Service Changes for Windows Vista
There have been significant changes to the services model to improve performance, reliability, security, management, and administration of services.
The following table summarizes the enhancements to services for Windows Vista.
||Delayed auto-start services are started shortly after the system has started. This improves system startup performance while still providing automatic startup for these services. To set the delayed auto-start flag, call the ChangeServiceConfig2 function with SERVICE_CONFIG_DELAYED_AUTO_START_INFO.
|Failure Detection and Recovery
||If a service fails, the service control manager (SCM) can perform a failure action, such as restarting the service in an attempt to recover from that failure. To configure a failure action, call ChangeServiceConfig2 with SERVICE_CONFIG_FAILURE_ACTIONS.
||A service can register to receive a SERVICE_CONTROL_PRESHUTDOWN notification in its HandlerEx function before it receives the actual shutdown notification. This provides services with a lengthy shutdown procedure more time to shut down gracefully. To set the time-out value, call ChangeServiceConfig2 with SERVICE_CONFIG_PRESHUTDOWN_INFO.
|Restricted Network Access
||You can use service SIDs to restrict access to ports, protocols, or the direction of network traffic. To restrict a service's access to the network, use the INetFwServiceRestriction interface.
|Running with Least Privilege
||Services can run under any account that contains the required privileges (LocalService, NetworkService, LocalSystem, a domain account, or a local account) and indicate the required privileges by calling ChangeServiceConfig2 with SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO. The SCM removes any privileges that are not required.
||A service can isolate objects, such as files or registry keys, for its exclusive use by securing them with an access control entry that contains a service SID. After this SID has been assigned to a service, the service owner can modify the objects' access control lists to grant access to the SID. This enables a service to access specific objects without running under a high-privilege account or lowering the security on the objects. To set the service SID, call ChangeServiceConfig2 with SERVICE_CONFIG_SERVICE_SID_INFO.
|Service State Change Notifications
||Services can register to be notified when a service is created, deleted, or has a change in status by using the NotifyServiceStatusChange function. This is more efficient than calling the QueryServiceStatusEx function in a loop to poll for status.
|Session 0 Isolation
||Services have always run in session 0. Before Windows Vista, the first user to log on was also assigned to session 0. Now, session 0 is reserved exclusively for services and other applications not associated with an interactive user session. (The first user to log on is connected to session 1, the second user to log on is connected to session 2, and so on.) Session 0 does not support processes that interact with the user.
This change means that a service cannot post or send a message to an application and an application cannot send or post a message to a service. In addition, services cannot display a user interface item such as a dialog box directly. A service can use the WTSSendMessage function to display a dialog box in another session.