16-01-2006, 07:21 PM   #6
Paul Adams (MSFT)
=====================================================================
5. Services
=====================================================================
A service is identical to a normal user mode application, with the exception that it can be launched and running without a user being logged on.
(Services also rarely have interfaces, but an application without a user interface is not necessarily a service.)

Services are listed in the registry along with their startup type and dependencies, and they still run in user mode just like any other application.

It is the job of the Service Control Manager (SCM) to start and stop the services (either automatically or on demand) and to take recovery actions specified if a service crashes.

As they are identical to regular user mode applications in other aspects, they have their own protected memory space and sandbox to play in - however, because of dependencies you may find that a service which crashes or fails to start can impact other services.

Through the Control Panel (under Administrative Tools/Services) you can see the services registered, their startup type and current status (started or stopped).
If you view the properties of a service and go to the Dependencies tab you can see the services or system components upon which this service relies, and also the other services which rely on this one.

There are various guides around the Internet describing how to disable "unnecessary" services, but what is correct for one user might be disastrous for another so I dislike explicit "you should stop this service" remarks in general.
View the properties of the Remote Procedure Call (RPC) service and see how many system components rely on it - then decide if it is worth potentially breaking your anti-virus, Windows Update, wireless configuration, etc. services by disabling this one service.

One process which confuses a lot of people is "svchost.exe" - yes there ARE meant to be multiple instances of this process.
This svchost is a special case - its purpose is to collect together a number of "not so critical" services to run within 1 process, and the reason for this is to conserve resources.
More critical system services are either independent or run under services.exe ("Services and Controller app").

svchost.exe has the description "Generic Host Process for Win32 Services".

How does svchost know which services are running in each instance?
Task Manager only shows you "svchost.exe" listed a number of times.

If you run a tool such as Process Explorer from SysInternals you can see a great deal more information on running processes, and if you add the detail column "command line" to the view then you will see each instance of svchost.exe has a unique switch after it.
e.g.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService


A quick note on naming conventions regarding the registry:
A key (or subkey) is synonymous with a folder in a file system.
A value (or "leaf node") is synonymous with a file in a file system.

A key has only a name - no data - it is just a container for further (sub)keys or values.
A value has a type (e.g. REG_SZ) and associated data (e.g. "this is a string").

People often incorrectly talk about modifying registry keys when editing values.
So how do you know which instance is running which service(s)?
The services are listed as keys under the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

If we take the Alerter service and view the data for the value "ImagePath" we can see it is:
"%SystemRoot%\system32\svchost.exe -k LocalService"

Now if we look at the WebClient service further down the list, we can see its command line is identical.
So when Windows comes to start one of these services, how does it know which service is starting, and not affect the other?

If we look in the registry under the following key, there are a number of values whose names match the command line arguments of svchost.exe instances:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

In the data for each of these values you will see a list of services that all share the same process space.
e.g.
LocalService = Alerter WebClient LmHosts W32Time RemoteRegistry upnphost SSDPSRV WinHttpAutoProxySvc

So here is a list of potential services which would all share the same process, started or stopped individually with what appears to be the same command line.

The slight drawback with this approach is that software firewalls will govern access based on the command line and CRC check of the executable, so any service running under svchost.exe is tarred with the same brush.

Hint:
It is possible to convert practically any executable into a service using the Resource Kit tools instsrv and srvany, as described in KB137890

Last edited by Paul Adams; 16-01-2006 at 11:15 PM..
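As an added example (my script, not part of Paul's post), here is a PowerShell version of the lookup the post walks through by hand: it reads the group values under the SvcHost key, parses the "-k" switch out of every service's ImagePath, lists which services share one svchost.exe process, and flags any service whose claimed group, group membership, or svchost.exe path does not agree with what the registry declares. It assumes only the two registry paths named in the post and read access to them.

```powershell
# Added example, not from the original post: map "svchost.exe -k <group>" to the
# services that share that process, and flag entries the SvcHost key does not back up.
$svcHostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Group name -> service names, exactly as the SvcHost key declares them (REG_MULTI_SZ)
$groups = @{}
$key = Get-Item -Path $svcHostKey
foreach ($name in $key.GetValueNames()) {
    if ($name -eq '') { continue }            # skip the (Default) value
    $groups[$name] = @($key.GetValue($name))
}

# Expected location from the post: %SystemRoot%\system32\svchost.exe
$expectedExe = Join-Path $env:SystemRoot 'system32\svchost.exe'

# Walk every registered service and pull "-k <group>" out of its ImagePath.
# GetValue() expands %SystemRoot% for REG_EXPAND_SZ values, so paths compare cleanly.
$findings = foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $imagePath = $svc.GetValue('ImagePath')
    if (-not $imagePath) { continue }
    if ($imagePath -match '(?i)svchost\.exe"?\s+-k\s+(\S+)') {
        $group   = $Matches[1]
        $exeOnly = $imagePath -replace '(?i)^"?(.*?svchost\.exe)"?\s.*$', '$1'
        [pscustomobject]@{
            Service        = $svc.PSChildName
            Group          = $group
            # True only if the SvcHost key knows this group AND lists this service in it
            ListedInGroup  = $groups.ContainsKey($group) -and ($groups[$group] -contains $svc.PSChildName)
            # False if something else named svchost.exe is being launched as a service
            PathIsSystem32 = ($exeOnly -ieq $expectedExe)
            ImagePath      = $imagePath
        }
    }
}

# Per-group view: the services that would share one svchost.exe process
$findings | Sort-Object Group, Service |
    Format-Table -AutoSize Group, Service, ListedInGroup, PathIsSystem32

# Anomalies only: unknown group, service missing from its group, or svchost.exe outside system32
$findings | Where-Object { -not $_.ListedInGroup -or -not $_.PathIsSystem32 } |
    Format-List Service, Group, ImagePath
```

Run it from an elevated prompt if your account cannot read every service key; on a clean system the anomaly list should be empty.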