how to eliminate unnecessary services?

I have read that services can be a security risk. In my W7 task manager, there are now 169 listed services, some of which are "stopped", some of which are "running". How do I figure out which are necessary and what each one does. I can "stop" a service in task manager, but I doubt that stops it when you shutdown and reboot. Is there a way to permanently kill a service?

What is the difference between a service and a process?

 

Here is nice service configuration guide: http://www.sevenforums.com/tutorials/2495-services-start-disable.html
Which one to disable? Check here: http://www.blackviper.com/service-c...dows-7-service-pack-1-service-configurations/

Be careful what you disable and don't disable anything you don't know or understand.

 

One way of doing this is by simple scripts in powershell. When I uses someones computer and I don't feel like doing much work I usually just plug in an usb containing some powershell scripts (that will remove a lot of junk, even digging deep inside the registry to fix many common weak configurations there, then I reeboot and speed is usually much much better and I don't risk missing anything if I were to do it manually).

Anyway to run powershell scripts search for "powershell ise" its installed in windows xp, 7, 8 and can be found under control panel > administrationtools. Make sure you rightclick powershell and runas > administrator to not have any scripts not work due to privilege issues.

Before you can run (multi line) scripts in powershell you must allow for it, type "Set-ExecutionPolicy unrestricted". Then after you have ran all scripts you want to run I highly recommend typing "Set-ExecutionPolicy restricted" this is the default setting and will prevent any new powershell scripts from running.

Get-ExecutionPolicy will tell you how its configured at the moment. If you want to confirm and make sure that you did disable it afterward.

Here is a suggestion script to disable some common junk in windows 8 + 7. It won't touch encryption (such as bitlocker) and many other stuff that you might want to disable depending on what you use. However its set at high compatibility instead of max security. Also note that it only bother disable stuff, not setting anything to "manual" instead of "automatic".

This is just a suggestion and as you can see, disabling services and making your own script to include what you want is very easy. You probably want to go through the services manually after this to make it a bit more custom for your setup.

You can probably apply OOP programming here to make the script shorter, but I have never bothered learning that with powershell. It can probably help you write this with less code. However scripts like this are small and will run in a second anyway so how nicely planned your code is probably don't matter as long as it works.

 

copy this in .bat or cmd file/

@Echo off
TITLE Services Optimizer

echo Name: Application Experience
sc config AeLookupSvc start= DEMAND

echo Name: Bluethoot Support Service
sc config BthServ start= DEMAND

echo Name: Computer Browser
sc config Browser start= DEMAND

echo Name: Diagnostic Policy Service
sc config DPS start= DISABLED

echo Name: Diagnostic Service Host
sc config WdiServiceHost start= DISABLED

echo Name: Diagnostic System Host
sc config WdiSystemHost start= DISABLED

echo Name: Distributed Link Tracking Client
sc config TrkWks start= DISABLED

echo Name: Distributed Transaction Coordinator
sc config MSDTC start= DISABLED

echo Name: Extensible Authentication Protocol
sc config EapHost start= DEMAND

echo Name: Function Discovery Provider Host
sc config fdPHost start= DISABLED

echo Name: Function Discovery Resource Publication
sc config FDResPub start= DEMAND

echo Name: Human Interface Device Access
sc config hidserv start= DEMAND

echo Name: IP Helper
sc config iphlpsvc start= DISABLED

echo Name: KtmRm for Distributed Transaction Coordinator
sc config KtmRm start= DISABLED

echo Name: Offline Files
sc config CscService start= DISABLED

echo Name: Portable Device Enumerator Service
sc config WPDBusEnum start= DEMAND

echo Name: Program Compatibility Assistant Service
sc config PcaSvc start= DISABLED

echo Name: Protected Storage
sc config ProtectedStorage start= DISABLED

echo Name: Security Center
sc config wscsvc start= DISABLED

echo Name: Tablet PC Input Service
sc config TabletInputService start= DISABLED

echo Name: UPnP Device Host
sc config upnphost start= DISABLED

echo Name: Volume Shadow Copy
sc config VSS start= DISABLED

echo Name: WebClient
sc config WebClient start= DISABLED

echo Name: Windows Defender
sc config WinDefend start= DISABLED

echo Name: Windows Error Reporting Service
sc config WerSvc start= DISABLED

echo Name: Windows Firewall
sc config MpsSvc start= DISABLED

echo Name: Windows Image Acquisition (WIA)
sc config stisvc start= DEMAND

echo Name: Windows Media Player Network Sharing Service
sc config WMPNetworkSvc start= DISABLED

echo Name: Windows Search
sc config WSearch start= DISABLED

exit

 

Confessions of a security pro: I was wrong about host hardening

 

This is another good way to do this and even more user friendly. But its worth noting that when you add stuff to be possible to run "on command" you are not setting it as restricted as might be wished for.

Personally for instance I have the Bluetooth Support Service set to disabled. Your script would set it to Manual, this is more restrictive than standard "Automatic" but less restrictive than Disabled.

I think if you want to bother with setting items to manual you should add a check to make sure its not already set to an even more restrictive "profile". This to prevent weakening anything.

The article makes some valid points. But how much time does it take to run a script (you most likely have several to run anyway that will configure stuff as you want it)? Most likely adding a script to "the list" and disable some common services will add a few sec at most, trying to portray that as "a lot of time wasted that could be used to configure other stuff", I have a hard time buying that.

We have not seen an end to exploitable services yet. And sometimes services are what makes systems unstable/laggy so it could be worth it for that reason alone (those seconds or minutes you spend configuring it can can save a worker/friend/yourself from some random lag or a random crash later, giving you back those seconds and more).

 

For starters, it is always good to stop each service manually to see, what happens, what it breaks instantaneously. You will also see dependencies.
I have only 25 services running, the rest is disabled, do not use task manager to show services, it shows hidden services, that should not be disabled.

 

@TairikuOkami: (in case you didn't know) Microsoft: do not turn off Windows Firewall service, even if using 3rd party firewall

 

I know, I have read about it, but I do not use any firewall, so whatever, but I appreciate your concern.

 

You might want to consider using a utility like Pserv for experimenting with services. It can save your existing services configuration (and any alternate configurations) as a template, enabling you to easily restore to your pre-existing settings.