Windows

Video: Five services you can turn off in Windows XP

Running unnecessary Windows XP services can increase your vulnerability to exploits that might use those services as attack vectors. In this IT Dojo video, Bill Detwiler, Head Technology Editor, discusses five services that you should consider turning off and shows you how to disable them.

Running unnecessary Windows XP services can increase your vulnerability to exploits that might use those services as attack vectors. Disabling unnecessary services can be an important step in securing Windows XP. However, the typical Windows XP system has more than 80 services. Knowing which ones you can safely turn off can be tricky.

In this IT Dojo video, I show you how to disable Windows XP services and discuss the following five services that you may want to disable:

1. Simple File Sharing

2. SSDP Discovery Service

3. Universal Plug and Play Device Host

4. Telnet

5. Windows Messenger Service

The five services I mention in this video are just the beginning. Our download, "Windows XP services that can be disabled," contains a complete list of Windows XP services that can be disabled. This reference sheet lists each Windows XP service, describes each service's function, specifies whether you can safely disable the service, and outlines the ramifications of doing so.

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

80 comments
theonlyrealpersonhere
theonlyrealpersonhere

TOTALLY UNWATCHABLE! Glitch, glitch, glitch. Can't hear a word the man is saying. If you're going to do this sort of thing then either:- (A) Get a server that can deliver the stream continuously, or (B) Deliver a video viewer that can continue buffering the stream whilst on pause. This sort of thing really is not very good for your CREDIBILITY. After all, here you are lecturing us all about how we should be doing things when your own service leaves something to be desired. Something like COMMUNICATION.

PrinceGaz
PrinceGaz

I can list at least 20 services most home users can disable (or set to manual instead of automatic startup) in XP SP3. I've deliberately excluded services which in SP3 are now by default set to Disabled, or which are needed for some essential features to work (like Windows Update). DIS- Computer Browser (not needed, even with a home network) DIS- Distributed Link Tracking Client (only used for corporate online databases) DIS- Distributed Transaction Coordinator (as above) DIS- Error Reporting Service (unless you want to waste time reporting to MS something crashed, which they'll ignore anyway) DIS- Fast User Switching Compatibility (unless your whole family want to use the computer at the same time) DIS- Indexing Service (more trouble than it is worth, disable the options from My Computer for each drive, before disabling it in services.msc) DIS- IPSEC Services (unlikely to ever be needed) DIS- Net Logon (a deceptive name, not needed for home users) DIS- NetMeeting Remote Desktop Sharing (do you want to share your desktop with some remote user?) DIS- Network Provisioning Service (another corporate related function irrelevant to home users) DIS- QoS RSVP (it has its uses, but none of them apply at home) DIS- Remote Desktop Help Session Manager (remote desktop just screams security risk) DIS- Remote Registry (no. no, no, no.) DIS- Secondary Logon (related to fast user switching, not needed and resource using) DIS- Smart Card (unless you need to use a smart card to logon, of course) DIS- Themes (you can disable this if you prefer the WIndows 2000/Classic look, and save a few MB into the bargain) DIS- Uninterruptible Power Supply (most modern UPS use their own service/software) DIS- Wired AutoConfig (irrelevant to most wired ethernet connections) DIS- WMI Performance Adapter (irrelevant to almost everything) The following three services can normally be disabled but either the first or the other two may be needed by some older online MP games: DIS- TCP/IP NetBIOS Helper Service (rarely needed now, though some older MP games might need this so if they fail- try re-enabling this) DIS- SSDP Discovery Service DIS- Universal Plug and Play Device Host In addition I'd set the following two services to Manual (instead of Automatic) startup as they are unlikely to need to be started by most users: MAN- Logical Disk Manager MAN- WebClient (this might be needed for MS WebApps which is why I wouldn't disable it) But why stop there? If you are using a hardware router to share your home internet connection (far better than using Windows ICS), and not using the Windows Firewall (hopefully no-one here relies on it), the following two services can go: DIS- Application Layer Gateway Service DIS- Windows Firewall / Internet Connection Sharing If you don't need Windows Security Centre checking if your AV software is up-to-date, or if Auto-Updates are enabled, etc, then disable all three options in 'Change the way Security Center alerts me', then disable: DIS- Security Center If you don't want to share the files or printers attached to this particular computer over your local network (you will still be able to access shared files/printers on other computers) then security can be increased by: DIS- Server If you don't use Wireless networking then: DIS- Wireless Zero Configuration Once you've done all of that, you'll be a lot more secure as there is an awful lot less running behind the scenes. There are even a few more you can disable if you really want to, like 'Windows Time' if you'd prefer to keep the clock correct manually (or alternatively leave it on Automatic but change the address for it to use a different NTP server than MS's if you are paranoid), but I've really covered all the most important services to disable already.

JCitizen
JCitizen

Doing more videos will be a plus as far as I'm concerned; despite the dial up users complaints. Dial up must die! Sheese, AT&T is selling DSL cheaper than dialup in most markets! I would ignore comments from Enterprise support people too; TechRepublic needs more newbie stuff like this to get them thinking about security even if they don't take the advice and configure. Also it will attract more readers. What in the heck is wrong with providing info for newbies? This is a Tech site, not a PHD in Cisco site!

DrunkWithPower
DrunkWithPower

@David Lengel Not "Plug and Play". It says "Universal Plug and Play Device Host". Keep "Plug and Play" on automatic.

ekennedy1
ekennedy1

Videos may be fine when they are very short as with longish videos one forgets earlier items by the time the video is finished therefore a pdf alternative would be more benificial or even just a plain text file article would also be preferred over videos anyday of the week!

Benny7440
Benny7440

This is the third time I try to view/listen to this video and I can't, probably because I'm using a dial-up conn. Do you have a transcribed (written) version of it? My email addrs is: benny7440@yahoo.com Thanks!

brian.catt
brian.catt

Its a damp Whitsun Holiday (memorial day in Bushland?) The video is useful and very clear but by the time I need it I will have forgotten everything - except where I saw it. So the text script linked for instant download and filing on one sheet of paper in a card folder at time of viewing would be REALLY useful to save subsequnet searching. A key part of TechRepublic is how good and intuitively accessible your archive is for later search (intuitive means like Mac software vs.PC. Google versus Windows Search. etc..). Seems you have PC techies with Jobs - like communications skills but not the style :-) Still rare. Keep up the good work. Minor filming problem - nice guy in lumberjack outfit who did this talked too fast for a trainer, but that's the only criticism of the director, info was clear despite Spandau delivery. Windows needs a speed button on Volume Control for less technically au fait of us ... ... or the text script available for download for use at our own speed along with those screen shots would be REALLY useful - as above. Maybe text is no longer used in the US but I am European and can still concentrate long enough to read without continuous visual, audio, junk food and coffee input/stimulus - and the text file will be a lot smaller, as will the resulting technicians, conserving both bits and bites in a virtuous circle ;-) Thanks, Brian Catt

mukeshe98
mukeshe98

so plz send me the new alert

jonathan_armstrong
jonathan_armstrong

If I deactivate SSDP Discovery Service and/or Universal Plug and Play Device Host, will my USB drive be suomatically recognised next time I insert it?

JandNL
JandNL

We only had to disable the first item. We put the two below on "Manual" and disabled the rest some time ago. What other Windows XP services do you recommend disabling? Our PC runs pretty slow much of the time, although we defragment and clean the hard drive frequently.

mikifinaz1
mikifinaz1

Video, Ha! that is for time wasters or people who can't read. With a PDF I get two advantages, I read faster than the video so it doesn't waste my time; and I have a reference resource.

David Lengel
David Lengel

Took you advice,"BAD", lost all audio by turning off 'Plug and Play". This also stopped the use of the following: Logical Disk Manager Logical Disk Manager Admin Service Messenger Smart Card Telephony Windows Audio Windows Driver Foundation-User-mode Driver Framwork. Careful users, check it out before implementing.

Answerfactory
Answerfactory

The "Windows Services you can turn off" article usually lists 10 services ( 10 is a magic number! ). This has been done to death on any number of sites ( including TR! ) such as ZDNet, Digg, Slashdot, and I probably a 1000 others. How about something different? Like Firefox plugins you have to have ( not ! ) .

enfield_john
enfield_john

Turning off services is one of the least mentioned, yet most helpful ways to make Windows less bloated and run faster. Most people are either unaware that they have stuff running in the background or if they do know about them, are afraid to mess with anything they didn't install themselves. These services are multiplied in Vista and are one of the reasons it takes even more RAM to run than XP does. I wish Microsoft would included a flier with every OS listing where the optional services and widgits are, what they do and most importantly, how to turn them off safely if you aren't going to use them. So many computers would run faster if people knew how to do this.

jkiernan
jkiernan

Add me to the list of users not seeing a necessity for video. I can read much faster than watching a video, and time is money.

slm_49
slm_49

This is great, as I am just getting going with Security. This IT DOJO platform is great!

john
john

Right, let's take a look at the services mentioned in the video: Simple File Sharing - provides blanket access to shares without exception? False. By default, a domain-connected system on a network has only two shares with XP Pro SP2: C$ and IPC$ -- both administrative shares that are useful and crucial in many ways to a knowledgable IT pro. I use the C$ share regularly on my network to push out small updates to internally-developed help software, for example, and many client-management suites out there require an administrative share in order to properly work. SSDP Discovery Service - Used to locate PnP devices. Set to manual by default in Windows XP Pro SP2, meaning the point is once again moot. Universal Plug and Play Device Host - Set to manual by default in Windows XP Pro SP2, meaning the point is once again moot. Bill's reasoning? If your devices are already installed, you won't need to have them install anything again. Unfortunately, those of us who work in the real world know otherwise. Domain-connected computers are overwhelmingly operated by individuals with lowered privileges specifically for the purpose of disallowing installation of hardware and software. That is what ACLs are for in the first place. The reason the two aforementioned services are set to manual by default on a system is so that they are still accessible to administrative users who have elevated privileges. In an actual IT Pro environment, disabling these instead of leaving them on manual is done at the risk of the efficiency of the IT department. Down-time is critical in most offices, and having to take a computer down for longer periods to install something as simple as a card reader or a USB drive to back up a user's profile is unnecessarily time consuming. Telnet Service - Are you kidding me? You mean the Telnet service that is already disabled by default on XP Pro SP2? Welcome to the past, Bill. Windows Messenger Service - Once again, this has to be a joke. Telnet is already disabled by default if you are running Service Pack 2-- which any office running XP should be doing anyway-- so this is a fairly moot point. Judging from the PDF list that this video post also links to on TR, I find it interesting that plagiarizing a hack like blackviper is considered a valid technical advice. Not only does the video include already-disabled services (as in already disabled by default in SP2) like Telnet and Messenger-- seriously, guys, what year is this again?-- but the accompanying PDF actually lists things like BITS and Auto Updates as if those are perfectly valid services to disable in a professional IT setting. I'm sorry, Bill, but I have to not only claim that some pretty weak plagiarizing is going on, but that some really bad information is being presented in this video. The services you mention in the video are not critical nor are they going to break a system by disabling them, but with at least a couple of them there is no sustainable argument for disabling something that is already set to manual and only be accessed using an appropriately privileged account is simply overkill and not adding real security. For the possible concerns relating to the services mentioned in the video, better applications for securing a system exist. For home use, simply not running as an administrator account removes the vast majority of attack vectors that aren't already covered by a firewall (which is on by defualt in SP2) and an antivirus/antispyware solution-- many alternatives out there are free for personal use. For professional environments, standard use of firewalls at the point-of-entry from the internet, managed antivirus, and domain-level ACLs are the numbers 1, 2, and 3 things that should be in place for security, regardless of operating system or hardware platform. I understand that I may be coming off a bit strong here, but as the head of IT for a small company I would refuse to hire someone who came into an interview with the information provided in this video if they thought it was a valid security or performance measure for a company network domain. Posting technically questionable material is just bad mojo for the IT Dojo, in my humble opinion.

dancater
dancater

Audio too choppy to understand.

mstrozewski8304
mstrozewski8304

What do you know...These are already turned off in Xp Pro

jtalley
jtalley

That was very helpful. We are creating images for our school and I am going to shut down all 5 services discussed. Thank you

bjb30
bjb30

Thank you. This was helpful.

hans16
hans16

Do not like the video ... Use slides or text! or do not set the help. video very hard to use!

higleym1
higleym1

Helpful. I had forgotten about the Telnet service completely.

akfaka
akfaka

Only one service needs to be turned off. The power switch of your Windows PC. Get a Mac!!!

jdclyde
jdclyde

What is the benefit of killing Messenger? A breakdown of which tweeks are for security and which are for performance would be helpful as well. Also, a transcript in a PDF of the content in the video would be a good addition. Thanks, jd

Darr247
Darr247

> DIS- IPSEC Services (unlikely to ever be needed) Unless you connect to your work through a VPN... many of those use IPSEC.

Darr247
Darr247

That depends... was it recognized before you turned them off? ;-) If not, possibly a GPO was applied to disable it. e.g. http://support.microsoft.com/kb/555324 Also, the DWord ''Start'' located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR in the registry can disble USB drives. (value 4 = disabled; value 3 = enabled).

Answerfactory
Answerfactory

Generally, ( at least for every guide I have read since 1999 ) the last part of an optimization guide covers services that you can disable. Most guides explain what each service does to help you decide whether its safe or not. However, a guide written just to generate Web traffic will not explain things so well.

JandNL
JandNL

Just found the downloadable list. We'll try it!

Answerfactory
Answerfactory

video limits who can access the information and when. Many companies block access to video, its very iffy ( and always slow ) to access on mobile devices. Lets keep it simple and accessible, Tech Republic!

Bill Detwiler
Bill Detwiler

Wow. You offer a scathing assessment of this video and the associated download's advice. While I appreciate a healthy debate and welcome feedback, both negative and positive, I think your overall assessment of this tip's value is slightly off base. Most of your criticisms are rooted in a belief that this tip is targeted specifically at enterprise computers in a domain environment. At no time during the video or in the blog post, do I assert that this tip is specifically designed for enterprise computers connected to a domain. While most of TechRepublic's content is aimed explicitly at enterprise IT, we also provide information that is applicable only in small and/or home offices. Furthermore, we make no assumptions about the software or service packs our readers have installed. Nor, do we presume to know which settings they have changed, whether they have a software or hardware firewall, or if they regularly run Windows XP under the administrator account, which I would argue most non-enterprise users do. We provide guidance when necessary, but it is always the reader's responsibility to determine which tips are appropriate for their environment. As to your concern about plagiarism, if you have specific evidence that this download's content was copied from another source (blackviper's site, Microsoft, or someone else), please send me that evidence through the private message link on my TechRepublic profile page. Plagiarism is a serious offense that we do not tolerate. I think however, that you're overestimating the similarities between our download and other Internet material on Windows Services. Microsoft and a host of other online outlets provide information on disabling Windows XP services. Our download if an original document that offers not only a list of common Windows XP services, but descriptive information about each service and the effect shutting down each service is likely to have on the machine.

Photogenic Memory
Photogenic Memory

If your truly paranoid about Windows security; then try these valid steps that can secure Windows to the point of virtual invulnerablilty. Here goes: 1.) Turn off Terminal Services 2.) Turn off or disable networking cards 3.) Pull out the ethernet cable or PCMCIA card/Cardbus Adapter. 4.) Last but not least; turn power off to PC/Laptop. 5.) You're done and safe an secure in the knowledge that no one can get to your PC remotely unless they come through the window at night and relieve you of your belongings. Special note: Or you could pop in a live ditro or install Linux( w/SELinux installed).

Bill Detwiler
Bill Detwiler

The Messenger Service was can be a security risk for home users. Prior to SP2, the service was enabled by default and allowed Internet spammers to send unsolicited messages to uses without a firewall. Even though Windows XP included a firewall, most home users disabled it. Messenger was such a concern, that SP2 disables it by default. SP2 also enables the firewall. Although Messenger is less of a problem than it once was, it's still worth checking and disabling if not already turned off. For more information on Windows services, check out our download: http://downloads.techrepublic.com.com/abstract.aspx?docid=172521

cboryslawskyj
cboryslawskyj

For sake I cannot read your typing on drive c: and it showed blurring. So I agreed that it is good idea to include PDF for this video content. Or I cannot hear your sound so what about captions? Thanks, CM, CT

PTCapo
PTCapo

Hello there - Was one of the big things in XP SP2 that Messenger was turned off when you installed SP2? JD - I had to shut down messenger back in 2003 because web-based attackes can occur if you leave it on. Basically I was getting hundreds and hundreds of popups - even when I was not surfing the net. I mean HUNDREDS of pop ups - all claiming to want to sell me a fix for the popups! Turns out the fix is to simply disable Messenger service. Messenger service simply allows for you to do net send messages within a LAN

ajohnsto
ajohnsto

I think the videos are a nice addition however I do agree with an earlier post that there also needs to be a text transcript for those who cannot get access to the video or would prefer to read.

john
john

Bill, now you're shifting goalposts to justify the material. You claimed that messing with services could aid in performance or security, and both of those claims are red herrings that have, throughout repeated testing, been shown to be disproportionately miniscule at best and completely false at worst. Making the excuse that you don't assume which service pack a user is running isn't much of an excuse at all-- with Service Pack 3 out for XP it is not unreasonable to either assume SP2 is present or, in cases where it isn't, simply suggest that it be installed ASAP. Updating one's computer is far less risky than fooling with the services list, especially for novice users, and always has been the first step in any platform-agnostic troubleshooting to begin with. As for the excuse about not every reader/watcher not being enterprise level: the companies I run the IT departments for aren't enterprise level either, but they get the same quality of support for their business units because I hold the same standards that an enterprise level head of IT would have toward configuration management, security, and standards. The best foot for any beginner IT people is to have the fundementals down right the first time, so they don't have to unlearn bad habits as they grow in their careers, which is the primary reason I'm so vocally against the type of advice in this article. In everything from desktop support to administration to software development to department management, the fundementals of this article/video are misleading and predicates to bad habits based on misinterpretations of real-world application. If a home office user or small business user wants to improve security and avoid lowered performance over time, then just like with every other multi-user NOS currently in existence the best advice is to not run with administrative (or root) priveleges, keep regularly updated, and don't install anything extra unless it's necessary. That alone would solve the majority of the Windows (and Macintosh, and Linux) security and performance related questions for home office and SMB users. As for your defense against accusations of plagiarism, that's your problem and not mine to figure out whether the similarities are close enough to be considered questionable in terms of originality. The same flawed argument-- that disabling services helps with performance and hardens security-- has been around on the internet since at least the beginnings of the XP launch, and no matter how many times the realities are explained the propagators of the misinformation continue to make excuses and keep spreading the flawed information. Honestly, it's a pity that more writers like Ed Bott don't get more coverage on the topic of services (http://blogs.zdnet.com/Bott/?p=448 ), because his approach is refreshingly candid, testable, supported by actual real-world application scenarios, and weighted evenly on the question of whether or not a given service is useful for being disabled. I can vouch that while the article I point to by Mr. Bott covers Vista, the application of the concepts therein are completely compatible with XP as well (regardless of the Service Pack). I've run similar tests to Mr. Bott's over the years regarding services, including running stress-testing apps under different service configurations, and I have consistently shown on numerous occasions throughout the years that the claims of performance increases are almost totally bogus-- startup times occasionally imiprove, but with no testable desktop performance change-- and security claims are misleading in that almost all of the risks are mitigated by a firewall in the first place. If you seriously continue to disagree on this issue of disabling services, Bill, I'll make you an offer: you choose the services, you choose the benchmarking/testing software, and I'll perform the tests to those specifications and provide complete documentation for the entire experiment to you. If you like, I can even provide to you a brief summary and commentary of the tests as they are performed, the basics of what is being tested in each case, and ultimately what the results mean in a clear and understandable language. I can provide it for you easily-- screenshots, statistics, and summaries for each service configuration you choose. I'd even happily sign all of the results over to you so that you don't even have to reference my name if you so choose to publish the material at a later date, because the principle of promoting accurate and relevant information is more important than my ego. So, now the offer is there, Bill. I'm not only pointing out what I see as flaws this time-- I'm also offering to you a reasonable, testable, documentable compromise to put to the test the very concepts put forth in the video and accompanying article and document. I'm willing to put my figurative money where my mouth is on this issue because I've consistently had the same results over the last six years I've vetted this subject. There are specific cases where disabling the basic functions of an operating system are warranted, but as a general all-purpose rule the approach should address the sources of risk or the underlying causes of bottlenecks, not treating a network operating system as one might a disk operating system of fifteen years ago.

NickNielsen
NickNielsen

Well, it is two years old. Now to the meat of the response. [u]Turning off services = GOOD[/u]. When the services in question provide back doors around your anti-virus and firewall–and some, like UPnP, do–those services are the last thing you want running. For other services, if you aren't using them and they aren't essential to Windows operation, why even have them enabled? They increase boot time and provide one more vector for system crash or compromise. As for the rest of your argument, do you expect a PC tech to be able to do your job? Why then, do you expect graphic artists to be able to do a PC tech's job? Hire a tech to do the work for you so you can concentrate on your graphics and business without having to worry about the PCs. Disclaimer: Yes, I'm a PC tech. But I don't know anybody in Los Angeles. Snark: Howinell did you find this? It's been dead for two years!

JCitizen
JCitizen

Comodo Firewall Pro, I agree. Best dang firewall I've used short of a hardware one!

CreativeBlue
CreativeBlue

This is a harmful, way-out-of-date article. Maybe when people tried to run XP with 64 MB it was current, but the average machine sold today has 1 GB, enough to run a nuclear submarine, so there's no performance gain, and anybody who doesn't run a third party firewall (XP's only keeps the critters out, but won't do a thing to the critters who phone home) plus a serious anti-virus as well as SpyBot+Tea Timer (the model for Vista's poorly-executed knock-off, Windows Defender) is Asking For It, and this article will just encourage them to crash their machines sooner. As for enterprise level or small-shop: two weeks ago, we opened a new graphics design firm. Just before our LAN server came online in conjunction with our design firm's upgrade to all Adobe Master Collection CS3e with Version Cue, we looked at all the machines in the studio and discovered that out of seven very expensive new PC's (Vista, XP SP2, XP SP3), only 2 had both anti-virus and/or spyware installed and only 1 (mine) were running anything more serious than the Window's firewall (one guy was running with a non-password'd admin account). And two machines spent a couple dozen hours being reformatted and software reinstalled because they were on the company outside Internet line for a couple of hours before we pulled the plug. All of these PC owners are professional computer graphics professionals, who haven't the sense to install anti-spyware, and you're telling them to TURN THINGS OFF? Are you crazy? If you live in a hermetically sealed box, fine, shut off what you want; otherwise, leave the services be. Period. And for Gh*d's sake, use a commercial firewall. Oh, I didn't watch the video. I can read a lot faster than you can talk, thanks.

CreativeBlue
CreativeBlue

This is a harmful, way-out-of-date article. Maybe when people tried to run XP with 64 MB it was current, but the average machine sold today has 1 GB, enough to run a nuclear submarine, so there's no performance gain, and anybody who doesn't run a third party firewall (XP's only keeps the critters out, but won't do a thing to the critters who phone home) plus a serious anti-virus as well as SpyBot+Tea Timer (the model for Vista's poorly-executed knock-off, Windows Defender) is Asking For It, and this article will just encourage them to crash their machines sooner. As for enterprise level or small-shop: two weeks ago, we opened a new graphics design firm. Just before our LAN server came online in conjunction with our design firm's upgrade to all Adobe Master Collection CS3e with Version Cue, we looked at all the machines in the studio and discovered that out of seven very expensive new PC's (Vista, XP SP2, XP SP3), only 2 had both anti-virus and/or spyware installed and only 1 (mine) were running anything more serious than the Window's firewall (one guy was running with a non-password'd admin account). And two machines spent a couple dozen hours being reformatted and software reinstalled because they were on the company outside Internet line for a couple of hours before we pulled the plug. All of these PC owners are professional computer graphics professionals, who haven't the sense to install anti-spyware, and you're telling them to TURN THINGS OFF? Are you crazy? If you live in a hermetically sealed box, fine, shut off what you want; otherwise, leave the services be. Period. And for Gh*d's sake, use a commercial firewall.

john
john

Bill, the article you link to makes the claim about performance, and as I said your claim regarding security is a misleading red herring. Disabling the service is not going to increase the security, only removing or blocking access to a service is going to increase security. You may have missed it in my last post, but I did address the security issue-- a firewall, not running as admin, and up-to-date patches are the way to keep a secure system. For example: Trying to obscure the access to the services by disabling them is meaningless when a simple script can set them to manual and start them up again. Name your service and any number of people (including myself) could write you a script to start it up easily and hide it in a jpeg or even inside another executable file with minimal effort (or even from a remote computer depending on the level of security on the target). Instead, having proper ACLs and a simple firewall running will mitigate the ability of such a script to be run against the system, either accidentally by the user or externally by a remote attacker. Examples aside, what I'm basically saying is that disabling services for the sake of security alone is simply obscuring the access to the services, not removing the access to the services. Security through obscurity is barely security at all. But there's a more important reason to warn against disabling services as a common method or practice (except in specific scenarios involving specifically reducing the capabilities of a system for a purpose): potential risk to usability and self-sabotage to your own system(s). If User A decides to disable services on his system and doesn't see any immediate negative reactions after a restart, it won't take long for the specific service changes to be either partially or totally forgotten. However, within that day, the next day, or possibly even a week or month from that day, when User A tries to use a capability of the OS or some third-party software and experiences a problem, the likelihood is high that the disabled services will not be one of the things User A checks before the regular troubleshooting. Sure, someone might try to convince themselves that they'll keep that in mind, but if I had a dollar for how many times I've helped someone figure out they screwed themselves by disabling a network-related or usability-related service and had to change it back to be able to use the computer how they wanted... well, I'd probably only have about $150 USD, but the point is that the practice of disabling services, whether you think it'll increase performance or security or whatever-- maybe you just want to feel like a tinkerer and disable something innocuous-- is simply a bad idea nine times out of ten. So if you agree that there are no performance increases, then let's examine the security. None of the services you mentioned in your article are security-specific, since the ones that could even be arguably so are already off by default. Do you have any valid services that are on by default that you'd like to claim could or should be disabled? You're not increasing security on a system by disabling PnP, you're simply adding an extra step (or steps) in the eventuality that some peripheral needs to be installed-- remember, in your goal-shifted scenario of an SMB or home office user, these people would be adding or removing things themselves with no IT department to handle their service requests. So Mr. CPA in his home office who just followed your instructions for disabling PnP doesn't realize that he can't just plug a new USB flash drive in and go until three months down the line when a friend stops by with some photos and he can't get his computer to recognize his friend's flash drive. He might blame his "stupid computer" or maybe Microsoft or some other possible culprit for the failure of his computer to work like he expected, but in reality the only person he'd have to thank was you. Or in another scenario, College Kid is finishing up his summer job as a 'computer guy' support for his uncle's small widget-making business, where College Kid decided it would be a good idea to follow your instructions in your video to help secure his uncle's business (a real go-getter). College Kid heads back to school and two months later his uncle buys a fancy new plotting device for his production floor. Unfortunately for uncle, half the computers can't connect to the plotter at all and the ones that manage to be able to connect require a bunch of steps that aren't located in the manual and don't work for every computer in the business (after much futzing around and calls to the plotter's technical support line). So, College Kid's uncle finally has to spend extra money having some local tech support service come out and manually connect each computer to the plotter in order for it to work. To make matters worse, the next time CK's uncle buys another device, he's doomed to face the same costly conundrum. Of course, all that credit for the unnecessary time and money spent by College Kid's uncle goes completely to you. Why am I focusing on the PnP services you mention and not the others? Because the others have been off by default on XP configurations for nearly three years. A simple Service Pack update solves the question of services more reasonably for the end-user, as well as applying a number of critical software patches and security bug-fixes, both of the latter being far more crucial to proper security practices than disabling any service. So, you may think I didn't address your claims about security, and you may really believe what you say when you accuse me of such, but considering I already stated from the start that any given user of XP should be operating at least on SP2 (go ahead and re-read my first post)-- which isn't demanding bleeding-edge updates but also is pointing out a need for a reasaonably updated state-- your attempts to dodge the points I did address regarding security make me doubt your credibility on the topic of security. Attempting to shy away from the more in-depth enterprise methods of handling it was your first mistake, since the simpler methods for smaller, more personal environments are still superior to using the disabling of services like SSDP Discovery or UPNP Host (which are already set to manual and don't start with the system). Your bigger mistake, however, is in failing to admit that you weren't aware that two of the five services you listed have been disabled by default on vanilla XP for years and that SFS does not give "blanket access" to shares. The least you could have done was acknowledge that the presentation of your case in the video is misleading in that it doesn't specify those services are off by default.

Bill Detwiler
Bill Detwiler

According you, I claimed that disabling Windows XP services would improve performance. "You claimed that messing with services could aid in performance or security," you wrote. However, you dedicated nearly all of your response to the issue of performance. You cite an Ed Bott article on TechRepublic's sister site ZDNet as proof that disabling Windows services does little, if anything, for performance. You even offer to submit benchmark tests to validate your assertion. For once, I'm inclined to agree with you. There's just one problem. You're arguing against a point I never made. If you read the blog post or watch the video again, you'll find no reference to improved performance. I never made that claim.

The 'G-Man.'
The 'G-Man.'

that was the point I was trying to make.

Editor's Picks