The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation

Essential Windows Services: Security Center / wscsvc

Posted on July 4, 2022
Security Center Service (wscsvc)

What is the Security Center (wscsvc) service?

The Security Center service is an important “watchdog” focused on protecting your computer.

From the service’s description:

 The Security Center service monitors and reports security health settings on the computer.

Those health settings include:

  • Firewall (on/off)

  • Antivirus (on/off/out of date)

  • Antispyware (on/off/out of date)

  • Windows Update (automatically/manually download and install updates)

  • User Account Control (on/off)

  • Internet settings (recommended/not recommended)

In summary, Security Center’s purpose is to let you know when your computer’s defenses are down.

To illustrate how the service works, we turned off the Windows Firewall (which protects your PC from outside attackers). A couple of seconds later, Security Center raised a warning on our desktop, urging us to re-enable the firewall:

Security Center Windows Firewall alert

Technical information

The service’s name is wscsvc. It runs inside the shared services host process, svchost.exe:

wscsvc service

The service’s startup type is Automatic (Delayed Start). As a result, Windows launches the service a couple of minutes after your machine boots.

wscsvc runs in the built-in Local Service account:

wscsvc service: Log On

What happens if I stop Security Center?

Since Security Center safeguards your machine, stopping the service may leave you in the dark about your computer’s defenses. For that reason, Microsoft has made it very difficult for you to stop the Security Center service.

In fact, not even members of the powerful Administrators group can stop (or change) the service! If you open the Services application, you will notice that all the command buttons are disabled:

Security Center: Administrator permissions

In our research, we identified only three obscure, built-in Windows accounts that have enough rights to stop Security Center. Those accounts are DcomLaunch, SecurityHealthService and TrustedInstaller:

Security Center: Special user accounts

Clearly, Microsoft has taken great pains to “lock down” the Security Center service. Best to heed their advice; do not try to stop it.

Is it OK to disable the Security Center service?

Again, because of tight security settings, you will not be able to disable the service from the Services application. And the SC command won’t work either:

Disabling wscsvc with SC

However, if you are hell bent on hobbling the service, you can try hacking the registry. Setting the Start value in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc key to 4 should do the trick. You may have to reboot afterwards.

But don’t be surprised if that fails too. For example, Windows 11 restricts access to the registry key to a few built-in accounts. Not even an administrator can update the registry entry. And as you can see, Windows rebuffed our attempt to change the registry value:

Failed to disable wscsvc

Caveat emptor!

Questions? Problems?

If you would like to know more about the Security Center service — or if you have a specific problem with it — please feel free to get in touch. We will do our best to help you!

You may also like...

Q&A: Why can't AlwaysUp run my Batch File?

Q&A: Why can't AlwaysUp run my Batch File?

Why Does Windows SmartScreen Flag Our Software?

Why Does Windows SmartScreen Flag Our Software?

Essential Windows Services: Remote Procedure Call (RPC) / RpcSs

Essential Windows Services: Remote Procedure Call (RPC) / RpcSs

Posted in Windows Services | Tagged , , , , | Leave a comment

Q&A: Why can’t AlwaysUp Open the Netman Service?

Posted on June 6, 2022
Why can't AlwaysUp Open the Netman Service?
  Hi Team,

AlwaysUp can start Thunderbird as a Windows Service and it runs without any problems. But I always get the following warnings:


Unable to ensure that networking components are running: Netman: Unable to open the service: Zugriff verweigert. AlwaysUpService will pause for a few seconds and try again.

Unable to ensure that networking components are running: Netman: Unable to open the service: Zugriff verweigert.

(“Zugriff verweigert” means “Access denied” in English.)

Thunderbird is running as a NON-admin-user on this server.

Is there a way to stop these warnings, or should I just ignore them?

— Oliver

Hi Oliver, thanks for reaching out.

It’s your choice how to handle the warnings. You can ignore the messages because they don’t impact Thunderbird. Or with a few small changes, you can eliminate them altogether. Let’s dig into the details.

Why your Thunderbird service generates the “Access denied” warning

Windows reports the “access denied error” whenever someone tries to perform an operation that they are not allowed to. Think of it as Windows saying “no, you can’t do that”.

In your case, the message is reported because the account you have specified on the AlwaysUp Logon tab doesn’t have enough rights to open the Network Connections (Netman) Windows Service.

That is not a surprise. As you mentioned, you are running Thunderbird as a non-administrative user. And typically, only administrators have access to core services like Netman.

We have investigated this situation with other customers before. Each time, we concluded that the warning could be ignored. That’s because Netman — which handles client network configuration — was already running by the time AlwaysUp started.

However, we also have a couple of solutions for you if ignoring the warnings isn’t good enough.

Solution #1: Delay startup instead of checking the network

Since Thunderbird communicates over the network, it’s good to have AlwaysUp confirm that the network is up before it launches the application. If not, Thunderbird could start too soon and fail.

In those situations, we recommend checking the Ensure that the Windows networking components have started box on the Startup tab:

Ensure that the Windows networking components have started

However, when that box is checked, AlwaysUp tries to open the Netman service. And that is precisely what fails in your case!

So let’s think outside the box. Since AlwaysUp cannot directly wait for the network to start, instead let’s delay AlwaysUp to give the networking components enough time to start.

To do that:

  1. Uncheck the Ensure that the Windows networking components have started box on the Startup tab

  2. On the General tab, choose Automatically, but shortly after the computer boots in the Start the application field:

    Start your application shortly after boot

  3. Save your changes.

With that adjustment in place, Windows will start your Thunderbird Windows Service about 2 minutes after your computer boots. Netman (and other critical services) should definitely be running by then.

Solution #2: Grant your non-admin user rights to the Network Connections Windows Service

If delaying Thunderbird at boot is not acceptable, you can take direct action on the Netman service instead. By allowing your non-admin user to check the Netman service, you can avoid the annoying “access denied” message altogether.

To update Netman’s permissions:

  1. Download our free Service Security Editor utility

  2. Start Service Security Editor

  3. Select Network Connections from the drop-down list and click Open:

    Open Network Connections service

  4. In the Service Security Settings window, add the non-admin user and grant them the Read permission (at minimum):

    Update Netman service security settings

  5. Click OK to save your changes.

And now that your non-admin user has permission to check the state of the Network Connections service, you won’t see the warning anymore.

Happy emailing!

You may also like...

New Version

AlwaysUp Version 8.0 Released

How to Survive Automatic Updates when Running 24/7 with AlwaysUp

How to Survive Automatic Updates when Running 24/7 with AlwaysUp

Q & A: How do I Prevent Multiple Alpha Application Servers from Running?

Q & A: How do I Prevent Multiple Alpha Application Servers from Running?

Posted in AlwaysUp | Tagged , , , , , , | Leave a comment

Q&A: Why does AlwaysUp Think my Application Stopped?

Posted on May 23, 2022
Why does AlwaysUp Think my Application Stopped?
  Dear AlwaysUp support,

We frequently get the following warning:

AlwaysUpService has detected that the application has stopped.

However, in the logs of our application we can’t see anything pointing to the reason why the application stopped.

Why does AlwaysUp believe our application stopped? What is the criteria for the decision, that an application is considered as stopped?

Our application handles complex tasks. When it’s very busy, it might appear to hang. Could that be a reason for AlwaysUp to say it stopped?

I am pretty sure the process — normally visible in Task Manager — is not stopped, but I’m not 100% sure and I can not prove it. I am wondering if AlwaysUp might close the app by mistake.

— Adrian

Hi Adrian.

Don’t worry! With a little detective work, we should be able to figure out what’s going on.

But first, let’s review how AlwaysUp monitors your application.

How AlwaysUp determines that your application stopped

After AlwaysUp launches your application as a service, it’s primary task is to watch your application and ensure that it’s always running. As such, AlwaysUp performs a battery of tests every few seconds to detect if your application is in trouble.

The most important check involves the state of your application’s process. But what is a process?

When Windows runs your application, it creates a process to track that specific instance of your running application. That process has an identifier (ID) and is visible on the “Details” tab in the Task Manager.

For example, process 9088 was created after we opened Notepad on our desktop:

Task Manager: Notepad Process

And when we quit Notepad, process 9088 exited and disappeared from Task manager’s list.

Basically, a process tracks the lifetime of a running application. And everything running on your computer has at least one underlying process.

With that in mind, let’s return to AlwaysUp.

When AlwaysUp launches your application, Windows creates a process and returns it to AlwaysUp. Going forward, every two seconds, AlwaysUp asks Windows if the process is still alive or not. You can think of it like AlwaysUp opening the Task Manager and checking if the process is still on the list.

So when AlwaysUp says that your application has stopped, it’s because the application’s process is no longer active. In effect, the process has fallen off Task Manager’s list.

Investigate with Process Explorer

Have you ever used Microsoft’s free Process Explorer? It’s an amazing tool that can help you figure out what’s running on your machine — and why. Around here, we call it “Task Manager on steroids”. 🙂

Download Process Explorer and extract the zip file to your hard drive. We’ll need it for the next steps.

Dig into the tree of processes under AlwaysUp

Start Process Explorer. It will show all the applications running on your computer.

The leftmost Process column displays the hierarchical relationships between the processes. For example, if “Process A” started “Process B”, you will see “Process B” as a child of “Process A”. “Process B” will be displayed underneath “Process A”.

Now, let’s roll up our sleeves. If you haven’t already done so, please start your application in AlwaysUp. Afterwards, switch back to Process Explorer.

In the Process column, find AlwaysUpService.exe. That is the part of AlwaysUp that runs your application as a Windows Service. It will be a child of services.exe — the Windows Services Control Manager.

Your application should appear under AlwaysUpService.exe. For example, you can see that parent-child relationship when AlwaysUp is running Microsoft OneDrive as a service:

Process Explorer: AlwaysUp running OneDrive

Does your application appear as a child of AlwaysUpService.exe?

Are other processes displayed in the tree as well?

Is this a “launcher” situation, where the application you provided to AlwaysUp starts another program and exits?

Look for anything unusual that may trick AlwaysUp into thinking that your application has stopped even though it’s still running.

Find out when your application started

If you think that your application hasn’t stopped, you should confirm that hypothesis with Process Explorer. Double-click your application’s entry to bring up the Properties window and look for the Started field.

For example, Process Explorer tells us that AlwaysUp last started OneDrive at 12:21:32 PM on March 27 2022:

Process Explorer: OneDrive start time

If everything is working as expected, the start time should be close to the time reported in the AlwaysUp logs. Please be sure to let us know if the times are different because that would indicate a bug in AlwaysUp.

Best of luck with your application!

You may also like...

New Version

Running Multiple Windows Services? AlwaysUp 11 is Here to Help!

AlwaysUp Works Well on Windows 10

AlwaysUp Works Well on Windows 10 (but no keyboard or mouse in Session 0)

AlwaysUp not Working? Please Send us these Details so we can Help!

AlwaysUp not Working? Please Send us these Details so we can Help!

Posted in AlwaysUp | Tagged , , , | Leave a comment

Essential Windows Services: Security Accounts Manager / SamSs

Posted on May 9, 2022
Security Accounts Manager Service

What is the Security Accounts Manager (SamSs) service?

The Security Accounts Manager service administers the database of user and group account information stored on your computer. The service helps to authenticate local and remote users logging on to your PC.

The service’s display name is SamSs and it’s hosted in the LSA process, lsass.exe. By default, the service is set to start automatically when your computer boots:

Security Accounts Manager Windows Service

What happens if I stop SamSs?

The following services depend on SamSs:

SamSs Service dependencies

That means that if you stop SamSs, those services will stop as well. And that may cripple your computer.

For example, if the Server service stops, file and printer sharing won’t work. Are those features important to you?

In any case, you may find it next to impossible to stop the SamSs service!

You will notice that the stop button is disabled in the Services application:

SamSs stop button disabled

And the SC command informs us that the service is not stoppable, cannot be paused and ignores shutdown requests:

SC Query SamSs

Apparently Microsoft really doesn’t want anyone to disturb the Security Accounts Manager service!

Is it OK to disable the Security Accounts Manager service?

The service’s description states:

 Disabling this service will prevent other services in the system from being notified when the SAM is ready, which may in turn cause those services to fail to start correctly. This service should not be disabled.

Indeed, Microsoft reiterates their recommendation to keep the service enabled on Windows Server 2016 (with Desktop Experience).

What happens if I kill the SamSs process (lsass.exe)?

The Security Accounts Manager service runs inside the lsass.exe process, which multiple services may share.

For example, here you see three services — SamSs, VaultSvc (Credential Manager), and Keyslo (CNG Key Isolation) — all running in the same instance of lsass.exe (with PID 708):

lsass.exe is running multiple services

Because all three services are running in the same process, terminating the process will stop all three services.

That’s probably OK for the CNG Key Isolation service but Credential Manager is a building block for another three services. Be sure to understand the implication of terminating the Credential Manager service before killing the shared lsass process.

The SamSs service isn’t starting. Help!

If Security Accounts Manager failed to start, it is likely that the important Remote Procedure Call (RPC) service didn’t start either.

Open Services and check if someone has disabled the RPC service. If so, you should definitely re-enable it.

After that, try to start the RPC service. If that works, you can start SamSs next.

Questions? Problems?

If you would like to know more about the Security Accounts Manager service, or you have a specific problem, please feel free to get in touch. We will do our best to help you!

You may also like...

Essential Windows Services: Windows Update (wuauserv)

Essential Windows Services: Windows Update (wuauserv)

How to Survive Automatic Updates when Running 24/7 with AlwaysUp

How to Survive Automatic Updates when Running 24/7 with AlwaysUp

Use NET.EXE to start or stop your Windows Service

Essential Tools for Windows Services: The NET Command

Posted in Windows Services | Tagged , , , , | 2 Comments
 

Products

Topics/Tags

windows-8 q&a services.msc sanity-check support automatic-delayed interactive-services windows-services windows-11 essential-tools new-release windows-server-2012 session-0-isolation java service-protector onedrive troubleshooter alwaysup task-scheduler service-security-editor google-drive windows-service-auditor essential-windows-services powershell service-trigger-editor dropbox security event-viewer windows-10 net.exe

Categories

Archives

Search This Blog


Home  | Products  | Support  | Company  | Privacy Policy  | Site Map
Run Application as Windows Service  | Auto-restart Windows Services  | Srvany vs. AlwaysUp  | AlwaysUp FAQ
How to Run Popular Applications as Windows Services  | Windows Services FAQ

Copyright © 2004-2025 Core Technologies Consulting, LLC
7028-B Thornhill Drive, Oakland CA 94611, USA
Phone: +1 (510) 343-3565  |  FAX: +1 (208) 979-1109