Windows services from the inside out. Installing devices and managing drivers. Managing Windows services and drivers

Introduction

This article describes how services are programmed on Windows (I use two terms for them interchangeably; both mean "service") and gives an example of using them to load drivers or rootkits.

Services

When the OS starts, the Service Control Manager (SCM) reads data from the registry (service name, start type, driver type, etc.) and builds a database for managing services. I will describe some of the functions with which you can manage services. First you need to open a connection to this database (the SCM database), then pass the database handle to the functions that manage services.

As I said, the first step is to open a connection to the SCM database. The OpenSCManager function serves this purpose.

SC_HANDLE OpenSCManager(LPCTSTR lpMachineName, LPCTSTR lpDatabaseName, DWORD dwDesiredAccess);

LPCTSTR lpMachineName - a pointer to a null-terminated string containing the name of the local computer. This parameter can be set to NULL.

LPCTSTR lpDatabaseName - a pointer to a null-terminated string containing the name of the database to open. This parameter should also be set to NULL.

DWORD dwDesiredAccess - flags specifying the access rights to the database. I will not list all the flags in this article; I only consider the service-programming capabilities needed to load rootkits.

SC_MANAGER_ALL_ACCESS - standard database access rights.
SC_MANAGER_CONNECT - allows connecting to the SCM database.
SC_MANAGER_CREATE_SERVICE - allows creating new services.

Once the connection to the SCM database is open, you can manage services.

The OpenService function is used to obtain a service handle. Please note that this function does not create a service (CreateService does that); it opens a previously created service.

SC_HANDLE OpenService(SC_HANDLE hSCManager, LPCTSTR lpServiceName, DWORD dwDesiredAccess);

SC_HANDLE hSCManager - the handle returned by the OpenSCManager function.

LPCTSTR lpServiceName - the name of the service to open.

DWORD dwDesiredAccess - the access rights with which the service is opened. Here are some of them:

SERVICE_ALL_ACCESS - standard access rights.
SERVICE_START - allows starting the service.
SERVICE_STOP - allows stopping the service.

This function returns a handle to the opened service. Having received it, we can manage the service in accordance with the rights requested.

The CreateService function is needed to create a service.

SC_HANDLE CreateService(SC_HANDLE hSCManager, LPCTSTR lpServiceName, LPCTSTR lpDisplayName, DWORD dwDesiredAccess, DWORD dwServiceType, DWORD dwStartType, DWORD dwErrorControl, LPCTSTR lpBinaryPathName, LPCTSTR lpLoadOrderGroup, LPDWORD lpdwTagId, LPCTSTR lpDependencies, LPCTSTR lpServiceStartName, LPCTSTR lpPassword);

The first parameter (hSCManager) is the handle returned by the OpenSCManager function. The next two parameters point to strings containing the name of the service being created and the name to be used in the user interface. The following parameter contains flags defining the access rights to the service. It uses the same flags as the OpenService function. In most cases, you will need to set it to SERVICE_ALL_ACCESS. The dwServiceType parameter defines the type of the service being created. In this case, you need to set it to SERVICE_KERNEL_DRIVER, which means that the service will manage a kernel-level driver. Other values mean that it will be a file system driver, etc. The dwStartType parameter is very important because it defines how the service starts. In our case it should be set to SERVICE_BOOT_START or SERVICE_AUTO_START, which mean almost the same thing: the service starts while the operating system itself is starting up. The dwErrorControl parameter specifies how errors are handled; in our case it should be set to SERVICE_ERROR_NORMAL. The next parameter, lpBinaryPathName, is a pointer to a null-terminated string containing the full path to the driver (in our case, the rootkit) that the service will manage. The remaining parameters should be set to NULL, because they are not important in this case.

To start the service there is the StartService function.

BOOL StartService(SC_HANDLE hService, DWORD dwNumServiceArgs, LPCTSTR *lpServiceArgVectors);

SC_HANDLE hService - the service handle returned by the CreateService or OpenService function. The dwNumServiceArgs parameter contains the number of parameters specified in the lpServiceArgVectors array. That array holds the parameters that will be passed to the service. Please note that driver services do not use these parameters, so the last two parameters in our case must be set to NULL. If the function succeeds, it returns a nonzero value. There is no dedicated function for stopping a service, but one can easily be written using the ControlService function:

BOOL ControlService(SC_HANDLE hService, DWORD dwControl, LPSERVICE_STATUS lpServiceStatus);

The dwControl parameter contains a flag that says what to do with the service. If you need to stop the service, set it to SERVICE_CONTROL_STOP. This function also makes it convenient to suspend and resume a service. For example, to pause the service, set the dwControl parameter to SERVICE_CONTROL_PAUSE, and to let it continue working, to SERVICE_CONTROL_CONTINUE. The lpServiceStatus parameter is a pointer to a SERVICE_STATUS structure, where the current status of the service is written. Set it to NULL if the current status of the service is not important to you. The function returns nonzero on successful completion.

I have listed all the functions required to load rootkits (drivers). To close SCM handles, use the CloseServiceHandle function. It takes a single parameter: the SCM handle, i.e. the handle returned by the OpenSCManager function.

All these functions are sufficient for loading and executing rootkits. Below I give an example of using these functions.

#include <windows.h>

#define rootkitname TEXT("myrootkit")  // set the name of our rootkit

// Declare the functions that stop and start the service
BOOL StopRootkit(SC_HANDLE hService);
BOOL StartRootkit(SC_HANDLE hService);

int main()
{
    SC_HANDLE hManager, hService;  // handles to the SCM database and the service
    LPCTSTR rootkpath = TEXT("C:\\myrootkit.sys");  // full path to our rootkit

    // open a connection to the SCM database
    hManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (hManager)  // if everything is ok
    {
        // create the service that manages our rootkit
        hService = CreateService(hManager, rootkitname, rootkitname, SERVICE_ALL_ACCESS,
            SERVICE_KERNEL_DRIVER, SERVICE_BOOT_START, SERVICE_ERROR_NORMAL, rootkpath,
            NULL, NULL, NULL, NULL, NULL);
        if (hService)  // is everything ok?
        {
            // launch the created service, thereby starting our rootkit
            StartService(hService, 0, NULL);

            if (StopRootkit(hService))  // if the stop was successful,
            {
                StartRootkit(hService);  // then launch it again
            }
            CloseServiceHandle(hService);  // close the service handle
        }
        CloseServiceHandle(hManager);  // close the SCM database handle
    }
    return 0;
}

BOOL StopRootkit(SC_HANDLE hService)
{
    BOOL ok = FALSE;
    SERVICE_STATUS status;  // ControlService writes the latest service status here
    if (hService)
    {
        // call ControlService with the SERVICE_CONTROL_STOP flag,
        // thereby stopping the service
        ok = ControlService(hService, SERVICE_CONTROL_STOP, &status);
    }
    return ok;
}

BOOL StartRootkit(SC_HANDLE hService)
{
    BOOL ok = FALSE;
    if (hService)
    {
        // ControlService has no "start" control code, so a stopped
        // service is started again with StartService
        ok = StartService(hService, 0, NULL);
    }
    return ok;
}

This example only demonstrates what I wrote above. You can add additional checks to prevent possible errors.
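Seen from the defender's side, a CreateService call like the one above leaves a subkey under HKLM\SYSTEM\CurrentControlSet\Services with Type, Start and ImagePath values. The following audit of such entries is an added example, not code from the original article; the sample entries (including the helperdrv name), the C:\Windows location and the list of expected driver directories are constructed assumptions.

```python
import ntpath

# Documented values of the Type and Start parameters under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SERVICE_KERNEL_DRIVER = 0x1
SERVICE_FILE_SYSTEM_DRIVER = 0x2
START_NAMES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

SYSTEM_ROOT = r"C:\Windows"  # assumption: default Windows directory
# Assumption: on this baseline, driver images live only in these directories.
EXPECTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\filerepository\\",
)


def normalize_image_path(image_path):
    """Reduce the forms a driver ImagePath takes in the registry to one
    lower-case DOS path, resolving any '..' components on the way."""
    p = image_path.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                 # NT object-manager prefix
        p = p[len("\\??\\"):]
    elif low.startswith("\\systemroot\\"):
        p = ntpath.join(SYSTEM_ROOT, p[len("\\systemroot\\"):])
    elif low.startswith("%systemroot%\\"):
        p = ntpath.join(SYSTEM_ROOT, p[len("%systemroot%\\"):])
    elif low.startswith("system32\\"):           # relative to the Windows directory
        p = ntpath.join(SYSTEM_ROOT, p)
    return ntpath.normpath(p).lower()


def audit_driver_services(services):
    """Return one finding per driver service whose image is somewhere a
    driver normally is not. `services` maps service name -> registry values."""
    findings = []
    for name in sorted(services):
        values = services[name]
        if values.get("Type") not in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER):
            continue  # user-mode service, out of scope for this check
        # A driver entry without ImagePath is loaded from System32\drivers\<name>.sys.
        raw = values.get("ImagePath") or "System32\\drivers\\%s.sys" % name
        path = normalize_image_path(raw)
        reasons = []
        if not path.startswith(EXPECTED_DIRS):
            reasons.append("image outside the expected driver directories")
        if not path.endswith(".sys"):
            reasons.append("image is not a .sys file")
        if reasons:
            findings.append({
                "service": name,
                "start": START_NAMES.get(values.get("Start"), "unknown"),
                "path": path,
                "reasons": reasons,
            })
    return findings


# Constructed sample entries, not taken from a real machine.
SAMPLE_SERVICES = {
    "ACPI": {"Type": 0x1, "Start": 0, "ImagePath": "System32\\drivers\\ACPI.sys"},
    "Null": {"Type": 0x1, "Start": 1},
    "wuauserv": {"Type": 0x20, "Start": 2,
                 "ImagePath": "%systemroot%\\system32\\svchost.exe -k netsvcs"},
    # Entry shaped like the one the article's example would create.
    "myrootkit": {"Type": 0x1, "Start": 0, "ImagePath": "\\??\\C:\\myrootkit.sys"},
    # Path that only looks like it is inside the drivers directory.
    "helperdrv": {"Type": 0x1, "Start": 3,
                  "ImagePath": "\\SystemRoot\\System32\\drivers\\..\\..\\Temp\\helper.sys"},
}

if __name__ == "__main__":
    for finding in audit_driver_services(SAMPLE_SERVICES):
        print(finding["service"], finding["start"], finding["path"], finding["reasons"])
```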

I advise you to read the section on driver programming in Sven Schreiber's book ("Undocumented Windows 2000 Features"). I also recommend the series of articles from Four-F dedicated to creating drivers in Windows NT. Take a look at the article from Ms-Rem, "Intercepting API Functions on Windows NT (part 3). Zero ring". And do not pass by rootkit.com.

How to load drivers and services in Windows



For those who are interested in the internal structure of the Windows operating system, I suggest a little research. We will try to find out what is responsible for the order of loading drivers and services in Windows and whether this order can be changed.

First, let's take a look at the current system startup order using Sysinternals' LoadOrder program. The program will show us what is loaded and in what order when the operating system starts.

As you can see from the figure, first the device drivers needed to start the system are loaded, and then various Windows services. Since there are some differences between loading services and loading drivers, we will consider them separately.

Drivers

As a test case, let's take the Microsoft ACPI (Advanced Configuration and Power Interface) driver, which is responsible for hardware detection and power management. ACPI's job is to provide communication between the operating system and the hardware, so the ACPI driver is loaded at the very beginning.

The LoadOrder program provides rather limited information about the loading order, so for more accurate data we go to the registry. Each driver and Windows service has its own subkey in the HKLM\SYSTEM\CurrentControlSet\Services registry branch. The subkeys are named after the driver or service, so we need the ACPI subkey.

Three registry parameters are responsible for the driver loading order. The main parameter, Start, defines the type of driver startup. Here are the rules by which drivers set the value of their Start parameter:

Drivers that must be loaded by the boot loader when the operating system starts specify a Start value of 0 (startup at system boot). Examples are system bus drivers and the file system driver used when the system boots;
A driver that is not required directly to boot the system specifies a Start value of 1 (system launch). An example is the standard video card driver (VgaSave);
A driver that is optional for booting the system sets Start to 2 (autostart). An example is the Multiple UNC Provider (MUP) driver that supports UNC names for remote resources (type);
Drivers not required for the operating system (such as network adapter drivers) specify a Start value of 3 (launch on demand).

Device drivers can also use the Group and Tag parameters to control their boot order at system startup. The Group parameter is used by drivers and services to indicate the group to which they belong, and the load order of the groups is determined by the List parameter located under HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder.

By the way, the Group parameter is optional. If the driver or service is not included in any group, it is loaded at the very end of the queue.

A driver can further refine the order of its loading by using the Tag parameter, which specifies the specific position of the driver in the group. The I/O manager sorts the drivers in the group by the value of this parameter, and drivers that do not have a Tag parameter are moved to the end of the list of drivers in the group.

Looking at the loading order, you might think that drivers with lower Tag values are loaded first, then those with larger ones, but this is not entirely true. The precedence of Tag parameter values within a group is defined in HKLM\SYSTEM\CurrentControlSet\Control\GroupOrderList.

For example, let's open the Boot Bus Extender binary parameter, which corresponds to the group of the same name, to which the ACPI driver belongs. The parameter is a set of double words (4 bytes each). The first word (highlighted in red) sets the total length of the variable (the number of double words), in our example 06. The rest of the double words are just tags. The ACPI driver has a tag of 01 (highlighted in green).

The priority of a tag is determined not by the tag value, but by its position: the higher the tag is located, the higher its priority in the group, and the higher the priority of the driver to which this tag corresponds. And since 01 is higher than the rest of the tags, the ACPI driver is loaded first in the group.
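The three-level ordering described above (Start value, then group position in ServiceGroupOrder\List, then tag position in GroupOrderList) can be reproduced offline from exported registry values. This is an added example, not part of the original article: the driver names other than ACPI, VgaSave and MUP are hypothetical, the group list is a constructed subset, and of the binary value only the count of 6 and the leading tag 01 come from the text.

```python
import struct


def parse_group_order_value(data):
    """Decode one GroupOrderList REG_BINARY value: a little-endian DWORD
    count followed by that many DWORD tags, highest priority first."""
    if len(data) < 4 or len(data) % 4:
        raise ValueError("value is not a whole number of DWORDs")
    count = struct.unpack_from("<I", data, 0)[0]
    tags = struct.unpack_from("<%dI" % (len(data) // 4 - 1), data, 4)
    if count > len(tags):
        raise ValueError("count field is larger than the number of tags present")
    return list(tags[:count])


def driver_load_order(drivers, group_order, group_order_list):
    """Order the drivers that load at startup (Start 0, 1 or 2).

    drivers:          {name: {"Start": int, "Group": str or None, "Tag": int or None}}
    group_order:      the ServiceGroupOrder\\List strings, in order
    group_order_list: {group name: raw GroupOrderList bytes}
    """
    group_rank = {g.lower(): i for i, g in enumerate(group_order)}
    tag_rank = {}
    for group, raw in group_order_list.items():
        ranks = {}
        for position, tag in enumerate(parse_group_order_value(raw)):
            ranks.setdefault(tag, position)   # position in the list, not the tag value
        tag_rank[group.lower()] = ranks

    def sort_key(name):
        d = drivers[name]
        group = (d.get("Group") or "").lower()
        ranks = tag_rank.get(group, {})
        return (
            d["Start"],                                  # boot, then system, then auto
            group_rank.get(group, len(group_rank)),      # no group: end of the queue
            ranks.get(d.get("Tag"), len(ranks)),         # no Tag: end of the group
            name.lower(),                                # tie-break (assumption)
        )

    at_startup = [n for n, d in drivers.items() if d["Start"] in (0, 1, 2)]
    return sorted(at_startup, key=sort_key)


# Constructed sample data.
SAMPLE_GROUP_ORDER = ["Boot Bus Extender", "System Bus Extender"]
SAMPLE_GROUP_ORDER_LIST = {
    # count = 6, then the tags in priority order: 1, 5, 2, 3, 4, 6
    "Boot Bus Extender": struct.pack("<7I", 6, 1, 5, 2, 3, 4, 6),
}
SAMPLE_DRIVERS = {
    "busdrv_a": {"Start": 0, "Group": "Boot Bus Extender", "Tag": 2},
    "busdrv_b": {"Start": 0, "Group": "Boot Bus Extender", "Tag": 5},
    "notag_drv": {"Start": 0, "Group": "Boot Bus Extender"},
    "ACPI": {"Start": 0, "Group": "Boot Bus Extender", "Tag": 1},
    "sysbus_drv": {"Start": 0, "Group": "System Bus Extender"},
    "nogroup_drv": {"Start": 0},
    "VgaSave": {"Start": 1},
    "MUP": {"Start": 2},
    "nicdrv": {"Start": 3},   # demand start: not part of the startup sequence
}

if __name__ == "__main__":
    for position, name in enumerate(
            driver_load_order(SAMPLE_DRIVERS, SAMPLE_GROUP_ORDER, SAMPLE_GROUP_ORDER_LIST), 1):
        print(position, name)
```

In the output busdrv_b (tag 5) precedes busdrv_a (tag 2) because 5 sits earlier in the binary value, which is the position rule the paragraph above describes.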

Services

The boot order of Windows services is slightly different from the order in which drivers are loaded. Take the automatic update service (wuauserv) as an example. It is not particularly critical for system operation and therefore is loaded last.

Go to the registry again. Service startup parameters are located in the HKLM\SYSTEM\CurrentControlSet\Services\wuauserv subkey. I have highlighted two main parameters responsible for the loading order of this service.

Windows services are started by the Service Control Manager (SCM) according to the value of the Start parameter. For services, this parameter can take the following values:

Auto start (2) - the service starts automatically, immediately after starting the main SCM process Services.exe;
Launch on demand (3) - the service is launched as needed, at the request of any service or program;
Disabled (4) - the service is disabled and does not start under any circumstances.

The values 0 (start at system boot) and 1 (start by system) cannot be specified for services, only for device drivers.

In addition, starting with Windows Vista/Server 2008, another startup mode appeared for services: delayed autostart. It is controlled by the parameter DelayedAutoStart = 1, which tells the SCM to start this service automatically with a delay. The SCM starts the services for which delayed start is selected after loading the services marked for autostart.

The startup mode of services can be controlled not only from the registry, but also graphically, from the Services console.

Just like drivers, Windows services can use the Group parameter in their registry key to specify the group to which they belong. Now, for clarity, let's take our wuauserv service, located at the very end of the load list. Use the Group parameter to place it in the Event Log group, reboot and look at the loading order in LoadOrder. As you can see, the order has changed and wuauserv has risen from last place, loading right after its fellow group member, the eventlog service. True, the order of placement within the group cannot be changed, since Tag is not used for services.

One more parameter indirectly affects the order of loading services: DependOnService. It indicates which services this service depends on. Accordingly, the service is not loaded until the services listed in DependOnService are loaded.

Dependencies work as follows - if the services are in the same group, then the dependent service is moved to the end of the list and starts after the services it depends on. If the groups are different, then the service simply will not start, and the SCM will generate an error.

This is shown more clearly in the Services snap-in, where on the Dependency tab both the services on which this service depends and the services that depend on it are specified.
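The effect of Start, DelayedAutoStart, Group and DependOnService on the service start sequence can be checked offline before the registry is touched. This is an added example, not part of the original article: auditsvc, agentsvc, helpersvc, brokensvc, offsvc and "Example Group" are hypothetical, the alphabetical tie-break inside a group is an assumption, and it treats a dependency that is disabled or missing as unable to start.

```python
def service_start_plan(services, group_order):
    """Return (order, problems) for the automatic services.

    services:    {name: {"Start": int, "DelayedAutoStart": 0 or 1,
                         "Group": str, "DependOnService": [names]}}
    group_order: the ServiceGroupOrder\\List strings, in order
    order:       names in the sequence they would be started
    problems:    {name: reason} for services that cannot start
    """
    group_rank = {g.lower(): i for i, g in enumerate(group_order)}
    by_key = {name.lower(): name for name in services}
    order, problems, state = [], {}, {}

    def sort_key(name):
        values = services[name]
        delayed = 1 if values.get("DelayedAutoStart") == 1 else 0
        group = (values.get("Group") or "").lower()
        # Delayed services go after all ordinary autostart services;
        # ungrouped services go after every listed group.
        return (delayed, group_rank.get(group, len(group_rank)), name.lower())

    def start(key, chain):
        if key in state:
            return state[key]
        name = by_key.get(key)
        # Not installed, disabled (Start = 4), or part of a dependency loop.
        if name is None or services[name].get("Start") == 4 or key in chain:
            return False
        for dep in services[name].get("DependOnService", []):
            # Dependencies are started first, including demand-start ones.
            if not start(dep.lower(), chain | {key}):
                problems[name] = "dependency %s cannot start" % dep
                state[key] = False
                return False
        order.append(name)
        state[key] = True
        return True

    automatic = [n for n, v in services.items() if v.get("Start") == 2]
    for name in sorted(automatic, key=sort_key):
        start(name.lower(), frozenset())
    return order, problems


# Constructed sample data.
SAMPLE_GROUP_ORDER = ["Event Log", "Example Group"]
SAMPLE_SERVICES = {
    "eventlog": {"Start": 2, "Group": "Event Log"},
    "auditsvc": {"Start": 2, "Group": "Example Group"},
    "wuauserv": {"Start": 2},
    "agentsvc": {"Start": 2, "DelayedAutoStart": 1, "DependOnService": ["helpersvc"]},
    "helpersvc": {"Start": 3},
    "brokensvc": {"Start": 2, "DependOnService": ["offsvc"]},
    "offsvc": {"Start": 4},
}

if __name__ == "__main__":
    order, problems = service_start_plan(SAMPLE_SERVICES, SAMPLE_GROUP_ORDER)
    print("start order:", order)
    print("problems:", problems)
    # The experiment from the text: put wuauserv into the Event Log group.
    moved = dict(SAMPLE_SERVICES, wuauserv={"Start": 2, "Group": "Event Log"})
    print("after regrouping:", service_start_plan(moved, SAMPLE_GROUP_ORDER)[0])
```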

So we found out in what order drivers and services are loaded in Windows and how this order can be changed. But before you rush to edit the registry, remember that the order of loading drivers and services is determined automatically, and you should not make changes to it without a good reason. Just one incorrectly set parameter can make the system completely inoperable, and there is no guarantee that it can be restored. Therefore, before you start editing the registry, be sure to make a backup, and it is also advisable to have bootable media on hand.

In the previous part of this series, we covered two approaches ("let Windows decide" and "let me decide") that you can use to manage out-of-box drivers when you perform a Lite Touch installation with MDT 2010. In this part, we wrap up our discussion of driver management with some tips, tricks and one story. The story was provided to me by one of my readers, Tim Lors, and is a great example of the problems you might encounter when trying to manage drivers during installation:

"Over a year ago, I wrote a software script that installs all drivers on a WinXP PC. The problem I faced when choosing drivers was not OS related. It was the manufacturer's inability to properly implement PnP between their driver inf files and the hardware itself. More specifically, the inf file indicated that it was the best driver for a particular hardware device when, in fact, it does not work with such a device. The only way to find the right driver in such a difficult situation was to compare the PnP ID numbers of the hardware with a list of known problem drivers, and if I found a match, I would manually select the appropriate driver based on additional criteria, usually the PC model number. The most common additional criterion needed for the "let me decide" choice was the model number of the PC, but sometimes it included the BIOS version and PnP subset ID, and in some rare cases it was trial and error. Of course, the trial and error is pretty tricky because when Windows installed that driver which I thought was the most appropriate, you had to isolate the non-working driver from Windows, or the system simply reinstalled it. Note that this situation occurred in an environment containing almost 10,000 PCs of more than 25 different models."

Most of the IT professionals I spoke to told me that drivers are one of the biggest headaches, and the story above just confirms that. So, with the last four parts devoted to this topic, I want to end this discussion of drivers with some tips and tricks to help make your life easier.

Driver search

The first difficulty is finding the out-of-box drivers that your systems might need. Some manufacturers make this easier, others don't, and Dell is in the first group because it provides drivers for each desktop system as a .cab file for each operating system. To download these .cab files, go to http://www.delltechcenter.com/ and select Home, Microsoft, Microsoft System Center, SCCM - System Center Configuration Manager, Dell Business Client Operating System Deployment, Dell Business Client Operating System Deployment - The .CAB Files from the scrolling menu on the left, and you will see the page shown in Figure 1:

Figure 1: Downloading Drivers for Dell Client Systems as .cab Files

After downloading the .cab file, you can extract it to a folder, then reference that folder when importing drivers into your installation resource.

Other manufacturers also provide tools for downloading drivers, but in my opinion, these tools are not as easy and convenient as Dell's approach. Here are some examples of such tools and links to them:

Extract INF files from EXE

Sometimes system manufacturers supply device drivers in the form of .exe files rather than .cab files. In this case, WinRAR is a great tool that allows you to extract driver files from an .exe file into a folder. Remember, in order to import a driver, MDT requires the .inf file and the corresponding driver files; it cannot import the .exe file as a driver.

Preventing drivers from being enabled

To prevent enabling the driver you imported (for example, if your checks showed that the driver is causing problems after installation), simply open the driver properties and clear the Enable This Driver field (Figure 2):

Figure 2: You can disable or enable a driver

Please note that the above driver was designed for both 32 and 64 bit Windows. If you find that it does not work under 64-bit Windows, you can leave the driver enabled, but uncheck the x64 box to prevent it from being enabled during 64-bit Windows installation.

Optionally, you can even disable all drivers in the folder by disabling the folder (Figure 3):

Figure 3: You can disable a custom folder in the installation resource

Controlling boot drivers with selection profiles

You can also use selection profiles to control drivers during the Windows PE boot phase in an LTI installation. To do this, open the properties of your installation resource and select the Windows PE x64 Components or Windows PE x86 Components tab to manage the drivers for the architecture of the OS you are installing (Figure 4):

By default, the All Drivers And Packages selection profile is selected, but only network drivers and storage drivers from this selection profile are included in the Windows PE boot image. If necessary, you can create your own selection profile that will include hardware-specific WinPE drivers for your target systems.

Using multiple driver groups to install by make and model

In the previous part, we looked at how to define one driver group called DriverGroup001 and use it to control drivers during installation based on the make and model of the target computers. Keith Garner, Systems Deployment Specialist at Xtreme Consulting Group, has a great post that provides additional information on this topic and shows you how you can organize your drivers more efficiently and then use multiple driver groups to control how they are included during installation.

Another helpful post is this post on Using Model Aliases by Michael Mergolo, Senior Consultant at Microsoft Consulting Services.

Adding drivers to the image

You can use the DISM.exe command to add drivers to offline images: just mount the image and use the DISM command with the /add-driver option (see for more information on using DISM.exe).

You can use the PnPutil.exe command to add drivers to the driver store (that is, to pre-stage drivers so that they are available when Windows detects devices that need drivers). This command can be useful if, for example, you used the Microsoft Update Catalog to download a .cab file of drivers for a printer and want to pre-stage these drivers on your reference computer so that they are available during installation. More information about this command can be found and.

Serving Driver Configuration During Windows Imaging

Finally, if you create a reference image and install it on identical hardware, you can give users a faster first boot by configuring the PersistAllDeviceInstalls setting in the answer file before sysprepping the reference computer. See details

Devices and their drivers fall into two categories: with and without PnP support. For most PnP devices, the driver is on the Windows Server 2003 CD. When a new device is installed, the system automatically finds a driver for it and allocates resources to it (interrupt request lines (IRQ) and direct memory access (DMA) channels). If the system cannot find a suitable driver, it asks the user for one, and the device is marked in the Task Manager console with an exclamation mark in a yellow triangle. If the system is unable to determine the device type at all, no driver request is issued, and the device is marked as unknown with a question mark in a yellow triangle.

To update the device configuration, use the Device Manager snap-in. It can be used in two views: with a device tree or with a tree of device resources (configuring resources manually is not recommended). The Device Manager snap-in can edit the configuration only on the local computer; on a remote computer it is read-only. For a detailed summary of devices and drivers, you can use the command-line utility DriverQuery.

Computer administrators can install any device and driver. Regular users can install drivers when the driver is digitally signed, the driver files are already on the computer, and further installation does not require additional user intervention; all three conditions must be met simultaneously (these conditions usually hold for printers, USB devices, IEEE 1394 bus devices, etc.).

Beginning with Windows 2000, device drivers are digitally signed, which indicates that the file has not been modified during use. Some drivers may not have a digital signature. If the driver is not signed, you can configure one of three system actions: Skip (install the driver even if there is no signature; available only to the administrator), Warn (ask the user whether to install the driver), Block (do not install drivers without a digital signature).

In the Device Manager snap-in, you can update the drivers for the selected device (for example, if the manufacturer has released a new version). If the device has problems after a new driver is installed, you can return to the previous version of the driver by clicking the Rollback button. You can also uninstall drivers for devices: if it is a PnP device, uninstalling the driver removes the device itself; if the device driver was added manually, the device remains in the system, but without a configured driver. If the device has additional properties that can be used to configure it, they are accessed with the same rights as the Task Manager. You can also restrict access to such settings using Group Policy.

If there are problems with the operation of devices, you can use the following tools: rolling back to the previous version of the driver (if the system boots); loading the last known good configuration (it will work if the problem happened before the last successful login); safe mode (a minimal set of drivers and subsystems is loaded; after booting, you can disable the device in Device Manager); and the recovery console (used if none of the above has any effect; it allows you to control devices and drivers from the command line, but you need to know the device name or driver file). When device errors occur, Device Manager displays status codes to help you determine the type of error; for a description of the codes, see the Windows Help system.

A warning: this process involves some degree of risk, and therefore it is desirable to have at least a general idea of what we are going to do. If you need to return all services to the default state, you can download ready-made reg files. Choose your system and download the archive. After downloading the archive, unpack it and run the reg file.

The full description of each service, along with its name and display name, can be viewed, and its state changed, at this path: Start - Control Panel - Administrative Tools - Services.

However, not all services are required for the computer to function properly. Below is a list of services that are disabled or enabled in my configuration. There is one user (with administrator rights), and the computer is not connected to a network. To access the Internet, I use a cellular telephone as a modem connection.

AST Service (Nalpeiron Licensing Service) - Disabled.

BranchCache (This service caches network content received from caching hosts on the local subnet) - Manually.

DHCP client (Registers and updates IP addresses and DNS records for this computer) - Auto

DNS client (The DNS Client service (dnscache) caches DNS (Domain Name System) names and registers the fully qualified name of this computer.) - Disabled. If there is a network - Auto

KtmRm for Distributed Transaction Coordinator (Coordinates transactions between MS DTC and the Kernel Transaction Manager (KTM).) - Manually.

Microsoft. NET Framework NGEN v2.0.50727_X86 (Microsoft .NET Framework NGEN) - Manual.

Parental Controls (This service is a stub for the Windows Parental Controls functionality that existed in Vista.) - Manually.

Plug-and-play (Allows the computer to recognize and adjust to changes in installed hardware, either without requiring user intervention or minimizing it) - Auto

Quality Windows Audio Video Experience (Quality Windows Audio Video Experience (qWave) - network platform for streaming audio and video in home networks based on IP protocol) - Manually.

Remote Desktop Configuration (Remote Desktop Configuration) - Manually.

Superfetch (Maintains and improves system performance.) - Auto

Windows Audio (Managing audio tools for Windows programs.) - Auto.

Windows CardSpace (This provides a robust ability to create, manage, and disclose digital identities.) - Manually

Windows Driver Foundation - User-mode Driver Framework (Manage host processes of user mode drivers.) - Manually.

Windows Search (Indexing content, caching properties and search results for files, email and other content.) - Auto. If you do not use search on your computer, you can set it to Disabled.

WMI Performance Adapter (Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network.) - Manually.

WWAN Auto Config (This service manages mobile broadband (GSM and CDMA) data cards and built-in modular adapters, as well as connections and auto-configuring networks.) - Manually.

Offline files (The Offline Files service does the job of maintaining the Offline Files cache,) - Manually.

Network Access Protection Agent (The Network Access Protection agent collects and manages health information for client computers on the network) - Manually.

IPsec Policy Agent (Internet Protocol Security (IPsec) supports network layer authentication of caching nodes) - Manually.

Adaptive brightness control (Designed to monitor the ambient light sensor and adjust the monitor brightness according to changes in illumination.) - Manually.

Windows backup (Supports backup and restore on Windows.) - Manually.

Windows biometric service (Windows Biometric Service is designed to collect, compare, process and store biometric data in client applications without directly accessing biometric samples or hardware) - Manually.

Windows firewall (Windows Firewall helps prevent unauthorized access to your computer over the Internet or network.) - Disabled. A third-party firewall is used.

Web client (Allows Windows programs to create, access and modify files stored on the Internet) - Manually.

Virtual disk (Providing services for managing disks, volumes, file systems, and storage arrays.) - Manually.

IP Helper (Provides tunnel connectivity using IPv6 transition technologies) - Manually.

Secondary login (Allows to run processes as another user) - Manually.

Grouping network participants (Includes multi-way interactions using peer-to-peer grouping.) - Manually.

Disk Defragmenter (Provides the ability to defragment disks.) - Manually. You can also leave it on Auto by setting a schedule for it to run.

Remote Access Automatic Connection Manager (Creates a connection to a remote network when the program accesses a remote DNS or NetBIOS name or address.) - Manually.

Print manager (Loading files into memory to print later) - Auto. If there is no printer, then Disabled.

Remote Access Connection Manager (Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks.) - Manually.

Desktop Window Manager Session Manager (Provides startup and maintenance of the desktop window manager) - Auto.

Network Participant Identity Manager (Provides identity services for Peer-to-Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping) - Manually.

Credential manager (Provides secure storage and retrieval of user credentials,) - Manually.

Security Accounts Manager (Starting this service signals to other services that the Security Accounts Manager (SAM) is ready to accept requests.) - Auto.

Access to HID devices (Provides universal access to HID devices) - Manually.

Windows event log (This service manages events and event logs) - Auto.

Performance Logs and Alerts (The Performance Logs and Alerts Service collects data from local and remote computers according to the specified schedule parameters, and then writes the data to the log or issues an alert.) - Manually.

Protection software (Allows download, installation and enforcement of digital licenses for Windows and Windows applications) - Auto.

Windows defender (Protection against spyware and potentially dangerous programs) - Auto. However, it is recommended that you use third-party products to protect your computer from viruses.

CNG key isolation (The CNG Key Isolation Service is hosted in the LSA process) - Manually.

Windows Management Instrumentation (Provides a common interface and object model for accessing operating system, device, application, and service management information.) - Auto.

Application compatibility information (Handling compatibility check requests for apps as they run) - Manually.

Group Policy Client (This service is responsible for applying the settings defined by administrators for computers and users through the Group Policy component.) - Auto.

Changed links tracking client (Supports linking NTFS files moved within a computer or between computers on a network.) - Auto.

Distributed Transaction Coordinator (Coordination of transactions spanning multiple resource managers such as databases, message queues, and file systems.) - Manually.

Windows Presentation Foundation Font Cache (Optimizes the performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data.) - Manually.

SNMP Trap (Receives trap messages generated by local or remote SNMP agents and forwards them to SNMP management programs running on this computer.) - Manually.

Remote Procedure Call (RPC) Locator (On Windows 2003 and earlier Windows versions, the Remote Procedure Call (RPC) Locator service managed the RPC name service database.) - Manually.

Routing and remote access (Offers routing services to organizations on LAN and WAN) - Disabled.

IPsec Key Modules for Internet Key Exchange and Authenticated IP (The IKEEXT service contains modules for Internet Key Operations (IKE) and Authenticated IP (AuthIP).) - Auto.

DCOM Server Process Launcher (DCOMLAUNCH service starts COM and DCOM servers in response to object activation requests) - Auto.

NetBIOS over TCP / IP Helper (Provides NetBIOS support over TCP / IP Service (NetBT) and NetBIOS name resolution for clients on the network) - Manually.

Windows Immediate Connections - Configuration Recorder (WCNCSVC service contains Windows Connect Now configuration (Microsoft's implementation of WPS protocol)) - Manually

SSDP detection (Detects network devices and services using SSDP discovery protocol such as UPnP devices) - Manually.

Discovery of online services (Includes notifying the user about the need for user input for interactive services, which provides access to dialog boxes created by the interactive services as they appear.) - Manually

Computer Browser (Serves a list of computers on the network and issues it to programs upon request) - Manually.

Internet Connection Sharing (ICS) (Provides network address translation, addressing, name resolution, and intrusion prevention services for a home or small office network.) - Disabled.

Determination of enclosure hardware (Provides notifications for autostart events on various devices.) - Auto.

TPM Core Services (Allows access to the Trusted Platform Module (TPM), which provides hardware-based cryptography services to system components and applications.) - Manually