Professional Documents
Culture Documents
Version 1.04
23 February 2017
Contents
Startup Type
Double-clicking a service allows you to change the Startup Type (e.g.
Automatic, Manual or Disabled) and the Service Status (e.g. Start,
Stop, Pause or Resume).
1. Automatic - Starts automatically during the boot process.
2. Automatic ﴾Delayed Start﴿ - Starts automatically after the boot
process (2 minutes after the last Automatic service starts).
3. Manual - Starts on demand when explicitly requested by a user or
an application. Used when you want to start a service yourself.
4. Manual ﴾Trigger Start﴿ - Starts when a specific event occurs (e.g.
when a USB device is plugged in). Without this setting, a service
would have to be set instead to Automatic resulting in a service
running continually to allow it to periodically “wake up” and scan
the hardware for changes.
5. Disabled - Can’t be started by a user or program.
1
Disabling the wrong Windows’ service can potentially cripple your PC. Many of the services you’ll see listed in the Windows
Service Panel are core features required for your PC to operate properly. Unless you are confident that you know the purpose
of a service, DO NOT change its Startup Type.
Having said that, the List of Disabled Services in this guide have been safely disabled on my PC with no problems noted. My
computer is a 64-bit standalone laptop with the Windows 10 Home Anniversary Update (version 1607) installed. I have no
network connections other than a wireless connection to the Internet and file and printer sharing are turned off.
I follow a few basic rules anytime I disable a Windows service. Here they are:
6. Create a restore point before changing any service.
7. Use only the Services Manager (services.msc) to change a service. This reason for this is explained below.
8. Document every change made to include the date and a detailed description of why the change was made. If problems
arise, this detailed list of changes may help you quickly solve the problem.
9. Change only 1 or 2 services at a time and then test the change. I put my PC through its paces for at least a week
before making additional service changes.
Warning
Although services can be changed using MSConfig (msconfig.exe), do NOT use it to change service settings.
Instead, use only the Services Manager (services.msc). The reason for this is threefold:
10. MSConfig - Unchecking the box beside a service disables that service. There is no option to set a
service to Manual.
11. MSConfig - Allows you to disable services that may be vital to boot your PC while Services Manager
prevents this.
12. MSConfig - Provides a button titled “DISABLE ALL”. Selecting this button will definitely cripple you PC.
I’m not sure why this option is available since no reason exists to justify disabling EVERYTHING.
Caution
Changing the default Service settings may prevent key Services from running correctly. It is especially
important to use caution when changing Startup Types set to Automatic.
Information
2
Stop a Service
13. Double-click the service to stop.
14. Click the Stop button.
15. Wait until the service status shows Stopped then click OK.
Start/Enable a Service
16. Double-click the service to start.
17. If the service is set to Disabled, it must first be changed to Manual, Automatic or Automatic ﴾Delayed Start﴿. Click Apply.
Disable a Service
20. Double-click a service to disable.
21. If the service is Running, then click the Stop button.
22. Wait until the service status shows Stopped then change the Startup type to Disabled.
23. Click OK.
I’ve tried to provide detailed information for all the services that I’ve disabled. I find that the service descriptions provided by
Microsoft are generally vague and difficult to “decode” so I rewrote them to make them clearer. I’ve also included links to articles
and tutorials that may provide additional information to help you decide whether or not a particular service is needed.
For a quick list of the services I’ve disabled, without all the details, see Appendix B: Disabled Services (1-page list).
Warning
It is important to create a restore point before making any changes to Windows services.
Click HERE for a great article from PC Magazine on how to create a restore point and also use that restore point
to perform a system restore if needed.
3
AllJoyn Router Service
Description - This service (AJRouter) is used by the Internet of Things (IoT) to discover and communicate (customize and
control) with “smart” devices using IPv6. Security and privacy risks exist with IoT (see “Additional Information” below).
Reason for Disabling on a Standalone PC
PRIVACY RISK (IoT)
Direct communication with IoT devices not used.
Default Service Settings - The AllJoyn Router Service runs in a shared process (svchost.exe).
Display Name: AllJoyn Router Service
Service Name: AJRouter
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
File: C:\Windows\system32\AJRouter.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AJRouter
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
IoT Applications with Examples (InternetOfThingsWiki.com/)
AllJoyn Consumer Applications (AllSeenAlliance.org)
5 Reasons to Avoid Smart Assistants If You Value Your Privacy (MakeUseOf.com)
The Internet of Things Industry Failed Us (PCMag.com)
Friday's IoT-based DDoS Attack has Security Experts Worried (ComputerWorld.com)
Are My Smarthome Devices Secure? (HowToGeek.com)
GUIDE: How to disable IPv6 or its components in Windows (Microsoft.com)
NOTES
4
Application Layer Gateway Service
Description - This service (ALG) provides support to non-Microsoft (third-party) protocol plug-ins by allowing their proprietary
network protocols to pass through Windows Firewall and work behind Internet Connection Sharing (ICS). These plug-ins are
capable of opening ports and changing data (e.g. IP addresses) embedded in packets. This service is also referred to as
Application Level Gateway
Reason for Disabling on a Standalone PC - PC’s internet connection (ICS) not shared with other computers or devices.
Default Service Settings - The Application Layer Gateway Service runs in its own process (alg.exe).
Display Name: Application Layer Gateway Service
Service Name: ALG
Startup Type: Manual
Path: C:\WINDOWS\system32\alg.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
Application Layer Gateway (Wikipedia.org)
GUIDE: How to Allow Apps to Communicate Through the Windows Firewall (HowToGeek.com)
GUIDE: How to Block an Application from Accessing the Internet with Windows Firewall (HowToGeek.com)
NOTES
5
Certificate Propagation
Description - This service (CertPropSvc) detects when a smart card is inserted into a smart card reader, installs the smart card
Plug and Play driver if needed, and copies the user certificate and root certificate from the smart card onto the PC in the user’s
certificate store.
Reason for Disabling on a Standalone PC - Smart card not used.
Default Service Settings - The Certificate Propagation service runs in a shared process (svchost.exe).
Display Name: Certificate Propagation
Service Name: CertPropSvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\certprop.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertPropSvc
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Smart Card (Wikipedia.org)
Security with Smart Cards (TechNet.Microsoft.com)
NOTES
6
Computer Browser (Browser)
Description - This service (Browser) tracks and maintains a list of the computers and files on a network. This service is only
useful for a LAN setup where the computers share files with each other.
Reason for Disabling on a Standalone PC
No network connections.
File and printer sharing turned off.
Default Service Settings - The Computer Browser service runs in a shared process (svchost.exe).
Display Name: Computer Browser
Service Name: Browser
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\browser.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser
Dependencies: This service depends on the following system components:
Server (LanmanServer)
Workstation (LanmanWorkstation)
The following system components depend on this service:
None
Additional Information
Computer Browser Service (Wikipedia.org)
GUIDE: Guide to Network and Sharing Center (Online-Tech-Tips.com)
GUIDE: How to Turn On or Off File and Printer Sharing (TenForums.com)
GUIDE: How to Turn On or Off Public Folder Sharing (TenForums.com)
GUIDE: How to Turn On or Off Network Discovery (TenForums.com)
NOTES
7
Connected Device Platform Service
Description – Microsoft’s description for this service (CDPSvc) says "This service is used for Connected Devices and Universal
Glass scenarios". I’ve spent a bit of time researching this service and can’t really determine exactly what it is. The default
setting for this service is Disabled. I have left it disabled with no problems noted.
Reason for Disabling on a Standalone PC - Default setting for Startup Type = Disabled.
Default Service Settings - The Connected Devices Platform Service runs in a shared process (svchost.exe).
Display Name: Connected Devices Platform Service
Service Name: CDPSvc
Startup Type: Disabled
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
File: C:\WINDOWS\system32\CDPSvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPSvc
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
NOTES
8
Connected User Experiences and Telemetry
Description - This service (DiagTrack) collects and transmits diagnostic and usage information to Microsoft. In earlier versions
of Windows 10 this service was called "Diagnostics Tracking Service." Microsoft’s tracking and data collection is a privacy risk
(see “Additional Information” below).
Reason for Disabling on a Standalone PC - PRIVACY RISK (telemetry and data collection). In addition to disabling this
service, I recommend using the portable freeware program Spybot Anti-Beacon to remove all known tracking features in
Windows.
Default Service Settings - The Connected User Experiences and Telemetry service runs in its own process (svchost.exe).
Display Name: Connected User Experiences and Telemetry
Service Name: DiagTrack
Startup Type: Automatic
Path: C:\WINDOWS\system32\svchost.exe -k utcsvc
File: C:\WINDOWS\system32\diagtrack.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Even When Told Not To, Windows 10 Just Can’t Stop Talking to Microsoft (arstechnica.com)
Microsoft Doesn't See Windows 10's Mandatory Data Collection as a Privacy Risk (PCWorld.com)
Microsoft Walks a Thin Line Between Windows 10 Telemetry and Snooping (InfoWorld.com)
Windows 10 Telemetry Secrets: Where, When, and Why Microsoft Collects Your Data (ZDNet.com)
GUIDE: Manage Windows 10 Telemetry and Data Collection Settings (TheWindowsClub.com)
Guide: How to Enable or Disable Cortana (TenForums.com)
NOTES
9
Credential Manager
Description - This service (VaultSvc) is the "digital locker" where Windows stores log-in credentials (username, password, etc.)
for computers on your network and for Internet websites. This service is used whenever you see a prompt asking if you want
Windows or Internet Explorer to remember your password.
Reason for Disabling on a Standalone PC - Log-in usernames and passwords not stored on PC.
Default Service Settings - The Credential Manager service runs in a shared process (lsass.exe).
Display Name: Credential Manager
Service Name: VaultSvc
Startup Type: Manual
Path: C:\WINDOWS\system32\lsass.exe
File: C:\WINDOWS\system32\vaultsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VaultSvc
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
Windows Biometric Service (WbioSrvc)
Additional Information
GUIDE: How to Add Credentials to the Windows Credential Manager Vault (HowToGeek.com)
GUIDE: Add, Remove, Edit, Backup and Restore Stored User Names and Passwords (TheWindowsClub.com)
NOTES
10
DataCollectionPublishingService
Description - This service (DcpSvc) allows Microsoft apps to upload data to the cloud. Cloud computing presents several
security and privacy risks (see “Additional Information” below).
Reason for Disabling on a Standalone PC
SECURITY & PRIVACY RISK (cloud)
The uploading of data from Microsoft apps to the cloud is not not used.
Additional Information
Cloud Computing Issues (Wikipedia.org)
Top 10 Security Concerns for Cloud-Based Services (Incapsula.com)
The Dirty Dozen: 12 Cloud Security Threats (InfoWorld.com)
Top Ten Major Risks Associated with Cloud Storage (Cloudwards.net)
GUIDE: How to Disable OneDrive and Remove It From File Explorer (HowToGeek.com)
NOTES
11
Delivery Optimization
Description - This service (DoSvc) allows Microsoft to distribute their Windows updates to/from your PC to other computers on
the internet and on your local network. In other words, Microsoft is using your bandwidth to distribute their updates to other
users. You’re not asked if you’d like to participate in this distribution. Instead, MS turns this feature on by default. I can think of
no good reason to leave this service set to anything but “Disabled.”
Reason for Disabling on a Standalone PC
SECURITY & PRIVACY RISK (connecting to unknown computers)
PC is not a Microsoft server. Most users (to include me) have limited bandwidth plans with data caps. I don’t intend to
exceed these caps, and increase my costs, to distribute Microsoft software to other users.
Default Service Settings - The Delivery Optimization service runs in a shared process (svchost.exe).
Display Name: Delivery Optimization
Service Name: DoSvc
Startup Type: Automatic
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\doscv.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Windows Update Delivery Optimization: FAQ (Microsoft.com)
GUIDE: How to Stop Windows 10 From Uploading Updates to Other PCs Over the Internet (HowToGeek.com)
GUIDE: How to Delete Delivery Optimization Files and Reclaim Lost Disk Space (TheWindowsClub.com)
GUIDE: How to Enable or Disable Automatic Windows Updates (TenForums.com)
GUIDE: Prevent Automatic Windows Update Downloads with a Metered Connection (HowToGeek.com)
GUIDE: How to Monitor Your Internet Bandwidth Usage and Avoid Exceeding Data Caps (HowToGeek.com)
NOTES
12
dmwappushsvc
Description - This service, WAP Push Message Routing Service, is used for receiving mobile text messages that redirect to
web pages. The message arrives as an alert that, when clicked, opens a web page in a mobile browser. For example, a
restaurant may send you a digital coupon when you are near their location. This location tracking service is a privacy risk.
Reason for Disabling on a Standalone PC
PRIVACY RISK (telemetry and data collection)
Push Messages not used.
Default Service Settings - The Dmwappushsvc service runs in a shared process of (svchost.exe).
Display Name: Dmwappushsvc
Service Name: Dmwappushservice
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\dmwappushsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmwappushservice
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Wireless Application Protocol (Wikipedia.org)
NOTES
13
Downloaded Maps Manager
Description - This service (MapsBroker) provides offline access to downloaded maps via the Windows Map app.
Reason for Disabling on a Standalone PC - Windows Map app not used.
Default Service Settings - The Downloaded Maps Manager service runs in its own process of (svchost.exe).
Display Name: Downloaded Maps Manager
Service Name: MapsBroker
Startup Type: Automatic
Path: C:\WINDOWS\system32\svchost.exe -k NetworkService
File: C:\WINDOWS\system32\moshost.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
14
Enterprise App Management Service
Description - This service (EntAppSvc) is used to manage enterprise applications within a corporate computer-based
information system.
Reason for Disabling on a Standalone PC - Enterprise applications not used.
Default Service Settings - The Enterprise App Management Service runs in a shared process (svchost.exe).
Display Name: Enterprise App Management Service
Service Name: EntAppSvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k appmodel
File: C:\WINDOWS\system32\EnterpriseAppMgmtSvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EntAppSvc
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Enterprise Applications (Wikipedia.org)
NOTES
15
Family Safety Filter Driver
Description - This service (wpcfltr) allows parents to manage and restrict a child’s web content. Web filtering is restricted to
Microsoft Edge and Microsoft Internet Explorer browsers.
Reason for Disabling on a Standalone PC - Microsoft family features not used.
Default Service Settings - The Family Safety Filter Driver service is a kernel mode driver.
Display Name: Family Safety Filter Driver
Service Name: Wpcfltr
Startup Type: Manual
Path: C:\WINDOWS\system32\drivers\wpcfltr.sys
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wpcfltr
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
Microsoft Family Features (Wikipedia.org)
GUIDE: How to Manage Family Settings for a Child (TenForums.com)
NOTES
16
Fax
Description - This service (Fax) allows you to send, receive, and archive faxes from applications using either a local or a
shared network fax device. Instead of using services.msc to disable Fax, this service is disabled through the Control Panel (see
below).
Note: Some programs and features included with Windows (e.g. Internet Information Services) must be turned on before you
can use them. Other features (e.g. Windows Media Player, Windows Fax and Scan) are turned on by default, but you can turn
them off if you don’t use them.
Turn off the Fax service
24. WIN + X
25. Select Control Panel from the menu that pops up
26. Select Programs and Features
27. Select Turn Windows features on or off
28. Click the “+” next to Print and Document Services
29. Deselect Windows Fax and Scan
Reason for Disabling on a Standalone PC - Faxing not used.
Default Service Settings - The Fax service runs in its own process (fxssvc.exe).
Display Name: Fax
Service Name: Fax
Startup Type: Manual
Path: C:\WINDOWS\system32\drivers\fxssvc.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax
Dependencies: This service depends on the following system components:
Print Spooler (Spooler)
Remote Procedure Call (RPC) (RpcSs)
Telephony (TapiSrv)
The following system components depend on this service:
None
Additional Information
Windows Fax and Scan (Wikipedia .org)
How to Send and Receive Faxes Online Without a Fax Machine or Phone Line (HowToGeek.com)
NOTES
17
Function Discovery (2 services)
Description
Function Discovery Provider Host - Enables file sharing with other computers within a network.
Function Discovery Resource Publication - Makes a computer and the resources attached to it (e.g. printer)
discoverable and available within a network.
Default Service Settings - Both the Function Discovery Provider Host service and the Function Discovery Resource Publication
service run in a shared process (svchost.exe).
Display Name: Function Discovery Provider Host
Service Name: fdPHost
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
File: C:\WINDOWS\system32\fdPHost.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fdPHost
Dependencies: This service depends on the following system components:
HTTP Service (http)
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
HomeGroup Provider (HomeGroupProvider)
Additional Information
GUIDE: Guide to Network and Sharing Center (Online-Tech-Tips.com)
GUIDE: How to Turn On or Off File and Printer Sharing (TenForums.com)
GUIDE: How to Turn On or Off Public Folder Sharing (TenForums.com)
GUIDE: How to Turn On or Off Network Discovery (TenForums.com)
NOTES
18
Geolocation Service
Description - This service (lfsvc) tracks a PC’s current location and also manages geofences. Geofencing is the creation of
geographic boundary around a specific location. Crossing this boundary triggers an action (e.g. message). Geofencing is used
with mobile devices such as phones or tablets.
Reason for Disabling on a Standalone PC
PRIVACY RISK (location tracking and location sharing)
Geolocation not used.
Default Service Settings - The Geolocation Service runs in a shared process (svchost.exe).
Display Name: Geolocation Service
Service Name: lfsvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\lfsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Geolocation (Wikipedia.org)
Geolocation Privacy and Surveillance Act (Wikipedia.org)
Locational Privacy (eff.org)
NOTES
19
HomeGroup (2 services)
Description
HomeGroup Listener - Monitors your PC’s configuration and applies changes to HomeGroups.
HomeGroup Provider - Detects other HomeGroups.
Default Service Settings - Both the HomeGroup Listener service and the HomeGroup Provider service run in a shared process
(svchost.exe).
Display Name: HomeGroup Listener
Service Name: HomeGroupListener
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted
File: C:\WINDOWS\system32\listsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
HomeGroup from Start to Finish (Microsoft.com)
GUIDE: How to Setup and Manage Windows 10 HomeGroup on a Local Network (WindowsCentral.com)
GUIDE: How to Create a HomeGroup (TenForums.com)
GUIDE: How to Join a HomeGroup (TenForums.com)
GUIDE: How to Leave a HomeGroup (TenForums.com)
NOTES
20
Human Interface Device Service
Description - This service (hidserv) allows you to use special buttons/keys (e.g. volume control, email access, etc.) on
multimedia keyboards, mice, game controllers, remote controls and Human Interface Devices (HID) that connect to your PC via
USB or Bluetooth.
Note: A Logitech 2-button mouse is connected to my PC and works properly without this service.
Reason for Disabling on a Standalone PC - HID devices not connected to PC.
Default Service Settings - The Human Interface Device Service runs in a shared process (svchost.exe).
Display Name: Human Interface Device Service
Service Name: Hidserv
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted
File: C:\WINDOWS\system32\hidserv.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hidserv
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
Introduction to HID Concepts (msdn.Microsoft.com)
Human Interface Device (Wikipedia.org)
NOTES
21
Hyper-V (8 services)
Description - Hyper-V creates Virtual Machines (VM) on x86-64 systems running Windows.
Hyper-V Data Exchange Service - Allows information sharing between the host and VM.
Hyper-V Guest Service Interface - Allows file copying to a running VM without using a network connection.
Hyper-V Guest Shutdown Service - Performs an orderly shutdown of VMs without having to login to a VM.
Hyper-V Heartbeat Service – Identifies VMs that have stopped responding.
Hyper-V Remote Desktop Virtualization Service – Communications between the VM and the OS on a remote computer.
Hyper-V Time Synchronization Service - Synchronizes a VM’s time with the host’s time.
Hyper-V VM Session Service – Manages a VM with PowerShell.
Hyper-V Volume Shadow Copy Requestor – Used to backup and restore VMs.
22
Display Name: Hyper-V Remote Desktop Virtualization Service
Service Name: vmicrdv
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k ICService
File: C:\WINDOWS\system32\icsvcext.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicrdv
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
Hyper-V (Wikipedia.org)
Hyper-V on Windows 10 (Microsoft.com)
23
Intel (2 services)
Description
Intel Management and Security Application Local Management Service - Part of Intel’s Active Management Technology
(AMT) and is aimed enterprise users not home users. AMT uses remote access to computers running this service to
monitor, maintain, update, upgrade, and repair them.
Intel Management and Security Application User Notification Service - Part of Intel’s Active Management Technology
(AMT) and is aimed enterprise users not home users. This services receives messages from AMT and writes them to
Window’s local event log.
Display Name: Intel Management and Security Application User Notification Service
Service Name: UNS
Startup Type: Automatic (Delayed Start)
Path: C:\Program Files (x86)\Intel\Intel Management Engine Components\UNS\UNS.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UNS
Dependencies: This service depends on the following system components:
Intel Management and Security Application User Notification Service (LMS)
The following system components depend on this service:
None
Additional Information
Intel Active Management Technology (Intel.com)
Intel Active Management Technology (Wikipedia.org)
NOTES
24
Internet Connection Sharing (ICS)
Description - This service (ICS) uses a PC with wired access to the internet as a hub or router to provide wireless internet
access to other computers and devices.
Reason for Disabling on a Standalone PC - PC’s internet connection not shared with other computers or devices.
Default Service Settings - The Internet Connection Sharing (ICS) service runs in a shared process (svchost.exe).
Display Name: Internet Connection Sharing (ICS)
Service Name: SharedAccess
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\hidserv.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipnathlp.dll
Dependencies: This service depends on the following system components:
Base Filtering Engine (BFE)
Network Connections (Netman)
Windows Management Instrumentation (Winmgmt)
The following system components depend on this service:
None
Additional Information
Internet Connection Sharing (Wikipedia.org)
GUIDE: How to Share Your Smartphone’s Internet Connection: Hotspots and Tethering Explained (HowToGeek.com)
GUIDE: How to Share a Wired Ethernet Internet Connection with All Your Devices (HowToGeek.com)
GUIDE: How to Turn Your Windows PC into a Wi-Fi Hotspot (HowToGeek.com)
NOTES
25
Internet Explorer ETW Collector Service
Description - This service (IEEtwCollectorService) collects ETW data for Internet Explorer. ETW stands for Event Tracing for
Windows. ETW is a Windows system and software diagnostic feature that captures the sequence and timing of events. These
captured events can be used by software programmers to analyze performance and troubleshoot problems (e.g. data
bottlenecks).
Reason for Disabling on a Standalone PC - Internet Explorer’s ETW feature not used.
Default Service Settings - The Internet Explorer ETW Collector Service runs in its own process (IEEtwCollector.exe).
Display Name: Internet Explorer ETW Collector Service
Service Name: IEEtwCollectorService
Startup Type: Manual
Path: C:\WINDOWS\system32\IEEtwCollector.exe /V
File: C:\WINDOWS\system32\IEEtwCollector.exe
Registry Key: H HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IEEtwCollectorService
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
ETW Introduction and Overview (Microsoft.com)
Event Tracing, MSDN Magazine, Apr 2007 (Microsoft.com)
NOTES
26
IP Helper
Description - This service (iphlpsvc) provides support for an IPv6 connection over an IPv4 network. IPv6 is the newest Internet
Protocal and is intended to replace IPv4. IPv6 is also used to connect to Internet of Things (IoT) devices. Security risks exist
with both IoT and IPv6 (see “Additional Information” below).
Reason for Disabling on a Standalone PC
SECURITY RISK (IPv6 and IoT)
IPv6 connections not used.
Default Service Settings - The IP Helper service runs in a shared process (svchost.exe).
Display Name: IP Helper
Service Name: Iphlpsvc
Startup Type: Automatic
Path: C:\WINDOWS\system32\svchost.exe -k NetSvcs
File: C:\WINDOWS\system32\iphlpsvc.dll.
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc
Dependencies: This service depends on the following system components:
NetIO Legacy TDI Support Driver (tdx)
Network Store Interface Service (nsi)
Remote Procedure Call (RPC) (RpcSs)
TCP/IP Protocol Driver (Tcpip)
WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)
Windows Management Instrumentation (winmgmt)
The following system components depend on this service:
Network Connectivity Assistant (NcaSvc)
Additional Information
IPv6: The Smart Person's Guide (TechRepublic.com)
IPv6: Security Concerns (TechRepublic.com)
IoT Security Issues Unplugged (TechTarget.com)
10 Things to Know about the October 21 IoT DDoS Attacks (WeLiveSecurity.com)
Are My Smarthome Devices Secure? (HowToGeek.com)
NOTES
27
Link-Layer Topology Discovery Mapper
Description - This service (lltdsvc) displays a map of your network. This network map is visible in the Network and Sharing
Center by selecting "See Full Map".
Reason for Disabling on a Standalone PC - Visible network map (in the Network and Sharing Center) not used.
Default Service Settings - The Link-Layer Topology Discovery Mapper runs in a shared process (svchost.exe).
Display Name: Link-Layer Topology Discovery Mapper
Service Name: lltdsvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
File: C:\WINDOWS\system32\lltdsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iphlpsvc
Dependencies: This service depends on the following system components:
Link-Layer Topology Discovery Mapper I/O Driver (lltdio)
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Link Layer Topology Discovery (Wikipedia.org)
NOTES
28
Microsoft Diagnostics Hub Standard Collector Service
Description - This service (diagnosticshub.standardcollector.service) collects ETW (Event Tracing for Windows) data.. ETW is
a system and software diagnostic component in Windows that captures the sequence and timing of events. These captured
events can be used by software programmers to analyze performance and troubleshoot problems (e.g. data bottlenecks).
Reason for Disabling on a Standalone PC - ETW feature not used.
Default Service Settings - The Microsoft Diagnostics Hub Standard Collector Service runs in its own process
(DiagnosticsHub.StandardCollector.Service.exe).
Display Name: Microsoft Diagnostics Hub Standard Collector Service
Service Name: diagnosticshub.standardcollector.service
Startup Type: Manual
Path: C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\diagnosticshub.standardcollector.service
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
ETW Introduction and Overview (Microsoft.com)
Event Tracing, MSDN Magazine, Apr 2007 (Microsoft.com)
NOTES
29
Microsoft iSCSI Initiator Service
Description - This service (MSiSCSI) manages remote iSCSI devices (disks, tapes, CDs, or other storage devices on network
connected systems).
Reason for Disabling on a Standalone PC - Networked iSCSI devices not used.
Default Service Settings - The Microsoft iSCSI Initiator Service runs i a shared process (svchost.exe).
Display Name: Microsoft iSCSI Initiator Service
Service Name: MSiSCSI
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\iscsiexe.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
iSCSI (Wikipedia.org)
NOTES
30
Microsoft Windows SMS Router Service
Description - This service (SmsRouter) routes messages from a Local Area Network (LAN) server to connected PCs. These
messages support the (1) inventory of hardware and software, (2) distribution and installation of software, and (3) performance
of diagnostic tests.
Reason for Disabling on a Standalone PC - No LAN connections.
Default Service Settings - The Microsoft Windows SMS Router Service. Runs in a shared process (svchost.exe).
Display Name: Microsoft Windows SMS Router Service
Service Name: SmsRouter
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted
File: C:\WINDOWS\system32\SmsRouterSvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmsRouter
Dependencies: This service depends on the following system components:
NDIS Usermode I/O Protocol (Ndisuio)
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Systems Management Server (SMS) (Wikipedia.org)
Local Area Network (LAN) (Wikipedia.org)
NOTES
31
Netlogon
Description - This service (Netlogon) authenticates users and other services within a Windows domain.
Reason for Disabling on a Standalone PC - No network connections.
Default Service Settings - The Netlogon service runs in a shared process (lsass.exe).
Display Name: Netlogon
Service Name: Netlogon
Startup Type: Manual
Path: C:\WINDOWS\system32\lsass.exe
File: C:\WINDOWS\system32\netlogon.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
Dependencies: This service depends on the following system components:
Workstation (LanmanWorkstation)
The following system components depend on this service:
None
NOTES
32
Net.Tcp Port Sharing Service
Description - This service (NetTcpPortSharing) is a part of the Windows Communication Foundation (WCF) in .NET. The
service allows several applications to use the same TCP port for network communications.
Reason for Disabling on a Standalone PC - Default setting for Startup Type = Disabled.
Default Service Settings - The Net.Tcp Port Sharing Service runs in a shared process (SMSvcHost.exe).
Display Name: Net.Tcp Port Sharing Service
Service Name: NetTcpPortSharing
Startup Type: Disabled
Path: C:\WINDOWS\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
Net.TCP Port Sharing (Microsoft.com)
NOTES
33
Network Connected Devices Auto-Setup
Description - This service (NcdAutoSetup) automatically detects, sets up and enables the use of devices for private network
locations (e.g. home or workplace). Within private networks, network discovery is turned on, file and printer sharing are turned
on and HomeGroup connections are allowed.
Reason for Disabling on a Standalone PC - No private network connections.
Default Service Settings - The Network Connected Devices Auto-Setup service runs in a shared process (svchost.exe).
Display Name: Network Connected Devices Auto-Setup
Service Name: NcdAutoSetup
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
File: C:\WINDOWS\system32\NcdAutoSetup.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcdAutoSetup
Dependencies: This service depends on the following system components:
Network List Service (netprofm)
The following system components depend on this service:
None
Additional Information
GUIDE: Guide to Network and Sharing Center (Online-Tech-Tips.com)
GUIDE: How to Turn On or Off File and Printer Sharing (TenForums.com)
GUIDE: How to Turn On or Off Public Folder Sharing (TenForums.com)
GUIDE: How to Turn On or Off Network Discovery (TenForums.com)
NOTES
34
Network Connectivity Assistant
Description - This service (NcaSvc) indicates network connection status and allows data collection when connecting to
DirectAccess servers.
Reason for Disabling on a Standalone PC - No network connections.
Default Service Settings - The Network Connectivity Assistant service runs in a shared process (svchost.exe).
Display Name: Network Connectivity Assistant
Service Name: NcaSvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k NetSvcs
File: C:\WINDOWS\system32\ncasvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NcaSvc
Dependencies: This service depends on the following system components:
Base Filtering Engine (BFE)
DNS Client (Dnscache)
IP Helper (iphlpsvc)
Network Store Interface Service (nsi)
The following system components depend on this service:
None
NOTES
35
Peer Networking (3 services)
Services Disabled
Peer Name Resolution Protocol
Peer Networking Grouping
Peer Networking Identity Manager
Description - These services enable peer-to-peer (P2P) and collaborative programs (e.g. HomeGroup and Remote Assistance)
to communicate with each other across a network.
Reason for Disabling on a Standalone PC - No connections to P2P networks, HomeGroup, or Remote Assistance.
Default Service Settings - All 3 Peer Networking services run in a shared process (svchost.exe).
Display Name: Peer Name Resolution Protocol
Service Name: PNRPsvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServicePeerNet
File: C:\WINDOWS\system32\pnrpsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc
Dependencies: This service depends on the following system components:
Peer Networking Identity Manager (p2pimsvc)
The following system components depend on this service:
PNRP Machine Name Publication Service (PNRPAutoReg)
Peer Networking Grouping (p2psvc)
NOTES
36
Performance Counter DLL Host
Description - This service (PerfHost) runs 32-bit Performance Counters remotely from users on 64-bit servers. These counters
provide performance data for operating systems (OS), applications, services, or drivers and can identify system bottlenecks.
Reason for Disabling on a Standalone PC - Don’t remotely run 32-bit performance counters.
Default Service Settings
Display Name: Performance Counter DLL Host
Service Name: PerfHost
Startup Type: Manual
Path: C:\WINDOWS\SysWow64\perfhost.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PerfHost
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
37
Performance Logs & Alerts
Description - This service (pla) collects Performance Counter data from local or remote computers. These counters provide
performance data for operating systems (OS), applications, services, or drivers and can identify system bottlenecks. Based on
counter data, this service can trigger alerts or write performance data to a log file for analysis and report generation. Real-time
performance counter data can be viewed graphically using Performance Monitor (WIN+R perfmon.msc).
Reason for Disabling on a Standalone PC
Performance counter data not needed.
No remote connections.
Default Service Settings - The Performance Logs & Alerts service runs in a shared process (svchost.exe).
Display Name: Performance Logs & Alerts
Service Name: pla
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
File: C:\WINDOWS\system32\pla.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pla
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
38
PNRP Machine Name Publication Service
Description
This service (PNRPAutoReg) publishes a PC's name using Peer Name Resolution Protocol. This is a peer-to-peer (P2P)
protocol used by Remote Assistance and HomeGroup.
Reason for Disabling on a Standalone PC - No connections to P2P networks.
Default Service Settings - The Peer Name Resolution Protocol service runs in a shared process (svchost.exe).
Display Name: PNRP Machine Name Publication Service
Service Name: PNRPAutoReg
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServicePeerNet
File: C:\WINDOWS\system32\pnrpsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc
Dependencies: This service depends on the following system components:
Peer Networking Identity Manager (p2pimsvc)
The following system components depend on this service:
PNRP Machine Name Publication Service (PNRPAutoReg)
Peer Networking Grouping (p2psvc)
NOTES
39
Program Compatibility Assistant Service
Description - This service (PcaSvc) monitors programs that run to identify Windows 10 compatibility issues. Older programs
may have compatibility problems. If compatibility issues exist, you are notified and offered a remedy. The service can resolve
program conflicts with User Account Control (UAC) and also run programs in a compatibility mode that simulates an earlier
version of Windows.
Reason for Disabling on a Standalone PC - No incompatible programs installed.
Default Service Settings - The Program Compatibility Assistant Service runs in a shared process (svchost.exe).
Display Name: Program Compatibility Assistant Service
Service Name: PcaSvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted
File: C:\WINDOWS\system32\pcasvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PcaSvc
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
40
Quality Windows Audio Video Experience
Description - This service (QWAVE) enables high performance video streaming across a LAN (home) network.
Reason for Disabling on a Standalone PC - No LAN connections.
Default Service Settings - The Quality Windows Audio Video Experience service runs in a shared process (svchost.exe).
Display Name: Quality Windows Audio Video Experience
Service Name: QWAVE
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
File: C:\WINDOWS\system32\qwave.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QWAVE
Dependencies: This service depends on the following system components:
Link-Layer Topology Discovery Mapper I/O Driver (lltdio)
QWAVE driver (QWAVEdrv)
QoS Packet Scheduler (Psched)
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
41
Remote Access (2 services)
Description
Remote Access Auto Connection Manager - Detects unsuccessful attempts to connect to a remote network or computer
and provides alternative methods for connection. Used by some direct cable and DSL providers to logon and connect to
the internet. If you use a hardware gateway or router, this service is not required.
Remote Access Connection Manager - Manages dial-up and VPN connections from your computer to the Internet or
other remote networks. When you double-click a connection in the Network Connections folder and then click the
Connect button, this service either dials the connection or sends a VPN connection request and handles
communications with the remote access server to set up the connection.
Additional Information
Remote Access (TheNetworkEncyclopedia.com)
NOTES
42
Remote Desktop (3 services)
Description - These services allow a user to take control of a remote computer or virtual machine over a network connection.
Remote Desktop is often targeted by hackers and considered a security risk.
Remote Desktop Configuration
Remote Desktop Services
Remote Desktop Services UserMode Port Redirector
Reason for Disabling on a Standalone PC - No remote connections. Remote Assistance connections disabled.
Default Service Settings - All 3 Remote Desktop services run in a shared process (svchost.exe).
Display Name: Remote Desktop Configuration
Service Name: SessionEnv
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\sessenv.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
Workstation (LanmanWorkstation)
The following system components depend on this service:
None
Additional Information
Remote Desktop Protocol Security Issues (Wikipedia.org)
GUIDE: How to Enable and Secure Remote Desktop on Windows (HowToGeek.com)
NOTES
43
Remote Procedure Call (RPC) Locator
Description - This service (RpcLocator) is used to discover Remote Procedure Call (RPC) services. This service is not used by
the operating system and is only present for third-party programs that requires it.
Reason for Disabling - No third-party programs run that require this service.
Default Service Settings - The Remote Procedure Call (RPC) Locator service runs in its own process (locator.exe).
Display Name: Remote Procedure Call (RPC) Locator
Service Name: RpcLocator
Startup Type: Manual
Path: C:\WINDOWS\system32\locator.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator
Dependencies: This service depends on the following system components:
Remote Desktop Device Redirector Driver (RDPDR)
Remote Desktop Services (TermService)
The following system components depend on this service:
None
NOTES
44
Remote Registry
Description - This service (RemoteRegistry) allows remote users to modify registry settings on a computer. If it is disabled, only
locally logged on users can modify the registry. This service presents a security risk should be disabled. "Disabled" is the default
setting in Windows 10 Home 1511.
Reason for Disabling on a Standalone PC
SECURITY RISK (remote access to registry)
Default setting for Startup Type = Disabled.
Default Service Settings - The Remote Registry service runs in a shared process (svchost.exe).
Display Name: Remote Registry
Service Name: RemoteRegistry
Startup Type: Disabled
Path: C:\WINDOWS\system32\svchost.exe -k localService
File: C:\WINDOWS\system32\regsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
45
Retail Demo Service
Description - This service (RetailDemo) allows retail store staff to demonstrate Windows 10 features to customers.
Reason for Disabling on a Standalone PC – Bloatware that is not needed.
Default Service Settings - The Retail Demo Service runs in a shared process (svchost.exe).
Display Name: Retail Demo Service
Service Name: RetailDemo
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\RDXService.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RetailDemo
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
NOTES
46
Routing and Remote Access
Description - This service (RemoteAccess) is used within corporate networks. It allows computers to dial in to a local computer
to gain access to the local network.
Reason for Disabling on a Standalone PC
No connections to remote networks or computers.
Default setting for Startup Type = Disabled.
Default Service Settings - The Routing and Remote Access service runs in a shared process (svchost.exe).
Display Name: Routing and Remote Access
Service Name: RemoteAccess
Startup Type: Disabled
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\mprdim.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess
Dependencies: This service depends on the following system components:
Base Filtering Engine (BFE)
HTTP Service (HTTP)
NetBIOSGroup
Remote Access Connection Manager (RasMan)
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
Additional Information
Routing and Remote Access Service (Technet.Microsoft.com)
NOTES
47
Secondary Logon
Description - This service (seclogon) allows users to use the “Run As” command to elevate their privileges and run commands
available to administrators. This is a great way for administrators to do ordinary work (e-mail, Word, Excel, etc.) as ordinary
users while also performing administrative tasks without logging off and then back on again. However, this presents a security
risk if accessed by users that aren’t intended to have administrative privileges.
Reason for Disabling on a Standalone PC
SECURITY RISK (access administrator privileges)
Administrator command “Run As” not used.
Default Service Settings - The Secondary Logon service runs in a shared process (svchost.exe).
Display Name: Secondary Logon
Service Name: seclogon
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\seclogon.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
NOTES
48
Sensor (3 services)
Description - These services monitor, manage and deliver sensor data. Sensor data includes motion (accelerometer,
gyroscope, magnetometer), barometer, altimeter, ambient light, proximity (human presence), environmental (temperature,
humidity, CO2, UV), Biometric (fingerprint, face, iris scanning), and activity (walking, running).
Sensor Data Service
Sensor Monitoring Service
Sensor Service
Default Service Settings - The Sensor Data Service runs in its own process (SensorDataService.exe). Both Sensor Monitoring
Service and Sensor Service run in a shared process (svchost.exe).
Display Name: Sensor Data Service
Service Name: SensorDataService
Startup Type: Manual
Path: C:\WINDOWS\system32\SensorDataService.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SensorDataService
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
Sensors Overview (msdn.Microsoft.com)
Biometrics Privacy Concerns (eff.org)
NOTES
49
Server
Description - This service (LanmanServer) allows sharing of files and printers with other computes on a network.
Reason for Disabling on a Standalone PC
No network connections.
File and printer sharing turned off.
Default Service Settings - The Server service runs in a shared process (svchost.exe).
Display Name: Server
Service Name: LanmanServer
Startup Type: Automatic
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
File: C:\WINDOWS\system32\srvsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer
Dependencies: This service depends on the following system components:
Security Accounts Manager (SamSs)
Server SMB 2.xxx Driver (srv2)
The following system components depend on this service:
Computer Browser (Browser)
Additional Information
GUIDE: Turn Off File and Printer Sharing (TenForums.com)
NOTES
50
Smart Card (3 services)
Description - These services enable Smart Card use for authentication purposes.
Smart Card
Smart Card Device Enumeration Service
Smart Card Removal Policy
Additional Information
Smart Card (Wikipedia.org)
Security with Smart Cards (TechNet.Microsoft.com)
NOTES
51
SSDP Discovery
Description - This service (SSDPSRV) enables discovery of UPnP devices on a network. UPnP is a peer-to-peer network
feature that allows smart devices, wireless devices, PCs and peripherals to connect to a network and communicate with each
other. UPnP is also known as Network Discovery. Security risks exist with UPnP and this service should be disabled (see
“Additional Services” below).
Reason for Disabling on a Standalone PC
SECURITY RISK (lack of built-in authentication)
No network connections
Default Service Settings - The SSDP Discovery service runs in a shared process (svchost.exe).
Display Name: SSDP Discovery
Service Name: SSDPSRV
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
File: C:\WINDOWS\system32\ssdpsrv.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV
Dependencies: This service depends on the following system components:
HTTP Service (HTTP)
The following system components depend on this service:
UPnP Device Host (upnphost)
Additional Information
Millions of PCs Exposed Through Network Bugs, Security Researchers Find (ZDNet.com)
Is UPnP a Security Risk? (HowToGeek.com)
GUIDE: How to Turn On or Off Network Discovery (TenForums.com)
NOTES
52
TCP/IP NetBIOS Helper
Description - This service (lmhosts) allows network users to share files, print, and log on to the network
Reason for Disabling on a Standalone PC
No network connections.
File and printer sharing turned off.
Default Service Settings - The TCP/IP NetBIOS Helper service runs in a shared process (svchost.exe).
Display Name: TCP/IP NetBIOS Helper
Service Name: lmhosts
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted
File: C:\WINDOWS\system32\lmhsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lmhosts
Dependencies: This service depends on the following system components:
Ancillary Function Driver for Winsock (AFD)
The following system components depend on this service:
None
Additional Information
NetBIOS over TCP/IP (Wikipedia.org)
TCP/IP (Wikipedia.org)
Introduction to TCP/IP (Linux-Tutorial.info)
GUIDE: Guide to Network and Sharing Center (Online-Tech-Tips.com)
GUIDE: How to Turn On or Off File and Printer Sharing (TenForums.com)
GUIDE: How to Turn On or Off Public Folder Sharing (TenForums.com)
GUIDE: How to Turn On or Off Network Discovery (TenForums.com)
NOTES
53
Touch Keyboard and Handwriting Panel Service
Description - This service (TabletInputService) is designed for tablets using two Windows features called Touch Keyboard and
Handwriting Panel. These features are not needed on a laptop or desktop computer.
Reason for Disabling on a Standalone PC - Touch Keyboard and Handwriting Panel features not used.
Default Service Settings - The Touch Keyboard and Handwriting Panel Service runs in a shared process (svchost.exe).
Display Name: Touch Keyboard and Handwriting Panel Service
Service Name: TabletInputService
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted
File: C:\WINDOWS\system32\TabSvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TabletInputService
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
54
UPnP Device Host
Description - This service (upnphost) allows UPnP devices to be hosted on this computer. UPnP is a peer-to-peer network
feature that allows smart devices, wireless devices, PCs and peripherals to connect to a network and communicate with each
other. UPnP is also known as Network Discovery. Security risks exist with UPnP and this service should be disabled (see
“Additional Information” below).
Reason for Disabling on a Standalone PC
SECURITY RISK (lack of built-in authentication)
No network connections.
Default Service Settings - The UPnP Device Host service runs in a shared process (svchost.exe).
Display Name: UPnP Device Host
Service Name: upnphost
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
File: C:\WINDOWS\system32\upnphost.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost
Dependencies: This service depends on the following system components:
HTTP Service (HTTP)
SSDP Discovery (SSDPSRV)
The following system components depend on this service:
None
Additional Information
Millions of PCs Exposed Through Network Bugs, Security Researchers Find (ZDNet.com)
Is UPnP a Security Risk? (HowToGeek.com)
GUIDE: How to Turn On or Off Network Discovery (TenForums.com)
NOTES
55
WebClient
Description - This service (WebClient) allows you to browse to “Network Places” and create, access and modify files on the
Internet with Windows-based programs This service is not needed for FTP, SSH, SCP or browser-based connections.
Reason for Disabling on a Standalone PC - No network connections.
Default Service Settings - The WebClient service runs in a shared process (svchost.exe).
Display Name: WebClient
Service Name: WebClient
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
File: C:\WINDOWS\system32\webclnt.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient
Dependencies: This service depends on the following system components:
WebDav Client Redirector Driver (MRxDAV)
The following system components depend on this service:
None
Additional Information
GUIDE: How to Add a Network Location to This PC (TenForums.com)
GUIDE: How to Set Network Location to be Public or Private (TenForums.com)
GUIDE: How to Map Network Drive or Disconnect Network Drive (TenForums.com)
NOTES
56
Windows Biometric Service
Description - This service (WbioSrvc) allows applications to capture, compare, manipulate and store biometric data (like finger
prints or iris scans). Security and privacy risks exist with the storage of biometric data (see “Additional Information” below).
Reason for Disabling on a Standalone PC
SECURITY & PRIVACY RISKS (biometrics)
Default Service Settings - The Windows Biometric Service runs in a shared process (svchost.exe).
Display Name: Windows Biometric Service
Service Name: WbioSrvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k WbioSvcGroup
File: C:\WINDOWS\system32\wbiosrvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WbioSrvc
Dependencies: This service depends on the following system components:
Credential Manager (VaultSvc)
Remote Procedure Call (RPC) (RpcSs)
Windows Driver Foundation - User-mode Driver Framework (wudfsvc)
The following system components depend on this service:
None
Additional Information
Biometrics are a Grave Threat to Privacy (NYTimes.com)
Biometric Security Poses Huge Privacy Risks (ScientificAmerican.com)
Biometrics are Coming, Along with Serious Security Concerns (Wired.com)
NOTES
57
Windows Connect Now - Config Registrar
Description - This service (wcncsvc) is used by wireless networks in homes and small offices and is geared toward users that
are not familiar with Wi-Fi configuration. Windows Connect Now simplifies the creation and configuration of wireless networks
and allows devices to be easily added to a network while providing a secure connection.
Note: Windows Connect Now is Microsoft’s implementation of Wi-Fi Protected Setup (WPS). Pin-based WPS is vulnerable to a
brute-force attack which can result in rogue devices being allowed to connect to a network.
Reason for Disabling on a Standalone PC - No network (LAN) connections.
Default Service Settings - The Windows Connect Now - Config Registrar service runs in a shared process (svchost.exe).
Display Name: Windows Connect Now - Config Registrar
Service Name: wcncsvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
File: C:\WINDOWS\system32\wcncsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wcncsvc
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
58
Windows Error Reporting Service
Description - This service (WerSvc) sends reports of errors on your computer (errors, faults, crashes) to Microsoft. They
acknowledge that personally identifiable information could be contained in the memory and application data compiled in the 100-
200 KB "minidumps" that Windows Error Reporting compiles and sends back to Microsoft. This presents a privacy risk that can
be avoided by disabling the service.
Reason for Disabling on a Standalone PC - Privacy risk (personally identifiable information is transmitted).
Default Service Settings - The Windows Error Reporting Service runs in its own process (svchost.exe).
Display Name: Windows Error Reporting Service
Service Name: WerSvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k WerSvcGroup
File: C:\WINDOWS\system32\WerSvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
Additional Information
Windows Error Reporting Privacy Concerns (Wikipedia.org)
NOTES
59
Windows Event Collector
Description - This service (Wecsvc) allows administrators to get events from remote computers and store them in a centralized
place.
Reason for Disabling on a Standalone PC - No remote connections.
Default Service Settings - The Windows Event Collector service runs in a shared process (svchost.exe).
Display Name: Windows Event Collector
Service Name: Wecsvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k NetworkService
File: C:\WINDOWS\system32\wecsvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc
Dependencies: This service depends on the following system components:
HTTP Service (HTTP)
Windows Event Log (EventLog)
The following system components depend on this service:
None
NOTES
60
Windows Media Player Network Sharing Service
Description - This service (WMPNetworkSvc) allows the streaming of Windows Media Player (WMP) music and video to home
entertainment systems and other computers/devices over a local network. Instead of using services.msc to disable Windows
Media Player Network Sharing Service, this service is disabled through the Control Panel (see below).
Note: Some programs and features included with Windows (e.g. Internet Information Services) must be turned on before you
can use them. Other features (e.g. Windows Media Player, Windows Fax and Scan) are turned on by default, but you can turn
them off if you don’t use them.
Turn off Windows Media Player Network Sharing Service
30. WIN + X
31. Select Control Panel from the menu that pops up
32. Select Programs and Features
33. Select Turn Windows features on or off
34. Click the “+” next to Media Features
35. Deselect Windows Media Player
Reason for Disabling on a Standalone PC
No network connections.
WMP removed. For playback of music and video, I use the portable Media Player Classic Home Cinema. Another
popular portable WMP replacement is VLC Media Player.
Default Service Settings - The Windows Media Player Network Sharing Service runs in its own process (wmpnetwk.exe).
Display Name: Windows Media Player Network Sharing Service
Service Name: WMPNetworkSvc
Startup Type: Manual
Path: C:\Program Files\Windows Media Player\wmpnetwk.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc
Dependencies: This service depends on the following system components:
HTTP Service (HTTP)
Windows Search (WSearch)
The following system components depend on this service:
None
Additional Information
Freeware: Media Player Classic Home Cinema (MPC-HC.org)
Freeware: VLC Media Player (Videolan.org)
Freeware: Portable Freeware List - Video Players (PortableFreeware.com)
NOTES
61
Windows Mobile Hotspot Service
Description - This service (icssvc) allows a mobile PC or device to share its Internet connection with up to 8 other devices. You
need Wi-Fi to share your connection, but the connection you’re sharing can be an Ethernet (wired), Wi-Fi, or cellular connection.
Reason for Disabling on a Standalone PC - Mobile Hotspot not used.
Default Service Settings - The Windows Mobile Hotspot Service runs in a shared process (svchost.exe).
Display Name: Windows Mobile Hotspot Service
Service Name: icssvc
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted
File: C:\WINDOWS\system32\tetheringservice.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
Windows Connection Manager (Wcmsvc)
The following system components depend on this service:
None
Additional Information
How to Turn Your Windows PC into a Wi-Fi Hotspot (HowToGeek.com)
NOTES
62
Windows Remote Management (WS-Management)
Description - This service (WinRM) provides software and hardware management capabilities to network administrators by
allowing them to access, edit and update data from remote computers.
Reason for Disabling on a Standalone PC - Remote management of hardware and software not used.
Default Service Settings - The Windows Remote Management (WS-Management) service runs in a shared process
(svchost.exe).
Display Name: Windows Remote Management (WS-Management)
Service Name: WinRM
Startup Type: Manual
Path: C:\WINDOWS\system32\svchost.exe -k NetworkService
File: C:\WINDOWS\system32\WsmSvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM
Dependencies: This service depends on the following system components:
HTTP Service (HTTP)
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
None
NOTES
63
Windows Search
Description - This service (WSearch) performs file searches, collects detailed about these files, and stores this information in
an index for use during subsequent searches.
Reason for Disabling on a Standalone PC - Windows Search not used, replaced with Classic Shell or Everything.
Default Service Settings - The Windows Search service runs in its own process (SearchIndexer.exe).
Display Name: Windows Search
Service Name: WSearch
Startup Type: Automatic
Path: C:\WINDOWS\system32\SearchIndexer.exe /Embedding
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch
Dependencies: This service depends on the following system components:
Remote Procedure Call (RPC) (RpcSs)
The following system components depend on this service:
Windows Media Player Network Sharing Service (WMPNetworkSvc)
Work Folders (workfolderssvc)
Additional Information
Freeware: Classic Shell (ClassicShell.net)
Freeware: Everything (VoidTools.com)
NOTES
64
WMI Performance Adapter
Description - WMI, or Windows Management Instrumentation, provides network administrators with an interface which
simplifies the remote monitoring and management of corporate networks.
Reason for Disabling on a Standalone PC - No network connections.
Default Service Settings - The WMI Performance Adapter runs in its own process (WmiApSrv.exe).
Display Name: WMI Performance Adapter
Service Name: wmiApSrv
Startup Type: Manual
Path: C:\WINDOWS\system32\wbem\WmiApSrv.exe
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wmiApSrv
Dependencies: This service depends on the following system components:
None
The following system components depend on this service:
None
NOTES
65
Workstation
Description - This service (LanmanWorkstation) enables file and printer sharing over a network.
Reason for Disabling on a Standalone PC
No network connections.
File and printer sharing turned off.
Default Service Settings - The Workstation service runs in a shared process (svchost.exe).
Display Name: Workstation
Service Name: LanmanWorkstation
Startup Type: Automatic
Path: C:\WINDOWS\system32\svchost.exe -k NetworkService
File: C:\WINDOWS\system32\wkssvc.dll
Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
Dependencies: This service depends on the following system components:
Browser Support Driver (bowser)
Network Store Interface Service (nsi)
SMB 2.0 MiniRedirector (mrxsmb20)
The following system components depend on this service:
Computer Browser (Browser)
Netlogon (Netlogon)
Remote Desktop Configuration (SessionEnv)
Additional Information
GUIDE: Guide to Network and Sharing Center (Online-Tech-Tips.com)
GUIDE: How to Turn On or Off File and Printer Sharing (TenForums.com)
GUIDE: How to Turn On or Off Public Folder Sharing (TenForums.com)
GUIDE: How to Turn On or Off Network Discovery (TenForums.com)
NOTES
66
Xbox (3 services)
Description
Xbox Live Auth Manager - Provides authentication and authorization services for interacting with Xbox Live.
Xbox Live Game Save - Syncs save data for Xbox Live save enabled games.
Xbox Live Networking Service - Supports the Windows.Networking.XboxLive application programming interface.
NOTES
67
Appendix A: Internet Resources
TUTORIALS
SERVICE REFERENCES
COMPUTER DICTIONARIES/ENCYCLOPEDIAS
MISCELLANEOUS
The Portable Freeware Collection (PortableFreeware.com)
Windows 10 Version History (Wikipedia.org)
68
Appendix B: Disabled Services (1-page list)
AllJoyn Router Service IP Helper Smart Card Device Enumeration
Service
Application Layer Gateway Link-Layer Topology Discovery
Mapper Smart Card Removal Policy
Certificate Propagation
Microsoft Diagnostics Hub SSDP Discovery
Computer Browser (Browser) Standard Collector Service
TCP/IP NetBIOS Helper
Connected Device Platform Microsoft iSCSI Initiator Service
Service Touch Keyboard and Handwriting
Microsoft Windows SMS Router Panel Service
Connected User Experiences and Service
Telemetry UPnP Device Host
Netlogon
Credential Manager WebClient
Net.Tcp Port Sharing Service
DataCollectionPublishingService Windows Biometric Service
Network Connected Devices Auto-
Delivery Optimization Setup Windows Connect Now - Config
Registrar
dmwappushsvc Network Connectivity Assistant
Windows Error Reporting Service
Downloaded Maps Manager Peer Name Resolution Protocol
Windows Event Collector
Enterprise App Management Peer Networking Grouping
Service Windows Media Player Network
Peer Networking Identity Manager Sharing Service
Family Safety Filter Driver
Performance Counter DLL Host Windows Mobile Hotspot Service
Fax
Performance Logs & Alerts Windows Remote Management
Function Discovery Provider Host (WS-Management)
PNRP Machine Name Publication
Function Discovery Resource Service Windows Search
Publication
Program Compatibility Assistant WMI Performance Adapter
Geolocation Service Service
Workstation
HomeGroup Listener Quality Windows Audio Video
Experience Xbox Live Auth Manager
HomeGroup Provider
Remote Access Auto Connection Xbox Live Game Save
Human Interface Device Service Manager
Xbox Live Networking Service
Hyper-V Data Exchange Service Remote Access Connection
Manager
Hyper-V Guest Service Interface
Hyper-V Guest Shutdown Service Remote Desktop Configuration
(TermService)
Hyper-V Heartbeat Service Remote Desktop Services
Hyper-V Remote Desktop Remote Desktop Services
Virtualization Service
UserMode Port Redirector
Hyper-V Time Synchronization Remote Procedure Call (RPC)
Service
Locator
Hyper-V VM Session Service Remote Registry
Hyper-V Volume Shadow Copy Retail Demo Service
Requestor
70