
Expandable list of Windows XP Services

XP Services listed

List of Services on my XP Pro 'sp4**' desktop computer

(and a few in the 'bundle kit' that I had to track down before deleting)


Please read my WARNINGS (previous page) about making 'Restore Points' before playing with Service settings.

DO NOT set 'Disable' on multiple services at once = instead you should 'stop' them one at a time first (& confirm everything is still running) before setting 'disable' on a few at a time and re-booting 'just in case' you disable something vital

AdobeUpdateManager | Alerter | Apple Software Update (commercial)
Application Layer Gateway | Application Management | ASPdotNET State Service
Automatic Updates | Background Intelligent Transfer Service | BingDesktop
Bluetooth Support Service | BOCORE (commercial) | Bonjour service
ClipBook | COM+ Event System | COM+ System Application
COMODO Internet Security Helper Service | Computer Browser | Creative Service for CDROM Access (commercial)
Cryptographic Services | DCOM Server Process Launcher | Dell Support Center Agent
DgiVecp service | DHCP Client | Digital Persona Update Check
Distributed Link Tracking Client | Distributed Transaction Coordinator | DNS Client
dotNET Runtime Optimization Service (v2 0 50727 (X86) | DVD Sentry | Error Reporting Service
Event Log | Extensible Authentication Protocol Service (XPsp3) | Fast User Switching Compatibility
FAX | FTP Publishing Service | guard32.dll
Health Key and Certificate Management Service (XPsp3) | Help and Support | HTTP SSL
Human Interface Device Access, HID Input Service | ICS Manager | ighfx (set of 3)
IIS Admin | IMAPI CD Burning COM Service | Indexing Service
Intel NCS NetService | IPSEC Services | Java Quick Starter
LoadQM.exe | Logical Disk Manager Administrative Service | Logical Disk Manager
Machine Debug Manager | Messenger | Microsoft Connection Manager Monitor
Microsoft Fax Service | modemmoh.dll | MS Software Shadow Copy Provider
MSN Queue Manager | nassvc.exe | Net Logon
Net.Tcp Port Sharing Service | NetMeeting Remote Desktop Sharing | NetWaiting
Network Access Protection Agent (XPsp3) | Network Connections | Network DDE DSDM
Network DDE | Network Location Awareness | Network Provisioning Service (xmlprov)
NT LM Security Support Provider | NVIDIA Display Driver Service (commercial) | NVSvc32.exe
Office Startup Application | Offline Files Service | Performance Logs and Alerts
Personal Web Server | Plug and Play | Portable Media Serial Number Service
Print Spooler | Protected Storage | QoS RSVP
Remote Access Auto Connection Manager (RasAuto) | Remote Access Connection Manager | Remote Desktop Help Session Manager
Remote Procedure Call (RPC) Locator | Remote Procedure Call (RPC) Service | Remote Registry
Removable Storage (Ntmssvc) | Routing and Remote Access | Secondary Logon
Security Accounts Manager | Security Center | Server
Shell Hardware Detection | SigmatelSysTrayApp (stsystra) | Simple Mail Transport Protocol
Smart Card [Smart Card Helper removed in XPsp2] | SNMP (SNMP Trap Service) | SSDP Discovery Service
System Event Notification (SENS) | System Restore Service | Task Scheduler
TCP IP NetBIOS Helper | Telephony | Telnet or TlntSvr (Win2k)
Teredo Tunneling Pseudo Interface | Terminal Services (XP) | Themes
Uninterruptible Power Supply | Universal Plug and Play Device Host | Volume Shadow Copy
WebClient | Windows Audio | Windows CardSpace
Windows Firewall (XPsp2) Internet Connection Firewall (XP) Sharing (w2k) (aka ICS) | Windows Image Acquisition (WIA) | Windows Installer
Windows Management Instrumentation Driver Extension | Windows Management Instrumentation | Windows Portable Device Shell Service Object (wpdshserviceob dll)
Windows Presentation Foundation Font Cache (n 0 0 0) | Windows Time Service | Windows Update
WinPatrol | Wired AutoConfig (XPsp3) | Wireless Zero Configuration
WLAN Transport (network protocol) | WMI Performance Adapter | Workstation

AdobeUpdateManager
The first of the useless commercial memory, CPU and Web 'hogs' that almost everyone has. It's installed with all Adobe products, including PDF Reader and performs 'automatic updates'. Unless you want to relearn the meaning of "If it ain't broke don't fix it" at regular intervals, Disable and be done with it

I suggest you switch to the free Foxit Reader or the Open Source Sumatra PDF Reader. Then you can uninstall Adobe's bloated PDF Reader (along with this annoying 'auto-updater')

** Only set Manual if you have an Adobe product (such as Photoshop) that you REALLY want to waste time going 'on-line' as soon as it's launched to look for updates (and automatically download any it finds). Of course, once 'started' the Service will keep running, even after you exit the application, until you next re-boot

NB. Flame (a precursor to Stuxnet) was spread via a MS Windows 'Update' - if MS Updates can be 'subverted', you can be sure Adobe updates are vulnerable

This note last modified: 1st Mar 2016 17:51.
DISABLE & remove
(Manual**)
DISABLE & remove
Manual not recommended**
AdobeLM Service

Alerter
Disabled by default, leave it there. Why does MS even provide this ? Well, in a corporate network, this Service 'listens' for messages that tell you your 'Print job' has finished or from the IT Admins who might warn you to reset your password (before it expires at the end of the month) or that they are shutting down the Server (so you can finish up & save your work before you get 'logged-off' and lose everything)

In the home, Alerter is only ever used by criminals and scammers to 'trigger' the display of the 'in your face' Message Box (from the Messenger Service) advertising dubious fake medical products or fake virus 'warnings' (trying to fool you into downloading & installing their virus / key-logger / root-kit / file hi-jacker / blackmail software)

This note last modified: 1st Mar 2016 17:51.
DISABLE (default)
Services.exe
Alerter (alrsvc.dll)

Apple Software Update (commercial)
A pointless and annoying 'update' Service that gets installed with 'QuickTime' (and other Apple 'products'). You will find it runs on your computer wasting resources and going off onto the web once a week looking for 'updates'. In the unlikely event it should find one, it then opens an 'in your face' pop-up asking you what you want to do with it.

Just delete QuickTime and get the Open Source Codec pack for QuickTime and use the Open Source VLC player to view your Apple DRM infected .m4v videos (or just rename/recode them .mp4 and forget Apple's attempts to control what you view)

This note last modified: 1st Mar 2016 17:51.
DISABLE (UNINSTALL)
 
SoftwareUpdate.exe

Application Layer Gateway
"Provides support for plug-ins that allow network protocols to pass through the firewall and work behind Internet Connection Sharing. ALG plug-ins can open ports and change data that is embedded in packets, such as ports and IP addresses." In other words, it's a 'backdoor' provided by MS to allow a virus / keylogger / root kit to 'phone home' without you knowing. Used by MSIE and anything that connects to the internet using Microsoft's Internet Connection Sharing (ICS) (including  Windows Messenger and MSN Messenger) or the MS Internet Connection Firewall. Windows Firewall & ICS only needed this Service PRIOR TO XP Service Pack 2.

** Unfortunately, it appears to be needed by some 3rd party Firewalls. If yours is one such, setting it to Manual at least ensures that it won't start running until your Firewall is ready to protect you

This note last modified: 1st Mar 2016 17:51.
DISABLE**
alg.exe
alg

Application Management
Required by 'Add / Remove Programs' .. however it also supports (listens for) remote installation of software by the Corporate Admins. In a home environment it allows the remote installation of back-doors, key loggers and viruses from the Internet

When installing software from the web yourself, always copy the installer to your local hard disk first. That way, you can be sure your anti-virus software gets a good look at it before it starts trashing your system

** Once you have everything you need on your computer, by all means set this Service to 'disable'

This note last modified: 1st Mar 2016 17:51.
MANUAL (DISABLE**)
Services / svchost.exe
appmgt

ASP.NET State Service
"Provides support for out-of-process session states for ASP.NET". ASP is Microsoft's 'Active Server Pages' (a proprietary form of PHP) and you should only see this Service if you have installed a local Web Server (for example, to test your 'active' web pages before uploading them to your Hosting service).

** If you are testing .asp web pages, set Manual. If your pages are .php based, and this Service appears, go find the '.asp support' option in your clever local web server and turn it off.

This note last modified: 1st Mar 2016 17:51.
DISABLE / MANUAL**
aspnet_state.exe
Aspnet_state

Automatic Updates
Used to automatically download and install bug fixes and security patches from Microsoft's web site. In other words, it has the power to install web downloads into the Operating System core - and do so without asking or informing you. MS says that Windows Update (Version 6) requires Automatic Updates (of course), Background Intelligent Transfer Service (maybe), COM+ Event System (not true), Cryptographic Services and the Event Log

Support for Windows XP ended on April 8, 2014, so you can now Disable this Service without problems. Note that it was always possible to run Updates manually without enabling these dangerous 'Services' so you really need to find the .exe files and remove them

This note last modified: 1st Mar 2016 17:51.
DISABLE
svchost.exe -k wugroup
wuauserv

Background Intelligent Transfer Service
This Service was used by MS Updates to continue downloading an update over a power-cycle. Reported to be needed for MSN Explorer, Windows Messenger, Windows Media Player & (some ?) .NET functions.

**It may also help if your ISP keeps dropping your Internet connection, so start by setting it to Manual and waiting. If, after a few months, it's still not started, it can be set to Disable

This note last modified: 1st Mar 2016 17:51.
DISABLE**
svchost.exe -k BITSgroup
BITS

BingDesktop
An 'optional' search bar for MSIE that has been automatically installed via MS Updates since Apr 2012. Among other things it is designed to 'fetch' nice new 'desktop wallpaper' on a daily basis.

Just because you don't use MSIE don't assume this 'service' isn't running. Since it's another 'background' service fetching who knows what and 'installing' it without your knowledge or consent I suggest you just DELETE everything 'BING' (and you will have one less 'virus vector')

This note last modified: 1st Mar 2016 17:51.
REMOVE
Bingdesktop.exe
 

Bluetooth Support Service
Only exists on a laptop with 'Bluetooth'. This was a popular way for Mobile phones and other devices to 'auto-connect' to your laptop (and then fail to communicate) all 'in the background' without you 'ever needing to know'. Whilst most vendors quickly dropped Bluetooth (and went over to something a bit more reliable, such as a USB cable) hackers had a field day - especially after MS introduced 'Personal Area Networking' (PAN) in sp2 for Bluetooth. So unless you REALLY need another resource hog 'listening' for some hacker's attempts to access your hard drive (from over a mile away) & copy your Banking details etc, just uninstall Bluetooth 'support', turn off Bluetooth in the BIOS and (hopefully) this dangerous Service will just go away. If, however, you have a USB Bluetooth 'dongle', to stop XP re-installing its own driver every time you plug it in, you will have to track down and delete Bth.inf and Bth.pnf (in the C:\Windows\Inf folder)

** Unfortunately, MS often assumes you will never uninstall any of their 'wonderful services', so in many cases removing the 'usage' (i.e. Device driver) still leaves the Service running. If that happens you will have to manually track down the components, 'de-register' the DLL's and manually delete them (after turning off 'System Restore', of course)

NB. Wireless mice / keyboards all come with their own (USB) 'dongle' and their own drivers which will not need this 'service'. If you need to use your laptop's Bluetooth capability, go get the manufacturer's own drivers ...

This note last modified: 1st Mar 2016 17:51.
DISABLE (UNINSTALL**)
svchost.exe -k bthsvcs
Bthsvcs

BOCORE (commercial)
The 'real time' service for COMODO BOClean - Anti-Malware software (which also monitors for root-kit viruses and malware). If you have 'real time' turned off, this service should not be running.

Free for personal use, better than ZoneAlarm (fewer 'in your face' adverts and doesn't hang at start-up)

This note last modified: 1st Mar 2016 17:51.
AUTOMATIC
BOCORE.exe
BOCORE

Bonjour service
The Apple 'IP-less Print Server' service (allowing connection to RNDIS devices, such as the Raspberry Pi in Gadget mode) when you don't know the IP address.

WARNING uses UDP port 5353 which it opens on the MS Firewall (so make sure that's blocked at your router firewall, or you will be saying 'Bonjour le monde' (come and hack me))


This note last modified: 5th Aug 2016 15:26.
AUTO (DISABLE)
Services / mDNSResponder.exe

ClipBook
Disabled by default, leave it there. Allows data on your 'ClipBook' to be shared with other PC's across a network !

In a home system it's simply another way for a hacker to send or retrieve data from your PC (note that Clipbrd.exe can still be used to view the contents of the local Clipboard (ctrl+c / right-click copy) even with this Service disabled)

This note last modified: 1st Mar 2016 17:51.
DISABLE (default)
Clipsrv.exe
Clipsrv

COM+ Event System
COM+ is an obsolete Microsoft standard designed to support 'distributed data processes'. The only 'current' application known to actually require it is MS Visual Studio 6 Enterprise Edition. Note, however, that many Services (such as Automatic Updates) 'report' to COM+, so if set to 'Manual' it will always start anyway.

** When set to DISABLE, services (such as DCOM) trying to 'report' to COM+ will 'complain' by writing 'errors' into the Event Viewer log file. NB Automatic Updates would still run with this useless service disabled (even if Microsoft thinks otherwise)

This note last modified: 1st Mar 2016 17:51.
DISABLE**
svchost.exe -k netsvcs
EventSystem

COM+ System Application
see above (and ignore the complaints from DCOM in the Event Log on each reboot)



This note last modified: 1st Mar 2016 17:51.
DISABLE
dllhost.exe
COMSysApp

COMODO Internet Security Helper Service
GUI part of the COMODO Firewall



This note last modified: 1st Mar 2016 17:51.
AUTOMATIC
cmdagent.exe / cfp.exe
cmdAgent

Computer Browser
"Maintains an updated list of computers on the network and supplies this list to computers designated as browsers" - yeah, right, in other words it lays out your entire local network to the first script kiddie who cares to look, as well as helping a virus to spread to other computers. It may be useful in a (Corporate) DOMAIN but is rather irrelevant in a home WORKGROUP based network

Yes, it says 'browser', no it has nothing to do with MSIE or the Internet, nor does it stop you 'mapping' to a network drive

This note last modified: 1st Mar 2016 17:51.
DISABLE
Services.exe
Browser

Creative Service for CDROM Access (commercial)
This service is added during installation of Creative's Disc Detector, which itself is installed as part of Creative PlayCenter for Live! & Audigy Sound-cards & some motherboard sound chips. The ONLY reason why any 'service' would want to monitor your CD / DVD access is to impose restrictions (or DRM) - in this case it's to force you to play your Audio CD's using Creative's software. Don't let it.

** Creative's Disc Detector has to be turned off in Creative PlayCenter before the Service can be disabled & removed

This note last modified: 1st Mar 2016 17:51.
DISABLE**
services.exe
ctsvccda

Cryptographic Services
Confirms the 'signatures' of Windows files (including drivers), so required by MS Updates

** You can set Manual if you only ever Update manually, however one of its more annoying features is that when set to Manual it fails to 'start on demand' when needed at boot time. Since it maintains the list of the 'unsigned drivers' you OK'd to install, if you set it to Manual you will get 'Warning - Unsigned Driver' pop-ups every time you re-boot

This note last modified: 1st Mar 2016 17:51.
AUTOMATIC / MANUAL**
svchost.exe
CryptSvc

DCOM Server Process Launcher
This is the Service that launches Services.

You have to leave it on Automatic because nothing else will run without it !


This note last modified: 1st Mar 2016 17:52.
AUTOMATIC
svchost.exe
DcomLaunch

Dell Support Center Agent
Dell's 'Support centre', along with every other Dell 'service' is just a pointless time waster at power-on & sometimes even crashes Windows. Go to Add/Remove Programs and 'remove' all the Dell Support, Help and Monitoring software along with this rubbish and, with a bit of luck, all the other useless "Dell xxx" services (which I can't be bothered to list) will all 'go away' (and stop shoving 'you need to buy more ink (for the mega-overpriced Dell printer you got rid of last year)' pop-ups in your face)

No, Dell is NEVER going to 'ring you up' and advise you how to 'fix' your PC when it 'crashes' (although some criminal scam merchant might).

This note last modified: 1st Mar 2016 17:52.
DISABLE & REMOVE
 
DSCA.exe

DgiVecp
When checking my System Log (Admin Tools, Event Viewer) I discovered an 'Error: DgiVecp service failed to start - file missing' report had appeared every time I rebooted. A quick check using Google suggested it had been 'installed' with my Samsung laser printer driver, so it was off to Regedit and a quick look in 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'. Yes = there it was, with an 'Image Path' set to 'C:\WINDOWS\system32\Drivers\DgiVecp.sys' = and, indeed, no such file exists, so plainly it's not needed for actual printing. Anyway, I changed the 'Start' setting from '2' (automatic) to '4' (disabled) and that stopped it :-)

There is a temptation to delete unwanted Registry entries, however this is a typical case of software that 'repairs itself'. Every time I printed, the actual Samsung printer driver would add this entry back into the Registry ! The only way to put a 'stop' to it, is to leave the entry intact but tell Windows not to run it

This note last modified: 28th Mar 2016 07:44.
Set Start=4 (disable)
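
The 'Start' values described above ('2' automatic, '4' disabled) can be checked for many services at once from a Regedit export of the Services key. The following is an added example, not part of the original page: the RECOMMENDED table (built from this page's unqualified DISABLE / AUTOMATIC entries), the function names and the sample export are constructed for illustration.

```python
import re

# Meaning of the REG_DWORD "Start" value under
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<name>
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Hypothetical baseline: short names and settings copied from entries on this
# page that give a single, unqualified recommendation.
RECOMMENDED = {
    "Alerter": 4, "wuauserv": 4, "Clipsrv": 4, "COMSysApp": 4, "Browser": 4,
    "TrkWks": 4, "msdtc": 4, "Ersvc": 4, "HTTPFilter": 4, "helpsvc": 4,
    "DgiVecp": 4, "DcomLaunch": 2, "Eventlog": 2,
}

SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.IGNORECASE)


def parse_start_values(reg_text):
    """Return {lower-cased service name: Start value} from .reg export text.

    Only the service's own key is read; a "Start" value sitting in a subkey
    (Parameters, Enum, ...) is ignored.
    """
    starts = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current = None
            if key.lower().startswith(SERVICES_KEY.lower()):
                rest = key[len(SERVICES_KEY):]
                if rest and "\\" not in rest:
                    current = rest.lower()
            continue
        if current is not None:
            start_match = _START_RE.match(line)
            if start_match:
                starts[current] = int(start_match.group(1), 16)
    return starts


def audit(reg_text, recommended=RECOMMENDED):
    """List (service, current setting, recommended setting) for every mismatch.

    Services missing from the export (not installed) are skipped.
    """
    starts = parse_start_values(reg_text)
    findings = []
    for name in sorted(recommended, key=str.lower):
        have = starts.get(name.lower())
        want = recommended[name]
        if have is not None and have != want:
            findings.append((name, START_TYPES.get(have, str(have)), START_TYPES[want]))
    return findings


# Constructed sample export (not taken from a real machine). A real export from
# Regedit is UTF-16 text: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]
"MaintainServerList"="Auto"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DgiVecp]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Constructed]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000003
"""

if __name__ == "__main__":
    for name, have, want in audit(SAMPLE_EXPORT):
        print(f"{name}: currently {have}, page recommends {want}")
```

Re-running the check on a fresh export after installing drivers or updates shows whether any of these settings has been put back.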

DHCP Client
Automatically fetches the computer's IP address, Default gateway & DNS addresses (using DHCP) from the Router. The DHCP (client) Service starts the NetBT driver, and the NetBT driver holds open port 445 (a well known hacker 'hole')

** On XP (unless using dial-up) you can disable DHCP if you set the TCP/IP Properties (IP Address, Subnet mask, Default gateway, and DNS servers***) manually. You will almost certainly want to do this for your own home Server.

*** You can use the Google 'public' DNS Servers (8.8.8.8 and 8.8.4.4) as your default - they will almost certainly be faster than anything your ISP is offering but this has the disadvantage that it will also allow Google to 'profile' your browsing habits and 'tailor' your 'browsing experience' (i.e. shovel even more adverts and fake search results in your direction)

On XP using dial-up, DNS resolution does not work when the DHCP Client service is set to Manual/Disable and Windows 2000 refuses to resolve domain names at all (even if not on dial up)

This note last modified: 1st Mar 2016 17:52.
AUTOMATIC / (DISABLE**)
svchost.exe
Dhcp

Digital Persona Update Check
May be seen in Task Manager, Processes tab, but does not appear in either 'Services' or 'Startups'. Apparently, it's for a FINGERPRINT reader associated with the MS IntelliType keyboard/mouse & periodically checks the web for updates. It does not 'need' to be running for your MS Keyboard/Mouse to work but you can't actually delete it. The only way to stop it is as follows :-

a) In Control Panel, Administrative Tools, open Local Security Policy
b) In Software Security Policies, right-click Additional Rules & choose New Path Rule.
c) BROWSE to C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe.
d) Set the Security Level to Disallowed.
e) Click OK, Close "Local Security Policy" & Reboot your PC


The above prevents DPUPDCHK.EXE from starting but allows MS IntelliPoint mouse / KB: to function without problem

NB. Isn't it thoughtful of Microsoft to provide an example of how to create a service that can't be found, can't be stopped and can't be removed by the average computer user ? I bet the virus writers / key-loggers / root-kit criminals wet themselves when they discovered this trick ...

This note last modified: 1st Mar 2016 17:52.
(special = see description & notes)
 
Dpupdchk.exe

Distributed Link Tracking Client
Only useful in a DOMAIN (required by Message Queuing)

If you create a 'link' (i.e. a 'shortcut') to a file (or folder) on ANOTHER computer, and then you (or some-one else) sits down at that PC and MOVES the file/folder, this Service, which is 'listening' for any such move, will then 'update' the 'shortcut' on your PC. If you never do this (and not a lot of people do) then this Service is just a waste of resources (as well as 'listening' on TCP Port 135 which it holds 'open' for hackers)

This note last modified: 1st Mar 2016 17:52.
DISABLE
Services.exe / svchost.exe
TrkWks

Distributed Transaction Coordinator
Only used on a DOMAIN (with clustered installations of Microsoft Exchange / SQL Server)

Similar to above, but now if some OTHER PC creates a shortcut to a file or folder on YOUR PC, when you move the file/folder on your PC, this Service 'tells' the other PC where it's gone to (and that PC then updates its own shortcut)

This note last modified: 1st Mar 2016 17:52.
DISABLE
MSDTC.exe
msdtc

DNS Client
"Resolves and caches Domain Name System (DNS) names for this computer". What this MEANS is, maintains a 'list' of URL's that any virus or 'phishing' attack can use to 'override' a REAL web site address (by placing fake ones in your local DNS list), thereby directing you to the 'spoof' web site (this is a well known technique called 'cache poisoning'). DNS Client is ACTUALLY only needed in a DOMAIN, so your PC can locate the local Active Directory domain controllers, which then allows you to Log-in to the Domain & access the real DNS Servers - however in a home WORKGROUP it is just another open invitation to criminals & hackers

** When you Disable this Service, your PC will always have to 'ask' your Router to do a DNS lookup (some Routers also act as DNS 'caches' - others will always have to go onto the web and ask a real DNS Server for the real address) of each web site you want to visit. Plainly it's a lot harder for criminals to place 'fake' addresses on your ISP's DNS Servers :-). To maintain a fast response, I use Google's public DNS Servers (8.8.8.8 and 8.8.4.4)

If you get a 'DNS Resolver Failed To Flush The Cache' error message when using the 'network repair' function, cycle (Start & then Stop) this Service ..

I highly recommend using the MVPS unwanted HOSTS list and/or the Peer Block 'black lists' which will block you from ending up in all sorts of unwanted crap when browsing the Internet (these lists even work with MSIE !)

This note last modified: 1st Mar 2016 17:52.
DISABLE**
svchost.exe
Dnscache

.NET Runtime Optimization Service v2.0.50727_X86
"Microsoft .NET Framework NGEN" (whatever that is) appeared after a .NET update

I set all 'new' Services appearing after MS Updates to 'DISABLE' and wait for something to fail - so far nothing has

This note last modified: 1st Mar 2016 17:52.
DISABLE
service name
mscorsvw.exe

DVD Sentry
Not everything Dell is named 'Dell ..' - this is Dell's version of 'auto-run' and is aimed at controlling all access to your DVD drive (and, no doubt, imposing Dell's interpretation of DRM). It is slightly better than the Microsoft 'auto-run', since it actually asks you what you want to do (a bit like the annoying 'MS Office Dog'), so I think it must be aimed at Americans (who plainly don't have a clue what to do after inserting a DVD). In theory, when you un-install Dell 'support' all this rubbish should also disappear

Remember - ANY software that 'monitors' your CD / DVD drive can IMPOSE ACCESS RESTRICTIONS (DRM)

This note last modified: 1st Mar 2016 17:52.
DISABLE & remove
 
Dsentry.exe

Error Reporting Service
After a program fails, sends a memory image ('crash dump') to Microsoft. It's set to Automatic by default, you should set it to Disable. There is no point in wasting your time (or bandwidth) sending giga-bytes of pointless memory 'dumps' to Microsoft (or anyone else) when an application crashes. For sure, no-one is ever going to fix whatever the problem was

No doubt some key-loggers would find this an excellent way to 'send home' a regular 'dump' of your more interesting activity (bank account names, credit card numbers and passwords etc)

This note last modified: 1st Mar 2016 17:52.
DISABLE
Services.exe
Ersvc

Event Log
Keeps a list of 'errors' and 'warnings' (of the 'service failed to start' type) that can help you diagnose problems (especially if you notice lots of disk access / transfer errors).

Required for Automatic Updates. Used by Simple Mail Transfer Protocol (SMTP), SNMP Service, SNMP Trap Service, Windows Management Instrumentation, IPv6 Helper Service, Security Center & Windows Firewall/Internet Connection Sharing

If you disable Event Log but not Windows Management Instrumentation, you will experience extended boot times as WMI 'times out' waiting for the Log to start

This note last modified: 1st Mar 2016 17:52.
AUTOMATIC
Services.exe
Eventlog

Extensible Authentication Protocol Service (XPsp3)
EAP allows a Windows 'Client' computer, with a fingerprint scanner or similar, to authenticate itself to a corporate Domain Server. Unless you are running in a Domain, this is just a total waste of resources and yet another hacker 'hole' (however it is required by the Wired AutoConfig (XPsp3) Service (see below))

** It's possible that some fancy (wired in) 'PIN key pad' issued by your Bank could require EAP (hopefully not, since I have no doubt that this Service is as 'leaky' as all the others)

This note last modified: 1st Mar 2016 17:52.
DISABLE / MANUAL**
eapsvcs
EAPSVC.DLL

Fast User Switching Compatibility
When this service is used to 'switch user' (account) your applications are 'suspended' and your files remain 'open' ! It also 'preserves' your 'system state' using up valuable RAM memory. Some-one else can then log-in, crash your PC and corrupt all your open files.

Disable it now, so you have to log-out 'properly', and safely close all your files, before some-one else can use your PC

After your kids and their visiting 'friends' have finished loading your computer with unwanted games, viruses, root kits and key loggers, used it as a 'torrent'/iPlayer/4OD server and 'trashed' all your work files, photo's and music, you will learn why it's cheaper to buy the kids their own computers rather than to let 'some-one else' use yours :-)

This note last modified: 1st Mar 2016 17:52.
DISABLE
svchost.exe
FastUserSwitching Compatibility

FAX
Not installed with Windows 'retail' by default, but often is with OEM installs (Dell). If you don't have a Fax machine, I suggest you remove it totally



This note last modified: 1st Mar 2016 17:52.
REMOVE (not installed by default)
faxsvc.exe
Fax

FTP Publishing Service
Available on the XP System CD, this allows your computer to act as a 'FTP server' on your home network. Whilst you may wish to have your own Home Server provide such a service (eg for Clonezilla), it is highly unlikely you will ever find a need to run this on your own computer

For those wishing to setup an FTP Server, there are better implementations of FTP such as the Open Source FileZilla. MS FTP provides basic ('DOS' level) file transfer functions, similar to Windows 'Mapped drives', that can operate across the internet without passwords - those wishing to use FTP across the Internet should use the secure SFTP implementation instead

SFTP (Secure FTP) is the standard method used by web site authors to 'upload' their web pages across the internet to the web site 'hosting' service. SFTP does not use MS FTP services

This note last modified: 1st Mar 2016 17:52.
REMOVE (not installed by default)
MSFTPSVC
 

guard32.dll
Part of the COMODO firewall, found in \WINDOWS\system32\

This note last modified: 1st Mar 2016 17:52.
{leave alone}
guard32.dll
 

Health Key and Certificate Management Service (XPsp3)
MS says "Manages health certificates and keys (used by NAP)", whatever that means (NAP is Network Access Protection). Since I've no idea what it does, I have disabled it. I'm waiting for something to 'break' (so far, nothing has)

Update: APPARENTLY this has something to do with managing Licence 'keys' for 'volume license users' (i.e. OEM's and Corporates) operating in a DOMAIN - so, as suspected, of no use what-so-ever in a home Workgroup

This note last modified: 1st Mar 2016 17:52.
DISABLE
hkmsvc
KMSVC.DLL

Help and Support
WARNING This Service allows a remote user to take control over your PC !
Required by the "Program Compatibility Wizard" and the "System Information" system tools.
The day XP was launched, the Help and Support Centre incorporated a "self healing" function. This could be exploited by a malicious web page which, when visited, could automatically 'heal' any file in any folder on your computer by replacing it with anything (or nothing). Whilst this particular vulnerability was fixed after a year (in sp1, Sept 2002, after XP's launch in Aug 2001) this should have been enough to tell you what an unbelievably dangerous piece of badly coded garbage the innocent sounding 'Help & Support' really is

Getting you to enable 'remote access' via this service is fundamental to the telephone fraudsters who claim they are 'calling from Microsoft' and that 'you have a virus'. They will inevitably download a fake 'anti-virus' package containing a Root Kit and a Key Logger. Their fake AV software will then take over your PC & gain System level access to all your files, all the account names & passwords stored in MSIE and your eMail Address Book etc. etc.

If any more proof of the dangers of this Service is required, consider that if you ever use Help and Support, it will place itself back into "Automatic" mode and start up, even if you have set the Service to Disabled ! This makes it very hard to permanently 'disable', so, once again, the best approach is to never install it in the first place (i.e. use nLite to make a 'custom' Windows install CD). Alternatively, you can pull the same trick here as with 'Digital Persona Update Check' (track down helpsvc.exe and set its security level to 'run=disabled')

Whilst deleting the .exe is safe, be careful not to remove the help DLL's. MS Updates uses at least one of the DLL's to update help files whilst installing updates at power-down. If you remove the 'needed' DLL, your PC can become 'stuck' at power-off in an infinite loop of 'Do not turn off ... Installing updates ...' (of course this can happen anyway if updates 'go wrong')

This note last modified: 1st Mar 2016 17:52.
DISABLE (block)
svchost.exe
helpsvc

[top]

HTTP SSL

HTTP SSL
MS implies this Service is required for HTTPS i.e. secure web browsing. That is not so, not even for MSIE (and for sure no proper web browser would ever rely on Microsoft code for anything 'secure' anyway)

It is, however, required by Windows Media Player (for on-line 'sharing') and by the WebDAV API = so yet another reason to avoid WMP

This note last modified: 1st Mar 2016 17:52.
DISABLE
svchost.exe
HTTPFilter

[top]

Human Interface Device Access, HID Input Service

Human Interface Device Access, HID Input Service
One more waste of resources, needed only to support a remote initiated 'scan' button (or FAX button) or the 'remote controls' on a (non-standard) USB Keyboard or some 'other multi-media device' (whatever that may be).

** Some laptops have additional keys (eg for controlling DVD playback). If HID is found on 'automatic', 'Stop' it and check that these keys still function before setting 'disable' = most often the additional keys will be handled by the laptop manufacturer's own drivers and not use HID at all

Those with motherboard integrated graphics from Intel will discover they have another 'hot key' Service "hkcmd.exe". This can be disabled via Control Panel, Intel Graphics (name varies), locate the 'Hot Keys' tab and deselect the 'Enable Hot Keys' option (the Service will be stopped on next reboot). See also NVIDIA Display Driver Service

This note last modified: 1st Mar 2016 17:52.
DISABLE**
Svchost.exe (& hkcmd.exe)
HidServ

[top]

ICS Manager

ICS Manager
Automatic if you are on an 'ICS network' i.e. linked to a computer 'sharing' its network connection (for example, a 3G mobile phone SIM card) using Microsoft ICS. If all your computers reach the Internet using 'standard' Ethernet TCP/IP (via a Gateway), you should remove Internet Connection Sharing (ICS) from the Network icon in your Control Panel as its presence can often cause (sometimes serious) conflicts or unnecessary complications when you are trying to configure the network components on your PC.

If your fancy laptop has both WiFi and 3G SIM card support, and you can't get WiFi to work, it's likely to be ICS (or, more likely, its 3rd party equivalent). Unless you have an 'unlimited data' monthly 3G contract (or can afford the £1,000 bills you will get for 'browsing' the net using 3G) just un-install all the SIM support crap (including ICS)

This note last modified: 29th May 2018 14:36.
(REMOVE) / AUTOMATIC
service name
ICSMGR.exe

[top]

ighfx (set of 3)

ighfx (set of 3)
igfxtray.exe is a process which allows you to access the Intel Graphics config. & diagnostic app. for the Intel 810 series graphics chip-set via a desktop 'tray' icon. You can still make adjustments (via Control Panel) without this process needing to run all the time, so just stop it

igfxtray.exe itself is not dangerous, however a root-kit of the same name exists, as does a worm named igfxTray.exe

This note last modified: 1st Mar 2016 17:52.
REMOVE
igfxtray.exe
 

[top]

IIS Admin

IIS Admin
NEVER install IIS .. it's one of the LEAST SECURE of all MS applications !!

If you need to run a Web Server (or FTP server) on your home computer / network to test your web pages before uploading them to your hosting site (which, 9 times out of 10, will be Apache/PHP and NOT MS/ASP**), go find something Open Source, such as a local PHP/Apache web server (which will let you test your pages LOCALLY and not go off and offer the whole world access to your computer)

Few ISP's 'allow' you to run your own Web Server out onto the Internet (even if your ADSL 'upload' speed could support more than a couple of users, the 'Fair Use' clause is likely to be invoked and your 'web server' blocked). If you really want to run your own Web Site, ask your ISP about Hosting

**Starting with SP2, Microsoft added a new 'user' account to your PC. This is for developers of ASP.NET scripts running under IIS. The existence of this account - 'ASP.NET Machine Account' (or the 'aspnet_wp' account) - can result in USB device 'recognition' delays of up to 5 minutes ! You should delete this account - using the Computer Management (Control Panel, Administrative Tools) tool (it's found in 'Users') - as a security precaution anyway (unless, of course, you are a developer of ASP.NET scripts ..).

Of course Windows also maintains a list of every USB device you ever used so it can 'find the drivers faster'. After a few years you will have hundreds of devices in this list (which also slows down USB 'recognition').

This note last modified: 6th Mar 2016 19:25.
REMOVE (not installed by default)
inetinfo.exe
IISADMIN

[top]

IMAPI CD Burning COM Service

IMAPI CD-Burning COM Service
This allows Windows to control CD/DVD 'burning'. Since Windows XP is 'infected' with DRM (Digital Rights Management) you DO NOT want it controlling access to your CD/DVD drive !!

Whilst some 'commercial' CD/DVD burning software may make use of this service, you can be 100% sure that no Open Source software (such as ImgBurn) will do so

This note last modified: 1st Mar 2016 17:52.
DISABLE
imapi.exe
ImapiService

[top]

Indexing Service

Indexing Service
This is an utter waste of time & resources and always seems to run (& 'lock up' your computer) just when you want to do something - Indexing Service also 'checks' the contents of any network 'share' you map at regular intervals, thereby ensuring your server can never 'go to sleep'.

Whilst 'Start / Search' might take a little longer to find what you are looking for, at least your PC no longer locks up (and you can get on with something else whilst it's searching)

If you 'uninstall' the "Indexing Service" (in the 'Add or Remove Programs' window, click the 'Add/Remove Windows Components' icon to get the Windows Components Wizard window), whilst the Control Panel 'applet' icon will be removed, even after re-booting, the Indexing Service (cisvc.exe) itself can still be found in Control Panel / Admin tools / Services. So make sure you DISABLE the Service, even if you intend to 'uninstall' its Control Panel icon

NOTE - If Indexing Service was ever allowed to run on your PC, after it's been Stopped, you may wish to delete the index files (*.idx, *.idq, *.ida, and *.htx) left behind. This will save space and improve security (since, of course, these are lists of every file (by name) that existed on the PC and any 'mapped drive' you were connected to at that time)

This note last modified: 1st Mar 2016 17:52.
DISABLE (can't remove)
cisvc.exe
cisvc

[top]

Intel NCS NetService

Intel NCS NetService
Part of the 'full' 31Mb Intel PROSet NIC package (rather than the 1.6Mb NIC Driver set, pro2kxpm.exe). Its exact function is 'unknown' since no one can tell the difference between a system with this or one with the 'basic' network driver only.

It should be in \Program Files\Intel\PROset\Wired\NCS\Sync\.
If found elsewhere (especially \system or \system32) it's part of a virus/worm/key logger etc.

This note last modified: 1st Mar 2016 17:52.
DISABLE / remove
NetSvc.exe
 

[top]

IPSEC Services

IPSEC Services
This Service 'manages' the Internet Key Exchange (IKE) and 'encrypts' data when linking (via 'VPN') to a remote corporate network DOMAIN. It also holds open Port 500 (so no doubt it also provides the 'Bot Net' criminals yet another way to 'invisibly control' your PC)

Some garbage commercial software appears to require IPSEC even in a home WORKGROUP .. presumably because the lazy programmers couldn't be bothered to check for a DOMAIN first .. if you find one of your 'must have' apps. keeps complaining, by all means set this Service to 'Manual'. I first set mine to 'manual' & a year later (after it failed to start once) DISABLED it

IPv6 is implemented via IPSec so should you ever need to support IPv6 (on your home network :-) ) you will have to re-enable IPSec (or, more likely, its semi-bug-fixed descendant)

This note last modified: 1st Mar 2016 17:52.
DISABLE (Manual)
Lsass.exe
PolicyAgent

[top]

Java Quick Starter

Java Quick Starter
Wastes bandwidth by pre-fetching Java code when you typically won't actually want it to run (the FireFox 'NoScript' add-on will stop it). The Service can also cause a web page to 'hang' as it hogs the Internet by 'pre-fetching' Gb's of who-knows-what (mainly multi-media adverts, background 'movies' and animated images, I suspect)

** Go to Control Panel, Java, Advanced tab, click the + sign next to Miscellaneous, 'un-check' Java Quick Start (& whilst you are at it, 'un-check' 'show Java in the system tray')

NOTE - a virus of the same name exists !

This note last modified: 1st Mar 2016 17:52.
DISABLE**
jqs.exe
JQS

[top]

LoadQM.exe

MSN Queue Manager
Installed by MSN Explorer / MSN Messenger and slows your PC to a crawl. Find it, stop it, kill it (rename it so Windows can't 'run' it behind your back) - and then go visit "shoot the messenger" and be done with it

You can still use Messenger without the Queue manager, however every time you 'update' LoadQM.exe will be re-installed and restarted

This note last modified: 1st Mar 2016 17:52.
DELETE
LoadQM.exe
n/a

[top]

Logical Disk Manager Administrative Service

Logical Disk Manager Administrative Service
This is started by the Logical Disk Manager (usually when you launch the Disk Management mmc plug-in from the Computer Management tool in the Administrative Tools folder). Requires Logical Disk Manager, Plug & Play, RPC.

If, for some reason it's unable to 'start', the 'dmadmin' service will grab 100% of one CPU core and start writing 'complaints' to the Log (you will notice continuous hard drive activity for at least 5 minutes) and your system will become 'un-responsive' (if you don't want to wait, it can be 'killed' from Task Manager)

This note last modified: 1st Mar 2016 17:52.
MANUAL
dmadmin.exe /com
Dmadmin

[top]

Logical Disk Manager

Logical Disk Manager
MS says "Watches the Plug and Play Service for "new (hard) disk drive events". Obtains and passes volume and/or disk information to the Logical Disk Manager Administrative Service (Disk Management MMC snap-in)"

Apparently, it has to be running all the time if you use 'Dynamic Disks'. Requires Plug & Play and RPC.

If you only have 'Basic' disks, you can set it to 'Manual' as it will be automatically started when you use the Disk Management MMC console to add (or remove) 'permanent' hard disks (C:, D: etc) i.e. to install / format / assign drive letters. It has nothing to do with USB 'thumb drives'

NB. In addition to local disk management, as you might expect, 'dmremote' allows them to be 'managed' by the 'Corporate IT admin. staff' (so, in the home, this provides yet another way for criminals to abuse your PC from the Internet)

This note last modified: 1st Mar 2016 17:52.
AUTOMATIC / MANUAL
services.exe / svchost.exe, dmremote.exe
dmserver

[top]

Machine Debug Manager

Machine Debug Manager
Mysteriously comes and goes from the Task Manager's 'Processes' tab as needed by MS Updates & assumed to be the engine behind system security patches.

If it doesn't go after a few boot-ups you might want to think about 'End Process' and start to worry about which of the recent MS 'patches' failed to install correctly

With the end of support, this component should never need to run again (unless it's being used by some Root Kit to modify your Operating System).

This note last modified: 1st Mar 2016 17:52.
(leave alone)
MDM.exe
 

[top]

Messenger

Messenger
Disabled by default, leave it there. Messenger is an obsolete Service that 'listens' for messages from corporate IT staff. These days it is just another way for fraudsters and scam artists to place a fake 'virus warning' pop-up in your face. It is also a known memory 'hog' and 'holds open' UDP ports 135, 137, and 138 plus TCP ports 135, 139, and 445 (how nice of MS to provide web-criminals with such a choice !). Visit "shoot the messenger" and be done with it

NB. The Messenger Service has nothing to do with Windows Messenger or Windows MSN Messenger ('chat' apps. which are also insecure and should be ripped out - see 'PC Hell' instructions on how to remove / prevent it running).

Note. If you lock-down the \Program Files\Messenger folder so the MS Messenger 'chat app' can't be accessed, when you try to install (or re-install) sp3 you will run into an 'unable to find msmsgr.chm file' problem. This has nothing to do with the 'source' (unpacked i386) and everything to do with the SP install not being able to access the \messenger folder (as usual with MS 'all or nothing' approach, if you 'cancel' then the entire sp install is 'aborted', not just the messenger 'help file' (.chm))

** If you really need some sort of 'instant messaging' or 'chit chat' application, I suggest the Open Source 'Pidgin' available from its own web site

This note last modified: 1st Mar 2016 17:52.
DISABLE (default)
Services.exe
Messenger

[top]

Microsoft Connection Manager Monitor

Microsoft Connection Manager Monitor
Appears with the Internet dialler provided by some ancient ISP's (such as AOL)

Disable does not stop the Dial-up connection but letting this 'monitoring' service run is known to impact internet performance

WARNING - a worm (W32/Rbot) using the same display name (but launched by cmmon.pif) exists

This note last modified: 1st Mar 2016 17:52.
DISABLE
Cmmon32.exe
 

[top]

Microsoft Fax Service

Microsoft Fax Service
Yet another useless resource hog 'listening' for something that doesn't exist in the home (in this case, it's going to inform you when there is an incoming FAX)

**Set Manual if you have a Fax machine (and want to send a FAX from within MS Office)

This note last modified: 1st Mar 2016 17:52.
DISABLE (MANUAL**)
FaxSvc.exe / FxSSvc.exe
 

[top]

modemmoh.dll

modemmoh.dll
Installed by MSN Explorer / MSN Messenger and slows your PC to a crawl. Find it, stop it, kill it (rename it so it can't 'run') - and then go and 'shoot the messenger' (above)

You can still use Messenger without the Queue manager, however every time you 'update' LoadQM.exe will be re-installed and restarted

This note last modified: 1st Mar 2016 17:52.
DELETE
LoadQM.exe
 

[top]

MS Software Shadow Copy Provider

MS Software Shadow Copy Provider
Required only when performing MS System (C: disk) Back-ups (not Restore Point, nor simple file copy backups). Also required by (at least one) Open Source software to back-up a running System (C:) Drive

After you disable it, you will find a 'complaint' in Event Log

This note last modified: 1st Mar 2016 17:52.
DISABLE / MANUAL
dllhost.exe
SwPrv

[top]

MSN Queue Manager

MSN Queue Manager
Installed by MSN Explorer / MSN Messenger and slows your PC to a crawl. Find it, stop it, kill it (rename it so it can't 'run') - and then go and 'shoot the messenger' (above)

You can still use Messenger without the Queue manager, however every time you 'update' LoadQM.exe will be re-installed and restarted

This note last modified: 1st Mar 2016 17:52.
DELETE
LoadQM.exe
 

[top]

nassvc.exe

NAS PM Service (NAS Power Management Service)
Another pointless commercial service, this one installed with the 'Buffalo NAS' management utility. Apparently designed to 'keep the NAS awake', so perhaps of some use if you are running 'live backup' software (i.e. software that checks for and auto-backs up every new or modified file every few seconds). Useless waste of resources for those who run over-night backups (since the NAS might well be allowed to sleep during the day). May have originally been intended to 'fix' an old 'refuses to wake-up' bug, however my Buffalo NAS always responds just fine without this pointless service.

There are 3 versions of nassvc.exe in the wild, the latest version being 1.07.120306. It is started as a Windows Service called 'NAS PM Service' with the name 'NasPmService' and described as “NAS Power Management Service”. In addition, it is run under the context of the SYSTEM account with extensive privileges (the administrator accounts have the same privileges).

This note last modified: 1st Mar 2016 17:52.
NasPmService
DISABLE
nassvc.exe

[top]

Net Logon

Net Logon
This is ONLY needed to log-on to a DOMAIN. Unless you are on a corporate DOMAIN, this is a waste of resources & yet another potential security weakness (since it allows your log-in credentials to be sent to a remote machine)

It's not required in a Workgroup, not even to 'log-on' a 'shared folder' / 'mapped drive' (but see the Server & Workstation Service)

This note last modified: 1st Mar 2016 17:52.
DISABLE
Lsass.exe
Netlogon

[top]

Net.Tcp Port Sharing Service

Net.Tcp Port Sharing Service
Another pointless waste of resources that is only ever required to run if you are on a corporate network



This note last modified: 1st Mar 2016 17:52.
DISABLE
 
 

[top]

NetMeeting Remote Desktop Sharing

NetMeeting Remote Desktop Sharing
DANGER ! Allows a remote computer to view what's on your 'desktop' !

 If this Service is running, the hacker doesn't even need to install their own key-logger !



This note last modified: 1st Mar 2016 17:52.
DISABLE
MNMSrvc.exe
mnmsrvc

[top]

NetWaiting

NetWaiting
More useless garbage (this from 'BVRP Software') installed on Dell computers to 'help modem calls'

** Unless you intend to use your computer (Laptop) with a Modem, this should be removed (via Add/Remove Programs)

This note last modified: 1st Mar 2016 17:52.
REMOVE**
 
modemmoh.dll

[top]

Network Access Protection Agent (XPsp3)

Network Access Protection Agent (XPsp3)
NAP does not 'protect' you from anything and is yet another waste of resources unless you are on a corporate DOMAIN



This note last modified: 1st Mar 2016 17:52.
DISABLE
QAGENTRT.DLL
napagent

[top]

Network Connections

Network Connections
Used to manage "Network Connections" (Start / Settings / Network Connections)

** May be disabled once you have configured your network devices & settings. After disabling this service, you will no longer see the 'Network Connections' icon, however the connections still exist (even on incoming shared network drives)

This note last modified: 1st Mar 2016 17:52.
MANUAL / DISABLE**
svchost.exe -k netsvcs
Netman

[top]

Network DDE DSDM

Network DDE DSDM
More of the above



This note last modified: 1st Mar 2016 17:52.
DISABLE
Netdde.exe
NetDDEdsdm

[top]

Network DDE

Network DDE
DDE was yet another clever way for software to access your PC remotely. It is not even used by the corporate IT professionals, only by hackers trying to control your computer across a network

DDE is used by Microsoft's remote 'ClipBook', 'WinChat' & networked 'Hearts' game ... and by many criminal BotNets ...

This note last modified: 1st Mar 2016 17:52.
DISABLE (default)
Netdde.exe
NetDDE

[top]

Network Location Awareness

Network Location Awareness
Collects information about your local network and 'notifies applications' = unless you are using WiFi, the only 'application' that's going to want to know about your home network is a Root Kit / Trojan or a Virus that's looking for another local PC to infect

** If your computer is using WiFi, this service may need to be run when you set up a new WiFi 'profile' (or when 'roaming' & using WiFi 'hot-spots'). It is also required on a 'server' computer running ICS (Internet Connection Sharing i.e. when using your computer as a 'gateway' or 'proxy' for another machine to reach the Internet)

This note last modified: 1st Mar 2016 17:52.
MANUAL** / DISABLE
svchost.exe
Nla

[top]

Network Provisioning Service (xmlprov)

Network Provisioning Service (xmlprov)
Allows corporate IT admins to remotely control your PC using XML scripts across the DOMAIN

Just another 'hacker hole' that must be closed by the home Workgroup user

This note last modified: 1st Mar 2016 17:52.
DISABLE
svchost.exe
 

[top]

NT LM Security Support Provider

NT LM Security Support Provider
Required for Telnet and Message Queuing and in networks with Windows 95 / 98 clients. Not required for Mapped drive 'shares' (see Server & Workstation Service)

NT LM is the 'NT' version of the old 'DOS' LANMAN password system. It's fundamentally insecure in that it automatically generates a poorly encrypted LM Hash of all complete passwords up to 14 characters (so that it can 'drop back' to 'DOS' LANMAN mode 'as required')

Whilst the LM Hash only operates on the first 14 characters of a password, it's often very easy to 'guess' the rest of a password if you have the first 14 :-) The 'LM Hash' is so easy to 'crack' that any computer where it's running will 'give away' the Administrator's password within 30 seconds

So the first thing to do is stop Windows creating and storing the 14 character LM Hash for every user on your computer. This is done via RUN, MMC. Add the gpedit 'snap in', open Local computer Policy, Windows Settings, Security Settings, Local Policies, Security Options. Locate "Network security: Do not store LAN Manager hash value on next password change" and set it to 'Enabled' = and then change all your passwords to something completely different !

(whilst the LM version of the new password won't be stored, the first 14 characters of all your old passwords will still exist = and are accessible to any script kiddie who cares to look)

In the Corporate DOMAIN, Kerberos is used instead. However Kerberos requires a Domain Controller, so in a Workgroup the 'best' security that is possible is NTLMv2 (which supports passwords up to 128 characters in length). The trick is to FORCE all your computers to use NT LM v2, instead of allowing them to keep 'dropping back' to the LAN MAN / NTLM level

To force your computer to use NTLMv2, in the above Security Options window, locate the 'Network Security: LAN Manager authentication level' key and set it to 'Send NTLMv2 response only\refuse LM & NTLM'
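
The same two settings can also be checked and written directly in the registry, which helps on XP Home where the gpedit snap-in is not available. This is an added example, not part of the original notes: the /apply switch is an assumption of this script, while NoLMHash and LmCompatibilityLevel (5 = 'Send NTLMv2 response only\refuse LM & NTLM') are the registry values behind the two policy entries named above.

```batch
@echo off
rem Added example: audit (default) or write (/apply) the two LSA settings
rem described above. Run from an Administrator account.
setlocal
set "LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

rem Report the current state first, so you know what is being changed.
call :show NoLMHash 1
call :show LmCompatibilityLevel 5

if /i "%~1"=="/apply" (
    rem 1 = do not store the LM hash at the next password change
    reg add "%LSA%" /v NoLMHash /t REG_DWORD /d 1 /f
    rem 5 = send NTLMv2 responses only, refuse LM and NTLM
    reg add "%LSA%" /v LmCompatibilityLevel /t REG_DWORD /d 5 /f
    echo Settings written. Now change every account password so the stored LM hashes are replaced.
)
endlocal
goto :eof

:show
rem %1 = value name, %2 = wanted value (decimal)
set "CUR="
for /f "tokens=3" %%A in ('reg query "%LSA%" /v %1 2^>nul ^| find /i "%1"') do set "CUR=%%A"
if not defined CUR (
    echo %1 : not set ^(wanted %2^)
    goto :eof
)
rem reg.exe prints DWORDs as hex (0x5); set /a converts that to decimal.
set /a NUM=%CUR%
if "%NUM%"=="%2" (echo %1 = %NUM% : OK) else (echo %1 = %NUM% : wanted %2)
goto :eof
```

Setting level 5 on one machine before the others support NTLMv2 will stop it talking to them, so audit every PC on the Workgroup first and apply the change to all of them together.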

This note last modified: 1st Mar 2016 17:52.
DISABLE
Service.exe
NtLmSsp

[top]

NVIDIA Display Driver Service (commercial)

NVIDIA Display Driver Service (commercial)
Supports the memory hogging "nVidia Desktop" utility. Unless you have some reason to keep changing your display card settings (and can't remember how to right-click the desktop) this is just a complete waste of resources

From a 'DOS box', the command 'tasklist /svc' may show the igfxpers.exe Service = Intel driver for graphics chips on motherboards / NVidia cards. This is important for Laptops since it will automatically switch screen resolutions when a docking station or external monitor is found, but not otherwise.

To stop the Intel Graphics 'add-ons' from running at start-up you will have to use Hijack This (and 'fix' HKLM\..\Run igfxtray, igfxhkcmd & igfxpers)

This note last modified: 1st Mar 2016 17:52.
DISABLE / UNINSTALL
nvsvc32.exe
nvcpl.dll (igfxpers.exe)

[top]

NVSvc32.exe


NVSvc32.exe
NVSvc32.exe Manufacturer : NVidia

NVSvc32.exe Status : Not OK

NVSvc32.exe Description : NVIDIA Driver Helper Service which gets installed as a service under Windows NT4/2000/XP/2003, and as a startup on Windows 98/ME by the NVIDIA drivers for some of their graphics cards (or graphics cards based on an NVIDIA chipset). We do not at this stage know what this process does except consume memory ! And we also have no idea as to what a "Driver Helper Service" is supposed to do !!

NVSvc32.exe Recommendation : This service is often responsible for various glitches, from significant shutdown delays to excessive memory usage. Disabling it, however, does not result in our experience in any ill-effect as regards the proper operation of your NVIDIA or NVIDIA chipset graphics card, so we recommend that you definitely set the Startup Mode of this service to Disabled on the Services tab of The Ultimate Troubleshooter on Windows 2000/XP/2003, and on the Startups tab on Windows 98/ME.

This note last modified: 1st Mar 2016 17:52.
n/a
n/a
n/a

[top]

Office Startup Application

Office Startup Application
The MS Office 'fast startup' service. This joke loads half of MS Office into RAM at power-on so the CPU then has to 'swap it out' to the paging file on disk at the same time as it's trying to start-up Windows - after which normal operations can run you out of space because the 'swap file' is full of Office components

 The problem is, not only does OSA/9 impact start-up performance but it frequently prevents the computer shutting down = XP 'overwrites' the contents of the swap file during power down to 'stop hackers obtaining information from the swap file' (like all your log in and password details) = which is a real pain if you expect MS Updates to 'silently' install overnight (since when you get back in the morning you find the PC stuck after the first update that needed a restart)

MS Office is not the only over-bloated app. that tries to 'speed up' its 'launch' time by 'pre-loading' multiMB's into RAM - many commercial apps. perform the same trick (especially those from Adobe). This is why the older your PC is (and the more applications you have) the longer it takes to boot-up (and the larger the 'virtual memory' paging file it needs) - so after you install a new application, always use 'HiJack This' to find their 'RUN' entries in the Registry and put a stop to them

This note last modified: 1st Mar 2016 17:52.
DISABLE (remove 'RUN' from Registry)
OSA.exe / OSA9.exe
 

[top]

Offline Files Service

Offline Files Service
Can be used in the Corporate Domain to automatically synchronize folders on the company network Server with the "offline" copy on the employee's 'worked at home' laptop

This 'helpful' service is famous for its willingness to 'silently' replace the files you spent all day updating with the (old) 'master copy' from the Server prior to you 'un-docking' and leaving for home at the end of the day - and then deleting files and folders from the Server next morning when you 'dock in' (and it discovers you have moved or deleted the 'master copy' on your laptop) ... end result, frantic calls to IT Support demanding they 'restore from back up'. These days, company employees who 'work at home' use VPN so they can work directly on the file (held only) on the Corporate Server. If you want to 'sync' a laptop to your own home server, use a proper Open Source sync tool such as DSynchronize (which will warn you before making changes and deleting all your work)

This note last modified: 1st Mar 2016 17:52.
DISABLE (& remove)
Svchost.exe
 

[top]

Performance Logs and Alerts

Performance Logs and Alerts
Required only if you want to 'monitor' performance

Needless to say, if enabled, it reduces performance by monitoring it :-)

This note last modified: 1st Mar 2016 17:52.
DISABLE
smlogsvc.exe
sysmonLog

[top]

Personal Web Server

Personal Web Server
PWS is what Frontpage / Frontpage Express uses to 'preview' your web pages. This is one reason why Frontpage pages never look 'the same' in any real browser !

If you must use a GUI based web page 'writing' tool, at least use one (such as the Open Source BlueGriffon) that lets you preview your web pages in a real browser

This note last modified: 1st Mar 2016 17:52.
REMOVE (along with Frontpage)
PWSTray.exe
 

[top]

Plug and Play

Plug and Play
Detects your Hardware components at power-on

!! Windows will lock up during boot if this Service fails to start !!

This note last modified: 1st Mar 2016 17:52.
AUTOMATIC
Services.exe
PlugPlay

[top]

Portable Media Serial Number Service

Portable Media Serial Number Service
The DRM spy and enforcer service for Windows Media Player music ('PlayForSure'). DO NOT allow this to run on your PC (iTunes, whilst also infected with DRM, uses its own methods of control, not this Service)

If you get 'errors' using any 'portable media device' with any music track after setting DISABLE, I suggest you simply delete the track (& throw the device away) = it will have been 'infected' with DRM

This note last modified: 1st Mar 2016 17:52.
DISABLE
svchost.exe
WmdmPmSN

[top]

Print Spooler

Print Spooler
Used for printing on a local or networked printer. Also needed for 'Print to File'

** Disable only if this computer will never be used to print anything (eg. your home server)

This note last modified: 1st Mar 2016 17:52.
AUTOMATIC (Disable**)
spoolsv.exe
Spooler

[top]

Protected Storage

Protected Storage
Allows MSIE and Outlook Express (which is insecure and should be removed anyway) to store your log-in and password details in a form that any semi-intelligent script kiddie can access and read, otherwise only required if you connect to the internet via a DOMAIN controller/server (which requires auto-authentication)

Proper Browser / email Clients use proper 'saved password' encryption, not the "non-protection" provided by the joke 'Protected Storage' service (although anyone sitting at your computer whilst it is logged in with your account can easily get your saved web ID/passwords out of any web browser)

This note last modified: 1st Mar 2016 17:52.
DISABLE
Pstores.exe
ProtectedStorage

[top]

QoS RSVP

QoS RSVP
Microsoft's attempt at granting Network bandwidth 'priority' to applications that request it. Apparently it never made any difference, so the only applications that ever tried to use it were Microsoft's own Windows Media Player & NetMeeting

It is installed 'by default' as a 'protocol' by Windows on every new Network Card (NIC) / Network 'link' (which is annoying, since few NIC's actually support QoS), and whilst it may have made some sense in the old 56kbps Modem connection days, now it's just another time wasting 'barrier' interfering with your access to the network & web browsing

This note last modified: 1st Mar 2016 17:52.
DISABLE (& uninstall QoS from all Network Properties)
rsvp.exe -s
rsvp

[top]

Remote Access Auto Connection Manager (RasAuto)

Remote Access Auto Connection Manager (RasAuto)
"Helps programs automatically access a remote location". It's required if you use Windows Firewall and Internet Connection Sharing (ICS). SOME brain-dead ISP software running dial-up connections on your computer may need this (AOL perhaps ?)

Allows programs to 'invisibly' access the internet. Yep, it provides yet another way for the bot-net root kits and key-loggers to 'phone-home'

NB. RAS ACM has an 'undocumented' (= bug) dependency on the Event log. If Event Log has not already started, and you try to start RAS ACM, you will get a 1717 'unknown interface' error (even if Event Log is on Manual)

This note last modified: 1st Mar 2016 17:52.
DISABLE
svchost.exe -k netsvcs
 

[top]

Remote Access Connection Manager

Remote Access Connection Manager
'Creates' (provides log-on details for) a network connection. This service is required if you use Dial Up networking or Windows Firewall/Internet Connection Sharing, it is not required if you connect to the Internet via a Gateway / Router

Needed for Remote Access (RAS) to a DOMAIN server

This note last modified: 1st Mar 2016 17:52.
DISABLE
svchost.exe -k netsvcs
Rasman

[top]

Remote Desktop Help Session Manager

Remote Desktop Help Session Manager
Part of the 'we can take over your computer remotely' support that Microsoft provides hackers and fraudsters. 

This service should NEVER be enabled (unless you are happy for some-one to take over your PC from the Internet) !!

This note last modified: 1st Mar 2016 17:52.
DISABLE
sessmgr.exe
RDSessMgr

[top]

Remote Procedure Call (RPC) Locator

Remote Procedure Call (RPC) Locator
Apparently this exists to support the remote running of applications. Seems to be needed by Microsoft ICS for sure, and, apparently by some obscure software needing to 'register' their 'publicly declared procedures' (which means Windows can lock-up if it's disabled).

** Having set this to Manual, I've used the computer for weeks (if not months) without it actually 'starting' ... only to find it's mysteriously "started on its own" for no obvious reason. I've thus left it set to 'manual'.

This note last modified: 1st Mar 2016 17:52.
MANUAL**
Locator.exe
RpcLocator

Remote Procedure Call (RPC) Service
Since everything else depends on this Service, leave it running on Automatic !

A recent (late 2017) MS Security patch changed the 'log-on as' settings from 'Local System Account' to (a newly created) 'Network Service' account. After this change, at power-on, some laptops not connected to the Internet can experience up to 5 minutes delay (they show a blue screen after the Welcome/log-in waiting for desktop icons to display). This can only be cured by reverting RPC (and any other Services set to the new Network Service account) to the Local System Account (at a risk of making you more vulnerable to threats from the Internet).

This note last modified: 29th May 2018 12:45.
AUTOMATIC
svchost -k rpcss
RpcSs

Remote Registry
Allows your REGISTRY to be modified remotely !!

A serious security threat if turned on, disable it now !!

Not needed for LOCAL Registry modification (as happens when you install new software applications).

Only needed in Corporate DOMAINS, so that when you 'log-on' to the Domain the 'Active Directory' 'Policies' (as decided by the Corporate IT Admins) will be remotely applied to 'your' computer (to 'allow', or, more frequently, 'deny' user access to various Windows features). In the home, it's just another way for the criminal to take over and remotely control your computer

This note last modified: 29th May 2018 12:45.
DISABLE
REGSVC.exe
RemoteRegistry

Removable Storage (Ntmssvc)
This is for IDE/SATA removable devices such as Zip Drives & Tape Drives and maintains 'a library' of tapes etc. it has 'seen before'. It does NOT apply to anything connected via USB (such as 'memory sticks'). SOME people seem to think it applies to CD/DVD drives, however these are controlled via 'Auto-Insert' (& DRM), not this Service

I suggest you do the same as me = set it to MANUAL and run the computer for a month or two without re-booting ... then check to see if it's been started .. if, like mine, it didn't, you can set it to DISABLE & forget about it

This note last modified: 1st Mar 2016 17:52.
MANUAL -> DISABLE
svchost.exe -k netsvcs
 

Routing and Remote Access
'Listens' for incoming VPN or dial-up access to your computer (and then lets the hacker in).

 Yet another service that's only used in a corporate DOMAIN (or by hackers)

This note last modified: 1st Mar 2016 17:52.
DISABLE (default)
svchost.exe -k netsvcs
RemoteAccess

Secondary Logon
Allows applications to 'run' under different 'credentials'. In theory a 'good idea', since you can set-up 'tasks' to run at the lowest necessary security level - however in practice it's only really used to run tasks at a higher level !

**If you log-in as a restricted USER (rather than ADMINISTRATOR) and make use of the 'Run As' command, you will need this Service. Otherwise it must be disabled (before some-one logged in as 'Guest' manages to 'Run As' Administrator ...)

This note last modified: 1st Mar 2016 17:52.
DISABLE (Manual**)
services.exe/svchost.exe
seclogon

Security Accounts Manager
Implements Group Policy for the local user (if you use gpedit.msc to modify your Group Policy settings, you need this running for your changes to work)

Also required if you use NTFS Encryption (i.e. you have highlighted a folder, right clicked for Properties, then in the General tab, click 'Advanced' & set the 'Encrypt contents to secure data' box)

Apparently, sp2 / sp3 is supposed to prevent you 'Stopping' this service, however I set it to 'Manual' and it's never 'started' :-)

This note last modified: 1st Mar 2016 17:52.
AUTOMATIC / MANUAL
lsass.exe
SamSs

Security Center
This is not Microsoft's 'Security Center' software at all - only a Service that triggers an annoying 'pop up' to complain when you or your Firewall / AV 'turns' off the Microsoft one. In theory it should complain when a Virus turns off MS Firewall, but even the most stupid Virus writer knows enough to turn off** the 'notification' before acting to turn off the MS firewall ...

To manually turn off the MS Firewall etc., you need this running to 'save' the changes. Having made changes, you can set it to DISABLE.

**Zone Alarm uses Registry Settings to turn off the annoying Security Center 'notifications'. These settings are 'flagged' as a security problem by Malwarebytes - if you see them and DON'T have Zone Alarm, you should start to wonder what else could have turned off the 'notifications'

This note last modified: 1st Mar 2016 17:52.
MANUAL -> DISABLE
svchost.exe
wscsvc

Server
Allows 'shares' (files/folders or devices, such as a Printer) on THIS computer to be used by OTHER (remote) computers. If you Disable it, 'shares' (& any Printer) on THIS computer will be 'unreachable' by others. This is the service for 'File and Print sharing' setting in your Network cards Preferences - if you remove 'File and Print sharing' from ALL your Network Connections, this service (should) disappear. See also the Workstation Service (below)

On each boot-up, it also automatically creates 'hidden' shares - (this is a Microsoft joke = 'hidden' means 'invisible to the normal user but accessible by any script kiddie with half a brain cell' - go to Start, Run, 'cmd', and type 'net use' to see what your computer is offering to share across your network) - typically you will find admin$ (and C$, D$ etc = 'root' level access to each of your hard drives) that can be accessed using the default 'simple network sharing' Guest account (and by Company DOMAIN IT Admins) without your knowledge ..

ONLY allow this to run if you want to allow other computers to access a 'share' on this computer (and then enforce access security = see my 'Home server (NAS)' pages)

This note last modified: 1st Mar 2016 17:52.
DISABLE (unless this PC is sharing) and remove 'File and Printer sharing' from all Network Connections (properties)
services.exe
lanmanserver

Shell Hardware Detection
Its main function is to detect the insertion of a CD/DVD or USB memory stick etc., however it also plays a role in detecting (some) DOCKING STATIONS for your laptop. Since it runs at SYSTEM level and automatically executes any 'autorun' file it finds, this Service is the virus writer's 'auto-play' / 'auto-run' wet dream.

You should do everything you can to prevent 'auto-play', including setting the 'no autoplay' registry key (In My computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies, expand 'policies' key. Find or create an 'Explorer' key in 'policies' then New->DWORD Value, Name the DWORD 'NoDriveTypeAutoRun' data value = ff, Base = Hexadecimal).

As with all things Microsoft, this Registry Key can be overridden (by the MountPoints2 key 'historical' data among other things). So even after setting the 'Key', Windows continues to 'look' at anything you plug in (or any 'share' you open) and may still pop-up the 'New Device detected, what to do?' dialogue. To be safe, you must set Windows to totally ignore the content of any 'autorun.inf' files it finds (see How to avoid virus infections later). The 'handlers' can be found in HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ AutoplayHandlers \ Handlers \ <handler> and HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ AutoplayHandlers \ EventHandlers \ <Event Name>.

Some people have suggested that "USB memory sticks won't auto-play" - plainly they have never heard of the Stuxnet worm (you can even 'build your own'). Of course criminals have been changing the USB device 'micro-code' to make fake 'high capacity' thumbdrives for decades - and now someone has realised that a memory stick only has to 'redefine' itself as a keyboard (and 'autoplay' a script) to take total control over your PC (read this and weep)

This note last modified: 1st Mar 2016 17:52.
DISABLE
svchost.exe
ShellHWDetection
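The 'NoDriveTypeAutoRun' value set in this entry is a bitmask with one bit per drive type, which is why 'ff' is the value to use. The decoder below is an added example (not from the original page): it reads the value out of `reg query` output or a regedit export (already decoded to text) and lists the drive types on which AutoRun is still allowed. Both captures are constructed samples.

```python
import re

# One bit per drive type; a SET bit turns AutoRun OFF for that type.
DRIVE_BITS = [
    (0x01, "unknown drive type"),
    (0x02, "drive with no root directory"),
    (0x04, "removable drive (USB stick, floppy)"),
    (0x08, "fixed disk"),
    (0x10, "network drive"),
    (0x20, "CD/DVD drive"),
    (0x40, "RAM disk"),
    (0x80, "reserved (future drive types)"),
]

# `reg query` prints:     NoDriveTypeAutoRun  REG_DWORD  0x91
QUERY_RE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+0x([0-9a-f]+)", re.I)
# A regedit export has:   "NoDriveTypeAutoRun"=dword:000000ff
EXPORT_RE = re.compile(r'"NoDriveTypeAutoRun"\s*=\s*dword:([0-9a-f]{1,8})', re.I)

# Constructed sample: `reg query` output with a partial mask.
REG_QUERY_SAMPLE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun  REG_DWORD   0x91
"""

# Constructed sample: regedit export after following the steps on the page.
REG_EXPORT_SAMPLE = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def read_mask(text):
    """Return the low byte of NoDriveTypeAutoRun, or None if the value is absent."""
    m = QUERY_RE.search(text) or EXPORT_RE.search(text)
    return int(m.group(1), 16) & 0xFF if m else None


def autorun_still_allowed(mask):
    """Drive types whose bit is clear, i.e. AutoRun is not switched off for them."""
    return [label for bit, label in DRIVE_BITS if not mask & bit]


def assess(text):
    """One-line verdict for a captured registry query or export."""
    mask = read_mask(text)
    if mask is None:
        return "NoDriveTypeAutoRun is not set in this key"
    allowed = autorun_still_allowed(mask)
    if not allowed:
        return "0x%02x: AutoRun disabled for every drive type" % mask
    return "0x%02x: AutoRun still allowed on: %s" % (mask, "; ".join(allowed))


if __name__ == "__main__":
    print(assess(REG_QUERY_SAMPLE))
    print(assess(REG_EXPORT_SAMPLE))
```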

stsystra.sys (SigmatelSysTrayApp)
SigmaTel C-Major Audio Tray Application. Installed on computers with motherboards with built-in SigmaTel audio such as Dell's. "Facilitates" the ability to change the "advanced" settings of the audio device.

This is not essential to the operation of the sound system and can be safely disabled.

This note last modified: 1st Mar 2016 17:52.
DISABLE
stsystra.sys
 

Simple Mail Transport Protocol
This service supports the use of a local (outbound) E-Mail server (i.e it helps an eMail virus spam everyone in your address book).

If found, remove (real email clients, such as Thunderbird, have 'built in' mail transport protocols & do not use the MS bug-ridden implementations)

This note last modified: 1st Mar 2016 17:52.
NOT INSTALLED (Default)
SMTPSVC
SMTP

Smart Card [Smart Card Helper, removed in XPsp2]
Unless you actually have a Microsoft 'smart card' reader (and use this to authenticate yourself during log-in) this is yet another useless waste of resources :-)

Some on-line Banking services are now supplying 'smart cards'. Hopefully they come with their own secure & well tested drivers (and will not rely on any bug ridden MS code)

This note last modified: 1st Mar 2016 17:52.
DISABLE
SCardSvr.exe
SCardSvr

SNMP (SNMP Trap Service)
Simple Network Management Protocol = yet another DOMAIN level service that 'listens for' remote access requests for data and responds without bothering to tell the user



This note last modified: 1st Mar 2016 17:52.
NOT INSTALLED (Default)
SNMP.exe / SNMPTrap.exe
snmp

SSDP Discovery Service
Only needed if YOUR computer is going to be used to display multi-media content from some OTHER computer (which is acting as a DLNA Server i.e. a 'source'), elsewhere on your network.

It is NOT NEEDED if your computer is acting as a DLNA Server 'itself'. See my page setting up your own DLNA Server. Not to be confused with local PnP (Plug-n-Play) supporting, for example, USB memory sticks, which will continue to work just fine with this dangerous service disabled

**You need to make sure UPnP (NOT PnP) is STOPPED and DISABLED before the SSDP Discovery Service can be disabled.

This service broadcasts on UDP port 1900 "a lot" and holds open TCP port 5000 'listening' for (hopefully non-existent) uPnP 'devices' on the network to take control over your computer. If these broadcasts ever get out onto the Internet, it's like waving a big white flag to the script kiddies ("here I am, port 5000 is open, come & hack me")

This note last modified: 1st Mar 2016 17:53.
DISABLE**
svchost.exe
SSDPSRV (Ssdpsrv.dll + Ssdpaip.dll)

System Event Notification (SENS)
Tracks system events such as Windows logon, network, and power events and notifies COM+ Event System subscribers of these events. Since no known current applications use COM+ (and you will have disabled COM+ anyway) this is just one more useless service

When it's disabled, Windows will 'complain', via the Event Log, of a 'SENS Error'

This note last modified: 1st Mar 2016 17:53.
DISABLE
svchost.exe -k netsvcs
SENS

System Restore Service
Generates 'Restore Points' (system back-ups) 'as needed'. The automatic generation of Restore Points is actually very useful if you test lots of 'Trial' software, but not otherwise (it can be a real resource hog)

**WARNING - if you set 'DISABLE', it will automatically and without warning delete all your existing Restore Points, which might free up 10-20 Gb of hard disk space, but is maybe not quite what you were expecting (thank you, Microsoft, for auto-trashing any possibility of ever getting back to a working system) ...

This note last modified: 1st Mar 2016 17:53.
AUTOMATIC / MANUAL
(DISABLE**)
svchost.exe
srservice

Task Scheduler
Required if you want to run Auto Updates (or anything else from MS) automatically at set intervals (such as MS Backup / MS anti-virus updates etc).

To support the Corporate IT Admins (and hackers), Microsoft's Task Scheduler actively 'listens' for tasks 'setup' from the network (by holding open Port 135) and, even worse, when a task is run by the Task Scheduler Service it can gain 'Admin' rights - and this has led to some very well known exploits. As a consequence, most Open Source software incorporates their own Scheduler, so the chances are this is ONLY needed for MS Auto-Updates, time triggered System Restore point creation and timed Backups (so 'Disable' if you are performing Updates / Backups manually or using a non-Microsoft backup utility)

** When a 'task' is being run, you will see atsvc.exe or mstask.exe in the Processes tab

Unless you use an alternative Task Scheduler such as nnCron Lite, you will have to keep the MS one for Auto-Updates & scheduled MS Backups

This note last modified: 1st Mar 2016 17:53.
DISABLE / (AUTOMATIC)
svchost.exe**
Schedule

TCP IP NetBIOS Helper
NetBIOS over TCP/IP opens Ports 137 and 139 and ANY open ports can let in the hacker. However, stopping this Service means that, when using 'Map Network Drive', you will have to use the Server's IP address (e.g. '\\192.168.x.x\ShareName') rather than its 'computer name' URL ('\\ServerName\ShareName')

** Unfortunately, it appears that the DHCP Client needs this Service to run, so, unless you also enter your Network card TCP/IP settings 'by hand', you will have to set it to 'Manual' (and then 'Stop' it again after you log-on). However when DISABLED, it does prevent the 'Server', 'Netlogon' and 'Messenger' services from running, so there's another reason to DISABLE it on your (static IP address) home server :-)

NB. NetBIOS is needed for some 'brain dead' on-line multi-player video games (Unreal Tournament 2003 and Half-Life Counter-strike for example) and also in a Windows 2000 DOMAIN environment (for file sharing).

This note last modified: 1st Mar 2016 17:53.
MANUAL / DISABLE**
Services.exe / Svchost.exe
LmHosts

Telephony
This service is required for dial-up modem connectivity, Faxing and 'Voice over IP' (which is what Skype does using its own drivers, not this one) and by Remote Access Auto/Connection Manager Services. It is also required for AOL (presumably a 'hang over' from the days when all Internet connection was via dial-up modems).

**If you connect to the Internet via a normal Router (i.e. via an Ethernet cable or WiFi to a 'Default Gateway') - and have already set Remote Access Auto/Connection Manager Services to DISABLE, this service can also be set DISABLE

This note last modified: 1st Mar 2016 17:53.
DISABLE**
Tapisrv.exe
TapiSrv

Telnet or TlntSvr (Win2k)
Telnet allows some-one on the Internet to 'log-in' on your computer and take it over with Microsoft's blessing !! Supports Remote Desktop, which is yet another way to take over your PC from the Internet !

This from Microsoft "If this service is stopped, remote user access to programs might be unavailable" = well, you didn't think MS would actually let you BLOCK the hackers, did you ??

If you need to use a 'remote terminal window' on your LAN (eg to control a Raspberry Pi) use a proper, secure, Open Source tool such as PuTTY (see below). If you need a file transfer utility to run across the Internet (e.g. to upload your web pages to your hosting service), use WS_FTP95 LE or similar

This note last modified: 1st Mar 2016 17:53.
DISABLE
TlntSvr.exe
 

Teredo Tunneling Pseudo-Interface
Part of the 'Microsoft TCP/IP version 6' support installed by Windows Updates. 

Until v6 TCP/IP becomes 'common' there is no need for this additional component to run on your computer.

**Remove it from each 'network connection' by 'uninstall' (using Control Panel, Network connections, 'properties' of each connection in turn)

This note last modified: 1st Mar 2016 17:53.
Uninstall**
svchost.exe
 

Terminal Services (XP)
XP version of Telnet (see above). Required for Fast User Switching, Remote Desktop and Remote Assistance

Unless you want to open a very well known 'hole' for hackers, this must be set to DISABLE.

If you need a serial Terminal, use the Open Source secure (SSH) Telnet app. "PuTTY"

This note last modified: 1st Mar 2016 17:53.
DISABLE
svchost.exe
TermService

Themes
Used to display the fancy XP graphical interface ("Green Start Button" etc) and allows different users to choose their own preferences

If you have already boosted performance by choosing the "Classic" GUI, you can disable this useless 'service'

This note last modified: 1st Mar 2016 17:53.
DISABLE (AUTOMATIC)
svchost.exe
Themes

Uninterruptible Power Supply
Unless you have an actual UPS attached to the SERIAL port of your computer, this is just one more waste of resources (as well as causing problems with any other applications trying to use the serial COM link).

NOT REQUIRED if your UPS connects via USB (and are thus using the manufacturers own control software)

Note that this service may also be the cause of some mysterious 'auto shut downs' as it seems that UPS.exe can occasionally decide the computer has been 'running on batteries' for 'far too long' ...

This note last modified: 1st Mar 2016 17:53.
DISABLE
Ups.exe
UPS

Universal Plug and Play Device Host
Allows your computer to obtain streaming Multi-Media (from some other computer that's acting as a DLNA Media Server). Not to be confused with that massive security hole "SSDP Discovery Service" but must be stopped before SSDP can be. Apparently required by Vista users of Windows Media Player 11

NOT REQUIRED if your computer is the one acting as the DLNA Media Server (i.e. it's being used to store music, movies, photo's etc. that you want to 'serve' to your TV / home cinema system). For more on how DLNA 'works' (and how to set up your own Media Server), see my Setting up DLNA page (part of my Home Server / NAS topic).

Note that removing the 'UPnP User Interface' (in networking services, in Windows Components, in Add or Remove Programs) does NOT remove this (or the SSDP) service. Note also, Skype has its own 'built in' uPnP (which you can control) & does not use the MS implementation.

This note last modified: 1st Mar 2016 17:53.
DISABLE (see also SSDP)
svchost.exe
UPNPhost (Upnpcont.exe Upnpui.dll Upnp.dll upnphost.dll)

Volume Shadow Copy
Required for System Restore and Windows Backup of a 'running' (live) System (C:) Disk.

If you are using 'ghosting' (or 'cloning') from a bootable CD to make system backups, you may choose DISABLE (however note that some Open Source utilities do need this to back-up a running C: System drive)

This note last modified: 1st Mar 2016 17:53.
MANUAL (default) / DISABLE
vssvc.exe
VSS

WebClient
MS says: "Enables Windows-based programs to create, access, and modify Internet-based files". What this means is: "Used by Microsoft software (such as MSIE) only".

Since it's not needed by Firefox (or any other 'proper' Internet browser) it can be set to Disable (and forgotten about)

** or MANUAL, if you ever use MSIE to manipulate files on the Internet

This note last modified: 1st Mar 2016 17:53.
DISABLE**
svchost.exe
WebClient

Windows Audio
Windows' own 'Sound Driver'. Unfortunately, this seems to be needed even if your sound card comes with its own drivers so you have to leave it running (unless you don't have a 'sound card' = e.g. your home server)



This note last modified: 1st Mar 2016 17:53.
AUTOMATIC
svchost.exe
AudioSrv

Windows CardSpace
CardSpace is the client software for Microsoft's now-canceled (2011) "Identity Metasystem" system. Since MS decided we would all need this, they ensured it was so tightly integrated with .NET (it is installed with 3.0 - 3.5) that the only way to remove CardSpace was to uninstall the whole .NET Framework, which (of course) would mean all other software applications that depended on .net would fail. Since NO ONE uses this garbage, all you can do is disable the service.

MS says CardSpace 'Securely enables the creation, management, and disclosure of digital identities' (the words you need to focus on here are 'disclosure' and 'digital identities' = in other words, it's another way for scammers to steal your digital ID). It's also worth noting that if you are running on a FAT formatted system hard drive (rather than NTFS) this 'service' will hang your system.

This note last modified: 1st Mar 2016 17:53.
DISABLE
infocard.exe

Windows Firewall (XPsp2), Internet Connection Firewall (XP), Sharing (w2k), aka ICS
This is the Windows Firewall / anti-virus service.

It's not needed if you are using '3rd party' firewalls (such as Comodo or Zone Alarm) & anti-virus (!Avast, AVG) etc.

**NOTE. Since the end of XP support, Microsoft no longer supports this, so you must install your own Firewall / AV (after which you can Disable this one)

This note last modified: 1st Mar 2016 17:53.
DISABLE**
svchost.exe -k netsvcs
SharedAccess

Windows Image Acquisition (WIA)
Ancient method almost never used by any non-Microsoft application to access scanners, web cams, or (USB linked) cameras = for sure not used by SKYPE. Appears to play a part in 'push scans' (i.e. scanner initiated, rather than a PC initiated, scans) in 'auto-launching' an application to receive the scanned image.

After a Microsoft 'Security Patch', my laptop suddenly started to take an extra 100 seconds or so to finish the boot-up (it would freeze after 'welcome' with a blue screen before, eventually, showing the desktop/icons). After much mucking about with Process Explorer and Microsoft BootVis I eventually discovered that the WIA service had been set to Automatic ! After stopping the service and setting it back to 'disabled', the 100 second delay vanished.

If, after disabling this service, your scanner or web cam fails to function properly, re-enable this service by placing it into Manual

This note last modified: 29th May 2018 12:45.
DISABLE / MANUAL
svchost.exe
imgsvc / stisvc

Windows Installer
Required by 'Add/Remove Programs' to install / modify / remove .MSI based programs

** When set to 'Manual' and you use 'Add/Remove Programs' to modify / remove / repair an application, it SHOULD be started automatically (once started, it will remain running until the next re-boot). However, occasionally, to Uninstall some software, I have had to go into Services and 'start' the Windows Installer service manually 

This note last modified: 1st Mar 2016 17:53.
MANUAL** / DISABLE
MsiExec.exe /V
MSIServer

Windows Management Instrumentation Driver Extension
Since this does not exist on XP Home, I would bet it's going to be the 'network' side of winmgmt (i.e. the bit that opens holes for hackers)

Just set DISABLE and forget about it (I have)

This note last modified: 1st Mar 2016 17:53.
DISABLE
svchost.exe
Wmi

Windows Management Instrumentation
WMI (Windows Management Instrumentation) allows software developers to write scripts and programs for the management or querying of devices, user accounts, Windows services, running programs, networking, and many other internal technical aspects of Windows (i.e. one more helpful tool for the script kiddies, hackers and virus writers to use).

Unfortunately, it is also required to show 'dependencies' in the Services control panel - vital when trying to work out what else has to be 'enabled' to allow a Service to start (it is also required by Security Centre, Windows Firewall and ICS)

WMI also provides data to the 'tools' in 'Help & Support' - if WMI is disabled, the Help 'tools' are totally (rather than just mainly) useless

A virus (W32/Sonebot-B) of the same name - wmiprvse.exe - is found in C:\WINDOWS\System32 (the real wmiprvse.exe component is found in the C:\WINDOWS\System32\Wbem folder)

This note last modified: 1st Mar 2016 17:53.
AUTOMATIC (default) / MANUAL
svchost.exe
winmgmt
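The wmiprvse.exe note in this entry (real copy in System32\Wbem, impostor in System32) turns into a simple check over a process listing. The script below is an added example, not from the original page: it reads a CSV process listing with the columns Node, ExecutablePath, Name, ProcessId (the shape `wmic process get ExecutablePath,Name,ProcessId /format:csv` produces) and flags well-known image names running from the wrong folder. The listing is constructed, the Windows folder is assumed to be C:\WINDOWS as on the page, and the three System32 entries go beyond the page's single wmiprvse.exe case.

```python
import csv
import io
import ntpath  # Windows path rules, usable on any analysis machine

# Folder each image name is expected to run from (lower case).
EXPECTED_DIR = {
    "wmiprvse.exe": r"c:\windows\system32\wbem",  # stated on the page
    "svchost.exe": r"c:\windows\system32",        # standard location (added here)
    "services.exe": r"c:\windows\system32",       # standard location (added here)
    "lsass.exe": r"c:\windows\system32",          # standard location (added here)
}

# Constructed sample listing.
PROCESS_CSV = r"""
Node,ExecutablePath,Name,ProcessId
XPBOX,,System Idle Process,0
XPBOX,C:\WINDOWS\system32\services.exe,services.exe,612
XPBOX,C:\WINDOWS\system32\svchost.exe,svchost.exe,880
XPBOX,,svchost.exe,1020
XPBOX,C:\WINDOWS\System32\Wbem\wmiprvse.exe,wmiprvse.exe,1504
XPBOX,C:\WINDOWS\System32\wmiprvse.exe,wmiprvse.exe,2316
XPBOX,C:\WINDOWS\system32\wbem\..\WmiPrvSE.exe,WmiPrvSE.exe,2840
XPBOX,C:\Program Files\Mozilla Firefox\firefox.exe,firefox.exe,3100
"""


def find_misplaced(csv_text, expected=EXPECTED_DIR):
    """Return (pid, image name, folder or reason) for each suspicious process."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        name = (row.get("Name") or "").strip().lower()
        if name not in expected:
            continue  # only names we have an expected folder for
        pid = int(row["ProcessId"])
        path = (row.get("ExecutablePath") or "").strip()
        if not path:
            # Path hidden from the querying account: cannot be verified here.
            findings.append((pid, name, "path not readable"))
            continue
        # normpath collapses '..' so a path cannot pass by detouring via Wbem.
        folder = ntpath.dirname(ntpath.normpath(path)).lower()
        if folder != expected[name]:
            findings.append((pid, name, folder))
    return findings


if __name__ == "__main__":
    for pid, name, where in find_misplaced(PROCESS_CSV):
        print("PID %5d  %-14s %s" % (pid, name, where))
```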

wpdshserviceobj.dll (Windows Portable Device Shell Service Object)
MS says "Windows Portable Devices (WPD) enables computers to communicate with attached media and storage devices. WPD provides a flexible, robust way for computers to communicate with music players, storage devices, mobile phones, cameras, and many other types of connected devices" = which sounds like meaningless marketing bullsh*t...
... but after noting the word 'robust' and discovering it's installed with Windows Media Player 10 & 11, we can guess it's yet another DRM 'enforcer'. It is 'delay installed' at start-up (by the 'SSODL:' command), presumably so it can be sure to load after (and thus 'hook' = take over) any other media driver / service.

**This service may be responsible for Skype losing connection to your WebCam / microphone. If you don't use Windows Media Player, there is no reason why you should allow this component to load.

This note last modified: 1st Mar 2016 17:53.
DISABLE**
 
 

Windows Presentation Foundation Font Cache {n.0.0.0}
Installed automatically by a '.NET' update. Claims to "Optimizes performance of Windows Presentation Foundation (WPF) applications by caching"

If you are NOT running .net applications, this is just one more resource hog and potential security hole

This note last modified: 1st Mar 2016 17:53.
DISABLE
WPFFontCache_v0400.exe
 

Windows Time Service
Maintains the correct time (by going off and fetching it from the Web).

If you are NOT running a Time Server, you might as well turn this off .. if you ARE running a Time Server, set AUTOMATIC, UNLESS you have installed a non-Microsoft Time Client on your computer instead

This note last modified: 1st Mar 2016 17:53.
DISABLE / AUTOMATIC
services.exe
W32time

Windows Update
WUAUSERV is the Automatic Updates service. Now that XP is no longer supported, this can be DISABLED. See also "Automatic Updates".

MS occasionally issues a 'Malicious Software Removal Tool' update for XP. To get these, you need to do the occasional 'manual' Update.

If you try a Windows update with this service DISABLED, you will get the "Windows Update has encountered an error and cannot display the requested page. The necessary service "Automatic Updates" (WUAUSERV) is not started or Background Intelligent Transfer Service (BITS) is disabled. - Error 0x8DDD0018" error report. Just enable the "wuauserv" service and try again.

This note last modified: 1st Aug 2016 14:56.
DISABLED (see notes)
wuauserv
svchost.exe (wuauserv.dll)

WinPatrol
WinPatrol is a 'watch dog' that monitors your Registry and will notify you of any attempt to add a 'Service' or add a 'Run' / 'Run Once' command.

Everyone should install WinPatrol = it's often the only thing that will protect you from commercial applications that automatically add their 'auto-update' and 'phone-home' garbage as well as trying to 'pre-load' themselves into RAM at boot time

'Pre-loading' is yet another 'time waster' invented by MS. The idea is to load chunks of your 'most used' applications into RAM during the boot-up in an attempt to make applications 'faster' to launch later. Of course every app. tries the same trick, adding minutes to the boot-up as each successive app. forces Windows to off-load the previous apps. 'pre-load' back to the hard disk (i.e. to the 'swap file') in order to make room for the next apps. 'pre-load'. At the end of the boot, your RAM and swap file will be full of parts of 'important' applications that you may never use at all - and when you do try to 'launch' one, chances are it will end up taking longer to load as Windows will have to unload all the other pre-loaded garbage to the 'swap file' and then wait for that apps. parts to be read back from the 'swap file', whilst at the same time instructing the hard drive to read yet other parts of the app. from the 'Programs' folder. The only way it's ever going to be faster is if you use a separate physical drive for the 'swap file' (in which case you may gain a few seconds) or if your 'swap file' is on 'RAM disk' (which really will result in a noticeable difference)

This note last modified: 1st Mar 2016 17:53.
(not in Services)
WinPatrol.exe
WinPatrol.exe

Wired AutoConfig (XPsp3)
".. performs IEEE 802.1X authentication .." = and that requires a Corporate Domain 'RADIUS' server (on a DOMAIN), so this is of no use what-so-ever in a home LAN 'WORKGROUP'

This MIGHT be of some use to those who 'log-in' to their company mainframe 'remotely', however most 'work at home' executives use VPN with a proprietary 'key fob' (= not MS EAP) = and (according to the Wikipedia link above) the MS 'solution' doesn't work correctly with Win XP anyway

This note last modified: 1st Mar 2016 17:53.
DISABLE
dot3svc
DOT3SVC.DLL

Wireless Zero Configuration
If you are using WiFi, set to Manual and Start it. After setting up connection to your own WiFi, STOP and DISABLE Wireless Zero Config. (WZC looks for a new WiFi network every few seconds EVEN AFTER YOU HAVE CONNECTED to your own network. If there is another WiFi network nearby (and these days, there are WiFi networks everywhere) WZC often drops your connection !!). If your computer is not using WiFi, leave it set to DISABLE.

It is claimed (by MS 'supporters' :-) ) that "some software" needs the Wireless Service 'running' even if your computer has no WiFi capability ! Should you succeed in identifying any such, I suggest you un-install "some software" and switch to something more Open Source (and written by rather less 'brain dead' programmers)

This note last modified: 25th Jun 2017 03:24.
DISABLE / MANUAL
svchost.exe
WZCSVC

WLAN Transport (network protocol)
You will discover WLAN Transport is 'installed' by default on every Wireless Network Connection (Start -> Settings -> Network Connections) device. However, whilst 'WLAN' sounds as if it's vital to WiFi working, it's described as 'A transport for supporting WNMP' - so what's that and, more important, do we need it ?

Well WNMP is yet another 'gift' to hackers and scammers (and has no real business running on a home computer), however WLAN is vital to your laptop achieving a WiFi connection in the first place.

WNMP is designed to let you 'roam' from one location to another within the coverage of the same Corporate (or University) WiFi system without having to 'log in' again every time you move out of range of one wireless router and into the range of another. In other words, it's the WiFi Internet version of how mobile phones operate.

Why is it so dangerous ? Well, some 'hacker' with an illegal high power wireless router can 'swamp' your own (legally power restricted) home WiFi base station signal and invisibly 'take over' your Internet connection without you ever noticing - and then feed you their own 'phishing' pages (fake eBay, PayPal, Banking etc website) without you ever finding out. In fact, they don't even have to 'ask' you for your passwords - all modern browsers will automatically 'log you in' (if you clicked 'save password' in FireFox = or even if you didn't in the case of some browsers) when 'requested' by the 'recognised' website.


This note last modified: 6th Mar 2016 19:51.
n/a
n/a
n/a

WMI Performance Adapter
'Collects performance library information' ...

... however the library is used by no useful function that anyone can discover, so DISABLE

This note last modified: 1st Mar 2016 17:53.
DISABLE
wmiapsrv.exe
WmiApSvc

Workstation
Allows THIS computer to use (i.e. Map to) 'shares' on another computer (the other computer must have the SERVER Service enabled).

The following all need Workstation - Alerter, computer Browser, Messenger, Net Logon, Remote Procedure Call (RPC) Locator

If you have a networked NAS or Home Server with a 'share' that you wish to 'Map' (so you can save & fetch photo's, music or backups etc.), set Workstation to Automatic. If you DO NOT want this computer to 'Map' to any shares on other computers, set DISABLE = for example on your home Server/NAS (others will map to your NAS (so it needs the Server Service running), but your NAS will never map to others (so doesn't need Workstation running))

This note last modified: 1st Mar 2016 17:53.
AUTOMATIC / DISABLE
svchost.exe
lanmanworkstation
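To see how far a machine is from the settings listed in the entries above without changing anything, the start types can be read from captured `sc qc <name>` output. The script below is an added example, not from the original page: it covers a subset of the services listed here, uses a constructed capture trimmed to a few fields, and only reports. It also lists UPnP Device Host ahead of SSDP Discovery, since the page says UPnP must be disabled first.

```python
import re

# Start types recommended on this page, keyed by service name (upper-cased,
# because service names are not case-sensitive). Subset chosen for the example.
RECOMMENDED = {
    "REMOTEREGISTRY": {"DISABLED"},
    "RDSESSMGR": {"DISABLED"},
    "TERMSERVICE": {"DISABLED"},
    "SSDPSRV": {"DISABLED"},
    "UPNPHOST": {"DISABLED"},
    "SHELLHWDETECTION": {"DISABLED"},
    "RPCLOCATOR": {"DEMAND_START"},                # 'Manual' in the Services panel
    "RPCSS": {"AUTO_START"},                       # 'Automatic'
    "WINMGMT": {"AUTO_START", "DEMAND_START"},
}

# Page note: UPnP Device Host must be disabled before SSDP Discovery can be.
DISABLE_FIRST = {"SSDPSRV": "UPNPHOST"}

NAME_RE = re.compile(r"^\s*SERVICE_NAME\s*:\s*(\S+)", re.I)
START_RE = re.compile(r"^\s*START_TYPE\s*:\s*\d+\s+(\w+)", re.I)

# Constructed capture: several `sc qc` results concatenated, fields trimmed.
SAMPLE = r"""
SERVICE_NAME: RemoteRegistry
        START_TYPE         : 2   AUTO_START
        DISPLAY_NAME       : Remote Registry

SERVICE_NAME: TermService
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Terminal Services

SERVICE_NAME: SSDPSRV
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : SSDP Discovery Service

SERVICE_NAME: upnphost
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Universal Plug and Play Device Host

SERVICE_NAME: RpcSs
        START_TYPE         : 2   AUTO_START
        DISPLAY_NAME       : Remote Procedure Call (RPC)

SERVICE_NAME: RpcLocator
        START_TYPE         : 3   DEMAND_START
        DISPLAY_NAME       : Remote Procedure Call (RPC) Locator

SERVICE_NAME: ShellHWDetection
        START_TYPE         : 4   DISABLED
        DISPLAY_NAME       : Shell Hardware Detection
"""


def parse_sc_qc(text):
    """Return {SERVICE_NAME (upper case): start type} from `sc qc` output."""
    result, current = {}, None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1).upper()
            continue
        m = START_RE.match(line)
        if m and current:
            result[current] = m.group(1).upper()
            current = None  # one START_TYPE per SERVICE_NAME block
    return result


def audit(text, recommended=RECOMMENDED):
    """List (service, actual, allowed) where the capture differs from the page."""
    actual = parse_sc_qc(text)
    findings = [(name, actual[name], sorted(allowed))
                for name, allowed in recommended.items()
                if name in actual and actual[name] not in allowed]
    # Services missing from the capture are skipped (not installed or not queried).
    names = [f[0] for f in findings]
    for dependent, first in DISABLE_FIRST.items():
        if dependent in names and first in names:
            i, j = names.index(dependent), names.index(first)
            if j > i:  # move the prerequisite in front of the dependent service
                findings.insert(i, findings.pop(j))
                names.insert(i, names.pop(j))
    return findings


if __name__ == "__main__":
    for name, actual, allowed in audit(SAMPLE):
        print("%-16s is %-12s page says %s" % (name, actual, " or ".join(allowed)))
```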


The pages in this topic are :-

  + Disable useless services == Latest changes (modified 17th Apr 2017 11:57.)

