The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation


Q&A: How Do You Make Sure Your Software Is Secure?

What Do You Do Make Sure Your Software Is Safe/Secure?
  We’re conducting an evaluation of your software from a security perspective and have some questions that we’d like to address to ensure it meets our requirements. To start, can you please explain what your company does to make sure that your software and office infrastructure are free of viruses and malware?

— Kimberly Z.

Hi, Kimberly.

Even though we’re a tiny company, security is a big deal around here.

Most importantly, we realize that our number one job is to keep customers like you safe, and that our reputation as a trusted, secure software partner depends on doing that.

But it’s not only about protecting our commercial software. Yes, securing our code is very important, but so are the emails we send, the documents we share and the order information we collect. The truth is that all parts of our business must meet a high standard of privacy and security to fulfill our obligations to the hundreds of companies that have put their faith in us.

So let’s dig into the details of our security program to answer your questions. Here are a dozen things that we do to make sure that we are good stewards of your trust.


1. We digitally sign all our products

When you download a program over the internet, how can you be sure that it’s authentic? That it comes to you straight from the authors — and wasn’t doctored to include a virus or malware?

To make sure that you receive our applications tamper-free, we code sign all our executables. That way when you see our company information prominently displayed, you can rest assured that what you’re installing is valid and intact.

Windows will prompt you with our company information when you’re installing one of our programs:

AlwaysUp is code signed secure software

And you’ll always find our digital certificate when you view the properties of any of our secure software:

Core Technologies Consulting: Digital certificate

We should also mention that our company only deploys higher-grade Extended Validation (EV) code signing certificates, which are subject to additional validation and technical requirements. Because of their stringent requirements, only verified, legitimate companies are granted EV certificates.


2. We virus-check every software release

It’s very important to check for viruses at every stage of the software production pipeline. And, most importantly, the final product must be pristine. That’s why we engage third-party services to verify that nothing strange has crept into our software.

Virustotal — a well-respected online virus-scanning engine owned by Google — is our tool of choice in this area. We run all our applications through Virustotal — and we don’t release if it detects any oddities.

For example, you can see the results of checking Service Protector here. None of the 96 virus scanners found a problem:

Service Protector Virustotal Summary

In addition to Virustotal, we also rely on Download3K. They regularly verify our programs with popular antivirus engines, including McAfee, Avast and Avira.

As you can see below, Download3K’s Service Protector Antivirus Report shows no trouble either:

Service Protector Antivirus Report

Note that in the unusual circumstance where one of the antivirus scanners actually raises a flag with our software (or site), it usually turns out to be a false alarm. To resolve the issue, we promptly report the details to the antivirus manufacturer and they update their scanners to fix the problem. That happens once or twice a year — often after we publish a new release.


3. We’re trained in secure coding practices

We're trained in the OWASP Top Ten

Our team of senior engineers is well versed in secure coding techniques. Indeed, we’ve seen a lot of exploits over the past 20+ years!

But new threats are constantly emerging and resting on our experience is not an option.

To keep us on our toes, regular developer training focuses on the OWASP Top Ten and covers common issues like:

  • Buffer overflows
  • SQL injection
  • Input validation and sanitization
  • Cross-Site Scripting (XSS)

Everyone on the technical team must participate.


4. We review 100% of our code for security issues

We do security code reviews

With our deeper understanding of the pitfalls associated with developing secure software, all code changes must be double-checked for quality, accuracy, and security before committing the updates to our repository. Quite often, that second look identifies edge cases which we must cover prior to release, so it’s well worth the investment.


5. We keep third-party libraries up to date for security

We update third-party libraries for security

As part of good software hygiene, we regularly update third-party libraries and tools to fix relevant security vulnerabilities. All dependencies are checked at least once per year.


6. We patch our computers regularly

We patch our computers regularly

While bulletproofing our code is essential, it’s just as important to secure the supporting systems. That’s why we make it a point to apply operating system patches on a regular basis.

In general:

  1. Patches to fix critical vulnerabilities are applied as soon as possible — automatically if possible and usually within 30 days.
  2. On Linux, high, medium and low vulnerabilities are addressed as part of quarterly updates.
  3. We update Windows machines at least monthly (after Patch Tuesday).

7. We protect all our PC’s with auto-updating antivirus software

All our Windows machines are protected by Microsoft Defender Antivirus, often in conjunction with well-known anti-malware packages like Avira Free Antivirus or Malwarebytes.

Windows security virus and threat protection

Virus definition files are updated automatically and manual scans are performed at least once per year (and whenever anything suspicious happens).


8. Everyone attends annual security training

Everyone takes Data Security and Privacy training

Each year, our entire staff must attend information security training. The most recent sessions focused on the major threats and defenses relevant to online businesses, including:

  • Phishing
  • Password hygiene
  • Multi Factor Authentication (MFA)
  • Ransomware
  • Data security and privacy

Side note: If you’re looking for free, high-quality security training modules for your small business be sure to check out Cyber101.com. Their courses are friendly and concise — and the short quizzes after each module do a good job of measuring the learning.


9. We subscribe to industry security alerts

We subscribe to CISA alerts

It’s important to be aware of the threat landscape and get an early warning of what other businesses are facing. That’s why we subscribe to several well respected security sources, which keep us in the loop on cyberattacks, ransomware and much more.

Our team relies on timely alerts from:


10. We’re trained in the ISO 27001 information security framework

Certified ISO 27001:2022 ISMS Lead Implementer Training

In 2025, the chief security principal at Core Technologies Consulting completed Certified ISO 27001 ISMS Lead Implementer Training. The in-depth, 3-day course focused on designing an information security management system (ISMS) and a framework for its continual management and improvement.

The knowledge obtained from the coursework guides our corporate activities — pushing us to maintain confidentiality, integrity and accuracy in everything that we do.


11. We’ve documented (and enforce) our data privacy obligations

We've documented our privacy obligations

Core Technologies Consulting is committed to protecting your privacy. We will never sell, market or abuse your information.

In fact, the limited information we collect when you purchase our software (name and email address) is used only to process your order, notify you of your order status, and assist you after your purchase. Please see our privacy policy for additional details.


12. We’ve created an information security program

We've created an information security program

Even though we’re a tiny company, we felt that it was important to create an information security program to guide our work.

All employees and independent contractors must read, acknowledge and abide by our ISO 27001-aligned information security policy. We do that because we understand that information security decisions extend well beyond the bounds of the IT department. Everyone is responsible for security.


Hopefully this gives you a better understanding of how we infuse security best practices throughout our company. Thanks again for your question, and, of course, please be sure to get in touch if you have any other questions about our security posture or practices.

Posted in Company | Tagged , , , , , , , , | Leave a comment

Essential Windows Services: Windows Time / W32Time

Windows Time Service

What is the Windows Time (W32Time) service?

The Windows Time service (W32Time) implements the Network Time Protocol (NTP) specification to synchronize the date and time of computers managed by Active Directory (AD).

It may not be obvious but keeping the clock accurate and synchronized with the rest of the domain is an essential task. That’s because modern authentication methods (like Kerberos V5) may fail when networked machines are not coordinated. As such, W32Time plays a key role on computers joined to Active Directory. Otherwise, it’s not really important.

The Windows Time service runs as LocalSystem inside the service host process, svchost.exe:

W32Time Windows Service

And because the service doesn’t need to run all the time on most systems, it’s often classified as Manual (Trigger start). In that case, it only wakes up to run if:

  1. a program or another service asks it to start, or

  2. whenever a one or more Windows “trigger” events occur.

Indeed, if you examine the trigger events with our free Service Trigger Editor utility, you will see that Windows will launch the service whenever “the computer joins a domain”:

Windows Time Service Triggers

That makes sense. When your PC joins a network, Windows Time jumps into action and synchronizes your clock if you’re connected to Active Directory. Afterwards, it stops and waits for the next network-join event or request to start. It’s a much more efficient way to operate versus starting at boot and running 24/7.


What happens if I stop W32Time?

If you’re working in a home environment or without Active Directory, not much will happen if you stop the Windows Time service. In fact, most of the time you will find that the service is idle on your computer.

And even if you’re in a corporate environment with networked PC’s, temporarily stopping W32Time should be fine. If it’s needed by a program or another service, they will simply start W32Time.


Is it OK to disable the Windows Time service?

It’s fine to disable the Windows Time service if your computer isn’t joined to Active Directory. But don’t expect a huge, CPU-saving impact because the service doesn’t spend much time running in that situation anyway.

However, if your computer is joined to Active Directory, you should keep the service active. You don’t want to have any trouble signing in to your PC!

In any case, if you insist on disabling the service you can do so the conventional way — by setting the Startup type to Disabled in the Services app:

Disable the Windows Time Service

After you make that change, no person or program will be able to start W32Time. It will be inert.

But if that’s not good enough and you really want to get rid of the service, you should run W32tm /unregister from an elevated command prompt. That command will stop the service (if necessary) and uninstall it from the list of services. Afterwards, Windows Time will be completely gone from your system.

Don’t worry; if you change your mind and the Windows Time service becomes your friend again, simply run W32tm /register to restore the service. You’ll be good to go.


Questions? Problems?

If you would like to know more about the Windows Time service, or you have a specific problem, please feel free to get in touch. We’ll do our best to help you!

Posted in Windows Services | Tagged , , , , | Leave a comment

How We Control Our AlwaysUp Applications From ChatGPT

How We Control Our AlwaysUp Applications From ChatGPT

Why integrate with AI?

The current generation of Artificial Intelligence (AI) is rapidly evolving. Indeed, we’ve moved from playfully going back and forth with conversational chatbots to relying on adept autonomous agents at breakneck speed.

And like every other software development shop on the planet, we’ve been thinking about how these astonishing new technologies will impact our corner of the world. In particular, can AI help our customers get more value from our professional products?

In our view, the answer to that question is a resounding “yes”. Even though it’s still early days, we anticipate a state where natural language will be the primary interface for most software, even desktop applications like ours. Why click when you can speak?

With that in mind, this article discusses one technique to bring AlwaysUp — our popular run-anything-24×7 tool — into the AI world. We’ll show how we connected AlwaysUp to OpenAI’s ChatGPT, so that we can effortlessly check, start or stop our applications from a chat interface. You’ll see how this work allows us to have conversations that take action, like this:

Start Google Drive from ChatGPT

Cool, right?

What does integration look like?

The “bridge” between ChatGPT — which runs in the cloud — and AlwaysUp — which runs on your computer — is our free AlwaysUp Web Service tool. When everything’s in place, we communicate with ChatGPT, ChatGPT tells AlwaysUp Web Service what to do and AlwaysUp Web Service manipulates our AlwaysUp applications.

This is what the final arrangement looks like:

ChatGPT driving AlwaysUp Web Service

The next section recounts how we implemented this solution.


How we connected AlwaysUp and ChatGPT

Step 1: Installed AlwaysUp Web Service

First, we installed AlwaysUp Web Service. We downloaded the installer, ran it, and followed the straightforward prompts to complete the deployment. It only took a minute to do that.

In the settings, we enabled HTTPS because it will be needed to communicate securely with ChatGPT later on:

HTTPS enabled in AlwaysUp Web Service

Step 2: Allowed AlwaysUp Web Service through the firewall

Next, we relaxed the computer’s Windows firewall rules to permit AlwaysUp Web Service to receive network traffic:

AlwaysUp Web Service allowed through the firewall

Step 3: Generated a SSL certificate for AlwaysUp Web Service

At this point, we generated a SSL certificate for our computer hosting AlwaysUp, auws.coretechnologies.com.

Afterwards, we copied both the SSL certificate and the key into the AlwaysUp Web Service certificates folder, overwriting the “certificate.pem” and “certificate-key.pem” files already there:

SSL certificate files installed

Doing so instructed AlwaysUp Web Service to use our new certificate the next time it started.

Step 4: Configured networking

To receive instructions from ChatGPT, AlwaysUp Web Service must be accessible from the Internet. Of course, there are several ways to do that, but for our situation we:

  1. Set up a port forwarding rule in our router to map port 443 to port 8585 on the machine where AlwaysUp Web Service is running:

    Port forwarding configured
  2. Created a DNS A Record for auws.coretechnologies.com that points to the IP address of our router:

    DNS A record created

Those adjustments created a “tunnel” from the Internet to AlwaysUp Web Service. Afterwards, we were able to connect to the site from a web browser:

Connected to AlwaysUp Web Service

Almost there!

Step 5: Plugged AlwaysUp Web Service into ChatGPT

Next, we switched context to ChatGPT and deployed a new general purpose Custom GPT to interact with AlwaysUp. Even though that wasn’t necessary — using an existing GPT would have been fine — we thought it best to test in an isolated environment.

New Custom GPT created

To tell the GPT how to call AlwaysUp Web Service, we added a new Action. As shown in the next screenshot, we specified:

  • No authentication (we’ll handle that later)

  • The OpenAI schema for AlwaysUp Web Service (which was generated by ChatGPT itself from our published documentation!)

  • The URL of our privacy policy (required for publicly accessible GPT’s)

New GPT action added

You can see that the GPT discovered three endpoints — used to start, stop or get the status AlwaysUp applications.

However, when we tested the integration with the buttons at the bottom of the form, the operation failed because the password that ChatGPT used was incorrect. In any event, the GPT recognized the problem and was smart enough to request the password:

ChatGPT failed to get application status

Fortunately, the request succeeded once we supplied the MD5 hash of the password:

Get application status succeeded

At this point, it looked like we were all set. We confidently deployed the GPT to make it available to our team.

In the next section, we’ll take a look at how we’re using the integration today.


Examples of working with our AlwaysUp applications from ChatGPT

With ChatGPT involved, it’s now super easy to check what applications are running in AlwaysUp:

Checking running applications from ChatGPT

You can see that stopping an application is just as straightforward:

Stopping an AlwaysUp application from ChatGPT

As is starting an application:

Starting an AlwaysUp application from ChatGPT

Furthermore, the AI is smart enough to string together a stop and a start when asked to restart:

Restarting an AlwaysUp application from ChatGPT

To our delight, the new assistant is able to provide interesting information too. For example, it can tell us when an application was last started:

ChatGPT checking application start time

And with a little more information, it will happily compute application uptime:

ChatGPT computes application uptime

Apparently the GPT can also interrogate AlwaysUp’s settings because it’s able to report the correct Windows user account hosting an application:

ChatGPT reports user account information

So far, we’ve very, very impressed!


Your thoughts?

So what do you think about using AI with our products? Do you look forward to improvements and should we be pushing more aggressively in that direction? Or do you plan to limit your encounters with machine learning for as long as possible?

And if you’re on board with AI, what engines do you favor? At this point, neither Google Gemini nor Meta Llama offer the flexible integration points to make the work above possible, but that will surely change as the technologies evolve.

We’d love to hear your thoughts, so please share your impressions in the comment section below.

Posted in AlwaysUp Web Service | Tagged , , , , , , | Leave a comment

Q&A: Can I Group My Applications in AlwaysUp?

Can I Group My Applications in AlwaysUp?
  We are a licensed customer of AlwaysUp and its a great help to our services.

However one of the things I want to be able to do is “group” services into a logical set. That way you can see which services belong together visually in AlwaysUp, and more importantly you can start or stop all services in a group either through user interaction or through the AlwaysUp CLT. Also, when defining services through the CLT or XML, we’d like to set the group to fit into.

Do you think this is something that can be accommodated in a future release or something that may be even there right now and I can use? It will be useful for our product because it has a number of different services that need to start up together and shutdown together seamlessly.

Let me know. Thanks.

— Mac B

Hi Mac. Great question! It’s easy to see how being able to group your applications and operate on them as a unit is a very powerful capability.

The good news is that AlwaysUp already supports application grouping. It’s implemented through the use of tags, which work in the user interface and behind the scenes in the APIs as well.


What’s a tag in AlwaysUp?

A tag is simply a word or phrase that you assign to an AlwaysUp application. It can be anything you like. The only restriction is that spaces and semi-colons are not allowed.

For instance:

  • group1 is OK

  • group-1 is OK (dashes are recommended for readability)

  • group_1 is OK (underscores work great too)

  • group 1 is NOT OK (spaces aren’t allowed)

  • Group1 is OK (same as group1 because case is ignored)

  • onelongnamethatsnotveryreadable is OK (but long names are discouraged because they’re difficult to work with visually)

  • trading-apps is OK

  • trading;apps is NOT OK (semi-colons aren’t allowed because they’re used to separate multiple tags)

Hopefully you get the idea!

How do I use tags to create groups?

You create groups of applications by assigning tags.

For example, let’s say you’re running four Java applications as Windows Services with AlwaysUp — two for production and two pre-release versions for testing. In that case, tagging the production applications with “production” and the others with “testing” creates two groups, where:

  • The first group contains the two application tagged “production”

  • The second group holds the two applications tagged “testing”

Here’s what that arrangement looks like in AlwaysUp. Notice the Tags column, which shows the values associated with each application:

Java applications tagged in AlwaysUp

To show only the production applications, you would:

  1. Choose View > Filter Pane to show the filter controls

  2. In the Show only applications with tag dropdown, choose production.

The testing applications will fall away to leave the two production entries by themselves:

Applications tagged with production

From there, it’s easy to work with the production applications as a set. For example, you can select them all and restart them together.

Similarly, you can select the testing tag to show only the beta applications:

Applications tagged with testing

This way, it’s easy to handle them as a group — instead of dealing with them mixed in with the production applications.


How to tag an application in AlwaysUp

There are a couple of ways to tag an application in AlwaysUp.

Method #1: Add tags from the Application menu entry

After selecting the services you want to update, choose Application > Tags > Add from the menu:

Add tags to your AlwaysUp applications

In the Add Tags window, type in the tags you want to add. For example, we’re adding the “v2” tag to our production instances here:

Enter the new tags

You can add as many tags as you like there.

Click Next and complete the process. Afterwards, the new tags will show up on your applications, as they did for us:

New tags added

That’s the best way to update multiple applications at once.

Method #2: Add tags by editing your application

If you prefer to update each application individually, you can do so by editing the application. You’ll find the Tags field at the bottom of the General tab, where you can add whatever tags you like:

Edit your application's tags in AlwaysUp

You can edit the field to remove tags there as well.


Tags create groups in AlwaysUp Web Service and AlwaysUp CLT too

Indeed, tags and groups show up throughout the AlwaysUp family of products.

For example, AlwaysUp Web Service prominently displays the tags associated with your applications:

AlwaysUp Web Service shows your tags

(A future version will enable filtering by one or more values.)

Furthermore, to manipulate groups of AlwaysUp applications from third-party applications, developers can employ the AlwaysUp Web Service API. Several of the API methods — including the popular “Get Application Status” function — accept one or more tags as input, as described in the documentation:

The Get Application Status function accepts tags

Since you’re working from the command line with AlwaysUp CLT, you can add tags to your applications using the -tg parameter. That capability is described on page 9 of the user manual.

But if you prefer to work with XML, you can specify tags when installing your applications that way instead:

AlwaysUp XML: The tags node

Whatever works best for you!

Posted in AlwaysUp | Tagged , , , , , | Leave a comment

ServiceCommander 7: Larger Icons, More Services

ServiceCommander 7: Larger Icons, More Services

Hi everyone. This week, our team decided to give our free ServiceCommander utility some love. Here’s a quick roundup of the improvements.


ServiceCommander displays larger icons on the taskbar menu

Previous versions of ServiceCommander displayed 16×16 icons in the tray menu. That made for a very compact display — ideal to fit many Windows Services on-screen.

But the feedback from folks using the software was that the menu was too small. Apparently most users manage only two to five services and a more spacious user interface would make ServiceCommander easier to use.

Taking that feedback on board, we switched the icon size to 32×32. You can see what the new, roomier taskbar menu looks like in this screenshot:

ServiceCommander 7 screenshot

But you can switch back to small icons if you like

The new interface should be better for most users but what if you’re working with lots of services? The reality is that your screen may not be able to fit the longer taskbar menu if it contains more than twenty entries.

For users who want to pack in the pixels — and those who don’t need glasses just yet — we added a new option to use small icons on the menu.

To switch to the more compact menu display:

  1. Click the ServiceCommander icon to open the menu.

  2. Select Configure.

  3. In the Configure ServiceCommander window, switch to the Options tab.

  4. Check the Show small icons on the taskbar menu box:

    Show small icons on the taskbar
  5. Click the Done button to save your change.


ServiceCommander shows more services in the taskbar menu

When managing many services, the taskbar menu would only show up to 30 services. Any more than 30 would “overflow” into a “More Services” menu, which required an extra click to access.

ServiceCommander 7 removes that hard cap of 30 services and computes the limit based on the resolution of your screen. The end result is that you’ll see as many menu entries as your screen will hold.

ServiceCommander overflows to the More Services entry

For example, on our 2560×1440 display, we can fit 29 services without overflowing. However, if we switch to small icons, the more compact menu will accommodate up to 50 services:

ServiceCommander fits more services in the menu

ServiceCommander 7 is fully compatible with Windows Server 2025

This new release works flawlessly on Windows Server 2025. Fortunately we didn’t even have to change much code to support the new operating system — just a few behind-the-scenes routines.

Enjoy!

Posted in ServiceCommander | Tagged , , | Leave a comment