Windows Services are special applications designed to run unattended on your PC. A service can do virtually anything its programmer demands, such as reading files, sending email, checking for viruses — whatever.
Yet in the midst of that tremendous diversity, the vast majority of services have a lot in common. With inspiration from Professional NT Services, it is our observation that the majority of Windows services can be placed in one of four categories: Server, Agent, Processor or Canary.
Server: Accept and fulfill requests for services and/or resources
The majority of Windows services implement the Server pattern. They typically act as the proxy/gatekeeper to a well-defined area of the operating system, fulfilling requests as they come in.
For example:
Spooler implements the Print Spooler API. It accepts print requests from desktop applications and negotiates with printers to ensure that all documents are (eventually) printed.
User Profile Service is responsible for loading and unloading user information on behalf of all applications.
Windows Event Log records application, system and security events through the Event Log API.
Agent: Perform a task regularly on behalf of a person
Many services implement the Agent pattern. They run in the background, performing requested tasks at pre-defined times.
For example:
Google Update Service keeps your Google software up to date, applying security patches and other improvements as they become available.
The Schedule service works in conjunction with the Windows Task Scheduler, launching each scheduled task at its appointed date and time.
Windows Update automatically detects, downloads, and installs updates for Windows and other Microsoft programs.
Processor: Watches for important events then takes action
A Processor springs to life in response to a triggering event. It has the autonomy to take action and resolve the issue at hand.
For example:
Windows Time ensures that your PC’s clock is correct, synchronizing it with clients and servers in the network.
Background Intelligent Transfer Service opportunistically transfers files in the background when network traffic is low.
Bluetooth Support Service supports the discovery and pairing of nearby Bluetooth devices.
Canary: Notify a person (or application) when something important happens
A Canary is a special kind of Processor. It too watches for important events, but its primary task is to shout loudly instead of taking definitive action.
For example:
Windows Defender Advanced Threat Protection Service helps protect against advanced threats by monitoring and reporting security events that happen on the computer.
System Event Notification Service monitors system events and notifies subscribers to COM+ Event System of these events.
Connected User Experiences and Telemetry enables features that support in-application and connected user experiences. The service manages the event driven collection and transmission of diagnostic and usage information (used to improve the experience and quality of the Windows Platform) when the diagnostics and usage privacy option settings are enabled under Feedback and Diagnostics.
Many desktop applications follow a Windows Service pattern too!
Those four patterns apply to regular desktop applications as well. Most notably:
iTunes enables your Apple devices to play any track from your media library. iTunes is a Server.
SyncToy will synchronize two file systems on demand. SyncToy is an Agent.
Dropbox watches your file system and copies updated files to the server. Dropbox is a Processor.
SpeedFan monitors your computer’s voltage, fan speeds and temperatures and lets you know when something is wrong. SpeedFan is a Canary.
If you are responsible for a legacy/desktop application that aligns with one of the four service patterns, you should consider installing it as a Windows Service. It probably should have been built as a service in the first place!
I have installed Service Security Editor and accidentally DENY one particular service for all users, including local administrator on my laptop. Now I am not able to start the service although I have tried to open from Service Security Editor.
Is there a way to grant the permission again in order to allow me to start the service again? I’m on Windows Server 2012 R2, if that matters.
— Charles
Hi Charles, sorry to hear that!
You won’t be able to access the service from any account or group where you applied the Deny permission. As Microsoft mentions in the confirmation window, the Deny directive is at the “top of the heap” and always takes precedence over Allow:
Here are a couple of ways to fix your problem:
Solution #1: Restore your Windows Service permissions from a new Administrator account
Did you deny access to the Administrators group?
If not, you can restore your permissions from a new administrator account in a few steps:
Create a new user account — best done from the Control Panel:
Change the account type to Administrator:
Login as the new user.
Start Service Security Editor and open your service. Select the account in the top panel, remove all the Deny entries and replace with Allow rights.
For example:
After applying those changes, you should be able to access the service when you next log into your regular account.
Don’t forget to delete the new administrator account you created for this purpose!
Solution #2: Restore your Windows Service permissions from the SYSTEM account
The first solution will not work if you denied access to all administrators. No admin will be able to open the service.
Fortunately the all-powerful SYSTEM account will still be able to manipulate the service. But since you can’t simply sign in as the SYSTEM user and update the service’s permissions, you must take a less than direct approach using our popular AlwaysUp application:
Even though the software costs $49.99, you can use it completely free for 30 days — more than enough time for you to restore the rights to your Windows Service.
Set up the command prompt to run as the SYSTEM user in AlwaysUp. To do so:
Select Application > Add to open the “Add Application” window.
In the Application field, enter the full path to the Windows command prompt executable, cmd.exe. On Windows Server 2012 R2 (and almost all other versions of Windows), this is:
c:\windows\system32\cmd.exe
Click the Save button to record your settings. An entry for Cmd should appear in the AlwaysUp window:
Select Application > Start “Cmd” in this session. In a second or two, a black command prompt window will appear on your desktop. It will be running in the context of the SYSTEM user.
From the command prompt window, type the full path to the Service Security Editor executable and hit enter. This will start a new instance of Service Security Editor on your desktop:
Open your service in Service Security Editor. Select the Administrators group in the top panel, remove all the Deny entries and add Allow rights.
How about giving full control to all administrators?
Click the OK button to save the updated access rights.
And finally, now that your service is once again accessible, clean up:
Close Service Security Editor.
Switch to AlwaysUp and select Application > Stop “Cmd” to shut down the command prompt.
Hopefully one of these methods will get you back on your feet Charles. If not, please don’t hesitate to get in touch again. There may be another trick or two up our sleeves. 🙂
The Power service implements your computer’s power schemes, policies and notifications as configured in the Control Panel:
The service’s name (and display name) is Power and it runs inside the shared services host process, svchost.exe:
Is it safe to disable the Power service?
In their guidance on disabling system services on Windows Server 2016, Microsoft does not indicate that it is OK to disable the Power service. Indeed, they punt on specific guidance altogether, commenting that “the impact of disabling the service has not been fully evaluated”.
Their ultimate recommendation is to stick with the default configuration — automatic start at boot.
The “Stop” button is disabled. How can I stop the Power service?
If you examine the service’s screenshot, you will notice that the Stop button is disabled — indicating that the service cannot be stopped.
And even the versatile NET STOP command run as an administrator will fail, complaining that the service isn’t in the right “state”:
This is different from the typical permission/rights problem seen when attempting to stop other important services. Here, the Power service is actively refusing to be stopped under any condition and there is no way around it.
What will happen if I kill the Power service’s process?
Your computer will shut down, immediately.
This is because the Power service is hosted by an instance of the shared service host process (svchost.exe) also running these core services:
Background Tasks Infrastructure Service / BrokerInfrastructure: Responsible for background tasks.
Local Session Manager / LSM: Manages local user sessions.
Task Manager will confirm that all four services have the same PID (process identifier):
So killing that svchost process will stop all four services.
If you choose to press on and try to end the process, Task Manager will warn you of the dire consequences:
And that is no idle threat! We were greeted with this delightful blue screen of death after terminating the process on our Windows Server 2019 machine:
Be careful!
The Power service isn’t starting. Help!
We suggest the following:
Reboot your computer. Hopefully you have fallen victim to a temporary glitch and sanity will be restored when the operating system next starts.
Manually run Windows Update. If you’re lucky, the Microsoft Windows engineers have already found and fixed the problem with their software.
Seek expert help. Start with a Google search for a quick fix; move on to your local administrator if no resolution is forthcoming.
Reinstall Windows. You may have to start over from scratch if nothing else works… 🙁
Questions? Problems?
If you would like to know more about the Windows Power service, or you have a specific problem, please feel free to get in touch. We will do our best to help you!
I’m wanting to know what permissions a user is required to have in order to stop and start AlwaysUp services. Is there a way to grant access to specific users as I don’t want to have to give them full Admin rights? I’ve created shortcuts but getting the “access denied” message. Thanks in advance.
— Bryant, Wide Bay Water
Hi Bryant.
Typically, only administrators have the power to control Windows Services. That is an appropriate stance, as most services are administrative in nature.
Indeed, it would be a huge mistake to allow non-privileged persons to stop any of the important tasks servicing the computer in the background. Think of the chaos it could cause!
But there are always exceptions. And the good news is that Microsoft provides the ability to set granular permissions on each Windows Service. You can leverage that API/functionality from command-line tools like Microsoft’s SubInACL but your best option is to work directly with AlwaysUp (which is much easier to use).
How to adjust the rights of an AlwaysUp Windows Service
Follow these steps to grant a non-admin user the ability to start and/or stop your service:
Start AlwaysUp.
Highlight/select the application you wish to grant access to. Stop it if necessary.
Select Application > Advanced > Service Security Settings from the menu.
In the Service Security Settings window that comes up, select the user in the top pane. You will have to add the account if it’s not there.
In the lower pane, choose the permissions you wish the user to have.
Here you see us permitting user “Mike Jones” to read/access and start (but not stop) the Plex Media Server service:
Remember: The user must work with the full, quoted name of the service, with the “managed by AlwaysUp” suffix. For example, if your application entry is named “VirtualBox” in AlwaysUp, the service will be named:
“VirtualBox (managed by AlwaysUp)”
Easily adjust the rights of non-AlwaysUp Windows Services too!
The instructions above will work for AlwaysUp services, but our free Service Security Editor tool can adjust the permissions of any service. Check it out if you need a general, portable solution for all your Windows Services.
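The Deny-over-Allow behaviour from the answer to Charles and the per-user start/stop rights from the answer to Bryant both live in the service's security descriptor, which `sc.exe sdshow <service>` prints as an SDDL string. The Python sketch below is an added example, not code from this blog, AlwaysUp or Service Security Editor; the sample descriptor and the user SID are constructed, and the access check is simplified to canonical ACL order, where Deny ACEs are evaluated first.

```python
import re

# Two-letter SDDL rights as they apply to service objects (Windows SDK mapping).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "AU": "Authenticated Users", "WD": "Everyone"}

# Constructed sample in the shape printed by `sc.exe sdshow`: a Deny on
# start/stop for Administrators, plus a limited Allow for one hypothetical user.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE = ("D:(D;;RPWP;;;BA)"
          "(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;LCRP;;;" + USER_SID + ")"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

ACE = re.compile(r"\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^;)]*)\)")

def parse_dacl(sddl):
    """Return [(kind, sid, {right names})] for Allow/Deny ACEs in the DACL only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    return [(kind, sid, {SERVICE_RIGHTS.get(r, r) for r in re.findall("..", rights)})
            for kind, rights, sid in ACE.findall(m.group(1)) if kind in ("A", "D")]

def effective(aces, token_sids):
    """Rights left after Deny ACEs override Allow ACEs for the given SIDs."""
    allow, deny = set(), set()
    for kind, sid, rights in aces:
        if sid in token_sids:
            (allow if kind == "A" else deny).update(rights)
    return allow - deny

def deny_findings(aces):
    """List every Deny ACE as (trustee, sorted rights) for review."""
    return [(TRUSTEES.get(sid, sid), sorted(rights))
            for kind, sid, rights in aces if kind == "D"]

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE)
    print("Deny ACEs:", deny_findings(aces))
    for who in ("BA", "SY", USER_SID):
        print(who, sorted(effective(aces, {who})))
```

In the sample, Administrators lose START and STOP despite their full-control Allow entry, while SYSTEM keeps both, which is why the SYSTEM-context recovery route works.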
I’ve downloaded the trial version of AlwaysUp and installed it on a Server 2016 standard machine. I’ve created a Windows service for Plex Media Server and all is working well except for shutting the service down (or restarting).
Every time I restart or shut down the service I’m getting this error:
The application has failed to stop gracefully and may be forcibly terminated. The following processes may be terminated: Plex Media Server.exe, PlexScriptHost.exe, conhost.exe, PlexScriptHost.exe, conhost.exe, Plex Tuner Service.exe, conhost.exe
Can you please let me know what’s wrong?
— Panja
Hi Panja. We can fix this 🙂
But first, a brief explanation of what is going on…
Plex Media Server (PMS) launches several processes
When you start PMS (either normally on your desktop or as a service from AlwaysUp), the main executable (Plex Media Server.exe) spawns a family of processes. Those processes work together, invisibly in the background, to share your files with hungry devices.
You can see the “tree” of up to 8 processes with Microsoft’s Process Explorer:
Exiting PMS from the tray icon closes all the processes
When Plex is running normally on your desktop, you close it by selecting “Exit” from the tray icon menu. The main process receives the signal and quietly closes the other 7 processes. You never witness the behind-the-scenes coordination.
AlwaysUp tries several methods to exit PMS and close all its processes
When you are running Plex Media Server as a background service, there is no tray icon. You must rely on AlwaysUp to shut down PMS and its family of processes.
AlwaysUp tries up to four methods to close the media server properly. The error message you see is reported because the first two methods are unsuccessful and AlwaysUp must move on to the last two, more “aggressive” tactics.
However, looking at the logs, the third stop-method works for Plex. The server isn’t actually being “forcibly terminated”. So though annoying, you can safely ignore the error — it is a false alarm.
But who likes to see a useless error message, right? Here are a couple of ways to eliminate it entirely. Choose one or the other; no need to do both:
Solution #1: Remove the “nointeractive” flag from the arguments passed to Plex
In our step-by-step tutorial, we recommend running Plex Media Server.exe with the -nointeractive flag. This tells Plex that it should not create a tray icon because we cannot access it when PMS is running in the background (in Session 0).
However, when the flag is specified, Plex doesn’t create a main window either. And without a main window, AlwaysUp cannot send Plex the “default” signal to close.
Without the flag, AlwaysUp is able to close Plex smoothly — sans error messages.
To remove the nointeractive flag, edit your PMS entry in AlwaysUp and clear the Arguments field:
There is only one (minor) downside to this solution. Without the flag, Plex will print a warning to its log file every few seconds. This won’t be a problem — unless you are a techie digging into the Plex internals — but it deserves to be mentioned.
To configure AlwaysUp to shut down Plex with taskkill:
Create a batch file with this line:
taskkill /t /f /im "Plex Media Server.exe"
As you can see from the taskkill documentation, this command will terminate PMS and all its child processes.
Start AlwaysUp and edit your Plex Media Server entry
Switch to the Extras tab.
Enter the full path to the batch file you created in step 1 in the Use this special command to stop the application field. And you might as well give taskkill up to 30 seconds to do its work by completing the field below that:
Save your settings
With this solution in place, the next time you stop PMS from AlwaysUp:
AlwaysUp will run the batch file
The batch file will run taskkill
taskkill will close all the PMS processes
AlwaysUp will see that PMS has closed and will set the state of the Plex Media Server entry to “Stopped”.