Which Windows Services Do We Need?


When you look at Microsoft Windows services, it can be confusing to sort through them and understand which ones you need. In this blog entry I'm going to take a more detailed look at Windows services and see if we can identify any services that might not be needed, or determine whether any are suspicious.


I think that services can be categorized into two different types: server services and client services. Server services are a bit easier to deal with because they typically do not directly interface with local users and should not be installed on a client computer.


Services that probably should not run on a client computer (laptop or desktop):







World Wide Web (www)




SQL Express


SQL Server


Web service



Services that run on server computers as client services can be a bit harder to identify, because several services might be called by a server service that would be viable on a server. The list in the following table does not list services that could be determined to be viable on a typical server.


Services that you would not expect on a server:



Peer Networking Grouping


Computer Browser services


Routing and Remote Access


Windows Audio




MultiMedia Class scheduler


Peer Networking Identity Manager


Windows Themes



Now that we have a list of services that can be considered for evaluation, it would be nice to somehow automate the process of obtaining service information.


I started to dabble in PowerShell a while ago, and the following example is a perfect illustration of a simple but quick way to obtain service information without having to manually look at services on a device.


Looking for services using PowerShell


If you're not familiar with PowerShell, I recommend you take a look at it. In my book it's the best thing for an administrator since the advent of the automobile! http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx


Step 1. Create a check file of service that you want to flag


Create a text file that identifies the services you want to flag. For instance I have a file called c:\temp\base.txt, and its contents are as follows:


Ftp service

telnet service

www service

SMTP service

sql express

sql server

web service


You can use your favorite editing tool such as Notepad.exe to create the file.


Step 2. Use Compare-Object to find the service


From a PowerShell command prompt, run the following command:


Compare-Object $(get-service | foreach { $_.Name } ) $(get-content c:\temp\base.txt) -includeequal  -excludeDifferent


Simple, right?


Other Services


When you run the script it provides you with all kinds of great information. But maybe it's not enough information.


If you run this script I'd be interested in your results. Did  you see something you did not expect? What was it? Have you identified any services that did not make my list? Are you aware of services (third-party, maybe malware) that should be watched for?


And what about services like BITS (Background Intelligent Transfer Service) and RPC? Because there's a need to allow Windows Update to run as expected, these services would need to run most of the time.


Finally, do scripts like this one provide value to you? What would you recommend to improve on it?


Comments (6)
  1. Anonymous says:

    This is a quiet blog full of posts that invite feedback – but if you find them "too late", you can’t post comments because comments are closed.

    I can understand closing comments on a busy blog that has a set audience who have been following it regularly for a while, but a new blog is likely to be found and read from newest to oldest, and folks may want to comment on "old" stuff – as I will do here, off-topic or not! 🙂

  2. frasim says:

    -Whoa, there, it’s 2008, right? Someone pinch me.

    -Are you seriously asking the public to comment on what services should be enabled or disabled for client versus server security?

    Actually I the idea is to get exposure to Powershell, as a shell tool.

    Asking public to comment….

    The blog is a discussion, and comments are always welcome.

    -And you think that using shell is a good way to admin a system?

    You have an opinion on this, could you elaborate your concern?

    -It’s like I’m reading a UNIX BBS from the late 1980s.

    -Too weird.

  3. Anonymous says:

    When working with ill or ?infected stand-alone PCs, the safest approach is via a CDR-based maintenance OS such as Bart or WinPE.  

    In these cases, a challenge is how to apply tools that require registry access, e.g. HiJackThis, registry-aware scanners, etc.

    Bart has a solution in the form of Paraglider’s RunScanner plugin (I have not tested this on Vista via WinPE, but I don’t expect it to work).

    However, enumeration of services and drivers are not effectively redirected by RunScanner, presumably because the APIs involved look to "live" behavior rather than registry settings.  So managing these items "from orbit" (i.e. without running the stricken or infected HD installation) is a problem.

  4. Anonymous says:

    When considering services, risks can arise from small forms that are legit, but arrive as bundled with something else, e.g.

    1)  Apache web server (e.g. dropped by HP)

    2)  Old Sun Java JREs

    3)  mIRC, remote access tools, etc.

    4)  SQL servers (e.g. as part of office suite)

    On (2), it’s harder to miss a modern JRE’s bulk, but really old 1.4.xx, 1.3.xx JREs are small enough to drop.  I find bits of these in DPF etc. and it’s unclear whether these are functional, or pose a threat as an exploitable surface.

    The shape of this problem is similar to patching GDIPlus, i.e. it can be hard to round ’em all up or know what to do with them!

  5. Oliver Carr says:

    The phrase "probably would/wouldn’t expect" sadly puts a lot of conjecture into an otherwise very informative post. If You’re looking for solid advice on the services required for specific server roles on Windows Server 2003, and how to get to a secured system using the built-in tools, then the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=14845) is a must-read. System services are covered in Chapter 7.



  6. Davi Ottenheimer says:

    Whoa, there, it’s 2008, right? Someone pinch me.

    Are you seriously asking the public to comment on what services should be enabled or disabled for client versus server security?

    And you think that using shell is a good way to admin a system?

    It’s like I’m reading a UNIX BBS from the late 1980s.

    Too weird.

Comments are closed.

Skip to main content