Jump to content

Windows Services

Recommended Posts

Windows Services

The following is a list of various types of information related to Windows Services that were compiled from various resources around the Web by AdvancedSetup
Many articles being from Microsoft knowledge base articles and forum posts so that a comprehensive presentation of knowledge about Windows Services would be available in a single resource.

Though not able to verify all information it is believed to be generally accurate.

Windows Services are one of the key components of Windows that allows the Windows Operating System to function.  Though technically possible to run Windows without services it would not run well or be easily managed.  Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions.
They allow applications to run with or without a specific user logged onto the system.  They can run under different local or network credentials to perform various tasks.

Start Wikipedia quoted

Service Control Manager (SCM) is a special system process under Windows NT family of operating systems, which starts, stops and interacts with Windows service processes. It is located in %SystemRoot%\System32\services.exe executable. Service processes interact with SCM through a well-defined API, and the same API interface is used internally by the interactive Windows service management tools such as the MMC snap-in Services.msc and the command-line Service Control utility sc.exe.

The SCM executable, Services.exe, runs as a Windows console program, and is launched by the Wininit process early during the system startup. Its main function, SvcCtrlMain(), launches all the services configured for automatic startup. First an internal database of installed services is initialized by reading the following two registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List containing the names and order of service groups. Each service's registry key contains an optional Group value which governs the order of initialization of a respective service or a device driver, with respect to other service groups.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services which contains the actual database of services and device drivers and is read into SCM's internal database. SCM reads every service's Group value as well as load-order dependencies from their DependOnGroup and DependOnService registry keys.

In the next step, SCM's main function SvcCtrlMain() calls the function ScGetBootAndSystemDriverState() function which checks whether the device drivers that should be started during the boot or system startup were successfully loaded, and those that have failed to do so are stored in a list called ScFailedDrivers. Then a named pipe \Pipe\Ntsvcs is created as a remote procedure call interface between the SCM and the SCPs (Service Control Processes) that interact with specific services.

Next, it calls the ScAutoStartServices() function which loops through all the services marked as auto-start, paying attention to the calculated load-order dependencies. In case of a circular dependency an error is noted and the service depending on a service that belongs to a group coming later in the load order is skipped. For delayed auto-start services, grouping has no effect, and those are loaded at a later stage of system startup.

For each service it wants to start, the SCM calls the ScStartService() function which checks the name of the file that runs the service's process, ensuring that the account specified for the service is same as the account that the service process runs in. Every service that does not run in the System account is logged in by calling the LSASS function LogonUserEx(), for which LSASS process looks up "secret" passwords stored in the HKLM\SECURITY\Policy\Secrets\ registry key, which were stored by the SCP using the LsaStorePrivateData() API, when the service was originally configured.

Next, the ScLogonAndStartImage() function is called for every service whose service process has not been already launched. Service processes are created in a suspended state via the CreateProcessAsUser() API. Before the service process' execution is resumed, a named pipe \Pipe\Net\NtControlPipeX (where X is a number incremented for each service iteration) is created which serves as a communication channel between the SCM and the service process. Service process connects to the pipe by calling the StartServiceCtrlDispatcher() function, after which the SCM sends the service a "start" command.

Delayed auto-start services
Delayed auto-start services have been added in Windows Vista, in order to solve the problem of a prolonged system startup, as well as to speed-up the start of critical services that cannot be delayed. Originally the auto-start method of service initialization was designed for essential system services upon which other applications and services depend. The SCM initializes the delayed services only after handling all the non-delayed auto-start services, by invoking the ScInitDelayStart() function. This function queues a delayed (120 seconds by default) work item associated with a corresponding worker thread. Other than being initialized after a delay, there are no other differences between delayed and non-delayed services.

Device drivers
Services whose Type registry value is SERVICE_KERNEL_DRIVER or SERVICE_FILE_SYSTEM_DRIVER are handled specially: these represent device drivers for which ScStartService() calls the ScLoadDeviceDriver() function which loads the appropriate driver (usually a file with an extension .sys) which must be located in the %SystemRoot%\System32\Drivers\ directory. For that purpose, the NtLoadDriver system call is invoked, and the SeLoadDriverPrivilege is added to the SCM's process.

Network drive letters
SCM provides an additional functionality completely unrelated to Windows services: it notifies GUI applications such as the Windows Explorer when a network drive-letter connection has been created or deleted, by broadcasting Windows messages WM_DEVICECHANGE.

In the Windows NT family of operating systems, svchost.exe (Service Host, or SvcHost) is a system process which hosts multiple Windows services.[1] Its executable image, %SystemRoot%\System32\Svchost.exe or %SystemRoot%\SysWOW64\Svchost.exe (for 32-bit services running on 64-bit systems) runs in multiple instances, each hosting one or more services. It is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption.

  • Implementation
    Services run in SvcHost are implemented as dynamically-linked libraries (DLLs). Such service's registry key must have a value named ServiceDll under the Parameters subkey, pointing to the respective service's DLL file. Their ImagePath definition is of the form %SystemRoot%\System32\svchost.exe -k netsvcs: all the services sharing the same SvcHost process specify the same parameter, having a single entry in the SCM's database. The first time that a SvcHost process is launched with a specific parameter, it looks for a value of the same name under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key, which it interprets as a list of service names. Then, it notifies the SCM of all the services that it hosts. SCM doesn't launch a second SvcHost process for any of those received services: instead, it simply sends a "start" command to the respective SvcHost process containing the name of the service that should be launched within its context, and whose respective DLL SvcHost loads.
    Grouping multiple services into a single process conserves computing resources. However, if one of the services causes an unhandled exception, the entire process may crash. In addition, identifying component services can be more difficult for end users. In Windows NT 5.1 (XP) and later editions, the tasklist command with the /svc switch includes a list of component services in each process. In Windows 6.0 (Vista) and later, a "Services" tab in Windows Task Manager includes a list of services and their groups and Process IDs (PIDs). Microsoft's Sysinternals Process Explorer also provides information about services running under svchost.exe processes.
  • Security issues
    Because svchost.exe is used as a common system process, some malware often uses a process name of "svchost.exe" to disguise itself. Determining the image path of a process, and its invoking command line, can help identify software masquerading in this way, and help locate the actual program file which is running under the assumed process name of "svchost.exe" (Windows allows multiple processes to all display the same name). Some malware inject a .dll file into the authentic svchost process, for example Win32/Conficker worm

End Wikipedia quoted

SCM maintains a database of all installed services, including a list of all services and device drivers that must be loaded, in order for Windows to start successfully
The services database contains a key for each installed service and driver list here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
The maximum service name length is 256 characters. The name is case-preserved in SCM. Display name comparisons are always case-insensitive.

The Service Control Manager locks the services database during initialization in order to serialize access to the configuration information and prevent changes during a service start.
You cannot start an auto-start or demand-start service if the service depends on a disabled service or is itself disabled.  You must first set it to auto or demand and then you can start the service.

NOTE: If you notice startup problems after disabling a service, do not log on to Windows. Instead, you should reboot the system with the last known good configuration to discard the most recent changes to the service configuration.
Windows stores the last known good configuration in the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001 registry key and updates this key every time you log on successfully to the operating system. When you log on to Windows with an incorrect configuration, you apply the incorrect settings to the last known good configuration.

Regardless of which tool is used to manage a service the SCM performs the following sequential steps to start a service:

  • 1. Retrieves the account information stored in the services database
    The user name and password of the service account are specified at the time the service is installed. SCM stores the user name in a REG_SZ registry value named ObjectName within the Registry key of the individual service (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service name="">). The password is in a secure portion of Local Security Authority (LSA). You can change the service account in the Services tool, using the Log On tab.
  • 2. Logs on the service account
    All active processes must have an identity in Windows, and service applications are no exception. When starting a service, SCM uses the account information obtained from the services database and logs on to Windows. On the local computer, the account that SCM uses to log on must have the special user right Log on as a service.
    NOTE: The LocalSystem account has the Log on as a service right implicitly, because this account has complete access to all local resources.
  • 3. Creates the service in suspended state
    SCM starts new services in a suspended state, because the service is useful only after SCM adds the required security information to the new process.
  • 4. Assigns the access token to the process
    Every process executed in Windows requires an access token, also referred to as a logon token. The access token is an object that describes the service's security context. The information in the token includes the identity and privileges of the service account that the service uses to interact with the operating system.
  • 5. Allows the process to execute
    After it completes the logon procedure and assigns the access token, SCM can allow the service to run and perform its functions.

SCM performs the following sequential steps when stopping a service:

  • 1. SCM receives a stop request for a service
    A service control program can stop a service using a service control function by sending a SERVICE_CONTROL_STOP request to the service through SCM.
  • 2. SCM examines the service dependencies
    If SCM determines that other services are running that are dependent on the service specified in the stop request, SCM returns an error code to the service control program. Before it triggers the stop procedure, the service control program must enumerate and stop all services that depend on the specified service. For example, the Services tool displays a Stop Other Services dialog box, which asks if you want to stop all dependent services as well. SC.exe, however, simply reports the failure code and states that the service cannot be stopped, because other active services depend on it.
  • 3. SCM forwards the stop request to the service
    If it detects no dependent active services, SCM instructs the specified service to stop by forwarding the stop code to the service. The service must now free its allocated resources and shut down.

When a service is running, it sends status notifications to the SCM process. SCM maintains this status information in the service record for each service. SCM tracks this information so that it does not mistakenly send control requests that do not conform to the recipient service's current state.
The service status information includes:

  • Service Type   A service can be a file system driver, device driver, or a Windows service, and can run its own process or share a process with other services. System Attendant is an example of a service that runs its own process. The SMTP service, however, is a service that shares a process with other services that are integrated with Internet Information Services (IIS).
  • Current state   The service state can be starting, running, paused, stopping, or not running.
  • Acceptable control codes   Theses are the control codes that the service is able to accept and process in its handler function, according to the current state.
  • Windows exit code   The service uses this code to report an error that occurs when it is starting or stopping. To return an error code specific to the service, the service must set this value to ERROR_SERVICE_SPECIFIC_ERROR to indicate that additional information can be found in the service exit code. The service sets this value to NO_ERROR when it is running or stopping properly.
  • Service exit code   The service uses this code to report an error when it is starting or stopping. The value is ignored unless the Windows exit code is set to ERROR_SERVICE_SPECIFIC_ERROR.
  • Wait hint   The service uses this code to report the estimated time, in milliseconds, required for a pending start, stop, pause, or continue operation.
  • Checkpoint   The service uses this value to periodically report its progress during a lengthy start, stop, pause, or continue operation. For example, the Services tool uses this value to track the progress of the service during start and stop operations.

The LocalSystem account (NT AUTHORITY\LocalSystem) always exists and has a random hexadecimal number as the password. This password changes automatically every seven days.  LocalSystem has complete access to local resources.

LocalSystem enables access to local resources only
When a service runs under the LocalSystem account, it can access only local resources, unless another account is used for network access. Therefore, services that run under LocalSystem use the NetworkService account for network access. The name of the account is NT AUTHORITY\NetworkService. This account does not have a password.
The NetworkService account corresponds to the computer account of the local computer in the domain.
Computer accounts by default have very few privileges and do not belong to any groups. The default configuration for computer accounts permits only minimal access to Active Directory.

Local System account
The Local System account is a powerful account that has full access to the computer and acts as the computer on the network. If a service uses the Local System account to log on to a domain controller, that service has access to the entire domain. Some services are configured by default to use the Local System account, and this should not be changed. The Local System account does not have a user-accessible password.

Local Service account
The Local Service account is a built-in account that is similar to an authenticated user account. It has the same level of access to resources and objects as members of the Users group. This limited access helps to safeguard your computer if individual services or processes are compromised. Services that use the Local Service account access network resources as a null session with anonymous credentials. The name of this account is NT AUTHORITY\Local Service, and it does not have a user-accessible password.

Network Service account
The Network Service account is also a built-in account that is similar to an authenticated user account. Like the Local Service account, it has the same level of access to resources and objects as members of the Users group, which helps to safeguard your computer. Services that use the Network Service account access network resources with the credentials of the computer account. The name of the account is NT AUTHORITY\Network Service, and it does not have a user-accessible password.

There are a few ways to manage or control a Windows service - listed are some of the more common methods.

  • SERVICES.MSC is the most common method of accessing the Services to manage them using a Graphical User Interface and is available on all Windows NT versions.
  • SC is also very commonly used and is a command line program used for communicating with the Service Control Manager and services.
    • sc query:
    • Information about services and drivers can be obtained with this command. Used alone it returns a list of running services with various information about the service.
      Lists can be redirected to a text file.
    • To create a text list of running services use the command sc query > serviceslist.txt    The path for the text file serviceslist.txt can be anywhere that is convenient.
    • To create a list of all services, use sc query type= service state= all > allserviceslist.txt
    • To create a list of active drivers, use sc query type= driver

SC Commands

  • SC boot : Indicates whether the last boot should be saved as the last-known good boot configuration.
  • SC config : Modifies the value of a service's entries in the registry and in the Service Control Manager database.
  • SC continue : Sends a CONTINUE control request to a paused service.
  • SC control : Sends a control to a service.
  • SC create : Creates a subkey and entries for the service in the registry and in the Service Control Manager database.
  • SC delete : Deletes a service subkey from the registry.
  • SC description : Sets the description string for a service.
  • SC enumdepend : Lists the services that cannot run unless the specified service is running.
  • SC failure : Specifies one or more actions to be taken if a particular service fails.
  • SC failureflag : Specifies whether to trigger recovery actions when a service stops as the result of an error.
  • SC getdisplayname : Gets the display name associated with a particular service.
  • SC getkeyname : Gets the key name associated with a particular service, using the display name as input.
  • SC interrogate : Sends an INTERROGATE control request to a service.
  • SC lock : Locks the Service Control Manager's database.
  • SC pause : Sends a PAUSE control request to a service.
  • SC qc : Queries the configuration information for a service.
  • SC qdescription : Displays a service's description string.
  • SC qfailure : Displays the actions that will be performed if the specified service fails.
  • SC query : Obtains and displays information about the specified service, driver, type of service, or type of driver.
  • SC queryex : Obtains and displays detailed information about the specified service, driver, type of service, or type of driver.
  • SC querylock : Queries and displays the lock status for the Service Control Manager database.
  • SC sdset : Sets a service's security descriptor, using Security Descriptor Definition Language (SDDL).
  • SC sdshow : Displays a service's security descriptor, using SDDL.
  • SC start : Starts a service.
  • SC stop : Sends a STOP control request to a service.

Configure how a service is started

  • Configure how a service is started from the command line
  • Syntax: sc configservice namestart= {boot|system|auto|demand|disabled}
  • sc config : Modifies the value of a service's entries in the registry and in the Service Control Manager's database.
  • service name : Specifies the short name of the service.
  • start= : Specifies the start type for the service.
  • boot : A device driver that is loaded by the boot loader.
  • system : A device driver that is started during kernel initialization.
  • auto : A service that automatically starts each time the computer is restarted and runs even if no one logs on to the computer.
  • demand : A service that must be manually started. This is the default value if start= is not specified.
  • disabled : A service that cannot be started. To start a disabled service, change the start type to one of the other values.

In most cases, it is recommended that you not change the Allow service to interact with desktop setting. If you allow the service to interact with the desktop, any information that the service displays on the desktop will also be displayed on an interactive user's desktop. A malicious user could then take control of the service or attack it from the interactive desktop.

Link to post

Registry Entries for Services - (Based on JSI tip)

If needed you can obtain the Default service registry exports available for Windows XP, Vista, Win 7, and Win 8 from: Bleepingcomputer

Contains sub-keys for services and device drivers. The following value entries appear in most sub-keys:

ErrorControl is a type REG_DWORD which specifies how to proceed if the driver fails to load or to initialize properly:
Value Description

  • 0 - Ignore: If the driver fails to load or initialize, startup proceeds, and no warning message appears.
  • 1 - Normal: If the driver fails to load or initialize, startup proceeds, but a warning message appears.
  • 2 - Severe: If the driver fails to load or initialize, declares the startup as having failed and restarts by using the LastKnownGood control set. If startup is already using the LastKnownGood control set, continues startup.
  • 3 - Critical: If the driver fails to load or initialize, declares the startup as having failed and restarts by by using the LastKnownGood control set. If startup is already using the LastKnownGood control set, stops startup and runs a debugging program.

ImagePath is a type REG_EXPAND_SZ that contains the full path to the executable. This entry is not used for network adapters.
ObjectName is a type REG_DWORD which contains the account name for services or the driver object that the I/O manager uses to load the device driver.
Start is a type REG_DWORD which specifies how the service is loaded or started. If the service is a Win32 service, the value of Start must be 2, 3, or 4. This value entry is not used for network adapters.
Value Description

  • 0 - Boot: Loaded by kernel loader. Components of the driver stack for the boot (startup) volume must be loaded by the kernel loader.
  • 1 - System: Loaded by I/O subsystem. Specifies that the driver is loaded at kernel initialization.
  • 2 - Automatic: Loaded by Service Control Manager. Specifies that the service is loaded or started automatically.
  • 3 - Manual: The service does not start until the user starts it manually, such as by using Services or Devices in Control Panel.
  • 4 - Disabled: Specifies that the service should not be started.

Type is a type REG_DWORD that specifies what this object represents:
         Value Description

  • 1 - A kernel-mode device driver.
  • 2 - A file system driver.
  • 4 - A set of arguments for an adapter.
  • 8 - A file system driver service, such as a file system recognizer.
  • 16 (0x10) - A Win32 program that runs in a process by itself. This type of Win32 service.can be started by the Service Controller.
  • 32 (0x20 - A Win32 program that shares a process. This type of Win32 service can be started by the Service Controller.
  • 272 (0x110) - A Win32 program that runs in a process by itself (like Type16) and can interact with users.
  • 288 (0x120) - A Win32 program that shares a process and can interact with users.

Service Groups

  • A Service Group is a collection of similar services that are loaded together at startup.
  • Most services that appear in the HKEY_LOCAL_MACHINE\CurrentControlSet\Services subkey are part of a Service Group. Windows NT loads one Service Group at a time. Services that are not in a group are loaded after all Service Groups are loaded.
  • The HKEY_LOCAL_MACHINE\CurrentControlSet\Control\ServiceGroupOrder subkey determines the order in which Service Groups are loaded. The List value is a REG_MULT_SZ entry that specifies the Service Group order.


  • The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GroupOrderList subkey determines the order in which services within a Service Group are loaded. Services in a Service Group are assigned a tag, a unique numeric value within a Service Group which determines the service load order. Each value entry in GroupOrderList represents a Service Group. The value of the entry is a series of tags in a specified order. The first entry in this REG_BINARY value is the number of services in the group, followed by the tags in load sequence. If you look at PointerPort you can see that there are 3 services in the group and that the service with tag 02 is loaded first, followed by the service with tag 01 and then tag 03.
  • Description
    The GroupOrderList subkey stores the order in which services in a service group are loaded when the system starts.
    Services in a service group are assigned a tag. A tag is a numeric value that is unique within a service group. When the system loads a service group, it loads the services in the order in which their tags appear in the GroupOrderList entry for that service group.
    Each entry in the GroupOrderList subkey represents a service group. The value of the entry contains the number of tags, followed by a series of tags in a specified order. All entries have the same format:
  • Service group name
    Number of tags
    For example,

    The value in this example determines the order in which the three services in the PointerPort service group are loaded. The first significant digit, 3, indicates that the value of the entry contains three tags. The remaining significant digits, 2, 1, and 3, indicate that the service assigned tag 2 will load first in that group, followed by the service assigned tag 1, and then the service assigned tag 3.

    The value of Tag specifies a number that is unique within the group of which the service is a member.
    The related GroupName entry under the Control\GroupOrderList subkey
    specifies a list of tags, in load order.

    For example, the following services that are members of the Primary Disk
    group could have these values: Tag=4 for the Abiosdsk subkey, Tag=2 for
    Atdisk, Tag=1 for Cpqarray, and Tag=3 for Floppy. The value for Primary
    Disk under the GroupOrderList subkey will use these Tag values to specify
    the defined order for loading these services. As another example, each SCSI
    miniport service has a unique Tag value that is used as an identifier in
    the SCSI miniport value under the GroupOrderList subkey to define which
    SCSI adapter to load first.
  • To find the services in any service group, use Regedit.exe to open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services On the Edit menu, click Find, type the name of the service group, and select only the Data check box. Press F3 to find other services in the service group.
  • To find the service group and tag number of any service, open the subkey representing the service in \CurrentControlSet\Services Click Group to find its service group, and click Tag to find its tag number.

At a service level, the HKEY_LOCAL_MACHINE\CurrentControlSet\Services\ServiceName subkeys contain:

  • Group     - this REG_SZ specifies the Service Group name that a service belongs to.
  • tag             - this REG_DWORD specifies the service load sequence.
  • DependOnGroup   - this REG_MULTI_SZ entry defines the Service Groups which must be loaded succesfully before this service loads.
  • DependOnService - this REG_MULTI_SZ entry defines services that must be loaded successfully before this service loads.


Configuring Service start up order in WinNT
You can configure the start up of a service based on the completion of one or more services. To do this, edit:


Scroll to the 1st service you want to control and highlight it. If the right hand pane contains a DependOnService, double click it and add a service. If DependOnService is not present, add value DependOnService with type REG_MULTI_SZ. If you wish to add multiple values, each one should be on a separate line.
If you have RemoteAccess installed, double click its' DependOnService. You will see that it depends on LanmanServer, RasMan, NetBios, and NetBT. Then look at NetBT. You can see that it depends on Tcpip. Finally, looking at Tcpip, we see that it depends on no other service.



HKLM\SYSTEM\CurrentControlSet\Services\ service-name
Data type
Default value
Service group name
(There is no default value for this entry.)
Specifies the name of the service group to which the service belongs. If this entry does not appear in the registry, the service does not belong to a service group. As a result, it will be loaded after all services in service groups are loaded.
This information is presented for reference only. You cannot change the service group of a service by editing this entry. To change the value of this entry, use the ChangeServiceConfig API or Sc.exe, a tool in the Windows 2000 Resource Kit.

The following are some of the most common dependencies that already exist in a default configuration:

Service      Depends on--------------------------------Alerter      LanmanWorkstationBrowser      LanmanWorkstation, LanmanServer, LmHostsClipSrv      NetDDEDHCP         Afd, NetBT, TCP/IPMessenger    LanmanWorkstation, NetBIOSNetBT        TCP/IPNetDDE       NetDDEDSDMNetLogon     LanmanWorkstation, LmHostsParallel     ParportReplicator   LanmanServer, LanmanWorkstation

Appendix D: Group and Service Dependencies (archived data for older systems)

The other aspect that you should be aware of is that the GroupOrderList is only used during Boot Start (0x01) and System Start (0X02). Services that are part of the Auto Load (0x03) phase are loaded in parallel.

The ImagePath value (of type REG_EXPAND_SZ), gives the registrar the ability to identify the path and filename of the service to be loaded. However, the use of this key has some restrictions. Drivers that have a Start value of either Boot Start (0x01) or System Start (0x02) must reside in the %SYSTEMROOT%\SYSTEM32\Drivers directory. Drivers that have any other Start value can reside in any directory on the local disks or network drives and are not supported.




Link to post

Driver Start Types
A kernel-mode driver's start type specifies whether the driver is to be loaded during or after system startup. There are five possible start types:

  • SERVICE_BOOT_START (0x00000000)
    Indicates a driver started by the operating system (OS) loader. File system filter drivers commonly use this start type or SERVICE_DEMAND_START. On Microsoft Windows XP and later systems, filters must use this start type in order to take advantage of the new file system filter load order groups.
  • SERVICE_SYSTEM_START (0x00000001)
    Indicates a driver started during OS initialization. This start type is used by the file system recognizer. Except for the file systems listed below under "SERVICE_DISABLED," file systems (including network file system components) commonly use this start type or SERVICE_DEMAND_START. This start type is also used by device drivers for PnP devices that are enumerated during system initialization but not required to load the system.
  • SERVICE_AUTO_START (0x00000002)
    Indicates a driver started by the Service Control Manager during system startup. Rarely used.
  • SERVICE_DEMAND_START (0x00000003)
    Indicates a driver started on demand, either by the PnP Manager (for device drivers) or by the Service Control Manager (for file systems and file system filter drivers).
  • SERVICE_DISABLED (0x00000004)
    Indicates a driver that is not started by the OS loader, Service Control Manager, or PnP Manager. Used by file systems that are loaded by a file system recognizer (except when they are the boot file system) or (in the case of EFS) by another file system. Such file systems include CDFS, EFS, FastFat, NTFS, and UDFS. Also used to temporarily disable a driver during debugging.

Driver Load Order Groups
Within the SERVICE_BOOT_START and SERVICE_SYSTEM_START start types, the relative order in which drivers are loaded is specified by each driver's load order group.

  • Drivers whose start type is SERVICE_BOOT_START are called boot (or boot-start) drivers. On Microsoft Windows 2000 and earlier systems, most filters that are boot drivers belong to the "filter" group. On Microsoft Windows XP and later systems, filters that are boot drivers generally belong to one of the new FSFilter load order groups. These load order groups are described in detail in Load Order Groups for File System Filter Drivers.
  • Driver whose start type is SERVICE_SYSTEM_START are also loaded in the order of the load order groups to which they belong. However, no system-start driver is loaded until after all boot drivers have been loaded.
    Note: Load order groups are ignored for drivers whose start type is SERVICE_AUTO_START, SERVICE_DEMAND_START, or SERVICE_DISABLED.
  • A complete, ordered list of load order groups can be found under the ServiceGroupOrder subkey of the following registry key:
  • The same load group ordering is used for SERVICE_BOOT_START and SERVICE_SYSTEM_START drivers. However, all SERVICE_BOOT_START drivers are loaded and started before any SERVICE_SYSTEM_START drivers are loaded.

Specifying Load Order Group

A driver writer can specify the load order group for a driver at installation time in either of the following ways:

  • By specifying the desired load order group for the LoadOrderGroup entry in the service-install-section referred to by an AddService directive in the driver's INF file. This method is described in ServiceInstall Section.
  • By passing the desired start type for the lpLoadOrderGroup parameter when calling CreateService or ChangeServiceConfig from a user-mode installation program. This method is described in the reference entries for CreateService and ChangeServiceConfig in the Microsoft Windows SDK documentation.

Every file system filter driver developed to the Filter Manager model (a minifilter) must have a unique identifier called an altitude. The altitude of a minifilter defines its position relative to other minifilters in the I/O stack when the minifilter is loaded. The altitude is an infinite-precision string interpreted as a decimal number. A minifilter that has a low numerical altitude is loaded below a minifilter that has a higher numerical value in the I/O stack.
Each load-order group has a defined range of altitudes. Allocation of altitudes to minifilters is managed by Microsoft.

File System Minifilter Allocated Altitudes

The Malwarebytes MBAMProtector is listed here in the Registry using 328800 as it's Microsoft assigned altitude.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MBAMProtector\Instances\MBAMProtector Instance

Link to post

Though most services are important, here are a few of some of the more important services of the system - (not a complete list)

  • Base Filtering Engine The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.
  • COM+ Event System Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
  • COM+ System Application  Manages the configuration and tracking of Component Object Model (COM)+-based
  • Cryptographic Services  Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
  • DCOM Server Process Launcher The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not function properly. It is strongly recommended that you have the DCOMLAUNCH service running.
  • EventLog   This service enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
  • Plug and Play Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
  • Protected Storage Provides protected storage for sensitive data, such as passwords, to prevent access by unauthorized services, processes, or users.
  • Remote Procedure Call (RPC)   This service enables the RPC endpoint mapper to support RPC connections to the server. This service also serves as the Component Object Model (COM).
    RPCs and lightweight remote procedure calls (LRPCs) are important inter-process communication mechanisms. LRPCs are local versions of RPCs.
  • Server  This service enables file and printer sharing and named pipe access to the server through the server message block (SMB) protocol.
  • Workstation   This service is the counterpart to the server service. It enables the computer to connect to other computers on the network based on the SMB protocol.
  • Security Accounts Manager  The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests.  Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.
  • Security Center The WSCSVC (Windows Security Center) service monitors and reports security health settings on the computer.  The health settings include firewall (on/off), antivirus (on/off/out of date), antispyware (on/off/out of date), Windows Update (automatically/manually download and install updates), User Account Control (on/off), and Internet settings (recommended/not recommended). The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service.  The Action Center (AC) UI uses the service to provide systray alerts and a graphical view of the security health states in the AC control panel.  Network Access Protection (NAP) uses the service to report the security health states of clients to the NAP Network Policy Server to make network quarantine decisions.  The service also has a public API that allows external consumers to programmatically retrieve the aggregated security health state of the system.
  • Task Scheduler Enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
  • User Profile Service This service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users will no longer be able to successfully logon or logoff, applications may have problems getting to users' data, and components registered to receive profile event notifications will not receive them.
  • Windows Installer Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
  • Windows Time Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
  • Windows Management Instrumentation   This service provides a standard interface and object model for accessing management information about the computer hardware and software.

How to debug Windows services
For the more advanced technicians, please see the following Microsoft KB article for step-by-step instructions on using WindDbg to debug a service: How to debug Windows services

DebugView by Microsoft Sysinternals is another debugging tool that is easier for most users to use (canned message by Samuel)

The tool and instructions can be found on this page

Create a DebugView Log:

  • Download DebugView by Microsoft Sysinternals from here and save it to your desktop
  • Double-click on DebugView.exe to run it Note: If using Windows Vista or Windows 7 you must right-click on it and choose Run as administrator
  • Click on Capture at the top and click once on each of the following so that they are checked:
    • Capture Win32
    • Capture Global Win32
    • Capture Kernel
    • Enable Verbost Kernel Output
    • Pass-Through
    • Capture Events
  • Click on File at the top and select Log to File As...
  • In the box that pops up, click on the ... button to the right of where it says Log File:
  • Browse to your Desktop and name the log MBAM Debug and click on Save
  • Make certain that Unlimited Log Size is selected and click on OK
  • insert whatever task the user is to perform here
  • Once that is complete, close DebugView and right-click on the MBAM Debug.log file now located on your desktop and hover your mouse over Send to and choose Compressed (zipped) folder
  • Attach the MBAM Debug.zip file you just created to your next reply

Further information about Windows Services on Microsoft Technet


Service State Transitions
Service Structures

The service is not running.

The service is starting.

The service is stopping.

The service is running.

The service continue is pending.

The service pause is pending.

The service is paused.


Link to post
  • celee unpinned this topic
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.