Which Windows Services Do We Need?

 

When you look at Microsoft Windows services, it can be confusing to sort through them and understand which ones you need. In this blog entry I'm going to take a more detailed look at Windows services and see if we can identify any services that might not be needed, or determine whether any are suspicious.

 

I think that services can be categorized into two different types: server services and client services. Server services are a bit easier to deal with because they typically do not directly interface with local users and should not be installed on a client computer.

 

Services that probably should not run on a client computer (laptop or desktop):

Description

Executable

FTP

Msftpsvr

Telnet

Tintsvr

World Wide Web (www)

w3svc

SMTP

Smtpsvc

SQL Express

mssql$sqlexpress

SQL Server

Mssqlserver

Web service

Iisadmin

 

Services that run on server computers as client services can be a bit harder to identify, because several services might be called by a server service that would be viable on a server. The list in the following table does not list services that could be determined to be viable on a typical server.

 

Services that you would not expect on a server:

Description

Executable

Peer Networking Grouping

P2psvc

Computer Browser services

Browser

Routing and Remote Access

RemoteAccess

Windows Audio

Audiosrv

Bluetooth

Bthserv

MultiMedia Class scheduler

Mmcss

Peer Networking Identity Manager

Pnrpsvc

Windows Themes

Themes

 

Now that we have a list of services that can be considered for evaluation, it would be nice to somehow automate the process of obtaining service information.

 

I started to dabble in PowerShell a while ago, and the following example is a perfect illustration of a simple but quick way to obtain service information without having to manually look at services on a device.

 

Looking for services using PowerShell

 

If you're not familiar with PowerShell, I recommend you take a look at it. In my book it's the best thing for an administrator since the advent of the automobile! http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx

 

Step 1. Create a check file of service that you want to flag

 

Create a text file that identifies the services you want to flag. For instance I have a file called c:\temp\base.txt, and its contents are as follows:

 

Ftp service

telnet service

www service

SMTP service

sql express

sql server

web service

 

You can use your favorite editing tool such as Notepad.exe to create the file.

 

Step 2. Use Compare-Object to find the service

 

From a PowerShell command prompt, run the following command:

 

Compare-Object $(get-service | foreach { $_.Name } ) $(get-content c:\temp\base.txt) -includeequal  -excludeDifferent

 

Simple, right?

 

Other Services

 

When you run the script it provides you with all kinds of great information. But maybe it's not enough information.

 

If you run this script I'd be interested in your results. Did  you see something you did not expect? What was it? Have you identified any services that did not make my list? Are you aware of services (third-party, maybe malware) that should be watched for?

 

And what about services like BITS (Background Intelligent Transfer Service) and RPC? Because there's a need to allow Windows Update to run as expected, these services would need to run most of the time.

 

Finally, do scripts like this one provide value to you? What would you recommend to improve on it?