The Core Technologies Blog

Professional Software for Windows Services / 24×7 Operation



Get Enhanced Authentication Controls & Improved Security with AlwaysUp Web Service 14.7

AlwaysUp Web Service 14.7: Session Controls & Improved Security

AlwaysUp Web Service version 14.7 was released on October 1 2023.

This time around, our team focused on improving the software in a couple of areas — to give you greater control over authentication and to improve security.

New authentication and session timeout options

Authentication was mandatory in previous versions of AlwaysUp Web Service. You were forced to enter a password before interacting with your AlwaysUp applications in the browser.

But while protecting the web service is the right approach for the vast majority of our customers, we also heard that having to constantly log in was a nuisance. And introducing an additional layer of authentication was unnecessary when access to the web service URL was already restricted by another gating mechanism (such as network isolation or IP filtering).

So, to help customers who weren’t happy with the current system, we introduced the following enhancements.

  1. Authentication is optional.

    You can now avoid logging in to access the web service.

  2. The session timeout is configurable.

    You can now set the web session timeout value to up to 24 hours, to have the web service keep you logged in even when you’ve been idle for a long time.

The new options are available on the Settings page in AlwaysUp Web Service Control Panel:

AlwaysUp Web Service Control Panel: Authentication Settings

Of course, please think carefully before relaxing security in your environment. We recommend sticking with the defaults (password required; session timeout of 30 minutes) unless you have good reasons to change them. Caveat emptor!

Protection against known vulnerabilities

As a web application that might be available on the Internet, it’s important for AlwaysUp Web Service to be as secure as possible. Indeed, it must resist the thousands of malicious actors and bots that are constantly probing network ports, trying to hijack computers.

We apply security updates regularly, to keep AlwaysUp Web Service ahead of the attackers. In this release, we:

  1. Introduced support for TLS 1.3.

    The latest version of the TLS protocol — which strengthens encrypted SSL connections — ensures that your data is always secure in transit.

  2. Dropped support for TLS 1.1 and earlier.

    Unfortunately those older protocols are no longer secure. Even Microsoft started disabling them in September 2023.

And with those improvements in place, AlwaysUp Web Service received an A+ grade from ImmuniWeb’s popular SSL Security test:

ImmuniWeb SSL Security test results

The full report (PDF) is available here.

Additional enhancements

As usual, please review the release notes for the full list of features, fixes and improvements included in AlwaysUp Web Service version 14.7.

Enjoy!

Posted in AlwaysUp Web Service | Tagged , , , , | Leave a comment

Windows Services Startup Types Explained

Windows Services Startup Types Explained

What is a service’s Startup Type? Where do I find it?

A Windows Service is a special application whose lifecycle is managed by the operating system. That is, unlike a “normal” application that relies on a person to start or stop it, Windows itself is responsible for starting, stopping or restarting a service.

To give you some control over how things work, each Windows Service has a startup type property that dictates how Windows should manage it. The options range from “start it as soon as you can” to “don’t run the service at all”. There’s even the ability to start a service when certain conditions are met. But more on those later as we dig into each of the startup types below.

The built-in Services application shows the startup type for each service. You can launch the application by typing “services” into the search bar and clicking its icon:

Start Services from the search bar

The Services window lists all the Windows Services running on your computer. The “Startup Type” column indicates how each service is configured to start:

Services: The Startup Type column

Double-click a row to reveal the details of that service in the Properties window. You’ll see the “Startup type” field about half-way down:

Service properties: The startup type field

If permissions allow, you can change the startup type right there as well. Simply choose a new value from the list and click OK (or Apply) to record your change:

Changing the Startup Type

And now that you know how to find the startup type of any service, let’s review the values available and what each of them means.


Automatic

When a service is set to “Automatic”, Windows will start it as soon as possible whenever the system boots.

Because of that early start, all critical Windows Services — like those supporting networking, security and user management — are set to start automatically. That enables them to come to life quickly, to support key functionality across your computer.

When to set startup type to “Automatic”

Automatic start is best for services that:

  • Implement technical functions that are vital for the operation of your PC;

  • Are needed to support other services or applications;

  • Must run all the time.

Examples of “Automatic” services

Many of the built-in Windows Services are set to start automatically. Here are a few examples:

  • Windows Defender Firewall — helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network. This service must be ready by the time the network is up.

  • Local Session Manager — a core Windows Service that manages local user sessions. Stopping or disabling this service will result in system instability.

  • Windows Event Log — manages events and event logs for other services. Stopping this service may compromise the security and reliability of the system.


Automatic (Delayed Start)

Windows launches “Automatic (Delayed Start)” services about 1-2 minutes after your computer boots — after Automatic services have started.

You can think of Windows launching services in two rounds at boot. Automatic services go in the first round while “Automatic (Delayed Start)” services are kicked off in the second round.

As such, the “Automatic (Delayed Start)” setting is most useful in lessening the mad rush for resources when your computer starts up.

For example, suppose that there are 20 services all being started at the same time. In reality, they will all be competing for slices of the machine’s precious resources (CPU/RAM/Disk/Network). The inevitable result is that each service will take longer to become available.

If you have a few services that are critical, then you may want to set those few to “Automatic” and set as many of the others as you can to “Automatic (Delayed Start)”. This will ensure that the critical services get the most resources early and become available sooner, while the non-critical services start a bit later (which by definition is OK).

When to set startup type to “Automatic (Delayed Start)”

“Automatic (Delayed Start)” is best for services that:

  • Should start at boot but don’t perform mission-critical activities;

  • Are best started after supporting services are up and running;

  • Should run all the time.

Examples of “Automatic (Delayed Start)” services

On Windows 11, less than a dozen of the built-in Windows Services are set to start delayed. Here are a few examples:

  • Security Center — monitors and reports security health settings on the computer. This service should run all the time but there is no need to start it ASAP because it’s focused on reporting.

  • Update Orchestrator Service — manages Windows Updates. If stopped, your computer will not be able to download and install the latest updates. Since it’s not a critical service, Windows starts it in the second round.

  • Dropbox Update Service — keeps your Dropbox installations up to date. The service is certainly helpful but it doesn’t need to start the instant your PC reboots.


Manual

A “Manual” service isn’t automatically started by Windows at boot. Instead, it will be started on demand — either by a user or by an application.

For the most part, “Manual” services sit idle until they’re needed. And often, they return to an idle state once they’ve performed the work they were summoned to do. As such, they tend to be the most efficient group of services, only running when they need to.

Note that in previous versions of Windows, the vast majority of services were set to “Automatic” and only a handful were “Manual”. But over the years, as Microsoft focused on streamlining the boot process, the situation has fully reversed. Most of the built-in Windows Services are now started on demand!

When to set startup type to “Manual”

The “Manual” startup type is appropriate for services that:

  • Don’t need to run 24/7;

  • Are only used occasionally;

  • Provide uncommon functionality that only some devices (or users) will need;

  • Aim to achieve maximum efficiency, only running when necessary;

Examples of “Manual” services

Many of the built-in Windows Services are set to “Manual”. Here are a few examples:

  • Windows Backup — provides backup and restore capabilities, which are only necessary at defined times.

  • Fax Service — enables you to send and receive faxes. Who uses that anymore? 🙂

  • Microsoft Edge Elevation Service — keeps Microsoft Edge up to date. This service only comes to life a few times per day.


Disabled

Setting the startup type to “Disabled” tells Windows don’t allow the service to start — under any circumstances. You cannot run a disabled service.

If you wish to start a disabled service, you must first change its startup type to another value. Setting to “Manual” usually makes the most sense.

When to set startup type to “Disabled”

You should disable services that:

  • Shouldn’t (or cannot) run;

  • Are responsible for unused functionality;

  • Are insecure and may compromise the system in some fashion.

Examples of “Disabled” services

Here are a few examples of services with startup type set to “Disabled”:

  • Shared PC Account Manager — Manages profiles and accounts on a SharedPC configured device. It’s disabled on our machine because we’re not using the SharedPC feature.

  • OpenSSH Authentication Agent — holds private keys used for public key authentication. Citing security concerns, Microsoft disables this rarely used service in new installations of Windows 10 & 11.

  • Remote Registry — enables remote users to modify registry settings on this computer. Certainly not for everyone!


Intermission: What does “Trigger Start” mean?

Because the remaining startup types all mention “Trigger Start”, we thought this would be a good time to explain what that means. Here goes…

In older versions of Windows, the only startup types available were the ones we’ve already reviewed — Automatic, Automatic (Delayed Start), Manual and Disabled. Each service was assigned one of those values. (Incidentally, most were set to “Automatic”, which made for utter chaos as they all scrambled to start at boot.)

However, in Windows 7 (circa 2009), Microsoft introduced a new capability — the ability to start (or stop) a service when a key operating system event occurs. They called those events triggers and services that react to the events trigger start services.

Putting it all together, a service has “Trigger Start” in its startup type if it has at least one trigger.

But why did Microsoft introduce trigger start services?

Well, by offering trigger start as an option, Microsoft made it easier for Windows Services to avoid starting at boot and running 24/7. For example, if your service works with USB drives, you can configure it to start whenever someone inserts a USB drive. Similarly, a network-monitoring service may choose to run only when your computer signs out of a domain or leaves the network. Options abound, and you can read about the technical details in the Developing Efficient Background Processes for Windows white paper.

So service triggers are great. But there is one major inconvenience…

You can’t view or edit triggers with the Services application

Until Microsoft updates the Services application to manage triggers, you either have to:

  1. rely on the Windows SC command-line program, or

  2. use our free Service Trigger Editor GUI utility, which shows you all the trigger start services on your system:

Service Trigger Editor managing trigger start services

Anyway, back to startup types…


Automatic (Trigger Start)

“Automatic (Trigger Start)” means start the service immediately at boot — and also restart it whenever specific operating system events (triggers) occur.

It’s the same as Automatic, plus with one or more triggers too.

As a result, an “Automatic (Trigger Start)” service can be very efficient. Even though Windows starts it as soon as possible, the service can do its initial work and quickly exit — secure in the knowledge that Windows will fire it up again whenever it’s needed.

When to set startup type to “Automatic (Trigger Start)”

“Automatic (Trigger Start)” start works best for services that:

  • Should to start as soon as possible after boot;

  • Don’t need to run all the time;

  • Can be reactivated by a triggering event.

Examples of “Automatic (Trigger Start)” services

On our Windows 11 computer, only six services are set to “Automatic (Trigger Start)”. Here are a few of them:

  • Server — supports file, print, and named-pipe sharing over the network. As you might expect, the two triggers are network-related:

    Triggers for the Server Windows Service
  • Windows Connection Manager — makes automatic connect/disconnect decisions based on the network connectivity options currently available to the PC and enables management of network connectivity based on Group Policy settings.

  • Group Policy Client — responsible for applying settings configured by administrators for the computer and users through the Group Policy component.


Automatic (Delayed Start, Trigger Start)

An “Automatic (Delayed Start, Trigger Start)” service starts a few minutes after boot — and also in response to a trigger.

As you may have guessed, “Automatic (Delayed Start, Trigger Start)” is similar to Automatic (Trigger Start), except that the service starts 1-2 minutes after boot (instead of ASAP).

When to set startup type to “Automatic (Delayed Start, Trigger Start)”

“Automatic (Delayed Start, Trigger Start)” can apply to services that:

  • Should to start at boot but can wait for a couple of minutes;

  • Don’t need to run all the time;

  • Can be reactivated by a triggering event.

Examples of “Automatic (Delayed Start, Trigger Start)” services

Few of the built-in Windows Services use this startup type. Here are three examples:

  • Microsoft Edge Update Service — keeps your Microsoft software up to date.

  • Software Protection — enables the download, installation and enforcement of digital licenses for Windows and Windows applications.

  • Windows Time — maintains date and time synchronization on all clients and servers in the network. Because it’s all about networking, the service will trigger-start when your computer joins a domain:

    The Windows Time domain service trigger

Manual (Trigger Start)

Windows never starts a “Manual (Trigger Start)” service at boot. It only starts the service in response to a trigger.

This is the most efficient startup type of them all. Windows only starts the service when its needed.

When to set startup type to Manual (Trigger Start)

“Manual (Trigger Start)” is a fine choice for services that:

  • Don’t need to start at boot;

  • Don’t need to run all the time;

  • Can be reactivated by a triggering event.

Examples of Manual (Trigger Start) services

“Manual (Trigger Start)” is the most popular startup type on our Windows 11 computer. That’s a testament to the work that Microsoft has put in to ensure that its services don’t hog resources by running when they don’t need to.

Example services include:

  • BitLocker Drive Encryption Service — provides secure startup for the operating system, as well as full volume encryption for OS, fixed or removable volumes. It only needs to run under special conditions (when a custom event is triggered).

  • Windows Update — enables the detection, download, and installation of updates for Windows and other programs. As you can see, the service will spring to life whenever a policy changes:

    Windows Update service policy triggers
  • Portable Device Enumerator Service — enforces group policy for removable mass-storage devices. It employs a dozen triggers!

    Portable Device Enumerator Service triggers

Windows Service startup types: Summary

To recap, the startup type tells Windows how it should start your service.

Here is what each value communicates to the operating system:

  • Automatic: “Start this service at boot, early in the cycle.”

  • Automatic (Delayed Start): “Start this service at boot, but delay it by a couple of minutes.”

  • Manual: “Don’t start this service at boot.”

  • Disabled: “Don’t start this service at boot, and don’t allow anyone (or any program) to start it either.”

  • Automatic (Trigger Start): “Start this service early in the boot cycle and start/stop it when specific events occur.”

  • Automatic (Delayed Start, Trigger Start): “Start this service a couple of minutes after boot and start/stop it when specific events occur.”

  • Manual (Trigger Start): “Don’t start this service at boot, only start/stop it when specific events occur.”

Posted in Windows Services | Tagged , , , , , , , , , , , | Leave a comment

OneDrive Doesn’t Sync Directory Junctions

OneDrive Doesn't Sync Linked Folders

What is a directory junction?

A directory junction is an alias of one folder to another.

Put another way, a directory junction allows you seamlessly access the contents of a folder from another directory, with a different path.

For example, let’s say that you have folder “C:\Users\Username\Documents\Media\All Movies” on your computer. However, you find that directory too long to type when working with it from the command line. You dream of entering a shorter path — such as “C:\Movies” — but you don’t want to copy the files to a new location.

To solve the problem, you would create a directory junction mapping “C:\Movies” to “C:\Users\Username\Documents\Media\All Movies”. After doing that, all your movies will be accessible from “C:\Movies” too. For all practical purposes, “C:\Movies” becomes a synonym for the longer path.

Directory junctions can be created with the with the mklink command. For example, this command creates the alias for the scenario above:

mklink /j "C:\Movies" "C:\Users\Username\Documents\Media\All Movies"

Why use a directory junction with OneDrive?

A directory junction provides convenience and flexibility when designing your cloud synchronization strategy. In theory, by allowing you to place any arbitrary folder inside your OneDrive folder, you can extend the scope of your OneDrive backup without having to duplicate large folders and files.

Let’s illustrate with a practical example.

Say you’ve installed OneDrive to synchronize your OneDrive folder (“C:\OneDrive”) with the cloud. Everything is working well.

However, you also want OneDrive to backup “C:\Shared\CustomerSuccess\Templates” — a shared folder with important company files. How do we instruct OneDrive to sync that folder as well?

Well, this is where folder linking comes in. You can create a directory junction in your OneDrive folder that points to the Templates folder, like this:

Create a directory junction with mklink

Doing so places an alias of the Templates folder right inside the OneDrive folder, as illustrated here:

The directory junction in the OneDrive folder

And soon after you’ve created the directory junction, OneDrive will notice the new linked folder and sync it to the cloud:

OneDrive has synced the linked folder

Problem solved, right? Unfortunately, not so fast…

OneDrive doesn’t detect changes to the files in directory junction

While OneDrive synced the contents of the new linked folder when the directory junction was first established, it didn’t re-sync the folder when something changed.

For example, when we created a new file called “evaluation-2023.docx” in the linked folder, OneDrive didn’t copy the file to the cloud:

OneDrive doesn't sync a new file in the linked folder

It’s as if OneDrive didn’t realize that the new file was there at all.

And the same was true for other changes too. OneDrive missed all deletes, renames and updates to the files in the linked folder. None made it to the cloud.

In fact, the only time OneDrive synced the linked folder was when the application started. Afterwards, OneDrive completely ignored the linked folder.

Needless to say, this unusual behavior renders the directory junction we created in the OneDrive folder useless. If we can’t rely on OneDrive to recognize changes to our files, why bother linking the folder at all?

But… why?

The reason is likely very technical — rooted in the low-level file system services provided by the Windows Operating System.

OneDrive probably calls FindFirstChangeNotification to monitor the OneDrive folder. And whenever a file is changed:

  1. FindFirstChangeNotification lets OneDrive know that something in the folder has been updated

  2. OneDrive figures out what’s changed and copies the new file up to the cloud.

However, FindFirstChangeNotification treats directory junctions and other links specially. From the Symbolic Link Effects on File Systems Functions documentation:

 If the path points to a symbolic link, the notification handle is created for the target. If an application has registered to receive change notifications for a directory that contains symbolic links, the application is only notified when the symbolic links have been changed, not the target files.

Translation: FindFirstChangeNotification won’t shout when a file inside a directory junction changes. And unfortunately, that leaves OneDrive in the dark. 🙁

Posted in OneDrive | Tagged , , , , | 2 Comments

Essential Windows Services: SysMain

SysMain Service

What is SysMain?

SysMain is a Windows Service that monitors the applications running on your computer and tries to improve their performance over time.

For example, if SysMain notices that you run Microsoft Excel frequently, it may automatically place Excel in your computer’s memory. And with Excel already loaded into RAM, the program will come up on your desktop much faster when you actually open it.

The end result is that by anticipating what you’re likely to do soon, SysMain can make your computer seem faster than it is.

The service’s display name is SysMain and it runs as LocalSystem inside the service host process, svchost.exe. By default, the service is set to start automatically when your computer boots:

SysMain Windows Service

Note that in previous version of Windows (before Windows 10 18H2), SysMain was called Superfetch. Microsoft changed the name because future versions of the service will likely do much more than simply caching frequently used programs in memory.

Why is SysMain using so much CPU and RAM?

As mentioned, SysMain’s goal is to speed things up by preparing key applications before you actually need them. Doing so makes your applications load faster.

But the downside of that approach is that SysMain uses system resources before necessary — without your explicit consent/request.

Let’s go back to our Excel example, where SysMain loads Excel into memory before you launch the program. The truth is that when SysMain loads Excel, the service uses CPU and memory to complete that task. And if you happen to be using another application when SysMain is doing its work, your PC may appear sluggish — or even unresponsive.

Fortunately, SysMain won’t bog down most modern PC’s. When there are ample amounts of CPU and RAM, you won’t even notice the Windows Service helping you in the background.

The trouble comes up when your RAM and CPU are limited. In those situations, SysMain is constantly competing with the interactive user for precious resources, and that can make your machine appear slower than it is!

Is it OK to disable the SysMain Windows Service?

Yes. SysMain isn’t an essential system process and you can safely disable it.

Indeed, if your PC suffers from “random spikes” in CPU or RAM, you should see if turning off SysMain reduces or eliminates the problems.

Furthermore, a common bit of advice is to disable SysMain whenever your computer has a fast hard drive. In that situation, pre-loading applications into RAM only saves you a few milliseconds. For example, you probably won’t even notice the small speedup that SysMain provides if you’ve got a speedy solid-state drive (SSD).

However, one bit of advice if you disable SysMain. Because it’s possible that SysMain will deliver significant speedups in future versions of Windows, be sure to reevaluate the service as Microsoft improves its operating systems.

Questions? Problems?

If you would like to know more about the SysMain service, or you have a specific problem, please feel free to get in touch. We will do our best to help you!

Posted in Windows Services | Tagged , , , , | Leave a comment