System Services

System services are programs that load automatically either as part of an application's startup process or the operating system startup process to support the different tasks required of the operating system. In recent years, services have been an attractive target for virus writers who want to attack the Windows® operating systems. Examples of viruses that exploit core Windows services include Blaster, Sasser, and Code Red. There are a number of reasons for this situation:

• Services are typically long running. Often, they start when the system starts and stop when it shuts down.

• Services are often network facing, making them especially vulnerable to remote attacks.

• Services typically run in a high-privilege account such as LocalSystem.

For Windows Vista®, some enhancements were made to the core services to accomplish the following goals:

• Limiting access to services by user applications. Session 0 isolation requires services and user applications to run in separate sessions.

• "Hardening" services to limit the ability of a compromised service to damage a system. There are two complementary ways to accomplish this goal:

  • Running with least privilege allows services to run with only those privileges that they need, and nothing more.

  • Service isolation allows services to isolate themselves from other services or applications by using a unique service identity. A service can use this identity to restrict access to its resources by other services or applications. A service can also use its identity to restrict the service's access to the resources of other services or applications. For example, service isolation allows an antivirus service to maintain exclusive access to its signature definition files.

This section of this guide helps identify the function and purpose of each service, and explain which services were left enabled in Windows Server® 2003 and Windows Vista to ensure application compatibility or client compatibility, or to facilitate computer system management.

When you first install Windows Server 2003 or Windows Vista, some services are installed and configured to run by default when the computer starts. There are fewer services installed by default than there were in Windows 2000 Server, and for Windows Server 2003 the specific services vary in accordance with the role that is assigned to each server. You may not need all of the services installed by default in your environment, and you should disable any unneeded services to enhance security.

You can configure the system services settings in the following location within the Group Policy Management Console:

Computer Configuration\Windows Settings\Security Settings\System Services\

Windows Server 2003 Services Overview

A service must log on to access resources and objects in the operating system, and most services are not designed to have their default logon account changed. If you change the default account, it is likely that the service will fail. If you select an account that does not have permission to log on as a service, the Services snap-in automatically grants that account the ability to log on as a service on the computer. However, this automatic configuration does not guarantee that the service will start. Windows Server 2003 includes three built-in local accounts that it uses as the logon accounts for various system services:

• Local System account. The Local System account is a powerful account that has full access to the computer and acts as the computer on the network. If a service uses the Local System account to log on to a domain controller, that service has access to the entire domain. Some services are configured by default to use the Local System account, and this should not be changed. The Local System account does not have a user-accessible password.

• Local Service account. The Local Service account is a special, built-in account that is similar to an authenticated user account. It has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your computer if individual services or processes are compromised. Services that use the Local Service account access network resources as a null session with anonymous credentials. The name of this account is NT AUTHORITY\Local Service, and it does not have a user-accessible password.

  The Local Service account supports the following privileges by default.

Privilege	Description
SeAssignPrimaryTokenPrivilege	Replace a process-level token
SeIncreaseQuotaPrivilege	Adjust memory quotas for a process
SeAuditPrivilege	Generate security audits
SeChangeNotifyPrivilege	Bypass traverse checking (This privilege is inherited through membership in the Everyone group.)
SeNetworkLogonRight	Access this computer from the network(This privilege is inherited through membership in the Everyone group.)
SeBatchLogonRight	Log on as a batch job

• Network Service account. The Network Service account is also a special, built-in account that is similar to an authenticated user account. Like the Local Service account, it has the same level of access to resources and objects as members of the Users group, which helps safeguard your computer. Services that use the Network Service account access network resources with the credentials of the computer account. The name of the account is NT AUTHORITY\Network Service, and it does not have a user-accessible password.

  The Network Service account supports the following privileges by default.

Privilege	Description
SeAssignPrimaryTokenPrivilege	Replace a process-level token
SeIncreaseQuotaPrivilege	Adjust memory quotas for a process
SeAuditPrivilege	Generate security audits
SeChangeNotifyPrivilege	Bypass traverse checking(This privilege is inherited through membership in the Everyone group.)
SeNetworkLogonRight	Access this computer from the network(This privilege is inherited through membership in the Everyone group.)
SeInteractiveLogonRight	Log on as a service
SeImpersonatePrivilege	Impersonate a client after authentication

Windows Vista Services Overview

In previous versions of Windows, system services commonly ran by using the Local System account, the most powerful account on the system. This made such services attractive targets for virus writers. Ideally, service developers should limit their damage potential by developing them to run using a lower-privilege account such as Local Service or Network Service. However, many services require at least some privileges that only Local System supports. The all-or-nothing model that was used in versions earlier than Windows Vista meant that a service that required any Local System privileges had to also include all other Local System privileges. This often meant including privileges that the service did not require, creating an unnecessarily high damage potential.

Windows Vista addresses this issue by allowing services to run with least privilege. Services are no longer restricted to the default set of privileges that are supported by a standard account. Instead, services can select an account that has the privileges that they require and then remove all other unnecessary privileges. This feature can be used for any type of service account: Local Service, Network Service, Local System, a domain, or a local account.

Services specify their required privileges when registering with the Service Control Manager (SCM), which grants a set of privileges to the service that is stored in the process token for the service. The privilege check uses one of the following methods:

• For stand-alone services, the SCM checks the list of required privileges against the process token. Any that were not specified as required are removed from the token.

• For shared-process services, such as services hosted in svchost, the list of privileges is the union of the required privileges for all services in the group. The only privileges that the SCM removes from the process token are those that no member of the group has specified as required.

• If a service does not specify a required set of privileges, the SCM assumes by default that the service requires all of the privileges that are associated with the account. This assures backward compatibility. However, if a service group contains a mixture of services with defined privileges and ones without defined privileges, the entire group runs with the default set of privileges for the account that they run under.

If a service requires privileges that are not in the process token, the SCM does not start the service. For example, a process that is part of a service group running under the Network Service account could specify SeLoadDriverPrivilege as a required privilege. However other processes in the group did not specify required privileges, so the process token for the group contains only those privileges defined for the Network Service account. SeLoadDriverPrivilege is not supported by a Network Service process token, so the start attempt for that process fails. Administrators must understand this issue when they make configuration changes such as changing the service image of a shared-process service while the target service process is running. The service can start only if the target service process supports the specified privileges.

Service isolation

Many services require access to certain objects that are available only to high-privilege accounts. For example, a service might have to write to a registry key that provides write access only to administrators. Earlier than Windows Vista, services typically gained access to such objects by running in a high-privilege account such as Local System. An alternative approach was to weaken the security on the objects to allow access by services that are running in a generic lower-privilege account.

Both approaches increased the risk that an attacker or malicious software could gain control of the system. The only way for an administrator to mitigate this risk was to create an account specifically for the service and allow access to the objects only for that account. However, this approach created manageability problems, most notably password management, because the administrator no longer had the advantages of using built-in operating system accounts.

To mitigate this problem, Windows Vista introduces service isolation, which provides services a way to access specific objects without having to either run in a high-privilege account or weaken the objects' security protection. For example, service isolation allows an antivirus service to run in a lower-privilege account than Local System but still maintain complete access to its signature definition files or registry keys that would normally be accessible only to administrators.

A service isolates an object for its exclusive use by securing the resource—such as file or registry key access—with an access control entry that contains a service security ID (SID). This ID is referred to as a per-service SID. A per-service SID is derived from the service's name and is unique to that service.

After a SID has been assigned to a service, the service owner can then modify the required objects' ACLs to allow access to the SID. For example, a registry key in HKEY_LOCAL_MACHINE\SOFTWARE would normally be accessible only to services with administrative privileges. By adding the per-service SID to the key's ACL, the service can run in a lower-privilege account but still have access to the key.

If a per-service SID is enabled, it is added to the service's process token. Note that a per-service SID must be enabled at the time the service's process is started to be added to the process token. If a process hosts multiple services with enabled SIDs, all the SIDs of these services are added to the process token. Per-service SIDs also allow a process token to be converted to a restricted token by adding one or more SIDs to the restricted token list.

Restricted SIDs

Using a per-service SID provides a good degree of isolation and allows the service to run in a lower-privilege account. However, it does not prevent the service from accessing other resources that are accessible to the account because the process token also contains the SID for the account. Consider the following scenario:

Service X runs in the Local Service account and has a service SID enabled. In addition to having access to objects that have specifically granted this service access—by using the per-service SID—it also has access to all objects that grant access to Local Service. As a result, if this service were compromised, the attacker could cause damage by accessing the resources that are not related to the service.

To mitigate this problem and reduce the damage potential of compromised services, Windows Vista uses a hybrid approach that combines write-restricted tokens and per-service SIDs to introduce restricted SIDs for services.

When a service enables a restricted SID, the per-service SID of that service is added to both the normal and restricted SID list of the write-restricted service process token. This guarantees that the service can write only to objects that have explicitly granted write access to one of the SIDs in the restricted list. Returning to the example above, by enabling restricted SIDs, Service X can no longer write to any objects that grant write access to Local Service account because those objects do not explicitly grant write access to the per-service SID of service X.

System Service Settings

System services are described differently from the other settings in this guide because the vulnerability, countermeasure, and potential impact statements are almost identical for all services. The following are some general rules for managing system services vulnerabilities, countermeasures, and potential impacts.

For each system service, you can assign a service startup mode through Group Policy. The possible values for these Group Policy settings are:

• Automatic. Service automatically starts when computer is restarted.

• Manual. Service does not start until a program or user explicitly starts it.

• Disabled. The service cannot be started.

• Not Defined

Vulnerability

Any service or application is a potential point of attack.

Countermeasure

Disable all unnecessary services.

There are additional optional services available in Windows Server 2003, such as Certificate Services, that are not installed during a default installation of the operating system.

You can add these optional services to an existing computer through Add/Remove Windows Components in Control Panel or the Windows Server 2003 Configure Your Server Wizard. You can also create a customized automated installation of Windows Server 2003. In the Member Server Baseline Policy (MSBP) that is described in the Windows Server 2003 Security Guide (https://go.microsoft.com/fwlink/?LinkId=14845), these optional services and all unnecessary services are disabled.

Another way to manage service security is to configure an ACL for each service with a user-defined list of accounts. This method provides a way to control starting of the service and access to the running service.

Do not set permissions on service objects

There are graphical user interface (GUI)–based tools that you can use to edit services. We recommend that you not alter the permissions on services that are included with Windows Vista, Windows XP, or Windows Server 2003 because the default permissions are already quite restrictive.

To modify the properties of system services, you can use the following tools as appropriate:

• Use the Security Configuration Wizard, an optional Windows component that is included in Windows Server 2003 with Service Pack 1 (SP1). We recommend this approach when you need to configure services and network port filters for various Windows Server 2003 server roles.

• Run the Security Templates snap-in and Group Policy Object Editor on a server that runs Windows Server 2003 with SP1. We recommend this approach when you need to configure services for security templates or Group Policy settings that will be applied to Windows Vista or Windows XP.

Potential impact

If some services (such as the Security Accounts Manager) are disabled, you will not be able to restart the computer. If other critical services are disabled, the computer may not be able to authenticate with domain controllers. If you want to disable some system services, you should test the changed settings on non-production computers before you change them in a production environment.

Descriptions of System Services

The following subsections describe the Windows Server 2003, Windows Vista, and Windows XP services. Windows Vista includes many new services that were not part of Windows XP or Windows Server 2003. Each service description includes a list of operating systems that the service is available on. Some service names were slightly changed between Windows Server 2003 and Windows Vista. In those cases, the name of the service in Windows Server 2003 is in parenthesis in the subsection heading.

Alerter

The Alerter service notifies selected users and computers of administrative alerts. You can use this service to send alert messages to specified users that are connected on your network.

Alert messages warn users about security, access, and user session problems. Alert messages are sent from a server to a client computer, and the Messenger service must be running on the client computer for the user to receive alert messages. (The Messenger service is disabled by default in Windows XP and Windows Server 2003 so that malicious users cannot send false notifications.)

If the Alerter service is disabled, applications that use the NetAlertRaise or NetAlertRaiseEx application programming interfaces (APIs) will be unable to notify a user or computer—by means of a message box that the Messenger service displays—that the administrative alert took place. For example, many uninterruptible power supply (UPS) management tools use the Alerter service to notify administrators of significant events that are related to the UPS. To use this service, configure its startup type to Automatic so that external components can use it when needed.

Available on:

Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows XP Professional	Windows Server 2003 Enterprise Edition
	Windows Server 2003 Datacenter Edition
	Windows Server 2003 Web Edition

Application Experience (Application Experience Lookup Service)

The Application Experience service (AELookupSvc) is a part of the Application Compatibility Administrator. It processes application compatibility lookup requests for applications as they are started, provides support for Windows Server 2003 and Windows Vista-based computers, reports on compatibility issues, and automatically applies software updates to programs.

The Application Experience service must be active for application compatibility software updates to be applied. You cannot customize this service; the operating system uses it internally. This service does not use any network, Internet, or Active Directory® directory service resources.

If you disable the Application Experience service, the service continues to run but no calls are made to the service. You cannot stop the actual process.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

Application Information

The Application Information service (Appinfo) facilitates the running of interactive applications with additional administrative privileges. If this service is stopped, users are unable to start applications with the additional administrative privileges they may require to perform desired user tasks. For example, if this service is disabled, system tools like Services and Regedit are not able to run.

To enable this service once it has been disabled, you must start your computer in Safe Mode to get access to the Services snap-in console.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Application Layer Gateway Service

The Application Layer Gateway Service is a subcomponent of the Windows networking subsystem. It provides support for plug-ins that allow network protocols to pass through the firewall and work behind Internet connection sharing. Application Layer Gateway (ALG) plug-ins can open ports and change data that is embedded in packets, such as ports and IP addresses. File Transfer Protocol (FTP) is the only network protocol that has a plug-in included with Windows Server 2003 Standard Edition and Windows Server 2003 Enterprise Edition.

The ALG FTP plug-in is designed to support active FTP sessions through the network address translation (NAT) engine that is included with Windows. To do this, the ALG FTP plug-in redirects all traffic that passes through the NAT and that is destined for port 21 to a private listening port in the 3000–5000 range on the loopback adapter. The ALG FTP plug-in then monitors/updates traffic on the FTP control channel so that the FTP plug-in can plumb port mappings through the NAT for the FTP data channels. The FTP plug-in also updates ports in the FTP control channel stream.

If the Application Layer Gateway Service stops, network connectivity for the referenced protocols is unavailable and adversely affects the network. For example, if you disable this service the Windows Messenger and MSN® Messenger instant messaging applications will fail.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

Application Management

The Application Management service (AppMgmt) provides software installation services such as Assign, Publish, and Remove. It processes requests to enumerate, install, and remove applications that are deployed through an organization's network by using Group Policy. When you use Programs and Features in Windows Vista or Add or Remove Programs in Windows Server 2003 to install programs from the network on a domain-joined computer, Windows calls this service to retrieve the list of deployed applications on your network. The service is also called when you use Control Panel to remove an application, or when a component (such as the shell) makes an installation request for an application to handle an extension, Component Object Model (COM) class, or ProgID that is not present on the computer. The service is started by the first call that is made to it, and it does not stop after it is started.

If the Application Management service stops or if you disable it, users are unable to install, remove, or enumerate applications that are deployed in Active Directory through Microsoft® IntelliMirror® management technologies.

You cannot stop this service after it is started without restarting the computer. If you do not require this service and do not want it to start, you must disable it.

Available on:

Windows Vista Enterprise	Windows Server 2003 Standard Edition
Windows Vista Ultimate	Windows Server 2003 Enterprise Edition
	Windows Server 2003 Datacenter Edition
	Windows Server 2003 Web Edition

ASP .NET State Service

The ASP .NET State Service provides support for out-of-process session states for ASP.NET. ASP.NET has a concept of session state—a list of values that are associated with the client session is accessible from ASP.NET pages through the Session setting. Three options are provided to store the session data: in process, Microsoft SQL Server database, and out-of-process session state server.

The ASP.NET State Service stores session data out-of-process. The service communicates with ASP.NET, which runs on the Web server by using sockets. If this service stops or if you disable it, no out-of-process requests are processed. The executable code for this service is installed by default, but the service itself is disabled until you manually change its startup type to Automatic or Manual.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Background Intelligent Transfer Service (BITS)

The Background Intelligent Transfer Service is a background file transfer mechanism and queue manager. BITS transfers files asynchronously between a client and an HTTP server. By default, requests to BITS are submitted and the files are transferred through otherwise idle network bandwidth so that other network-related activities, such as browsing, are not affected.

BITS suspends the transfer if a connection is lost or if the user logs off. The BITS connection is persistent, and transfers information while the user is logged off, across network disconnects, and during computer restarts. When the user logs on, BITS resumes the user's transfer job.

BITS uses a queue to manage file transfers. You can prioritize transfer jobs within the queue and specify whether the files are transferred in the foreground or background. Background transfers are optimized by BITS, which increases and decreases (or throttles) the rate of transfer based on the amount of idle network bandwidth that is available. If a network application begins to consume more bandwidth, BITS decreases its transfer rate to preserve the user's interactive experience.

BITS provides one foreground and three background priority levels that you can use to prioritize transfer jobs. Higher priority jobs preempt lower priority jobs. Jobs at the same priority level share transfer time and round-robin scheduling prevents blockage of the transfer queue by a large job. Lower priority jobs do not receive transfer time until all higher priority jobs are complete or in an error state.

The startup type of BITS is Manual in both Windows Server 2003 and Windows XP, and is Automatic in Windows Vista.

If BITS stops, features such as Windows Update are unable to automatically download programs and other information. This functionality means that the computer is also unable to receive automatic updates from the organization's Windows Server Update Services server if one has been configured through Group Policy. If you disable this service, any services that explicitly depend on it will fail to transfer files unless they have a fail-safe mechanism to transfer files directly through other methods, such as Internet Explorer®.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

Base Filtering Engine

The Base Filtering Engine (BFE) is a service that manages firewall and IPsec policies and implements user mode filtering. Stopping or disabling the BFE service significantly reduces the security of the system. It also results in unpredictable behavior in IPsec management and firewall applications.

The BFE is the core of the new Windows Filtering Platform in Windows Vista and is required for the following services to start properly:

• Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) IPsec Keying Modules

• Internet Connection Sharing (ICS)

• IPsec Policy Agent

• Routing and Remote Access

• Windows Firewall

This service default startup type is Automatic and the service should not be disabled.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Block Level Backup Engine Service

The Block Level Backup Engine Service (wbengine) performs block level backup and recovery of data. This service is used by the Backup and Restore Center in the Control Panel. It allows for backups to occur at the hard disk level, instead of just file by file, in a process similar to disk imaging.

This service startup type is by default Manual.

Available on:

Windows Vista Enterprise

Windows Vista Ultimate

Certificate Propagation

The Certificate Propagation service (CertPropSvc) propagates certificates from smart cards to resources that request them. The Certification Propagation service applies when a logged-on user inserts a smart card in a reader that is attached to the computer. This action causes the certificates to be read from the smart card. The certificates are then added to the user's personal store.

If the Group Policy "CertPropRootEnabledString" is set, then Root Certificates are also propragated to the machine root trust store. Root certificate propagation is responsible for the following specific smart card deployment scenarios, where public key infrastructure (PKI) trust has not yet been established:

• Joining the domain

• Accessing a network remotely

In both cases, the computer is not joined to a domain and, therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server (the domain controller or the RADIUS server). Root certificate propagation provides the ability to use the smart card to include the missing trust chain.

On smart card insertion, the Certificate Propagation service will propagate any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the organization

This service startup type is by default Manual. However, if you have deployed smart cards as part of your authentication policy, we recommend configuring this setting with the Automatic startup type.

For more information about deploying smart cards with Windows Vista, see "Windows Vista Smart Card Infrastructure" on the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkID=111969).

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Certificate Services

The Certificate Services service functions as part of the core operating system to enable a business to act as its own certification authority (CA) and issue and manage digital certificates for applications such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL), Encrypting File System (EFS), IPsec, and smart card logon. Windows Server 2003 supports multiple levels of a CA hierarchy and cross-certified trust network, including offline and online CAs.

Certificate Services is not installed by default. Administrators must install it through Add/Remove Windows Components in Control Panel. If Certificate Services stops or if you disable it after installation, certificate requests are not accepted and certificate revocation lists (CRLs) and delta CRLs are not published. If the service stops long enough for CRLs to expire, existing certificates fail to validate.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Client Service for NetWare

Servers with the Client Service for NetWare service installed provide access to file and print resources on NetWare networks for interactively logged-on users. With Client Service for Netware, you can access file and print resources on Netware servers that run Novell Directory Services (NDS) or bindery security (NetWare versions 3.x or 4.x) from your computer.

Client Service for NetWare does not support the IP protocol and therefore cannot be used to interoperate with NetWare 5.x in an IP-only environment. To provide this capability, you must load the Internetwork Packet Exchange (IPX) protocol on the NetWare 5.x server or use a redirector that is compatible with Netware Core Protocol (NCP) and supports native IP.

If the Client Service for NetWare service stops or if you disable it, you will lose access to file and print resources on NetWare networks unless you install the Novell Client for NetWare. This service is not installed or enabled by default.

Available on:

Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows XP Professional	Windows Server 2003 Enterprise Edition
	Windows Server 2003 Datacenter Edition
	Windows Server 2003 Web Edition

ClipBook

The ClipBook service enables the ClipBook Viewer to create and share pages of data for review by remote users. This service depends on the Network Dynamic Data Exchange (NetDDE) service to create the actual file shares that other computers can connect to. The ClipBook application and service allow you to create the pages of data to share.

The ClipBook service is installed by default, but its startup type is Disabled. When this service stops, the ClipBook Viewer cannot share information with remote computers. Clipbrd.exe can still be used to view the local Clipboard, where data is stored when a user highlights text and either clicks Copy from the Edit menu or presses CTRL+C on the keyboard.

Available on:

Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows XP Professional	Windows Server 2003 Enterprise Edition
	Windows Server 2003 Datacenter Edition
	Windows Server 2003 Web Edition

Cluster Service

The Cluster service controls server cluster operations and manages the cluster database. A cluster is a collection of independent computers that work together to provide load balancing and failover support. Applications that can run on a cluster, such as Microsoft Exchange Server and Microsoft SQL Server, use the cluster to present a single virtual computer to users. The cluster software spreads data and computation tasks among the nodes of the cluster. When a node fails, other nodes provide the services and data that were formerly provided by the missing node. When a node is added or repaired, the cluster software migrates some data and computation tasks to that node.

There are two different types of cluster solutions for the Windows platform that support different application styles: server clusters and Network Load Balancing (NLB) clusters. Server clusters provide a highly available environment for applications that must run reliably for long periods of time (such as databases or file servers), and provide failover support with tightly integrated cluster management. NLB clusters provide a highly available and highly scalable environment for other types of applications such as public-facing Web servers, and load balance client requests among a set of identical servers.

The Cluster service provides support for server clusters. It is the essential software component that controls all aspects of the cluster operation and manages the cluster database. Each node in a cluster runs one instance of the Cluster service.

The Cluster service is not installed or enabled by default. If the Cluster service stops after it is installed, clusters are unavailable.

Available on:

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

CNG Key Isolation

The CNG Key Isolation service is hosted in the Local Security Authority (LSA) process as part of system cryptography support. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security. Common Criteria is based upon a framework in which computer system users can specify their security requirements, vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous and standard manner.

The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements. To comply with Common Criteria requirements, the long-lived keys must be isolated so that they are never present in the application process. Cryptography Next Generation (CNG) currently supports the storage of asymmetric private keys by using the Microsoft software key storage provider (KSP) that is included with Windows Server 2008 and Windows Vista and installed by default.

Key isolation is enabled by default in Windows Server 2008 and Windows Vista. The key isolation feature is not available on platforms prior to these. Also, non-Microsoft KSPs are not loaded in the key isolation service (LSA process). Only the Microsoft KSP is loaded in the key isolation service.

The LSA process is used as the key isolation process to maximize performance. All access to private keys goes through the key storage router, which exposes a comprehensive set of functions for managing and using private keys.

CNG stores the public portion of the stored key separately from the private portion. The public portion of a key pair is also maintained in the key isolation service and is accessed by using lightweight remote procedure call (LRPC). The key storage router uses LRPC when calling into the key isolation process. All access to private keys goes through the private key router and is audited by CNG.

This service startup type is by default Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

COM+ Event System

The COM+ Event System service provides automatic event distribution to COM components that subscribe to it. COM+ events extend the COM+ programming model to support late-bound events or method calls between the publisher or subscriber and the event system. The event system notifies event consumers as information becomes available, and does not repeatedly poll the server.

The COM+ Event System service handles most of the event semantics for the publisher and subscriber. Publishers offer to publish event types, and subscribers request event types from specific publishers. Subscriptions are maintained outside the publisher and subscriber and retrieved when needed, which simplifies the programming model for both. The subscriber does not need to contain the logic to build subscriptions—it is possible to build a subscriber as easily as a COM component. The life cycle of the subscription is separate from that of either the publisher or the subscriber. You can build subscriptions before either the subscriber or publisher is made active.

This service is installed by default, but is not started until an application requests its services. When COM+ Event System stops, the System Event Notification service closes and is not able to provide logon and logoff notifications. The Volume Shadow Copy Service, which is needed for Windows Backup and backup applications that rely upon the Windows Backup API, requires this service.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

COM+ System Application

The COM+ System Application service manages the configuration and tracking of COM+-based components. If this service stops, most COM+-based components do not function properly. The Volume Shadow Copy Service, which is needed for Windows Backup and backup applications that rely upon the Windows Backup API, requires this service.

This service is installed and enabled by default.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

Computer Browser

The Computer Browser service maintains an up-to-date list of computers on your network and supplies the list to programs that request it. The Computer Browser service is used by Windows-based computers that need to view network domains and resources. Computers that are designated as browsers maintain browse lists, which contain all shared resources that are used on the network. Earlier versions of Windows applications, such as My Network Places, the NET VIEW command, and Windows NT® Explorer, all require browsing capability. For example, if you open My Network Places on a Windows 95–based computer, a computer that is designated as a browser generates the list of domains and computers that displays.

There are several different roles a computer might perform in a browsing environment. Under some conditions, such as failure or shutdown of a computer that is designated for a specific browser role, browsers or potential browsers may change to a different operational role.

The Computer Browser service is enabled and started by default. If it stops, the browser list is not updated or maintained.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

Cryptographic Services

The Cryptographic Services service provides key-management services for your computer. Cryptographic Services is actually composed of three different management services:

• Catalog Database Service. This service adds, removes, and looks up catalog files, which are used to sign all the files in the operating system. Windows File Protection (WFP), Driver Signing, and setup use this service to verify signed files. You cannot stop this service during setup. If the service stops after setup, it will restart when requested by an application.

• Protected Root Service. This service adds and removes Trusted Root Certification Authority certificates. The service displays a service message box with the certificate's name and thumbprint. If you click OK, the certificate is added or removed from your current list of trusted root authorities. Only Local System accounts have write access to the list. If this service stops, the current user is not able to add or remove Trusted Root Certification Authority certificates.

• Key Service. This service allows administrators to enroll for certificates on behalf of the local computer account. The service provides several functions that are required for enrollment, such as enumeration of available CAs, enumeration of available computer templates, and the ability to create and submit a certificate request in the local computer context. Only administrators may enroll on behalf of the local computer account. The Key Service also allows administrators to remotely install Personal Information Exchange (PFX) files on your computer. If this service stops, autoenrollment is not able to automatically acquire the default set of computer certificates.

The Cryptographic Services service is enabled and started automatically by default. If it stops, the management services that are referenced in the preceding paragraphs do not function properly.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

DCOM Server Process Launcher

In versions of Windows earlier than Windows Server 2003 with Service Pack 1, the Remote Procedure Call (RPC) service (RPCSS) ran as Local System. To reduce the attack surface of Windows and provide defense in depth, the RPC service functionality was split into two services in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

The RPCSS service retains all of the original functionality that did not require Local System privileges, and it now runs under the Network Service account. The DCOM Server Process Launcher (DCOMLaunch) service incorporates the functions of the old RPC service that required Local System privileges; it runs under the Local System account. This service is enabled and started by default.

If the DCOM Server Process Launcher service stops, remote procedure calls and DCOM requests on the local computer will not function properly. In particular, the Windows Firewall service will fail if this service stops.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

Desktop Window Manager Session Manager

The Desktop Window Manager Session Manager service provides Desktop Window Manager startup and maintenance services. The service supports the Themes service and checks that applications are compatible with the new Aero user experience in Windows Vista. If an application is not compatible with Aero, then this service causes it revert to a classic Windows theme that it supports.

If your computer does not support Aero graphics, you may see improved performance by disabling this service.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

DFS Replication (File Replication)

In Windows Server 2003, the File Replication Service allows files to be automatically copied and maintained simultaneously on multiple servers. It can also be configured to replicate files among alternate targets that are associated with the fault-tolerant DFS.

If the File Replication Service stops, file replication will not occur and server data will not synchronize. Also, a domain controller's ability to function could be seriously affected if this service stops. The File Replication Service is installed by default on Windows Server 2003, but its startup type is configured to Manual.

In Windows Vista, the DFS Replication service replicates files among multiple computers keeping them in sync. It is used to roam folders between computers. If the service is stopped, file replication does not occur, and the files become out of date.

This service startup type is by default Manual.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

DHCP Client

The DHCP Client service manages network configuration. It registers and updates IP addresses and Domain Name System (DNS) names for your computer. You do not have to manually change the IP settings for a client computer, such as a portable computer, that connects from different locations throughout the network. The client computer is automatically given a new IP address, regardless of the subnet it reconnects to (if a DHCP server is accessible from the subnets). There is no need to manually configure settings for DNS or WINS. The DHCP server can provide these settings to the client if the DHCP server is configured to issue such information. To enable this option on the client, click Obtain DNS Server Address Automatically. No conflicts are caused by duplicate IP addresses.

If the DHCP Client service stops, your computer does not receive dynamic IP addresses and automatic dynamic DNS updates stop being registered on the DNS server.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

DHCP Server

The DHCP Server service allocates IP addresses and enables advanced configuration of network settings such as DNS servers and WINS servers to DHCP clients automatically. DHCP uses a client/server model. The network administrator establishes one or more DHCP servers that maintain TCP/IP configuration information and provide the information to client computers. The server database includes the following:

• Valid configuration parameters for all client computers on the network.

• Valid IP addresses that are maintained in a pool for assignment to client computers, plus reserved addresses for manual assignment.

• Duration of the lease offered by the server. The lease defines the length of time the assigned IP address is valid.

DHCP is an IP standard that is designed to reduce the complexity of address configuration administration. It uses a server computer to centrally manage IP addresses and other related configuration details for your network. Windows Server 2003 provides the DHCP service, which enables the server computer to perform as a DHCP server and configure DHCP-enabled client computers on your network as described in the current DHCP draft standard, Internet Engineering Task Force (IETF) Request for Comments (RFC) 2131.

DHCP includes the Multicast Address Dynamic Client Allocation Protocol (MADCAP), which is used to perform multicast address allocation. When registered client computers are dynamically assigned IP addresses through MADCAP, they can participate efficiently in the data stream process, such as for real-time video or audio network transmissions.

With a DHCP server installed and configured on your network, DHCP-enabled client computers can obtain their IP addresses and related configuration parameters dynamically each time they start and join the network. DHCP servers provide this configuration in the form of an address-lease offer to the client computers.

If the DHCP Server service stops, the server will no longer issue IP addresses or other configuration parameters automatically. This service is only installed and activated if you configure a Windows Server 2003-based computer as a DHCP server.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Diagnostic Policy Service

The Diagnostic Policy Service (DPS) enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function. The Diagnostic Policy Service supports the Network Diagnostic Framework in Windows Vista that is used to troubleshoot network connectivity issues.

This service startup type is by default Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Diagnostic Service Host

The Diagnostic Service Host (WdiServiceHost) enables problem detection, troubleshooting, and resolution for Windows components. If this service is stopped, diagnostics will no longer function. The Diagnostic Service Host is part of the Network Diagnostic Framework in Windows Vista that is used to troubleshoot network connectivity issues. When a user selects Diagnose and Repair from either the Network and Sharing Center or the Network Connection context menu, the Diagnostic Policy Service starts the Diagnostic Service Host. The service will continue to run until the computer is restarted.

This service startup type is by default Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Diagnostic System Host

The Diagnostic System Host (WdiSystemHost) enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics will no longer function. The Diagnostic System Host is part of the Network Diagnostic Framework in Windows Vista that is used to troubleshoot network connectivity issues.

This service startup type is by default Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Distributed File System

The Distributed File System service manages logical volumes that are distributed across a local or wide area network (WAN) and is required for the Active Directory SYSVOL share. Distributed File System (DFS) is a distributed service that integrates disparate file shares into a single logical namespace.

This namespace is a logical representation of the network storage resources that are available to users on the network. If the Distributed File System service stops, you are unable to access file shares or network data through the logical namespace. To access the data when the service is stopped, you need to know the names of all the servers and all the shares in the namespace, and access each of these targets independently. This service is installed and run by default on Windows Server 2003-based computers.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Distributed Link Tracking Client

The Distributed Link Tracking Client service maintains links between the NTFS file system files within your computer or across computers in your network domain. This service ensures that shortcuts and Object Linking and Embedding (OLE) links continue to work after the target file is renamed or moved.

When you create a shortcut to a file on an NTFS volume, distributed link tracking stamps a unique object identifier (ID) into the target file, which is known as the link source. The file that refers to the target file (known as the link client) also stores information about the object ID internally. Distributed link tracking can use this object ID to locate the link source file in the following scenarios:

• When the link source file is renamed.

• When the link source file is moved to another folder on the same volume or a different volume of the same computer.

• When the link source file is moved to another computer in the network.

• When the shared network folder that contains the link source file is renamed.

In a Windows 2000 or Windows Server 2003 domain in which the Distributed Link Tracking Server service is available, the link source file can be found in the following additional scenarios:

• When the computer that contains the link source file is renamed.

• When the volume that contains the link source file is moved to another computer within the same domain.

The scenarios that involve the Distributed Link Tracking Server service require that the client computer—the computer on which the Distributed Link Tracking Client service is running—have the DLT_AllowDomainMode system policy configured for clients that run Windows XP with SP1 or SP2. For all of the above scenarios, the link source file must be on an NTFS volume that runs Windows 2000, Windows XP, or Windows Server 2003. The NTFS volumes cannot be on removable media.

If the Distributed Link Tracking Client service stops, any links to content on that computer will not be maintained or tracked.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

Distributed Link Tracking Server

The Distributed Link Tracking Server service stores information so that files that are moved between volumes can be tracked for each volume in the domain. When enabled, the Distributed Link Tracking Server service runs on each domain controller in a domain. This service enables the Distributed Link Tracking Client service to track linked documents that have been moved to a location in another NTFS volume in the same domain.

The Distributed Link Tracking Server service is disabled by default. If you enable it, you must do so on all domain controllers of a domain. If the Distributed Link Tracking Server service is enabled on a domain controller that is upgraded to a newer version of Windows Server, the service must be re-enabled manually.

If the Distributed Link Tracking Server service is enabled, then the DLT_AllowDomainMode system policy must be enabled for Windows XP client computers to be able to use it. If the Distributed Link Tracking Server service is enabled and then later disabled, purge its entries in Active Directory. For more information, see article 312403, Distributed Link Tracking on Windows–based domain controllers, in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=100974).

If the Distributed Link Tracking Server service stops or if you disable it, links that are maintained by the Distributed Link Tracking Client service will eventually become less reliable

In Windows Server 2003, the Distributed Link Tracking Server service is installed but the startup type is Disabled by default.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Distributed Transaction Coordinator

The Distributed Transaction Coordinator service coordinates transactions that are distributed across multiple computers and/or resource managers, such as databases, message queues, file systems, and other transaction–based resource managers. This service is necessary if transactional components are to be configured through COM+. It is also required for transactional queues in Message Queuing (also known as MSMQ) and SQL Server operations that span multiple computers.

The Distributed Transaction Coordinator service is installed and running by default. If it stops, transactions that use this service are not performed. Clustered installations of Microsoft Exchange, SQL Server, or other applications that make use of transaction services may be affected if this service stops.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

DNS Client

The DNS Client service resolves and caches Domain Name System (DNS) names for your computer. The DNS Client service must run on every computer that performs DNS name resolution. DNS name resolution is needed to locate domain controllers in Active Directory domains. The DNS Client service is also needed to enable location of the devices that are identified through DNS name resolution.

The DNS Client service that runs on Windows Server 2003 implements the following features:

• System-wide caching. Resource records (RRs) from query responses are added to the client cache as applications query DNS servers. This information is then cached for a specific Time to Live (TTL) and can be used again to answer subsequent queries.

• RFC-compliant negative caching support. In addition to positive query responses from DNS servers (which contain resource record information in the answered reply), the DNS Client service also caches negative query responses.

  A negative response results when a RR for the queried name does not exist. Negative caching prevents the repetition of additional queries for names that do not exist, which can adversely affect client computer performance. Any negative query information that is cached is kept for a shorter period of time than positive query information; by default, no more than five minutes. This configuration prevents stale negative query information from being continuously cached if the records later become available.

• Avoidance of unresponsive DNS servers. The DNS Client service uses a server search list that is ordered by preference. This list includes all preferred and alternate DNS servers that are configured for each of the active network connections on the computer. Windows Server 2003 rearranges these lists based on the following criteria:

  • Preferred DNS servers are given first priority.

  • If no preferred DNS servers are available, then alternate DNS servers are used.

  • Unresponsive servers are removed temporarily from these lists.

If the DNS Client service stops, the computer will not be able to resolve DNS names or locate Active Directory domain controllers, and users may not be able to log on to the computer.

This service startup type is by default Automatic.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

DNS Server

The DNS Server service enables DNS name resolution. It answers queries and update requests for DNS names. DNS servers are needed to locate devices that are identified by their DNS names and to locate domain controllers in Active Directory.

If the DNS Server service stops or if you disable it, DNS updates do not occur. The DNS Server service does not need to run on every computer. However, if there is no authoritative DNS server for a particular portion of the DNS namespace, the location of the devices that use DNS names in that portion of the namespace fail. Absence of an authoritative DNS server for the DNS namespace that is used to name Active Directory domains results in an inability to locate domain controllers in that domain.

The DNS Server service is only installed and activated if you configure a Windows Server 2003-based computer as a DNS server. In this situation the service startup type is Automatic.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Windows Event Log (Event Log)

The Event Log service enables event log messages that are issued by Windows–based programs and components to be viewed in Event Viewer. These event log messages contain information that can help diagnose problems with applications, services, and the operating system. The logs can be viewed through the Event Log APIs or through the Event Viewer console.

By default, a computer that runs Windows Server 2003 records events in three different logs:

• Application log. This log records application program events. For example, a database program might record a file error in the Application log. Program developers decide which events to log.

• Security log. This log records events such as valid and invalid logon attempts, as well as events that are related to resources—such as when files or other objects are created, opened, or deleted. For example, if you enable logon auditing, attempts to log on to the computer are recorded in the Security log.

• System log. This log records events that relate to Windows components. For example, the System log would record the failure of a driver or other component to load during startup. The event types that are logged by Windows components are predetermined by the server.

A Windows Server 2003–based computer that is configured as a domain controller records events in two additional logs:

• Directory service log. This log records events that relate to Active Directory. For example, connection problems between the server and the global catalog are recorded in the Directory service log.

• File Replication Service log. This log records Windows File Replication Service events. For example, file replication failures and events that occur while domain controllers are being updated with information about system volume changes are recorded in the File Replication log.

A computer that runs Windows and is configured as a DNS server records events in an additional log:

• DNS Server log. This log contains events that are logged by the Windows DNS service.

In Windows Vista the Event Log is replaced by the Windows Event Log, which has an expanded feature set and a new set of developer APIs. This service has been greatly expanded to support more detailed logging of events, querying events, subscribing to events, archiving event logs, and managing event metadata. Events can be displayed in both XML and plain text format. With the inclusion of detailed logging support, the number of logs that are available has increased so that they cannot be listed in the scope of this document.

You cannot stop the either the Event Log service or the Windows Event Log service. If you disable the service, it would be impossible to track events, which will significantly reduce the ability to successfully diagnose computer problems. Also, security events would not be audited, and you would not be able to view previous event logs with the Event Viewer console.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

Extensible Authentication Protocol

The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, virtual private network (VPN), and Network Access Protection (NAP). EAP also provides APIs that are used by network access clients, including wireless and VPN clients, during the authentication process.

EAP supports authentication schemes such as Generic Token Card, One Time Password (OTP), Message Digest 5 (MD5)-Challenge, Transport Layer Security (TLS) for smart card and digital certificate-based authentication, and future authentication technologies. EAP is a critical technology component for establishing secure connections. If you disable this service, this computer is prevented from accessing networks that require EAP authentication.

This service startup type is by default Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Fax Service

The Fax Service, a Telephony API (TAPI)-compliant service, provides fax capabilities from users' computers. The Fax Service allows users to send and receive faxes from their desktop applications through either a local fax device or a shared network fax device. The service offers the following features:

• Fax distribution and receipt

• Fax activity tracking and monitoring

• Inbound fax routing

• Server and device configuration management

• Archiving of sent faxes

If you disable the print spooler or telephony service, the Fax Service does not start successfully. If this service stops, users cannot send or receive faxes. The Fax Service startup type is Manual; it stops when there is no fax activity and restarts on an as-needed basis.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

File Server for Macintosh

The File Server for Macintosh service enables Macintosh computer users to store and access files on computers that run Windows Server 2003. If you disable this service, Macintosh client computers cannot store and access files on Windows Server 2003–based computers.

This service is not installed or started by default.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

FTP Publishing Service

The FTP Publishing Service provides FTP connectivity and administration through the Microsoft Internet Information Services (IIS) snap-in. Features include the ability to throttle bandwidth, security accounts, and extensible logging. This service includes the new FTP User Isolation feature, which allows users to access only their files on an FTP site. Also, there is improved international support.

If the FTP Publishing Service stops, the server cannot function as an FTP server. This service is not installed by default.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Function Discovery Provider Host

The Function Discovery Provider Host service provides the host process for Function Discovery providers. Function Discovery provides a uniform programmatic interface for enumerating system resources, such as hardware devices, whether they are local or connected through a network. It enables applications to discover and manage lists of devices or objects sorted by functionality or class. Users will benefit from this categorized view of devices on their system. Both applications and users can use Function Discovery to discover what functions their system can perform, regardless of the underlying device or software architecture.

Function Discovery supports an extensible discovery provider model. The providers included in the system provide an abstraction layer over existing standards such as Plug and Play, Simple Service Discovery Protocol (SSDP), Web Services Dynamic Discovery (WS-Discovery), and the registry. Custom providers can be created to expose your organization's resources through Function Discovery. Function Discovery is a component of the Windows Connect Now technologies built into Windows Server® 2008 and Windows Vista.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Function Discovery Resource Publication

The Function Discovery Resource Publication service publishes this computer and resources attached to this computer so that they can be discovered over the network. If this service is stopped, network resources will no longer be published and they will not be discovered by other computers on the network.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Group Policy Client

The Group Policy Client service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. If the service is stopped or disabled, the settings will not be applied and applications and components will not be manageable through Group Policy. Any components or applications that depend on the Group Policy component might not be functional if the service is stopped or disabled.

This service startup type is Automatic. The service cannot be disabled through the Services snap-in console.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Health Key and Certificate Management

The Health Key and Certificate Management service provides X.509 certificate and key management services for the Network Access Protection Agent service. Enforcement technologies that use X.509 certificates may not function properly if this service is not installed or is disabled. The service supports the NAP platform on Windows Vista and Windows Server 2008 computers.

The NAP platform helps administrators validate and enforce compliance with system health policies for network access and communication. Administrators can create solutions for validating computers that connect to or communicate on their networks, provide needed updates or access to needed resources, and limit the network access of computers that are noncompliant.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Help and Support

The Help and Support service allows the Help and Support Center application to run on users' computers, supports the application, and enables communication between the client application and the help data. This service provides access to stores and services such as the taxonomy database that contains metadata and information about the help topics, the support automation framework that enables data collection for registered support providers, user history and preference information, and the search engine manager. When you interact with the Help and Support Center features such as search, index, or table of contents, the service allows for data transaction support of all these features.

If the Help and Support service startup type is configured to Manual, the service will start if a user accesses the Help and Support Center from the desktop. If you disable or stop this service, the Help and Support Center application will be essentially unusable and users will see the following message:

Windows cannot open Help and Support because a system service is not running.

Users will be able to access some high-level topics that might be cached on the local computer, but most of the Help and Support Center application features (including Remote Assistance) cannot function if the Help and Support service is not enabled. However, users can still view the *.hlp and *.chm files that are located in the Windows\Help folder. The Help and Support service is installed and the startup type is Automatic.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

HTTP SSL

The HTTP SSL service enables IIS to perform Secure Sockets Layer (SSL) functions. SSL is an open standard that establishes encrypted communications channels to help prevent the interception of critical information, such as credit card numbers. Primarily, it is used to protect data transmitted for electronic financial transactions on the Internet, although it is designed to work on other Internet services as well.

If the HTTP SSL service stops, IIS does not perform SSL functions. This service is installed when IIS is installed and is not present or active otherwise.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Human Interface Device Access

The Human Interface Device Access service enables generic input access to Universal Serial Bus (USB) devices such as keyboards and mice. The service activates and maintains predefined keyboard keys, remote controls, and other multimedia devices. This service is installed and started by default on Windows XP and Windows Server 2003-based computers.

If the Human Interface Device Access service stops, keyboard keys that are controlled by this service no longer function. For instance, the Back key, Forward key, and other keyboard keys on USB keyboards and volume buttons on USB speakers will not function.

Available on:

Windows Vista Home Basic	Windows XP Home Edition	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows XP Professional	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise		Windows Server 2003 Datacenter Edition
Windows Vista Ultimate		Windows Server 2003 Web Edition

IAS Jet Database Access

The IAS Jet Database Access service uses the Remote Authentication Dial-In User Service (RADIUS) protocol to provide authentication, authorization, and accounting services. It is only available in 64-bit versions of Windows. With Internet Authentication Services (IAS), you can centrally manage user authentication, authorization, and accounting. You can also use IAS to authenticate users against domain controllers that run Windows NT® 4.0, Windows 2000, or Windows Server 2003 operating systems. IAS works equally well in homogeneous and heterogeneous networks.

IAS can be used as a RADIUS proxy to route RADIUS messages between RADIUS clients (access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt. When used as a RADIUS proxy, IAS is a central switch or routing point through which RADIUS access and accounting messages flow. IAS records information in an accounting log about the messages that are forwarded.

A RADIUS authentication, authorization, and accounting infrastructure consists of two IAS Jet databases:

• Ias.mdb, which is used to configure IAS

• Dnary.mdb, which is used to validate the dictionary that IAS uses to track the vendor-specific attributes of RADIUS-compatible network access servers

If the IAS Jet Database Access service stops, remote network access that requires user authentication will be unavailable. For example, remote access dial-up, VPN, wireless LAN (802.1x), and Ethernet 802.1x LAN access will not work. If you disable this service, both the Routing and Remote Access Service (RRAS) and IAS services will not start. You will also be unable to administer RRAS or IAS either locally or remotely.

Available on: This service is not installed by default on any version of Windows; it is available only on the Itanium–based versions of Windows Server 2003.

IIS Admin Service

The IIS Admin Service allows administration of IIS components such as FTP, application pools, Web sites, Web service extensions, and both Network News Transfer Protocol (NNTP) and Simple Mail Transfer Protocol (SMTP) virtual servers. If you stop or disable this service, you will not be able to run Web, FTP, NNTP, or SMTP sites.

In Windows 2000, the IIS Admin Service and related services are installed by default. In Windows Server 2003, you must install the IIS components through Add/Remove Windows Components or Configure Your Server.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

IKE and AuthIP IPsec Keying Modules

The IKE and AuthIP IPsec Keying Modules (IKEEXT) service hosts the IKE and AuthIP keying modules. These keying modules are used for authentication and key exchange in IPsec. Stopping or disabling the IKEEXT service disables IKE and AuthIP key exchange with peer computers. IPsec is typically configured to use IKE or AuthIP; therefore, stopping or disabling the IKEEXT service might result in an IPsec failure and might compromise the security of the system. We strongly recommend that you have the IKEEXT service running.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

IMAPI CD-Burning COM Service

The IMAPI CD-Burning COM Service manages the creation of CDs through the Image Mastering API (IMAPI) COM interface and performs CD-Recordable (CD-R) writes when requested by the user through Windows Explorer, Windows Media® Player (WMP) or non-Microsoft applications that use this API. IMAPI allows an application to stage and burn simple audio or data images to CD-R and CD Rewritable (CD-RW) devices. The API supports Redbook audio and data disc formats with both Joliet and ISO 9660. The architecture allows for future expansion of the supported format set.

If the IMAPI CD-Burning COM Service stops or if you disable it, your computer will be unable to record CDs with the built-in features of Windows XP and Windows Server 2003. If you disable this service and use a non-Microsoft CD-RW application, your ability to record CDs will not be affected (if the non-Microsoft software does not rely on the service). If this service is started after logon, you must log off from your computer and then log back on to write data to CD-R media with your CD-R device through Windows Explorer. This service is installed but disabled by default on Windows Server 2003.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Indexing Service

The Indexing Service indexes the contents and properties of files on local and remote computers and provides rapid access to files through a flexible querying language. The Indexing Service also enables quick document search capability on local and remote computers and a search index for content that is shared on the Web. The service builds indexes of all textual information in files and documents. After the initial index build is complete, the Indexing Service maintains its indexes whenever a file is created, modified, or deleted.

Initial indexing can be resource-intensive. By default, the Indexing Service is set to start manually. When the service is active it will index only when the computer is idle, although you can use the Index snap-in to configure the service to work at non-idle times. The Index snap-in also allows you to optimize the service's resource allocation configuration for query or indexing usage patterns.

If the Indexing Service stops, text-based searches will be slower.

This service startup type is Manual.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Infrared Monitor

The Infrared Monitor service enables you to share files and images through infrared connections. This service is installed by default on Windows Vista and Windows XP if an infrared device is detected during operating system installation.

If the Infrared Monitor service stops or is disabled, files and images cannot be shared through infrared connections.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic	Windows XP Home Edition
Windows Vista Home Premium	Windows XP Professional
Windows Vista Enterprise
Windows Vista Ultimate

Interactive Services Detection

The Interactive Services Detection service enables user notification of user input for interactive services, which enables access to dialog boxes created by interactive services when they appear. If this service is stopped, notifications of new interactive service dialog boxes no longer function and there may no longer be access to interactive service dialog boxes. This service supports the new service isolation feature in Windows Vista.

In Windows XP, Windows Server 2003, and earlier versions of the Windows operating system, all services run in the same session as the first user who logs on to the console. This session is called Session 0. Running services and user applications together in Session 0 poses a security risk because services run at elevated privilege and therefore are targets for malicious users who are looking for a way to elevate their own privilege level.

The Windows Vista operating system mitigates this security risk by isolating services in Session 0 and making Session 0 noninteractive. In Windows Vista, only system processes and services run in Session 0. The first user logs on to Session 1, and subsequent users log on to subsequent sessions. This means that services never run in the same session as users' applications and are therefore protected from attacks that originate in application code. Because Session 0 is no longer a user session in Windows Vista, services that are running in Session 0 do not have access to the video driver in Windows Vista. This means that any attempt that a service makes to render graphics fails. For example, if a device installer runs in Session 0 and the installation program creates a dialog box in Session 0 that requires user input to continue, the device installation never completes because the user does not see the dialog box. From the user's perspective, the device installer is hung because it has stopped progressing and the user has no way to resume it. Basically, any functionality in a service or a service-hosted driver that assumes the user is running in Session 0 does not work correctly in Windows Vista.

As a result of this issue, the option of enabling the Interactive Service Detection Service will be available for customers who have services from earlier versions of Windows that send user interaction dialog boxes to Session 0 instead of the corresponding user's session.

The service startup type is Manual start by default. The service starts only when a visible dialog box that is not a command window is detected. If the service is started, then users will be notified when a dialog box or window (including a command window) appears in Session 0. Information about each of the last 10 dialog boxes will appear in turn if more information is shown. This will help ensure that deployment testers are aware of services from earlier operating systems in their environment and have the opportunity to contact the vendors for updated services.

The service will detect these visible dialog boxes or windows and send a notification to the user. Users may choose to:

• Respond to the dialog box immediately by clicking a button to switch to Session 0, interact with the task dialog box, and then switch back to their session.

• Be reminded again in five minutes. They will continue to be reminded until the dialog box closes.

If this service is disabled, users will no longer receive notifications when the devices or services send dialog boxes to Session 0.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Internet Authentication Service

The Internet Authentication Service (IAS) performs centralized authentication, authorization, audit, and accounting of users who connect to a network—either LAN or remote—through VPN equipment, Remote Access Equipment (RAS), or 802.1x Wireless and Ethernet/Switch Access Points.

IAS implements the Internet Engineering Task Force (IETF) standard RADIUS protocol, which enables heterogeneous network access equipment. If this service is stopped or disabled, authentication requests fail over to a backup IAS server, if it is available. If no backup IAS servers are available, users cannot connect to the network. This service must be installed manually and is only available Windows Server 2003.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Internet Connection Firewall (ICF)/Internet Connection Sharing

The Internet Connection Sharing service provides network address translation, addressing, name resolution, and/or intrusion prevention services for a home or small office network.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Intersite Messaging

The Intersite Messaging service enables message exchanges between computers that run Windows Server sites. This service is used for mail-based replication between sites. Active Directory includes support for replication between sites through SMTP over IP transport. SMTP support is provided by the SMTP service, which is a component of IIS.

The set of transports that are used for communication between sites must be extensible. Therefore, each transport is defined in a separate add-in dynamic link library (DLL) file. These add-in DLL files are loaded into the Intersite Messaging service, which runs on all domain controllers that can perform communication between sites. The Intersite Messaging service directs send and receive requests to the appropriate transport add-in DLL files, which then route the messages to the Intersite Messaging service on the destination computer.

If the Intersite Messaging service stops, messages will not be exchanged, intersite messaging replication does not work, and site-routing information is not calculated for other services. This service is installed by default on Windows Server 2003-based computers, but it is disabled until the server is promoted to the domain controller role.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

IP Helper (IP Version 6 Helper Service)

The IP Helper service offers Internet Protocol version 6 (IPv6) connectivity over an Internet Protocol version 4 (IPv4) network. IPv6 is a new suite of standard protocols for the network layer of the Internet. It is designed to solve many IPv4 problems with regard to address depletion, security, auto-configuration, and extensibility. This service allows IPv6-enabled sites and hosts to communicate through IPv6 over an IPv4 infrastructure—for example, the Internet. This is often referred to as "6to4." IPv6 sites and hosts can use their 6to4 address prefix and the Internet to communicate. They do not need to obtain an IPv6 global address prefix from an Internet service provider (ISP) and connect to the IPv6-enabled portion of the Internet.

6to4 is a tunneling technique that is described in RFC 3056. 6to4 hosts do not require any manual configuration and use standard auto-configuration to create 6to4 addresses. 6to4 uses the global address prefix of 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the colon-hexadecimal representation of a public IPv4 address (w.x.y.z) that is assigned to a site or host, also known as the Next Level Aggregator (NLA) portion of a 6to4 address.

The IP Helper service also supports 6over4, also known as IPv4 multicast tunneling, a technique that is described in RFC 2529. 6over4 allows IPv6 and IPv4 nodes to communicate through IPv6 over an IPv4 infrastructure. 6over4 uses the IPv4 infrastructure as a multicast-capable link. For 6over4 to work correctly, the IPv4 infrastructure must be IPv4 multicast-enabled.

If the IP Helper service stops, the computer will only have IPv6 connectivity if it is connected to a native IPv6 network. This service is not installed or activated by default on Windows Server 2003, but is installed and started automatically on Windows Vista.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

IPsec Policy Agent (IPsec Service)

The IPsec Policy Agent (IPsec Service) service provides end-to-end security between clients and servers on TCP/IP networks, manages IPsec policy, starts IKE, and coordinates IPsec policy settings with the IP security driver. The service is controlled by using the NET START or NET STOP command.

IPsec operates at the IP layer and is transparent to other operating system services and applications. The service provides packet filtering, and can negotiate security between computers on IP networks. You can configure IPsec to provide:

• Packet filtering with actions to permit, block, or negotiate security.

• Negotiated trust and encrypted IP communication. The IKE protocol mutually authenticates the sender and receiver of IP data packets based on policy settings. Authentication can use the Kerberos V5 authentication protocol, digital certificates, or a shared secret key (password). IKE automatically generates cryptographic keys and IPsec security associations.

• Protection of IP packets with IPsec formats that provide cryptographic integrity, authenticity, and (optionally) encryption of IP packets.

• End-to-end IPsec transport protection of traffic between servers and other systems that support Layer Two Tunneling Protocol (L2TP) VPN connections.

• IPsec tunnel mode to improve the security for interoperability with gateways or other systems that do not support L2TP or point-to-point protocol (PPTP) VPN site-to-site connections.

If the IPsec Policy Agent (IPsec Service) service stops, TCP/IP security between clients and servers on the network is impaired. This service is installed and started automatically by default on Windows Server 2003-based and Windows Vista-based computers.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Kerberos Key Distribution Center

The Kerberos Key Distribution Center service enables users to log on to the network and be authenticated by the Kerberos version 5 (v5) authentication protocol.

As in other implementations of the Kerberos protocol, the Kerberos Key Distribution Center (KDC) is a single process that provides two services:

• Authentication Service. This service issues ticket-granting tickets (TGTs) for connection to the ticket-granting service in its own domain or in any trusted domain. Before a client computer can request a ticket to another computer, it must request a TGT from the authentication service in its account domain. The authentication service returns a TGT for the ticket-granting service in the target computer's domain. The TGT can be reused until it expires, but first access to any domain's ticket-granting service always requires the client computer to contact the authentication service in its account domain.

• Ticket-granting service. This service issues tickets for connection to computers in its own domain. When a client computer wants to access another computer, it must request a TGT and ask for a ticket to the computer. The ticket can be reused until it expires, but first access to any computer always requires contact with the ticket-granting service in the target computer's account domain.

If the Kerberos Key Distribution Center service stops, users will be unable to log on to the network and access resources. This service is installed on all Windows Server 2003-based computers, but it runs only on domain controllers. If you disable this service, users cannot log on to the domain.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

KtmRm for Distributed Transaction Coordinator

The KtmRm for Distributed Transaction Coordinator service coordinates transaction between the Microsoft Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM). This service supports the Kernel Transaction Manager (KTM) feature, which is new to Windows Vista. The KTM enables the development of applications that use transactions. The transaction engine itself is within the kernel, but transactions can be developed for kernel-mode or user-mode transactions, and within a single host or among distributed hosts.

The KTM is used to implement Transactional NTFS (TxF) and Transactional Registry (TxR). TxF allows transacted file system operations within the NTFS file system. TxR allows transacted registry operations. KTM enables client applications to coordinate file system and registry operations with a transaction that results in better error recovery during data transfer and in the event of system failure.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

License Logging Service

The License Logging Service monitors and records client access license information. It works with portions of the operating system, such as IIS, Terminal Services, file and print sharing, and also with products that are not a part of the operating system, such as SQL Server or Microsoft Exchange server.

If this service is stopped or disabled, licensing will be enforced but will not be monitored. This service is disabled by default on Windows Server 2003-based computers.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Link-Layer Topology Discovery Mapper

The Link-Layer Topology Discovery Mapper service creates a Network Map, consisting of computer and device topology (connectivity) information, and metadata describing each computer and device. If this service is disabled, the Network Map will not function properly.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Logical Disk Manager

The Logical Disk Manager service detects and monitors new hard disk drives and sends disk volume information to the Logical Disk Manager Administrative Service for configuration. This service monitors Plug and Play events to detect new drives and uses an administrator service and a watchdog service. Do not disable the service if dynamic disks are present in the computer.

The Logical Disk Manager service runs by default on Windows Server. If it stops, dynamic disk status and configuration information might become outdated. For example, hard disk drives will not be detected. The administrator service and the watchdog service are essentially one component. The administrative service starts only when you configure a drive, partition, or when a new drive is detected.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Logical Disk Manager Administrative Service

The Logical Disk Manager Administrative Service performs administrative services for disk management requests and configures hard disk drives and volumes. It starts only when you configure a drive or partition, or when a new drive is detected. This service does not start by default, but is activated whenever dynamic disk configuration changes occur or when the Disk Management console or the Diskpart.exe tool is opened. Changes that can activate this service include conversions of basic disks to dynamic, recovery of fault-tolerant volumes, volume formatting, or changes to a page file.

The Logical Disk Manager Administrative Service runs only for configuration processes and then stops. If you disable this service, attempts to use the Disk Management console to configure disks will cause the following error message to be displayed:

Unable to connect to Logical Disk Manager service

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Machine Debug Manager

The Machine Debug Manager service manages local and remote debugging for a number of applications, including the Microsoft Script Editor, various versions of the Office application suite, and Microsoft Visual Studio®.

If you disable the Machine Debug Manager service, attempts to debug scripts or processes will fail and cause the following error message to be displayed:

Unable to start debugging. The Machine Debug Manager Service is disabled.

Also, users will not be given the opportunity to debug script errors in Web pages.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Message Queuing

The Message Queuing service is a messaging infrastructure and development tool that can be used to create distributed messaging applications for Windows. Such applications can communicate across heterogeneous networks and send messages between computers that may be temporarily unable to connect to each other. This service provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It also supports the ability to send messages within transactions, and it provides both Microsoft Win32® and COM APIs for all programmatic functionality, including administration and management.

Message Queuing is an optional feature of Windows Vista, Windows Server 2008, Windows XP, and Windows Server 2003. It is not installed or enabled by default.

The implementation of the remote read features in the Windows XP version of the Message Queuing service allows unauthenticated users to connect to queues. A malicious user could purge a queue and create a denial of service condition. Also, Message Queuing remote read data is transmitted over the network in plaintext, which means it could be read by a malicious user who is able to capture network data.

For these reasons, we recommend that you not install the Message Queuing service on Windows XP-based computers that are exposed to untrusted networks such as the Internet.

Windows Vista and Windows Server 2008 include Message Queuing 4.0 that addresses these security concerns. For remote reading, Message Queuing 4.0 uses encrypted RPC by default. This feature is available when a Windows Vista or Windows Server 2008-based client computer performs remote reading against a Message Queuing server running Windows Vista, Windows Server 2008, Windows Server 2003, or Windows 2000. Note that in situations where encrypted RPC cannot be used, (for example, where a workgroup computer is part of the remote read process), the message will be passed to the remote computer as plaintext and message security is not guaranteed. A plaintext message that has reached its destination queue can be read only by users that have the necessary access rights to read messages from the queue.

With Windows Vista, we recommend that you enable your Message Queuing 4.0 server to use only secured remote reading mode. In secured remote reading mode, your computer will only listen on the secure remote read interface, and not on the non-secure remote read interface. The effect of this is that only Message Queuing 4.0 and 3.0 servers on Windows Server 2003-based computers or later can remotely receive messages from queues on your computer, and remote reads from MSMQ 1.0 clients, MSMQ 2.0 clients, and Message Queuing 3.0 clients running on Windows XP-based computers are not supported. For information about enabling your server to use only the new secured mode, see Enable Secured Remote Read (https://go.microsoft.com/fwlink/?LinkID=105681).

If the Message Queuing service stops, distributed messages will be unavailable. If you disable this service, any services that explicitly depend on it will not start. Also, COM+ Queued Component (QC) functionality, some functionality of Windows Management Instrumentation (WMI), and the Message Queuing Triggers service will be affected.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Message Queuing Down Level Clients

The Message Queuing Down Level Clients service provides Active Directory access for Windows NT 4.0, Windows 95, Windows 98, Windows Millennium Edition, and Windows 2000 clients that use the Message Queuing service on domain controllers. The Message Queuing service optionally uses information that is published in Active Directory to obtain routing information for security-related objects, such as destination public keys, and to learn about public queues. If you install Message Queuing in workgroup mode, Active Directory is never accessed. This service is only required on Windows Server 2003 domain controllers that run the Message Queuing service.

If the Message Queuing Down Level Clients service stops on a domain controller, versions of the Message Queuing client earlier than version 3.0 will not be able to obtain Active Directory services on the specified domain controller for public queue discoverability, message routing, and site recognition. This service is not installed by default on Windows Server 2003-based computers.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Message Queuing Triggers

The Message Queuing Triggers service provides a rule-based system to monitor messages that arrive in a Message Queuing service queue and, when the conditions of a rule are satisfied, invoke a COM component or a stand-alone executable program to process the message.

The Message Queuing Triggers service is installed as an integral part of the Message Queuing service on Windows Server 2003. In Windows Vista, the Message Queuing Triggers feature must be explicitly selected for it to be installed.

If the Message Queuing Triggers service stops, you will not be able to apply rule-based monitoring or invoke programs to process messages automatically. This service is not installed by default on Windows Server 2003-based computers.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Messenger

The Messenger service sends messages to or receives messages from users, computers, administrators, and the Alerter service. This service is not related to Windows Live™ Messenger, a free instant-messaging service.

If you disable the Messenger service, notifications cannot be sent to or received by the computer or by users who are currently logged on. Also, the NET SEND and NET NAME shell commands will no longer function. This service is installed but disabled by default on Windows Server 2003.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Microsoft .NET Framework NGEN

This service supports the Microsoft .NET Framework Native Image Generator (NGEN) feature of the .NET Framework Common-Language Runtime. It is used to create platform-specific, optimized versions of .NET Framework applications that have faster performance than applications that have to be compiled by the just-in-time compiler before they can be run.

The service runs either in low priority for important compilations or in idle priority for non-important compilations. Once all optimizations are completed that are in the queue, the service shuts down.

This service is installed by default and the service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Microsoft iSCSI Initiator Service

This service manages Internet Small Computer System Interface (iSCSI) sessions from a computer to remote iSCSI target devices. If this service is stopped, the computer will not be able to log on or access iSCSI targets. If this service is disabled, any services that explicitly depend on it will fail to start.

You can use iSCSI to connect storage devices over a network (LAN, WAN, or the Internet) by using TCP/IP; iSCSI devices can be disks, tapes, CDs, or other storage devices on network connected systems. The technology is often associated with storage area networks (SANs).

The Microsoft iSCSI Initiator Service ensures all volumes and devices listed as "favorite targets" are available to the computer. The iSCSI Initiator properties are configured from the Administrative Tools Control Panel. By default the Microsoft iSCSI Initiator Service is configured for the Manual startup type. To use an Internet storage device, you must unblock the appropriate firewall ports.

The IP network used by iSCSI does not include a default security mechanism. Because iSCSI is a plaintext protocol, iSCSI presents an attack surface that should be secured if you decide to use this service. To help secure IP packets (the data stream), you can use CHAP, IPsec, or both.

CHAP verifies the identity of iSCSI host systems that are attempting to access storage targets. CHAP has known vulnerabilities and should not be relied upon as the only security method.

IPsec is a standards-based means of aiding the secure transfer of information across IP networks through the use of authentication and encryption that guards against both active and passive attacks.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Microsoft POP3 Service

The Microsoft POP3 Service provides e-mail transfer and retrieval services. Administrators can use this service to store and manage e-mail accounts on a mail server. When you install the Microsoft POP3 Service on a mail server, users can connect to that server and retrieve e-mail messages with an e-mail client program that supports the POP3 protocol, such as Microsoft Outlook®. The Microsoft POP3 Service works in combination with the SMTP Service, which allows users to send outgoing e-mail.

The Microsoft POP3 Service is the mechanism that allows users to retrieve their e-mail messages from a mail server. Sender's and recipient's computers connect to the Internet through their respective Internet service providers (ISPs). When the sender uses an e-mail client to send a message, the SMTP Service transfers the message to the sender's ISP. The message is then routed to the Internet and relayed through various intermediate servers. When the message reaches the recipient's ISP, it is placed in the recipient's mailbox. When the recipient's computer connects to their ISP, the ISP transfers the message to the recipient's e-mail client on the local computer in accordance with POP3 protocol standards.

If the Microsoft POP3 Service stops, e-mail transfer and retrieval services no longer function. This service must be manually installed on Windows Server 2003-based computers.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Microsoft Software Shadow Copy Provider

The Microsoft Software Shadow Copy Provider service manages software-based shadow copies that are taken by the Volume Shadow Copy Service. A shadow copy is a snapshot copy of a disk volume that represents a consistent read-only point in time for that volume. This point-in-time snapshot then stays constant and allows an application, such as backup software, to copy data from the shadow copy to tape.

There are two general classes of shadow copies:

• Hardware. A hardware shadow copy is a mirror of two or more disks that are split into separate volumes. One of the two volumes remains the working set and the other one can be mounted separately.

• Software. A software shadow copy uses a copy-on-write scheme to copy all sectors of a volume that change over time into a differential area on disk. When the shadow copy is mounted, all unchanged sectors are read from the original volume and all sectors that have changed are read from the differential area.

Shadow copies can resolve three classic data backup challenges:

• The need to back up files that were opened for exclusive access. Backup of an open file is a challenge, because it is likely in a state of change. Without a shadow copy or a way to suspend the application, backups often become corrupted.

• The need to maintain a computer's availability during the shadow copy.

• Use of the same communications channels as snapshots to facilitate information transfer between application and backup tools.

If the Microsoft Software Shadow Copy Provider service stops, software-based volume shadow copies cannot be managed, which could cause Windows Backup to fail. This service is installed by default on Windows Server 2003, but it only runs when requested.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

MSSQL$UDDI

The MSSQL$UDDI service is installed when the Universal Description, Discovery, and Integration (UDDI) feature of Windows Server 2003 is installed. (This feature provides UDDI capabilities within an organization.) When this service is installed, a SQL Server database instance is also installed. This instance manages all of the files that comprise the databases that are used by the service, and it processes all Transact-SQL statements that are sent from SQL Server client applications. The MSSQL$UDDI service allocates computer resources effectively between multiple concurrent users. It also enforces business rules that are defined in stored procedures and triggers, ensures the consistency of the data, and prevents logical problems, such as two people who try to update the same data at the same time.

UDDI is an industry specification for the description and discovery of Web services. The UDDI specification builds on the Simple Object Access Protocol (SOAP), Extensible Markup Language (XML), and HTTP/S protocol standards that were developed by the World Wide Web Consortium (W3C) and the Internet Engineering Task Force (IETF). UDDI services are standards-based XML Web services that allow developers to efficiently publish, discover, share, and re-use Web Services directly through their development tools. Built on the Microsoft .NET Framework, UDDI services use proven Microsoft SQL Server technology and tools to provide a scalable storage mechanism. IT managers can leverage UDDI services' support for standard categorization schemes and Active Directory authentication, which allows easy integration within an enterprise environment.

The MSSQL$UDDI service must be manually installed on Windows Server 2003-based computers; when installed, its startup type is Manual. If this service stops, the UDDI SQL Server database is no longer available and clients cannot query or access the data in its databases.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

MSSQLServerADHelper

The MSSQLServerADHelper service enables Microsoft SQL Server and Microsoft SQL Server Analysis Services to publish information in Active Directory when those services are not invoked by the Local System account. Only one instance of the MSSQLServerADHelper service is allowed to run on a computer. All instances of Microsoft SQL Server and Microsoft SQL Server Analysis Services use it on an as-needed basis.

MSSQLServerADHelper is not a server service and does not service requests from the client. The service does not use a UDP or TCP port.

You cannot stop the MSSQLServerADHelper service. This service is dynamically started by an instance of SQL Server or Analysis Manager when needed. The service stops as soon as it has completed its work. This service should always be run by the Local System account; do not start it manually from the console. If you disable this service, the ability to add, update, or delete SQL Server-related Active Directory objects may be affected. This service must be manually installed on Windows Server 2003-based computers. When installed, its startup type is Manual.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Multimedia Class Scheduler

The Multimedia Class Scheduler (MMCSS) service enables relative prioritization of work based on system-wide task priorities. This is intended mainly for multimedia applications. If this service is stopped, individual tasks return to their default priority.

Users expect multimedia applications to offer a smooth playback experience. If the playback has pauses or jerky movements, the user will tend to be dissatisfied with the experience and not use that content delivery method. While early versions of media players suffered from lack of bandwidth, the issue that is encountered more commonly now is lack of CPU processing time. Demand for the CPU processing time by other concurrently running applications, like antivirus programs, content indexing, or even the mail client, can interfere with media rendering and playback.

To provide a better playback experience, Windows Vista provides MMCSS to manage the CPU priorities of multimedia threads. An application registers with MMCSS using new APIs that indicate its multimedia characteristics, which must match one of those listed by name under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Multimedia\SystemProfile\Tasks

The task keys are:

• Audio

• Capture

• Distribution

• Games

• Playback

• Pro Audio

• Window Manager

The various task keys specify how much preference threads associated with different multimedia types get for CPU and graphics processor resources. (Graphics processor resource management is not implemented in Windows Vista.)

MMCSS, which is implemented in %systemroot%\System32\Mmcss.dll and runs in a Service Host (Svchost.exe) process, has a priority-management thread that runs at priority 27. (Thread priorities in Windows range from 0 to 31.) This thread boosts the priority of registered multimedia threads into the range associated with the Scheduling Category value of their task's registry key; those with a Scheduling Category of High will have a priority between 23 and 26, those with a Scheduling Priority of Medium with have a priority between 16 and 23. In Windows, thread priorities 16 and higher are in the real-time priority range and higher than all other threads on a system (with the exception of the kernel's Memory Manager worker threads, which run at priorities 28 and 29). Only administrative accounts, like the Local System account in which MMCSS runs, have the Increase Priority privilege that is required to set real-time thread priorities.

MMCSS also ensures that other concurrently running threads get an adequate portion of CPU time so that the system and other applications remain responsive. MMCSS therefore reserves 20 percent of CPU time for other activity.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

.NET Framework Support Service

The .NET Framework Support Service notifies a subscriber client when a specified process initializes the Client Runtime Service. The .NET Framework Support Service provides a run-time environment called the Common Language Runtime (CLR), which manages code execution and provides services that make the development process easier. Compilers and tools expose the runtime's functionality and enable you to write code that benefits from this managed execution environment. The CLR enables you to design components and applications whose objects interact across languages. Objects that are written in different languages can communicate with each other, and their behaviors can be tightly integrated. This service is normally installed as part of the Visual Studio .NET development environment and is not present or active unless it is manually installed.

If the .NET Framework Support Service stops or if you disable it, the user does not receive a notification when a .NET application starts the CLR.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Net.Tcp Port Sharing Service

The Net.Tcp Port Sharing Service provides the ability for multiple user processes to share TCP ports over the net.tcp protocol. This service supports the .NET Framework 3.0 Windows Communication Foundation (WCF), which provides a new TCP-based network protocol (net.tcp://) for high-performance communication. This service allows a net.tcp port to be shared and secured in a similar fashion as port 80 is for HTTP traffic.

The Net.Tcp Port Sharing Service is available on all operating systems that support .NET Framework 3.0, but the service is not enabled by default. As a security precaution, an administrator must manually enable the Net.Tcp Port Sharing Service prior to first use. Although the Net.Tcp Port Sharing Service does provide a layer of processing between applications and the network, applications that use port sharing should still be secured as if they were listening on the network directly. Specifically, applications that use port sharing should evaluate the process privileges under which they run. When possible, run your application using the built-in Network Service account, which runs with the minimal set of process privileges required for network communication.

Available on: The Net.Tcp Port Sharing Service is included by default with Windows Vista. After installing the .NET Framework 3.0 redistributable package, it can be used with Windows Server 2003 with Service Pack 1 installed and with Windows XP with Service Pack 2.

Netlogon

The Netlogon service maintains an encrypted channel between your computer and the domain controller that it uses to authenticate users and services. It passes user credentials through the encrypted channel to a domain controller and returns the domain security identifiers and user rights for the user, which is commonly referred to as pass-through authentication. The service is installed on all Windows Server 2003 and Windows XP computers, and its startup type is Manual. After the computer joins a domain, the service starts automatically.

In Windows 2000 Server and Windows Server 2003, the Netlogon service publishes service resource records in Domain Name System (DNS) and uses DNS to resolve names to the IP addresses of domain controllers. The service also implements the replication protocol that is based on remote procedure call (RPC) to synchronize Windows NT 4.0 primary domain controllers (PDCs) and backup domain controllers (BDCs).

If the Netlogon service stops, the computer may not authenticate users and services and the domain controller cannot register DNS records. Specifically, it might deny NTLM authentication requests, and domain controllers will not be discoverable by client computers.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

NetMeeting Remote Desktop Sharing

The NetMeeting Remote Desktop Sharing service allows authorized users to remotely access your Windows desktop with the Microsoft NetMeeting® application from another personal computer over an intranet. The service is installed and disabled by default. It must be explicitly enabled by the user through NetMeeting, and can be disabled in NetMeeting or shut down by means of a notification area icon.

If the NetMeeting Remote Desktop Sharing service stops or if you disable it, the NetMeeting display driver is unloaded and the computer cannot provide remote access to its desktop by using NetMeeting.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Network Access Protection Agent

The Network Access Protection Agent service enables NAP functionality on client computers. Enabling the NAP client agent makes it possible for clients that support NAP to evaluate clients that connect to your network for compliance with organizational software security policies such as mandatory updates, antivirus, signatures, and firewall configurations.

By default this service startup type is Manual. If you have a NAP infrastructure in place, this service startup type should be Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Network Connections

The Network Connections service is installed by default on Windows Server 2003-based and Windows Vista-based computers. This service manages objects in the Network Connections folder, from which you can view both network and remote connections. This service is responsible for client network configuration and displays connection status in the notification area on the taskbar. You may also view and configure network interface settings through this service.

The Network Connections service starts automatically when the startup type is Manual and the Network Connections interface is invoked. If this service stops, client-side configuration of LAN, dial-up, and VPN connections are unavailable. If you disable this service, the following might result:

• Connections do not display in the Network Connections folder, which prevents dial-out access and configuration of LAN settings.

• Other services that use Network Connections to check for Network Location-specific Group Policy settings do not function properly.

• Events that pertain to media connects and disconnects are not received.

• Internet connection sharing does not function correctly.

• The ability to configure incoming connections, wireless settings, or your home network is unavailable.

• New connections are not created.

• Any services that explicitly depend on this service do not start.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Network DDE

The Network DDE service provides network transport for Dynamic Data Exchange (DDE) for programs that run on the same computer or on different computers. You can create Network DDE "shares" programmatically or with Ddeshare.exe and make them visible to other applications and computers. Traditionally, the user who creates the share will create and run a server process to handle inbound requests from client processes and/or applications, whether they run on the same computer or remotely. After they are connected, these processes can exchange any kind of data.

This service is installed but disabled by default. To use network DDE functionality, you must set the service startup type to Manual, after which the service is only started when invoked by an application that uses Network DDE, such as Clipbrd.exe or Ddeshare.exe.

If the Network DDE service stops, DDE transport and security are unavailable. If you disable this service, any applications that depend on it time out when they try to start the service. If an application on a remote computer tries to start the Network DDE service on another computer, the remote computer is not visible on the network.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Network DDE DSDM

The Network DDE DSDM service manages DDE shared folders. This service is used only by the Network DDE service to manage shared DDE conversations. You can create and trust DDE shares with Ddeshare.exe to allow remote computers and applications to connect and share data. The Network DDE DSDM service maintains a database of DDE shares that includes information about trusted shares. For each connection request that is made from or to an application, the service queries the database and validates your security settings to determine if the request should be granted.

The Network DDE DSDM service is installed but disabled by default. To use network DDE functionality, you must set the service startup type to Manual, after which the service is only started when invoked by an application that uses Network DDE. If the Network DDE DSDM service stops, DDE network shares are unavailable. If you disable this service, any applications that depend on it time out when they try to start the service.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Network List Service

The Network List Service identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change. This service along with the Network Location Awareness service enables the display of the status of network connections in the notification area. The service is part of the new Network Diagnostics Framework in Windows Vista.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Network Location Awareness (NLA)

The Network Location Awareness (NLA) service collects and stores network configuration information, such as IP address and domain name changes, as well as location change information. The service notifies compatible applications when this information changes so that they can reconfigure themselves to use the current network connection.

The Network Location Awareness (NLA) service is a default service on Windows Vista. Even if you configure this service with a startup type of Manual, it will usually be started by dependent services. If this service stops, network location awareness functionality is not available.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Network Provisioning Service

The Network Provisioning Service provides the ability to download and manage XML configuration files from network provisioning services such as the Microsoft Wireless Provisioning Services (WPS), which enable automatic network provisioning for Internet service providers and private networks. This service works with the Wireless Zero Configuration service to provide support for the latest wireless security standards.

If the Network Provisioning Service stops or if you disable it, wireless network interface configuration and operation may not succeed, even if the network environment does not use WPS or an equivalent.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Network News Transfer Protocol (NNTP)

The Network News Transfer Protocol (NNTP) service allows computers that run Windows Server 2003 to act as news servers. Client computers can use a news client application such as the Microsoft Outlook Express messaging client to retrieve newsgroups from the server and read headers or bodies of the articles in each newsgroup. The client computers can then post back to the server.

NNTP is an Internet standard. The NNTP service that is included with Windows Server 2003 does not support feeds, in which two news servers replicate their contents between each other. However, the version that is included with Exchange 2000 does include this functionality. This service is not installed or enabled by default. It can only be installed in conjunction with IIS.

If the Network News Transfer Protocol (NNTP) service stops, client computers are not able to connect and read or retrieve posts.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Network Store Interface Service

The Network Store Interface Service delivers network notifications (for example, interface addition or deletion) to user-mode clients. The service keeps track of the network interfaces available on the computer, stores routing information for each, and communicates this information with other services that require it. Stopping this service causes loss of network connectivity.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

NT LM Security Support Provider

The NT LM Security Support Provider service provides security to RPC programs that use transports other than named pipes. It also enables users to log on to the network and be authenticated by the NTLM authentication protocol, which authenticates clients that do not use the Kerberos v5 authentication protocol.

The NTLM authentication protocol is used on networks that include systems that run versions of the Windows NT operating system and on stand-alone systems.

Windows 2000 uses the Kerberos v5 authentication protocol, which provides greater security to computer networks than NTLM. Although the Kerberos v5 protocol is the authentication protocol of choice for Windows 2000 and Windows Server 2003 networks, NTLM is still supported and must be used for network authentication if the network includes computers that run versions of Windows NT, Windows 98, or Windows Millennium Edition. Logon authentication on stand-alone computers also requires NTLM.

NTLM credentials are based on data that is obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user but does not send the user's password over the network. Instead, the computer that requests authentication must perform a calculation that proves it has access to the secured NTLM credentials.

Interactive NTLM authentication over a network typically involves two computers: a client computer, in which the user is requesting authentication, and a domain controller that stores information that is related to the user's password. Non-interactive authentication—which may be required to permit an already logged-on user to access a resource such as a server application—typically involves three computers: a client, a server, and a domain controller that does the authentication calculations on behalf of the server.

The NT LM Security Support Provider service is installed and runs by default on all Windows XP and Windows Server 2003-based computers. If this service stops or if you disable it, clients that use the NTLM authentication protocol will not be able to log on or access network resources. Microsoft Operations Manager (MOM) relies on this service.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Offline Files

The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches events to accounts or logs configured for receiving events related to Offline Files activities and changes in cache state.

Offline Files enables the user to designate particular network folders (and their subfolders) to be available offline. When the user is connected to the network, Offline Files automatically synchronizes the folders to the local hard disk. When the computer disconnects from the network (in other words, to go "offline"), Offline Files provides access to the content from the locally cached copy. When the computer reconnects to the network, Offline Files automatically synchronizes any changes made offline with the online version and vice-versa.

This service startup type is Automatic. We recommend that you use Encrypting File System (EFS) to encrypt the offline files cache so that the files in the cache can only be accessed by the user on whose behalf it is cached.

Available on:

Windows Vista Enterprise

Windows Vista Ultimate

Peer Name Resolution Protocol

The Peer Name Resolution Protocol (PNRP) service enables Serverless Peer Name Resolution over the Internet. If disabled, some peer-to-peer and collaborative applications may not function. This protocol enables the naming of computers and services without reliance on a DNS server. This allows for flexible, ad-hoc networks of nearby computers for collaboration, data sharing, and data storage.

Security in peer-to-peer networks is difficult to establish. If computers in your organization are allowed to connect to peer-to-peer networks, a security policy about the types of information shared and the types of peer-to-peer networks that are compliant with your policy should be explicitly designed and communicated to your users to enable them to make decisions about which peer-to-peer networks they can trust.

A trusted peer-to-peer network should be one that meets the industry standard for establishing trust:

• The network uses a trusted authentication method to identify itself and its users. Your security policy should identify which form of authentication is the minimum acceptable method.

• The network supports different authorization levels to allow for control over who you share information with by using the network.

• The network supports encrypted data transmission so that when you collaborate by using this network, your information is not as susceptible to capture by unauthorized users. It should also provide some form of data-integrity checking such as digital signatures to ensure that the data was not modified in transit.

This service startup type is Manual.

For information about using PNRP on Windows XP, see article 920342 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=101043).

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Peer Networking Grouping

The Peer Networking Grouping service supports peer "grouping," which is a technology that allows a developer to create a private peer-to-peer network. Administrators create the groups and invite members to join after verifying their credentials. Each member has a specific certificate, which is called a Group Member Certificate (GMC). The GMC ensures that all records exchanged between peers are digitally signed. The public key of a peer is contained in the structures that are passed as part of the communication between peers. The groups are opened and closed by the administrator as needed.

This service startup type is Manual.

For information about using Peer Name Resolution Protocol (PNRP) on Windows XP, see article 920342 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=101043).

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Peer Networking Identity Manager

The Peer Networking Identity Manager service provides the identity service for Peer Networking. It allows for the creation, enumeration, and manipulation of peer identities in a peer-to-peer application. An individual user can have several different peer identities.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Performance Logs and Alerts

The Performance Logs and Alerts service collects performance data from local or remote computers based on preconfigured schedule parameters, and then writes the data to a log or triggers an alert. This service starts and stops each named performance data collection based on the information that is contained in the named log collection setting. This service only runs if at least one collection is scheduled. However, it is installed by default on Windows XP and Windows Server 2003.

If the Performance Logs and Alerts service stops or if you disable it, performance information will not be collected. Also, any data collections that are currently active will terminate and future scheduled collections will not occur.

This service startup type is Manual.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Plug and Play

The Plug and Play service enables a computer to recognize and adapt to hardware changes with little or no user input. This service enables you to add or remove devices without any detailed knowledge of your computer hardware, and you do not need to manually configure the hardware or the operating system. For example, you can plug in a USB keyboard and the Plug and Play service will detect the new device, find a driver for it, and install it. Or you can dock a portable computer and use the docking station's Ethernet card to connect to the network; you do not need to change any configuration settings. Later, you can undock the same computer and use a modem to connect to the network—again, without any manual configuration changes.

The Plug and Play service is installed and the service startup type is Automatic on Windows Server 2003 and Windows Vista. You cannot stop or disable the service through the Services snap-in console because of the impact on operating system stability. If you use the MSCONFIG troubleshooting tool and this service stops, the Device Manager interface will appear blank and no hardware devices will be displayed.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

PnP-X IP Bus Enumerator

The PnP-X IP Bus Enumerator (IPBusEnum) service manages the virtual network bus. It discovers network-connected devices by using SSDP or the WS-Discovery protocol and gives them presence in Plug and Play. If this service is stopped or disabled, presence of network-connected devices will not be maintained in Plug and Play and all Plug and Play–based scenarios will stop functioning.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

PNRP Machine Name Publication Service

The PNRP Machine Name Publication Service publishes a computer name by using the Peer Name Resolution Protocol (PNRP). You can publish the computer name as a secured or unsecured peer name. The peer name configuration is managed by means of the netsh command p2p pnrp peer.

The peer computer name is a text string that has the following format:

Authority.Classifier

The value of Authority depends on whether the name is secure or unsecured. The Classifier of a peer computer name is a string. A Classifier can be any name that contains 150 or fewer UNICODE characters. Peer names are case-sensitive. The following list identifies some examples of peer names:

• "0.MyUnsecuredPeerName"

• "0.JohnDoe.Games"

• "6520c005f63fc1864b7d8f3cabebd4916ae7f33d.JohnDoe"

For a secure name, the Authority is the Secure Hash Algorithm (SHA) hash of the public key of the peer name and results in a 40-character hexadecimal string.

For an unsecured name, the Authority is zero (0), and the Classifier is the only significant part of the peer name, which creates an unsecured peer name without an associated identity. For more information about how to configure peer names, see Windows Internet Computer Names (https://go.microsoft.com/fwlink/?LinkId=101045).

This service startup type is Manual.

For information about using PNRP on Windows XP, see article 920342 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=101043).

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Portable Device Enumerator Service

The Portable Device Enumerator Service enforces Group Policy settings for removable mass-storage devices. It enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content by using removable mass-storage devices. This service enables you to specify which portable storage devices are allowed to be connected to systems that are managed with Group Policy.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Portable Media Serial Number

The Portable Media Serial Number service retrieves the serial number of any portable music player that is connected to your computer. The service allows Windows Media Device Manager (WMDM) to acquire the serial number from portable music devices so that media content can be copied securely to those devices. Without the serial number, you cannot associate content to a specific device, which might prevent protected content from being transferred to the device.

To uniquely identify portable media, many storage media manufacturers have implemented a unique serial number that is stored on a non-volatile area of the storage device. For example, the CompactFlash specification revision 1.3 from CompactFlash Association requires CompactFlash cards to have a unique serial number. Some types of removable storage media also have unique serial numbers on them.

For a portable media reader or adapter to be Windows Media-compliant, it must allow an application to retrieve media serial numbers.

The Portable Media Serial Number service is installed by default in Windows Server 2003. Its startup type is Manual, and it is started on request by WMDM. If the service stops or if you disable it, protected content might not be allowed to transfer to the device and the serial number might not be retrieved from portable media devices.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Print Server for Macintosh

The Print Server for Macintosh service enables Apple Macintosh clients to route print jobs to a print spooler located on a computer that runs Windows Server 2003. This service also allows Windows Server 2003 Enterprise Edition to communicate with a print device that uses the AppleTalk protocol. This service is not installed by default.

If the Print Server for Macintosh service stops, Macintosh AppleTalk clients will not be able to route print jobs to a Windows Server 2003–based print spooler.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Print Spooler

The Print Spooler service manages all local and network print queues and controls all print jobs. The print spooler communicates with printer drivers and input/output (I/O) components, such as the USB port and the TCP/IP protocol suite, and is the center of the Windows printing subsystem. It is installed and activated by default on Windows Vista and Windows Server 2003-based computers.

If the Print Spooler service stops, you will not be able to print or send faxes from your local computer. When the Print Spooler service stops on a server that runs Terminal Services, the System hive of the registry will slowly grow until it fills the system volume and causes the server to crash. This problem is caused by the fact that when new clients log on to the server through Terminal Services, the system automatically tries to map the client's local printer to a printer port on the server, and it records this mapping in the registry. However, the Print Spooler service is supposed to delete each record when user end their sessions, and if the service is not running, the unused records will never be deleted.

Also, the Printer Pruner feature of Active Directory relies on the Print Spooler service. For the Printer Pruner to operate across the organization and allow orphaned queues to be scavenged on an unmanaged basis, every site in the organization must have at least one domain controller that runs the Print Spooler service. If you configure this service to Disabled or Manual, it will not automatically start when print jobs are submitted.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Problem Reports and Solutions Control Panel Support

The Problem Reports and Solutions Control Panel Support service provides support for viewing, sending, and deleting system-level problem reports for the Problem Reports and Solutions control panel. This service is part of the Windows Diagnostic Infrastructure in Windows Vista.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Program Compatibility Assistant Service

The Program Compatibility Assistant Service provides support for the Program Compatibility Assistant. If this service is stopped, the Program Compatibility Assistant will not function properly. The Program Compatibility Assistant Service attempts to find software and driver updates that will improve the compatibility of applications with Windows Vista and make changes to the computer's configuration so that the program will run better. The Program Compatibility Assistant runs automatically when it detects that an older program is attempting to run in Windows Vista and is encountering problems.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Protected Storage

The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users. The service provides a set of software libraries that allow applications to retrieve security and other information from personal storage locations as it hides the implementation and details of the storage itself.

The storage location that is provided by this service is protected from modification. The Protected Storage service uses the Hash-Based Message Authentication Code (HMAC) and the Secure Hash Algorithm 1 (SHA1) cryptographic hash function to encrypt the user's master key. This component requires no configuration.

The Protected Storage service was originally introduced in Windows 2000. In Windows XP and Windows Server 2003, this service was replaced by the Data Protection API (DPAPI), which is currently the preferred service for protected storage. Unlike DPAPI, the interface to the Protected Storage service is not publicly exposed.

If the Protected Storage service stops, private keys are inaccessible, the Certificate Services service does not operate, Secure/Multipurpose Internet Mail Extensions (S/MIME) and SSL do not work, and smart card logon fails.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Quality Windows Audio Video Experience

Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks. The qWave platform enhances AV streaming performance and reliability by ensuring network Quality of Service (QoS) for AV applications. It provides mechanisms for admission control, run-time monitoring and enforcement, application feedback, and traffic prioritization. The qWave platform provides the functionality for socket-based applications to gather in-depth, real-time information of a variable bandwidth network, allowing it to dynamically adapt to changing network conditions. It also allows applications to prioritize packets in order to make better use of the available bandwidth.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

QoS RSVP Service

QoS is an industry-wide standard that was developed to achieve more efficient use of network resources. It allows clients and servers to differentiate between different data types and to prioritize end-to-end network traffic. The Internet Engineering Task Force (IETF) has helped to ensure that QoS standards enable all affected network devices to participate in the end-to-end QoS-enabled connection. QoS provides applications (or network administrators) with a means by which network resources—such as available bandwidth and latency—can be predicted and managed on both local computers and devices throughout the network.

The QoS RSVP Service implements Windows QoS support. It is installed by default on Windows XP-based computers but is not installed on Windows Server 2003-based computers. When installed, its startup type is Manual. If this service is disabled or uninstalled, the computer cannot participate in QoS connections or make resource reservation requests for QoS-controlled bandwidth.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

ReadyBoost

The ReadyBoost service provides support for improving system performance. It allows you to use non-volatile flash memory, such as that on a universal serial bus (USB) flash drive, to providing additional memory resources without having to provide additional RAM for the system.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Remote Access Auto Connection Manager

The Remote Access Auto Connection Manager service detects unsuccessful attempts to connect to a remote network or computer and provides alternate methods for connection. When a program fails in an attempt to reference a remote DNS or NetBIOS name or address, or when network access is unavailable, the service displays a dialog box that allows you to make a dial-up or VPN connection to the remote computer.

To assist you, the Remote Access Auto Connection Manager service maintains a local database of connections that were previously used to reach named computers or shares. When the service detects an unsuccessful attempt to reach a remote computer or shared folder, it offers to dial the connection that was last used to reach this remote device. This service is installed by default on Windows XP-based and Windows Server 2003-based computers, but its startup type is Manual. It is started automatically on an as-needed basis. If you disable the Remote Access Auto Connection Manager service, you need to manually establish connections to remote computers when you need to access them.

This service startup type is Manual.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Remote Access Connection Manager

The Remote Access Connection Manager system service manages dial-up and VPN connections from your computer to the Internet or other remote networks. When you double-click a connection in the Network Connections folder and then click the Connect button, the Remote Access Connection Manager service either dials the connection or sends a VPN connection request and handles subsequent negotiations with the remote access server to set up the connection.

The Remote Access Connection Manager service unloads itself when no requests are pending. The Network Connections folder calls this service to enumerate the set of connections and to display the status of each one. Although its default startup type is Manual, this service will start if there are one or more VPN or dial-up connections in the Network Connections folder.

If the Remote Access Connection Manager service stops or if you disable it, your computer cannot make dial-up or VPN connections to a remote network or accept inbound connection requests. Also, the Network Connections folder will not display any VPN or dial-up connections, and the Internet Options Control Panel will not allow the user to configure any options that pertain to dial-up or VPN connections.

This service startup type is Manual.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Remote Administration Service

The Remote Administration Service performs the following remote administration tasks when a server restarts:

• Increment the server boot count.

• Send an alert when the computer is running a backup of the operating system.

• Generate a self-signed certificate.

• Send an alert if the date and time has not been set on the server.

• Send an alert if the Alert E-mail functionality has not been configured.

The Remote Administration Service starts to run the appropriate tasks when it is requested to do so by the Remote Server Manager through a COM interface. The service uses the Local System account, and requests on the COM interface are only accepted from clients that use the Administrator or Local System accounts.

If the Remote Administration Service is configured to Manual, it will start when called by the Remote Server Manager service. It can subsequently be stopped with no effect on any server functionality. This service is installed and configured to automatically start by default on Windows Server 2003-based computers.

If the Remote Administration Service stops, some Remote Administration Tools features may not function properly, such as Web interface for remote administration.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Remote Desktop Help Session Manager

The Remote Desktop Help Session Manager service manages and controls the Remote Assistance feature within the Help and Support Center application (Helpctr.exe). It is installed by default on Windows Server 2003 but it is only started when a Remote Assistance request is made or received.

If the Remote Desktop Help Session Manager service stops, Remote Assistance and the ability to request help through Remote Assistance will be unavailable.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Remote Installation

Remote Installation Services (RIS) provides the ability to install Windows 2000, Windows XP, Windows Vista, and Windows Server 2003 on Pre-Boot Execution Environment (PXE) remote boot-enabled client computers. The Boot Information Negotiation Layer (BINL) service, the primary component of RIS, answers PXE clients, checks Active Directory for client validation, and passes client information to and from the server. The BINL service is installed when you add the RIS component from Add/Remove Windows Components or when you select it during initial operating system installation.

RIS is a Windows deployment feature that is included in Windows Server 2003. With RIS, you can support on-demand image-based or script-based operating system installations over a network connection from a RIS server to a client computer. RIS is designed to simplify the deployment of operating systems and applications and to improve failure recoverability.

You can use RIS in a variety of ways, including the following:

• Provide an operating system to users on demand. You can use RIS to create automated installation images of Windows Server 2003, Windows XP, and Windows 2000 operating systems. When a user starts a client computer, even if that computer contains no operating system, the RIS server can respond by installing an operating system over the network; no CD is required. To support this capability, client computers must use PXE through the network adapter.

• Provide operating system images that include specific settings and applications, such as an image that complies with an organization's desktop standard. A particular group of users can be offered the image or images that you designate for that group.

RIS is not installed by default. If you install the service and then stop it, PXE-enabled client computers will be unable to install Windows remotely or use other RIS-based tools from the computer.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Remote Procedure Call (RPC)

The Remote Procedure Call (RPC) service is an inter-process communication (IPC) mechanism that enables data exchange and invocation of functionality that resides in a different process. The different process can be on the same computer, on the local area network, or across the Internet. The Remote Procedure Call (RPC) service serves as the RPC endpoint mapper and COM Service Control Manager (SCM). More than 50 services depend on the RPC service to start successfully.

You cannot stop or disable the Remote Procedure Call (RPC) service. If this service is not available, the operating system will not load.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Remote Procedure Call (RPC) Locator

The Remote Procedure Call (RPC) Locator service enables RPC clients that use the RpcNs* family of APIs to locate RPC servers. It also manages the RPC name service database. This service is turned off by default.

If the Remote Procedure Call (RPC) Locator service stops or if you disable it, RPC clients that need to locate RPC services on other computers may be unable to locate servers, or they may fail to start. RPC clients that rely on RpcNs* APIs from the same computer might not be able to find RPC servers that support a given interface. If the service stops or if you disable it on a domain controller, RPC clients that use the RpcNs* APIs and the domain controller might experience interruption of service when they try to locate clients. RpcNs* APIs are not used internally in Windows; you only need to start this service if non-Microsoft applications require this service.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Remote Registry

The Remote Registry service enables remote users who have the appropriate permissions to modify registry settings on the domain controller. This service is installed and automatically run by default on Windows XP-based and Windows Server 2003-based computers. However, the service's default configuration allows only members of the Administrators and Backup Operators groups to access the registry remotely. This service is required for the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows you to verify which patches are installed on each of the servers in your organization.

If the Remote Registry service stops, only the registry on the local computer can be modified. If you disable this service, any services that explicitly depend on the service will not start, but registry operations on your local computer will not be affected. However, other computers or devices will no longer be able to connect to your local computer's registry.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Remote Server Manager

The Remote Server Manager service provides the following functionality:

• Storage for the Remote Administration alert information.

• Interface to raise, clear, and enumerate Remote Administration alerts.

• Interface to run Remote Administration tasks.

The Remote Server Manager service is installed and set to automatically start by default on computers that run Windows Server 2003. The service acts as a WMI instance provider for Remote Administration Alert Objects and a WMI method provider for Remote Administration Tasks. The service runs under the Local System account, and accepts requests through the COM interface only from clients running under the Administrator or Local System accounts.

If the Remote Server Manager service is configured to Manual, it starts when the next request for Remote Administration Tasks or Remote Administration Alerts is received. If the service stops, it restarts if the Web interface for remote administration is accessed. If you disable this service, any services that explicitly depend on this service do not start. Also, you will lose information about any current Remote Administration Alerts if you disable this service.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Remote Server Monitor

The Remote Server Monitor service monitors critical computer resources and manages optional watchdog timer hardware on remotely managed servers.

If the Remote Server Monitor service stops, it no longer monitors critical computer resources and the hardware watchdog timer will stop.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Remote Storage Notification

The Remote Storage Notification service notifies the user when a user program attempts to read from or write to files that are available only from secondary storage media. Because of the extended period of time it takes to access a file that has been moved to tape, Remote Storage notifies the user when an attempt to read a migrated file occurs. Also, the service allows the user to cancel the request instead of waiting.

The Remote Storage Notification service is not installed by default on Windows Server 2003. If this service stops, you do not receive additional notification when you try to open offline files, nor can you cancel an operation that involves an offline file.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Remote Storage Server

The Remote Storage Server service stores infrequently used files in secondary storage media. This service allows the Remote Storage subsystem in Windows to notify the user when an offline file has been accessed.

Remote Storage is a hierarchical storage management application that moves data from local storage, or data that is frequently accessed and stored locally on high-performance disks to remote storage, or data that is infrequently accessed and stored on less expensive media until it is needed again. Hierarchical storage management reduces storage costs for large quantities of data but ensures that the data is still accessible.

The Remote Storage Server service is installed as part of the Remote Storage Windows component, which must be manually installed. When installed, the service is set to run automatically. If this service stops, files cannot be moved to or retrieved from the secondary storage media.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Removable Storage

The Removable Storage service manages and catalogs removable media and operates automated removable media devices. This service maintains a catalog of information that identifies removable media that are used by your computer, including tapes and CDs. Applications such as Backup and Remote Storage use this service to catalog media and for automation. This service labels and tracks media and controls library drives, slots, and doors. It also provides drive-cleaning operations.

The Removable Storage service is installed by default on Windows Server 2003. Its default configuration is to run only when removable storage access is requested by a program on the local computer. If this service stops, applications that depend on it (such as Backup and Remote Storage) will operate more slowly. If there are no automated devices attached to the computer, the service will run only when applications use it. Therefore, it is not necessary to stop the service. When started under these circumstances, Removable Storage frequently needs to inventory the complete contents of attached devices, which requires each media item to be mounted in a drive.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Resultant Set of Policy Provider

The Resultant Set of Policy Provider service enables you to connect to a Windows Server 2003-based domain controller, access the WMI database for that computer, and simulate Resultant Set of Policy (RSoP) for Group Policy settings. The policy settings are determined for a user or computer that is located in Active Directory. This simulation is commonly referred to as Planning mode.

The Resultant Set of Policy Provider service is installed by default on Windows Server 2003-based computers, but its startup type is Manual. If this service stops on a domain controller, RSoP Planning Mode simulation will be unavailable on that domain controller. RSoP only needs to run on domain controllers; member servers and workstations do not need to run this service to use the feature.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Routing and Remote Access

The Routing and Remote Access service provides multi-protocol LAN-to-LAN, LAN-to-WAN, VPN, and NAT routing services. This service also provides dial-up and VPN remote access services.

The Routing and Remote Access service replaces the Routing and Remote Access Service (RRAS) and Remote Access Service (RAS) features in Windows NT 4.0. The Routing and Remote Access service is a single, integrated service that terminates connections from either dial-up or VPN clients and provides routing of IP, IPX, and Services for Macintosh. Your server can use this service to function as a remote access server, a VPN server, a gateway, or a branch-office router.

From a routing perspective, the Routing and Remote Access service supports the Open Shortest Path First (OSPF) and Routing Information Protocol (RIP) routing protocols, and controls the routing tables for the TCP/IP stack-forwarding engine.

The Routing and Remote Access service is installed by default on Windows Server 2003-based computers. It is disabled by default. If this service stops, your computer will not be able to accept incoming RAS, VPN, or dial-on-demand connections, and routing protocols will not be received or transmitted.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

SAP Agent

The SAP Agent service advertises network services on an IPX network through the IPX Service Advertising Protocol (SAP). It also forwards advertisements on a multi-homed host. Some features, such as the File and Print Services for NetWare from Microsoft, rely on this service.

The SAP Agent service requires installation of the NWLINK IPX/SPX Compatible Transport protocol, and it is not installed or activated by default. If this service is turned off, the referenced features may not function correctly.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Secondary Logon

The Secondary Logon service allows a user to create processes in the context of different security principals. A common use of this service is by administrators who may log on as restricted users but need administrative privileges to run a specific application. They can use a secondary logon to temporarily run such applications.

Another component of the Secondary Logon service is RunAs.exe, which allows you to run programs (*.exe files), saved MMCs (*.msc files), shortcuts to programs and saved MMCs, and Control Panel items as Administrator while you are logged on to your computer as a member of another group, such as the Users group. In Windows 2000, this service was called the RunAs Service.

The Secondary Logon service is installed and run automatically by default on Windows Vista and Windows Server 2003. If the service stops or if you disable it, this type of logon access is unavailable. Any calls to the CreateProcessWithLogonW API will fail. Specifically, if you stop or disable this service, the MMC snap-in that starts applications as other users and the RunAs.exe tool will malfunction.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Security Accounts Manager

The Security Accounts Manager (SAM) service is a protected subsystem that manages user and group account information. In Windows 2000 and Windows Server 2003, workstation security accounts are stored by the service in the local computer registry, and domain controller security accounts are stored in Active Directory. In Windows NT 4.0, both local and domain security accounts are stored in the registry.

The startup of the Security Accounts Manager service signals other services that it is ready to accept requests.

The Security Accounts Manager service is present on all versions of Windows Vista and Windows Server 2003, and you cannot stop it. If you disable this service, other services in the computer may not start correctly. Do not disable this service.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Security Center

The Security Center service provides a central location for computers that run Windows Vista to manage security-related settings. It is configured to run automatically by default. When it runs, it performs the following tasks:

• Checks whether the Windows Firewall service is running and queries specific non-Microsoft WMI providers to see if compatible software firewall applications are present and running.

• Queries specific non-Microsoft WMI providers to see if compatible antivirus software is installed, whether the software is up-to-date, and whether real-time scanning is turned on.

• Checks the configuration of the Windows Automatic Updates service. If the Automatic Updates service is turned off or not configured in accordance with the recommended settings, the Security Center service will inform the user.

• Checks that Internet security settings are set to their recommended levels.

• Checks that User Account Control is enabled.

If the Security Center service determines that a protected component is missing, incorrectly configured, or out of date, it notifies the user through a logon alert message and icon in the notification area of the taskbar.

If you disable the Security Center service, the protected components will continue to function in accordance with their specific configuration settings. However, no centralized monitor service will be provided.

This service is configured for an automatic delayed start.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Server

The Server service provides RPC support, file printing, and named pipe sharing over the network. It allows local resources to be shared, such as disks and printers, so that other users on the network can access them. It also allows named pipe communication between applications that run on other computers and your computer, which is used to support RPC. Named pipe communication is memory that is reserved for the output of one process to be used as input for another process. The input-acceptance process does not need to be local to the computer. This service is installed and runs automatically by default on Windows Vista and Windows Server 2003.

If the Server service stops or if you disable it, the computer cannot share local files and printers with other computers on the network, and it cannot satisfy remote RPC requests.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Shell Hardware Detection

The Shell Hardware Detection service monitors and provides notification for AutoPlay hardware events. AutoPlay is a feature that detects content such as pictures, music, or video files on removable media and removable devices. AutoPlay then automatically starts applications to play or display that content, which simplifies the use of specialized peripheral devices such as MP3 players and digital photo readers. The service also makes it easier for users, because they do not need to know beforehand what software applications are needed to access various content types.

AutoPlay supports a variety of media content types and applications. Both independent hardware vendors (IHVs) and independent software vendors (ISVs) can extend this support to include their hardware devices and applications. A user can configure a different AutoPlay action for any combination of pictures, music files, and video.

Media and device types that are supported by AutoPlay include:

• Removable storage media

• Flash media

• PC cards

• External hot-plug USB or 1394 fixed drives

• Supported content types, which include:

  • Pictures (.jpg, .bmp, .gif, and .tif files)

  • Music files (.mp3 and .wma files)

  • Video (.mpg and .asf files)

The Shell Hardware Detection service is installed and runs automatically by default on Windows Vista and Windows Server 2003. If the service stops, the Hardware AutoPlay functionality does not work and shell performance is also affected.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Simple Mail Transfer Protocol (SMTP)

The Simple Mail Transfer Protocol (SMTP) service is an e-mail submission and relay agent. It can accept and queue e-mail messages for remote destinations and establish connections to other computers at specified intervals. Windows-based domain controllers use the SMTP service for intersite e-mail–based replication. Also, the Collaboration Data Objects (CDO) for the Windows Server 2003 COM component can use this service to submit and queue outbound e-mail.

The SMTP service is installed and run by default on Windows Server 2003 Web Edition. On other Windows Server 2003 editions, it is an optional component that is not installed by default.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Simple TCP/IP Services

The Simple TCP/IP Services service implements support for the following protocols and ports:

• Echo, port 7, RFC 862

• Discard, port 9, RFC 863

• Character Generator, port 19, RFC 864

• Daytime, port 13, RFC 867

• Quote of the Day, port 17, RFC 865

When you enable Simple TCP/IP Services, all five protocols are enabled on all adapters. There is no ability to selectively enable specific services or enable the service on per-adapter basis.

If you stop or disable Simple TCP/IP Services, the rest of the operating system is unaffected. This service must be manually installed. Do not install this service unless you specifically need a computer to support communication with other computers that use the referenced protocols.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Single Instance Storage Groveler

The Single Instance Storage Groveler (SIS) service is an integral component of Remote Installation Services (RIS). This service scans the RIS volume for duplicate files to reduce the overall amount of storage that is required on the volume. If the service finds duplicate files, it copies the original file into single instance storage and leaves a link file in its place. The link file contains information about the original file, such as its current location, size, and attributes. If an image contains duplicate files, those duplicates are copied into the store. As a result, less disk space is required on the RIS server.

The SIS Groveler service has two limitations:

• It cannot act upon any files that are referenced through junction points.

• It cannot be used with any file system except NTFS, which is the only file system supported on RIS servers.

The SIS Groveler service is present only if the Remote Installation Services component has been installed. In that case, it will be started automatically at boot time. If the SIS Groveler service stops, files are no longer automatically linked in this manner, but the existing linked files are still accessible. New RIS installation images will consume their full image size and conserve little space. If the SIS Groveler service is no longer needed on the computer, the proper way to discontinue its use is to use the Add/Remove Windows Components tool to remove the Remote Installation Services component, which disables it.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

SL UI Notification Service

The SL UI Notification Service (SLUINotify) provides notification messages about software licensing and activation. Windows Vista includes a new licensing service, Slsvc.exe, that manages all activity related to Windows licensing. This service implements several anti-tampering technologies intended to detect modifications performed on this service. When modifications are detected, the licensing state of the system is affected and a message is sent to SLUINotify to notify of this change in licensing state. For example, the user might get a notification that the user's copy of Windows is non-genuine through a message box that states, "An unauthorized change was made to your license."

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Smart Card

The Smart Card service manages and controls access to a smart card that is inserted into a smart card reader, which is connected to your computer. The smart card subsystem is based on Personal Computer/Smart Card (PC/SC) Workgroup consortium standards (https://go.microsoft.com/fwlink/?LinkId=120309) and consists of the Resource Manager component, which manages access to readers and smart cards. To manage these resources, the Resource Manager performs the following functions:

• Identifies and tracks resources.

• Allocates readers and resources across multiple applications.

• Supports transaction primitives to access services that are available on a given card.

The Resource Manager also exposes the WinSCard subset of the Win32 API to provide applications with access to a Card/Reader Selection user interface (UI). This component allows simple applications that work with smart cards to access a card and reader with minimum coding.

The Smart Card service is automatically installed by default on Windows Vista and Windows Server 2003-based computers. If this service stops, your computer is unable to read smart cards.

This service startup type is Automatic on Windows Vista and Manual on Windows Server 2003.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Smart Card Removal Policy

The Smart Card Removal Policy service allows the system to be configured to lock the user desktop, disconnect from remote Terminal Services sessions, or log off the user upon smart card removal. Users who walk away from computers that are running an active logon session create a security risk. To enforce the security of your system, it is best practice for users to disconnect from any remote Terminal Services sessions and either log off or lock their computers when they leave. The smart card removal policy allows you to force users to comply with this practice when they remove their smart cards.

Whether or not you use the Smart Card Removal Policy service depends on how your users interact with their computers. For example, this policy might be used for computers in an open floor or kiosk environment. This policy might not be necessary when users have dedicated computers or exclusive use of multiple computers. You can use a password-protected screensaver or other means to lock the computers of these users.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

SNMP

The SNMP service allows inbound Simple Network Management Protocol (SNMP) requests to be serviced by the local computer. This service includes agents that monitor activity in network devices and report to the network console workstation, and provides a way to manage network hosts such as workstation or server computers, routers, bridges, and hubs from a centrally located computer that runs network management software. SNMP performs management services through a distributed architecture of management computers and agents.

You can use SNMP to perform the following tasks:

• Configure remote devices. Configuration information can be sent to each networked host from the management computer.

• Monitor network performance. You can track the speed of processing, network throughput, and collect information about the success of data transmissions.

• Detect network faults or inappropriate access. You can configure trigger alarms on network devices when certain events occur. When an alarm is triggered, the device forwards an event message to the management computer. Common types of alarms include a device being shut down and restarted, a link failure being detected on a router, and inappropriate access.

• Audit network usage. You can monitor overall network usage to identify user or group access as well as types of usage for network devices and services.

The SNMP service also includes an SNMP agent that allows remote, centralized management of computers that run the following versions of the Windows operating system:

• Windows XP Home Edition

• Windows XP Professional

• Windows 2000 Professional

• Windows 2000 Server

• Windows Server 2003

• Windows Vista

The SNMP agent also allows management of the following services:

• Windows XP or Windows Server 2003 and Windows 2000–based WINS

• Windows XP or Windows Server 2003 and Windows 2000–based DHCP

• Windows XP or Windows Server 2003 and Windows 2000–based Internet Information Services

• LAN Manager

The SNMP service is only installed if you manually install the optional SNMP component through the Windows Components wizard. When installed, the service starts automatically. If the SNMP service stops or if you disable it, the computer no longer responds to SNMP requests. If the computer is being monitored by network management tools that rely on SNMP, they can no longer collect data from the computer nor control its functionality through the service.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

SNMP Trap

The SNMP Trap service receives trap messages, which contain information about specific events and are generated by local or remote SNMP agents. The service forwards the messages to SNMP management programs that run on your computer. The SNMP service, when configured for an agent, generates trap messages if any specific events occur, and these messages are sent to a trap destination. For example, an agent can be configured to initiate an authentication trap if an unrecognized management computer sends a request for information. Trap destinations consist of the computer name, the IP address, or IPX address of the management computer. The trap destination must be a network-enabled host that runs SNMP management software. Trap destinations can be configured by a user, but the events, such as computer restarts, that generate trap messages are internally defined by the SNMP agent.

The SNMP Trap service is installed only if you manually install the optional SNMP component through the Windows Components wizard. When installed, the service starts automatically. If the service stops or if you disable it, SNMP-based programs on the computer do not receive SNMP trap messages from other computers. If this computer monitors network devices or server applications with SNMP traps, significant computer events are lost.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Software Licensing

Windows Vista includes a new licensing service, Slsvc.exe, that manages all activity related to Windows licensing. This service implements several anti-tampering technologies intended to detect modifications performed on this service.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Special Administration Console Helper

You can use the Special Administration Console Helper service to perform remote management tasks on a computer running Windows Server 2003 if the computer's functions are halted because of a Stop error message. The Windows Emergency Management Services component supports two out-of-band console interfaces: the Special Administration Console (SAC) and !SAC, which offers a subset of SAC commands for use when the server has been halted.

Both the SAC and !SAC components accept input and send output through the out-of-band port. SAC is a separate entity from both !SAC and Windows Server 2003 command-line environments. After a specific failure point is reached, Emergency Management Services components determine when the shift should be made from SAC to !SAC. !SAC becomes available automatically if SAC fails to load or does not function. The Special Administration Console Helper service allows you to create inbound communication channels through the command prompt. This service is only installed on Windows Server 2003-based computers, and only when you enable the Emergency Management Services functionality as described in the Windows Server 2003 documentation.

If the Special Administration Console Helper service stops, SAC services are no longer be available.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

SQLAgent$* (* UDDI or WebDB)

The SQLAgent$* (* UDDI or WebDB) service is a job scheduler and monitoring service. It also moves information between SQL servers and is used heavily for backups and replication. These services are not installed or active by default.

If the SQLAgent$* (* UDDI or WebDB) service stops, SQL replication does not occur. Also, there will be a disruption of all scheduled jobs, alert or event monitoring, and an automatic restart of the SQL Server service.

This service is present only when UDDI Services are installed.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

SSDP Discovery Service

The UPnP Device Host service that is included with Windows Vista supports peer-to-peer Plug and Play functionality for network devices and services. The UPnP™ specification is designed to simplify device and network service installation and management. The UPnP Device Host service uses SSDP to locate and identify UPnP-certified network devices and service.

The SSDP Discovery Service is installed and the startup type is Manual on Windows Vista-based computers. The service is started only when the computer attempts to locate and configure UPnP-certified devices. If you disable this service, the computer is unable to find UPnP-certified devices on the network and the UPnP Device Host service is not able to find and interact with UPnP-certified devices.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Superfetch

The Superfetch service maintains and improves system performance over time. Superfetch is part of a collection of performance-enhancing features available on Windows Vista that address responsiveness issues related to demand paging.

This service startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

System Event Notification

The System Event Notification (SENS) service monitors and tracks computer events such as Windows logon network and power events. It also notifies COM+ Event System subscribers of these events. This service is installed by default and runs automatically under Windows Vista and Windows Server 2003.

If the System Event Notification service stops, subscribers to the COM+ Event System service do not receive event notifications and the following problems occur:

• Win32 APIs IsNetworkAlive() and IsDestinationReachable() do not work. These APIs are mostly used by mobile applications on portable computers.

• ISens* interfaces do not work. SENS logon/logoff notifications fail.

• SyncMgr (Mobsync.exe) does not work properly. It depends on connectivity information and also on Network Connect/Disconnect and Logon/Logoff notifications from SENS.

• The COM+ EventSystem fails when it tries to notify SENS of some events.

• The Volume Shadow Copy Service does not load properly, which causes the Windows Backup API to fail.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Tablet PC Input Service

The Tablet PC Input Service enables Tablet PC pen and ink functionality. This allows any version of Windows Vista to be installed on a Tablet PC or to use a pen or touch input device.

If your computer does not have tablet functionality or an external pen or touch input device, you should consider disabling this service.

This service is installed by default and is started automatically.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Task Scheduler

The Task Scheduler service enables you to configure and schedule automated tasks on your computer. The service monitors whatever criteria you choose and carries out the task when the criteria have been met.

The Task Scheduler has been updated for Windows Vista to allow more detailed task triggers and assignments. Also, the Task Scheduler in Windows Vista supports a security isolation model that runs tasks in separate sessions according to their security content. As part of this isolation mode, tasks performed for different users are started in separate sessions, in complete isolation from one another and from tasks that are running in the system context. If passwords are required, they are encrypted and stored in Credential Manager and are retrieved as necessary.

You can use the Task Scheduler feature to perform the following tasks:

• Create tasks.

• Schedule tasks to run at specific times or when a specific event occurs. For example, you can have the computer run ScanDisk at 7:00 P.M. every Sunday.

• Change the schedule for a task.

• Customize how tasks are run.

• Stop a scheduled task.

You can start the Task Scheduler service from the Services snap-in console or configure it to start automatically. By default, the Task Scheduler service is installed on Windows Vista-based and Windows Server 2003-based computers. It can be accessed from the Task Scheduler Administrative Tool, through the Task Scheduler API, or from the SchTasks.exe tool. For more information about the Task Scheduler API, see (https://go.microsoft.com/fwlink/?LinkId=119709).

If the Task Scheduler service stops, scheduled tasks will not run at their scheduled times or intervals. Also, this service is needed for Windows Backup and backup applications that rely upon the Windows Backup API. If there are no jobs listed in the %systemroot%\Tasks\ folder, there will be minimal effect if you stop the service. Otherwise, jobs that are required to run will be unable to start. The Systems Management Server Software Update Services Feature Pack will fail if the Task Scheduler service is unavailable. Also, scheduled backups will fail to run if the Task Scheduler service stops.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

TCP/IP NetBIOS Helper Service

The TCP/IP NetBIOS Helper Service provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on your network. It enables users to share files, print, and log on to the network. Specifically, the service performs DNS name resolution and pings a set of IP addresses that return a list of accessible IP addresses to provide support for the NetBT service.

The TCP/IP NetBIOS Helper Service is installed and started automatically by default on Windows Server 2003 and Windows Vista. If this service stops or if you disable it, NetBT, Redirector (RDR), Server (SRV), Net Logon, and Messenger service clients might not be able to share files, printers, and log on to computers. For example, domain-based Group Policy will no longer function.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

TCP/IP Print Server

The TCP/IP Print Server service enables TCP/IP-based printing through the Line Printer Daemon protocol. The Line Printer Daemon Service (LPDSVC) on the server receives documents from native Line Printer Remote (LPR) utilities that run on UNIX-based computers.

The TCP/IP Print Server service is an optional component that must be separately installed from the Windows Components wizard. If this service stops, TCP/IP-based printing will be unavailable.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Telephony

The Telephony service provides Telephony Application Programming Interface (TAPI) support for programs that control telephony devices, as well as IP-based voice connections on the local computer and through LAN servers that also run the service. The service enables applications to act as clients to telephony equipment such as Private Branch Exchanges (PBXs), telephones, and modems. It supports the TAPI under which different wire protocols that communicate with telephony equipment are supported. These protocols are implemented in Telephony Service Providers (TSPs).

The Telephony service is installed by default on Windows Vista and Windows Server 2003, and its startup type is configured to Manual. Applications that require TAPI service may start it. If the Telephony service stops or if you disable it, any services that explicitly depend on it (such as modem support) will not start. You cannot stop the service if there is another dependent service currently active, such as RAS. If you stop the service when no dependent services are active, it will restart when any application makes an initialization call to the TAPI interface.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Telnet

The Telnet service for Windows provides ASCII terminal sessions to Telnet clients. It supports two types of authentication and supports four types of terminals: American National Standards Institute (ANSI), VT-100, VT-52, and VTNT.

The Telnet service also allows a remote user to log on to a computer and run console programs from the command line. A computer that runs the Telnet service can support connections from various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. The Telnet service is installed on Windows Server 2003-based computers by default, but it is disabled. The Telnet service is not installed on Windows Vista but can be added from the Programs and Features control panel. For upgrade installations, the startup type of the Telnet service in the previous version of Windows is preserved.

If the Telnet service stops, remote user access to programs is unavailable through the Telnet client, remote users cannot connect through the Telnet protocol, and users cannot connect to the computer or run console-based applications.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Terminal Services

The Terminal Services service provides a multi-session environment that allows client devices to interact with virtual Windows desktop sessions and Windows-based programs that run on a server.

By default, the Terminal Services service is installed in support of the Remote Desktop for Administration feature on Windows Server 2003-based computers. This feature allows for a maximum of two users to remotely connect to the server and those users must be members of the local Administrators group. To enable multiple users to use Terminal Services, open Add/Remove Windows Components, and then select Terminal Services. Installing Terminal Services will also enable the Terminal Services Licensing Service.

For Windows Server 2003-based computers, this service is required if you wish to use Remote Desktop. On Windows Vista, it is required if you wish to use Fast User Switching, Remote Desktop, and Remote Assistance. In Windows Server 2003 this service startup type is Manual, and in Windows Vista it is Automatic.

If the Terminal Services system service stops or if you disable it, your computer might become unreliable and Remote Assistance is no longer available. To prevent remote use of your computer, clear the Allow Remote Assistance and Allow Remote Desktop check boxes on the Remote tab of System Properties.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Terminal Services Configuration

Terminal Services Configuration service (TSCS) is responsible for all Terminal Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, Terminal Services themes, and Terminal Services certificates.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Terminal Services Licensing

The Terminal Services Licensing service installs a license server and provides registered client licenses when connections are made to a terminal server. The Terminal Services Licensing service is a low-impact service that stores the client licenses that have been issued for a terminal server and then tracks the licenses that have been issued to client computers or terminals. This service is only present and is only required for servers on which Terminal Services is installed.

If the Terminal Services Licensing service is turned off, the server is unavailable to issue terminal server licenses to clients when they request them. If another license server is discoverable on a domain controller in the forest, the requesting terminal server will attempt to use it.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Terminal Services Session Directory

The Terminal Services Session Directory service provides a multi-session environment that allows client devices to access a virtual Windows desktop session and Windows-based programs that run on Windows Server 2003.

The Terminal Services Session Directory service allows clusters of load-balanced terminal servers to properly route a user's connection request to the server where the user already has an active session. The Windows Network Load Balancing service pools the processing resources of several servers that use the TCP/IP networking protocol. You can use the Windows Network Load Balancing service with a cluster of terminal servers to provide a single Terminal Services access point to users while distributing sessions across multiple servers.

The Terminal Services Session Directory service keeps track of disconnected sessions on the cluster, and ensures that users are reconnected to those sessions. This service is installed on Windows Server 2003-based computers that have the Terminal Services component installed, but the service is disabled by default. We recommend that the Terminal Services Session Directory service be installed on a server that is not a terminal server.

If the Terminal Services Session Directory service stops, connection requests are routed to the first available server, regardless of whether it has an active session elsewhere in the cluster.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Terminal Services UserMode Port Redirector

The Terminal Services UserMode Port Redirector allows the redirection of printers, drives, or ports for Remote Desktop connections to enable the Remote Desktop session to use the locally available resources.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Themes

The Themes service provides user experience theme-management services. A desktop theme is a predefined set of icons, fonts, colors, sounds, and other elements that give the computer desktop a unified and distinctive look. On Windows Vista-based computers, the Themes service is set to start automatically. On Windows Server 2003-based computers, it is disabled.

If the Themes service stops or if you disable it, the new Windows Vista visual style—windows, buttons, scrollbars, Start button, and other controls—revert to the Windows Classic visual style.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Thread Ordering Server

The Thread Ordering Server service provides ordered execution for a group of threads within a specific period of time. The Thread Ordering Service controls the running of one or more client threads. It ensures that each client thread runs once during the specific period and in relative order.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

TPM Base Services

The TPM Base Services service enables access to the Trusted Platform Module (TPM), which provides hardware-based cryptographic services to system components and applications. The TPM Base Services (TBS) component centralizes TPM access across applications. It also virtualizes certain limited TPM resources. The TBS uses priorities specified by calling applications to cooperatively schedule TPM access.

The TBS runs as a system service in the Windows Server® 2008 and Windows Vista operating systems. It provides services to other components as an API exposed through remote procedure calls (RPC).

The TBS component is an optional system service that allows transparent sharing of the TPM resources. It simultaneously shares the TPM resources among multiple applications on the same physical computer, even if those applications run on different virtual computers.

The Trusted Computing Group (TCG) defines a Trusted Platform Module that provides cryptographic functions designed to provide trust in the platform. Because this component is implemented in hardware, it has finite resources. The TCG also defines a software stack that makes use of these resources to provide trusted operations for application software. However, no provision is made for running a TSS implementation side-by-side with operating system software that may also be using TPM resources. The TBS component solves this problem by enabling each software stack that communicates with TBS to use TPM resources checking for any other software stacks that may be running on the computer.

If this service is stopped or disabled, application cannot use keys protected by the TPM.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Trivial FTP Daemon

The Trivial FTP Daemon service (TFTP) does not require a user name or password and is an integral part of the Remote Installation Services (RIS) for Windows Server 2003. The service implements support for the TFTP protocol that is defined by the following RFCs:

• RFC 1350—TFTP

• RFC 2347—Option extension

• RFC 2348—Block size option

• RFC 2349—Timeout interval and transfer size options

A RIS server uses the Trivial FTP Daemon service to download the initial files that are required for the remote installation process to begin. The most common file that is downloaded to the client through this service is Startrom.com, which bootstraps the client computer. If the user presses F12 when prompted, the Client Installation Wizard is downloaded to begin the remote installation process.

The Trivial FTP Daemon is not installed by default. If this service stops or if you disable it, client computers that request RIS from this server will fail to install. The correct way to disable this service is to uninstall RIS.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Uninterruptible Power Supply

The Uninterruptible Power Supply service manages an uninterruptible power supply (UPS) that is connected to your computer by a serial port. This service is installed by default on Windows Server 2003, but its startup type is Manual.

If the Uninterruptible Power Supply service stops or if you disable it, communications with the UPS are lost. If there is a loss of power, the UPS may not be able to safely shut down the computer, which could result in loss of data.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

UPnP Device Host

The UPnP Device Host service supports peer-to-peer UPnP functionality for network devices. The UPnP specification is designed to simplify device and network service installation and management. The UPnP architecture accomplishes device and service discovery and control through driver-less, standards-based protocol mechanisms.

UPnP-certified devices can automatically configure network addresses, announce their presence on a network subnet, and enable the exchange of device and service descriptions. When the UPnP Device Host service is installed, a Windows Vista-based computer can act as a UPnP-certified control point to discover and control the devices through a Web or application interface.

This service is installed by default on Windows Vista-based computers. On Windows Vista Ultimate, the service startup type is Automatic. On the other versions of Windows Vista, the service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Upload Manager

The Upload Manager service manages the synchronous and asynchronous file transfers between client computers and servers on the network. Driver data is anonymously uploaded from customer computers to Microsoft and then used to help users find the drivers that are required for their computers. The Microsoft Driver Feedback Server requests the client's permission to upload the computer's hardware profile and then search the Internet for information about how to obtain the appropriate driver or get support from Microsoft or an appropriate non-Microsoft company.

Information that is uploaded from your computer to find driver information will include the hardware identification numbers for the device, the time the Windows Hardware Wizard finished, and an ID for the Windows operating system on your computer. The computer information that is uploaded cannot be tracked to a user, computer, organization, IP address, or any other source information.

The collected data is used to track which devices do not have easily obtainable drivers. If additional device driver information exists, it will be available after the device identification number is uploaded. If additional driver information is not available, Microsoft will record the device's identification number and work with hardware vendors to increase the availability of device drivers for Windows or provide information about driver availability and device support.

The Upload Manager service is installed by default and startup type is Manual on Windows Server 2003-based computers. If this service stops, synchronous and asynchronous file transfers between clients and servers on the network do not occur.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

User Profile Service

The User Profile Service is responsible for loading and unloading user profiles. If this service is stopped or disabled, users can no longer successfully log on or log off, applications may have problems getting to users' data, and components registered to receive profile event notifications do not receive them.

This service should not be stopped or disabled. It is configured by default to start automatically.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Virtual Disk Service

The Virtual Disk Service (VDS) provides a single interface to manage block storage virtualization, whether it is done in operating system software, redundant array of independent disks (RAID) storage hardware subsystems, or other virtualization engines.

VDS provides a vendor-neutral and technology-neutral interface to manage logical volumes (software) and logical units (hardware). You can use this interface to manage bind operations, performance monitoring, topology discovery and tracking, volume status, and fault tracking.

Do not confuse virtual disks with snapshots. Unlike the Volume Shadow Copy Service, VDS does not coordinate with applications or the file system, and the data that is contained on a volume is not synchronized before a volume or disk configuration operation. You can use VDS to configure a mirror plex, but a snapshot provider is necessary to perform the coordination when removing the plex and surfacing the snapshot. That use is outside the scope of this document with two exceptions:

• VDS coordinates with the file system before it extends or shrinks volumes.

• Full copy snapshots appear as plexes to VDS.

VDS is installed and startup type is Manual on Windows Server 2003 and Windows Vista-based computers. The service is started only when an application attempts to use VDS. If it stops, VDS is no longer available.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Volume Shadow Copy

The Volume Shadow Copy Service manages and implements volume shadow copies, which are used for backup and other purposes, and manages the volume snapshots. When a backup application attempts to start a backup with the new snapshots infrastructure, the backup application determines the number of writers that are currently active on the service and then queries each writer to gather the required metadata. The backup application can then collect the volumes that require a shadow copy to ensure a successful backup session. The volumes are presented to the shadow copy coordinator and a shadow copy is created. The shadow copy creates volumes that match the original volumes at the shadow copy point of time.

The Volume Shadow Copy Service is installed on Windows Vista-based and Windows Server 2003-based computers, and its startup type is Manual. While the service is stopped, shadow copies are unavailable for backup and the backup process might not succeed. Specifically, the Volume Shadow Copy Service is needed for Windows Backup and backup applications that rely upon the Windows Backup API.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

WebClient

The WebClient service allows Win32 applications to access documents on the Internet. The service extends the network capability of Windows by allowing standard Win32 applications to create, read, and write files on Internet file servers through the use of WebDAV, a file-access protocol that is described in XML and uses HTTP for communication. Because it uses standard HTTP, WebDAV runs over existing Internet infrastructure, such as firewalls and routers.

The WebClient service is installed on both Windows Vista and Windows Server 2003. In Windows Vista, the service starts automatically. In Windows Server 2003, the service is disabled. If the WebClient service stops, users of the computer cannot use the Web Publishing Wizard to publish data to Internet locations that use the WebDAV protocol.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Web Element Manager

The Web Element Manager service is installed by default only on Windows Server 2003 Web Edition. It serves Web user interface elements for the Administration Web site at port 8098, which determine the following information:

• Tabs to display on the Administration Web site

• Remote administration tasks that are available to the Administrator

• Table of contents

• Help topics

• Remote administration alerts that can be displayed

To remotely manage a server, an administrator can connect to the server at https://servername:8098. When this Web site receives a connection, the default Active Server Pages (ASP) code queries the Web Element Manager service for each of the referenced types of information. After all the information has been collected, the appropriate Web page is displayed to the administrator.

The Web Element Manager service loads all the information at startup time, and the client—the ASP code, in this scenario—requests the Web user interface elements through a COM interface. The service runs under the Local System account and requests on the COM interface are only accepted from clients that run under the Administrator or Local System accounts. If the service stops or its startup type is Manual, it will start when it receives the next request for Web user interface elements.

The Web Element Manager service is automatically restarted when the Web interface for remote administration is accessed. If you disable this service, any services that explicitly depend on this service do not start and the Remote Administration Tools Web user interface for server administration do not function properly.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Windows Audio

The Windows Audio service provides support for sound and related Windows Audio event functions. This service manages Plug and Play–compatible events for audio devices such as sound cards and global audio effects (GFX) for Windows audio application program interfaces. Examples of GFXs are equalization (EQ), bass enhancement, and speaker correction. The service loads, unloads, and saves/restores state for the GFXs on a per-session basis.

Through the Multimedia control panel, users can accomplish the following:

• Enable or disable a GFX.

• Select among several GFX filters if more than one GFX is available that is designed for the specific audio hardware. A GFX driver's .inf file specifies the target hardware for the GFX.

The Windows Audio service is installed on Windows Server 2003-based and Windows Vista-based computers and starts automatically on computers that run Windows Vista and Windows Server 2003 Standard Edition. The service is disabled on other Windows Server 2003 editions.

You cannot stop the Windows Audio service after it is started. If you disable this service, audio functionality may be affected, including the inability to hear sound or process GFXs.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Windows Audio Endpoint Builder

The Windows Audio Endpoint Builder service manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects do not function properly. The term endpoint device refers to a hardware device at one end of a data path that originates or terminates at an application program. Examples of audio endpoint devices are speakers, headphones, microphones, and CD players.

In Windows Vista, the audio system keeps track of both endpoint devices and dynamic changes in the configuration of audio hardware that has jack-presence detection. While an endpoint device remains plugged in, the system enumerates that device. When the user unplugs an endpoint device, the system ceases to enumerate it. This feature improves the reliability of the audio system, giving more predictable capture and playback experiences across different devices.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Backup

The Windows Backup service supports the four main backup features provided by the new Backup and Restore Center in Windows Vista: File Backup and Restore, Windows Complete PC Backup and Restore, System Restore, and Shadow Copy.

Having a regular backup policy is essential for disaster recovery scenarios, but backups are also a security risk and your security policy must address how data backups are going to be protected so that they are not used to remove confidential information from your data center or your organization. Backup copies that are on removable media should be placed in a secure storage area that only trusted personnel have access to and they should be encrypted. If possible, desktops and portable computers should be backed up onto network servers, which are in turn backed up into secure storage. If that is not feasible, your users should be informed as to the best practices for backing up data securely and be provided a secure location into which to store their backup copies.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows CardSpace

The Windows CardSpace service enables the creation, management, and disclosure of digital identities. Windows CardSpace is client software that enables users to provide their digital identity to online services in a simple and trusted way. It is known as an identity selector: when a user needs to authenticate to a Web site or a Web service, CardSpace presents a dialog box with a set of "information cards" for the user to choose from. Each card has some identity data associated with it—though this is not actually stored in the card—that has either been given to the user by an identity provider such as their bank, employer, or government or has been created by users themselves. The CardSpace UI enables users to create Personal cards (also known as self-issued cards) and associate a limited set of identity data. When the user chooses a card, a signed and encrypted security token containing the required information (for example, name and address, employer's name and address, or credit limit) is generated by the identity provider that created the card. The user, in control at all times, then decides whether to release this information to the requesting online service. If the user approves, the token is sent on to this relying party where the token is processed and the identity information is extracted.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Color System

The Windows Color System service (WcsPlugInService) hosts non-Microsoft Windows Color System color device model and gamut map model plug-in modules. These plug-in modules are vendor specific extensions to the Windows Color System baseline color device and gamut map models. Stopping or disabling the WcsPlugInService service disables this extensibility feature, and the Windows Color System uses its baseline model processing rather than the vendor's desired processing. This might result in inaccurate color rendering. The Windows Color System is a new feature in Windows Vista that provides for more precise color mapping and gradation. Non-Microsoft vendors such as printer manufacturers and photo finishers can use this feature in applications and drivers to explicitly call the color that they want rendered.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Connect Now - Config Registrar

The Windows Connect Now - Config Registrar service acts as a registrar for the Windows Connect Now service and issues network credentials to the Enrollee in the service. Windows Connect Now technology enables stream-lined configuration of secured wireless networks and easier provisioning of wireless hardware. Windows Connect Now-NET (WCNNET) is the Microsoft implementation of the Simple Configuration Protocol, a new standard in the WiFi Alliance. WCNNET supports configuration of devices on out-of-band Ethernet and in-band wireless networks.

Windows Connect Now-NET in Windows Vista communicates with access points and wireless stations by using UPnP architecture, authenticates with them by using a personal identification number (PIN), and provides wireless settings that are based on user selection.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Defender

The Windows Defender service scans your computer and helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. Windows Defender in Windows Vista provides the following real-time protection options:

• Auto Start. Monitors lists of programs that are allowed to automatically run when you start your computer.

• System Configuration (settings). Monitors security-related settings in Windows.

• Internet Explorer Add-ons. Monitors programs that automatically run when you start Internet Explorer.

• Internet Explorer Configurations (settings). Monitors browser security settings.

• Internet Explorer Downloads. Monitors files and programs that are designed to work with Internet Explorer.

• Services and Drivers. Monitors services and drivers as they interact with Windows and your programs.

• Application Execution. Monitors when programs start and any operations they perform while running.

• Application Registration. Monitors tools and files in the operating system where programs can register to run at any time.

• Windows Add-ons. Monitors add-on programs (also known as software tools) for Windows.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Driver Foundation - User-mode Driver Framework

The Windows Driver Foundation - User-mode Driver Framework (UMDF) manages user-mode driver host processes. UMDF supports the creation of user-mode drivers that support protocol-based or serial-bus-based devices. Such drivers handle the same types of I/O requests as kernel-mode drivers and are installed by INF files, just as kernel-mode drivers are. The UMDF is designed to support protocol device classes such as cameras and portable music players. Moving drivers for such devices into user mode can simplify the drivers and improve the overall stability of the operating system.

This service is installed by default on Windows Vista and configured for a manual start. It can be installed on Windows XP by using the Windows Driver Development Kit.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Error Reporting Service (Error Reporting Service)

The error reporting service in Windows Server 2003 and Windows XP was updated for Windows Vista as part of the Windows Diagnostics Framework enhancements. While much of the operation is the same, there are enough differences that it is useful to describe them as two separate services.

Error Reporting Service on Windows Server 2003

The Windows Server 2003 Error Reporting Service collects, stores, and reports unexpected application errors or closures to Microsoft. It also authorizes error reporting for services and applications that run in non-standard environments. This service provides Microsoft product groups with efficient and effective information to debug driver and application faults.

You can configure error reporting to send Microsoft-specific error information and to generate reports for operating system errors, Windows component errors, or program errors. An operating system error causes the computer to display a Stop error. A program or component error causes the program or component to stop working.

If you have an Internet connection, you can report these errors directly to Microsoft. You can configure error reporting to respond to program errors in one of two ways: as soon as an error occurs, the Error Reporting dialog box can prompt any user to send the error to Microsoft, or the next time an administrator logs on, the Error Reporting dialog box can prompt the administrator to send the error report to Microsoft.

Windows treats operating system errors and unplanned shutdowns differently from the way it treats program errors. When operating system errors or unplanned shutdowns occur, Windows writes the error information to a log file. The next time an administrator logs on, the Error Reporting dialog box prompts the administrator to report the error. When you send an error report to Microsoft through the Internet, you provide technical information that can be used to enhance future versions of the product. This data is used for quality control purposes only and is not used to track individual users or installations for any marketing purpose. If information is available to help solve the problem, Windows displays an additional Error Reporting dialog box with a link to that information.

If the Error Reporting Service stops, error reporting does not occur. If the Display Error Notification setting is enabled in the Error Reporting dialog box, users will still see a message that indicates a problem occurred, but they will not have the option to report this information to Microsoft or a local network shared folder.

This service is installed and run by default on all editions of Windows Server 2003.

Windows Error Reporting Service on Windows Vista

The Windows Error Reporting Service on Windows Vista allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. It also allows logs to be generated for the Problem Reports and Solutions diagnostic and repair service. If this service is stopped, error reporting might not work correctly and the results of diagnostic services and repairs might not be displayed.

Windows Error Reporting in Windows Vista is a feature that allows Microsoft to track and address errors relating to the operating system, Windows features, and applications. Windows Error Reporting gives users the opportunity to send data about errors to Microsoft and to receive information about solutions. Solution information can include instructions for working around a problem, or a link to the Windows Update Web site or another Web site for updated drivers, patches, or Microsoft Knowledge Base articles. Microsoft developers can use Windows Error Reporting as a problem-solving tool to address customer problems in a timely manner and to improve the quality of Microsoft products.

Windows Error Reporting has the following "consent levels" that an administrator can configure to control how Windows Error Reporting sends data to Microsoft. These setting are configured in the Advanced settings dialog box of the Problem Reports and Solutions Control Panel. These settings can also be configured through Group Policy under either Computer Configuration or User Configuration in Administrative Templates\Windows Components\Windows Error Reporting\Consent.

• Ask each time a problem occurs. Windows Error Reporting always asks for the users consent before sending an error report to Microsoft.

• Automatically check for solutions (also known as "Send parameters"). Windows Error Reporting sends the minimum data required to check for an existing solution, for example, the application name and version, module name and version, and exception code. After sending this data, Windows Error Reporting prompts for consent before sending any additional data requested by Microsoft.

• Automatically check for solutions and send additional information, if needed (also known as "Send parameters and safe additional data"). Windows Error Reporting sends the minimum data required to check for an existing solution as well as data that the developer of the program has designated as being highly unlikely to contain personally identifiable information. Windows Error Reporting then prompts for consent before sending any additional data requested by Microsoft.

• Send all data (Group Policy setting only). This setting can only be configured through Group Policy, not through the Control Panel interface. Any data requested by Microsoft will be sent, without asking for consent.

User Account Control does affect how Windows Error Reporting works. A standard user does not have the same ability to report errors as an administrator does. If a prompt appears when a user who is logged on as an administrator, the user can choose to report application and operating system errors. If a prompt appears for a user who is not logged on as an administrator, the user can choose to report application errors plus errors for operating system software that does not require administrative credentials to run.

The administrator also has the option to specify a list of programs for which error reports should never be sent.

This service is installed by default on all versions of Windows Vista and the startup type is Automatic.

Windows Event Collector

The Windows Event Collector service manages persistent subscriptions to events from remote sources that support the WS-Management protocol. This includes Windows Vista event logs, hardware, and IPMI-enabled event sources. The service stores forwarded events in a local event log. If this service is stopped or disabled, event subscriptions cannot be created and forwarded events cannot be accepted.

The Event Collector service on the local computer uses the WS-Management protocol to send an event subscription request to a remote computer. The remote computer must be able to receive this information. This subscription request is passed to the Event Forwarder, which is a WS-Management plug-in. The plug-in then creates an event subscription on the remote computer based on the subscription request made by the local computer. Any events delivered to the remote computer are then sent to the Event Collector service on the local computer.

Event collection allows administrators to get events from remote computers and store them in a centralized place. The events are stored in the local event log of the collector computer and persisted in the local event log. The destination log path for the events is a property of the subscription. All data in the received event is saved in the collector computer event log (none of the information is lost). Additional information related to the event forwarding is also added to the event.

This service startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Firewall /Internet Connection Sharing

This service was previously called Internet Connection Sharing in Windows 2000 and Windows XP Service Pack 1. It was not included in the original release of Windows Server 2003.

The Windows Firewall/Internet Connection Sharing service provides network address translation (NAT), address and name resolution, and intrusion-prevention services for all computers on a home or small office network through a dial-up or broadband connection.

When this service is enabled, the computer becomes an "Internet gateway" on the network. It allows other client computers to share one connection to the Internet, share files, and use the same printers. This service has a location-specific Group Policy setting.

The Windows Firewall/Internet Connection Sharing service is a default service on Windows Server 2003 with SP1, but its startup type is Disabled.

If the Windows Firewall/Internet Connection Sharing service stops, network services such as Internet sharing, name resolution, address resolution, and/or intrusion prevention are unavailable. Clients on the network might not be able to access the Internet and their IP addresses will expire, which causes some clients to use Automatic Private IP Addressing (APIPA) for peer-to-peer network connectivity.

Available on:

Windows Server 2003 Standard Edition with SP1

Windows Server 2003 Enterprise Edition with SP1

Windows Server 2003 Datacenter Edition with SP1

Windows Server 2003 Web Edition with SP1

Windows Firewall

The Windows Firewall service helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.

Windows Vista and Windows Server 2008 include a new and enhanced version of Windows Firewall. Like the Windows Firewall in Windows XP with Service Pack 2 (SP2) and Windows Server 2003 with Service Pack 1 (SP1), the new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration and the applications that are currently running to provide a level of protection from malicious users and software on a network. The new Windows Firewall includes enhancements for better protection and more advanced configuration.

Windows Firewall in Windows Vista and Windows Server 2008 has the following enhancements over the Windows Firewall in Windows XP with SP2 and Windows Server 2003 with SP1:

• Supports filtering for both incoming and outgoing traffic

• New snap-in for user interface (UI) configuration

• Firewall filtering and IPsec protection settings are integrated

• Rules (exceptions) can be configured for Active Directory® Domain Services (AD DS) accounts and groups, source and destination IP addresses, IP number, source and destination Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, all or multiple TCP or UDP ports, specific types of interfaces, Internet Control Message Protocol (ICMP) and ICMP for IPv6 (ICMPv6) traffic by type and code, and for services.

This service is installed by default and the startup type is Automatic.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Image Acquisition (WIA)

The Windows Image Acquisition (WIA) service provides image acquisition services for scanners and cameras.

Windows Server 2003 supports still-image devices through this service, which uses the Windows Driver Model (WDM) architecture. The service provides robust communication between applications and image-capture devices, and allows you to capture images efficiently and transfer them to your computer to be edited and used. The service is needed to capture events that are generated by imaging devices.

The Windows Image Acquisition (WIA) service supports Small Computer System Interface (SCSI), IEEE 1394, USB, and serial digital still-image devices. Support for infrared, parallel, and serial still-image devices is provided by the existing infrared, parallel, and serial interfaces. Image scanners and digital cameras are examples of still-image devices. The service also supports Microsoft DirectShow®–based Webcams and digital video camcorders to capture frames from video.

The Windows Image Acquisition (WIA) service is installed and its startup type is Manual on Windows XP-based computers, and it is installed and disabled by default on Windows Server 2003-based computers. If the service stops, events from imaging devices are not captured and processed. The service will restart automatically at startup if there is a WIA device installed. Also, it restarts any time that a WIA-enabled application is started.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Windows Installer

The Windows Installer service manages the installation and removal of applications. It applies a set of centrally defined setup rules during the installation process that specify how applications are installed and configured. You can also use this service to modify, repair, or remove existing applications. The Windows Installer technology consists of the Windows Installer service for the Windows operating systems and the package (.msi) file format that contains application setup and installation information.

The Windows Installer service is not only an installation program, but it is also an extensible software management system. It manages the installation, addition, and deletion of software components, monitors file resiliency, and maintains basic disaster recovery by way of rollbacks. It also supports the installation and operation of software from multiple sources, and can be customized by developers who want to install custom applications.

By default, the Windows Installer service is installed and its startup type is Manual on both Windows Vista-based and Windows Server 2003-based computers. Applications that use the installer start the service. If this service stops, applications that use it cannot be installed, removed, repaired, or modified. Also, a number of applications use this service when they are active, and they might not be able to run.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Windows Internet Name Service (WINS)

The Windows Internet Name Service (WINS) enables NetBIOS name resolution. The presence of WINS servers is crucial to locate network resources that are identified by their NetBIOS names. WINS servers are required unless all domains have been upgraded to Active Directory, and all computers on the network run Windows 2000 Server or subsequent versions of the Windows operating system.

If you stop this service, the following changes in functionality occur:

• Windows NT 4.0 domains and domain controllers cannot be located.

• Windows 2000 or Windows Server 2003 Active Directory domains and domain controllers cannot be located from Windows NT 4.0 clients.

• NetBIOS name resolution fails, unless the device whose name must be resolved is on the same subnet as the device that attempts name resolution. The device must be configured to attempt NetBIOS name resolution through broadcasts.

The WINS service is present only on Windows Server 2003-based computers that have been configured to act in the WINS server role.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Windows Management Instrumentation

The Windows Management Instrumentation (WMI) service provides a common interface and object model to access management information about operating systems, devices, applications, and services. WMI is an infrastructure that provides the ability to build management applications and instrumentation.

The WMI infrastructure is a Windows operating system component that moves and stores information about managed objects. It is composed of two subcomponents: the Windows Management Instrumentation service and the WMI repository. The service acts as an intermediary between the providers, management applications, and the WMI repository, and places information from a provider into the WMI repository. The service also accesses the WMI repository in response to queries and instructions from management applications. Finally, the service can pass information directly between a provider and a management application. In contrast, the WMI repository acts as a storage area for information from the various providers.

The Windows Management Instrumentation service provides access to the management data through a number of interfaces, including COM API, scripts, and command-line interfaces. It is compatible with previous management interfaces and protocols, such as Simple Network Management Protocol (SNMP). The service installs and runs automatically on Windows Vista and Windows Server 2003-based computers. If the service stops, most Windows–based software cannot function properly.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Windows Management Instrumentation Driver Extensions

The Windows Management Instrumentation Driver Extensions service monitors all drivers and event trace providers that are configured to publish WMI or event trace information. By default, this service is installed on Windows Server 2003 and its startup type is Manual.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Windows Media Player Network Sharing Service

The Windows Media Player Network Sharing Service shares Windows Media Player libraries to other networked players and media devices by using the UPnP architecture. By default this service is installed on all versions of Windows Vista and its startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Media Services

Windows Media Services provides streaming media services over IP-based networks. These services replace the four separate services that comprised Windows Media Services versions 4.0 and 4.1:

• Windows Media Monitor service

• Windows Media Program service

• Windows Media Station service

• Windows Media Unicast service

Windows Media Services is now a single service that runs on Windows Server 2003. Its core components were developed with COM to create a flexible architecture that is easily customized for specific applications. It supports a greater variety of control protocols, including Real Time Streaming Protocol (RTSP), Microsoft Media Server (MMS) protocol, and HTTP.

The Windows Media Service platform is compliant with the following industry standards:

• WMI for server event notification and messaging

• SNMP for networking components

• XML, Synchronized Multimedia Integration Language (SMIL) 2.0, and the Document Object Model (DOM) for playlist implementation

• MPEG 1 and 2 for audio and video formats

Most streaming media scenarios use the core components that are installed with Windows Media Services. However, more advanced scenarios may require you to incorporate some custom programming and integration work. For more information about developing Windows Media applications, see the Windows Media Developer Center (https://go.microsoft.com/fwlink/?LinkId=119714).

Windows Media Services is an optional service that must be separately installed on Windows Server 2003-based computers. If this service stops or if you disable it, streaming media services might be unavailable.

Available on:

Windows Server 2003 Standard Edition

Windows Server 2003 Enterprise Edition

Windows Server 2003 Datacenter Edition

Windows Server 2003 Web Edition

Windows Modules Installer

The Windows Modules Installer enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, installation or removal of Windows updates might fail for this computer.

This service is installed by default on all versions of Windows Vista and its startup type is Manual.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows Presentation Foundation Font Cache 3.0.0.0

The Windows Presentation Foundation Font Cache 3.0.0.0 service optimizes performance of the Windows Presentation Foundation (WPF) application by caching commonly used font data. WPF applications start this service if it is not already running. It can be disabled but doing so degrades the performance of WPF applications.

WPF is supported by default in Windows Vista. It can be supported in Windows Server 2003 and Windows XP by installing Microsoft .NET Framework version 3.0.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Windows Remote Management (WS-Management)

The Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard Web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM Service needs to be configured with a listener by using the Winrm command-line tool or by using a Group Policy setting in order for it to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service does not depend on IIS but is preconfigured to share a port with IIS on the same computer. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any Web sites hosted on IIS do not use the /wsman URL prefix.

Windows Remote Management (WinRM) is one component of the Windows Hardware Management features introduced with Windows Server 2003 R2 that manage server hardware locally and remotely. These features include a service that implements the WS-Management protocol, hardware diagnosis and control through baseboard management controllers (BMCs), and a COM API and scripting objects that allow you to write applications that communicate remotely through the WS-Management protocol.

WinRM provides an efficient way for management applications and scripts to communicate with local and remote computers by using an encrypted channel. The Windows service that WinRM installs and uses is also named WinRM.

When a server is connected to a BMC that supports the WS-Management standard, applications and scripts can use WinRM to communicate directly with the BMC, even when the operating system is offline (pre-boot or post-failure).

When a server is not connected to a BMC, WinRM can still be used to connect to WMI remotely in situations where DCOM communication is impeded (for example, across a firewall). This is possible because the WS-Management standard uses a single port that is configurable by the system administrator.

WinRM exposes its own application programming interface (API) for scripting, which can be used by scripts written in any Windows Script Host-compatible language. The scripting API communicates with WMI by using syntax different from standard WMI scripts. WinRM syntax is documented in the WinRM Software Development Kit. Hardware Management uses a WMI plug-in to expose WMI classes to WinRM. To call these classes, the WMI namespace and class must be converted into a Uniform Resource Identifier (URI).

WS-Management is based on the following standard specifications:

• HTTPS

• SOAP over HTTP (WS-I profile)

• SOAP 1.2

• WS-Addressing

• WS-Transfer

• WS-Enumeration

• WS-Eventing

As a security measure, if you use WinRM for remote management you should configure the WinRM service to use the HTTPS protocol.

This service is installed by default with Windows Vista and its startup type is Manual.

Available on:

Windows Vista Home Basic	Windows Server 2003 R2
Windows Vista Home Premium
Windows Vista Enterprise
Windows Vista Ultimate

Windows Search

The Windows Search service supports the Instant Search feature in Windows Vista and provides content indexing and property caching for file, e-mail, and other content (by means of extensibility APIs). The service responds to file and e-mail notifications to index modified content. If the service is stopped or disabled, Windows Explorer cannot display virtual folder views of items, and search in Windows Explorer reverts to item-by-item search. Windows Search is a standard component of Windows Vista that is enabled by default and is an add-in for Windows XP.

The content indexed is based on the file and data types supported through add-ins included with Windows Search and the default inclusion and exclusion rules for folders in the file system. For example, the filters included in Windows Search support more than 200 common types of data including support for Microsoft Office documents, Outlook e-mail (in conjunction with the MAPI protocol handler), plain-text files, and HTML.

The main component of Windows Search is the indexer process, which is implemented as a Windows service running in the Local System account. The process is always running for all users (even if no user is logged on), enabling Windows Search to maintain one index shared among all users with security restrictions on content access and to process remote queries from client computers on the network.

The Windows Search service includes a number of features to ensure it protects the user experience and system performance when indexing. A number of conditions cause the service to throttle back or pause indexing:

• High CPU usage by non-search–related processes

• High system I/O rate including file reads and writes, page file and file cache I/O, and mapped file I/O

• Low memory availability

• Low battery life

• Low disk space on the drive storing the index

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Windows System Resource Manager

The Windows System Resource Manager (WSRM) service is an optional tool to help customers deploy applications into consolidation scenarios. It provides policy-based management of CPU and memory consumption of processes that run on a single instance of an operating system. Planned scenarios include multiple heterogeneous server applications, multiple Terminal Services users, multiple SQL Server instances, and multiple IIS V6 application pools, or Exchange and IIS V6 together on the same computer.

The primary option for CPU management is bandwidth targets, which are expressed as a percentage of CPU usage. To maintain targets, process priorities are dynamically monitored and adjusted. The WSRM service also provides affinity management, which is provided through per-process APIs for hard affinity.

Memory management options include working set limits and committed memory maximum applied on a per-process basis. Working set limits are defined in policy and applied by WSRM through a kernel API. Subsequently, the kernel memory manager will page the process as necessary to apply and maintain the limits on working set size. Committed memory is simply monitored against an upper limit. When the upper limit is exceeded, the process is ended or an event is logged—at the user's discretion.

Additional features include full calendar features to schedule desired policies, sophisticated pattern matching to identify processes at runtime, WSRM-specific counters, and a basic job accounting system.

The WSRM service is implemented as an option and runs on versions of the Windows operating system that were released after Windows 2000 Service Pack 3. The server components may be installed on Windows Server 2003 Datacenter Edition and Windows Server 2003 Enterprise Edition (plus the x64 versions of these editions). The WSRM client must be installed on each managed computer. For administration of the service, an MMC snap-in and command-line tools are provided. These client components may be installed and run on any Windows 2000, Windows XP Professional, or Windows Vista-based computer.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Windows Time

The Windows Time service maintains date and time synchronization on all computers on a Windows network. It uses the Network Time Protocol (NTP) to synchronize computer clocks so that an accurate clock value, or timestamp, can be assigned to network validation and resource access requests. The implementation of NTP and the integration of time providers make Windows Time a reliable and scalable time service for administrators. For computers that are not joined to a domain, you can configure the Windows Time service to synchronize time with an external time source. If this service is turned off, the time setting for local computers will not be synchronized with any time service in the Windows domain or external time service.

If the Windows Time service stops or if you disable it, date and time synchronization is unavailable in the forest or from an external NTP server. There are two possible scenarios:

• If you stop the Windows Time service on a workstation, the workstation cannot synchronize its time with another source but no other external server will be affected.

• If you stop the Windows Time service on a domain controller, the same effect as in the previous scenario applies but domain members are also unable to synchronize time with it. This inability to synchronize may adversely affect time synchronization in the organization.

By default, the Windows Time service is installed and started automatically on Windows Vista and Windows Server 2003-based computers.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Windows Update (Automatic Updates)

The Windows Update service enables the download and installation of security updates for Windows and Office. It automatically provides Windows computers with the latest updates, drivers, and enhancements. When an Internet connection is available, the operating system searches for applicable updates from the Windows Update service. Depending on the configuration settings, the service will notify the user before download, notify the user before installation, or automatically install the updates.

You can disable the Windows Update feature through the Control Panel.

You can also use the Group Policy Object Editor snap-in to configure an intranet server that is configured with Windows Server Update Services to host updates from the Microsoft Update sites. This setting lets you specify a server on your network to function as an internal update service. The Windows Updates client searches this service for updates that apply to the computers on your network.

If the Windows Update service stops or if you disable it, updates are not automatically downloaded to the computer automatically. You will need to search for, download, and install applicable fixes manually.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

WinHTTP Web Proxy Auto-Discovery Service

The WinHTTP Web Proxy Auto-Discovery Service implements the Web Proxy Auto-Discovery (WPAD) protocol for Windows HTTP Services (WinHTTP). WPAD is a protocol that enables an HTTP client to automatically discover a proxy configuration.

If the WinHTTP Web Proxy Auto-Discovery Service stops or if you disable it, the WPAD protocol runs within the HTTP client's process instead of an external service process and there would be no loss of functionality. This service is installed on Windows Server 2003-based and Windows Vista-based computers by default and its startup type is Manual.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Wired AutoConfig

The Wired AutoConfig service performs IEEE 802.1X authentication on Ethernet interfaces. The Wired Network (IEEE 802.3) Policies Group Policy and client-side extension is a new feature in Windows Server 2008. You can use the Wired Network (IEEE 802.3) Policies Group Policy and client-side extension to specify network settings for computers running Windows Vista and Windows Server 2008 that connect to an Ethernet network through an 802.1X-compatible switch in an Active Directory environment.

The new functionality in Wired Network (IEEE 802.3) Policies in Windows Server 2008 enables administrators to programmatically configure 802.1X-based connectivity and security settings on domain member computers running Windows Vista or Windows Server 2008.

Additionally, you can use Wired Network (IEEE 802.3) Policies to integrate client wired Ethernet connectivity and security settings with Network Access Protection (NAP) to restrict network access for clients that do not meet system health requirements.

Available on:

Windows Vista Home Basic

Windows Vista Home Premium

Windows Vista Enterprise

Windows Vista Ultimate

Wireless Configuration (WLAN Autoconfig)

The Wireless Configuration (WLAN Autoconfig) service enables automatic configuration for IEEE 802.11 wireless adapters for wireless communications. Microsoft has worked with 802.11 network adapter vendors to automate the network adapter configuration process, which associates the network adapter with an available network and improves the wireless roaming experience on Windows.

The wireless network adapter and its Network Driver Interface Specification (NDIS) driver need to do little more than provide support for a few new NDIS object identifiers (also known as OIDs) that are used to query and set device and driver behavior. The network adapter scans for available networks and passes the information to Windows. The Wireless Configuration service configures the network adapter for an available network. When two networks cover the same area, the user can configure a preferred network order and the computer will try each network in order until it finds an active one. It is also possible to limit association to only the configured, preferred networks.

The Wireless Configuration service installs and starts automatically on Windows Server 2003 (with the exception of Windows Server 2003 Web Edition, on which the startup type is Manual). On Windows Vista the service installs and its startup type is Manual. If this service stops, automatic wireless configuration is unavailable.

On Windows Server 2008 and Windows Vista the WLAN AutoConfig (WLANSVC) service enumerates wireless adapters, and manages both wireless connections and the wireless profiles that contain the settings required to configure a wireless client to connect to wireless networks. The WLAN AutoConfig System Services Group Policy settings in Windows Server 2008 enable administrators to specify the service startup type of the WLAN AutoConfig service for domain member computers running Windows Vista and Windows Server 2008 that have wireless network adapters and the associated Windows Vista adapter drivers installed.

WLAN AutoConfig Group Policy settings enable administrators to prevent domain member users from altering the startup mode of the WLAN AutoConfig service.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

WMI Performance Adapter

The WMI Performance Adapter service provides performance library information from WMI High Performance providers. Applications and services that need to provide performance counters today can do so in two ways: they can write a WMI High Performance provider or write a performance library. Consumers of high performance data also have two ways to request performance data: through WMI or through the Performance Data Helper (PDH) APIs. There are mechanisms in place that allow the two models to interact, so that clients that access counters through each model can still see the counters provided by the other model. The Reverse Adapter is one of those mechanisms.

The WMI Performance Adapter service transforms performance counters that are supplied by WMI High Performance providers into counters that can be consumed by PDH through the Reverse Adapter Performance Library. This approach provides PDH clients such as Sysmon with the ability to consume performance counters from any WMI High Performance providers on the computer.

Although it is installed by default on Windows Vista and Windows Server 2003, the WMI Performance Adapter service is a manual service; it does not run by default. It runs on demand when a performance client such as Sysmon uses PDH to query performance data. After the client disconnects, the service stops.

If the WMI Performance Adapter service stops, WMI performance counters are unavailable.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

Workstation

The Workstation service is installed and runs automatically on Windows Vista and Windows Server 2003. This service creates and maintains client network connections and communications. The Workstation service is a user-mode wrapper for the Microsoft Networks redirector. It loads and performs configuration functions for the redirector, supports network connections to remote servers, supports the WNet APIs, and provides redirector statistics.

If the Workstation service stops, clients cannot establish connections to remote servers or access files through named pipes. Clients and programs cannot access files and printers on other remote computers, but TCP/HTTP connectivity is not affected. Internet browsing and Web Client access will still work.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition

World Wide Web Publishing Service

The World Wide Web Publishing Service provides Web connectivity and administration of Web sites through the IIS snap-in. The service provides HTTP services for applications on the Windows platform and contains a process manager and a configuration manager. The process manager controls the processes in which custom applications and simple Web sites reside. The configuration manager reads the stored computer configuration and ensures that Windows is configured to route HTTP requests to the appropriate application pools or operating system processes.

This service can monitor the processes that contain custom applications and provide recycling services for these applications. Recycling is a configuration property of an application pool and can be done on the basis of memory limits, request limits, processing time, or time of day. The service queues HTTP requests if custom applications stop responding, and also attempts to restart custom applications.

This service is an optional component that may be installed on Windows Server 2003 or Windows Vista as part of the IIS package. If the World Wide Web Publishing Service stops, the Windows Server 2003 operating system cannot serve any form of Web request.

Available on:

Windows Vista Home Basic	Windows Server 2003 Standard Edition
Windows Vista Home Premium	Windows Server 2003 Enterprise Edition
Windows Vista Enterprise	Windows Server 2003 Datacenter Edition
Windows Vista Ultimate	Windows Server 2003 Web Edition