Larry Osterman's WebLog

Confessions of an Old Fogey
Applet Mitigations - Services.


As a senior developer at Microsoft, you often find yourself participating on a number of v-teams.  One of the v-teams I'm on is responsible for approving new services added to Windows.  As I've mentioned before, I'm a nutcase about stuff running on my machines, and services are absolutely among the things I care about passionately.  As a part of my work on that v-team, I wrote this little bit up a couple of years ago (it's been edited slightly to remove proprietary information):

I've been sitting watching the <new services v-team> process for a couple of months now, and I've seen a number of trends that concern me.

Every single new feature (and it seems like there have been thousands of new features) seems to require its own service to perform operations.  Don't get me wrong - it's wonderful that these functions are running as services and not as separate processes.

But every single one of the new services that I see being requested is enabled on all SKUs of Windows.  All of them, it seems.  And they're all auto-start.

The <new services v-team> has done a terrific job of reducing the number of own-process services that are running.  That's truly awesome, and it's great for our customers.

But I don't think that they're going far enough.  We need to take a harder line on our services.  Because even if multiple services are hosted in a single process, each of them still burns at least one thread.  And that thread consumes working set.  And it affects startup time.  And if your code has memory (or GDI/User object) leaks, it can render computers unusable.  The other thing to consider is that every running service in Windows increases the Windows attack surface.

In Windows XP, we had 40ish services on a running system.  We've got almost twice that on a default Vista install these days (assuming my test machine is a default Longhorn install).[1]

Now I appreciate that everyone's feature is critical for their customers, but I'm wondering if they're all necessary for all customers.  Do you REALLY believe that your code is going to be used by every single one of the nearly a billion users of Windows?  Is your service going to make every single one of those billion people's lives better?  If your service isn't, then maybe every one of those billion people doesn't need to be running your code.

As I've said, I've been thinking about this for a while, and I think I've got a few things that should be considered when you're trying to figure out if your service really needs to be installed.

First off, I know that your feature is the most important thing you're doing, but that's true for every single one of the developers working on the Windows product.  We can't all be number one, so think very seriously about the relative importance of your feature.

If your service is auto-start, is it REALLY necessary?  Will every user of Windows achieve positive benefits from your service?

If your service is tied to a piece of hardware, does your service need to be running if the hardware isn't present?  Can you tie the service to the installer for your hardware?

If your service is tied to a particular UI, and the user never invokes your UI, is your service doing the user any good?  Can your UI start the service if it's not running?

Does your service REALLY need to be enabled and auto-start (even auto-start-delay) on every SKU?  Really?

How is your feature/service discoverable?  If your feature isn't easily discoverable, does the service that supports that feature really have to be run until the user discovers your feature and starts to use it?

Now for some services this is clearly the case.  But for a huge number of the services that we've been coming up with, it's equally clearly not.

Even my own service, Windows Audio, doesn't meet all of these criteria.  I'd be more than willing to have the service be manual start unless there's an audio card present, and to change the installer for audio adapters to enable the service.  Because on a machine without audio hardware, there's no point in the service running until the hardware arrives.  There IS one important scenario where it's important to have the Windows Audio service running: that's Remote Desktop - when running a remote desktop, even if the server doesn't have audio hardware, we can still play audio using the TS client's audio hardware.[2]

But that's a relatively weak scenario.  And I'd be willing to change it (or work to change the remote desktop service to ensure that the audio service is started when a client connects).  Are you?

This all is a bit of a digression - it's not about mitigations, it's about the hard decisions you should make when thinking about adding services, but it's worth publishing anyway.

So how do you mitigate services?  First off, combine like services into a single process.  That way, instead of taking two processes, you only consume one process (see my earlier post where I listed the costs of a process). 

Secondly, as I indicated above, consider making your service a manual start service that's triggered by some UI action.  Unless there's a real need for your service to be running all the time, let the UI (or an API if your service surfaces an API) start your service.

Third, seriously consider making your service a delayed auto-start service - this is functionality new in Vista/Windows Server 2K8 that allows the service controller to delay starting your service so it doesn't interfere with boot time[3].

In addition, seriously consider how much time you spend in your service's start routine.  The less time the better (especially if you're an auto-start service).  The less work you can do before reporting that your service has started to the service controller, the faster the system will boot.
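One way to check a machine against the mitigations above, as an added example that is not from the original post: a read-only PowerShell audit that lists auto-start services, whether each one is delayed auto-start (the DelayedAutostart registry value under the service's key), and how the running shared-process services are grouped per host process. The function name Get-AutoStartServiceAudit and the column names are assumptions made for this example.

```powershell
# Added example (read-only): audit auto-start services against the mitigations above.
function Get-AutoStartServiceAudit {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode = 'Auto'" | ForEach-Object {
        # Delayed auto-start is recorded as DelayedAutostart = 1 under the service's key.
        $reg = Get-ItemProperty -LiteralPath "$svcRoot\$($_.Name)" -Name DelayedAutostart `
                   -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name       = $_.Name
            Running    = ($_.State -eq 'Running')
            Delayed    = ($null -ne $reg -and $reg.DelayedAutostart -eq 1)
            OwnProcess = ($_.ServiceType -eq 'Own Process')
            Account    = $_.StartName
            ProcessId  = $_.ProcessId
        }
    }
}

$audit = @(Get-AutoStartServiceAudit)

# Headline numbers: how much starts automatically, and how much of it competes with boot.
[pscustomobject]@{
    AutoStart      = $audit.Count
    RunningNow     = @($audit | Where-Object { $_.Running }).Count
    NotDelayed     = @($audit | Where-Object { -not $_.Delayed }).Count
    OwnProcess     = @($audit | Where-Object { $_.OwnProcess }).Count
} | Format-List

# Review candidates: services that take a whole process AND start during boot.
$audit |
    Where-Object { $_.OwnProcess -and -not $_.Delayed } |
    Sort-Object Name |
    Format-Table Name, Running, Account -AutoSize

# Shared hosts: how many running auto-start services each host process carries.
$audit |
    Where-Object { $_.Running -and -not $_.OwnProcess } |
    Group-Object ProcessId |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'HostPid';  e = { $_.Name } },
                  Count,
                  @{ n = 'Services'; e = { $_.Group.Name -join ', ' } } |
    Format-Table -Wrap
```

To act on a finding, sc.exe config <ServiceName> start= delayed-auto or start= demand changes the start type; check the service's dependents before changing it.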

 

Tomorrow: Applet best practices - collecting the thoughts of the previous several posts into a single post.

[1] Please note: While there ARE more services in Vista than in XP, this comment is mostly hyperbole.

[2] This didn't happen: the powers that be decided that, since every workstation-class machine with a Vista logo had to have an audio solution, it was OK to keep the audio service as an auto-start service (they also felt that audio was going to be used by every one of those users :)

[3] Yeah, I know - it's a Vista-only mitigation, but it's a good one.

  • "Is there a way around this?"

    Yes, there is. It is called Run As Administrator. Either that or redesign your application so that it doesn't require admin access.

    Larry, I was wondering, why Windows has MSDTC service and why it has to be started even if you don't have any NTFS volumes around?

    May I give you an idea for a next bunch of posts?

    I am annoyed by Recycle Bin, Recycler, and System Volume Information.

    I never delete to recycle bin, I never use system restore (I disable it and the sr service too), but I still get those folders created on my disks.

    There is a shell API IsBitBucketableDrive() which should check the registry and not create recycle bin folders if the drive is marked as non bit bucketable. That doesn't seem to work for some reason so I resolved it by patching the API.

    What is left is that darn System Volume Information folder which has MountPointManagerRemoteDatabase (0 bytes) and tracking.log (usually also 0 bytes). My question is whether it is really necessary for it to exist if I do not have a need for it?

    I mean, isn't it a bad design to scatter folders and files all over _my_ drives? Many new applications now follow suit and create folders and files I never use and there is no way to prevent them from recreating them. With drives getting bigger and bigger, the space is no longer a concern, but I still like my drives to be tidy and organized.

    I would really like if Windows had some way of managing this. Heck, even a simple text file with a list of folder and file names which will not be accepted by CreateFile() and CreateDirectory() would suffice.

  • Oh about services, Apple is shoveling their Bonjour Service (aka mDNSResponder.exe) with almost every recent application they sell.

    Take note that if you use dial-up and you delete it, you might not be able to use Internet because it inserts itself into the LSP stack.

  • Igor and Matthew: I just realized that there's a workaround.

    If you register your COM object as LocalService, you can call CoCreateInstance as a limited user and as long as you have COM launch permissions for the object, the service controller will start your service.

  • Friday, August 24, 2007 12:06 PM by Hob Gadling

    > A case in point is the Windows Media Player Network Sharing
    > Service (WMPNetwk.exe and WMPNSCFG.exe) which is
    > installed by default with WMP11. Unfortunately it keeps
    > running even after turning off media sharing from the UI.

    Thank you very much for this news.  I hadn't had time yet to investigate why Windows Media Player suddenly started to attempt network connections when I wasn't even using Windows Media Player.  And if I recall correctly they're outbound connections, just like malware logging into a botnet, so they don't get caught by Windows XP's default firewall.  Nice to see that there's a UI that I can go hunting for in order to say I want to turn it off, somehow typical to see that it still won't turn off.  Sigh.  Thank you anyway, since the information is useful.

  • Larry,

    You are a gem - we will look into this option. You may have just removed one craplet from the world. :)

    We are using .NET - I assume there is no 'pure' way to do this (ie we will be forced to use COM Interop)?

  • August wrote: "I think it was Windows Update, but I was never sure. Problem is gone now anyways."

    Your suspicion is probably correct. The Register ran several articles a few months ago about Windows Update burning 100% CPU. I observed the phenomenon on several computers, and it seems to be a problem of the past now.

  • After having my CPU almost come to a complete stop when I connected my xbox 360 media edition extender sharing on using wmp11 the file WMPNetwk.exe hogs up to 90% of my quad core system. What gives? Just google that file name and if you think that is bad, wait until you see what Vista does with WMP11 when any system sound or music file is playing > http://blogs.zdnet.com/hardware/?p=702

    I rolled back to wm10 and my Xbox360 is now no longer a media extender like all the hype marketing Microsoft pitches that xbox360 is a certified Media Center extender? They fail to mention that when you are not even sharing, that wmp11 and shares almost your entire CPU power to a very horrible bug that should be registered as certified malware.
