NNT Hardened Services Guide V1 3

NNT Security Control Guide * *
Hardening System Services 0 1 9

R 2
VE
Version 1.3 ©Copyright New Net Technologies 2019 All Rights Reserved
E R
S S
O W
W IND
O R
D F
E
D AT
U P
N OW
**
NNT Security Control Guide: Hardened Services Guide
Introduction
This guide will help the reader to understand:
Why the active services on a host increase the attack surface
Why it is always recommended to minimize functionality on any system
Why you should avoid sharing any platform between multiple applications
How to identify which services should be disabled and which are essential?
Background
In the United States, over 10 million people a year contract appendicitis, with over
50,000 cases resulting in death. More than 300,000 will have their appendix removed.
Since it has long been believed that the appendix is a ‘vestigial organ’(one that serves
little or no purpose) surgical removal is seen as an effective treatment, providing
permanent immunity from future problems.
Clearly there are always inherent risks associated with surgery, otherwise appendix
removal may well have become a common precautionary procedure - no appendix, no
risk of appendicitis, and no downside with losing a seemingly useless body part?
And in the world of IT, just as the appendix is not serving any useful purpose in
the body, many default services provided with a modern IT platform are equally
superfluous to requirements. At the same time, just like the infection time-bomb of
the appendix, in the world of exploits and vulnerabilities, every service increases
the ‘attack surface’ of a platform. Service functions can be misused and abused by
hackers, and the more services you have active, the greater the range of potential
attack methods you are exposed to.
Fortunately in the IT world, removal of unnecessary services is a pain-free operation

with an immediate recovery afterwards.
Figure 1: Even for a vestigial So just like the appendix, if a service

organ, pre-emptive surgery is is not really needed in the first place,
an unnecessary risk... best course of action is to ‘whip it
out’, or at least disable it.
Removing or disabling unnecessary

function from IT systems is a key
security control and is a core
dimension to any system hardening
project. Some are obvious, for
example, remove FTP and Web
services if not needed, but now that
today’s Windows Operating Systems
are being shipped with over 200
default services, the job has become
progressively more difficult. Hence
the reason for NNT publishing this
guide to provide detailed advice
on default services and their ‘safe’
states.
There are plenty of services that can

be safely disabled but also a number
to retain, even if, like an appendix,
they don’t look like they are that
important!
www.nntws.com page 1
Why is the control of system services a critical security control?
The main reasons why disabling or removing unnecessary services is ordained a key
security control:
The more function a platform has, the greater the potential for misuse/abuse
Many services will enable network-accessible ports which an attacker can use to
disrupt or gain access to the platform (see the separate NNT Security Control Guide
for Hardening Open Ports and Protocols)
An approved services configuration, and a process to verify and approve any

changes, provides a clear opportunity for breach detection and for cyber defense
measures to be maintained
The Center for Internet Security provides this rationale for CIS Control 5:
“Establish, implement, and actively manage the security configuration of mobile devices,
servers, and workstations using a rigorous configuration management and change control
process in order to prevent attackers from exploiting vulnerable services and settings...
And then for CIS Control 9: “Ensure that only network ports, protocols, and services
listening on a system with validated business needs are running on each system.”
Similarly, the NERC CIP standard mandates the need to “Authorize and document
changes that deviate from the existing baseline configuration”
“Standard CIP-007-3 requires Responsible Entities to define methods, processes, and

procedures for securing those systems...
R2. Ports and Services — The Responsible Entity shall...ensure that only those
ports and services required for normal and emergency operations are enabled.
R2.1. The Responsible Entity shall enable only those ports and services required
for normal and emergency operations.
R2.2. The Responsible Entity shall disable other ports and services...
And for NIST 800-53
“CM-6 CONFIGURATION SETTINGS - Control: The organization monitors and controls

changes to the configuration settings in accordance with organizational policies and
procedures
Configuration settings are the set of parameters that can be changed in software
components of the information system that affect the security posture and/or
functionality of the system… Security-related parameters are those parameters impacting
the security state of information systems including…settings for functions, ports,
protocols, services, and remote connections. Organizations establish configuration
settings and subsequently derive specific settings for information systems. The
established settings become part of the systems configuration baseline”
And finally for PCI DSS V3.2.1
“Requirement 2.2: Develop configuration standards for all system components. Assure
that these standards address all known security vulnerabilities and are consistent with
industry-accepted system hardening standards…Enabling only necessary services, proto-
cols, daemons, etc., as required for the function of the system, Implementing additional
security features for any required services, protocols or daemons that are considered to
be insecure”
Baselining and Change-Tracking Services
Various technologies are available that can play a role in identifying, baselining and
change-tracking services configurations. The best vulnerability scanners can report on
services using a credentialed scan, but because it significantly extends scan durations,
it is seldom used. Equally a SIEM system monitoring hosts with a suitable audit policy
defined to report on services activity can track changes, but not report on the initial
baseline state.
The most complete solution is host-resident, system

integrity monitoring. This option not only gathers
details of installed services with their running and
startup states, but by being host-resident, also has
the advantage of being able to continuously track
changes to service configuration settings.
For example, NNT Change Tracker™ Gen 7 R2 uses

distributed agents covering each device so unlike a
Vulnerability Scanner, the collection of services data
is performed in a massively parallel manner with
each device being queried simultaneously.
This means that both for
Change Control (reporting any drift from

the baseline configuration build), and
Breach Detection (reporting unexpected

new services and processes)
So the true intent of the security control is being

delivered.
Security controls are subject to a ‘bang-for-buck’

rating like anything else, and one that is easier to
operate, with easier to interpret results, will always
be more effective.
And while the incidence of breaches continues to

Figure 2: Contemporary Windows Operating Systems have over 200 increase, anything that makes security best practices
services installed. Deciding which of these can be safely disabled easier to implement and us more secure should be
without affecting required functionality is far from straightforward welcomed.
Implementing a Hardened Services Standard
In summary, any service will increase the potential opportunity for an attacker. If a
service isn’t needed for business-service delivery, it should be disabled or removed as
a precuationary measure.
These services, like the appendix of the human body, aren’t needed and, as long as
they are present, provide a foothold for a life-threatening infection to take hold in the
future.
Now that we know what the options are for monitoring and reporting on which
services are resident on a host, the next sections of this guide will explain how to
decide which services are ‘safe’ to remove or disable, and how to go about doing so.
How do I decide which services should be removed or disabled?
Ultimately, as with any configuration hardening project, only you can decide which
services are essential for delivering your organizations’ business applications. You may
set maximum security as the objective but there will always be compromises in favor
of optimizing service delivery. Your usage, applications and environment are going to
be unique and therefore the appropriate hardening measures can only be determined
by you.
CIS Control 9 “Ensure that only network ports, protocols, and services listening on a
system with validated business needs, are running on each system”
Just as there is no such thing as ‘100% secure’, there are no truly ‘safe’ services, but
the more you can minimize functionality, the more you can reduce the attack surface
presented.
Figure 3: NNT and CIS Help is at hand: This guide includes expert guidance
hardening resources from on service hardening, with detailed Hardened
www.nntws.com Services Lists in the Appendices at the end (Who ever
said appendices are useless? ☺ ). These have been
developed as a ‘one size fits all’ hardened services
profiles that will suit any base Enterprise Server
build.
In addition, NNT in conjunction with the Center for

Internet Security provide extensive resources to
help you with wider configuration hardening. The
CIS Benchmark secure configuration guides specify a
huge range of configuration settings recommended
to improve security, including all significant Windows
Security Policy settings and their equivalents for
Linux platforms.
Finally there is also the NNT Security Control Guide

for Open Port Hardening, covering the issues related
to Open Ports and Protocols, how to identify those
present on your network and how to decide which
can be changed or removed.
You can download CIS Benchmarks for all platforms

and applications at the NNT Website here.
NNT also provide a number of ‘Remediation Kits’ which can be used to automatically
apply hardened configuration settings in line with the CIS Benchmarks. The
Remediation Kit takes the form of either a Windows Group Policy Object template or a
Shell Script for Linux.
See Step 2 – Harden Systems to Eliminate Unwanted/Unnecessary Services for detailed

guidance on disabling services/protocols/ports, including commands to use.
System Services Hardening Guide

Step 1 – List Services/Applications
First step in determining whether you have unwanted or unnecessary services in use is to get a list of what is configured. You
can then use the next steps to identify details of the services concerned and then either stop and/or disable the service from
running in the future. For example, telnet should never be used on any system where the alternative SSH option is available.
List services on Windows

Use run -> services.msc and use the Services Console to stop and/or disable services.
Use Windows PowerShell (RunAs Administrator) to list all services
Get-Service -Name *
List services on Linux

From a terminal/putty session,
service --status-all
chkconfig --list
systemctl -a
Note: In the Appendices for this guide you will find a complete list of Default Services and the recommendations for a
hardened profile.
Automated Solutions
Best options are to use an automated solution that continuously operates and also covers more security controls than just the
CIS ‘Establish standard secure configurations of operating systems and software applications’. NNT Change Tracker™ Gen 7 R2
provides an integrated, host-based services and processes tracker to highlight any policy violation. The solution is flexible in
allowing new processes and services to be categorized as ‘Blacklisted, Whitelisted or Greylisted’ depending on whether the
process/service should never be active, always be active, or be an optional, non-mandatory element.
Process/Service names can be defined manually or imported from a donor device making the definition of your hardened
services policy a ‘point and click’ operation.
Change Tracker™ Gen 7 R2 also automates a wide range of vital security controls too, including unauthorized changes to files,
registry keys and values, directories, processes, services, open ports, and much more, so should be an essential part of any
organizations’ cyber security strategy.
Figure 4: How long do you want to wait before you find out you have been hacked? Average time to detect a breach is still
around 200 days: Change Tracker will enforce a hardened services and processes policy, continuously and in real-time,
exposing indicators of compromise immediately
Step 2 – Harden Systems to Eliminate Unwanted/Unnecessary Services

Control services on Windows
Use Windows PowerShell (RunAs Administrator)
To stop a service, use
Stop-Service -Name <Service_Name_of_Interest>

To disable a service
Set-Service -Name <Service_Name_of_Interest> -StartupType Disabled
hardened profile.
Control services on Linux

From a terminal/putty session,
To stop a service use
Service <Service-Name> stop

Chkconfig <Service-Name>
Systemctl stop <Service-Name>
To disable a service use
Systemctl disable <Service-Name>

Chkconfig <Service-Name> off
Also inspect the /etc/init.d/ path for any service control scripts, run an ls /etc/init.d/ to expose all startup scripts
and rename/remove any that are to be disabled.
hardened profile.
Conclusion - The NNT View
Security hardening is always a balance between maximizing security and delivering

the required functions for a platform. Put simply, the more functions provided by a
platform, the greater the opportunity for attack, because any functionality has the
potential to be abused.
Services are a key dimension of system hardening because default platform

configurations will always include a ‘one-size fits all’ setup, optimized for a quick-
start and fast deployment of common applications. There will almost always be
unnecessary functionality built-in that can be removed and with it, the risk of an
attack based on the misuse of these services.
Even then, there are many other facets to system hardening. NNT technology will
provide you with not just simple-to-use tools for identifying and tracking changes to
services, but as a matter of course encompass visibility of all other key vulnerability
considerations.
This includes the analysis of
open network ports and protocols
installed software and related known vulnerabilities
security-related configuration settings
any new and changed system files
NNT Secure Ops® automates these functions for you within the context of your day-
to-day IT Service Operations to maintain security and expose breach activity. Even
in a dynamic enterprise where security threats would otherwise remain hidden,
NNT can cut out the change noise to clearly identify security issues.
About New Net Technologies (NNT)
New Net Technologies (NNT) is the leading provider of Secure Ops®, which leverages
security through System Integrity along with Intelligent Closed Loop Change Control,
focused on helping organizations reduce their security risk, increase service
availability and achieve continuous compliance.
NNT delivers its Secure Ops® suite by combining:
System Configuration Hardening
Closed Loop Change Control
Vulnerability Management and
Event Log Management
These core security disciplines are defined by the Center for Internet Security and
the SANS Institute as the essential Critical Security Controls for any cyber security
initiative. For more information, visit www.newnettechnologies.com
TO REQUEST A FREE TRIAL OR DISCUSS ANY AREA COVERED IN THIS WHITEPAPER,

PLEASE CONTACT US AT info@nntws.com
New Net Technologies Ltd Copyright ©; All rights reserved. NNT and Change Tracker are registered trademarks of New Net Technologies Ltd. All other
names and trademarks are property of their respective owners.
Hardened Services Guides
Appendix A: Windows Server 2019......................................................Page 10

Appendix B: Windows Server 2016......................................................Page 14
Appendix C: Windows 10.................................................................Page 18
Appendix D: Windows Server 2012R2..................................................Page 23
Appendix E: Windows Server 2008R2.................................................... Page 26
Appendix F: Windows Server RedHat Linux 7........................................Page 29
Appendix G: Windows Server CentOS 7................................................Page 31
Display Name Hardened Start Mode and State Name Service Description Windows Server 2019
ActiveX Installer (AxInstSV) Service Start Mode: Disabled, Expected State: Stopped AxInstSV Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control..
AllJoyn Router Service Start Mode: Manual, Expected State: Stopped, Running AJRouter Routes AllJoyn messages for the local AllJoyn clients. If this service is stopped the AllJoyn clients that do not have their own bundled routers...
App Readiness Service Start Mode: Manual, Expected State: Stopped, Running AppReadiness Gets apps ready for use the first time a user signs in to this PC and when adding new apps.
Application Identity Service Start Mode: Manual, Expected State: Stopped, Running AppIDSvc Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.
Application Information Service Start Mode: Manual, Expected State: Stopped, Running Appinfo Facilitates the running of interactive applications with additional administrative privileges.
Application Layer Gateway Service Start Mode: Disabled, Expected State: Stopped ALG Provides support for 3rd party protocol plug-ins for Internet Connection Sharing
Application Management Service Start Mode: Manual, Expected State: Stopped, Running AppMgmt Processes installation, removal, & enumeration requests for software deployed through Group Policy.
AppX Deployment Service (AppXSVC) Start Mode: Manual, Expected State: Stopped, Running AppXSvc Provides infrastructure support for deploying Store applications.
Auto Time Zone Updater Service Start Mode: Disabled, Expected State: Stopped tzautoupdate Automatically sets the system time zone.
Background Intelligent Transfer Service Start Mode: Manual, Expected State: Stopped, Running BITS Transfers files in the background using idle network bandwidth.
Background Tasks Infrastructure Service Start Mode: Auto, Expected State: Running BrokerInfrastructure Windows infrastructure service that controls which background tasks can run on the system.
Base Filtering Engine Service Start Mode: Auto, Expected State: Running BFE The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode...
Bluetooth Support Service (bthserv) Start Mode: Disabled, Expected State: Stopped bthserv The Bluetooth service supports discovery and association of remote Bluetooth devices.
CDPUserSvc (cdpusersvc) Service Start Mode: Disabled, Expected State: Stopped CDPUserSvc This user service is used for Connected Devices Platform scenarios
Certificate Propagation Service Start Mode: Manual, Expected State: Stopped, Running CertPropSvc Copies user certificates and root certificates from smart cards into the current user’s certificate store, detects when a smart card is inserted...
Client License Service (ClipSVC) Service Start Mode: Manual, Expected State: Stopped, Running ClipSVC Provides infrastructure support for the Microsoft Store. This service is started on demand and if disabled applications bought using Windows...
CNG Key Isolation Service Start Mode: Manual, Expected State: Stopped, Running KeyIso The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated...
COM+ Event System Service Start Mode: Auto, Expected State: Running EventSystem Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model...
COM+ System Application Service Start Mode: Manual, Expected State: Stopped, Running COMSysApp Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based...
Computer Browser Service Start Mode: Disabled, Expected State: Stopped Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers.
Connected Devices Platform Service Start Mode: Auto, Expected State: Running, Stopped CDPSvc This service is used for Connected Devices and Universal Glass scenarios
Connected User Experiences/Telemetry Start Mode: Auto, Expected State: Running DiagTrack The Connected User Experiences and Telemetry service enables features that support in-application and connected user experiences...
Contact Data (PimIndexMaintenanceSvc) Start Mode: Disabled, Expected State: Stopped PimIndexMaintenanceSvc Indexes contact data for fast contact searching. If you stop or disable this service, contacts might be missing from your search results.
CoreMessaging (CoreMessagingRegistrar) Start Mode: Auto, Expected State: Running CoreMessagingRegistrar Manages communication between system components.
Credential Manager Service Start Mode: Manual, Expected State: Stopped, Running VaultSvc Provides secure storage and retrieval of credentials to users, applications and security service packages.
Cryptographic Services Service Start Mode: Auto, Expected State: Running CryptSvc Provides 3 management services: Catalog Database Service, confirms the signatures of Windows files and allows new programs to be installed...
Data Sharing (DsSvc) Service Start Mode: Manual, Expected State: Stopped, Running DsSvc Provides data brokering between applications.
Data Sharing (DcpSvc) Service Start Mode: Manual, Expected State: Stopped, Running DcpSvc The DCP (Data Collection and Publishing) service supports first party apps to upload data to cloud.
DCOM Server Process Launcher Service Start Mode: Auto, Expected State: Running DcomLaunch The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests.
Device Association Service Start Mode: Manual, Expected State: Stopped, Running DeviceAssociationService Enables pairing between the system and wired or wireless devices.
Device Install (DeviceInstall) Service Start Mode: Manual, Expected State: Stopped, Running DeviceInstall Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result.
Device Management Enrollment Service Start Mode: Manual, Expected State: Stopped, Running DmEnrollmentSvc Performs Device Enrollment Activities for Device Management
Device Setup (DsmSvc) Service Start Mode: Manual, Expected State: Stopped, Running DsmSvc Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated.
DevQuery Background Discovery Broker Start Mode: Manual, Expected State: Stopped, Running DevQueryBroker Enables apps to discover devices with a backgroud task
DHCP Client Service Start Mode: Auto, Expected State: Running Dhcp Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP...
Diagnostic Policy Service Start Mode: Auto, Expected State: Running DPS The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components.
Diagnostic Service Host Service Start Mode: Disabled, Expected State: Stopped WdiServiceHost The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context.
Diagnostic System Host Service Start Mode: Disabled, Expected State: Stopped WdiSystemHost The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context.
Distributed Link Tracking Client Service Start Mode: Auto, Expected State: Running TrkWks Maintains links between NTFS files within a computer or across computers in a network.
Distributed Transaction Coordinator Start Mode: Auto, Expected State: Running MSDTC Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DMWAPPushService Start Mode: Disabled, Expected State: Stopped dmwappushservice WAP Push Message Routing Service
DNS Client Service Start Mode: Auto, Expected State: Running Dnscache The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer.
Downloaded Maps Manager Start Mode: Disabled, Expected State: Stopped MapsBroker Windows service for application access to downloaded maps. This service is started on-demand by application accessing...
Embedded Mode Service Start Mode: Manual, Expected State: Stopped, Running embeddedmode The Embedded Mode service enables scenarios related to Background Applications.
Encrypting File System (EFS) Service Start Mode: Manual, Expected State: Stopped, Running EFS Provides the core file encryption technology used to store encrypted files on NTFS file system volumes.
Enterprise App Management (EntAppSvc) Start Mode: Manual, Expected State: Stopped, Running EntAppSvc Enables enterprise application management.
Extensible Authentication Protocol Start Mode: Disabled, Expected State: Stopped EapHost The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless...
Function Discovery Provider Host Service Start Mode: Disabled, Expected State: Stopped fdPHost The FDPHOST service hosts the Function Discovery (FD) network discovery providers. These FD providers supply network discovery...
Function Discovery Resource Publication Start Mode: Disabled, Expected State: Stopped FDResPub Publishes this computer and resources attached to this computer so they can be discovered over the network.
Geolocation (lfsvc) Service Start Mode: Disabled, Expected State: Stopped lfsvc This service monitors the current location of the system and manages geofences (a geographical location with associated events).
Group Policy Client Service Start Mode: Auto, Expected State: Running gpsvc The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy...disabled.
Human Interface Device Access Service Start Mode: Disabled, Expected State: Stopped hidserv Activates and maintains the use of hot buttons on keyboards, remote controls, and other multimedia devices.
HV Host Service Start Mode: Manual, Expected State: Stopped, Running HvHost Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
Hyper-V Data Exchange Service Service Start Mode: Manual, Expected State: Stopped, Running vmickvpexchange Provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.
Hyper-V Guest Service Interface Service Start Mode: Manual, Expected State: Running, Stopped vmicguestinterface Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Hyper-V Guest Shutdown Service Service Start Mode: Manual, Expected State: Running, Stopped vmicshutdown A mechanism to shut down the operating system of this virtual machine from the management interfaces on the physical computer.
Hyper-V Heartbeat Service Service Start Mode: Manual, Expected State: Running, Stopped vmicheartbeat Monitors the state of this virtual machine by reporting a heartbeat at regular intervals.
Hyper-V PowerShell Direct Service Start Mode: Manual, Expected State: Running, Stopped vmicvmsession Provides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.
Hyper-V Remote Desktop Virtualization Start Mode: Manual, Expected State: Running, Stopped vmicrdv Provides a platform for communication between the virtual machine and the operating system running on the physical computer.
Hyper-V Time Synchronization Service Start Mode: Manual, Expected State: Running, Stopped vmictimesync Synchronizes the system time of this virtual machine with the system time of the physical computer.
Hyper-V Volume Shadow Copy Requestor Start Mode: Manual, Expected State: Running, Stopped vmicvss Coordinates the communications that are required to use Volume Shadow Copy Service to back up applications and data on this virtual...
IKE and AuthIP IPsec Keying Modules Start Mode: Manual, Expected State: Stopped, Running IKEEXT The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules.
Interactive Services Detection Service Start Mode: Disabled, Expected State: Stopped UI0Detect Enables user notification of user input for interactive services, enables access to dialogs created by interactive services
Internet Connection Sharing (ICS) Service Start Mode: Disabled, Expected State: Stopped SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home/small office network.
IP Helper Service Start Mode: Disabled, Expected State: Stopped iphlpsvc Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS.
IPsec Policy Agent Service Start Mode: Manual, Expected State: Stopped, Running PolicyAgent Supports network-level peer/data origin authentication, data integrity, confidentiality (encryption), and replay protection.
KDC Proxy Server service Service Start Mode: Manual, Expected State: Stopped, Running KPSSVC KDC Proxy Server service runs on edge servers to proxy Kerberos protocol messages to domain controllers on the corporate network.
KtmRm Dist’ed Transaction Coordinator Start Mode: Manual, Expected State: Stopped, Running KtmRm Coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM).
Link-Layer Topology Discovery Mapper Start Mode: Disabled, Expected State: Stopped lltdsvc Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device.
Local Session Manager Service Start Mode: Automatic, Expected State: Running LSM Core Windows Service that manages local user sessions. Stopping or disabling this service will result in system instability.
Microsoft Diagnostics Hub Std. Collector Start Mode: Manual, Expected State: Stopped, Running diagnosticshub. Diagnostics Hub Standard Collector Service. When running, this service collects real time ETW events and processes them.
standardcollector.service
Microsoft App-V Client Service Start Mode: Disabled, Expected State: Stopped wlidsvc Enables user sign-in through Microsoft account identity services.
Microsoft Account Sign-in Assistant Start Mode: Disabled, Expected State: Stopped AppVClient Manages App-V users and virtual applications
Microsoft iSCSI Initiator Service Start Mode: Manual, Expected State: Stopped MSiSCSI Manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices.
Microsoft Passport (NgcSvc) Service Start Mode: Disabled, Expected State: Stopped NgcSvc Provides process isolation for cryptographic keys used to authenticate to a user’s associated identity providers.
Microsoft Passport Container Service Start Mode: Disabled, Expected State: Stopped NgcCtnrSvc Manages local user identity keys used to authenticate user to identity providers as well as TPM virtual smart cards.
Microsoft Software Shadow Copy Provider Start Mode: Manual, Expected State: Stopped, Running swprv Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
Microsoft Storage Spaces SMP (smphost) Start Mode: Manual, Expected State: Stopped, Running smphost Host service for the Microsoft Storage Spaces management provider.
Net.Tcp Port Sharing Service Start Mode: Disabled, Expected State: Stopped NetTcpPortSharing Provides ability to share TCP ports over the net.tcp protocol.
Netlogon Service Start Mode: Manual, Expected State: Stopped, Running Netlogon Maintains a secure channel between this computer and the domain controller for authenticating users and services.
Network Access Protection Agent Start Mode: Disabled, Expected State: Stopped NcbService Brokers connections that allow Windows Store Apps to receive notifications from the internet.
Network Connections Service Start Mode: Manual, Expected State: Stopped, Running Netman Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Network Connectivity Assistant Start Mode: Disabled, Expected State: Stopped NcaSvc Provides DirectAccess status notification for UI components
Network List Service Start Mode: Manual, Expected State: Stopped, Running netprofm Identifies networks connected to, collects/stores properties for these networks, notifies applications properties change.
Network Location Awareness Service Start Mode: Auto, Expected State: Stopped, Running NlaSvc Collects and stores configuration information for the network and notifies programs when this information is modified.
Network Setup (NetSetupSvc) Service Start Mode: Manual, Expected State: Stopped, Running NetSetupSvc The Network Setup Service manages the installation of network drivers and permits the configuration of low-level network settings.
Network Store Interface Service Start Mode: Auto, Expected State: Running nsi This service delivers network notifications (e.g. interface addition/deleting etc) to user mode clients.
Offline Files (CscService) Service Start Mode: Disabled, Expected State: Stopped CscService The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events...
Optimize Drives (defragsvc) Service Start Mode: Manual, Expected State: Stopped, Running defragsvc Helps the computer run more efficiently by optimizing files on storage drives.
Performance Counter DLL Host Start Mode: Manual, Expected State: Stopped, Runnin PerfHost Enables remote users and 64-bit processes to query performance counters provided by 32-bit DLLs.
Performance Logs and Alerts Service Start Mode: Manual, Expected State: Stopped, Running pla Performance Logs and Alerts Collects performance data from local or remote computers based on preconfigured schedule parameters...
Phone (PhoneSvc) Service Start Mode: Disabled, Expected State: Stopped PhoneSvc Manages the telephony state on the device
Plug and Play Service Start Mode: Manual, Expected State: Stopped, Running PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input.
Portable Device Enumerator Service Start Mode: Manual, Expected State: Stopped, Running WPDBusEnum Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to...
Power Service Start Mode: Auto, Expected State: Running Power Manages power policy and power policy notification delivery.
Print Spooler Service Start Mode: Disabled, Expected State: Stopped Spooler Spools print jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers.
Printer Extensions and Notifications Start Mode: Disabled, Expected State: Stopped PrintNotify This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer.
Problem Reports/Solutions Ctrl Panel Start Mode: Disabled, Expected State: Stopped wercplsupport Provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel.
Program Compatibility Assistant (PcaSvc) Start Mode: Disabled, Expected State: Stopped PcaSvc Program Compatibility Assistant monitors programs installed and run by a user and detects known compatibility problems.
Quality Windows Audio Video Experience Start Mode: Disabled, Expected State: Stopped QWAVE Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks.
Radio Management Service Service Start Mode: Disabled, Expected State: Stopped RmSvc Radio Management and Airplane Mode Service
Remote Access Auto Connection Manager Start Mode: Disabled, Expected State: Stopped RasAuto Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager Start Mode: Disabled, Expected State: Stopped RasMan Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks.
Remote Desktop Configuration Service Start Mode: Manual, Expected State: Running SessionEnv Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop Services and Remote Desktop related configuration and...
Remote Desktop Services Service Start Mode: Manual, Expected State: Running TermService Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service.
RDP UserMode Port Redirector Start Mode: Manual, Expected State: Running UmRdpService Allows the redirection of Printers/Drives/Ports for RDP connections
Remote Procedure Call (RPC) Service Start Mode: Auto, Expected State: Running RpcSs The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activations requests, object exporter resolutions
Remote Procedure Call (RPC) Locator Start Mode: Disabled, Expected State: Stopped RpcLocator In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database.
Remote Registry Service Start Mode: Auto, Expected State: Stopped/Running RemoteRegistry Enables remote users to modify registry settings on this computer.
Resultant Set of Policy Provider Service Start Mode: Manual, Expected State: Stopped, Running RSoPProv Provides a network service that processes requests to simulate application of Group Policy settings for a target user or computer in various...
Routing and Remote Access Service Start Mode: Disabled, Expected State: Stopped RemoteAccess Offers routing services to businesses in local area and wide area network environments.
RPC Endpoint Mapper Service Start Mode: Auto, Expected State: Running RpcEptMapper Resolves RPC interfaces identifiers to transport endpoints.
Secondary Logon Service Start Mode: Manual, Expected State: Stopped, Running seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable.
Secure Socket Tunneling Protocol Service Start Mode: Manual, Expected State: Stopped, Running SstpSvc Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN.
Security Accounts Manager Service Start Mode: Auto, Expected State: Running SamSs Startup of this service signals that the Security Accounts Manager (SAM) is ready to accept requests.
Sensor Data Service Service Start Mode: Disabled, Expected State: Stopped SensorDataService Delivers data from a variety of sensors
Sensor Monitoring Service Service Start Mode: Disabled, Expected State: Stopped SensrSvc Monitors various sensors in order to expose data and adapt to system and user state.
Sensor Service (SensorService) Service Start Mode: Disabled, Expected State: Stopped SensorService A service for sensors that manages different sensors’ functionality. Manages Simple Device Orientation (SDO) and History for sensors.
Server Service Start Mode: Auto, Expected State: Running LanmanServer Supports file, print, and named-pipe sharing over the network for this computer.
Shell Hardware Detection Service Start Mode: Auto, Expected State: Running ShellHWDetection Provides notifications for AutoPlay hardware events.
Smart Card Service Start Mode: Disabled, Expected State: Stopped SCardSvr Manages access to smart cards read by this computer.
Smart Card Device Enumeration Service Start Mode: Disabled, Expected State: Stopped ScDeviceEnum Creates software device nodes for all smart card readers accessible to a given session.
Smart Card Removal Policy Service Start Mode: Disabled, Expected State: Stopped SCPolicySvc Allows the system to be configured to lock the user desktop upon smart card removal.
SNMP Trap Service Start Mode: Disabled, Expected State: Stopped SNMPTRAP Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents.
Software Protection Service Start Mode: Auto, Expected State: Stopped, Running sppsvc Enables the download, installation and enforcement of digital licenses for Windows and Windows applications.
Special Administration Console Helper Start Mode: Manual, Expected State: Stopped, Running sacsvr Allows administrators to remotely access a command prompt using Emergency Management Services.
Spot Verifier Service Start Mode: Manual, Expected State: Stopped, Running svsvc Verifies potential file system corruptions.
SSDP Discovery Service Start Mode: Disabled, Expected State: Stopped SSDPSRV Discovers networked devices & services using SSDP discovery protocol, such as UPnP devices.
State Repository Service Start Mode: Manual, Expected State: Stopped, Running StateRepository Provides required infrastructure support for the application model.
Still Image Acquisition Events Service Start Mode: Disabled, Expected State: Stopped WiaRpc Launches applications associated with still image acquisition events.
Storage (StorSvc) Service Start Mode: Manual, Expected State: Stopped, Running StorSvc Provides enabling services for storage settings and external storage expansion
Storage Tiers Management Service Start Mode: Manual, Expected State: Stopped, Running TieringEngineService Optimizes the placement of data in storage tiers on all tiered storage spaces in the system.
Superfetch Service Start Mode: Disabled, Expected State: Stopped SysMain Maintains and improves system performance over time.
Sync Host (OneSyncSvc) Service Start Mode: Disabled, Expected State: Stopped OneSyncSvc This service synchronizes mail, contacts, calendar and various other user data.
System Event Notification Service Start Mode: Auto, Expected State: Running SENS Monitors system events and notifies subscribers to COM+ Event System of these events.
System Events Broker Service Start Mode: Auto, Expected State: Running SystemEventsBroker Coordinates execution of background work for WinRT application. If service is stopped/disabled, background work might not be triggered.
Task Scheduler Service Start Mode: Auto, Expected State: Running Schedule Enables a user to configure & schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks.
TCP/IP NetBIOS Helper Service Start Mode: Manual, Expected State: Running lmhosts Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network...
Telephony Service Start Mode: Disabled, Expected State: Stopped TapiSrv Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN...
Themes Service Start Mode: Disabled, Expected State: Stopped Themes Provides user experience theme management.
Tile Data model server Service Start Mode: Auto, Expected State: Running tiledatamodelsvc Tile Server for tile updates.
Time Broker (TimeBrokerSvc) Service Start Mode: Manual, Expected State: Stopped, Running TimeBrokerSvc Coordinates execution of background work for WinRT application. If service is stopped, background work might not be triggered.
Touch Keyboard and Handwriting Panel Start Mode: Disabled, Expected State: Stopped TabletInputService Enables Touch Keyboard and Handwriting Panel pen and ink functionality
Update Orchestrator for Windows Update Start Mode: Manual, Expected State: Stopped, Running UsoSvc Manages Windows Updates. If stopped, your devices will not be able to download and install latest updates.
UPnP Device Host Service Start Mode: Disabled, Expected State: Stopped upnphost Allows UPnP devices to be hosted on this computer.
User Access Logging Service Start Mode: Auto, Expected State: Running UALSVC Logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.
User Data Access (UserDataSvc) Service Start Mode: Disabled, Expected State: Stopped UserDataSvc Provides apps access to structured user data, including contact info, calendars, messages, and other content.
User Data Storage (UnistoreSvc) Service Start Mode: Disabled, Expected State: Stopped UnistoreSvc Handles storage of structured user data, including contact info, calendars, messages, and other content.
User Experience Virtualization Service Start Mode: Disabled, Expected State: Stopped UevAgentService Provides support for application and OS settings roaming
User Manager (UserManager) Service Start Mode: Auto, Expected State: Running UserManager User Manager provides the runtime components required for multi-user interaction.
User Profile (ProfSvc) Service Start Mode: Auto, Expected State: Running ProfSvc This service is responsible for loading and unloading user profiles.
Virtual Disk Service Start Mode: Manual, Expected State: Stopped, Running vds Provides management services for disks, volumes, file systems, and storage arrays.
Volume Shadow Copy Service Start Mode: Manual, Expected State: Stopped, Running VSS Manages and implements Volume Shadow Copies used for backup and other purposes.
WalletService (WalletService) Service Start Mode: Disabled, Expected State: Stopped WalletService Hosts objects used by clients of the wallet
Windows Audio Service Start Mode: Disabled, Expected State: Stopped Audiosrv Manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly.
Windows Audio Endpoint Builder Service Start Mode: Disabled, Expected State: Stopped AudioEndpointBuilder Manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects will not function properly.
Windows Biometric Service Start Mode: Disabled, Expected State: Stopped WbioSrvc The Windows biometric service gives client applications the ability to capture, compare, manipulate, and store biometric data without...
Windows Connection Manager Service Start Mode: Auto, Expected State: Running FrameServer Enables multiple clients to access video frames from camera devices.
Windows Camera Frame Service Start Mode: Disabled, Expected State: Stopped Wcmsvc Makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables...
Windows Defender Network Inspection Start Mode: Manual, Expected State: Stopped/Running WdNisSvc Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols
Windows Defender (WinDefend) Service Start Mode: Auto, Expected State: Running WinDefend Helps protect users from malware and other potentially unwanted software
Win Drvr Foundation User-mode Drvr FW Start Mode: Manual, Expected State: Running/Stopped wudfsvc Creates and manages user-mode driver processes. This service cannot be stopped.
Windows Encryption Provider Host Start Mode: Disabled, Expected State: Stopped WEPHOSTSVC Windows Encryption Provider Host Service brokers encryption related functionalities from 3rd Party Encryption Providers to processes...
Windows Error Reporting Service Start Mode: Manual, Expected State: Running/Stopped WerSvc Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered.
Windows Event Collector Service Start Mode: Manual, Expected State: Running/Stopped Wecsvc This service manages persistent subscriptions to events from remote sources that support WS-Management protocol.
Windows Event Log Service Start Mode: Auto, Expected State: Running EventLog This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs...
Windows Firewall Service Start Mode: Auto, Expected State: Running MpsSvc Windows Firewall protects your computer by preventing unauthorized users from gaining access through the Internet or a network.
Windows Font Cache Service Start Mode: Auto, Expected State: Stopped, Running FontCache Optimizes performance of applications by caching commonly used font data.
Windows Image Acquisition Service Start Mode: Disabled, Expected State: Stopped stisvc Provides image acquisition services for scanners and cameras
Windows Insider (wisvc) Service Start Mode: Disabled, Expected State: Stopped wisvc wisvc
Windows Installer Service Start Mode: Manual, Expected State: Stopped, Running msiserver Adds, modifies, and removes applications provided as a Windows Installer (*.msi, *.msp) package.
Windows License Manager Service Start Mode: Manual, Expected State: Stopped, Running LicenseManager Provides infrastructure support for the Windows Store.
Windows Management Instr’tion Start Mode: Auto, Expected State: Running Winmgmt Provides a common interface and object model to access management information about OS, devices, applications and services.
Windows Mobile Hotspot Service Start Mode: Disabled, Expected State: Stopped icssvc Provides the ability to share a cellular data connection with another device.
Windows Modules Installer Service Start Mode: Manual, Expected State: Stopped, Running TrustedInstaller Enables installation, modification, and removal of Windows updates and optional components.
Windows Push Notifications System Start Mode: Disabled, Expected State: Stopped WpnService Runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server.
Win Push Notifications User Service Start Mode: Disabled, Expected State: Stopped WpnUserService Hosts Windows notification platform which provides support for local and push notifications. Supported notifications are tile, toast and raw.
Windows Remote Management Start Mode: Auto, Expected State: Stopped, Running WinRM Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management.
Windows Search (WSearch) Service Start Mode: Disabled, Expected State: Stopped WSearch Provides content indexing, property caching, and search results for files, e-mail, and other content.
Windows Time Service Start Mode: Auto, Expected State: Running W32Time Maintains date and time synchronization on all clients and servers in the network.
Windows Update Service Start Mode: Manual, Expected State: Stopped/Running wuauserv Enables the detection, download, and installation of updates for Windows and other programs
WinHTTP Web Proxy Auto-Discovery Start Mode: Manual, Expected State: Stopped/Running WinHttpAutoProxySvc Client HTTP stack, provides developers with a Win32 API/COM Automation component for sending HTTP requests/receiving responses.
Wired AutoConfig Service Start Mode: Disabled, Expected State: Stopped dot3svc The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces.
WMI Performance Adapter Service Start Mode: Manual, Expected State: Stopped, Running wmiApSrv Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network.
Workstation Service Start Mode: Auto, Expected State: Running LanmanWorkstation Creates and maintains client network connections to remote servers using the SMB protocol.
Xbox Live Auth Manager Service Start Mode: Disabled, Expected State: Stopped XblAuthManager Provides authentication and authorization services for interacting with Xbox Live.
Xbox Live Game Save Service Start Mode: Disabled, Expected State: Stopped XblGameSave This service syncs save data for Xbox Live save enabled games.
ActiveX Installer (AxInstSV) Service Start Mode: Disabled, Expected State: Stopped AxInstSV Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control..
AllJoyn Router Service Start Mode: Manual, Expected State: Stopped, Running AJRouter Routes AllJoyn messages for the local AllJoyn clients. If this service is stopped the AllJoyn clients that do not have their own bundled routers...
App Readiness Service Start Mode: Manual, Expected State: Stopped, Running AppReadiness Gets apps ready for use the first time a user signs in to this PC and when adding new apps.
Application Host Helper Service Start Mode: Auto, Expected State: Running AppHostSvc Provides administrative services for IIS, for example configuration history and Application Pool account mapping.
Application Identity Service Start Mode: Manual, Expected State: Stopped, Running AppIDSvc Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.
Application Information Service Start Mode: Manual, Expected State: Stopped, Running Appinfo Facilitates the running of interactive applications with additional administrative privileges.
Application Layer Gateway Service Start Mode: Disabled, Expected State: Stopped ALG Provides support for 3rd party protocol plug-ins for Internet Connection Sharing
Application Management Service Start Mode: Manual, Expected State: Stopped, Running AppMgmt Processes installation, removal, & enumeration requests for software deployed through Group Policy.
AppX Deployment Service (AppXSVC) Start Mode: Manual, Expected State: Stopped, Running AppXSvc Provides infrastructure support for deploying Store applications.
ASP.NET State Service (aspnet_state) Start Mode: Manual, Expected State: Stopped, Running aspnet_state Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed.
Auto Time Zone Updater Service Start Mode: Disabled, Expected State: Stopped tzautoupdate Automatically sets the system time zone.
Background Intelligent Transfer Service Start Mode: Manual, Expected State: Stopped, Running BITS Transfers files in the background using idle network bandwidth.
Background Tasks Infrastructure Service Start Mode: Auto, Expected State: Running BrokerInfrastructure Windows infrastructure service that controls which background tasks can run on the system.
Base Filtering Engine Service Start Mode: Auto, Expected State: Running BFE The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode...
Bluetooth Support Service (bthserv) Start Mode: Disabled, Expected State: Stopped bthserv The Bluetooth service supports discovery and association of remote Bluetooth devices.
CDPUserSvc (cdpusersvc) Service Start Mode: Disabled, Expected State: Stopped CDPUserSvc This user service is used for Connected Devices Platform scenarios
Certificate Propagation Service Start Mode: Manual, Expected State: Stopped, Running CertPropSvc Copies user certificates and root certificates from smart cards into the current user’s certificate store, detects when a smart card is inserted...
Client License Service (ClipSVC) Service Start Mode: Manual, Expected State: Stopped, Running ClipSVC Provides infrastructure support for the Microsoft Store. This service is started on demand and if disabled applications bought using Windows...
CNG Key Isolation Service Start Mode: Manual, Expected State: Stopped, Running KeyIso The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated...
COM+ Event System Service Start Mode: Auto, Expected State: Running EventSystem Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model...
COM+ System Application Service Start Mode: Manual, Expected State: Stopped, Running COMSysApp Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based...
Computer Browser Service Start Mode: Disabled, Expected State: Stopped Browser Maintains an updated list of computers on the network and supplies this list to computers designated as browsers.
Connected Devices Platform Service Start Mode: Auto, Expected State: Running, Stopped CDPSvc This service is used for Connected Devices and Universal Glass scenarios
Connected User Experiences/Telemetry Start Mode: Auto, Expected State: Running DiagTrack The Connected User Experiences and Telemetry service enables features that support in-application and connected user experiences...
Contact Data (PimIndexMaintenanceSvc) Start Mode: Disabled, Expected State: Stopped PimIndexMaintenanceSvc Indexes contact data for fast contact searching. If you stop or disable this service, contacts might be missing from your search results.
CoreMessaging (CoreMessagingRegistrar) Start Mode: Auto, Expected State: Running CoreMessagingRegistrar Manages communication between system components.
Credential Manager Service Start Mode: Manual, Expected State: Stopped, Running VaultSvc Provides secure storage and retrieval of credentials to users, applications and security service packages.
Cryptographic Services Service Start Mode: Auto, Expected State: Running CryptSvc Provides 3 management services: Catalog Database Service, confirms the signatures of Windows files and allows new programs to be installed...
Data Sharing (DsSvc) Service Start Mode: Manual, Expected State: Stopped, Running DsSvc Provides data brokering between applications.
Data Sharing (DcpSvc) Service Start Mode: Manual, Expected State: Stopped, Running DcpSvc The DCP (Data Collection and Publishing) service supports first party apps to upload data to cloud.
DCOM Server Process Launcher Service Start Mode: Auto, Expected State: Running DcomLaunch The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests.
Device Association Service Start Mode: Manual, Expected State: Stopped, Running DeviceAssociationService Enables pairing between the system and wired or wireless devices.
Device Install (DeviceInstall) Service Start Mode: Manual, Expected State: Stopped, Running DeviceInstall Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result.
Device Management Enrollment Service Start Mode: Manual, Expected State: Stopped, Running DmEnrollmentSvc Performs Device Enrollment Activities for Device Management
Device Setup (DsmSvc) Service Start Mode: Manual, Expected State: Stopped, Running DsmSvc Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated.
DevQuery Background Discovery Broker Start Mode: Manual, Expected State: Stopped, Running DevQueryBroker Enables apps to discover devices with a backgroud task
DHCP Client Service Start Mode: Auto, Expected State: Running Dhcp Registers and updates IP addresses and DNS records for this computer. If this service is stopped, this computer will not receive dynamic IP...
Diagnostic Policy Service Start Mode: Auto, Expected State: Running DPS The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components.
Diagnostic Service Host Service Start Mode: Disabled, Expected State: Stopped WdiServiceHost The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context.
Diagnostic System Host Service Start Mode: Disabled, Expected State: Stopped WdiSystemHost The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context.
Distributed Link Tracking Client Service Start Mode: Auto, Expected State: Running TrkWks Maintains links between NTFS files within a computer or across computers in a network.
Distributed Transaction Coordinator Start Mode: Auto, Expected State: Running MSDTC Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DMWAPPushService Start Mode: Disabled, Expected State: Stopped dmwappushservice WAP Push Message Routing Service
DNS Client Service Start Mode: Auto, Expected State: Running Dnscache The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer.
Downloaded Maps Manager Start Mode: Disabled, Expected State: Stopped MapsBroker Windows service for application access to downloaded maps. This service is started on-demand by application accessing...
Embedded Mode Service Start Mode: Manual, Expected State: Stopped, Running embeddedmode The Embedded Mode service enables scenarios related to Background Applications.
Enhanced Mitigation Experience Toolkit Start Mode: Manual, Expected State: Stopped, Running emet_service The Enhanced Mitigation Experience Toolkit (EMET) helps prevent vulnerabilities in software from being successfully exploited.
Encrypting File System (EFS) Service Start Mode: Manual, Expected State: Stopped, Running EFS Provides the core file encryption technology used to store encrypted files on NTFS file system volumes.
Enterprise App Management (EntAppSvc) Start Mode: Manual, Expected State: Stopped, Running EntAppSvc Enables enterprise application management.
Extensible Authentication Protocol Start Mode: Disabled, Expected State: Stopped EapHost The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless...
Function Discovery Provider Host Service Start Mode: Disabled, Expected State: Stopped fdPHost The FDPHOST service hosts the Function Discovery (FD) network discovery providers. These FD providers supply network discovery...
Function Discovery Resource Publication Start Mode: Disabled, Expected State: Stopped FDResPub Publishes this computer and resources attached to this computer so they can be discovered over the network.
Geolocation (lfsvc) Service Start Mode: Disabled, Expected State: Stopped lfsvc This service monitors the current location of the system and manages geofences (a geographical location with associated events).
Group Policy Client Service Start Mode: Auto, Expected State: Running gpsvc The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy...disabled.
Human Interface Device Access Service Start Mode: Disabled, Expected State: Stopped hidserv Activates and maintains the use of hot buttons on keyboards, remote controls, and other multimedia devices.
HV Host Service Start Mode: Manual, Expected State: Stopped, Running HvHost Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
Hyper-V Data Exchange Service Service Start Mode: Manual, Expected State: Stopped, Running vmickvpexchange Provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.
Hyper-V Guest Service Interface Service Start Mode: Manual, Expected State: Running, Stopped vmicguestinterface Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Hyper-V Guest Shutdown Service Service Start Mode: Manual, Expected State: Running, Stopped vmicshutdown A mechanism to shut down the operating system of this virtual machine from the management interfaces on the physical computer.
Hyper-V Heartbeat Service Service Start Mode: Manual, Expected State: Running, Stopped vmicheartbeat Monitors the state of this virtual machine by reporting a heartbeat at regular intervals.
Hyper-V PowerShell Direct Service Start Mode: Manual, Expected State: Running, Stopped vmicvmsession Provides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.
Hyper-V Remote Desktop Virtualization Start Mode: Manual, Expected State: Running, Stopped vmicrdv Provides a platform for communication between the virtual machine and the operating system running on the physical computer.
Hyper-V Time Synchronization Service Start Mode: Manual, Expected State: Running, Stopped vmictimesync Synchronizes the system time of this virtual machine with the system time of the physical computer.
Hyper-V Volume Shadow Copy Requestor Start Mode: Manual, Expected State: Running, Stopped vmicvss Coordinates the communications that are required to use Volume Shadow Copy Service to back up applications and data on this virtual...
IKE and AuthIP IPsec Keying Modules Start Mode: Manual, Expected State: Stopped, Running IKEEXT The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules.
Interactive Services Detection Service Start Mode: Disabled, Expected State: Stopped UI0Detect Enables user notification of user input for interactive services, enables access to dialogs created by interactive services
Internet Connection Sharing (ICS) Service Start Mode: Disabled, Expected State: Stopped SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home/small office network.
IP Helper Service Start Mode: Disabled, Expected State: Stopped iphlpsvc Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS.
IPsec Policy Agent Service Start Mode: Manual, Expected State: Stopped, Running PolicyAgent Supports network-level peer/data origin authentication, data integrity, confidentiality (encryption), and replay protection.
KDC Proxy Server service Service Start Mode: Manual, Expected State: Stopped, Running KPSSVC KDC Proxy Server service runs on edge servers to proxy Kerberos protocol messages to domain controllers on the corporate network.
KtmRm Dist’ed Transaction Coordinator Start Mode: Manual, Expected State: Stopped, Running KtmRm Coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM).
Link-Layer Topology Discovery Mapper Start Mode: Disabled, Expected State: Stopped lltdsvc Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device.
Local Session Manager Service Start Mode: Automatic, Expected State: Running LSM Core Windows Service that manages local user sessions. Stopping or disabling this service will result in system instability.
Microsoft Diagnostics Hub Std. Collector Start Mode: Manual, Expected State: Stopped, Running diagnosticshub. Diagnostics Hub Standard Collector Service. When running, this service collects real time ETW events and processes them.
standardcollector.service
Microsoft App-V Client Service Start Mode: Disabled, Expected State: Stopped wlidsvc Enables user sign-in through Microsoft account identity services.
Microsoft Account Sign-in Assistant Start Mode: Disabled, Expected State: Stopped AppVClient Manages App-V users and virtual applications
Microsoft iSCSI Initiator Service Start Mode: Manual, Expected State: Stopped MSiSCSI Manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices.
Microsoft Passport (NgcSvc) Service Start Mode: Disabled, Expected State: Stopped NgcSvc Provides process isolation for cryptographic keys used to authenticate to a user’s associated identity providers.
Microsoft Passport Container Service Start Mode: Disabled, Expected State: Stopped NgcCtnrSvc Manages local user identity keys used to authenticate user to identity providers as well as TPM virtual smart cards.
Microsoft Software Shadow Copy Provider Start Mode: Manual, Expected State: Stopped, Running swprv Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
Microsoft Storage Spaces SMP (smphost) Start Mode: Manual, Expected State: Stopped, Running smphost Host service for the Microsoft Storage Spaces management provider.
Net.Tcp Port Sharing Service Start Mode: Disabled, Expected State: Stopped NetTcpPortSharing Provides ability to share TCP ports over the net.tcp protocol.
Netlogon Service Start Mode: Manual, Expected State: Stopped, Running Netlogon Maintains a secure channel between this computer and the domain controller for authenticating users and services.
Network Access Protection Agent Start Mode: Disabled, Expected State: Stopped NcbService Brokers connections that allow Windows Store Apps to receive notifications from the internet.
Network Connections Service Start Mode: Manual, Expected State: Stopped, Running Netman Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Network Connectivity Assistant Start Mode: Disabled, Expected State: Stopped NcaSvc Provides DirectAccess status notification for UI components
Network List Service Start Mode: Manual, Expected State: Stopped, Running netprofm Identifies networks connected to, collects/stores properties for these networks, notifies applications properties change.
Network Location Awareness Service Start Mode: Auto, Expected State: Stopped, Running NlaSvc Collects and stores configuration information for the network and notifies programs when this information is modified.
Network Setup (NetSetupSvc) Service Start Mode: Manual, Expected State: Stopped, Running NetSetupSvc The Network Setup Service manages the installation of network drivers and permits the configuration of low-level network settings.
Network Store Interface Service Start Mode: Auto, Expected State: Running nsi This service delivers network notifications (e.g. interface addition/deleting etc) to user mode clients.
Offline Files (CscService) Service Start Mode: Disabled, Expected State: Stopped CscService The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events...
Optimize Drives (defragsvc) Service Start Mode: Manual, Expected State: Stopped, Running defragsvc Helps the computer run more efficiently by optimizing files on storage drives.
Performance Counter DLL Host Start Mode: Manual, Expected State: Stopped, Runnin PerfHost Enables remote users and 64-bit processes to query performance counters provided by 32-bit DLLs.
Performance Logs and Alerts Service Start Mode: Manual, Expected State: Stopped, Running pla Performance Logs and Alerts Collects performance data from local or remote computers based on preconfigured schedule parameters...
Phone (PhoneSvc) Service Start Mode: Disabled, Expected State: Stopped PhoneSvc Manages the telephony state on the device
Plug and Play Service Start Mode: Manual, Expected State: Stopped, Running PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input.
Portable Device Enumerator Service Start Mode: Manual, Expected State: Stopped, Running WPDBusEnum Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to...
Power Service Start Mode: Auto, Expected State: Running Power Manages power policy and power policy notification delivery.
Print Spooler Service Start Mode: Disabled, Expected State: Stopped Spooler Spools print jobs and handles interaction with the printer. If you turn off this service, you won’t be able to print or see your printers.
Printer Extensions and Notifications Start Mode: Disabled, Expected State: Stopped PrintNotify This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer.
Problem Reports/Solutions Ctrl Panel Start Mode: Disabled, Expected State: Stopped wercplsupport Provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel.
Program Compatibility Assistant (PcaSvc) Start Mode: Disabled, Expected State: Stopped PcaSvc Program Compatibility Assistant monitors programs installed and run by a user and detects known compatibility problems.
Quality Windows Audio Video Experience Start Mode: Disabled, Expected State: Stopped QWAVE Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks.
Radio Management Service Service Start Mode: Disabled, Expected State: Stopped RmSvc Radio Management and Airplane Mode Service
Remote Access Auto Connection Manager Start Mode: Disabled, Expected State: Stopped RasAuto Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager Start Mode: Disabled, Expected State: Stopped RasMan Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks.
Remote Desktop Configuration Service Start Mode: Manual, Expected State: Running SessionEnv Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop Services and Remote Desktop related configuration and...
Remote Desktop Services Service Start Mode: Manual, Expected State: Running TermService Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service.
RDP UserMode Port Redirector Start Mode: Manual, Expected State: Running UmRdpService Allows the redirection of Printers/Drives/Ports for RDP connections
Remote Procedure Call (RPC) Service Start Mode: Auto, Expected State: Running RpcSs The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activations requests, object exporter resolutions
Remote Procedure Call (RPC) Locator Start Mode: Disabled, Expected State: Stopped RpcLocator In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database.
Remote Registry Service Start Mode: Auto, Expected State: Stopped/Running RemoteRegistry Enables remote users to modify registry settings on this computer.
Resultant Set of Policy Provider Service Start Mode: Manual, Expected State: Stopped, Running RSoPProv Provides a network service that processes requests to simulate application of Group Policy settings for a target user or computer in various...
Routing and Remote Access Service Start Mode: Disabled, Expected State: Stopped RemoteAccess Offers routing services to businesses in local area and wide area network environments.
RPC Endpoint Mapper Service Start Mode: Auto, Expected State: Running RpcEptMapper Resolves RPC interfaces identifiers to transport endpoints.
Secondary Logon Service Start Mode: Manual, Expected State: Stopped, Running seclogon Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable.
Secure Socket Tunneling Protocol Service Start Mode: Manual, Expected State: Stopped, Running SstpSvc Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN.
Security Accounts Manager Service Start Mode: Auto, Expected State: Running SamSs Startup of this service signals that the Security Accounts Manager (SAM) is ready to accept requests.
Sensor Data Service Service Start Mode: Disabled, Expected State: Stopped SensorDataService Delivers data from a variety of sensors
Sensor Monitoring Service Service Start Mode: Disabled, Expected State: Stopped SensrSvc Monitors various sensors in order to expose data and adapt to system and user state.
Sensor Service (SensorService) Service Start Mode: Disabled, Expected State: Stopped SensorService A service for sensors that manages different sensors’ functionality. Manages Simple Device Orientation (SDO) and History for sensors.
Server Service Start Mode: Auto, Expected State: Running LanmanServer Supports file, print, and named-pipe sharing over the network for this computer.
Shell Hardware Detection Service Start Mode: Auto, Expected State: Running ShellHWDetection Provides notifications for AutoPlay hardware events.
Smart Card Service Start Mode: Disabled, Expected State: Stopped SCardSvr Manages access to smart cards read by this computer.
Smart Card Device Enumeration Service Start Mode: Disabled, Expected State: Stopped ScDeviceEnum Creates software device nodes for all smart card readers accessible to a given session.
Smart Card Removal Policy Service Start Mode: Disabled, Expected State: Stopped SCPolicySvc Allows the system to be configured to lock the user desktop upon smart card removal.
SNMP Trap Service Start Mode: Disabled, Expected State: Stopped SNMPTRAP Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents.
Software Protection Service Start Mode: Auto, Expected State: Stopped, Running sppsvc Enables the download, installation and enforcement of digital licenses for Windows and Windows applications.
Special Administration Console Helper Start Mode: Manual, Expected State: Stopped, Running sacsvr Allows administrators to remotely access a command prompt using Emergency Management Services.
Spot Verifier Service Start Mode: Manual, Expected State: Stopped, Running svsvc Verifies potential file system corruptions.
SSDP Discovery Service Start Mode: Disabled, Expected State: Stopped SSDPSRV Discovers networked devices & services using SSDP discovery protocol, such as UPnP devices.
State Repository Service Start Mode: Manual, Expected State: Stopped, Running StateRepository Provides required infrastructure support for the application model.
Still Image Acquisition Events Service Start Mode: Disabled, Expected State: Stopped WiaRpc Launches applications associated with still image acquisition events.
Storage (StorSvc) Service Start Mode: Manual, Expected State: Stopped, Running StorSvc Provides enabling services for storage settings and external storage expansion
Storage Tiers Management Service Start Mode: Manual, Expected State: Stopped, Running TieringEngineService Optimizes the placement of data in storage tiers on all tiered storage spaces in the system.
Superfetch Service Start Mode: Disabled, Expected State: Stopped SysMain Maintains and improves system performance over time.
Sync Host (OneSyncSvc) Service Start Mode: Disabled, Expected State: Stopped OneSyncSvc This service synchronizes mail, contacts, calendar and various other user data.
System Event Notification Service Start Mode: Auto, Expected State: Running SENS Monitors system events and notifies subscribers to COM+ Event System of these events.
System Events Broker Service Start Mode: Auto, Expected State: Running SystemEventsBroker Coordinates execution of background work for WinRT application. If service is stopped/disabled, background work might not be triggered.
Task Scheduler Service Start Mode: Auto, Expected State: Running Schedule Enables a user to configure & schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks.
TCP/IP NetBIOS Helper Service Start Mode: Manual, Expected State: Running lmhosts Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network...
Telephony Service Start Mode: Disabled, Expected State: Stopped TapiSrv Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN...
Themes Service Start Mode: Disabled, Expected State: Stopped Themes Provides user experience theme management.
Tile Data model server Service Start Mode: Auto, Expected State: Running tiledatamodelsvc Tile Server for tile updates.
Time Broker (TimeBrokerSvc) Service Start Mode: Manual, Expected State: Stopped, Running TimeBrokerSvc Coordinates execution of background work for WinRT application. If service is stopped, background work might not be triggered.
Touch Keyboard and Handwriting Panel Start Mode: Disabled, Expected State: Stopped TabletInputService Enables Touch Keyboard and Handwriting Panel pen and ink functionality
Update Orchestrator for Windows Update Start Mode: Manual, Expected State: Stopped, Running UsoSvc Manages Windows Updates. If stopped, your devices will not be able to download and install latest updates.
UPnP Device Host Service Start Mode: Disabled, Expected State: Stopped upnphost Allows UPnP devices to be hosted on this computer.
User Access Logging Service Start Mode: Auto, Expected State: Running UALSVC Logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.
User Data Access (UserDataSvc) Service Start Mode: Disabled, Expected State: Stopped UserDataSvc Provides apps access to structured user data, including contact info, calendars, messages, and other content.
User Data Storage (UnistoreSvc) Service Start Mode: Disabled, Expected State: Stopped UnistoreSvc Handles storage of structured user data, including contact info, calendars, messages, and other content.
User Experience Virtualization Service Start Mode: Disabled, Expected State: Stopped UevAgentService Provides support for application and OS settings roaming
User Manager (UserManager) Service Start Mode: Auto, Expected State: Running UserManager User Manager provides the runtime components required for multi-user interaction.
User Profile (ProfSvc) Service Start Mode: Auto, Expected State: Running ProfSvc This service is responsible for loading and unloading user profiles.
Virtual Disk Service Start Mode: Manual, Expected State: Stopped, Running vds Provides management services for disks, volumes, file systems, and storage arrays.
Volume Shadow Copy Service Start Mode: Manual, Expected State: Stopped, Running VSS Manages and implements Volume Shadow Copies used for backup and other purposes.
WalletService (WalletService) Service Start Mode: Disabled, Expected State: Stopped WalletService Hosts objects used by clients of the wallet
Windows Audio Service Start Mode: Disabled, Expected State: Stopped Audiosrv Manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly.
Windows Audio Endpoint Builder Service Start Mode: Disabled, Expected State: Stopped AudioEndpointBuilder Manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects will not function properly.
Windows Biometric Service Start Mode: Disabled, Expected State: Stopped WbioSrvc The Windows biometric service gives client applications the ability to capture, compare, manipulate, and store biometric data without...
Windows Connection Manager Service Start Mode: Auto, Expected State: Running FrameServer Enables multiple clients to access video frames from camera devices.
Windows Camera Frame Service Start Mode: Disabled, Expected State: Stopped Wcmsvc Makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables...
Windows Defender Network Inspection Start Mode: Manual, Expected State: Stopped/Running WdNisSvc Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols
Windows Defender (WinDefend) Service Start Mode: Auto, Expected State: Running WinDefend Helps protect users from malware and other potentially unwanted software
Win Drvr Foundation User-mode Drvr FW Start Mode: Manual, Expected State: Running/Stopped wudfsvc Creates and manages user-mode driver processes. This service cannot be stopped.
Windows Encryption Provider Host Start Mode: Disabled, Expected State: Stopped WEPHOSTSVC Windows Encryption Provider Host Service brokers encryption related functionalities from 3rd Party Encryption Providers to processes...
Windows Error Reporting Service Start Mode: Manual, Expected State: Running/Stopped WerSvc Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered.
Windows Event Collector Service Start Mode: Manual, Expected State: Running/Stopped Wecsvc This service manages persistent subscriptions to events from remote sources that support WS-Management protocol.
Windows Event Log Service Start Mode: Auto, Expected State: Running EventLog This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs...
Windows Firewall Service Start Mode: Auto, Expected State: Running MpsSvc Windows Firewall protects your computer by preventing unauthorized users from gaining access through the Internet or a network.
Windows Font Cache Service Start Mode: Auto, Expected State: Stopped, Running FontCache Optimizes performance of applications by caching commonly used font data.
Windows Image Acquisition Service Start Mode: Disabled, Expected State: Stopped stisvc Provides image acquisition services for scanners and cameras
Windows Insider (wisvc) Service Start Mode: Disabled, Expected State: Stopped wisvc wisvc
Windows Installer Service Start Mode: Manual, Expected State: Stopped, Running msiserver Adds, modifies, and removes applications provided as a Windows Installer (*.msi, *.msp) package.
Windows License Manager Service Start Mode: Manual, Expected State: Stopped, Running LicenseManager Provides infrastructure support for the Windows Store.
Windows Management Instr’tion Start Mode: Auto, Expected State: Running Winmgmt Provides a common interface and object model to access management information about OS, devices, applications and services.
Windows Mobile Hotspot Service Start Mode: Disabled, Expected State: Stopped icssvc Provides the ability to share a cellular data connection with another device.
Windows Modules Installer Service Start Mode: Manual, Expected State: Stopped, Running TrustedInstaller Enables installation, modification, and removal of Windows updates and optional components.
Windows Push Notifications System Start Mode: Disabled, Expected State: Stopped WpnService Runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server.
Win Push Notifications User Service Start Mode: Disabled, Expected State: Stopped WpnUserService Hosts Windows notification platform which provides support for local and push notifications. Supported notifications are tile, toast and raw.
Win Presentation Foundation Font Cache Start Mode: Manual, Expected State: Stopped, Running FontCache3.0.0.0 The Windows Presentation Foundation Font Cache 3.0.0.0 service optimizes performance of the Windows Presentation Foundation (WPF)...
Windows Remote Management Start Mode: Auto, Expected State: Stopped, Running WinRM Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management.
Windows Search (WSearch) Service Start Mode: Disabled, Expected State: Stopped WSearch Provides content indexing, property caching, and search results for files, e-mail, and other content.
Windows Time Service Start Mode: Auto, Expected State: Running W32Time Maintains date and time synchronization on all clients and servers in the network.
Windows Update Service Start Mode: Manual, Expected State: Stopped/Running wuauserv Enables the detection, download, and installation of updates for Windows and other programs
WinHTTP Web Proxy Auto-Discovery Start Mode: Manual, Expected State: Stopped/Running WinHttpAutoProxySvc Client HTTP stack, provides developers with a Win32 API/COM Automation component for sending HTTP requests/receiving responses.
Wired AutoConfig Service Start Mode: Disabled, Expected State: Stopped dot3svc The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces.
WMI Performance Adapter Service Start Mode: Manual, Expected State: Stopped, Running wmiApSrv Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network.
Workstation Service Start Mode: Auto, Expected State: Running LanmanWorkstation Creates and maintains client network connections to remote servers using the SMB protocol.
Xbox Live Auth Manager Service Start Mode: Disabled, Expected State: Stopped XblAuthManager Provides authentication and authorization services for interacting with Xbox Live.
Xbox Live Game Save Service Start Mode: Disabled, Expected State: Stopped XblGameSave This service syncs save data for Xbox Live save enabled games.
Display Name Hardened Start Mode and State Name Service Description Microsoft Windows
Windows Server 10
2016
ActiveX Installer (AxInstSV) Service Start Mode: Disabled, Expected State: Stopped) AxInstSV Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control.
AllJoyn Router Service Start Mode: Manual, Expected State: Stopped, Running) AJRouter Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control..
App Readiness Service Start Mode: Manual, Expected State: Stopped, Running) AppReadiness Gets apps ready for use the first time a user signs in to this PC and when adding new apps.
Application Identity Service Start Mode: Manual, Expected State: Stopped, Running) AppIDSvc Determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.
Application Information Service Start Mode: Manual, Expected State: Stopped, Running) Appinfo Facilitates the running of interactive applications with additional administrative privileges.
Application Layer Gateway Service Start Mode: Disabled, Expected State: Stopped) ALG Provides support for 3rd party protocol plug-ins for Internet Connection Sharing
Application Management Service Start Mode: Manual, Expected State: Stopped, Running) AppMgmt Processes installation, removal, & enumeration requests for software deployed through Group Policy.
AppX Deployment Service Service Start Mode: Manual, Expected State: Stopped, Running) AppXSvc Provides infrastructure support for deploying Store applications.
AssignedAccessManager Service Start Mode: Manual, Expected State: Stopped, Running) AssignedAccessManagerSvc AssignedAccessManager Local Server
Auto Time Zone Updater Service Start Mode: Disabled, Expected State: Stopped) tzautoupdate Automatically sets the system time zone.
Background Intelligent Transfer Service Start Mode: Manual, Expected State: Stopped, Running) BITS Transfers files in the background using idle network bandwidth.
Background Tasks Infrastructure Service Start Mode: Auto, Expected State: Running) BrokerInfrastructure Windows infrastructure service that controls which background tasks can run on the system.
Base Filtering Engine Service Start Mode: Auto, Expected State: Running) BFE The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode...
BitLocker Drive Encryption Service Start Mode: Manual, Expected State: Stopped, Running) BDESVC Allows BitLocker to prompt users for actions related to drives when accessed and supports unlocking of BL-protected drives automatically...
Block Level Backup Engine Service Start Mode: Disabled, Expected State: Stopped) wbengine The WBENGINE service is used by Windows Backup to perform backup and recovery operations.
Bluetooth Handsfree Service Start Mode: Disabled, Expected State: Stopped) BthHFSrv Enables wireless Bluetooth headsets to run on this computer.
Bluetooth Support Service Start Mode: Disabled, Expected State: Stopped) bthserv The Bluetooth service supports discovery and association of remote Bluetooth devices.
BranchCache Start Mode: Disabled, Expected State: Stopped) PeerDistSvc This service caches network content from peers on the local subnet.
Capability Access Manager Service Start Mode: Manual, Expected State: Stopped, Running) camsvc Provides facilities for managing UWP apps access to app capabilities as well as checking an app’s access to specific app capabilities
CDPUserSvc (cdpusersvc) Service Start Mode: Disabled, Expected State: Stopped) CDPUserSvc This user service is used for Connected Devices Platform scenarios
Certificate Propagation Service Start Mode: Manual, Expected State: Stopped, Running) CertPropSvc Copies user certificates and root certificates from smart cards into the current user’s certificate store, detects when a smart card is inserted...
Client License Service (ClipSVC) Service Start Mode: Manual, Expected State: Stopped, Running) ClipSVC Provides infrastructure support for the Microsoft Store.
CNG Key Isolation Service Start Mode: Manual, Expected State: Stopped, Running) KeyIso The CNG key isolation service is hosted in the LSA process.
COM+ Event System Service Start Mode: Auto, Expected State: Running) EventSystem Supports System Event Notification Service, provides automatic distribution of events to subscribing Component Object Model (COM)
COM+ System Application Service Start Mode: Manual, Expected State: Stopped, Running) COMSysApp Manages the configuration and tracking of Component Object Model (COM)+-based components.
Connected Devices Platform Service Start Mode: Auto, Expected State: Running, Stopped) CDPSvc This service is used for Connected Devices and Universal Glass scenarios
Connected User Experiences Telemetry Start Mode: Auto, Expected State: Running) DiagTrack The Connected User Experiences and Telemetry service enables features that support in-application and connected user experiences.
Contact Data Service Start Mode: Disabled, Expected State: Stopped) PimIndexMaintenanceSvc Indexes contact data for fast contact searching. If you stop or disable this service, contacts might be missing from your search results.
CoreMessaging Service Start Mode: Auto, Expected State: Running) CoreMessagingRegistrar Manages communication between system components.
Credential Manager Service Start Mode: Manual, Expected State: Stopped, Running) VaultSvc Provides secure storage and retrieval of credentials to users, applications and security service packages.
Cryptographic Services Service Start Mode: Auto, Expected State: Running) CryptSvc Provides 3 management services: Catalog Database Service, confirms the signatures of Windows files and allows new programs to be installed...
Data Sharing (DsSvc) Service Start Mode: Manual, Expected State: Stopped, Running) DsSvc Provides data brokering between applications.
Data Usage Service Start Mode: Auto, Expected State: Running) DusmSvc Network data usage, data limit, restrict background data, metered networks.
DCOM Server Process Launcher Service Start Mode: Auto, Expected State: Running) DcomLaunch The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests.
Delivery Optimization Service Start Mode: Auto, Expected State: Stopped/Running) DoSvc Performs content delivery optimization tasks
Device Association Service Start Mode: Manual, Expected State: Stopped, Running) DeviceAssociationService Enables pairing between the system and wired or wireless devices.
Device Install (DeviceInstall) Service Start Mode: Manual, Expected State: Stopped, Running) DeviceInstall Enables a computer to recognize and adapt to hardware changes with little or no user input.
Device Management Enrollment Service Start Mode: Manual, Expected State: Stopped, Running) DmEnrollmentSvc Performs Device Enrollment Activities for Device Management
Device Setup (DsmSvc) Service Start Mode: Manual, Expected State: Stopped, Running) DsmSvc Enables the detection, download and installation of device-related software. If this service is disabled, devices may be configured with outdated.
DevicesFlow Start Mode: Manual, Expected State: Stopped, Running) DevicesFlowUserSvc Device Discovery and Connecting
DevQuery Background Discovery Broker Start Mode: Manual, Expected State: Stopped, Running) DevQueryBroker Enables apps to discover devices with a backgroud task
DHCP Client Service Start Mode: Auto, Expected State: Running) Dhcp Registers and updates IP addresses and DNS records for this computer.
Diagnostic Execution Service Start Mode: Manual, Expected State: Stopped, Running) diagsvc Executes diagnostic actions for troubleshooting support
Diagnostic Policy Service Start Mode: Auto, Expected State: Running) DPS The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components.
Diagnostic Service Host Service Start Mode: Disabled, Expected State: Stopped) WdiServiceHost The Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context.
Diagnostic System Host Service Start Mode: Disabled, Expected State: Stopped) WdiSystemHost The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context.
Distributed Link Tracking Client Service Start Mode: Auto, Expected State: Running) TrkWks Maintains links between NTFS files within a computer or across computers in a network.
Display Name Hardened Start Mode and State Name Service Description Windows Server
Microsoft 2016
Windows 10
Distributed Transaction Coordinator Start Mode: Auto, Expected State: Running) MSDTC Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DMWAPPushService Service Start Mode: Disabled, Expected State: Stopped) dmwappushservice WAP Push Message Routing Service
DNS Client Service Start Mode: Auto, Expected State: Running) Dnscache The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer.
Downloaded Maps Manager Service Start Mode: Disabled, Expected State: Stopped) MapsBroker Windows service for application access to downloaded maps. This service is started on-demand by application accessing downloaded maps.
Embedded Mode Service Start Mode: Manual, Expected State: Stopped, Running) embeddedmode The Embedded Mode service enables scenarios related to Background Applications.
Encrypting File System (EFS) Service Start Mode: Manual, Expected State: Stopped, Running) EFS Provides the core file encryption technology used to store encrypted files on NTFS file system volumes.
Enterprise App Management Service Start Mode: Manual, Expected State: Stopped, Running) EntAppSvc Enables enterprise application management.
Extensible Authentication Protocol Start Mode: Disabled, Expected State: Stopped) EapHost Provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP).
Fax Service Start Mode: Disabled, Expected State: Stopped) Fax The Fax service, a Telephony API (TAPI)-compliant service, provides fax capabilities from users’ computers.
File History Service Start Mode: Disabled, Expected State: Stopped) fhsvc Protects user files from accidental loss by copying them to a backup location.
Function Discovery Provider Host Service Start Mode: Disabled, Expected State: Stopped) fdPHost The FDPHOST service hosts the Function Discovery (FD) network discovery providers.
Function Discovery Resource Publication Start Mode: Disabled, Expected State: Stopped) FDResPub Publishes this computer and resources attached to this computer so they can be discovered over the network.
Geolocation (lfsvc) Service Start Mode: Disabled, Expected State: Stopped) lfsvc This service monitors the current location of the system and manages geofences (a geographical location with associated events).
GraphicsPerfSvc Start Mode: Manual, Expected State: Stopped, Running) GraphicsPerfSvc Graphics performance monitor service
Group Policy Client Service Start Mode: Auto, Expected State: Running) gpsvc The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component.
HomeGroup Listener Start Mode: Disabled, Expected State: Stopped) HomeGroupListener Makes local computer changes associated with configuration and maintenance of the homegroup-joined computer.
HomeGroup Provider Start Mode: Disabled, Expected State: Stopped) HomeGroupProvider Performs networking tasks associated with configuration and maintenance of homegroups.
Human Interface Device Access Service Start Mode: Disabled, Expected State: Stopped) hidserv Activates and maintains the use of hot buttons on keyboards, remote controls, and other multimedia devices.
HV Host Service Start Mode: Manual, Expected State: Stopped, Running) HvHost Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
Hyper-V Data Exchange Service Start Mode: Manual, Expected State: Stopped, Running) vmickvpexchange Provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.
Hyper-V Guest Service Interface Start Mode: Manual, Expected State: Running, Stopped) vmicguestinterface Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Hyper-V Guest Shutdown Service Start Mode: Manual, Expected State: Running, Stopped) vmicshutdown Provides a mechanism to shut down the operating system of this virtual machine from the management interfaces on the physical computer.
Hyper-V Heartbeat Service Start Mode: Manual, Expected State: Running, Stopped) vmicheartbeat Monitors the state of this virtual machine by reporting a heartbeat at regular intervals.
Hyper-V PowerShell Direct Service Start Mode: Manual, Expected State: Running, Stopped) vmicvmsession Provides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.
Hyper-V Remote Desktop Virtualization Start Mode: Manual, Expected State: Running, Stopped) vmicrdv Provides a platform for communication between the virtual machine and the operating system running on the physical computer.
Hyper-V Time Synchronization Service Start Mode: Manual, Expected State: Running, Stopped) vmictimesync Synchronizes the system time of this virtual machine with the system time of the physical computer.
Hyper-V Volume Shadow Copy Requestor Start Mode: Manual, Expected State: Running, Stopped) vmicvss Coordinates the communications that are required to use Volume Shadow Copy Service to back up applications and data on this virtual machine
IIS Admin (IISADMIN) Service Start Mode: Disabled, Expected State: Stopped) IISADMIN The IISAdmin service hosts the IIS 6.0 configuration compatibility component (metabase) required by IIS 6.0 administrative scripts, SMTP & FTP.
IKE and AuthIP IPsec Keying Modules Start Mode: Manual, Expected State: Stopped, Running) IKEEXT The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules.
Infrared monitor service Start Mode: Disabled, Expected State: Stopped) irmon Detects other Infrared devices that are in range and launches the file transfer application.
Interactive Services Detection Service Start Mode: Disabled, Expected State: Stopped) UI0Detect Enables user notification of user input for interactive services, which enables access to dialogs created by interactive services when they appear.
Internet Connection Sharing (ICS) Start Mode: Disabled, Expected State: Stopped) SharedAccess Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
IP Helper Service Start Mode: Disabled, Expected State: Stopped) iphlpsvc Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS.
IP Translation Configuration Service Start Mode: Disabled, Expected State: Stopped) IpxlatCfgSvc Configures and enables translation from v4 to v6 and vice versa
IPsec Policy Agent Service Start Mode: Manual, Expected State: Stopped, Running) PolicyAgent Internet Protocol security supports network-level peer/data origin authentication, data integrity, data confidentiality, and replay protection.
KtmRm Distbd Transaction Coordinator Start Mode: Manual, Expected State: Stopped, Running) KtmRm Coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM).
Link-Layer Topology Discovery Mapper Start Mode: Disabled, Expected State: Stopped) lltdsvc Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device.
Local Profile Assistant Service Start Mode: Manual, Expected State: Stopped/Running) wlpasvc This service provides profile management for subscriber identity modules
Local Session Manager Service Start Mode: Auto, Expected State: Running) LSM Core Windows Service that manages local user sessions. Stopping or disabling this service will result in system instability.
LxssManager Service Start Mode: Disabled, Expected State: Stopped) LxssManager The LXSS Manager service supports running native ELF binaries.
MessagingService Start Mode: Disabled, Expected State: Stopped) MessagingService Service supporting text messaging and related functionality.
Microsoft Diagnostics Hub Standard Start Mode: Manual, Expected State: Stopped, Running) diagnosticshub. Diagnostics Hub Standard Collector Service. When running, this service collects real time ETW events and processes them.
Collector Service Service standardcollector.service
Microsoft Account Sign-in Assistant Start Mode: Disabled, Expected State: Stopped) AppVClient Manages App-V users and virtual applications
Microsoft App-V Client Service Start Mode: Disabled, Expected State: Stopped) wlidsvc Enables user sign-in through Microsoft account identity services.
Microsoft FTP Service Start Mode: Disabled, Expected State: Stopped) FTPSVC Enables the server to be a File Transfer Protocol (FTP) server.
Microsoft iSCSI Initiator Service Start Mode: Disabled, Expected State: Stopped) MSiSCSI Manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices.
Microsoft Passport (NgcSvc) Service Start Mode: Disabled, Expected State: Stopped) NgcSvc Provides process isolation for cryptographic keys used to authenticate to a user’s associated identity providers.
Display Name Hardened Start Mode and State Name Service Description Windows
MicrosoftServer 2016
Windows 10
Microsoft Software Shadow Copy Provider Start Mode: Manual, Expected State: Stopped, Running) swprv Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
Microsoft Storage Spaces SMP Service Start Mode: Manual, Expected State: Stopped, Running) smphost Host service for the Microsoft Storage Spaces management provider. If this service is stopped or disabled, Storage Spaces cannot be managed.
Microsoft Windows SMS Router Service Start Mode: Disabled, Expected State: Stopped) SmsRouter Routes messages based on rules to appropriate clients.
Natural Authentication Start Mode: Manual, Expected State: Stopped, Running) NaturalAuthentication Signal aggregator service, that evaluates signals based on time, network, geolocation, bluetooth and cdf factors.
Net.Tcp Port Sharing Service Start Mode: Disabled, Expected State: Stopped) NetTcpPortSharing Provides ability to share TCP ports over the net.tcp protocol.
Netlogon Service Start Mode: Manual, Expected State: Stopped, Running) Netlogon Maintains a secure channel between this computer and the domain controller for authenticating users and services.
Network Access Protection Agent Service Start Mode: Disabled, Expected State: Stopped) NcbService Brokers connections that allow Windows Store Apps to receive notifications from the internet.
Network Connected Devices Auto-Setup Start Mode: Disabled, Expected State: Stopped) NcdAutoSetup Network Connected Devices Auto-Setup service monitors and installs qualified devices that connect to a qualified network.
Network Connections Service Start Mode: Manual, Expected State: Stopped, Running) Netman Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Network Connectivity Assistant Service Start Mode: Disabled, Expected State: Stopped) NcaSvc Provides DirectAccess status notification for UI components
Network List Service Start Mode: Manual, Expected State: Stopped, Running) netprofm Identifies, collects & stores properties for networks to which computer has connected, notifies applications when properties change.
Network Location Awareness Service Start Mode: Auto, Expected State: Stopped, Running) NlaSvc Collects and stores configuration information for the network and notifies programs when this information is modified.
Network Setup (NetSetupSvc) Service Start Mode: Manual, Expected State: Stopped, Running) NetSetupSvc The Network Setup Service manages the installation of network drivers and permits the configuration of low-level network settings.
Network Store Interface Service Start Mode: Auto, Expected State: Running) nsi This service delivers network notifications (e.g. interface addition/deleting etc) to user mode clients.
Offline Files (CscService) Service Start Mode: Disabled, Expected State: Stopped) CscService Performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API..
Optimize Drives (defragsvc) Service Start Mode: Manual, Expected State: Stopped, Running) defragsvc Helps the computer run more efficiently by optimizing files on storage drives.
Payments and NFC/SE Manager Start Mode: Disabled, Expected State: Stopped) SEMgrSvc Manages payments and Near Field Communication
Peer Name Resolution Protocol Start Mode: Disabled, Expected State: Stopped) PNRPsvc Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP).
Peer Networking Grouping Service Start Mode: Disabled, Expected State: Stopped, Running) p2psvc Enables multi-party communication using Peer-to-Peer Grouping. If disabled, some applications, such as HomeGroup, may not function.
Peer Networking Identity Manager Start Mode: Disabled, Expected State: Stopped, Running) p2pimsvc Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services.
Performance Counter DLL Host Service Start Mode: Manual, Expected State: Stopped, Running) PerfHost Enables remote users and 64-bit processes to query performance counters provided by 32-bit DLLs.
Performance Logs and Alerts Service Start Mode: Manual, Expected State: Stopped, Running) pla Collects performance data from local/remote computers based on preconfigured schedule parameters, then writes data to a log/triggers alerts.
Phone (PhoneSvc) Service Start Mode: Disabled, Expected State: Stopped) PhoneSvc Manages the telephony state on the device
Plug and Play Service Start Mode: Manual, Expected State: Stopped, Running) PlugPlay Enables a computer to recognize and adapt to hardware changes with little or no user input.
PNRP Machine Name Publication Service Start Mode: Disabled, Expected State: Stopped) PNRPAutoReg This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context ‘p2p pnrp peer’
Portable Device Enumerator Service Start Mode: Manual, Expected State: Stopped, Running) WPDBusEnum Enforces group policy for removable mass-storage devices, enables multimedia applications to transfer/synchronize content to removable storage
Power Service Start Mode: Auto, Expected State: Running) Power Manages power policy and power policy notification delivery.
Print Spooler Service Start Mode: Disabled, Expected State: Stopped) Spooler This service spools print jobs and handles interaction with the printer.
Print Workflow Service Start Mode: Disabled, Expected State: Stopped) PrintWorkflow Print Workflow
Printer Extensions and Notifications Start Mode: Disabled, Expected State: Stopped) PrintNotify This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer.
Problem Reports Solutions Ctrl Panel Start Mode: Disabled, Expected State: Stopped) wercplsupport Provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel.
Program Compatibility Assistant Start Mode: Disabled, Expected State: Stopped) PcaSvc Program Compatibility Assistant monitors programs installed/run and detects known compatibility problems.
Quality Windows Audio Video Experience Start Mode: Disabled, Expected State: Stopped) QWAVE Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks.
Radio Management Service Start Mode: Disabled, Expected State: Stopped) RmSvc Radio Management and Airplane Mode Service
Remote Access Auto Connection Manager Start Mode: Disabled, Expected State: Stopped) RasAuto Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager Start Mode: Disabled, Expected State: Stopped) RasMan Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks.
Remote Desktop Configuration Service Start Mode: Disabled, Expected State: Stopped, Running) SessionEnv Supports all Remote Desktop Services/related configuration/session maintenance activities that require SYSTEM context.
Remote Desktop Services Service Start Mode: Disabled, Expected State: Stopped, Running) TermService Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service.
RDP UserMode Port Redirector Start Mode: Disabled, Expected State: Stopped/Running) UmRdpService Allows the redirection of Printers/Drives/Ports for RDP connections
Remote Procedure Call (RPC) Locator Start Mode: Disabled, Expected State: Stopped) RpcLocator In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database.
Remote Procedure Call (RPC) Service Start Mode: Auto, Expected State: Running) RpcSs The RPCSS service is the Service Control Manager for COM and DCOM servers.
Remote Registry Service Start Mode: Disabled, Expected State: Stopped/Running) RemoteRegistry Enables remote users to modify registry settings on this computer.
Retail Demo Service Start Mode: Disabled, Expected State: Stopped) RetailDemo The Retail Demo service controls device activity while the device is in retail demo mode.
Routing and Remote Access Service Start Mode: Disabled, Expected State: Stopped) RemoteAccess Offers routing services to businesses in local area and wide area network environments.
RPC Endpoint Mapper Service Start Mode: Auto, Expected State: Running) RpcEptMapper Resolves RPC interfaces identifiers to transport endpoints.
Secondary Logon Service Start Mode: Manual, Expected State: Stopped, Running) seclogon Enables starting processes under alternate credentials.
Secure Socket Tunneling Protocol Service Start Mode: Manual, Expected State: Stopped, Running) SstpSvc Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN.
Security Accounts Manager Service Start Mode: Auto, Expected State: Running) SamSs The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests.
Windows 10
Security Center Start Mode: Manual, Expected State: Stopped, Running) wscsvc The Security Center (wscsvc) service monitors and reports security health settings on the computer.
Sensor Data Service Service Start Mode: Disabled, Expected State: Stopped) SensorDataService Delivers data from a variety of sensors
Sensor Monitoring Service Service Start Mode: Disabled, Expected State: Stopped) SensrSvc Monitors various sensors in order to expose data and adapt to system and user state.
Sensor Service (SensorService) Service Start Mode: Disabled, Expected State: Stopped) SensorService A service for sensors that manages different sensors’ functionality. Manages Simple Device Orientation (SDO) and History for sensors.
Server Service Start Mode: Disabled, Expected State: Stopped, Running) LanmanServer Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable.
Shared PC Account Manager Start Mode: Disabled, Expected State: Stopped) shpamsvc Manages profiles and accounts on a SharedPC configured device
Shell Hardware Detection Service Start Mode: Auto, Expected State: Running) ShellHWDetection Provides notifications for AutoPlay hardware events.
Simple TCP/IP Services Service Start Mode: Disabled, Expected State: Stopped) simptcp Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day.
Smart Card Device Enumeration Service Start Mode: Disabled, Expected State: Stopped) ScDeviceEnum Creates software device nodes for all smart card readers accessible to a given session.
Smart Card Removal Policy Service Start Mode: Disabled, Expected State: Stopped) SCPolicySvc Allows the system to be configured to lock the user desktop upon smart card removal.
Smart Card Service Start Mode: Disabled, Expected State: Stopped) SCardSvr Manages access to smart cards read by this computer.
SNMP Service Start Mode: Disabled, Expected State: Stopped) SNMP Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer.
SNMP Trap Service Start Mode: Disabled, Expected State: Stopped) SNMPTRAP Receives trap messages SNMP agents and forwards the messages to SNMP management programs running on this computer.
Software Protection Service Start Mode: Auto, Expected State: Stopped, Running) sppsvc Enables the download, installation and enforcement of digital licenses for Windows and Windows applications.
Spatial Data Service Start Mode: Disabled, Expected State: Stopped) SharedRealitySvc This service is used for Spatial Perception scenarios
Spot Verifier Service Start Mode: Manual, Expected State: Stopped, Running) svsvc Verifies potential file system corruptions.
SSDP Discovery Service Start Mode: Disabled, Expected State: Stopped) SSDPSRV Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices.
State Repository Service Start Mode: Manual, Expected State: Stopped, Running) StateRepository Provides required infrastructure support for the application model.
Still Image Acquisition Events Service Start Mode: Disabled, Expected State: Stopped) WiaRpc Launches applications associated with still image acquisition events.
Storage (StorSvc) Service Start Mode: Manual, Expected State: Stopped, Running) StorSvc Provides enabling services for storage settings and external storage expansion
Storage Tiers Management Service Start Mode: Manual, Expected State: Stopped, Running) TieringEngineService Optimizes the placement of data in storage tiers on all tiered storage spaces in the system.
Superfetch Service Start Mode: Disabled, Expected State: Stopped) SysMain Maintains and improves system performance over time.
Sync Host (OneSyncSvc) Service Start Mode: Disabled, Expected State: Stopped) OneSyncSvc This service synchronizes mail, contacts, calendar and various other user data.
System Event Notification Service Start Mode: Auto, Expected State: Running) SENS Monitors system events and notifies subscribers to COM+ Event System of these events.
System Events Broker Service Start Mode: Auto, Expected State: Running) SystemEventsBroker Coordinates execution of background work for WinRT application.
Task Scheduler Service Start Mode: Auto, Expected State: Running) Schedule Enables a user to configure and schedule automated tasks on this computer.
TCP/IP NetBIOS Helper Service Start Mode: Manual, Expected State: Running) lmhosts Supports NetBIOS over TCP/IP/name resolution for clients on the network, enabling users to share files, print, and log on to the network.
Telephony Service Start Mode: Disabled, Expected State: Stopped) TapiSrv Provides Telephony API support for programs that control telephony devices on the local computer and on servers also running the service.
Enhanced Mitigation Experience Toolkit Start Mode: Auto, Expected State: Running) emet_service EMET helps prevent vulnerabilities in software from being successfully exploited by using security mitigation technologies.
Themes Service Start Mode: Disabled, Expected State: Stopped) Themes Provides user experience theme management.
Tile Data model server Service Start Mode: Auto, Expected State: Running) tiledatamodelsvc Tile Server for tile updates.
Time Broker (TimeBrokerSvc) Service Start Mode: Manual, Expected State: Stopped, Running) TimeBrokerSvc Coordinates execution of background work for WinRT application.
Touch Keyboard and Handwriting Panel Start Mode: Disabled, Expected State: Stopped) TabletInputService Enables Touch Keyboard and Handwriting Panel pen and ink functionality
Update Orchestrator Service for Windows Start Mode: Manual, Expected State: Stopped, Running) UsoSvc Manages Windows Updates. If stopped, your devices will not be able to download and install latest updates.
UPnP Device Host Service Start Mode: Disabled, Expected State: Stopped) upnphost Allows UPnP devices to be hosted on this computer.
User Data Access (UserDataSvc) Service Start Mode: Disabled, Expected State: Stopped) UserDataSvc Provides apps access to structured user data, including contact info, calendars, messages, and other content.
User Data Storage (UnistoreSvc) Service Start Mode: Disabled, Expected State: Stopped) UnistoreSvc Handles storage of structured user data, including contact info, calendars, messages, and other content.
User Experience Virtualization Service Start Mode: Disabled, Expected State: Stopped) UevAgentService Provides support for application and OS settings roaming
User Manager (UserManager) Service Start Mode: Auto, Expected State: Running) UserManager User Manager provides the runtime components required for multi-user interaction.
User Profile (ProfSvc) Service Start Mode: Auto, Expected State: Running) ProfSvc This service is responsible for loading and unloading user profiles.
Virtual Disk Service Start Mode: Manual, Expected State: Stopped, Running) vds Provides management services for disks, volumes, file systems, and storage arrays.
Volume Shadow Copy Service Start Mode: Manual, Expected State: Stopped, Running) VSS Manages and implements Volume Shadow Copies used for backup and other purposes.
WalletService (WalletService) Service Start Mode: Disabled, Expected State: Stopped) WalletService Hosts objects used by clients of the wallet
WarpJITSvc Start Mode: Manual, Expected State: Stopped, Running) WarpJITSvc Provides a JIT out of process service for WARP when running with ACG enabled.
Web Account Manager Start Mode: Manual, Expected State: Running) TokenBroker This service is used by Web Account Manager to provide single-sign-on to apps and services.
Web Management Service Start Mode: Disabled, Expected State: Stopped) WMSvc Enables remote and delegated management capabilities for administrators to manage Web server, sites and applications present on the machine.
WebClient Start Mode: Disabled, Expected State: Stopped) WebClient Enables Windows-based programs to create, access, and modify Internet-based files.
Wi-Fi Direct Services Connection Manager Start Mode: Disabled, Expected State: Stopped) WFDSConMgrSvc Manages connections to wireless services, including wireless display and docking.
Windows 10
Windows Audio Endpoint Builder Service Start Mode: Disabled, Expected State: Stopped) AudioEndpointBuilder Manages audio devices for the Windows Audio service.
Windows Audio Service Start Mode: Disabled, Expected State: Stopped) Audiosrv Manages audio for Windows-based programs.
Windows Backup Start Mode: Disabled, Expected State: Stopped) SDRSVC Provides Windows Backup and Restore capabilities.
Windows Biometric Service Start Mode: Disabled, Expected State: Stopped) WbioSrvc Enables applications to capture/compare/manipulate/store biometric data without gaining direct access to any biometric hardware or samples.
Windows Camera Frame Service Start Mode: Disabled, Expected State: Stopped) Wcmsvc Automates connect/disconnect decisions based on network connectivity options available & mgmt of connectivity based on Group Policy settings.
Windows Connect Now/Config Registrar Start Mode: Disabled, Expected State: Stopped) WCNCSVC The Windows Connect Now - Config Registrar
Windows Connection Manager (wcmsvc) Start Mode: Auto, Expected State: Running) FrameServer Enables multiple clients to access video frames from camera devices.
Windows Defender (WinDefend) Service Start Mode: Auto, Expected State: Running) WinDefend Helps protect users from malware and other potentially unwanted software
Win Defender Advcd Threat Protection Start Mode: Auto, Expected State: Running) Sense Protects against advanced threats by monitoring and reporting security events that happen on the computer.
Windows Defender Network Inspection Start Mode: Manual, Expected State: Stopped/Running) WdNisSvc Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols
Windows Defender Security Centre Start Mode: Auto, Expected State: Running) SecurityHealthService Windows Defender Security Centre Service handles unified device protection and health information.
Windows Encryption Provider Host Start Mode: Disabled, Expected State: Stopped) WEPHOSTSVC Brokers encryption related functionalities from 3rd Party Encryption Providers to processes that need to evaluate and apply EAS policies.
Windows Error Reporting Service Start Mode: Disabled, Expected State: Running/Stopped) WerSvc Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered.
Windows Event Collector Service Start Mode: Disabled, Expected State: Running/Stopped) Wecsvc This service manages persistent subscriptions to events from remote sources that support WS-Management protocol.
Windows Event Log (EventLog) Service Start Mode: Auto, Expected State: Running) EventLog Manages events and event logs: supports logging/querying/subscribing/archiving event logs, and managing event metadata.
Windows Firewall (MpsSvc) Service Start Mode: Auto, Expected State: Running) MpsSvc Helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
Windows Font Cache (FontCache) Service Start Mode: Auto, Expected State: Stopped, Running) FontCache Optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running.
Windows Image Acquisition (WIA) (stisvc) Start Mode: Disabled, Expected State: Stopped) stisvc Provides image acquisition services for scanners and cameras
Windows Insider (wisvc) Service Start Mode: Disabled, Expected State: Stopped) wisvc wisvc
Windows Installer Service Start Mode: Manual, Expected State: Stopped, Running) msiserver Adds, modifies, and removes applications provided as a Windows Installer (*.msi, *.msp) package.
Windows License Manager Start Mode: Manual, Expected State: Stopped, Running) LicenseManager Provides infrastructure support for the Windows Store.
Windows Licensing Monitoring Service Start Mode: Auto, Expected State: Stopped, Running) WLMS This service monitors the Windows software license state.
Windows Management Instrumentation Start Mode: Auto, Expected State: Running) Winmgmt Provides a common interface and object model to access management information about operating system, devices, applications and services.
Windows Media Player Network Sharing Start Mode: Disabled, Expected State: Stopped) WMPNetworkSvc Shares Windows Media Player libraries to other networked players and media devices by using the UPnP architecture.
Windows Mobile Hotspot Service Start Mode: Disabled, Expected State: Stopped) icssvc Provides the ability to share a cellular data connection with another device.
Windows Modules Installer Service Start Mode: Manual, Expected State: Stopped, Running) TrustedInstaller Enables installation, modification, and removal of Windows updates and optional components.
Windows Perception Service Start Mode: Disabled, Expected State: Stopped) spectrum Enables spatial perception, spatial input, and holographic rendering.
Windows Push Notifications System Start Mode: Disabled, Expected State: Stopped) WpnService Service runs in session 0 and hosts the notification platform and connection provider, handles connection between device & WNS server.
Windows Push Notifications User Start Mode: Disabled, Expected State: Stopped) WpnUserService This service hosts Windows notification platform which provides support for local and push notifications.
Windows PushToInstall Service Start Mode: Disabled, Expected State: Stopped) PushToInstall Provides infrastructure support for the Windows Store.
Windows Remote Management Start Mode: Disabled, Expected State: Stopped) WinRM Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management.
Windows Search (WSearch) Service Start Mode: Disabled, Expected State: Stopped) WSearch Provides content indexing, property caching, and search results for files, e-mail, and other content.
Windows Store Install Service Start Mode: Disabled, Expected State: Stopped) InstallService Provides infrastructure support for the Windows Store.
Windows Time Service Start Mode: Auto, Expected State: Running) W32Time Maintains date and time synchronization on all clients and servers in the network.
Windows Update Service Start Mode: Manual, Expected State: Stopped/Running) wuauserv Enables the detection, download, and installation of updates for Windows and other programs.
WinHTTP Web Proxy Auto-Discovery Start Mode: Disabled, Expected State: Stopped/Running) WinHttpAutoProxySvc Client HTTP stack, provides developers with a Win32 API/COM Automation component for sending HTTP requests/receiving responses.
Wired AutoConfig Service Start Mode: Disabled, Expected State: Stopped) dot3svc The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces.
WLAN Autoconfig (WlanSvc) Service Start Mode: Disabled, Expected State: Stopped) WlanSvc The WLAN Autoconfig service enables automatic configuration for IEEE 802.11 wireless adapters for wireless communications.
WMI Performance Adapter Service Start Mode: Manual, Expected State: Stopped, Running) wmiApSrv Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network.
Work Folders Start Mode: Disabled, Expected State: Stopped) workfolderssvc Syncs files with the Work Folders server, enabling you to use the files on any of the PCs and devices on which you’ve set up Work Folders.
Workstation Service Start Mode: Auto, Expected State: Running) LanmanWorkstation Creates and maintains client network connections to remote servers using the SMB protocol.
WWAN AutoConfig Start Mode: Disabled, Expected State: Stopped) WwanSvc Manages mobile broadband (GSM & CDMA) data card/embedded module adapters and connections by auto-configuring the networks.
Xbox Accessory Management Service Start Mode: Disabled, Expected State: Stopped) XboxGipSvc This service manages connected Xbox Accessories.
Xbox Game Monitoring Start Mode: Disabled, Expected State: Stopped) xbgm This service monitors games.
Xbox Live Auth Manager Service Start Mode: Disabled, Expected State: Stopped) XblAuthManager Provides authentication and authorization services for interacting with Xbox Live.
Xbox Live Game Save Service Start Mode: Disabled, Expected State: Stopped) XblGameSave This service syncs save data for Xbox Live save enabled games.
Xbox Live Networking Service Start Mode: Disabled, Expected State: Stopped) XboxNetApiSvc This service supports the Windows.Networking.XboxLive application
Display Name Hardened Mode and State Service Description WindowsServer
Windows Server2012R2
2012R2
App Readiness Service Start Mode: Manual, Expected State: Stopped, Running The App Readiness Service gets apps ready for use the first time a user signs in to this PC and when adding new apps.
Application Experience Service Start Mode: Disabled, Expected State: Stopped The Application Experience service processes application compatibility cache requests for applications as they are launched.
Application Host Helper Service Start Mode: Auto, Expected State: Running Handles administrative tasks for Internet Information Services (IIS), Microsoft’s web server. This process can be safely disabled if you do not use IIS.
Application Identity Service Start Mode: Manual, Expected State: Stopped, Running This service determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced. This service is configured by default
Application Information Service Start Mode: Manual, Expected State: Stopped, Running Facilitates the running of interactive applications with additional administrative privileges.
Application Layer Gateway Service Start Mode: Disabled, Expected State: Stopped The Application Layer Gateway Service service provides support for 3rd party protocol plug-ins for Internet Connection Sharing.
Application Management Service Start Mode: Disabled, Expected State: Stopped The Application Management service processes installation, removal, and enumeration requests for software deployed through Group Policy.
AppX Deployment Service (AppXSVC) Start Mode: Manual, Expected State: Stopped, Running The AppX Deployment Service provides infrastructure support for deploying Store applications. The AppX Deployment Service service is started on demand
ASP.NET State Service (aspnet_state) Start Mode: Auto, Expected State: Running Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed.
Background Intelligent Transfer Service Start Mode: Auto, Expected State: Running The Background Intelligent Transfer Service service transfers files in the background using idle network bandwidth.
Background Tasks Infrastructure Service Start Mode: Auto, Expected State: Running The Background Tasks Infrastructure service is a Windows infrastructure service that controls which background tasks can run on the system.
Base Filtering Engine Service Start Mode: Auto, Expected State: Running Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering.
Certificate Propagation Service Start Mode: Auto, Expected State: Running Copies user/root certificates from smart cards into the current user’s certificate store, detects when a smart card is inserted and installs smart card Plug/Play minidriver.
CNG Key Isolation Service Start Mode: Manual, Expected State: Stopped, Running The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria.
COM+ Event System Service Start Mode: Auto, Expected State: Running The COM+ Event System service provides automatic distribution of events to subscribing Component Object Model (COM) components.
COM+ System Application Service Start Mode: Disabled, Expected State: Stopped The COM+ System Application service manages the configuration and tracking of Component Object Model (COM)+-based components.
Computer Browser Service Start Mode: Disabled, Expected State: Stopped The Computer Browser service maintains an updated list of computers on the network and supplies this list to computers designated as browsers.
Credential Manager Service Start Mode: Manual, Expected State: Stopped, Running The Credential Manager service provides secure storage and retrieval of credentials to users, applications and security service packages.
Cryptographic Services Service Start Mode: Auto, Expected State: Running Provides four management services: Catalog Database Service, Protected Root Service, Automatic Root Certificate Update Service and Key Service.
DCOM Server Process Launcher Service Start Mode: Auto, Expected State: Running The DCOM Server Process Launcher service the DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests.
Device Association Service Start Mode: Manual, Expected State: Stopped, Running The Device Association service enables pairing between the system and wired or wireless devices.
Device Install (deviceinstall) Service Start Mode: Manual, Expected State: Stopped, Running The Device Install service enables a computer to recognize and adapt to hardware changes with little or no user input.
Device Setup (dsmsvc) Service Start Mode: Manual, Expected State: Stopped, Running The Device Setup service enables the detection, download and installation of device-related software.
DHCP Client Service Start Mode: Disabled, Expected State: Stopped The DHCP Client service registers and updates IP addresses and DNS records for this computer.
Diagnostic Policy Service Start Mode: Disabled, Expected State: Stopped The Diagnostic Policy Service service the Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components.
Diagnostic Service Host Service Start Mode: Disabled, Expected State: Stopped The Diagnostic Service Host service the Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context.
Diagnostic System Host Service Start Mode: Disabled, Expected State: Stopped The Diagnostic System Host service the Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context.
Distributed Link Tracking Client Service Start Mode: Disabled, Expected State: Stopped The Distributed Link Tracking Client service maintains links between NTFS files within a computer or across computers in a network.
Distributed Transaction Coordinator Start Mode: Disabled, Expected State: Stopped The Distributed Transaction Coordinator service coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DNS Client Service Start Mode: Auto, Expected State: Running The DNS Client service caches Domain Name System (DNS) names and registers the full computer name for this computer.
The Enhanced Mitigation Experience Start Mode: Manual, Expected State: Stopped, Running The Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited.
Encrypting File System (EFS) Service Start Mode: Manual, Expected State: Stopped, Running Encrypting File System (EFS) is a feature of Windows that you can use to store information on your hard disk in an encrypted format.
Extensible Authentication Protocol Start Mode: Disabled, Expected State: Stopped The Extensible Authentication Protocol service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP).
Function Discovery Provider Host Start Mode: Disabled, Expected State: Stopped The Function Discovery Provider Host service hosts the Function Discovery (FD) network discovery providers.
Function Discovery Resource Publication Start Mode: Disabled, Expected State: Stopped The Function Discovery Resource Publication service publishes this computer and resources attached to this computer so they can be discovered over the network.
Group Policy Client Service Start Mode: Auto, Expected State: Running The Group Policy Client service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component.
Health Key and Certificate Management Start Mode: Disabled, Expected State: Stopped The Health Key and Certificate Management service provides X.509 certificate and key management services for the Network Access Protection Agent (NAPAgent).
Human Interface Device Access Service Start Mode: Disabled, Expected State: Stopped Enables generic input access to Human Interface Devices, activates and maintains the use of predefined hot buttons on keyboards/remote controls/multimedia devices.
Hyper-V Data Exchange Service Start Mode: Disabled, Expected State: Stopped Provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.
Hyper-V Guest Service Interface Start Mode: Disabled, Expected State: Stopped Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Hyper-V Guest Shutdown Service Start Mode: Disabled, Expected State: Stopped Provides a mechanism to shut down the operating system of this virtual machine from the management interfaces on the physical computer.
Hyper-V Heartbeat Service Start Mode: Disabled, Expected State: Stopped Monitors the state of this virtual machine by reporting a heartbeat at regular intervals.
Hyper-V Remote Desktop Virtualization Start Mode: Disabled, Expected State: Stopped Provides a platform for communication between the virtual machine and the operating system running on the physical computer.
Hyper-V Time Synchronization Service Start Mode: Disabled, Expected State: Stopped Synchronizes the system time of this virtual machine with the system time of the physical computer.
Hyper-V Volume Shadow Copy Requestor Start Mode: Disabled, Expected State: Stopped Coordinates the communications that are required to use Volume Shadow Copy Service to back up applications and data on this virtual machine from the operating system
IKE and AuthIP IPsec Keying Modules Start Mode: Manual, Expected State: Stopped, Running The IKE and AuthIP IPsec Keying Modules service the IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules.
Interactive Services Detection Service Start Mode: Disabled, Expected State: Stopped The Interactive Services Detection service enables user notification of user input for interactive services, which enables access to dialogs created by interactive services...
Internet Connection Sharing Service Start Mode: Disabled, Expected State: Stopped Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Display Name Hardened Mode and State Service Description Windows Server 2012R2
Internet Explorer ETW Collector Service Start Mode: Disabled, Expected State: Stopped ETW Collector Service for Internet Explorer. When running, this service collects real time ETW events and processes them.
IP Helper Service Start Mode: Auto, Expected State: Running The IP Helper service provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS.
IPsec Policy Agent Service Start Mode: Disabled, Expected State: Stopped Internet Protocol security supports network-level peer/data origin authentication, data integrity, data confidentiality, and replay protection.
KDC Proxy Server service Service Start Mode: Manual, Expected State: Stopped, Running The KDC Proxy Server service runs on edge servers to proxy Kerberos protocol messages to domain
KtmRm Distbd Transaction Coordinator Start Mode: Disabled, Expected State: Stopped Coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM).
Link-Layer Topology Discovery Mapper Start Mode: Disabled, Expected State: Stopped Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device.
Microsoft iSCSI Initiator Service Start Mode: Manual, Expected State: Stopped The Microsoft iSCSI Initiator Service service manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices.
MS Software Shadow Copy Provider Start Mode: Manual, Expected State: Stopped, Running The Microsoft Software Shadow Copy Provider service manages software-based volume shadow copies taken by the Volume Shadow Copy service.
Microsoft Storage Spaces SMP Service Start Mode: Manual, Expected State: Stopped, Running Host service for the Microsoft Storage Spaces management provider. If this service is stopped or disabled, Storage Spaces cannot be managed.
Multimedia Class Scheduler Service Start Mode: Disabled, Expected State: Stopped The Multimedia Class Scheduler service enables relative prioritization of work based on system-wide task priorities.
Net.Tcp Port Sharing Service Start Mode: Disabled, Expected State: Stopped The Net.Tcp Port Sharing Service (NetTcpPortSharing) provides the ability for multiple user processes to share TCP ports over the net.tcp protocol.
Netlogon Service Start Mode: Disabled, Expected State: Stopped The Netlogon service maintains an encrypted channel between your computer and the domain controller that it uses to authenticate users and services.
Network Access Protection Agent Service Start Mode: Disabled, Expected State: Stopped Network Access Protection Agent service the Network Access Protection (NAP) agent service collects and manages health information for client computers on a network.
Network Connections Service Start Mode: Manual, Expected State: Stopped, Running The Network Connections service manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Network Connectivity Assistant Service Start Mode: Disabled, Expected State: Stopped, Running Provides DirectAccess status notification for UI components.
Network List Service Start Mode: Auto, Expected State: Running Identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change.
Network Location Awareness Service Start Mode: Auto, Expected State: Running The Network Location Awareness service collects and stores configuration information for the network and notifies programs when this information is modified.
Network Store Interface Service Start Mode: Auto, Expected State: Running The Network Store Interface Service service this service delivers network notifications (e.g. interface addition/deleting etc) to user mode clients.
Optimize Drives (defragsvc) Service Start Mode: Manual, Expected State: Stopped, Running Performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API...
Performance Counter DLL Host Service Start Mode: Manual, Expected State: Stopped, Running Collects performance data from local or remote computers based on preconfigured schedule parameters, and then writes the data to a log or triggers an alert.
Performance Logs and Alerts Service Start Mode: Manual, Expected State: Stopped, Running Collects performance data from local or remote computers based on preconfigured schedule parameters, and then writes the data to a log or triggers an alert.
Plug and Play Service Start Mode: Manual, Expected State: Stopped, Running The Plug and Play service enables a computer to recognize and adapt to hardware changes with little or no user input.
Portable Device Enumerator Service Start Mode: Disabled, Expected State: Stopped The Portable Device Enumerator Service service enforces group policy for removable mass-storage devices.
Power Service Start Mode: Auto, Expected State: Running The Power service manages power policy and power policy notification delivery.
Print Spooler Service Start Mode: Disabled, Expected State: Stopped The Print Spooler service loads files to memory for later printing.
Printer Extensions and Notifications Start Mode: Manual, Expected State: Stopped, Running This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer.
Problem Reports/Solutions Ctrl Panel Start Mode: Disabled, Expected State: Stopped The Problem Reports and Solutions Control Panel Support service this service provides support for viewing, sending and deletion of system-level problem reports...
Remote Access Auto Connection Manager Start Mode: Disabled, Expected State: Stopped The Remote Access Auto Connection Manager service creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager Start Mode: Disabled, Expected State: Stopped Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks.
Remote Desktop Configuration Service Start Mode: Disabled, Expected State: Stopped Responsible for all Remote Desktop Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context.
Remote Desktop Services Service Start Mode: Disabled, Expected State: Stopped Remote Desktop and Remote Desktop Session Host Server depend on this service.
RDP Services UserMode Port Redirector Start Mode: Disabled, Expected State: Stopped The Remote Desktop Services UserMode Port Redirector (UmRdpService) service allows the redirection of printers, drives, and ports for remote desktop sessions.
Remote Procedure Call (RPC) Service Start Mode: Auto, Expected State: Running RPCSS service is the Service Control Manager for COM and DCOM servers.
Remote Procedure Call (RPC) Locator Start Mode: Disabled, Expected State: Stopped In Windows 2003/earlier versions of Windows this manages the RPC name service database, but does not provide any functionality for later versions of Windows.
Remote Registry Service Start Mode: Auto, Expected State: Running The Remote Registry service enables remote users to modify registry settings on this computer.
Resultant Set of Policy Provider Service Start Mode: Disabled, Expected State: Stopped Provides a network service that processes requests to simulate application of Group Policy settings for a target user or computer.
Routing and Remote Access Service Start Mode: Disabled, Expected State: Stopped The Routing and Remote Access service offers routing services to businesses in local area and wide area network environments.
RPC Endpoint Mapper Service Start Mode: Auto, Expected State: Running The RPC Endpoint Mapper service resolves RPC interfaces identifiers to transport endpoints.
Secondary Logon Service Start Mode: Disabled, Expected State: Stopped The Secondary Logon service enables starting processes under alternate credentials.
Secure Socket Tunneling Protocol Service Start Mode: Disabled, Expected State: Stopped Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN.
Security Accounts Manager Service Start Mode: Auto, Expected State: Stopped The Security Accounts Manager (SamSs) service is a protected subsystem that manages user and group account information.
Server Service Start Mode: Disabled, Expected State: Stopped The Server service supports file, print, and named-pipe sharing over the network for this computer.
Shell Hardware Detection Service Start Mode: Auto, Expected State: Running The Shell Hardware Detection service provides notifications for AutoPlay hardware events.
Smart Card Service Start Mode: Auto, Expected State: Stopped, Running The Smart Card service manages access to smart cards read by this computer.
Smart Card Device Enumeration Service Start Mode: Manual, Expected State: Stopped, Running Creates software device nodes for all smart card readers accessible to a given session.
Smart Card Removal Policy Service Start Mode: Manual, Expected State: Stopped, Running The Smart Card Removal Policy service allows the system to be configured to lock the user desktop upon smart card removal.
Software Protection Service Start Mode: Auto, Expected State: Stopped, Running The Software Protection service enables the download, installation and enforcement of digital licenses for Windows and Windows applications.
Special Administration Console Helper Start Mode: Disabled, Expected State: Stopped The Special Administration Console Helper service allows administrators to remotely access a command prompt using Emergency Management Services.
Display Name Hardened Mode and State Service Description Windows Server 2012R2
SNMP Trap Service Start Mode: Disabled, Expected State: Stopped Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents and forwards the messages to SNMP management programs.
Spot Verifier Service Start Mode: Manual, Expected State: Stopped, Running Verifies potential file system corruptions.
SSDP Discovery Service Start Mode: Disabled, Expected State: Stopped Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running...
Storage Tiers Management Service Start Mode: Manual, Expected State: Stopped, Running The Storage Tiers Management (TieringEngineService) service Optimizes the placement of data in storage tiers on all tiered storage spaces in the system.
Superfetch Service Start Mode: Disabled, Expected State: Stopped The Superfetch (Sysmain) service maintains and improves system performance over time.
System Event Notification Service Start Mode: Disabled, Expected State: Stopped The System Event Notification Service service monitors system events and notifies subscribers to COM+ Event System of these events.
System Events Broker Service Start Mode: Auto, Expected State: Running The Storage Tiers Management (systemeventsbroker) service coordinates execution of background work for WinRT application.
Task Scheduler Service Start Mode: Auto, Expected State: Running The Task Scheduler service enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks.
TCP/IP NetBIOS Helper Service Start Mode: Auto, Expected State: Running Provides support for the NetBIOS over TCP/IP service/NetBIOS name resolution for clients on the network, enabling users to share files, print, and log on to the network.
Telephony Service Start Mode: Disabled, Expected State: Stopped Provides Telephony API support for programs that control telephony devices on the local computer and, through the LAN, on servers that are also running the service.
Themes Service Start Mode: Disabled, Expected State: Stopped Provides user experience theme-management services. A desktop theme is a predefined set of icons, fonts, colors, sounds, and other elements.
Thread Ordering Server Service Start Mode: Disabled, Expected State: Stopped The Thread Ordering Server service provides ordered execution for a group of threads within a specific period of time.
UPnP Device Host Service Start Mode: Disabled, Expected State: Stopped The UPnP Device Host service allows UPnP devices to be hosted on this computer.
User Access Logging Service Start Mode: Auto, Expected State: Running Logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.
User Profile Service Start Mode: Auto, Expected State: Running The User Profile Service service this service is responsible for loading and unloading user profiles.
Virtual Disk Service Start Mode: Manual, Expected State: Stopped, Running The Virtual Disk service provides management services for disks, volumes, file systems, and storage arrays.
Volume Shadow Copy Service Start Mode: Manual, Expected State: Stopped, Running The Volume Shadow Copy service manages and implements Volume Shadow Copies used for backup and other purposes.
Windows Audio Service Start Mode: Disabled, Expected State: Stopped The Windows Audio service manages audio for Windows-based programs.
Windows Audio Endpoint Builder Service Start Mode: Disabled, Expected State: Stopped The Windows Audio Endpoint Builder service manages audio devices for the Windows Audio service.
Windows Color System Service Start Mode: Disabled, Expected State: Stopped The Windows Color System service the WcsPlugInService service hosts third-party Windows Color System color device model and gamut map model plug-in modules.
Windows Connection Manager Service Start Mode: Auto, Expected State: Running Makes automatic connect/disconnect decisions based on the network connectivity options available, enables mgmt of network connectivity based on Group Policy settings.
Windows Driver Foundation/User-mode Start Mode: Disabled, Expected State: Stopped The Windows Driver Foundation - User-mode Driver Framework service manages user-mode driver host processes.
Driver Framework Service
Windows Encryption Provider Host Start Mode: Disabled, Expected State: Stopped Brokers encryption related functionalities from 3rd Party Encryption Providers to processes that need to evaluate and apply EAS policies.
Windows Error Reporting Service Start Mode: Disabled, Expected State: Stopped The Windows Error Reporting Service service allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered.
Windows Event Collector Service Start Mode: Disabled, Expected State: Stopped The Windows Event Collector service this service manages persistent subscriptions to events from remote sources that support WS-Management protocol.
Windows Event Log Service Start Mode: Auto, Expected State: Running Manages events and event logs, supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata.
Windows Firewall Service Start Mode: Auto, Expected State: Running Helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
Windows Font Cache (fontcache) Service Start Mode: Manual, Expected State: Stopped, Running Otimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running.
Windows Installer Service Start Mode: Manual, Expected State: Stopped, Running The Windows Installer service adds, modifies, and removes applications provided as a Windows Installer (*.msi) package.
Windows Management Instrumentation Start Mode: Auto, Expected State: Running Provides a common interface and object model to access management information about operating system, devices, applications and services.
Windows Modules Installer Service Start Mode: Manual, Expected State: Stopped, Running The Windows Modules Installer service enables installation, modification, and removal of Windows updates and optional components.
Windows Presentation Foundation Font Start Mode: Manual, Expected State: Stopped, Running The Windows Font Cache Service service optimizes performance of applications by caching commonly used font data.
Cache (fontcache3.0.0.0) Service
Windows Process Activation Service Start Mode: Auto, Expected State: Running Manages the activation and lifetime of the worker processes that contain applications that host Windows Communication Foundation (WCF) services.
Windows Remote Management Service Start Mode: Disabled, Expected State: Stopped Implements the WS-Management protocol for remote management.
Windows Store Service (WSService) Start Mode: Manual, Expected State: Stopped, Running Provides infrastructure support for Windows Store.This service is started on demand and if disabled applications bought using Windows Store will not behave correctly.
Windows Time Service Start Mode: Auto, Expected State: Running The Windows Time service maintains date and time synchronization on all clients and servers in the network.
Windows Update Service Start Mode: Auto, Expected State: Running The Windows Update service enables the detection, download, and installation of updates for Windows and other programs.
WinHTTP Web Proxy Auto-Discovery Start Mode: Disabled, Expected State: Stopped Client HTTP stack, provides developers with a Win32 API/COM Automation component for sending HTTP requests/receiving responses.
Wired AutoConfig Service Start Mode: Disabled, Expected State: Stopped The Wired AutoConfig service the Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces.
WMI Performance Adapter Service Start Mode: Manual, Expected State: Stopped, Running Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network.
Workstation Service Start Mode: Auto, Expected State: Running The Workstation service creates and maintains client network connections to remote servers using the SMB protocol.
Display Name Mode and State Service Description Windows Server 2008R2
Application Experience Service Start Mode:Disabled, Expected State: Stopped The Application Experience service processes application compatibility cache requests for applications as they are launched.
Application Host Helper Service Start Mode:Auto, Expected State: Running Handles administrative tasks for Internet Information Services (IIS), Microsoft’s web server.
Application Identity Service Start Mode:Manual, Expected State: Stopped, Running This service determines and verifies the identity of an application. Disabling this service will prevent AppLocker from being enforced.
Application Information Service Start Mode:Manual, Expected State: Stopped, Running Facilitates the running of interactive applications with additional administrative privileges.
Application Layer Gateway Service Start Mode:Disabled, Expected State: Stopped The Application Layer Gateway Service service provides support for 3rd party protocol plug-ins for Internet Connection Sharing.
Application Management Service Start Mode:Disabled, Hardened, Epected State: Stopped The Application Management service processes installation, removal, and enumeration requests for software deployed through Group Policy.
Background Intelligent Transfer Service Start Mode:Auto, Expected State: Running The Background Intelligent Transfer Service service transfers files in the background using idle network bandwidth.
Base Filtering Engine Service Start Mode:Auto, Expected State: Running Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering.
Certificate Propagation Service Start Mode:Auto, Expected State: Running Copies user/root certificates from smart cards into the current user’s certificate store, detects when a smart card is inserted and installs smart card Plug/Play minidriver.
CNG Key Isolation Service Start Mode:Manual, Expected State: Stopped, Running The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria.
COM+ Event System Service Start Mode:Auto, Expected State: Running The COM+ Event System service provides automatic distribution of events to subscribing Component Object Model (COM) components
COM+ System Application Service Start Mode:Disabled, Expected State: Stopped The COM+ System Application service manages the configuration and tracking of Component Object Model (COM)+-based components.
Computer Browser Service Start Mode:Disabled, Expected State: Stopped The Computer Browser service maintains an updated list of computers on the network and supplies this list to computers designated as browsers.
Credential Manager Service Start Mode:Manual, Expected State: Stopped, Running The Credential Manager service provides secure storage and retrieval of credentials to users, applications and security service packages.
Cryptographic Services Service Start Mode:Auto, Expected State: Running Provides four management services: Catalog Database Service, Protected Root Service, Automatic Root Certificate Update Service and Key Service.
DCOM Server Process Launcher Service Start Mode:Auto, Expected State: Running The DCOM Server Process Launcher service the DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests.
Desktop Window Manager Session Start Mode:Disabled, Expected State: Stopped Provides Desktop Window Manager startup/maintenance services, supports Themes service, checks applications are compatible with Aero user experience in Vista.
Diagnostic Policy Service Start Mode:Disabled, Expected State: Stopped The Diagnostic Policy Service service the Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components.
Diagnostic Service Host Service Start Mode:Disabled, Expected State: Stopped The Diagnostic Service Host service the Diagnostic Service Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local Service context.
Diagnostic System Host Service Start Mode:Disabled, Expected State: Stopped The Diagnostic System Host service the Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context.
Distributed Link Tracking Client Service Start Mode:Disabled, Expected State: Stopped The Distributed Link Tracking Client service maintains links between NTFS files within a computer or across computers in a network.
Distributed Transaction Coordinator Start Mode:Disabled, Expected State: Stopped The Distributed Transaction Coordinator service coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DHCP Client Service Start Mode:Disabled, Expected State: Stopped The DHCP Client service registers and updates IP addresses and DNS records for this computer.
DNS Client Service Start Mode:Auto, Expected State: Running The DNS Client service the DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer.
Encrypting File System (EFS) Service Start Mode:Manual, Expected State: Stopped, Running Encrypting File System (EFS) is a feature of Windows that you can use to store information on your hard disk in an encrypted format
Extensible Authentication Protocol Start Mode:Disabled, Expected State: Stopped The Extensible Authentication Protocol service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP).
Function Discovery Provider Host Service Start Mode:Disabled, Expected State: Stopped The Function Discovery Provider Host service the FDPHOST service hosts the Function Discovery (FD) network discovery providers.
Function Discovery Resource Publication Start Mode:Disabled, Expected State: Stopped The Function Discovery Resource Publication service publishes this computer and resources attached to this computer so they can be discovered over the network.
Group Policy Client Service Start Mode:Auto, Expected State: Running Responsible for applying settings configured by administrators for the computer and users through the Group Policy component.
Health Key and Certificate Management Start Mode:Disabled, Expected State: Stopped The Health Key and Certificate Management service provides X.509 certificate and key management services for the Network Access Protection Agent (NAPAgent).
Human Interface Device Access Service Start Mode:Disabled, Expected State: Stopped Enables generic input access to Human Interface Devices, activates/maintains use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
IKE and AuthIP IPsec Keying Modules Start Mode:Manual, Expected State: Stopped, Running The IKE and AuthIP IPsec Keying Modules service the IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules.
Interactive Services Detection Service Start Mode:Disabled, Expected State: Stopped Enables user notification of user input for interactive services, which enables access to dialogs created by interactive services when they appear.
Internet Connection Sharing (ICS) Service Start Mode:Disabled, Expected State: Stopped Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Internet Explorer ETW Collector Service Start Mode:Disabled, Expected State: Stopped ETW Collector Service for Internet Explorer. When running, this service collects real time ETW events and processes them.
IP Helper Service Start Mode:Auto, Expected State: Running The IP Helper service provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS.
IPsec Policy Agent Service Start Mode:Disabled, Expected State: Stopped Supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
KDC Proxy Server service (kpssvc) Start Mode:Manual, Expected State: Stopped, Running The KDC Proxy Server service runs on edge servers to proxy Kerberos protocol messages to domain
KtmRm for Distributed Transaction Start Mode:Disabled, Expected State: Stopped Coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM).
Link-Layer Topology Discovery Mapper Start Mode:Disabled, Expected State: Stopped Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device.
Microsoft Fibre Channel Platform Start Mode:Manual, Expected State: Stopped, Running The Microsoft Fibre Channel Platform Registration Service registers the platform with all available Fibre Channel fabrics and maintains the registrations.
Microsoft iSCSI Initiator Service Start Mode:Manual, Expected State: Stopped The Microsoft iSCSI Initiator Service service manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices.
Microsoft Software Shadow Copy Provider Start Mode:Manual, Expected State: Stopped, Running The Microsoft Software Shadow Copy Provider service manages software-based volume shadow copies taken by the Volume Shadow Copy service.
Microsoft Storage Spaces SMP Service Start Mode:Manual, Expected State: Stopped, Running Host service for the Microsoft Storage Spaces management provider. If this service is stopped or disabled, Storage Spaces cannot be managed.
Multimedia Class Scheduler Service Start Mode:Disabled, Expected State: Stopped The Multimedia Class Scheduler service enables relative prioritization of work based on system-wide task priorities.
Net.Tcp Port Sharing Service Start Mode:Disabled, Expected State: Stopped The Net.Tcp Port Sharing Service (NetTcpPortSharing) provides the ability for multiple user processes to share TCP ports over the net.tcp protocol.
Netlogon Service Start Mode:Disabled, Expected State: Stopped The Netlogon service maintains an encrypted channel between your computer and the domain controller that it uses to authenticate users and services.
Network Access Protection Agent Service Start Mode:Disabled, Expected State: Stopped Collects and manages health information for client computers on a network.
Network Connections Service Start Mode:Manual, Expected State: Stopped, Running The Network Connections service manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Network Connectivity Assistant Service Start Mode:Disabled, Expected State: Stopped, Running Provides DirectAccess status notification for UI components.
Network List Service Start Mode:Auto, Expected State: Running Identifies the networks to which the computer has connected, collects and stores properties for these networks, and notifies applications when these properties change.
Network Location Awareness Service Start Mode:Auto, Expected State: Running The Network Location Awareness service collects and stores configuration information for the network and notifies programs when this information is modified.
Network Store Interface Service Start Mode:Auto, Expected State: Running The Network Store Interface Service service this service delivers network notifications (e.g. interface addition/deleting etc) to user mode clients.
Optimize Drives (defragsvc) Service Start Mode:Manual, Expected State: Stopped, Running Helps the computer run more efficiently by optimizing files on storage drives.
Performance Counter DLL Host Service Start Mode:Manual, Expected State: Stopped, Running Service collects performance data from local or remote computers based on preconfigured schedule parameters, and then writes the data to a log or triggers an alert.
Performance Logs and Alerts Service Start Mode:Manual, Expected State: Stopped, Running Service collects performance data from local or remote computers based on preconfigured schedule parameters, and then writes the data to a log or triggers an alert.
Plug and Play Service Start Mode:Manual, Expected State: Stopped, Running The Plug and Play service enables a computer to recognize and adapt to hardware changes with little or no user input.
PnP-X IP Bus Enumerator Service Start Mode:Disabled, Expected State: Stopped The PnP-X IP Bus Enumerator (IPBusEnum) service manages the virtual network bus.
Portable Device Enumerator Service Start Mode:Disabled, Expected State: Stopped The Portable Device Enumerator Service service enforces group policy for removable mass-storage devices.
Power Service Start Mode:Auto, Expected State: Running The Power service manages power policy and power policy notification delivery.
Print Spooler Service Start Mode:Disabled, Expected State: Stopped The Print Spooler service loads files to memory for later printing.
Printer Extensions and Notifications Start Mode:Manual, Expected State: Stopped, Running This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer.
Problem Reports/Solutions Ctrl Panel Start Mode:Disabled, Expected State: Stopped Provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel.
Protected Storage Service Start Mode:Manual, Expected State: Stopped, Running The Protected Storage service protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users.
Quality Windows Audio Video Experience Start Mode:Manual, Expected State: Stopped, Running Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks.
Remote Access Auto Connection Manager Start Mode:Disabled, Expected State: Stopped The Remote Access Auto Connection Manager service creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Access Connection Manager Start Mode:Disabled, Expected State: Stopped Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks.
Remote Desktop Services Service Start Mode:Disabled, Expected State: Stopped Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service
Remote Desktop Configuration Service Start Mode:Disabled, Expected State: Stopped The Remote Desktop Services service allows users to connect interactively to a remote computer.
RDP Services UserMode Port Redirector Start Mode:Disabled, Expected State: Stopped The Remote Desktop Services UserMode Port Redirector (UmRdpService) service allows the redirection of printers, drives, and ports for remote desktop sessions.
Remote Procedure Call (RPC) Service Start Mode:Auto, Expected State: Running The Remote Procedure Call (RPC) service the RPCSS service is the Service Control Manager for COM and DCOM servers.
Remote Procedure Call (RPC) Locator Start Mode:Disabled, Expected State: Stopped In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database.
Remote Registry Service Start Mode:Auto, Expected State: Running The Remote Registry service enables remote users to modify registry settings on this computer.
Resultant Set of Policy Provider Service Start Mode:Disabled, Expected State: Stopped Provides a network service that processes requests to simulate application of Group Policy settings for a target user or computer in various...
Routing and Remote Access Service Start Mode:Disabled, Expected State: Stopped The Routing and Remote Access service offers routing services to businesses in local area and wide area network environments.
RPC Endpoint Mapper Service Start Mode:Auto, Expected State: Running The RPC Endpoint Mapper service resolves RPC interfaces identifiers to transport endpoints.
Secondary Logon Service Start Mode:Disabled, Expected State: Stopped The Secondary Logon service enables starting processes under alternate credentials.
Secure Socket Tunneling Protocol Service Start Mode:Disabled, Expected State: Stopped Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN.
Security Accounts Manager Service Start Mode:Auto, Expected State: Stopped The Security Accounts Manager (SamSs) service is a protected subsystem that manages user and group account information.
Server Service Start Mode:Disabled, Expected State: Stopped Supports file, print, and named-pipe sharing over the network for this computer.
Shell Hardware Detection Service Start Mode:Auto, Expected State: Running The Shell Hardware Detection service provides notifications for AutoPlay hardware events.
Smart Card Service Start Mode:Auto, Expected State: Stopped, Running Manages access to smart cards read by this computer.
Smart Card Device Enumeration Service Start Mode:Manual, Expected State: Stopped, Running Creates software device nodes for all smart card readers accessible to a given session.
Smart Card Removal Policy Service Start Mode:Manual, Expected State: Stopped, Running The Smart Card Removal Policy service allows the system to be configured to lock the user desktop upon smart card removal.
SNMP Trap Service Start Mode:Disabled, Expected State: Stopped Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents
Software Protection Service Start Mode:Auto, Expected State: Stopped, Running Enables the download, installation and enforcement of digital licenses for Windows and Windows applications.
Special Administration Console Helper Start Mode:Disabled, Expected State: Stopped The Special Administration Console Helper service allows administrators to remotely access a command prompt using Emergency Management Services.
Spot Verifier Service Start Mode:Manual, Expected State: Stopped, Running Verifies potential file system corruptions.
SPP Notification Service Start Mode:Manual, Expected State: Stopped, Running Provides Software Licensing activation and notification.
SSDP Discovery Service Start Mode:Disabled, Expected State: Stopped The SSDP Discovery service discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices.
Storage Tiers Management Service Start Mode:Manual, Expected State: Stopped, Running The Storage Tiers Management (TieringEngineService) service Optimizes the placement of data in storage tiers on all tiered storage spaces in the system.
Superfetch Service Start Mode:Disabled, Expected State: Stopped The Superfetch (Sysmain) service maintains and improves system performance over time.
System Event Notification Service Start Mode:Disabled, Expected State: Stopped The System Event Notification Service service monitors system events and notifies subscribers to COM+ Event System of these events.
System Events Broker Service Start Mode:Auto, Expected State: Running The Storage Tiers Management (systemeventsbroker) service coordinates execution of background work for WinRT application.
Task Scheduler Service Start Mode:Auto, Expected State: Running The Task Scheduler service enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks.
TCP/IP NetBIOS Helper Service Start Mode:Auto, Expected State: Running Provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network...
Telephony Service Start Mode:Disabled, Expected State: Stopped Provides Telephony API (TAPI) support for programs that control telephony devices on the local computer and, through the LAN...
Themes Service Start Mode:Disabled, Expected State: Stopped The Themes service provides user experience theme-management services.
Thread Ordering Server Service Start Mode:Disabled, Expected State: Stopped The Thread Ordering Server service provides ordered execution for a group of threads within a specific period of time.
TPM Base Services Service Start Mode:Manual, Expected State: Stopped, Running Enables access to the Trusted Platform Module (TPM), which provides hardware-based cryptographic services to system components and applications.
UPnP Device Host Service Start Mode:Disabled, Expected State: Stopped The UPnP Device Host service allows UPnP devices to be hosted on this computer.
User Access Logging Service Start Mode:Auto, Expected State: Running This service logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.
User Profile Service Start Mode:Auto, Expected State: Running The User Profile Service service this service is responsible for loading and unloading user profiles.
Virtual Disk Service Start Mode:Manual, Expected State: Stopped, Running The Virtual Disk service provides management services for disks, volumes, file systems, and storage arrays.
Volume Shadow Copy Service Start Mode:Manual, Expected State: Stopped, Running The Volume Shadow Copy service manages and implements Volume Shadow Copies used for backup and other purposes.
Windows Audio Service Start Mode:Disabled, Expected State: Stopped The Windows Audio service manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly.
Windows Audio Endpoint Builder Service Start Mode:Disabled, Expected State: Stopped The Windows Audio Endpoint Builder service manages audio devices for the Windows Audio service.
Windows CardSpace Service Start Mode:Manual, Expected State: Stopped, Running The Windows CardSpace service enables the creation, management, and disclosure of digital identities.
Windows Color System Service Start Mode:Disabled, Expected State: Stopped The Windows Color System service the WcsPlugInService service hosts third-party Windows Color System color device model and gamut map model plug-in modules.
Windows Connection Manager Service Start Mode:Auto, Expected State: Running Makes automatic connect/disconnect decisions based on network connectivity options currently available, enables mgmt of network connectivity based on Group Policy.
Windows Driver Foundation - User-mode Start Mode:Disabled, Expected State: Stopped The Windows Driver Foundation - User-mode Driver Framework service manages user-mode driver host processes.
Driver Framework Service
Windows Encryption Provider Host Start Mode:Disabled, Expected State: Stopped Brokers encryption related functionalities from 3rd Party Encryption Providers to processes that need to evaluate and apply EAS policies.
Service
Windows Error Reporting Service Start Mode:Disabled, Expected State: Stopped The Windows Error Reporting Service service allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered.
Windows Event Collector Service Start Mode:Disabled, Expected State: Stopped The Windows Event Collector service this service manages persistent subscriptions to events from remote sources that support WS-Management protocol.
Windows Event Log Service Start Mode:Auto, Expected State: Running This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs...
Windows Firewall Service Start Mode:Auto, Expected State: Running Helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
Windows Installer Service Start Mode:Manual, Expected State: Stopped, Running The Windows Installer service adds, modifies, and removes applications provided as a Windows Installer (*.msi) package.
Windows Management Instrumentation Start Mode:Auto, Expected State: Running Provides a common interface and object model to access management information about operating system, devices, applications and services.
Service
Windows Modules Installer Service Start Mode:Manual, Expected State: Stopped, Running The Windows Modules Installer service enables installation, modification, and removal of Windows updates and optional components.
Windows Font Cache (fontcache) Service Start Mode:Manual, Expected State: Stopped, Running The Windows Font Cache Service service optimizes performance of applications by caching commonly used font data.
Windows Presentation Foundation Font Start Mode:Manual, Expected State: Stopped, Running The Windows Font Cache Service service optimizes performance of applications by caching commonly used font data.
Cache (fontcache3.0.0.0) Service
Windows Process Activation Service Start Mode:Auto, Expected State: Running Manages the activation and lifetime of the worker processes that contain applications that host Windows Communication Foundation (WCF) services.
Windows Remote Management (WS- Start Mode:Disabled, Expected State: Stopped Implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software/hardware management.
Management) Service
Windows Store Service (WSService) Start Mode:Manual, Expected State: Stopped, Running Provides infrastructure support for Windows Store.This service is started on demand and if disabled applications bought using Windows Store will not behave correctly.
Windows Time Service Start Mode:Auto, Expected State: Running The Windows Time service maintains date and time synchronization on all clients and servers in the network.
Windows Update Service Start Mode:Auto, Expected State: Running The Windows Update service enables the detection, download, and installation of updates for Windows and other programs.
WinHTTP Web Proxy Auto-Discovery Start Mode:Disabled, Expected State: Stopped Client HTTP stack, provides developers with a Win32 API/COM Automation component for sending HTTP requests/receiving responses.
Wired AutoConfig Service Start Mode:Disabled, Expected State: Stopped The Wired AutoConfig service the Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces.
WMI Performance Adapter Service Start Mode:Manual, Expected State: Stopped, Running Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network.
Workstation Service Start Mode:Auto, Expected State: Running The Workstation service creates and maintains client network connections to remote servers using the SMB protocol.
Service Name Action Command Service Description RHEL 7
Audit (auditd) Service Enable systemctl enable auditd auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or
aureport utilities.
Avahi Server Disable systemctl disable avahi-daemon The Avahi mDNS/DNS-SD daemon implements Apple's Zeroconf architecture (also known as "Rendezvous" or "Bonjour")
Berkeley RSH-Server (rsh-server) Service Remove yum erase rsh-server The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text.
Chargen Server (chargen-dgram) Service Disable chkconfig chargen-dgram off chargen-dgram is a network service that responds with 0 to 512 ASCII characters for each datagram it receives. This service is intended for debugging and testing
purposes. It is recommended that this service be disabled.
Chargen Server (chargen-stream) Service Disable chkconfig chargen-stream off chargen-stream is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing
purposes. It is recommended that this service be disabled
Chrony Service Install yum install chrony chrony is a pair of programs for keeping computer clocks accurate. chronyd is a background (daemon) program and chronyc is a command-line interface to it.
Chrony Service Enable systemctl enable chronyd chrony is a pair of programs for keeping computer clocks accurate. chronyd is a background (daemon) program and chronyc is a command-line interface to it.
Common Unix Print System (CUPS) Disable systemctl disable cups cupsd is the scheduler for CUPS. It implements a printing system based upon the Internet Printing Protocol, version 2.1. If no options are specified on the command-
line then the default configuration file /etc/cups/cupsd.conf will be used.
CRON Scheduler (crond) Service Enable systemctl enable crond Cron is a daemon to execute scheduled command. Cron examines all stored crontabs, checking each command to see if it should be run in the current minute
Daytime Server (daytime-dgram) Service Disable chkconfig daytime-dgram off daytime-dgram is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is
recommended that this service be disabled.
Daytime Server (daytime-stream) Service Disable chkconfig daytime-stream off daytime-stream is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is
DHCP Server (dhcpd) Disable systemctl disable dhcpd DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached.
Discard Server (discard-dgram) Service Disable chkconfig discard-dgram off discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service
be disabled.
Discard Server (discard-stream) Service Disable chkconfig discard-stream off discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service
be disabled.
DNS Server (bind) Remove yum erase bind The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a
network
Echo Server (echo-stream) Service Disable chkconfig echo-stream off echo-stream is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is
recommended that this service be disabled
Echo Server (echo-dgram) Service Disable chkconfig echo-dgram off echo-dgram is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is
Email Server Services (dovecot) Remove yum erase dovecot Dovecot is an open source IMAP and POP3 server for Linux based systems. Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that
the service be deleted to reduce the potential attack surface.
eXtended InterNET Daemon (xinetd) Disable yum erase xinetd The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known
services and dispatches the appropriate daemon to properly respond to service requests.
Firewall (firewalld) Service Enable systemctl enable firewalld IPtables is an application that allows a system administrator to configure the IP tables, chains and rules provided by the Linux kernel firewall. The firewalld service
provides a dynamic firewall allowing changes to be made at anytime without disruptions cause by reloading.
FTP Server (vsftpd) Remove yum erase vsftpd The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files.
HTTP Proxy Server (squid) Remove yum erase squid The default HTTP proxy package shipped with CentOS Linux is squid
HTTP Server (httpd) Remove yum erase httpd HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with CentOS Linux is Apache.
IPTables (Note: firewalld now preferred) Install yum install iptables Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a
number of built-in chains and may also contain user-defined chains.
IPTables (Note: firewalld now preferred) Enable chkconfig --level 345 iptables on Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a
LDAP Client Services Remove yum erase openldap-clients The Lightweight Directory Access Protocol was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a
central database. The default client/server LDAP application for CentOS is OpenLDAP
Lightweight Directory Access Protocol Disable systemctl disable slapd Slapd is the stand-alone LDAP daemon. It listens for LDAP connections on any number of ports (default 389), responding to the LDAP operations it receives over
Server (LDAP) these connections.
MCS Translation Service (mcstrans) Remove yum erase mcstrans The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/
setrans.conf
Network File System Service (NFS) Disable systemctl disable nfs The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file
systems of other servers through the network.
Network Information Service (NIS) Remove yum erase ypbind The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files.
The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files.
Network Information Service Server (NIS) Disable systemctl disable ypserv The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The
(Yellow Pages) NIS server is a collection of programs that allow for the distribution of configuration files.
Service Name Action Command Service Description RHEL 7
NIS Server Remove yum erase ypserv The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The
NIS server is a collection of programs that allow for the distribution of configuration files.
NTP Service Install yum install ntp The Network Time Protocol is designed to synchronize system clocks across a variety of systems, using a source that is highly accurate. CIS guidance is to use "at
least two synchronized time sources from which all servers/network devices retrieve time information on a regular basis so that timestamps in logs are consistent"
NTP Service Enable systemctl enable ntpd The Network Time Protocol is designed to synchronize system clocks across a variety of systems, using a source that is highly accurate. CIS guidance is to use “at
least two synchronized time sources from which all servers/network devices retrieve time information on a regular basis so that timestamps in logs are consistent”
RPCbind Service (rpcbind) Disable systemctl disable rpcbind The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server
on that machine.
RSH Client Services (rsh , rcp and rlogin) Remove yum erase rsh The rsh package contains the client commands for the rsh services. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.
RSH Server (rexec.socket) Service Disable systemctl disable rexec.socket The rsh package contains the client commands for the rsh services. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.
RSH Server (rlogin.socket) Service Disable systemctl disable rlogin.socket The rsh package contains the client commands for the rsh services. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.
RSH Server (rsh.socket) Service Disable systemctl disable rsh.socket The rsh package contains the client commands for the rsh services. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.
RSYNC Server (rsyncd) Service Disable systemctl disable rsyncd Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon.
Rsyslog (rsyslog) Service Install yum install rsyslog Rsyslogd is a system utility providing support for message logging. Support of both internet and unix domain sockets enables this utility to support both local and
remote logging.
Rsyslog (rsyslog) Service Enable systemctl enable rsyslog Rsyslogd is a system utility providing support for message logging. Support of both internet and unix domain sockets enables this utility to support both local and
remote logging.
Syslog-NG (syslog-ng) Service Install yum install syslog-ng The syslog-ng application is a flexible and highly scalable system logging application. Typically, syslog-ng is used to manage log messages and implement centralized
logging
Syslog-NG (syslog-ng) Service Enable systemctl enable syslog-ng The syslog-ng application is a flexible and highly scalable system logging application. Typically, syslog-ng is used to manage log messages and implement centralized
logging
Samba Server (SMB) Remove yum erase samba The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise
the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter
drives on their systems.
SETroubleshoot Service (SETroubleshoot) Remove yum erase setroubleshoot setroubleshoot is used to diagnose SELinux denials and attempts to provide user friendly explanations for a SELinux denial (e.g. AVC) and recommendations for how
one might adjust the system to prevent the denial in the future.
SNMP Server (net-snmp) Remove yum erase net-snmp The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect
the information and then send results back to the requesting system
Talk Client Services Remove yum erase talk The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk
sessions) is installed by default.
Talk Server (ntalk) Service Disable yum erase talk-server The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions)
is installed by default.
TCPmux Server Service Disable chkconfig tcpmux-server off tcpmux-server is a network service that allows a client to access other network services running on the server. It is recommended that this service be disabled.
Telnet Client (telnet) Service Remove yum erase telnet The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol
Telnet Server (telnet.socket) Service Disable systemctl disable telnet.socket The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol.
Telnet Server (telnet-server) Service Remove yum erase telnet-server The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol.
tftp-server Remove yum erase tftp-server Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The
package tftp-server is the server package used to define and support a TFTP server
Time Server (time-dgram) Service Disable chkconfig time-dgram off time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is
Time Server (time-stream) Service Disable chkconfig time-stream off time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is
Trivial File Transfer Protocol (TFTP) Remove yum erase tftp Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP
does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server.
Trivial File Transfer Protocol Server (TFTP) Disable chkconfig tftp off Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP
Service does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server.
TFTP (TFTP.socket) Service Disable systemctl disable tftp.socket Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP
X Window System (xorg-x11-server- Remove yum remove xorg-x11* The X Window System is a network transparent window system which runs on a wide range of computing and graphics machines
common)
Service Name Action Command Service Description CentOS 7
Audit (auditd) Service Enable systemctl enable auditd auditd is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the ausearch or
aureport utilities.
Avahi Server Disable systemctl disable avahi-daemon The Avahi mDNS/DNS-SD daemon implements Apple's Zeroconf architecture (also known as "Rendezvous" or "Bonjour")
Berkeley RSH-Server (rsh-server) Service Remove yum erase rsh-server The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text.
Chargen Server (chargen-dgram) Service Disable chkconfig chargen-dgram off chargen-dgram is a network service that responds with 0 to 512 ASCII characters for each datagram it receives. This service is intended for debugging and testing
purposes. It is recommended that this service be disabled.
Chargen Server (chargen-stream) Service Disable chkconfig chargen-stream off chargen-stream is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing
purposes. It is recommended that this service be disabled
Chrony Service Install yum install chrony chrony is a pair of programs for keeping computer clocks accurate. chronyd is a background (daemon) program and chronyc is a command-line interface to it.
Chrony Service Enable systemctl enable chronyd chrony is a pair of programs for keeping computer clocks accurate. chronyd is a background (daemon) program and chronyc is a command-line interface to it.
Common Unix Print System (CUPS) Disable systemctl disable cups cupsd is the scheduler for CUPS. It implements a printing system based upon the Internet Printing Protocol, version 2.1. If no options are specified on the command-
line then the default configuration file /etc/cups/cupsd.conf will be used.
CRON Scheduler (crond) Service Enable systemctl enable crond Cron is a daemon to execute scheduled command. Cron examines all stored crontabs, checking each command to see if it should be run in the current minute
Daytime Server (daytime-dgram) Service Disable chkconfig daytime-dgram off daytime-dgram is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is
Daytime Server (daytime-stream) Service Disable chkconfig daytime-stream off daytime-stream is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is
DHCP Server (dhcpd) Disable systemctl disable dhcpd DHCP allows hosts on a TCP/IP network to request and be assigned IP addresses, and also to discover information about the network to which they are attached.
Discard Server (discard-dgram) Service Disable chkconfig discard-dgram off discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service
be disabled.
Discard Server (discard-stream) Service Disable chkconfig discard-stream off discard is a network service that simply discards all data it receives. This service is intended for debugging and testing purposes. It is recommended that this service
be disabled.
DNS Server (bind) Remove yum erase bind The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a
network
Echo Server (echo-stream) Service Disable chkconfig echo-stream off echo-stream is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is
Echo Server (echo-dgram) Service Disable chkconfig echo-dgram off echo-dgram is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is
Email Server Services (dovecot) Remove yum erase dovecot Dovecot is an open source IMAP and POP3 server for Linux based systems. Unless POP3 and/or IMAP servers are to be provided to this server, it is recommended that
the service be deleted to reduce the potential attack surface.
eXtended InterNET Daemon (xinetd) Disable yum erase xinetd The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known
services and dispatches the appropriate daemon to properly respond to service requests.
Firewall (firewalld) Service Enable systemctl enable firewalld IPtables is an application that allows a system administrator to configure the IP tables, chains and rules provided by the Linux kernel firewall. The firewalld service
provides a dynamic firewall allowing changes to be made at anytime without disruptions cause by reloading.
FTP Server (vsftpd) Remove yum erase vsftpd The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files.
HTTP Proxy Server (squid) Remove yum erase squid The default HTTP proxy package shipped with CentOS Linux is squid
HTTP Server (httpd) Remove yum erase httpd HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with CentOS Linux is Apache.
IPTables (Note: firewalld now preferred) Install yum install iptables Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a
IPTables (Note: firewalld now preferred) Enable chkconfig --level 345 iptables on Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a
LDAP Client Services Remove yum erase openldap-clients The Lightweight Directory Access Protocol was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a
central database. The default client/server LDAP application for CentOS is OpenLDAP
Lightweight Directory Access Protocol Disable systemctl disable slapd Slapd is the stand-alone LDAP daemon. It listens for LDAP connections on any number of ports (default 389), responding to the LDAP operations it receives over
Server (LDAP) these connections.
MCS Translation Service (mcstrans) Remove yum erase mcstrans The mcstransd daemon provides category label information to client processes requesting information. The label translations are defined in /etc/selinux/targeted/
setrans.conf
Network File System Service (NFS) Disable systemctl disable nfs The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. It provides the ability for systems to mount file
systems of other servers through the network.
Network Information Service (NIS) Remove yum erase ypbind The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files.
The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files.
Network Information Service Server (NIS) Disable systemctl disable ypserv The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The
(Yellow Pages) NIS server is a collection of programs that allow for the distribution of configuration files.
Service Name Action Command Service Description CentOS 7
NIS Server Remove yum erase ypserv The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The
NIS server is a collection of programs that allow for the distribution of configuration files.
NTP Service Install yum install ntp The Network Time Protocol is designed to synchronize system clocks across a variety of systems, using a source that is highly accurate. CIS guidance is to use "at
least two synchronized time sources from which all servers/network devices retrieve time information on a regular basis so that timestamps in logs are consistent"
NTP Service Enable systemctl enable ntpd The Network Time Protocol is designed to synchronize system clocks across a variety of systems, using a source that is highly accurate. CIS guidance is to use “at
least two synchronized time sources from which all servers/network devices retrieve time information on a regular basis so that timestamps in logs are consistent”
RPCbind Service (rpcbind) Disable systemctl disable rpcbind The rpcbind utility is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server
on that machine.
RSH Client Services (rsh , rcp and rlogin) Remove yum erase rsh The rsh package contains the client commands for the rsh services. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.
RSH Server (rexec.socket) Service Disable systemctl disable rexec.socket The rsh package contains the client commands for the rsh services. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.
RSH Server (rlogin.socket) Service Disable systemctl disable rlogin.socket The rsh package contains the client commands for the rsh services. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.
RSH Server (rsh.socket) Service Disable systemctl disable rsh.socket The rsh package contains the client commands for the rsh services. Note that removing the rsh package removes the clients for rsh, rcp and rlogin.
RSYNC Server (rsyncd) Service Disable systemctl disable rsyncd Rsync is a fast and extraordinarily versatile file copying tool. It can copy locally, to/from another host over any remote shell, or to/from a remote rsync daemon.
Rsyslog (rsyslog) Service Install yum install rsyslog Rsyslogd is a system utility providing support for message logging. Support of both internet and unix domain sockets enables this utility to support both local and
remote logging.
Rsyslog (rsyslog) Service Enable systemctl enable rsyslog Rsyslogd is a system utility providing support for message logging. Support of both internet and unix domain sockets enables this utility to support both local and
remote logging.
Syslog-NG (syslog-ng) Service Install yum install syslog-ng The syslog-ng application is a flexible and highly scalable system logging application. Typically, syslog-ng is used to manage log messages and implement centralized
logging
Syslog-NG (syslog-ng) Service Enable systemctl enable syslog-ng The syslog-ng application is a flexible and highly scalable system logging application. Typically, syslog-ng is used to manage log messages and implement centralized
logging
Samba Server (SMB) Remove yum erase samba The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise
the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter
drives on their systems.
SETroubleshoot Service (SETroubleshoot) Remove yum erase setroubleshoot setroubleshoot is used to diagnose SELinux denials and attempts to provide user friendly explanations for a SELinux denial (e.g. AVC) and recommendations for how
one might adjust the system to prevent the denial in the future.
SNMP Server (net-snmp) Remove yum erase net-snmp The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect
the information and then send results back to the requesting system
Talk Client Services Remove yum erase talk The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk
sessions) is installed by default.
Talk Server (ntalk) Service Disable yum erase talk-server The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions)
is installed by default.
TCPmux Server Service Disable chkconfig tcpmux-server off tcpmux-server is a network service that allows a client to access other network services running on the server. It is recommended that this service be disabled.
Telnet Client (telnet) Service Remove yum erase telnet The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol
Telnet Server (telnet.socket) Service Disable systemctl disable telnet.socket The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol.
Telnet Server (telnet-server) Service Remove yum erase telnet-server The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol.
tftp-server Remove yum erase tftp-server Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. The
package tftp-server is the server package used to define and support a TFTP server
Time Server (time-dgram) Service Disable chkconfig time-dgram off time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is
Time Server (time-stream) Service Disable chkconfig time-stream off time is a network service that responds with the server's current date and time as a 32 bit integer. This service is intended for debugging and testing purposes. It is
Trivial File Transfer Protocol (TFTP) Remove yum erase tftp Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP
Trivial File Transfer Protocol Server (TFTP) Disable chkconfig tftp off Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP
Service does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server.
TFTP (TFTP.socket) Service Disable systemctl disable tftp.socket Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP
X Window System (xorg-x11-server- Remove yum remove xorg-x11* The X Window System is a network transparent window system which runs on a wide range of computing and graphics machines
common)
Visit
https://www.newnettechnologies.com/resources.html
for the latest version of this guide and to browse

our extensive library of Security Control guides,
whitepapers, Expert Knowledgebase articles and
more.
All material is copyright New Net Technologies Limited and any reproduction is prohibited, thank you!

NNT Hardened Services Guide V1 3

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

NNT Hardened Services Guide V1 3

Uploaded by

Copyright:

Available Formats

NNT Security Control Guide * *

Hardening System Services 0 1 9

 Why the active services on a host increase the attack surface

 Why it is always recommended to minimize functionality on any system

Fortunately in the IT world, removal of unnecessary services is a pain-free operation

Figure 1: Even for a vestigial So just like the appendix, if a service

Removing or disabling unnecessary

There are plenty of services that can

Why is the control of system services a critical security control?

 An approved services configuration, and a process to verify and approve any

“Standard CIP-007-3 requires Responsible Entities to define methods, processes, and

And for NIST 800-53

“CM-6 CONFIGURATION SETTINGS - Control: The organization monitors and controls

And finally for PCI DSS V3.2.1

Baselining and Change-Tracking Services

The most complete solution is host-resident, system

For example, NNT Change Tracker™ Gen 7 R2 uses

This means that both for

 Change Control (reporting any drift from

 Breach Detection (reporting unexpected

So the true intent of the security control is being

Security controls are subject to a ‘bang-for-buck’

And while the incidence of breaches continues to

Implementing a Hardened Services Standard

How do I decide which services should be removed or disabled?

In addition, NNT in conjunction with the Center for

Finally there is also the NNT Security Control Guide

You can download CIS Benchmarks for all platforms

See Step 2 – Harden Systems to Eliminate Unwanted/Unnecessary Services for detailed

System Services Hardening Guide

List services on Windows

Use Windows PowerShell (RunAs Administrator) to list all services

List services on Linux

Step 2 – Harden Systems to Eliminate Unwanted/Unnecessary Services

Stop-Service -Name <Service_Name_of_Interest>

Set-Service -Name <Service_Name_of_Interest> -StartupType Disabled

Control services on Linux

To stop a service use

Service <Service-Name> stop

Systemctl disable <Service-Name>

Conclusion - The NNT View

Security hardening is always a balance between maximizing security and delivering

Services are a key dimension of system hardening because default platform

This includes the analysis of

 open network ports and protocols

 installed software and related known vulnerabilities

 security-related configuration settings

 any new and changed system files

About New Net Technologies (NNT)

NNT delivers its Secure Ops® suite by combining:

 System Configuration Hardening

 Closed Loop Change Control

 Vulnerability Management and

 Event Log Management

TO REQUEST A FREE TRIAL OR DISCUSS ANY AREA COVERED IN THIS WHITEPAPER,

Hardened Services Guides

 Appendix A: Windows Server 2019......................................................Page 10

for the latest version of this guide and to browse

You might also like

Why the active services on a host increase the attack surface

Why it is always recommended to minimize functionality on any system

An approved services configuration, and a process to verify and approve any

Change Control (reporting any drift from

Breach Detection (reporting unexpected

open network ports and protocols

installed software and related known vulnerabilities

security-related configuration settings

any new and changed system files

System Configuration Hardening

Closed Loop Change Control

Vulnerability Management and

Event Log Management

Appendix A: Windows Server 2019......................................................Page 10