http://blogs.technet.com/markrussinovich/archive/2005/07/24/running-windows-with-no-services.aspx
Running Windows with No Services
A Windows service provides functionality to the operating system and user accounts regardless of whether anyone is logged into a system. Windows XP comes with around four dozen services enabled by default, including ones that many people consider superfluous like Remote Registry, Alerter, and SSDP Discovery (Universal Plug and Play). A question many Windows administrators commonly have is therefore, which services can I safely disable? What if I told you that for at least basic functionality like Web surfing and application execution, Windows doesn’t need any services? In fact, you can also do those things without system processes like Winlogon.exe, the interactive logon manager, and Lsass, the local security authority subsystem.
The following steps, which you must follow carefully to achieve a minimal Windows system, were derived by Dave Solomon through experimentation, and when he discovered that Windows was usable without all the core system processes we were dumbfounded. After figuring this out he and I polled senior Windows experts like the vice president of the Core Operating Systems Division, the technical lead of the Virtual PC team, and a lead Windows security architect to see if they thought that Windows would function at all, much less if Internet Explorer would work, without the support of Winlogon, Lsass, and services, and the unanimous answer was ‘no’. Even after we showed them the demonstration I’m about to share with you they all thought that we’d staged some kind of trick.
The first step to achieving a minimal Windows configuration is to kill the system processes I’ve mentioned. You can’t use Task Manager for the job, however, because it has an internal list of processes that it considers critical and that it won’t terminate. Try to kill Smss.exe, Winlogon.exe, Services.exe, Lsass.exe or Csrss.exe and you’ll see this dialog:

So if you don’t have it already download Process Explorer. To make things go more quickly uncheck the Confirm Kill entry in the Process Explorer Options menu. Then kill Smss.exe, the Session Manager process. The reason we start with Smss.exe is that Smss.exe watches the back of Winlogon, the process it creates during the boot, so if you terminate Winlogon first Smss.exe gets upset and blue screens the machine with an error indicating that the Windows logon process terminated unexpectedly. And if you kill Lsass or Services without killing Winlogon you'll see this dialog that Winlogon shows before it shuts down the system (you can abort the shutdown by running "shutdown -a"):

Once Smss.exe is out of the way select Winlogon and choose Kill Process Tree from the Process menu. This terminates Winlogon.exe, Lsass.exe, Services.exe, and all the Windows service processes. We’re almost done.
The next step is to kill all other standard processes except for Csrss.exe (and of course Process Explorer). Csrss.exe is the only process in the system that has the “critical process” bit set in its kernel process structure (EPROCESS) flags field. On the termination of a process with the flag set the kernel halts with a CRITICAL_PROCESS_DIED blue screen. Note that you won’t be able to terminate the System Idle Process, System, Interrupts, or DPC processes. The Idle process isn’t a real process and simply tracks the time when no thread is executing. The System process holds operating system kernel threads and device driver threads, and Interrupts and DPCs are artificial processes that Process Explorer uses to display interrupt and Deferred Procedure Call (DPC) activity.
Because Process Explorer shows the Interrupts and DPCs artificial processes, switch to Task Manager at this point to get a real idea of what’s actually running by activating the Run command in Process Explorer’s File menu and entering “taskmgr”. Then exit Process Explorer and look at Task Manager’s Processes tab. This is what you should see (themes disappear when the Svchost.exe process hosting the theming service terminates):

You have achieved minimal Windows: the only two processes, not including Task Manager, are System and Csrss.exe. You’re now ready to start experimenting. Verify that you can surf the Internet by launching “iexplore” from Task Manager’s Run command in its File menu. Then restart Explorer by running “explorer”. You’re done with Task Manager so you can exit it.
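Before trying the steps above on a test machine it helps to see exactly what the Winlogon process tree carries. The following PowerShell script is an added example, not code from the original post or from Sysinternals; it assumes PowerShell 3.0 or later and is meant to be run on a normally booted system, where it reports the state of the core processes the post kills and groups the running services by the Svchost.exe (or other) process hosting them.

```powershell
# Added example, not code from the original post: inventory the core
# system processes the post terminates, and the services hosted by each
# Svchost.exe, so you know what "Kill Process Tree" on Winlogon takes
# down and can confirm on a normal system that all of them are present.
# Assumes PowerShell 3.0 or later (Get-CimInstance); no extra modules.

function Get-CoreProcessState {
    # Image names from the post; Get-Process's ProcessName has no ".exe".
    $core = 'smss', 'csrss', 'winlogon', 'services', 'lsass'
    $running = (Get-Process).ProcessName
    foreach ($name in $core) {
        [pscustomobject]@{
            Process = "$name.exe"
            State   = if ($running -contains $name) { 'running' } else { 'MISSING' }
        }
    }
}

function Get-ServiceHostMap {
    # Win32_Service exposes the PID of the process hosting each service,
    # which lets the services sharing one Svchost.exe be grouped together.
    $services = Get-CimInstance Win32_Service | Where-Object State -eq 'Running'
    $groups = $services | Group-Object ProcessId | Sort-Object { [int]$_.Name }
    foreach ($group in $groups) {
        $procId = [int]$group.Name
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID      = $procId
            Image    = if ($proc) { "$($proc.ProcessName).exe" } else { '(gone)' }
            Count    = $group.Count
            Services = ($group.Group.Name | Sort-Object) -join ', '
        }
    }
}

Get-CoreProcessState | Format-Table -AutoSize
Get-ServiceHostMap   | Format-Table -AutoSize -Wrap
```

Once Services.exe is gone the second function will fail, since the WMI provider it queries is itself a service; that failure is the same class of breakage the post goes on to describe.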
There will be a delay before Explorer redraws the desktop because it waits for the Service Control Manager (SCM) to signal the ScmCreatedEvent, which Services signals during its initialization. Below is the stack of the main Explorer thread waiting. The second parameter to WaitForSingleObject is a timeout value that’s interpreted as milliseconds and 0xEA60 is 60,000 – 60 seconds:

Once Explorer starts it clips the task bar off the bottom of the display so get it back by right-clicking on the barely visible task bar and applying the ‘Show Quick Launch’ option. Notice that even though the task bar is fully visible it doesn’t show the active windows.
With Explorer, the start menu and desktop back you can wander your system, trying various applications and utilities to see how they respond when there are no services running. There are many things that will work, but of course also many things that won’t. For example, here’s the Services node of the Computer Management MMC snapin displaying an expected error message:

What are the real limitations of running like this? Some will become obvious during your exploration, but a major one is that you won’t be able to log off (or shut down) since neither Lsass nor Winlogon is running. Networking is also crippled, especially in a LAN, since accessing other computers requires the participation of Lsass in the cross-machine domain authentication process.
The bottom line is that this stripped-down Windows configuration is not practical, but makes a cool demonstration of just how little of Windows is required for basic functionality.
On a more personal note, I’m going to be in the Cape Canaveral area on Thursday, August 11, and so am calling out to any NASA employee Sysinternals fans to see if you’d be willing to arrange for a special tour of the space center.