Windows 10 - services on 1511

As with most previous version of Windows, it would be a big improvement in the security of Windows 10 if Microsoft didn`t run a lot of services by default, and instead left it to users to switch on services if they need them.

Every service that is running or can be run increases the attack surface of the computer, and provides facilities within the operating system that malware or attackers might find useful.

To help harden Windows 10, there are many services that can be disabled - but as before, it depends on how you want to use the computer - so be prepared to spend quite a lot of time working out which services can be safely disabled, and which ones are required for the way you want to use the computer. You need to take account of service dependencies, as well as the primary function of the service.

You can control services through the "System Configuration" GUI tool available through "Control Panel" / "Administrative Tools", but using it for this is more for stopping services in the course of fault finding, rather than for permanent configuration.

A better tool is the "Services" tool available through "Control panel" / "Administrative Tools" / "Services".

To change whether a service starts up automatically, is started manually, or is disbled, highlight the service, right click on it, and select Properties.

Some of the services in Windows 10 are legacy services that are the same as on previous versions of Windows - if you don`t want interaction with older versions of Windows, they can and should be disabled.

Windows 10 has many of the same services that exist in Windows 8.1, however some have been dropped, and quite a few have been added. And would you believe, some of the famously insecure services that appeared in Windows NT are still there in Windows 10, and running by default.

I`m still working my way through them all, but here are some of the services that so far, I reckon can be disabled - this list is built around the way I expect to use Windows 10 as a desktop - your list will probably need to be different. The Startup Type after each service is the original setting.

• ActiveX Installer --- manual
• Alljoyn Router Service --- manual
• Application Layer Gateway Service --- manual
• Background Tasks Infrastructure Service --- automatic - can`t be stopped or disabled
• Bluetooth Handsfree Service --- manual
• Bluetooth support service --- manual
• Computer browser --- manual
• Connected User Experiences and Telemetry --- automatic
• Diagnostic Policy Service --- automatic
• Diagnostic Service Host --- automatic
• Diagnostic System Host --- automatic
• dmwappushsvc --- manual
• Downloaded Maps Manager --- automatic delayed start
• Encrypting File Systems --- manual
• Fax --- manual
• Function discovery resource host --- manual
• Function discovery resource publication --- manual
• Geolocation Service --- manual
• HomeGroup listener --- manual
• HomeGroup provider --- manual
• Internet Connection Sharing --- manual
• IP helper --- automatic
• IPsec Policy Agent --- manual
• Link-layer topology discovery mapper --- manual
• Microsoft account sign-in assistant --- manual
• Microsoft iSCSI Initiator Service --- manual
• Microsoft Windows SMS Router service --- manual
• Netlogon --- manual
• Network Connection Broker --- manual
• Network List Service --- manual
• Network Location Awareness --- manual
• Peer Name Resolution Protocol --- manual
• Peer Networking Grouping --- manual
• Peer Networking Identity Manager --- manual
• Performance Counter DLL Host --- manual
• Phone Service --- manual
• PNRP Machine Name Publication Service --- manual
• Quality Windows Audio Video Experience --- manual
• Remote access auto connection manager --- manual
• Remote access connection manager --- manual
• Remote desktop configuration --- manual
• Remote desktop services --- manual
• Remote desktop services usermode port redirector --- manual
• Remote registry --- disabled by default
• Retail Demo Service --- manual
• Secondary logon --- manual
• Secure Sockets Tunneling Protocol Service --- manual
• Server --- automatic
• Smart Card --- automatic
• Smart Card Device Enumeration Service --- manual
• Smart Card Removal Policy --- manual
• SNMP Trap --- manual
• SSDP discovery --- manual
• TCP/IP NetBIOS helper --- manual
• Telephony --- manual
• UPnP Device host --- manual
• Wallet Service --- manual
• Web client --- manual
• Windows biometric service --- automatic
• Windows connect now - config register --- manual
• Windows Error Reporting --- manual
• Windows media player network sharing service --- manual
• Windows Mobile Hotspot Service --- manual
• Windows Remote Management --- manual
• Windows search --- automatic
• Wired autoconfig --- manual
• WMI Performance Adapter --- manual
• Work Folders --- manual
• Workstation --- automatic
• WWAN autoconfig --- manual
• Xbox Live Auth Manager --- manual
• Xbox Live Game Save --- manual
• Xbox Live Networking Service --- manual

User tracking

When Microsoft was developing Windows 10, one of the things that emerged was their enthusiasm for the idea of tracking everything that users were doing.

Not content with setting up Windows 10 to do user tracking, they also pushed down the ability to do user tracking on Windows 7 and Windows 8.1, by using the update service to push down an optional update.

On a Windows 7 Pro machine that was set to receive optional updates, this update installed a service called "Diagnostics Tracking Service", which was the service that was to do user tracking. I of course disabled it, and went for broke, and also disabled the other three diagnostic services. The machine runs fine without them, and so does Windows 8.1. Hopefully, by reducing the amount of diagnostics going on, there is less data for Microsoft to get its hands on.

I have included these three diagnostic services in the list above of services to disable, and I have also included another one which is new to Windows 10, called "Connected User Experiences and Telemetry". There is some information on the web that this service manages the collection of various bits of useage information. So it seems to be a good one to disable.

Windows Update

There are two services that are particularily involved in Windows Update - the primary one is of course "Windows Update", and at the moment on my Windows 10 laptop, I have it disabled.

There is another service that is required for Windows update to work, it is "Background Intelligent Transfer Service" - this is the service that interacts with the networking side of Windows, and uses unused periods of network time to do the uploading and downloading of Windows updates.

So if it is disabled, Windows update doesn`t work.

• home page
• image gallery
• about this website
• about the colour bar

website design by ron-t

website hosting by freevirtualservers.com

© 2024   Ron Turner

+                                   +  

• grayscale