"I don't have any solution but I certainly admire the problem." -- Ashleigh Brilliant
What's wierd about the services in Windows XP is not so much the vagueness with which they are documented, but the mythical overtones with with they are discussed on other websites. Many of the sites I've found on the subject contain more propaganda than not -- long on emotion and short on facts. This document started out as a way for me to research the myths versus realities of a specific collection of XP Services. This document was written for the "hypothetical ignorant but intelligent user" who has just bought a PC with Windows XP pre-installed and is now examining XP Services for the first time. The most important thing you'll find here is motivation: Explaining why someone configuring their system might want to enable/disable any given service.
A service is an application that runs in the background, independent of any user session. It is not unlike the daemon processes one hears about on Linux. Microsoft currently defines services as: “An executable object, installed in a registry, maintained by the Service Control Manager. The executable file associated with a service can be started at boot time by a boot program, or on demand by the Service Control Manager”.
In short, the descriptions offered by Microsoft are vague and, at best, appear to have been massaged by their Marketing division. Take, for example, the Fluffy Gerbil Deathmatch Interchanger Service. The description of the service says that it "Groks the Endless Regressive Recursion (ERR) interface and allows for the dynamic thrashing of Universal Service Instances (USI). If this service is disabled, existing Gerbils may no longer be grokable and may render other Gerbils unusuable." This smacks of Microsoft Marketing HappySpeak and is, ultimately, useless without additional factual information.
The easiest way to approach XP services is by direct manipulation of the registry. Therfore, this article has been geared towards this end. Savvy system administrators will know what this means ;-) In a pinch, you can cut and paste the information here into a *.REG file, although no claims of warranty are made - you have been warned!
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Description"="Sends alert messages to specified users that are connected to the server computer. Alert messages
warn users about security, access, and user session problems. Use Server Manager (Srvmgr.exe) to specify the administrators who
you want to receive administrative alerts. Server Manager is available on Windows 2000 Server computers only. Alert messages
are sent as messages from the server to a user's computer. The Messenger service must be running on the user's computer
for the user to receive alert messages. If in doubt, choose Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG]
"Description"="Allows the addition of 3rd party software plug-ins to work with either Internet Connection
Sharing or Internet Connection Firewall (ICF). For example, enhanced firewall monitoring and logging software could be
installed as a plug-in with ICF only with this setting enabled. If unsure, choose Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt]
"Description"="Allows software to tap directly into the Add/Remove Programs feature via the Windows Installer
technology. If uncertain, choose Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Description"="BITS enables developers to write client applications that transfer files asynchronously between a
client and server. BITS automatically resumes file transfers after network disconnects and machine reboots. Future versions of
BITS will add upload file transfers ability, the ability for the server application to send a reply to the client after an
upload, command-line execution for event notification, and down-level support. BITS is essentially a set of Application
Programming Interfaces (API) available for programs to hook into. If a program is BITS aware, it can download part of a file
and finish the download at a later time even if the user disconnects from the Internet. You can do lots of neat stuff with
this; for example, Windows XP's Automatic Updates feature is BITS aware, although BITS is not required for this to run. If
you're running Automatic Updates and are on a slow or latent network connection, or if unsure, select Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Description"="Microsoft Active Directory services in Windows 2000 and Windows XP is intended to replace the
computer browser service used in earlier versions of Windows to provide the network basic input/output system (NetBIOS) name
resolution. The Computer Browser service is provided for backwards compatibility for communication among client computers that
are not Active Directory aware. The primary function of the browser service is to provide a list of computers sharing resources
in a client's domain along with a list of other domain and workgroup names across the wide-area network (WAN). This list is
provided to clients that view network resources with Network Neighborhood or the NET VIEW command. If you're part of a
local area network and don't use a WINS server, or if in doubt, select Automatic. If you're using a stand-alone
computer that dials up to the Internet, select Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv]
"Description"="ClipBook permits you to cut and paste text and graphics over the network. Normally, information
you cut or copy from a program is moved to the Clipboard and remains there until you clear it or cut/copy another piece of
information. Enabling this service allows you to share ClipBook pages with others who have ClipBook Viewer installed on their
computers, and they can share their ClipBook pages with you. The ClipBook Viewer isn’t listed in the Accessories folder
on the Start menu in Windows XP, so you might want to create a shortcut to it at %SYSTEMROOT%\System32\clipbrd.exe. The local
ClipBook Viewer will still run with this service turned off. If you think you have a use for sharing Clipbook information among
users, select Automatic. If in doubt, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COMSysApp]
"Description"="Allows COM-aware software components to communicate with each other regardless of what machine,
operating system, and language they're running on. If in doubt, select Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc]
"Description"="This service essentially describes the parameters for allowed use of cryptographic algorithms for
authentication, encoding, and encryption. Specifically, it confirms the signatures of all Windows protected files to make sure
they haven't been replaced by a different version; adds and removes Trusted Root Certification Authorities in Internet
Explorer; and allows your computer to request its own security certificate for authentication. Automatic Updates requires this
service, as does the Windows Update web site. If in doubt, select Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Description"="Allows applications to send error reports to Microsoft in the event of an application fault. If
in doubt, choose Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem]
"Description"="The Component Object Model (COM) is intended to make it easier for developers to create and use
software components in any language, using any tool. COM+ is an extension to the original COM standard. COM+ provides many new
services, such as application partitions, process recycling, public/private components, configurable isolation levels,
applications as Windows NT services, memory gates, component aliasing, and pausing/disabling applications. Enabling this
service allows COM-aware software components to communicate connection bandwidth and latency information with each other. If in
doubt, select Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility]
"Description"="Windows XP allows users to switch quickly between accounts, without requiring them to log off.
All personal data and network connections are preserved, providing simultaneous use of the computer by multiple users. The
primary advantage to this is for a shared computer where it is likely that more than one person will be using the computer at
the same time. If you're unclear if this applies to you, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\helpsvc]
"Description"="Allows the XP Built-in Help and Support Center to run. If in doubt, choose Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICFS]
"Description"="Internet Connection Sharing and Firewall (ICSF) makes it possible for home and small office users
to create and manage private networks in which multiple computers share a single connection to the Internet. The ICSF API
features shared connections, Internet connection protection (personal firewall), and network address translation (NAT)
application definitions. If unsure, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation]
"Description"="The Workstation service enables a computer to connect to and use network resources. This is
generally considered a good thing, so you might want to choose Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Description"="Enables NetBIOS over TCP/IP (NetBT) services. NetBT services provide NetBIOS datagrams, NetBIOS
sessions, and NetBIOS name management (such as name registration and resolution) for NetBIOS applications that are using the
TCP/IP protocol. If you connect to other computers on a local area network, chances are you'll want to set this to
Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Description"="The Messenger service enables a computer to receive messages. A message is sent to a computer
using the names assigned to the computer as identification. If you're on a network and plan to send/receive messages
directly to other computers, select Automatic. If in doubt, select manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc]
"Description"="Allows remote computers to access this local computer via the NetMeeting program. If in doubt,
select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSDTC]
"Description"="Provides data replication between a client and multiple Windows servers. The servers must be
running an MSDTC-aware application in order for a client to benefit from running this service. If in doubt, select
Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Description"="Windows Installer version 2.0 enables the installation of 64-bit Windows Installer Packages on
64-bit Windows operating systems. This latest version of the installer enables the installation and management of COM+
assemblies by the Windows Installer and provides better isolation of existing Windows applications using assemblies. It also
enables the use of optional file hashing and supports configurable merge modules. If in doubt, select Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla]
"Description"="Enables applications to identify the logical network to which the computer is attached, and to
identify to which physical network interface a given application has saved specific information. NLA is implemented as a
generic Windows Sockets 2 Name Resolution service. If your computer has multiple active network connections across multiple
network cards or is multihomed, or if unsure, select Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Description"="Provides IPSec services for secure TCP/IP. Unless you have a need for this, select Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage]
"Description"="Allows the local computer to save passwords for web pages, e-mail programs, etc., on the local
drive in an encrypted state. If you don't want users to be able to save this kind of data, which is considered somewhat
insecure, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr]
"Description"="Provides the Remote Assistance feature which allows remote access and control of the local
computer. If in doubt, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Description"="Allows remote computers to access and modify the registry on the local computer. If in doubt,
select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP]
"Description"="See Windows XP Quality of Service (QoS) Enhancements and Behavior (MS-Technet Q316666) for
additional vagueness. If in doubt, choose Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCLocator]
"Description"="Allows distributed applications to use the Microsoft RPC name service. The Remote Procedure Call
(RPC) Locator service is the RPC name service for Microsoft Windows XP. The RPC Locator manages the RPC name service database.
The server side of the distributed application registers its availability with the RPC Locator service. The client side of the
distributed application queries the RPC Locator service to find available compatible server applications. If you don't know
what all this is, select Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon]
"Description"="Enables starting processes under alternate credentials. See
http://www.microsoft.com/windowsxp/home/using/productdoc/en/sys_srv_secondary_logon.asp. If in doubt, choose Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS]
"Description"="Applications designed for use by mobile users require a unique set of connectivity functions and
notifications. In the past these individual applications were required to implement these features internally. The System Event
Notification Service (SENS) now provides these capabilities in the operating system, creating a uniform connectivity and
notification interface for applications. Using SENS developers can determine connection bandwidth and latency information from
within their application and optimize the application's operation based on those conditions. The connectivity functions and
notifications of SENS are useful for applications written for mobile computers or computers connected to high latency local
area networks. If unsure, choose Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Description"="The Print Spooler service loads files to memory for printing. If you plan to print, choose
Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice]
"Description"="System Restore actively monitors system (and some application) file changes record or store
previous versions before the changes occurred. Monitored files include those that are not in excluded directories (My
Documents) and that do not have known data file extensions (such as .doc). Restore points are created at the time of
significant system events (such as application or driver install) and periodically (every day). System Restore will not revert
user data or document files, so restoring will not cause users to lose their work, mail, or even browsing history and
favorites. If you have extra hard drive space and make frequent changes to your system, select Automatic. If in doubt, select
Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Description"="With Task Scheduler, you can start programs at a specified time with the at command. You might
need to have other services running before you can run scheduled commands. Task Scheduler is initially configured to run in the
System account on the local computer. When Task Scheduler runs using this account, there are no restrictions on the jobs that
you can run with Task Scheduler. However, these jobs have limited network access because the System account on a local computer
is not recognized by other computers. To overcome network access limitations, you can configure Task Scheduler to run in a
user's account. If you do this, jobs executed by Task Schedule are governed by the user account's network access.
However, because Task Scheduler is not using the local System account in this case, you can only run jobs that do not require
the presence of a window. A lot of automatic updating programs depend on this service, so it's a good idea to choose
Automatic."
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV]
"Description"="Allows the local computer to send discovery packets in an attempt to locate UPnP (Universal Plug
and Play) devices on the local network segment. UPnP devices have yet to catch on, and several security issues have been
discovered with this service. If in doubt, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Description"="The Terminal Services Windows Management Instrumentation (WMI) provider allows the user to
administer one or more Terminal Services servers using standard WMI interfaces and the Terminal Services
Configuration/Connections Microsoft Management Console (MMC) snap-in. Windows .NET Server introduces the ADSI Extension for
Terminal Services User Configuration, which extends an ADSI object that allows domain administrators to write scripts to
automate maintenance of Terminal Services-specific user properties. If in doubt, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Themes]
"Description"="Applies visual styles to the user interface via ComCtl32.dll version 6. Disabling this saves in
computer performance. If in doubt, choose Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrkWks]
"Description"="The distributed link tracking client is in charge of updating the location of links (shortcuts)
that are moved. For example, if you move a shortcut from one location to another on an NTFS filesystem, your computer will
notify a Domain Controller of the change, which is recorded for use by other clients. If you don't know what this is,
select Manual. If your computer is part of an NT-Domain and your Domain Controller is running the Distributed Link Tracking
Server service, select Automatic. If in doubt, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
"Description"="Universal Plug and Play (UPnP) enables dynamic networking of intelligent appliances, wireless
devices, and PCs. UPnP technology defines a set of HTTP servers to handle device discovery, description, control, events, and
presentation. Windows XP includes UPnP technology through a Control Point API, allowing the PC to control these devices. In
addition, Windows XP also allows developers to build compliant UPnP devices through a device host API. UPnP technology provides
support for communication between "control points" and devices and services. XML descriptions of devices and the
associated services can be defined and published using UPnP technology. Control points, for example an application using the
control point API in Windows XP, can then discover the devices and use information from these descriptions to control or
subscribe to the services provided. Unless you have a specific need for this, select Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS]
"Description"="The Uninterruptible Power Supply service manages an uninterruptible power supply (UPS) connected
to the computer. You can configure the Uninterruptible Power Supply service by using Power Options in Control Panel. If you
configure the Uninterruptible Power Supply service to execute a command file upon shutdown the command file must finish running
in 30 seconds. If you have a UPS and have installed the monitoring cable that comes with it, choose Automatic. If in doubt,
choose Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"Description"="Allows the local computer to synchronize its clock with one of the Internet Time Servers on a
regular basis. Note that if you are a member of a Domain, this service will not be used by default. If in doubt, select
Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
"Description"="Enables Windows-based programs to create, access, and modify non-local files across the Internet.
Most people will want to choose Manual here.
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winmgmt]
"Description"="Microsoft's implementation of Web-Based Enterprise Management (WBEM), similiar to Simple
Network Management Protocol (SNMP) and Desktop Management Interface (DMI). If in doubt, choose Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSp]
"Description"="This seemingly odd service is devoted to determining the serial number of any portable music
player connected to the local computer. If in doubt, or if at least somewhat suspicious, select Disabled."
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi]
"Description"="With the Windows XP release, several new features and improvements have been added to Windows
Management Instrumentation (WMI), including running providers out-of-process using the NetworkService security account and the
ability to generate XML representations of objects and classes using the XML encoder component. Essentially, WIM provides
SNMP-like management information specifically from and to WMI-aware drivers. Select Manual."
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Description"="Downloads the latest Microsoft software patches automatically in the background. You can
configure this behavior by using the System icon in the Control Panel. Alternately, you can visit the Windows Update site and
retrieve the updates manually. New content is added to the site regularly. If you'd rather update your system manually,
select Manual. If in doubt, choose Automatic."
"Start"=dword:00000002