What Are The Four Service Startup Types?

Table of Contents

• The Basics of Windows Services
  • Services Architecture
  • Service Processes
  • Generic Process
  • Service Groups
  • Service Dependencies
  • Functions of the SCM
  • Starting Services
  • Starting Service Processes
  • Automatically Starting Services
  • Starting a Device Driver
  • Starting Services and Drivers Nether Condom Style
  • Accepting the Boot and Concluding Known Proficient Configuration
  • SCM Function in System Shutdown
  • LocalSystem Account
• Additional Resources
  • MSDN

The Basics of Windows Services

Windows arrangement services are applications that showtime when the computer is booted and run in the groundwork.  Services handle
depression-level tasks that require no user interaction. In that location are over 200+ operating system features which implement a organization service(due south), to support features and functionality such as:

• Authentication, Certificate, Encryption services
• Networking features such every bit DNS, DHCP, Network Location Awareness, 802.11 Wireless and Wired Services.
• Hardware related services such as Plug and Play services, display driver enhancements,  audio and effects,  print services, Bluetooth
• Remote admission. Terminal Services allow users to log on to a computer from a remote location.

In addition to cadre services that are part of Windows, 3rd-party applications can implement device or file system drivers. Common examples of third-political party services include video, sound, press,  firewall and antivirus services.

Services Compages

The principal components of the core service architecture are the Service Control Manager (SCM), service control programs, and service applications.  The service control programs do not communicate with services directly; all communication goes through the SCM.  This compages is precisely what makes remote administration transparent to the service control programme and service applications.

Service Command Manager
The SCM is a special system process that runs the image systemroot\System32\Services.exe, which is responsible for starting, stopping, and interacting with services. Services are Win32 applications that call special Win32 functions to collaborate with the SCM to perform such actions as registering the service'due south successful startup, responding to status requests, and pausing or shutting downwardly the service.

Service Control Programs
Service control programs are standard Win32 applications that apply the SCM APIs CreateService, OpenService, StartService, ControlService, QueryServiceStatus, and DeleteService to communicate with or control services. To use the SCM functions, a service control program must offset open a communications channel to the SCM. At the time of the open phone call, the service control program must specify what types of actions it wants to perform. For instance, if a service control program simply wants to enumerate and brandish the services present in the SCM database, it requests Enumerate Service access. During its initialization, the SCM creates an internal object that represents the SCM database and uses Windows security functions to protect the object with a security descriptor that specifies which accounts can open the object by using which admission permissions.

The SCM stores the security descriptor in the service'south registry subkey as the Security value, and it reads the value of Security when information technology scans the registry'due south Services primal during initialization so in the same way that a service control program must specify what types of access it wants to the SCM database, a service command program must too tell the SCM what admission it wants to a service. Examples of accesses that a service command plan tin can request include the ability to query a service'southward status and to configure, stop, and start a service.  For example, the security descriptor indicates that the Authenticated Users group can open the SCM object with enumerate-service access. However, only administrators tin open the object with the access required to create or delete a service.

A service application contains the infrastructure necessary for communicating with the SCM, which sends commands to the service telling information technology to stop, pause, continue, or shut down. A service also calls special functions that communicate its status back to the SCM.   Service applications, such equally Spider web servers, consist of at to the lowest degree 1 awarding that runs every bit a service. A user who wants to showtime, stop, or configure a service uses a service control program. Although Windows provides built-in service control programs that provide full general commencement, terminate, pause, and continue functionality, some service applications include their own service control program that allows administrators to specify configuration settings particular to the service they manage.

Because most services do non (and admittedly should not) accept a user interface, they are built as panel programs. When you install an application that includes a service, the awarding's setup program must annals the service with the SCM. To register the service, the setup program calls the Win32 CreateService function, a services-related function whose customer side is implemented in Advapi32.dll (located in the systemroot\System32 binder). Advapi32.dll, the "Advanced API" DLL, implements all the customer-side SCM APIs.

The primary deviation betwixt services and normal applications is that services are managed by the Service Control Manager (SCM). Services are implemented with the services API, which handles the interaction betwixt the SCM and services. The SCM maintains a database of installed services and provides a unified way to control them, including:

• Starting services.
• Stopping services.
• Managing running services.
• Maintaining service-related state data.

Services have one of three states: started, stopped, or paused.

• Started:  service has successfully started.
• Stopped:  a stopped service has been completely close down and must become through a normal startup procedure to enter the started land again.
• Paused:  a paused service suspends normal processing, but remains in retentiveness and continues to respond to command requests. Paused services can, therefore, return to the started state without going through the startup procedure.

A key characteristic of a service is how information technology is started. The SCM has a database that includes data on how each service should be started. The post-obit are the service startup types:

Automatic: The SCM automatically starts these services during the organisation's boot procedure. They are ofttimes called auto-start services.
Manual:  These services must exist started manually with the sc.exe command-line tool, or programmatically with the StartService office.
They are oft called need-commencement services.
Disabled:  These services cannot be started. To start a disabled service, the user must first alter the startup blazon to automatic or manual and click apply. After a service has started, the SCM uses control requests to manage the service's state. For example, the SCM sends control requests to notify a service that it is pausing, is resuming operation, or should be preparing to shut down. The SCM'south database too contains the security settings for each service. These settings control how much access a service has to arrangement resources and enable system administrators to control access to each service.

Service Processes

Running every service in its ain process, instead of having services share a process whenever possible, wastes system resource. Nonetheless, sharing processes means that if whatever of the services in the process encounters a problem that causes the procedure to exit, all the services in that process stop.

Some Windows Server 2003 congenital-in services run in their ain procedure; however, most services share a process with other services. For example, the SCM process, Services.exe, hosts the Outcome Log and the Plug and Play services.

The security-related services, such every bit the Security Accounts Manager service, the Net Logon service, and the IPSEC Services service, share the Lsass.exe process.

At that place is also a "generic" process named Service Host (Svchost, or the Svchost.exe application), which contains multiple services, located in the systemroot \Windows\System32 folder.

Generic Process

A "generic" procedure named Svchost contains multiple services, and multiple instances of Svchost can run under different security contexts. Services that run in Svchost processes include Telephony, Remote Procedure Phone call (RPC), and Remote Access Connexion Manager.

Windows Server 2003 implements services that run in Svchost as DLLs and specifies the location of the DLL of a service in the value of the registry entry ImagePath (which has the grade " systemroot \System32\svchost.exe -k svchost instance name ") in the corresponding service subkey. Every service's registry subkey must too have a registry entry named ServiceDll under its Parameters subkey that points to the service's DLL file. All services that share a mutual Svchost process specify the same parameter ("-k svchost case proper noun ").

Typically, each Svchost example running on a Windows Server 2003-based computer corresponds to a distinct account. For example, the "netsvcs" instance runs equally LocalSystem, the "LocalService" case runs as NT AUTHORITY\LocalService, and the "NetworkService" instance runs as NT Say-so\NetworkService. There are one or two exceptions – for example, the Remote Procedure Call (RPC) service runs in its own LocalSystem instance for security reasons.

When the SCM encounters the showtime service that has an paradigm path of "svchost.exe -1000 svchost example name " during service startup, it creates a new image database record for the Svchost example proper noun and starts the procedure as configured.

The new Svchost process takes the parameter and looks for a registry subkey having the same name as the parameter in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost. Svchost reads the contents of the SvcHost subkey, interpreting its contents as a list of service names, and notifies the SCM that it is hosting those services when Svchost registers with the SCM.

When the SCM encounters a Svchost process during service startup for which the value of its ImagePath matches that of an entry that SCM already has in the image database, SCM does non start the second process but instead just sends a start control for the service to the Svchost process it already started for that ImagePath value. The existing Svchost process reads the value of ServiceDll in the service's subkey and loads the DLL into its process to start the service.

In general, the reason services share processes is to diminish memory footprint and thread usage, both of which increment dramatically as you lot add boosted processes to the organisation. For example, every procedure typically ends upwards with its own thread pool, such every bit RPC server threads. The different Svchost instances on your computer are, for the most function, all running in different accounts, and each i hosts the services that run in that item account. By running the Tasklist.exe tool with the /svc switch, y'all can see the account name listed for each Svchost example.

Service Groups

Many services volition not work properly unless other components of the arrangement are already running. When a computer is started, it follows an algorithm that dictates the order in which services are started. In Windows, system services are divided into a prepare of predefined groups. Assigning a service to a group has no result other than to fine-tune its startup with respect to other services that belong to different groups.

The SCM builds the internal service database and reads and stores the contents of the List entry in the HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder subkey, a string value that lists the names and order of the defined service groups. A service's registry subkey contains an optional Group entry to be used if that service or device driver needs to control its startup ordering with respect to services from other groups.

The SCM reads the value of a service's Group entry to make up one's mind whether it is a member of a group and associates this value with the grouping'southward entry in the ServiceGroupOrder subkey mentioned before. The SCM as well reads and records in the database the service's grouping and service dependencies by querying its DependOnGroup and DependOnService registry entries.

For example, the Windows Server 2003 networking stack is built from the bottom up, so networking services must specify Grouping entries that place them later in the startup sequence than networking device drivers. The SCM internally creates a group list that preserves the ordering of the groups it reads from the registry. Groups include (merely are non limited to) NDIS, TDI, Primary Disk, Keyboard Port, and Keyboard Class. Add-on and third-party applications tin can even define their ain groups and add them to the list.

Since the introduction of Plug and Play in Microsoft ® Windows ®  2000, the service group society mechanism has become less significant. In Windows Server 2003, Plug and Play is responsible for loading kernel drivers and services. Plug and Play manages the loading of kernel-mode drivers based on the presence of their associated devices.

The SCM is almost never involved in the loading of a driver. The near interesting remaining use of the service group order machinery in kernel mode is for file system filter drivers.

The auto-offset option for kernel-mode drivers is being phased out. Even if a driver is marked every bit AUTO_START, as soon equally information technology starts the get-go time, it will receive a root-enumerated devnode registered on its behalf, and on all subsequent boots that root-enumerated devnode volition cause the driver to be loaded by Plug and Play during the system start phase earlier the SCM is started.

The demand-commencement option is recommended for almost all Plug and Play drivers. Demand-start no longer means "when SCM is requested to outset the driver" (for example, in response to a net showtime control) equally it did in prior versions of Windows. Information technology now means when Plug and Play "demands" information technology because of the discovery of devices associated with that driver.

Service Dependencies

In addition to notifying the SCM that a service is role of a detail load order group, yous can tell the SCM that this service requires other services to be running earlier this service can run. For example, many Internet services — including the FTP Publishing Service, the World Wide Web Publishing Service, and the Simple Mail Transfer Protocol (SMTP) Service — are dependent on the IIS Admin Service. If the IIS Admin Service is not available, then none of these dependent services tin run.

Conversely, you lot cannot terminate the IIS Admin Service without first stopping the dependent services. If you could stop the IIS Admin Service showtime, all its dependent services would fail considering those services cannot run unless IIS Admin Service is besides running. The IIS Admin Service is therefore antecedent to its dependent services.

There are two types of service dependencies:

• The current service depends on other services to start. If Service X is antecedent to Service Y, Service X must be running before you tin run Service Y.
• Other services depend on the current service to first . If Service X is dependent on Service Y, Service Y must be running earlier you lot can run Service X.

For example, if yous run the Sc.exe tool, you will see that three services depend on the Telephony service. If an ambassador attempts to terminate the Telephony service and any dependent services are running, the call fails and the SCM returns the post-obit error:

ERROR_DEPENDENT_SERVICES_RUNNING

For another example, if yous stop the Workstation service by using the following Cyberspace.exe command, you lot will receive a list of dependent services that need to be stopped as well.

net finish workstation

This command displays the following information:

The following services are dependent on the Workstation service.

Stopping the Workstation service will also cease these services.

   Internet Logon

   Distributed File System

   Computer Browser

Do you want to proceed this operation? (Y/N) [N]: y

The Cyberspace Logon service is stopping.

The Net Logon service was stopped successfully.

The Distributed File Organization service is stopping.

The Distributed File System service was stopped successfully.

The Reckoner Browser service is stopping.

The Computer Browser service was stopped successfully.

The Workstation service is stopping.

The Workstation service was stopped successfully.

If you restart the Workstation service past using the following command, the dependent services are not started automatically; you need to manually restart the services.

cyberspace showtime workstation

This command displays the following information:

The Workstation service is starting.

The Workstation service was started successfully.

The reason is that the services being stopped are all the currently running services that depend on the Workstation service. They cannot run unless the Workstation service has already started. Since the Workstation service does non depend on any of those services, there is no requirement for the Workstation service to get-go the other services

Yet, if you were to kickoff a dependent service while the Workstation service was stopped, the Workstation service would be started first.

Functions of the SCM

The SCM runs within Services.exe. The SCM automatically starts when the operating organisation is loaded, and stops when the operating organization is shut down. The SCM runs with system privileges, and provides a unified and secure ways of decision-making service applications. The SCM is responsible for communicating with the various services and instructing them to start, stop, suspension, and keep.

Starting Services

The SCM maintains a database of installed services and device drivers in the registry. The database is used by the SCM and programs that add, alter, or configure services. The registry subkey for this database is HKLM\SYSTEM\CurrentControlSet\Services.

This subkey contains a subkey for each installed service and commuter. The name of the subkey is the proper name the service or commuter had when the SCM installed it.

An initial copy of the SCM database is created during Windows Server 2003 setup. The database includes all the service-related parameters defined for a service, in addition to fields that track the service's condition. Additionally, the database contains records for the device drivers required during system restart. The Type entries are found in the registry in the service subkeys nether the HKLM\Organization\CurrentControlSet\Services subkey.

At that place are four values that utilize to device drivers:

• 1 (SERVICE_KERNEL_DRIVER)
• 2 (SERVICE_FILE_SYSTEM_DRIVER)
• 4 (SERVICE_ADAPTER)
• 8 (SERVICE_RECOGNIZER_DRIVER)

The value of the Start entry determines if and when the service or driver is loaded during organisation startup.

Starting Service Processes

When the SCM starts a service process, the following occurs:

The process immediately invokes a service function, StartServiceCtrlDispatcher, which accepts a list of entry points into services, with ane entry point for each service in the process. Each entry point is identified by the proper noun of the service the entry betoken corresponds to.

StartServiceCtrlDispatcher creates a named pipe communications connection to the SCM and then sits in a loop waiting for commands to come up through the pipe.

The SCM sends a service-offset command each fourth dimension it starts a service the process owns. For each start command information technology receives, the function creates a thread, chosen a service thread, to invoke the starting service's entry betoken.

The StartServiceCtrlDispatcher service role waits indefinitely for commands from the SCM and returns control to the process'due south main function only when all the process'due south service threads have terminated, assuasive the service process to make clean up resources before exiting.

The first activeness of a service's entry point (ServiceMain routine) is to call the RegisterServiceCtrlHandler(Ex) API, which takes a arrow to the service'southward Handler(Ex) function. The Handler(Ex) function is designed to receive and handle command messages sent to the service, which are passed along from the SCM.

The StartServiceCtrlDispatcher service part stores the table in local process memory, and the RegisterServiceCtrlHandler finishes populating information technology with the service'south HandlerEx pointer and SERVICE_STATUS_HANDLE. The service entry point continues initializing the service, which can include allocating memory, creating communications end points, and reading private configuration information from the registry. A convention near services follow is to store their service-specific parameters nether a Parameters subkey in their service registry subkey.

While the entry point is initializing the service, it might periodically send condition messages to the SCM to indicate how the service's startup is progressing. Subsequently the entry point finishes initialization, a service thread usually sits in a loop waiting for requests from customer applications. For instance, a Web server would initialize a Manual Command Protocol (TCP) mind socket and expect for inbound Hypertext Transmission Protocol (HTTP) connection requests.

A service procedure's main thread, which invokes and runs within of StartServiceCtrlDispatcher, receives SCM commands directed at services in the process and uses the tabular array of the services' handler functions to locate and invoke the service function responsible for responding to a command. SCM commands include stop, pause, resume, interrogate, shut down, and application-defined commands.

For more than information about the StartServiceCtrlDispatcher and RegisterServiceCtrlDispatcher APIs, run across the Software Development Kit (SDK) information in the MSDN Library link on the Web Resources page (http://go.microsoft.com/fwlink/?linkid=291) at http://www.microsoft.com/windows/reskits/webresources.

Automatically Starting Services

During service initialization, the SCM starts all services that have Start registry entries with a value of 2 (SERVICE_AUTO_START) and the services on which they depend. For example, if services that are automatically started depend on a manually started service, the demand-kickoff service is besides started automatically. The load order is determined by the following:

1. The social club of service groups in the load-ordering group list subkey, HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder.

The order of drivers within a group specified in the HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList subkey.

The dependencies listed for each service.

When the startup process is complete, the system executes the boot verification plan specified in the HKLM\Organisation\CurrentControlSet\Command\BootVerificationProgram subkey.

By default, this value is not gear up. The system reports that the startup process was successful after the car-start sequence completes.

After the estimator has started successfully, the operating organisation saves a clone of the database in the Terminal Known Good configuration. The system can restore this copy of the database if changes made to the active database crusade restarting the computer to fail.

For more than data about the Last Known Expert configuration, come across "Accepting the Boot and Last Known Skilful Configuration" afterward in this chapter.

The following sequence describes how services are automatically started:

1. The SCM starts all services that have a First registry entry with a value of two (SERVICE_AUTO_START). The SCM also starts auto-first device drivers.

The algorithm for starting services in the correct society proceeds in various stages, whereby a phase corresponds to a group, and stages proceed in the sequence defined by the group order stored in the List registry entry in the HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder subkey. The value of the List entry includes the names of groups in the order that the SCM starts them.

For more than information about the ServiceGroupOrder subkey, encounter "Service Groups" earlier in this chapter.

The SCM marks all the service entries that vest to the stage's group for startup.

The SCM loops through the marked services, verifying whether it can first each service. The verification consists of determining whether the service has a dependency on some other group, as specified by the existence of the DependOnGroup entry in the subkey for a service.

• If a dependency exists, the group on which the service is dependent must accept already been initialized, and at least i service in that grouping must have successfully started.
• If the service depends on a group that starts later than the service's group in the grouping startup sequence, the SCM logs a round dependency fault for the service.

The SCM checks to see whether the service depends on 1 or more than services, and whether those services accept already started. Service dependencies are indicated by the value of the DependOnService entry in the subkey for a service.

• If a service depends on other services that belong to groups that come up subsequently in the Listing entry in the HKLM\Arrangement\CurrentControlSet\Command\ServiceGroupOrder subkey, the SCM also returns a circular dependency mistake such equally "Detected circular dependencies need to beginning," and does not start the service.
• If the service depends on any services from the same grouping that take not still started, the service is skipped.

When the dependencies of a service have been satisfied, the SCM makes a concluding bank check to run across whether the service is function of the current kick configuration before starting the service.

When the SCM starts a service, it first determines the name of the file that runs the service's process by reading the value of the ImagePath entry in the service'southward registry subkey.

Information technology then examines the value of the Type entry in the service'southward subkey, and if that value is 32 (that is, the service shares a procedure), the SCM ensures that the procedure the service runs in — if already started — is logged on past using the same business relationship as specified for the service being started. A service'southward ObjectName registry entry stores the user business relationship where the service runs. The SCM will fail to start a service with a missing ObjectName, and will return the error ERROR_INVALID_SERVICE_ACCOUNT.

The SCM verifies that the service's process has not already been started in a different business relationship by checking to encounter whether the value of the service'south ImagePath entry has a record in an internal SCM database identified every bit the epitome database .

•  If the image database does not take a record for the ImagePath entry, the SCM creates 1. When the SCM creates a new record, information technology stores the logon business relationship name used for the service and the data from the value of the service's ImagePath entry. The SCM requires services to have an ImagePath entry.
• If a service does non have an ImagePath entry, the SCM returns an error stating that it could not find the service'south path and is not able to start the service.
• If the SCM locates an existing image database record with matching information from the value of the ImagePath entry, the SCM ensures that the user account information for the service it is starting is the same equally the data stored in the database record. A process tin can be logged on as only i account, then the SCM returns an fault (ERROR_DIFFERENT_SERVICE_ACCOUNT) when a service specifies a different business relationship name than some other service that has already started in the aforementioned process.

The SCM logs on a service if the service's configuration specifies the service'southward procedure should be started. The SCM logs on services that practise not run in the system business relationship by calling the LogonUserEx API, implemented by the Local Security Authority (Lsass.exe). Lsass.exe ordinarily requires a password, but the SCM indicates to Lsass.exe that the countersign is stored every bit a Local Security Dominance (LSA) secret in the registry subkey HKLM\SECURITY\Policy\Secrets.

When the SCM calls LogonUserEx, it specifies a service logon as the logon type. Lsass.exe looks upwardly the password in the Secrets subkey in HKLM\SECURITY\Secrets that has a proper name in the form _SC_<service name> . The SCM directs Lsass.exe to store a logon password equally a hugger-mugger when a service control plan configures a service's logon data past using the CreateService or ChangeServiceConfig APIs.

When a logon is successful, LogonUserEx returns a handle to an admission token to the caller. Windows Server 2003 uses access tokens to correspond your security context, and the SCM later associates the access token with the process that implements the service.

Afterward a successful logon, the SCM loads the business relationship's profile information, if it is not already loaded, past calling LoadUserProfile, which is implemented in Userenv.dll from systemroot \System32. The ProfileImagePath registry entry in the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<user profile key> subkey contains the location on disk of a registry hive that loads into the registry, making the information in the hive the HKEY_CURRENT_USER fundamental for the service.

The SCM gain to start the service'south process if the process has not already been started (for a previous service, for example). The SCM starts the process in a suspended country and creates a named piping through which it communicates with the service process, and it assigns the piping the proper name \Pipe\Net\NetControlPipeX, where X is a number that is incremented each fourth dimension the SCM creates a pipe.

The SCM resumes the service process and waits for the service to connect to its SCM pipage.

• If the pipe exists, the value of the ServicesPipeTimeout registry entry in the HKLM\Arrangement\CurrentControlSet\Control subkey determines the length of time that the SCM waits for a service to connect before it gives upward and terminates the procedure.
• If the ServicesPipeTimeout entry does not be, the SCM uses a default time-out of thirty seconds. The SCM uses the aforementioned time-out value for all its service communications.

When a service connects to the SCM through the piping, the SCM sends the service a start command. If the service fails to respond positively to the start control within the fourth dimension-out period, the SCM gives up and moves on to start the next service.

When a service does not respond to a start asking, the SCM will stop the process if the process does not contain other running services. The SCM will terminate the procedure if an OWN_PROCESS service fails or if the get-go SHARED_PROCESS service to be started in a procedure fails. In the latter case, the SCM volition return ERROR_SERVICE_REQUEST_TIMEOUT (for demand-start requests) and log EVENT_CONNECTION_TIMEOUT.

A hung auto-starting time service — for example, a service stuck in SERVICE_START_PENDING forever — is not stopped past the SCM, but will generate an event log message (EVENT_SERVICE_START_HUNG) and possibly a message box popup.

Thus, the SCM continues looping through the services belonging to a group until all the services accept either started or returned errors (the services could fail to outset for other reasons). Looping is way the SCM automatically orders services within a group according to the value of their DependOnService entries. Looping helps the SCM ship first parameters to a dependent service while the arguments are held in the stack until the dependent service is started. The SCM volition get-go the services that other services depend on in earlier loops, skipping the dependent services until subsequent loops.

Afterwards the SCM completely checks for all the groups in the List entry in the HKLM\System\CurrentControlSet\Command\ServiceGroupOrder subkey, information technology performs a check for all the remaining (that is, ungrouped) services.

When the dependencies of a service have been satisfied, the SCM makes a final check to see whether the service is part of the Last Known Good configuration before starting the service.

Starting a Device Driver

The SCM adds entries to the SCM database for device drivers in addition to services. The SCM starts drivers configured every bit auto-get-go and detects startup failures for drivers configured as kicking-commencement and system-start. The I/O Manager loads drivers configured every bit kicking-start and system-start earlier whatever user-mode processes start, and therefore any drivers having these beginning types are loaded before the SCM starts itself.

If a service the SCM starts has a value of one (SERVICE_KERNEL_DRIVER) or 2 (SERVICE_FILE_SYSTEM_DRIVER) for its Type registry entry, the service is a device driver, and the SCM loads the commuter.

The SCM enables the load driver security privilege for the SCM process and then invokes the kernel API NtLoadDriver, passing in the value of the ImagePath entry in the driver's registry subkey.

Starting Services and Drivers Under Condom Fashion

When the operating organisation is started in Safe Mode, the SCM ensures that each service and driver is either identified by name or by group in the appropriate subkey in the SafeBoot registry subkey. At that place are 2 safe boot registry subkeys, Minimal and Network, located in the HKLM\Organization\CurrentControlSet\Control\SafeBoot subkey. The one that the SCM checks depends on which fashion the user selected during a restart of the figurer.

• If you select Rubber Manner or Safety Manner with Control Prompt at the special boot bill of fare (which you lot tin can admission by pressing F8 when prompted in the kick process), the SCM references the HKLM\System\CurrentControlSet\SafeBoot\Minimal subkey.
• If you select Safe Fashion with Networking, the SCM references the HKLM\Arrangement\CurrentControlSet\SafeBoot\Network subkey. The existence of an Option entry of data type string in the SafeBoot subkey indicates non only that the system booted in Safe Fashion but also the mode the user selected.

The minimum services and drivers started under Safe Fashion or Safe Mode with Command Prompt are the following :

• Cryptographic Services
• Event Log
• Aid and Back up
• Logical Disk Director Authoritative Service
• Net Logon
• Plug and Play
• Remote Procedure Call (RPC)
• Windows Management Instrumentation

The minimum services and drivers started under Condom Mode with Networking are the following:

• AFD Networking Support Environment
• Computer Browser
• DHCP Client
• DNS Client
• Event Log
• Help and Support
• Logical Disk Manager
• NetBIOS Interface
• NetBIOS over TCPIP
• Cyberspace Logon
• Network Connections
• Plug and Play
• Remote Procedure Call (RPC)
• Server
• TCP/IP NetBIOS Helper
• TCP/IP Protocol Driver
• Terminal Services
• Windows Management Instrumentation
• Workstation

Accepting the Kick and Last Known Good Configuration

Besides starting services, the system charges the SCM with determining when the system'south registry configuration, HKLM\SYSTEM\CurrentControlSet, needs to exist saved as the Concluding Known Good configuration control set up. The CurrentControlSet registry subkey contains the Services subkey. Therefore, CurrentControlSet includes the registry representation of the SCM database. It likewise contains the Command subkey, which stores many kernel-style and user-mode subsystem configuration settings.

By default, a successful startup consists of a successful startup of automobile-beginning services and a successful user logon. A startup process fails if the operating organization halts because a device driver fails and stops the operating system during startup, or if an car-start service that has an ErrorControl registry entry with a value of 2 (SERVICE_ERROR_SEVERE) or 3 (SERVICE_ERROR_CRITICAL) returns a startup error. For more than information virtually ErrorControl registry entries, come across the Software Development Kit (SDK) information in the MSDN Library link on the Spider web Resources folio (http://go.microsoft.com/fwlink/?linkid=291) at http://world wide web.microsoft.com/windows/reskits/webresources.

The SCM knows when it has completed a successful startup of the auto-kickoff services; yet, the Winlogon application, located in systemroot \System32 , must notify the SCM when there is a successful logon, indicating that the system has successfully proceeded so that the electric current command set can be saved and selected as the new Last Known Skilful configuration command ready. When you log on, Winlogon sends a bulletin to the SCM. Post-obit a successful commencement of the auto-beginning services, the SCM saves the electric current registry startup configuration.

Third-political party vendors can supersede the Winlogon definition of a successful logon with their own definition. For instance, a organisation running SQL Server might not consider the startup process successful until afterward SQL Server is able to have and procedure transactions.

SCM Part in System Shutdown

When your calculator is close downwards, the following occurs:

1. The Winlogon process sends a message to the Client Server Runtime Subsystem (Csrss.exe), the Win32 subsystem process, to invoke the Csrss.exe shutdown routine.

Csrss.exe loops through the active processes and notifies them that the system is shutting down. For every organization process except Services.exe, Csrss.exe waits up to the number of seconds specified by the value of the registry entry WaitToKillAppTimeout in the HKEY_USERS\.DEFAULT\Control Panel\Desktop subkey for the procedure to get out earlier moving on to the next process. The default value of the WaitToKillAppTimeout entry is 20 seconds.

When Csrss.exe encounters the Services.exe process, it as well notifies it that the operating system is shutting downwards, only a time-out specific to the SCM.

Csrss.exe recognizes the SCM by using the process identifier (PID) Csrss.exe saved when the SCM registered with Csrss.exe during system initialization.

The SCM fourth dimension-out differs from that of other processes because the Csrss.exe procedure waits while the SCM communicates with services that need to perform cleanup when they shut downward; therefore, an administrator might need to conform only the SCM time-out. The SCM time-out value resides in the registry entry WaitToKillServiceTimeout in the HKLM\SYSTEM\CurrentControlSet\Command subkey. Its default value is 20 seconds.

The SCM shutdown handler is responsible for sending shutdown notifications asynchronously to only those services that requested shutdown notification when they initialized with the SCM. The shutdown control lawmaking is SERVICE_CONTROL_SHUTDOWN.

The SCM loops through the SCM database, searching for services that need shutdown notification, and sends each 1 a shutdown control.

For each service that is well-nigh to be shut down, the SCM sends a shutdown command and information technology records the value of the service's wait hint — a value that the service also specifies when it registers with the SCM.

A service's wait hint is the amount of time the SCM sits in a loop waiting for a service to start or shut down. The wait hint must point how many milliseconds the programme that is sending the control code should wait earlier polling the service's status again. The SCM keeps track of the largest expect hint it receives.

Afterwards sending the shutdown messages, the SCM waits until all of the services it notified of the shutdown have exited, until the time specified by the largest await hint passes, or until the value of the WaitToKillServiceTimeout entry is exceeded. Services.exe itself is stopped by Csrss.exe.

• If the wait hint expires without a service exiting, the SCM determines whether one or more of the services it was waiting on to leave take sent a bulletin to the SCM telling the SCM that the service is progressing in its shutdown process.
• If at least ane service fabricated progress, the SCM waits again for the duration of the look hint. The SCM continues executing this wait loop until either all the services have exited or none of the services upon which it is waiting has notified it of progress within the wait hint time-out period.

While the SCM is busy telling services to shut down and waiting for them to exit, Csrss.exe waits for the SCM to exit.

• If all services cease in the SERVICE_STOPPED land, the SCM exits on its ain.
• If the services do non all end upward in the SERVICE_STOPPED state, the SCM loops for 30 seconds. The services that did not end upward in the SERVICE_STOPPED state are eventually stopped, along with Services.exe itself, by Csrss.exe as the system shuts down.
• If the wait by Csrss.exe ends without the SCM having exited (that is, the WaitToKillServiceTimeout time expires), Csrss.exe merely continues the shutdown process and eventually stops Services.exe as a result.

The SCM supports handle types or entry points to allow admission to the following objects:

• The database of installed services
• A service
• The database lock

The database of installed services is represented by an internal container object that holds service objects. This handle or entry point is used when installing, deleting, opening, and enumerating services and when locking the services database.

An installed service is represented past a service object. The requested access is granted or denied depending on the access token of the calling procedure and the security descriptor associated with the internal or service object. This level of access is then associated with all subsequent calls that use this handle. If a subsequent call requires a level of admission that was non originally requested for that handle, the call will fail, regardless of whether the current user could take requested a handle that immune that level of access. A best exercise for clients of the SCM APIs is to request only the level of access that volition be required.

The database lock is represented by a lock object that is created during SCM initialization to serialize admission to the database of installed services. The SCM acquires the lock before starting a service or driver. Thus if an installer program has acquired a database lock, a demand-offset cannot progress until the lock is released. It is important for installer programs to release this lock as before long as they can. Whatsoever installer program that subsequently tries to larn this lock volition receive the ERROR_SERVICE_DATABASE_LOCKED fault, and retry afterward a short wait.

Traditionally, services in Windows operating systems earlier than Microsoft® Windows® XP and Windows 2000 have had the option of running nether either the LocalSystem security context or under an arbitrary user business relationship. Creating user accounts for each service is cumbersome, especially considering of password management for those accounts. Because of this, nearly all local services were configured to run as LocalSystem. The problem with this is that the LocalSystem account is highly privileged, and breaking into the service is often an easy way to accomplish a privilege elevation set on.

Many services practice non need an elevated privilege level; hence the demand for a lower privilege level security context available on all computers.

In Windows services tin can run under the post-obit security contexts:

• LocalSystem account
• NetworkService account (NT AUTHORITY\NetworkService)
• LocalService business relationship (NT AUTHORITY\LocalService)
• Domain user account
• Local user account

The security context nether which the service runs affects the access rights that the service has on the computer and on the network. The security context of a service is an important consideration for service developers and organization administrators because it dictates what resources the process can admission. Unless a service installation plan or administrator specifies otherwise, services run in the security context of the LocalSystem business relationship (displayed sometimes as SYSTEM and other times as LocalSystem), which has some special characteristics.

LocalSystem Account

LocalSystem is a special, predefined local account available only to system processes. This account does not have a password.

On computers running whatsoever version of Microsoft ® Windows NT ® , a service that runs in the context of the LocalSystem account inherits the security context of the SCM. The service is non associated with any logged-on user account and does non have credentials (domain name, user proper name, and countersign) to be used for verification. The service has limited access to network resources, such as shared folders and named pipes, because it has no credentials and must connect past using a null session.

On computers running Windows 2000 or Windows Server 2003, a service that runs in the context of the LocalSystem account uses the credentials of the computer when accessing resources over the network and has full admission to local resources. For services that admission the Agile Directory ® directory service, the LocalSystem context is constraining. When a service runs under the LocalSystem account on a computer that is a domain fellow member, such every bit a Windows Server 2003–based computer running as a member server or Microsoft Windows XP Professional, the service runs nether the context of the calculator account when information technology accesses domain resources. Computer accounts typically have very few privileges and do non belong to groups. Adding figurer accounts to groups is not recommended because the accounts are field of study to deletion and re-creation if the reckoner leaves and then rejoins the domain.

On the other hand, a service that runs in the context of LocalSystem on a domain controller has full admission to the directory, because the domain controller hosts a directory replica and LocalSystem has complete access to local resources. The Internet Logon service is an example of a service that runs under the LocalSystem account.

The LocalSystem account is the same account in which all the Windows Server 2003 user-fashion operating system components run, including Session Manager (Smss.exe), Csrss.exe, Lsass.exe, the Winlogon procedure (Winlogon.exe), some services located in the systemroot \System32 folder, and the SCM (Services.exe).

From a security perspective, the LocalSystem account is extremely powerful — more than powerful than any local or domain account when information technology comes to security on a local computer. This account has the following characteristics:

• It is a member of the local Administrators grouping.
• It has the right to enable most every privilege, fifty-fifty privileges not normally granted to the local administrator account, such as creating security tokens.
• Most files and registry keys grant total access to the LocalSystem account. Even if they do not grant full access, a process that runs under the LocalSystem account can practise the Take Buying privilege to gain access.
• Processes running under the LocalSystem account run with the default user contour (HKEY_USERS\.DEFAULT). They tin can access configuration information stored in the user profiles of other accounts through the registry key HKEY_USERS\<SID>.
• When a figurer is a member of a Windows Server 2003–based domain, the LocalSystem account includes the computer security identifier (SID) for the computer on which a service procedure is running. Therefore, a process running in the LocalSystem account will exist automatically authenticated on other computers in the aforementioned forest past using the computer business relationship of the computer running the service process. (A woods is a grouping of domains.)
• Unless the computer account is specifically granted admission to resources (such as shared folders, named pipes, and so on), a procedure tin can admission network resources that let cypher sessions — that is, connections that require no credentials. You can specify the shared folders and named pipes on a item computer that permits null sessions in the NullSessionPipes and NullSessionShares registry entries in the HKLM\System\CurrentControlSet\Services\lanmanserver\parameters subkey.

Additional Resources

It Professionals

Developing Efficient Background Processes for Windows
Impact of Session 0 Isolation on Services and Drivers in Windows

MSDN

Windows Services documentation
Net Connection Sharing and Cyberspace Connexion Firewall
NotifyServiceStatusChange Function
Service ControlHandler Function
Service Trigger Events
Configuring a Service Using SC

Source: https://social.technet.microsoft.com/wiki/contents/articles/12229.windows-system-services-fundamentals.aspx

Posted by: buellthisced.blogspot.com

Share this post