System Services

Applies To: Windows Server 2008

System services are programs that load automatically either as part of an application's startup process or the operating system startup process to support the different tasks required of the operating system. In recent years, services have been an attractive target for creators of malicious software, such as viruses, who want to attack the Windows® operating systems. Examples of viruses that exploit core Windows services include Blaster, Sasser, and Code Red. There are a number of reasons for this situation:

  • Services are typically long-running. Often, they start when the system starts and stop when it shuts down.

  • Services are often network-facing, making them especially vulnerable to remote attacks.

  • Services typically run in a high-privilege account such as LocalSystem.

For Windows Vista® and Windows Server® 2008, some enhancements were made to the core services to accomplish the following goals:

  • Limiting access to services by user applications. Session 0 isolation requires services and user applications to run in separate sessions.

  • "Hardening" services to limit the ability of a compromised service to damage a system. There are two complementary ways to accomplish this goal:

    • Running with least privilege allows services to run with only those privileges that they require, and nothing more.

    • Service isolation allows services to be isolated from other services or applications by using a unique service identity, which restricts access to its resources by other services or applications. The service identity also can restrict the service's access to the resources of other services or applications. For example, service isolation allows an antivirus service to maintain exclusive access to its signature definition files.

This section of this guide identifies the function and purpose of commonly used services and explains which services are enabled in Windows Server 2008 and Windows Vista.

When you first install Windows Server 2008 or Windows Vista, some services are installed and configured to run by default when the computer starts. There are fewer services installed by default in a Server Core installation of the Windows Server 2008 operating system than in a default full installation of Windows Server 2008, and it supports a limited subset of roles and services and has a smaller attack surface than the default Windows Server 2008 installation. By default, Windows Server 2008 is installed without any server roles enabled and with a minimum number of services running. You should install only the server roles and features required for the workload of each server. Even with this reduction in default services, your server may not need all of the services installed by default in your environment, and you should disable any unneeded services to enhance security.

You can configure the system services settings in the following location within the Group Policy Management Console:

Computer Configuration\Windows Settings\Security Settings\System Services\

Windows Server 2008 Services Overview

A service must log on to access resources and objects in the operating system, and most services are not designed to have their default logon account changed. If you change the default account, it is likely that the service will fail. If you select an account that does not have permission to log on as a service, the Services snap-in automatically grants that account the ability to log on as a service on the computer. However, this automatic configuration does not guarantee that the service will start. Windows Server 2008 includes three built-in local accounts that it uses as the logon accounts for various system services:

  • Local System account. The Local System account is a powerful account that has full access to the computer and acts as the computer on the network. If a service uses the Local System account to log on to a domain controller, that service has access to the entire domain. Some services are configured by default to use the Local System account, and this should not be changed. The Local System account does not have a user-accessible password.

  • Local Service account. The Local Service account is a built-in account that is similar to an authenticated user account. It has the same level of access to resources and objects as members of the Users group. This limited access helps to safeguard your computer if individual services or processes are compromised. Services that use the Local Service account access network resources as a null session with anonymous credentials. The name of this account is NT AUTHORITY\Local Service, and it does not have a user-accessible password.

    The Local Service account supports the following privileges by default.

    Privilege Description

    SeAssignPrimaryTokenPrivilege

    Replace a process-level token

    SeIncreaseQuotaPrivilege

    Adjust memory quotas for a process

    SeAuditPrivilege

    Generate security audits

    SeChangeNotifyPrivilege

    Bypass traverse checking

    (This privilege is inherited through membership in the Everyone group.)

    SeNetworkLogonRight

    Access this computer from the network

    (This privilege is inherited through membership in the Everyone group.)

    SeBatchLogonRight

    Log on as a batch job

  • Network Service account. The Network Service account is also a built-in account that is similar to an authenticated user account. Like the Local Service account, it has the same level of access to resources and objects as members of the Users group, which helps to safeguard your computer. Services that use the Network Service account access network resources with the credentials of the computer account. The name of the account is NT AUTHORITY\Network Service, and it does not have a user-accessible password.

    The Network Service account supports the following privileges by default.

    Privilege Description

    SeAssignPrimaryTokenPrivilege

    Replace a process-level token

    SeIncreaseQuotaPrivilege

    Adjust memory quotas for a process

    SeAuditPrivilege

    Generate security audits

    SeChangeNotifyPrivilege

    Bypass traverse checking

    (This privilege is inherited through membership in the Everyone group.)

    SeNetworkLogonRight

    Access this computer from the network

    (This privilege is inherited through membership in the Everyone group.)

    SeInteractiveLogonRight

    Log on as a service

    SeImpersonatePrivilege

    Impersonate a client after authentication

Windows Vista Services Overview

In previous versions of Windows, system services commonly ran by using the Local System account, the most powerful account on the system. This made such services attractive targets for creators of malicious software such as viruses. Ideally, service developers should limit their damage potential by developing services to run using a lower-privilege account such as Local Service or Network Service. However, many services require at least some privileges that only Local System supports. The all-or-nothing model that was used in versions earlier than Windows Vista meant that a service that required any Local System privileges had to also include all other Local System privileges. This often meant including privileges that the service did not require, creating an unnecessarily high damage potential.

Windows Vista addresses this issue by allowing services to run with least privilege. Services are no longer restricted to the default set of privileges that are supported by a standard account. Instead, services can select an account that has the privileges that they require and then remove all other unnecessary privileges. This feature can be used for any type of service account: Local Service, Network Service, Local System, a domain, or a local account.

Services specify their required privileges when registering with the Service Control Manager (SCM), which grants a set of privileges to the service that is stored in the process token for the service. The privilege check uses one of the following methods:

  • For stand-alone services, the SCM checks the list of required privileges against the process token. Any that were not specified as required are removed from the token.

  • For shared-process services, such as services hosted in svchost, the list of privileges is the union of the required privileges for all services in the group. The only privileges that the SCM removes from the process token are those that no member of the group has specified as required.

  • If a service does not specify a required set of privileges, the SCM assumes by default that the service requires all of the privileges that are associated with the account. This assures backward compatibility. However, if a service group contains a mixture of services with defined privileges and ones without defined privileges, the entire group runs using the privileges associated with the account.

If a service requires privileges that are not in the process token, the SCM does not start the service. For example, a process that is part of a service group running under the Network Service account could specify SeLoadDriverPrivilege as a required privilege. However other processes in the group did not specify required privileges, so the process token for the group contains only those privileges defined for the Network Service account. SeLoadDriverPrivilege is not supported by a Network Service process token, so the start attempt for that process fails. Administrators must understand this issue when they make configuration changes such as changing the service image of a shared-process service while the target service process is running. The service can start only if the target service process supports the specified privileges.

Service isolation

Many services require access to certain objects that are available only to high-privilege accounts. For example, a service might have to write to a registry key that provides write access only to administrators. Earlier than Windows Vista, services typically gained access to such objects by running in a high-privilege account such as Local System. An alternative approach was to weaken the security on the objects to allow access by services that are running in a generic lower-privilege account.

Both approaches increased the risk that an attacker or malicious software could gain control of the system. The only way for an administrator to mitigate this risk was to create an account specifically for the service and allow access to the objects only for that account. However, this approach created problems of manageability, most notably password management, because the administrator no longer had the advantages of using built-in operating system accounts.

To mitigate this problem, Windows Vista and Windows Server 2008 include service isolation, which provides services a way to access specific objects without having to either run in a high-privilege account or weaken the objects' security protection. For example, service isolation allows an antivirus service to run in a lower-privilege account than Local System but still maintain complete access to its signature definition files or registry keys that would normally be accessible only to administrators.

A service isolates an object for its exclusive use by securing the resource—such as file or registry key access—with an access control entry that contains a service security ID (SID). This ID is referred to as a per-service SID. A per-service SID is derived from the service's name and is unique to that service.

After a SID has been assigned to a service, the service owner can then modify the required objects' access control lists (ACLs) to allow access to the SID. For example, a registry key in HKEY_LOCAL_MACHINE\SOFTWARE would normally be accessible only to services with administrative privileges. By adding the per-service SID to the key's ACL, the service can run in a lower-privilege account but still have access to the key.

If a per-service SID is enabled, it is added to the service's process token. A per-service SID must be enabled at the time the service's process is started to be added to the process token. If a process hosts multiple services with enabled SIDs, all the SIDs of these services are added to the process token. Per-service SIDs also allow a process token to be converted to a restricted token by adding one or more SIDs to the restricted token list.

Restricted SIDs

A per-service SID provides a good degree of isolation and allows the service to run in a lower-privilege account. However, it does not prevent the service from accessing other resources that are accessible to the account because the process token also contains the SID for the account. Consider the following scenario:

Service X runs in the Local Service account and has a service SID enabled. In addition to having access to objects that have specifically granted this service access—by using the per-service SID—it also has access to all objects that grant access to Local Service. As a result, if this service were compromised, the attacker could cause damage by accessing the resources that are not related to the service.

To mitigate this problem and reduce the damage potential of compromised services, Windows Vista and Windows Server 2008 use a hybrid approach that combines write-restricted tokens and per-service SIDs to introduce restricted SIDs for services.

When a service enables a restricted SID, the per-service SID of that service is added to both the normal and restricted SID list of the write-restricted service process token. This ensures that the service can write only to objects that have explicitly granted write access to one of the SIDs in the restricted list. Returning to the preceding example, by enabling restricted SIDs, Service X can no longer write to any objects that grant write access to Local Service account because those objects do not explicitly grant write access to the per-service SID of service X.

Important

If you change the default service settings, key services may not run correctly. It is especially important to use caution if you change the Startup type and Log on as settings of services that are configured to start automatically.

System Service Settings

System services are described differently from the other settings in this guide because the vulnerability, countermeasure, and potential impact statements are almost identical for all services. The following are some general rules for managing system services vulnerabilities, countermeasures, and potential impacts.

For each system service, you can assign a service startup mode through Group Policy. The possible values for these Group Policy settings are:

  • Automatic. Service automatically starts when the computer is restarted.

  • Manual. Service does not start until a program starts it or it is explicitly started by the user.

  • Disabled. The service cannot be started.

  • Not Defined

Vulnerability

Any service or application is a potential point of attack.

Important

Additional services that you enable may depend on other services. Add all of the services that are needed for a specific server role to the policy for the server role that it performs in your organization.

Countermeasure

Disable all unnecessary services.

There are additional optional services available in Windows Server 2003, such as Certificate Services, that are not installed during a default installation of the operating system.

You can add these optional services to an existing computer through Add/Remove Windows Components in Control Panel or the Windows Server 2003 Configure Your Server Wizard. You can also create a customized automated installation of Windows Server 2003. In the Member Server Baseline Policy (MSBP) that is described in the Windows Server 2003 Security Guide (https://go.microsoft.com/fwlink/?LinkId=14845), these optional services and all unnecessary services are disabled.

Another way to manage service security is to configure an ACL for each service with a user-defined list of accounts. This method provides a way to control the start of the service and access to the running service.

Do not set permissions on service objects

There are graphical user interface (GUI)–based tools that you can use to edit services. We recommend that you not alter the permissions on services that are included with Windows Vista or Windows Server 2008 because the default permissions are already quite restrictive.

To modify the properties of system services, you can use the following tools as appropriate:

  • Use the Security Configuration Wizard provided with Windows Server 2008. We recommend this approach when you must configure services and network port filters for various Windows Server 2008 server roles.

  • Run the Security Templates snap-in or Local Group Policy Editor on a server that runs with Windows Server 2008. We recommend this approach when you must configure services for security templates or Group Policy settings that are applied to Windows Vista.

Potential impact

If some services (such as the Security Accounts Manager) are disabled, you cannot restart the computer. If other critical services are disabled, the computer may be unable to authenticate with domain controllers. If you want to disable some system services, you should test the changed settings on nonproduction computers before you change them in a production environment.

Descriptions of System Services

The following subsections describe the services included with Windows Server 2008 and Windows Vista. Each service description includes a list of operating systems on which the service is available.

Note

If a service is not started, other services that depend on that service also fail to start. Therefore, if you change the status of one service, you may affect other seemingly unrelated services. To check the dependencies for a service, in the Services Control Panel or MMC snap-in (services.msc) open the properties sheet of the service, and then click the Dependencies tab.

Application Experience

The Application Experience service (AELookupSvc) is a part of the Application Compatibility Administrator. It processes application compatibility lookup requests for applications as they are started, provides support for Windows Server 2008 and Windows Vista–based computers running programs in compatibility mode, reports on compatibility issues, and automatically applies software updates to programs.

The Application Experience service must be active for application compatibility software updates to be applied. You cannot customize this service; the operating system uses it internally. This service does not use any network, Internet, or Active Directory® Domain Services (AD DS) resources.

If you disable the Application Experience service, the service continues to run, but no calls are made to the service. You cannot stop the actual process.

Application Information

The Application Information service (Appinfo) facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users cannot start applications with the additional administrative privileges that they may require to perform certain user tasks. For example, if this service is disabled, system tools like Services and Regedit cannot run.

To enable this service after it has been disabled, you must start your computer in Safe Mode to get access to the Services snap-in console.

Application Layer Gateway Service

The Application Layer Gateway Service (ALG) is a subcomponent of the Windows networking subsystem. It provides support for third-party plug-ins to allow network protocols to pass through the firewall and work behind Internet Connection Sharing. This service is installed by default but is not started unless an application requests it.

Application Management

The Application Management service (AppMgmt) provides software installation services such as Assign, Publish, and Remove. It processes requests to enumerate, install, and remove applications that are deployed through an organization's network by using Group Policy. When you use Programs and Features to install programs from the network on a domain-joined computer, Windows calls this service to retrieve the list of deployed applications on your network. The service is also called when you use Control Panel to remove an application, or when a component (such as the shell) makes an installation request for an application to handle a file name extension, Component Object Model (COM) class, or ProgID that is not present on the computer. The service is started by the first call that is made to it, and it does not stop after it is started.

If the Application Management service stops or if you disable it, users cannot install, remove, or enumerate applications that are deployed in AD DS. This service is installed by default but is not started unless an application requests it.

Background Intelligent Transfer Service (BITS)

The Background Intelligent Transfer Service is a background file-transfer mechanism and queue manager. BITS transfers files asynchronously between a client and an HTTP server. By default, requests to BITS are submitted and the files are transferred through otherwise idle network bandwidth so that other network-related activities, such as browsing, are not affected.

BITS suspends the transfer if a connection is lost or if the user logs off. The BITS connection is persistent and transfers information while the user is logged off, across network disconnects, and during computer restarts. When the user logs on, BITS resumes the user's transfer job.

BITS uses a queue to manage file transfers. You can prioritize transfer jobs within the queue and specify whether the files are transferred in the foreground or background. Background transfers are optimized by BITS, which increases and decreases (or throttles) the rate of transfer based on the amount of idle network bandwidth that is available. If a network application begins to consume more bandwidth, BITS decreases its transfer rate to preserve the user's interactive experience.

BITS provides one foreground and three background priority levels that you can use to prioritize transfer jobs. Higher priority jobs preempt lower priority jobs. Jobs at the same priority level share transfer time, and round-robin scheduling prevents blockage of the transfer queue by a large job. Lower priority jobs do not receive transfer time until all higher priority jobs are complete or in an error state.

The startup type of BITS is Automatic in Windows Vista and Windows Server 2008.

If BITS stops, features such as Windows Update cannot automatically download programs and other information. This functionality also means that the computer cannot receive automatic updates from the organization's Windows Server Update Services server if one has been configured through Group Policy. If you disable this service, any services that explicitly depend on it fail to transfer files unless they have a fail-safe mechanism to transfer files directly through other methods, such as Windows Internet Explorer®.

Base Filtering Engine

The Base Filtering Engine (BFE) is a service that manages firewall and IPsec policies and implements user mode filtering. Stopping or disabling the BFE service significantly reduces the security of the system. It also results in unpredictable behavior in IPsec management and firewall applications.

The BFE is the core of the new Windows Filtering Platform in Windows Vista and Windows Server 2008 and is required for the following services to start properly:

  • Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) IPsec Keying Modules

  • Internet Connection Sharing (ICS)

  • IPsec Policy Agent

  • Routing and Remote Access

  • Windows Firewall

This service default startup type is Automatic, and the service should not be disabled.

Block Level Backup Engine Service

The Block Level Backup Engine Service (wbengine) performs block level backup and recovery of data. This service is used by the Backup and Restore Center in the Control Panel of Windows Vista and by the Windows Server Backup feature of Windows Server 2008. It allows for backups to occur at the hard disk level, instead of just file by file, in a process similar to disk imaging.

This service startup type is by default Manual.

Certificate Propagation

The Certificate Propagation service (CertPropSvc) propagates certificates from smart cards to resources that request them. The Certification Propagation service applies when a logged-on user inserts a smart card into a reader that is attached to the computer. This action causes the certificates to be read from the smart card. The certificates are then added to the user's personal store.

If the Group Policy "CertPropRootEnabledString" is set, Root Certificates are also propagated to the machine root trust store. Root certificate propagation is responsible for the following specific smart card deployment scenarios, where public key infrastructure (PKI) trust has not yet been established:

  • Joining the domain

  • Accessing a network remotely

In both cases, the computer is not joined to a domain, and, therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server (the domain controller or the RADIUS server). Root certificate propagation provides the ability to use the smart card to include the missing trust chain.

On smart card insertion, the Certificate Propagation service propagates any root certificates on the card to the Smart Card Trusted Roots certificate stores on the local computer. This process establishes a trust relationship with the organization

This service startup type is by default Manual. However, if you have deployed smart cards as part of your authentication policy, we recommend that you configure this setting with the Automatic startup type.

For more information about deploying smart cards with Windows Vista, see "Windows Vista Smart Card Infrastructure" on the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkID=111969).

Certificate Services

The Certificate Services service supports the Active Directory Certificate Services (AD CS) server role as part of Windows Server 2008 to enable a business to act as its own certification authority (CA). It issues and manages digital certificates for applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), IPsec, and smart card logon. Windows Server 2003 supports multiple levels of a CA hierarchy and cross-certified trust network, including offline and online CAs.

The AD CS server role is not installed by default. Administrators must install it through Server Manager, at which time the role service Certificate Services is also installed. If Certificate Services stops or if you disable it after installation, certificate requests are not accepted and certificate revocation lists (CRLs) and delta CRLs are not published. If the service stops long enough for CRLs to expire, existing certificates fail to validate.

Available on:

Windows Server® 2008 Standard operating system

Windows Server® 2008 Enterprise operating system

Windows Server® 2008 Datacenter operating system

Cluster Service

The Cluster service supports the Failover Clustering feature in Windows Server 2008 that controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that work together to provide load-balancing and failover support. Applications that can run on a cluster, such as Microsoft® Exchange Server and Microsoft SQL Server®, use the cluster to present a single virtual computer to users. The cluster software spreads data and computation tasks among the nodes of the cluster. When a node fails, other nodes provide the services and data that were formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data and computation tasks to that node.

There are two different types of cluster solutions for the Windows operating systems that support different application styles: server clusters and Network Load Balancing (NLB) clusters. Server clusters provide a highly available environment for applications that must run reliably for long periods of time (such as databases or file servers), and provide failover support with tightly integrated cluster management. NLB clusters provide a highly available and highly scalable environment for other types of applications such as public-facing Web servers, and load balance client requests among a set of identical servers.

The Cluster service provides support for server clusters. It is the essential software component that controls all aspects of the cluster operation and manages the cluster database. Each node in a cluster runs one instance of the Cluster service.

The Cluster service is not installed or enabled by default. If the Cluster service stops after it is installed, clusters are unavailable.

Available on:

Windows Server 2008 Enterprise

Windows Server 2008 Datacenter

Windows Server® 2008 for Itanium-Based Systems operating system

CNG Key Isolation

The CNG Key Isolation service is hosted in the Local Security Authority (LSA) process as part of system cryptography support. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria, or CC) is an international standard (ISO/IEC 15408) for computer security. Common Criteria is based on a framework in which computer system users can specify their security requirements, vendors can then implement and make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous and standard manner.

The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements. To comply with Common Criteria requirements, the long-lived keys must be isolated so that they are never present in the application process. Cryptography Next Generation (CNG) currently supports the storage of asymmetric private keys by using the Microsoft software key storage provider (KSP) that is included with Windows Server 2008 and Windows Vista, and installed by default.

Key isolation is enabled by default in Windows Server 2008 and Windows Vista. The key isolation feature is not available on operating systems prior to these. Also, non-Microsoft KSPs are not loaded in the key isolation service (LSA process). Only the Microsoft KSP is loaded in the key isolation service.

The LSA process is used as the key isolation process to maximize performance. All access to private keys goes through the key storage router, which exposes a comprehensive set of functions for managing and using private keys.

CNG stores the public portion of the stored key separately from the private portion. The public portion of a key pair is also maintained in the key isolation service and is accessed by using lightweight remote procedure call (LRPC). The key storage router uses LRPC when calling into the key isolation process. All access to private keys goes through the private key router and is audited by CNG.

This service startup type is by default Manual.

COM+ Event System

The COM+ Event System service provides automatic event distribution to COM components that subscribe to it. COM+ events extend the COM+ programming model to support late-bound events or method calls between the publisher or subscriber and the event system. The event system notifies event consumers as information becomes available, and does not repeatedly poll the server.

The COM+ Event System service handles most of the event semantics for the publisher and subscriber. Publishers offer to publish event types, and subscribers request event types from specific publishers. Subscriptions are maintained outside the publisher and subscriber and retrieved when needed, which simplifies the programming model for both. The subscriber is not required to contain the logic in order to build subscriptions—it is possible to build a subscriber as easily as a COM component. The life cycle of the subscription is separate from that of either the publisher or the subscriber. You can build subscriptions before either the subscriber or publisher is made active.

This service is installed by default, but is not started until an application requests its services. When COM+ Event System stops, the System Event Notification service closes and cannot provide logon and logoff notifications. The Volume Shadow Copy Service, which is needed for Windows Backup and backup applications that rely on the Windows Backup API, requires this service.

COM+ System Application

The COM+ System Application service manages the configuration and tracking of COM+ based components. If this service stops, most COM+ based components do not function properly. The Volume Shadow Copy Service, which is needed for Windows Backup and backup applications that rely on the Windows Backup API, requires this service.

This service is installed and enabled by default.

Computer Browser

The Computer Browser service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that must view network domains and resources. Computers that are designated as browsers maintain browse lists, which contain all shared resources that are used on the network. Earlier versions of Windows applications, such as My Network Places, the NET VIEW command, and Windows NT® Explorer, all require browsing capability. For example, if you open My Network Places on a Windows 95–based computer, a computer that is designated as a browser generates the list of domains and computers that displays.

There are several different roles a computer might perform in a browsing environment. Under some conditions, such as failure or shutdown of a computer that is designated for a specific browser role, browsers or potential browsers may change to a different operational role.

The Computer Browser service is enabled and started by default. If it stops, the browser list is not updated or maintained.

Cryptographic Services

The Cryptographic Services service provides key-management services for your computer. Cryptographic Services is actually composed of four different management services:

  • Catalog Database Service. This service adds, removes, and looks up catalog files, which are used to sign all the files in the operating system. Windows File Protection (WFP), Driver Signing, and setup use this service to verify signed files. You cannot stop this service during setup. If the service stops after setup, it restarts when requested by an application.

  • Protected Root Service. This service adds and removes Trusted Root Certification Authority certificates. The service displays a service message box with the certificate's name and thumbprint. If you click OK, the certificate is added or removed from your current list of trusted root authorities. Only Local System accounts have write access to the list. If this service stops, the current user cannot add or remove Trusted Root Certification Authority certificates.

  • Automatic Root Certificate Update Service. This service retrieves root certificates as needed from Windows Update. This service can be used in support secure-sockets-layer (SSL) sessions to help ensure that server certificates are kept up-to-date. If this service stops, root certificates must be updated manually.

  • Key Service. This service allows administrators to enroll for certificates on behalf of the local computer account. The service provides several functions that are required for enrollment, such as enumeration of available CAs, enumeration of available computer templates, and the ability to create and submit a certificate request in the local computer context. Only administrators may enroll on behalf of the local computer account. The Key Service also allows administrators to remotely install Personal Information Exchange (PFX) files on your computer. If this service stops, autoenrollment cannot automatically acquire the default set of computer certificates.

The Cryptographic Services service is enabled and started automatically by default. If it stops, the management services that are referenced in the preceding paragraphs do not function properly.

DCOM Server Process Launcher

In versions of Windows earlier than Windows Server 2003 with Service Pack 1, the Remote Procedure Call (RPC) service (RPCSS) ran as Local System. To reduce the attack surface of Windows and provide defense in depth, the RPC service functionality was split into two services in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

The RPCSS service retains all of the original functionality that did not require Local System privileges, and it now runs under the Network Service account. The DCOM Server Process Launcher (DCOMLaunch) service incorporates the functions of the old RPC service that required Local System privileges; it runs under the Local System account. This service is enabled and started by default.

If the DCOM Server Process Launcher service stops, remote procedure calls and DCOM requests on the local computer do not function properly. In particular, the Windows Firewall service fails if this service stops. This service is required and cannot be stopped from the Services console. If this service stops, the computer restarts.

Desktop Window Manager Session Manager

The Desktop Window Manager Session Manager service provides Desktop Window Manager startup and maintenance services. The service supports the Themes service and checks that applications are compatible with the Windows Aero user experience in Windows Vista. If an application is not compatible with Aero, this service causes it revert to a classic Windows theme that it supports.

If your computer does not support Aero graphics, you may see improved performance by disabling this service.

DFS Namespace

In Windows Server 2008, the DFS Namespace service integrates disparate file shares into a single, logical volume that can be managed. It is a supporting role service of the File Services Role.

If the DFS Namespace service stops, users and services cannot access the file shares aggregated into the namespace.

DFS Replication

In Windows Server 2008, the DFS Replication service allows files to be automatically copied and maintained simultaneously on multiple servers. It can also be configured to replicate files among alternative targets that are associated with the fault-tolerant DFS. It is a supporting role service of the File Services role.

If the DFS Replication service stops, file replication does not occur and server data does not synchronize. Also, a domain controller's ability to function could be seriously affected if this service stops. This service is not available on servers running with 64-bit Itanium-based systems.

In Windows Vista, the DFS Replication service replicates files among multiple computers, keeping them in sync. It is used to roam folders between computers. If the service is stopped, file replication does not occur, and the files become out-of-date.

DHCP Client

The DHCP Client service manages network configuration. It registers and updates IP addresses and Domain Name System (DNS) names for your computer. You do not have to manually change the IP settings for a client computer, such as a portable computer, that connects from different locations throughout the network. The client computer is automatically given a new IP address, regardless of the subnet that it reconnects to (if a DHCP server is accessible from the subnets). There is no need to manually configure settings for DNS or WINS. The DHCP server can provide these settings to the client if the DHCP server is configured to issue such information. To enable this option on the client, click Obtain DNS Server Address Automatically. No conflicts are caused by duplicate IP addresses.

If the DHCP Client service stops, your computer does not receive dynamic IP addresses and automatic dynamic DNS updates stop being registered on the DNS server.

DHCP Server

The DHCP Server service allocates IP addresses and enables advanced configuration of network settings such as DNS servers and WINS servers to DHCP clients automatically. DHCP uses a client/server model. The network administrator establishes one or more DHCP servers that maintain TCP/IP configuration information and provide the information to client computers. The server database includes the following:

  • Valid configuration parameters for all client computers on the network.

  • Valid IP addresses that are maintained in a pool for assignment to client computers, plus reserved addresses for manual assignment.

  • Duration of the lease offered by the server. The lease defines the length of time that the assigned IP address is valid.

DHCP is an IP standard that is designed to reduce the complexity of address configuration administration. It uses a server computer to centrally manage IP addresses and other related configuration details for your network. Windows Server 2008 provides the DHCP service, which enables the server computer to perform as a DHCP server and configure DHCP-enabled client computers on your network, as described in the current DHCP draft standard, Internet Engineering Task Force (IETF) Request for Comments (RFC) 2131.

DHCP includes the Multicast Address Dynamic Client Allocation Protocol (MADCAP), which is used to perform multicast address allocation. When registered client computers are dynamically assigned IP addresses through MADCAP, they can participate efficiently in the data stream process, such as for real-time video or audio network transmissions.

With a DHCP server installed and configured on your network, DHCP-enabled client computers can obtain their IP addresses and related configuration parameters dynamically each time they start and join the network. DHCP servers provide this configuration in the form of an address-lease offer to the client computers.

If the DHCP Server service stops, the server no longer issues IP addresses or other configuration parameters automatically. This service is only installed and activated if you install the DHCP server role.

Available on:

Windows Server 2008 Standard

Windows Server 2008 Enterprise

Windows Server 2008 Datacenter

Diagnostic Policy Service

The Diagnostic Policy Service (DPS) enables problem detection, troubleshooting, and resolution for Windows components. If this service is stopped, diagnostics cannot function. The Diagnostic Policy Service supports the Network Diagnostic Framework that is used to troubleshoot network connectivity issues.

This service startup type is by default Automatic.

Diagnostic Service Host

The Diagnostic Service Host (WdiServiceHost) enables problem detection, troubleshooting, and resolution for Windows components. If this service is stopped, diagnostics cannot function. The Diagnostic Service Host is part of the Network Diagnostic Framework that is used to troubleshoot network connectivity issues. When a user selects Diagnose and Repair from either the Network and Sharing Center or the Network Connection context menu, the Diagnostic Policy Service starts the Diagnostic Service Host. The service continues to run until the computer is restarted.

This service startup type is by default Manual.

Diagnostic System Host

The Diagnostic System Host (WdiSystemHost) enables problem detection, troubleshooting, and resolution for Windows components. If this service is stopped, diagnostics cannot function. The Diagnostic System Host is part of the Network Diagnostic Framework that is used to troubleshoot network connectivity issues.

This service startup type is by default Manual.

Distributed File System

The Distributed File System service manages logical volumes that are distributed across a local or wide area network and is required for the AD DS SYSVOL share. Distributed File System (DFS) is a distributed service that integrates disparate file shares into a single logical namespace.

This namespace is a logical representation of the network storage resources that are available to users on the network. If the Distributed File System service stops, you are unable to access file shares or network data through the logical namespace. To access the data when the service is stopped, you must know the names of all the servers and all the shares in the namespace and must access each of these targets independently. This service is installed as part of the File Server role.

Available on:

Windows Server 2008 Standard

Windows Server 2008 Enterprise

Windows Server 2008 Datacenter

The Distributed Link Tracking Client service maintains links between the NTFS file system files within your computer or across computers in your network domain. This service ensures that shortcuts and Object Linking and Embedding (OLE) links continue to work after the target file is renamed or moved.

When you create a shortcut to a file on an NTFS volume, distributed link tracking stamps a unique object identifier (ID) into the target file, which is known as the link source. The file that refers to the target file (known as the link client) also stores information about the object ID internally. Distributed link tracking can use this object ID to locate the link source file in the following scenarios:

  • When the link source file is renamed.

  • When the link source file is moved to another folder on the same volume or a different volume of the same computer.

  • When the link source file is moved to another computer in the network.

Note

Unless the computer is in a domain where the Distributed Link Tracking Server service is available, this form of link tracking is less reliable over time.

  • When the shared network folder that contains the link source file is renamed.

  • When the computer that contains the link source file is renamed.

For all of the preceding scenarios, the link source file must be on a fixed NTFS volume. The NTFS volumes cannot be on removable media.

Note

The Distributed Link Tracking Client service monitors activity on NTFS volumes and stores maintenance information in a file called Tracking.log, which is located in a hidden folder called System Volume Information at the root of each volume. This folder is protected by permissions that allow only the computer to have access to it. The folder is also used by other Windows services, such as the Indexing Service.

If the Distributed Link Tracking Client service stops, any links to content on that computer are not maintained or tracked.

The Distributed Link Tracking Server service stores information so that files that are moved between volumes can be tracked for each volume in the domain. When enabled, the Distributed Link Tracking Server service runs on each domain controller in a domain. This service enables the Distributed Link Tracking Client service to track linked documents that have been moved to a location in another NTFS volume in the same domain.

The Distributed Link Tracking Server service is disabled by default. If you enable it, you must do so on all domain controllers of a domain. If the Distributed Link Tracking Server service is enabled on a domain controller that is upgraded to a newer version of Windows Server, the service must be re-enabled manually.

If the Distributed Link Tracking Server service is enabled, the DLT_AllowDomainMode system policy must be enabled for Windows XP client computers to be able to use it. If the Distributed Link Tracking Server service is enabled and then later disabled, you must purge its entries in AD DS. For more information, see article 312403, Distributed Link Tracking on Windows-based domain controllers, in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=100974).

If the Distributed Link Tracking Server service stops or if you disable it, links that are maintained by the Distributed Link Tracking Client service eventually become less reliable.

In Windows Server 2008, the Distributed Link Tracking Server service is part of the AD DS server role.

Available on:

Windows Server 2008 Standard

Windows Server 2008 Enterprise

Windows Server 2008 Datacenter

Distributed Transaction Coordinator

The Distributed Transaction Coordinator service coordinates transactions that are distributed across multiple computers and resource managers, such as databases, message queues, file systems, and other transaction-based resource managers. This service is necessary if transactional components are to be configured through COM+. It is also required for transactional queues in Message Queuing (also known as MSMQ) and SQL Server operations that span multiple computers.

The Distributed Transaction Coordinator service is installed and running by default. If it stops, transactions that use this service are not performed. Clustered installations of Microsoft Exchange, SQL Server, or other applications that make use of transaction services may be affected if this service stops.

DNS Client

The DNS Client service resolves and caches Domain Name System (DNS) names for your computer. The DNS Client service must run on every computer that performs DNS name resolution. DNS name resolution is needed to locate domain controllers in AD DS domains. The DNS Client service is also needed to enable location of the devices that are identified through DNS name resolution. Windows Vista includes both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) protocol stacks that are installed and enabled by default. Domain Name System (DNS) name queries and registrations can now involve both IPv4 address records (A records) and IPv6 address records (AAAA records).

The DNS Client service that runs on Windows Server 2008 implements the following features:

  • Systemwide caching. Resource records (RRs) from query responses are added to the client cache when applications query DNS servers. This information is then cached for a specific Time to Live (TTL) and can be used again to answer subsequent queries.

  • RFC-compliant negative caching support. In addition to positive query responses from DNS servers (which contain resource record information in the answered reply), the DNS Client service also caches negative query responses.

    A negative response results when an RR for the queried name does not exist. Negative caching prevents the repetition of additional queries for names that do not exist, which can adversely affect client computer performance. Any negative query information that is cached is kept for a shorter period of time than positive query information; by default, no more than five minutes. This configuration prevents stale negative query information from being continuously cached if the records later become available.

  • Avoidance of unresponsive DNS servers. The DNS Client service uses a server search list that is ordered by preference. This list includes all preferred and alternate DNS servers that are configured for each of the active network connections on the computer. Windows Server 2008 rearranges these lists based on the following criteria:

    • Preferred DNS servers are given first priority.

    • If no preferred DNS servers are available, alternate DNS servers are used.

    • Unresponsive servers are removed temporarily from these lists.

If the DNS Client service stops, the computer cannot resolve DNS names or locate Active Directory domain controllers and users cannot log on to the computer.

Computers running with Windows Vista must perform both A and AAAA queries to determine the best method of connectivity to the endpoint that is wanted. By obtaining both IPv4 and IPv6 addresses, there is an increased chance of access to the wanted endpoint if one of the addresses is unreachable. The DNS Client service in Windows Vista and Windows Server 2008 minimizes the impact on DNS servers when performing DNS name queries through the following behavior:

  • If the host has only link-local or Teredo IPv6 addresses assigned, the DNS Client service sends a single query for A records. For more information about Teredo, see the Teredo Overview on Microsoft TechNet.

  • If the host has at least one IPv6 address assigned that is not a link-local or Teredo address, the DNS Client service sends a DNS query for A records and then a separate DNS query to the same DNS server for AAAA records. If an A record query times out or has an error (other than name not found), the corresponding AAAA record query is not sent.

This service startup type is by default Automatic.

DNS Server

The DNS Server service enables DNS name resolution. It answers queries and update requests for DNS names. DNS servers locate devices that are identified by their DNS names and locate domain controllers in AD DS.

If the DNS Server service stops or if you disable it, DNS updates do not occur. The DNS Server service is not required to run on every computer. However, if there is no authoritative DNS server for a particular portion of the DNS namespace, the location of the devices that use DNS names in that portion of the namespace fail. Absence of an authoritative DNS server for the DNS namespace that is used to name Active Directory domains results in an inability to locate domain controllers in that domain.

The DNS Server service is only installed and activated if you install the DNS Server role.

Available on:

Windows Server 2008 Standard

Windows Server 2008 Enterprise

Windows Server 2008 Datacenter

Windows Event Log

The Windows Event Log service enables event log messages that are issued by Windows-based programs and components to be viewed in Event Viewer. These event log messages contain information that can help diagnose problems with applications, services, and the operating system.

You cannot stop the Windows Event Log service. If you disable the service, it would be impossible to track events, which significantly reduces the ability to successfully diagnose computer problems. Also, security events would not be audited, and you could not view previous event logs with the Event Viewer console.

Extensible Authentication Protocol

The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, virtual private network (VPN), and Network Access Protection (NAP). EAP also provides APIs that are used by network access clients, including wireless and VPN clients, during the authentication process.

EAP supports authentication schemes such as Generic Token Card, One Time Password (OTP), Message Digest 5 (MD5)-Challenge, Transport Layer Security (TLS) for smart card and digital certificate-based authentication, and future authentication technologies. EAP is a critical technology component for establishing secure connections. If you disable this service, this computer is prevented from accessing networks that require EAP authentication.

This service startup type is by default Manual.

Fax Service

The Fax Service, a Telephony API (TAPI)-compliant service, provides fax capabilities from users' computers. The Fax Service allows users to send and receive faxes from their desktop applications through either a local fax device or a shared network fax device. The service offers the following features:

  • Fax distribution and receipt

  • Fax activity tracking and monitoring

  • Inbound fax routing

  • Server and device configuration management

  • Archiving of sent faxes

If you disable the print spooler or telephony service, the Fax Service does not start successfully. If this service stops, users cannot send or receive faxes. The Fax Service startup type is Manual; it stops when there is no fax activity and restarts on an as-needed basis. For Windows Server 2008, the Fax Service is installed with the Fax Server role.

Available on:

Windows Server 2008 Standard

Windows Server 2008 Enterprise

Windows Server 2008 Datacenter

Function Discovery Provider Host

The Function Discovery Provider Host service provides the host process for Function Discovery providers. Function Discovery provides a uniform programmatic interface for enumerating system resources, such as hardware devices, whether they are local or connected through a network. It enables applications to discover and manage lists of devices or objects sorted by functionality or class. Users benefit from this categorized view of devices on their system. Both applications and users can use Function Discovery to discover what functions their system can perform, regardless of the underlying device or software architecture.

Function Discovery supports an extensible discovery provider model. The providers included in the system provide an abstraction layer over existing standards such as Plug and Play, Simple Service Discovery Protocol (SSDP), Web Services Dynamic Discovery (WS-Discovery), and the registry. Custom providers can be created to expose your organization's resources through Function Discovery. Function Discovery is a component of the Windows Connect Now technologies built into Windows Server® 2008 and Windows Vista.

This service startup type is Manual.

Function Discovery Resource Publication

The Function Discovery Resource Publication service publishes this computer and resources attached to this computer so that they can be discovered over the network. If this service is stopped, network resources cannot be published and they cannot be discovered by other computers on the network.

This service startup type is Automatic.

Group Policy Client

The Group Policy Client service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is stopped or disabled, the settings are not applied and applications and components cannot be managed through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is stopped or disabled.

This service startup type is Automatic. The service cannot be disabled through the Services snap-in console.

Health Key and Certificate Management

The Health Key and Certificate Management service provides X.509 certificate and key management services for the Network Access Protection Agent service. Enforcement technologies that use X.509 certificates may not function properly if this service is not installed or is disabled. The service supports the NAP platform on Windows Vista and Windows Server 2008 computers.

The NAP platform helps administrators validate and enforce compliance with system health policies for network access and communication. Administrators can create solutions for validating computers that connect to or communicate on their networks, provide needed updates or access to needed resources, and limit the network access of computers that are noncompliant.

This service startup type is Manual.

Help and Support

The Help and Support service allows the Help and Support Center application to run on users' computers, supports the application, and enables communication between the client application and the help data. This service provides access to stores and services such as the taxonomy database that contains metadata and information about the help topics, the support automation framework that enables data collection for registered support providers, user history and preference information, and the search engine manager. When you interact with the Help and Support Center features such as search, index, or table of contents, the service allows for data transaction support of all these features.

If the Help and Support service startup type is configured to Manual, the service starts if a user accesses the Help and Support Center from the desktop. If you disable or stop this service, the Help and Support Center application is essentially unusable and users see the following message:

Windows cannot open Help and Support because a system service is not running.

Users can access some high-level topics that may be cached on the local computer, but most of the Help and Support Center application features (including Remote Assistance) cannot function if the Help and Support service is not enabled. However, users can still view the *.chm files that are located in the Windows\Help folder. The Help and Support service is installed and the startup type is Automatic.

HTTP SSL

The HTTP SSL service enables IIS to perform Secure Sockets Layer (SSL) functions. SSL is an open standard that establishes encrypted communications channels to help to prevent the interception of critical information, such as credit card numbers. Primarily, it protects data transmitted for electronic financial transactions on the Internet, although it is designed to work on other Internet services as well.

If the HTTP SSL service stops, IIS does not perform SSL functions. This service is installed when IIS is installed and is not present or active otherwise.

Human Interface Device Access

The Human Interface Device Access service enables generic input access to Universal Serial Bus (USB) devices such as keyboards and mice. The service activates and maintains predefined keyboard keys, remote controls, and other multimedia devices. This service is installed and started by default on Windows XP and Windows Server 2003–based computers.

If the Human Interface Device Access service stops, keyboard keys that are controlled by this service no longer function. For instance, the Back key, Forward key, and other keyboard keys on USB keyboards and volume buttons on USB speakers do not function.

IIS Admin Service

The IIS Admin Service allows administration of IIS components such as FTP, application pools, Web sites, Web service extensions, and both Network News Transfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) virtual servers. If you stop or disable this service, you cannot run Web, FTP, NNTP, or SMTP sites.

In Windows 2000, the IIS Admin Service and related services are installed by default. In Windows Server 2003, you must install the IIS components through Add/Remove Windows Components or Configure Your Server.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

IKE and AuthIP IPsec Keying Modules

The IKE and AuthIP IPsec Keying Modules (IKEEXT) service hosts the IKE and AuthIP keying modules. These keying modules are used for authentication and key exchange in IPsec. Stopping or disabling the IKEEXT service disables IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service may result in an IPsec failure and may compromise the security of the system. We strongly recommend that you have the IKEEXT service running.

This service startup type is Automatic.

Indexing Service

The Indexing Service indexes the contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language. The Indexing Service also enables quick document search capability on local and remote computers and a search index for content that is shared on the Web. The service builds indexes of all textual information in files and documents. After the initial index build is complete, the Indexing Service maintains its indexes whenever a file is created, modified, or deleted.

Note

The Indexing Service has been replaced by Windows Search in Windows Vista and Windows Server 2008. However, the Indexing Service is still available in Windows Vista and Windows Server 2008 but must be explicitly installed.

Interactive Services Detection

The Interactive Services Detection service enables user notification of user input for interactive services, which enables access to dialog boxes created by interactive services when they appear. If this service is stopped, notifications of new interactive service dialog boxes no longer function and there may no longer be access to interactive service dialog boxes. This service supports the new service isolation feature in Windows Vista.

In Windows XP, Windows Server 2003, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and, therefore, are targets for malicious users who are looking for a way to elevate their own privilege level.

The Windows Vista and Windows Server 2008 operating system mitigates this security risk by isolating services in Session 0 and making Session 0 noninteractive. In these operating systems, only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services never run in the same session as users' applications and, therefore, are protected from attacks that originate in application code. Because Session 0 is no longer a user session, services that are running in Session 0 do not have access to the video driver. This means that any attempt that a service makes to render graphics fails. For example, if a device installer runs in Session 0 and the installation program creates a dialog box in Session 0 that requires user input to continue, the device installation never completes because the user does not see the dialog box. From the user's perspective, the device installer has stopped responding because it has stopped progressing and the user has no way to resume it. Basically, any functionality in a service or a service-hosted driver that assumes the user is running in Session 0 does not work correctly in Windows Vista and Windows Server 2008.

As a result of this issue, the option of enabling the Interactive Service Detection Service is available for customers who have services from earlier versions of Windows that send user interaction dialog boxes to Session 0 instead of the corresponding user's session.

The service startup type is Manual start by default. The service starts only when a visible dialog box that is not a command window is detected. If the service is started, users are notified when a dialog box or window (including a command window) appears in Session 0. Information about each of the last 10 dialog boxes appears in turn if more information is shown. This helps to ensure that deployment testers are aware of services from earlier operating systems in their environment and have the opportunity to contact the vendors for updated services.

The service detects these visible dialog boxes or windows and sends a notification to the user. Users may choose to:

  • Respond to the dialog box immediately by clicking a button to switch to Session 0, interact with the task dialog box, and then switch back to their session.

  • Be reminded again in five minutes. The reminders continue until the dialog box closes.

If this service is disabled, users do not receive notifications when the devices or services send dialog boxes to Session 0.

Internet Connection Sharing

The Internet Connection Sharing service provides network address translation, addressing, name resolution, and intrusion prevention services for a home or small office network.

This service startup type is Manual.

Intersite Messaging

The Intersite Messaging service enables message exchanges between computers that run Windows server sites. This service is used for mail-based replication between sites. AD DS includes support for replication between sites through SMTP over IP transport. SMTP support is provided by the SMTP service, which is a component of IIS.

The set of transports that are used for communication between sites must be extensible. Therefore, each transport is defined in a separate add-in dynamic link library (DLL) file. These add-in DLL files are loaded into the Intersite Messaging service, which runs on all domain controllers that can perform communication between sites. The Intersite Messaging service directs send-and-receive requests to the appropriate transport add-in DLL files, which then route the messages to the Intersite Messaging service on the destination computer.

If the Intersite Messaging service stops, messages are not exchanged, intersite messaging replication does not work, and site-routing information is not calculated for other services. This service is installed by default on Windows Server 2008–based computers, but it is disabled until the server is promoted to the domain controller role.

Available on:

Windows Server 2008 Standard

Windows Server 2008 Enterprise

Windows Server 2008 Datacenter

IP Helper (IP Version 6 Helper Service)

The IP Helper service offers Internet Protocol version 6 (IPv6) connectivity over an Internet Protocol version 4 (IPv4) network. IPv6 is a new suite of standard protocols for the network layer of the Internet. It solves many IPv4 problems with regard to address depletion, security, autoconfiguration, and extensibility. This service allows IPv6-enabled sites and hosts to communicate through IPv6 over an IPv4 infrastructure—for example, the Internet. This is often referred to as "6to4." IPv6 sites and hosts can use their 6to4 address prefix and the Internet to communicate. They do not need to obtain an IPv6 global address prefix from an Internet service provider (ISP) and to connect to the IPv6-enabled portion of the Internet.

6to4 is a tunneling technique that is described in RFC 3056. The 6to4 hosts do not require any manual configuration and use standard autoconfiguration to create 6to4 addresses. The 6to4 technique uses the global address prefix of 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the colon-hexadecimal representation of a public IPv4 address (w.x.y.z) that is assigned to a site or host, also known as the Next Level Aggregator (NLA) portion of a 6to4 address.

The IP Helper service also supports 6over4, also known as IPv4 multicast tunneling, a technique that is described in RFC 2529. The 6over4 technique allows IPv6 and IPv4 nodes to communicate through IPv6 over an IPv4 infrastructure. It uses the IPv4 infrastructure as a multicast-capable link. For 6over4 to work correctly, the IPv4 infrastructure must be IPv4 multicast-enabled.

If the IP Helper service stops, the computer only has IPv6 connectivity if it is connected to a native IPv6 network.

IPsec Policy Agent

The IPsec Policy Agent (IPsec Service) service provides end-to-end security between clients and servers on TCP/IP networks, manages IPsec policy, starts IKE, and coordinates IPsec policy settings with the IP security driver. The service is controlled by using the NET START or NET STOP command.

IPsec operates at the IP layer and is transparent to other operating system services and applications. The service provides packet filtering, and can negotiate security between computers on IP networks. You can configure IPsec to provide:

  • Packet filtering with actions to permit, block, or negotiate security.

  • Negotiated trust and encrypted IP communication. The IKE protocol mutually authenticates the sender and receiver of IP data packets based on policy settings. Authentication can use the Kerberos V5 authentication protocol, digital certificates, or a shared secret key (password). IKE automatically generates cryptographic keys and IPsec security associations.

  • Protection of IP packets with IPsec formats that provide cryptographic integrity, authenticity, and (optionally) encryption of IP packets.

  • End-to-end IPsec transport protection of traffic between servers and other systems that support Layer Two Tunneling Protocol (L2TP) VPN connections.

  • IPsec tunnel mode to improve the security for interoperability with gateways or other systems that do not support L2TP or point-to-point protocol (PPTP) VPN site-to-site connections.

If the IPsec Policy Agent (IPsec Service) service stops, TCP/IP security between clients and servers on the network is impaired. This service is installed and started automatically by default on computers running Windows Server 2008 or Windows Vista.

Kerberos Key Distribution Center

The Kerberos Key Distribution Center service enables users to log on to the network and be authenticated by the Kerberos version 5 (v5) authentication protocol.

As in other implementations of the Kerberos protocol, the Kerberos Key Distribution Center (KDC) is a single process that provides two services:

  • Authentication Service. This service issues ticket-granting tickets (TGTs) for connection to the ticket-granting service in its own domain or in any trusted domain. Before a client computer can request a ticket to another computer, it must request a TGT from the authentication service in its account domain. The authentication service returns a TGT for the ticket-granting service in the target computer's domain. The TGT can be reused until it expires, but initial access to any domain's ticket-granting service always requires the client computer to contact the authentication service in its account domain.

  • Ticket-granting Service. This service issues tickets for connection to computers in its own domain. When a client computer wants to access another computer, it must request a TGT and ask for a ticket to the computer. The ticket can be reused until it expires, but initial access to any computer always requires contact with the ticket-granting service in the target computer's account domain.

If the Kerberos Key Distribution Center service stops, users cannot log on to the network and access resources. This service is installed with the AD DS role and is used by domain controllers. If you disable this service, users cannot log on to the domain.

KtmRm for Distributed Transaction Coordinator

The KtmRm for Distributed Transaction Coordinator service coordinates transaction between the Microsoft Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM). This service supports the Kernel Transaction Manager (KTM) feature in Windows Vista and Windows Server 2008. The KTM enables the development of applications that use transactions. The transaction engine itself is within the kernel, but transactions can be developed for kernel-mode or user-mode transactions, and within a single host or among distributed hosts.

The KTM implements Transactional NTFS (TxF) and Transactional Registry (TxR). TxF allows transacted file system operations within the NTFS file system. TxR allows transacted registry operations. KTM enables client applications to coordinate file system and registry operations with a transaction that results in better error recovery during data transfer and in the event of system failure.

This service startup type is Automatic.

The Link-Layer Topology Discovery Mapper service creates a network map, consisting of computer and device topology (connectivity) information, and metadata describing each computer and device. If this service is disabled, the network map does not function properly.

This service startup type is Manual.

Message Queuing

The Message Queuing service is a messaging infrastructure and development tool that creates distributed messaging applications for Windows. Such applications can communicate across heterogeneous networks and send messages between computers that may be temporarily unable to connect to each other. This service provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It also supports the ability to send messages within transactions, and it provides both Microsoft Win32® and COM APIs for all programmatic functionality, including administration and management.

Message Queuing is an optional feature of Windows Vista and Windows Server 2008. It is not installed or enabled by default.

Windows Vista and Windows Server 2008 include Message Queuing 4.0. For remote reading, Message Queuing 4.0 uses encrypted RPC by default. This feature is available when a client computer running Windows Vista or Windows Server 2008 performs remote reading against a Message Queuing server running Windows Vista, Windows Server 2008, Windows Server 2003, or Windows 2000. In situations where encrypted RPC cannot be used, (for example, where a workgroup computer is part of the remote read process), the message is passed to the remote computer as plaintext and message security is not guaranteed. A plaintext message that has reached its destination queue can be read only by users that have the necessary access rights to read messages from the queue.

With Windows Vista, we recommend that you enable your Message Queuing 4.0 server to use only secured remote reading mode. In secured remote reading mode, your computer only listens on the secure remote read interface, and not on the nonsecure remote read interface. The effect of this is that only Message Queuing 4.0 and 3.0 servers on Windows Server 2003–based computers or later can remotely receive messages from queues on your computer, and remote reads from MSMQ 1.0 clients, MSMQ 2.0 clients, and Message Queuing 3.0 clients running on Windows XP–based computers are not supported. For information about enabling your server to use only the new secured mode, see Enable Secured Remote Read (https://go.microsoft.com/fwlink/?LinkID=105681).

If the Message Queuing service stops, distributed messages are unavailable. If you disable this service, any services that explicitly depend on it do not start. Also, COM+ Queued Component (QC) functionality, some functionality of Windows Management Instrumentation (WMI), and the Message Queuing Triggers service are affected.

Message Queuing Triggers

The Message Queuing Triggers service provides a rule-based system to monitor messages that arrive in a Message Queuing service queue and, when the conditions of a rule are satisfied, invoke a COM component or a stand-alone executable program to process the message.

The Message Queuing Triggers service is installed as part of the Message Queuing service on Windows Server 2008. In Windows Vista, the Message Queuing Triggers feature must be explicitly selected for it to be installed.

If the Message Queuing Triggers service stops, you cannot apply rule-based monitoring or invoke programs to process messages automatically.

Microsoft .NET Framework NGEN

This service supports the Microsoft .NET Framework Native Image Generator (NGEN) feature of the .NET Framework Common-Language Runtime. It is used to create platform-specific, optimized versions of .NET Framework applications that have faster performance than applications that have to be compiled by the just-in-time compiler before they can be run.

The service runs either in low priority for important compilations or in idle priority for non-important compilations. After all optimizations that are in the queue are completed, the service shuts down.

This service is installed by default, and the service startup type is Manual.

Microsoft iSCSI Initiator Service

This service manages Internet Small Computer System Interface (iSCSI) sessions from a computer to remote iSCSI target devices. If this service is stopped, the computer cannot log on or access iSCSI targets. If this service is disabled, any services that explicitly depend on it fail to start.

You can use iSCSI to connect storage devices over a network (LAN, WAN, or the Internet) by using TCP/IP; iSCSI devices can be disks, tapes, CDs, or other storage devices on network connected systems. The technology is often associated with storage area networks.

The Microsoft iSCSI Initiator Service ensures all volumes and devices listed as "favorite targets" are available to the computer. The iSCSI Initiator properties are configured from the Administrative Tools Control Panel. By default, the Microsoft iSCSI Initiator Service is configured for the Manual startup type. To use an Internet storage device, you must unblock the appropriate firewall ports.

The IP network used by iSCSI does not include a default security mechanism. Because iSCSI is a plaintext protocol, iSCSI presents an attack surface that should be secured if you decide to use this service. To help secure IP packets (the data stream), you can use the challenge-handshake authentication protocol (CHAP), IPsec, or both.

CHAP verifies the identity of iSCSI host systems that are attempting to access storage targets. CHAP has known vulnerabilities and should not be relied upon as the only security method.

IPsec is a standards-based means of aiding the secure transfer of information across IP networks through the use of authentication and encryption that guards against both active and passive attacks.

This service is installed by default and the service startup type is Manual.

Microsoft Fibre Channel Platform Registration Service

The Microsoft Fibre Channel Platform Registration Service registers the platform with all available Fibre Channel fabrics and maintains the registrations. A fabric is a network topology where devices are connected to each other through one or more high-efficiency data paths. This service is used in support of storage area networks.

This service is installed by default on Windows Server 2008, and the service startup type is Manual.

Microsoft Software Shadow Copy Provider

The Microsoft Software Shadow Copy Provider service manages software-based shadow copies that are taken by the Volume Shadow Copy Service. A shadow copy is a snapshot copy of a disk volume that represents a consistent read-only point in time for that volume. This point-in-time snapshot then stays constant and allows an application, such as backup software, to copy data from the shadow copy to tape.

There are two general classes of shadow copies:

  • Hardware. A hardware shadow copy is a mirror of two or more disks that are split into separate volumes. One of the two volumes remains the working set, and the other one can be mounted separately.

  • Software. A software shadow copy uses a copy-on-write scheme to copy all sectors of a volume that change over time into a differential area on disk. When the shadow copy is mounted, all unchanged sectors are read from the original volume and all sectors that have changed are read from the differential area.

Shadow copies can resolve three classic data backup challenges:

  • The need to back up files that were opened for exclusive access. Backup of an open file is a challenge because it is likely in a state of change. Without a shadow copy or a way to suspend the application, backups often become corrupted.

  • The need to maintain a computer's availability during the shadow copy.

  • Use of the same communications channels as snapshots to facilitate information transfer between application and backup tools.

If the Microsoft Software Shadow Copy Provider service stops, software-based volume shadow copies cannot be managed, which could cause Windows Backup to fail. This service is installed by default on Windows Server 2008, but it only runs when requested.

Multimedia Class Scheduler

The Multimedia Class Scheduler (MMCSS) service enables relative prioritization of work based on systemwide task priorities. This is intended mainly for multimedia applications. If this service is stopped, individual tasks return to their default priority.

Users expect multimedia applications to offer a smooth playback experience. If the playback has pauses or jerky movements, the user tends to be dissatisfied with the experience and does not use that content delivery method. While early versions of media players suffered from lack of bandwidth, the issue that is encountered more commonly now is lack of CPU processing time. Demand for the CPU processing time by other concurrently running applications, like antivirus programs, content indexing, or even the mail client, can interfere with media rendering and playback.

To provide a better playback experience, Windows Vista provides MMCSS to manage the CPU priorities of multimedia threads. An application registers with MMCSS using new APIs that indicate its multimedia characteristics, which must match one of those listed by name under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Multimedia\SystemProfile\Tasks

The task keys are:

  • Audio

  • Capture

  • Distribution

  • Games

  • Playback

  • Pro Audio

  • Window Manager

The various task keys specify how much preference threads associated with different multimedia types get for CPU and graphics processor resources. (Graphics processor resource management is not implemented in Windows Vista.)

MMCSS, which is implemented in %systemroot%\System32\Mmcss.dll and runs in a Service Host (Svchost.exe) process, has a priority-management thread that runs at priority 27. (Thread priorities in Windows range from 0 to 31.) This thread boosts the priority of registered multimedia threads into the range associated with the Scheduling Category value of their task's registry key; those with a Scheduling Category of High have a priority between 23 and 26, those with a Scheduling Priority of Medium have a priority between 16 and 23. In Windows, thread priorities 16 and higher are in the real-time priority range and higher than all other threads on a system (with the exception of the kernel's Memory Manager worker threads, which run at priorities 28 and 29). Only administrative accounts, like the Local System account in which MMCSS runs, have the Increase Priority privilege that is required to set real-time thread priorities.

MMCSS also ensures that other concurrently running threads get an adequate portion of CPU time so that the system and other applications remain responsive. Therefore, MMCSS reserves 20 percent of CPU time for other activity.

Net.Tcp Port Sharing Service

The Net.Tcp Port Sharing Service provides the ability for multiple user processes to share TCP ports over the net.tcp protocol. This service supports the .NET Framework 3.0 Windows Communication Foundation (WCF), which provides a new TCP-based network protocol (net.tcp://) for high-performance communication. This service allows a net.tcp port to be shared and secured in a similar fashion as port 80 is for HTTP traffic.

The Net.Tcp Port Sharing Service is available on all operating systems that support .NET Framework 3.0, but the service is not enabled by default. As a security precaution, an administrator must manually enable the Net.Tcp Port Sharing Service prior to first use. Although the Net.Tcp Port Sharing Service does provide a layer of processing between applications and the network, applications that use port sharing should still be secured as if they were listening on the network directly. Specifically, applications that use port sharing should evaluate the process privileges under which they run. When possible, run your application using the built-in Network Service account, which runs with the minimal set of process privileges required for network communication.

The Net.Tcp Port Sharing Service is included by default with Windows Vista. It is available for installation as role service for the Application Server role on Windows Server 2008.

Netlogon

The Netlogon service maintains an encrypted channel between your computer and the domain controller that it uses to authenticate users and services. It passes user credentials through the encrypted channel to a domain controller and returns the domain security identifiers and user rights for the user, which is commonly referred to as pass-through authentication. The service is installed on all Windows Server 2003 and Windows XP computers, and its startup type is Manual. After the computer joins a domain, the service starts automatically.

If the Netlogon service stops, the computer may not authenticate users and services and the domain controller cannot register DNS records. If this happens, the domain controller may deny NTLM authentication requests, and client computers cannot discover domain controllers.

This service startup type is Automatic.

Network Access Protection Agent

The Network Access Protection Agent service enables NAP functionality on client computers. Enabling the NAP client agent makes it possible for clients that support NAP to evaluate clients that connect to your network for compliance with organizational software security policies such as mandatory updates, antivirus, signatures, and firewall configurations.

By default this service startup type is Manual. If you have a NAP infrastructure in place, this service startup type is Automatic.

Network Connections

The Network Connections service is installed by default on computers running Windows Server 2008 or Windows Vista. This service manages objects in the Network Connections folder, from which you can view both network and remote connections. This service is responsible for client network configuration and displays connection status in the notification area on the taskbar. You may also view and configure network interface settings through this service.

The Network Connections service starts automatically when the startup type is Manual and the Network Connections interface is invoked. If this service stops, client-side configuration of LAN, dial-up, and VPN connections are unavailable. If you disable this service, the following might result:

  • Connections do not display in the Network Connections folder, which prevents dial-out access and configuration of LAN settings.

  • Other services that use Network Connections to check for Network Location-specific Group Policy settings do not function properly.

  • Events that pertain to media connects and disconnects are not received.

  • Internet connection sharing does not function correctly.

  • The ability to configure incoming connections, wireless settings, or your home network is unavailable.

  • New connections are not created.

  • Any services that explicitly depend on this service do not start.

Network List Service

The Network List Service identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change. This service, along with the Network Location Awareness service, enables the display of the status of network connections in the notification area. The service is part of the Network Diagnostics Framework in Windows Vista and Windows Server 2008.

This service startup type is Automatic.

Network Location Awareness (NLA)

The Network Location Awareness (NLA) service collects and stores network configuration information, such as IP address and domain name changes, as well as location change information. The service notifies compatible applications when this information changes so that they can reconfigure themselves to use the current network connection.

The Network Location Awareness (NLA) service is a default service on Windows Vista and Windows Server 2008. Even if you configure this service with a startup type of Manual, it is started usually by dependent services. If this service stops, network location awareness functionality is not available.

This service startup type is Automatic.

Network Store Interface Service

The Network Store Interface Service delivers network notification to user mode clients. The service keeps track of the network interfaces available on the computer, stores routing information for each, and communicates this information with other services that require it. This service depends on the NSI Proxy Service. The following system components depend on this service and fail if this service is stopped:

  • DHCP Client

  • IP Helper

  • Network Connections

  • Network Location Awareness

  • Workstation

Stopping this service causes loss of network connectivity. This service startup type is Automatic.

Offline Files

The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches events to accounts or logs configured for receiving events related to Offline Files activities and changes in cache state.

The Offline Files service enables the user to designate particular network folders (and their subfolders) to be available offline. When the user is connected to the network, Offline Files service automatically synchronizes the folders to the local hard disk. When the computer disconnects from the network (in other words, to go "offline"), Offline Files service provides access to the content from the locally cached copy. When the computer reconnects to the network, the service automatically synchronizes any changes made offline with the online version and updates the offline versions with more recently made online versions.

This service startup type is Automatic. We recommend that you use Encrypting File System (EFS) to encrypt the Offline Files cache so that the files in the cache can only be accessed by the user on whose behalf it is cached.

Peer Name Resolution Protocol

The Peer Name Resolution Protocol (PNRP) service enables Serverless Peer Name Resolution over the Internet. If disabled, some peer-to-peer and collaborative applications may not function. This protocol enables the naming of computers and services without reliance on a DNS server. This allows for flexible, informal, temporary networks of nearby computers for collaboration, data sharing, and data storage.

Security in peer-to-peer networks is difficult to establish. If computers in your organization are allowed to connect to peer-to-peer networks, a security policy about the types of information shared and the types of peer-to-peer networks that are compliant with your policy should be explicitly designed and communicated to your users to enable them to make decisions about which peer-to-peer networks they can trust.

A trusted peer-to-peer network should be one that meets the industry standard for establishing trust:

  • The network uses a trusted authentication method to identify itself and its users. Your security policy should identify which form of authentication is the minimally acceptable method.

  • The network supports different authorization levels to allow for control over who you share information with by using the network.

  • The network supports encrypted data transmission so that when you collaborate by using this network, your information is not as susceptible to capture by unauthorized users. It should also provide some form of data-integrity checking such as digital signatures to ensure that the data was not modified in transit.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Peer Networking Grouping

The Peer Networking Grouping service supports peer "grouping," which is a technology that allows a developer to create a private peer-to-peer network. Administrators create the groups and invite members to join after verifying their credentials. Each member has a specific certificate, which is called a Group Member Certificate (GMC). The GMC ensures that all records exchanged between peers are digitally signed. The public key of a peer is contained in the structures that are passed as part of the communication between peers. The groups are opened and closed by the administrator as needed.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Peer Networking Identity Manager

The Peer Networking Identity Manager service provides the identity service for Peer Networking. It allows for the creation, enumeration, and manipulation of peer identities in a peer-to-peer application. An individual user can have several different peer identities.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Performance Logs and Alerts

The Performance Logs and Alerts service collects performance data from local or remote computers based on preconfigured schedule parameters, and then writes the data to a log or triggers an alert. This service starts and stops each named performance data collection based on the information that is contained in the named log collection setting. This service only runs if at least one collection is scheduled.

If the Performance Logs and Alerts service stops or if you disable it, performance information is not collected. Also, any data collections that are currently active terminate, and future scheduled collections will not occur.

This service startup type is Manual.

Plug and Play

The Plug and Play service enables a computer to recognize and adapt to hardware changes with little or no user input. This service enables you to add or remove devices without any detailed knowledge of your computer hardware, and you do not need to manually configure the hardware or the operating system. For example, you can plug in a USB keyboard, and the Plug and Play service detects the new device, finds a driver for it, and installs it. Or you can dock a portable computer and use the docking station's Ethernet card to connect to the network; you do not need to change any configuration settings. Later, you can undock the same computer and use a modem to connect to the network—again, without any manual configuration changes.

The Plug and Play service is installed and the service startup type is Automatic on Windows Server 2008 and Windows Vista. You cannot stop or disable the service through the Services snap-in console because of the impact on operating system stability. If this service stops, the Device Manager interface appears blank and no hardware devices are displayed.

PnP-X IP Bus Enumerator

The PnP-X IP Bus Enumerator (IPBusEnum) service manages the virtual network bus. It discovers network-connected devices by using SSDP or the WS-Discovery protocol and gives them presence in Plug and Play. If this service is stopped or disabled, presence of network-connected devices is not maintained in Plug and Play and all Plug and Play–based scenarios stop functioning.

The PnP-X IP Bus Enumerator service is installed, and the service startup type is Manual in Windows Vista. On Windows Server 2008, the service is installed but disabled.

PNRP Machine Name Publication Service

The PNRP Machine Name Publication Service publishes a computer name by using the Peer Name Resolution Protocol (PNRP). You can publish the computer name as a secured or unsecured peer name. The peer name configuration is managed by means of the netsh command p2p pnrp peer.

The peer computer name is a text string that has the following format:

Authority.Classifier

The value of Authority depends on whether the name is secure or unsecured. The Classifier of a peer computer name is a string. A Classifier can be any name that contains 150 or fewer UNICODE characters. Peer names are case-sensitive. The following list identifies some examples of peer names:

  • "0.MyUnsecuredPeerName"

  • "0.RobertZare.Games"

  • "6520c005f63fc1864b7d8f3cabebd4916ae7f33d.RobertZare"

For a secure name, the Authority is the Secure Hash Algorithm (SHA) hash of the public key of the peer name and results in a 40-character hexadecimal string.

For an unsecured name, the Authority is zero (0), and the Classifier is the only significant part of the peer name, which creates an unsecured peer name without an associated identity. For more information about how to configure peer names, see Windows Internet Computer Names (https://go.microsoft.com/fwlink/?LinkId=101045).

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Portable Device Enumerator Service

The Portable Device Enumerator Service enforces Group Policy settings for removable mass-storage devices. It enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content by using removable mass-storage devices. This service enables you to specify which portable storage devices are allowed to be connected to systems that are managed with Group Policy.

This service startup type is Automatic on Windows Vista and Manual on Windows Server 2008.

The Print Spooler service manages all local and network print queues and controls all print jobs. The print spooler communicates with printer drivers and input/output (I/O) components, such as the USB port and the TCP/IP protocol suite, and is the center of the Windows printing subsystem. It is installed and activated by default on computers running Windows Vista or Windows Server 2008.

If the Print Spooler service stops, you cannot print or send faxes from your local computer. When the Print Spooler service stops on a server that runs Terminal Services, the System hive of the registry slowly grows until it fills the system volume and causes the server to crash. This problem is caused by the fact that when new clients log on to the server through Terminal Services, the system automatically tries to map the client's local printer to a printer port on the server, and it records this mapping in the registry. However, the Print Spooler service is supposed to delete each record when user end a session, and if the service is not running, the unused records are never deleted.

Also, the Printer Pruner feature of AD DS relies on the Print Spooler service. For the Printer Pruner to operate across the organization and allow orphaned queues to be scavenged on an unmanaged basis, every site in the organization must have at least one domain controller that runs the Print Spooler service. If you configure this service to Disabled or Manual, it does not automatically start when print jobs are submitted.

Problem Reports and Solutions Control Panel Support

The Problem Reports and Solutions Control Panel Support service provides support for viewing, sending, and deleting system-level problem reports for the Problem Reports and Solutions control panel. This service is part of the Windows Diagnostic Infrastructure in Windows Vista.

This service startup type is Manual.

Program Compatibility Assistant Service

The Program Compatibility Assistant Service provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant does not function properly. The Program Compatibility Assistant Service attempts to find software and driver updates that improve the compatibility of applications with Windows Vista and make changes to the computer's configuration so that the program runs better. The Program Compatibility Assistant runs automatically when it detects that an older program is attempting to run in Windows Vista and is encountering problems.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Protected Storage

The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. The service provides a set of software libraries that allow applications to retrieve security and other information from personal storage locations as it hides the implementation and details of the storage itself.

The storage location that is provided by this service is protected from modification. The Protected Storage service uses the Hash-Based Message Authentication Code (HMAC) and the Secure Hash Algorithm 1 (SHA1) cryptographic hash function to encrypt the user's master key. This component requires no configuration.

If the Protected Storage service stops, private keys are inaccessible, the Certificate Services service does not operate, Secure/Multipurpose Internet Mail Extensions (S/MIME) and SSL do not work, and smart card logon fails.

This service startup type is Manual.

Quality Windows Audio Video Experience

Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks. The qWave platform enhances AV streaming performance and reliability by ensuring network Quality of Service (QoS) for AV applications. It provides mechanisms for admission control, run-time monitoring and enforcement, application feedback, and traffic prioritization. The qWave platform provides the functionality for socket-based applications to gather in-depth, real-time information of a variable bandwidth network, allowing it to dynamically adapt to changing network conditions. It also allows applications to prioritize packets in order to make better use of the available bandwidth.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

ReadyBoost

The ReadyBoost service provides support for improving system performance. It allows you to use nonvolatile flash memory, such as that on a universal serial bus (USB) flash drive, to providing additional memory resources without having to provide additional RAM for the system.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Remote Access Auto Connection Manager

The Remote Access Auto Connection Manager service detects unsuccessful attempts to connect to a remote network or computer and provides alternative methods for connection. When a program fails in an attempt to reference a remote DNS or NetBIOS name or address or when network access is unavailable, the service displays a dialog box that allows you to make a dial-up or VPN connection to the remote computer.

To assist you, the Remote Access Auto Connection Manager service maintains a local database of connections that were previously used to reach named computers or shares. When the service detects an unsuccessful attempt to reach a remote computer or shared folder, it offers to dial the connection that was last used to reach this remote device. This service is installed by default on computers running Windows XP or Windows Server 2003, but its startup type is Manual. It is started automatically on an as-needed basis. If you disable the Remote Access Auto Connection Manager service, you must manually establish connections to remote computers when you want to access them.

This service startup type is Manual.

Remote Access Connection Manager

The Remote Access Connection Manager system service manages dial-up and VPN connections from your computer to the Internet or other remote networks. When you double-click a connection in the Network Connections folder and then click the Connect button, the Remote Access Connection Manager service either dials the connection or sends a VPN connection request and handles subsequent negotiations with the remote access server to set up the connection.

The Remote Access Connection Manager service unloads itself when no requests are pending. The Network Connections folder calls this service to enumerate the set of connections and to display the status of each one. Although its default startup type is Manual, this service can start if there are one or more VPN or dial-up connections in the Network Connections folder.

If the Remote Access Connection Manager service stops or if you disable it, your computer cannot make dial-up or VPN connections to a remote network or accept inbound connection requests. Also, the Network Connections folder does not display any VPN or dial-up connections, and the Internet Options Control Panel does not allow the user to configure any options that pertain to dial-up or VPN connections.

This service startup type is Manual.

Remote Procedure Call (RPC)

The Remote Procedure Call (RPC) service is an interprocess communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. The different process can be on the same computer, on the local area network, or across the Internet. The Remote Procedure Call (RPC) service serves as the RPC endpoint mapper and COM Service Control Manager (SCM). More than 50 services depend on the RPC service to start successfully.

You cannot stop or disable the Remote Procedure Call (RPC) service. If this service is not available, the operating system does not load.

Remote Procedure Call (RPC) Locator

The Remote Procedure Call (RPC) Locator service enables RPC clients that use the RpcNs* APIs to locate RPC servers. It also manages the RPC name service database.

By default, this service startup type is Manual.

If the Remote Procedure Call (RPC) Locator service stops or if you disable it, RPC clients that must locate RPC services on other computers cannot locate servers, or they may fail to start. RPC clients that rely on RpcNs* APIs from the same computer may not find RPC servers that support a given interface. If the service stops or if you disable it on a domain controller, RPC clients that use the RpcNs* APIs and the domain controller may experience interruption of service when they try to locate clients. RpcNs* APIs are not used internally in Windows; you must start this service only if non-Microsoft applications require this service.

Remote Registry

The Remote Registry service enables remote users who have the appropriate permissions to modify registry settings on the domain controller. This service is installed and automatically run by default. However, the service's default configuration allows only members of the Administrators and Backup Operators groups to access the registry remotely. This service is required for the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA enables you to verify which patches are installed on each of the servers in your organization.

If the Remote Registry service stops, only the registry on the local computer can be modified. If you disable this service, any services that explicitly depend on the service cannot start, but registry operations on your local computer are not affected. However, other computers or devices cannot connect to your local computer's registry.

This service startup type is Automatic.

Resultant Set of Policy Provider

The Resultant Set of Policy Provider service enables you to connect to a Windows Server 2008–based domain controller, access the WMI database for that computer, and simulate Resultant Set of Policy (RSoP) for Group Policy settings. The policy settings are determined for a user or computer that is located in AD DS. This simulation is commonly referred to as Planning mode.

The Resultant Set of Policy Provider service is installed by default on Windows Server 2008–based computers, but its startup type is Manual. If this service stops on a domain controller, RSoP Planning Mode simulation is unavailable on that domain controller. RSoP must run only on domain controllers; member servers and workstations do not need to run this service to use the feature.

Available on:

Windows Server 2008 Standard

Windows Server 2008 Enterprise

Windows Server 2008 Datacenter

Routing and Remote Access

The Routing and Remote Access service provides multiprotocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. This service also provides dial-up and VPN remote access services. Your server can use this service to function as a remote access server, a VPN server, a gateway, or a branch-office router.

From a routing perspective, the Routing and Remote Access service supports the Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) routing protocols, and controls the routing tables for the TCP/IP stack-forwarding engine.

The Routing and Remote Access service is installed but disabled by default and must be explicitly enabled to support remote access scenarios. If you support remote access and this service stops, your computer cannot accept incoming RAS, VPN, or dial-on-demand connections, and routing protocols are not received or transmitted.

Secondary Logon

The Secondary Logon service allows a user to create processes in the context of different security principals. A common use of this service is by administrators who may log on as restricted users but must have administrative privileges to run a specific application. They can use a secondary logon to temporarily run such applications.

Another component of the Secondary Logon service is RunAs.exe, which allows you to run programs (*.exe files), saved MMCs (*.msc files), shortcuts to programs and saved MMCs, and Control Panel items as Administrator while you are logged on to your computer as a member of another group, such as the Users group. In Windows 2000, this service was called the RunAs Service.

The Secondary Logon service is installed and run automatically by default on Windows Vista and Windows Server 2008. If the service stops or if you disable it, this type of logon access is unavailable. Any calls to the CreateProcessWithLogonW API fail. Specifically, if you stop or disable this service, the MMC snap-in that starts applications as other users and the RunAs.exe tool malfunction.

Security Accounts Manager

The Security Accounts Manager (SAM) service is a protected subsystem that manages user and group account information. The startup of the Security Accounts Manager service signals to other services that it is ready to accept requests.

The Security Accounts Manager service is present on all versions of Windows Vista and Windows Server 2008, and you cannot stop it. If you disable this service, other services in the computer may not start correctly. Do not disable this service.

Security Center

The Security Center service provides a central location for computers that run Windows Vista to manage security-related settings. It is configured to run automatically by default. When it runs, it performs the following tasks:

  • Determines whether the Windows Firewall service is running and queries specific non-Microsoft WMI providers to determine whether compatible software firewall applications are present and running.

  • Queries specific non-Microsoft WMI providers to determine whether compatible antivirus software is installed, whether the software is up-to-date, and whether real-time scanning is turned on.

  • Determines the configuration of the Windows Automatic Updates service. If the Automatic Updates service is turned off or not configured in accordance with the recommended settings, the Security Center service notifies the user.

  • Verifies that Internet security settings are set to their recommended levels.

  • Verifies that User Account Control is enabled.

If the Security Center service determines that a protected component is missing, incorrectly configured, or out-of-date, it notifies the user through a logon alert message and icon in the notification area of the taskbar.

If you disable the Security Center service, the protected components continue to function in accordance with their specific configuration settings. However, no centralized monitor service is provided.

This service is configured for an automatic delayed start.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Server

The Server service provides RPC support, file printing, and named-pipe sharing over the network. It allows local resources to be shared, such as disks and printers, so that other users on the network can access them. It also allows named-pipe communication between applications that run on other computers and your computer, which is used to support RPC. Named-pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-acceptance process does not need to be local to the computer. This service is installed and runs automatically by default on Windows Vista and Windows Server 2008.

If the Server service stops or if you disable it, the computer cannot share local files and printers with other computers on the network, and it cannot satisfy remote RPC requests.

This service startup type is Automatic.

Shell Hardware Detection

The Shell Hardware Detection service monitors and provides notification for AutoPlay hardware events. AutoPlay is a feature that detects content such as pictures, music, or video files on removable media and removable devices. AutoPlay then automatically starts applications to play or display that content, which simplifies the use of specialized peripheral devices such as MP3 players and digital photo readers. The service also makes it easier for users because they do not need to know beforehand what software applications are needed to access various content types.

AutoPlay supports a variety of media content types and applications. Both independent hardware vendors (IHVs) and independent software vendors (ISVs) can extend this support to include their hardware devices and applications. A user can configure a different AutoPlay action for any combination of pictures, music files, and video.

Media and device types that are supported by AutoPlay include:

  • Removable storage media

  • Flash media

  • PC cards

  • External hot-plug USB or 1394 fixed drives

  • Supported content types, which include:

    • Pictures (.jpg, .bmp, .gif, and .tif files)

    • Music files (.mp3 and .wma files)

    • Video (.mpg and .asf files)

The Shell Hardware Detection service is installed and runs automatically by default on Windows Vista and Windows Server 2008. If the service stops, the Hardware AutoPlay functionality does not work and shell performance is also affected.

Simple TCP/IP Services

The Simple TCP/IP Services service implements support for the following protocols and ports:

  • Echo, port 7, RFC 862

  • Discard, port 9, RFC 863

  • Character Generator, port 19, RFC 864

  • Daytime, port 13, RFC 867

  • Quote of the Day, port 17, RFC 865

When you enable Simple TCP/IP Services, all five protocols are enabled on all adapters. There is no ability to selectively enable specific services or enable the service on per-adapter basis.

If you stop or disable Simple TCP/IP Services, the rest of the operating system is unaffected. This service must be manually installed. Do not install this service unless you specifically need a computer to support communication with other computers that use the referenced protocols.

SL UI Notification Service

The SL UI Notification Service (SLUINotify) provides notification messages about software licensing and activation. Windows Vista and Windows Server 2008 use the licensing service, Slsvc.exe, that manages all activity related to Windows licensing. This service implements several anti-tampering technologies intended to detect modifications performed on this service. When modifications are detected, the licensing state of the system is affected and a message is sent to SLUINotify to notify of this change in licensing state. For example, the user might get a notification that the user's copy of Windows is non-genuine through a message box that states, "An unauthorized change was made to your license."

This service startup type is Manual.

Smart Card

The Smart Card service manages and controls access to a smart card that is inserted into a smart card reader, which is connected to your computer. The smart card subsystem is based on Personal Computer/Smart Card (PC/SC) Workgroup consortium standards (https://go.microsoft.com/fwlink/?LinkId=120309) and consists of the Resource Manager component, which manages access to readers and smart cards. To manage these resources, the Resource Manager performs the following functions:

  • Identifies and tracks resources.

  • Allocates readers and resources across multiple applications.

  • Supports transaction primitives to access services that are available on a given card.

The Resource Manager also exposes the WinSCard subset of the Win32 API to provide applications with access to a Card/Reader Selection user interface (UI). This component allows simple applications that work with smart cards to access a card and reader with minimum coding.

The Smart Card service is automatically installed by default on computers running Windows Vista or Windows Server 2008. If this service stops, your computer is unable to read smart cards.

This service startup type is Automatic on Windows Vista and Manual on Windows Server 2008.

Smart Card Removal Policy

The Smart Card Removal Policy service allows the system to be configured to lock the user desktop, disconnect from remote Terminal Services sessions, or log off the user upon smart card removal. Users who walk away from computers that are running an active logon session create a security risk. To enforce the security of your system, it is best practice for users to disconnect from any remote Terminal Services sessions and either log off or lock their computers when they leave. The smart card removal policy allows you to force users to comply with this practice when they remove their smart cards.

Note

If you decide to use the force logoff policy, users must ensure that they have saved changes to documents and other files before they remove their smart cards. Otherwise, they lose any changes they have made.

Whether or not you use the Smart Card Removal Policy service depends on how your users interact with their computers. For example, this policy may be used for computers in an open floor or kiosk environment. This policy may not be necessary when users have dedicated computers or exclusive use of multiple computers. You can use a password-protected screensaver or other means to lock the computers of these users.

SNMP

The SNMP service allows inbound Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. This service includes agents that monitor activity in network devices and report to the network console workstation, and provides a way to manage network hosts such as workstation or server computers, routers, bridges, and hubs from a centrally located computer that runs network management software. SNMP performs management services through a distributed architecture of management computers and agents.

You can use SNMP to perform the following tasks:

  • Configure remote devices. Configuration information can be sent to each networked host from the management computer.

  • Monitor network performance. You can track the speed of processing, network throughput, and collect information about the success of data transmissions.

  • Detect network faults or inappropriate access. You can configure trigger alarms on network devices when certain events occur. When an alarm is triggered, the device forwards an event message to the management computer. Common types of alarms include a device being shut down and restarted, a link failure being detected on a router, and inappropriate access.

  • Audit network usage. You can monitor overall network usage to identify user or group access as well as types of usage for network devices and services.

The SNMP service also includes an SNMP agent that allows remote, centralized management of computers and services.

The SNMP service is only installed on your server if you manually install the optional SNMP feature using Server Manager. When installed, the service starts automatically. If the SNMP service stops or if you disable it, the computer no longer responds to SNMP requests. If the computer is being monitored by network management tools that rely on SNMP, they cannot collect data from the computer nor control its functionality through the service.

SNMP Trap

The SNMP Trap service receives trap messages, which contain information about specific events and are generated by local or remote SNMP agents. The service forwards the messages to SNMP management programs that run on your computer. When configured for an agent, the SNMP service, generates trap messages if any specific events occur, and these messages are sent to a trap destination. For example, an agent can be configured to initiate an authentication trap if an unrecognized management computer sends a request for information. Trap destinations consist of the computer name, and the IP address of the management computer. The trap destination must be a network-enabled host that runs SNMP management software. Trap destinations can be configured by a user, but the events, such as computer restarts, that generate trap messages are internally defined by the SNMP agent.

The SNMP Trap service is installed only if you manually install the optional SNMP component through the Control Panel. When installed, the service starts automatically. If the service stops or if you disable it, SNMP-based programs on the computer do not receive SNMP trap messages from other computers. If this computer monitors network devices or server applications with SNMP traps, significant computer events are lost.

Software Licensing

Windows Vista and Windows Server 2008 include the licensing service, Slsvc.exe, that manages all activity related to Windows licensing. This service implements several anti-tampering technologies intended to detect modifications performed on this service.

This service startup type is Automatic.

Special Administration Console Helper

You can use the Special Administration Console Helper service to perform remote management tasks on a computer running with Windows Server 2008 if the computer's functions are halted because of a Stop error message. The Windows Emergency Management Services component supports two out-of-band console interfaces: the Special Administration Console (SAC) and !SAC, which offers a subset of SAC commands for use when the server has been halted.

Both the SAC and !SAC components accept input and send output through the out-of-band port. SAC is a separate entity from both !SAC and Windows Server 2008 command-line environments. After a specific failure point is reached, Emergency Management Services components determine when the shift should be made from SAC to !SAC. !SAC becomes available automatically if SAC fails to load or does not function. The Special Administration Console Helper service allows you to create inbound communication channels through the command prompt. This service is only installed on Windows Server 2008–based computers.

If the Special Administration Console Helper service stops, SAC services are not available.

SSDP Discovery Service

The UPnP Device Host service that is included with Windows Vista and Windows Server 2008 supports peer-to-peer Plug and Play functionality for network devices and services. The UPnP™ specification is designed to simplify device and network service installation and management. The UPnP Device Host service uses SSDP to locate and identify UPnP-certified network devices and service.

The SSDP Discovery Service is installed and the startup type is Manual on Windows Vista–based computers. On Windows Server 2008–based computers, the service is installed and disabled. The service is started only when the computer attempts to locate and configure UPnP-certified devices. If you disable this service, the computer is cannot find UPnP-certified devices on the network and the UPnP Device Host service cannot find and interact with UPnP-certified devices.

Superfetch

The Superfetch service maintains and improves system performance over time. Superfetch is part of a collection of performance-enhancing features available on Windows Vista and Windows Server 2008 that address responsiveness issues related to demand paging. We do not recommend the use of Superfetch on servers unless the server is being used as a workstation.

This service startup type is Automatic on Windows Vista–based computers. On Windows Server 2008–based computers, the service is installed and disabled.

System Event Notification

The System Event Notification (SENS) service monitors and tracks computer events such as Windows logon network and power events. It also notifies COM+ Event System subscribers of these events. This service is installed by default and runs automatically under Windows Vista and Windows Server 2008.

If the System Event Notification service stops, subscribers to the COM+ Event System service do not receive event notifications and the following problems occur:

  • Win32 APIs IsNetworkAlive and IsDestinationReachable do not work. These APIs are typically used by mobile applications on portable computers.

  • ISens* interfaces do not work. SENS logon/logoff notifications fail.

  • SyncMgr (Mobsync.exe) does not work properly. It depends on connectivity information and Network Connect/Disconnect and Logon/Logoff notifications from SENS.

  • The COM+ EventSystem fails when it tries to notify SENS of some events.

  • The Volume Shadow Copy Service does not load properly, which causes the Windows Server Backup API to fail.

Tablet PC Input Service

The Tablet PC Input Service enables Tablet PC pen-and-ink functionality. This allows any version of Windows Vista to be installed on a Tablet PC or to use a pen or touch input device.

If your computer does not have tablet functionality or an external pen or touch input device, you should consider disabling this service.

This service is installed by default and is started automatically.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Task Scheduler

The Task Scheduler service enables you to configure and schedule automated tasks on your computer. The service monitors whatever criteria you choose and carries out the task when the criteria have been met.

The Task Scheduler has been updated for Windows Vista and Windows Server 2008 to allow more detailed task triggers and assignments. Also, the Task Scheduler in Windows Vista and Windows Server 2008 supports a security isolation model that runs tasks in separate sessions according to their security content. As part of this isolation mode, tasks performed for different users are started in separate sessions, in complete isolation from one another and from tasks that are running in the system context. If passwords are required, they are encrypted and stored in Credential Manager and are retrieved as necessary.

You can use the Task Scheduler feature to perform the following tasks:

  • Create tasks.

  • Schedule tasks to run at specific times or when a specific event occurs. For example, you can have the computer run ScanDisk at 7:00 P.M. every Sunday.

  • Change the schedule for a task.

  • Customize how tasks are run.

  • Stop a scheduled task.

You can start the Task Scheduler service from the Services snap-in console or configure it to start automatically. By default, the Task Scheduler service is installed on computers running Windows Vista or Windows Server 2008. It can be accessed from the Task Scheduler Administrative Tool, through the Task Scheduler API, or from the SchTasks.exe tool.

If the Task Scheduler service stops, scheduled tasks do not run at their scheduled times or intervals. Also, this service is needed for Windows Backup and backup applications that rely upon the Windows Backup API. If there are no jobs listed in the %systemroot%\Tasks\ folder, there is minimal effect if you stop the service. Otherwise, jobs that are required to run cannot start. The Systems Management Server Software Update Services Feature Pack fails if the Task Scheduler service is unavailable. Also, scheduled backups fail to run if the Task Scheduler service stops.

TCP/IP NetBIOS Helper Service

The TCP/IP NetBIOS Helper Service provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on your network. It enables users to share files, print, and log on to the network. Specifically, the service performs DNS name resolution and pings a set of IP addresses that return a list of accessible IP addresses to provide support for the NetBT service.

The TCP/IP NetBIOS Helper Service is installed and started automatically by default on Windows Server 2008 and Windows Vista. If this service stops or if you disable it, NetBT, Redirector (RDR), Server (SRV), Net Logon, and Messenger service clients may not be able to share files, printers, and log on to computers. For example, domain-based Group Policy no longer functions.

Telephony

The Telephony service provides Telephony Application Programming Interface (TAPI) support for programs that control telephony devices, as well as IP-based voice connections on the local computer and through LAN servers that also run the service. The service enables applications to act as clients to telephony equipment such as private branch exchanges (PBXs), telephones, and modems. It supports the TAPI under which different wire protocols that communicate with telephony equipment are supported. These protocols are implemented in Telephony Service Providers (TSPs).

The Telephony service is installed by default on Windows Vista and Windows Server 2008, and its startup type is configured to Manual. Applications that require TAPI service may start it. If the Telephony service stops or if you disable it, any services that explicitly depend on it (such as modem support) cannot start. You cannot stop the service if another dependent service is currently active. If you stop the service when no dependent services are active, it restarts when any application makes an initialization call to the TAPI interface.

Telnet

The Telnet service for Windows provides ASCII terminal sessions to Telnet clients. It supports two types of authentication, NTLM and Kerberos, and supports four types of terminals: American National Standards Institute (ANSI), VT-100, VT-52, and VTNT.

The Telnet service also allows a remote user to log on to a computer and run console programs using a command prompt. A computer that runs the Telnet service can support connections from various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. The Telnet service is available as an optional feature of Windows Server 2008 that can be installed from Server Manager. The Telnet service is not installed on Windows Vista but can be added from the Programs and Features control panel. For upgrade installations, the startup type of the Telnet service in the previous version of Windows is preserved.

If the Telnet service stops, remote user access to programs is unavailable through the Telnet client, remote users cannot connect through the Telnet protocol, and users cannot connect to the computer or run console-based applications.

Terminal Services

The Terminal Services service provides a multisession environment that allows client devices to interact with virtual Windows desktop sessions and Windows-based programs that run on a server.

By default, the Terminal Services service is installed in support of the Remote Desktop for Administration feature on Windows Server 2008–based computers. This feature allows a maximum of two users to remotely connect to the server, and those users must be members of the local Administrators group. To enable multiple users to use Terminal Services, install the Terminal Services server role from Server Manager.

For Windows Server 2008–based computers, this service is required if you want to use Remote Desktop. On Windows Vista, it is required if you want to use Fast User Switching, Remote Desktop, and Remote Assistance. In Windows Server 2008 and Windows Vista, this service startup type is Automatic.

If the Terminal Services system service stops or if you disable it, your computer may become unreliable and Remote Assistance is no longer available. To prevent remote use of your computer, clear the Allow Remote Assistance and Allow Remote Desktop check boxes on the Remote tab of System Properties.

Terminal Services Configuration

Terminal Services Configuration service (TSCS) is responsible for all Terminal Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, Terminal Services themes, and Terminal Services certificates.

This service startup type is Manual.

Terminal Services UserMode Port Redirector

The Terminal Services UserMode Port Redirector allows the redirection of printers, drives, or ports for Remote Desktop connections to enable the Remote Desktop session to use the locally available resources.

This service startup type is Manual.

Themes

The Themes service provides user experience theme-management services. A desktop theme is a predefined set of icons, fonts, colors, sounds, and other elements that give the computer desktop a unified and distinctive look. On Windows Vista–based computers, the Themes service is set to start automatically. On Windows Server 2008–based computers, it is disabled.

If the Themes service stops or if you disable it, the new Windows Vista visual style—windows, buttons, scrollbars, Start button, and other controls—revert to the Windows Classic visual style.

Thread Ordering Server

The Thread Ordering Server service provides ordered execution for a group of threads within a specific period of time. The Thread Ordering Server service controls the running of one or more client threads. It ensures that each client thread runs once during the specific period and in relative order.

This service is installed by default and configured for Manual start.

TPM Base Services

The TPM Base Services service enables access to the Trusted Platform Module (TPM), which provides hardware-based cryptographic services to system components and applications. The TPM Base Services (TBS) component centralizes TPM access across applications. It also virtualizes certain limited TPM resources. The TBS uses priorities specified by calling applications to cooperatively schedule TPM access.

The TBS runs as a system service in the Windows Server 2008 and Windows Vista operating systems. It provides services to other components as an API exposed through remote procedure calls (RPC).

The TBS component is an optional system service that allows transparent sharing of the TPM resources. It simultaneously shares the TPM resources among multiple applications on the same physical computer, even if those applications run on different virtual computers.

The Trusted Computing Group (TCG) defines a Trusted Platform Module that provides cryptographic functions designed to provide trust in the platform. Because this component is implemented in hardware, it has finite resources. The TCG also defines a software stack that makes use of these resources to provide trusted operations for application software. However, no provision is made for running a TSS implementation side-by-side with operating system software that may also be using TPM resources. The TBS component solves this problem by enabling each software stack that communicates with TBS to use TPM resources checking for any other software stacks that may be running on the computer.

If this service is stopped or disabled, an application cannot use keys protected by the TPM.

UPnP Device Host

The UPnP Device Host service supports peer-to-peer UPnP functionality for network devices. This service simplifies device and network service installation and management and accomplishes device and service discovery and control through driverless, standards-based protocol mechanisms.

UPnP-certified devices can automatically configure network addresses, announce their presence on a network subnet, and enable the exchange of device and service descriptions. When the UPnP Device Host service is installed, a computer can act as a UPnP-certified control point to discover and control the devices through a Web or application interface.

This service is installed by default on computers running Windows Vista or Windows Server 2008. On Windows Vista Ultimate, the service startup type is Automatic. On the other versions of Windows Vista, the service startup type is Manual. On Windows Server 2008, the service is disabled by default.

User Profile Service

The User Profile Service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users cannot successfully log on or log off, applications may have problems getting to users' data, and components registered to receive profile event notifications do not receive them.

This service should not be stopped or disabled. This service startup type is Automatic.

Virtual Disk Service

The Virtual Disk Service (VDS) provides a single interface to manage block storage virtualization, whether it is done in operating system software, redundant array of independent disks (RAID) storage hardware subsystems, or other virtualization engines.

VDS provides a vendor-neutral and technology-neutral interface to manage logical volumes (software) and logical units (hardware). You can use this interface to manage bind operations, performance monitoring, topology discovery and tracking, volume status, and fault tracking.

Do not confuse virtual disks with snapshots. Unlike the Volume Shadow Copy Service, VDS does not coordinate with applications or the file system, and the data that is contained on a volume is not synchronized before a volume or disk configuration operation. You can use VDS to configure a mirror plex, but a snapshot provider is necessary to perform the coordination when removing the plex and surfacing the snapshot. That use is outside the scope of this topic with two exceptions:

  • VDS coordinates with the file system before it extends or shrinks volumes.

  • Full copy snapshots appear as plexes to VDS.

VDS is installed and startup type is Manual on computers running Windows Server 2008 or Windows Vista. The service is started only when an application attempts to use VDS. If it stops, VDS is no longer available.

Volume Shadow Copy

The Volume Shadow Copy Service manages and implements volume shadow copies, which are used for backup and other purposes, and manages the volume snapshots. When a backup application attempts to start a backup with the new snapshots infrastructure, the backup application determines the number of writers that are currently active on the service and then queries each writer to gather the required metadata. The backup application can then collect the volumes that require a shadow copy to ensure a successful backup session. The volumes are presented to the shadow copy coordinator and a shadow copy is created. The shadow copy creates volumes that match the original volumes at the shadow copy point in time.

The Volume Shadow Copy Service is installed on computers running Windows Vista or Windows Server 2008, and its startup type is Manual. Although the service is stopped, shadow copies are unavailable for backup and the backup process may not succeed. Specifically, the Volume Shadow Copy Service is required for Windows Backup and backup applications that rely on the Windows Backup API.

WebClient

The WebClient service enables Win32 applications to access documents on the Internet. The service extends the network capability of Windows by allowing standard Win32 applications to create, read, and write files on Internet file servers through the use of WebDAV, a file-access protocol that is described in XML and uses HTTP for communication. Because it uses standard HTTP, WebDAV communicates using existing Internet infrastructure, such as firewalls and routers.

The WebClient service is installed on Windows Vista, and its startup type is Automatic. If the WebClient service stops, users of the computer cannot use the Web Publishing Wizard to publish data to Internet locations that use the WebDAV protocol.

Windows Audio

The Windows Audio service provides support for sound and related Windows Audio event functions. This service manages events–that are compatible with Plug and Play for audio devices such as sound cards and global audio effects (GFX) for Windows audio application program interfaces. Examples of GFXs are equalization (EQ), bass enhancement, and speaker correction. The service loads, unloads, saves, and restores state for the GFXs on a per-session basis.

Through the Multimedia control panel, users can accomplish the following:

  • Enable or disable a GFX.

  • Select among several GFX filters if more than one GFX is available that is designed for the specific audio hardware. A GFX driver's .inf file specifies the target hardware for the GFX.

The Windows Audio service is installed on computers running Windows Server 2008 or Windows Vista. The service starts automatically on computers running Windows Vista. The service must be manually started on computers running Windows Server 2008.

You cannot stop the Windows Audio service after it is started. If you disable this service, audio functionality may be affected, including the inability to hear sound or process GFXs.

Windows Audio Endpoint Builder

The Windows Audio Endpoint Builder service manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects do not function properly. The term endpoint device refers to a hardware device at one end of a data path that originates or terminates at an application program. Examples of audio endpoint devices are speakers, headphones, microphones, and CD players.

The audio system keeps track of both endpoint devices and dynamic changes in the configuration of audio hardware that has jack-presence detection. While an endpoint device remains plugged in, the system enumerates that device. When the user unplugs an endpoint device, the system ceases to enumerate it. This feature improves the reliability of the audio system, giving more predictable capture and playback experiences across different devices.

The Windows Audio Endpoint Builder service is installed on computers running Windows Server 2008 or Windows Vista. The service starts automatically on computers running Windows Vista. The service must be manually started on computers running Windows Server 2008.

Windows Backup

The Windows Backup service supports the four main backup features provided by the new Backup and Restore Center in Windows Vista: File Backup and Restore, Windows Complete PC Backup and Restore, System Restore, and Shadow Copy.

Having a regular backup policy is essential for disaster recovery scenarios, but backups are also a security risk. Your security policy must address how data backups are going to be protected so that they are not used to remove confidential information from your data center or your organization. Backup copies that are on removable media should be placed in a secure storage area that only trusted personnel have access to, and they should be encrypted. If possible, desktops and portable computers should be backed up on network servers, which are in turn backed up into secure storage. If that is not feasible, your users should be informed as to the best practices for backing up data securely and be provided a secure location to store their backup copies.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows CardSpace

The Windows CardSpace service enables the creation, management, and disclosure of digital identities. Windows CardSpace is client software that enables users to provide their digital identity to online services in a simple and trusted way. It is known as an identity selector: when a user must authenticate to a Web site or a Web service, CardSpace presents a dialog box with a set of "information cards" for the user to choose from. Each card has some identity data associated with it—though this is not actually stored in the card—that has either been given to the user by an identity provider such as their bank, employer, or government, or has been created by users themselves. The CardSpace UI enables users to create Personal cards (also known as self-issued cards) and associate a limited set of identity data. When the user chooses a card, a signed and encrypted security token containing the required information (for example, name and address, employer's name and address, or credit limit) is generated by the identity provider that created the card. The user, in control at all times, then decides whether to release this information to the requesting online service. If the user approves, the token is sent on to the requesting party where the token is processed and the identity information is extracted.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Color System

The Windows Color System service (WcsPlugInService) hosts non-Microsoft Windows Color System color device model and gamut map model plug-in modules. These plug-in modules are vendor-specific extensions to the Windows Color System baseline color device and gamut map models. Stopping or disabling the WcsPlugInService service disables this extensibility feature, and the Windows Color System uses its baseline model processing rather than the vendor's requested processing. This might result in inaccurate color rendering. The Windows Color System provides for more precise color mapping and gradation. Non-Microsoft vendors such as printer manufacturers and photo finishers can use this feature in applications and drivers to explicitly call the color that they want rendered.

This service startup type is Manual.

Windows Connect Now - Config Registrar

The Windows Connect Now - Config Registrar service acts as a registrar for the Windows Connect Now service and issues network credentials to the enrollee in the service. Windows Connect Now technology enables stream-lined configuration of secured wireless networks and easier provisioning of wireless hardware. Windows Connect Now-NET (WCNNET) is the Microsoft implementation of the Simple Configuration Protocol, a new standard in the WiFi Alliance. WCNNET supports configuration of devices on out-of-band Ethernet and in-band wireless networks.

Windows Connect Now-NET in Windows Vista communicates with access points and wireless stations by using UPnP architecture, authenticates with them by using a personal identification number (PIN), and provides wireless settings that are based on user selection.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Defender

The Windows Defender service scans your computer and helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. Windows Defender in Windows Vista provides the following real-time protection options:

  • Auto start. Monitors lists of programs that are allowed to automatically run when you start your computer.

  • System configuration (settings). Monitors security-related settings in Windows.

  • Internet Explorer add-ins. Monitors programs that automatically run when you start Internet Explorer.

  • Internet Explorer configurations (settings). Monitors browser security settings.

  • Internet Explorer downloads. Monitors files and programs that are designed to work with Internet Explorer.

  • Services and drivers. Monitors services and drivers as they interact with Windows and your programs.

  • Application execution. Monitors when programs start and any operations they perform while running.

  • Application registration. Monitors tools and files in the operating system where programs can register to run at any time.

  • Windows add-ins. Monitors add-in programs (also known as software tools) for Windows.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Driver Foundation - User-mode Driver Framework

The Windows Driver Foundation - User-mode Driver Framework (UMDF) manages user-mode driver host processes. UMDF supports the creation of user-mode drivers that support protocol-based or serial-bus-based devices. Such drivers handle the same types of I/O requests as kernel-mode drivers and are installed by INF files, just as kernel-mode drivers are. The UMDF supports protocol device classes such as cameras and portable music players. Moving drivers for such devices into user mode can simplify the drivers and improve the overall stability of the operating system.

This service is installed by default, and the startup type is Manual.

Windows Error Reporting Service

The error reporting service was updated for Windows Vista and Windows Server 2008 as part of the Windows Diagnostics Framework enhancements.

The Windows Error Reporting Service reports errors when programs stop working or responding and enables existing solutions to be delivered. It also generates logs for the Problem Reports and Solutions diagnostic and repair service. If this service is stopped, programs and services that rely on this service will not report errors correctly, and the results of diagnostic services and repairs for those programs and services will not be displayed.

Windows Error Reporting is a feature that allows Microsoft to track and address errors relating to the operating system, Windows features, and applications. Windows Error Reporting gives users the opportunity to send data about errors to Microsoft and to receive information about solutions. Solution information can include instructions for working around a problem, or a link to the Windows Update Web site or another Web site for updated drivers, patches, or Microsoft Knowledge Base articles. Microsoft developers can use Windows Error Reporting as a problem-solving tool to address customer problems in a timely manner and to improve the quality of Microsoft products.

Windows Error Reporting has the following "consent levels" that an administrator can configure to control how Windows Error Reporting sends data to Microsoft. These setting are configured in the Advanced settings dialog box of the Problem Reports and Solutions Control Panel. These settings can also be configured through Group Policy under either Computer Configuration or User Configuration in Administrative Templates\Windows Components\Windows Error Reporting\Consent.

  • Ask each time a problem occurs. Windows Error Reporting always asks for the user's consent before sending an error report to Microsoft.

  • Automatically check for solutions (also known as "Send parameters"). Windows Error Reporting sends the minimum data required to check for an existing solution, for example, the application name and version, module name and version, and exception code. After sending this data, Windows Error Reporting prompts for consent before sending any additional data requested by Microsoft.

  • Automatically check for solutions and send additional information, if needed (also known as "Send parameters and safe additional data"). Windows Error Reporting sends the minimum data required to check for an existing solution as well as data that the developer of the program has designated as being highly unlikely to contain personally identifiable information. Windows Error Reporting then prompts for consent before sending any additional data requested by Microsoft.

  • Send all data (Group Policy setting only). This setting can only be configured through Group Policy, not through the Control Panel interface. Any data requested by Microsoftis sent without asking for consent.

User Account Control does affect how Windows Error Reporting works. A standard user does not have the same ability to report errors as an administrator does. If a prompt appears when a user is logged on as an administrator, the user can choose to report application and operating system errors. If a prompt appears for a user who is not logged on as an administrator, the user can choose to report application errors plus errors for operating system software that does not require administrative credentials to run.

The administrator also has the option to specify a list of programs for which error reports should never be sent.

This service is installed by default, and the startup type is Automatic.

Windows Event Collector

The Windows Event Collector service manages persistent subscriptions to events from remote sources that support the WS-Management protocol. This includes event logs, hardware, and Intelligent Platform Management Interface (IPMI)-enabled event sources. The service stores forwarded events in a local event log. If this service is stopped or disabled, event subscriptions cannot be created and forwarded events cannot be accepted.

The Event Collector service on the local computer uses the WS-Management protocol to send an event subscription request to a remote computer. The remote computer must be able to receive this information. This subscription request is passed to the Event Forwarder, which is a WS-Management plug-in. The plug-in then creates an event subscription on the remote computer based on the subscription request made by the local computer. Any events delivered to the remote computer are then sent to the Event Collector service on the local computer.

Event collection allows administrators to get events from remote computers and store them in a centralized place. The events are stored in the local event log of the collector computer and persisted in the local event log. The destination log path for the events is a property of the subscription. All data in the received event is saved in the collector computer event log. Additional information related to the event forwarding is also added to the event.

This service startup type is Manual.

Windows Firewall

The Windows Firewall service helps to protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.

Windows Vista and Windows Server 2008 include a new and enhanced version of Windows Firewall. Like the Windows Firewall in Windows XP with Service Pack 2 (SP2) and Windows Server 2003 with Service Pack 1 (SP1), the new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration and the applications that are currently running to provide a level of protection from malicious users and software on a network. The new Windows Firewall includes enhancements for better protection and more advanced configuration.

Windows Firewall in Windows Vista and Windows Server 2008 has the following enhancements over the Windows Firewall in Windows XP with SP2 and Windows Server 2003 with SP1:

  • Both incoming and outgoing traffic can be filtered

  • New snap-in for user interface (UI) configuration

  • Integrated firewall filtering and IPsec protection settings

  • Rules (exceptions) that can be configured for AD DS accounts and groups, source and destination IP addresses, IP number, source and destination Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, all or multiple TCP or UDP ports, specific types of interfaces, Internet Control Message Protocol (ICMP) and ICMP for IPv6 (ICMPv6) traffic by type and code, and for services

This service is installed by default and the startup type is Automatic.

Windows Image Acquisition (WIA)

The Windows Image Acquisition (WIA) service provides image acquisition services for scanners and cameras.

The Windows Image Acquisition (WIA) service supports Small Computer System Interface (SCSI), IEEE 1394, USB, and serial digital still-image devices. Support for infrared, parallel, and serial still-image devices is provided by the existing infrared, parallel, and serial interfaces. Image scanners and digital cameras are examples of still-image devices.

The Windows Image Acquisition (WIA) service is installed, and its startup type is Manual on Windows Vista–based computers. If the service stops, events from imaging devices are not captured and processed. The service restarts automatically at startup if there is a WIA device installed. Also, it restarts any time that a WIA-enabled application is started.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Installer

The Windows Installer service manages the installation and removal of applications. It applies a set of centrally defined setup rules during the installation process that specify how applications are installed and configured. You can also use this service to modify, repair, or remove existing applications. The Windows Installer technology consists of the Windows Installer service for the Windows operating systems and the package (.msi) file format that contains application setup and installation information.

The Windows Installer service is not only an installation program, but it is also an extensible software management system. It manages the installation, addition, and deletion of software components, monitors file resiliency, and maintains basic disaster recovery by way of rollbacks. It also supports the installation and operation of software from multiple sources, and can be customized by developers who want to install custom applications.

By default, the Windows Installer service is installed and its startup type is Manual on computers running Windows Vista or Windows Server 2008. Applications that use the installer start the service. If this service stops, applications that use it cannot be installed, removed, repaired, or modified. Also, a number of applications use this service when they are active, and they may not run if the Windows Installer service stops.

Windows Internet Name Service (WINS)

The Windows Internet Name Service (WINS) enables NetBIOS name resolution. If you have computers in your organization that require NetBIOS name resolution, you can use Server Manager to install this feature on servers running Windows Server 2008. However, we recommend that you investigate the use of DNS alternatives to WINS, such as a search suffix list or a global names zone.

Windows Management Instrumentation

The Windows Management Instrumentation (WMI) service provides a common interface and object model to access management information about operating systems, devices, applications, and services. WMI is an infrastructure that provides the ability to build management applications and instrumentation.

The WMI infrastructure is a Windows operating system component that moves and stores information about managed objects. It is composed of two subcomponents: the Windows Management Instrumentation service and the WMI repository. The service acts as an intermediary between the providers, management applications, and the WMI repository, and places information from a provider into the WMI repository. The service also accesses the WMI repository in response to queries and instructions from management applications. Finally, the service can pass information directly between a provider and a management application. In contrast, the WMI repository acts as a storage area for information from the various providers.

The Windows Management Instrumentation service provides access to the management data through a number of interfaces, including COM API, scripts, and command-line interfaces. It is compatible with previous management interfaces and protocols, such as Simple Network Management Protocol (SNMP). The service installs and runs automatically on computers running Windows Vista or Windows Server 2008. If the service stops, most Windows-based software cannot function properly.

Windows Media Player Network Sharing Service

The Windows Media Player Network Sharing Service shares Windows Media Player libraries to other networked players and media devices by using the UPnP architecture. By default this service is installed on all versions of Windows Vista, and its startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Modules Installer

The Windows Modules Installer enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, installation or removal of Windows updates may fail for this computer.

This service is installed by default, and its startup type is Manual.

Windows Presentation Foundation Font Cache 3.0.0.0

The Windows Presentation Foundation Font Cache 3.0.0.0 service optimizes performance of the Windows Presentation Foundation (WPF) application by caching commonly used font data. WPF applications start this service if it is not already running. It can be disabled, but doing so degrades the performance of WPF applications.

WPF is supported by default in Windows Vista.

Windows Remote Management (WS-Management)

The Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard Web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service must be configured with a listener by using the Winrm command-line tool or by using a Group Policy setting in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service be running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same computer. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should verify that any Web sites hosted on IIS do not use the /wsman URL prefix.

Windows Remote Management (WinRM) is one component of the Windows Hardware Management features introduced with Windows Server 2003 R2 that manage server hardware locally and remotely. These features include a service that implements the WS-Management protocol, hardware diagnosis and control through baseboard management controllers (BMCs), and a COM API and scripting objects that allow you to write applications that communicate remotely through the WS-Management protocol.

WinRM provides an efficient way for management applications and scripts to communicate with local and remote computers by using an encrypted channel. The Windows service that WinRM installs and uses is also named WinRM.

When a server is connected to a BMC that supports the WS-Management standard, applications and scripts can use WinRM to communicate directly with the BMC, even when the operating system is offline (pre-boot or post-failure).

When a server is not connected to a BMC, WinRM can still be used to connect to WMI remotely in situations where DCOM communication is impeded, for example, across a firewall. This usage is possible because the WS-Management standard uses a single port that is configurable by the system administrator.

WinRM exposes its own application programming interface (API) for scripting, which can be used by scripts written in any Windows Script Host-compatible language. The scripting API communicates with WMI by using syntax different from standard WMI scripts. WinRM syntax is documented in the WinRM Software Development Kit. Hardware Management uses a WMI plug-in to expose WMI classes to WinRM. To call these classes, the WMI namespace and class must be converted into a Uniform Resource Identifier (URI).

WS-Management is based on the following standard specifications:

  • HTTPS

  • SOAP over HTTP (WS-I profile)

  • SOAP 1.2

  • WS-Addressing

  • WS-Transfer

  • WS-Enumeration

  • WS-Eventing

As a security measure, if you use WinRM for remote management, you should configure the WinRM service to use the HTTPS protocol.

This service is installed by default, and its startup type is Manual.

The Windows Search service supports the Instant Search feature and provides content indexing and property caching for file, e-mail, and other content (by means of extensibility APIs). The service responds to file and e-mail notifications to index modified content. If the service is stopped or disabled, Windows Explorer cannot display virtual folder views of items, and search in Windows Explorer reverts to an item-by-item search.

The content indexed is based on the file and data types supported through add-ins included with Windows Search and the default inclusion and exclusion rules for folders in the file system. For example, the filters included in Windows Search support more than 200 common types of data, including support for Microsoft® Office documents, Office Outlook e-mail (in conjunction with the MAPI protocol handler), plaintext files, and HTML.

The main component of Windows Search is the indexer process, which is implemented as a Windows service running in the Local System account. The process is always running for all users even if no user is logged on, enabling Windows Search to maintain one index shared among all users with security restrictions on content access and to process remote queries from client computers on the network.

The Windows Search service includes a number of features to ensure that it protects the user experience and system performance when indexing. A number of conditions cause the service to throttle back or pause indexing:

  • High CPU usage by processes that are not search-related

  • High system I/O rate including file reads and writes, page file and file cache I/O, and mapped file I/O

  • Low memory availability

  • Low battery life

  • Low disk space on the drive storing the index

This service is installed by default, and its startup type is Automatic.

Windows Time

The Windows Time service maintains date and time synchronization on all computers on a Windows network. It uses the Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or timestamp, can be assigned to network validation and resource access requests. The implementation of NTP and the integration of time providers make Windows Time a reliable and scalable time service for administrators. For computers that are not joined to a domain, you can configure the Windows Time service to synchronize time with an external time source. If this service is turned off, the time setting for local computers is not synchronized with any time service in the Windows domain or external time service.

If the Windows Time service stops or if you disable it, date and time synchronization is unavailable in the network or from an external NTP server. There are two possible scenarios:

  • If you stop the Windows Time service on a workstation, the workstation cannot synchronize its time with another source, but no other external server is affected.

  • If you stop the Windows Time service on a domain controller, the same effect as in the previous scenario applies, but domain members are also unable to synchronize time with it. This inability to synchronize may adversely affect time synchronization in the organization.

By default, the Windows Time service is installed and started automatically on computers running Windows Vista or Windows Server 2008.

Windows Update (Automatic Updates)

The Windows Update service enables the download and installation of security updates for Windows and Office. It automatically provides Windows computers with the latest updates, drivers, and enhancements. When an Internet connection is available, the operating system searches for applicable updates from the Windows Update service. Depending on the configuration settings, the service may notify the user before download, notify the user before installation, or automatically install the updates.

You can disable the Windows Update feature through the Control Panel.

You can also use the Local Group Policy Editor to configure an intranet server that is configured with Windows Server Update Services to host updates from the Microsoft Update sites. This setting lets you specify a server on your network to function as an internal update service. The Windows Updates client searches this service for updates that apply to the computers on your network.

If the Windows Update service stops or if you disable it, updates are not automatically downloaded to the computer automatically. You must search for, download, and install applicable fixes manually.

WinHTTP Web Proxy Auto-Discovery Service

The WinHTTP Web Proxy Auto-Discovery Service implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol that enables an HTTP client to automatically discover a proxy configuration.

If the WinHTTP Web Proxy Auto-Discovery Service stops or if you disable it, the WPAD protocol runs within the HTTP client's process instead of an external service process, and there is no loss of functionality. This service is installed by default, and its startup type is Manual.

Wired AutoConfig

The Wired AutoConfig service performs IEEE 802.1X authentication on Ethernet interfaces. The Wired Network (IEEE 802.3) Policies Group Policy and client-side extension is a new feature in Windows Server 2008. You can use the Wired Network (IEEE 802.3) Policies Group Policy and client-side extension to specify network settings for computers running Windows Vista and Windows Server 2008 that connect to an Ethernet network through an 802.1X-compatible switch in an Active Directory environment.

Note

You cannot configure computers running Windows XP or Windows Server 2003 by using Wired Network (IEEE 802.3) Policies.

The new functionality in Wired Network (IEEE 802.3) Policies in Windows Server 2008 enables administrators to programmatically configure 802.1X-based connectivity and security settings on domain member computers running Windows Vista or Windows Server 2008.

Additionally, you can use Wired Network (IEEE 802.3) Policies to integrate client-wired Ethernet connectivity and security settings with Network Access Protection (NAP) to restrict network access for clients that do not meet system health requirements.

WLAN Autoconfig

The WLAN Autoconfig service enables automatic configuration for IEEE 802.11 wireless adapters for wireless communications. Microsoft has worked with 802.11 network-adapter vendors to automate the network adapter configuration process, which associates the network adapter with an available network and improves the wireless roaming experience on Windows.

The wireless network adapter and its Network Driver Interface Specification (NDIS) driver must do little more than provide support for a few new NDIS object identifiers (also known as OIDs) that query and set device and driver behavior. The network adapter scans for available networks and passes the information to Windows. The Wireless Configuration service configures the network adapter for an available network. When two networks cover the same area, the user can configure a preferred network order; the computer tries each network in order until it determines an active one. It is also possible to limit association to only the configured, preferred networks.

On Windows Server 2008 and Windows Vista, the WLAN AutoConfig (WLANSVC) service enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to wireless networks. The WLAN AutoConfig System Services Group Policy settings in Windows Server 2008 enable administrators to specify the service startup type of the WLAN AutoConfig service for domain member computers running with Windows Vista and Windows Server 2008 that have wireless network adapters and the associated Windows Vista adapter drivers installed.

WLAN AutoConfig Group Policy settings enable administrators to prevent domain member users from altering the startup mode of the WLAN AutoConfig service.

WMI Performance Adapter

The WMI Performance Adapter service provides performance library information from WMI high-performance providers. Applications and services that need to provide performance counters today can do so in two ways: they can write a WMI high-performance provider or write a performance library. Consumers of high-performance data also have two ways to request performance data: through WMI or through the Performance Data Helper (PDH) APIs. There are mechanisms that are in place to enable the two models to interact, so that clients that access counters through each model can still detect the counters provided by the other model. The reverse adapter is one of those mechanisms.

The WMI Performance Adapter service transforms performance counters that are supplied by WMI high-performance providers into counters that can be consumed by PDH through the Reverse Adapter Performance Library. This approach provides PDH clients such as Sysmon with the ability to consume performance counters from any WMI high-performance providers on the computer.

If the WMI Performance Adapter service stops, WMI performance counters are unavailable.

Workstation

The Workstation service is installed and runs automatically on Windows Vista and Windows Server 2008. This service creates and maintains client network connections and communications. The Workstation service is a user-mode wrapper for the Microsoft Networks redirector. It loads and performs configuration functions for the redirector, supports network connections to remote servers, supports the WNet APIs, and provides redirector statistics.

If the Workstation service stops, clients cannot establish connections to remote servers or access files through named pipes. Clients and programs cannot access files and printers on other remote computers, but TCP/HTTP connectivity is not affected. Internet browsing and Web Client access still work.

World Wide Web Publishing Service

The World Wide Web Publishing Service provides Web connectivity and administration of Web sites through the IIS snap-in. The service provides HTTP services for applications on the Windows operating system and contains a process manager and a configuration manager. The process manager controls the processes in which custom applications and simple Web sites reside. The configuration manager reads the stored computer configuration and ensures that Windows is configured to route HTTP requests to the appropriate application pools or operating system processes.

This service can monitor the processes that contain custom applications and provide recycling services for these applications. Recycling is a configuration property of an application pool and can be done on the basis of memory limits, request limits, processing time, or time of day. The service queues HTTP requests if custom applications stop responding, and also attempts to restart custom applications.

This service is an optional component that may be installed on Windows Server 2008 or Windows Vista as part of the IIS Web Server package. If the World Wide Web Publishing Service stops, the operating system cannot serve any form of Web request.