The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation


Q&A: How do I Restart a Windows Service on a Remote Computer?

How do I restart a Windows Service on a remote computer?
  What’s the best way to restart a Windows Service remotely from our central domain server?

— Sylvia W.

Hi Sylvia.

We know of at least five ways to restart a Windows Service on a remote machine. Let’s review each method, focusing on the pros and cons to help you select the approach that best fits your situation.

Note: If any of the methods fail with security related errors (such as “access denied”), you may need to update security settings on the remote machine.

Method #1: Use the Services application to connect to the remote PC

Did you know that the Services application works with remote computers? For some reason, Microsoft buried that feature in the interface, making it very easy to miss!

To view services on another computer:

  1. Start the Services application

  2. In the left panel, right-click Services (Local) and select Connect to another computer from the menu:

    Services: Connect to another computer
  3. In the Select Computer window, specify the computer hosting your Windows Service:

    Specify the remote computer
  4. Click OK to access the remote PC

  5. The Services application should refresh to list the services on your other computer. From there, you can start or stop any service you like:

    Services on the remote computer

If that didn’t work, you may need to update your security settings.

Pros

  • Services is a standard utility that is available on every Windows computer.

  • Services is very easy to use.

  • Besides starting or stopping the service, you can also update the service’s properties. For example, you can disable the service, setup failure actions or change the log on account.

Cons

  • Working with Services is interactive. You (or your tech) must log in, start Services, connect to the remote PC and start the service. You can’t call Services from a batch file. As a result, this approach is not suitable for non-interactive situations.

Method #2: Run SC with the “server” command line parameter

If you’re comfortable working from the command prompt, the SC utility should be in your toolbox.

To stop a Windows Service on another machine, run:

SC \\<SERVER-NAME> STOP <SERVICE-NAME>

For example, to stop the Spooler service on our file server (named “ctc-file-server”), we run:

SC \\ctc-file-server STOP Spooler

SC stopping a remote service

Be sure to run SC from an elevated command prompt — run as an administrator. If not, the command could fail because of insufficient permissions.

Pros

  • SC is a standard utility that is available on every Windows computer.

  • With SC, you can easily start or stop a service.

  • You can call SC from a batch file, which makes it suitable for non-interactive scenarios.

  • SC can do much more than start or stop a service. You can use it to change a service’s properties as well. In fact, it supports many more settings than the Services application does. Run SC /? to see the full set of options available.

Cons

  • When starting or stopping a service, SC simply makes a request and exits. It will not wait for the service to transition to the desired state. Unfortunately, that behavior can cause complications in batch files. For example, if you call “SC STOP” immediately followed by “SC START”, the start command will fail if the service takes a few seconds to stop.

Method #3: Install and run Microsoft’s PsService

If you’re familiar with the amazing (and free) tools from Microsoft’s SysInternals group, you should definitely check out their PsService utility.

Like SC, PsService allows you to start, stop or restart your service from the command line. And importantly, PsService works with remote computers.

In fact, PsService offers a rich set of command line options. Run PsService /? to see them:

PsService command line help

Look closely and you’ll see that PsService offers one important capability that neither SC nor Services does — the ability to specify the account to use on the remote computer. That feature comes in handy if your account doesn’t have enough rights or if you want to use a specific account to control the service.

For example, to start the Spooler service on our “ctc-file-server” computer, we run:

PsService \\ctc-file-server start Spooler

PsService starting a remote service

Pros

  • PsService is safe, free, reliable and endorsed by Microsoft.

  • With PsService, you can easily start or stop a service.

  • You can call PsService from a batch file, which makes it suitable for non-interactive scenarios.

  • With PsService, you can specify the username and password of an administrative account on the remote PC. As a result, your account doesn’t need to have administrative rights on the remote computer.

Cons

  • PsService does not come pre-installed on your computer. You will have to download and install/unzip the PSTools suite to use PsService. This may be an issue if you are operating in a “locked down” environment where adding new software is difficult.

  • When starting or stopping a service, PsService simply makes a request and exits. It will not wait for the service to transition to the desired state. Unfortunately, that behavior can cause complications in batch files. For example, if you call “PsService stop” immediately followed by “PsService start”, the start command will fail if the service takes a few seconds to stop.

Method #4: Use Microsoft’s PsExec to run NET

PsExec is another powerful tool in the SysInternals arsenal. It allows you to run arbitrary commands on a remote computer.

Running the NET command with PsExec produces a command that will start or stop your service and wait for it to complete. That may be an important improvement over SC and PsService, which simply put in a request and exit.

For example, this command stops the Spooler service on our “ctc-file-server” computer:

PsExec \\ctc-file-server NET STOP SPOOLER

Stopping a remote service with PSEXEC and NET

Pros

  • PsExec is safe, free, reliable and endorsed by Microsoft.

  • With PsExec and NET, you can easily start or stop a service.

  • You can call PsExec from a batch file, which makes it suitable for non-interactive scenarios.

  • With PsExec, you can specify the username and password of an administrative account on the remote PC. As a result, your account doesn’t need to have administrative rights on the remote computer.

  • PsExec with NET will wait for your service to start or stop before returning.

Cons

  • PsExec does not come pre-installed on your computer. You will have to download and install/unzip the PSTools suite to use PsExec. This may be an issue if you are operating in a “locked down” environment where adding new software is difficult.

  • NET waits up to 30 seconds for the service to start or stop. That may not be enough time for a service that takes a long time to transition.

Method #5: Use PsExec to run ServicePilot

If your service takes a while to start or stop, you may want to use our free ServicePilot utility instead of NET. With ServicePilot, you are not limited to a 30-second timeout.

ServicePilot is better than NET in other ways too. For example, ServicePilot can restart a service in one operation (instead of issuing a stop followed by a start) or forcibly terminate a misbehaving service.

This command uses ServicePilot to start the Spooler service on our “ctc-file-server” computer:

PsExec \\ctc-file-server C:\Apps\ServicePilot.exe -start Spooler

Stopping a remote service with PSEXEC and NET

Note that the command above assumes that the ServicePilot executable is available on the remote machine. If that is not the case and you only have ServicePilot on the local machine, you must instruct PsExec to copy the executable to the remote PC by specifying the -c parameter. Here is what that command looks like:

PsExec \\ctc-file-server -c "C:\Apps\ServicePilot.exe" ServicePilot.exe -start Spooler

Even though it’s less efficient, having PsExec copy the executable each time might be the better option for occasional (and unplanned) use cases.

Pros

  • ServicePilot is safe and free.

  • With PsExec and ServicePilot, you can easily start or stop a service.

  • You can call PsExec from a batch file, which makes it suitable for non-interactive scenarios.

  • With PsExec, you can specify the username and password of an administrative account on the remote PC. As a result, your account doesn’t need to have administrative rights on the remote computer.

  • PsExec with ServicePilot will wait for your service to start or stop before returning.

Cons

  • Neither PsExec nor ServicePilot come pre-installed on your computer. You will have to download them. This may be an issue if you are operating in a “locked down” environment where adding new software is difficult.

That’s it. Hopefully one of these five methods works for you.


Appendix: Update security settings to access your remote service

Windows does a great job of locking down services. As such, you may have to relax the rules if you want to start or stop a service remotely.

Ensure that your account has sufficient rights on the remote machine

Are you sure that your Windows account can update the service?

Can you log in to the remote machine and start or stop the service?

If not, you’re probably missing permissions. You may have to:

  • Make your account an administrator on the remote computer. By default, only administrators can manipulate Windows Services.

  • Give your account permission to access the service. Log in to the remote computer and use our free Service Security Editor utility to adjust the service’s permissions:

    Update service permissions

Disable UAC remote restrictions

If you are not in a domain, your requests may be blocked by User Account Control (UAC) remote restrictions. Essentially, to enforce the principle of least privilege, Windows may not respect your administrative rights on the remote computer.

But there is a simple fix. You can disable UAC remote restrictions by updating the registry as follows:

  1. Open the Windows Registry Editor (regedit)

  2. Navigate to this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    Regedit: Windows System Policies
  3. Look on the right side. If there is no value named LocalAccountTokenFilterPolicy, create it by selecting Edit > New > DWORD (32-Bit) Value and naming it.

  4. On the right side, right-click LocalAccountTokenFilterPolicy and select Modify. Enter a value of 1:

    Regedit: Update LocalAccountTokenFilterPolicy
  5. Click OK to save your changes.

  6. Close Registry Editor


Posted in Windows Services | Tagged , , , , , , , , | Leave a comment

Is AlwaysUp safe?

AlwaysUp runs any application as a Windows Service

Is our popular AlwaysUp software safe? To answer in one word — Yes!

AlwaysUp is free of viruses, trojans, advertising and malware of any kind.

That’s because the integrity of our software is our company’s highest priority. Indeed, we take the following steps to ensure that AlwaysUp is safe & secure.

AlwaysUp is digitally signed, for authenticity

The executable files distributed with AlwaysUp are all code signed. With that, you can rest assured that no one has compromised the files on your system since we created them.

For example, when you launch AlwaysUp, the embedded signature tells you that our company — Core Technologies Consulting, LLC — created the software:

AlwaysUp verified by User Account Control

Similarly, you can see the digital signatures when you open the executable file’s properties:

AlwaysUp Digital Signatures

Those digital signatures make it impossible to tamper with AlwaysUp.

Each release of AlwaysUp is scanned for viruses

We thoroughly test AlwaysUp before each release. Those tests include virus scanning.

And after release, independent third parties interrogate AlwaysUp as well. Here are the results from a few of their recent scans:

Download3K Antivirus Report
 AlwaysUp is clean of any form of malware (viruses, spyware, adware, etc.)

VirusTotal report
 VirusTotal inspected AlwaysUp with over 70 antivirus scanners

If your antivirus software suggests that an AlwaysUp executable is infected, it’s almost surely a false alarm. Please contact us with the details and we will work with the makers of your virus protection software to resolve the issue.

Hundreds of security-conscious companies & governments use AlwaysUp every day

Many companies use AlwaysUp

Customers have installed AlwaysUp more than 80,000 times over the past 15 years.

As a result, you will find AlwaysUp protecting applications all over the globe in:

  • Global financial institutions

  • Cruise line operators

  • Energy corporations

  • Aircraft manufacturers

  • Healthcare providers

  • Railroad companies

  • Top universities & research institutions

  • The US government

In fact, more than 20 companies in the Fortune 50 run AlwaysUp.

And all those companies care about security! They certainly wouldn’t embrace AlwaysUp if it wasn’t safe.

AlwaysUp is actively supported and regularly patched

We're Not Affected by the Apache Log4j Vulnerability

In a world of supply chain compromises (like the Solarwinds hack) and vicious ransomware attacks (like WannaCry), software vendors must remain hyper-vigilant about security.

In our case, we actively monitor Cybersecurity & Infrastructure Security Agency (CISA) alerts to discover critical flaws as they develop.

And once we identify an important flaw that could affect our software or systems, we move quickly to:

  1. Determine if we’re actually exposed to the problematic software, and if so

  2. Upgrade or patch our systems to remediate the problem.

For example, we responded swiftly to the recent Apache Log4 vulnerability. Thankfully, the problem did not affect AlwaysUp.

We built AlwaysUp with security in mind

Since day one, security has played an important role in the design and implementation of AlwaysUp. In fact, we architected the software to keep your information secure.

For example, AlwaysUp:

  • Hides your Windows password when you’re entering it on the Logon tab

  • Doesn’t store your Windows password

  • Omits your Windows password when you export an application to XML.

AlwaysUp obfuscates your Windows password

Please read How AlwaysUp Works to learn about the internals of AlwaysUp.

The US Department of Commerce has vetted AlwaysUp

Finally, we should point out that the US Department of Commerce Bureau of Industry and Security has evaluated AlwaysUp.

After going through the process with the examiners, AlwaysUp earned an export classification of EAR99:

AlwaysUp ECCN (PDF)

Please be sure to get in touch if you have any other questions about AlwaysUp security.

Stay safe!

Posted in AlwaysUp | Tagged , , , | Leave a comment

Q&A: How do I Automatically Restart my Windows Service when it Crashes?

How do I automatically restart my Windows service when it crashes?
  One of our Windows Services crashes a few times a month. When that happens, a tech has to log into the server and start the service again, which is a pain. Isn’t there a way to restart the service automatically after it crashes? Please help.

— Kirkland

Hi Kirkland.

A Windows Service is Microsoft’s technology of choice for mission-critical applications that must run 24/7/365. As such, it’s incredibly frustrating when a service crashes and fails to deliver on that primary task!

Not to worry though, we’ve got your back. Here are a couple of ways to ensure that your Windows Service rebounds quickly after a crash (or other failure).

Solution #1: Configure Service Recovery (Basic)

Good news! Windows Services come with a built-in recovery mechanism.

If you open your troublesome service in the Services application, you will notice the Recovery tab:

Services Recovery Tab

There, you can specify what happens the first, second and subsequent times that your service fails.

Windows can perform one of the following three actions in response to a failure:

  • Restart the service

  • Restart the computer

  • Run a program

Or you can select “Take no action” to do nothing at all. That is the default for new services.

If you choose to run a program, you must specify the full path to the program to run, along with any parameters required.

For your situation, we recommend that you set all failure actions to “Restart the Service”:

Recovery Tab: Restart the Service

Simple, right? Well, maybe not. While the actions are straightforward, exactly what defines a failure? Under what conditions will Windows invoke the actions you have specified (i.e. to restart the service)?

Let’s back up a bit and address that mystery.

Microsoft’s definition of service failure

From the technical documentation, a service fails if it:

  1. Terminates without reporting a status of SERVICE_STOPPED to the Service Control Manager, or

  2. Exits with a non-zero exit code.

Note that (b) applies only if the Enable actions for stops with errors box on the Recovery tab is checked. You should definitely enable that option because doing so will allow Windows to catch a wider range of failures of your misbehaving service.

To sum up, here is our final recommended recovery configuration:

Recovery Tab: Recommended settings

Next, let’s look at where Windows Service recovery does a great job and where it’s not quite up to the task.

What service interruptions are covered by the Recovery tab?

The recovery settings above will cover a wide array of interruptions of your service.

For example, Windows will restart your service if:

  • The service ends unexpectedly

  • The service’s process is terminated (e.g. someone kills it from Task Manager)

  • The service exits with a non-zero error code

What service interruptions are NOT covered by the Recovery tab?

Sadly, the following disruptions are not handled by the basic recovery settings:

  • The service fails to start at boot

  • Someone accidentally stops the service from Services (or using the NET or SC commands)

  • The service stops unexpectedly but exits with code 0 (e.g. due to a bug in the software)

  • An internal component of the service crashes but the service shuts down normally

  • The service has a memory leak and stops working after it runs for a while

Other ways that Service Recovery falls short

Besides the above:

  • Service failures will be silent. That’s because the recovery options do not include notification. As a result, you may not find out when your service fails to start.

  • There is no protection in “zombie” situations — where your service is running but isn’t working as expected. Unfortunately, the recovery options are not sophisticated enough to look beyond the service’s status.

Solution #2: Deploy Service Protector (Advanced)

For comprehensive protection against a wide range of problems — including the ones listed above — you should use our Service Protector software.

Service Protector keeps any Windows Service running 24/7/365. Whenever a service stops — no matter the reason — Service Protector will immediately restart it.

Here’s a look at Service Protector babysitting the Windows print spooler service on our Server 2022 machine:

The Print Spooler service is protected

But Service Protector is much more than automatic restarts. Here are some of its key features:

Stuck service detection

Service Protector will handle non-responsive services that become stuck in the “Stopping” or “Starting” states for too long.

CPU hog detection

You can tell Service Protector to restart your service if it “runs hot” for a long period.

Memory leak/hog detection

A Windows Service that constantly eats up RAM can lead to disaster. Service Protector will terminate and recycle leaky services, to free up accumulated memory and restore normal operation.

Email alerts when things go wrong

To ensure that you are kept in the loop, Service Protector can send you an email whenever your service fails.

Extensibility

Extend Service Protector with your own, customized failure detection plugins. Use them to detect and restart “zombie” Windows Services.

Workflow

Need to perform some housekeeping tasks before your service starts? Service Protector can run a batch file (or program) before restarting your Windows Service.

Scheduled restarts

Sometimes software that has been running for too long doesn’t work. Service Protector can restart your service (or reboot the PC) at specific times, to minimize the effects of memory leaks and keep your service “fresh”.

Daily/Weekly reports

Service Protector will email you summaries of restarts, crashes, etc.

Error control

Service Protector will automatically dismiss those annoying “I have crashed!” message boxes that can halt the action.

Restores disabled services

If some clever person disables your service from the Services application, Service Protector will automatically re-enable it.

Try Service Protector for Free

Best of all, you can setup your service with Service Protector and see how it works completely free for 30 days. No need to make a purchase, register your email or provide a credit card. Just download and install.

Finally, while the Recovery tab is free, a perpetual license of Service Protector costs $99.99.

Nevertheless, if you are operating in a commercial environment where downtime is costly, we recommend making that modest investment to bulletproof your servers.

Best of luck with your service!

Posted in Windows Services | Tagged , , , , , | 2 Comments

Windows Server 2022: A Few Improvements, but No Changes to Windows Services

Windows Server 2022

With surprisingly little fanfare, Microsoft released Windows Server 2022 in August 2021.

Don’t feel bad if you failed to notice — few people did! Clearly all the hype was focused on Windows 11, which debuted about six weeks later.

Anyway, here’s our technical take on the new operating system.

What’s new in Windows Server 2022

Server 2022 is more evolution than revolution. In fact, the most significant improvements are all under the hood.

Here are the top 3 enhancements, from our team’s perspective:

1. Tighter Security

  • Firmware attack prevention: When Server 2022 boots, it closely monitors boot processes to detect and block firmware-based viruses.

  • TLS 1.3 is enabled by default: The most advanced Transport Layer Security (TLS) protocol secures web traffic on Server 2022.

  • Encrypted DNS protects network conversations: The DNS Client now supports HTTPS, to keep your DNS traffic private.

Be sure to check out the full list of security improvements in the official documentation.

2. Better control through Windows Admin Center

Since its launch in 2019, Windows Admin Center (WAC) continues to get better in each version of Windows Server. We’re fans, and our team makes heavy use of WAC with our testing servers.

Besides controlling the new security features, WAC now includes automatic updates, automated extension lifecycle management and more.

3. Faster networking

TCP & UDP — the foundational communication protocols underpinning the Internet — received some overdue love and attention in Server 2022.

For example, TCP is more efficient on high-speed networks. That leads to smoother (and swifter) downloads.

Moreover, UDP packets can now go directly from the CPU to the network adapter’s specialized hardware. And on the receiving end, packets are coalesced to reduce CPU demands even more.

You should welcome these key performance upgrades — especially if you’re running a web server or other network-hungry software.

Windows Services: No new features or improvements

Microsoft didn’t alter any of the Windows Service functions in Server 2022. In fact, the Services API remains exactly the same as it is in Server 2019.

And because the underlying Windows Services functionality didn’t change, Server 2022 does not revise the popular service-related tools distributed with the operating system either.

The Services application (a.k.a. “services.msc”) looks exactly the same as it does in Server 2019:

Services on Windows Server 2022

Similarly, the command line options for the NET and SC utilities remain frozen in their 2019 state. Here you can see a comparison of SC’s output in Server 2022 and in Server 2019:

SC in Server 2022 vs 2019

AlwaysUp & Service Protector are fully compatible with Server 2022

We’ve been testing Windows Server 2022 every day for the past 3 months. In that time, we have not detected any incompatibilities with our software.

AlwaysUp launched Dropbox, OneDrive, Node.js and everything else we threw at it with zero problems.

To illustrate, here is AlwaysUp running NGINX as a Windows Service:

AlwaysUp running NGINX on Server 2022

Service Protector fared just as well. We tested Apache, PostgreSQL and MongoDB Windows Services, all without incident:

Service Protector on Server 2022

More information & resources

  • Watch this instructive video to learn even more about Windows Server 2022:

  • Did you know that you can try Windows Server 2022 for 180 days at no charge? Simply download and install. It’s a great way to test drive the new operating system before paying for an upgrade.

  • Mainstream support for Windows Server 2022 ends on October 13 2026. Extended support lasts for another 5 years and concludes on October 14, 2031. Mark your calendar!

Posted in Windows | Tagged , , , , , | Leave a comment

AlwaysUp Web Service Supports Reverse Proxy Servers

Reverse Proxy

AlwaysUp Web Service version 13.2 was published on February 4 2022.

This new release — which is fully certified for Windows 11 and Windows Server 2022 — includes a handful of improvements and fixes. Consequently, please upgrade at your earliest convenience.

But of all the new features, the ability to work with reverse proxy servers is the most impactful. So let’s dig into that capability today…

What is a Reverse Proxy? Why would I use one?

A reverse proxy is an application that sits in front of one or more back-end services and enables users to access those services from a single location. In doing so, the proxy “hides” the location and other details of the back-end services from the users.

For example, let’s take Acme Inc — an IT company that operates three web services. Acme hosts each web service on its own internal server, accessible at the following URLs:

  • http://10.0.0.104/get-menu

  • http://10.0.0.105/wsapi/v2/create-booking

  • http://10.0.0.106:8880/daily-report.php

Because the web services are deployed on the company’s private network (10.x.x.x), none of them are accessible from the Internet. Therefore, customers cannot get menus, create bookings or view reports. And Acme wants to change that.

To make the web services accessible to its customers, Acme introduces a reverse proxy. Their IT team deploys a new server and configures it securely at https://api.acme.com.

Now customers can visit all three services under the same umbrella, at:

  • https://api.acme.com/api/food/get-menu

  • https://api.acme.com/api/reservations/wsapi/v2/create-booking

  • https://api.acme.com/api/reports/daily-report.php

As a result, with the help of the reverse proxy, Acme has provided a valuable service to it’s customers — all with security, scalability and usability in mind!

Reverse Proxy configuration

In order for AlwaysUp Web Service to work with a reverse proxy, the proxy must pass the following headers in each request it forwards:

  1. X-Base-URL: The path/location where the proxy server serves AlwaysUp Web Service. For example, if AlwaysUp Web Service should be available at http://proxy.acme.com/alwaysup-web-service/, the X-Base-URL value should be /alwaysup-web-service/.

  2. X-Forwarded-For: The originating IP address of the client connecting the proxy server. This allows AlwaysUp Web Service to track the true source of the request.

Reverse Proxy setup with NGINX

Let’s review an example with NGINX — a popular web server that supports reverse proxy configuration.

Acme hosts AlwaysUp Web Service at http://10.10.0.1:8585. In addition, its Internet-facing proxy server is accessible at http://proxy.acme.com.

To make AlwaysUp Web Service available to users outside of Acme’s internal network, the server section of the proxy’s NGINX configuration file looks like this:

server {
      listen 80;
      location /alwaysup/ {
            proxy_set_header X-Base-URL /alwaysup-web-service/;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://10.10.0.1:8585/;
      }
}

With that setup in place, Acme’s users can access AlwaysUp Web Service at http://proxy-server/alwaysup-web-service.

SSL Configuration

Setup is a tad more complicated when working with HTTPS. Assuming the same conditions as above, here is Acme’s NGINX configuration for the SSL scenario:

server {
      listen 443 ssl;
      ssl_certificate "ssl/certificate.pem";
      ssl_certificate_key "ssl/certificate-key.pem";
      ssl_protocols TLSv1.2;
      location /alwaysup/ {
            proxy_set_header X-Base-URL /alwaysup/;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://10.10.0.1:8585/;
      }
}

Feel free to use the self-signed certificate files distributed with AlwaysUp Web Service. They are available in the “certificates” sub-folder of the installation directory.

A sample NGINX configuration file (with server sections for both the HTTP and HTTPS scenarios) is available at our website.

Enjoy!

Posted in AlwaysUp Web Service | Tagged , , , | Leave a comment