Service Control Manager
Encyclopedia
Service Control Manager is a special system process
under Windows NT
family of operating system
s, which starts, stops and interacts with Windows service
processes. It is located in
, and the same API interface is used internally by the interactive Windows service management tools such as the MMC
snap-in
. Its main function,
In the next step, SCM's main function
interface between the SCM and the SCPs (Service Control Processes) that interact with specific services.
Next, it calls the
For each service it wants to start, the SCM calls the
function
Next, the
, in order to solve the problem of a prolonged system startup, as well as to speed-up the start of critical services that cannot be delayed. Originally the auto-start method of service initialization was designed for essential system services upon which other applications and services depend. The SCM initializes the delayed services only after handling all the non-delayed auto-start services, by invoking the
is invoked, and the
applications such as the Windows Explorer
when a network drive-letter connection has been created or deleted, by broadcasting Windows messages
Process (computing)
In computing, a process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system , a process may be made up of multiple threads of execution that execute instructions concurrently.A computer program is a...
under Windows NT
Windows NT
Windows NT is a family of operating systems produced by Microsoft, the first version of which was released in July 1993. It was a powerful high-level-language-based, processor-independent, multiprocessing, multiuser operating system with features comparable to Unix. It was intended to complement...
family of operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s, which starts, stops and interacts with Windows service
Windows Service
On Microsoft Windows operating systems, a Windows service is a long-running executable that performs specific functions and which is designed not to require user intervention. Windows services can be configured to start when the operating system is booted and run in the background as long as...
processes. It is located in
%SystemRoot%\services.exe executable. Service processes interact with SCM through a well-defined APIApplication programming interface
An application programming interface is a source code based specification intended to be used as an interface by software components to communicate with each other...
, and the same API interface is used internally by the interactive Windows service management tools such as the MMC
Microsoft Management Console
Microsoft Management Console is a component of Windows 2000 and its successors that provides system administrators and advanced users an interface for configuring and monitoring the system.- Snap-ins and consoles :...
snap-in
Services.msc and the command-line Service Control utility sc.exe.Implementation
The SCM executable,Services.exe, runs as a Windows console program, and is launched by the Wininit process early during the system startupWindows Vista Startup Process
The startup process of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 is different from any previous versions of Windows. For Windows Vista, the boot sector loads the Windows Boot Manager , which first looks for an active partition, then accesses the Boot Configuration...
. Its main function,
SvcCtrlMain, launches all the services configured for automatic startup. First an internal database of installed services is initialized by reading the following two registry keys:
-
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List, containing the names and order of service groups. Each service's registry key contains an optionalGroupvalue which governs the order of initialization of a respective service or a device driverDevice driverIn computing, a device driver or software driver is a computer program allowing higher-level computer programs to interact with a hardware device....
, with respect to other service groups. -
HKEY_LOCAL_MACHINE\SYSTEMCurrentControlSet\Services, which contains the actual database of services and device drivers and is read into SCM's internal database. SCM reads every service'sGroupvalue as well as load-order dependencies from theirDependOnGroupandDependOnServiceregistry keys.
In the next step, SCM's main function
SvcCtrlMain calls the function ScGetBootAndSystemDriverState function which checks whether the device drivers that should be started during the boot or system startup were successfully loaded, and those that have failed to do so are stored in a list called ScFailedDrivers. Then a named pipeNamed pipe
In computing, a named pipe is an extension to the traditional pipe concept on Unix and Unix-like systems, and is one of the methods of inter-process communication. The concept is also found in Microsoft Windows, although the semantics differ substantially...
\Pipe\Ntsvcs is created as a remote procedure callRemote procedure call
In computer science, a remote procedure call is an inter-process communication that allows a computer program to cause a subroutine or procedure to execute in another address space without the programmer explicitly coding the details for this remote interaction...
interface between the SCM and the SCPs (Service Control Processes) that interact with specific services.
Next, it calls the
ScAutoStartServices function which loops through all the services marked as auto-start, paying attention to the calculated load-order dependencies. In case of a circular dependency an error is noted and the service depending on a service that belongs to a group coming later in the load order is skipped. For delayed auto-start services, grouping has no effect, and those are loaded at a later stage of system startup.For each service it wants to start, the SCM calls the
ScStartService function which checks the name of the file that runs the service's process, ensuring that the account specified for the service is same as the account that the service process runs in. Every service that does not run in the System account is logged in by calling the LSASSLocal Security Authority Subsystem Service
Local Security Authority Subsystem Service , is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens...
function
LogonUserEx, for which LSASS process looks up "secret" passwords stored in the HKLM\SECURITY\Policy\Secrets\ registry key, which were stored by the SCP using the LsaStorePrivateData API, when the service was originally configured.Next, the
ScLogonAndStartImage function is called for every service whose service process has not been already launched. Service processes are created in a suspended state via the CreateProcessAsUser API. Before the service process' execution is resumed, a named pipe \Pipe\Net\NtControlPipeX (where X is a number incremented for each service iteration) is created which serves as a communication channel between the SCM and the service process. Service process connects to the pipe by calling the StartServiceCtrlDispatcher function, after which the SCM sends the service a "start" command.Delayed auto-start services
Delayed auto-start services have been added in Windows VistaWindows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
, in order to solve the problem of a prolonged system startup, as well as to speed-up the start of critical services that cannot be delayed. Originally the auto-start method of service initialization was designed for essential system services upon which other applications and services depend. The SCM initializes the delayed services only after handling all the non-delayed auto-start services, by invoking the
ScInitDelayStart function. This function queues a delayed (120 seconds by default) work item associated with a corresponding worker thread. Other than being initialized after a delay, there are no other differences between delayed and non-delayed services.Device drivers
Services whoseType registry value is SERVICE_KERNEL_DRIVER or SERVICE_FILE_SYSTEM_DRIVER are handled specially: these represent device drivers for which ScStartService calls the ScLoadDeviceDriver function which loads the appropriate driver (usually a file with an extension .sys) which must be located in the %SystemRoot%\System32\Drivers\ directory. For that purpose, the NtLoadDriver system callSystem call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
is invoked, and the
SeLoadDriverPrivilege is added to the SCM's process.Network drive letters
SCM provides an additional functionality completely unrelated to Windows services: it notifies GUIGraphical user interface
In computing, a graphical user interface is a type of user interface that allows users to interact with electronic devices with images rather than text commands. GUIs can be used in computers, hand-held devices such as MP3 players, portable media players or gaming devices, household appliances and...
applications such as the Windows Explorer
Windows Explorer
This article is about the Windows file system browser. For the similarly named web browser, see Internet ExplorerWindows Explorer is a file manager application that is included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface...
when a network drive-letter connection has been created or deleted, by broadcasting Windows messages
Message passing
Message passing in computer science is a form of communication used in parallel computing, object-oriented programming, and interprocess communication. In this model, processes or objects can send and receive messages to other processes...
WM_DEVICECHANGE.See also
- Windows serviceWindows ServiceOn Microsoft Windows operating systems, a Windows service is a long-running executable that performs specific functions and which is designed not to require user intervention. Windows services can be configured to start when the operating system is booted and run in the background as long as...
- List of Windows Services
- Operating system service managementOperating system service managementIn computing, mechanisms and techniques for managing services often differ by operating system. Operating system service management can refer to the following:...
- svchost.exeSvchost.exeIn the Windows NT family of operating systems, svchost.exe is a system process which hosts multiple Windows services. Its executable image, %SystemRoot%\System32\Svchost.exe or %SystemRoot%\SysWOW64\Svchost.exe runs in multiple instances, each hosting one or more services...