Windows XP - SECURITY, SERVICES & STARTUP!

Notes on Services and Local Security Settings and control of Startup programs and services for Win XP Professional, SP1, with added notes for an SP2 installation.

This page is a copy of a file used in the administration of the author's personal computer systems.  It includes some references to files on those computers which have not been published to a website.
The page is a working file. It is updated as needed on the author's machines, and only occasionally published to the web.

Status:  This working draft originated November 4, 2003, the SP2 notes were updated in November 2008.  The file needs editorial and formatting work.

Related (not available on the web): 
USERS! : notes on Win XP Pro User and Mozilla Browser User setup
INVESTIGATE! : notes on system operations questions and issues. 


NOTE:  The information and settings procedures discussed here are available to Win XP Pro 'Administrator' users under 'Administrative Tools'.   If you do not see those tools, and are an Administrator for the machine, you can show or hide them by using the setting for 'System Administrative Tools' on the 'Advanced' tab of the 'Customize Start Menu'  option available when you open the 'Properties' sheet for your Start menu.

Contents:

Part 1:  Review of local security settings (Local Policies)

Audit policy
User rights assignment
Security  options
Shared resources

Part 2:  Stopping unneeded and unused Windows services 
Starting point Windows XP Service Pack 1 (SP1)
Recap:  Changes to the Black Viper 'safe' profile settings
Notes:  Windows XP Service Pack 2 (SP2)
Checkpoints:  Active Services and Processes
Part 3:  Controlling Windows Startup
Mike Lin's Startup Monitor and Startup Control Panel
 
Windows Startup Online®.
NOTE: Repair of DHCP, Windows Sockets and TCP/IP when DHCP will not start

Appendix:  Supplemental information for stopping unused networking services and closing open ports.

Minimization of network services on Windows  2000 and Windows XP installations
Recap:  Minimization of network services
Open Port 1025-1029 problems

Links:
Resources for minimizing Windows services

Miscellaneous networking and services issues





Review of Local Security Settings

AUDIT POLICY:  Options under Audit Policy seem simple enough as individual items; the concern would be what strategy to employ in selecting them.   Success audits give information about what has happened, failure audits give information about what has not happened (or has been prevented from happening).  Selecting too much, especially in success auditing, seems to bury the significant in a mass of detail.   For now, auditing is set at failures only except for account logon, logon, (no, I don't know the difference) and policy change events, and excluding Object Access, where even failure reporting is excessive.  

I note that a Policy Change success event recording these audit policies is logged at each system startup.   This is likely an artifact of the way in which Windows refreshes its security settings generally; I should review that process and note it here.   An example log entry follows.
Event Type:    Success Audit
Event Source:    Security
Event Category:    Policy Change
Event ID:    612
Date:        11/4/2003 but modified:  05/15/2004;
Time:        2:36:44 PM
User:        NT AUTHORITY\SYSTEM
Computer:    AN6313xxxxx
Description:
Audit Policy Change:
 New Policy:
     Success    Failure
         +        +    Logon/Logoff
         -        -    Object Access
         -        +    Privilege Use
         -        +    Account Management
         -        +    Policy Change               May 15, 2004; removed Success audit from policy
         -        +    System
         -        +    Detailed Tracking
         -        +    Directory Service Access
         +        +    Account Logon

 Changed By:
       User Name:    AN6313xxxxxC
       Domain Name:    WORKGROUP
       Logon ID:    (0x0,0x3E7)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The link warns about the security implications of changes in Security logging policy, and does not indicate why this policy change event success is being recorded - if it is the effect of policy refresh at logon, it would be useful if the link noted that possibility.

Note:  14:35 11/04/2003 A review of event logging for security showed no events being recorded.  Check of Properties for the Security event log found that the 512 KB space was full.  Reserved 1024 KB for the log, and changed the overwrite criteria to 'Overwrite events as needed'.

Note:  05/16/2004  I changed Audit Policies to stop reporting of Policy Change Success.  
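The hypothesis above, that the 612 logged at every startup is the policy refresh rather than a real change, can be checked from the logs themselves. The following is an added example, not part of the original notes; it assumes Windows PowerShell 2.0 (installable on XP SP2 or later) run as an Administrator, and uses a 10-minute window, an arbitrary choice, between the System log's 6005 "Event log service was started" entry and the 612.

```powershell
# Added example, not from the original notes.  Checks whether each Security
# 612 (Audit Policy Change) lines up with a boot: 6005 in the System log is
# "The Event log service was started", the first entry of every boot.
# Assumes Windows PowerShell 2.0 on XP SP2+ in an Administrator session.
$bootWindowMinutes = 10   # assumption: a 612 this soon after 6005 is the startup refresh

$bootTimes = Get-EventLog -LogName System |
    Where-Object { $_.EventID -eq 6005 } |
    ForEach-Object { $_.TimeGenerated }

$policyChanges = Get-EventLog -LogName Security |
    Where-Object { $_.EventID -eq 612 }

foreach ($ev in $policyChanges) {
    # Newest boot at or before this event, if it falls within the window.
    $boot = $bootTimes |
        Where-Object { $_ -le $ev.TimeGenerated -and
                       ($ev.TimeGenerated - $_).TotalMinutes -le $bootWindowMinutes } |
        Select-Object -First 1

    # A 612 with no boot behind it means the audit policy was changed while
    # the system was up, which is the case worth reviewing.
    $tag = if ($boot) { 'at boot' } else { 'WHILE RUNNING - review' }
    '{0}  612 by {1}  [{2}]' -f $ev.TimeGenerated, $ev.UserName, $tag

    # The event body carries the "Success Failure" table shown above; print
    # just those rows so the policy that was applied is visible inline.
    $ev.Message -split "`r?`n" | Where-Object { $_ -match '^\s*[+-]\s+[+-]\s+\S' }
}
```

If every 612 is tagged "at boot", the startup-refresh explanation holds for this machine; a 612 tagged otherwise is the kind the linked Help text is actually warning about.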

USER RIGHTS ASSIGNMENT: 


FIXED:  10:00 AM 10/29/2003 - Added (restored?) default groups to the security settings for "Deny access to this computer from network"

For User Rights settings I found one significant departure from the 'default' settings listed in help for the Microsoft Management Console (mmc) and several less significant departures.

I infer from this that MS security updates modify the help files for the Microsoft Management Console to reflect new recommendations and default settings for security settings, including User Rights Assignment (privileges/logon rights), and do not effect modifications to those settings themselves, which remain in their prior state.  This makes a lot of sense, but is not per se obvious.  It implies a requirement that the 'default' User Rights security settings on a machine, or within a network, be evaluated and reset - periodically and after major security updates - based on the new defaults listed in the modified help files.  

I have identified a number of 'problems' (differences between defaults listed in MS mmc help and actual settings) with the settings on this relatively new machine, which result, I assume, from such modifications.  Changes I have made to conform the settings on this machine to the default settings I find in the mmc help area are noted below, to preserve information about the state prior to my changes. 
Note:  05/16/2004  I modified user Jim to include in the Power User Group.   I got to this point after hours of attempting to determine a way to give users authority to use Task Manager to end processes.   In the course of that effort I found that the XP Help facilities for most of the Administrative Tools, and for Security Settings, are not available - the pages do not display properly or in most cases do not display at all.  


SECURITY OPTIONS:  

Only departures from the default settings listed in MMC Help are noted here:
SECURING  SHARED  RESOURCES

May 16, 2004:  Uninstalled File and Printer Sharing, as described in Help for Shared Folders. 
The File and Printer Sharing for Microsoft Networks option appears when you view the properties of any connection in Network Connections. Click Uninstall to remove this component; clearing the File and Printer Sharing for Microsoft Networks check box will not work. For more information, see File and Printer Sharing for Microsoft Networks.
This action has the possibly unwelcome side effect of removing the Server service from the list of available services.  In turn, that eliminates access to management of shared folders - which is logical - and to management of users and groups, which is a problem.  Reinstalling File and Printer Sharing may restore the Server service, which then has to be started.

On the other hand, the error below may be a  reason to be glad Server is not available:

Event Type:    Error
Event Source:    PerfNet  (MS perfnet.dll, the performance-counter provider, trying to open the Server service to report on it!)
Event Category:    None
Event ID:    2004
Date:        5/14/2004
Time:        3:49:50 PM
User:        N/A
Computer:    AN631322416
Description:
Unable to open the Server service. Server performance data will not be returned. Error code returned is in data DWORD 0.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 34 00 00 c0               4..À   


fini


STOPPING UNNEEDED AND UNUSED WINDOWS SERVICES

Section 1:  Stopping unused services generally.
Section 2:  Stopping unused networking services.

Background:
http://www.computersecuritytool.com/windows_services_home.html

A perfectly secure operating system would not work at all; function creates security issues.  Active but unused functions needlessly create security issues.  Windows XP, in its original default configuration, had most services active, so the user did not have to activate them.  Stopping unneeded services both increases security (each listening service is one fewer thing reachable from the network) and significantly decreases demands on computer resources, with no loss of needed function.

These notes are for stand alone client machines used for internet browsing and not a part of any business or home networking setup.  For a networking setup to work, some, but by no means all, of the services disabled through the recommendations at the sites and by the procedures described would have to be left enabled.

Section 1:  Stopping unused services generally

STARTING POINT:

I applied the Gibson Research Corporation service shutdowns for Windows XP SP1:
I also verified that my Win XP installation was not running 'raw sockets':

I then applied  services settings suggested at BV.com, to stop additional unneeded services.   Using the "Profiles" method defined at the BV site I established additional Win XP startup profiles.  My primary profile is an extension of the 'BVSafe' profile which uses settings suggested as 'safe' for normal operation.  That procedure and the resulting settings are described at:
Another good source of information about XP Services is at a posting by TheWhiteLady at EmpyreanHalls.com
http://www.empyreanhalls.com/forums/viewtopic.php?t=141

Finally, I modified the BVSafe profile by applying the reasoning of M. Jean-Baptiste Marchand to shut down services holding  communications Ports open.   That process is described separately below (Section 2).   I have also extended M. Marchand's reasoning and the Black Viper site's suggestions in a few cases.  Those experimental extensions and modifications beyond the Black Viper 'safe' settings are noted here:  


DISABLING UNNEEDED SERVICES IN WINDOWS XP - SP1
DESCRIPTION OF ACTIONS MODIFYING THE "BLACK VIPER" SAFE CONFIGURATION

THE NOTES FOLLOWING APPLY  TO THE "BVSAFE" HARDWARE PROFILE, AND CHANGES TO IT!  An additional 'Default' profile is kept on the machine as a failsafe.  If system behavior deteriorates or seems unusual it can be tested in its original unmodified condition.

LISTING
OF CHANGES TO THE BLACK VIPER "SAFE" SETTINGS FOR WIN XP SP1  - for Win XP SP2 see here:
 
(After 2004 the primary system for which this file was prepared was relatively stable, and this file was not updated until November, 2008.)

Note: 
When the status of a service is described in these notes the first term (enabled or disabled) refers to the "Log On" tab of the Properties sheet for the service, which permits enabling or disabling the service in each of the machine's Hardware Profiles.   The second term refers to the "General" tab of the Properties sheet, where one of three 'Startup type' options (automatic, manual, or disabled) can be selected. 

For modifications to my system beyond those in the well documented BVSafe profile I do not use the disabled startup type option; that would affect all profiles.   I usually enable or disable the service in the hardware profile.   I sometimes enable a service in the BVSafe profile, but set a startup type of manual instead of automatic; this often lets the service (such as Help and Support) start when called on, instead of running automatically.

Notes for Service Pack 2:  This service pack is intended to improve the security and operation of Windows XP.  Limited experience on a machine with SP2 installed suggests that there are significant tradeoffs involved in installing it, and that some of those actually reduce security.  This is primarily through SP2's increased demands that Windows services be running.  This increases the processing load on the system, makes system behavior more complex to analyze and understand, and forces the opening of at least one service, DCOM, which is inherently insecure.

STOPS (remote administration):
  • XFR.EXE - "Intel Lan Desk Management Suite" has been disabled, service is not present in Services manager. Formerly Stopping in Services Manager
  • PDS.EXE - "Intel Lan Desk Management Suite" has been disabled, service is not present in Services manager. Formerly Stopping in Services Manager
  • MSGSYS.EXE - "Intel Lan Desk Management Suite" has been disabled, service is not present in Services manager. Formerly Stopping in Task Mgr, until what starts it is identified.
  • Remote Registry - Disabled in Services Manager; after it started with startup set to manual.
  • All of these - and others - may be necessary for Remote Administration of the computer; having them run unless specifically stopped makes sense on a machine only if remote administration is an intended option.
Processes running or stopped:
  • ctfmon.exe - this program wants to run when certain Windows components, including the Services manager, IE and OE, and MS Office components are opened.  Each time it opens, it attempts to register itself to run automatically at startup.  It ships with Windows XP itself (as part of the Text Services Framework) and is also installed and enabled by the MS Office suite; it supports something called "alternative user input".  MS says "Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies."  (Apparently support for speech recognition is automatic with installation of either the Office Suite or SP2.)  It is not clear whether this support is for all programs supporting these technologies, or only MS programs.  My normal use of a machine would suggest uninstall of the AUI interface and removal of ctfmon.exe per http://support.microsoft.com/?kbid=282599#XSLTH3153121122120121120120 - but with Office installed that seems pointless.
  • XFR.EXE, PDS.EXE, MSGSYS.EXE - these programs start automatically and support something called the "Intel LANDesk Management Suite".  The name suggests that it is unnecessary in a stand alone machine environment not a part of a LAN.  While stopping the programs has no adverse effect on the operation of the machine, a better approach will be to identify what component is causing the ILDMS to run, and kill it from that point.  This appears to be in the Services manager, where both the Intel File Transfer service and the Intel PDS service were starting automatically.  MSGSYS.EXE is used by LANDesk or AMS network management software packages to allow remote interaction with your PC.  If your computer is on a network you should leave this process running.  If it is not you should be able to safely terminate this process. 
  • wdfmgr.exe - this program is a part of SP2's (premature) implementation of the "windows driver framework".  Eventually (Windows Vista?) that system may permit management of drivers in separate classes.  So far as I can determine it has not yet been implemented in practice, and is unnecessary for operation of a machine.  It has been stopped by setting the associated Windows Driver Foundation - User-mode Driver Framework Service to manual startup.

Services left running and not:
  • NOTE - Essential Services: msconfig lists only three Services as "Essential".  DCOM Server Process Launcher is one of them.  (The others are RPC, which is absolutely essential, and the RPC Locator.)  The RPC Locator is NOT ESSENTIAL: it is set to manual start and is not started, and is dependent on the Workstation service, which is not started!
  • DCOM server process launcher
    • DCOM - RPC dependency - The RPC service is started automatically, and is essential even in minimally configured systems.  Yet, when attempting to install programs through the InstallShield installation manager in the SP2 environment, InstallShield returns a message "The RPC service is unavailable" unless "DCOM server process launcher" has been started.  This is the result of a new tie in to the DCOM service, which apparently must be running for InstallShield to recognize the availability of RPC in an SP2 environment!  This dependency is undocumented in Services manager.  Since DCOM has been widely regarded as insecure, many people have turned the DCOM service off, meaning that many InstallShield installs fail.  Microsoft strikes another blow at independent software producers!  For a discussion of this issue see http://www.cybertechhelp.com/forums/archive/index.php/t-59046.html  and
    • http://www.google.com/search?hl=en&lr=&q=%22rpc+server+is+unavailable%22+installshield+dcom&btnG=Search
    • DCOM DEPENDENCY within Services manager?  - Service dependencies did not show in the Services manager on the test system.  I have been unable to find www references to this, so do not know whether it is peculiar to this installation or is a common issue with SP2.  After starting (also after attempting to start and getting a status of "starting") DCOM server process launcher these dependencies were displayed.  Is there an undisclosed dependency here?  Note that according to Services manager's "properties" for the service, DCOM is shown as dependent on nothing, and having no dependencies.  The service also has no "start-stop" capability.  Although the Startup type can be changed to Manual instead of Automatic, it did not complete its start, and showed "starting" with no way to stop it when in Manual startup mode. 
    • At http://www.msusenet.com/archive/index.php/t-2787633.html  is a discussion of a failure of MS Office Pro to start properly after an upgrade to Win XP SP2.  The problem manifested as error messages along the line of "This document could not be registered. It will not be possible to create links from this document to other documents."  Also the Office Assistant did not start.  The discussion indicates resolution by turning DCOM on and notes that "Before SP2, many people regarded DCOM as a security risk - and no real need for it to be running. So, DCOM on my machines was safely turned off. Upon installing SP2 -- this was needed to be switched ON but remained OFF."
    • This insecure service has been left on Automatic startup.  :-(   Another reason not to install SP2.
  • LexBce Server - C:\WINDOWS\system32\LEXBCES.EXE is run as a Windows Service supporting an onboard network print server on some Lexmark and Dell branded printers.  No regular provision is made for limiting or uninstalling the service on printers which are not intended for a networked environment, despite its being unnecessary in stand alone computing environments.  The service also has the unfortunate quality of making the Print Spooler Service dependent on it.  This may (or may not) be necessary when a Lexmark printer is present.  But that LexBce Server does not relinquish this dependency when the printer is removed is definitely a problem: a Print Spooler whose DependOnService list names a service that no longer exists cannot start at all.  Four approaches to eliminating the dependency are described below:
    • At http://www.bleepingcomputer.com/startups/LexBce_Server-7634.html - This is installed by Lexmark printers, and some Dell printers which are made by Lexmark, to configure the onboard network print server. Disabling this service will make it so that print spooler service will no longer startup, which effectively disables printing on your computer.
      This can be fixed by removing the LexBceS dependency. To remove the dependency you should use the following command and start the print spooler service:
      sc config spooler depend= RPCSS
      Note: Notice the space after depend= . This is necessary.
    • At http://www.helpscreen.com.au/index.php?msgid=275320197&cid=6  In a response to "Lexmark printer drivers"  Posted Mon Apr 05 10:14:53 EST 2004 by Mark E: "Here is the fix to stop the print spooler to be dependent on the darn LexBce Server. . . . I had to delete the string in both ControlSet001\Services, ControlSet002\Services. (CurrentControlSet as well, most likely.)
      This will allow you to disable a service or uninstall it from your system without affecting another service that depends on it."  
    • At http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=38545
      • I recently installed Lexmark's MarkVision Professional print server utility to monitor my Windows 2000 Professional printers' network printer models. After the installation, all the printer icons disappeared from my Win2K Pro desktops. When I selected the Add Printer icon in an attempt to solve the problem, I received the error message Print Spooler service was not started. I tried to start the Print Spooler service and received the error message A Dependency service has not been started.
        To check the dependencies, I started the Control Panel Administrative Tools applet and double-clicked Services. I right-clicked the Print Spooler service and selected Properties. Then, I selected the Dependencies tab. The Dependencies window contained the item LexBceS, but the item was shaded out and not accessible for removal. I tried to use the Control Panel Add/Remove Programs applet to remove the Lexmark utility but was unsuccessful.
        Finally, I decided to edit the registry. I navigated to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler registry subkey and found an entry with the name DEPENDSonService, of type REG_Multi_SZ, and value of LexBceS. I deleted this entry, closed the registry editor, and restarted the workstation. Afterward, all my printer icons reappeared and the Add Printer applet worked.
        —Cy Tymony - cy@sneakyuses.com
    • I took a slightly different approach.  
      • After exporting the Spooler key, I modified the key's "DependOnService" value to remove LexBceS as an item, while leaving the RPCSS entry.
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler, value DependOnService (REG_MULTI_SZ): was "LexBceS, RPCSS", now "RPCSS".
      • I also modified the LexBce key's "Description" entry to record the change.
  • Print Spooler - This service would need to be changed back to Automatic if a scanner/printer were attached, to avoid intermittent outages.  Setting the Print Spooler to Manual start seemed to result in the service's being unable to start, and being unable to start from within the Services control function, though both of those observations need to be verified.
  • Shell Hardware Detection - WHAT IS THIS?  Its service description reads "Provides notifications for AutoPlay hardware events", i.e. it reacts when a CD or removable drive is inserted.  I run SP1 without it, and see no problems resulting. 
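The LexBceS episode above is the general case: a service can be made a prerequisite of another by a single registry value, and disabling it then silently breaks the dependent. The following is an added example, not the author's own procedure: one function that finds every service whose DependOnService list names a given service (it reads the registry, so it still works after the named service has been uninstalled), and one that removes a stale name from such a list after exporting the key. It assumes Windows PowerShell 2.0 on XP and an Administrator session; the service names are the real ones from the notes.

```powershell
# Added example, not the author's own procedure.  Two checks a practitioner
# wants before touching a service's startup type: (1) what depends on it, and
# (2) a way to drop a stale entry from a DependOnService list while keeping
# the rest (the LexBceS / Spooler case above).  Assumes Windows PowerShell
# 2.0 on XP in an Administrator session; reg.exe is the built-in tool.

function Get-ServiceDependents {
    param([string]$Name)
    # Scan every service's DependOnService (REG_MULTI_SZ) in the registry
    # rather than asking the service itself, so this also works when $Name
    # has already been uninstalled but is still referenced (LexBceS).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $deps = (Get-ItemProperty -Path $_.PSPath -Name DependOnService `
                 -ErrorAction SilentlyContinue).DependOnService
        if ($deps -contains $Name) { $_.PSChildName }   # -contains is case-insensitive
    }
}

function Remove-StaleDependency {
    param([string]$Service, [string]$Dependency)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $current = @((Get-ItemProperty -Path $key -Name DependOnService).DependOnService)
    if ($current -notcontains $Dependency) { return "$Service does not depend on $Dependency" }

    # Export the key first so the change can be undone with 'reg import'.
    $backup = Join-Path $env:TEMP "$Service-DependOnService.reg"
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$Service" $backup /y | Out-Null

    # Keep everything except the stale name; for the Spooler that leaves RPCSS.
    $remaining = @($current | Where-Object { $_ -ne $Dependency })
    Set-ItemProperty -Path $key -Name DependOnService -Value $remaining -Type MultiString
    "$Service now depends on: $($remaining -join ', ')  (backup: $backup)"
}

# 1. What would break if LexBceS were disabled?  Prints 'Spooler' on a
#    machine where the Lexmark driver left its dependency behind.
Get-ServiceDependents -Name 'LexBceS'

# 2. Only if the LexBceS service itself is gone: remove the dangling
#    reference and start the spooler.  Same effect as
#    'sc config spooler depend= RPCSS', but without retyping the list.
if (-not (Get-Service -Name 'LexBceS' -ErrorAction SilentlyContinue)) {
    Remove-StaleDependency -Service 'Spooler' -Dependency 'LexBceS'
    Start-Service -Name 'Spooler'
}
```

Run the first function against any service before setting it to Disabled; an empty result is the only safe answer. The second function is deliberately restricted to the one stale name rather than rewriting the whole list, which is the trap with `sc config ... depend=` if the service had more than one dependency.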

DISABLED
in Startup

  • Messenger service - Disabled.
  • Remote Registry - Disabled. Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer.  Why is the default for this to start automatically?  I changed it to manual startup on the test machine, in the event it is needed for the remote management processes I may wish to be able to use on this SP2 test machine.  It seems to have changed itself back to Automatic startup once, and is currently disabled.
  • Secondary Logon - Disabled. "Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. "  But what are "alternate credentials" and what is "this type of logon access"?  This is the service behind "Run as..." (runas.exe): with it stopped, a limited user cannot launch a single program with Administrator credentials.  WWW research and separate testing is needed on this one.  Does it need to start automatically, or at all?

CHANGED to Manual from Automatic
  • Application Layer Gateway Service
  • Computer Browser  
  • DHCP Client  
  • DNS Client 
  • Error Reporting Service  
  • Task Scheduler 
  • TCP/IP NetBIOS Helper  (if it reverts to automatic, or starts itself, disable it.)
  • Machine Debug Manager
  • Network Location Awareness (NLA) - It is starting anyway, at least part of the time.
  • Remote Procedure Call (RPC) Locator - This service is dependent on the Workstation Service, which is stopped by setting it to manual start.  It has no other service listed as dependent on it.
  • Server - See Workstation, below.
  • SSDP Discovery Service  (if it reverts to automatic, or starts itself, disable it.)
  • WebClient -  This is set (default) to run automatically at startup.  While I was unclear about its relationship to WebDAV I left it that way, but now believe it should be changed to manual start or disabled.  It has been stopped by setting the startup to "manual" in Services Manager.  It is dependent on the "WebDav Client Redirector" driver, which clarifies the relationship: WebClient is XP's own WebDAV client (the Web Folders redirector), not a WebDAV server.  The distinction is reinforced by this comment:
    • "If you are USING an XP Client (ie Windows XP Home or Pro) to guarantee compatibility using Remote Shares (ie Web Folders) you must turn off the Microsoft Web Client Service. Your reByte might work ok with out turning off your Microsoft Web Client Service, but we CAN NOT guarantee it. This is a little-known Microsoft bug--Microsoft does not adhere to WebDAV protocol standards and actually runs two different and incompatible versions of it's own WebDAV services."  http://www.rebyte.com/content/view/129/25/
  • Windows Firewall/Internet Connection Sharing (ICS) (ICS unused, Zone Alarm is substituted for the XP SP2 Firewall.)
  • Windows Time - until behavior is better understood.  Disabled on SP1 machine in 2003, after bad behavior.   
  • Windows User Mode Driver Framework (wdfmgr.exe - Stopped by setting startup to "manual" in Services Manager.) - Is it a premature Windows Vista (Longhorn) component?
  • Wireless Zero Configuration - no wireless connection here, or wireless connection handled by computer vendor software.
  • Workstation - Workstation and Server were temporarily started and Run DLL as an App was given Zone Alarm access permission when establishing access to WebDAV sites through the "Add Network Place" wizard. 
    • How much of this Chinese gunpowder was necessary, is unknown.  Now that the Folders are established, access seems to work with none of these services active. 
    • Windows XP sometimes requires the Server and Workstation services to be running when making changes to basic Windows XP features, while they are not required to run those features.
    • It is unlikely that Run DLL as an App is needed for Web Folder access, but that has not been tested.
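Several entries above carry the note "if it reverts to automatic, or starts itself, disable it", which is a drift problem: a startup type set by hand is later changed by an installer or a service pack. The following is an added example, not from the original notes, that records the intended startup types from the "DISABLED" and "CHANGED to Manual" lists above as a baseline, reports any service that no longer matches, and can re-apply the baseline. It sets the Startup type (the General tab), which applies to every hardware profile, unlike the per-profile enable/disable the notes prefer. It assumes Windows PowerShell 2.0 on XP SP2, an Administrator session, and the English XP SP2 display names.

```powershell
# Added example, not from the original notes.  Keeps the intended startup types
# from the lists above as a baseline, reports any service that has drifted
# back (the "if it reverts to automatic" cases), and can re-apply the baseline.
# This sets the Startup type on the General tab, which applies to every
# hardware profile, unlike the per-profile enable/disable used in the notes.
# Assumes Windows PowerShell 2.0 on XP SP2, an Administrator session, and
# English XP SP2 display names.  Win32_Service reports StartMode as
# Auto / Manual / Disabled.
$baseline = @{
    'Application Layer Gateway Service'                  = 'Manual'
    'Computer Browser'                                   = 'Manual'
    'DHCP Client'                                        = 'Manual'
    'DNS Client'                                         = 'Manual'
    'Error Reporting Service'                            = 'Manual'
    'Task Scheduler'                                     = 'Manual'
    'TCP/IP NetBIOS Helper'                              = 'Manual'
    'Machine Debug Manager'                              = 'Manual'
    'Network Location Awareness (NLA)'                   = 'Manual'
    'Remote Procedure Call (RPC) Locator'                = 'Manual'
    'Server'                                             = 'Manual'
    'SSDP Discovery Service'                             = 'Manual'
    'WebClient'                                          = 'Manual'
    'Windows Firewall/Internet Connection Sharing (ICS)' = 'Manual'
    'Windows Time'                                       = 'Manual'
    'Windows User Mode Driver Framework'                 = 'Manual'
    'Wireless Zero Configuration'                        = 'Manual'
    'Workstation'                                        = 'Manual'
    'Messenger'                                          = 'Disabled'
    'Remote Registry'                                    = 'Disabled'
    'Secondary Logon'                                    = 'Disabled'
}

function Get-StartupDrift {
    # One object per baseline service whose current StartMode differs.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $baseline.ContainsKey($_.DisplayName) -and
                       $_.StartMode -ne $baseline[$_.DisplayName] } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Service  = $_.DisplayName
                Name     = $_.Name
                Expected = $baseline[$_.DisplayName]
                Actual   = $_.StartMode
                State    = $_.State
            }
        }
}

function Set-StartupBaseline {
    param([switch]$StopRunning)
    foreach ($d in Get-StartupDrift) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$($d.Name)'"
        # ChangeStartMode accepts 'Manual' / 'Disabled' / 'Automatic'; 0 = success.
        $rc = $svc.ChangeStartMode($d.Expected).ReturnValue
        if ($StopRunning -and $d.State -eq 'Running') { [void]$svc.StopService() }
        '{0}: {1} -> {2} (rc={3})' -f $d.Service, $d.Actual, $d.Expected, $rc
    }
}

Get-StartupDrift | Format-Table Service, Expected, Actual, State -AutoSize
# Set-StartupBaseline -StopRunning     # uncomment to enforce the baseline
```

Run the report after every install and after a service pack; the enforcement function is left commented out because, as the DCOM and InstallShield notes above show, a baseline can be wrong for a new service pack and should be reviewed before it is re-applied blindly.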


Checkpoints:

After the original modifications the stats on the machine were: 

Date                     9/15/2003  9/18/2003  9/24/2003  10/24/2003  11/23/2008
Services running         19         22/21 (1)  16
Applications at startup  0          0          0          0
Processes at startup     14         14         15 (2)

Not bad for an XP installation.    But these are below de minimis, as Help and Support and Fast User Switching are both needed for me to learn and establish User IDs with appropriate security/authority settings.

(1) 9/18/2003: services running are 21; the difference would likely be the FUS and Terminal Services, which were restarted.
(2) 9/24/2003: No detail to support the number of processes.

What I have running at boot (excludes mmc and taskmgr, which are started after boot to monitor services and processes).  The last column is the XP SP2 machine; "SP2" after a name marks a service that first appears with SP2, "Dell I 1501" a service present only on that machine.

Services at boot                        9/18/2003  9/24/2003  10/29/2003  6/10/2004  12/22/2004  03/30/2008 (SP2)
Automatic Updates (SP2)                 -          -          -           -          -           2
Cryptographic Services                  X          X          X           X          X           X
Com+ Event System                       X          STOPPED    -           -          -           X
DCOM Server Process Launcher (SP2)      -          -          -           -          -           2
Dell Wireless WLAN (Dell I 1501)        -          -          -           -          -           X
DHCP                                    STOPPED    -          -           X          -           X
DNS                                     STOPPED    -          -           -          -           -
Event Log                               X          X          X           X          X           X
Fast User Switching Compatibility       STOPPED    -          -           -          -           X
Help and Support                        STOPPED    -          -           -          FOUND ON!   X
Logical Disk Manager                    X          X          X           X          X           -
Network Connections                     X          X          X           X          X           -
NICCONFIGSVC (Dell I 1501)              -          -          -           -          -           X
Plug and Play                           X          X          X           X          X           X
Print Spooler (LexBce dep'cy removed)   -          -          -           -          -           X
Protected Storage                       X          X          X           X          X           X
Remote Access Connection Manager*       X          X          X           X          X           X
Remote Procedure Call (RPC)             X          X          X           X          X           X
Security Accounts Manager               X          X          X           X          X           X
Security Center (SP2)                   -          -          -           -          -           X
Shell Hardware Detection                X          X          X           -          -           -
System Event Notification               -          -          -           -          -           X
System Restore Service                  -          -          -           -          -           X
Telephony                               X          X          X           X          X           X
Terminal Services                       STOPPED    -          -           -          -           X
Themes                                  X          X          X           X          X           -
TrueVector Internet Monitor             X          X          X           X          X           X
Windows Audio                           X          X          X           X          X           X
Windows Management Instrumentation      X          X          X           X          X           X
Wireless Zero Configuration             -          -          -           -          X           -
Server (SPECIAL)                        -          -          -           -          FOUND ON!   -
Workstation (SPECIAL)                   X          X          -           -          FOUND ON!   -
Total services                          21/17      17/16      15          16         17-3=14     -

Processes at boot (excluding Task Manager)  9/18/2003  9/24/2003  10/29/2003  6/10/2004  12/22/2004  03/30/2008 (SP2)
System Idle Process                         X          -          X           X          X           -
System (PID 4)                              X          -          X           X          X           -
smss                                        X          -          X           X          X           -
csrss                                       X          -          X           X          X           -
winlogon                                    X          -          X           X          X           -
services                                    X          -          X           X          X           -
lsass                                       X          -          X           X          X           -
svchost                                     X          -          X           X          X           -
svchost 2                                   X          -          X           X          X           -
svchost 3 (PID 776)                         STOPPED    -          -           -          -           -
vsmon (Zone Alarm)                          X          -          X           X          X           -
explorer                                    X          -          X           X          X           -
hkcmd (removed from startup)                X          -          STOPPED     -          -           -
zonealarm                                   X          -          X           X          X           -
Startup Monitor                             -          -          X           X          X           -
NWClient                                    -          -          X           X          X           -
Total processes                             14/13      15?        15/14       14         14          -

Services changes 10/14/2003 
  1. Help and Support - Enables Help and Support Center to run on this computer.  If this service is stopped, Help and Support Center will be unavailable.   10/14 status:  Enabled; Manual
  2. Server - Supports file, print, and named-pipe sharing over the network for this computer.  10/14 status:  Enabled; Automatic;  changed to  Disabled, Manual
  3. Workstation - Creates and maintains client network connections to remote servers.   10/14 status:  Enabled, Automatic; changed to Enabled, Manual
Server and Workstation most likely started when Web Folders (WebDav) and FTP were started.   Neither service is needed for normal WWW browsing.

CheckBack: 031029 - AM
Workstation
WMI

Networking changes:  040610
  1. DHCP Client is needed to obtain an IP address and the DNS server address automatically from the network.
  2. Wireless Zero Configuration supports setup of wireless network connections.


Netstat -ano:

October 14, 2003, with no applications running.
Active Connections

  Proto  Local Address          Foreign Address        State           PID     
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4        

November 3, 2003  with no active adapters, no network connections, but Mozilla and the MMC running.
Active Connections

  Proto  Local Address          Foreign Address        State           PID   Image Name
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4     System
  TCP    0.0.0.0:1031           0.0.0.0:0              LISTENING       416   Mozilla
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       416
  TCP    127.0.0.1:1030         127.0.0.1:1031         ESTABLISHED     416
  TCP    127.0.0.1:1031         127.0.0.1:1030         ESTABLISHED     416
  UDP    127.0.0.1:1028         *:*                                    1840  mmconsole
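The listings above stop at the PID, and on XP a PID alone does not identify the culprit, because svchost.exe hosts several services in one process. The following is an added example, not part of the original notes, that runs netstat -ano and joins each listening endpoint to the owning image and to the services hosted in that PID, so a port can be traced to the service to stop. It assumes Windows PowerShell 2.0 on XP SP2 in an Administrator session; PID 4 is the System process on XP, which has no image name to look up.

```powershell
# Added example, not part of the original notes.  Turns 'netstat -ano' into
# "endpoint -> process -> hosted services" rows so a listening port can be
# traced to the service to stop.  svchost.exe hosts several services in one
# PID, hence the WMI lookup on ProcessId rather than the image name alone.
# Assumes Windows PowerShell 2.0 on XP SP2 in an Administrator session.
function Get-ListeningEndpoints {
    # Keep only the data rows; netstat prints a title and a column header first.
    $rows = & netstat.exe -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' }
    foreach ($line in $rows) {
        $f = $line.Trim() -split '\s+'       # TCP: Proto Local Foreign State PID; UDP has no State
        $proto = $f[0]
        $state = if ($proto -eq 'TCP') { $f[3] } else { '-' }
        $owner = [int]$f[-1]                 # last field is the PID in both layouts
        if ($proto -eq 'TCP' -and $state -ne 'LISTENING') { continue }

        $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $image = if ($owner -eq 4) { 'System' } elseif ($proc) { $proc.ProcessName } else { '?' }

        # Services hosted in this PID: several for svchost, one for e.g. spoolsv.
        $svcs = @(Get-WmiObject -Class Win32_Service -Filter "ProcessId=$owner" |
                  ForEach-Object { $_.Name })
        $hosted = if ($svcs.Count -gt 0) { $svcs -join ',' } else { '-' }

        New-Object PSObject -Property @{
            Proto    = $proto
            Local    = $f[1]
            PID      = $owner
            Image    = $image
            Services = $hosted
        }
    }
}

Get-ListeningEndpoints | Sort-Object Proto, Local |
    Format-Table Proto, Local, PID, Image, Services -AutoSize
```

A row whose Image is svchost and whose Services column lists more than one name is the case the Appendix's port-closing notes are about: the port belongs to one of those services, and the only way to find which is to stop them one at a time and re-run the listing.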



Part 3:  Controlling Windows Startup

Mike Lin's Startup Monitor and Startup Control Panel

Windows Startup Online®


Michael Otey
TOP 10
InstantDoc #27100
Windows & .NET Magazine

 

Hunting down and stopping programs that launch themselves at system startup whether you want them to or not is a pain. Windows can automatically start programs according to two folders and eight core registry subkeys. Here are the 10 locations from which Windows XP, Windows 2000, and Windows NT can automatically run programs at system startup.

10. The user Startup folder—The user's Startup folder is the most common location for programs that Windows automatically loads at boot time. You can find the user Startup folder at Documents and Settings, user, Start Menu, Programs, Startup. If you've migrated from NT, you'll find the Startup folder at WinNT, Profiles, user, Start Menu, Programs, Startup.

9. The All Users Startup folder—The next most common place to find autostart programs is the All Users Startup folder. Whereas the user Startup folder runs programs for only the user who's logged on, the All Users Startup folder autostarts programs no matter who logs on to the system. You can find this folder at Documents and Settings, All Users, Start Menu, Programs, Startup. If you've migrated from NT, you'll find the folder at WinNT, Profiles, user, Start Menu, Programs, Startup.

8. The load entry—Several registry subkeys also can start programs automatically. One esoteric location is the load entry at HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load.

7. The Userinit entry—The Userinit entry, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit, can also initiate programs when the system boots. You'll usually see an entry for userinit.exe, but this subkey can accept multiple comma-separated values (CSVs), so other programs can tack themselves onto the end of the entry.

6. The Explorer\Run entry—Unlike the load and Userinit entries, the Explorer\Run entry works in both the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE root keys. You can find the Explorer\Run subkey at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.

5. The RunServicesOnce subkey—The RunServicesOnce subkey is designed to start service programs before the user logs on and before the other registry autostart subkeys start their programs. You'll find the RunServicesOnce subkey at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce.

4. The RunServices subkey—The RunServices subkey loads immediately after the RunServicesOnce subkey and runs before the user logs on. You'll find the RunServices subkey at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices.

3. The RunOnce\Setup subkey—The RunOnce\Setup subkey's default value specifies programs to run after the user logs on. The RunOnce\Setup subkey is in the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE root keys. You'll find it at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup and at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup.

2. The RunOnce subkey—Setup programs typically use the RunOnce subkey to run programs automatically. You'll find this subkey at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce and at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce. The RunOnce entry in the HKEY_LOCAL_MACHINE root runs associated programs immediately after logon and before the other registry Run entries start their programs. The RunOnce subkey in the HKEY_CURRENT_USER root runs after the OS processes the other registry Run subkeys and the contents of the Startup folder. If you run XP, you can also check the RunOnceEx subkey at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx.

1. The Run subkey—By far the most common registry location for autorun programs is the Run entry, which you'll find at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The Run entry in the HKEY_LOCAL_MACHINE root runs immediately before the Run entry in the HKEY_CURRENT_USER root, and both subkeys precede the processing of the Startup folder. 


"Regarding Michael Otey's Top 10: "Windows Program Startup Locations" (December 2002, http://www.winnetmag.com, InstantDoc ID 27100), I hate to say this, but there's an 11th place to look for pesky, unwanted Windows programs. The load and run lines in win.ini, a holdover from the Windows 3.1 days, still work, and many programs lurk there. I run Sysedit to check for real-mode drivers in config.sys and autoexec.bat files at the same time."

Bruce Ballard - January 15, 2004
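An added audit script, not from Otey's article, Ballard's letter or this page's author, that reads back every location the Top 10 names plus Ballard's win.ini load= and run= lines. It assumes Windows PowerShell is installed (an add-on on XP, not part of SP1) and only reads; it changes nothing.

```powershell
# Added example: enumerate the autostart locations from the Top 10 above, plus
# the win.ini load= and run= lines Bruce Ballard adds as an 11th. Read-only.
# Assumes Windows PowerShell (an add-on on XP, not part of SP1).

function Get-AutostartEntry {
    # Keys where every value is a command to run. Both roots are read where the
    # article says the key exists in both.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    )
    # Get-ItemProperty adds these bookkeeping properties; they are not values.
    $skip = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($skip -contains $p.Name) { continue }
            New-Object PSObject -Property @{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # Single named values; Userinit and load can carry several comma-separated
    # programs, so the whole string is reported for inspection.
    $named = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Name = 'load' }
    )
    foreach ($v in $named) {
        if (-not (Test-Path $v.Key)) { continue }
        $val = (Get-ItemProperty -Path $v.Key -ErrorAction SilentlyContinue).($v.Name)
        if ($val) { New-Object PSObject -Property @{ Location = $v.Key; Name = $v.Name; Command = [string]$val } }
    }

    # The user and All Users Startup folders, located through the Shell Folders
    # values so the paths are right wherever the profiles live.
    $shell = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders'
    $folders = @((Get-ItemProperty "HKCU:\$shell" -ErrorAction SilentlyContinue).Startup,
                 (Get-ItemProperty "HKLM:\$shell" -ErrorAction SilentlyContinue).'Common Startup')
    foreach ($dir in $folders) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        foreach ($file in (Get-ChildItem -Path $dir -Force | Where-Object { -not $_.PSIsContainer })) {
            if ($file.Name -eq 'desktop.ini') { continue }
            New-Object PSObject -Property @{ Location = $dir; Name = $file.Name; Command = $file.FullName }
        }
    }

    # Ballard's 11th location: non-empty load= and run= lines in win.ini.
    $ini = Join-Path $env:windir 'win.ini'
    if (Test-Path $ini) {
        foreach ($line in (Get-Content $ini)) {
            if ($line -match '^\s*(load|run)\s*=\s*(\S.*)$') {
                New-Object PSObject -Property @{ Location = $ini; Name = $matches[1]; Command = $matches[2] }
            }
        }
    }
}

Get-AutostartEntry | Select-Object Location, Name, Command | Format-Table -AutoSize -Wrap
```

Anything listed that you did not install yourself is the entry to investigate; Mike Lin's Startup Control Panel, mentioned above, is one way to disable it without editing the registry by hand.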


Appendix:  Stopping unused networking services.

Minimization of network services on Windows  2000 and Windows XP installations

Jean-Baptiste Marchand

http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

I ran across a link to M. Marchand's paper long before I could even begin to understand it, and found it again while trying to secure my Win XP installation in September, 2003.  It was updated in August, 2003, and from my browsing seems to be the best description available, by and large, focused on elimination of unused network services.   

M. Marchand relies on the command line for his actions; I prefer to use Windows interfaces when such exist to accomplish the same result.   Determining which of the command line actions he describes equate to the various Windows interface actions available requires some puzzling.

The diagnostic tool used here is primarily the 'netstat' command, which is run 'as a command' in Win XP's 'Command prompt' window.  I also use the command line program 'fport' obtained by download from Foundstone, Inc.; and the Windows GUI program TCPView from www.sysinternals.com.   Tools are run with no applications active, as some of these, including Mozilla and the Microsoft Management Console, hold ports even when the machine is not connected to the internet.  Fortunately, Notepad does not.
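An added script, not the page author's tooling, that produces the 'netstat -ano' plus image-name view fport and TCPView give, and adds the services hosted by each PID from 'tasklist /svc' so that a svchost PID can be tied to the service behind it. It assumes Windows PowerShell with netstat.exe and tasklist.exe (XP Professional has both), and keeps only the endpoints that are not user-initiated connections.

```powershell
# Added example: listening TCP sockets and bound UDP sockets, each joined to
# its image name and to the services that PID hosts (from 'tasklist /svc').
# Assumes Windows PowerShell, netstat.exe and tasklist.exe.

function Get-UnsolicitedEndpoint {
    # PID -> image name (PID 4 appears as 'System').
    $image = @{}
    foreach ($p in Get-Process) { $image[[int]$p.Id] = $p.ProcessName }

    # PID -> comma-separated service names; tasklist reports 'N/A' for
    # processes that host no service.
    $services = @{}
    foreach ($row in (tasklist /svc /fo csv | ConvertFrom-Csv)) {
        $services[[int]$row.PID] = $row.Services
    }

    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            # TCP  0.0.0.0:1025  0.0.0.0:0  LISTENING  4
            if ($f[3] -ne 'LISTENING') { continue }   # ESTABLISHED etc. are user traffic
            $state = $f[3]; $id = [int]$f[4]
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            # UDP  0.0.0.0:1026  *:*  768   (netstat prints no State for UDP)
            $state = ''; $id = [int]$f[3]
        } else {
            continue                                  # title, header and blank lines
        }
        $name = if ($image.ContainsKey($id)) { $image[$id] } else { '<exited>' }
        $svc  = if ($services.ContainsKey($id)) { $services[$id] } else { '' }
        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Foreign = $f[2]; State = $state
            PID = $id; Image = $name; Services = $svc
        }
    }
}

# Run with no applications active, for the reason given above: Mozilla and
# the MMC hold loopback ports of their own.
Get-UnsolicitedEndpoint |
    Sort-Object Proto, Local |
    Format-Table Proto, Local, Foreign, State, PID, Image, Services -AutoSize
```

A svchost entry whose Services column names a single service (as PID 776 below turned out to host only the DNS Client service) can be stopped from the Services console rather than killed from Task Manager.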

September 18, 2003
After applying the recommendations of several internet sites to minimize running services in Windows XP, as described above, 'netstat' still showed three active Ports that were not the result of active, user initiated connections.   Two of the three items seem to have been initiated by an RPC service run by svchost (but not DCOM/RPC which had already been neutralized).  The third connection seems to be initiated by the "System" process.  I imagined these were the result of not yet having been able to minimize RPC services, as M. Marchand notes is required, or not having done so properly.  

In fact, testing disclosed that it was the unneeded service 'DNS Client Service' that was responsible for the svchost items:

With no applications using the internet, there originally remained the following connection traces:

netstat -ano 10

 Proto  Local Address          Foreign Address        State           PID     Image Name    User Name
 TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4       System        SYSTEM
 UDP    0.0.0.0:1026           *:*                                    768     svchost       NETWORK SERVICE
 UDP    0.0.0.0:1040           *:*                                    768     svchost       NETWORK SERVICE  

AKA

FPort v2.0 - TCP/IP Process to Port Mapper - Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
 Pid   Process            Port  Proto Path
 4     System         ->  1025  TCP
 4     System         ->  1026  UDP

 7471215              ->  1040  UDP

The UDP at Port 1040 seemed to float between apps, as I saw it reported as Winamp, Mozilla, and System while working the problem.

Also, sometimes there is a 127.0.0.1:102n connection, (in addition to or instead of?) the 0.0.0.0: item.

After disabling the Workstation, RPC Locator, and Terminal Services services, the number of Windows services running is 17; yet netstat -ano still showed:

Active Connections

  Proto  Local Address          Foreign Address        State           PID     Image Name    User Name
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4       System        SYSTEM
  UDP    0.0.0.0:1026           *:*                                    776     svchost        
  UDP    0.0.0.0:1027           *:*                                    776

 
Both UDP connections were in use by svchost PID 776.  I used Ctrl-Alt-Del Task Manager to kill that process, and it seemingly had no effect on my connection!   I noted that Event viewer had this entry:

Event Type:    Error
Event Source:    Service Control Manager
Event Category:    None
Event ID:    7034
Date:        9/18/2003
Time:        11:57:24 PM
User:        N/A
Computer:    AN631322416
Description:
The DNS Client service terminated unexpectedly.  It has done this 1 time(s).

Permanently disabling the DNS Client service is safe on a machine that is not part of a local network served by its own domain controller.  DNS resolution for WWW browsing is then handled for the stand-alone client machine by its ISP, through the ISP's DNS servers.  

The number of active services was reduced to 17, and open processes at bootup to 13, including 2 svchost processes and the System Idle process.  That is pretty tight for an XP installation.   It gives me room to re-enable Help and Support, and the services supporting Web folders/WebDAV/WebClient.  

It is possible that I will be unable to eliminate the remaining open Port held by a system process, because the XP native PPPoE facility supporting my DSL connection may be  somehow tied to it.  The system Marchand did his testing on may not have had such a constraint.   I have tried to verify that the Remote Access Connection Manager (RasMan) is required to establish and maintain my PPPoE DSL connection by switching it off, and noted that the connection has failed. 


Recap of Minimization of Network Services

The following is quoted from M. Marchand's paper, with my comments indented and in bold:

----[ Summary ]----

Minimization of network services can be realized in three steps:
 - disabling of unused services

Done in two steps:
Applied Gibson Research tools to Unplug UPnP and Decombobulate DCOM
Using the "Hardware Profiles" method
Applied Black Viper information on disabling of unused services.
Disabled some additional networking specific services
   Alerter - disabled, manual, not started
   BITS (Background Intell. Trans. S.) - disabled, manual, not started.  (Subsequent Microsoft actions tie Windows Update functions to BITS, requiring that it be started when running Windows Update.   It cannot be disabled, but must be enabled and started to run wupdate.)
   Computer Browser - disabled, automatic, not started.
   Messenger - disabled, disabled, not started.
   Net Logon - disabled, manual, not started.
   RPC Locator - enabled, manual, not started.  Disabled in BV Safe 2:37 PM 9/18/2003
   Terminal Services DISABLED 2:41 PM 9/18/2003
   Fast User Switching TEMPORARILY DISABLED 2:40 PM 9/18/2003
   Workstation DISABLED,  later changed to enabled to support User management functions; may be needed to create Web folders
 - disabling of NetBIOS over TCP/IP and CIFS over TCP 

NetBios over TCP/IP can be disabled in at least two ways,

Neither Port 135 nor 445 are any longer active, so CIFS over TCP/IP is apparently dealt with as well.

Here is  yet another way to handle it:

# Alternate Procedure: The following information was developed, tested, and supplied by T-1 (t1@san.rr.com) #

 Go to :
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\
Value Name: TransportBindName
Data: \device\
Either Rename TransportBindName to something like TransportBindNameX (Easier to change back later) Or Delete \device\
Then Reboot.

The Registry tweak is more flexible because the NetBT driver is allowed to run (and therefore allows the dependent services to run), but it never opens port 445 (either TCP or UDP).  [This would likely kill the NBT load failure message in the event log.]
Note:  Since the worm attacks of August 2003, many ISPs and networked organizations have disabled ports 445 and 135, no longer providing them as a service to their customers.   In effect, NetBIOS over TCP/IP and CIFS over IP were killed as services by the worms and the security holes they exploited.   Disabling these services at the operating system level is less essential, but even more appropriate, since there remains no use for them.  (Typically, as anticipated long ago by Gibson Research, the provider recommends that the NetBEUI protocol be used for the networking functions formerly served by NetBIOS over TCP/IP.  Another option is the establishment of IP-tunneling VPNs.)

Note:  Disabling the NetBT driver will interfere with local area network access to the internet via a DHCP-controlled connection if the DHCP service is dependent on the NetBT service.  That dependency can be terminated by editing the registry to remove the NetBT service from the DHCP service's dependency list.

 - minimization of RPC services

Services to disable are:
 Windows 2000:
  - IIS 5: iisadmin, w3svc, smtpsvc
  - Others: messenger, msdtc, policyagent, schedule
 Windows XP:
  - messenger, policyagent, schedule, ssdpsrv, w32time
 

SSDP (UPnP) -    using www.grc.com program "Unplugnpray"
Messenger, w32time, Task Scheduler -     disabled using Windows Services manager
Also DCOM -     using www.grc.com program "Decombobulator"
policyagent -     part of IPSEC services, which is disabled, automatic, not started, using Windows Services manager.

(I also installed the www.grc.com program "SocketLock" to prevent any user from using the 'raw sockets' available in XP.)


Disabling of NetBIOS over TCP/IP is specific to each network interface. To globally disable CIFS over TCP (port 445), the SmbDeviceEnabled registry value must be added and set to 0 in the registry.

Net BIOS over TCP/IP - Disabled at TCP/IP properties for the network interface.  Port 445 was dealt with using Device Manager, per http://www.uksecurityonline.com/husdg/windows2000/close445.htm


Minimization of RPC services starts by disabling services that register RPC services.

Activation of Ports 1026 and 1027 seems to have been dealt with by disabling the DNS Client service.  See below.   However, this is complicated by the way in which these are apparently interchangeable with one another and with Port 1025, each being used by different services at different times.


The removal of the 'Connection-oriented TCP/IP' protocol sequence in the dcomcnfg utility allows to close TCP port 135.

Closing of TCP Port 135 was accomplished through the Win XP interfaces described above.  (And by closing DCOM?)


If necessary, listening interfaces restriction can be configured for some RPC services on Windows 2000, using the rpccfg tool.

Apparently not applicable to Win XP.   Will require more review. 


Port 1026 action:  Quoting from Marchand:
Starting with Windows 2000, Windows systems include a caching DNS service 
(dnscache), that keeps in memory results of DNS requests.

On Windows 2000, this service sends DNS requests on UDP, using a different UDP
source port for each request. On Windows XP, the same port is always used: it is
allocated at the first DNS request and remains the same, as long as the dnscache
service is running.

On our Windows XP system, the port used by the dnscache service is UDP port
1026. If we stop the dnscache service, this port will be closed.

It is possible to disable the socket caching mechanism used by the Windows XP
dnscache service, adding a registry value under the service key:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\
Value: MaxCachedSockets
Type: REG_DWORD
Content: 0

With this setting, the Windows XP dnscache service will behave as under Windows
2000, i.e., different UDP sockets are used for each DNS request.

-[ Windows XP ]-

On our Windows XP system, UDP port 1027 is used by RPC services started by the
Messenger service. As in Windows 2000, this port and UDP port 135 will no longer
be opened after disabling this service and rebooting.

But on my machine, for both of  the two active svchost UDP Ports 1026 and 1027, disabling the DNS Client service (different than the dnscache service?) has apparently closed them.  I do not recall having executed the change to the registry he discusses.  The Messenger service he ties to Port 1027 was one of the very first I had disabled and cannot account for that Port being open on this machine. 

Port 1026 UDP and another nearby Port UDP (usually 1027) were in use by a svchost PID 776.  I used Task Manager to kill the 776 process.  Both UDP connections went away,  and my overall connectivity was NOT harmed.    Event Viewer logged the message " The DNS Client service terminated unexpectedly.  It has done this 1 time(s)."

NOTE:  9/25/2003 - Netstat is not showing any UDP ports in use, and was not even before I  again disabled DNS Client services.   This may be the result of having turned off the Microsoft Windows Networking,  but as noted above, killing the process which had been using the UDP ports also shut down DNS client services, earlier.   Perplexing.

I have observed, in connection with DCOM 'error' logging, that Windows will attempt to start a service as an apparent prerequisite to initiating another service, e.g. DCOM.   Could it be that Windows is 'using' various services as hooks for these UDP Port connections, and when one is disabled simply finds another, active one and attaches the UDP Port connection to it?  On 11/03/03 I note that with mmc running, and no internet connection, Windows is attributing a Port 1028 UDP connection to  mmc : UDP    127.0.0.1:1028         *:*                                    1840  mmconsole
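An added audit script, not from Marchand's paper or this page's author, that reads back the registry values worked through in the NetBT/port 445 notes and the dnscache quotation above, and the state of the services named in the recap, and reports whether each is in its minimized form. The key paths are those the page gives; the Dhcp DependOnService value (where Windows records a service's dependencies) and the service short names are my assumptions. It assumes Windows PowerShell and only reads.

```powershell
# Added example: report the minimization state of the registry values and
# services discussed above. Read-only. Assumes Windows PowerShell; the Dhcp
# DependOnService value and the service short names are assumptions.

function Get-RegistryMinimizationState {
    $checks = @(
        @{ Setting = 'NetBT TransportBindName (NetBT binding to port 445)'
           Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
           Name = 'TransportBindName'
           Minimized = { param($v) $v -eq $null } },        # renamed or deleted
        @{ Setting = 'NetBT SmbDeviceEnabled (CIFS over TCP, port 445)'
           Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
           Name = 'SmbDeviceEnabled'
           Minimized = { param($v) $v -eq 0 } },            # absent means enabled
        @{ Setting = 'Dnscache MaxCachedSockets (fixed UDP source port)'
           Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
           Name = 'MaxCachedSockets'
           Minimized = { param($v) $v -eq 0 } },
        @{ Setting = 'Dhcp DependOnService (does DHCP still require NetBT?)'
           Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp'
           Name = 'DependOnService'
           Minimized = { param($v) @($v) -notcontains 'NetBT' } }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path $c.Key) {
            $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $value = $item.($c.Name) }
        }
        $shown = if ($value -eq $null) { '<absent>' } else { [string]::Join(',', @($value)) }
        New-Object PSObject -Property @{
            Setting = $c.Setting; Value = $shown; Minimized = (& $c.Minimized $value)
        }
    }
}

function Get-ServiceMinimizationState {
    # Services named in the recap and in Marchand's XP list (assumed short names).
    $wanted = @('Alerter', 'BITS', 'Browser', 'Messenger', 'Netlogon', 'RpcLocator',
                'TermService', 'LanmanWorkstation', 'Dnscache', 'Schedule', 'SSDPSRV',
                'W32Time', 'PolicyAgent', 'RasMan')
    foreach ($s in (Get-WmiObject -Class Win32_Service)) {
        if ($wanted -contains $s.Name) {
            # StartName is the "Log on as" account: LocalSystem or NT AUTHORITY\...
            New-Object PSObject -Property @{
                Name = $s.Name; StartMode = $s.StartMode; State = $s.State; LogOnAs = $s.StartName
            }
        }
    }
}

Get-RegistryMinimizationState | Format-Table Setting, Value, Minimized -AutoSize
Get-ServiceMinimizationState | Sort-Object Name |
    Format-Table Name, StartMode, State, LogOnAs -AutoSize
```

Run it before and after a change to see which value or service actually moved; the page's experience with Ports 1025 to 1028 shows that the netstat picture alone can mislead.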

Port 1025/6 TCP held open by System PID 4 - problem?
For Port  1025 TCP the Marchand recommendations do not seem to work:

TCP port 1025 is used by RPC services of the Task Scheduler service. Again, as
in Windows 2000, this service must be disabled.
Both the Messenger service and Task Scheduler had been disabled, yet the Port is still active.    The statement that the active TCP Port 1025 can be attributed to Task Scheduler must be questioned.  I have been unable to use the rpcdump.exe program (obtained from the internet) to determine which, if any, RPC services are using the Port; the program returns a "binding" error. 

On my machine Port [1025, 1026] TCP is held by PID 4, System.   System process id 4 looks pretty basic to me.
http://www-tcsn.experts-exchange.com/Security/Win_Security/Q_20530309.html
http://www.tek-tips.com/gpviewthread.cfm/qid/71426/pid/23/lev2/3/lev3/17 - Good notes, several...
http://support.microsoft.com/support/kb/articles/Q280/1/32.ASP
The machine is trying to connect to a LAN through the Ethernet card it seems, as I get a red flag in the Systray when the DSL modem is off.  The message is:  "A network cable is unplugged."


FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
4     System         ->  1025  TCP

Slightly Enlightened (Visitor) Jul 9, 2002
I used a tool called fport which I got from www.Foundstone.com (no I don't work for them). That traced the port back to the svchost.exe of which there were several instances running in the processes box. These can then be traced back to the registry
HKLM/Software/Microsoft/Windows NT/CurrentVersion/SVCHOST
In there you will find entries corresponding to the processes that are running. By process of elimination I found svcimg in the registry and that seemed to be the one opening the port. Blitzed it (backed up the registry first) and the port is no longer a problem and the machine still works! Hope it helps.

But no, this is NOT a SVCHOST process on my machine, it is a system process, PID 4.   



Links:
HSC - Brève - Minimization of network services on Windows systems
Windows 2000 Home User Self-Defence Guide - Close port 445 TCP/UDP by disabling NetBT in Device Manager
Windows XP - Home User Self-Defence
Gibson Research Corporation Home Page...
Windows XP Home and Professional Service Configurations by Black Viper
Windows XP Services Registry Files and Information
SSDP Discovery Service
Woody's Windows XP - Archives
Disable Windows Messenger broadcasts on UDP port 1900



---

"My Network Places" problems
On 9/18/2003 I found BOTH Microsoft Terminal Services (MTS) and Microsoft Windows Networking (MWN) containing a "workgroup" in "My Network Places".   It is not my intent, yet, to run a network on this machine, so if possible these should be killed.

9/24/2003  I made Microsoft Windows Networking go away  from My Network Places (don't remember how), but MTS is still listed, even though not started. Why?

10/14/2003  Both MTS and MWN are showing under "Entire Network" in MyNetPL.   "Workgroup" is showing under MWN.  I still need to kill them, if I can figure out how.

06/15/2004  MyNetworkPlaces/EntireNetwork is now showing MTS, MWN, and the "Web Client Network" (WCN).  Only MTS appears to be active, as attempts to open the other two return "Unable to browse the network.  The network is not present or not started."

--------------------------------------------------------------------------

3:56 PM 9/10/2003

Computer Management Console - Services and Applications - Services.  Most of the Windows XP services available are logged on as "Local System".   However, ten services listed as "Local Service" and four listed as "Network Service" are set to  "Log on as: This account" as opposed to "Local System account".  For instance, the disabled "Alerter" service is set to "Log on as: This account: NT AUTHORITY\LocalService".   ("This account" I would have thought would be the current User account - namely me, but that seems not to be the case.)  

Note that the "Local System Account" and the LocalService and NetworkService accounts are quite different in scope and authority. 
MS Help states that the LocalService and NetworkService accounts "are special built-in accounts that are similar to authenticated user accounts. These accounts have the same level of access to resources and objects as members of the Users groups. This limited access helps safeguard your system if individual services or processes are compromised." 

These accounts are shown as having a 15-character password assigned.  It seems that all of these services are logged into two built-in Windows "NT AUTHORITY" accounts (LocalService\NetworkService) with their own secret Microsoft password.   All of the services in these two groups are disabled in the profile I use for daily operations. 



The note above should be correlated  with a warning message indicating that a particular problem condition can be avoided by "configuring the services to run in either the LocalService or NetworkService account."  

Event Type:    Warning
Event Source:    Userenv
Event Category:    None
Event ID:    1517
Date:        10/31/2003
Time:        11:20:00 AM
User:        NT AUTHORITY\SYSTEM
Computer:    AN631322416
Description:
Windows saved user AN631322416\Chuang Tzu registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.

 This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This is complicated by the fact that all of the services currently running run in the Local System account, not in a user account and not in either of the accounts suggested.  That would seem to mean that:
MS web site states:

"Windows unloads each user's profile and user's section of the registry when the user logs off. This message indicates that Windows could not unload the user's profile because a program was referencing the user's section of the registry. This locked the profile. The registry cannot unload profiles that are locked and in use. When the program that is locking the profile is no longer referencing the registry, the profile will be unloaded."

One inference from this is that services running as a user account persist later in the log off process than those running as LocalService or NetworkService accounts.  Careful closing of all open programs which may be accessing the user profile before logging off - with emphasis on User initiated programs -  may prevent the warning message, and offer a way to determine what program is causing the warning.

A step-by-step, second-by-second review of the logoff process and events may disclose events occurring after the warning message is created that identify a program or service which had locked the profile.