0% found this document useful (0 votes)

148 views

Netwrix Hardened Services Guide

Uploaded by

hurgoz

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

148 views

Netwrix Hardened Services Guide

Uploaded by

hurgoz

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 116

Security Control

Guide: Hardened
Services Guide

1
Introduction
This guide will help the reader to understand:

Why the active services on a host increase the attack surface

Why it is always recommended to minimize functionality on any system

Why you should avoid sharing any platform between multiple applications

How to identify which services should be disabled and which are essential?

Background

In the United States, over 10 million people a year contract appendicitis, with over 50,000 cases resulting in death.
More than 300,000 will have their appendix removed. Since it has long been believed that the appendix is a
‘vestigial organ’(one that serves little or no purpose) surgical removal is seen as an effective treatment, providing
permanent immunity from future problems.

Clearly there are always inherent risks associated with surgery, otherwise appendix removal may well have
become a common precautionary procedure - no appendix, no risk of appendicitis, and no downside with losing
a seemingly useless body part?

And in the world of IT, just as the appendix is not serving any useful purpose in the body, many default services
provided with a modern IT platform are equally superfluous to requirements. At the same time, just like the
infection time-bomb of the appendix, in the world of exploits and vulnerabilities, every service increases the
‘attack surface’ of a platform. Service functions can be misused and abused by hackers, and the more services you
have active, the greater the range of potential attack methods you are exposed to.

Fortunately in the IT world, removal of unnecessary services is a pain-free operation with an immediate recovery
afterwards.

So just like the appendix, if a service is not really needed in the first place, best course of action is to ‘whip it out’,
or at least disable it.

Removing or disabling unnecessary function from IT systems is a key security control and is a core dimension

2
to any system hardening project. Some are obvious, for example, remove FTP and Web services if not needed,
but now that today’s Windows Operating Systems are being shipped with over 200 default services, the job has
become progressively more difficult. Hence the reason for Netwrix publishing this guide to provide detailed advice
on default services and their ‘safe’ states.

There are plenty of services that can be safely disabled but also a number to retain, even if, like an appendix, they
don’t look like they are that important!

Why is the control of system services a critical security

control?

The main reasons why disabling or removing unnecessary services is ordained a key security control:

The more function a platform has, the greater the potential for misuse/abuse

Many services will enable network-accessible ports which an attacker can use to disrupt or gain access to the platform

An approved services configuration, and a process to verify and approve any changes, provides a clear
opportunity for breach detection and for cyber defense measures to be maintained

The Center for Internet Security provides this rationale for CIS Control 5:

“Establish, implement, and actively manage the security configuration of mobile devices, servers, and worksta-
tions using a rigorous configuration management and change control process in order to prevent attackers from
exploiting vulnerable services and settings...”

“And then for CIS Control 9: “Ensure that only network ports, protocols, and services listening on a system with
validated business needs are running on each system.”

Similarly, the NERC CIP standard mandates the need to “Authorize and document changes that deviate from the
existing baseline configuration”
“Standard CIP-007-3 requires Responsible Entities to define methods, processes, and procedures for securing
those systems...

R2. Ports and Services — The Responsible Entity shall...ensure that only those ports and services required for
normal and emergency operations are enabled.

R2.1. The Responsible Entity shall enable only those ports and services required for normal and emergency operations.
3
R2.2. The Responsible Entity shall disable other ports and services...

And for NIST 800-53

“CM-6 CONFIGURATION SETTINGS - Control: The organization monitors and controls changes to the configura-
tion settings in accordance with organizational policies and procedures

Configuration settings are the set of parameters that can be changed in software components of the information
system that affect the security posture and/or functionality of the system… Security-related parameters are those
parameters impacting the security state of information systems including…settings for functions, ports, protocols,
services, and remote connections. Organizations establish configuration settings and subsequently derive specif-
ic settings for information systems. The established settings become part of the systems configuration baseline”

And finally for PCI DSS V3.2.1

“Requirement 2.2: Develop configuration standards for all system components. Assure that these standards ad-
dress all known security vulnerabilities and are consistent with industry-accepted system hardening standards…
Enabling only necessary services, protocols, daemons, etc., as required for the function of the system, Imple-
menting additional security features for any required services, protocols or daemons that are considered to be
insecure”

Baselining and Change-Tracking Services

Various technologies are available that can play a role in identifying, baselining and change-tracking services
configurations. The best vulnerability scanners can report on services using a credentialed scan, but because it
significantly extends scan durations, it is seldom used. Equally a SIEM system monitoring hosts with a suitable
audit policy defined to report on services activity can track changes, but not report on the initial baseline state.

The most complete solution is host-resident, system integrity monitoring. This option not only gathers details
of installed services with their running and startup states, but by being host-resident, also has the advantage of
being able to continuously track changes to service configuration settings.

For example, Netwrix Change Tracker uses distributed agents covering each device so unlike a Vulnerability Scan-
ner, the collection of services data is performed in a massively parallel manner with each device being queried
simultaneously.

This means that both for

Change Control (reporting any drift from the baseline configuration build), and

Breach Detection (reporting unexpected new services and processes)

4
So the true intent of the security control is being delivered.

Security controls are subject to a ‘bang-for-buck’ rating like anything else, and one that is easier to operate, with
easier to interpret results, will always be more effective.

And while the incidence of breaches continues to increase, anything that makes security best practices easier to
implement and us more secure should be welcomed.

Implementing a Hardened Services Standard

In summary, any service will increase the potential opportunity for an attacker. If a service isn’t needed for busi-
ness-service delivery, it should be disabled or removed as a precuationary measure.

These services, like the appendix of the human body, aren’t needed and, as long as they are present, provide a
foothold for a life-threatening infection to take hold in the future.

Now that we know what the options are for monitoring and reporting on which services are resident on a host,
the next sections of this guide will explain how to decide which services are ‘safe’ to remove or disable, and how
to go about doing so.

How do I decide which services should be removed or disabled?

Ultimately, as with any configuration hardening project, only you can decide which services are essential for de-
livering your organizations’ business applications. You may set maximum security as the objective but there will
always be compromises in favor of optimizing service delivery. Your usage, applications and environment are
going to be unique and therefore the appropriate hardening measures can only be determined by you.

5
Figure 1: Contemporary Windows Operating Systems have over 200 services installed. Deciding which of
these can be safely disabled without affecting required functionality is far from straightforward

CIS Control 9 “Ensure that only network ports, protocols, and services listening on a system with validated busi-
ness needs, are running on each system”

Just as there is no such thing as ‘100% secure’, there are no truly ‘safe’ services, but the more you can minimize
functionality, the more you can reduce the attack surface presented.

6
Help is at hand: This guide includes expert guidance on service hardening, with detailed Hardened Services Lists
in the Appendices at the end (Who ever said appendices are useless? These have been developed as a ‘one size
fits all’ hardened services profiles that will suit any base Enterprise Server build.

In addition, Netwrix in conjunction with the Center for Internet Security provides extensive resources to help you
with wider configuration hardening. The CIS Benchmark secure configuration guides specify a huge range of con-
figuration settings recommended to improve security, including all significant Windows Security Policy settings
and their equivalents for Linux platforms.

Netwrix also provides a number of ‘Remediation Kits’ which can be used to automatically apply hardened configura-
tion settings in line with the CIS Benchmarks. The Remediation Kit takes the form of either a Windows Group Policy
Object template or a Shell Script for Linux.

See Step 2 – Harden Systems to Eliminate Unwanted/Unnecessary Services for detailed guidance on disabling services/
protocols/ports, including commands to use.

System Services Hardening Guide

Step 1 – List Services/Applications

First step in determining whether you have unwanted or unnecessary services in use is to get a list of what is config-
ured. You can then use the next steps to identify details of the services concerned and then either stop and/or disable
the service from running in the future. For example, telnet should never be used on any system where the alternative
SSH option is available.

List services on Windows

Use run -> services.msc and use the Services Console to stop and/or disable services.

Use Windows PowerShell (RunAs Administrator) to list all services

Get-Service - Name *

7
List services on Linux

From a terminal/putty session,

service --status-all

chkconfig --list

systemctl -a

Note: In the Appendices for this guide you will find a complete list of Default Services and the recommendations for a
hardened profile.

Automated Solutions

Best options are to use an automated solution that continuously operates and also covers more security controls than
just the CIS ‘Establish standard secure configurations of operating systems and software applications’. Netwrix Change
Tracker provides an integrated, host-based services and processes tracker to highlight any policy violation. The solution
is flexible in allowing new processes and services to be categorized as ‘Blacklisted, Whitelisted or Greylisted’ depending
on whether the process/service should never be active, always be active, or be an optional, non-mandatory element.

Process/Service names can be defined manually or imported from a donor device making the definition of your hard-
ened services policy a ‘point and click’ operation.

Netwrix Change Tracker also automates a wide range of vital security controls too, including unauthorized changes to
files, registry keys and values, directories, processes, services, open ports, and much more, so should be an essential
part of any organizations’ cyber security strategy.

Figure 2: How long do you want to wait before you find out you have been hacked? Average time to detect a breach is still around 200
days: Change Tracker will enforce a hardened services and processes policy, continuously and in real-time, exposing indicators of com-
promise immediately

8
Step 2 – Harden Systems to Eliminate Unwanted/Unnecessary Services

Control services on Windows

Use Windows PowerShell (RunAs Administrator)

To stop a service, use

Stop-Service -Name <Service_Name_of_Interest>

To disable a service

Set-Service -Name <Service_Name_of_Interest> -StartupType Disabled

Note: In the Appendices for this guide you will find a complete list of Default Services and the recommendations for a
hardened profile.

Control services on Linux

From a terminal/putty session,

To stop a service use

Service <Service-Name> stop Chkconfig <Service-Name> Systemctl stop <Service-Name>

To disable a service use

Systemctl disable <Service-Name> Chkconfig <Service-Name> off

Also inspect the /etc/init.d/ path for any service control scripts, run an ls /etc/init.d/ to expose all startup scripts
and rename/remove any that are to be disabled.

Note: In the Appendices for this guide you will find a complete list of Default Services and the recommendations for a
hardened profile.

9
Conclusion
Security hardening is always a balance between maximizing security and delivering the required functions for a
platform. Put simply, the more functions provided by a platform, the greater the opportunity for attack, because
any functionality has the potential to be abused.

Services are a key dimension of system hardening because default platform configurations will always include a
‘one-size fits all’ setup, optimized for a quick-start and fast deployment of common applications. There will almost
always be unnecessary functionality built-in that can be removed and with it, the risk of an attack based on the
misuse of these services.

Even then, there are many other facets to system hardening. Netwrix technology will provide you with not just
simple-to-use tools for identifying and tracking changes to services, but as a matter of course encompass visibility
of all other key vulnerability considerations.

This includes the analysis of

open network ports and protocols

installed software and related known vulnerabilities

security-related configuration settings

any new and changed system files

Netwrix Secure Ops automates these functions for you within the context of your day-to-day IT Service Operations
to maintain security and expose breach activity. Even in a dynamic enterprise where security threats would other-
wise remain hidden, Netwrix can cut out the change noise to clearly identify security issues.

10
Hardened Services Guides
Appendix A: Windows Server 2019 12

Appendix B: Windows Server 2016 31

Appendix C: Windows 10 51

Appendix D: Windows Server 2012R2 75

Appendix E: Windows Server 2008R2 87

Appendix F: Windows Server RedHat Linux 7 101

Appendix G: Windows Server CentOS 7 109

11
Windows Server 2019
Display Name Hardened Start Name Service Description
Mode and State

ActiveX Installer Start Mode: Disabled, Expected AxInstSV Provides User Account Control validation
(AxInstSV) Service State: Stopped for the installation of ActiveX controls from
the Internet and enables management of
ActiveX control..

AllJoyn Router Start Mode: Manual, Expected AJRouter Routes AllJoyn messages for the local
Service State: Stopped, Running AllJoyn clients. If this service is stopped the
AllJoyn clients that do not have their own
bundled routers...

App Readiness Start Mode: Manual, Expected AppReadiness Gets apps ready for use the first time a
Service State: Stopped, Running user signs in to this PC and when adding
new apps.

Application Identity Start Mode: Manual, Expected AppIDSvc Determines and verifies the identity of
Service State: Stopped, Running an application. Disabling this service will
prevent AppLocker from being enforced.

Application Informa- Start Mode: Manual, Expected Appinfo Facilitates the running of interactive ap-
tion Service State: Stopped, Running plications with additional administrative
privileges.

Application Layer Start Mode: Disabled, Expected ALG Provides support for 3rd party protocol
Gateway Service State: Stopped plug-ins for Internet Connection Sharing

Application Manage- Start Mode: Manual, Expected AppMgmt Processes installation, removal, & enu-
ment Service State: Stopped, Running meration requests for software deployed
through Group Policy.

AppX Deployment Start Mode: Manual, Expected AppXSvc Provides infrastructure support for de-
Service (AppXSVC) State: Stopped, Running ploying Store applications.

Auto Time Zone Start Mode: Disabled, Expected tzautoupdate Automatically sets the system time zone.
Updater Service State: Stopped

Background Start Mode: Manual, Expected BITS Transfers files in the background using
Intelligent Transfer State: Stopped, Running idle network bandwidth.
Service

12
Display Name Hardened Start Name Service Description
Mode and State

Background Tasks Start Mode: Auto, Expected BrokerInfra- Windows infrastructure service that con-
Infrastructure State: Running structure trols which background tasks can run on
Service the system.

Base Filtering Start Mode: Auto, Expected BFE The Base Filtering Engine (BFE) is a service
Engine Service State: Running that manages firewall and Internet Pro-
tocol security (IPsec) policies and imple-
ments user mode...

Bluetooth Support Start Mode: Disabled, bthserv The Bluetooth service supports discovery
Service (bthserv) Expected State: Stopped and association of remote Bluetooth
devices.

CDPUserSvc (cd- Start Mode: Disabled, CDPUserSvc This user service is used for Connected
pusersvc) Service Expected State: Stopped Devices Platform scenarios

Certificate Start Mode: Manual, Expected CertPropSvc Copies user certificates and root
Propagation State: Stopped, Running certificates from smart cards into the
Service current user’s certificate store, detects
when a smart card is inserted...

Client License Start Mode: Manual, Expected ClipSVC Provides infrastructure support for the
Service (ClipSVC) State: Stopped, Running Microsoft Store. This service is started
Service on demand and if disabled applications
bought using Windows...

CNG Key Start Mode: Manual, Expected KeyIso The CNG key isolation service is hosted
Isolation Service State: Stopped, Running in the LSA process. The service provides
key process isolation to private keys and
associated...

COM+ Event Start Mode: Auto, Expected EventSystem Supports System Event Notification
System Service State: Running Service (SENS), which provides automatic
distribution of events to subscribing
Component Object Model...

COM+ System Start Mode: Manual, Expected COMSysApp Manages the configuration and tracking
Application State: Stopped, Running of Component Object Model (COM)+-
Service based components. If the service is
stopped, most COM+-based...

13
Display Name Hardened Start Name Service Description
Mode and State

Computer Browser Start Mode: Disabled, Expected Browser Maintains an updated list of computers on
Service State: Stopped the network and supplies this list to com-
puters designated as browsers.

Connected Devices Start Mode: Auto, Expected CDPSvc This service is used for Connected Devices
Platform Service State: Running, Stopped and Universal Glass scenarios

Connected User Start Mode: Auto, Expected DiagTrack The Connected User Experiences and
Experiences/ State: Running Telemetry service enables features that
Telemetry support in-application and connected
user experiences...

Contact Data Start Mode: Disabled, PimIndex- Indexes contact data for fast contact
(PimIndexMainte- Expected State: Stopped Maintenanc- searching. If you stop or disable this
nanceSvc) eSvc service, contacts might be missing from
your search results.

CoreMessaging Start Mode: Auto, CoreMessag- Manages communication between sys-

(CoreMessaging Expected State: Running ingRegistrar tem components.
Registrar)

Credential Manager Start Mode: Manual, Expected VaultSvc Provides secure storage and retrieval of
Service State: Stopped, Running credentials to users, applications and se-
curity service packages.

Cryptographic Start Mode: Auto, Expected CryptSvc Provides 3 management services: Cata-
Services Service State: Running log Database Service, confirms the sig-
natures of Windows files and allows new
programs to be installed...

Data Sharing Start Mode: Manual, Expected DsSvc Provides data brokering between
(DsSvc) Service State: Stopped, Running applications.

Data Sharing (DcpSvc) Start Mode: Manual, Expected DcpSvc The DCP (Data Collection and Publishing)
Service State: Stopped, Running service supports first party apps to
upload data to cloud.

DCOM Server Process Start Mode: Auto, Expected DcomLaunch The DCOMLAUNCH service launches
Launcher Service State: Running COM and DCOM servers in response to
object activation requests.

Device Association Start Mode: Manual, Expected DeviceAssoci- Enables pairing between the system and
Service State: Stopped, Running ationService wired or wireless devices.

14
Display Name Hardened Start Name Service Description
Mode and State

Device Install (De- Start Mode: Manual, Expected DeviceInstall Enables a computer to recognize and
viceInstall) Service State: Stopped, Running adapt to hardware changes with little or
no user input. Stopping or disabling this
service will result.

Device Manage- Start Mode: Manual, Expected DmEnroll- Performs Device Enrollment Activities for
ment Enrollment State: Stopped, Running mentSvc Device Management
Service

Device Setup Start Mode: Manual, Expected DsmSvc Enables the detection, download and in-
(DsmSvc) Service State: Stopped, Running stallation of device-related software. If this
service is disabled, devices may be config-
ured with outdated.

DevQuery Back- Start Mode: Manual, Expected DevQuery Enables apps to discover devices with a
ground Discovery State: Stopped, Running Broker backgroud task
Broker

DHCP Client Start Mode: Auto, Expected Dhcp Registers and updates IP addresses and
Service State: Running DNS records for this computer. If this ser-
vice is stopped, this computer will not re-
ceive dynamic IP...

Diagnostic Policy Start Mode: Auto, Expected DPS The Diagnostic Policy Service enables
Service State: Running problem detection, troubleshooting and
resolution for Windows components.

Diagnostic Service Start Mode: Disabled, WdiService- The Diagnostic Service Host is used by the
Host Service Expected State: Stopped Host Diagnostic Policy Service to host diagnostics
that need to run in a Local Service context.

Diagnostic System Start Mode: Disabled, WdiSystem- The Diagnostic System Host is used by the
Host Service Expected State: Stopped Host Diagnostic Policy Service to host diagnostics
that need to run in a Local System context.

Distributed Link Start Mode: Auto, TrkWks Maintains links between NTFS files within
Tracking Client Expected State: Running a computer or across computers in a net-
Service work.

Distributed Trans- Start Mode: Auto, MSDTC Coordinates transactions that span multi-
action Coordinator Expected State: Running ple resource managers, such as databases,
message queues, and file systems.

15
Display Name Hardened Start Name Service Description
Mode and State

DMWAPPush Start Mode: Disabled, dmwappush- WAP Push Message Routing Service
Service Expected State: Stopped service

DNS Client Service Start Mode: Auto, Expected Dnscache The DNS Client service (dnscache) caches
State: Running Domain Name System (DNS) names and
registers the full computer name for this
computer.

Downloaded Start Mode: Disabled, MapsBroker Windows service for application access to
Maps Manager Expected State: Stopped downloaded maps. This service is started
on-demand by application accessing...

Embedded Start Mode: Manual, Expected embedded- The Embedded Mode service enables sce-
Mode Service State: Stopped, Running mode narios related to Background Applications.

Encrypting File Start Mode: Manual, Expected EFS Provides the core file encryption technol-
System (EFS) State: Stopped, Running ogy used to store encrypted files on NTFS
Service file system volumes.

Enterprise App Start Mode: Manual, Expected EntAppSvc Enables enterprise application
Management State: Stopped, Running management.
(EntAppSvc)

Extensible Start Mode: Disabled, EapHost The Extensible Authentication Protocol

Authentication Expected State: Stopped (EAP) service provides network authenti-
Protocol cation in such scenarios as 802.1x wired
and wireless...

Function Discov- Start Mode: Disabled, fdPHost The FDPHOST service hosts the Function
ery Provider Host Expected State: Stopped Discovery (FD) network discovery provid-
Service ers. These FD providers supply network
discovery...

Function Dis- Start Mode: Disabled, FDResPub Publishes this computer and resources
covery Resource Expected State: Stopped attached to this computer so they can be
Publication discovered over the network.

Geolocation Start Mode: Disabled, lfsvc This service monitors the current location
(lfsvc) Service Expected State: Stopped of the system and manages geofences
(a geographical location with associated
events).

16
Display Name Hardened Start Name Service Description
Mode and State

Group Policy Start Mode: Auto, gpsvc The service is responsible for applying set-
Client Service Expected State: Running tings configured by administrators for the
computer and users through the Group
Policy...disabled.

Human Interface Start Mode: Disabled, hidserv Activates and maintains the use of hot but-
Device Access Expected State: Stopped tons on keyboards, remote controls, and
Service other multimedia devices.

HV Host Service Start Mode: Manual, Expected HvHost Provides an interface for the Hyper-V hyper-
State: Stopped, Running visor to provide per-partition performance
counters to the host operating system.

Hyper-V Data Start Mode: Manual, Expected vmickvpex- Provides a mechanism to exchange data
Exchange Service State: Stopped, Running change between the virtual machine and the oper-
Service ating system running on the physical com-
puter.

Hyper-V Guest Start Mode: Manual, Expected vmicguestint- Provides an interface for the Hyper-V host
Service Interface State: Running, Stopped erface to interact with specific services running in-
Service side the virtual machine.

Hyper-V Guest Start Mode: Manual, Expected vmicshut- A mechanism to shut down the operating
Shutdown Service State: Running, Stopped down system of this virtual machine from the
Service management interfaces on the physical
computer.

Hyper-V Heart- Start Mode: Manual, Expected vmicheartbeat Monitors the state of this virtual machine by
beat Service State: Running, Stopped reporting a heartbeat at regular intervals.
Service

Hyper-V Power- Start Mode: Manual, Expected vmicvmses- Provides a mechanism to manage virtual
Shell Direct State: Running, Stopped sion machine with PowerShell via VM session
Service without a virtual network.

Hyper-V Remote Start Mode: Manual, Expected vmicrdv Provides a platform for communication
Desktop State: Running, Stopped between the virtual machine and the op-
Virtualization erating system running on the physical
computer.

17
Display Name Hardened Start Name Service Description
Mode and State

Hyper-V Time Start Mode: Manual, Expected vmictimesync Synchronizes the system time of this vir-
Synchronization State: Running, Stopped tual machine with the system time of the
Service physical computer.

Hyper-V Volume Start Mode: Manual, Expected vmicvss Coordinates the communications that are
Shadow Copy State: Running, Stopped required to use Volume Shadow Copy Ser-
Requestor vice to back up applications and data on
this virtual...

IKE and AuthIP Start Mode: Manual, Expected IKEEXT The IKEEXT service hosts the Internet Key
IPsec Keying State: Stopped, Running Exchange (IKE) and Authenticated Internet
Modules Protocol (AuthIP) keying modules.

Interactive Ser- Start Mode: Disabled, Expect- UI0Detect Enables user notification of user input for
vices Detection ed State: Stopped interactive services, enables access to dia-
Service logs created by interactive services

Internet Connec- Start Mode: Disabled, Expect- SharedAccess Provides network address translation, ad-
tion Sharing (ICS) ed State: Stopped dressing, name resolution and/or intru-
Service sion prevention services for a home/small
office network.

IP Helper Service Start Mode: Disabled, Expect- iphlpsvc Provides tunnel connectivity using IPv6
ed State: Stopped transition technologies (6to4, ISATAP, Port
Proxy, and Teredo), and IP-HTTPS.

IPsec Policy Agent Start Mode: Manual, Expected PolicyAgent Supports network-level peer/data origin
Service State: Stopped, Running authentication, data integrity, confidential-
ity (encryption), and replay protection.

KDC Proxy Server Start Mode: Disabled, Expect- KPSSVC KDC Proxy Server service runs on edge
service Service ed State: Stopped servers to proxy Kerberos protocol mes-
sages to domain controllers on the corpo-
rate network.

KtmRm Dist’ed Start Mode: Disabled, Expect- KtmRm Coordinates transactions between the
Transaction Coor- ed State: Stopped Distributed Transaction Coordinator (MS-
dinator DTC) and the Kernel Transaction Manager
(KTM).

18
Display Name Hardened Start Name Service Description
Mode and State

Link-Layer Topol- Start Mode: Disabled, lltdsvc Creates a Network Map, consisting of PC
ogy Discovery Expected State: Stopped and device topology (connectivity) infor-
Mapper mation, and metadata describing each PC
and device.

Local Session Start Mode: Automatic, LSM Core Windows Service that manages local
Manager Service Expected State: Running user sessions. Stopping or disabling this
service will result in system instability.

Microsoft Diag- Start Mode: Manual, Expected diagnos- Diagnostics Hub Standard Collector Ser-
nostics Hub Std. State: Stopped, Running ticshub.stand- vice. When running, this service collects
Collector ardcollector. real time ETW events and processes them.
service

Microsoft App-V Start Mode: Disabled, wlidsvc Enables user sign-in through Microsoft ac-
Client Service Expected State: Stopped count identity services.

Microsoft Account Start Mode: Disabled, AppVClient Manages App-V users and virtual applica-
Sign-in Assistant Expected State: Stopped tions

Microsoft iSCSI Start Mode: Manual, MSiSCSI Manages Internet SCSI (iSCSI) sessions
Initiator Service Expected State: Stopped from this computer to remote iSCSI target
devices.

Microsoft Pass- Start Mode: Disabled, NgcSvc Provides process isolation for cryptograph-
port (NgcSvc) Expected State: Stopped ic keys used to authenticate to a user’s as-
Service sociated identity providers.

Microsoft Pass- Start Mode: Disabled, NgcCtnrSvc Manages local user identity keys used to
port Container Expected State: Stopped authenticate user to identity providers as
Service well as TPM virtual smart cards.

Microsoft Soft- Start Mode: Manual, Expected swprv Manages software-based volume shadow
ware Shadow State: Stopped, Running copies taken by the Volume Shadow Copy
Copy Provider service.

Microsoft Storage Start Mode: Manual, Expected smphost Host service for the Microsoft Storage
Spaces SMP State: Stopped, Running Spaces management provider.
(smphost)

Net.Tcp Port Start Mode: Disabled, NetTcpPort- Provides ability to share TCP ports over the
Sharing Service Expected State: Stopped Sharing net.tcp protocol.

19
Display Name Hardened Start Name Service Description
Mode and State

Netlogon Service Start Mode: Manual, Expected Netlogon Maintains a secure channel between this
State: Stopped, Running computer and the domain controller for
authenticating users and services.

Network Access Start Mode: Disabled, NcbService Brokers connections that allow Windows
Protection Agent Expected State: Stopped Store Apps to receive notifications from
the internet.

Network Connec- Start Mode: Manual, Expected Netman Manages objects in the Network and
tions Service State: Stopped, Running Dial-Up Connections folder, in which you
can view both local area network and
remote connections.

Network Connec- Start Mode: Disabled, NcaSvc Provides DirectAccess status notification
tivity Assistant Expected State: Stopped for UI components

Network List Start Mode: Manual, Expected netprofm Identifies networks connected to, collects/
Service State: Stopped, Running stores properties for these networks,
notifies applications properties change.

Network Location Start Mode: Auto, Expected NlaSvc Collects and stores configuration informa-
Awareness Service State: Stopped, Running tion for the network and notifies programs
when this information is modified.

Network Setup Start Mode: Manual, Expected NetSetupSvc The Network Setup Service manages
(NetSetupSvc) State: Stopped, Running the installation of network drivers and
Service permits the configuration of low-level
network settings.

Network Store Start Mode: Auto, Expected nsi This service delivers network notifications
Interface Service State: Running (e.g. interface addition/deleting etc) to user
mode clients.

Offline Files (Csc- Start Mode: Disabled, CscService The Offline Files service performs mainte-
Service) Service Expected State: Stopped nance activities on the Offline Files cache,
responds to user logon and logoff events...

Optimize Drives Start Mode: Manual, Expected defragsvc Helps the computer run more efficiently
(defragsvc) Service State: Stopped, Running by optimizing files on storage drives.

Performance Start Mode: Manual, Expected PerfHost Enables remote users and 64-bit process-
Counter DLL Host State: Stopped, Runnin es to query performance counters provid-
ed by 32-bit DLLs.

20
Display Name Hardened Start Name Service Description
Mode and State

Performance Logs Start Mode: Manual, Expected pla Performance Logs and Alerts Collects per-
and Alerts Service State: Stopped, Running formance data from local or remote com-
puters based on preconfigured schedule
parameters...

Phone (PhoneSvc) Start Mode: Disabled, PhoneSvc Manages the telephony state on the device
Service Expected State: Stopped

Plug and Play Start Mode: Manual, Expected PlugPlay Enables a computer to recognize and
Service State: Stopped, Running adapt to hardware changes with little or
no user input.

Portable Device Start Mode: Manual, Expected WPDBusEnum Enforces group policy for removable
Enumerator State: Stopped, Running mass-storage devices. Enables applica-
Service tions such as Windows Media Player and
Image Import Wizard to...

Power Service Start Mode: Auto, Expected Power Manages power policy and power policy
State: Running notification delivery.

Print Spooler Start Mode: Disabled, Spooler Spools print jobs and handles interac-
Service Expected State: Stopped tion with the printer. If you turn off this
service, you won’t be able to print or see
your printers.

Printer Extensions Start Mode: Disabled, PrintNotify This service opens custom printer dialog
and Notifications Expected State: Stopped boxes and handles notifications from a
remote print server or a printer.

Problem Reports/ Start Mode: Disabled, wercplsup- Provides support for viewing, sending
Solutions Ctrl Expected State: Stopped port and deletion of system-level problem re-
Panel ports for the Problem Reports and Solu-
tions control panel.

Program Compat- Start Mode: Disabled, PcaSvc Program Compatibility Assistant monitors
ibility Assistant Expected State: Stopped programs installed and run by a user and
(PcaSvc) detects known compatibility problems.

Quality Windows Start Mode: Disabled, QWAVE Quality Windows Audio Video Experience
Audio Video Expected State: Stopped (qWave) is a networking platform for Au-
Experience dio Video (AV) streaming applications on
IP home networks.

21
Display Name Hardened Start Name Service Description
Mode and State

Radio Manage- Start Mode: Disabled, RmSvc Radio Management and Airplane Mode
ment Service Expected State: Stopped Service
Service

Remote Access Start Mode: Disabled, RasAuto Creates a connection to a remote network
Auto Connection Expected State: Stopped whenever a program references a remote
Manager DNS or NetBIOS name or address.

Remote Access Start Mode: Disabled, RasMan Manages dial-up and virtual private net-
Connection Expected State: Stopped work (VPN) connections from this computer
Manager to the Internet or other remote networks.

Remote Desktop Start Mode: Manual, SessionEnv Remote Desktop Configuration service
Configuration Expected State: Running (RDCS) is responsible for all Remote Desk-
Service top Services and Remote Desktop related
configuration and...

Remote Desktop Start Mode: Manual, TermService Allows users to connect interactively to a
Services Service Expected State: Running remote computer. Remote Desktop and
Remote Desktop Session Host Server de-
pend on this service.

RDP UserMode Start Mode: Manual, UmRdpSer- Allows the redirection of Printers/Drives/
Port Redirector Expected State: Running vice Ports for RDP connections

Remote Proce- Start Mode: Auto, RpcSs The RPCSS service is the Service Control
dure Call (RPC) Expected State: Running Manager for COM and DCOM servers. It
Service performs object activations requests, ob-
ject exporter resolutions

Remote Proce- Start Mode: Disabled, RpcLocator In Windows 2003 and earlier versions
dure Call (RPC) Expected State: Stopped of Windows, the Remote Procedure Call
Locator (RPC) Locator service manages the RPC
name service database.

Remote Registry Start Mode: Auto, Expected RemoteReg- Enables remote users to modify registry
Service State: Stopped/Running istry settings on this computer.

Resultant Set of Start Mode: Manual, Expected RSoPProv Provides a network service that process-
Policy Provider State: Stopped, Running es requests to simulate application of
Service Group Policy settings for a target user or
computer in various...

22
Display Name Hardened Start Name Service Description
Mode and State

Routing and Start Mode: Disabled, RemoteAccess Offers routing services to businesses in
Remote Access Expected State: Stopped local area and wide area network environ-
Service ments.

RPC Endpoint Start Mode: Auto, Expected RpcEptMap- Resolves RPC interfaces identifiers to trans-
Mapper Service State: Running per port endpoints.

Secondary Logon Start Mode: Manual, Expected seclogon Enables starting processes under alternate
Service State: Stopped, Running credentials. If this service is stopped, this
type of logon access will be unavailable.

Secure Socket Start Mode: Manual, Expected SstpSvc Provides support for the Secure Socket
Tunneling Proto- State: Stopped, Running Tunneling Protocol (SSTP) to connect to re-
col Service mote computers using VPN.

Security Accounts Start Mode: Auto, Expected SamSs Startup of this service signals that the Se-
Manager Service State: Running curity Accounts Manager (SAM) is ready to
accept requests.

Sensor Data Start Mode: Disabled, SensorData- Delivers data from a variety of sensors
Service Service Expected State: Stopped Service

Sensor Monitor- Start Mode: Disabled, SensrSvc Monitors various sensors in order to expose
ing Service Service Expected State: Stopped data and adapt to system and user state.

Sensor Service Start Mode: Disabled, SensorService A service for sensors that manages differ-
(SensorService) Expected State: Stopped ent sensors’ functionality. Manages Sim-
Service ple Device Orientation (SDO) and History
for sensors.

Server Service Start Mode: Auto, Lanman Supports file, print, and named-pipe shar-
Expected State: Running Server ing over the network for this computer.

Shell Hardware Start Mode: Auto, ShellHWDe- Provides notifications for AutoPlay hard-
Detection Service Expected State: Running tection ware events.

Smart Card Start Mode: Disabled, SCardSvr Manages access to smart cards read by
Service Expected State: Stopped this computer.

Smart Card Device Start Mode: Disabled, ScDevice Creates software device nodes for all
Enumeration Expected State: Stopped Enum smart card readers accessible to a given
Service session.

23
Display Name Hardened Start Name Service Description
Mode and State

Smart Card Start Mode: Disabled, SCPolicySvc Allows the system to be configured to
Removal Policy Expected State: Stopped lock the user desktop upon smart card
Service removal.

SNMP Trap Start Mode: Disabled, SNMPTRAP Receives trap messages generated by local
Service Expected State: Stopped or remote Simple Network Management
Protocol (SNMP) agents.

Software Start Mode: Auto, Expected sppsvc Enables the download, installation and en-
Protection Service State: Stopped, Running forcement of digital licenses for Windows
and Windows applications.

Special Adminis- Start Mode: Manual, Expected sacsvr Allows administrators to remotely access
tration Console State: Stopped, Running a command prompt using Emergency
Helper Management Services.

Spot Verifier Start Mode: Manual, Expected svsvc Verifies potential file system corruptions.
Service State: Stopped, Running

SSDP Discovery Start Mode: Disabled, SSDPSRV Discovers networked devices & services
Service Expected State: Stopped using SSDP discovery protocol, such as
UPnP devices.

State Repository Start Mode: Manual, Expected StateReposi- Provides required infrastructure support
Service State: Stopped, Running tory for the application model.

Still Image Start Mode: Disabled, WiaRpc Launches applications associated with
Acquisition Events Expected State: Stopped still image acquisition events.
Service

Storage (StorSvc) Start Mode: Manual, Expected StorSvc Provides enabling services for storage
Service State: Stopped, Running settings and external storage expansion

Storage Tiers Start Mode: Manual, Expected TieringEngine- Optimizes the placement of data in stor-
Management State: Stopped, Running Service age tiers on all tiered storage spaces in
Service the system.

Superfetch Start Mode: Disabled, SysMain Maintains and improves system perfor-
Service Expected State: Stopped mance over time.

24
Display Name Hardened Start Name Service Description
Mode and State

Sync Host Start Mode: Disabled, OneSyncSvc This service synchronizes mail, contacts,
(OneSyncSvc) Expected State: Stopped calendar and various other user data.
Service

System Event No- Start Mode: Auto, SENS Monitors system events and notifies
tification Service Expected State: Running subscribers to COM+ Event System of
these events.

System Events Start Mode: Auto, System Coordinates execution of background

Broker Service Expected State: Running EventsBroker work for WinRT application. If service is
stopped/disabled, background work might
not be triggered.

Task Scheduler Start Mode: Auto, Schedule Enables a user to configure & schedule
Service Expected State: Running automated tasks on this computer. The
service also hosts multiple Windows sys-
tem-critical tasks.

TCP/IP NetBIOS Start Mode: Manual, lmhosts Provides support for the NetBIOS over
Helper Service Expected State: Running TCP/IP (NetBT) service and NetBIOS name
resolution for clients on the network...

Telephony Service Start Mode: Disabled, TapiSrv Provides Telephony API (TAPI) support
Expected State: Stopped for programs that control telephony de-
vices on the local computer and, through
the LAN...

Themes Service Start Mode: Disabled, Themes Provides user experience theme
Expected State: Stopped management.

Tile Data model Start Mode: Auto, tiledatamod- Tile Server for tile updates.
server Service Expected State: Running elsvc

Time Broker Start Mode: Manual, Expected TimeBro- Coordinates execution of background
(TimeBrokerSvc) State: Stopped, Running kerSvc work for WinRT application. If service is
Service stopped, background work might not be
triggered.

Touch Keyboard Start Mode: Disabled, TabletInput- Enables Touch Keyboard and Handwrit-
and Handwriting Expected State: Stopped Service ing Panel pen and ink functionality
Panel

25
Display Name Hardened Start Name Service Description
Mode and State

Update Orches- Start Mode: Manual, Expected UsoSvc Manages Windows Updates. If stopped,
trator for Win- State: Stopped, Running your devices will not be able to download
dows Update and install latest updates.

UPnP Device Host Start Mode: Disabled, upnphost Allows UPnP devices to be hosted on this
Service Expected State: Stopped computer.

User Access Start Mode: Auto, UALSVC Logs unique client access requests, in the
Logging Service Expected State: Running form of IP addresses and user names, of
installed products and roles on the local
server.

User Data Access Start Mode: Disabled, UserDataSvc Provides apps access to structured user
(UserDataSvc) Expected State: Stopped data, including contact info, calendars,
Service messages, and other content.

User Data Storage Start Mode: Disabled, UnistoreSvc Handles storage of structured user data,
(UnistoreSvc) Expected State: Stopped including contact info, calendars, messag-
Service es, and other content.

User Experience Start Mode: Disabled, UevAgent Provides support for application and OS
Virtualization Expected State: Stopped Service settings roaming
Service

User Manager Start Mode: Auto, UserManager User Manager provides the runtime
(UserManager) Expected State: Running components required for multi-user
Service interaction.

User Profile Start Mode: Auto, ProfSvc This service is responsible for loading
(ProfSvc) Service Expected State: Running and unloading user profiles.

Virtual Disk Start Mode: Manual, Expected vds Provides management services for disks,
Service State: Stopped, Running volumes, file systems, and storage arrays.

Volume Shadow Start Mode: Manual, Expected VSS Manages and implements Volume
Copy Service State: Stopped, Running Shadow Copies used for backup and
other purposes.

WalletService Start Mode: Disabled, WalletService Hosts objects used by clients of the wallet
(WalletService) Expected State: Stopped
Service

26
Display Name Hardened Start Name Service Description
Mode and State

Windows Audio Start Mode: Disabled, Audiosrv Manages audio for Windows-based
Service Expected State: Stopped programs. If this service is stopped, au-
dio devices and effects will not function
properly.

Windows Audio Start Mode: Disabled, AudioEnd- Manages audio devices for the Windows
Endpoint Builder Expected State: Stopped pointBuilder Audio service. If this service is stopped,
Service audio devices and effects will not function
properly.

Windows Start Mode: Disabled, WbioSrvc The Windows biometric service gives client
Biometric Service Expected State: Stopped applications the ability to capture, com-
pare, manipulate, and store biometric data
without...

Windows Start Mode: Auto, FrameServer Enables multiple clients to access video
Connection Expected State: Running frames from camera devices.
Manager Service

Windows Camera Start Mode: Disabled, Wcmsvc Makes automatic connect/disconnect de-
Frame Service Expected State: Stopped cisions based on the network connectivity
options currently available to the PC and
enables...

Windows De- Start Mode: Manual, Expected WdNisSvc Helps guard against intrusion attempts
fender Network State: Stopped/Running targeting known and newly discovered
Inspection vulnerabilities in network protocols

Windows Defend- Start Mode: Auto, WinDefend Helps protect users from malware and
er (WinDefend) Expected State: Running other potentially unwanted software
Service

Win Drvr Founda- Start Mode: Manual, Expected wudfsvc Creates and manages user-mode driv-
tion User-mode State: Running/Stopped er processes. This service cannot be
Drvr FW stopped.

Windows Encryp- Start Mode: Disabled, WEPHOSTSVC Windows Encryption Provider Host Ser-
tion Provider Host Expected State: Stopped vice brokers encryption related function-
alities from 3rd Party Encryption Provid-
ers to processes...

27
Display Name Hardened Start Name Service Description
Mode and State

Windows Error Start Mode: Manual, Expected WerSvc Allows errors to be reported when pro-
Reporting Service State: Running/Stopped grams stop working or responding and al-
lows existing solutions to be delivered.

Windows Event Start Mode: Manual, Expected Wecsvc This service manages persistent
Collector Service State: Running/Stopped subscriptions to events from remote
sources that support WS-Management
protocol.

Windows Event Start Mode: Auto, EventLog This service manages events and event
Log Service Expected State: Running logs. It supports logging events, querying
events, subscribing to events, archiving
event logs...

Windows Firewall Start Mode: Auto, MpsSvc Windows Firewall protects your com-
Service Expected State: Running puter by preventing unauthorized users
from gaining access through the Internet
or a network.

Windows Font Start Mode: Auto, Expected FontCache Optimizes performance of applications by
Cache Service State: Stopped, Running caching commonly used font data.

Windows Image Start Mode: Disabled, stisvc Provides image acquisition services for
Acquisition Expected State: Stopped scanners and cameras
Service

Windows Insider Start Mode: Disabled, wisvc wisvc

(wisvc) Service Expected State: Stopped

Windows Installer Start Mode: Manual, Expected msiserver Adds, modifies, and removes applications
Service State: Stopped, Running provided as a Windows Installer (*.msi,
*.msp) package.

Windows License Start Mode: Manual, Expected License Provides infrastructure support for the
Manager Service State: Stopped, Running Manager Windows Store.

Windows Manage- Start Mode: Auto, Winmgmt Provides a common interface and object
ment Instr’tion Expected State: Running model to access management informa-
tion about OS, devices, applications and
services.

Windows Mobile Start Mode: Disabled, icssvc Provides the ability to share a cellular data
Hotspot Service Expected State: Stopped connection with another device.

28
Display Name Hardened Start Name Service Description
Mode and State

Windows Modules Start Mode: Manual, Expected TrustedIn- Enables installation, modification, and
Installer Service State: Stopped, Running staller removal of Windows updates and op-
tional components.

Windows Push Start Mode: Disabled, WpnService Runs in session 0 and hosts the notification
Notifications Expected State: Stopped platform and connection provider which
System handles the connection between the device
and WNS server.

Win Push Notifica- Start Mode: Disabled, WpnUser Hosts Windows notification platform which
tions User Service Expected State: Stopped Service provides support for local and push noti-
fications. Supported notifications are tile,
toast and raw.

Windows Remote Start Mode: Auto, Expected WinRM Windows Remote Management (WinRM)
Management State: Stopped, Running service implements the WS-Management
protocol for remote management.

Windows Search Start Mode: Disabled, WSearch Provides content indexing, property cach-
(WSearch) Service Expected State: Stopped ing, and search results for files, e-mail,
and other content.

Windows Time Start Mode: Auto, W32Time Maintains date and time synchronization
Service Expected State: Running on all clients and servers in the network.

Windows Update Start Mode: Manual, Expected wuauserv Enables the detection, download, and
Service State: Stopped/Running installation of updates for Windows and
other programs

WinHTTP Web Start Mode: Manual, Expected WinHttpAuto- Client HTTP stack, provides developers
Proxy Auto-Dis- State: Stopped/Running ProxySvc with a Win32 API/COM Automation com-
covery ponent for sending HTTP requests/receiv-
ing responses.

Wired AutoConfig Start Mode: Disabled, dot3svc The Wired AutoConfig (DOT3SVC) service
Service Expected State: Stopped is responsible for performing IEEE 802.1X
authentication on Ethernet interfaces.

WMI Performance Start Mode: Manual, Expected wmiApSrv Provides performance library informa-
Adapter Service State: Stopped, Running tion from Windows Management Instru-
mentation (WMI) providers to clients on
the network.

29
Display Name Hardened Start Name Service Description
Mode and State

Workstation Start Mode: Auto, Lanman Creates and maintains client network
Service Expected State: Running Workstation connections to remote servers using the
SMB protocol.

Xbox Live Auth Start Mode: Disabled, XblAuth Provides authentication and authorization
Manager Service Expected State: Stopped Manager services for interacting with Xbox Live.

Xbox Live Game Start Mode: Disabled, XblGameSave This service syncs save data for Xbox Live
Save Service Expected State: Stopped save enabled games.

30
Windows Server 2016
Display Name Hardened Start Name Service Description
Mode and State

App Readiness Start Mode: Manual, Expected AppReadiness Gets apps ready for use the first time a
Service State: Stopped, Running user signs in to this PC and when adding
new apps.

Application Informa- Start Mode: Manual, Expected Appinfo Facilitates the running of interactive ap-
tion Service State: Stopped, Running plications with additional administrative
privileges.

Application Layer Start Mode: Disabled, ALG Provides support for 3rd party protocol
Gateway Service Expected State: Stopped plug-ins for Internet Connection Sharing

Application Manage- Start Mode: Manual, Expected AppMgmt Processes installation, removal, & enu-
ment Service State: Stopped, Running meration requests for software deployed
through Group Policy.

AppX Deployment Start Mode: Manual, Expected AppXSvc Provides infrastructure support for
Service (AppXSVC) State: Stopped, Running deploying Store applications.

31
Display Name Hardened Start Name Service Description
Mode and State

ASP.NET State Start Mode: Manual, Expected aspnet_state Provides support for out-of-process ses-
Service (aspnet_ State: Stopped, Running sion states for ASP.NET. If this service is
state) stopped, out-of-process requests will not
be processed.

Auto Time Zone Start Mode: Disabled, tzautoupdate Automatically sets the system time zone.
Updater Service Expected State: Stopped

Background In- Start Mode: Manual, Expected BITS Transfers files in the background using idle
telligent Transfer State: Stopped, Running network bandwidth.
Service

Background Tasks Start Mode: Auto, BrokerInfra- Windows infrastructure service that con-
Infrastructure Expected State: Running structure trols which background tasks can run on
Service the system.

Base Filtering Start Mode: Auto, BFE The Base Filtering Engine (BFE) is a service
Engine Service Expected State: Running that manages firewall and Internet Proto-
col security (IPsec) policies and implements
user mode...

Bluetooth Support Start Mode: Disabled, bthserv The Bluetooth service supports discovery
Service (bthserv) Expected State: Stopped and association of remote Bluetooth de-
vices.

CDPUserSvc (cd- Start Mode: Disabled, CDPUserSvc This user service is used for Connected
pusersvc) Service Expected State: Stopped Devices Platform scenarios

Certificate Propa- Start Mode: Manual, Expected CertPropSvc Copies user certificates and root certifi-
gation Service State: Stopped, Running cates from smart cards into the current
user’s certificate store, detects when a
smart card is inserted...

CNG Key Isolation Start Mode: Manual, Expected KeyIso The CNG key isolation service is hosted
Service State: Stopped, Running in the LSA process. The service provides
key process isolation to private keys and
associated...

32
Display Name Hardened Start Name Service Description
Mode and State

COM+ Event Start Mode: Auto, EventSystem Supports System Event Notification Ser-
System Service Expected State: Running vice (SENS), which provides automatic
distribution of events to subscribing
Component Object Model...

COM+ System Ap- Start Mode: Manual, Expected COMSysApp Manages the configuration and tracking of
plication Service State: Stopped, Running Component Object Model (COM)+-based
components. If the service is stopped, most
COM+-based...

Computer Start Mode: Disabled, Browser Maintains an updated list of computers on

Browser Service Expected State: Stopped the network and supplies this list to com-
puters designated as browsers.

Connected Start Mode: Auto, Expected CDPSvc This service is used for Connected Devices
Devices Platform State: Running, Stopped and Universal Glass scenarios
Service

Connected User Start Mode: Auto, DiagTrack The Connected User Experiences and
Experiences/ Expected State: Running Telemetry service enables features that
Telemetry support in-application and connected user
experiences...

Contact Data Start Mode: Disabled, PimIndexMain- Indexes contact data for fast contact
(PimIndexMainte- Expected State: Stopped tenanceSvc searching. If you stop or disable this ser-
nanceSvc) vice, contacts might be missing from your
search results.

CoreMessaging Start Mode: Auto, CoreMessag- Manages communication between system

(CoreMessagin- Expected State: Running ingRegistrar components.
gRegistrar)

Credential Start Mode: Manual, Expected VaultSvc Provides secure storage and retrieval of
Manager Service State: Stopped, Running credentials to users, applications and secu-
rity service packages.

Cryptographic Start Mode: Auto, CryptSvc Provides 3 management services: Catalog

Services Service Expected State: Running Database Service, confirms the signatures
of Windows files and allows new programs
to be installed...

33
Display Name Hardened Start Name Service Description
Mode and State

Data Sharing Start Mode: Manual, Expected DsSvc Provides data brokering between
(DsSvc) Service State: Stopped, Running applications.

Data Sharing Start Mode: Manual, Expected DcpSvc The DCP (Data Collection and Publishing)
(DcpSvc) Service State: Stopped, Running service supports first party apps to
upload data to cloud.

DCOM Server Start Mode: Auto, DcomLaunch The DCOMLAUNCH service launches COM
Process Launcher Expected State: Running and DCOM servers in response to object
Service activation requests.

Device Associa- Start Mode: Manual, Expected DeviceAssoci- Enables pairing between the system and
tion Service State: Stopped, Running ationService wired or wireless devices.

Device Install Start Mode: Manual, Expected DeviceInstall Enables a computer to recognize and
(DeviceInstall) State: Stopped, Running adapt to hardware changes with little or
Service no user input. Stopping or disabling this
service will result.

Device Manage- Start Mode: Manual, Expected DmEnroll- Performs Device Enrollment Activities for
ment Enrollment State: Stopped, Running mentSvc Device Management
Service

DevQuery Back- Start Mode: Manual, Expected DevQueryBro- Enables apps to discover devices with a
ground Discovery State: Stopped, Running ker backgroud task
Broker

DHCP Client Start Mode: Auto, Dhcp Registers and updates IP addresses and
Service Expected State: Running DNS records for this computer. If this ser-
vice is stopped, this computer will not re-
ceive dynamic IP...

Diagnostic Policy Start Mode: Auto, DPS The Diagnostic Policy Service enables
Service Expected State: Running problem detection, troubleshooting and
resolution for Windows components.

34
Display Name Hardened Start Name Service Description
Mode and State

Diagnostic Service Start Mode: Disabled, WdiService- The Diagnostic Service Host is used by
Host Service Expected State: Stopped Host the Diagnostic Policy Service to host
diagnostics that need to run in a Local
Service context.

Diagnostic System Start Mode: Disabled, WdiSystem- The Diagnostic System Host is used by
Host Service Expected State: Stopped Host the Diagnostic Policy Service to host
diagnostics that need to run in a Local
System context.

Distributed Link Start Mode: Auto, TrkWks Maintains links between NTFS files with-
Tracking Client Expected State: Running in a computer or across computers in a
Service network.

Distributed Trans- Start Mode: Auto, MSDTC Coordinates transactions that span mul-
action Coordinator Expected State: Running tiple resource managers, such as data-
bases, message queues, and file systems.

DMWAPPush Start Mode: Disabled, dmwappush- WAP Push Message Routing Service
Service Expected State: Stopped service

DNS Client Service Start Mode: Auto, Dnscache The DNS Client service (dnscache) caches
Expected State: Running Domain Name System (DNS) names and
registers the full computer name for this
computer.

Embedded Mode Start Mode: Manual, Expected embedded- The Embedded Mode service enables
Service State: Stopped, Running mode scenarios related to Background Appli-
cations.

Enhanced Mitiga- Start Mode: Manual, Expected emet_service The Enhanced Mitigation Experience Toolkit
tion Experience State: Stopped, Running (EMET) helps prevent vulnerabilities in soft-
Toolkit ware from being successfully exploited.

Encrypting File Start Mode: Manual, Expected EFS Provides the core file encryption technol-
System (EFS) State: Stopped, Running ogy used to store encrypted files on NTFS
Service file system volumes.

35
Display Name Hardened Start Name Service Description
Mode and State

Enterprise App Start Mode: Manual, Expected EntAppSvc Enables enterprise application
Management State: Stopped, Running management.
(EntAppSvc)

Extensible Start Mode: Disabled, EapHost The Extensible Authentication Protocol

Authentication Expected State: Stopped (EAP) service provides network authenti-
Protocol cation in such scenarios as 802.1x wired
and wireless...

Geolocation (lfsvc) Start Mode: Disabled, lfsvc This service monitors the current loca-
Service Expected State: Stopped tion of the system and manages geofenc-
es (a geographical location with associat-
ed events).

Group Policy Start Mode: Auto, gpsvc The service is responsible for applying
Client Service Expected State: Running settings configured by administrators
for the computer and users through the
Group Policy...disabled.

Human Interface Start Mode: Disabled, hidserv Activates and maintains the use of hot
Device Access Expected State: Stopped buttons on keyboards, remote controls,
Service and other multimedia devices.

HV Host Service Start Mode: Manual, Expected HvHost Provides an interface for the Hyper-V
State: Stopped, Running hypervisor to provide per-partition per-
formance counters to the host operating
system.

Hyper-V Data Start Mode: Manual, Expected vmickvpex- Provides a mechanism to exchange data
Exchange Service State: Stopped, Running change between the virtual machine and the op-
Service erating system running on the physical
computer.

36
Display Name Hardened Start Name Service Description
Mode and State

Hyper-V Guest Start Mode: Manual, Expected vmicguestint- Provides an interface for the Hyper-V
Service Interface State: Running, Stopped erface host to interact with specific services run-
Service ning inside the virtual machine.

Hyper-V Heart- Start Mode: Manual, Expected vmicheartbeat Monitors the state of this virtual machine by
beat Service State: Running, Stopped reporting a heartbeat at regular intervals.
Service

Hyper-V Pow- Start Mode: Manual, Expected vmicvmses- Provides a mechanism to manage virtual
erShell Direct State: Running, Stopped sion machine with PowerShell via VM session
Service without a virtual network.

Hyper-V Remote Start Mode: Manual, Expected vmicrdv Provides a platform for communication
Desktop Virtual- State: Running, Stopped between the virtual machine and the op-
ization erating system running on the physical
computer.

Hyper-V Time Start Mode: Manual, Expected vmictimesync Synchronizes the system time of this virtual
Synchronization State: Running, Stopped machine with the system time of the phys-
Service ical computer.

Interactive Ser- Start Mode: Disabled, UI0Detect Enables user notification of user input for
vices Detection Expected State: Stopped interactive services, enables access to dia-
Service logs created by interactive services

37
Display Name Hardened Start Name Service Description
Mode and State

Internet Connec- Start Mode: Disabled, SharedAccess Provides network address translation,
tion Sharing (ICS) Expected State: Stopped addressing, name resolution and/or in-
Service trusion prevention services for a home/
small office network.

IP Helper Service Start Mode: Disabled, iphlpsvc Provides tunnel connectivity using IPv6
Expected State: Stopped transition technologies (6to4, ISATAP,
Port Proxy, and Teredo), and IP-HTTPS.

KDC Proxy Server Start Mode: Manual, Expected KPSSVC KDC Proxy Server service runs on edge
service Service State: Stopped, Running servers to proxy Kerberos protocol mes-
sages to domain controllers on the cor-
porate network.

KtmRm Dist’ed Start Mode: Manual, Expected KtmRm Coordinates transactions between the
Transaction Coor- State: Stopped, Running Distributed Transaction Coordinator
dinator (MSDTC) and the Kernel Transaction
Manager (KTM).

Microsoft Diag- Start Mode: Manual, Expected diagnos- Diagnostics Hub Standard Collector
nostics Hub Std. State: Stopped, Running ticshub.stand- Service. When running, this service
Collector ardcollector. collects real time ETW events and
service processes them.

Microsoft App-V Start Mode: Disabled, wlidsvc Enables user sign-in through Microsoft ac-
Client Service Expected State: Stopped count identity services.

Microsoft Account Start Mode: Disabled, AppVClient Manages App-V users and virtual
Sign-in Assistant Expected State: Stopped applications

38
Display Name Hardened Start Name Service Description
Mode and State

Microsoft iSCSI Start Mode: Manual, MSiSCSI Manages Internet SCSI (iSCSI) sessions
Initiator Service Expected State: Stopped from this computer to remote iSCSI tar-
get devices.

Microsoft Pass- Start Mode: Disabled, NgcSvc Provides process isolation for cryp-
port (NgcSvc) Expected State: Stopped tographic keys used to authenticate to a
Service user’s associated identity providers.

Microsoft Soft- Start Mode: Manual, Expected swprv Manages software-based volume shad-
ware Shadow State: Stopped, Running ow copies taken by the Volume Shadow
Copy Provider Copy service.

Microsoft Storage Start Mode: Manual, Expected smphost Host service for the Microsoft Storage
Spaces SMP (sm- State: Stopped, Running Spaces management provider.
phost)

Net.Tcp Port Start Mode: Disabled, NetTcpPort- Provides ability to share TCP ports over
Sharing Service Expected State: Stopped Sharing the net.tcp protocol.

Netlogon Service Start Mode: Manual, Expected Netlogon Maintains a secure channel between this
State: Stopped, Running computer and the domain controller for
authenticating users and services.

Network Access Start Mode: Disabled, NcbService Brokers connections that allow Windows
Protection Agent Expected State: Stopped Store Apps to receive notifications from
the internet.

Network Connec- Start Mode: Manual, Expected Netman Manages objects in the Network and Di-
tions Service State: Stopped, Running al-Up Connections folder, in which you
can view both local area network and re-
mote connections.

Network Connec- Start Mode: Disabled, NcaSvc Provides DirectAccess status notification
tivity Assistant Expected State: Stopped for UI components

39
Display Name Hardened Start Name Service Description
Mode and State

Network List Start Mode: Manual, Expected netprofm Identifies networks connected to, col-
Service State: Stopped, Running lects/stores properties for these net-
works, notifies applications properties
change.

Network Loca- Start Mode: Auto, Expected NlaSvc Collects and stores configuration infor-
tion Awareness State: Stopped, Running mation for the network and notifies pro-
Service grams when this information is modified.

Network Setup Start Mode: Manual, Expected NetSetupSvc The Network Setup Service manages the
(NetSetupSvc) State: Stopped, Running installation of network drivers and per-
Service mits the configuration of low-level net-
work settings.

Network Store Start Mode: Auto, nsi This service delivers network notifica-
Interface Service Expected State: Running tions (e.g. interface addition/deleting etc)
to user mode clients.

Offline Files (Csc- Start Mode: Disabled, CscService The Offline Files service performs main-
Service) Service Expected State: Stopped tenance activities on the Offline Files
cache, responds to user logon and logoff
events...

Optimize Drives Start Mode: Manual, Expected defragsvc Helps the computer run more efficiently
(defragsvc) Service State: Stopped, Running by optimizing files on storage drives.

Performance Start Mode: Manual, Expected PerfHost Enables remote users and 64-bit pro-
Counter DLL Host State: Stopped, Runnin cesses to query performance counters
provided by 32-bit DLLs.

Performance Logs Start Mode: Manual, Expected pla Performance Logs and Alerts Collects
and Alerts Service State: Stopped, Runnin performance data from local or remote
computers based on preconfigured
schedule parameters...

Phone (PhoneSvc) Start Mode: Disabled, PhoneSvc Manages the telephony state on the device
Service Expected State: Stopped

40
Display Name Hardened Start Name Service Description
Mode and State

Plug and Play Start Mode: Manual, Expected PlugPlay Enables a computer to recognize and
Service State: Stopped, Running adapt to hardware changes with little or
no user input.

Portable Device Start Mode: Manual, Expected WPDBusEnum Enforces group policy for removable
Enumerator State: Stopped, Running mass-storage devices. Enables applications
Service such as Windows Media Player and Image
Import Wizard to...

Problem Reports/ Start Mode: Disabled, wercplsup- Provides support for viewing, sending and
Solutions Ctrl Expected State: Stopped port deletion of system-level problem reports
Panel for the Problem Reports and Solutions con-
trol panel.

Quality Windows Start Mode: Disabled, QWAVE Quality Windows Audio Video Experience
Audio Video Expe- Expected State: Stopped (qWave) is a networking platform for Au-
rience dio Video (AV) streaming applications on IP
home networks.

Radio Manage- Start Mode: Disabled, RmSvc Radio Management and Airplane Mode
ment Service Expected State: Stopped Service
Service

41
Display Name Hardened Start Name Service Description
Mode and State

Remote Access Start Mode: Disabled, RasMan Manages dial-up and virtual private net-
Connection Expected State: Stopped work (VPN) connections from this com-
Manager puter to the Internet or other remote
networks.

Remote Desktop Start Mode: Manual, SessionEnv Remote Desktop Configuration service
Configuration Expected State: Running (RDCS) is responsible for all Remote
Service Desktop Services and Remote Desktop
related configuration and...

RDP UserMode Start Mode: Manual, UmRdpSer- Allows the redirection of Printers/Drives/
Port Redirector Expected State: Running vice Ports for RDP connections

Remote Start Mode: Auto, Expected Remote Enables remote users to modify registry
Registry Service State: Stopped/Running Registry settings on this computer.

Routing and tart Mode: Disabled, RemoteAccess Offers routing services to businesses in
Remote Access Expected State: Stopped local area and wide area network envi-
Service ronments.

42
Display Name Hardened Start Name Service Description
Mode and State

RPC Endpoint Start Mode: Auto, RpcEpt- Resolves RPC interfaces identifiers to
Mapper Service Expected State: Running Mapper transport endpoints.

Secure Socket Start Mode: Manual, Expected SstpSvc Provides support for the Secure Socket
Tunneling Proto- State: Stopped, Running Tunneling Protocol (SSTP) to connect to
col Service remote computers using VPN.

Security Accounts Start Mode: Auto, SamSs Startup of this service signals that the Se-
Manager Service Expected State: Running curity Accounts Manager (SAM) is ready to
accept requests.

Sensor Data Start Mode: Disabled, Sensor- Delivers data from a variety of sensors
Service Service Expected State: Stopped DataService

Sensor Monitor- Start Mode: Disabled, SensrSvc Monitors various sensors in order to ex-
ing Service Service Expected State: Stopped pose data and adapt to system and user
state.

Sensor Service Start Mode: Disabled, SensorService A service for sensors that manages differ-
(SensorService) Expected State: Stopped ent sensors’ functionality. Manages Simple
Service Device Orientation (SDO) and History for
sensors.

Server Service Start Mode: Auto, Lanman- Supports file, print, and named-pipe shar-
Expected State: Running Server ing over the network for this computer.

Shell Hardware Start Mode: Auto, ShellHW- Provides notifications for AutoPlay hard-
Detection Service Expected State: Running Detection ware events.

Smart Card Start Mode: Disabled, SCardSvr Manages access to smart cards read by this
Service Expected State: Stopped computer.

Smart Card Device Start Mode: Disabled, ScDevice- Creates software device nodes for all smart
Enumeration Expected State: Stopped Enum card readers accessible to a given session.
Service

43
Display Name Hardened Start Name Service Description
Mode and State

Smart Card Start Mode: Disabled, SCPolicySvc Allows the system to be configured to
Removal Policy Expected State: Stopped lock the user desktop upon smart card
Service removal.

SNMP Trap Start Mode: Disabled, SNMPTRAP Receives trap messages generated by lo-
Service Expected State: Stopped cal or remote Simple Network Manage-
ment Protocol (SNMP) agents.

Software Protec- Start Mode: Auto, Expected sppsvc Enables the download, installation and
tion Service State: Stopped, Running enforcement of digital licenses for Win-
dows and Windows applications.

Special Adminis- Start Mode: Manual, Expected sacsvr Allows administrators to remotely access
tration Console State: Stopped, Running a command prompt using Emergency
Helper Management Services.

Spot Verifier Start Mode: Manual, Expected svsvc Verifies potential file system corruptions.
Service State: Stopped, Running

SSDP Discovery Start Mode: Disabled, SSDPSRV Discovers networked devices & services
Service Expected State: Stopped using SSDP discovery protocol, such as
UPnP devices.

State Repository Start Mode: Manual, Expected State- Provides required infrastructure support
Service State: Stopped, Running Repository for the application model.

Still Image Start Mode: Disabled, WiaRpc Launches applications associated with
Acquisition Expected State: Stopped still image acquisition events.
Events Service

Storage (StorSvc) Start Mode: Manual, Expected StorSvc Provides enabling services for storage
Service State: Stopped, Running settings and external storage expansion

Superfetch Start Mode: Disabled, SysMain Maintains and improves system perfor-
Service Expected State: Stopped mance over time.

44
Display Name Hardened Start Name Service Description
Mode and State

Sync Host Start Mode: Disabled, OneSyncSvc This service synchronizes mail, contacts,
(OneSyncSvc) Expected State: Stopped calendar and various other user data.
Service

System Event No- Start Mode: Auto, SENS Monitors system events and notifies sub-
tification Service Expected State: Running scribers to COM+ Event System of these
events.

System Events Start Mode: Auto, SystemEv- Coordinates execution of background

Broker Service Expected State: Running entsBroker work for WinRT application. If service
is stopped/disabled, background work
might not be triggered.

TCP/IP NetBIOS Start Mode: Manual, lmhosts Provides support for the NetBIOS over TCP/
Helper Service Expected State: Running IP (NetBT) service and NetBIOS name reso-
lution for clients on the network...

Telephony Service Start Mode: Disabled, TapiSrv Provides Telephony API (TAPI) support for
Expected State: Stopped programs that control telephony devices
on the local computer and, through the
LAN...

Themes Service Start Mode: Disabled, Themes Provides user experience theme manage-
Expected State: Stopped ment.

Tile Data model Start Mode: Auto, tiledatamo- Tile Server for tile updates.
server Service Expected State: Running delsvc

Time Broker Start Mode: Manual, Expected TimeBro- Coordinates execution of background work
(TimeBrokerSvc) State: Stopped, Running kerSvc for WinRT application. If service is stopped,
Service background work might not be triggered.

Touch Keyboard Start Mode: Disabled, TabletInput- Enables Touch Keyboard and Handwriting
and Handwriting Expected State: Stopped Service Panel pen and ink functionality
Panel

45
Display Name Hardened Start Name Service Description
Mode and State

UPnP Device Start Mode: Disabled, upnphost Allows UPnP devices to be hosted on this
Host Service Expected State: Stopped computer.

User Access Log- Start Mode: Auto, UALSVC Logs unique client access requests, in the
ging Service Expected State: Running form of IP addresses and user names, of
installed products and roles on the local
server.

User Data Storage Start Mode: Disabled, UnistoreSvc Handles storage of structured user data, in-
(UnistoreSvc) Expected State: Stopped cluding contact info, calendars, messages,
Service and other content.

User Experience Start Mode: Disabled, UevAgent- Provides support for application and OS
Virtualization Expected State: Stopped Service settings roaming
Service

User Manager Start Mode: Auto, UserManager User Manager provides the runtime compo-
(UserManager) Expected State: Running nents required for multi-user interaction.
Service

User Profile Start Mode: Auto, ProfSvc This service is responsible for loading and
(ProfSvc) Service Expected State: Running unloading user profiles.

Virtual Disk Start Mode: Manual, Expected vds Provides management services for disks,
Service State: Stopped, Running volumes, file systems, and storage arrays.

Volume Shadow Start Mode: Manual, Expected VSS Manages and implements Volume Shadow
Copy Service State: Stopped, Running Copies used for backup and other purposes.

WalletService Start Mode: Disabled, Expect- WalletService Hosts objects used by clients of the wallet
(WalletService) ed State: Stopped
Service

46
Display Name Hardened Start Name Service Description
Mode and State

Windows Biomet- Start Mode: Disabled, WbioSrvc The Windows biometric service gives cli-
ric Service Expected State: Stopped ent applications the ability to capture,
compare, manipulate, and store biome-
tric data without...

Windows Con- Start Mode: Auto, FrameServer Enables multiple clients to access video
nection Manager Expected State: Running frames from camera devices.
Service

Windows Camera Start Mode: Disabled, Wcmsvc Makes automatic connect/disconnect de-
Frame Service Expected State: Stopped cisions based on the network connectiv-
ity options currently available to the PC
and enables...

Windows Defend- Start Mode: Auto, WinDefend Helps protect users from malware and
er (WinDefend) Expected State: Running other potentially unwanted software
Service

Win Drvr Founda- Start Mode: Manual, Expected wudfsvc Creates and manages user-mode driv-
tion User-mode State: Running/Stopped er processes. This service cannot be
Drvr FW stopped.

47
Display Name Hardened Start Name Service Description
Mode and State

Windows Font Start Mode: Auto, Expected FontCache Optimizes performance of applications by
Cache Service State: Stopped, Running caching commonly used font data.

Windows Image Start Mode: Disabled, stisvc Provides image acquisition services for
Acquisition Expected State: Stopped scanners and cameras
Service

Windows Insider Start Mode: Disabled, wisvc wisvc

(wisvc) Service Expected State: Stopped

Windows Installer Start Mode: Manual, Expected msiserver Adds, modifies, and removes applications
Service State: Stopped, Running provided as a Windows Installer (*.msi,
*.msp) package.

Windows License Start Mode: Manual, Expected License Provides infrastructure support for the
Manager Service State: Stopped, Running Manager Windows Store.

Windows Mobile Start Mode: Disabled, icssvc Provides the ability to share a cellular data
Hotspot Service Expected State: Stopped connection with another device.

48
Display Name Hardened Start Name Service Description
Mode and State

Windows Modules Start Mode: Manual, Expected TrustedIn- Enables installation, modification, and
Installer Service State: Stopped, Running staller removal of Windows updates and op-
tional components.

Windows Remote Start Mode: Auto, Expected WinRM Windows Remote Management (WinRM)
Management State: Stopped, Running service implements the WS-Management
protocol for remote management.

Windows Search Start Mode: Disabled, WSearch Provides content indexing, property cach-
(WSearch) Service Expected State: Stopped ing, and search results for files, e-mail,
and other content.

Windows Time Start Mode: Auto, W32Time Maintains date and time synchronization
Service Expected State: Running on all clients and servers in the network.

Windows Update Start Mode: Manual, Expected wuauserv Enables the detection, download, and
Service State: Stopped/Running installation of updates for Windows and
other programs

Wired AutoConfig Start Mode: Disabled, dot3svc The Wired AutoConfig (DOT3SVC) service
Service Expected State: Stopped is responsible for performing IEEE 802.1X
authentication on Ethernet interfaces.

49
Display Name Hardened Start Name Service Description
Mode and State

Workstation Start Mode: Auto, Lanman Creates and maintains client network
Service Expected State: Running Workstation connections to remote servers using the
SMB protocol.

Xbox Live Auth Start Mode: Disabled, XblAuth Provides authentication and authorization
Manager Service Expected State: Stopped Manager services for interacting with Xbox Live.

Xbox Live Game Start Mode: Disabled, XblGameSave This service syncs save data for Xbox Live
Save Service Expected State: Stopped save enabled games.

50
Microsoft Windows 10
Display Name Hardened Start Name Service Description
Mode and State

AllJoyn Router Start Mode: Manual, Expected AJRouter Provides User Account Control validation
Service State: Stopped, Running for the installation of ActiveX controls from
the Internet and enables management of
ActiveX control..

App Readiness Start Mode: Manual, Expected AppReadiness Gets apps ready for use the first time a
Service State: Stopped, Running user signs in to this PC and when adding
new apps.

Application Informa- Start Mode: Manual, Expected Appinfo Facilitates the running of interactive ap-
tion Service State: Stopped, Running plications with additional administrative
privileges.

Application Layer Start Mode: Disabled, Expected ALG Provides support for 3rd party protocol
Gateway Service State: Stopped plug-ins for Internet Connection Sharing

Application Manage- Start Mode: Manual, Expected AppMgmt Processes installation, removal, & enu-
ment Service State: Stopped, Running meration requests for software deployed
through Group Policy.

AppX Deployment Start Mode: Manual, Expected AppXSvc Provides infrastructure support for de-
Service Service State: Stopped, Running ploying Store applications.

Assigned Access Start Mode: Manual, Expected AssignedAccess- AssignedAccessManager Local Server
Manager Service State: Stopped, Running ManagerSvc

Auto Time Zone Start Mode: Disabled, tzautoupdate Automatically sets the system time zone.
Updater Service Expected State: Stopped

51
Display Name Hardened Start Name Service Description
Mode and State

Background Start Mode: Manual, Expected BITS Transfers files in the background using idle
Intelligent State: Stopped, Running network bandwidth.
Transfer Service

Background Tasks Start Mode: Auto, BrokerInfra- Windows infrastructure service that con-
Infrastructure Expected State: Running structure trols which background tasks can run on
Service the system.

BitLocker Drive Start Mode: Manual, Expected BDESVC Allows BitLocker to prompt users for ac-
Encryption Service State: Stopped, Running tions related to drives when accessed and
supports unlocking of BL-protected drives
automatically...

Block Level Back- Start Mode: Disabled, wbengine The WBENGINE service is used by Windows
up Engine Service Expected State: Stopped Backup to perform backup and recovery
operations.

Bluetooth Hands- Start Mode: Disabled, BthHFSrv Enables wireless Bluetooth headsets to
free Service Expected State: Stopped run on this computer.

Bluetooth Support Start Mode: Disabled, bthserv The Bluetooth service supports discovery
Service Expected State: Stopped and association of remote Bluetooth de-
vices.

BranchCache Start Mode: Disabled, PeerDistSvc This service caches network content from
Expected State: Stopped peers on the local subnet.

Capability Access Start Mode: Manual, Expected camsvc Provides facilities for managing UWP
Manager Service State: Stopped, Running apps access to app capabilities as well as
checking an app’s access to specific app
capabilities

CDPUserSvc (cd- Start Mode: Disabled, CDPUserSvc This user service is used for Connected
pusersvc) Service Expected State: Stopped Devices Platform scenarios

52
Display Name Hardened Start Name Service Description
Mode and State

Client License Start Mode: Manual, Expected ClipSVC Provides infrastructure support for the
Service (ClipSVC) State: Stopped, Running Microsoft Store.
Service

COM+ Event Start Mode: Auto, EventSystem Supports System Event Notification Ser-
System Service Expected State: Running vice, provides automatic distribution of
events to subscribing Component Object
Model (COM)

COM+ System Ap- Start Mode: Manual, Expected COMSysApp Manages the configuration and tracking of
plication Service State: Stopped, Running Component Object Model (COM)+-based
components.

Connected Start Mode: Auto, Expected CDPSvc This service is used for Connected Devices
Devices Platform State: Running, Stopped and Universal Glass scenarios
Service

Contact Data Start Mode: Disabled, PimIndexMain- Indexes contact data for fast contact
Service Expected State: Stopped tenanceSvc searching. If you stop or disable this ser-
vice, contacts might be missing from your
search results.

CoreMessaging Start Mode: Auto, CoreMessa- Manages communication between system

Service Expected State: Running gingRegistrar components.

53
Display Name Hardened Start Name Service Description
Mode and State

Credential Start Mode: Manual, Expected VaultSvc Provides secure storage and retrieval of
Manager Service State: Stopped, Running credentials to users, applications and secu-
rity service packages.

Cryptographic Start Mode: Auto, CryptSvc Provides 3 management services: Catalog

Services Service Expected State: Running Database Service, confirms the signatures
of Windows files and allows new programs
to be installed...

Data Sharing Start Mode: Manual, Expected DsSvc Provides data brokering between
(DsSvc) Service State: Stopped, Running applications.

Data Usage Start Mode: Manual, Expected DusmSvc Network data usage, data limit, restrict
Service State: Stopped, Running background data, metered networks.

DCOM Server Start Mode: Auto, DcomLaunch The DCOMLAUNCH service launches COM
Process Launcher Expected State: Running and DCOM servers in response to object
Service activation requests.

Delivery Optimiza- Start Mode: Auto, DoSvc Performs content delivery optimization
tion Service Expected State: Running tasks

Device Associa- Start Mode: Manual, Expected DeviceAssoci- Enables pairing between the system and
tion Service State: Stopped, Running ationService wired or wireless devices.

Device Install Start Mode: Manual, Expected DeviceInstall Enables a computer to recognize and
(DeviceInstall) State: Stopped, Running adapt to hardware changes with little or
Service no user input.

Device Manage- Start Mode: Manual, Expected DmEnroll- Performs Device Enrollment Activities for
ment Enrollment State: Stopped, Running mentSvc Device Management
Service

DevicesFlow Start Mode: Manual, Expected Devices- Device Discovery and Connecting
State: Stopped, Running FlowUserSvc

54
Display Name Hardened Start Name Service Description
Mode and State

DevQuery Back- Start Mode: Manual, Expected DevQuery Enables apps to discover devices with a
ground Discovery State: Stopped, Running Broker backgroud task
Broker

DHCP Client Start Mode: Auto, Dhcp Registers and updates IP addresses and
Service Expected State: Running DNS records for this computer.

Diagnostic Execu- Start Mode: Manual, Expected diagsvc Executes diagnostic actions for trouble-
tion Service State: Stopped, Running shooting support

Data Usage Start Mode: Auto, DPS The Diagnostic Policy Service enables
Service Expected State: Running problem detection, troubleshooting and
resolution for Windows components.

Diagnostic Service Start Mode: Disabled, WdiService- The Diagnostic Service Host is used by
Host Service Expected State: Stopped Host the Diagnostic Policy Service to host diag-
nostics that need to run in a Local Service
context.

Diagnostic System Start Mode: Disabled, WdiSystem- The Diagnostic System Host is used by
Host Service Expected State: Stopped Host the Diagnostic Policy Service to host diag-
nostics that need to run in a Local System
context.

Distributed Link Start Mode: Auto, TrkWks Maintains links between NTFS files with-
Tracking Client Expected State: Running in a computer or across computers in a
Service network.

Distributed Start Mode: Auto, MSDTC Maintains links between NTFS files with-
Transaction Expected State: Running in a computer or across computers in a
Coordinator network.

DMWAP Push Start Mode: Disabled, dmwappush- WAP Push Message Routing Service
Service Service Expected State: Stopped service

DNS Client Service Start Mode: Auto, Dnscache The DNS Client service (dnscache) caches
Expected State: Running Domain Name System (DNS) names and
registers the full computer name for this
computer.

55
Display Name Hardened Start Name Service Description
Mode and State

Downloaded Start Mode: Disabled, MapsBroker Windows service for application access to
Maps Manager Expected State: Stopped downloaded maps. This service is started
Service on-demand by application accessing down-
loaded maps.

Embedded Mode Start Mode: Manual, Expected embedded- The Embedded Mode service enables sce-
Service State: Stopped, Running mode narios related to Background Applications.

Encrypting File Start Mode: Manual, Expected EFS Provides the core file encryption technol-
System (EFS) State: Stopped, Running ogy used to store encrypted files on NTFS
Service file system volumes.

Enterprise App Start Mode: Manual, Expected EntAppSvc Enables enterprise application
Management State: Stopped, Running management.
Service

Extensible Start Mode: Disabled, EapHost Provides network authentication in such

Authentication Expected State: Stopped scenarios as 802.1x wired and wireless,
Protocol VPN, and Network Access Protection
(NAP).

Fax Service Start Mode: Disabled, Fax The Fax service, a Telephony API
Expected State: Stopped (TAPI)-compliant service, provides fax ca-
pabilities from users’ computers.

File History Ser- Start Mode: Disabled, fhsvc Protects user files from accidental loss by
vice Expected State: Stopped copying them to a backup location.

Function Start Mode: Disabled, fdPHost The FDPHOST service hosts the Function
Discoery Provider Expected State: Stopped Discovery (FD) network discovery providers.
Host Service

56
Display Name Hardened Start Name Service Description
Mode and State

GraphicsPerfSvc Start Mode: Manual, Expected Graphics- Graphics performance monitor service
State: Stopped, Running PerfSvc

HomeGroup Start Mode: Disabled, HomeGrou- Makes local computer changes associated
Listener Expected State: Stopped pListener with configuration and maintenance of the
homegroup-joined computer.

HomeGroup Pro- Start Mode: Disabled, HomeGroup- Performs networking tasks associated
vider Expected State: Stopped Provider with configuration and maintenance of
homegroups.

Human Interface Start Mode: Disabled, hidserv Activates and maintains the use of hot
Device Access Expected State: Stopped buttons on keyboards, remote controls,
Service and other multimedia devices.

Hyper-V Guest Start Mode: Disabled, Expect- vmicguestint- Provides an interface for the Hyper-V
Service Interface ed State: Stopped erface host to interact with specific services run-
ning inside the virtual machine.

Hyper-V Guest Start Mode: Manual, Expected vmicshut- Provides a mechanism to shut down the
Shutdown Service State: Running, Stopped down operating system of this virtual machine
from the management interfaces on the
physical computer.

57
Display Name Hardened Start Name Service Description
Mode and State

Hyper-V Heartbeat Start Mode: Manual, Expected vmicheart- Monitors the state of this virtual machine by
Service State: Running, Stopped beat reporting a heartbeat at regular intervals.

Hyper-V Remote Start Mode: Manual, Expected vmicrdv Provides a platform for communication
Desktop State: Running, Stopped between the virtual machine and the
Virtualization operating system running on the physical
computer.

IIS Admin (IISAD- Start Mode: Disabled, IISADMIN The IISAdmin service hosts the IIS 6.0
MIN) Service Expected State: Stopped configuration compatibility component
(metabase) required by IIS 6.0 adminis-
trative scripts, SMTP & FTP.

Infrared monitor Start Mode: Disabled, irmon Detects other Infrared devices that are in
service Expected State: Stopped range and launches the file transfer ap-
plication.

Interactive Start Mode: Disabled, UI0Detect Enables user notification of user input for
Services Detection Expected State: Stopped interactive services, which enables access
Service to dialogs created by interactive services
when they appear.

58
Display Name Hardened Start Name Service Description
Mode and State

Internet Connec- Start Mode: Disabled, Shared- Provides network address translation,
tion Sharing (ICS) Expected State: Stopped Access addressing, name resolution and/or in-
trusion prevention services for a home or
small office network.

IP Helper Service Start Mode: Disabled, iphlpsvc Provides tunnel connectivity using IPv6
Expected State: Stopped transition technologies (6to4, ISATAP,
Port Proxy, and Teredo), and IP-HTTPS.

IP Translation Start Mode: Disabled, IpxlatCfgSvc Configures and enables translation from
Configuration Expected State: Stopped v4 to v6 and vice versa
Service

IPsec Policy Agent Start Mode: Manual, Expected PolicyAgent Internet Protocol security supports net-
Service State: Stopped, Running work-level peer/data origin authentica-
tion, data integrity, data confidentiality,
and replay protection.

KtmRm Distbd Start Mode: Manual, Expected KtmRm Coordinates transactions between the
Transaction State: Stopped, Running Distributed Transaction Coordinator
Coordinator (MSDTC) and the Kernel Transaction
Manager (KTM).

Link-Layer Start Mode: Disabled, lltdsvc Creates a Network Map, consisting of PC

Topology Expected State: Stopped and device topology (connectivity) infor-
Discovery Mapper mation, and metadata describing each
PC and device.

Local Profile Start Mode: Manual, Expected wlpasvc This service provides profile manage-
Assistant Service State: Stopped/Running ment for subscriber identity modules

Local Session Start Mode: Auto, Expected LSM Core Windows Service that manages
Manager Service State: Running local user sessions. Stopping or disa-
bling this service will result in system
instability.

LxssManager Start Mode: Disabled, LxssManager The LXSS Manager service supports
Service Expected State: Stopped running native ELF binaries.

MessagingService Start Mode: Disabled, Messaging- Service supporting text messaging and
Expected State: Stopped Service related functionality.

59
Display Name Hardened Start Name Service Description
Mode and State

Microsoft Diagnos- Start Mode: Manual, Expected diagnosticshub. Diagnostics Hub Standard Collector Service.
tics Hub Standard State: Stopped, Running standardcollec- When running, this service collects real time ETW
Collector Service tor.service events and processes them.
Service

Microsoft Account Start Mode: Disabled, AppVClient Manages App-V users and virtual
Sign-in Assistant Expected State: Stopped applications

Microsoft App-V Start Mode: Disabled, wlidsvc Enables user sign-in through Microsoft ac-
Client Service Expected State: Stopped count identity services.

Microsoft FTP Start Mode: Disabled, FTPSVC Enables the server to be a File Transfer
Service Expected State: Stopped Protocol (FTP) server.

Microsoft iSCSI Start Mode: Disabled, MSiSCSI Manages Internet SCSI (iSCSI) sessions
Initiator Service Expected State: Stopped from this computer to remote iSCSI tar-
get devices.

Microsoft Start Mode: Disabled, NgcSvc Provides process isolation for cryptograph-
Passport Expected State: Stopped ic keys used to authenticate to a user’s as-
(NgcSvc) Service sociated identity providers.

Microsoft Soft- Start Mode: Manual, Expected swprv Manages software-based volume shadow
ware Shadow State: Stopped, Running copies taken by the Volume Shadow Copy
Copy Provider service.

Microsoft Stor- Start Mode: Manual, Expected smphost Host service for the Microsoft Storage
age Spaces SMP State: Stopped, Running Spaces management provider. If this ser-
Service vice is stopped or disabled, Storage Spac-
es cannot be managed.

Microsoft Start Mode: Disabled, SmsRouter Routes messages based on rules to ap-
Windows SMS Expected State: Stopped propriate clients.
Router Service

Natural Start Mode: Manual, Expected NaturalAu- Signal aggregator service, that evaluates
Authentication State: Stopped, Running thentication signals based on time, network, geoloca-
tion, bluetooth and cdf factors.

Net.Tcp Port Start Mode: Disabled, NetTcpPort- Provides ability to share TCP ports over the
Sharing Service Expected State: Stopped Sharing net.tcp protocol.

60
Display Name Hardened Start Name Service Description
Mode and State

Netlogon Service Start Mode: Manual, Expected Netlogon Maintains a secure channel between this
State: Stopped, Running computer and the domain controller for
authenticating users and services.

Network Access Start Mode: Disabled, NcbService Brokers connections that allow Windows
Protection Agent Expected State: Stopped Store Apps to receive notifications from the
Service internet.

Network Con- Start Mode: Disabled, NcdAutoSetup Network Connected Devices Auto-Setup
nected Devices Expected State: Stopped service monitors and installs qualified de-
Auto-Setup vices that connect to a qualified network.

Network Connec- Start Mode: Manual, Expected Netman Manages objects in the Network and Di-
tions Service State: Stopped, Running al-Up Connections folder, in which you can
view both local area network and remote
connections.

Network Connec- Start Mode: Disabled, NcaSvc Provides DirectAccess status notification
tivity Assistant Expected State: Stopped for UI components
Service

Network List Start Mode: Manual, Expected netprofm Identifies, collects & stores properties for
Service State: Stopped, Running networks to which computer has con-
nected, notifies applications when prop-
erties change.

Network Loca- Start Mode: Manual, Expected NlaSvc Collects and stores configuration infor-
tion Awareness State: Stopped, Running mation for the network and notifies pro-
Service grams when this information is modified.

Network Store Start Mode: Auto, nsi This service delivers network notifica-
Interface Service Expected State: Running tions (e.g. interface addition/deleting etc)
to user mode clients.

61
Display Name Hardened Start Name Service Description
Mode and State
Offline Files (Csc- Start Mode: Disabled, CscService Performs maintenance activities on the
Service) Service Expected State: Stopped Offline Files cache, responds to user logon
and logoff events, implements the internals
of the public API..

Optimize Drives Start Mode: Manual, Expected defragsvc Helps the computer run more efficiently by
(defragsvc) Service State: Stopped, Running optimizing files on storage drives.

Payments and Start Mode: Disabled, SEMgrSvc Manages payments and Near Field
NFC/SE Manager Expected State: Stopped Communication

Peer Name Reso- Start Mode: Disabled, PNRPsvc Enables serverless peer name resolution
lution Protocol Expected State: Stopped over the Internet using the Peer Name Res-
olution Protocol (PNRP).

Peer Networking Start Mode: Disabled, Expected p2psvc Enables multi-party communication using
Grouping Service State: Stopped, Running Peer-to-Peer Grouping. If disabled, some
applications, such as HomeGroup, may not
function.

Peer Networking Start Mode: Disabled, Expected p2pimsvc Provides identity services for the Peer
Identity Manager State: Stopped, Running Name Resolution Protocol (PNRP) and
Peer-to-Peer Grouping services.

Performance Start Mode: Manual, Expected PerfHost Enables remote users and 64-bit process-
Counter DLL Host State: Stopped, Running es to query performance counters pro-
Service vided by 32-bit DLLs.

Performance Logs Start Mode: Manual, Expected pla Collects performance data from local/re-
and Alerts Service State: Stopped, Running mote computers based on preconfigured
schedule parameters, then writes data to
a log/triggers alerts.

Phone (PhoneSvc) Start Mode: Disabled, PhoneSvc Manages the telephony state on the device
Service Expected State: Stopped

Plug and Play Start Mode: Manual, Expected PlugPlay Enables a computer to recognize and
Service State: Stopped, Running adapt to hardware changes with little or
no user input.

62
Display Name Hardened Start Name Service Description
Mode and State

PNRP Machine Start Mode: Disabled, PNRPAutoReg This service publishes a machine name
Name Publication Expected State: Stopped using the Peer Name Resolution Protocol.
Service Configuration is managed via the netsh
context ‘p2p pnrp peer’

Portable Device Start Mode: Manual, Expected WPDBusEnum Enforces group policy for removable
Enumerator State: Stopped, Running mass-storage devices, enables multimedia
Service applications to transfer/synchronize con-
tent to removable storage

Power Service Start Mode: Auto, Power Manages power policy and power policy
Expected State: Running notification delivery.

Print Spooler Start Mode: Disabled, Spooler This service spools print jobs and handles
Service Expected State: Stopped interaction with the printer.

Print Workflow Start Mode: Disabled, PrintWorkflow Print Workflow

Service Expected State: Stopped

Problem Reports Start Mode: Disabled, wercplsup- Provides support for viewing, sending
Solutions Ctrl Expected State: Stopped port and deletion of system-level problem re-
Panel ports for the Problem Reports and Solu-
tions control panel.

Program Compati- Start Mode: Disabled, PcaSvc Program Compatibility Assistant moni-
bility Assistant Expected State: Stopped tors programs installed/run and detects
known compatibility problems.

Radio Manage- Start Mode: Disabled, RmSvc Radio Management and Airplane Mode
ment Service Expected State: Stopped Service

63
Display Name Hardened Start Name Service Description
Mode and State

Remote Desktop Start Mode: Disabled, Expected SessionEnv Supports all Remote Desktop Services/re-
Configuration State: Stopped, Running lated configuration/session maintenance
Service activities that require SYSTEM context.

Remote Desktop Start Mode: Disabled, Expected TermService Allows users to connect interactively to a
Services Service State: Stopped, Running remote computer. Remote Desktop and
Remote Desktop Session Host Server de-
pend on this service.

RDP UserMode Start Mode: Disabled, Expected UmRdpService Allows the redirection of Printers/Drives/
Port Redirector State: Stopped/Running Ports for RDP connections

Remote Proce- Start Mode: Disabled, RpcLocator In Windows 2003 and earlier versions of
dure Call (RPC) Expected State: Stopped Windows, the Remote Procedure Call (RPC)
Locator Locator service manages the RPC name
service database.

Remote Proce- Start Mode: Auto, RpcSs The RPCSS service is the Service Control
dure Call (RPC) Expected State: Running Manager for COM and DCOM servers.
Service

Remote Registry Start Mode: Disabled, Expected Remote- Enables remote users to modify registry
Service State: Stopped/Running Registry settings on this computer.

Retail Demo Start Mode: Disabled, RetailDemo The Retail Demo service controls device
Service Expected State: Stopped activity while the device is in retail demo
mode.

Routing and Start Mode: Disabled, Remote- Offers routing services to businesses in
Remote Access Expected State: Stopped Access local area and wide area network envi-
Service ronments.

RPC Endpoint Start Mode: Auto, RpcEpt- Resolves RPC interfaces identifiers to trans-
Mapper Service Expected State: Running Mapper port endpoints.

64
Display Name Hardened Start Name Service Description
Mode and State

Secondary Logon Start Mode: Manual, Expected seclogon Enables starting processes under alternate
Service State: Stopped, Running credentials.

Security Accounts Start Mode: Auto, SamSs The startup of this service signals other ser-
Manager Service Expected State: Running vices that the Security Accounts Manager
(SAM) is ready to accept requests.

Security Center Start Mode: Manual, Expected wscsvc The Security Center (wscsvc) service moni-
State: Stopped, Running tors and reports security health settings on
the computer.

Sensor Data Start Mode: Disabled, SensorData- Delivers data from a variety of sensors
Service Service Expected State: Stopped Service

Sensor Monitor- Start Mode: Disabled, SensrSvc Monitors various sensors in order to ex-
ing Service Service Expected State: Stopped pose data and adapt to system and user
state.

Server Service Start Mode: Disabled, Expected Lanman- Supports file, print, and named-pipe shar-
State: Stopped, Running Server ing over the network for this computer. If
this service is stopped, these functions will
be unavailable.

Shared PC Start Mode: Disabled, shpamsvc Manages profiles and accounts on a

Account Manager Expected State: Stopped SharedPC configured device

Shell Hardware Start Mode: Auto, ShellHW- Provides notifications for AutoPlay hard-
Detection Service Expected State: Running Detection ware events.

Simple TCP/IP Start Mode: Disabled, simptcp Supports the following TCP/IP services:
Services Service Expected State: Stopped Character Generator, Daytime, Discard,
Echo, and Quote of the Day.

65
Display Name Hardened Start Name Service Description
Mode and State

Smart Card Device Start Mode: Disabled, ScDevice- Creates software device nodes for all smart
Enumeration Expected State: Stopped Enum card readers accessible to a given session.
Service

Smart Card Start Mode: Disabled, SCPolicySvc Allows the system to be configured to lock
Removal Policy Expected State: Stopped the user desktop upon smart card removal.
Service

Smart Card Start Mode: Disabled, SCardSvr Manages access to smart cards read by this
Service Expected State: Stopped computer.

SNMP Service Start Mode: Disabled, SNMP Enables Simple Network Management Pro-
Expected State: Stopped tocol (SNMP) requests to be processed by
this computer.

SNMP Trap Start Mode: Disabled, SNMPTRAP Receives trap messages SNMP agents and
Service Expected State: Stopped forwards the messages to SNMP manage-
ment programs running on this computer.

Software Protec- Start Mode: Auto, Expected sppsvc Enables the download, installation and
tion Service State: Stopped, Running enforcement of digital licenses for Win-
dows and Windows applications.

Spatial Data Start Mode: Disabled, Shared- This service is used for Spatial Perception
Service Expected State: Stopped RealitySvc scenarios

Spot Verifier Start Mode: Manual, Expected svsvc Verifies potential file system corruptions.
Service State: Stopped, Running

SSDP Discovery Start Mode: Disabled, SSDPSRV Discovers networked devices and servic-
Service Expected State: Stopped es that use the SSDP discovery protocol,
such as UPnP devices.

State Repository Start Mode: Manual, Expected State- Provides required infrastructure support
Service State: Stopped, Running Repository for the application model.

Still Image Acquisi- Start Mode: Disabled, WiaRpc Launches applications associated with still
tion Events Service Expected State: Stopped image acquisition events.

Storage (StorSvc) Start Mode: Manual, Expected StorSvc Provides enabling services for storage set-
Service State: Stopped, Running tings and external storage expansion

66
Display Name Hardened Start Name Service Description
Mode and State

Superfetch Start Mode: Disabled, SysMain Maintains and improves system perfor-
Service Expected State: Stopped mance over time.

Sync Host Start Mode: Disabled, OneSyncSvc This service synchronizes mail, contacts,
(OneSyncSvc) Expected State: Stopped calendar and various other user data.
Service

SNMP Trap Start Mode: Disabled, SNMPTRAP Receives trap messages SNMP agents and
Service Expected State: Stopped forwards the messages to SNMP manage-
ment programs running on this computer.

System Event No- Start Mode: Auto, SENS Monitors system events and notifies sub-
tification Service Expected State: Running scribers to COM+ Event System of these
events.

System Events Start Mode: Auto, Expected SystemEv- Coordinates execution of background
Broker Service State: Stopped, Running entsBroker work for WinRT application.

Task Scheduler Start Mode: Auto, Schedule Enables a user to configure and schedule
Service Expected State: Running automated tasks on this computer.

TCP/IP NetBIOS Start Mode: Manual, lmhosts Supports NetBIOS over TCP/IP/name reso-
Helper Service Expected State: Running lution for clients on the network, enabling
users to share files, print, and log on to the
network.

Telephony Service Start Mode: Disabled, TapiSrv Provides Telephony API support for pro-
Expected State: Stopped grams that control telephony devices on
the local computer and on servers also
running the service.

Enhanced Mitiga- Start Mode: Auto, emet_service EMET helps prevent vulnerabilities in soft-
tion Experience Expected State: Running ware from being successfully exploited by
Toolkit using security mitigation technologies.

Themes Service Start Mode: Disabled, Themes Provides user experience theme
Expected State: Stopped management.

67
Display Name Hardened Start Name Service Description
Mode and State

Tile Data model Start Mode: Auto, tiledata- Tile Server for tile updates.
server Service Expected State: Running modelsvc

Time Broker Start Mode: Manual, Expected TimeBrokerSvc Coordinates execution of background
(TimeBrokerSvc) State: Stopped, Running work for WinRT application.
Service

Touch Keyboard Start Mode: Disabled, TabletInput- Enables Touch Keyboard and Handwriting
and Handwriting Expected State: Stopped Service Panel pen and ink functionality
Panel

UPnP Device Start Mode: Disabled, upnphost Allows UPnP devices to be hosted on this
Host Service Expected State: Stopped computer.

User Experience Start Mode: Disabled, UevAgent- Provides support for application and OS
Virtualization Expected State: Stopped Service settings roaming
Service

User Manager Start Mode: Auto, UserManager User Manager provides the runtime com-
(UserManager) Expected State: Running ponents required for multi-user interaction.
Service

User Profile Start Mode: Auto, ProfSvc This service is responsible for loading
(ProfSvc) Service Expected State: Running and unloading user profiles.

Virtual Disk Start Mode: Manual, Expected vds Provides management services for
Service State: Stopped, Running disks, volumes, file systems, and stor-
age arrays.

Volume Shadow Start Mode: Manual, Expected VSS Manages and implements Volume Shad-
Copy Service State: Stopped, Running ow Copies used for backup and other
purposes.

68
Display Name Hardened Start Name Service Description
Mode and State

WalletService Start Mode: Disabled, WalletService Hosts objects used by clients of the
(WalletService) Expected State: Stopped wallet
Service

WarpJITSvc Start Mode: Manual, Expected WarpJITSvc Provides a JIT out of process service for
State: Stopped, Running WARP when running with ACG enabled.

Web Account Start Mode: Manual, TokenBroker This service is used by Web Account
Manager Expected State: Running Manager to provide single-sign-on to
apps and services.

Web Management Start Mode: Disabled, WMSvc Enables remote and delegated manage-
Service Expected State: Stopped ment capabilities for administrators to
manage Web server, sites and applica-
tions present on the machine.

WebClient Start Mode: Disabled, WebClient Enables Windows-based programs

Expected State: Stopped to create, access, and modify Inter-
net-based files.

Wi-Fi Direct Start Mode: Disabled, WFDSCon- Manages connections to wireless servic-
Services Connec- Expected State: Stopped MgrSvc es, including wireless display and docking.
tion Manager

Windows Audio Start Mode: Disabled, AudioEnd- Manages audio devices for the Windows
Endpoint Builder Expected State: Stopped pointBuilder Audio service.
Service

Windows Audio Start Mode: Disabled, Audiosrv Manages audio for Windows-based
Service Expected State: Stopped programs.

Windows Backup Start Mode: Disabled, SDRSVC Provides Windows Backup and Restore
Expected State: Stopped capabilities.

Windows Start Mode: Disabled, WbioSrvc Enables applications to capture/compare/

Biometric Service Expected State: Stopped manipulate/store biometric data without
gaining direct access to any biometric
hardware or samples.

69
Display Name Hardened Start Name Service Description
Mode and State

Windows Camera Start Mode: Disabled, Wcmsvc Automates connect/disconnect decisions

Frame Service Expected State: Stopped based on network connectivity options
available & mgmt of connectivity based
on Group Policy settings.

Windows Con- Start Mode: Manual, Expected WCNCSVC The Windows Connect Now - Config Reg-
nect Now/Config State: Stopped, Running istrar
Registrar

Windows Con- Start Mode: Auto, FrameServer Enables multiple clients to access video
nection Manager Expected State: Running frames from camera devices.
(wcmsvc)

Windows Defend- Start Mode: Auto, WinDefend Helps protect users from malware and
er (WinDefend) Expected State: Running other potentially unwanted software
Service

Win Defender Start Mode: Auto, Sense Protects against advanced threats by
Advcd Threat Expected State: Running monitoring and reporting security events
Protection that happen on the computer.

Windows Defend- Start Mode: Auto, Security- Windows Defender Security Centre Ser-
er Security Centre Expected State: Running HealthService vice handles unified device protection
and health information.

Windows Encryp- Start Mode: Disabled, WEPHOSTSVC Brokers encryption related functionalities
tion Provider Host Expected State: Stopped from 3rd Party Encryption Providers to
processes that need to evaluate and ap-
ply EAS policies.

Windows Error Start Mode: Disabled, Expected WerSvc Allows errors to be reported when pro-
Reporting Service State: Running/Stopped grams stop working or responding and
allows existing solutions to be delivered.

Windows Event Start Mode: Disabled, Expected Wecsvc This service manages persistent subscrip-
Collector Service State: Running/Stopped tions to events from remote sources that
support WS-Management protocol.

70
Display Name Hardened Start Name Service Description
Mode and State

Windows Event Start Mode: Auto, EventLog Manages events and event logs: sup-
Log (EventLog) Expected State: Running ports logging/querying/subscribing/ar-
Service chiving event logs, and managing event
metadata.

Windows Firewall Start Mode: Auto, MpsSvc Helps protect your computer by prevent-
(MpsSvc) Service Expected State: Running ing unauthorized users from gaining ac-
cess to your computer through the Inter-
net or a network.

Windows Font Start Mode: Auto, Expected FontCache Optimizes performance of applications
Cache (FontCache) State: Stopped, Running by caching commonly used font data.
Service Applications will start this service if it is
not already running.

Windows Image Start Mode: Disabled, stisvc Provides image acquisition services for
Acquisition (WIA) Expected State: Stopped scanners and cameras
(stisvc)

Windows Insider Start Mode: Disabled, wisvc wisvc

(wisvc) Service Expected State: Stopped

Windows Installer Start Mode: Manual, Expected msiserver Adds, modifies, and removes applications
Service State: Stopped, Running provided as a Windows Installer (*.msi,
*.msp) package.

Windows License Start Mode: Manual, Expected License- Provides infrastructure support for the
Manager State: Stopped, Running Manager Windows Store.

Windows Licens- Start Mode: Auto, Expected WLMS This service monitors the Windows soft-
ing Monitoring State: Stopped, Running ware license state.
Service

Windows Start Mode: Auto, Winmgmt Provides a common interface and object
Management Expected State: Running model to access management informa-
Instrumentation tion about operating system, devices, ap-
plications and services.

Windows Media Start Mode: Disabled, WMPNet- Shares Windows Media Player libraries to
Player Network Expected State: Stopped workSvc other networked players and media de-
Sharing vices by using the UPnP architecture.

71
Display Name Hardened Start Name Service Description
Mode and State

Windows Mobile Start Mode: Disabled, icssvc Provides the ability to share a cellular
Hotspot Service Expected State: Stopped data connection with another device.

Windows Modules Start Mode: Manual, Expected Trusted- Enables installation, modification, and
Installer Service State: Stopped, Running Installer removal of Windows updates and op-
tional components.

Windows Percep- Start Mode: Disabled, spectrum Enables spatial perception, spatial input,
tion Service Expected State: Stopped and holographic rendering.

Windows Push Start Mode: Disabled, WpnService Service runs in session 0 and hosts the
Notifications Expected State: Stopped notification platform and connection
System provider, handles connection between
device & WNS server.

Windows Push Start Mode: Disabled, WpnUser- This service hosts Windows notification
Notifications User Expected State: Stopped Service platform which provides support for lo-
cal and push notifications.

Windows Push- Start Mode: Disabled, PushToInstall Provides infrastructure support for the
ToInstall Service Expected State: Stopped Windows Store.

Windows Remote Start Mode: Disabled, WinRM Windows Remote Management (WinRM)
Management Expected State: Stopped service implements the WS-Management
protocol for remote management.

Windows Search Start Mode: Disabled, WSearch Provides content indexing, property cach-
(WSearch) Service Expected State: Stopped ing, and search results for files, e-mail,
and other content.

Windows Store Start Mode: Disabled, InstallService Provides infrastructure support for the
Install Service Expected State: Stopped Windows Store.

Windows Time Start Mode: Auto, W32Time Maintains date and time synchronization
Service Expected State: Running on all clients and servers in the network.

Windows Update Start Mode: Manual, Expected wuauserv Enables the detection, download, and
Service State: Stopped/Running installation of updates for Windows and
other programs.

72
Display Name Hardened Start Name Service Description
Mode and State

WinHTTP Web Start Mode: Disabled, Expected WinHttpAuto- Client HTTP stack, provides developers
Proxy Auto-Dis- State: Stopped/Running ProxySvc with a Win32 API/COM Automation com-
covery ponent for sending HTTP requests/re-
ceiving responses.

Wired AutoConfig Start Mode: Disabled, dot3svc The Wired AutoConfig (DOT3SVC) service
Service Expected State: Stopped is responsible for performing IEEE 802.1X
authentication on Ethernet interfaces.

WLAN Autoconfig Start Mode: Disabled, WlanSvc The WLAN Autoconfig service enables
(WlanSvc) Service Expected State: Stopped automatic configuration for IEEE
802.11 wireless adapters for wireless
communications.

Work Folders Start Mode: Disabled, workfold- Syncs files with the Work Folders server,
Expected State: Stopped erssvc enabling you to use the files on any of
the PCs and devices on which you’ve set
up Work Folders.

Workstation Start Mode: Disabled, PushToInstall Provides infrastructure support for the
Service Expected State: Stopped Windows Store.

Windows Remote Start Mode: Auto, Lanman- Creates and maintains client network con-
Management Expected State: Running Workstation nections to remote servers using the SMB
protocol.

WWAN Auto- Start Mode: Disabled, WwanSvc Manages mobile broadband (GSM &
Config Expected State: Stopped CDMA) data card/embedded module
adapters and connections by auto-config-
uring the networks.

Xbox Accessory Start Mode: Disabled, XboxGipSvc This service manages connected Xbox
Management Expected State: Stopped Accessories.
Service

73
Display Name Hardened Start Name Service Description
Mode and State

Xbox Game Start Mode: Disabled, xbgm This service monitors games.
Monitoring Expected State: Stopped

Xbox Live Auth Start Mode: Disabled, XblAuth- Provides authentication and authoriza-
Manager Service Expected State: Stopped Manager tion services for interacting with Xbox
Live.

Xbox Live Game Start Mode: Disabled, XblGameSave This service syncs save data for Xbox Live
Save Service Expected State: Stopped save enabled games.

Xbox Live Net- Start Mode: Disabled, Xbox- This service supports the Windows.Net-
working Service Expected State: Stopped NetApiSvc working.XboxLive application

74
Windows Server 2012R2
Display Name Hardened Mode Service Description
and State

App Readiness Start Mode: Manual, Expected The App Readiness Service gets apps ready for use the first
Service State: Stopped, Running time a user signs in to this PC and when adding new apps.

Application Experi- Start Mode: Disabled, The Application Experience service processes application
ence Service Expected State: Stopped compatibility cache requests for applications as they are
launched.

Application Host Start Mode: Auto, Expected Handles administrative tasks for Internet Information Services
Helper Service State: Running (IIS), Microsoft’s web server. This process can be safely disabled
if you do not use IIS.

Application Identity Start Mode: Manual, Expected This service determines and verifies the identity of an
Service State: Stopped, Running application. Disabling this service will prevent AppLocker from
being enforced. This service is configured by default

Application Start Mode: Manual, Expected Facilitates the running of interactive applications with additional
Information Service State: Stopped, Running administrative privileges.

Application Layer Start Mode: Disabled, Expect- The Application Layer Gateway Service service provides
Gateway Service ed State: Stopped support for 3rd party protocol plug-ins for Internet
Connection Sharing.

Application Start Mode: Disabled, Expect- The Application Management service processes installation,
Management ed State: Stopped removal, and enumeration requests for software deployed
Service through Group Policy.

AppX Deployment Start Mode: Manual, Expected The AppX Deployment Service provides infrastructure sup-
Service (AppXSVC) State: Stopped, Running port for deploying Store applications. The AppX Deployment
Service service is started on demand

ASP.NET State Ser- Start Mode: Auto, Expected Provides support for out-of-process session states for ASP.NET.
vice (aspnet_state) State: Running If this service is stopped, out-of-process requests will not be
processed.

Background Start Mode: Auto, Expected The Background Intelligent Transfer Service service transfers
Intelligent Transfer State: Running files in the background using idle network bandwidth.
Service

75
Display Name Hardened Mode Service Description
and State

Background Start Mode: Auto, Expected The Background Tasks Infrastructure service is a Windows
Tasks Infrastruc- State: Running infrastructure service that controls which background tasks
ture Service can run on the system.

Base Filtering Start Mode: Auto, Expected Base Filtering Engine (BFE) is a service that manages firewall
Engine Service State: Running and Internet Protocol security (IPsec) policies and implements
user mode filtering.

Certificate Propaga- Start Mode: Auto, Expected Copies user/root certificates from smart cards into the current
tion Service State: Running user’s certificate store, detects when a smart card is inserted
and installs smart card Plug/Play minidriver.

CNG Key Isolation Start Mode: Manual, Expected The service provides key process isolation to private keys
Service State: Stopped, Running and associated cryptographic operations as required by the
Common Criteria.

COM+ Event System Start Mode: Auto, Expected The COM+ Event System service provides automatic distri-
Service State: Running bution of events to subscribing Component Object Model
(COM) components.

COM+ System Start Mode: Disabled, The COM+ System Application service manages the config-
Application Service Expected State: Stopped uration and tracking of Component Object Model (COM)+-
based components.

Computer Browser Start Mode: Disabled, The Computer Browser service maintains an updated list of
Service Expected State: Stopped computers on the network and supplies this list to comput-
ers designated as browsers.

Credential Manager Start Mode: Manual, Expected The Credential Manager service provides secure storage and
Service State: Stopped, Running retrieval of credentials to users, applications and security
service packages.

Cryptographic Ser- Start Mode: Auto, Expected Provides four management services: Catalog Database Ser-
vices Service State: Running vice, Protected Root Service, Automatic Root Certificate Up-
date Service and Key Service.

DCOM Server Start Mode: Auto, Expected The DCOM Server Process Launcher service the DCOM-
Process Launcher State: Running LAUNCH service launches COM and DCOM servers in re-
Service sponse to object activation requests.

Device Association Start Mode: Manual, Expected The Device Association service enables pairing between the
Service State: Stopped, Running system and wired or wireless devices.

76
Display Name Hardened Mode Service Description
and State

Device Install Start Mode: Manual, Expected The Device Install service enables a computer to recognize
(deviceinstall) Service State: Stopped, Running and adapt to hardware changes with little or no user input.

Device Setup Start Mode: Manual, Expected The Device Setup service enables the detection, download
(dsmsvc) Service State: Stopped, Running and installation of device-related software.

DHCP Client Service Start Mode: Disabled, The DHCP Client service registers and updates IP addresses
Expected State: Stopped and DNS records for this computer.

Diagnostic Policy Start Mode: Disabled, Expected The Diagnostic Policy Service service the Diagnostic Policy
Service State: Stopped Service enables problem detection, troubleshooting and
resolution for Windows components.

Diagnostic Service Start Mode: Disabled, The Diagnostic Service Host service the Diagnostic Service
Host Service Expected State: Stopped Host is used by the Diagnostic Policy Service to host
diagnostics that need to run in a Local Service context.

Diagnostic System Start Mode: Disabled, The Diagnostic System Host service the Diagnostic System
Host Service Expected State: Stopped Host is used by the Diagnostic Policy Service to host
diagnostics that need to run in a Local System context.

Distributed Link Start Mode: Disabled, The Distributed Link Tracking Client service maintains links
Tracking Client Expected State: Stopped between NTFS files within a computer or across computers
Service in a network.

Distributed Start Mode: Disabled, The Distributed Transaction Coordinator service coordinates
Transaction Expected State: Stopped transactions that span multiple resource managers, such as
Coordinator databases, message queues, and file systems.

DNS Client Service Start Mode: Auto, Expected The DNS Client service caches Domain Name System
State: Running (DNS) names and registers the full computer name for this
computer.

The Enhanced Start Mode: Manual, Expected The Enhanced Mitigation Experience Toolkit (EMET) is a
Mitigation Experience State: Stopped, Running utility that helps prevent vulnerabilities in software from
being successfully exploited.

Encrypting File Start Mode: Manual, Expected Encrypting File System (EFS) is a feature of Windows that
System (EFS) Service State: Stopped, Running you can use to store information on your hard disk in an
encrypted format.

Extensible Start Mode: Disabled, The Extensible Authentication Protocol service provides
Authentication Expected State: Stopped network authentication in such scenarios as 802.1x wired
Protocol and wireless, VPN, and Network Access Protection (NAP).

77
Display Name Hardened Mode Service Description
and State

Function Discovery Start Mode: Disabled, The Function Discovery Provider Host service hosts the
Provider Host Expected State: Stopped Function Discovery (FD) network discovery providers.

Function Discovery Start Mode: Disabled, The Function Discovery Resource Publication service
Resource Publication Expected State: Stopped publishes this computer and resources attached to this
computer so they can be discovered over the network.

Group Policy Client Start Mode: Auto, Expected The Group Policy Client service is responsible for applying
Service State: Running settings configured by administrators for the computer and
users through the Group Policy component.

Health Key and Start Mode: Disabled, Expected The Health Key and Certificate Management service provides
Certificate State: Stopped X.509 certificate and key management services for the Net-
Management work Access Protection Agent (NAPAgent).

Human Interface Start Mode: Disabled, Enables generic input access to Human Interface Devices,
Device Access Service Expected State: Stopped activates and maintains the use of predefined hot buttons on
keyboards/remote controls/multimedia devices.

Hyper-V Data Start Mode: Disabled, Provides a mechanism to exchange data between the virtual
Exchange Service Expected State: Stopped machine and the operating system running on the physical
computer.

Hyper-V Guest Start Mode: Disabled, Provides an interface for the Hyper-V host to interact with
Service Interface Expected State: Stopped specific services running inside the virtual machine.

Hyper-V Guest Start Mode: Disabled, Provides a mechanism to shut down the operating system of
Shutdown Service Expected State: Stopped this virtual machine from the management interfaces on the
physical computer.

Hyper-V Heartbeat Start Mode: Disabled, Monitors the state of this virtual machine by reporting a
Service Expected State: Stopped heartbeat at regular intervals.

Hyper-V Remote Start Mode: Disabled, Provides a platform for communication between the virtual
Desktop Virtualization Expected State: Stopped machine and the operating system running on the physical
computer.

Hyper-V Time Start Mode: Disabled, Synchronizes the system time of this virtual machine with the
Synchronization Expected State: Stopped system time of the physical computer.
Service

78
Display Name Hardened Mode Service Description
and State

Hyper-V Volume Start Mode: Disabled, Coordinates the communications that are required to use
Shadow Copy Expected State: Stopped Volume Shadow Copy Service to back up applications and
Requestor data on this virtual machine from the operating system

IKE and AuthIP IPsec Start Mode: Manual, Expected The IKE and AuthIP IPsec Keying Modules service the
Keying Modules State: Stopped, Running IKEEXT service hosts the Internet Key Exchange (IKE) and
Authenticated Internet Protocol (AuthIP) keying modules.

Interactive Services Start Mode: Disabled, Expect- The Interactive Services Detection service enables user
Detection Service ed State: Stopped notification of user input for interactive services, which
enables access to dialogs created by interactive services...

Internet Connection Start Mode: Disabled, Provides network address translation, addressing, name
Sharing Service Expected State: Stopped resolution and/or intrusion prevention services for a home
or small office network.

Internet Explorer Start Mode: Disabled, Expected ETW Collector Service for Internet Explorer. When running,
ETW Collector Service State: Stopped this service collects real time ETW events and processes them.

IP Helper Service Start Mode: Auto, Expected The IP Helper service provides tunnel connectivity using
State: Running IPv6 transition technologies (6to4, ISATAP, Port Proxy, and
Teredo), and IP-HTTPS.

IPsec Policy Agent Start Mode: Disabled, Internet Protocol security supports network-level peer/data
Service Expected State: Stopped origin authentication, data integrity, data confidentiality, and
replay protection.

KDC Proxy Server Start Mode: Manual, Expected The KDC Proxy Server service runs on edge servers to proxy
service Service State: Stopped, Running Kerberos protocol messages to domain

KtmRm Distbd Start Mode: Disabled, Coordinates transactions between the Distributed
Transaction Expected State: Stopped Transaction Coordinator (MSDTC) and the Kernel Transaction
Coordinator Manager (KTM).

Link-Layer Topology Start Mode: Disabled, Creates a Network Map, consisting of PC and device topology
Discovery Mapper Expected State: Stopped (connectivity) information, and metadata describing each PC
and device.

Microsoft iSCSI Initi- Start Mode: Manual, Expected The Microsoft iSCSI Initiator Service service manages
ator Service State: Stopped Internet SCSI (iSCSI) sessions from this computer to remote
iSCSI target devices.

79
Display Name Hardened Mode Service Description
and State

MS Software Shadow Start Mode: Manual, Expected The Microsoft Software Shadow Copy Provider service
Copy Provider State: Stopped, Running manages software-based volume shadow copies taken by
the Volume Shadow Copy service.

Microsoft Storage Start Mode: Manual, Expected Host service for the Microsoft Storage Spaces management
Spaces SMP Service State: Stopped, Running provider. If this service is stopped or disabled, Storage
Spaces cannot be managed.

Multimedia Class Start Mode: Disabled, The Multimedia Class Scheduler service enables relative
Scheduler Service Expected State: Stopped prioritization of work based on system-wide task priorities.

Net.Tcp Port Sharing Start Mode: Disabled, The Net.Tcp Port Sharing Service (NetTcpPortSharing)
Service Expected State: Stopped provides the ability for multiple user processes to share TCP
ports over the net.tcp protocol.

Netlogon Service Start Mode: Disabled, The Netlogon service maintains an encrypted channel
Expected State: Stopped between your computer and the domain controller that it
uses to authenticate users and services.

Network Access Start Mode: Disabled, Expected Network Access Protection Agent service the Network Ac-
Protection Agent State: Stopped cess Protection (NAP) agent service collects and manages
Service health information for client computers on a network.

Network Start Mode: Manual, Expected The Network Connections service manages objects in the
Connections Service State: Stopped, Running Network and Dial-Up Connections folder, in which you can
view both local area network and remote connections.

Network Connectivi- Start Mode: Disabled, Expected Provides DirectAccess status notification for UI components.
ty Assistant Service State: Stopped, Running

Network List Service Start Mode: Auto, Expected Identifies the networks to which the computer has connected,
State: Running collects and stores properties for these networks, and
notifies applications when these properties change.

Network Location Start Mode: Auto, Expected The Network Location Awareness service collects and stores
Awareness Service State: Running configuration information for the network and notifies
programs when this information is modified.

Network Store Start Mode: Auto, Expected The Network Store Interface Service service this service
Interface Service State: Running delivers network notifications (e.g. interface addition/
deleting etc) to user mode clients.

80
Display Name Hardened Mode Service Description
and State

Optimize Drives Start Mode: Manual, Expected Performs maintenance activities on the Offline Files cache,
(defragsvc) Service State: Stopped, Running responds to user logon and logoff events, implements the
internals of the public API...

Performance Coun- Start Mode: Manual, Expected Collects performance data from local or remote computers
ter DLL Host Service State: Stopped, Running based on preconfigured schedule parameters, and then
writes the data to a log or triggers an alert.

Performance Logs Start Mode: Manual, Expected Collects performance data from local or remote computers
and Alerts Service State: Stopped, Running based on preconfigured schedule parameters, and then
writes the data to a log or triggers an alert.

Plug and Play Ser- Start Mode: Manual, Expected The Plug and Play service enables a computer to recognize
vice State: Stopped, Running and adapt to hardware changes with little or no user input.

Portable Device Start Mode: Disabled, The Portable Device Enumerator Service service enforces
Enumerator Service Expected State: Stopped group policy for removable mass-storage devices.

Power Service Start Mode: Auto, Expected The Power service manages power policy and power policy
State: Running notification delivery.

Print Spooler Start Mode: Disabled, Expected The Print Spooler service loads files to memory for later
Service State: Stopped printing.

Printer Extensions Start Mode: Manual, Expected This service opens custom printer dialog boxes and handles
and Notifications State: Stopped, Running notifications from a remote print server or a printer.

Problem Reports/ Start Mode: Disabled, The Problem Reports and Solutions Control Panel Support
Solutions Ctrl Panel Expected State: Stopped service this service provides support for viewing, sending
and deletion of system-level problem reports...

Remote Access Auto Start Mode: Disabled, The Remote Access Auto Connection Manager service creates
Connection Manager Expected State: Stopped a connection to a remote network whenever a program
references a remote DNS or NetBIOS name or address.

Remote Access Start Mode: Disabled, Manages dial-up and virtual private network (VPN)
Connection Manager Expected State: Stopped connections from this computer to the Internet or other
remote networks.

Remote Desktop Start Mode: Disabled, Responsible for all Remote Desktop Services and Remote
Configuration Expected State: Stopped Desktop related configuration and session maintenance
Service activities that require SYSTEM context.

81
Display Name Hardened Mode Service Description
and State

Remote Desktop Start Mode: Disabled, Remote Desktop and Remote Desktop Session Host Server
Services Service Expected State: Stopped depend on this service.

RDP Services Start Mode: Disabled, The Remote Desktop Services UserMode Port Redirector
UserMode Port Expected State: Stopped (UmRdpService) service allows the redirection of printers,
Redirector drives, and ports for remote desktop sessions.

Remote Procedure Start Mode: Auto, Expected RPCSS service is the Service Control Manager for COM and
Call (RPC) Service State: Running DCOM servers.

Remote Procedure Start Mode: Disabled, In Windows 2003/earlier versions of Windows this manages
Call (RPC) Locator Expected State: Stopped the RPC name service database, but does not provide any
functionality for later versions of Windows.

Remote Registry Start Mode: Auto, Expected The Remote Registry service enables remote users to modify
Service State: Running registry settings on this computer.

Resultant Set of Poli- Start Mode: Disabled, Provides a network service that processes requests to
cy Provider Service Expected State: Stopped simulate application of Group Policy settings for a target
user or computer.

Routing and Remote Start Mode: Disabled, The Routing and Remote Access service offers routing
Access Service Expected State: Stopped services to businesses in local area and wide area network
environments.

RPC Endpoint Start Mode: Auto, Expected The RPC Endpoint Mapper service resolves RPC interfaces
Mapper Service State: Running identifiers to transport endpoints.

Secondary Logon Start Mode: Disabled, The Secondary Logon service enables starting processes
Service Expected State: Stopped under alternate credentials.

Secure Socket Start Mode: Disabled, Provides support for the Secure Socket Tunneling Protocol
Tunneling Protocol Expected State: Stopped (SSTP) to connect to remote computers using VPN.
Service

Security Accounts Start Mode: Auto, Expected The Security Accounts Manager (SamSs) service is a
Manager Service State: Stopped protected subsystem that manages user and group account
information.

Server Service Start Mode: Disabled, The Server service supports file, print, and named-pipe
Expected State: Stopped sharing over the network for this computer.

82
Display Name Hardened Mode Service Description
and State

Shell Hardware Start Mode: Auto, Expected The Shell Hardware Detection service provides notifications
Detection Service State: Running for AutoPlay hardware events.

Smart Card Service Start Mode: Auto, Expected The Smart Card service manages access to smart cards read
State: Stopped, Running by this computer.

Smart Card Device Start Mode: Manual, Expected Creates software device nodes for all smart card readers
Enumeration Service State: Stopped, Running accessible to a given session.

Smart Card Removal Start Mode: Manual, Expected The Smart Card Removal Policy service allows the system to be
Policy Service State: Stopped, Running configured to lock the user desktop upon smart card removal.

Software Protection Start Mode: Auto, Expected The Software Protection service enables the download,
Service State: Stopped, Running installation and enforcement of digital licenses for Windows
and Windows applications.

Special Start Mode: Disabled, The Special Administration Console Helper service allows
Administration Expected State: Stopped administrators to remotely access a command prompt using
Console Helper Emergency Management Services.

SNMP Trap Service Start Mode: Disabled, Receives trap messages generated by local or remote Simple
Expected State: Stopped Network Management Protocol (SNMP) agents and forwards
the messages to SNMP management programs.

Spot Verifier Service Start Mode: Manual, Expected Verifies potential file system corruptions.
State: Stopped, Running

SSDP Discovery Start Mode: Disabled, Discovers networked devices and services that use the SSDP
Service Expected State: Stopped discovery protocol, such as UPnP devices. Also announces
SSDP devices and services running...

Storage Tiers Start Mode: Manual, Expected The Storage Tiers Management (TieringEngineService) ser-
Management State: Stopped, Running vice Optimizes the placement of data in storage tiers on all
Service tiered storage spaces in the system.

Superfetch Service Start Mode: Disabled, The Superfetch (Sysmain) service maintains and improves
Expected State: Stopped system performance over time.

System Event Start Mode: Disabled, The System Event Notification Service service monitors
Notification Service Expected State: Stopped system events and notifies subscribers to COM+ Event
System of these events.

83
Display Name Hardened Mode Service Description
and State

System Events Start Mode: Auto, Expected The Storage Tiers Management (systemeventsbroker)
Broker Service State: Running service coordinates execution of background work for
WinRT application.

Task Scheduler Start Mode: Auto, Expected The Task Scheduler service enables a user to configure and
Service State: Running schedule automated tasks on this computer. The service
also hosts multiple Windows system-critical tasks.

TCP/IP NetBIOS Start Mode: Auto, Expected Provides support for the NetBIOS over TCP/IP service/
Helper Service State: Running NetBIOS name resolution for clients on the network, enabling
users to share files, print, and log on to the network.

Telephony Service Start Mode: Disabled, Provides Telephony API support for programs that control
Expected State: Stopped telephony devices on the local computer and, through the
LAN, on servers that are also running the service.

Themes Service Start Mode: Disabled, Provides user experience theme-management services. A
Expected State: Stopped desktop theme is a predefined set of icons, fonts, colors,
sounds, and other elements.

Thread Ordering Start Mode: Disabled, The Thread Ordering Server service provides ordered execution
Server Service Expected State: Stopped for a group of threads within a specific period of time.

UPnP Device Host Start Mode: Disabled, The UPnP Device Host service allows UPnP devices to be
Service Expected State: Stopped hosted on this computer.

User Access Logging Start Mode: Auto, Expected Logs unique client access requests, in the form of IP
Service State: Running addresses and user names, of installed products and roles
on the local server.

User Profile Service Start Mode: Auto, Expected The User Profile Service service this service is responsible for
State: Running loading and unloading user profiles.

Virtual Disk Service Start Mode: Manual, Expected The Virtual Disk service provides management services for
State: Stopped, Running disks, volumes, file systems, and storage arrays.

Volume Shadow Start Mode: Manual, Expected The Volume Shadow Copy service manages and implements
Copy Service State: Stopped, Running Volume Shadow Copies used for backup and other purposes.

Windows Audio Start Mode: Disabled, The Windows Audio service manages audio for Windows-
Service Expected State: Stopped based programs.

84
Display Name Hardened Mode Service Description
and State

Windows Audio Start Mode: Disabled, The Windows Audio Endpoint Builder service manages audio
Endpoint Builder Expected State: Stopped devices for the Windows Audio service.
Service

Windows Color Start Mode: Disabled, The Windows Color System service the WcsPlugInService
System Service Expected State: Stopped service hosts third-party Windows Color System color device
model and gamut map model plug-in modules.

Windows Start Mode: Auto, Expected Makes automatic connect/disconnect decisions based on
Connection State: Running the network connectivity options available, enables mgmt of
Manager Service network connectivity based on Group Policy settings.

Windows Driver Foun- Start Mode: Disabled, The Windows Driver Foundation - User-mode Driver Framework
dation/User-mode Expected State: Stopped service manages user-mode driver host processes.
Driver Framework
Service

Windows Encryption Start Mode: Disabled, Brokers encryption related functionalities from 3rd Party
Provider Host Expected State: Stopped Encryption Providers to processes that need to evaluate and
apply EAS policies.

Windows Error Start Mode: Disabled, The Windows Error Reporting Service service allows errors
Reporting Service Expected State: Stopped to be reported when programs stop working or responding
and allows existing solutions to be delivered.

Windows Event Start Mode: Disabled, The Windows Event Collector service this service manages
Collector Service Expected State: Stopped persistent subscriptions to events from remote sources that
support WS-Management protocol.

Windows Event Log Start Mode: Auto, Expected Manages events and event logs, supports logging events,
Service State: Running querying events, subscribing to events, archiving event logs,
and managing event metadata.

Windows Firewall Start Mode: Auto, Expected Helps protect your computer by preventing unauthorized
Service State: Running users from gaining access to your computer through the
Internet or a network.

Windows Font Cache Start Mode: Manual, Expected Otimizes performance of applications by caching commonly
(fontcache) Service State: Stopped, Running used font data. Applications will start this service if it is not
already running.

Windows Installer Start Mode: Manual, Expected The Windows Installer service adds, modifies, and removes
Service State: Stopped, Running applications provided as a Windows Installer (*.msi) package.

85
Display Name Hardened Mode Service Description
and State

Windows Manage- Start Mode: Auto, Expected Provides a common interface and object model to access
ment Instrumentation State: Running management information about operating system, devices,
applications and services.

Windows Modules Start Mode: Manual, Expected The Windows Modules Installer service enables installation,
Installer Service State: Stopped, Running modification, and removal of Windows updates and optional
components.

Windows Presentation Start Mode: Manual, Expected The Windows Font Cache Service service optimizes perfor-
Foundation Font Cache State: Stopped, Running mance of applications by caching commonly used font data.
(fontcache3.0.0.0)
Service

Windows Process Start Mode: Auto, Expected Manages the activation and lifetime of the worker processes
Activation Service State: Running that contain applications that host Windows Communication
Foundation (WCF) services.

Windows Remote Start Mode: Disabled, Implements the WS-Management protocol for remote man-
Management Service Expected State: Stopped agement.

Windows Store Start Mode: Manual, Expected Provides infrastructure support for Windows Store.This
Service (WSService) State: Stopped, Running service is started on demand and if disabled applications
bought using Windows Store will not behave correctly.

Windows Time Start Mode: Auto, Expected The Windows Time service maintains date and time synchro-
Service State: Running nization on all clients and servers in the network.

Windows Update Start Mode: Auto, Expected The Windows Update service enables the detection, download,
Service State: Running and installation of updates for Windows and other programs.

WinHTTP Web Proxy Start Mode: Disabled, Client HTTP stack, provides developers with a Win32 API/
Auto-Discovery Expected State: Stopped COM Automation component for sending HTTP requests/
receiving responses.

Wired AutoConfig Start Mode: Disabled, The Wired AutoConfig service the Wired AutoConfig
Service Expected State: Stopped (DOT3SVC) service is responsible for performing IEEE 802.1X
authentication on Ethernet interfaces.

WMI Performance Start Mode: Manual, Expected Provides performance library information from Windows
Adapter Service State: Stopped, Running Management Instrumentation (WMI) providers to clients on
the network.

Workstation Service Start Mode: Auto, Expected The Workstation service creates and maintains client net-
State: Running work connections to remote servers using the SMB protocol.

86
Windows Server 2008R2
Display Name Hardened Start Service Description
Mode and State

Application Expe- Start Mode:Disabled, The Application Experience service processes application com-
rience Service Expected State: Stopped patibility cache requests for applications as they are launched.

Application Host Start Mode:Auto, Handles administrative tasks for Internet Information Services
Helper Service Expected State: Running (IIS), Microsoft’s web server.

Application Start Mode:Manual, Expected This service determines and verifies the identity of an applica-
Identity Service State: Stopped, Running tion. Disabling this service will prevent AppLocker from being
enforced.

Application Infor- Start Mode:Manual, Expected Facilitates the running of interactive applications with addition-
mation Service State: Stopped, Running al administrative privileges.

Application Layer Start Mode:Disabled, The Application Layer Gateway Service service provides sup-
Gateway Service Expected State: Stopped port for 3rd party protocol plug-ins for Internet Connection
Sharing.

Application Man- Start Mode:Disabled, Hard- The Application Management service processes installation,
agement Service ened, Epected State: Stopped removal, and enumeration requests for software deployed
through Group Policy.

Background Start Mode:Auto, The Background Intelligent Transfer Service service transfers
Intelligent Expected State: Running files in the background using idle network bandwidth.
Transfer Service

Base Filtering Start Mode:Auto, Base Filtering Engine (BFE) is a service that manages firewall
Engine Service Expected State: Running and Internet Protocol security (IPsec) policies and implements
user mode filtering.

Certificate Propa- Start Mode:Auto, Copies user/root certificates from smart cards into the current
gation Service Expected State: Running user’s certificate store, detects when a smart card is inserted
and installs smart card Plug/Play minidriver.

CNG Key Start Mode:Manual, Expected The service provides key process isolation to private keys and
Isolation Service State: Stopped, Running associated cryptographic operations as required by the Com-
mon Criteria.

87
Display Name Hardened Start Service Description
Mode and State

COM+ Event Start Mode:Auto, The COM+ Event System service provides automatic distribu-
System Service Expected State: Running tion of events to subscribing Component Object Model (COM)
components

COM+ System Start Mode:Disabled, The COM+ System Application service manages the
Application Service Expected State: Stopped configuration and tracking of Component Object Model
(COM)+-based components.

Computer Start Mode:Disabled, The Computer Browser service maintains an updated list of
Browser Service Expected State: Stopped computers on the network and supplies this list to computers
designated as browsers.

Credential Start Mode:Manual, Expected The Credential Manager service provides secure storage and
Manager Service State: Stopped, Running retrieval of credentials to users, applications and security ser-
vice packages.

Cryptographic Start Mode:Auto, Provides four management services: Catalog Database Service,
Services Service Expected State: Running Protected Root Service, Automatic Root Certificate Update Ser-
vice and Key Service.

DCOM Server Start Mode:Auto, The DCOM Server Process Launcher service the DCOMLAUNCH
Process Launcher Expected State: Running service launches COM and DCOM servers in response to object
Service activation requests.

Desktop Window Start Mode:Disabled, Provides Desktop Window Manager startup/maintenance ser-
Manager Session Expected State: Stopped vices, supports Themes service, checks applications are com-
patible with Aero user experience in Vista.

Diagnostic Policy Start Mode:Disabled, The Diagnostic Policy Service service the Diagnostic Policy Ser-
Service Expected State: Stopped vice enables problem detection, troubleshooting and resolu-
tion for Windows components.

Diagnostic Service Start Mode:Disabled, The Diagnostic Service Host service the Diagnostic Service Host
Host Service Expected State: Stopped is used by the Diagnostic Policy Service to host diagnostics that
need to run in a Local Service context.

Diagnostic System Start Mode:Disabled, The Diagnostic System Host service the Diagnostic System Host
Host Service Expected State: Stopped is used by the Diagnostic Policy Service to host diagnostics that
need to run in a Local System context.

88
Display Name Hardened Start Service Description
Mode and State

Distributed Link Start Mode:Disabled, The Distributed Link Tracking Client service maintains links be-
Tracking Client Expected State: Stopped tween NTFS files within a computer or across computers in a
Service network.

Distributed Transac- Start Mode:Disabled, The Distributed Transaction Coordinator service coordinates
tion Coordinator Expected State: Stopped transactions that span multiple resource managers, such as
databases, message queues, and file systems.

DHCP Client Start Mode:Disabled, The DHCP Client service registers and updates IP addresses
Service Expected State: Stopped and DNS records for this computer.

DNS Client Service Start Mode:Auto, The DNS Client service the DNS Client service (dnscache) cach-
Expected State: Running es Domain Name System (DNS) names and registers the full
computer name for this computer.

Encrypting File Start Mode:Manual, Expected Encrypting File System (EFS) is a feature of Windows that you
System (EFS) State: Stopped, Running can use to store information on your hard disk in an encrypted
Service format

Extensible Start Mode:Disabled, The Extensible Authentication Protocol service provides net-
Authentication Expected State: Stopped work authentication in such scenarios as 802.1x wired and
Protocol wireless, VPN, and Network Access Protection (NAP).

Function Discov- Start Mode:Disabled, The Function Discovery Provider Host service the FDPHOST
ery Provider Host Expected State: Stopped service hosts the Function Discovery (FD) network discovery
Service providers.

Function Dis- Start Mode:Disabled, The Function Discovery Resource Publication service publishes
covery Resource Expected State: Stopped this computer and resources attached to this computer so they
Publication can be discovered over the network.

Group Policy Start Mode:Auto, Responsible for applying settings configured by administra-
Client Service Expected State: Running tors for the computer and users through the Group Policy
component.

Health Key and Start Mode:Disabled, The Health Key and Certificate Management service provides
Certificate Expected State: Stopped X.509 certificate and key management services for the Net-
Management work Access Protection Agent (NAPAgent).

89
Display Name Hardened Start Service Description
Mode and State

Human Interface Start Mode:Disabled, Enables generic input access to Human Interface Devices, acti-
Device Access Expected State: Stopped vates/maintains use of predefined hot buttons on keyboards,
Service remote controls, and other multimedia devices.

IKE and AuthIP IPsec Start Mode:Manual, Expected The IKE and AuthIP IPsec Keying Modules service the IKEEXT
Keying Modules State: Stopped, Running service hosts the Internet Key Exchange (IKE) and Authenticated
Internet Protocol (AuthIP) keying modules.

Interactive Ser- Start Mode:Disabled, Enables user notification of user input for interactive services,
vices Detection Expected State: Stopped which enables access to dialogs created by interactive services
Service when they appear.

Internet Connec- Start Mode:Disabled, Provides network address translation, addressing, name reso-
tion Sharing (ICS) Expected State: Stopped lution and/or intrusion prevention services for a home or small
Service office network.

Internet Explorer Start Mode:Disabled, ETW Collector Service for Internet Explorer. When running, this
ETW Collector Expected State: Stopped service collects real time ETW events and processes them.
Service

IP Helper Service Start Mode:Auto, The IP Helper service provides tunnel connectivity using IPv6
Expected State: Running transition technologies (6to4, ISATAP, Port Proxy, and Teredo),
and IP-HTTPS.

IPsec Policy Start Mode:Disabled, Supports network-level peer authentication, data origin au-
Agent Service Expected State: Stopped thentication, data integrity, data confidentiality (encryption),
and replay protection.

KDC Proxy Server Start Mode:Manual, Expected The KDC Proxy Server service runs on edge servers to proxy
service (kpssvc) State: Stopped, Running Kerberos protocol messages to domain

KtmRm for Start Mode:Disabled, Coordinates transactions between the Distributed Transac-
Distributed Expected State: Stopped tion Coordinator (MSDTC) and the Kernel Transaction Man-
Transaction ager (KTM).

Link-Layer Start Mode:Disabled, Creates a Network Map, consisting of PC and device topology
Topology Expected State: Stopped (connectivity) information, and metadata describing each PC
Discovery Mapper and device.

Microsoft Fibre Start Mode:Manual, Expected The Microsoft Fibre Channel Platform Registration Service
Channel Platform State: Stopped, Running registers the platform with all available Fibre Channel fabrics
and maintains the registrations.

90
Display Name Hardened Start Service Description
Mode and State

Microsoft iSCSI Start Mode:Manual, The Microsoft iSCSI Initiator Service service manages Internet
Initiator Service Expected State: Stopped SCSI (iSCSI) sessions from this computer to remote iSCSI target
devices.

Microsoft Software Start Mode:Manual, Expected The Microsoft Software Shadow Copy Provider service
Shadow Copy State: Stopped, Running manages software-based volume shadow copies taken by the
Provider Volume Shadow Copy service.

Microsoft Start Mode:Manual, Expected Host service for the Microsoft Storage Spaces management
Storage Spaces State: Stopped, Running provider. If this service is stopped or disabled, Storage Spaces
SMP Service cannot be managed.

Multimedia Class Start Mode:Disabled, Expected The Multimedia Class Scheduler service enables relative prior-
Scheduler Service State: Stopped itization of work based on system-wide task priorities.

Net.Tcp Port Start Mode:Disabled, The Net.Tcp Port Sharing Service (NetTcpPortSharing) provides
Sharing Service Expected State: Stopped the ability for multiple user processes to share TCP ports over
the net.tcp protocol.

Netlogon Service Start Mode:Disabled, The Netlogon service maintains an encrypted channel be-
Expected State: Stopped tween your computer and the domain controller that it uses to
authenticate users and services.

Network Access Start Mode:Disabled, Collects and manages health information for client comput-
Protection Agent Expected State: Stopped ers on a network.
Service

Network Connec- Start Mode:Manual, Expected The Network Connections service manages objects in the Net-
tions Service State: Stopped, Running work and Dial-Up Connections folder, in which you can view
both local area network and remote connections.

Network Start Mode:Disabled, Expected Provides DirectAccess status notification for UI components.
Connectivity State: Stopped, Running
Assistant Service

Themes Service Start Mode:Disabled, The Themes service provides user experience theme-manage-
Expected State: Stopped ment services.

Thread Ordering Start Mode:Disabled, The Thread Ordering Server service provides ordered execu-
Server Service Expected State: Stopped tion for a group of threads within a specific period of time.

91
Display Name Hardened Start Service Description
Mode and State

Network List Start Mode:Auto, Identifies the networks to which the computer has connected,
Service Expected State: Running collects and stores properties for these networks, and notifies
applications when these properties change.

Network Location Start Mode:Auto, The Network Location Awareness service collects and stores
Awareness Service Expected State: Running configuration information for the network and notifies
programs when this information is modified.

Network Store Start Mode:Auto, The Network Store Interface Service service this service deliv-
Interface Service Expected State: Running ers network notifications (e.g. interface addition/deleting etc)
to user mode clients.

Optimize Drives Start Mode:Manual, Expected Helps the computer run more efficiently by optimizing files on
(defragsvc) State: Stopped, Running storage drives.
Service

Performance Start Mode:Manual, Expected Service collects performance data from local or remote com-
Counter DLL Host State: Stopped, Running puters based on preconfigured schedule parameters, and
Service then writes the data to a log or triggers an alert.

Performance Logs Start Mode:Manual, Expected Service collects performance data from local or remote com-
and Alerts Service State: Stopped, Running puters based on preconfigured schedule parameters, and
then writes the data to a log or triggers an alert.

Plug and Play Start Mode:Manual, Expected The Plug and Play service enables a computer to recognize and
Service State: Stopped, Running adapt to hardware changes with little or no user input.

PnP-X IP Bus Enu- Start Mode:Disabled, The PnP-X IP Bus Enumerator (IPBusEnum) service manages
merator Service Expected State: Stopped the virtual network bus.

Portable Device Start Mode:Disabled, The Portable Device Enumerator Service service enforces
Enumerator Expected State: Stopped group policy for removable mass-storage devices.
Service

Power Service Start Mode:Auto, Expected The Power service manages power policy and power policy no-
State: Running tification delivery.

The Print Spooler service loads files to memory for later

Print Spooler Start Mode:Disabled,
printing.
Service Expected State: Stopped

92
Display Name Hardened Start Service Description
Mode and State

Printer Extensions Start Mode:Manual, Expected This service opens custom printer dialog boxes and handles
and Notifications State: Stopped, Running notifications from a remote print server or a printer.

Problem Reports/ Start Mode:Disabled, Provides support for viewing, sending and deletion of system-
Solutions Ctrl Panel Expected State: Stopped level problem reports for the Problem Reports and Solutions
control panel.

Protected Storage Start Mode:Manual, Expected The Protected Storage service protects storage of sensitive in-
Service State: Stopped, Running formation, such as private keys, and prevents access by unau-
thorized services, processes, or users.

Quality Windows Start Mode:Manual, Expected Quality Windows Audio Video Experience (qWave) is a network-
Audio Video Expe- State: Stopped, Running ing platform for Audio Video (AV) streaming applications on IP
rience home networks.

Remote Access Start Mode:Disabled, The Remote Access Auto Connection Manager service creates
Auto Connection Expected State: Stopped a connection to a remote network whenever a program refer-
Manager ences a remote DNS or NetBIOS name or address.

Remote Access Start Mode:Disabled, Manages dial-up and virtual private network (VPN) connections
Connection Expected State: Stopped from this computer to the Internet or other remote networks.
Manager

Remote Desktop Start Mode:Disabled, Allows users to connect interactively to a remote computer.
Services Service Expected State: Stopped Remote Desktop and Remote Desktop Session Host Server
depend on this service

Remote Desktop Start Mode:Disabled, The Remote Desktop Services service allows users to connect
Configuration Expected State: Stopped interactively to a remote computer.
Service

RDP Services Start Mode:Disabled, Expected The Remote Desktop Services UserMode Port Redirector
UserMode Port State: Stopped (UmRdpService) service allows the redirection of printers,
Redirector drives, and ports for remote desktop sessions.

Remote Start Mode:Auto, The Remote Procedure Call (RPC) service the RPCSS service is
Procedure Call Expected State: Running the Service Control Manager for COM and DCOM servers.
(RPC) Service

93
Display Name Hardened Start Service Description
Mode and State

Remote Proce- Start Mode:Disabled, In Windows 2003 and earlier versions of Windows, the Remote
dure Call (RPC) Expected State: Stopped Procedure Call (RPC) Locator service manages the RPC name
Locator service database.

Remote Registry Start Mode:Auto, The Remote Registry service enables remote users to modify
Service Expected State: Running registry settings on this computer.

Resultant Set of Start Mode:Disabled, Provides a network service that processes requests to simulate
Policy Provider Expected State: Stopped application of Group Policy settings for a target user or com-
Service puter in various...

Routing and Start Mode:Disabled, The Routing and Remote Access service offers routing services
Remote Access Expected State: Stopped to businesses in local area and wide area network environments.
Service

RPC Endpoint Start Mode:Auto, The RPC Endpoint Mapper service resolves RPC interfaces
Mapper Service Expected State: Running identifiers to transport endpoints.

Secondary Logon Start Mode:Disabled, The Secondary Logon service enables starting processes under
Service Expected State: Stopped alternate credentials.

Secure Socket Start Mode:Disabled, Provides support for the Secure Socket Tunneling Protocol
Tunneling Proto- Expected State: Stopped (SSTP) to connect to remote computers using VPN.
col Service

Security Accounts Start Mode:Auto, The Security Accounts Manager (SamSs) service is a protected
Manager Service Expected State: Stopped subsystem that manages user and group account information.

Server Service Start Mode:Disabled, Supports file, print, and named-pipe sharing over the net-
Expected State: Stopped work for this computer.

Shell Hardware Start Mode:Auto, The Shell Hardware Detection service provides notifications for
Detection Service Expected State: Running AutoPlay hardware events.

Smart Card Start Mode:Auto, Expected Manages access to smart cards read by this computer.
Service State: Stopped, Running

Smart Card Device Start Mode:Manual, Expected Creates software device nodes for all smart card readers acces-
Enumeration State: Stopped, Running sible to a given session.
Service

94
Display Name Hardened Start Service Description
Mode and State

Smart Card Start Mode:Manual, Expected The Smart Card Removal Policy service allows the system to be
Removal Policy State: Stopped, Running configured to lock the user desktop upon smart card removal.
Service

SNMP Trap Service Start Mode:Auto, Expected Receives trap messages generated by local or remote Simple
State: Stopped, Running Network Management Protocol (SNMP) agents

Software Protec- Start Mode:Disabled, Enables the download, installation and enforcement of digital
tion Service Expected State: Stopped licenses for Windows and Windows applications.

Special Adminis- Start Mode:Disabled, The Special Administration Console Helper service allows ad-
tration Console Expected State: Stopped ministrators to remotely access a command prompt using
Helper Emergency Management Services.

Spot Verifier Start Mode:Manual, Expected Verifies potential file system corruptions.
Service State: Stopped, Running

SPP Notification Start Mode:Manual, Expected Provides Software Licensing activation and notification.
Service State: Stopped, Running

SSDP Discovery Start Mode:Disabled, The SSDP Discovery service discovers networked devices
Service Expected State: Stopped and services that use the SSDP discovery protocol, such as
UPnP devices.

Storage Tiers Start Mode:Manual, Expected The Storage Tiers Management (TieringEngineService) service
Management State: Stopped, Running Optimizes the placement of data in storage tiers on all tiered
Service storage spaces in the system.

Superfetch Start Mode:Disabled, The Superfetch (Sysmain) service maintains and improves
Service Expected State: Stopped system performance over time.

System Event No- Start Mode:Disabled, The System Event Notification Service service monitors system
tification Service Expected State: Stopped events and notifies subscribers to COM+ Event System of these
events.

TPM Base Services Start Mode:Manual, Expected Enables access to the Trusted Platform Module (TPM), which
Service State: Stopped, Running provides hardware-based cryptographic services to system
components and applications.

UPnP Device Host Start Mode:Disabled, The UPnP Device Host service allows UPnP devices to be hosted
Service Expected State: Stopped on this computer.

95
Display Name Hardened Start Service Description
Mode and State

System Events Start Mode:Auto, The Storage Tiers Management (systemeventsbroker) ser-
Broker Service Expected State: Running vice coordinates execution of background work for WinRT
application.

Task Scheduler Start Mode:Auto, The Task Scheduler service enables a user to configure and
Service Expected State: Running schedule automated tasks on this computer. The service
also hosts multiple Windows system-critical tasks.

TCP/IP NetBIOS Start Mode:Auto, Provides support for the NetBIOS over TCP/IP (NetBT) service
Helper Service Expected State: Running and NetBIOS name resolution for clients on the network...

Telephony Service Start Mode:Disabled, Provides Telephony API (TAPI) support for programs that control
Expected State: Stopped telephony devices on the local computer and, through the LAN...

Themes Service Start Mode:Disabled, The Themes service provides user experience theme-manage-
Expected State: Stopped ment services.

Thread Ordering Start Mode:Disabled, The Thread Ordering Server service provides ordered execu-
Server Service Expected State: Stopped tion for a group of threads within a specific period of time.

UPnP Device Host Start Mode:Disabled, The UPnP Device Host service allows UPnP devices to be host-
Service Expected State: Stopped ed on this computer.

User Access Start Mode:Auto, This service logs unique client access requests, in the form of
Logging Service Expected State: Running IP addresses and user names, of installed products and roles
on the local server.

User Profile Start Mode:Manual, Expected The Virtual Disk service provides management services for
Service State: Stopped, Running disks, volumes, file systems, and storage arrays.

Volume Shadow Start Mode:Manual, Expected The Volume Shadow Copy service manages and implements
Copy Service State: Stopped, Running Volume Shadow Copies used for backup and other purposes.

Windows Audio Start Mode:Disabled, The Windows Audio service manages audio for Windows-based
Service Expected State: Stopped programs. If this service is stopped, audio devices and effects
will not function properly.

96
Display Name Hardened Start Service Description
Mode and State