February 6, 2012

Lockdown Windows 7 with Simple Scripts

Back in 2007, I published a script for locking down Windows XP and Windows 2003 services, using the sc command. Recently I had need to lock down a fresh Windows 7 image and realized the list of services needed to be updated. The below list works on my laptop. For a complete list of what each of these services does, or why you do/do not need them, please refer to Microsoft TechNet.

The script could not be simpler. Take the below script and save it as a batch file on your desktop.

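@echo off
rem Work from the batch file's own folder so services.txt is found when run elevated.
cd /d "%~dp0"
rem Disable every service in the list, then stop any that are still running.
for /f %%b in (services.txt) do sc config %%b start= disabled
for /f %%c in (services.txt) do sc stop %%c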

The list of services then goes into a text file in the same directory as the batch file, named “services.txt”. You can modify the list of services at will, based upon your unique needs.

AeLookupSvc
AERTFilters
ALG
AMPPALR3
AppIDSvc
aspnet_state
AxInstSV
BDESVC
BluetoothDeviceMonitor
BluetoothMediaService
BluetoothOBEXService
bthserv
BTHSSecurityMgr
CertPropSvc
COMSysApp
defragsvc
dot3svc
DPS
EFS
ehRecvr
ehSched
Fax
fdPHost
FDResPub
FontCache3.0.0.0
hidserv
hkmsvc
HomeGroupListener
HomeGroupProvider
idsvc
IPBusEnum
KtmRm
LiveUpdate
lltdsvc
Mcx2Svc
MSDTC
MSiSCSI
msiserver
MyWiFiDHCPDNS
napagent
NetMsmqActivator
NetPipeActivator
NetTcpActivator
NetTcpPortSharing
NVSvc
odserv
ose
p2pimsvc
p2psvc
PeerDistSvc
PerfHost
pla
PNRPAutoReg
PNRPsvc
QWAVE
RasAuto
RemoteAccess
RemoteRegistry
RoxMediaDB12OEM
RoxWatch12
RpcLocator
SCardSvr
SCPolicySvc
SDRSVC
SensrSvc
SessionEnv
SharedAccess
SNAC
SNMPTRAP
sppsvc
sppuinotify
SSDPSRV
stisvc
stllssvr
StorSvc
swprv
SysMain
TabletInputService
TBS
TermService
Themes
THREADORDER
TrkWks
TrustedInstaller
TurboBoost
UI0Detect
UmRdpService
upnphost
VaultSvc
vds
VSS
wbengine
WbioSrvc
wcncsvc
WcsPlugInService
WdiServiceHost
WdiSystemHost
Wecsvc
wercplsupport
WerSvc
WinDefend
WinHttpAutoProxySvc
WinRM
wmiApSrv
WMPNetworkSvc
WPCSvc
WPDBusEnum
WwanSvc

I hope this list is helpful. Please use at your own risk. IT IS EASY TO SCREW UP YOUR SYSTEM IF YOU DISABLE THE WRONG SERVICES. When working to update this list, I accidentally disabled the Application Information service, and the Secondary Logon service. Doing so was a major screw-up, because it prevented me from running any MMC, including the services.msc. It also prevented me from running a command prompt as administrator, which prevented me from fixing the problem. I ended up needing to log in as a domain admin to get enough privileges to fix my system. When in doubt, experiment on a test system and go slow. Do one service at a time and make sure you are happy with the results before you roll this out to your users.
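One way to make the change reversible, as an added example that is not part of the original script: it records each service's current start type and state before disabling it, skips the two services named above, and can roll everything back. The backup file name, the -Restore switch and the protected list are assumptions of this example.

```powershell
# Added example (PowerShell 2.0 compatible). Run elevated from the folder holding services.txt.
param(
    [string]$ListFile   = '.\services.txt',
    [string]$BackupFile = '.\services-backup.csv',   # hypothetical file name
    [switch]$Restore                                  # hypothetical switch
)

# Never touch these: Application Information (Appinfo) and Secondary Logon
# (seclogon) are the two services the article reports losing elevation over.
$NeverDisable = @('Appinfo', 'seclogon')

# Win32_Service.StartMode value -> the word sc.exe expects after "start=".
$ScStart = @{ 'Auto' = 'auto'; 'Manual' = 'demand'; 'Disabled' = 'disabled' }

if ($Restore) {
    # Roll back: reapply each recorded start type, restart what was running.
    foreach ($row in (Import-Csv $BackupFile)) {
        $mode = $ScStart[$row.StartMode]
        & sc.exe config $row.Name start= $mode | Out-Null
        if ($row.State -eq 'Running') { & sc.exe start $row.Name | Out-Null }
    }
    return
}

# A second run would record "Disabled" everywhere and destroy the rollback data.
if (Test-Path $BackupFile) { throw "$BackupFile exists; restore or move it first." }

$snapshot = @()
foreach ($line in (Get-Content $ListFile)) {
    $name = $line.Trim()
    if (-not $name) { continue }
    if ($NeverDisable -contains $name) { Write-Warning "$name is protected, skipping"; continue }
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if (-not $svc) { Write-Warning "$name is not installed, skipping"; continue }
    $snapshot += $svc | Select-Object Name, StartMode, State
}

# Write the rollback record before changing anything.
$snapshot | Export-Csv $BackupFile -NoTypeInformation

foreach ($row in $snapshot) {
    & sc.exe config $row.Name start= disabled | Out-Null
    & sc.exe stop $row.Name | Out-Null
    Write-Host ("{0}: was {1}/{2}, now disabled" -f $row.Name, $row.StartMode, $row.State)
}
```

Win32_Service reports delayed automatic start as plain Auto, so a restore brings those services back as ordinary automatic start.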

As always, if this article is helpful to you, please drop me a comment.

Thanks for stopping by.