Understanding Windows Services
In order to understand the functions that Windows services perform, we need to first understand the role breakdown of Windows systems in general.
Many people have heard of classifications such as desktops, laptops, workstations and servers, and for the most part, these are very self-explanatory. Desktop computers sit on top (relatively speaking) a desk. Laptops can be used in portable situations on top of laps. Workstations are computer stations that are specifically built to do a particular kind of work very efficiently. But what do we mean by servers?
If we think about the other scenarios where the term “server” is used, we can imagine this in the context of a restaurant — where a server takes the instructions from the customers and translates those into requests that the cooking staff can understand in a timely fashion. When the task is complete, the server will then return the output of the kitchen to the customers.
In the context of a computer system, servers perform a very similar task. Depending on the service involved, they can receive requests from users which need to be processed in a particular fashion and the results fed back to the users as quickly as possible. Servers are optimized to provide services to other systems as efficiently as possible, but be sure to remember that all Windows systems use at least a limited number of services for critical system operations.
Individual services can be likened to different requests that the customers can make. If the customers wanted to put in a request for a particular song to be played to the server, the operation that the server would have to perform would be significantly different than that of a standard order and thus may have to be handled by a different service.
Up until Windows Server 2016 and Windows 10, there were relatively few Windows services that were installed and enabled by default. That changed drastically with the launch of these newer operating systems, where many potential use cases were activated from the factory.
To view the list of services available on most modern Windows-based systems, you can right-click on the Start Menu and select Computer Management. Once this screen appears, go down to Services and Applications and select Services.
Examining the menu
Services themselves are simply programs that run automatically based on particular criteria. Under the “Startup Type” value, you can tell which ones start at boot time (Automatic), after almost everything else has powered up (Automatic Delayed), which ones are started either by a user or specific circumstances (Manual) and which ones should not run at all (Disabled). If you're running into problems with certain services not starting properly at boot, such as ones that are highly dependent on network status, Automatic Delayed may help with this.
Every service requires an account to run as, which acts as the permission level for the service. Many organizations running important applications or in-house custom programs will choose to use a dedicated purpose-built user account, such as a domain or local user account. In this way, they can specifically assign permissions to the program if it needs to access resources in different areas of the local system or across the network but doesn't actually require elevated permissions on the local box. By default, however, Windows services out of the box will have one of three different built-in accounts assigned to them:
- Local system: A higher level of access than a standard local Administrator account
- Local service: A generic standard user account, can connect to certain network resources if they do not require credentials
- Network service: Higher permissions than Local Service but not as much as Local System. Network Service also has the ability to access network resources based on the Computer account
Another area to consider when examining services is the Recovery tab. In this location, it is possible to set services to automatically restart themselves if they should fail, crash or otherwise be ended. This can make dealing with malicious services difficult if it brings itself back immediately after you shut it down.
Setting these values to “Take no Action” and changing the Startup Type to “Disabled” before dealing with a malicious service can help a great deal but be careful when modifying system services. If a required service is set to disabled or force-ended, it can cause the entire system to shut down or BSOD, and potentially not be able to come back up.
Complications with the order
Not all services can be easily shut down, however, as certain ones (such as antivirus programs) remove the ability to modify their Startup Type and start/stop the service without additional modifications — they do this in order to prevent malicious programs from simply turning the protections off.
A consideration to keep in mind when looking for potentially malicious services is an executable swap-out. If a service runs with a high level of system access but does not cause system instability when stopped, a bad actor may be able to stop the service, swap out the executable and restart it without necessarily causing noticeable issues.
If you're troubleshooting potential problems, be sure to examine the system log and timestamps of known good versions of programs versus potentially compromised ones. Also be sure to check the path to the executable on the General tab, and “This system depends on the following system components” on the Dependencies tab. This can help to narrow down what executable the service is running.
When it comes to troubleshooting programs that just seem to keep coming back all the time, checking a system's services can be a fantastic place to start. Just be sure to pay attention to any actions you are taking when it comes to changing or disabling services, as turning off the wrong one can lead to unintended consequences.
If you are looking for deeper dives into Windows administration, be sure to check out the offerings at Infosec, where they have a wide variety of training options to assist you!
- LocalService Account, Microsoft
- Local Service, Local System or Network Service?, Microsoft SQL Server (forum)
- Automatic VS Automatic - Delayed as a startup-type for a service, Microsoft SQL Server (forum)