What services are safe to disable?

UsernameIssues said:

UsernameIssues said:

In more than one place, Microsoft suggests that "Unnecessary services should be disabled".

Doing so is such a difficult task that MS has a Security Configuration Wizard for server operating systems.

There are many W7 users that wish to extend the concept of security hardening via disabling services to non server operating systems... but this is extremely hard to do. You could actually end up lessening your security. The W7 images deployed where I work do indeed have some services disabled via GPO, but you would not believe the time and effort that goes into testing each business related app via Virtual Machines to arrive at the service configurations.

I'm mentioning the security angle because exitPr0gram is in the thread

gregrocker said:

Not MS Services. The "unnecessary" ones can be viewed and deselected after hiding all MS Services on the msconfig Services tab, all except your AV and any sync. Most are on Startup tab but some are deemed Services

The MS documentation that I read concerning making Windows more secure left me with the impression that MS's Security Configuration Wizard disabled MS Services based on the server's role. Watching videos of users configuring MS's Security Configuration Wizard for Windows Server 2008 r2 reinforced that impression. Since I cannot test MS's Security Configuration Wizard first hand, I'll take your word for it that MS does not do that.

I might also be wrong about there being a correlation between Windows 2008 r2 core services and W7 core services. There might be no value in learning from MS's hardening of that server OS.


If a user has Java installed, but does not need/use Java, then they incur Java related security risks for no good reason. If a Windows 7 user does not use the Themes service, why should they leave the Themes service running?

Since the Windows Theme service is a known attack vector for W7 (MS13-071), there does seem to be some security related value in disabling that service if it is not being used. While this particular attack could not be carried out via drive by installation (as far as MS knows), those who keep the Windows Theme service running are accepting the risk that such a different drive by install/attack will strike them. It is fine to run that small risk as long as the user is benefiting from running the Theme service.

A bug was found with Windows 7 Aero (MS10-043). Those that don't use themes probably were not at risk from that bug. Disabling the W7 Themes service probably had no security implications for this bug.


I've already stated that it is extremely difficult to determine which services are safe to disable for a given set of applications. It is certainly possible to lower the security of a computer by turning off the wrong service(s). And each set of operating system patches makes for more uncertainty about the interactions between services. I am aware that users disabling services makes our volunteer jobs harder. Am I wrong to think that a disabled service is less likely to be attacked by malicious objects?

UsernameIssues said:

UsernameIssues said:

In more than one place, Microsoft suggests that "Unnecessary services should be disabled".

Doing so is such a difficult task that MS has a Security Configuration Wizard for server operating systems.

There are many W7 users that wish to extend the concept of security hardening via disabling services to non server operating systems... but this is extremely hard to do. You could actually end up lessening your security. The W7 images deployed where I work do indeed have some services disabled via GPO, but you would not believe the time and effort that goes into testing each business related app via Virtual Machines to arrive at the service configurations.

I'm mentioning the security angle because exitPr0gram is in the thread

gregrocker said:

Not MS Services. The "unnecessary" ones can be viewed and deselected after hiding all MS Services on the msconfig Services tab, all except your AV and any sync. Most are on Startup tab but some are deemed Services

The MS documentation that I read concerning making Windows more secure left me with the impression that MS's Security Configuration Wizard disabled MS Services based on the server's role. Watching videos of users configuring MS's Security Configuration Wizard for Windows Server 2008 r2 reinforced that impression. Since I cannot test MS's Security Configuration Wizard first hand, I'll take your word for it that MS does not do that.

I might also be wrong about there being a correlation between Windows 2008 r2 core services and W7 core services. There might be no value in learning from MS's hardening of that server OS.


If a user has Java installed, but does not need/use Java, then they incur Java related security risks for no good reason. If a Windows 7 user does not use the Themes service, why should they leave the Themes service running?

Since the Windows Theme service is a known attack vector for W7 (MS13-071), there does seem to be some security related value in disabling that service if it is not being used. While this particular attack could not be carried out via drive by installation (as far as MS knows), those who keep the Windows Theme service running are accepting the risk that such a different drive by install/attack will strike them. It is fine to run that small risk as long as the user is benefiting from running the Theme service.

A bug was found with Windows 7 Aero (MS10-043). Those that don't use themes probably were not at risk from that bug. Disabling the W7 Themes service probably had no security implications for this bug.


I've already stated that it is extremely difficult to determine which services are safe to disable for a given set of applications. It is certainly possible to lower the security of a computer by turning off the wrong service(s). And each set of operating system patches makes for more uncertainty about the interactions between services. I am aware that users disabling services makes our volunteer jobs harder. Am I wrong to think that a disabled service is less likely to be attacked by malicious objects?

Thanks for keeping on the topic of Security. Thats the main thing i'm worried about. Prevention is key, not solutions to fixing an infection

When corporate companies image machines, one of the FIRST things that they do is disable services that are not needed by that user (Along with policies, etc). Of course, they adjust which services are disabled based off of the employees job description. But be advised... That these network admin's at these companies KNOW WHAT THEY ARE DOING and mistakes, even by them, are still somewhat common. Usually when bringing on new software or upgrading software.

We are just trying to figure out which ones WE can disable without experiencing problems, and if we mess something up, how to quickly recover from it.

For instance:

Do you use a fax machine via your computer? Then why would you need that service enabled? That service, specifically, is pretty self explanatory as to whether or not we we should disable it.

gregrocker said:

prithvitheprime said:

Does shutting down Windows services affects normal operation; i even thought about stopping Bluetooth, media centre, and most of the vaio services but not the Windows services. Just need some more answers which Windows services we can stop to make the performance very quicker.

Again and ad nauseum, NO MS services should be disabled. You will gain absolutely nothing except troubles.

Vaio services are another matter since like any other factory OEM are all freeloaders on Win7 which interfere with better versions built into the OS and hence can all be unchecked in msconfig. A more thorough way to mitigate them is in the Bloatware tutorial in my signature pic below. But to have the best install of all which benefits from everything we've learned here for five years do the Reinstall tutorial also in siggy pic below.

prithvitheprime said:

Does shutting down Windows services affects normal operation; i even thought about stopping Bluetooth, media centre, and most of the vaio services but not the Windows services. Just need some more answers which Windows services we can stop to make the performance very quicker.

YES. It does affect the "normal" operation of Windows. Anything you have, or will have, installed may need something you've disabled.

gregrocker said:

Simply not necessary, in the end.

After five years in the trenches with Win7 here where most of the repair, install and Best Practice protocols were developed, we would know if there were Service trims that are worthwhile. In the earliest days of Beta we were testing this and quickly learned it's unnecessary.

Previously in XP and Vista many of us had practiced the Black Viper edits to claw back performance. But Win7 became the Black Viper when they developed fast triggers so that almost all Services not always needed at boot can be set to Manual.

With today's modern hardware power it's simply not necessary to trim such a featherlight OS.

That said, on older hardware with less than 4gb RAM I still run 32 bit and edit Visual Effects of hogs like fading, sliding, dragging intact and selection rectangle even those are not noticeable. See Bloatware tutorial in my sig pic below

Hope this helps. I've written it out probably a hundred times in past years and its never been disputed. But other views are always welcome

I think its more than just trimming a "Featherlight OS" for performance reasons... there are secrurity reasons in disabling Microsoft Services as well.

Layback Bear said:

When it comes to Windows 7 Services where did the idea come from that Black Viper is god all know all on Windows 7 Services.
Only Microsoft really knows what all their serves inter connect with and exactly how they do that.

If one wants to experiment; well it's your computer. Have at it. I would suggest freshening up on clean installs by reading the tutorials on this forum.

Dont know what Black Viper is to be honest. Maybe i will give it a shot and check it out and see what i think about it.

UsernameIssues said:

In more than one place, Microsoft suggests that "Unnecessary services should be disabled".

Doing so is such a difficult task that MS has a Security Configuration Wizard for server operating systems.

There are many W7 users that wish to extend the concept of security hardening via disabling services to non server operating systems... but this is extremely hard to do. You could actually end up lessening your security. The W7 images deployed where I work do indeed have some services disabled via GPO, but you would not believe the time and effort that goes into testing each business related app via Virtual Machines to arrive at the service configurations.

I'm mentioning the security angle because exitPr0gram is in the thread

The fact that Microsoft themselves say that disabling services proves that, if you dont need it or wont want to use it, you can benefit from disabling it.

Yup you're right. i linked those websites because they were very explanatory and made me feel safe about disabling them. And yea, companies definitely "Customize" the images they put on each machine they distribute for an employee to use but i doubt those people would be coming to this thread for answers lol

I would say that this is more for "Home PC" configuration as far as Disabling Windows Services goes.


As a test, I have disabled the following services. Honestly, i had to disabled them, reboot, i checked msconfig again, and had to disable 1 or 2 that didn't want to disable, then reboot yet again. If i remember correctly I rebooted once more and ALL the of the following services were disabled.

NOTE: Since i've disabled those services i have used installed and used the following programs with no difficulty: MalwareBytes, Starcraft2, IMGBurn, PowerISO, an alarm clock program i like, and Peerblock.


My Currently Disabled Microsoft Services (From msconfig):

BitLocker Drive Encryption (I do not use it)

Certificate Propagation

Encrypting File System (EFS)

Fax

Homegroup Provider (I do not use Homegroup.)

Microsoft iSCSI Initiator Service

Netlogon

Network Access Protection Agent

Offline Files

Parental Controls

Printer Spooler (I don't have a printer or use PDF Converts, etc.)

Remote Access Auto Connection Manager

Remote Access Aconnection Manager

Remote Desktop Configureation

Remote Desktop Services

Remote Desktop Services UserMode Port Redirector


Remote Procedure Call (RPC) Locator

Remote Registry

Secondary Logon ( I only have one user created for this pc. Dont disable this if you have more than one.)

Smart Card

Smart Card

Removal Policy

Tablet PC Input Service ( I dont use tablets at all.A nice *SS Android phone is all i need

Windows Connect Now - Config Registrar

Windows Defender (I use 3rd party. Much better IMHO)

Windows Media Player Network Sharing Service (I use VLC)



As stated previously these are the websites that i used to decide what to disabled:



Which Windows Services Are Safe to Disable & When?

And

10+ Windows 7 services you may not need - TechRepublic.

The forum does have this tutorial that shows default Windows 7 Services. I could be helpful to some at times needed.

Services - Restore Default Services in Windows 7

Exactly what do you hope to achieve by disabling these Services? There is no performance benefit whatsoever so are you just doing it to play?

What is the reason that anyone would want to disable Services on a featherlight OS that has no substantial overhead like XP or Vista did?

On any modern hardware disabling MS Services is foolhardy because it achieves nothing and causes unintended consequences. As I said we experimented with this during beta and found no useful Win7 MS Service edits except in the case of making it smaller for netbook use.

I'm afraid a MS quote about Servers for IT Pro's to mass customize company computers for Security variances might be confusing a consumer discussion. It seems to be giving ammunition to utterly unnecessary and harmful edits like the list proposed above which is a minefield of unintended consequences. But I understand the point being made about some Security edits being useful in an IT environment.

The Black Viper was very popular and used by many of us to trim XP and Vista resource hogging, but was pretty much put out of business by Win7 which set all all unnecessary Services to Manual using new Fast Triggers we followed here in the developers blog. So Win7 never needed the Black Viper and in fact became the Black Viper since it is as lean as an OS can be while still being visually elegant.

So again, exactly what do you hope to accomplish?