A service is a long-running executable that performs specific functions and is designed not to require user intervention. Services can be configured to start when the operating system is booted and run in the background as long as Windows is running, or they can be started manually when required.
Services can be divided into two types: windows service and driver service. A windows service runs as a user-mode process, while a driver service, as the name indicates, runs in kernel mode.
There are some basic concepts worth knowing before we dive into services.
1. SCM (Service Control Manager) - A Windows system program that manages installed services (both windows services and driver services) and the running processes of started services. The SCM, services.exe, is automatically started at system boot time and runs in the background. It provides the following functions:
- Maintaining the database of installed services.
- Starting services and driver services either upon system startup or upon demand.
- Enumerating installed services and driver services.
- Maintaining status information for running services and driver services.
- Transmitting control requests to running services.
- Locking and unlocking the service database.
2. Service program: A program that provides executable code for one or more services.
For a windows service, it is usually a standalone exe or a dll file implementing the interfaces required by the SCM. A standalone exe can run in its own process (the service type is SERVICE_WIN32_OWN_PROCESS), while a dll requires a host process to run it (the service type is SERVICE_WIN32_SHARE_PROCESS). The most famous windows service host exe is svchost.exe. Run the command "tasklist /svc" and you can see that many services reside in this process.
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     528 N/A
csrss.exe                    600 N/A
winlogon.exe                 624 N/A
services.exe                 668 Eventlog, PlugPlay
lsass.exe                    680 PolicyAgent, ProtectedStorage, SamSs
vmacthlp.exe                 836 VMware Physical Disk Helper Service
svchost.exe                  852 DcomLaunch, TermService
svchost.exe                  928 RpcSs
svchost.exe                 1024 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                 EventSystem, FastUserSwitchingCompatibility,
                                 helpsvc, lanmanserver, lanmanworkstation,
                                 Netman, Nla, Schedule, seclogon, SENS,
                                 SharedAccess, ShellHWDetection, srservice,
                                 Themes, TrkWks, W32Time, winmgmt, wscsvc,
                                 wuauserv, WZCSVC
svchost.exe                 1068 Dnscache
svchost.exe                 1112 Alerter, LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1508 Spooler
For a driver service, the service program is a .sys file, which should follow the Windows Driver Model to implement the required driver functions. How it is started depends on its start type: SERVICE_BOOT_START and SERVICE_SYSTEM_START drivers are loaded and started during boot and kernel initialization, while SERVICE_AUTO_START drivers are started by the SCM.
3. An Installed Service: A registry entry defined to represent a service, with several attributes like name, description, startup type, path of the service program, etc.
4. Database of Installed Services: The SCM maintains a database of installed services in the registry. The database is used by the SCM and by programs that add, modify, or configure services. The registry key for this database is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. An initial copy of the database is created when the system is installed.
This key contains a subkey for each installed windows service and driver service. The name of the subkey is the name of the service. Under each service key, there are values that define the service's characteristics, such as service type and start type.
5. Service configuration program: A program that queries or modifies the services database. Service configuration programs use functions that open the database, install or delete services in the database, and query or modify the configuration and security parameters for installed services. Service configuration programs manage both services and driver services. An example of a service configuration program is "sc.exe".
6. Service Control Program: A program that starts and controls services and driver services. Service control programs use functions that send requests to the SCM, which carries out the request. Examples of service control programs are "msconfig.exe" and "services.msc". "sc.exe" can also be called a service control program, since it can start/pause/stop services.
Please note that "msconfig.exe" and "services.msc" can only control user-mode windows services, while "sc.exe" can be used to control both user-mode windows services and kernel driver services.
Here is a simple graph to demonstrate the relationship among the above concepts.
Before ending this section, let's compare windows services and driver services, as shown in the table below.
| | Windows | Driver |
|---|---|---|
| Access | User-mode | Kernel-mode |
| Service program | Standalone | .sys |
| Service | SERVICE_WIN32_OWN_PROCESS | SERVICE_KERNEL_DRIVER |
| Start | SERVICE_AUTO_START, SERVICE_DEMAND_START, SERVICE_DISABLED | SERVICE_BOOT_START |
| Service | Registry | Registry |
| Service Configuration Program | sc.exe | sc.exe |
| Service Control Program | msconfig.exe, services.msc, sc.exe | sc.exe |
| Service Control Manager | SCM(services.exe) | SCM(services.exe) |
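The service type and start type stored under each service key (item 4) decide whether an entry is a windows service or a driver service and whether it is started before the SCM runs. The following added example, which is not part of the original post, decodes those two values from text in the layout printed by "reg query HKLM\SYSTEM\CurrentControlSet\Services /s". The sample input is constructed, ExampleFlt and OddSvc are made-up service names, and the numeric values are the constants from winnt.h.

```python
import re
# Type is a bit mask, Start is an enumeration (values from winnt.h).
SERVICE_TYPES = {0x001: "SERVICE_KERNEL_DRIVER", 0x002: "SERVICE_FILE_SYSTEM_DRIVER",
                 0x010: "SERVICE_WIN32_OWN_PROCESS", 0x020: "SERVICE_WIN32_SHARE_PROCESS",
                 0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPES = ["SERVICE_BOOT_START", "SERVICE_SYSTEM_START",
               "SERVICE_AUTO_START", "SERVICE_DEMAND_START", "SERVICE_DISABLED"]
KEY = re.compile(r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
VAL = re.compile(r"\s+(.+?)\s+(REG_\w+)\s*(.*)$")

# Constructed sample input; ExampleFlt and OddSvc are made-up names.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    Start    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleFlt
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OddSvc
    Type    REG_DWORD    0x110
    Start    REG_DWORD    0x1
"""

def parse_services(text):
    """Return {service name: {value name: data}}; deeper subkeys are skipped."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = KEY.match(line.strip())
            current = services.setdefault(m.group(1), {}) if m else None
        elif current is not None and (m := VAL.match(line)):
            current[m[1]] = int(m[3], 16) if m[2] == "REG_DWORD" else m[3]
    return services

def classify(values):
    """Decode Type/Start into (kind, type names, start name, note)."""
    stype, start = values.get("Type", 0), values.get("Start", -1)
    is_driver = bool(stype & 0x003)
    names = [n for bit, n in SERVICE_TYPES.items() if stype & bit]
    start_name = START_TYPES[start] if 0 <= start < 5 else "unknown"
    early = start in (0, 1)  # boot/system start happens before the SCM runs
    note = ("loaded before SCM" if is_driver else "invalid: driver-only start type") if early else ""
    return ("driver service" if is_driver else "windows service", names, start_name, note)
```

Calling classify() on each entry returned by parse_services(SAMPLE) gives an inventory of which entries are drivers loaded ahead of the SCM and flags a windows service that carries a start type that is only valid for drivers.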