This page documents legitimate Windows services and programs, meaning those that one can expect to find on a regular Windows box.
Please note that if, during an investigation, there is any chance that a code injection happened (using API calls, or even DLL load order hijacking), then one or more of those services might still be malicious, because their code was modified in memory! The check should then be done at the execution-context level, looking at surrounding processes (and their associated privileges) and using a behaviour-detection-like approach.
- Service_Short_Name: the technical short name of the service, which is likely to be used on the command line.
  - e.g.: wuauserv
- CommandLine: the command line of the service binary.
  - e.g.: C:\WINDOWS\system32\svchost.exe -k netsvcs -p
- Expected_Execution_status: whether or not the service is expected to be found on an investigated machine.
  - Should be active or (started) on demand => usually critical system processes, which should be either permanently present (in the active processes list) or launched on demand
  - Could be active => may not be critical, but quite commonly present (in the active processes list)
  - Might be active => should not be critical, but could still be present (in the active processes list)
- Startup_Type_(Default): the default autostart setting of the service. Must be one of the following:
  - Automatic
  - Automatic (delayed start)
  - Manual
  - Disabled
- Service_Full_Name: the full human-readable name of the service.
  - e.g.: Windows Update
- Description: the full (human-readable) description of the service.
  - e.g.: Enables detection, download and installation of Windows and other programs updates [...]
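
One way to apply these fields during triage, as an added example that is not part of the original page: parse rows in this page's table layout and compare them with a service inventory collected from the investigated machine. The `OBSERVED` records, the finding labels and the assumption that `%SystemRoot%` is `C:\WINDOWS` are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Rows copied from this page's table (descriptions shortened to "...").
BASELINE_TABLE = r"""
Service_Short_Name | CommandLine | Expected_Execution_status | Startup_Type_(Default) | Service_Full_Name | Description |
---|---|---|---|---|---|
tzautoupdate | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Might be active | Disabled | Auto Time Zone Updater | ... |
BITS | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Manual | Background Intelligent Transfer Service | ... |
BFE | C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | Should be active | Automatic | Base Filtering Engine | ... |
Dnscache | C:\WINDOWS\system32\svchost.exe -k NetworkService -p | Should be active | Automatic | DNS Client | ... |
WinDefend | C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24070.5-0\MsMpEng.exe | Should be active | Automatic | Microsoft Defender Antivirus Service | ... |
"""

# Constructed inventory (not real data): name, command line, start mode, state.
OBSERVED = [
    {"name": "Dnscache", "cmdline": r"%SystemRoot%\system32\svchost.exe -k NetworkService -p",
     "start": "Auto", "state": "Running"},
    {"name": "BITS", "cmdline": r"C:\Users\Public\svchost.exe -k netsvcs -p",
     "start": "Auto", "state": "Running"},
    {"name": "WinDefend",
     "cmdline": r'"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25010.11-0\MsMpEng.exe"',
     "start": "Auto", "state": "Stopped"},
    {"name": "tzautoupdate", "cmdline": r"C:\Windows\System32\svchost.exe -k LocalService -p",
     "start": "Disabled", "state": "Stopped"},
    {"name": "UpdaterSvc32", "cmdline": r"C:\ProgramData\upd.exe",
     "start": "Auto", "state": "Running"},
]


@dataclass(frozen=True)
class Baseline:
    name: str
    cmdline: str
    expected: str
    startup: str


def parse_baseline(table: str) -> dict:
    """Map lower-cased Service_Short_Name to its first four columns."""
    rows = {}
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        # Skip short lines, the header row and the ---|--- separator row.
        if len(cells) < 4 or cells[0] == "Service_Short_Name" or set(cells[0]) <= {"-"}:
            continue
        rows[cells[0].lower()] = Baseline(*cells[:4])
    return rows


# Version directories such as \4.18.24070.5-0\ change with every product update.
_VERSION_DIR = re.compile(r"\\\d+(?:\.\d+)+(?:-\d+)?\\")


def normalize_cmdline(cmd: str) -> str:
    """Make command lines comparable: case, quotes, env vars, versions, spacing."""
    cmd = cmd.strip().replace('"', "").lower()
    for var in ("%systemroot%", "%windir%"):
        cmd = cmd.replace(var, r"c:\windows")  # assumption: default install path
    cmd = _VERSION_DIR.sub(r"\\<version>\\", cmd)
    return " ".join(cmd.split())


def normalize_startup(value: str) -> str:
    """Fold 'Auto' and 'Automatic (delayed start)' into 'automatic'."""
    base = value.split("(")[0].strip().lower()
    return {"auto": "automatic"}.get(base, base)


def review(observed: list, baseline: dict) -> list:
    """Return (service, finding) pairs for every deviation from the baseline."""
    findings, seen = [], set()
    for svc in observed:
        key = svc["name"].lower()
        seen.add(key)
        ref = baseline.get(key)
        if ref is None:
            findings.append((svc["name"], "not-in-baseline"))
            continue
        if normalize_cmdline(svc["cmdline"]) != normalize_cmdline(ref.cmdline):
            findings.append((svc["name"], "cmdline-mismatch"))
        if normalize_startup(svc["start"]) != normalize_startup(ref.startup):
            findings.append((svc["name"], "startup-changed"))
        if ref.expected == "Should be active" and svc["state"].lower() != "running":
            findings.append((svc["name"], "expected-active-but-stopped"))
    # Services the table marks "Should be active" that are absent altogether.
    for key, ref in baseline.items():
        if ref.expected == "Should be active" and key not in seen:
            findings.append((ref.name, "missing-expected-service"))
    return findings


if __name__ == "__main__":
    for name, finding in review(OBSERVED, parse_baseline(BASELINE_TABLE)):
        print(f"{name}: {finding}")
```

A service that matches its row is not thereby proven clean: code modified in memory leaves the command line and startup type unchanged, so a match only narrows where to look next.
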
This table describes legitimate Windows 10/11 system services that are expected to be found on an investigated Windows machine:
Service_Short_Name | CommandLine | Expected_Execution_status | Startup_Type_(Default) | Service_Full_Name | Description |
---|---|---|---|---|---|
AxInstSV | C:\WINDOWS\system32\svchost.exe -k AxInstSVGroup | Could be active | Manual | ActiveX Installer | Provides User Account Control validation for the installation of ActiveX controls from the Internet and enables management of ActiveX control installation based on Group Policy settings. This service is started on demand and if disabled the installation of ActiveX controls behaves according to default browser settings. |
AJRouter | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | AllJoyn Router Service | Routes AllJoyn messages for the local AllJoyn clients. If this service is stopped the AllJoyn clients that don't have their own bundled routers are unable to run. |
AppReadiness | C:\WINDOWS\System32\svchost.exe -k AppReadiness -p | Should be active or on demand | Manual | App Readiness | Gets apps ready for use the first time a user signs in to this PC and when adding new apps. |
AppIDSvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Should be active or on demand | Manual | Application Identity | Determines and verifies the identity of an application. Disabling this service prevents AppLocker from being enforced. |
ALG | C:\WINDOWS\System32\alg.exe | Could be active | Manual | Application Layer Gateway Service | Provides support for protocol plug-ins for Internet Connection Sharing |
AppMgmt | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Manual | Application Management | Processes installation, removal, and enumeration requests for software deployed through Group Policy. If the service is disabled, users are unable to install, remove, or enumerate software deployed through Group Policy. If this service is disabled, any services that explicitly depend on it fail to start. |
AppXSVC | C:\WINDOWS\system32\svchost.exe -k wsappx -p | Could be active | Manual | AppX Deployment Service | Provides infrastructure support for deploying Store applications. This service is started on demand and if disabled Store applications can't be deployed to the system, and don't function properly. |
AssignedAccessManagerSvc | C:\WINDOWS\system32\svchost.exe -k AssignedAccessManagerSvc | Should be active or on demand | Manual | AssignedAccessManager Service | AssignedAccessManager Service supports kiosk experience in Windows. |
tzautoupdate | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Might be active | Disabled | Auto Time Zone Updater | Automatically sets the system time zone. |
BthAvctpSvc | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Could be active | Manual | AVCTP Service | This is Audio Video Control Transport Protocol service. |
BITS | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Manual | Background Intelligent Transfer Service | Transfers files in the background using idle network bandwidth. If the service is disabled, then any applications that depend on BITS, such as Windows Update or MSN Explorer, can't automatically download programs and other information. |
BrokerInfrastructure | C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | Should be active | Automatic | Background Tasks Infrastructure Service | Windows infrastructure service that controls which background tasks can run on the system. |
BFE | C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | Should be active | Automatic | Base Filtering Engine | The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service reduces the security of the system, resulting in unpredictable behavior in IPsec management and firewall applications. |
BDESVC | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Should be active or on demand | Manual | BitLocker Drive Encryption Service | BDESVC hosts the BitLocker Drive Encryption service. BitLocker Drive Encryption provides secure startup for the operating system, and full volume encryption for OS, fixed or removable volumes. This service allows BitLocker to prompt users for various actions related to their volumes when mounted, and unlocks volumes automatically without user interaction. Additionally, it stores recovery information to Active Directory, if available, and, if necessary, ensures the most recent recovery certificates are used. Stopping or disabling the service would prevent users from using this functionality. |
wbengine | C:\WINDOWS\system32\wbengine.exe | Might be active | Manual | Block Level Backup Engine Service | The WBENGINE service is used by Windows Backup to perform backup and recovery operations. If this service is disabled, it can cause the currently running backup or recovery operation to fail. Disabling this service prevents backup and recovery operations using Windows Backup on this computer. |
BTAGService | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted | Could be active | Manual | Bluetooth Audio Gateway Service | Service supporting the audio gateway role of the Bluetooth Handsfree Profile. |
bthserv | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Could be active | Manual | Bluetooth Support Service | The Bluetooth service supports discovery and association of remote Bluetooth devices. Stopping or disabling this service prevents Bluetooth devices from operating properly and prevents new devices from being discovered or associated. |
PeerDistSvc | C:\WINDOWS\System32\svchost.exe -k PeerDist | Could be active | Manual | BranchCache | This service caches network content from peers on the local subnet. |
camsvc | C:\WINDOWS\system32\svchost.exe -k osprivacy -p | Could be active | Manual | Capability Access Manager Service | Capability Access Manager Service supports managing UWP apps access to app capabilities and checking an app's access to specific app capabilities. |
autotimesvc | C:\WINDOWS\system32\svchost.exe -k autoTimeSvc | Could be active | Manual | Cellular Time | This service sets time based on NITZ messages from a Mobile Network. |
CertPropSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs | Should be active or on demand | Manual | Certificate Propagation | Certificate Propagation service copies user and root certificates from smart cards into the current user's certificate store, detects when a smart card is inserted into a smart card reader, and installs the smart card Plug and Play minidriver. Reconfiguring CertPropSvc isn't recommended. |
ClipSVC | C:\WINDOWS\System32\svchost.exe -k wsappx -p | Could be active | Manual | Client License Service | Provides infrastructure support for the Microsoft Store. This service is started on demand and if disabled applications bought using Microsoft Store don't behave correctly. |
KeyIso | C:\WINDOWS\system32\lsass.exe | Should be active or on demand | Manual | CNG Key Isolation | The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements. |
EventSystem | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Should be active | Automatic | COM+ Event System | Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS closes and isn't able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it fail to start. |
COMSysApp | C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Should be active or on demand | Manual | COM+ System Application | Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components don't function properly. If this service is disabled, any services that explicitly depend on it fail to start. |
CDPSvc | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Could be active | Automatic | Connected Devices Platform Service | This service is used for Connected Devices and Universal Glass scenarios. |
DiagTrack | C:\WINDOWS\System32\svchost.exe -k utcsvc -p | Could be active | Automatic | Connected User Experiences and Telemetry | DiagTrack enables features that support in-application and connected user experiences and manages the event-driven collection and transmission of diagnostic and usage information, which is used to improve the experience and quality of the Windows Platform, when the diagnostics and usage privacy option settings are enabled under Feedback and Diagnostics. |
CoreMessagingRegistrar | C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork -p | Should be active | Automatic | CoreMessaging | Manages communication between system components. |
VaultSvc | C:\WINDOWS\system32\lsass.exe | Should be active or on demand | Manual | Credential Manager | Provides secure storage and retrieval of credentials to users, applications and security service packages. |
CryptSvc | C:\WINDOWS\system32\svchost.exe -k NetworkService -p | Should be active | Automatic | Cryptographic Services | Cryptographic Services supports confirmation of file signatures and allows new programs to be installed, management of Trusted Root Certification Authority certificates from this computer, retrieval of root certificates from Windows Update, and enables scenarios such as SSL. Reconfiguring CryptSvc service isn't recommended. If this service is disabled, any services that explicitly depend on it fail to start. |
DsSvc | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | Data Sharing Service | Provides data brokering between applications. |
DusmSvc | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Should be active | Automatic | Data Usage | Network data usage, data limit, restrict background data, metered networks. |
DcomLaunch | C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | Should be active | Automatic | DCOM Server Process Launcher | The DCOMLAUNCH service launches COM and DCOM servers in response to object activation requests. Reconfiguring DcomLaunch service prevents proper functionality of programs using COM or DCOM. Reconfiguring DcomLaunch service isn't recommended. |
DoSvc | C:\WINDOWS\System32\svchost.exe -k NetworkService -p | Should be active | Automatic | Delivery Optimization | Performs content delivery optimization tasks. |
DeviceAssociationService | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Device Association Service | Enables pairing between the system and wired or wireless devices. |
DeviceInstall | C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | Should be active or on demand | Manual | Device Install Service | Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service results in system instability. |
DmEnrollmentSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Manual | Device Management Enrollment Service | Device Management Enrollment service performs device enrollment activities for device management. |
dmwappushservice | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Manual | Device Management Wireless Application Protocol Push message Routing Service | This service provides wireless application push message routing. |
DsmSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active or on demand | Manual | Device Setup Manager | Enables the detection, download and installation of device-related software. Reconfiguring DsmSvc results in devices using outdated software and isn't recommended. |
DevQueryBroker | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | DevQuery Background Discovery Broker | Enables apps to discover devices with a background task. |
Dhcp | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Should be active | Automatic | DHCP Client | Registers and updates IP addresses and DNS records for this computer. Reconfiguring the Dhcp service prevents receipt of dynamic IP addresses and DNS updates and isn't recommended. If this service is disabled, any services that explicitly depend on it fail to start. |
diagsvc | C:\WINDOWS\System32\svchost.exe -k diagnostics | Should be active or on demand | Manual | Diagnostic Execution Service | Executes diagnostic actions for troubleshooting support. |
DPS | C:\WINDOWS\System32\svchost.exe -k LocalServiceNoNetwork -p | Should be active | Automatic | Diagnostic Policy Service | The Diagnostic Policy Service enables problem detection, troubleshooting and resolution for Windows components. If this service is stopped, diagnostics don't function. |
WdiSystemHost | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | Diagnostic System Host | The Diagnostic System Host is used by the Diagnostic Policy Service to host diagnostics that need to run in a Local System context. Reconfiguring the WdiSystemHost service causes diagnostics that depend on it to fail and isn't recommended. |
DialogBlockingService | C:\WINDOWS\system32\svchost.exe -k DialogBlockingService | Might be active | Disabled | Dialog Blocking Service | Dialog Blocking Service |
DisplayEnhancementService | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | Display Enhancement Service | A service for managing display enhancement such as brightness control. |
DispBrokerDesktopSvc | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Should be active | Automatic | Display Policy Service | Manages the connection and configuration of local and remote displays. |
TrkWks | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Might be active | Automatic | Distributed Link Tracking Client | Maintains links between NTFS files within a computer or across computers in a network. |
MSDTC | C:\WINDOWS\System32\msdtc.exe | Could be active | Automatic | Distributed Transaction Coordinator | Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions fail. If this service is disabled, any services that explicitly depend on it fail to start. |
Dnscache | C:\WINDOWS\system32\svchost.exe -k NetworkService -p | Should be active | Automatic | DNS Client | The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names continue to be resolved. However, the results of DNS name queries aren't cached and the computer's name isn't registered. If the service is disabled, any services that explicitly depend on it fail to start. |
MapsBroker | C:\WINDOWS\System32\svchost.exe -k NetworkService -p | Could be active | Automatic | Downloaded Maps Manager | Windows service for application access to downloaded maps. This service is started on-demand by application accessing downloaded maps. Disabling this service prevents apps from accessing maps. |
embeddedmode | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | Embedded Mode | The Embedded Mode service enables scenarios related to Background Applications. Disabling this service prevents Background Applications from being activated. |
EFS | C:\WINDOWS\System32\lsass.exe | Should be active or on demand | Manual | Encrypting File System | Provides the core file encryption technology used to store encrypted files on NTFS file system volumes. If this service is stopped or disabled, applications are unable to access encrypted files. |
EntAppSvc | C:\WINDOWS\system32\svchost.exe -k appmodel -p | Could be active | Manual | Enterprise App Management Service | Enables enterprise application management. |
EapHost | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Manual | Extensible Authentication Protocol | The Extensible Authentication Protocol (EAP) service provides network authentication in such scenarios as 802.1x wired and wireless, VPN, and Network Access Protection (NAP). EAP also provides application programming interfaces (APIs) that are used by network access clients, including wireless and VPN clients, during the authentication process. If you disable this service, this computer is prevented from accessing networks that require EAP authentication. |
Fax | C:\WINDOWS\system32\fxssvc.exe | Could be active | Manual | Fax | |
fhsvc | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | File History Service | Protects user files from accidental loss by copying them to a backup location. |
fdPHost | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Could be active | Manual | Function Discovery Provider Host | The FDPHOST service hosts the Function Discovery (FD) network discovery providers. These FD providers supply network discovery services for the Simple Services Discovery Protocol (SSDP) and Web Services - Discovery (WS-D) protocol. Stopping or disabling the FDPHOST service disables network discovery for these protocols when using FD. When this service is unavailable, network services using FD and relying on these discovery protocols are unable to find network devices or resources. |
FDResPub | C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation -p | Could be active | Manual | Function Discovery Resource Publication | Publishes this computer and resources attached to this computer so they can be discovered over the network. Reconfiguring FDResPub service prevents discovery by other computers on the network. |
lfsvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Manual | Geolocation Service | This service monitors the current location of the system and manages geofences (a geographical location with associated events). If you turn off this service, applications are unable to use or receive notifications for geolocation or geofences. |
GraphicsPerfSvc | C:\WINDOWS\System32\svchost.exe -k GraphicsPerfSvcGroup | Should be active or on demand | Manual | GraphicsPerfSvc | Graphics performance monitor service. |
gpsvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active | Automatic | Group Policy Client | The service is responsible for applying settings configured by administrators for the computer and users through the Group Policy component. Reconfiguring Group Policy Client services prevents management through Group Policy. Any components or applications that depend on the Group Policy component aren't functional if the service is disabled. |
hidserv | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | Human Interface Device Service | Activates and maintains the use of hot buttons on keyboards, remote controls, and other multimedia devices. Reconfiguring the HidServ service isn't recommended. |
HvHost | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | HV Host Service | Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system. |
vmickvpexchange | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Hyper-V Data Exchange Service | Provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer. |
vmicguestinterface | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Hyper-V Guest Service Interface | Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine. |
vmicshutdown | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Hyper-V Guest Shutdown Service | Provides a mechanism to shut down the operating system of this virtual machine from the management interfaces on the physical computer. |
vmicheartbeat | C:\WINDOWS\system32\svchost.exe -k ICService -p | Could be active | Manual | Hyper-V Heartbeat Service | Monitors the state of this virtual machine by reporting a heartbeat at regular intervals. This service helps you identify running virtual machines that stop responding. |
vmicvmsession | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Hyper-V PowerShell Direct Service | Provides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network. |
vmicrdv | C:\WINDOWS\system32\svchost.exe -k ICService -p | Could be active | Manual | Hyper-V Remote Desktop Virtualization Service | Provides a platform for communication between the virtual machine and the operating system running on the physical computer. |
vmictimesync | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | Hyper-V Time Synchronization Service | Synchronizes the system time of this virtual machine with the system time of the physical computer. |
vmicvss | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Hyper-V Volume Shadow Copy Requestor | Hyper-V Volume Shadow Copy Requestor service coordinates communications required by Volume Shadow Copy Service to back up applications and data on this virtual machine from the operating system on the physical computer. |
IKEEXT | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active or on demand | Manual | IKE and AuthIP IPsec Keying Modules | The IKEEXT service hosts the Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) keying modules. These keying modules are used for authentication and key exchange in Internet Protocol security (IPsec). Stopping or disabling the IKEEXT service prevents IKE and AuthIP key exchange with peer computers. Reconfiguring IKEEXT Service compromises security due to IPSec failures and isn't recommended. |
SharedAccess | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Manual | Internet Connection Sharing | Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. |
iphlpsvc | C:\WINDOWS\System32\svchost.exe -k NetSvcs -p | Could be active | Automatic | IP Helper | Provides tunnel connectivity using IPv6 transition technologies (6to4, ISATAP, Port Proxy, and Teredo), and IP-HTTPS. If this service is stopped, the computer doesn't have the enhanced connectivity benefits that these technologies offer. |
IpxlatCfgSvc | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | IP Translation Configuration Service | Configures and enables translation from v4 to v6 and vice versa. |
PolicyAgent | C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted -p | Should be active or on demand | Manual | IPsec Policy Agent | Internet Protocol security (IPsec) supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. This service enforces IPsec policies created through the IP Security Policies snap-in or the command-line tool netsh ipsec. Reconfiguring PolicyAgent causes network connectivity issues if your policy requires that connections use IPsec, prevents remote management of Windows Firewall and isn't recommended. |
KtmRm | C:\WINDOWS\System32\svchost.exe -k NetworkServiceAndNoImpersonation -p | Should be active or on demand | Manual | KtmRm for Distributed Transaction Coordinator | Coordinates transactions between the Distributed Transaction Coordinator (MSDTC) and the Kernel Transaction Manager (KTM). Reconfiguring the KtmRm service isn't recommended. Both MSDTC and KTM start this service automatically when needed. If this service is disabled, any MSDTC transaction interacting with a Kernel Resource Manager fails and any services that explicitly depend on it fail to start. |
LxpSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs | Should be active or on demand | Manual | Language Experience Service | Provides infrastructure support for deploying and configuring localized Windows resources. Reconfiguring the LxpSvc prevents the deployment of Windows languages and isn't recommended. |
lltdsvc | C:\WINDOWS\System32\svchost.exe -k LocalService -p | Could be active | Manual | Link-Layer Topology Discovery Mapper | Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. If this service is disabled, the Network Map doesn't function properly. |
wlpasvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Automatic | Local Profile Assistance Service | This service provides profile management for subscriber identity modules. |
LSM | C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | Should be active | Automatic | Local Session Manager | Core Windows Service that manages local user sessions. Reconfiguring Local Session Manager service causes system instability and isn't recommended. |
diagnosticshub.standardcollector.service | C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | Should be active or on demand | Manual | Microsoft (R) Diagnostics Hub Standard Collector | Diagnostics Hub Standard Collector Service collects real time ETW events and processes them. Reconfiguring this service isn't recommended. |
wlidsvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Manual | Microsoft Account Sign-in Assistant | Enables user sign-in through Microsoft account identity services. If this service is stopped, users aren't able to log on to the computer with their Microsoft account. |
AppVClient | C:\WINDOWS\system32\AppVClient.exe | Might be active | Disabled | Microsoft App-V Client | Manages App-V users and virtual applications. |
WdNisSvc | C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24070.5-0\NisSrv.exe | Should be active or on demand | Manual | Microsoft Defender Antivirus Network Inspection Service | Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols. |
WinDefend | C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24070.5-0\MsMpEng.exe | Should be active | Automatic | Microsoft Defender Antivirus Service | Helps protect users from malware and other potentially unwanted software. |
MicrosoftEdgeElevationService | C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe | Might be active | Automatic | Microsoft Edge Elevation Service | Keeps Microsoft Edge up to date. Disabling MicrosoftEdgeElevationService prevents application updates. |
edgeupdate | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /svc | Should be active | Automatic | Microsoft Edge Update Service | Keeps your Microsoft software up to date. If this service is disabled or stopped, your Microsoft software doesn't update. As a result, security vulnerabilities and issues can't be fixed. This service uninstalls itself when there's no Microsoft software using it. |
edgeupdatem | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /medsvc | Should be active or on demand | Manual | Microsoft Edge Update Service | Keeps your Microsoft software up to date. If this service is disabled or stopped, your Microsoft software doesn't update. As a result, security vulnerabilities and issues can't be fixed. This service uninstalls itself when there's no Microsoft software using it. |
MSiSCSI | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Manual | Microsoft iSCSI Initiator Service | Manages Internet SCSI (iSCSI) sessions from this computer to remote iSCSI target devices. If this service is stopped, this computer isn't able to login or access iSCSI targets. If this service is disabled, any services that explicitly depend on it fail to start. |
MsKeyboardFilter | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Manual | Microsoft Keyboard Filter | Controls keystroke filtering and mapping. |
NgcSvc | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Microsoft Passport | Provides process isolation for cryptographic keys used to authenticate to a user's associated identity providers. If this service is disabled, all uses and management of these keys aren't available, which includes machine logon and single-sign on for apps and websites. This service starts and stops automatically. Reconfiguring the NgcSvc service isn't recommended. |
NgcCtnrSvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | Microsoft Passport Container | Manages local user identity keys used to authenticate user to identity providers and TPM virtual smart cards. If this service is disabled, local user identity keys and TPM virtual smart cards aren't accessible. Reconfiguring the NgcCtnrSvc isn't recommended. |
swprv | C:\WINDOWS\System32\svchost.exe -k swprv | Could be active | Manual | Microsoft Software Shadow Copy Provider | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies can't be managed. If this service is disabled, any services that explicitly depend on it fail to start. |
smphost | C:\WINDOWS\System32\svchost.exe -k smphost | Could be active | Manual | Microsoft Storage Spaces SMP | Host service for the Microsoft Storage Spaces management provider. If this service is stopped or disabled, Storage Spaces can't be managed. |
InstallService | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Manual | Microsoft Store Install Service | |
SmsRouter | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | Microsoft Windows SMS Router Service | |
NaturalAuthentication | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Manual | Natural Authentication | Signal aggregator service that evaluates signals based on time, network, geolocation, Bluetooth and cdf factors. Supported features are Device Unlock, Dynamic Lock and Dynamo MDM policies. |
NetTcpPortSharing | C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe | Might be active | Disabled | Net.Tcp Port Sharing Service | Provides ability to share TCP ports over the net.tcp protocol. |
Netlogon | C:\WINDOWS\system32\lsass.exe | Could be active | Manual | Netlogon | Maintains a secure channel between this computer and the domain controller for authenticating users and services. If this service is stopped, the computer doesn't authenticate users and services and the domain controller can't register DNS records. If this service is disabled, any services that explicitly depend on it fail to start. |
NcdAutoSetup | C:\WINDOWS\System32\svchost.exe -k LocalServiceNoNetwork -p | Could be active | Manual | Network Connected Devices Auto-Setup | Network Connected Devices Auto-Setup service monitors and installs qualified devices that connect to a qualified network. Stopping or disabling this service prevents Windows from discovering and installing qualified network connected devices automatically. Users can still manually add network connected devices to a PC through the user interface. |
NcbService | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Network Connection Broker | Brokers connections that allow Microsoft Store Apps to receive notifications from the internet. |
Netman | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | Network Connections | Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. |
NcaSvc | C:\WINDOWS\System32\svchost.exe -k NetSvcs -p | Could be active | Manual | Network Connectivity Assistant | Provides DirectAccess status notification for UI components. |
netprofm | C:\WINDOWS\System32\svchost.exe -k netprofm -p | Might be active | Manual | Network List Service | Network List Service collects and stores properties for connected networks, and notifies applications when these properties change. |
NlaSvc | C:\WINDOWS\System32\svchost.exe -k netprofm -p | Could be active | Automatic | Network Location Awareness | Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it fail to start. |
NetSetupSvc | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Should be active or on demand | Manual | Network Setup Service | The Network Setup Service manages the installation of network drivers and permits the configuration of low-level network settings. Stopping NetSetupSvc causes in-progress driver installations to fail and prevents configuration. Reconfiguring NetSetupSvc isn't recommended. |
nsi | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Might be active | Automatic | Network Store Interface Service | This service delivers network notifications (for example, interface addition or deletion) to user mode clients. Stopping this service causes loss of network connectivity. If this service is disabled, any other services that explicitly depend on this service fail to start. |
CscService | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Offline Files | The Offline Files service performs maintenance activities on the Offline Files cache, responds to user logon and logoff events, implements the internals of the public API, and dispatches activity events and changes in cache state. |
ssh-agent | C:\WINDOWS\System32\OpenSSH\ssh-agent.exe | Might be active | Disabled | OpenSSH Authentication Agent | Agent to hold private keys used for public key authentication. |
defragsvc | C:\WINDOWS\system32\svchost.exe -k defragsvc | Could be active | Manual | Optimize drives | Helps the computer run more efficiently by optimizing files on storage drives. |
WpcMonSvc | C:\WINDOWS\system32\svchost.exe -k LocalService | Could be active | Manual | Parental Controls | Enforces parental controls for child accounts in Windows. If this service is stopped or disabled, parental controls aren't enforced. |
SEMgrSvc | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Could be active | Manual | Payments and NFC/SE Manager | Manages payments and Near Field Communication (NFC) based secure elements. |
PNRPsvc | C:\WINDOWS\System32\svchost.exe -k LocalServicePeerNet | Could be active | Manual | Peer Name Resolution Protocol | |
p2psvc | C:\WINDOWS\System32\svchost.exe -k LocalServicePeerNet | Could be active | Manual | Peer Networking Grouping | |
p2pimsvc | C:\WINDOWS\System32\svchost.exe -k LocalServicePeerNet | Could be active | Manual | Peer Networking Identity Manager | |
PerfHost | C:\WINDOWS\SysWow64\perfhost.exe | Should be active or on demand | Manual | Performance Counter DLL Host | Enables remote users and 64-bit processes to query performance counters provided by 32-bit DLLs. If this service is stopped, only local users and 32-bit processes are able to query performance counters provided by 32-bit DLLs. |
pla | C:\WINDOWS\System32\svchost.exe -k LocalServiceNoNetwork -p | Should be active or on demand | Manual | Performance Logs & Alerts | Performance Logs and Alerts collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information isn't collected. If this service is disabled, any services that explicitly depend on it fail to start. |
PhoneSvc | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Could be active | Manual | Phone Service | Manages the telephony state on the device. |
PlugPlay | C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | Might be active | Manual | Plug and Play | Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service results in system instability. |
PNRPAutoReg | C:\WINDOWS\System32\svchost.exe -k LocalServicePeerNet | Could be active | Manual | PNRP Machine Name Publication Service | |
WPDBusEnum | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted | Could be active | Manual | Portable Device Enumerator Service | Enforces group policy for removable mass-storage devices. Enables applications such as Windows Media Player and Image Import Wizard to transfer and synchronize content using removable mass-storage devices. |
Power | C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | Should be active | Automatic | Power | Manages power policy and power policy notification delivery. |
Spooler | C:\WINDOWS\System32\spoolsv.exe | Could be active | Automatic | Print Spooler | This service spools print jobs and handles interaction with the printer. If you turn off this service, you aren't able to print or see your printers. |
PrintNotify | C:\WINDOWS\system32\svchost.exe -k print | Could be active | Manual | Printer Extensions and Notifications | This service opens custom printer dialog boxes and handles notifications from a remote print server or a printer. Reconfiguring PrintNotify prevents use of printer extensions and prevents notifications. |
wercplsupport | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Might be active | Manual | Problem Reports and Solutions Control Panel Support | This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. |
PcaSvc | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Automatic | Program Compatibility Assistant Service | This service provides support for the Program Compatibility Assistant (PCA). PCA monitors programs installed and run by the user and detects known compatibility problems. If this service is stopped, PCA doesn't function properly. |
QWAVE | C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation -p | Could be active | Manual | Quality Windows Audio Video Experience | Quality Windows Audio Video Experience (qWave) is a networking platform for Audio Video (AV) streaming applications on IP home networks. qWave enhances AV streaming performance and reliability by ensuring network quality-of-service (QoS) for AV applications. It provides mechanisms for admission control, run time monitoring and enforcement, application feedback, and traffic prioritization. |
RmSvc | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted | Could be active | Manual | Radio Management Service | Radio Management and Airplane Mode Service. |
TroubleshootingSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Manual | Recommended Troubleshooting Service | Enables automatic mitigation for known problems by applying recommended troubleshooting. Disabling TroubleshootingSvc prevents recommended troubleshooting for problems on your device. |
RasAuto | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Manual | Remote Access Auto Connection Manager | Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. |
RasMan | C:\WINDOWS\System32\svchost.exe -k netsvcs | Could be active | Manual | Remote Access Connection Manager | Manages dial-up and virtual private network (VPN) connections from this computer to the Internet or other remote networks. If this service is disabled, any services that explicitly depend on it fail to start. |
SessionEnv | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Should be active or on demand | Manual | Remote Desktop Configuration | Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop Services and Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates. |
TermService | C:\WINDOWS\System32\svchost.exe -k NetworkService | Should be active or on demand | Manual | Remote Desktop Services | Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. To prevent remote use of this computer, clear the checkboxes on the Remote tab of the System properties control panel item. |
UmRdpService | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | Remote Desktop Services UserMode Port Redirector | Allows the redirection of Printers/Drives/Ports for RDP connections. |
RpcSs | C:\WINDOWS\system32\svchost.exe -k rpcss -p | Should be active | Automatic | Remote Procedure Call | The RPCSS service is the Service Control Manager for COM and DCOM servers. It performs object activation requests, object exporter resolutions and distributed garbage collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or DCOM don't function properly. Disabling RpcSs service isn't recommended. |
RpcLocator | C:\WINDOWS\system32\locator.exe | Could be active | Manual | Remote Procedure Call Locator | In Windows 2003 and earlier versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and later versions of Windows, this service doesn't provide any functionality and is present for application compatibility. |
RemoteRegistry | C:\WINDOWS\system32\svchost.exe -k localService -p | Should be active | Automatic | Remote Registry | Enables remote users to modify registry settings on this computer. Disabling RemoteRegistry service restricts registry updating to local users only and isn't recommended. |
RetailDemo | C:\WINDOWS\System32\svchost.exe -k rdxgroup | Could be active | Automatic | Retail Demo Service | The Retail Demo service controls device activity while the device is in retail demo mode. |
RemoteAccess | C:\WINDOWS\System32\svchost.exe -k netsvcs | Might be active | Disabled | Routing and Remote Access | Offers routing services to businesses in local area and wide area network environments. |
RpcEptMapper | C:\WINDOWS\system32\svchost.exe -k RPCSS -p | Should be active | Automatic | RPC Endpoint Mapper | Resolves RPC interface identifiers to transport endpoints. If this service is stopped or disabled, programs using Remote Procedure Call (RPC) services don't function properly. |
seclogon | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active or on demand | Manual | Secondary Logon | Enables starting processes under alternate credentials. If this service is stopped, this type of logon access is unavailable. If this service is disabled, any services that explicitly depend on it fail to start. |
SstpSvc | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Could be active | Manual | Secure Socket Tunneling Protocol Service | Provides support for the Secure Socket Tunneling Protocol (SSTP) to connect to remote computers using VPN. If this service is disabled, users aren't able to use SSTP to access remote servers. |
SamSs | C:\WINDOWS\system32\lsass.exe | Should be active | Automatic | Security Accounts Manager | The startup of this service signals other services that the Security Accounts Manager (SAM) is ready to accept requests. Disabling this service prevents other services in the system from being notified when the SAM is ready, which causes those services to fail to start correctly. This service shouldn't be disabled. |
wscsvc | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Should be active or on demand | Manual | Security Center | The WSCSVC (Windows Security Center) service monitors and reports security health settings on the computer. The health settings include firewall (on/off), antivirus (on/off/out of date), antispyware (on/off/out of date), Windows Update (automatically/manually download and install updates), User Account Control (on/off), and Internet settings (recommended/not recommended). The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service. The Security and Maintenance UI uses the service to provide systray alerts and a graphical view of the security health states in the Security and Maintenance control panel. Network Access Protection (NAP) uses the service to report the security health states of clients to the NAP Network Policy Server to make network quarantine decisions. The service also has a public API that allows external consumers to programmatically retrieve the aggregated security health state of the system. |
SensorDataService | C:\WINDOWS\System32\SensorDataService.exe | Could be active | Manual | Sensor Data Service | Delivers data from various sensors. |
SensrSvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation -p | Could be active | Manual | Sensor Monitoring Service | Monitors various sensors in order to expose data and adapt to system and user state. Reconfiguring Sensor Monitoring Service prevents dynamic response to changes in lighting conditions. Stopping this service might affect other system functionality and features as well. |
SensorService | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Sensor Service | A service for sensors that manages the functionality of different sensors. Manages Simple Device Orientation (SDO) and History for sensors. Loads the SDO sensor that reports device orientation changes. If this service is stopped or disabled, the SDO sensor doesn't load and autorotation doesn't occur. History collection from Sensors stops. |
LanmanServer | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Automatic | Server | Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions are unavailable. If this service is disabled, any services that explicitly depend on it fail to start. |
shpamsvc | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Automatic | Shared PC Account Manager | Manages profiles and accounts on a SharedPC configured device. |
ShellHWDetection | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Automatic | Shell Hardware Detection | Provides notifications for Auto-Play hardware events. |
SCardSvr | C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation | Could be active | Manual | Smart Card | Manages access to smart cards read by this computer. If this service is stopped, this computer is unable to read smart cards. If this service is disabled, any services that explicitly depend on it fail to start. |
ScDeviceEnum | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted | Could be active | Manual | Smart Card Device Enumeration Service | Creates software device nodes for all smart card readers accessible to a given session. If this service is disabled, WinRT APIs aren't able to enumerate smart card readers. Needed almost exclusively for WinRT apps. |
SCPolicySvc | C:\WINDOWS\system32\svchost.exe -k netsvcs | Could be active | Manual | Smart Card Removal Policy | Allows the system to be configured to lock the user desktop upon smart card removal. |
SNMPTRAP | C:\WINDOWS\System32\snmptrap.exe | Could be active | Manual | SNMP Trap | Receives trap messages generated by local or remote Simple Network Management Protocol (SNMP) agents and forwards the messages to SNMP management programs running on this computer. If this service is stopped, SNMP-based programs on this computer don't receive SNMP trap messages. If this service is disabled, any services that explicitly depend on it fail to start. |
sppsvc | C:\WINDOWS\system32\sppsvc.exe | Should be active | Automatic | Software Protection | Enables the download, installation and enforcement of digital licenses for Windows and Windows applications. If the service is disabled, the operating system and licensed applications run in a notification mode. Disabling Software Protection isn't recommended. |
SharedRealitySvc | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Should be active or on demand | Manual | Spatial Data Service | This service is used for Spatial Perception scenarios. |
svsvc | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active or on demand | Manual | Spot Verifier | Verifies potential file system corruptions. |
SSDPSRV | C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation -p | Could be active | Manual | SSDP Discovery | Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. If this service is stopped, SSDP-based devices aren't discovered. If this service is disabled, any services that explicitly depend on it fail to start. |
StateRepository | C:\WINDOWS\system32\svchost.exe -k appmodel -p | Should be active or on demand | Manual | State Repository Service | Provides required infrastructure support for the application model. |
WiaRpc | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Still Image Acquisition Events | Launches applications associated with still image acquisition events. |
StorSvc | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Might be active | Automatic (Delayed Start) | Storage Service | Provides enabling services for storage settings and external storage expansion. |
TieringEngineService | C:\WINDOWS\system32\TieringEngineService.exe | Might be active | Manual | Storage Tiers Management | Optimizes the placement of data in storage tiers on all tiered storage spaces in the system. |
SysMain | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Should be active | Automatic | SysMain | Maintains and improves system performance over time. |
SENS | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Automatic | System Event Notification Service | Monitors system events and notifies subscribers to COM+ Event System of these events. |
SystemEventsBroker | C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p | Should be active | Automatic | System Events Broker | Coordinates execution of background work for WinRT application. If this service is stopped or disabled, then background work might not be triggered. |
SgrmBroker | C:\WINDOWS\system32\Sgrm\SgrmBroker.exe | Should be active | Automatic (Delayed Start) | System Guard Runtime Monitor Broker | Monitors and attests to the integrity of the Windows platform. |
Schedule | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active | Automatic | Task Scheduler | Enables a user to configure and schedule automated tasks on this computer. The service also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks aren't run at their scheduled times. If this service is disabled, any services that explicitly depend on it fail to start. |
lmhosts | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | TCP/IP NetBIOS Helper | TCP/IP NetBIOS Helper service provides support for the NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution for clients on the network, enabling users to share files, print, and log on to the network. If this service is stopped, these functions are unavailable. If this service is disabled, any services that explicitly depend on it fail to start. |
TapiSrv | C:\WINDOWS\System32\svchost.exe -k NetworkService -p | Could be active | Manual | Telephony | Provides Telephony API (TAPI) support for programs that control telephony devices. Disabling breaks Routing and Remote Access service (RRAS). |
Themes | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Automatic | Themes | Provides user experience theme management. Accessibility themes can't be set when this service is disabled. |
TimeBrokerSvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Should be active or on demand | Manual | Time Broker | Coordinates execution of background work for WinRT application. If this service is stopped or disabled, then background work might not be triggered. |
TabletInputService | unknown | Could be active | Manual | Touch Keyboard and Handwriting Panel Service | Enables Touch Keyboard and Handwriting Panel pen and ink functionality. |
UsoSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active or on demand | Manual | Update Orchestrator Service for Windows Update | Manages Windows Updates. Stopping UsoSvc service prevents download and installing of latest updates. Windows Update (incl. WSUS) depends on this service. |
upnphost | C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation -p | Could be active | Manual | UPnP Device Host | Allows UPnP devices to be hosted on this computer. If this service is stopped, any hosted UPnP devices stop functioning, and hosted devices can't be added. If this service is disabled, any services that explicitly depend on it fail to start. |
UevAgentService | C:\WINDOWS\system32\AgentService.exe | Might be active | Disabled | User Experience Virtualization Service | Provides support for application and OS settings roaming. |
UserManager | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active | Automatic | User Manager | User Manager provides the runtime components required for multi-user interaction. Reconfiguring UserManager service might prevent applications from operating correctly and isn't recommended. |
ProfSvc | C:\WINDOWS\system32\svchost.exe -k UserProfileService -p | Should be active | Automatic | User Profile Service | This service is responsible for loading and unloading user profiles. Disabling or stopping User Profile Service prevents user sign-in and sign-out, apps might have problems getting to user data, and components don't receive profile event notifications. Reconfiguring User Profile Service isn't recommended. |
vds | C:\WINDOWS\System32\vds.exe | Might be active | Manual | Virtual Disk | Provides management services for disks, volumes, file systems, and storage arrays. |
VSS | C:\WINDOWS\system32\vssvc.exe | Could be active | Manual | Volume Shadow Copy | Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies are unavailable for backup and the backup might fail. If this service is disabled, any services that explicitly depend on it fail to start. |
VacSvc | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | Volumetric Audio Compositor Service | Hosts spatial analysis for Mixed Reality audio simulation. |
WalletService | C:\WINDOWS\System32\svchost.exe -k appmodel -p | Could be active | Manual | WalletService | Hosts objects used by clients of the wallet. |
WarpJITSvc | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted | Could be active | Manual | WarpJITSvc | Enables JIT compilation support in d3d10warp.dll for processes in which code generation is disabled. |
TokenBroker | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Manual | Web Account Manager | This service is used by Web Account Manager to provide single-sign-on to apps and services. |
WebClient | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Could be active | Manual | Web Client | Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions aren't available. If this service is disabled, any services that explicitly depend on it fail to start. |
WFDSConMgrSvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | Wi-Fi Direct Services Connection Manager | Manages connections to wireless services, including wireless display and docking. |
Audiosrv | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | Windows Audio | Manages audio for Windows-based programs. If this service is stopped, audio devices and effects don't function properly. If this service is disabled, any services that explicitly depend on it fail to start. |
AudioEndpointBuilder | C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Windows Audio Endpoint Builder | Manages audio devices for the Windows Audio service. If this service is stopped, audio devices and effects don't function properly. If this service is disabled, any services that explicitly depend on it fail to start. |
SDRSVC | C:\WINDOWS\system32\svchost.exe -k SDRSVC | Could be active | Manual | Windows Backup | Provides Windows Backup and Restore capabilities. |
WbioSrvc | C:\WINDOWS\system32\svchost.exe -k WbioSvcGroup | Could be active | Manual | Windows Biometric Service | The Windows biometric service gives client applications the ability to capture, compare, manipulate, and store biometric data without gaining direct access to any biometric hardware or samples. The service is hosted in a privileged SVCHOST process. |
FrameServer | C:\WINDOWS\System32\svchost.exe -k Camera | Could be active | Manual | Windows Camera Frame Server | Enables multiple clients to access video frames from camera devices. |
Wcncsvc | C:\WINDOWS\System32\svchost.exe -k LocalServiceAndNoImpersonation -p | Could be active | Automatic | Windows Connect Now - Config Registrar | WCNCSVC hosts the Windows Connect Now Configuration, which is Microsoft's Implementation of Wireless Protected Setup (WPS) protocol. Wcncsvc service is used to configure Wireless LAN settings for an Access Point (AP) or a Wireless Device. The service is started programmatically as needed. |
Wcmsvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Automatic | Windows Connection Manager | Makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables management of network connectivity based on Group Policy settings. |
Sense | C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe | Should be active or on demand | Manual | Windows Defender Advanced Threat Protection Service | Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols. |
mpssvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | Should be active or on demand | Manual | Windows Defender Firewall | Windows Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network. |
WEPHOSTSVC | C:\WINDOWS\system32\svchost.exe -k WepHostSvcGroup | Could be active | Manual | Windows Encryption Provider Host Service | Windows Encryption Provider Host Service brokers encryption related functionalities from non-Microsoft Encryption Providers to processes that need to evaluate and apply EAS policies. Stopping Windows Encryption Provider Host Service compromises EAS compliancy checks established by connected Mail Accounts. |
WerSvc | C:\WINDOWS\System32\svchost.exe -k WerSvcGroup | Should be active or on demand | Manual | Windows Error Reporting Service | Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services. If this service is stopped, error reporting might not work correctly and results of diagnostic services and repairs might not be displayed. Collects and sends crash/hang data used by both Microsoft and non-Microsoft ISVs/IHVs. The data is used to diagnose crash-inducing bugs, which might include security bugs. Also needed for Corporate Error Reporting. |
Wecsvc | C:\WINDOWS\system32\svchost.exe -k NetworkService -p | Should be active or on demand | Manual | Windows Event Collector | Windows Event Collector service manages persistent subscriptions to events from remote sources that support WS-Management protocol, including event logs, hardware and IPMI-enabled event sources. The service stores forwarded events in a local Event Log. When this service is stopped or disabled event subscriptions and forwarded events are prevented. Collects ETW events (including security events) for manageability, diagnostics. Lots of features and non-Microsoft tools rely on it, including security audit tools. |
EventLog | C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted -p | Should be active | Automatic | Windows Event Log | This service manages events and event logs. It supports logging events, querying events, subscribing to events, archiving event logs, and managing event metadata. It can display events in both XML and plain text format. Stopping this service might compromise security and reliability of the system. |
FontCache | C:\WINDOWS\system32\svchost.exe -k LocalService -p | Should be active | Automatic | Windows Font Cache Service | Optimizes performance of applications by caching commonly used font data. Applications start this service if it isn't already running. Reconfiguring Windows Font Cache Service might degrade application performance and isn't recommended. |
stisvc | C:\WINDOWS\system32\svchost.exe -k imgsvc | Could be active | Manual | Windows Image Acquisition | Provides image acquisition services for scanners and cameras. |
wisvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Manual | Windows Insider Service | Provides infrastructure support for the Windows Insider Program. This service must remain enabled for the Windows Insider Program to work. |
msiserver | C:\WINDOWS\system32\msiexec.exe /V | Should be active or on demand | Manual | Windows Installer | Adds, modifies, and removes applications provided as a Windows Installer (*.msi, *.msp) package. If this service is disabled, any services that explicitly depend on it fail to start. |
LicenseManager | C:\WINDOWS\System32\svchost.exe -k LocalService -p | Could be active | Manual | Windows License Manager Service | Provides infrastructure support for the Microsoft Store. This service is started on demand. When disabled, content acquired through the Microsoft Store doesn't function properly. |
Winmgmt | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active | Automatic | Windows Management Instrumentation | Provides a common interface and object model to access management information about the operating system, devices, applications and services. If this service is stopped, most Windows-based software doesn't function properly. If this service is disabled, any services that explicitly depend on it fail to start. |
WManSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active or on demand | Manual | Windows Management Service | Performs management including Provisioning and Enrollment activities. |
WMPNetworkSvc | Unknown | Could be active | Manual | Windows Media Player Network Sharing Service | Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. |
icssvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Could be active | Manual | Windows Mobile Hotspot Service | Provides the ability to share a cellular data connection with another device. |
TrustedInstaller | C:\WINDOWS\servicing\TrustedInstaller.exe | Should be active or on demand | Manual | Windows Modules Installer | Enables installation, modification, and removal of Windows updates and optional components. If this service is disabled, install or uninstall of Windows updates might fail for this computer. |
spectrum | C:\WINDOWS\system32\spectrum.exe | Could be active | Manual | Windows Perception Service | Enables spatial perception, spatial input, and holographic rendering. |
perceptionsimulation | C:\WINDOWS\system32\PerceptionSimulation\PerceptionSimulationService.exe | Could be active | Manual | Windows Perception Simulation Service | Enables spatial perception simulation, virtual camera management and spatial input simulation. |
WpnService | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Should be active | Automatic | Windows Push Notifications System Service | This service runs in session 0 and hosts the notification platform and connection provider, which handles the connection between the device and WNS server. |
PushToInstall | C:\WINDOWS\System32\svchost.exe -k netsvcs -p | Could be active | Manual | Windows PushToInstall Service | Provides infrastructure support for the Microsoft Store. This service is started automatically and if disabled then remote installations don't function properly. |
WinRM | C:\WINDOWS\System32\svchost.exe -k NetworkService -p | Should be active | Automatic | Windows Remote Management | The Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. The WinRM service uses a listener configured with the winrm.cmd command line tool or through Group Policy to listen over the network. The WinRM service provides access to WMI data and enables event collection. Event collection and subscription to events require that the service is running. WinRM messages use HTTP and HTTPS as transports. The WinRM service doesn't depend on IIS but is preconfigured to share a port with IIS on the same machine. The WinRM service reserves the /wsman URL prefix. To prevent conflicts with IIS, administrators should ensure that any websites hosted on IIS don't use the /wsman URL prefix. |
WSearch | C:\WINDOWS\system32\SearchIndexer.exe /Embedding | Could be active | Manual | Windows Search | Provides content indexing, property caching, and search results for files, e-mail, and other content. |
SecurityHealthService | C:\WINDOWS\system32\SecurityHealthService.exe | Should be active | Automatic | Windows Security Service | Windows Security Service handles unified device protection and health information. |
W32Time | C:\WINDOWS\system32\svchost.exe -k LocalService | Should be active | Automatic | Windows Time | Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization is prevented. Reconfiguring the Windows Time service isn't recommended. |
wuauserv | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Could be active | Manual | Windows Update | Enables the detection, download, and installation of updates for Windows and other programs. Disabling the Windows Update service prevents the use of Windows Update and its automatic updating feature, and programs aren't able to use the Windows Update Agent (WUA) API. |
WaaSMedicSvc | C:\WINDOWS\system32\svchost.exe -k wusvcs -p | Should be active or on demand | Manual | Windows Update Medic Service | |
WinHttpAutoProxySvc | C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p | Should be active or on demand | Manual | WinHTTP Web Proxy Auto-Discovery Service | WinHTTP implements the client HTTP stack and provides developers with a Win32 API and COM Automation component for sending HTTP requests and receiving responses. In addition, WinHTTP provides support for autodiscovering a proxy configuration via its implementation of the Web Proxy Auto-Discovery (WPAD) protocol. Anything that uses the network stack can have a functional dependency on this service. Many organizations rely on WinHTTPAutoProxySvc to configure their internal networks' HTTP proxy routing. Without it, internally originating HTTP connections to the Internet fail. |
dot3svc | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | Wired AutoConfig | The Wired AutoConfig (DOT3SVC) service is responsible for performing IEEE 802.1X authentication on Ethernet interfaces. If your current wired network deployment enforces 802.1X authentication, the DOT3SVC service should be configured to run for establishing Layer 2 connectivity and/or providing access to network resources. Wired networks that don't enforce 802.1X authentication are unaffected by the DOT3SVC service. |
WLANSVC | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | WLAN Autoconfig | The WLANSVC service provides the logic required to configure, discover, connect to, and disconnect from a wireless local area network (WLAN) as defined by IEEE 802.11 standards. WLANSVC service also contains the logic to turn your computer into a software access point so that other devices or computers can connect to your computer wirelessly. Stopping or disabling the WLANSVC service makes all WLAN adapters on your computer inaccessible from the Windows networking UI. Disabling WLANSVC isn't recommended if your computer has a WLAN adapter. |
wmiApSrv | C:\WINDOWS\system32\wbem\WmiApSrv.exe | Should be active or on demand | Manual | WMI Performance Adapter | Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network. This service only runs when Performance Data Helper is activated. |
workfolderssvc | C:\WINDOWS\System32\svchost.exe -k LocalService -p | Could be active | Automatic | Work Folders | This service syncs files with the Work Folders server, enabling you to use the files in Work Folders. |
LanmanWorkstation | C:\WINDOWS\System32\svchost.exe -k NetworkService -p | Should be active | Automatic | Workstation | Creates and maintains client network connections to remote servers using the SMB protocol. If this service is stopped, these connections are unavailable. If this service is disabled, any services that explicitly depend on it fail to start. |
WwanSvc | C:\WINDOWS\system32\svchost.exe -k LocalSystemNetworkRestricted -p | Could be active | Manual | WWAN AutoConfig | This service manages mobile broadband (GSM & CDMA) data card/embedded module adapters and connections by autoconfiguring the networks. Disabling WwanSvc isn't recommended for best user experience of mobile broadband devices. |
XboxGipSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Manual | Xbox Accessory Management Service | This service manages connected Xbox Accessories. |
XblAuthManager | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Manual | Xbox Live Auth Manager | Provides authentication and authorization services for interacting with Xbox Live. If this service is stopped, some applications don't operate correctly. |
XblGameSave | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Manual | Xbox Live Game Save | This service syncs save data for Xbox Live save enabled games. If this service is stopped, game save data doesn't upload to or download from Xbox Live. |
XboxNetApiSvc | C:\WINDOWS\system32\svchost.exe -k netsvcs -p | Might be active | Manual | Xbox Live Networking Service | This service supports the Windows.Networking.XboxLive application programming interface. |
- Windows Internals books
- Microsoft Docs