What are the most dangerous and useless Windows Services ?
Almost all of them. Use Alt-Ctrl-Del and select Task Manager. Click the 'Processes' tab. At least half of what you see will be garbage that Microsoft has 'decided' needs to be run from power-on for the 'benefit' of the user - and many of the rest exist simply for the 'convenience' of lazy (and incompetent) software vendors.
Most Services are run at the 'operating system' level, so can be used to do all sorts of nasty hidden & unstoppable things to your computer. Virus writers and hackers know this, so they 'target' these Services - and achieve a fair degree of success. Some Services are vital to ensure MS Updates 'work' - however now that XP is 'out of support' you can disable these as well. Of course, given the power of Services, almost all 'back-doors' (Trojans, bot nets, hijackers) will also install their own Services to 'take over your computer' without you knowing about it.
Some Services are essentially 'harmless' but still time wasting resource hogs (eg the notorious 'Indexing Service') which, if needed at all, are needed only occasionally. Those that are needed can be set to 'manual' so they are started only when (first) needed. Of course, once started, most are never stopped, so when your PC slows down too much, you will need to reboot to turn them all off again.
Note - if you set a Service to 'Manual' then it will be started by Windows 'as needed'. Since Windows cannot distinguish between 'legitimate need' and an attempt by a hacker to take over your PC, plainly dangerous Services should never be set to 'Manual' :-)
Finally there are the dozen (or less) Services that are actually vital to the running of Windows itself. These have to be left set to 'Automatic' - and you just have to hope that MS finds the 'holes' in them before the hackers do.
You can use 'Start' - 'Run' - 'msconfig' to get an 'overview' of what's running, however (as usual) MS 'hides stuff' we "don't need to know" (and it's a trivial task for any half clever virus writer to 'tell Windows' to put their malware into the "don't need to know" category). Fortunately, 'Sysinternals' (a 3rd party developer) made available tools that 'revealed all' .. and these tools are now available from Microsoft ! Download the 'Autoruns' tool now and compare what it finds against what 'msconfig' allows you to see. NOTE, to make changes to 'hidden' services you have to be running in 'Safe Mode'. Download 'Process Explorer' to discover what's actually running (and hiding behind the 'svchost.exe' wrapper). This tool can also be used to track down 'mystery disk activity', something that can be really annoying when you have a nice silent SSD C: drive and the old mechanical D: drive is ticking away like a bomb :-)
What makes a Service most 'dangerous' ?
Any Service that is 'listening' on the network (by holding open 'ports') for instructions (even when no-one is logged in) and then 'running' those instructions at 'System' security level (i.e. above Administrator) is a 'God's Gift' to hackers wanting to access and take over your computer 'remotely'.
Yes, that's right - many of the Services are actually designed to provide control over 'your' computer from the network without 'you' (the local user) having any ability to prevent it (or even discover what's happening). This is because the 'real' Windows customer is the Corporate IT Admins (who require total remote control over the employees' computers) and not the 'end user' (who might wish to prevent any such remote control).
Of course, in the home, 'the corporate network' means 'the Internet', so what those Services are doing is 'listening' for instructions from criminals who want to hijack your PC = and the only thing that keeps them out is your Firewall !
You might think MS would have encoded such Services so they only functioned on a Company Domain (after validating the remote user's ID using Kerberos security) and then obtaining a valid Certificate, before using a Public Key Encryption key to decode the executable before running it ??? Dream on ... small businesses (the 'SOHO' market) don't use a Domain (or Certificates) but will still pay Microsoft full price for their "Server" software, so MS isn't going to 'encourage' them to go elsewhere for their 'employee remote control' system.
This is not to say that other Services are 'safe', since almost anything running as a Service has system level access and, even after 10 years of patching, will still contain 'holes' allowing a hacker to gain control over your computer. So the fewer Services you have running, the fewer 'holes' any criminal can exploit.
I have a list (on the previous page) of all Services I found on my (Dell) Windows XP Pro computer. After tracking down what they are used for, I formed my own view of how 'necessary' they actually are (most aren't). The fewer Services you allow to run, the safer you will be. No doubt most of the Services listed will also exist (and be enabled to run automatically by default) in Vista and Windows 7, no matter what the 'Edition'. Of course any 'new' Service that comes with Vista / Windows 7 will contain even more 'holes' than the older ones that have had 10 years of 'patches' ....
How does Indexing Service help the hacker ?
Indexing Service, if ever allowed to run, creates 'index' lists of all files by name and location on your computer (and any 'shares' it might Map to). These files are not 'encrypted' and can be accessed by 'anybody' (why not go look now ? = *.idx, *.idq, *.ida, and *.htx). These files are not removed just because you Disabled the Indexing Service ...
Whilst there is little harm in a 'hacker' knowing that 'Image0001.jpg' can be found in the '\My Photos\My Holiday' folder, it's a little less funny when you realise they will also discover that 'MyPasswords.xls' can be found in the '\My Documents\hidden\dont look here\safe' folder ....
In case you are wondering how the 'script kiddies' can 'auto-interpret' the *.idx, *.idq, *.ida, and *.htx files, just take a look at how Microsoft itself helpfully provides links to assist the Visual Basic Scripting Edition (VBScript) user (bottom of page, in SDK paragraph).
It's not just Indexing Service that 'gives away' your file names & locations - by default, Windows XP actually LISTS those files you accessed most recently in the Start Menu (and, before those who use the Classic Menu start sneering, Windows XP also lists the 'Recent Files' in the Registry on an application by application basis ... go look see, for example, what's in HKEY_CURRENT_USER\Software\Microsoft\Office\{version}\Excel\Recent Files )
Needless to say, the truly paranoid will rename 'MyPasswords.xls' as 'Image0123.jpg' and stick it in with 10,000 other holiday photos on a NAS share.
How can I discover what services are 'listening' on my network PORTS ?
You can't. Yes, a list of 'port use' by MS Services can be found in c:\windows\system32\drivers\etc\services = however this list is not 'updated' when you enable/disable a Service (nor does it contain entries of port use by any '3rd party software' (such as a virus) you might have accidentally installed)
All you can do is install a Firewall and 'close everything' - and then try to work out which (if any) you actually need open in order to let your PC 'run normally'.
To help you work out what you might need to 'open', you can find a list of ports and the Services that use them on Wikipedia.
What about commercial software ?
Of course many commercial software packages will install their own useless 'Services', ESPECIALLY those that use some form of 'auto-update' - and whilst auto-update is vital for your anti-virus / firewall software, it is just a pointless waste of time to allow any other application (such as those from Adobe) to 'query the web' at regular intervals (especially when you are not using them).
What's the problem with letting software 'auto-update' then ?
Obvious .. unless you think it's a 'good idea' to allow some unknown software 'update' package to be automatically fetched from some unknown web site and automatically installed on your computer without your knowledge.
Plus, of course, allowing software to 'update' itself automatically will soon help you understand why the "old boy's" of the computer industry are so fond of saying "If it ain't broke, don't fix it" :-)
As with any rule, there are exceptions, and in this case, it's your Anti-virus (eg Avast!) & Firewall (eg Comodo) packages - these should be set to auto-update every day !
How do I stop a Service / application running at start-up ?
A1. Ideally you stop the service being installed in the first place. So, at 'install' time, if you are offered 'custom install' always choose this and then 'deselect' anything that looks like it might be an 'auto-updater'
You will, of course, have installed the WinPatrol application which will notify you of any attempt to add a 'Service' or 'Run' key to your Registry. So if you fail to spot the updater, you will usually get a 'second chance' to spot and block it when WinPatrol pops up.
A2. The simplest way to 'fix' an application / Service after it's been installed is to use Hijack This. You should use Hijack-This to do a 'System Scan with Log File' before installing any new application or updating any 'driver'. A second System Scan after installing will show any new Registry entries.
NOTE that most vendors install their Services into the same folder as their application. Most hackers put their Trojans, Root-kits and Key-loggers into the root of \system32. Unfortunately, some 'legitimate' Services (eg Intel Graphics 'helper' Services) can also be found in \system32. You should thus Google ANY new Service or Run 'target' you find in the System32 folder
I've 'fixed' the Service / Run for a commercial 'auto-update' but it keeps coming back ?
Some applications 'self heal' (a technique adopted with enthusiasm by virus writers) in that they 'monitor' the Registry and re-insert the 'Run' or 'Service' command as soon as they discover it's missing ('due to accidental deletion').
Often two (or more) components will monitor each other .. so whilst you can (usually) find and kill them in 'Safe Mode', you only have to overlook one for the whole lot to return.
Of course, if you actually use the application, it will immediately set the Registry to 'auto-start' its 'updater' service again.
There is no easy way to prevent this, although it is usually possible to delete the 'target' file if you are willing to put up with its errors and complaints (eg. "Service: Skype Updater (SkypeUpdate) - Unknown owner - C:\Program Files\Skype\Updater\Updater.exe (file missing)") - which only works so long as the running application doesn't have another copy of the file 'hidden away' (i.e. like Windows itself does in the \DLLCACHE folder). In other cases you can replace the 'target' file with an empty file of the same name set to 'Read Only' (& set all users (including System) to access = 'denied'). The final technique is to change the 'security' settings of the 'target' file to 'Run = disabled'.
Should I allow Windows Update (MS Auto-Updates) ?
Yes. Although Auto-Updates use a number of Services that are extremely dangerous** and not used for anything else (so there was a time when the criminal hacker was so far ahead of MS bug fixes that I would have recommended NOT using Updates), after 3 major XP Service Packs and over 10 years of 'patches' many criminals have 'moved on' to easier targets (such as Vista and Windows 7 & 8) and MS is finally 'winning' the 'war' against the XP hacker. So these days I advise you to always allow Auto-Updates to 'run'.
** All Services that allow access to the network are dangerous, and those that are capable of automatically fetching and running code and making changes to the Operating System 'behind your back' especially so. What makes the 'auto-update' Services even more dangerous than most is that the criminal KNOWS the vast majority of home computers will always be 'running' them on 'Automatic' - so ANY successful 'hacking' of these Services will always pay dividends.
Those in a 'high risk' environment (i.e. those with kids) might want to set the Update Services to 'manual', then manually run Updates at least once a week - (say Friday night, before your kids invite their 'wannabee hacker' friends in at the week-end) - and then always reboot so everything that was 'started' is 'reset' (stopped) back to manual.
For more on securing your PC, read the rest of this topic, especially locking down your User Accounts and Securing your Network
What is 'svchost' ?
Svchost is a 'harness', provided by Microsoft ('the hackers friend') that is used to run other software components (DLL's) 'as a service'.
MS programmers too lazy to write a 'proper' service use this 'harness' themselves, so MS Task Manager will typically show half a dozen instances of the 'svchost' process running. Needless to say, worms, back-doors, root kits and virus writers were all too quick to take advantage of svchost, especially as Microsoft provides no easy way for the poor user to discover what 'component' svchost is actually running. At least one common virus actually 'impersonates' svchost itself, thus making it doubly difficult to 'spot' the intruder !
How do I find out what's hiding behind 'svchost' ?
A1. In XP Pro, Start / Run / CMD to open a 'command window' (aka 'DOS Box') and type 'tasklist /svc' (to stop XP Home users getting too clever, this command is 'not available' in Windows XP Home). Make a note of the 'PID' & you can 'match up' the svchost with the same PID in Task Manager (in Task Manager, Processes, select View, Select Columns, & 'tick' PID)
When you run 'tasklist /svc' you will discover many of the Services listed on my Next>> page never actually appear with their 'own' name (indeed, it is often hard to work out what Service is behind many of the 'Image Names' listed in the Task Manager, Processes tab). To find out what DLL's are being used by each 'Process', type tasklist /m (the list will be so long you might want to use 'tasklist /m > dlllist.tmp' :-) )
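The two commands above tell you which Services live inside which svchost PID, and 'netstat -ano' (also present in XP) tells you which PID holds each listening port, so the two can be joined to answer the earlier question of what is 'listening' on your ports. The following is an added example (my own Python, not code from this page's author or from Microsoft) that does that join and also looks the port number up in the drivers\etc\services file mentioned earlier. All three inputs are constructed samples embedded in the script, not output captured from a real machine.

```python
"""Attribute listening ports to processes and the Services they host.

Added example (not from the page's author): joins 'netstat -ano' (listening
sockets with the owning PID), 'tasklist /svc' (Services hosted per PID) and
the drivers\\etc\\services file (port numbers to names). All three inputs
below are CONSTRUCTED samples, not output captured from a real machine.
"""
import re

# Constructed sample of 'tasklist /svc' output. Long service lists wrap onto
# indented continuation lines, as the real command prints them.
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    924 RpcSs
svchost.exe                   1008 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                   EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Netman, SharedAccess,
                                   wuauserv
svchost.exe                   1156 SSDPSRV, upnphost
lsass.exe                      688 PolicyAgent, ProtectedStorage, SamSs
"""

# Constructed sample of 'netstat -ano' output (one outbound connection included
# to show that only listeners are reported).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:5000      0.0.0.0:0              LISTENING       1156
  TCP    192.168.1.10:1033      203.0.113.5:80         ESTABLISHED     1008
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:1900      *:*                                    1156
"""

# Constructed excerpt in the layout of c:\windows\system32\drivers\etc\services.
SERVICES_FILE = """\
# <service name>  <port number>/<protocol>  [aliases...]   [#<comment>]
epmap              135/tcp    loc-srv                #DCE endpoint resolution
microsoft-ds       445/tcp
microsoft-ds       445/udp
ssdp              1900/udp
"""


def parse_tasklist_svc(text):
    """Map PID -> (image name, [hosted services]) from 'tasklist /svc' output."""
    procs, last_pid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line)
        if m:                                   # a new process row
            last_pid = int(m.group(2))
            procs[last_pid] = (m.group(1), [])
            svcs = m.group(3)
        elif last_pid is not None:              # wrapped service list
            svcs = line.strip()
        else:
            continue
        procs[last_pid][1].extend(
            s.strip() for s in svcs.split(",") if s.strip() and s.strip() != "N/A")
    return procs


def parse_services_file(text):
    """Map (PROTO, port) -> well-known name from a drivers\\etc\\services file."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)/(tcp|udp)", line.split("#", 1)[0].strip(), re.I)
        if m:
            names[(m.group(3).upper(), int(m.group(2)))] = m.group(1)
    return names


def parse_netstat_listeners(text):
    """Yield (PROTO, port, pid) for listening sockets in 'netstat -ano' output:
    TCP rows in LISTENING state and every UDP row (UDP rows carry no state)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue
        yield parts[0], int(parts[1].rsplit(":", 1)[1]), int(parts[-1])


def attribute_listeners(netstat_text, tasklist_text, services_text):
    """One row per listening socket: port, well-known name, PID, image and the
    Services hosted by that PID (empty for a plain executable such as System)."""
    procs, names, rows = parse_tasklist_svc(tasklist_text), parse_services_file(services_text), []
    for proto, port, pid in parse_netstat_listeners(netstat_text):
        image, svcs = procs.get(pid, ("<unknown>", []))
        rows.append({"proto": proto, "port": port, "name": names.get((proto, port), "?"),
                     "pid": pid, "image": image, "services": list(svcs)})
    return sorted(rows, key=lambda r: (r["proto"], r["port"]))


def format_report(rows):
    out = ["PROTO PORT  NAME          PID  IMAGE         HOSTED SERVICES"]
    for r in rows:
        out.append(f"{r['proto']:<5} {r['port']:<5} {r['name']:<13} {r['pid']:<4} "
                   f"{r['image']:<13} {', '.join(r['services']) or '-'}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(attribute_listeners(NETSTAT_ANO, TASKLIST_SVC, SERVICES_FILE)))
```

A PID with no hosted services (PID 4, 'System', in the sample) means the kernel or the executable itself owns the socket, not a Service; a svchost hosting a dozen Services can only be narrowed down to that group, which is exactly the limit of what 'tasklist /svc' can tell you. A port that has no entry in the services file is reported as '?' rather than guessed.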
A2. In Windows 2000, the command is 'TLIST -s' instead (assuming you installed DOS support - if not go to MS web site & find TLIST)
What are 'hidden' Services ?
Task Manager will only show services that are not 'hidden' .. yep, that's right, Microsoft (the hackers friend) provides a way for back-doors, key-loggers and root-kits to hide themselves from the Task Manager ....
You will, no doubt, be quite puzzled to see what services Microsoft thinks need to be 'hidden' from the user - for example, why 'hide' the mouse (Intellimouse) service ? When you 'compare' the list from 'Tasklist /SVC' against what's shown in the Task Manager (Applications + Processes), you will typically discover another half-dozen or so additional 'tasks'.
Is there a better Task manager ?
Yes = DTaskManager (found 2/3rds down the web page). This is the Task Manager that MS should have provided. Its main advantage is that it shows the date/time when a service started. If you set many services to 'manual', this helps you work out what 'triggered' them.
DTaskManager won't show hidden services, but it does allow you to 'suspend' normal services and to 'stop' (abort) 'system level' Services that MS Task Manager refuses to touch ...
What Service(s) are used by Windows Update ?
Windows Update requires Automatic Updates, Background Intelligent Transfer Service (BITS)* [which needs RPC], COM+ Event System** [which also needs (RPC)], Cryptographic Services [also needs RPC], Remote Procedure Call (RPC) itself and the Event Log all to be running. It also needs some of the more dangerous components of MSIE, such as the Active-X script processor (of which see more later).
Occasionally, MS Updates will update a 'help' file - this is done by running one of the help system DLL's. This means you can 'disable' the Help service and Updates will still run, but if you actually remove the Help DLL's, Updates will (eventually) 'collapse', typically with an 'Installing updates ..' message at power-off that never completes (see later).
* BITS is only needed so that a download that is 'interrupted' by a power-cycle/reboot can 'resume' where it left off. These days, with 'always on' PC's and Internet, that's a very rare event.
** If COM+ Event System is disabled, Automatic Updates will actually run OK, however you will see 'errors' in the Event Viewer (Settings / Control Panel / Administrative Tools / Event Viewer).
As of Q1 2014, MS is still issuing Critical Security Updates for XP ... yep, 12 years on and they are still finding 'holes', so any computer that can 'browse' the web needs to have Updates running.
MS Updates requires components of MS Internet Explorer (MSIE) which it uses to automatically download and install system patches from the MS web site. This means hackers are constantly on the look-out for (and finding) 'holes' in MSIE that let them automatically download and install system level viruses, back-doors, root kits and key-loggers etc. from their own web sites (when you made the mistake of visiting them and clicking on almost anything). Many of these 'holes' have allowed criminals to take over your PC in the past - one 'hole' even allowed criminals to auto-download and run code when you simply stumbled across their web pages (such sites - 'Attack Sites' as Google calls them - still exist today, waiting to catch the morons who turn off their Firewalls and use MSIE).
If you prevent MSIE being installed** in the first place, you won't be able to run Updates, whilst if you "choose" Firefox (or some other browser) AFTER installing XP, Updates will run just fine - in other words, 'choosing' Firefox does NOT remove MSIE, all it does is hide it !
**Early 'MSIE prevention' tools would also kill "Add/Remove Programs" (which MS had thoughtfully made dependent on parts of MSIE) - this is no longer the case with current versions of nLite, XPLite etc.
Stop Press - XP 'support' will end in mid 2014 ! After that date you can finally KILL MSIE and remove all those uber-dangerous 'auto-update' Services
Those that believe the Microsoft hype can switch to Windows 7/8/10 (and experience another 10 years of Microsoft 'auto-updates' trying to 'plug' the virus / hacker holes before your computer is taken over ....)
What is DCOM (as opposed to the vital 'DCOM Server Process Launcher' (svchost.exe) Service) ?
DCOM allows a computer to be remotely controlled over the 'corporate network' or, for the home user, the Internet (via Port TCP 135). Whilst DCOM was 'killed off' by Microsoft itself in Windows XP sp2, it is such a hacker 'target' that you might want to double check your system has not already been infected and DCOM restarted
MS warns that "If DCOM is Disabled, COM objects cannot be started remotely, the local COM+ snap-in will not be able to connect to remote servers, Certificate auto-enrollment will not function correctly and Windows Management Instrumentation (WMI) will not connect to remote servers".
What this MEANS is that in the Corporate Domain the Company IT Network Administrators will get 'very upset' when the applications they use to remotely control your computer are unable to 'connect' to it and take it over.
What this means for the home user is that killing off DCOM will block a whole load of 'hacker holes', but if you don't kill all the other rubbish as well, your 'Event Log' will fill up with 'complaints'.
To stop DCOM, follow the Microsoft instructions (or just find HKEY_LOCAL_MACHINE\Software\Microsoft\OLE and set the 'EnableDCOM' string value to 'N') - and don't forget to DISABLE the 'Remote Registry' Service, otherwise Mr. Hacker will simply set the 'N' back to 'Y'.
Ideally you want to track down the actual DCOM software DLL's & delete them. Unfortunately, XP will spot this 'accidental' removal and restore them from the System Restore DLL Cache ! If you are building your own 'custom install' CD (eg using nLite / XPLite), make sure DCOM is removed from the list of components included on the disc. To double check for DCOM, use Gibson Research DCOM killer.
The 'DCOM Server Process Launcher' (file name rpcss.dll) is launched by svchost (C:\Windows\system32\svchost.exe -k DcomLaunch). Unfortunately, the DCOMLAUNCH service launches both COM and DCOM - so if rpcss.dll is removed, programs using COM will also fail.
Tracking down the actual DLL's is an exercise in futility - MS has 'interlinked' so many of their services that removing any one component risks affecting other, totally unrelated services. For this reason I recommend you use 'nLite' to remove the unwanted components (rather than try to do it manually).
What's to stop a 'hacker' changing a Service from 'Disabled' to 'Automatic' ?
Unfortunately, not a lot. All you can really do is make it as difficult as possible.
a1) First, if you can track down the actual software modules you can delete them (and the copies in the System Restore DLL Cache) from your hard disk, although it's better not to install them at all in the first place (which means making your own 'custom' Windows XP install disc using XPLite or similar)
The danger here is that when one of the deleted Services needs to be replaced ('patched') by MS Automatic Updates, it will automatically install the 'patched' version and set it to the default start-up settings. One way to 'prevent' this is to replace the deleted Service file by an 'empty' file with the same name and set it to 'Read Only' and remove ALL access rights (including 'System' access rights and 'RUN' Security right). This will result in an Update 'fail' but will at least stop MS reinstalling the Service.
a2) Next, to change the Service start-up settings (or re-install the modules) you have to be an Administrator - so if you set the local Administrators Group to DENY 'Remote Logon' rights this will at least stop someone 'logging on' remotely using any account in your Admin Group (see my other pages on this topic).
Needless to say, you can still obtain Administrator level rights without being in the Administrators Group, but it's a start.
How do Root Kits and Key Loggers 'phone home' ?
By 'hooking' your Internet connection, of course. To find out what's hooked to your internet, use a Winsock monitor such as LSP-fix. If you 'spot' anything you don't like the look of, Google it before trying to remove it (it might turn out to be part of Windows XP !)
When run on my computer I find 3 items :-
mswsock.dll = Tcpip
winrnr.dll = NTDS {LDAP RnR provider}
rsvpsp.dll = (Protocol handler)
WARNING - if you find "nihlsp.dll" this is the 'net nanny' NetIntelligence 'hook' designed for parents (and Schools) to stop kids accessing 'improper' / 'undesirable' web sites. If you 'delete' nihlsp.dll ALL ACCESS TO THE INTERNET is blocked .. (see removing NetIntelligence first)
How do I avoid unwanted Services being installed in the first place ?
Check out the nLite site (free) and the XPLite site (not free) or, for a more DIY approach, check out Fred Vorck's pages (which are mainly focused on eliminating MSIE from 2000 / XP but can also eliminate other files at install time).
Check out also Barts PE (freeware) for how to build your own 'custom' Live CD / Windows XP 'install' package.
How do I Disable unwanted Services ?
First, make a System Restore Point !
(and make sure you are familiar with 'F8', 'Last known good' :-) )
A1. To disable a Service, log in as an Administrator, go to Start/Control Panel/Administrative Tools/ and launch Services. Find the Services named below, right click, Properties and set 'Start Up type' = Disabled or Manual etc. (as below). Next time you boot, the Service 'start up' mode will be changed.
It's a good idea to disable Services in 'sets' of 4 or 5 at a time (& then reboot and make sure things are still working). This way if (when) your system stops booting you will be able to identify the problem a lot faster.
If you get into a total mess, you can run Black Vipers 'safe' Service .reg settings to 'reset' your Windows XP Pro sp3 to a 'known working' config.
A2. Services can be found in the Registry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services. The 'Start' value controls how a Service starts up: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled.
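The Start values above, the dependency chains described under 'What Service(s) are used by Windows Update ?' (BITS, COM+ Event System and Cryptographic Services all needing RPC) and the two earlier worries about a Service being switched back from 'Disabled' to 'Automatic' or 'self healing' after an install can all be checked from a Regedit 'Export' of the Services key, which is the same .reg format Black Viper's settings use. The following is an added example (my own Python, not code from this page's author, Black Viper or Microsoft) that parses such an export, decodes the 'Start' DWORD plus the hex(2) REG_EXPAND_SZ and hex(7) REG_MULTI_SZ encodings, works out which Services stop if one is disabled, and diffs a 'before' and an 'after' export. Both exports are constructed samples, not captures from a real machine; the Services, paths and dependencies in them are illustrative only (the SkypeUpdate name and path are those quoted earlier on the page).

```python
"""Decode a .reg export of the Services key, trace dependencies, diff exports.

Added example (not from the page's author or Microsoft). Both exports below are
CONSTRUCTED samples in Regedit's export format, not real machine captures; the
names, paths and dependencies in them are illustrative only.
"""
import re

START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed "before" export. RpcSs carries a hex(2) (REG_EXPAND_SZ) ImagePath
# split over continuation lines; DependOnService is hex(7) (REG_MULTI_SZ).
REG_BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Start"=dword:00000002
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,\
  76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,\
  20,00,72,00,70,00,63,00,73,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Start"=dword:00000003
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000003
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k LocalService"
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"""

# Constructed "after" export of the same machine once a hypothetical installer
# has run: RemoteRegistry is back to Automatic and a vendor updater is new.
REG_AFTER = REG_BEFORE.replace("dword:00000004", "dword:00000002") + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SkypeUpdate]
"Start"=dword:00000002
"ImagePath"="\"C:\\Program Files\\Skype\\Updater\\Updater.exe\""
"""


def parse_reg(text):
    """Parse .reg text into {key path: {value name: (type, value)}}. Handles
    quoted strings (with \\\\ and \\" escapes), dword:, and hex(2)/hex(7)
    UTF-16LE data continued on lines that end in a backslash."""
    keys, cur, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line, i = lines[i].strip(), i + 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("["):
            cur = line.strip("[]")
            keys[cur] = {}
            continue
        while line.endswith("\\"):                 # join continuation lines
            line, i = line[:-1] + lines[i].strip(), i + 1
        name, _, raw = line.partition("=")
        if raw.startswith('"'):
            val = ("REG_SZ", re.sub(r'\\(["\\])', r"\1", raw[1:-1]))
        elif raw.startswith("dword:"):
            val = ("REG_DWORD", int(raw[6:], 16))
        elif raw.startswith(("hex(2):", "hex(7):")):
            text16 = bytes.fromhex(raw[7:].replace(",", "")).decode("utf-16-le")
            val = (("REG_EXPAND_SZ", text16.rstrip("\x00")) if raw[4] == "2"
                   else ("REG_MULTI_SZ", [p for p in text16.split("\x00") if p]))
        else:
            val = ("RAW", raw)
        if cur is not None:
            keys[cur][name.strip('"')] = val
    return keys


def services(reg):
    """{service: {start, image, depends}} for subkeys of the Services key."""
    out = {}
    for path, vals in reg.items():
        head, _, name = path.rpartition("\\")
        if head.lower() == SERVICES_KEY.lower() and "Start" in vals:
            out[name] = {"start": START_TYPES.get(vals["Start"][1], "?"),
                         "image": vals.get("ImagePath", ("", ""))[1],
                         "depends": vals.get("DependOnService", ("", []))[1]}
    return out


def dependents(svcs, name):
    """Every service that stops working if `name` is disabled, following
    DependOnService chains transitively (names compared case-insensitively)."""
    found, todo = set(), [name.lower()]
    while todo:
        target = todo.pop()
        for svc, info in svcs.items():
            if svc not in found and target in (d.lower() for d in info["depends"]):
                found.add(svc)
                todo.append(svc.lower())
    return sorted(found)


def start_changes(before, after):
    """(name, old start, new start, image) for services whose start type
    differs between two exports or that exist only in the second one."""
    changes = []
    for name, info in after.items():
        old = before.get(name, {"start": "<absent>"})
        if old["start"] != info["start"]:
            changes.append((name, old["start"], info["start"], info["image"]))
    return sorted(changes)


if __name__ == "__main__":
    before, after = services(parse_reg(REG_BEFORE)), services(parse_reg(REG_AFTER))
    print("Disabling RpcSs would also stop:", dependents(before, "RpcSs"))
    for change in start_changes(before, after):
        print("CHANGED:", change)
```

Export the key before and after an install (or once a week, if you suspect an updater is 'self healing'), run start_changes over the two files, and anything that went from Disabled back to Automatic or appeared from nowhere is the entry to investigate; dependents tells you, before you disable a Service in one of the 'sets of 4 or 5' recommended above, what else will stop with it.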
For more information on XP Pro services, check out Black Viper's list.
For more information on a NON-MICROSOFT service you may have running on your computer, check here.
How do I 'delete' a Service ?
Using the 'SC' ('service control') command simply removes the service from those listed in the 'Services' GUI. You have to track down the components (.dll's .exe's etc) and manually remove them - needless to say, many components have multiple uses and inter-dependencies, so by far the best approach is to simply 'not install' them in the first place (using nLite etc).
What about removing Windows Components ?
Whilst you might think that using 'Add / Remove Software' to remove Microsoft components would actually delete the .exe files and remove the DLL's etc. you are in for a shock !
You couldn't be more wrong - when you 'remove' Microsoft applications, such as Outlook Express etc., all that ACTUALLY happens is that its entry in 'Add / Remove programs' is removed ! Yep, that's right = all the dangerous code remains on your hard disk, along with all the registered DLL's etc., just waiting for some hacker to use it, or 'just in case' you decide you want to reinstall it ! So the actual code just sits there, all those perfectly well known .exe's in perfectly well known locations, with perfectly well known registered DLL's, all just waiting for some hacker or virus to make use of it ...
.. and did you ever wonder how a virus is able to 'mail' itself to all the 'contacts' in some ancient Outlook Address Book (or to everyone you ever sent or received an email to / from), despite the fact that you removed Outlook years ago ??? You guessed it - in addition to leaving all that dangerous code for the script kiddies to use, Microsoft also saves all the 'user data' files as well !! This means, if you EVER made the mistake of using Outlook, your Address Book and email 'archive' (including all those in the 'sent' and 'deleted' folders) will stay on your hard drive 'for ever'.
So there you have it = Microsoft's final 'golden gift' to hackers and virus writers - pretending to 'delete' Microsoft applications whilst actually saving just about everything the dumbest hacker needs to steal your ID, spam your friends and otherwise make your life hell years after you thought you had safely deleted it all.
The ONLY way to avoid being 'infected' with unwanted Microsoft applications is to 'never install them' in the first place - so go check out nLite and XPLite now
With the end of Support, you can finally be sure that 'Microsoft Updates' won't install any unwanted Microsoft application ... ... so things like Outlook can no longer provide a path for viruses to spread, Messenger / Net Meeting can no longer be used to infect your system and Remote Desktop / MS Terminal Services / Telnet can no longer be used to take over your system