Windows Services

| Service | Service name | Description | Startup type |
| --- | --- | --- | --- |
| ActiveX Installer (AxInstSV) | AxInstSV | UAC validation to control the installation of ActiveX controls via the internet. | Manual |
| Agent Activation Runtime_????? | AarSvc_????? | Chatbot Runtime for activating Conversational agent applications - Clippy returns. | Manual |
| AllJoyn Router Service | AJRouter | IoT integration. | Manual (Trigger Start) |
| App Readiness | AppReadiness | Runs at first logon to prepare apps for use. | Manual |
| Application Identity | AppIDSvc | Verify Application identity, used by AppLocker. | Manual (Trigger Start) |
| Application Information | Appinfo | Facilitates running applications with additional administrative privileges. If disabled those additional privileges will not be available. | Manual (Trigger Start, Running) |
| Application Layer Gateway Service | ALG | Enables plugins for the now ancient internet connection sharing. | Manual |
| Application Management | AppMgmt | Required for Group Policy software management. Not Available in Win 10 home. | Manual |
| AppX Deployment Service (AppXSVC) | AppXSvc | Windows Store integration. Cannot be disabled. | Manual |
| AssignedAccessManager Service | AssignedAccessManagerSvc | Kiosk mode. Not Available in Win 10 home. | Manual |
| Auto Time Zone Updater | tzautoupdate | Automatically set the Time Zone. | Disabled |
| AVCTP service | BthAvctpSvc | Audio Video Control TP service - Bluetooth / Wireless. | Manual (Trigger Start) |
| Background Intelligent Transfer Service | BITS | Transfer files. | Manual or Automatic (Delayed Start, Running) |
| Background Tasks Infrastructure Service | BrokerInfrastructure | Cannot be disabled. | Automatic (Running) |
| Base Filtering Engine | BFE | Manage Windows Firewall and IPsec policies and implements user mode filtering. Do not disable. | Automatic (Running) |
| BitLocker Drive Encryption Service | BDESVC | Secure startup and volume encryption. | Manual (Trigger Start) |
| Block Level Backup Engine Service | wbengine | Used by Windows Backup. | Manual |
| Bluetooth Audio Gateway Service | BTAGService | Bluetooth Audio - Wireless headsets. | Manual (Trigger Start) |
| Bluetooth Support Service | bthserv | Discovery of Bluetooth devices. | Manual (Trigger Start) |
| Bluetooth User Support Service_????? | BluetoothUserService_????? | Bluetooth features. | Manual (Trigger Start) |
| BranchCache | PeerDistSvc | Used by Windows Update for download sharing on the local subnet. | Manual |
| Capability Access Manager Service | camsvc | Manage UWP apps. | Manual |
| CaptureService_????? | CaptureService_????? | Screen Capture Service via the Windows.Graphics.Capture API. | Manual |
| Cellular Time | autotimesvc | Set the time based on NITZ messages from a mobile network. | Manual |
| Certificate Propagation | CertPropSvc | Manage certificates for Smart Card login. | Manual (Trigger Start) |
| Client License Service (ClipSVC) | ClipSVC | Support for Microsoft store, cannot be disabled. | Manual (Trigger Start) |
| Clipboard User Service_????? | cbdhsvc_????? | Clipboard. | Manual |
| CNG Key Isolation | KeyIso | Secure long lived keys for cryptographic operations. | Manual (Trigger Start, Running) |
| COM+ Event System | EventSystem | COM Event notification service, required for COM+. | Manual |
| COM+ System Application | COMSysApp | Network discovery of systems on local network. | Manual (Trigger Start) |
| Connected Devices Platform Service | CDPSvc | Connected Devices Platform. | Automatic (Delayed Start, Trigger Start) |
| Connected Devices Platform User Service_????? | CDPUserSvc_????? | Connected Devices Platform. | Automatic (Running) |
| Connected User Experiences and Telemetry | DiagTrack | Feedback and Diagnostics. | Automatic (Running) |
| ConsentUX_????? | ConsentUxUserSvc_????? | Connect and pair WiFi and Bluetooth devices, ConnectUX. | Manual |
| Contact Data_????? | PimIndexMaintenanceSvc_????? | Indexes contact data for fast contact searching. | Manual |
| CoreMessaging | CoreMessagingRegistrar | Cannot be disabled. Manages communication between system components. | Automatic (Running) |
| Credential Manager | VaultSvc | Secure storage and retrieval of credentials. Control Panel: Credential Manager. | Manual |
| CredentialEnrollmentManagerUserSvc_????? | CredentialEnrollmentManagerUserSvc_????? | Credential Enrolment Manager. | Manual |
| Cryptographic Services | CryptSvc | Manage root certificates. | Automatic (Running) |
| Data Sharing Service | DsSvc | Data brokering between applications. | Manual (Trigger Start) |
| Data Usage | DusmSvc | Network data usage, data limit/metered networks. | Automatic (Running) |
| DCOM Server Process Launcher | DcomLaunch | Required for COM and DCOM object activation requests. | Automatic (Running) |
| Delivery Optimization | DoSvc | Content delivery Optimisation. | Automatic (Delayed Start) |
| Device Association Service | DeviceAssociationService | Pairing between the system and wired or wireless devices. | Manual (Trigger Start) |
| Device Install Service | DeviceInstall | Recognise new hardware, do not disable. | Manual (Trigger Start) |
| Device Management Enrollment Service | DmEnrollmentSvc | Device enrolment/management. | Manual |
| Device Management Wireless Application Protocol (WAP) Push message Routing Service | dmwappushservice | WAP - Sync device sessions. | Manual |
| Device Setup Manager | DsmSvc | Install device drivers. | Manual (Trigger Start) |
| DeviceAssociationBroker_????? | DeviceAssociationBrokerSvc_????? | Pair devices. | Manual |
| DevicePicker_????? | DevicePickerUserSvc_????? | Manage Miracast DLNA and DIAL UI. | Manual |
| DevicesFlow_????? | DevicesFlowUserSvc_????? | Connect and pair WiFi and Bluetooth devices, ConnectUX/PC settings. | Manual |
| DevQuery Background Discovery Broker | DevQueryBroker | Enable apps to discover devices with a background task. | Manual (Trigger Start) |
| DHCP Client | Dhcp | Allocate an IP address to this computer automatically. | Automatic (Running) |
| Diagnostic Execution Service | diagsvc | Enable troubleshooting support. | Manual (Trigger Start) |
| Diagnostic Policy Service | DPS | Enable problem detection, troubleshooting and resolution for Windows components. | Automatic (Running) |
| Diagnostic Service Host | WdiServiceHost | Diagnostics for Local Services. | Manual (Running) |
| Diagnostic System Host | WdiSystemHost | Diagnostics for the Local System. | Manual |
| DialogBlockingService | DialogBlockingService | DialogBlockingService | Disabled |
| Display Enhancement Service | DisplayEnhancementService | Brightness. | Manual (Trigger Start) |
| Display Policy Service | DispBrokerDesktopSvc | Connection and configuration of local and remote displays. | Automatic (Delayed Start) |
| Distributed Link Tracking Client | TrkWks | Attempt to maintain valid links between NTFS files across a network. | Automatic (Running) |
| Distributed Transaction Coordinator | MSDTC | Co-ordinate transactions between resource managers, database, file and message queues. | Manual |
| DNS Client | Dnscache | Cache DNS queries and register the computername. | Automatic (Trigger Start, Running) |
| Downloaded Maps Manager | MapsBroker | Windows/Bing maps. | Automatic (Delayed Start) |
| Embedded Mode | embeddedmode | Activate background applications. | Manual (Trigger Start) |
| Encrypting File System (EFS) | EFS | Allow storage of encrypted files on NTFS file systems. | Manual (Trigger Start) |
| Enterprise App Management Service | EntAppSvc | Cannot be disabled. Enterprise Application management. | Manual |
| Extensible Authentication Protocol | Eaphost | Network Authentication - VPN NAP and Wireless. | Manual |
| File History Service | fhsvc | Used by Windows Backup. | Manual (Trigger Start) |
| Function Discovery Provider Host | fdPHost | Network discovery and Web Service discovery. | Manual |
| Function Discovery Resource Publication | FDResPub | Publish this computer and resources over the network. | Manual (Running) |
| GameDVR and Broadcast User Service_????? | BcastDVRUserService_????? | Game recordings and Live broadcasts. Cannot be disabled. | Manual (Trigger Start) |
| Geolocation Service | lfsvc | Manage Geofences - a geographic location with associated events. | Manual (Trigger Start, Running) |
| GraphicsPerfSvc | GraphicsPerfSvc | Monitor graphics performance. | Manual (Trigger Start) |
| Group Policy Client | gpsvc | Cannot be disabled. Apply admin settings through group policy. | Automatic (Trigger Start) |
| Human Interface Device Service | hidserv | Activate and maintain hot buttons on keyboards and other controls. | Manual (Trigger Start) |
| HV Host Service | HvHost | Hyper-V interface for performance counters. | Manual (Trigger Start) |
| Hyper-V Data Exchange Service | vmickvpexchange | Hyper-V interface for data exchange. | Manual (Trigger Start) |
| Hyper-V Guest Service Interface | vmicguestinterface | Hyper-V interface for VM services. | Manual (Trigger Start) |
| Hyper-V Guest Shutdown Service | vmicshutdown | Hyper-V interface for VM shutdown. | Manual (Trigger Start) |
| Hyper-V Heartbeat Service | vmicheartbeat | Hyper-V identify frozen VMs. | Manual (Trigger Start) |
| Hyper-V PowerShell Direct Service | vmicvmsession | Hyper-V interface for PowerShell. | Manual (Trigger Start) |
| Hyper-V Remote Desktop Virtualization Service | vmicrdv | Hyper-V desktop interface. Not Available in Win 10 home. | Manual (Trigger Start) |
| Hyper-V Time Synchronization Service | vmictimesync | Hyper-V time sync. | Manual (Trigger Start) |
| Hyper-V Volume Shadow Copy Requestor | vmicvss | Hyper-V shadow copy/backup. | Manual (Trigger Start) |
| IKE and AuthIP IPsec Keying Modules | IKEEXT | Internet Key exchange. | Manual (Trigger Start) |
| Internet Connection Sharing (ICS) | SharedAccess | Provides NAT/name resolution for small office networks. Very rarely needed. | Manual (Trigger Start) |
| IP Helper | iphlpsvc | IPv6 translation. | Automatic (Running) |
| IP Translation Configuration Service | IpxlatCfgSvc | IPv6 translation. | Manual (Trigger Start) |
| IPsec Policy Agent | PolicyAgent | Network level peer authentication. Enforces IPsec policies. | Manual (Trigger Start) |
| KtmRm for Distributed Transaction Coordinator | KtmRm | Co-ordinates distributed transactions. MSDTC/KTM. | Manual (Trigger Start) |
| Language Experience Service | LxpSvc | Deployment infrastructure for configuring additional languages. | Manual |
| Link-Layer Topology Discovery Mapper | lltdsvc | Creates a Network map describing each PC and device. | Manual |
| Local Profile Assistant Service | wlpasvc | Profile management for local subscriber identity modules. | Manual (Trigger Start) |
| Local Session Manager | LSM | Cannot be disabled. Manage local user sessions. | Automatic (Running) |
| MessagingService_????? | MessagingService_????? | Text Messaging. | Manual (Trigger Start) |
| Microsoft (R) Diagnostics Hub Standard Collector Service | diagnosticshub.standardcollector.service | Collect real-time Event Tracing for Windows (ETW) events. | Manual |
| Microsoft Account Sign-in Assistant | wlidsvc | Running if using MS account to log in to computer. | Manual (Trigger Start) |
| Microsoft App-V Client | AppVClient | Manage App-V users and virtual applications. Not Available in Win 10 home. | Disabled |
| Microsoft iSCSI Initiator Service | MSiSCSI | Manage iSCSI devices. | Manual |
| Microsoft Keyboard Filter | MsKeyboardFilter | Control keystroke filtering and mapping. | Not Installed (Disabled) |
| Microsoft Passport | NgcSvc | Process isolation for cryptographic keys. Cannot be disabled. | Manual (Trigger Start) |
| Microsoft Passport Container | NgcCtnrSvc | Manage Local user identity keys and smartcard access. Cannot be disabled. | Manual (Trigger Start) |
| Microsoft Software Shadow Copy Provider | swprv | Volume Shadow Copy. Used by Windows Backup. | Manual (Runs at boot, then stops) |
| Microsoft Storage Spaces SMP | smphost | Manage storage pools with multiple disks (WSS). | Manual |
| Microsoft Store Install Service | InstallService | Microsoft Store. | Manual |
| Microsoft Windows SMS Router Service. | SmsRouter | Route messages. | Manual (Trigger Start) |
| Natural Authentication | NaturalAuthentication | Signal aggregator service for automatic device lock/unlock. | Manual (Trigger Start) |
| Net.Msmq/Net.Pipe/Net.Tcp Listener Adapter |  | NetMsmqActivator/NetPipeActivator/NetTcpActivator | Not installed |
| Net.Tcp Port Sharing Service |  | Provides ability to share TCP ports over net.tcp. | Disabled |
| Netlogon | Netlogon | Connect to a domain controller. | Manual |
| Network Connected Devices Auto-Setup | NcdAutoSetup | Discover and install qualified devices. | Manual (Trigger Start, Running) |
| Network Connection Broker | NcbService | Broker connections between Windows store apps and the internet. | Manual (Trigger Start, Running) |
| Network Connections | Netman | Manage network and Dial-up connections. | Manual |
| Network Connectivity Assistant | NcaSvc | DirectAccess status notification. | Manual (Trigger Start) |
| Network List Service | netprofm | Identify networks. | Manual (Running) |
| Network Location Awareness | NlaSvc | Notify changes in the network configuration. | Automatic (Running) |
| Network Setup Service | NetSetupSvc | Manage installation and configuration of network drivers. | Manual (Trigger Start) |
| Network Store Interface Service | nsi | Network notifications for user mode clients. | Automatic (Running) |
| Offline Files | CscService | Perform offline maintenance on the offline files cache. Not Available in Win 10 home. | Manual (Trigger Start) |
| OpenSSH Authentication Agent | ssh-agent | Agent to hold private keys used for public key authentication. | Manual |
| Optimize drives | defragsvc | Optimise file storage by defragmenting on disc. | Manual |
| Parental Controls | WpcMonSvc | Enforces parental controls in Windows. | Manual |
| Payments and NFC/SE Manager | SEMgrSvc | Manage payments and Near Field Communication (NFC) based secure elements. | Manual (Trigger Start) |
| Peer Name Resolution Protocol | PNRPsvc | Enable serverless peer name resolution over the internet (Remote Assistance). | Manual |
| Peer Networking Grouping | p2psvc | Enables multi-party communication using peer-peer grouping (Home Group). | Manual |
| Peer Networking Identity Manager | p2pimsvc | Identity services for peer Name resolution and peer-peer grouping services. | Manual |
| Performance Counter DLL Host | PerfHost | Enable remote users and 64 bit processes to query perf counters provided by 32-bit DLLs. | Manual |
| Performance Logs & Alerts | pla | Collect performance data from local or remote computers. | Manual |
| Phone Service | PhoneSvc | Manage the telephony state. | Manual (Trigger Start) |
| Plug and Play | PlugPlay | Recognise new hardware. Do not disable. | Manual (Running) |
| PNRP Machine Name Publication Service | PNRPAutoReg | Publish a machine name using Peer name resolution protocol. | Manual |
| Portable Device Enumerator Service | WPDBusEnum | Enforce group policy for removable mass storage devices. Enables transferring and synchronising content. | Manual (Trigger Start) |
| Power | Power | Manage power policy and power policy notifications. | Automatic (Running) |
| Print Spooler | Spooler | Spool print jobs. Do not disable. | Automatic (Running) |
| Printer Extensions and Notifications | PrintNotify | Open custom printer dialogue boxes and handle notifications from a remote print server or printer. | Manual |
| PrintWorkflow_????? | PrintWorkflowUserSvc_????? | Print Workflow. Cannot be disabled. | Manual |
| Problem Reports and Solutions Control Panel Support | wercplsupport | System level problem reports. | Manual |
| Program Compatibility Assistant Service | PcaSvc | Program Compatibility Assistant (PCA). | Automatic (Running) |
| Quality Windows Audio Video Experience | QWAVE | Platform for A/V streaming applications on IP home networks. | Manual |
| Radio Management Service | RmSvc | Radio Management and Airplane Mode - wireless comms / Bluetooth. | Manual |
| Recommended Troubleshooting Service | TroubleshootingSvc | Automatic mitigation for known problems and recommended troubleshooting options. | Manual |
| Remote Access Auto Connection Manager | RasAuto | Automatically connect to a remote network whenever a DNS name is used. | Manual |
| Remote Access Connection Manager | RasMan | Manage Dial-Up and VPN connections. | Manual |
| Remote Desktop Configuration | SessionEnv | Remote Desktop related activities, temporary folders, themes and certificates. | Manual |
| Remote Desktop Services | TermService | Allow users to connect interactively with a remote computer. To prevent remote use of this computer clear the checkboxes on the Remote tab of the system properties control panel item. | Manual |
| Remote Desktop Services UserMode Port Redirector | UmRdpService | Allow redirection of Printers/Drivers/Ports for RDP connections. | Manual |
| Remote Procedure Call (RPC) | RpcSs | Object activation for COM and DCOM. Cannot be disabled. | Automatic (Running) |
| Remote Procedure Call (RPC) Locator | RpcLocator | No functionality in Windows 10, this is provided for Application Compatibility. | Manual |
| Remote Registry | RemoteRegistry | Enable remote users to modify the registry on this computer. | Disabled |
| Retail Demo Service | RetailDemo | Allows running the Retail Demo mode which will erase all files and restore Windows to a factory default. You may prefer to disable this. | Manual |
| Routing and Remote Access | RemoteAccess | LAN and WAN routing to other businesses. | Disabled |
| RPC Endpoint Mapper | RpcEptMapper | Resolve RPC interface identifiers to a transport endpoint. Cannot be disabled. | Automatic (Running) |
| Runtime Broker | RuntimeBroker | Microsoft core process, manages permissions for all universal (Windows Store) apps. | Automatic (Running) |
| Secondary Logon | seclogon | Enable starting processes under alternate credentials. | Manual |
| Secure Socket Tunneling Protocol Service | SstpSvc | SSTP VPN Capability. | Manual |
| Security Accounts Manager | SamSs | Allows SAM to accept requests from other services. | Automatic (Running) |
| Security Center | wscsvc | Monitor and report security health settings: Firewall, Anti-Virus, Anti-Spyware. | Automatic (Delayed Start, Running) |
| Sensor Data Service | SensorDataService | Delivers data from a variety of sensors. | Manual (Trigger Start) |
| Sensor Monitoring Service | SensrSvc | Monitor sensors to expose data and user state e.g. Adjust brightness. | Manual (Trigger Start) |
| Sensor Service | SensorService | Manage Simple Device Orientation (SDO) and History for sensors. Reports device orientation changes. | Manual (Trigger Start) |
| Server | LanmanServer | File, Print and named pipe sharing over the network. | Automatic (Running) |
| Shared PC Account Manager | shpamsvc | Manage profiles and accounts on a SharedPC configured device. | Disabled |
| Shell Hardware Detection | ShellHWDetection | Autoplay notification. | Automatic (Running) |
| Smart Card | SCardSvr | Support for Smart Card login/logout. | Disabled |
| Smart Card Device Enumeration Service | ScDeviceEnum | Support for Smart Card login/logout. | Manual (Trigger Start) |
| Smart Card Removal Policy | SCPolicySvc | Support for Smart Card login/logout. | Manual |
| SNMP Trap | SNMPTRAP | Handle Simple Network Management Protocol (SNMP) agent messages. | Manual |
| Software Protection | sppsvc | Download and install Digital Licences. Cannot be disabled. | Automatic (Delayed Start, Trigger Start) |
| Spatial Data Service | SharedRealitySvc | Virtual Reality data manager. | Manual |
| Spot Verifier | svsvc | Verify potential file system corruptions. | Manual (Trigger Start) |
| SSDP Discovery | SSDPSRV | Discover UPnP/SSDP devices. Enables SSDP device discovery. Can be disabled. | Manual (Running) |
| State Repository Service | StateRepository | Reports Application State. Cannot be disabled. | Manual (Running) |
| Still Image Acquisition Events | WiaRpc | Launch applications associated with still image acquisition. | Manual |
| Storage Service | StorSvc | Adds 'System Volume Information' folder to external USB memory devices. Required for Windows Store. | Manual (Trigger Start) |
| Storage Tiers Management | TieringEngineService | Optimise the placement of data in storage tiers on all tiered storage spaces. | Manual |
| Sync Host_????? | OneSyncSvc_????? | Sync mail, contacts, calendar and other user data. | Automatic (Delayed Start) |
| SysMain | SysMain | Tune system performance over time. | Automatic (Running) |
| System Event Notification Service | SENS | Monitor system events and notify COM+ subscribers. | Automatic (Running) |
| System Events Broker | SystemEventsBroker | Co-ordinates background work for WinRT. Cannot be disabled. | Automatic (Trigger Start, Running) |
| System Guard Runtime Monitor Broker | SgrmBroker | Attests to Windows platform integrity. | Automatic (Delayed Start, Running) |
| Task Scheduler | Schedule | Schedule Automated Tasks. Cannot be Stopped or disabled. | Automatic (Running) |
| TCP/IP NetBIOS Helper | lmhosts | Provides NetBIOS over TCP/IP (NetBT). Enables sharing Files, Printers and logon to the network. | Manual (Trigger Start, Running) |
| Telephony | TapiSrv | Support for programs that control telephony devices. | Manual |
| Themes | Themes | User Theme Management. | Automatic (Running) |
| Time Broker | TimeBrokerSvc | Background work for WinRT application. | Manual (Trigger Start, Running) |
| Touch Keyboard and Handwriting Panel Service | TabletInputService | Enables touch keyboard and handwriting panel pen and ink functionality. | Manual (Trigger Start) |
| Update Orchestrator Service | UsoSvc | Manages Windows Updates. | Manual (Running) |
| UPnP Device Host | upnphost | Allows UPnP devices to be hosted on this computer. | Manual |
| User Data Access_????? | UserDataSvc_????? | Provides apps access to structured user data, including contact info, calendars, messages. Cannot be disabled. | Manual (Running) |
| User Data Storage_????? | UnistoreSvc_????? | Handles storage of structured user data, including contact info, calendars, messages. Cannot be disabled. | Manual (Running) |
| User Experience Virtualization Service | UevAgentService | Support for the roaming of OS and application settings. Not Available in Win 10 home. | Disabled |
| User Manager | UserManager | Support for Multi-User interaction. | Automatic (Trigger Start, Running) |
| User Profile Service | ProfSvc | Loading and unloading of user profiles. | Automatic (Running) |
| Virtual Disk | vds | Management of disks and volumes. | Manual |
| Volume Shadow Copy | VSS | Manages and implements Volume Shadow copies used for backup and other purposes. | Manual |
| Volumetric Audio Compositor Service | VacSvc | Hosts spatial analysis for mixed reality audio simulation. | Not Installed |
| WalletService | WalletService | Objects used by clients of the wallet. | Manual |
| WarpJITSvc | WarpJITSvc | JIT out of process service for Windows Advanced Rasterization Platform (WARP) when running with Arbitrary Code Guard (ACG) enabled. | Manual (Trigger Start) |
| Web Account Manager | TokenBroker | Provide single sign on to apps and services. | Manual (Running) |
| WebClient | WebClient | Enable Windows based programs to create, access and modify internet based files. | Manual (Trigger Start) |
| Wi-Fi Direct Services Connection Manager Service | WFDSConMgrSvc | Connect to wireless display and/or dock. | Manual (Trigger Start) |
| Windows Audio | Audiosrv | Manage Audio. | Automatic (Running) |
| Windows Audio Endpoint Builder | AudioEndpointBuilder | Manage Audio devices. | Automatic (Running) |
| Windows Backup | SDRSVC | Windows Backup. | Manual |
| Windows Biometric Service | WbioSrvc | Capture and edit biometric data without gaining direct access to any biometric hardware or samples. | Manual (Trigger Start) |
| Windows Camera Frame Server | FrameServer | Access video frames from camera devices. | Manual (Trigger Start) |
| Windows Connect Now - Config Registrar | wcncsvc | Wireless Protected Setup (WPS) protocol. | Manual |
| Windows Connection Manager | Wcmsvc | Makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC. | Automatic (Trigger Start, Running) |
| Windows Defender Advanced Threat Protection Service | Sense | Security event monitor. Not Available in Win 10 home. | Manual |
| Windows Defender Antivirus Network Inspection Service | WdNisSvc | Anti-Virus. Cannot be disabled. | Manual (Running) |
| Windows Defender Antivirus Service | WinDefend | Malware detection. Cannot be disabled. | Automatic (Running) |
| Windows Defender Firewall | mpssvc | Firewall. Cannot be disabled. | Automatic (Running) |
| Windows Encryption Provider Host Service | WEPHOSTSVC | Exchange Active Sync (EAS) policies for Email encryption with 3rd parties. | Manual (Trigger Start) |
| Windows Error Reporting Service | WerSvc | Allows errors to be reported. | Manual (Trigger Start) |
| Windows Event Collector | Wecsvc | Remote event log management. | Manual |
| Windows Event Log | EventLog | Manage and query event logs. | Automatic (Running) |
| Windows Font Cache Service | FontCache | Cache font data. | Automatic (Running) |
| Windows Image Acquisition (WIA) | stisvc | Image acquisition for scanners and cameras. | Manual |
| Windows Insider Service | wisvc | Used only for Windows insider - beta testing of new versions of Windows. | Manual (Trigger Start) |
| Windows Installer | msiserver | Install applications from an .MSI or .MSP package. Cannot be disabled. | Manual |
| Windows License Manager Service | LicenseManager | Windows Store. | Manual (Trigger Start) |
| Windows Management Instrumentation | Winmgmt | Windows Management Instrumentation (WMI). | Automatic (Running) |
| Windows Management Service | WManSvc | Provisioning and enrolment services. | Manual |
| Windows Media Player Network Sharing Service | WMPNetworkSvc | Share Windows Media Player libraries with other devices using PnP. | Disabled |
| Windows Mixed Reality OpenXR Service | MixedRealityOpenXRSvc | Enable Mixed reality OpenXR runtime. | Manual |
| Windows Mobile Hotspot Service | icssvc | Share a Mobile Data Connection with another device. | Manual (Trigger Start) |
| Windows Modules Installer | TrustedInstaller | Windows Update, installer service. | Manual |
| Windows Perception Service | spectrum | Virtual Reality Service. | Manual (Trigger Start) |
| Windows Perception Simulation Service | perceptionsimulation | Enables spatial perception simulation - camera and spatial input simulation. | Manual |
| Windows Presentation Foundation Font Cache 3.0.0.0 | FontCache3.0.0.0 | Optimise the performance of WPF applications by caching commonly used files. | Not Installed (Manual) |
| Windows Push Notifications System Service | WpnService | Push Notifications. | Automatic (Running) |
| Windows Push Notifications User Service_????? | WpnUserService_????? | Local and push notifications: tile, toast and raw. | Automatic (Running) |
| Windows PushToInstall Service | PushToInstall | Windows Store. | Manual |
| Windows Remote Management (WS-Management) | WinRM | Remote Management. | Manual |
| Windows Search | WSearch | Search content indexing. | Automatic (Delayed Start, Running) |
| Windows Security Service | SecurityHealthService | Device protection. | Manual |
| Windows Time | W32Time | Date and Time Synchronisation. | Manual (Trigger Start) |
| Windows Update | wuauserv | Windows Update. | Manual (Trigger Start) |
| Windows Update Medic Service | WaaSMedicSvc | Remediation and protection of Windows Update components. | Manual |
| WinHTTP Web Proxy Auto-Discovery Service | WinHttpAutoProxySvc | Web Proxy Auto-Discovery over HTTP. | Manual (Running) |
| Wired AutoConfig | dot3svc | IEEE 802.1 authentication over Ethernet. | Manual |
| WLAN AutoConfig | WlanSvc | Connect and Disconnect from a Wireless LAN. It is strongly recommended that this service is left set to Automatic if a Wireless Card is installed. | Automatic |
| WMI Performance Adapter | wmiApSrv | Provide performance information from WMI providers to clients on the network. | Manual |
| Work Folders | workfolderssvc | Sync files with the Work Folders server, enabling you to use the files on any PC where you have set up Work Folders. | Manual |
| Workstation | LanmanWorkstation | Connect to remote servers using SMB 2.0 or 3.0. | Automatic (Running) |
| WWAN AutoConfig | WwanSvc | Manages Mobile Broadband Data Connections (GSM and CDMA) by auto-configuring the network. | Manual |
| Xbox Accessory Management Service | XboxGipSvc | Xbox Accessories. | Manual (Trigger Start) |
| Xbox Live Auth Manager | XblAuthManager | Xbox Authentication. | Manual |
| Xbox Live Game Save | XblGameSave | Xbox sync with game server. | Manual (Trigger Start) |
| Xbox Live Networking Service | XboxNetApiSvc | Xbox API. | Manual |