February 6, 2012
Back in 2007, I published a script for locking down Windows XP and Windows 2003 services, using the sc command. Recently I had need to lockdown a fresh Windows 7 image and realized the list of services needed to be updated. The below list works on my laptop. For a complete list of what each of these services does, or why you do/do not need them, please refer to Microsoft Technet.
The script could not be simpler. Take the below script and save it as a batch file on your desktop.
for /f %%b in (services.txt) do sc config %%b start= disabled
for /f %%c in (services.txt) do sc stop %%c
The list of services then goes into a text file in the same directory as the batch file, named “services.txt”. You can modify the list of services at will, based upon your unique needs.
I hope this list is helpful. Please use at your own risk. IT IS EASY TO SCREW UP YOUR SYSTEM IF YOU DISABLE THE WRONG SERVICES. When working to update this list, I accidentally disabled the Application Information service, and the Secondary Logon service. Doing so was a major screw-up, because it prevented me from running any MMC, including the services.msc. It also prevented me from running a command prompt as administrator, which prevented me from fixing the problem. I ended up needing to log in as a domain admin to get enough privileges to fix my system. When in doubt, experiment on a test system and go slow. Do one service at a time and make sure you are happy with the results before you roll this out to your users.
As always, if this article is helpful to you, please drop me a comment.