Managing System Services
Services provide key functions to workstations and servers.
To manage system services on local and remote systems, you’ll use the service
controller command SC, which has several subcommands, only some of which are
explored here. The sections that follow discuss each of these subcommands:
- SC config: Configures service startup and logon accounts
- SC query: Displays the list of all services configured on the computer
- SC qc: Displays the configuration of a specific service
- SC start: Starts services
- SC stop: Stops services
- SC pause: Pauses services
- SC continue: Resumes services
- SC failure: Sets the actions to take upon failure of a service
- SC qfailure: Views the actions to take upon failure of a service
With all commands, you can specify the name of the remote computer
whose services you want to work with. To do this, insert the UNC name or IP
address of the computer before the subcommand you want to use. This makes the
syntax
sc ServerName Subcommand
Viewing Configured Services
To get a list of all services configured on a system, type
the following command at the command prompt:
sc query type= service state= all
or
sc ServerName query type= service state= all
where ServerName is the UNC name or IP
address of the remote computer, such as \\Mailer1 or \\192.168.1.100, as shown
in the following examples:
sc \\Mailer1 query type= service state= all
sc \\192.168.1.100 query type= service state= all
Note: There must be a space after the equal sign (=) as used with
type= service and state= all. If you
don’t use a space, the command will fail.
With the state flag, you can also use the
value active (to show running services only) or inactive (to show all paused or stopped services). Consider
the following examples:
sc \\Mailer1 query type= service state= active
sc \\Mailer1 query type= service state= inactive
In the first example, you query MAILER1 for a list of all services
that are running. In the second example, you query MAILER1 for a list of all
services that are stopped.
The output of SC query shows the services and their
configurations. Each service entry is formatted as follows:
SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
        (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
As an administrator, the fields you will work with the most
are
- Service Name: The abbreviated name of the service. Only services installed on the system are listed here. If a service you need isn’t listed, you’ll need to install it.
- Display Name: The descriptive name of the service.
- State: The state of the service as Running, Paused, or Stopped.
As you’ll see if you run the SC query command, the output is very
long and is best used with a filter to get only the information you want to see.
For example, if you use the following command, you clean up the output to show
only the most important fields:
sc query type= service | find /v "x0"
Here you pipe the output of SC query through the FIND command and
clean up the output so the service entries appear, as shown in this example:
SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
        (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
Note: The parameter /V "x0" tells the FIND command to display only
lines of output that do not contain the text x0, which is
the common text on WIN32_Exit_Code, Service_Exit_Code, Checkpoint, and Wait_Hint
fields. By specifying that you don’t want to see lines of output that contain
this value, you therefore remove these unwanted fields from the
display.
If you know the name of a service you want to work with, you can
use SC qc to display its configuration information. The syntax is
sc qc ServiceName
where ServiceName is the name of the service
you want to examine. The output for individual services looks like this:
SERVICE_NAME: w3svc
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k iissvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : World Wide Web Publishing Service
DEPENDENCIES : RPCSS
             : HTTPFilter
             : IISADMIN
SERVICE_START_NAME : LocalSystem
Note that the output doesn’t tell you the current status of the
service. It does, however, tell you the following:
- Binary Path Name: The file path to the executable for the service
- Dependencies: Services that cannot run unless the specified service is running
- Display Name: The descriptive name of the service
- Service Start Name: The name of the user account the service logs on as
Note: Services that are configured to start automatically are listed as AUTO_START. Services that are configured to start manually are listed as DEMAND_START. Services that are disabled are listed as DISABLED.
- Type: The type of service and whether it is a shared process
Note: When you are configuring a service logon, it is sometimes important to know whether a process runs in its own context or is shared. Shared processes are listed as WIN32_SHARE_PROCESS. Processes that run in their own context are listed as WIN32_OWN_PROCESS.
Starting, Stopping, and Pausing Services
As an administrator, you’ll often have to start, stop, or
pause Windows services. The related SC commands and their syntaxes are
Start a service:
sc start ServiceName
Pause a service:
sc pause ServiceName
Resume a paused service:
sc continue ServiceName
Stop a service:
sc stop ServiceName
where ServiceName in each case is the
abbreviated name of the service you want to work with, such as
sc start w3svc
As with all SC commands, you can also specify the name of the
remote computer whose services you want to work with. For example, to start the
w3svc on MAILER1, you would use the following command:
sc \\Mailer1 start w3svc
The state listed in the results should show START_PENDING. With
stop, pause, and continue you’ll see STOP_PENDING, PAUSE_PENDING, and
CONTINUE_PENDING respectively as well. If an error results, the output states
FAILED and error text is provided to describe the reason for the failure in more
detail. If you are trying to start a service that is already started, you’ll see
the error
An instance of the service is already running.
If you are trying to stop a service that is already stopped,
you’ll see the error
The service has not been started.
Configuring Service Startup
You can set Windows services to start manually or
automatically. You can also turn them off permanently by disabling them. You
configure service startup using
sc config ServiceName start= flag
where ServiceName is the abbreviated name of
the service you want to work with and flag is the startup
type to use. For services, valid flag values are
- Auto: Start service at system startup
- Demand: Allow the services to be started manually
- Disabled: Turns off the service
Following this, you can configure a service to start automatically
by using:
sc config w3svc start= auto
or
sc \\Mailer1 config w3svc start= auto
Note: There must be a space after the equal sign (=) as used with
start= auto. If you don’t use a space, the command will
fail. Note also that the command only reports SUCCESS or FAILURE. It won’t tell you
that the service was already configured in the startup mode you’ve
specified.
Security Alert: Disabling a service doesn’t stop a running service. It only
prevents it from being started the next time the computer is booted. To ensure
the service is disabled and stopped, run SC stop and then SC
config.
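The condition the Security Alert describes can be read from SC's own output. As an added example (not part of the original text), this Python code parses sc query and sc qc text and lists services whose start type is DISABLED while their state is still RUNNING; the sample output, the ExampleSvc service, and the function names are constructed for illustration.

```python
import re

# Constructed sample text (not captured from a real host) in the layout that
# "sc query type= service state= all" prints: one block per service.
SAMPLE_QUERY = """\
SERVICE_NAME: W3SVC
DISPLAY_NAME: World Wide Web Publishing Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)

SERVICE_NAME: ExampleSvc
DISPLAY_NAME: Example Service (hypothetical)
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
"""
# Constructed "sc qc" text per service, trimmed to the fields used below.
QC = "SERVICE_NAME: {0}\n  START_TYPE : 4   DISABLED\n  SERVICE_START_NAME : LocalSystem\n"
SAMPLE_QC = {name: QC.format(name) for name in ("w3svc", "examplesvc")}
FIELD = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*)$")

def parse_blocks(text):
    """Return one dict of field name -> value per SERVICE_NAME block."""
    services = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and continuations like "(STOPPABLE, ...)"
        if m.group(1) == "SERVICE_NAME":
            services.append({})
        if services:
            services[-1][m.group(1)] = m.group(2).strip()
    return services

def symbolic(value):
    """'4  RUNNING' -> 'RUNNING' (drop the numeric code SC prints first)."""
    parts = value.split()
    return parts[1] if len(parts) > 1 else value

def disabled_but_running(query_text, qc_by_name):
    """Services whose start type is DISABLED while their state is RUNNING."""
    findings = []
    for svc in parse_blocks(query_text):
        qc = parse_blocks(qc_by_name.get(svc["SERVICE_NAME"].lower(), ""))
        if (qc and symbolic(svc.get("STATE", "")) == "RUNNING"
                and symbolic(qc[0].get("START_TYPE", "")) == "DISABLED"):
            findings.append((svc["SERVICE_NAME"], qc[0]["SERVICE_START_NAME"]))
    return findings
```

On a live system the two inputs would come from sc query type= service state= all and from sc qc run once for each service name.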
Configuring Service Logon
You can configure Windows services to log on as a system
account or as a specific user. To ensure a service logs on as the LocalSystem
account, use
sc config ServiceName obj= LocalSystem
where ServiceName is the name of the service
you are configuring to use the LocalSystem account. If the service provides a
user interface that can be manipulated, add the flags type=
interact type= own, as shown in the following example:
sc config w3svc obj= LocalSystem type= interact type= own
The type= interact flag specifies that the
service is allowed to interact with the Windows desktop. The type= own flag specifies that the service runs in its own
process. In the case of a service that shares its executable files with other
services, you would use the type= share flag, as shown in
this example:
sc config w3svc obj= LocalSystem type= interact type= share
Tip: If you don’t know whether a service runs as a shared process
or in its own context, use SC qc to determine the service’s start type. This
command is discussed in the section of this chapter titled “Viewing Configured
Services.”
Services can also log on using named accounts. To do this, use
sc config ServiceName obj= [Domain\]User password= Password
where Domain is the optional domain name in
which the user account is located, User is the name of the
user account whose permissions you want to use, and Password is the password of that account. Consider the
following example:
sc config w3svc obj= adatum\webbies password= blue5!CraZy
Here, you configure W3svc to use the Webbies account in the Adatum
domain. The output of the command should state SUCCESS or FAILED. The change
will fail if the account name is invalid or doesn’t exist, or if the password
for the account is invalid.
Note: If a service has been previously configured to interact with
the desktop under the LocalSystem account, you cannot change the service to run
under a domain account without using the type= own flag.
The syntax therefore becomes
sc config ServiceName obj= [Domain\]User password= Password type= own
Configuring Service Recovery
Using the SC failure command, you can configure Windows
services to take specific actions when a service fails. For example, you can
attempt to restart the service or run an application.
You can configure recovery options for the first, second, and
subsequent recovery attempts. The current failure count is incremented each time
a failure occurs. You can also set a parameter that specifies the time that must
elapse before the failure counter is reset. For example, you could specify that
if 24 hours have passed since the last failure, the failure counter should be
reset.
Before you try to configure service recovery, check the current
recovery settings using SC qfailure. The syntax is
sc qfailure ServiceName
where ServiceName is the name of the service
you want to work with, such as
sc qfailure w3svc
You can of course specify a remote computer as well, such as
sc \\Mailer1 qfailure w3svc
or
sc \\192.168.1.100 qfailure w3svc
In the output, the failure actions are listed in the order they
are performed. In the following example output, W3svc is configured to attempt
to restart the service the first and second time the service fails and to
restart the computer if the service fails a third time:
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: w3svc
RESET_PERIOD (in seconds) : 86400
REBOOT_MESSAGE :
COMMAND_LINE :
FAILURE_ACTIONS : RESTART -- Delay = 1 milliseconds.
                  RESTART -- Delay = 1 milliseconds.
                  REBOOT -- Delay = 1000 milliseconds.
The command you use to configure service recovery is SC failure
and its basic syntax is
sc failure ServiceName reset= FailureResetPeriod actions= RecoveryActions
where ServiceName is the name of the service
you are configuring, FailureResetPeriod specifies the
time, in seconds, that must elapse without failure in order to reset the failure
counter, and RecoveryActions are the actions to take when
failure occurs plus the delay time (in milliseconds) before that action is
initiated. The available recovery actions are
- Take No Action: The operating system won’t attempt recovery for this failure but might still attempt recovery of previous or subsequent failures.
- Restart The Service: Stops and then starts the service after a brief pause.
- Run A Program: Allows you to run a program or a script in case of failure. The script can be a batch program or a Windows script. If you select this option, set the full file path to the program you want to run and then set any necessary command-line parameters to pass in to the program when it starts.
- Reboot The Computer: Shuts down and then restarts the computer after the specified delay time has elapsed.
Best Practices: When you configure recovery options for critical services,
you might want to try to restart the service on the first and second attempts
and then reboot the server on the third attempt.
When you work with SC failure, keep the following in mind:
- The reset period is set in seconds. Reset periods are commonly set in multiples of hours or days. An hour is 3,600 seconds and a day is 86,400 seconds. For a two-hour reset period, for example, you’d use the value 7,200.
- Each recovery action must be followed by the time to wait (in milliseconds) before performing the action. For a service restart you’ll probably want to use a short delay, such as 1 millisecond (no delay), 1 second (1,000 milliseconds), or 5 seconds (5,000 milliseconds). For a restart of the computer, you’ll probably want to use a longer delay, such as 15 seconds (15,000 milliseconds) or 30 seconds (30,000 milliseconds).
- Enter the actions and their delay times as a single text entry with each value separated by a forward slash (/). For example, you could use the value: restart/1000/restart/1000/reboot/15000. Here, on the first and second attempts the service is restarted after a 1-second delay, and on the third attempt the computer is rebooted after a 15-second delay.
Consider the following example:
sc failure w3svc reset= 86400 actions= restart/1/restart/1/reboot/30000
Here, on the first and second attempts the service is restarted
almost immediately, and on the third attempt the computer is rebooted after a
30-second delay. In addition, the failure counter is reset if no failures occur
in a 24-hour period (86,400 seconds). You can also specify a remote computer by
inserting the UNC name or IP address as shown in previous examples.
If you use the Run action, you specify the command or program to
run using the Command= parameter. Follow the Command= parameter with the full file path to the command to
run and any arguments to pass to the command. Be sure to enclose the command
path and text in double quotation marks, as in the following example:
sc failure w3svc reset= 86400 actions= restart/1/restart/1/run/30000 command= "c:\restart_w3svc.exe 15"
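The rules above for the reset period and the actions= value can be checked before a command is run. As an added Python example that is not part of the original text, the code below validates an actions string and assembles the sc failure command line; the function names are assumptions of this example, and only the action tokens shown on this page (restart, run, reboot) are accepted.

```python
# Action tokens that appear in this page's examples. The token for
# "Take No Action" is not shown on the page, so it is not accepted here.
VALID_ACTIONS = ("restart", "run", "reboot")

def reset_period(hours=0, days=0):
    """Reset period in seconds (an hour is 3,600 s, a day is 86,400 s)."""
    return hours * 3600 + days * 86400

def parse_actions(spec):
    """'restart/1000/reboot/15000' -> [('restart', 1000), ('reboot', 15000)]."""
    fields = spec.split("/")
    if len(fields) % 2:
        raise ValueError("every action needs a delay after it: %r" % spec)
    plan = []
    for action, delay in zip(fields[0::2], fields[1::2]):
        if action.lower() not in VALID_ACTIONS:
            raise ValueError("unknown recovery action: %r" % action)
        if not delay.isdigit():
            raise ValueError("delay must be whole milliseconds: %r" % delay)
        plan.append((action.lower(), int(delay)))
    return plan

def build_failure_command(service, reset_seconds, spec, command=None, server=None):
    """Return the sc failure command line, with the space SC needs after '='."""
    plan = parse_actions(spec)
    if any(action == "run" for action, _ in plan) and not command:
        raise ValueError("the run action needs a command= value")
    parts = ["sc"] + ([server] if server else [])
    parts += ["failure", service, "reset=", str(int(reset_seconds)),
              "actions=", "/".join("%s/%d" % step for step in plan)]
    if command:
        parts += ["command=", '"%s"' % command]  # path and arguments in quotes
    return " ".join(parts)

if __name__ == "__main__":
    # w3svc and the helper program path are the ones used in the text above.
    print(build_failure_command("w3svc", reset_period(days=1),
                                "restart/1/restart/1/reboot/30000"))
    print(build_failure_command("w3svc", 86400, "restart/1/restart/1/run/30000",
                                command=r"c:\restart_w3svc.exe 15"))
```

A delay that has run together with the next parameter, or an action with no delay after it, is rejected with ValueError before any command line is produced.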