account.

If the DCOM Server Process Launcher service stops, remote procedure calls and DCOM requests on the local computer do not function properly. In particular, the Windows Firewall service fails if this service stops. This service is required and cannot be stopped from the Services console. If this service stops, the computer restarts.

The DCOM Server Process Launcher The Remote Procedure Call (RPC) service is dependent upon the DCOM Server Process Launcher service.

Desktop Window Manager Session Manager

The Desktop Window Manager Session Manager (UxSms) service provides Desktop Window Manager startup and maintenance services. The service supports the Themes service and checks that applications are compatible with the Windows Aero user experience. If an application is not compatible with Aero, this service causes it revert to a classic Windows theme that it supports.

If your computer does not support Aero graphics, you may see improved performance by disabling this service.

By default this service is installed and started automatically and logs on using the Local System account.

This service is not dependent on any other system service, nor is any service dependent on it.

DHCP Client

The DHCP Client (Dhcp) service manages network configuration. It registers and updates IP addresses and Domain Name System (DNS) names for your computer. You do not have to manually change the IP settings for a client computer, such as a portable computer, that connects from different locations throughout the network. The client computer is automatically given a new IP address, regardless of the subnet that it reconnects to (if a DHCP server is accessible from the subnets). There is no need to manually configure settings for DNS or WINS. The DHCP server can provide these settings to the client if the DHCP server is configured to issue such information. To enable this option on the client, click Obtain DNS Server Address Automatically. No conflicts are caused by duplicate IP addresses.

If the DHCP Client service stops, your computer does not receive dynamic IP addresses and automatic dynamic DNS updates stop being registered on the DNS server.

By default this service is installed and started automatically and logs on using the Local Service account.

The DHCP Client service is dependent upon the following system components:

  1. Ancillary Function Driver for Winsock

  2. Net I/O Legacy TDI Support Drive

  3. TCP/IP Protocol Driver

  4. Network Store Interface Service

  5. NSI proxy service driver

The WinHTTP Web Proxy Auto-Discovery Service is dependent upon the DHCP Client Service

DHCP Server

The DHCP Server (DHCPServer) service allocates IP addresses and enables advanced configuration of network settings such as DNS servers and WINS servers to DHCP clients automatically. DHCP uses a client/server model. The network administrator establishes one or more DHCP servers that maintain TCP/IP configuration information and provide the information to client computers. The server database includes the following:

  • Valid configuration parameters for all client computers on the network.

  • Valid IP addresses that are maintained in a pool for assignment to client computers, plus reserved addresses for manual assignment.

  • Duration of the lease offered by the server. The lease defines the length of time that the assigned IP address is valid.

DHCP is an IP standard that is designed to reduce the complexity of address configuration administration. It uses a server computer to centrally manage IP addresses and other related configuration details for your network. Windows Server 2008 provides the DHCP service, which enables the server computer to perform as a DHCP server and configure DHCP-enabled client computers on your network, as described in the current DHCP draft standard, Internet Engineering Task Force (IETF) Request for Comments (RFC) 2131.

DHCP includes the Multicast Address Dynamic Client Allocation Protocol (MADCAP), which is used to perform multicast address allocation. When registered client computers are dynamically assigned IP addresses through MADCAP, they can participate efficiently in the data stream process, such as for real-time video or audio network transmissions.

With a DHCP server installed and configured on your network, DHCP-enabled client computers can obtain their IP addresses and related configuration parameters dynamically each time they start and join the network. DHCP servers provide this configuration in the form of an address-lease offer to the client computers.

If the DHCP Server service stops, the server no longer issues IP addresses or other configuration parameters automatically. This service is only installed and activated if you install the DHCP server role.

This service is available on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2.

The following table identifies the application protocols, network protocols, and ports used by the DHCP Server service:

Application protocol

Network Protocol

Ports

DHCP Server

UDP

67

MADCAP

UDP

2535

Diagnostic Policy Service

The Diagnostic Policy Service (DPS) enables problem detection, troubleshooting, and resolution for Windows components. If this service is stopped, diagnostics cannot function. The Diagnostic Policy Service supports the Network Diagnostic Framework that is used to troubleshoot network connectivity issues.

This service startup type is by default Automatic and it logs on using the Local Service account.

This service is not dependent on any other system service, nor is any service dependent on it.

Diagnostic Service Host

The Diagnostic Service Host (WdiServiceHost) enables problem detection, troubleshooting, and resolution for Windows components. If this service is stopped, diagnostics cannot function. The Diagnostic Service Host is part of the Network Diagnostic Framework that is used to troubleshoot network connectivity issues. When a user selects Diagnose and Repair from either the Network and Sharing Center or the Network Connection context menu, the Diagnostic Policy Service starts the Diagnostic Service Host. The service continues to run until the computer is restarted.

This service startup type is by default Manual and when started it logs on using the Local Service account.

This service is not dependent on any other system service, nor is any service dependent on it.

Diagnostic System Host

The Diagnostic System Host (WdiSystemHost) enables problem detection, troubleshooting, and resolution for Windows components. If this service is stopped, diagnostics cannot function. The Diagnostic System Host is part of the Network Diagnostic Framework that is used to troubleshoot network connectivity issues.

This service startup type is by default Manual and when started it logs on using the Local System account.

This service is not dependent on any other system service, nor is any service dependent on it.

Disk Defragmenter

The Disk Defragmenter (defragsvc) service is used to defragment disks on a schedule. It will start and stop automatically when the task is scheduled and is not started when the computer starts. By default it logs on using the Local System account

The Disk Defragmenter service is dependent upon the following services:

  1. Remote Procedure Call (RPC) service

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

Distributed File System

The Distributed File System (Dfs) service manages logical volumes that are distributed across a local or wide area network and is required for the AD DS SYSVOL share. Distributed File System (DFS) is a distributed service that integrates disparate file shares into a single logical namespace.

This namespace is a logical representation of the network storage resources that are available to users on the network. If the Distributed File System service stops, you are unable to access file shares or network data through the logical namespace. To access the data when the service is stopped, you must know the names of all the servers and all the shares in the namespace and must access each of these targets independently. This service is installed as part of the File Services role.

This service is available on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2. The following table identifies the application protocols, network protocols, and ports used by the Distributed File System service:

Application protocol

Network Protocol

Ports

NetBIOS Datagram Service

UDP

138

NetBIOS Session Service

TCP

139

LDAP Server

TCP

389

LDAP Server

UDP

389

SMB

TCP

445

RPC

TCP

135

Randomly allocated high TCP ports

TCP

random port number between 1024 - 65535

Distributed File System Replication

The Distributed File System Replication (DFSR) service is a state-based, multi-master file replication engine that automatically copies updates to files and folders between computers that are participating in a common replication group. This service is installed as part of the File Services role.

This service is available on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2. The following table identifies the application protocols, network protocols, and ports used by the Distributed File System service:

Application protocol

Network Protocol

Ports

RPC

TCP

135

RPC

TCP

5722 (domain controller only)

Randomly allocated high TCP ports

TCP

random port number between 1024 – 65535

The Distributed Link Tracking Client (TrkWks) service maintains links between the NTFS file system files within your computer or across computers in your network domain. This service ensures that shortcuts and Object Linking and Embedding (OLE) links continue to work after the target file is renamed or moved.

When you create a shortcut to a file on an NTFS volume, distributed link tracking stamps a unique object identifier (ID) into the target file, which is known as the link source. The file that refers to the target file (known as the link client) also stores information about the object ID internally. Distributed link tracking can use this object ID to locate the link source file in the following scenarios:

  • When the link source file is renamed.

  • When the link source file is moved to another folder on the same volume or a different volume of the same computer.

  • When the link source file is moved to another computer in the network.

Note

Unless the computer is in a domain where the Distributed Link Tracking Server service is available, this form of link tracking is less reliable over time.

  • When the shared network folder that contains the link source file is renamed.

  • When the computer that contains the link source file is renamed.

For all of the preceding scenarios, the link source file must be on a fixed NTFS volume. The NTFS volumes cannot be on removable media.

Note

The Distributed Link Tracking Client service monitors activity on NTFS volumes and stores maintenance information in a file called Tracking.log, which is located in a hidden folder called System Volume Information at the root of each volume. This folder is protected by permissions that allow only the computer to have access to it. The folder is also used by other Windows services, such as the Indexing Service.

If the Distributed Link Tracking Client service stops, any links to content on that computer are not maintained or tracked.

By default this service is installed and starts automatically and logs on under the Local System account.

The Distributed Link Tracking Client service is dependent upon the following system components:

  1. Remote Procedure Call

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

The Distributed Link Tracking Server (TrkSvr) service stores information so that files that are moved between volumes can be tracked for each volume in the domain. When enabled, the Distributed Link Tracking Server service runs on each domain controller in a domain. This service enables the Distributed Link Tracking Client service to track linked documents that have been moved to a location in another NTFS volume in the same domain.

The Distributed Link Tracking Server service is disabled by default. If you enable it, you must do so on all domain controllers of a domain. If the Distributed Link Tracking Server service is enabled on a domain controller that is upgraded to a newer version of Windows Server, the service must be re-enabled manually.

If the Distributed Link Tracking Server service is enabled, the DLT_AllowDomainMode system policy must be enabled for Windows XP client computers to be able to use it. If the Distributed Link Tracking Server service is enabled and then later disabled, you must purge its entries in AD DS. For more information, see article 312403, Distributed Link Tracking on Windows-based domain controllers, in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=100974).

If the Distributed Link Tracking Server service stops or if you disable it, links that are maintained by the Distributed Link Tracking Client service eventually become less reliable.

The Distributed Link Tracking Server service is part of the AD DS server role.

This service is available on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2. The following table identifies the application protocols, network protocols, and ports used by the Distributed Link Tracking Server service:

Application protocol

Network Protocol

Ports

RPC

TCP

135

Randomly allocated high TCP ports

TCP

random port number between 1024 – 65535

Distributed Transaction Coordinator

The Distributed Transaction Coordinator (MSDTC) service coordinates transactions that are distributed across multiple computers and resource managers, such as databases, message queues, file systems, and other transaction-based resource managers. This service is necessary if transactional components are to be configured through COM+. It is also required for transactional queues in Message Queuing (also known as MSMQ) and SQL Server operations that span multiple computers.

The Distributed Transaction Coordinator service is installed and configured for a manual start by default. If it stops, transactions that use this service are not performed. Clustered installations of Microsoft Exchange, SQL Server, or other applications that make use of transaction services may be affected if this service stops.

When started in the default configuration the Distributed Transaction Coordinator service logs on using the Network Service account.

This service has dependencies upon the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

  4. Security Accounts Manager

This service is available on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2. The following table identifies the application protocols, network protocols, and ports used by the Distributed Transaction Coordinator service:

Application protocol

Network Protocol

Ports

RPC

TCP

135

Randomly allocated high TCP ports

TCP

random port number between 1024 – 65535

DNS Client

The DNS Client (Dnscache) service resolves and caches Domain Name System (DNS) names for your computer. The DNS Client service must run on every computer that performs DNS name resolution. DNS name resolution is needed to locate domain controllers in AD DS domains. The DNS Client service is also needed to enable location of the devices that are identified through DNS name resolution. Windows 7 includes both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) protocol stacks that are installed and enabled by default. Domain Name System (DNS) name queries and registrations can now involve both IPv4 address records (A records) and IPv6 address records (AAAA records).

The DNS Client service that runs on Windows Server 2008 R2 implements the following features:

  • Systemwide caching. Resource records (RRs) from query responses are added to the client cache when applications query DNS servers. This information is then cached for a specific Time to Live (TTL) and can be used again to answer subsequent queries.

  • RFC-compliant negative caching support. In addition to positive query responses from DNS servers (which contain resource record information in the answered reply), the DNS Client service also caches negative query responses.

    A negative response results when an RR for the queried name does not exist. Negative caching prevents the repetition of additional queries for names that do not exist, which can adversely affect client computer performance. Any negative query information that is cached is kept for a shorter period of time than positive query information; by default, no more than five minutes. This configuration prevents stale negative query information from being continuously cached if the records later become available.

  • Avoidance of unresponsive DNS servers. The DNS Client service uses a server search list that is ordered by preference. This list includes all preferred and alternate DNS servers that are configured for each of the active network connections on the computer. Windows Server 2008 rearranges these lists based on the following criteria:

    • Preferred DNS servers are given first priority.

    • If no preferred DNS servers are available, alternate DNS servers are used.

    • Unresponsive servers are removed temporarily from these lists.

If the DNS Client service stops, the computer cannot resolve DNS names or locate Active Directory domain controllers and users cannot log on to the computer.

Computers must perform both A and AAAA queries to determine the best method of connectivity to the endpoint that is wanted. By obtaining both IPv4 and IPv6 addresses, there is an increased chance of access to the wanted endpoint if one of the addresses is unreachable. The DNS Client minimizes the impact on DNS servers when performing DNS name queries through the following behavior:

  • If the host has only link-local or Teredo IPv6 addresses assigned, the DNS Client service sends a single query for A records. For more information about Teredo, see the Teredo Overview on Microsoft TechNet.

  • If the host has at least one IPv6 address assigned that is not a link-local or Teredo address, the DNS Client service sends a DNS query for A records and then a separate DNS query to the same DNS server for AAAA records. If an A record query times out or has an error (other than name not found), the corresponding AAAA record query is not sent.

This service is installed by default and it startup type is Automatic. In its default configuration it logs on using the Network Service account.

This service has dependencies upon the following system components:

  1. NetIO Legacy TDI Support Driver

  2. TCP/IP Protocol Driver

  3. Network Store Interface Service

  4. NSI proxy service driver

DNS Server

The DNS Server (DNS) service enables DNS name resolution. It answers queries and update requests for DNS names. DNS servers locate devices that are identified by their DNS names and locate domain controllers in AD DS.

If the DNS Server service stops or if you disable it, DNS updates do not occur. The DNS Server service is not required to run on every computer. However, if there is no authoritative DNS server for a particular portion of the DNS namespace, the location of the devices that use DNS names in that portion of the namespace fail. Absence of an authoritative DNS server for the DNS namespace that is used to name Active Directory domains results in an inability to locate domain controllers in that domain.

The DNS Server service is only installed and activated if you install the DNS Server role.

This service is available on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2. The following table identifies the application protocols, network protocols, and ports used by the DNS Server service:

Application protocol

Network Protocol

Ports

DNS

UDP

53

DNS

TCP

53

Encrypting File System

The Encrypting File System (EFS) service provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications will be unable to access encrypted files.

By default this service is installed and configured for a manual start. When you select a file or folder to encrypt with EFS the service will be started and its startup type changed to an Automatic start.

When this service is started in the default configuration it logs on using the Local System account.

The EFS service is dependent upon the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

Extensible Authentication Protocol

The Extensible Authentication Protocol (EapHost) service provides network authentication in such scenarios as 802.1x wired and wireless, virtual private network (VPN), and Network Access Protection (NAP). The Extensible Authentication Protocol (EAP) also provides APIs that are used by network access clients, including wireless and VPN clients, during the authentication process.

EAP supports authentication schemes such as Generic Token Card, One Time Password (OTP), Message Digest 5 (MD5)-Challenge, Transport Layer Security (TLS) for smart card and digital certificate-based authentication, and future authentication technologies. EAP is a critical technology component for establishing secure connections. If you disable this service, this computer is prevented from accessing networks that require EAP authentication.

This service startup type is by default Manual. When started in its default configuration the service logs on using the Local System account.

The Extensible Authentication Protocol service is dependent upon the following system components:

  1. CNG Key Isolation

  2. Remote Procedure Call (RPC)

  3. DCOM Server Process Launcher

  4. RPC Endpoint Mapper

The following components are dependent upon the Extensible Authentication Protocol service:

  1. Wired AutoConfig

  2. WLAN AutoConfig

Fax Service

The Fax service, a Telephony API (TAPI)-compliant service, provides fax capabilities from users' computers. The Fax service allows users to send and receive faxes from their desktop applications through either a local fax device or a shared network fax device. The service offers the following features:

  • Fax distribution and receipt

  • Fax activity tracking and monitoring

  • Inbound fax routing

  • Server and device configuration management

  • Archiving of sent faxes

If you disable the print spooler or telephony service, the Fax service does not start successfully. If this service stops, users cannot send or receive faxes. The Fax service startup type is Manual; it stops when there is no fax activity and restarts on an as-needed basis. On server operating systems, the Fax service is installed with the Fax Server role.

This service is available on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2.

The Fax service is dependent upon the following system components:

  • Plug and Play

  • Print Spooler

  • HTTP

  • Remote Procedure Call

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Telephony

The following table identifies the application protocols, network protocols, and ports used by the Fax Service:

Application protocol

Network Protocol

Ports

NetBIOS Session Service

TCP

139

SMB

TCP

445

RPC

TCP

135

Randomly allocated high TCP Ports

TCP

Random port number between 1024- 65535

Function Discovery Provider Host

The Function Discovery Provider Host (fdPHost) service provides the host process for Function Discovery providers. Function Discovery provides a uniform programmatic interface for enumerating system resources, such as hardware devices, whether they are local or connected through a network. It enables applications to discover and manage lists of devices or objects sorted by functionality or class. Users benefit from this categorized view of devices on their system. Both applications and users can use Function Discovery to discover what functions their system can perform, regardless of the underlying device or software architecture.

Function Discovery supports an extensible discovery provider model. The providers included in the system provide an abstraction layer over existing standards such as Plug and Play, Simple Service Discovery Protocol (SSDP), Web Services Dynamic Discovery (WS-Discovery), and the registry. Custom providers can be created to expose your organization's resources through Function Discovery.

The service startup type is Manual. When started in the default configuration the service will log on using the Local Service account.

The Function Discovery Provider Host service is dependent upon the following system components:

  1. HTTP

  2. Remote Procedure Call (RPC)

  3. DCOM Server Process Launcher

  4. RPC Endpoint Mapper

The following system components depend on the Function Discovery Provider Host service:

  1. HomeGroup Provider

  2. Media Center Extender Service

  3. PnP-X IP Bus Enumerator

Function Discovery Resource Publication

The Function Discovery Resource Publication (FDResPub) service publishes this computer and resources attached to this computer so that they can be discovered over the network. If this service is stopped, network resources cannot be published and they cannot be discovered by other computers on the network.

The service startup type is by default Manual. When started in its default configuration it will log on using the Local Service account.

The Function Discovery Resource Publication service is dependent upon the following system components:

  1. HTTP

  2. Remote Procedure Call (RPC)

  3. DCOM Server Process Launcher

  4. RPC Endpoint Mapper

The following system components depend on this service:

  1. HomeGroup Provider

Group Policy Client

The Group Policy Client (gpsvc) service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is stopped or disabled, the settings are not applied and applications and components cannot be managed through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is stopped or disabled.

The service startup type is Automatic and it logs on using the Local System account. The service cannot be disabled or modified through the Services snap-in console.

The Group Policy Client service is dependent upon on the following system components:

  1. Mup

  2. Remote Procedure Call (RPC)

  3. DCOM Server Process Launcher

  4. RPC Endpoint Mapper

Group Policy

The Group Policy service on domain controllers supports the application of Group Policies to client computers in the domain. To successfully apply Group Policy, a client must be able to contact a domain controller over the DCOM, ICMP, LDAP, SMB, and RPC protocols. If any one of these protocols are unavailable or blocked between the client and a relevant domain controller, policy will not apply or refresh. For a cross-domain logon, where a computer is in one domain, and the user account is in another, these protocols may be required for the client, the resource domain, and the account domain to communicate. ICMP is used for slow link detection.

This service is available on a Server Core installation of as well as the Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2. The following table identifies the application protocols, network protocols, and ports used by the Group Policy service:

Application protocol

Network Protocol

Ports

DCOM

TCP + UDP

Random ports between 1024 - 65535

ICMP (ping)

ICMP

Used for slow link detection

LDAP

TCP

389

SMB

TCP

445

RPC

TCP

135 or a random port number between 1024 and 65535

Health Key and Certificate Management

The Health Key and Certificate Management (hkmsvc) service provides X.509 certificate and key management services for the Network Access Protection Agent service as part of the Network Access Protection (NAP) platform. Enforcement technologies that use X.509 certificates may not function properly if this service is not installed or is disabled.

The NAP platform helps administrators validate and enforce compliance with system health policies for network access and communication. Administrators can create solutions for validating computers that connect to or communicate on their networks, provide needed updates or access to needed resources, and limit the network access of computers that are noncompliant.

The service startup type is Manual. When started in the default configuration it will log on using the Local System account.

The Health Key and Certificate Management service is dependent upon the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

HomeGroup Listener

The HomeGroup Listener service makes local computer changes associated with configuration and maintenance of the homegroup-joined computer. If this service is stopped or disabled, your computer will not work properly in a homegroup and your homegroup might not work properly. It is recommended that you keep this service running if you use your computer as part of a homegroup.

The service startup type is Manual. When started in the default configuration it will log on using the Local System account.

The HomeGroup Listener service is dependent upon the following system components:

  1. Server

  2. Security Accounts Manager

  3. Remote Procedure Call (RPC)

  4. DCOM Server Process Launcher

  5. RPC Endpoint Mapper

  6. Server SMB 1.xxx Driver

  7. Server SMB 2.xxx Driver

  8. srvnet

HomeGroup Provider

The HomeGroup Provider service performs networking tasks associated with configuration and maintenance of homegroups. If this service is stopped or disabled, your computer will be unable to detect other homegroups and your homegroup might not work properly. It is recommended that you keep this service running if you use your computer as part of a homegroup.

The service startup type is Manual. When started in the default configuration the HomeGroup Provider service will log on using the Local Service account.

The HomeGroup Provider service depends on the following system components:

  1. Function Discovery Provider Host

  2. HTTP

  3. Remote Procedure Call (RPC)

  4. DCOM Server Process Launcher

  5. RPC Endpoint Mapper

  6. Function Discovery Resource Publication

  7. Network List Service

  8. Network Location Awareness

  9. Network Store Interface Service

  10. NSI proxy service driver

  11. TCP/IP Protocol Driver

HTTP SSL

The HTTP SSL (HTTPFilter) service enables IIS to perform Secure Sockets Layer (SSL) functions. SSL is an open standard that establishes encrypted communications channels to help to prevent the interception of critical information, such as credit card numbers. Primarily, it protects data transmitted for electronic financial transactions on the Internet, although it is designed to work on other Internet services as well.

If the HTTP SSL service stops, IIS does not perform SSL functions. This service is installed when IIS is installed and is not present or active otherwise. You can configure this service through the Internet Information Services (IIS) Manager snap-in.

This service is available on a Server Core installation of as well as the Web, Standard, Enterprise, and Datacenter versions of Windows Server 2008 and Windows Server 2008 R2.

The following table identifies the application protocols, network protocols, and ports used by the HTTP SSL service:

Application protocol

Network Protocol

Ports

HTTPS

TCP

443

Human Interface Device Access

The Human Interface Device Access (hidserv) service enables generic input access to Universal Serial Bus (USB) devices such as keyboards and mice. The service activates and maintains predefined keyboard keys, remote controls, and other multimedia devices.

If the Human Interface Device Access service stops, keyboard keys that are controlled by this service no longer function. For instance, the Back key, Forward key, and other keyboard keys on USB keyboards and volume buttons on USB speakers do not function.

This service is installed by default and its startup type is Manual.When started in the default configuration it will log on using the Local System account.

This service is not dependent on any other system service, nor is any service dependent on it.

IIS Admin Service

The IIS Admin Service (IISADMIN) allows administration of Internet Information Services (IIS) components such as FTP, application pools, Web sites, Web service extensions, and both Network News Transfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) virtual servers. If you stop or disable this service, you cannot run Web, FTP, NNTP, or SMTP sites.

The IIS Admin Service is not installed by default, it is installed when you install IIS an optional feature of the operating system. Once installed its service startup type is Automatic. When started in the default configuration it will log on using the Local System account.

The IIS Admin Service is dependent upon the following system components:

  • HTTP

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Security Accounts Manager

IKE and AuthIP IPsec Keying Modules

The IKE and AuthIP IPsec Keying Modules (IKEEXT) service hosts the IKE and AuthIP keying modules. These keying modules are used for authentication and key exchange in IPsec. Stopping or disabling the IKEEXT service disables IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service may result in an IPsec failure and may compromise the security of the system. We strongly recommend that you have the IKEEXT service running.

This service is installed by default and its startup type is Manual. When started in the default configuration it will log on using the Local System account.

The IKE and AuthIP IPsec Keying Modules service is dependent upon the following system components:

  • Base Filtering Engine

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Indexing Service

The Indexing Service (CISVC) indexes the contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language. The Indexing Service also enables quick document search capability on local and remote computers and a search index for content that is shared on the Web. The service builds indexes of all textual information in files and documents. After the initial index build is complete, the Indexing Service maintains its indexes whenever a file is created, modified, or deleted.

The Indexing Service has been replaced by Windows Search in Windows 7 and Windows Server 2008 R2. However, the Indexing Service is still available in Windows 7 and Windows Server 2008 R2 but must be explicitly installed. Once installed, its default startup type is Automatic and it will log on using the Local System account.

The Indexing Service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Interactive Services Detection

The Interactive Services Detection (UI0Detect) service enables user notification of user input for interactive services, which enables access to dialog boxes created by interactive services when they appear. If this service is stopped, notifications of new interactive service dialog boxes no longer function and there may no longer be access to interactive service dialog boxes. This service supports the service isolation feature in Windows 7.

In Windows XP, Windows Server 2003, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and, therefore, are targets for malicious users who are looking for a way to elevate their own privilege level.

The Windows 7 and Windows Server 2008 R2 operating system mitigates this security risk by isolating services in Session 0 and making Session 0 noninteractive. In these operating systems, only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services never run in the same session as users' applications and, therefore, are protected from attacks that originate in application code. Because Session 0 is no longer a user session, services that are running in Session 0 do not have access to the video driver. This means that any attempt that a service makes to render graphics fails. For example, if a device installer runs in Session 0 and the installation program creates a dialog box in Session 0 that requires user input to continue, the device installation never completes because the user does not see the dialog box. From the user's perspective, the device installer has stopped responding because it has stopped progressing and the user has no way to resume it. Basically, any functionality in a service or a service-hosted driver that assumes the user is running in Session 0 does not work correctly in Windows 7 and Windows Server 2008 R2.

As a result of this issue, the option of enabling the Interactive Service Detection Service is available for customers who have services from earlier versions of Windows that send user interaction dialog boxes to Session 0 instead of the corresponding user's session.

The service startup type is Manual by default. The service starts only when a visible dialog box that is not a command window is detected. If the service is started, users are notified when a dialog box or window (including a command window) appears in Session 0. Information about each of the last 10 dialog boxes appears in turn if more information is shown. This helps to ensure that deployment testers are aware of services from earlier operating systems in their environment and have the opportunity to contact the vendors for updated services.

The service detects these visible dialog boxes or windows and sends a notification to the user. Users may choose to:

  • Respond to the dialog box immediately by clicking a button to switch to Session 0, interact with the task dialog box, and then switch back to their session.

  • Be reminded again in five minutes. The reminders continue until the dialog box closes.

If this service is disabled, users do not receive notifications when the devices or services send dialog boxes to Session 0.

By default this service logs on using the Local System account and is allowed to interact with the desktop.

This service is not dependent on any other system service, nor is any service dependent on it.

Internet Connection Sharing

The Internet Connection Sharing (SharedAccess) service provides network address translation, addressing, name resolution, and intrusion prevention services for a home or small office network.

This service is installed by default and its startup type is Disabled. If started in its default configuration it will log on using the Local System account.

The Internet Connection Sharing service is dependent upon the following system components:

  • Base Filtering Engine

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Network Connections

  • Network Store Interface Service

  • NSI proxy service drive

  • Remote Access Connection Manager

  • Secure Socket Tunneling Protocol Service

  • Telephony

  • Plug and Play

  • Windows Management Instrumentation

Intersite Messaging

The Intersite Messaging (IsmServ) service enables message exchanges between computers that run Windows server sites. This service is used for mail-based replication between sites. AD DS includes support for replication between sites through SMTP over IP transport. SMTP support is provided by the SMTP service, which is a component of IIS.

The set of transports that are used for communication between sites must be extensible. Therefore, each transport is defined in a separate add-in dynamic link library (DLL) file. These add-in DLL files are loaded into the Intersite Messaging service, which runs on all domain controllers that can perform communication between sites. The Intersite Messaging service directs send-and-receive requests to the appropriate transport add-in DLL files, which then route the messages to the Intersite Messaging service on the destination computer.

If the Intersite Messaging service stops, messages are not exchanged, intersite messaging replication does not work, and site-routing information is not calculated for other services. This service is installed by default on Windows Server 2008–based computers, but it is disabled until the server is promoted to the domain controller role. When started in its default configuration it will log on using the Local System account.

The Intersite Messaging service is dependent on the following system components:

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

IP Helper

The IP Helper (iphlpsvc) service offers Internet Protocol version 6 (IPv6) connectivity over an Internet Protocol version 4 (IPv4) network. IPv6 solves many IPv4 problems with regard to address depletion, security, autoconfiguration, and extensibility. This service allows IPv6-enabled sites and hosts to communicate through IPv6 over an IPv4 infrastructure—for example, the Internet. This is often referred to as "6to4." IPv6 sites and hosts can use their 6to4 address prefix and the Internet to communicate. They do not need to obtain an IPv6 global address prefix from an Internet service provider (ISP) and to connect to the IPv6-enabled portion of the Internet.

6to4 is a tunneling technique that is described in RFC 3056. The 6to4 hosts do not require any manual configuration and use standard autoconfiguration to create 6to4 addresses. The 6to4 technique uses the global address prefix of 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the colon-hexadecimal representation of a public IPv4 address (w.x.y.z) that is assigned to a site or host, also known as the Next Level Aggregator (NLA) portion of a 6to4 address.

The IP Helper service also supports 6over4, also known as IPv4 multicast tunneling, a technique that is described in RFC 2529. The 6over4 technique allows IPv6 and IPv4 nodes to communicate through IPv6 over an IPv4 infrastructure. It uses the IPv4 infrastructure as a multicast-capable link. For 6over4 to work correctly, the IPv4 infrastructure must be IPv4 multicast-enabled.

If the IP Helper service stops, the computer only has IPv6 connectivity if it is connected to a native IPv6 network.

This service is installed by default and its startup type is Automatic. When started in the default configuration it will log on using the Local System account.

The IP Helper service is dependent upon the following system components:

  • NetIO Legacy TDI Support Driver

  • TCP/IP Protocol Driver

  • Network Store Interface Service

  • NSI proxy service driver

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Windows Management Instrumentation

IPsec Policy Agent

The IPsec Policy Agent (PolicyAgent) service provides end-to-end security between clients and servers on TCP/IP networks, manages IPsec policy, starts IKE, and coordinates IPsec policy settings with the IP security driver. The service is controlled by using the NET START or NET STOP command.

IPsec operates at the IP layer and is transparent to other operating system services and applications. The service provides packet filtering, and can negotiate security between computers on IP networks. You can configure IPsec to provide:

  • Packet filtering with actions to permit, block, or negotiate security.

  • Negotiated trust and encrypted IP communication. The IKE protocol mutually authenticates the sender and receiver of IP data packets based on policy settings. Authentication can use the Kerberos V5 authentication protocol, digital certificates, or a shared secret key (password). IKE automatically generates cryptographic keys and IPsec security associations.

  • Protection of IP packets with IPsec formats that provide cryptographic integrity, authenticity, and (optionally) encryption of IP packets.

  • End-to-end IPsec transport protection of traffic between servers and other systems that support Layer Two Tunneling Protocol (L2TP) VPN connections.

  • IPsec tunnel mode to improve the security for interoperability with gateways or other systems that do not support L2TP or point-to-point protocol (PPTP) VPN site-to-site connections.

If the IPsec Policy Agent service stops, TCP/IP security between clients and servers on the network is impaired. This service is installed and its startup type is Manual by default on computers running Windows Server 2008 R2 or Windows 7. When started in the default configuration it will log on using the Network Service account.

The IPsec Policy Agent service is dependent upon the following system components:

  • Base Filtering Engine

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • TCP/IP Protocol Driver

KtmRm for Distributed Transaction Coordinator

The KtmRm for Distributed Transaction Coordinator (KtmRm) service coordinates transaction between the Microsoft Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM). This service supports the Kernel Transaction Manager (KTM) feature in Windows 7 and Windows Server 2008 R2. The KTM enables the development of applications that use transactions. The transaction engine itself is within the kernel, but transactions can be developed for kernel-mode or user-mode transactions, and within a single host or among distributed hosts.

The KTM implements Transactional NTFS (TxF) and Transactional Registry (TxR). TxF allows transacted file system operations within the NTFS file system. TxR allows transacted registry operations. KTM enables client applications to coordinate file system and registry operations with a transaction that results in better error recovery during data transfer and in the event of system failure.

This service is installed by default and its startup type is Manual. When started in the default configuration it will log on using the Network Service account.

The KtmRm service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Security Accounts Manager

The Link-Layer Topology Discovery Mapper (lltdsvc) service creates a network map, consisting of computer and device topology (connectivity) information, and metadata describing each computer and device. If this service is disabled, the network map does not function properly.

This service is installed by default and its startup type is Manual. When started in the default configuration it will log on using the Local Service account.

The Link-Layer Topology Discovery Mapper service is dependent upon the following system components:

  • Link-Layer Topology Discovery Mapper I/O Driver

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

LPD Service

The LPD Service (LPDSVC) enables client computers to print to the Line Printer Daemon (LPD) service on this server using TCP/IP and the Line Printer Remote (LPR) protocol. This service is part of the Print and Documents Services feature of the operating system.

This service is not installed by default. It can be added using the Turn Windows Features on or off option in the Control Panel. Once installed, its default startup type is Manual and it logs on using the Local System account.

The LPD Service is dependent upon the following system components:

  • Print Spooler

  • HTTP

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • TCP/IP Protocol Driver

Media Center Extender Service

The Media Center Extender Service (Mcx2Svc) allows Media Center Extenders to locate and connect to the computer. This service is available on Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise. It is not available on Windows 7 Starter or Windows 7 Home Basic.

This service is installed by default and its startup type is Disabled.When started in the default configuration it will log on using the Local Service account.

The Media Center Extender Service is dependent upon the following system components:

  • Function Discovery Provider Host

  • HTTP

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • PnP-X IP Bus Enumerator

  • Remote Desktop Services

  • Terminal Device Driver

  • SSDP Discovery

Message Queuing

The Message Queuing (MSMQ) service is a messaging infrastructure and development tool that creates distributed messaging applications for Windows. Such applications can communicate across heterogeneous networks and send messages between computers that may be temporarily unable to connect to each other. This service provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It also supports the ability to send messages within transactions, and it provides both Microsoft Win32® and COM APIs for all programmatic functionality, including administration and management.

For remote reading, Message Queuing 4.0 uses encrypted RPC by default. In situations where encrypted RPC cannot be used, (for example, where a workgroup computer is part of the remote read process), the message is passed to the remote computer as plaintext and message security is not guaranteed. A plaintext message that has reached its destination queue can be read only by users that have the necessary access rights to read messages from the queue.

We recommend that you enable your Message Queuing 4.0 server to use only secured remote reading mode. In secured remote reading mode, your computer only listens on the secure remote read interface, and not on the nonsecure remote read interface. The effect of this is that only Message Queuing 4.0 and 3.0 servers on Windows Server 2003–based computers or later can remotely receive messages from queues on your computer, and remote reads from MSMQ 1.0 clients, MSMQ 2.0 clients, and Message Queuing 3.0 clients running on Windows XP–based computers are not supported. For information about enabling your server to use only the new secured mode, see Enable Secured Remote Read (https://go.microsoft.com/fwlink/?LinkID=105681).

If the Message Queuing service stops, distributed messages are unavailable. If you disable this service, any services that explicitly depend on it do not start. Also, COM+ Queued Component (QC) functionality, some functionality of Windows Management Instrumentation (WMI), and the Message Queuing Triggers service are affected.

Message Queuing is an optional feature of Windows 7 and Windows Server 2008 R2. It is not installed or enabled by default. It can be added through the Turn Windows Features on or off dialog box in the Programs area of Control Panel. When installed its default startup type is Automatic and it will log on using the Network Service account.

The Message Queuing service is dependent upon the following system components:

  • Message Queuing Access Control

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Windows Event Log

The following services are dependent upon the Message Queuing Service:

  • Message Queuing Triggers

  • Net.Msmq Listener Adapter

Message Queuing Triggers

The Message Queuing Triggers (MSMQTriggers) service provides a rule-based system to monitor messages that arrive in a Message Queuing service queue and, when the conditions of a rule are satisfied, invoke a COM component or a stand-alone executable program to process the message.

The Message Queuing Triggers service is installed as part of the Message Queuing service on Windows Server 2008 R2. In Windows 7, the Message Queuing Triggers feature must be installed through the Turn Windows Features on or off dialog box in the Programs area of Control Panel.

If the Message Queuing Triggers service stops, you cannot apply rule-based monitoring or invoke programs to process messages automatically.

Microsoft .NET Framework NGEN

This service supports the Microsoft .NET Framework Native Image Generator (NGEN) feature of the .NET Framework Common-Language Runtime. It is used to create platform-specific, optimized versions of .NET Framework applications that have faster performance than applications that have to be compiled by the just-in-time compiler before they can be run.

The service runs either in low priority for important compilations or in idle priority for non-important compilations. After all optimizations that are in the queue are completed, the service shuts down.

This service is installed by default, and the service startup type is Manual.

Microsoft FTP Service

Enables this server to be a File Transfer Protocol (FTP) server. If this service is stopped, the server cannot function as an FTP server. If this service is disabled, any services that explicitly depend on it will fail to start. This service is not installed by default. When installed, the default service startup type is Automatic and it will logon using the Local System account.

The Microsoft FTP service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Microsoft Software Shadow Copy Provider

The Microsoft Software Shadow Copy Provider service manages software-based shadow copies that are taken by the Volume Shadow Copy Service. A shadow copy is a snapshot copy of a disk volume that represents a consistent read-only point in time for that volume. This point-in-time snapshot then stays constant and allows an application, such as backup software, to copy data from the shadow copy to tape.

There are two general classes of shadow copies:

  • Hardware. A hardware shadow copy is a mirror of two or more disks that are split into separate volumes. One of the two volumes remains the working set, and the other one can be mounted separately.

  • Software. A software shadow copy uses a copy-on-write scheme to copy all sectors of a volume that change over time into a differential area on disk. When the shadow copy is mounted, all unchanged sectors are read from the original volume and all sectors that have changed are read from the differential area.

Shadow copies can resolve three classic data backup challenges:

  • The need to back up files that were opened for exclusive access. Backup of an open file is a challenge because it is likely in a state of change. Without a shadow copy or a way to suspend the application, backups often become corrupted.

  • The need to maintain a computer's availability during the shadow copy.

  • Use of the same communications channels as snapshots to facilitate information transfer between application and backup tools.

If the Microsoft Software Shadow Copy Provider service stops, software-based volume shadow copies cannot be managed, which could cause Windows Backup to fail.

This service is installed by default. The default service startup type is Manual and it will logon using the Local System account.

The Microsoft Software Shadow Copy Provider service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Microsoft iSCSI Initiator Service

This service manages Internet Small Computer System Interface (iSCSI) sessions from a computer to remote iSCSI target devices. If this service is stopped, the computer cannot log on or access iSCSI targets. If this service is disabled, any services that explicitly depend on it fail to start.

You can use iSCSI to connect storage devices over a network (LAN, WAN, or the Internet) by using TCP/IP; iSCSI devices can be disks, tapes, CDs, or other storage devices on network connected systems. The technology is often associated with storage area networks.

The Microsoft iSCSI Initiator Service ensures all volumes and devices listed as "favorite targets" are available to the computer. The iSCSI Initiator properties are configured from the Administrative Tools Control Panel. To use an Internet storage device, you must unblock the appropriate firewall ports.

The IP network used by iSCSI does not include a default security mechanism. Because iSCSI is a plaintext protocol, iSCSI presents an attack surface that should be secured if you decide to use this service. To help secure IP packets (the data stream), you can use the challenge-handshake authentication protocol (CHAP), IPsec, or both.

CHAP verifies the identity of iSCSI host systems that are attempting to access storage targets. CHAP has known vulnerabilities and should not be relied upon as the only security method.

IPsec is a standards-based means of aiding the secure transfer of information across IP networks through the use of authentication and encryption that guards against both active and passive attacks.

This service is installed by default and the service startup type is Manual.

This service is not dependent on any other system service, nor is any service dependent on it.

Multimedia Class Scheduler

The Multimedia Class Scheduler (MMCSS) service enables relative prioritization of work based on systemwide task priorities. This is intended mainly for multimedia applications. If this service is stopped, individual tasks return to their default priority.

Users expect multimedia applications to offer a smooth playback experience. If the playback has pauses or jerky movements, the user tends to be dissatisfied with the experience and does not use that content delivery method. While early versions of media players suffered from lack of bandwidth, the issue that is encountered more commonly now is lack of CPU processing time. Demand for the CPU processing time by other concurrently running applications, like antivirus programs, content indexing, or even the mail client, can interfere with media rendering and playback.

To provide a better playback experience the operating system provides MMCSS to manage the CPU priorities of multimedia threads. An application registers with MMCSS using APIs that indicate its multimedia characteristics, which must match one of those listed by name under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Multimedia\SystemProfile\Tasks

The task keys are:

  • Audio

  • Capture

  • Distribution

  • Games

  • Playback

  • Pro Audio

  • Window Manager

The various task keys specify how much preference threads associated with different multimedia types get for CPU and graphics processor resources.

MMCSS, which is implemented in %systemroot%\System32\Mmcss.dll and runs in a Service Host (Svchost.exe) process, has a priority-management thread that runs at priority 27. (Thread priorities in Windows range from 0 to 31.) This thread boosts the priority of registered multimedia threads into the range associated with the Scheduling Category value of their task's registry key; those with a Scheduling Category of High have a priority between 23 and 26, those with a Scheduling Priority of Medium have a priority between 16 and 23. In Windows, thread priorities 16 and higher are in the real-time priority range and higher than all other threads on a system (with the exception of the kernel's Memory Manager worker threads, which run at priorities 28 and 29). Only administrative accounts, like the Local System account in which MMCSS runs, have the Increase Priority privilege that is required to set real-time thread priorities.

MMCSS also ensures that other concurrently running threads get an adequate portion of CPU time so that the system and other applications remain responsive. Therefore, MMCSS reserves 20 percent of CPU time for other activity.

This service is installed by default and its startup type is Automatic.When started in the default configuration it will log on using the Local System account.

The following component is dependent upon the Multimedia Class Scheduler service:

  • Windows Audio

Microsoft Fibre Channel Platform Registration Service

The Microsoft Fibre Channel Platform Registration Service (FCRegSvc) registers the platform with all available Fibre Channel fabrics and maintains the registrations. A fabric is a network topology where devices are connected to each other through one or more high-efficiency data paths. This service is used in support of storage area networks.

This service is installed by default on Windows Server 2008 R2, and the service startup type is Manual.

Net.Msmq Listener Adapter

The Net.Msmq Listener Adapter (NetMsmqActivator) service receives activation requests over the net.msmq and msmq.formatname protocols and passes them to the Windows Process Activation Service. This service is not installed by default. It can be added using the Turn Windows Features on or off option in the Control Panel. Once installed, its default startup type is Automatic and it logs on using the Network Service account.

The Net.Msmq Listener Adapter service is dependent upon the following system components:

  • Message Queuing

  • Message Queuing Access Control

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Windows Event Log

  • Windows Process Activation Service

Net.Pipe Listener Adapter

The Net.Pipe Listener Adapter (NetPipeActivator) service receives activation requests over the net.pipe protocol and passes them to the Windows Process Activation Service. This service is not installed by default. It can be added using the Turn Windows Features on or off option in the Control Panel. Once installed, its default startup type is Automatic and it logs on using the Local Service account.

The Net.Pipe Listener Adapter service is dependent upon the following system components:

  • Windows Process Activation Service

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Net.Tcp Listener Adapter

The Net.Tcp Listener Adapter (NetTcpActivator) receives activation requests over the net.tcp protocol and passes them to the Windows Process Activation Service. This service is not installed by default. It can be added using the Turn Windows Features on or off option in the Control Panel. Once installed, its default startup type is Automatic and it logs on using the Local Service account.

The Net.Tcp Listener Adapter service is dependent upon the following system components:

  • Net.Tcp Port Sharing Service

  • Windows Process Activation Service

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Net.Tcp Port Sharing Service

The Net.Tcp Port Sharing Service (NetTcpPortSharing) provides the ability for multiple user processes to share TCP ports over the net.tcp protocol. This service allows a net.tcp port to be shared and secured in a similar fashion as port 80 is for HTTP traffic.

The Net.Tcp Port Sharing Service is available on all operating systems that support .NET Framework 3.0, but the service is not enabled by default. As a security precaution, an administrator must manually enable the Net.Tcp Port Sharing Service prior to first use. Although the Net.Tcp Port Sharing Service does provide a layer of processing between applications and the network, applications that use port sharing should still be secured as if they were listening on the network directly. Specifically, applications that use port sharing should evaluate the process privileges under which they run. When possible, run your application using the built-in Network Service account, which runs with the minimal set of process privileges required for network communication.

The Net.Tcp Port Sharing Service is included by default with Windows 7. It is available for installation as role service for the Application Server role on Windows Server 2008 R2.

The Net.Tcp Port Sharing Service is not dependent upon any other system components.

The following system component is dependent upon the Net.Tcp Port Sharing Service:

  • Net.Tcp Listener Adapter

Netlogon

The Netlogon service maintains an encrypted channel between your computer and the domain controller that it uses to authenticate users and services. It passes user credentials through the encrypted channel to a domain controller and returns the domain security identifiers and user rights for the user, which is commonly referred to as pass-through authentication. The service is installed by default and its startup type is Manual. After the computer joins a domain, the service starts automatically. When started it logs on using the Local System account.

If the Netlogon service stops, the computer may not authenticate users and services and the domain controller cannot register DNS records. If this happens, the domain controller may deny NTLM authentication requests, and client computers cannot discover domain controllers.

The Netlogon service is dependent upon the following system components:

  • Workstation

  • Browser Support Driver

  • Network Store Interface Service

  • NSI proxy service driver

  • SMB 1.x MiniRedirector

  • SMB MiniRedirector Wrapper and Engine

  • Redirected Buffering Sub System

  • Mup

  • SMB 2.0 MiniRedirector

Network Access Protection Agent

The Network Access Protection Agent (napagent) service enables NAP functionality on client computers. Enabling the NAP client agent makes it possible for clients that support NAP to evaluate clients that connect to your network for compliance with organizational software security policies such as mandatory updates, antivirus, signatures, and firewall configurations.

By default this service startup type is Manual. If you have a NAP infrastructure in place, this service startup type is Automatic. When started it logs on using the Network Service account.

The Network Access Protection Agent service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Network Connections

The Network Connections (Netman) service is installed by default on computers running Windows Server 2008 R2 or Windows 7. This service manages objects in the Network Connections folder, from which you can view both network and remote connections. This service is responsible for client network configuration and displays connection status in the notification area on the taskbar. You may also view and configure network interface settings through this service.

The Network Connections service starts automatically when the startup type is Manual and the Network Connections interface is invoked. If this service stops, client-side configuration of LAN, dial-up, and VPN connections are unavailable. If you disable this service, the following might result:

  • Network connection status indicator in the system tray will not display correctly.

  • Connections do not display in the Network Connections folder, which prevents dial-out access and configuration of LAN settings.

  • Other services that use Network Connections to check for Network Location-specific Group Policy settings do not function properly.

  • Events that pertain to media connects and disconnects are not received.

  • Internet connection sharing does not function correctly.

  • The ability to configure incoming connections, wireless settings, or your home network is unavailable.

  • New connections are not created.

  • Any services that explicitly depend on this service do not start.

    The Network Connections service is dependent upon the following system components

    • Network Store Interface Service

    • NSI proxy service driver

    • Remote Procedure Call (RPC)

    • DCOM Server Process Launcher

    • RPC Endpoint Mapper

The following system component is dependent upon the Network Connections service:

  • Internet Connection Sharing (ICS)

Network List Service

The Network List Service (netprofm) identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change. This service, along with the Network Location Awareness service, enables the display of the status of network connections in the notification area. The service is part of the Network Diagnostics Framework.

This service startup type is Manual. When started in its default configuration it logs on using the Local Service account.

The Network List Service is dependent upon the following system components:

  • Network Location Awareness

  • Network Store Interface Service

  • NSI proxy service driver

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • TCP/IP Protocol Driver

The following system component is dependent upon the Network List Service:

  • HomeGroup Provider

Network Location Awareness

The Network Location Awareness (NlaSvc) service collects and stores network configuration information, such as IP address and domain name changes, as well as location change information. The service notifies compatible applications when this information changes so that they can reconfigure themselves to use the current network connection.

The Network Location Awareness service is a default service on Windows 7 and Windows Server 2008 R2. Its service startup type is Automatic and it logs on using the Network Service account. Even if you configure this service with a startup type of Manual, it is started usually by dependent services. If this service stops, network location awareness functionality is not available.

The Network Location Awareness service is dependent upon the following system components:

  • Network Store Interface Service

  • NSI proxy service driver

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • TCP/IP Protocol Driver

The following system components are dependent upon the Network Location Awareness service:

  • Network List Service

  • HomeGroup Provider

  • WWAN AutoConfig

Network Store Interface Service

The Network Store Interface Service (nsi) delivers network notification to user mode clients. The service keeps track of the network interfaces available on the computer, stores routing information for each, and communicates this information with other services that require it. Stopping this service causes loss of network connectivity.

The Network Store Interface service is installed by default and its startup type is Automatic. When started in its default configuration it logs on using the Local Service account.

The Network Store Interface service is dependent upon the following system component:

  • NSI proxy service driver

The following system components are dependent upon the Network Store Interface service:

  • DHCP Client

  • WinHTTP Web Proxy Auto-Discovery Service

  • DNS Client

  • IP Helper

  • Network Connections

  • Internet Connection Sharing (ICS)

  • Network Location Awareness

  • Network List Service

  • HomeGroup Provider

  • WWAN Autoconfig

  • Workstation

  • Computer Browser

  • Netlogon

  • Remote Desktop Configuration

Offline Files

The Offline Files (CscService) service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches events to accounts or logs configured for receiving events related to Offline Files activities and changes in cache state.

The Offline Files service enables the user to designate particular network folders (and their subfolders) to be available offline. When the user is connected to the network, Offline Files service automatically synchronizes the folders to the local hard disk. When the computer disconnects from the network (in other words, to go "offline"), Offline Files service provides access to the content from the locally cached copy. When the computer reconnects to the network, the service automatically synchronizes any changes made offline with the online version and updates the offline versions with more recently made online versions.

We recommend that you use Encrypting File System (EFS) to encrypt the Offline Files cache so that the files in the cache can only be accessed by the user on whose behalf it is cached.

The Offline Files service is not available on computers running Windows 7 Starter, Windows 7 Home Basic, or Windows 7 Home Premium operating systems. It is installed by default and configured for an automatic start on computers running Windows 7 Professional, Windows 7 Ultimate, or Windows 7 Enterprise operating systems. The Offline Files service logs on using the Local System account by default.

The Offline Files service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Parental Controls

The Parental Controls (WPCSvc) service is provided for backwards compatibility with Vista parental controls. If you did not use Vista parental controls this service is not used and can be disabled.

This service is installed by default and its startup type is Manual. When started in its default configuration it will log on using the Local Service account.

The Parental Controls service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Peer Name Resolution Protocol

The Peer Name Resolution Protocol (PNRPsvc) service enables serverless peer name resolution over the Internet. If disabled, some peer-to-peer and collaborative applications may not function. This protocol enables the naming of computers and services without reliance on a DNS server. This allows for flexible, informal, temporary networks of nearby computers for collaboration, data sharing, and data storage.

Security in peer-to-peer networks is difficult to establish. If computers in your organization are allowed to connect to peer-to-peer networks, a security policy about the types of information shared and the types of peer-to-peer networks that are compliant with your policy should be explicitly designed and communicated to your users to enable them to make decisions about which peer-to-peer networks they can trust.

A trusted peer-to-peer network should be one that meets the industry standard for establishing trust:

  • The network uses a trusted authentication method to identify itself and its users. Your security policy should identify which form of authentication is the minimally acceptable method.

  • The network supports different authorization levels to allow for control over who you share information with by using the network.

  • The network supports encrypted data transmission so that when you collaborate by using this network, your information is not as susceptible to capture by unauthorized users. It should also provide some form of data-integrity checking such as digital signatures to ensure that the data was not modified in transit.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local Service account.

The Peer Name Resolution Protocol service is dependent upon the following system component:

  • Peer Networking Identity Manager

The following system components are dependent upon the Peer Name Resolution Protocol service:

  • Peer Networking Grouping

  • PNRP Machine Name Publication Service

Peer Networking Grouping

The Peer Networking Grouping (p2psvc) service supports peer "grouping," which is a technology that allows a developer to create a private peer-to-peer network. Administrators create the groups and invite members to join after verifying their credentials. Each member has a specific certificate, which is called a Group Member Certificate (GMC). The GMC ensures that all records exchanged between peers are digitally signed. The public key of a peer is contained in the structures that are passed as part of the communication between peers. The groups are opened and closed by the administrator as needed. This service supports the HomeGroup feature in Windows 7.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local Service account

The Peer Networking Grouping service is dependent upon the following system components:

  • Peer Name Resolution Protocol

  • Peer Networking Identity Manager

Peer Networking Identity Manager

The Peer Networking Identity Manager (p2pimsvc) service provides the identity service for Peer Networking. It allows for the creation, enumeration, and manipulation of peer identities in a peer-to-peer application. An individual user can have several different peer identities. This service supports the HomeGroup feature in Windows 7.

This service is installed by default and its startup type is Manual. When started in its default configuration it will log on using the Local Service account.

The Peer Networking Identity Manager service is not dependent upon any other system component.

The following system components are dependent upon the Peer Networking Identity Manager service:

  • Peer Name Resolution Protocol

  • Peer Networking Grouping

  • PNRP Machine Name Publication Service

Performance Counter DLL Host

The Performance Counter DLL Host (PerfHost) service enables remote users and 64-bit processes to query performance counters provided by 32-bit DLLs. If this service is stopped, only local users and 32-bit processes will be able to query performance counters provided by 32-bit DLLs.

This service is installed by default on computers running Windows 7 64-bit and its startup type is Manual. When started in its default configuration it will log on using the Local Service account.

The Performance Counter DLL Host service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Performance Logs & Alerts

The Performance Logs & Alerts (pla) service collects performance data from local or remote computers based on preconfigured schedule parameters, and then writes the data to a log or triggers an alert. This service starts and stops each named performance data collection based on the information that is contained in the named log collection setting. This service only runs if at least one collection is scheduled.

If the Performance Logs & Alerts service stops or if you disable it, performance information is not collected. Also, any data collections that are currently active terminate, and future scheduled collections will not occur.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local Service account.

The Performance Logs & Alerts service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Plug and Play

The Plug and Play (PlugPlay) service enables a computer to recognize and adapt to hardware changes with little or no user input. This service enables you to add or remove devices without any detailed knowledge of your computer hardware, and you do not need to manually configure the hardware or the operating system. For example, you can plug in a USB keyboard, and the Plug and Play service detects the new device, finds a driver for it, and installs it. Or you can dock a portable computer and use the docking station's Ethernet card to connect to the network; you do not need to change any configuration settings. Later, you can undock the same computer and use a modem to connect to the network—again, without any manual configuration changes.

The Plug and Play service is installed by default and the service startup type is Automatic on Windows Server 2008 and Windows 7. You cannot stop or disable the service through the Services snap-in console because of the impact on operating system stability. If this service stops, the Device Manager interface appears blank and no hardware devices are displayed.

The Plug and Play service is not dependent upon any other system components.

The following system components are dependent upon the Plug and Play service:

  • Fax

  • Smart Card

  • Tablet PC Input Service

  • Telephony

  • Remote Access Auto Connection Manager

  • Remote Access Connection Manager

  • Internet Connection Sharing (ICS)

  • Routing and Remote Access

  • Virtual Disk

  • Windows Audio Endpoint Builder

  • Windows Audio

  • Windows Driver Foundation – User-mode Driver Framework

  • Windows Biometric Service

  • WWAN Autoconfig

PnP-X IP Bus Enumerator

The PnP-X IP Bus Enumerator (IPBusEnum) service manages the virtual network bus. It discovers network-connected devices by using SSDP or the WS-Discovery protocol and gives them presence in Plug and Play. If this service is stopped or disabled, presence of network-connected devices is not maintained in Plug and Play and all Plug and Play–based scenarios stop functioning.

The PnP-X IP Bus Enumerator service is installed, and the service startup type is Manual in Windows 7. On Windows Server 2008 R2, the service is installed but disabled. When started in its default configuration, it logs on using the Local System account.

The PnP-X IP Bus Enumerator service is dependent upon the following system components:

  • Function Discovery Provider Host

  • HTTP

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system component is dependent upon the PnP-X IP Bus Enumerator service:

  • Media Center Extender Service

PNRP Machine Name Publication Service

The PNRP Machine Name Publication Service (PNRPAutoReg) publishes a computer name by using the Peer Name Resolution Protocol (PNRP). You can publish the computer name as a secured or unsecured peer name. The peer name configuration is managed by means of the netsh command p2p pnrp peer.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local Service account.

The PNRP Machine Name Publication Service is dependent upon the following system components:

  • Peer Name Resolution Protocol

  • Peer Networking Identity Manager

Portable Device Enumerator Service

The Portable Device Enumerator Service (WPDBusEnum) enforces Group Policy settings for removable mass-storage devices. It enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content by using removable mass-storage devices. This service enables you to specify which portable storage devices are allowed to be connected to systems that are managed with Group Policy.

This service startup type is Manual on Windows 7 and Manual on Windows Server 2008 R2. When started in its default configuration it logs on using the Local System account.

The Portable Device Enumerator Service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Power

The Power service manages power policy and power policy notification delivery.

This service startup type is Automatic on Windows 7 and Manual on Windows Server 2008 R2. When started in its default configuration it logs on using the Local System account.

This service is not dependent on any other system service, nor is any service dependent on it.

The Print Spooler (Spooler) service manages all local and network print queues and controls all print jobs. The print spooler communicates with printer drivers and input/output (I/O) components, such as the USB port and the TCP/IP protocol suite, and is the center of the Windows printing subsystem. It is installed and activated by default on computers running Windows 7 or Windows Server 2008.

If the Print Spooler service stops, you cannot print or send faxes from your local computer. When the Print Spooler service stops on a server that runs Remote Desktop Services, the Easy Print feature will not work correctly.

Also, the Printer Pruner feature of AD DS relies on the Print Spooler service. For the Printer Pruner to operate across the organization and allow orphaned queues to be scavenged on an unmanaged basis, every site in the organization must have at least one domain controller that runs the Print Spooler service. If you configure this service to Disabled or Manual, it does not automatically start when print jobs are submitted.

The Print Spooler service is installed by default and its startup type is Automatic. When started in its default configuration it will log on using the Local System account and is allowed to interact with the desktop.

The Print Spooler service is dependent upon the following system components:

  • HTTP

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system components are dependent upon the Print Spooler service:

  • Fax

  • LPD Service

Problem Reports and Solutions Control Panel Support

The Problem Reports and Solutions Control Panel Support (wercplsupport) service provides support for viewing, sending, and deleting system-level problem reports for the Problem Reports and Solutions control panel. This service is part of the Windows Diagnostic Infrastructure.

This service is installed by default and its startup type is Manual. When started it logs on using the Local System account.

This service is not dependent on any other system service, nor is any service dependent on it.

Program Compatibility Assistant Service

The Program Compatibility Assistant Service (PcaSvc) provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant does not function properly. The Program Compatibility Assistant Service attempts to find software and driver updates that improve the compatibility of applications with Windows 7 and make changes to the computer's configuration so that the program runs better. The Program Compatibility Assistant runs automatically when it detects that an older program is attempting to run in Windows 7 and is encountering problems.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local System account.

The Program Compatibility Assistant Service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Protected Storage

The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. The service provides a set of software libraries that allow applications to retrieve security and other information from personal storage locations as it hides the implementation and details of the storage itself.

The storage location that is provided by this service is protected from modification. The Protected Storage service uses the Hash-Based Message Authentication Code (HMAC) and the Secure Hash Algorithm 1 (SHA1) cryptographic hash function to encrypt the user's master key. This component requires no configuration.

If the Protected Storage service stops, private keys are inaccessible, the Certificate Services service does not operate, Secure/Multipurpose Internet Mail Extensions (S/MIME) and SSL do not work, and smart card logon fails.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local System account.

The Protected Storage service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Quality Windows Audio Video Experience

Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks. The qWave platform enhances AV streaming performance and reliability by ensuring network Quality of Service (QoS) for AV applications. It provides mechanisms for admission control, run-time monitoring and enforcement, application feedback, and traffic prioritization. The qWave platform provides the functionality for socket-based applications to gather in-depth, real-time information of a variable bandwidth network, allowing it to dynamically adapt to changing network conditions. It also allows applications to prioritize packets in order to make better use of the available bandwidth.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local Service account.

The Quality Windows Audio Video Experience service is dependent upon the following system components:

  • Link-Layer Topology Discovery Mapper I/O Driver

  • QoS Packet Scheduler

  • QWAVE driver

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Remote Access Auto Connection Manager

The Remote Access Auto Connection Manager (RasAuto) service detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. When a program fails in an attempt to reference a remote DNS or NetBIOS name or address or when network access is unavailable, the service displays a dialog box that allows you to make a dial-up or VPN connection to the remote computer.

The Remote Access Auto Connection Manager service maintains a local database of connections that were previously used to reach named computers or shares. When the service detects an unsuccessful attempt to reach a remote computer or shared folder, it offers to dial the connection that was last used to reach this remote device. It is started automatically on an as-needed basis. If you disable the Remote Access Auto Connection Manager service, you must manually establish connections to remote computers when you want to access them.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local System account.

The Remote Access Auto Connection Manager service is dependent on the following system components:

  • Remote Access Auto Connection Driver

  • Remote Access Connection Manager

  • Secure Socket Tunneling Protocol Service

  • Telephony

  • Plug and Play

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Remote Access Connection Manager

The Remote Access Connection Manager (RasMan) service manages dial-up and VPN connections from your computer to the Internet or other remote networks. When you double-click a connection in the Network Connections folder and then click the Connect button, the Remote Access Connection Manager service either dials the connection or sends a VPN connection request and handles subsequent negotiations with the remote access server to set up the connection.

The Remote Access Connection Manager service unloads itself when no requests are pending. The Network Connections folder calls this service to enumerate the set of connections and to display the status of each one.

If the Remote Access Connection Manager service stops or if you disable it, your computer cannot make dial-up or VPN connections to a remote network or accept inbound connection requests. Also, the Network Connections folder does not display any VPN or dial-up connections, and the Internet Options Control Panel does not allow the user to configure any options that pertain to dial-up or VPN connections.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local System account.

The Remote Access Connection Manager service is dependent upon the following system components:

  • Secure Socket Tunneling Protocol Service

  • Telephony

  • Plug and Play

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system components are dependent upon the Remote Access Connection Manager service:

  • Internet Connection Sharing (ICS)

  • Remote Access Auto Connection Manager

  • Routing and Remote Access

Remote Desktop Configuration

The Remote Desktop Configuration service (SessionEnv) is responsible for all Remote Desktop Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, remote desktop themes, and remote desktop certificates.

This service is installed by default and it startup type is Manual. When started in its default configuration it logs on using the Local System account.

The Remote Desktop Configuration service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Workstation

  • Browser Support Driver

  • Network Store Interface Service

  • NSI proxy service driver

  • SMB 1.x MiniRedirector

  • SMB MiniRedirector Wrapper and Engine

  • Redirected Buffering Sub System

  • Mup

  • SMB 2.0 MiniRedirector

Remote Desktop Services

The Remote Desktop Services (TermService) service allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. To prevent remote use of this computer, clear the checkboxes on the Remote tab of the System properties control panel item.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local System account.

The Remote Desktop Services service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Terminal Device Driver

The following system components are dependent on the Remote Desktop Services service:

  • Media Center Extender Service

  • Remote Desktop Services UserMode Port Redirector

Remote Desktop Services UserMode Port Redirector

The Remote Desktop Services UserMode Port Redirector (UmRdpService) service allows the redirection of printers, drives, and ports for remote desktop sessions.

This service is installed by default with Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise as well as all versions of Windows Server 2008 R2. It is not available on Windows 7 Starter, Windows 7 Home Basic, or Windows 7 Home Premium. Its service startup type is Manual. When started in the default configuration it will log on using the Local System account.

The Remote Desktop Services UserMode Port Redirector service is dependent upon the following system components:

  • Remote Desktop Services

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Terminal Device Driver

  • Terminal Service Device Redirector Driver

  • Redirected Buffering Sub System

  • Mup

Remote Procedure Call (RPC)

The Remote Procedure Call (RPCSS) service is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. The different process can be on the same computer, on the local area network, or across the Internet. The Remote Procedure Call (RPC) service serves as the RPC endpoint mapper and COM Service Control Manager (SCM).

You cannot stop or disable the Remote Procedure Call (RPC) service. The service runs under the Network Service account. If this service is not available, the operating system does not load.

The Remote Procedure Call (RPC) service is dependent on the following system components:

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system components are dependent on the Remote Procedure Call (RPC) service:

  • ActiveX Installer

  • Application Identity

  • Application Information

  • Background Intelligent Transfer Service

  • Base Filtering Engine

  • Bluetooth Support Service

  • Certificate Propagation

  • CNG Key Isolation

  • COM+ Event System

  • COM+ System Application

  • Computer Browser

  • Credential Manager

  • Cryptographic Services

  • Disk Defragmenter

  • Distributed Link Tracking Client

  • Distributed Transaction Coordinator

  • Encrypting File System (EFS)

  • Extensible Authentication Protocol

  • Fax

  • Function Discovery Provider Host

  • Function Discovery Resource Publication

  • Group Policy Client

  • Health Key and Certificate Management

  • HomeGroup Listener

  • HomeGroup Provider

  • IIS Admin Service

  • IKE and AuthIP IPsec Keying Modules

  • Indexing Service

  • Internet Connection Sharing (ICS)

  • IP Helper

  • IPsec Policy Agent

  • KtmRm for Distributed Transaction Coordinator

  • Link-Layer Topology Discovery Mapper

  • LPD Service

  • Media Center Extender Service

  • Message Queuing

  • Message Queuing Triggers

  • Microsoft FTP Service

  • Microsoft Software Shadow Copy Provider

  • Net.Msmq Listener Adapter

  • Net.Pipe Listener Adapter

  • Net.Tcp Listener Adapter

  • Network Access Protection Agent

  • Network Connections

  • Network List Service

  • Network Location Awareness

  • Offline Files

  • Parental Controls

  • Performance Logs & Alerts

  • PnP-X IP Bus Enumerator

  • Portable Device Enumerator Service

  • Print Spooler

  • Program Compatibility Assistant Service

  • Protected Storage

  • Quality Windows Audio Video Experience

  • Remote Access Auto Connection Manager

  • Remote Access Connection Manager

  • Remote Desktop Configuration

  • Remote Desktop Services

  • Remote Desktop Services UserMode Port Redirector

  • Remote Registry

  • RIP Listener

  • Routing and Remote Access

  • Security Accounts Manager

  • Security Center

  • Server

  • Shell Hardware Detection

  • Smart Card Removal Policy

  • Software Protection

  • SPP Notification Service

  • Superfetch

  • System Event Notification Service

  • Tablet PC Input Service

  • Task Scheduler

  • Telephony

  • Telnet

  • User Profile Service

  • Virtual Disk

  • Volume Shadow Copy

  • Windows Audio

  • Windows Backup

  • Windows Biometric Service

  • Windows Color System

  • Windows Connect Now - Config Registrar

  • Windows Defender

  • Windows Firewall

  • Windows Image Acquisition (WIA)

  • Windows Installer

  • Windows Live Family Safety

  • Windows Management Instrumentation

  • Windows Media Center Scheduler Service

  • Windows Process Activation Service

  • Windows Remote Management (WS-Management)

  • Windows Search

  • Windows Update

  • Wired AutoConfig

  • WLAN AutoConfig

  • World Wide Web Publishing Service

  • WWAN AutoConfig

Remote Procedure Call (RPC) Locator

In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and later versions of Windows, this service does not provide any functionality and is present for application compatibility. The Remote Procedure Call (RPC) Locator service enables RPC clients that use the RpcNs* APIs to locate RPC servers.

By default, this service startup type is Manual.

If the Remote Procedure Call (RPC) Locator service stops or if you disable it, RPC clients that must locate RPC services on other computers cannot locate servers, or they may fail to start. RPC clients that rely on RpcNs* APIs from the same computer may not find RPC servers that support a given interface. If the service stops or if you disable it on a domain controller, RPC clients that use the RpcNs* APIs and the domain controller may experience interruption of service when they try to locate clients. RpcNs* APIs are not used internally in Windows; you must start this service only if non-Microsoft applications require this service.

This service is not dependent on any other system service, nor is any service dependent on it.

Remote Registry

The Remote Registry service enables remote users who have the appropriate permissions to modify registry settings on the domain controller. This service is installed and automatically run by default. However, the service's default configuration allows only members of the Administrators and Backup Operators groups to access the registry remotely. This service is required for the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA enables you to verify which patches are installed on each of the servers in your organization.

If the Remote Registry service stops, only the registry on the local computer can be modified. If you disable this service, any services that explicitly depend on the service cannot start, but registry operations on your local computer are not affected. However, other computers or devices cannot connect to your local computer's registry.

This service startup type is Automatic.

The Remote Registry service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

RIP Listener

The RIP Listener (iprip) service listens for route updates sent by routers that use the Routing Information Protocol (RIP).

RIP Listener is an optional networking component that you can install through the Turn Windows features on or off item of Control Panel. When installed its startup type is Automatic. When started, the RIP Listener service listens for RIP v1 and RIP v2 traffic and uses the received RIP messages to update its routing tables. It logs on using the Local Service account.

The RIP Listener service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Resultant Set of Policy Provider

The Resultant Set of Policy Provider service enables you to connect to a Windows Server 2008–based domain controller, access the WMI database for that computer, and simulate Resultant Set of Policy (RSoP) for Group Policy settings. The policy settings are determined for a user or computer that is located in AD DS. This simulation is commonly referred to as Planning mode.

The Resultant Set of Policy Provider service is installed by default on Windows Server 2008–based computers, but its startup type is Manual. If this service stops on a domain controller, RSoP Planning Mode simulation is unavailable on that domain controller. RSoP must run only on domain controllers; member servers and workstations do not need to run this service to use the feature.

The Resultant Set of Policy Provider service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Routing and Remote Access

The Routing and Remote Access (RemoteAccess) service provides multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. This service also provides dial-up and VPN remote access services. Your server can use this service to function as a remote access server, a VPN server, a gateway, or a branch-office router.

From a routing perspective, the Routing and Remote Access service supports the Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) routing protocols, and controls the routing tables for the TCP/IP stack-forwarding engine.

The Routing and Remote Access service is installed but disabled by default and must be explicitly enabled to support remote access scenarios. If you support remote access and this service stops, your computer cannot accept incoming RAS, VPN, or dial-on-demand connections, and routing protocols are not received or transmitted.

The Routing and Remote Access service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

RPC Endpoint Mapper

The RPC Endpoint Mapper (RpcEptMapper) service resolves RPC interfaces identifiers to transport endpoints. This service is installed by default and starts automatically.

You cannot stop or disable the RPC Endpoint Mapper service. The service runs under the Network Service account. If this service is not available, the operating system does not load.

The RPC Endpoint Mapper service is not dependent on any other system components.

The following system components are dependent on the RPC Endpoint Mapper service:

  • ActiveX Installer

  • Application Identity

  • Application Information

  • Background Intelligent Transfer Service

  • Base Filtering Engine

  • Bluetooth Support Service

  • Certificate Propagation

  • CNG Key Isolation

  • COM+ Event System

  • COM+ System Application

  • Computer Browser

  • Credential Manager

  • Cryptographic Services

  • Disk Defragmenter

  • Distributed Link Tracking Client

  • Distributed Transaction Coordinator

  • Encrypting File System (EFS)

  • Extensible Authentication Protocol

  • Fax

  • Function Discovery Provider Host

  • Function Discovery Resource Publication

  • Group Policy Client

  • Health Key and Certificate Management

  • HomeGroup Listener

  • HomeGroup Provider

  • IIS Admin Service

  • IKE and AuthIP IPsec Keying Modules

  • Indexing Service

  • Internet Connection Sharing (ICS)

  • IP Helper

  • IPsec Policy Agent

  • KtmRm for Distributed Transaction Coordinator

  • Link-Layer Topology Discovery Mapper

  • LPD Service

  • Media Center Extender Service

  • Message Queuing

  • Message Queuing Triggers

  • Microsoft FTP Service

  • Microsoft Software Shadow Copy Provider

  • Net.Msmq Listener Adapter

  • Net.Pipe Listener Adapter

  • Net.Tcp Listener Adapter

  • Network Access Protection Agent

  • Network Connections

  • Network List Service

  • Network Location Awareness

  • Offline Files

  • Parental Controls

  • Performance Logs & Alerts

  • PnP-X IP Bus Enumerator

  • Portable Device Enumerator Service

  • Print Spooler

  • Program Compatibility Assistant Service

  • Protected Storage

  • Quality Windows Audio Video Experience

  • Remote Access Auto Connection Manager

  • Remote Access Connection Manager

  • Remote Desktop Configuration

  • Remote Desktop Services

  • Remote Desktop Services UserMode Port Redirector

  • Remote Procedure Call (RPC)

  • Remote Registry

  • RIP Listener

  • Routing and Remote Access

  • Security Accounts Manager

  • Security Center

  • Server

  • Shell Hardware Detection

  • Smart Card Removal Policy

  • Software Protection

  • SPP Notification Service

  • Superfetch

  • System Event Notification Service

  • Tablet PC Input Service

  • Task Scheduler

  • Telephony

  • Telnet

  • User Profile Service

  • Virtual Disk

  • Volume Shadow Copy

  • Windows Audio

  • Windows Backup

  • Windows Biometric Service

  • Windows Color System

  • Windows Connect Now - Config Registrar

  • Windows Defender

  • Windows Firewall

  • Windows Image Acquisition (WIA)

  • Windows Installer

  • Windows Live Family Safety

  • Windows Management Instrumentation

  • Windows Media Center Scheduler Service

  • Windows Process Activation Service

  • Windows Remote Management (WS-Management)

  • Windows Search

  • Windows Update

  • Wired AutoConfig

  • WLAN AutoConfig

  • World Wide Web Publishing Service

  • WWAN AutoConfig

SeaPort

The SeaPort service enables the detection, download and installation of up-to-date configuration files for Microsoft Search Enhancement applications. Also provides server communication for the customer experience improvement program. If this service is disabled, search enhancement features such as search history may not work correctly.

This service is not installed by default. It is installed with Windows Live Essentials as an enhancement to the default Windows Search service. Once installed, it will be configured to start automatically. It logs on using the Local System account by default.

This service is not dependent on any other system service, nor is any service dependent on it.

Secondary Logon

The Secondary Logon (seclogon) service enables process to be started under alternate credentials. This allows a user to create processes in the context of different security principals. A common use of this service is by administrators who may log on as restricted users but must have administrative privileges to run a specific application. They can use a secondary logon to temporarily run such applications. This service is started when a program or application is started using the Run as different user option in the extended content menu.

The Secondary Logon service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local System account. If the service is disabled, this type of logon access is unavailable and any calls to the CreateProcessWithLogonW API fail.

This service is not dependent on any other system service, nor is any service dependent on it.

Secure Socket Tunneling Protocol Service

The Secure Socket Tunneling Protocol Service (SstpSvc) provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using virtual private networking (VPN). If this service is disabled, users will not be able to use SSTP to access remote servers.

The Secure Socket Tunneling Protocol Service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local Service account.

This Secure Socket Tunneling Protocol Service is not dependent on any other system service.

The following system components are dependent on the Secure Socket Tunneling Protocol Service.

  • Remote Access Connection Manager

  • Internet Connection Sharing

  • Remote Access Auto Connection Manager

  • Routing and Remote Access

Security Accounts Manager

The Security Accounts Manager (SamSs) service is a protected subsystem that manages user and group account information. The startup of the Security Accounts Manager service signals to other services that it is ready to accept requests.

The Security Accounts Manager service is installed by default and started automatically, and you cannot stop it. If you disable this service, other services in the computer may not start correctly. Do not disable this service. This service logs on using the Local System account.

The Security Accounts Manager service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system components are dependent upon the Security Accounts Manager service:

  • Distributed Transaction Coordinator

  • KtmRm for Distributed Transaction Coordinator

  • Server

  • Computer Browser

  • HomeGroup Listener

Security Center

The Security Center (wscsvc) service monitors and reports security health settings on the computer. The health settings include whether the firewall is turned on, the current status of the installed antivirus application, the current status of the installed antispyware application, the current Windows Update setting, whether User Account Control is turned on, and whether the recommended Internet settings are in use. The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service. The Action Center uses the service to provide alerts in the system tray and a graphical view of the security health states in the Action Center control panel. Network Access Protection (NAP) uses the service to report the security health states of clients to the NAP Network Policy Server to make network quarantine decisions. The service also has a public API that allows external consumers to programmatically retrieve the aggregated security health state of the system.

If you disable the Security Center service, the protected components continue to function in accordance with their specific configuration settings. However, no centralized monitor service is provided.

This service is configured for an automatic delayed start by default and logs on using the Local Service account.

The Security Center service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Windows Management Instrumentation

Server

The Server service provides RPC support, file printing, and named-pipe sharing over the network. It allows local resources to be shared, such as disks and printers, so that other users on the network can access them. It also allows named-pipe communication between applications that run on other computers and your computer, which is used to support RPC. Named-pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-acceptance process does not need to be local to the computer.

If the Server service stops or if you disable it, the computer cannot share local files and printers with other computers on the network, and it cannot satisfy remote RPC requests.

The Server service is installed by default and its startup type is Automatic. In its default configuration it logs on using the Local System account.

The Server service is dependent upon the following system components:

  • Security Accounts Manager

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Server SMB 1.xxx Driver

  • Server SMB 2.xxx Driver

The following system components are dependent on the Server service:

  1. Computer Browser

  2. HomeGroup Listener

Shell Hardware Detection

The Shell Hardware Detection (ShellHWDetection) service monitors and provides notification for AutoPlay hardware events. AutoPlay is a feature that detects content such as pictures, music, or video files on removable media and removable devices. AutoPlay then automatically starts applications to play or display that content, which simplifies the use of specialized peripheral devices such as MP3 players and digital photo readers. The service also makes it easier for users because they do not need to know beforehand what software applications are needed to access various content types.

AutoPlay supports a variety of media content types and applications. Both independent hardware vendors (IHVs) and independent software vendors (ISVs) can extend this support to include their hardware devices and applications. A user can configure a different AutoPlay action for any combination of pictures, music files, and video.

Media and device types that are supported by AutoPlay include:

  • Removable storage media

  • Flash media

  • PC cards

  • External hot-plug USB or 1394 fixed drives

  • Supported content types, which include:

    • Pictures (.jpg, .bmp, .gif, and .tif files)

    • Music files (.mp3 and .wma files)

    • Video (.mpg and .asf files)

The Shell Hardware Detection service is installed and runs automatically by default on Windows 7 and Windows Server 2008 R2. It logs on using the Local System account by default. If the service stops, the Hardware AutoPlay functionality does not work and shell performance is also affected.

The Shell Hardware Detection service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system component is dependent upon the Shell Hardware Detection Service:

  • Windows Image Acquisition (WIA)

Simple TCP/IP Services

The Simple TCP/IP Services (simptcp) service implements support for the following protocols and ports:

  • Echo, port 7, RFC 862

  • Discard, port 9, RFC 863

  • Character Generator, port 19, RFC 864

  • Daytime, port 13, RFC 867

  • Quote of the Day, port 17, RFC 865

When you enable Simple TCP/IP Services, all five protocols are enabled on all adapters. There is no ability to selectively enable specific services or enable the service on per-adapter basis.

If you stop or disable Simple TCP/IP Services, the rest of the operating system is unaffected. This service must be manually installed. Do not install this service unless you specifically need a computer to support communication with other computers that use the referenced protocols. When started in the default configuration it will log on using the Local Service account.

The Simple TCP/IP Services service is dependent upon the following system component:

  • Ancillary Function Driver for Winsock

Smart Card

The Smart Card (SCardSvr) service manages and controls access to a smart card that is inserted into a smart card reader, which is connected to your computer. The smart card subsystem is based on Personal Computer/Smart Card (PC/SC) Workgroup consortium standards (https://go.microsoft.com/fwlink/?LinkId=120309) and consists of the Resource Manager component, which manages access to readers and smart cards. To manage these resources, the Resource Manager performs the following functions:

  • Identifies and tracks resources.

  • Allocates readers and resources across multiple applications.

  • Supports transaction primitives to access services that are available on a given card.

The Resource Manager also exposes the WinSCard subset of the Win32 API to provide applications with access to a Card/Reader Selection user interface (UI). This component allows simple applications that work with smart cards to access a card and reader with minimum coding.

The Smart Card service is automatically installed by default on computers running Windows 7 or Windows Server 2008 R2. If this service stops, your computer is unable to read smart cards.

This service startup type is Manual on Windows 7 and Windows Server 2008 R2. When started in its default configuration it logs on using the Local Service account.

The Smart Card service is dependent upon the following system component:

  • Plug and Play

Smart Card Removal Policy

The Smart Card Removal Policy (SCPolicySvc) service allows the system to be configured to lock the user desktop, disconnect from Remote Desktop sessions, or log off the user upon smart card removal. Users who walk away from computers that are running an active logon session create a security risk. To enforce the security of your system, it is best practice for users to disconnect from any remote Remote Desktop sessions and either log off or lock their computers when they leave. The smart card removal policy allows you to force users to comply with this practice when they remove their smart cards.

Note

If you decide to use the force logoff policy, users must ensure that they have saved changes to documents and other files before they remove their smart cards. Otherwise, they may lose any changes they have made.

Whether or not you use the Smart Card Removal Policy service depends on how your users interact with their computers. For example, this policy may be used for computers in an open floor or kiosk environment. This policy may not be necessary when users have dedicated computers or exclusive use of multiple computers. You can use a password-protected screensaver or other means to lock the computers of these users.

This service is installed by default and its startup type is manual. When started in its default configuration it logs on using the Local System account.

The Smart Card Removal Policy service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

SNMP Service

The SNMP Service allows inbound Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. This service includes agents that monitor activity in network devices and report to the network console workstation, and provides a way to manage network hosts such as workstation or server computers, routers, bridges, and hubs from a centrally located computer that runs network management software. SNMP performs management services through a distributed architecture of management computers and agents.

The SNMP Service also includes an SNMP agent that allows remote, centralized management of computers and services.

The SNMP Service is only installed on your computer if you manually install the optional SNMP feature. When installed, the service starts automatically and logs on using the Local System account by default. If the SNMP service stops or if you disable it, the computer no longer responds to SNMP requests. If the computer is being monitored by network management tools that rely on SNMP, they cannot collect data from the computer nor control its functionality through the service.

SNMP Trap

The SNMP Trap service receives trap messages, which contain information about specific events and are generated by local or remote SNMP agents. The service forwards the messages to SNMP management programs that run on your computer. When configured for an agent, the SNMP service generates trap messages if any specific events occur and these messages are sent to a trap destination. For example, an agent can be configured to initiate an authentication trap if an unrecognized management computer sends a request for information. Trap destinations consist of the computer name, and the IP address of the management computer. The trap destination must be a network-enabled host that runs SNMP management software. Trap destinations can be configured by a user, but the events, such as computer restarts, that generate trap messages are internally defined by the SNMP agent.

The SNMP Trap service is installed by default and configured for Manual start. When started in its default configuration it logs on using the Local Service account. If the service stops or if you disable it, SNMP-based programs on the computer do not receive SNMP trap messages from other computers. If this computer monitors network devices or server applications with SNMP traps, significant computer events are lost.

Software Protection

The Software Protection (sppsvc) service enables the download, installation and enforcement of digital licenses for Windows and Windows applications. If the service is disabled, the operating system and licensed applications may run in a notification mode. It is strongly recommended that you not disable the Software Protection service.

This service is installed by default and its startup type is Automatic. In its default configuration it logs on using the Network Service account.

The Software Protection service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Special Administration Console Helper

The Special Administration Console Helper (sacsvr) service provides the ability to perform remote management tasks on a Windows Server 2008-based computer if the computer's functions are halted because of a Stop error message. The Windows Emergency Management Services component supports two out-of-band console interfaces: the Special Administration Console (SAC) and !SAC, which offers a subset of SAC commands for use when the server has been halted.

Both the SAC and !SAC components accept input and send output through the out-of-band port. SAC is a separate entity from both !SAC and Windows Server 2008 command-line environments. After a specific failure point is reached, Emergency Management Services components determine when the shift should be made from SAC to !SAC. !SAC becomes available automatically if SAC fails to load or does not function. The Special Administration Console Helper service allows you to create inbound communication channels through the command prompt. This service is installed on Windows Server 2008–based computers and configured for a Manual start. When started in its default configuration it will log on using the Local System account.

If the Special Administration Console Helper service stops, SAC services are not available.

SPP Notification Service

The SPP Notification Service (sppuinotify) provides software licensing activation and notification.

The SPP Notification Service is installed and the startup type is Manual on Windows 7–based and Windows Server 2008 R2–based computers. When started in its default configuration it logs on using the Local Service account.

The SPP Notification is dependent on the following system components:

  • COM+ Event System

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

SSDP Discovery

The SSDP Discovery (SSDPSRV) service discovers networks devices and services that use the simple service discovery protocol (SSDP), such as universal plug and play devices. For example, the UPnP Device Host service uses SSDP to locate and identify UPnP-certified network devices and service. The SSDP Discovery service also announces SSDP devices and services running on the local computer.

The SSDP Discovery service is installed and the startup type is Manual on Windows 7–based computers. On Windows Server 2008 R2–based computers, the service is installed and disabled. When started in its default configuration it logs on using the Local Service account. The service is started only when the computer attempts to locate and configure UPnP-certified devices. If you disable this service, the computer is cannot find UPnP-certified devices on the network and the UPnP Device Host service cannot find and interact with UPnP-certified devices.

The SSDP Discovery service is dependent on the following system component:

  • HTTP

The following system components are dependent on the SSDP Discovery service:

  • Media Center Extender Service

  • UPnP Device Host

Storage Service

The Storage Service (StorSvc) enforces group policy settings for storage devices. It is available for computers running Windows 7 Professional or Windows 7 Enterprise only. Its startup type is Manual and logs on using the Local System account by default.

Superfetch

The Superfetch (Sysmain) service maintains and improves system performance over time. Superfetch is part of a collection of performance-enhancing features that address responsiveness issues related to demand paging. We do not recommend the use of Superfetch on servers unless the server is being used as a workstation.

This service startup type is Automatic on Windows 7–based computers. On Windows Server 2008 R2–based computers, the service is installed and disabled. When started in its default configuration it logs on using the Local System account.

The Superfetch service is dependent on the following system components:

  • File Information FS MiniFilter

  • FltMgr

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

System Event Notification Service

The System Event Notification Service (SENS) monitors and tracks computer events such as Windows logon network and power events. It also notifies COM+ Event System subscribers of these events. This service is installed by default and runs automatically under Windows 7 and Windows Server 2008 R2. When started in its default configuration it logs on using the Local System account.

If the System Event Notification service stops, subscribers to the COM+ Event System service do not receive event notifications and the following problems occur:

  • Win32 APIs IsNetworkAlive and IsDestinationReachable do not work. These APIs are typically used by mobile applications on portable computers.

  • ISens* interfaces do not work. SENS logon/logoff notifications fail.

  • SyncMgr (Mobsync.exe) does not work properly due to its dependency on network connectivity information and logon notifications from SENS.

  • The COM+ EventSystem fails when it tries to notify SENS of some events.

  • The Volume Shadow Copy Service does not load properly, which causes the Windows Server Backup API to fail.

The System Event Notification service is dependent upon the following system components:

  • COM+ Event System

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system component is dependent upon the System Event Notification Service:

  1. COM+ System Application

Tablet PC Input Service

The Tablet PC Input Service (TabletInputService) enables Tablet PC pen-and-ink functionality. This allows any version of Windows 7 to be installed on a Tablet PC or to use a pen or touch input device.

If your computer does not have tablet functionality or an external pen or touch input device, you should consider disabling this service.

This service is installed by default and configured for a manual start. When started in its default configuration it logs on using the Local Service account.

The Tablet PC Input Service is dependent upon the following system components:

  • Plug and Play

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Task Scheduler

The Task Scheduler (Schedule) service enables you to configure and schedule automated tasks on your computer. The service monitors whatever criteria you choose and carries out the task when the criteria have been met.

Task Scheduler supports a security isolation model that runs tasks in separate sessions according to their security content. As part of this isolation mode, tasks performed for different users are started in separate sessions, in complete isolation from one another and from tasks that are running in the system context. If passwords are required, they are encrypted and stored in Credential Manager and are retrieved as necessary.

By default, the Task Scheduler service is installed on computers running Windows 7 or Windows Server 2008 R2 and starts automatically. It logs on under the Local System account and cannot be configured to log on using another account.

If the Task Scheduler service stops, scheduled tasks do not run at their scheduled times or intervals.

The Task Scheduler service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Windows Event Log

TCP/IP NetBIOS Helper

The TCP/IP NetBIOS Helper (lmhosts) service provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on your network. It enables users to share files, print, and log on to the network. Specifically, the service performs DNS name resolution and pings a set of IP addresses that return a list of accessible IP addresses to provide support for the NetBT service.

The TCP/IP NetBIOS Helper Service is installed and started automatically by default on Windows Server 2008 R2 and Windows 7. In its default configuration it logs on using the Local Service account. If this service stops or if you disable it, NetBT, Redirector (RDR), Server (SRV), Net Logon, and Messenger service clients may not be able to share files, printers, and log on to computers. For example, domain-based Group Policy no longer functions.

The TCP/IP NetBIOS Helper service is dependent upon the following system components:

  • Ancillary Function Driver for Winsock

  • NetBT

  • NetIO Legacy TDI Support Driver

  • TCP/IP Protocol Driver

Telephony

The Telephony (TapiSrv) service provides support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service. This service is required for dial-up modem connectivity.

This service startup type is Manual. When started in its default configuration the service will log on using the Network Service account.

The Telephony service is dependent upon the following system components:

  • Plug and Play

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system components are dependent upon the Telephony service:

  • Fax

  • Remote Access Auto Connection Manager

  • Remote Access Connection Manager

  • Internet Connection Sharing (ICS)

Themes

The Themes service provides user experience theme-management services. A desktop theme is a predefined set of icons, fonts, colors, sounds, and other elements that give the computer desktop a unified and distinctive look. On Windows 7–based computers, the Themes service is set to start automatically. On Windows Server 2008–based computers, it is disabled. When started in its default configuration it logs on using the Local System account.

If the Themes service stops or if you disable it, the Windows 7 visual style—windows, buttons, scrollbars, Start button and other controls—revert to the Windows Classic visual style.

Thread Ordering Server

The Thread Ordering Server (THREADORDER) service provides ordered execution for a group of threads within a specific period of time. The Thread Ordering Server service controls the running of one or more client threads. It ensures that each client thread runs once during the specific period and in relative order.

This service is installed by default and configured for Manual start. When started in its default configuration it logs on using the Local Service account.

TPM Base Services

The TPM Base Services (TBS) service enables access to the Trusted Platform Module (TPM), which provides hardware-based cryptographic services to system components and applications. The TPM Base Services component centralizes TPM access across applications. It also virtualizes certain limited TPM resources. The TBS uses priorities specified by calling applications to cooperatively schedule TPM access.

The TBS component is an optional system service that allows transparent sharing of the TPM resources. It simultaneously shares the TPM resources among multiple applications on the same physical computer, even if those applications run on different virtual computers. The TBS is installed by default and configured for a manual start.

The TBS runs as a system service in the Windows Server 2008 R2 and Windows 7 operating systems. It provides services to other components as an API exposed through remote procedure calls (RPC). When started in its default configuration it logs on using the Local Service account.

The Trusted Computing Group (TCG) defines a Trusted Platform Module that provides cryptographic functions designed to provide trust in the platform. Because this component is implemented in hardware, it has finite resources. The TCG also defines a software stack that makes use of these resources to provide trusted operations for application software. However, no provision is made for running a TSS implementation side-by-side with operating system software that may also be using TPM resources. The TBS component solves this problem by enabling each software stack that communicates with TBS to use TPM resources checking for any other software stacks that may be running on the computer.

If this service is stopped or disabled, an application cannot use keys protected by the TPM.

UPnP Device Host

The UPnP Device Host (upnphost) service supports peer-to-peer UPnP functionality for network devices. This service simplifies device and network service installation and management and accomplishes device and service discovery and control through driverless, standards-based protocol mechanisms.

UPnP-certified devices can automatically configure network addresses, announce their presence on a network subnet, and enable the exchange of device and service descriptions. When the UPnP Device Host service is installed, a computer can act as a UPnP-certified control point to discover and control the devices through a Web or application interface.

This service is installed by default on computers running Windows 7 or Windows Server 2008 R2. On Windows 7 the service startup type is Manual. On Windows Server 2008 R2, the service is disabled by default. When the service is started it logs on using the Local Service account by default.

The UPnP Device Host service is dependent upon the following system components:

  • HTTP

  • SSDP Discovery

User Profile Service

The User Profile Service (ProfSvc) is responsible for loading and unloading user profiles. If this service is stopped or disabled, users cannot successfully log on or log off, applications may have problems getting to users' data, and components registered to receive profile event notifications do not receive them.

This service should not be stopped or disabled. This service startup type is Automatic. It logs on using the Local System account by default.

The User Profile Service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system component is dependent on the User Profile Service:

  • Application Information

Virtual Disk Service

The Virtual Disk Service (VDS) provides a single interface to manage block storage virtualization, whether it is done in operating system software, redundant array of independent disks (RAID) storage hardware subsystems, or other virtualization engines.

VDS provides a vendor-neutral and technology-neutral interface to manage logical volumes (software) and logical units (hardware). You can use this interface to manage bind operations, topology discovery and tracking, volume status, and fault tracking.

VDS is installed and startup type is Manual on computers running Windows Server 2008 R2 or Windows 7. The service is started only when an application attempts to use VDS. When the service stops, VDS is no longer available. VDS logs on using the Local System account by default.

VDS is dependent upon the following system components:

  • Plug and Play

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Volume Shadow Copy

The Volume Shadow Copy (VSS) service manages and implements volume shadow copies, which are used for backup and other purposes, and manages the volume snapshots. When a backup application attempts to start a backup with the new snapshots infrastructure, the backup application determines the number of writers that are currently active on the service and then queries each writer to gather the required metadata. The backup application can then collect the volumes that require a shadow copy to ensure a successful backup session. The volumes are presented to the shadow copy coordinator and a shadow copy is created. The shadow copy creates volumes that match the original volumes at the shadow copy point in time. If the service is stopped, shadow copies will be unavailable for backup and the backup process may not succeed.

The Volume Shadow Copy Service is installed on computers running Windows 7 or Windows Server 2008 R2, and its startup type is Manual. When started in the default configuration the service will log on using the Local System account.

The Volume Shadow Copy service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

WLAN AutoConfig

The WLAN AutoConfig (Wlansvc) service provides the logic required to configure, discover, connect to, and disconnect from a wireless local area network (WLAN) as defined by IEEE 802.11 standards. It also contains the logic to turn your computer into a software access point so that other devices or computers can connect to your computer wirelessly using a WLAN adapter that can support this. Stopping or disabling the WLAN AutoConfig service will make all WLAN adapters on your computer inaccessible from the Windows networking UI. It is strongly recommended that you have the WLAN AutoConfig service running if your computer has a WLAN adapter.

This service is installed by default and its startup type is Manual. When started in the default configuration it will log on using the Local System account.

The WLAN AutoConfig service is dependent upon the following system components:

  • Extensible Authentication Protocol

  • CNG Key Isolation

  • Native WiFi Filter

  • NDIS Usermode I/O Protocol

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

WMI Performance Adapter

The WMI Performance Adapter (wmiApSrv) service provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. This service only runs when Performance Data Helper is activated.

This service is installed by default and its startup type is Manual. When started in the default configuration it will log on using the Local System account.

WWAN AutoConfig

The WWAN AutoConfig (WwanSvc) service manages mobile broadband (GSM & CDMA) data card/embedded module adapters and connections by auto-configuring the networks. It is strongly recommended that this service be kept running for best user experience of mobile broadband devices.

The WWAN Autoconfig service is configured to start manually and log on using the Local Service account

The WWAN AutoConfig service is dependent upon the following system components:

  • NDIS Usermode I/O Protocol

  • Network Location Awareness

  • Network Store Interface Service

  • NSI proxy service driver

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • TCP/IP Protocol Driver

  • Plug and Play

Web Management Service

The Web Management Service (WMSVC) enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on this computer. This service supports Internet Information Services.

This service is not installed by default and must be added through the Turn Windows Features on or off dialog box in the Programs area of Control Panel. This service is not available on computers running Windows 7 Starter or Windows 7 Home Basic. When started in its default configuration it logs on using the Local Service account.

The Web Management Service is dependent upon the following system component:

  • HTTP

WebClient

The WebClient (WebClient) service enables Win32 applications to access documents on the Internet. The service extends the network capability of Windows by allowing standard Win32 applications to create, read, and write files on Internet file servers through the use of WebDAV, a file-access protocol that is described in XML and uses HTTP for communication. Because it uses standard HTTP, WebDAV communicates using existing Internet infrastructure, such as firewalls and routers.

The WebClient service is installed on Windows 7, and its startup type is Manual. When started in its default configuration it logs on using the Local Service account

The WebClient service is dependent upon the following system components:

  • WebDav Client Redirector Driver

  • Redirected Buffering Sub System

  • Mup

Windows Audio

The Windows Audio (AudioSrv) service provides support for sound and related Windows Audio event functions. This service manages events–that are compatible with Plug and Play for audio devices such as sound cards and global audio effects (GFX) for Windows audio application program interfaces. Examples of GFXs are equalization (EQ), bass enhancement, and speaker correction. The service loads, unloads, saves, and restores state for the GFXs on a per-session basis.

Through the Multimedia control panel, users can accomplish the following:

  • Enable or disable a GFX.

  • Select among several GFX filters if more than one GFX is available that is designed for the specific audio hardware. A GFX driver's .inf file specifies the target hardware for the GFX.

You cannot stop the Windows Audio service after it is started. If you disable this service, audio functionality may be affected, including the inability to hear sound or process GFXs.

The Windows Audio service is installed on computers running Windows Server 2008 R2 or Windows 7. The service starts automatically on computers running Windows 7. The service must be manually started on computers running Windows Server 2008 R2. When started it logs on using the Local Service account.

The Windows Audio service is dependent upon the following system components:

  • Multimedia Class Scheduler

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Windows Audio Endpoint Builder

  • Plug and Play

Windows Audio Endpoint Builder

The Windows Audio Endpoint Builder (AudioEndpointBuilder) service manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects do not function properly. The term endpoint device refers to a hardware device at one end of a data path that originates or terminates at an application program. Examples of audio endpoint devices are speakers, headphones, microphones, and CD players.

The audio system keeps track of both endpoint devices and dynamic changes in the configuration of audio hardware that has jack-presence detection. While an endpoint device remains plugged in, the system enumerates that device. When the user unplugs an endpoint device, the system ceases to enumerate it. This feature improves the reliability of the audio system, giving more predictable capture and playback experiences across different devices.

The Windows Audio Endpoint Builder service is installed on computers running Windows Server 2008 R2 or Windows 7. The service starts automatically on computers running Windows 7. The service must be manually started on computers running Windows Server 2008 R2. When started in its default configuration it will log on using the Local System account.

The Windows Audio Endpoint Builder service is dependent upon the following system component:

  • Plug and Play

The following system component is dependent upon the Windows Audio Endpoint Builder service:

  • Windows Audio

Windows Backup

The Windows Backup (SDRSVC) service supports backup features provided by Windows 7 that allows data files and system images to be stored separate from the computer in case of system failure or data loss.

Having a regular backup policy is essential for disaster recovery scenarios, but backups are also a security risk. Your security policy must address how data backups are going to be protected so that they are not used to remove confidential information from your data center or your organization. Backup copies that are on removable media should be placed in a secure storage area that only trusted personnel have access to, and they should be encrypted. If possible, desktops and portable computers should be backed up on network servers, which are in turn backed up into secure storage. If that is not feasible, your users should be informed as to the best practices for backing up data securely and be provided a secure location to store their backup copies.

This service is installed by default and its startup type is Manual. When started in its default configuration it will log on using the Local System account.

The Windows Backup service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Windows Biometric Service

The Windows Biometric Service (WbioSrvc) gives client applications the ability to capture, compare, manipulate, and store biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process.

The service is installed by default and its startup type is manual. When started in its default configuration it will log on using the Local System account.

The Windows Biometric Service is dependent upon the following system components:

  • Credential Manager

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Windows Driver Foundation – User-mode Driver Framework

  • Plug and Play

  • User Mode Driver Frameworks Platform Driver

Windows CardSpace

The Windows CardSpace (idsvc) service enables the creation, management, and disclosure of digital identities. Windows CardSpace is client software that enables users to provide their digital identity to online services in a simple and trusted way. It is known as an identity selector: when a user must authenticate to a Web site or a Web service, CardSpace presents a dialog box with a set of "information cards" for the user to choose from. Each card has some identity data associated with it—though this is not actually stored in the card—that has either been given to the user by an identity provider such as their bank, employer, or government, or has been created by users themselves. The CardSpace UI enables users to create Personal cards (also known as self-issued cards) and associate a limited set of identity data. When the user chooses a card, a signed and encrypted security token containing the required information (for example, name and address, employer's name and address, or credit limit) is generated by the identity provider that created the card. The user, in control at all times, then decides whether to release this information to the requesting online service. If the user approves, the token is sent on to the requesting party where the token is processed and the identity information is extracted.

This service is installed by default and its startup type is Manual. When started in the default configuration, it logs on using the Local System account.

Windows Color System

The Windows Color System service (WcsPlugInService) hosts non-Microsoft Windows Color System color device model and gamut map model plug-in modules. These plug-in modules are vendor-specific extensions to the Windows Color System baseline color device and gamut map models. Stopping or disabling the WcsPlugInService service disables this extensibility feature, and the Windows Color System uses its baseline model processing rather than the vendor's requested processing. This might result in inaccurate color rendering. The Windows Color System provides for more precise color mapping and gradation. Non-Microsoft vendors such as printer manufacturers and photo finishers can use this feature in applications and drivers to explicitly call the color that they want rendered.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local Service account.

The Windows Color System service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Windows Connect Now - Config Registrar

The Windows Connect Now - Config Registrar (WCNCSVC) service acts as a registrar for the Windows Connect Now service and issues network credentials to the enrollee in the service. Windows Connect Now technology enables stream-lined configuration of secured wireless networks and easier provisioning of wireless hardware and supports configuration of devices on out-of-band Ethernet and in-band wireless networks. WCNCSVC hosts the Windows Connect Now Configuration which is Microsoft's Implementation of Wi-Fi Protected Setup (WPS) protocol. This is used to configure Wireless LAN settings for an Access Point (AP) or a Wi-Fi Device. The service is started programmatically as needed.

Windows Connect Now-NET in Windows 7 communicates with access points and wireless stations by using UPnP architecture, authenticates with them by using a personal identification number (PIN), and provides wireless settings that are based on user selection.

This service is installed by default and its startup type is Manual. When started in its default configuration it logs on using the Local Service account.

The Windows Connect Now - Config Registrar service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Windows Defender

The Windows Defender (WinDefend) service scans your computer and helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software.

This service is installed by default and its startup type is Automatic. By default it logs on using the Local System account.

The Windows Defender service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Windows Driver Foundation - User-mode Driver Framework

The Windows Driver Foundation - User-mode Driver Framework (wudfsvc) service manages user-mode driver host processes. User-mode Driver Framework (UMDF) supports the creation of user-mode drivers that support protocol-based or serial-bus-based devices. Such drivers handle the same types of I/O requests as kernel-mode drivers and are installed by INF files, just as kernel-mode drivers are. The UMDF supports protocol device classes such as cameras and portable music players. Moving drivers for such devices into user mode can simplify the drivers and improve the overall stability of the operating system.

This service is installed by default, and the startup type is Automatic. When started in its default configuration it logs on using the Local System account.

The Windows Driver Foundation – User-mode Driver Framework is dependent upon the following system components:

  • Plug and Play

  • User Mode Driver Frameworks Platform Driver

The following system component relies on the Windows Driver Foundation – User-mode Driver Framework:

  • Windows Biometric Service

Windows Error Reporting Service

The Windows Error Reporting Service (WerSvc) reports errors when programs stop working or responding and enables existing solutions to be delivered. It also generates logs for the Problem Reports and Solutions diagnostic and repair service. If this service is stopped, programs and services that rely on this service will not report errors correctly, and the results of diagnostic services and repairs for those programs and services will not be displayed.

Windows Error Reporting is a feature that allows Microsoft to track and address errors relating to the operating system, Windows features, and applications. Windows Error Reporting gives users the opportunity to send data about errors to Microsoft and to receive information about solutions. Solution information can include instructions for working around a problem, or a link to the Windows Update Web site or another Web site for updated drivers, patches, or Microsoft Knowledge Base articles. Microsoft developers can use Windows Error Reporting as a problem-solving tool to address customer problems in a timely manner and to improve the quality of Microsoft products.

Windows Error Reporting has "consent levels" that an administrator can configure to control how Windows Error Reporting sends data to Microsoft. These setting are configured in the Problem Reporting settings page of the Action Center Control Panel. These settings can also be configured through Group Policy under either Computer Configuration or User Configuration in Administrative Templates\Windows Components\Windows Error Reporting\Consent.

User Account Control does affect how Windows Error Reporting works. A standard user does not have the same ability to report errors as an administrator does. If a prompt appears when a user is logged on as an administrator, the user can choose to report application and operating system errors. If a prompt appears for a user who is not logged on as an administrator, the user can choose to report application errors plus errors for operating system software that does not require administrative credentials to run.

The administrator also has the option to specify a list of programs for which error reports should never be sent.

This service is installed by default, and the startup type is Automatic.

Windows Event Collector

The Windows Event Collector (Wecsvc) service manages persistent subscriptions to events from remote sources that support the WS-Management protocol. This includes event logs, hardware, and Intelligent Platform Management Interface (IPMI)-enabled event sources. The service stores forwarded events in a local event log. If this service is stopped or disabled, event subscriptions cannot be created and forwarded events cannot be accepted.

The Event Collector service on the local computer uses the WS-Management protocol to send an event subscription request to a remote computer. The remote computer must be able to receive this information. This subscription request is passed to the Event Forwarder, which is a WS-Management plug-in. The plug-in then creates an event subscription on the remote computer based on the subscription request made by the local computer. Any events delivered to the remote computer are then sent to the Event Collector service on the local computer.

Event collection allows administrators to get events from remote computers and store them in a centralized place. The events are stored in the local event log of the collector computer and persisted in the local event log. The destination log path for the events is a property of the subscription. All data in the received event is saved in the collector computer event log. Additional information related to the event forwarding is also added to the event.

This service startup type is Manual. When started in its default configuration it logs on using the Network Service account.

The Windows Event Collector is dependent upon the following system components:

  • HTTP

  • Windows Event Log

Windows Event Log

The Windows Event Log (Eventlog) service enables event log messages that are issued by Windows-based programs and components to be viewed in Event Viewer. These event log messages contain information that can help diagnose problems with applications, services, and the operating system.

You cannot stop the Windows Event Log service. If you disable the service, it would be impossible to track events, which significantly reduces the ability to successfully diagnose computer problems. Also, security events would not be audited, and you could not view previous event logs with the Event Viewer console. The Windows Event Log service runs under the Local Service account.

The following table identifies the application protocols, network protocols, and ports used by the Windows Event Log service:

Application protocol

Network Protocol

Ports

RPC/named pipes (NP)

TCP

139

RPC/NP

TCP

445

RPC/NP

UDP

137

RPC/NP

UDP

138

Warning

This service has the same firewall requirements as those of the "File and Printer Sharing" feature.

The following system components are dependent upon the Windows Event Log Service:

  • Operations Manager Audit Forwarding Service

  • Task Scheduler

  • Windows Event Collector

Windows Firewall

The Windows Firewall (MpsSvc) service helps to protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network. For an overview of the changes in Windows Firewall in Windows 7 and Windows Server 2008 R2, see What’s New in Windows Firewall with Advanced Security

This service is installed by default and the startup type is Automatic. When started in the default configuration it logs on using the Local Service account.

The Windows Firewall service is dependant upon the following system components:

  • Base Filtering Engine

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Windows Firewall Authorization Driver

Windows Font Cache Service

The Windows Font Cache Service (FontCache) Optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running. It can be disabled, though doing so will degrade application performance.

This service is installed by default and configured for a manual start. When started in the default configuration it will log on using the Local Service account.

Windows Image Acquisition (WIA)

The Windows Image Acquisition (WIA) service provides image acquisition services for scanners and cameras.

The Windows Image Acquisition (WIA) service supports Small Computer System Interface (SCSI), IEEE 1394, USB, and serial digital still-image devices. Support for infrared, parallel, and serial still-image devices is provided by the existing infrared, parallel, and serial interfaces. Image scanners and digital cameras are examples of still-image devices.

The Windows Image Acquisition (WIA) service is installed, and its startup type is Manual on Windows 7–based computers. If the service stops, events from imaging devices are not captured and processed. The service restarts automatically at startup if there is a WIA device installed. Also, it restarts any time that a WIA-enabled application is started. When started in the default configuration it will log on using the Local Service account.

The Windows Image Acquisition service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

  • Shell Hardware Detection

Windows Installer

The Windows Installer (msiserver) service manages the installation and removal of applications. It applies a set of centrally defined setup rules during the installation process that specify how applications are installed and configured. You can also use this service to modify, repair, or remove existing applications. The Windows Installer technology consists of the Windows Installer service for the Windows operating systems and the package (.msi) file format that contains application setup and installation information.

The Windows Installer service is not only an installation program, but it is also an extensible software management system. It manages the installation, addition, and deletion of software components, monitors file resiliency, and maintains basic disaster recovery by way of rollbacks. It also supports the installation and operation of software from multiple sources, and can be customized by developers who want to install custom applications.

By default, the Windows Installer service is installed and its startup type is Manual on computers running Windows 7 or Windows Server 2008 R2. Applications that use the installer start the service. If this service stops, applications that use it cannot be installed, removed, repaired, or modified. Also, a number of applications use this service when they are active, and they may not run if the Windows Installer service stops. When started in the default configuration it will log on using the Local System account.

The Windows Installer service is dependent upon the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Windows Internet Name Service (WINS)

The Windows Internet Name Service (WINS) enables NetBIOS name resolution. If you have computers in your organization that require NetBIOS name resolution, you can use Server Manager to install this feature on servers running Windows Server 2008 R2. However, we recommend that you investigate the use of DNS alternatives to WINS, such as a search suffix list or a global names zone.

Windows Management Instrumentation

The Windows Management Instrumentation service (Winmgmt) provides a common interface and object model to access management information about operating systems, devices, applications, and services. Windows Management Instrumentation (WMI) is an infrastructure that provides the ability to build management applications and instrumentation.

The WMI infrastructure is a Windows operating system component that moves and stores information about managed objects. It is composed of two subcomponents: the Windows Management Instrumentation service and the WMI repository. The service acts as an intermediary between the providers, management applications, and the WMI repository, and places information from a provider into the WMI repository. The service also accesses the WMI repository in response to queries and instructions from management applications. Finally, the service can pass information directly between a provider and a management application. In contrast, the WMI repository acts as a storage area for information from the various providers.

The Windows Management Instrumentation service provides access to the management data through a number of interfaces, including COM API, scripts, and command-line interfaces. It is compatible with previous management interfaces and protocols, such as Simple Network Management Protocol (SNMP). The service installs and runs automatically on computers running Windows 7 or Windows Server 2008 R2. If the service stops, most Windows-based software cannot function properly.

This service is available in all versions of Windows 7 and configured for an automatic start. It logs on using the Local System account by default.

The Windows Management Instrumentation service is dependent on the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The following system components are dependent on the Windows Management Instrumentation service:

  • Internet Connection Sharing (ICS)

  • IP Helper

  • Security Center

Windows Media Center Receiver Service

The Windows Media Center Receiver Service (ehRecvr) supports the Windows Media Center so that you can receive TV and radio programs on your computer.

This service is not available in Windows 7 Starter or Windows 7 Home Basic. In Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise it is installed by default and configured for a Manual start. Once started, in a default configuration, it logs on using the Network Service account.

The Windows Media Center Receiver Service is dependent on the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Windows Media Center Scheduler Service

The Windows Media Center Scheduler Service (ehSched) supports the Windows Media Center so that you can start and stop recording of TV programs on schedule.

This service is not available in Windows 7 Starter or Windows 7 Home Basic. In Windows 7 Home Premium, Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise it is installed by default and configured for a Manual start. Once started, in a default configuration, it logs on using the Network Service account.

The Windows Media Center Scheduler Service is dependent on the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Windows Media Player Network Sharing Service

The Windows Media Player Network Sharing Service (WMPNetworkSvc) shares Windows Media Player libraries to other networked players and media devices by using the UPnP architecture. By default this service is installed on all versions of Windows 7, and its startup type is Automatic on Windows 7 Home Premium and Windows 7 Professional. On all other versions of Windows 7 its startup type is Manual. When started in its default configuration it logs on using the Network Service account.

The Windows Media Player Network Sharing Service is dependent upon the HTTP system component.

Windows Modules Installer

The Windows Modules Installer (TrustedInstaller) service enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, installation or removal of Windows updates may fail for this computer.

This service is installed by default, and its startup type is Manual.

Windows Presentation Foundation Font Cache

The Windows Presentation Foundation Font Cache service optimizes performance of the Windows Presentation Foundation (WPF) application by caching commonly used font data. You may have multiple versions of this service, such as Windows Presentation Foundation Font Cache 3.0.0.0 and Windows Presentation Foundation Font Cache 4.0.0.0, to support applications created with different versions of WPF. WPF applications will start this service if it is not already running. It can be disabled, but doing so degrades the performance of WPF applications.

WPF is supported by default in Windows 7 and configured for a manual start.

Windows Process Activation Service

The Windows Process Activation Service (WAS) manages the activation and lifetime of the worker processes that contain applications that host Windows Communication Foundation (WCF) services. The WAS process model generalizes the IIS process model for the HTTP server by removing the dependency on HTTP. This allows WCF services to use both HTTP and non-HTTP protocols, such as Net.TCP, in a hosting environment that supports message-based activation and offers the ability to host a large number of applications on a computer.

This service is not installed by default. From a security standpoint, you should not run Windows Process Activation Service unless you are supporting a .NET Framework 3.5.1 application or IIS 7.0.Both IIS and .NET Framework 3.5.1 automatically install Windows Process Activation Service as needed. You should not install Windows Process Activation Service by itself. Once installed and started it logs on using the Local System account by default.

The Windows Process Activation Service depends on the following system components:

  1. Remote Procedure Call (RPC)

  2. DCOM Server Process Launcher

  3. RPC Endpoint Mapper

The following system components are dependent on the Windows Process Activation Service:

  1. Net.Msmq Listener Adapter

  2. Net.Pipe Listener Adapter

  3. Net.Tcp Listener Adapter

  4. World Wide Web Publishing Service

Windows Remote Management (WS-Management)

The Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard Web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service must be configured with a listener by using the Winrm command-line tool or by using a Group Policy setting in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service be running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same computer. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should verify that any Web sites hosted on IIS do not use the /wsman URL prefix.

Windows Remote Management (WinRM) is one component of the Windows Hardware Management features introduced with Windows Server 2003 R2 that manage server hardware locally and remotely. These features include a service that implements the WS-Management protocol, hardware diagnosis and control through baseboard management controllers (BMCs), and a COM API and scripting objects that allow you to write applications that communicate remotely through the WS-Management protocol.

WinRM provides an efficient way for management applications and scripts to communicate with local and remote computers by using an encrypted channel. The Windows service that WinRM installs and uses is also named WinRM.

When a server is connected to a BMC that supports the WS-Management standard, applications and scripts can use WinRM to communicate directly with the BMC, even when the operating system is offline (pre-boot or post-failure).

When a server is not connected to a BMC, WinRM can still be used to connect to WMI remotely in situations where DCOM communication is impeded, for example, across a firewall. This usage is possible because the WS-Management standard uses a single port that is configurable by the system administrator.

WinRM exposes its own application programming interface (API) for scripting, which can be used by scripts written in any Windows Script Host-compatible language. The scripting API communicates with WMI by using syntax different from standard WMI scripts. WinRM syntax is documented in the WinRM Software Development Kit. Hardware Management uses a WMI plug-in to expose WMI classes to WinRM. To call these classes, the WMI namespace and class must be converted into a Uniform Resource Identifier (URI).

WS-Management is based on the following standard specifications:

  • HTTPS

  • SOAP over HTTP (WS-I profile)

  • SOAP 1.2

  • WS-Addressing

  • WS-Transfer

  • WS-Enumeration

  • WS-Eventing

As a security measure, if you use WinRM for remote management, you should configure the WinRM service to use the HTTPS protocol.

This service is installed by default, and its startup type is Manual. When started in its default configuration it will log on using the Network Service account.

WinRM is dependent on the following system components:

  • HTTP

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

The Windows Search (WSearch) service supports the Instant Search feature and provides content indexing and property caching for file, e-mail, and other content (by means of extensibility APIs). The service responds to file and e-mail notifications to index modified content. If the service is stopped or disabled, Windows Explorer cannot display virtual folder views of items, and search in Windows Explorer reverts to an item-by-item search.

The content indexed is based on the file and data types supported through add-ins included with Windows Search and the default inclusion and exclusion rules for folders in the file system. For example, the filters included in Windows Search support more than 200 common types of data, including support for Microsoft® Office documents, Office Outlook e-mail (in conjunction with the MAPI protocol handler), plaintext files, and HTML.

The main component of Windows Search is the indexer process, which is implemented as a Windows service running in the Local System account. The process is always running for all users even if no user is logged on, enabling Windows Search to maintain one index shared among all users with security restrictions on content access and to process remote queries from client computers on the network.

The Windows Search service includes a number of features to ensure that it protects the user experience and system performance when indexing. A number of conditions cause the service to throttle back or pause indexing:

  • High CPU usage by processes that are not search-related

  • High system I/O rate including file reads and writes, page file and file cache I/O, and mapped file I/O

  • Low memory availability

  • Low battery life

  • Low disk space on the drive storing the index

This service is installed by default, and its startup type is Automatic.

The Windows Search service depends on the following system components:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

Windows Time

The Windows Time (W32Time) service maintains date and time synchronization on all computers on a Windows network. It uses the Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or timestamp, can be assigned to network validation and resource access requests. The implementation of NTP and the integration of time providers make Windows Time a reliable and scalable time service for administrators. For computers that are not joined to a domain, you can configure the Windows Time service to synchronize time with an external time source. If this service is turned off, the time setting for local computers is not synchronized with any time service in the Windows domain or external time service.

The Windows Time service is installed by default and configured for a manual start. When started in the default configuration is will log on using the Local Service account.

If the Windows Time service stops or if you disable it, date and time synchronization is unavailable in the network or from an external NTP server. There are two possible scenarios:

  • If you stop the Windows Time service on a workstation, the workstation cannot synchronize its time with another source, but no other external server is affected.

  • If you stop the Windows Time service on a domain controller, the same effect as in the previous scenario applies, but domain members are also unable to synchronize time with it. This inability to synchronize may adversely affect time synchronization in the organization.

By default, the Windows Time service is installed and started automatically on computers running Windows 7 or Windows Server 2008 R2.

Windows Update (Automatic Updates)

The Windows Update (wuauserv) service enables the download and installation of security updates for Windows and Office. It automatically provides Windows computers with the latest updates, drivers, and enhancements. When an Internet connection is available, the operating system searches for applicable updates. Depending on the configuration settings, the service may notify the user before download, notify the user before installation, or automatically install the updates.

You can disable the Windows Update feature through the Control Panel.

You can also use the Local Group Policy Editor to configure an intranet server that is configured with Windows Server Update Services to host updates from the Microsoft Update sites. This setting lets you specify a server on your network to function as an internal update service. The Windows Updates client searches this service for updates that apply to the computers on your network.

The Windows Update service is installed by default and configured for an automatic start. It logs on using the Local System account.

If the Windows Update service stops or if you disable it, updates are not automatically downloaded to the computer automatically. You must search for, download, and install applicable fixes manually.

The following system components are dependent upon the Windows Update service:

  • Remote Procedure Call (RPC)

  • DCOM Server Process Launcher

  • RPC Endpoint Mapper

WinHTTP Web Proxy Auto-Discovery Service

The WinHTTP Web Proxy Auto-Discovery Service implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol that enables an HTTP client to automatically discover a proxy configuration.

If the WinHTTP Web Proxy Auto-Discovery Service stops or if you disable it, the WPAD protocol runs within the HTTP client's process instead of an external service process, and there is no loss of functionality. This service is installed by default, and its startup type is Manual.

Wired AutoConfig

The Wired AutoConfig (dot3svc) service performs IEEE 802.1X authentication on Ethernet interfaces. The Wired Network (IEEE 802.3) Policies Group Policy and client-side extension is a new feature in Windows Server 2008 R2. You can use the Wired Network (IEEE 802.3) Policies Group Policy and client-side extension to specify network settings for computers running Windows 7 and Windows Server 2008 R2 that connect to an Ethernet network through an 802.1X-compatible switch in an Active Directory environment.

Note

You cannot configure computers running Windows XP or Windows Server 2003 by using Wired Network (IEEE 802.3) Policies.

If your current wired network deployment enforces 802.1x authentication, the Wired AutoConfig service should be configured to run for establishing Layer 2 connectivity to provide access to network resources. Wired netowrks that do not enforce 802.1x authentication are unaffected by the Wired AutoConfig service.

Additionally, you can use Wired Network (IEEE 802.3) Policies to integrate client-wired Ethernet connectivity and security settings with Network Access Protection (NAP) to restrict network access for clients that do not meet system health requirements.

This service is installed by default and configured for a manual start. When started it logs on using the Local System account by default.

The Wired AutoConfig service is dependent on the following system components:

  1. Extensible Authentication Protocol

  2. CNG Key Isolation

  3. Remote Procedure Call (RPC)

  4. DCOM Server Process Launcher

  5. RPC Endpoint Mapper

  6. NDIS Usermode I/O Protocol

WLAN Autoconfig

The WLAN Autoconfig service enables automatic configuration for IEEE 802.11 wireless adapters for wireless communications. Microsoft has worked with 802.11 network-adapter vendors to automate the network adapter configuration process, which associates the network adapter with an available network and improves the wireless roaming experience on Windows.

The wireless network adapter and its Network Driver Interface Specification (NDIS) driver must do little more than provide support for a few new NDIS object identifiers (also known as OIDs) that query and set device and driver behavior. The network adapter scans for available networks and passes the information to Windows. The Wireless Configuration service configures the network adapter for an available network. When two networks cover the same area, the user can configure a preferred network order; the computer tries each network in order until it determines an active one. It is also possible to limit association to only the configured, preferred networks.

On Windows Server 2008 R2 and Windows 7, the WLAN AutoConfig (WLANSVC) service enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to wireless networks. The WLAN AutoConfig System Services Group Policy settings in Windows Server 2008 R2 enable administrators to specify the service startup type of the WLAN AutoConfig service for domain member computers running with Windows 7 and Windows Server 2008 R2 that have wireless network adapters and the associated Windows 7 adapter drivers installed.

WLAN AutoConfig Group Policy settings enable administrators to prevent domain member users from altering the startup mode of the WLAN AutoConfig service.

WMI Performance Adapter

The WMI Performance Adapter service provides performance library information from WMI high-performance providers. Applications and services that need to provide performance counters today can do so in two ways: they can write a WMI high-performance provider or write a performance library. Consumers of high-performance data also have two ways to request performance data: through WMI or through the Performance Data Helper (PDH) APIs. There are mechanisms that are in place to enable the two models to interact, so that clients that access counters through each model can still detect the counters provided by the other model. The reverse adapter is one of those mechanisms.

The WMI Performance Adapter service transforms performance counters that are supplied by WMI high-performance providers into counters that can be consumed by PDH through the Reverse Adapter Performance Library. This approach provides PDH clients such as Sysmon with the ability to consume performance counters from any WMI high-performance providers on the computer.

If the WMI Performance Adapter service stops, WMI performance counters are unavailable.

Workstation

The Workstation (LanmanWorkstation) service is installed and runs automatically on Windows 7 and Windows Server 2008 R2. This service creates and maintains client network connections and communications. The Workstation service is a user-mode wrapper for the Microsoft Networks redirector. It loads and performs configuration functions for the redirector, supports network connections to remote servers, supports the WNet APIs, and provides redirector statistics.

This service is installed by default and is started automatically

If the Workstation service stops, clients cannot establish connections to remote servers or access files through named pipes. Clients and programs cannot access files and printers on other remote computers, but TCP/HTTP connectivity is not affected. Internet browsing and Web Client access still work.

The Workstation service has dependencies on the following system components:

  1. Browser Support Driver

  2. Network Store Interface Service

  3. NSI proxy service driver

  4. SMB 1.x MiniRedirector

  5. SMB 2.0 MiniRedirector

  6. SMB MiniRedirector Wrapper and Engine

  7. Redirected Buffering Sub System

  8. Mup

The following system components depend on the Workstation service:

  1. Computer Browser

  2. Netlogon

  3. Remote Desktop Configuration

World Wide Web Publishing Service

The World Wide Web Publishing Service (W3SVC) provides Web connectivity and administration of Web sites through the IIS snap-in. The service provides HTTP services for applications on the Windows operating system and contains a process manager and a configuration manager. The process manager controls the processes in which custom applications and simple Web sites reside. The configuration manager reads the stored computer configuration and ensures that Windows is configured to route HTTP requests to the appropriate application pools or operating system processes.

This service can monitor the processes that contain custom applications and provide recycling services for these applications. Recycling is a configuration property of an application pool and can be done on the basis of memory limits, request limits, processing time, or time of day. The service queues HTTP requests if custom applications stop responding, and also attempts to restart custom applications.

You can configure the ports that are used by this service through the Internet Information Services (IIS) Manager snap-in. If the administrative Web site is enabled, a virtual Web site is created that uses HTTP traffic on TCP port 8098.

The following table identifies the application protocol, network protocol, and ports used by the World Wide Web Publishing Service by default:

Application protocol

Network Protocol

Ports

HTTP

TCP

80

HTTPS

TCP

443

This service is an optional component that may be installed on Windows Server 2008 R2 or Windows 7 as part of the IIS Web Server package. If the World Wide Web Publishing Service stops, the operating system cannot serve any form of Web request.

The World Wide Web Publishing Service has dependencies on the following system components:

  1. Windows Process Activation Service

  2. Remote Procedure Call (RPC)

  3. DCOM Server Process Launcher

  4. RPC Endpoint Mapper