Script: Windows services lockdown by hgate73
Posted: 17 Apr 10

Admittedly, turning off Windows services is a touchy topic. Some people think it's worthless; other people swear by it. I'm one of the people who swear by it. Not to save CPU cycles, but a) to reduce RAM usage, and b) to reduce attack surface. Good security practice involves eliminating all possible attack vectors. I've had no problems with this.

This script disables Windows services (XP, Vista, and 7, 32-bit and 64-bit special services) that don't need to be running. It has four "aggressiveness" profiles to let you select the number of services you want disabled.

It has the option to completely undo everything and return Windows to the "out of the box" settings.

This is my magnum opus, I spent about a week writing this guy and debugging it!
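The script layers its profiles: a base block of `sc config` lines, an optional add-on block run afterwards, and matching `net start`/`net stop` blocks for the apply-now path. As an added example (not part of hgate73's script), the Python below parses blocks of that shape, computes the start types in force after base plus add-on, and flags a `net start` aimed at a service the profile has disabled, which Windows refuses to start. The embedded sample is a constructed excerpt, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed excerpt shaped like the script's profile blocks; not the full script.
SAMPLE = """\
:XP_32_default
:: base profile
sc config Alerter start= disabled
sc config AudioSrv start= auto
sc config HidServ start= disabled
sc config RemoteRegistry start= auto
sc config W32Time start= auto
goto end

:XP_32_default_Now
net stop Alerter
net start AudioSrv
net start HidServ
net start RemoteRegistry
net start W32Time
goto end

:XP_32_minor
:: add-on profile, applied on top of the base
sc config RemoteRegistry start= disabled
sc config W32Time start= demand
goto end

:XP_32_minor_Now
net stop RemoteRegistry
net stop W32Time
goto end
"""

LABEL = re.compile(r"^:(?!:)(\w+)\s*$")          # ":name" is a label, "::" is a comment
SC_CONFIG = re.compile(r"^sc\s+config\s+(\S+)\s+start=\s*(\S+)", re.IGNORECASE)
NET_CMD = re.compile(r"^net\s+(start|stop)\s+(\S+)", re.IGNORECASE)


def parse_blocks(text):
    """Split a batch file into labelled blocks of start-type settings and net actions."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LABEL.match(line)
        if m:
            current = blocks.setdefault(
                m.group(1), {"config": {}, "actions": {}, "dupes": []})
            continue
        if current is None:
            continue
        m = SC_CONFIG.match(line)
        if m:
            # Service names are case-insensitive on Windows, so normalise them.
            svc, start = m.group(1).lower(), m.group(2).lower()
            if svc in current["config"]:
                current["dupes"].append(svc)
            current["config"][svc] = start
            continue
        m = NET_CMD.match(line)
        if m:
            current["actions"][m.group(2).lower()] = m.group(1).lower()
    return blocks


def effective_profile(blocks, base, addon=None):
    """Start types in force after the base block, then the add-on block, have run."""
    merged = dict(blocks[base]["config"])
    if addon and addon != base:
        merged.update(blocks[addon]["config"])
    return merged


def summarize(effective):
    """Count services per start type, like the profile menu's table."""
    return Counter(effective.values())


def lint(blocks, base, addon=None):
    """Report settings that cannot take effect as written."""
    findings, in_force = [], {}
    order = [base] + ([addon] if addon and addon != base else [])
    for label in order:
        in_force.update(blocks[label]["config"])
        for svc in blocks[label]["dupes"]:
            findings.append(
                (label, svc, "start type set more than once; last line wins"))
        actions = blocks.get(label + "_Now", {}).get("actions", {})
        for svc, action in actions.items():
            start = in_force.get(svc)
            if start is None:
                findings.append(
                    (label + "_Now", svc, "net %s on a service the profile never configures" % action))
            elif action == "start" and start == "disabled":
                findings.append(
                    (label + "_Now", svc, "net start on a disabled service will fail"))
    return findings


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    print(dict(summarize(effective_profile(parsed, "XP_32_default", "XP_32_minor"))))
    for finding in lint(parsed, "XP_32_default", "XP_32_minor"):
        print(finding)
```

Feeding the real batch file's text to `parse_blocks` instead of `SAMPLE` gives the same report for any base and add-on label pair.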

batch file:

:: Purpose:            Locks down/turns off unnecessary Windows services. Can also undo this lockdown operation.
:: Requirements:       Administrator access. Some services may not exist if a Service Pack is missing, but this
::                     is okay, they'll just be skipped.
:: Author:             hgate73 at gmail or yahoo
:: Version:            2.0 Master   (Windows XP/Vista/7)
:: History:            2.0 Massive re-write. New menus, new logic and flow, new services, new
::                         Operating Systems added (Vista/7/XP x64), Windows XP updated to SP3.
::                     1.0 Original script (Windows XP SP2 only)

:: NOTES
:: ---------------------------------
:: Well, here it is! I wrote this script over about three days working non-stop (except for sleep
:: and the gym...). I owe a BIG debt to www.blackviper.com. It has detailed service information
:: and a tool to generate custom service configuration files. He came up with the four levels of
:: "aggressiveness" for locking down services (he calls them default/safe/tweaked/bare-bones).
:: So big thanks to him for his hard work. My profiles are identical to his with the exception of
:: two things: 1. The "moderate" profile deviates from his to suit my tastes, and 2. I retained
:: network functionality in the "aggressive" profiles.

:: MISC
:: ---------------------------------
:: I use the "main block of code plus add-on block of code" method for the service Profiles, to cut
:: down on the size of the script. Behind the scenes, for each OS, there are two "base" profiles
:: and two "add-on" profiles. First one is run, then (if selected) the other block is run
:: afterwards. Rather than create an entire service configuration script for each profile, I just
:: have the "add-on" profile run as an addendum to the "base" profile. An example is the "Default"
:: and "Minor" profiles. "Default" forms the base for "Minor", since they are so similar. This adds
:: some craziness to the logic...but I managed to solve it by using two variables, basePROFILE and
:: PROFILE. basePROFILE sets our start point and PROFILE sets our overall profile. "If" statements
:: evaluate those two variables at the end of each Profile code block and act accordingly.

:: USER FLOW
:: ---------------------------------
:: The user sees these screens in order:
::     1. Warning/welcome
::     2. Operating System choice menu
::     3. "Profile" choice menu
::     4. "Apply Now or later?" menu
::     5. Confirmation menu
::          - execution
::     6. End screen.

:: CODE INDEX (top-to-bottom layout)
:: ---------------------------------
:: 1. Warning screen
:: 2. Operating System menu
:: 3. Windows XP 32-bit, Profile menu
::     - Code block - Default
::     - Code block - Default    ("apply Now" supplement)
::     - Code block - Minor
::     - Code block - Minor      ("apply Now" supplement)
::     - Code block - Moderate
::     - Code block - Moderate   ("apply Now" supplement)
::     - Code block - Aggressive
::     - Code block - Aggressive ("apply Now" supplement)
:: 4. Windows Vista 32-bit, Profile menu
::     - Code block - Default
::     - Code block - Default    ("apply Now" supplement)
::     - Code block - Minor
::     - Code block - Minor      ("apply Now" supplement)
::     - Code block - Moderate
::     - Code block - Moderate   ("apply Now" supplement)
::     - Code block - Aggressive
::     - Code block - Aggressive ("apply Now" supplement)
:: 5. Windows 7 32-bit, Profile menu
::     - Code block - Default
::     - Code block - Default    ("apply Now" supplement)
::     - Code block - Minor
::     - Code block - Minor      ("apply Now" supplement)
::     - Code block - Moderate
::     - Code block - Moderate   ("apply Now" supplement)
::     - Code block - Aggressive
::     - Code block - Aggressive ("apply Now" supplement)
:: 6. Windows XP 64-bit, Profile menu
::     - Code block - Default
::     - Code block - Default    ("apply Now" supplement)
::     - Code block - Minor
::     - Code block - Minor      ("apply Now" supplement)
::     - Code block - Moderate
::     - Code block - Moderate   ("apply Now" supplement)
::     - Code block - Aggressive
::     - Code block - Aggressive ("apply Now" supplement)
:: 7. End screen


:: Console prep and variable load
@echo off
cls
set WINDOZE=--
set namePROFILE=--
set WHEN_TO_APPLY=--

:: Initial Welcome / Warning screen
:warning
color 0c
title Windows Services Lockdown
cls
echo.
echo  ********************************* WARNING *********************************
echo  *                                                                         *
echo  *                    HEY!! Read this! It's important.                     *
echo  *                                                                         *
echo  * This script disables unnecessary Windows services (hidden programs).    *
echo  * This is a good thing - it reduces RAM usage and attack surface. However,*
echo  * sometimes it disables a service that you were using and didn't know     *
echo  * about, causing errors, program crashes, and/or explosions in Italy.     *
echo  *                                                                         *
echo  * GOOD NEWS! This is easy to fix. If you have *ANY* problems after using  *
echo  * this script, just run it again and choose option 1: "defaults" for your *
echo  * operating system. Everything will be restored to the default state.     *
echo  *                                                                         *
echo  * One last thing - you have to run this script as an ADMINISTRATOR.       *
echo  *                                                                         *
echo  * Ready? Press any key to go to the main menu...                          *
echo  *                                                                         *
echo  ***************************************************************************
echo.
pause


:: Welcome screen
:os_menu
::color 07
::color 17 (white on blue)
::color 1f (bright white on blue)
color 17
cls
echo.
echo                      WINDOWS SERVICES LOCKDOWN - STEP 1/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo                 Select the operating system you are using
echo.
echo    -----------------------------------------------------------------------
echo       Operating System       Architecture       Service Pack
echo    -----------------------------------------------------------------------
echo    1. Windows XP             32-bit                up to SP3
echo    2. Windows XP             64-bit                up to SP2
echo    3. Windows Vista          32-bit/64-bit         up to SP2
echo    4. Windows 7              32-bit/64-bit         up to SP1
echo.
echo    5. Exit
echo.
echo.
:: menu: Setup menu processing
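:os_menuChoice
:: Clear any earlier answer: set /p keeps the old value when the user just presses Enter
set choice=
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%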
    if '%choice%'=='1' goto XP_32_menu_profile
    if '%choice%'=='2' goto XP_64_menu_profile   
    if '%choice%'=='3' goto Vista_32_menu_profile
    if '%choice%'=='4' goto 7_32_menu_profile
    if '%choice%'=='5' goto quit
:: Else, go back and re-draw the menu
echo.
echo  "%choice%" is not valid, please try again
echo.
goto os_menuChoice


:XP_32_menu_profile
:: This is where the user selects the lockdown profile to use. Pretty self-explanatory.
set WINDOZE=Windows XP 32-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo                       WINDOWS SERVICES LOCKDOWN - STEP 2/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo              Select the lockdown profile to apply to 87 services           
echo    -----------------------------------------------------------------------
echo       PROFILE                   Disabled    On-demand    Running    Total        
echo    -----------------------------------------------------------------------
echo    1. Windows Defaults                 6          36          39       81
echo    2. Minor                           26          29          26       81  
echo    3. Moderate (recommended)          52          19          16       87
echo    4. Aggressive                      72           5          10       87
echo.
echo    5. Go back to Operating System choices                                  
echo.
echo.
:XP_32_menu_profileChoice
:: Clear any earlier answer: set /p keeps the old value when the user just presses Enter
set choice=
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
:: Quoted "set" keeps the space before && out of the variable's value
    if '%choice%'=='1' set "PROFILE=XP_32_default" && set "basePROFILE=XP_32_default" && set "namePROFILE=Default" && goto XP_32_menu_confirm
    if '%choice%'=='2' set "PROFILE=XP_32_minor" && set "basePROFILE=XP_32_default" && set "namePROFILE=Minor" && goto XP_32_menu_confirm
    if '%choice%'=='3' set "PROFILE=XP_32_moderate" && set "basePROFILE=XP_32_moderate" && set "namePROFILE=Moderate" && goto XP_32_menu_confirm
    if '%choice%'=='4' set "PROFILE=XP_32_aggressive" && set "basePROFILE=XP_32_moderate" && set "namePROFILE=Aggressive" && goto XP_32_menu_confirm
    if '%choice%'=='5' set "WINDOZE=--" && echo. && cls && goto os_menu
:: Else, go back and re-draw the menu
echo.
echo  "%choice%" is not valid, please try again
echo.
goto XP_32_menu_profileChoice


:XP_32_menu_confirm
:: Confirm the profile and execute
set WINDOZE=Windows XP 32-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo                      WINDOWS SERVICES LOCKDOWN - STEP 3/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    ABOUT TO APPLY THE %WINDOZE% "%namePROFILE%" CONFIGURATION!
echo.
echo.
echo                                CONFIRM?
echo.
echo    1. Yes - changes take effect immediately
echo    2. Yes - changes take effect at next reboot (coward! do it now!)
echo.
echo    3. No, go back to profile selection
echo.
echo.
:XP_32_menu_confirmChoice
:: Clear any earlier answer so that pressing Enter alone cannot confirm with a stale choice
set choice=
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
    if '%choice%'=='1' set "WHEN_TO_APPLY=Now" && goto %basePROFILE%
    if '%choice%'=='2' set "WHEN_TO_APPLY=reboot" && goto %basePROFILE%
    if '%choice%'=='3' set "namePROFILE=--" && goto XP_32_menu_profile
echo.
echo  "%choice%" is not valid, please try again
echo.
goto XP_32_menu_confirmChoice


:XP_32_default
:: Operating system defaults. Default also forms the base for the Minor profile.
cls
title Resetting to defaults...
echo.
echo Now resetting all services to the %WINDOZE% defaults, please wait...
echo.
sc config Alerter start= disabled
sc config ALG start= demand
sc config AppMgmt start= demand
sc config AudioSrv start= auto
sc config BITS start= demand
sc config Browser start= auto
sc config cisvc start= demand
sc config ClipSrv start= disabled
sc config COMSysApp start= demand
sc config CryptSvc start= auto
sc config DcomLaunch start= auto
sc config Dhcp start= auto
sc config dmadmin start= demand
sc config dmserver start= auto
sc config Dnscache start= auto
sc config Dot3svc start= demand
sc config EapHost start= demand
sc config ERSvc start= auto
sc config Eventlog start= auto
sc config EventSystem start= demand
sc config FastUserSwitchingCompatibility start= demand
sc config helpsvc start= auto
sc config HidServ start= disabled
sc config hkmsvc start= demand
sc config HTTPFilter start= demand
sc config ImapiService start= demand
sc config lanmanserver start= auto
sc config lanmanworkstation start= auto
sc config LmHosts start= auto
sc config Messenger start= disabled
sc config mnmsrvc start= demand
sc config MSDTC start= demand
sc config MSIServer start= demand
sc config napagent start= demand
sc config NetDDE start= disabled
sc config NetDDEdsdm start= disabled
sc config Netlogon start= demand
sc config Netman start= demand
sc config Nla start= demand
sc config NtLmSsp start= demand
sc config NtmsSvc start= demand
sc config PlugPlay start= auto
sc config PolicyAgent start= auto
sc config ProtectedStorage start= auto
sc config RasAuto start= demand
sc config RasMan start= demand
sc config RDSessMgr start= demand
sc config RemoteAccess start= disabled
sc config RemoteRegistry start= auto
sc config RpcLocator start= demand
sc config RpcSs start= auto
sc config RSVP start= demand
sc config SamSs start= auto
sc config SCardSvr start= demand
sc config Schedule start= auto
sc config seclogon start= auto
sc config SENS start= auto
sc config SharedAccess start= auto
sc config ShellHWDetection start= auto
sc config Spooler start= auto
sc config srservice start= auto
sc config SSDPSRV start= demand
sc config stisvc start= demand
sc config SwPrv start= demand
sc config SysmonLog start= demand
sc config TapiSrv start= demand
sc config TermService start= demand
sc config Themes start= auto
sc config TlntSvr start= demand
sc config TrkWks start= auto
sc config upnphost start= demand
sc config UPS start= demand
sc config VSS start= demand
sc config W32Time start= auto
sc config WebClient start= auto
sc config winmgmt start= auto
sc config WmdmPmSN start= demand
sc config Wmi start= demand
sc config WmiApSrv start= demand
sc config wscsvc start= auto
sc config wuauserv start= auto
sc config WZCSVC start= auto
sc config xmlprov start= demand

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_32_default_Now
if %PROFILE%==XP_32_minor goto XP_32_minor
goto end

:XP_32_default_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop Alerter
net stop ALG
net stop AppMgmt
net start AudioSrv
net stop BITS
net start Browser
net stop cisvc
net stop ClipSrv
net stop COMSysApp
net start CryptSvc
net start DcomLaunch
net start Dhcp
net stop dmadmin
net start dmserver
net start Dnscache
net stop Dot3svc
net stop EapHost
net start ERSvc
net start Eventlog
net stop EventSystem
net start FastUserSwitchingCompatibility
net start helpsvc
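:: HidServ is set to disabled in this profile, so it is stopped; a disabled service cannot be started
net stop HidServ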
net stop hkmsvc
net stop HTTPFilter
net stop ImapiService
net start lanmanserver
net start lanmanworkstation
net start LmHosts
net stop Messenger
net start mnmsrvc
net stop MSDTC
net stop MSIServer
net stop napagent
net stop NetDDE
net stop NetDDEdsdm
net start Netlogon
net stop Netman
net stop Nla
net stop NtLmSsp
net stop NtmsSvc
net start PlugPlay
net start PolicyAgent
net start ProtectedStorage
net stop RasAuto
net stop RasMan
net stop RDSessMgr
net stop RemoteAccess
net start RemoteRegistry
net stop RpcLocator
net start RpcSs
net stop RSVP
net start SamSs
net stop SCardSvr
net start Schedule
net start seclogon
net start SENS
net start SharedAccess
net start ShellHWDetection
net start Spooler
net start srservice
net start SSDPSRV
net stop stisvc
net stop SwPrv
net stop SysmonLog
net stop TapiSrv
net stop TermService
net start Themes
net stop TlntSvr
net start TrkWks
net stop upnphost
net stop UPS
net stop VSS
net start W32Time
net start WebClient
net start winmgmt
net stop WmdmPmSN
net stop Wmi
net stop WmiApSrv
net start wscsvc
net start wuauserv
net start WZCSVC
net stop xmlprov

:: testing time!
if %PROFILE%==XP_32_minor goto XP_32_minor
goto end


:XP_32_minor
:: If it was selected, the Minor profile runs after Default as addendum.
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config cisvc start= disabled
sc config dmserver start= demand
sc config ERSvc start= disabled
sc config helpsvc start= disabled
sc config LmHosts start= disabled
sc config mnmsrvc start= disabled
sc config RDSessMgr start= disabled
sc config RemoteRegistry start= disabled
sc config RSVP start= disabled
sc config SCardSvr start= disabled
sc config seclogon start= disabled
sc config TlntSvr start= disabled
sc config TrkWks start= demand
sc config UPS start= disabled
sc config W32Time start= demand
sc config WebClient start= disabled
sc config WmdmPmSN start= disabled
sc config WmiApSrv start= disabled
sc config xmlprov start= disabled

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_32_minor_Now
goto end


:XP_32_minor_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop cisvc
net stop dmserver
net stop ERSvc
net stop helpsvc
net stop LmHosts
net stop mnmsrvc
net stop RDSessMgr
net stop RemoteRegistry
net stop RSVP
net stop SCardSvr
net stop seclogon
net stop TlntSvr
net stop TrkWks
net stop UPS
net stop W32Time
net stop WebClient
net stop WmdmPmSN
net stop WmiApSrv
net stop xmlprov

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. whew!
goto end


:XP_32_moderate
:: The Moderate profile forms the base for the Aggressive profile
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config Alerter start= disabled
sc config ALG start= disabled
sc config AppMgmt start= demand
sc config AudioSrv start= auto
sc config BITS start= demand
sc config Browser start= demand
sc config cisvc start= disabled
sc config ClipSrv start= disabled
sc config COMSysApp start= demand
sc config CryptSvc start= auto
sc config DcomLaunch start= auto
sc config Dhcp start= auto
sc config dmadmin start= demand
sc config dmserver start= demand
sc config Dnscache start= demand
sc config Dot3svc start= disabled
sc config EapHost start= disabled
sc config ERSvc start= disabled
sc config Eventlog start= auto
sc config EventSystem start= demand
sc config FastUserSwitchingCompatibility start= demand
sc config helpsvc start= disabled
sc config HidServ start= disabled
sc config hkmsvc start= disabled
sc config HTTPFilter start= disabled
sc config ImapiService start= demand
sc config lanmanserver start= auto
sc config lanmanworkstation start= auto
sc config LmHosts start= disabled
sc config Messenger start= disabled
sc config mnmsrvc start= disabled
sc config MSDTC start= disabled
sc config MSIServer start= demand
sc config napagent start= demand
sc config NetDDE start= disabled
sc config NetDDEdsdm start= disabled
sc config Netlogon start= disabled
sc config Netman start= demand
sc config Nla start= demand
sc config NtLmSsp start= demand
sc config NtmsSvc start= disabled
sc config PlugPlay start= auto
sc config PolicyAgent start= disabled
sc config ProtectedStorage start= disabled
sc config RasAuto start= disabled
sc config RasMan start= disabled
sc config RDSessMgr start= disabled
sc config RemoteAccess start= disabled
sc config RemoteRegistry start= disabled
sc config RpcLocator start= demand
sc config RpcSs start= auto
sc config RSVP start= disabled
sc config SamSs start= auto
sc config SCardSvr start= demand
sc config Schedule start= demand
sc config seclogon start= demand
sc config SENS start= disabled
sc config SharedAccess start= auto
sc config ShellHWDetection start= demand
sc config Spooler start= auto
sc config srservice start= disabled
sc config SSDPSRV start= disabled
sc config stisvc start= disabled
sc config SwPrv start= disabled
sc config SysmonLog start= disabled
sc config TapiSrv start= demand
sc config TermService start= demand
sc config Themes start= disabled
sc config TlntSvr start= disabled
sc config TrkWks start= demand
sc config upnphost start= disabled
sc config UPS start= disabled
sc config VSS start= disabled
sc config W32Time start= disabled
sc config WebClient start= disabled
sc config winmgmt start= auto
sc config WmdmPmSN start= disabled
sc config Wmi start= demand
sc config WmiApSrv start= disabled
sc config wscsvc start= disabled
sc config wuauserv start= auto
sc config WZCSVC start= auto
sc config xmlprov start= disabled

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_32_moderate_Now
if %PROFILE%==XP_32_aggressive goto XP_32_aggressive
goto end


:XP_32_moderate_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop Alerter
net stop ALG
net stop AppMgmt
net start AudioSrv
net stop BITS
net stop Browser
net stop cisvc
net stop ClipSrv
net stop COMSysApp
net start CryptSvc
net start DcomLaunch
net start Dhcp
net stop dmadmin
net stop dmserver
net stop Dnscache
net stop Dot3svc
net stop EapHost
net stop ERSvc
net start Eventlog
net stop EventSystem
net stop FastUserSwitchingCompatibility
net stop helpsvc
net stop HidServ
net stop hkmsvc
net stop HTTPFilter
net stop ImapiService
net start lanmanserver
net start lanmanworkstation
net stop LmHosts
net stop Messenger
net stop mnmsrvc
net stop MSDTC
net stop MSIServer
net stop napagent
net stop NetDDE
net stop NetDDEdsdm
net stop Netlogon
net stop Netman
net stop Nla
net stop NtLmSsp
net stop NtmsSvc
net start PlugPlay
net stop PolicyAgent
net stop ProtectedStorage
net stop RasAuto
net stop RasMan
net stop RDSessMgr
net stop RemoteAccess
net stop RemoteRegistry
net stop RpcLocator
net start RpcSs
net stop RSVP
net start SamSs
net stop SCardSvr
net stop Schedule
net stop seclogon
net stop SENS
net start SharedAccess
net stop ShellHWDetection
net start Spooler
net stop srservice
net stop SSDPSRV
net stop stisvc
net stop SwPrv
net stop SysmonLog
net stop TapiSrv
net stop TermService
net stop Themes
net stop TlntSvr
net stop TrkWks
net stop upnphost
net stop UPS
net stop VSS
net stop W32Time
net stop WebClient
net start winmgmt
net stop WmdmPmSN
net stop Wmi
net stop WmiApSrv
net stop wscsvc
net start wuauserv
net start WZCSVC
net stop xmlprov

:: Testing time!
if %PROFILE%==XP_32_aggressive goto XP_32_aggressive
goto end


:XP_32_aggressive
:: If it was selected, the Aggressive profile runs after the Moderate profile, as an addendum.
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
echo Now applying Aggressive profile...
sc config AppMgmt start= disabled
sc config Browser start= disabled
sc config COMSysApp start= disabled
sc config CryptSvc start= disabled
sc config dmadmin start= disabled
sc config dmserver start= disabled
sc config Dnscache start= disabled
sc config EventSystem start= disabled
sc config FastUserSwitchingCompatibility start= disabled
sc config ImapiService start= disabled
sc config lanmanserver start= disabled
sc config Nla start= disabled
sc config NtLmSsp start= disabled
sc config RpcLocator start= disabled
sc config SCardSvr start= disabled
sc config Schedule start= disabled
sc config seclogon start= disabled
sc config ShellHWDetection start= disabled
sc config Spooler start= demand
sc config TapiSrv start= disabled
sc config TermService start= disabled
sc config TrkWks start= disabled
sc config wuauserv start= demand

:: Testing time!
if %WHEN_TO_APPLY%==Now goto XP_32_aggressive_Now
goto end


:XP_32_aggressive_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop AppMgmt
net stop Browser
net stop COMSysApp
net stop CryptSvc
net stop dmadmin
net stop dmserver
net stop Dnscache
net stop EventSystem
net stop FastUserSwitchingCompatibility
net stop ImapiService
net stop lanmanserver
net stop Nla
net stop NtLmSsp
net stop RpcLocator
net stop SCardSvr
net stop Schedule
net stop seclogon
net stop ShellHWDetection
net stop Spooler
net stop TapiSrv
net stop TermService
net stop TrkWks
net stop wuauserv

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end


:Vista_32_menu_profile
:: This is where the user selects the lockdown profile to use. Pretty self-explanatory.
set WINDOZE=Windows Vista 32/64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo                       WINDOWS SERVICES LOCKDOWN - STEP 2/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo              Select the lockdown profile to apply to 121 services           
echo    -----------------------------------------------------------------------
echo       PROFILE                   Disabled    On-demand    Running    Total        
echo    -----------------------------------------------------------------------
echo    1. Windows Defaults                 4          64          53      121
echo    2. Minor                           20          54          47      121
echo    3. Moderate (recommended)          52          35          34      121
echo    4. Aggressive                      72          24          25      121
echo.
echo    5. Go back to Operating System choices                                  
echo.
echo.
:Vista_32_menu_profileChoice
:: Clear any earlier answer: set /p keeps the old value when the user just presses Enter
set choice=
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
:: Quoted "set" keeps the space before && out of the variable's value
    if '%choice%'=='1' set "PROFILE=Vista_32_default" && set "basePROFILE=Vista_32_default" && set "namePROFILE=Default" && goto Vista_32_menu_confirm
    if '%choice%'=='2' set "PROFILE=Vista_32_minor" && set "basePROFILE=Vista_32_default" && set "namePROFILE=Minor" && goto Vista_32_menu_confirm
    if '%choice%'=='3' set "PROFILE=Vista_32_moderate" && set "basePROFILE=Vista_32_moderate" && set "namePROFILE=Moderate" && goto Vista_32_menu_confirm
    if '%choice%'=='4' set "PROFILE=Vista_32_aggressive" && set "basePROFILE=Vista_32_moderate" && set "namePROFILE=Aggressive" && goto Vista_32_menu_confirm
    if '%choice%'=='5' set "WINDOZE=--" && echo. && cls && goto os_menu
:: Else, go back and re-draw the menu
echo.
echo  "%choice%" is not valid, please try again
echo.
goto Vista_32_menu_profileChoice


:Vista_32_menu_confirm
:: Confirm the profile and execute
set WINDOZE=Windows Vista 32/64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo                      WINDOWS SERVICES LOCKDOWN - STEP 3/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    ABOUT TO APPLY THE %WINDOZE% "%namePROFILE%" CONFIGURATION!
echo.
echo.
echo                                CONFIRM?
echo.
echo    1. Yes - changes take effect immediately
echo    2. Yes - changes take effect at next reboot
echo.
echo    3. No, go back to profile selection
echo.
echo.
:Vista_32_menu_confirmChoice
:: Clear any earlier answer so that pressing Enter alone cannot confirm with a stale choice
set choice=
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
    if '%choice%'=='1' set "WHEN_TO_APPLY=Now" && goto %basePROFILE%
    if '%choice%'=='2' set "WHEN_TO_APPLY=reboot" && goto %basePROFILE%
    if '%choice%'=='3' set "namePROFILE=--" && goto Vista_32_menu_profile
echo.
echo  "%choice%" is not valid, please try again
echo.
goto Vista_32_menu_confirmChoice


:Vista_32_default
:: Operating system defaults. Default also forms the base for the Minor profile.
cls
title Resetting to defaults...
echo.
echo Now resetting all services to the %WINDOZE% defaults, please wait...
echo.
sc config AeLookupSvc start= auto
sc config Appinfo start= demand
sc config ALG start= demand
sc config AppMgmt start= demand
sc config BITS start= auto
sc config BITS start= delayed-auto
sc config BFE start= auto
sc config wbengine start= demand
sc config CertPropSvc start= demand
sc config KeyIso start= demand
sc config EventSystem start= auto
sc config COMSysApp start= demand
sc config Browser start= auto
sc config CryptSvc start= auto
sc config UxSms start= auto
sc config DFSR start= demand
sc config Dhcp start= auto
sc config MSDTC start= demand
sc config Dnscache start= auto
sc config EapHost start= demand
sc config Fax start= demand
sc config fdPHost start= demand
sc config FDResPub start= auto
sc config hkmsvc start= demand
sc config hidserv start= demand
sc config IKEEXT start= auto
sc config UI0Detect start= demand
sc config SharedAccess start= disabled
sc config iphlpsvc start= auto
sc config PolicyAgent start= auto
sc config KtmRm start= auto
sc config KtmRm start= delayed-auto
sc config lltdsvc start= demand
sc config clr_optimization_v2.0.50727_32 start= demand
sc config MSiSCSI start= demand
sc config swprv start= demand
sc config MMCSS start= auto
sc config NetTcpPortSharing start= disabled
sc config Netlogon start= demand
sc config napagent start= demand
sc config Netman start= demand
sc config netprofm start= auto
sc config NlaSvc start= auto
sc config nsi start= auto
sc config CscService start= auto
sc config WPCSvc start= demand
sc config PNRPsvc start= demand
sc config p2psvc start= demand
sc config p2pimsvc start= demand
sc config pla start= demand
sc config PlugPlay start= auto
sc config IPBusEnum start= demand
sc config PNRPAutoReg start= demand
sc config WPDBusEnum start= auto
sc config Spooler start= auto
sc config wercplsupport start= demand
sc config PcaSvc start= auto
sc config ProtectedStorage start= demand
sc config QWAVE start= demand
sc config EMDMgmt start= auto
sc config RasAuto start= demand
sc config RasMan start= demand
sc config RpcLocator start= demand
sc config RemoteRegistry start= demand
sc config RemoteAccess start= disabled
sc config seclogon start= auto
sc config SstpSvc start= demand
sc config wscsvc start= auto
sc config wscsvc start= delayed-auto
sc config LanmanServer start= auto
sc config ShellHWDetection start= auto
sc config SLUINotify start= demand
sc config SCardSvr start= demand
sc config SCPolicySvc start= demand
sc config SNMPTRAP start= demand
sc config slsvc start= auto
sc config SSDPSRV start= demand
sc config SysMain start= auto
sc config SENS start= auto
sc config TabletInputService start= auto
sc config Schedule start= auto
sc config lmhosts start= auto
sc config TapiSrv start= demand
sc config TermService start= auto
sc config SessionEnv start= demand
sc config UmRdpService start= demand
sc config Themes start= auto
sc config THREADORDER start= demand
sc config TBS start= auto
sc config TBS start= delayed-auto
sc config upnphost start= auto
sc config ProfSvc start= auto
sc config vds start= demand
sc config VSS start= demand
sc config WebClient start= auto
sc config AudioSrv start= auto
sc config AudioEndpointBuilder start= auto
sc config SDRSVC start= demand
sc config idsvc start= demand
sc config WcsPlugInService start= demand
sc config wcncsvc start= demand
sc config WinDefend start= auto
sc config wudfsvc start= demand
sc config WerSvc start= auto
sc config Wecsvc start= demand
sc config Eventlog start= auto
sc config MpsSvc start= auto
sc config stisvc start= demand
sc config msiserver start= demand
sc config Winmgmt start= auto
sc config Mcx2Svc start= disabled
sc config ehRecvr start= demand
sc config ehSched start= demand
sc config ehstart start= auto
sc config ehstart start= delayed-auto
sc config WMPNetworkSvc start= demand
sc config FontCache3.0.0.0 start= demand
sc config WinRM start= demand
sc config WSearch start= auto
sc config W32Time start= auto
sc config wuauserv start= auto
sc config wuauserv start= delayed-auto
sc config WinHttpAutoProxySvc start= demand
sc config dot3svc start= demand
sc config Wlansvc start= auto
sc config wmiApSrv start= demand
sc config LanmanWorkstation start= auto

:: testing time!
if %WHEN_TO_APPLY%==Now goto Vista_32_default_Now
if %PROFILE%==Vista_32_minor goto Vista_32_minor
goto end


:Vista_32_default_Now
:: This section runs after the Default profile, if selected. It applies changes immediately.
net start AeLookupSvc
net stop Appinfo
net stop ALG
net stop AppMgmt
net start BITS
net start BFE
net stop wbengine
net stop CertPropSvc
net stop KeyIso
net start EventSystem
net stop COMSysApp
net start Browser
net start CryptSvc
net start UxSms
net stop DFSR
net start Dhcp
net stop MSDTC
net start Dnscache
net stop EapHost
net stop Fax
net stop fdPHost
net start FDResPub
net stop hkmsvc
net stop hidserv
net start IKEEXT
net stop UI0Detect
net stop SharedAccess
net start iphlpsvc
net start PolicyAgent
net start KtmRm
net stop lltdsvc
net stop clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop swprv
net start MMCSS
net stop NetTcpPortSharing
net start Netlogon
net stop napagent
net stop Netman
net start netprofm
net start NlaSvc
net start nsi
net start CscService
net stop WPCSvc
net stop PNRPsvc
net stop p2psvc
net stop p2pimsvc
net stop pla
net start PlugPlay
net stop IPBusEnum
net stop PNRPAutoReg
net start WPDBusEnum
net start Spooler
net stop wercplsupport
net start PcaSvc
net stop ProtectedStorage
net stop QWAVE
net start EMDMgmt
net stop RasAuto
net stop RasMan
net stop RpcLocator
net stop RemoteRegistry
net stop RemoteAccess
net start seclogon
net stop SstpSvc
net start wscsvc
net start LanmanServer
net start ShellHWDetection
net stop SLUINotify
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net start slsvc
net stop SSDPSRV
net start SysMain
net start SENS
net start TabletInputService
net start Schedule
net start lmhosts
net stop TapiSrv
net start TermService
net stop SessionEnv
net stop UmRdpService
net start Themes
net stop THREADORDER
net start TBS
net start upnphost
net start ProfSvc
net stop vds
net stop VSS
net start WebClient
net start AudioSrv
net start AudioEndpointBuilder
net stop SDRSVC
net stop idsvc
net stop WcsPlugInService
net stop wcncsvc
net start WinDefend
net stop wudfsvc
net start WerSvc
net stop Wecsvc
net start Eventlog
net start MpsSvc
net stop stisvc
net stop msiserver
net start Winmgmt
net stop Mcx2Svc
net stop ehRecvr
net stop ehSched
net start ehstart
net stop WMPNetworkSvc
net stop FontCache3.0.0.0
net stop WinRM
net start WSearch
net start W32Time
net start wuauserv
net stop WinHttpAutoProxySvc
net stop dot3svc
net start Wlansvc
net stop wmiApSrv
net start LanmanWorkstation
:: testing time!
if %PROFILE%==Vista_32_minor goto Vista_32_minor
goto end


:Vista_32_minor
:: If it was selected, the Minor profile runs after Default as an addendum.
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config CertPropSvc start= disabled
sc config Fax start= disabled
sc config iphlpsvc start= disabled
sc config MSiSCSI start= disabled
sc config Netlogon start= disabled
sc config CscService start= disabled
sc config RemoteRegistry start= disabled
sc config SCardSvr start= disabled
sc config SCPolicySvc start= disabled
sc config SNMPTRAP start= disabled
sc config TabletInputService start= disabled
sc config UmRdpService start= disabled
sc config TBS start= delayed-auto
sc config TBS start= demand
sc config WebClient start= disabled
sc config WinRM start= disabled
sc config WSearch start= disabled
sc config WinHttpAutoProxySvc start= disabled

:: testing time!
if %WHEN_TO_APPLY%==Now goto Vista_32_minor_Now
goto end


:Vista_32_minor_Now
:: If it was selected, this section runs after the profile above. It applies changes immediately.
net stop CertPropSvc
net stop Fax
net stop iphlpsvc
net stop MSiSCSI
net stop Netlogon
net stop CscService
net stop RemoteRegistry
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net stop TabletInputService
net stop UmRdpService
net stop TBS
net stop WebClient
net stop WinRM
net stop WSearch
net stop WinHttpAutoProxySvc

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. whew!
goto end


:Vista_32_moderate
:: The Moderate profile forms the base for the Aggressive profile
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config AeLookupSvc start= disabled
sc config Appinfo start= demand
sc config ALG start= demand
sc config AppMgmt start= demand
sc config BITS start= auto
sc config BITS start= delayed-auto
sc config BFE start= auto
sc config wbengine start= demand
sc config CertPropSvc start= disabled
sc config KeyIso start= demand
sc config EventSystem start= auto
sc config COMSysApp start= demand
sc config Browser start= demand
sc config CryptSvc start= auto
sc config UxSms start= disabled
sc config DFSR start= disabled
sc config Dhcp start= auto
sc config MSDTC start= disabled
sc config Dnscache start= auto
sc config EapHost start= disabled
sc config Fax start= disabled
sc config fdPHost start= disabled
sc config FDResPub start= disabled
sc config hkmsvc start= disabled
sc config hidserv start= disabled
sc config IKEEXT start= demand
sc config UI0Detect start= demand
sc config SharedAccess start= disabled
sc config iphlpsvc start= disabled
sc config PolicyAgent start= auto
sc config KtmRm start= auto
sc config KtmRm start= delayed-auto
sc config lltdsvc start= disabled
sc config clr_optimization_v2.0.50727_32 start= demand
sc config MSiSCSI start= disabled
sc config swprv start= demand
sc config MMCSS start= auto
sc config NetTcpPortSharing start= disabled
sc config Netlogon start= disabled
sc config napagent start= disabled
sc config Netman start= demand
sc config netprofm start= auto
sc config NlaSvc start= auto
sc config nsi start= auto
sc config CscService start= disabled
sc config WPCSvc start= disabled
sc config PNRPsvc start= disabled
sc config p2psvc start= disabled
sc config p2pimsvc start= disabled
sc config pla start= demand
sc config PlugPlay start= auto
sc config IPBusEnum start= disabled
sc config PNRPAutoReg start= disabled
sc config WPDBusEnum start= disabled
sc config Spooler start= auto
sc config wercplsupport start= disabled
sc config PcaSvc start= auto
sc config ProtectedStorage start= demand
sc config QWAVE start= disabled
sc config EMDMgmt start= auto
sc config RasAuto start= demand
sc config RasMan start= demand
sc config RpcLocator start= demand
sc config RemoteRegistry start= disabled
sc config RemoteAccess start= disabled
sc config seclogon start= demand
sc config SstpSvc start= demand
sc config wscsvc start= auto
sc config wscsvc start= delayed-auto
sc config LanmanServer start= auto
sc config ShellHWDetection start= auto
sc config SLUINotify start= demand
sc config SCardSvr start= disabled
sc config SCPolicySvc start= disabled
sc config SNMPTRAP start= disabled
sc config slsvc start= auto
sc config SSDPSRV start= demand
sc config SysMain start= auto
sc config SENS start= auto
sc config TabletInputService start= disabled
sc config Schedule start= auto
sc config lmhosts start= disabled
sc config TapiSrv start= disabled
sc config TermService start= demand
sc config SessionEnv start= demand
sc config UmRdpService start= disabled
sc config Themes start= disabled
sc config THREADORDER start= demand
:: TBS is on-demand in this profile (Vista_32_moderate_Now stops it), so demand has to be the last value applied.
sc config TBS start= demand
sc config upnphost start= demand
sc config ProfSvc start= auto
sc config vds start= disabled
sc config VSS start= demand
sc config WebClient start= disabled
sc config AudioSrv start= auto
sc config AudioEndpointBuilder start= auto
sc config SDRSVC start= demand
sc config idsvc start= disabled
sc config WcsPlugInService start= demand
sc config wcncsvc start= disabled
sc config WinDefend start= auto
sc config wudfsvc start= demand
sc config WerSvc start= disabled
sc config Wecsvc start= demand
sc config Eventlog start= auto
sc config MpsSvc start= auto
sc config stisvc start= disabled
sc config msiserver start= demand
sc config Winmgmt start= auto
sc config Mcx2Svc start= disabled
sc config ehRecvr start= disabled
sc config ehSched start= disabled
sc config ehstart start= disabled
sc config WMPNetworkSvc start= disabled
sc config FontCache3.0.0.0 start= demand
sc config WinRM start= disabled
sc config WSearch start= disabled
sc config W32Time start= auto
sc config wuauserv start= auto
sc config wuauserv start= delayed-auto
sc config WinHttpAutoProxySvc start= disabled
sc config dot3svc start= demand
sc config Wlansvc start= auto
sc config wmiApSrv start= demand
sc config LanmanWorkstation start= auto
:: Moderate end
:: testing time!
if %WHEN_TO_APPLY%==Now goto Vista_32_moderate_Now
if %PROFILE%==Vista_32_aggressive goto Vista_32_aggressive
goto end


:Vista_32_moderate_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop AeLookupSvc
net stop Appinfo
net stop ALG
net stop AppMgmt
net start BITS
net start BFE
net stop wbengine
net stop CertPropSvc
net stop KeyIso
net start EventSystem
net stop COMSysApp
net stop Browser
net start CryptSvc
net stop UxSms
net stop DFSR
net start Dhcp
net stop MSDTC
net start Dnscache
net stop EapHost
net stop Fax
net stop fdPHost
net stop FDResPub
net stop hkmsvc
net stop hidserv
net stop IKEEXT
net stop UI0Detect
net stop SharedAccess
net stop iphlpsvc
net start PolicyAgent
net start KtmRm
net stop lltdsvc
net stop clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop swprv
net start MMCSS
net stop NetTcpPortSharing
net stop Netlogon
net stop napagent
net stop Netman
net start netprofm
net start NlaSvc
net start nsi
net stop CscService
net stop WPCSvc
net stop PNRPsvc
net stop p2psvc
net stop p2pimsvc
net stop pla
net start PlugPlay
net stop IPBusEnum
net stop PNRPAutoReg
net stop WPDBusEnum
net start Spooler
net stop wercplsupport
net start PcaSvc
net stop ProtectedStorage
net stop QWAVE
net start EMDMgmt
net stop RasAuto
net stop RasMan
net stop RpcLocator
net stop RemoteRegistry
net stop RemoteAccess
net stop seclogon
net stop SstpSvc
net start wscsvc
net start LanmanServer
net start ShellHWDetection
net stop SLUINotify
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net start slsvc
net stop SSDPSRV
net start SysMain
net start SENS
net stop TabletInputService
net start Schedule
net stop lmhosts
net stop TapiSrv
net stop TermService
net stop SessionEnv
net stop UmRdpService
net stop Themes
net stop THREADORDER
net stop TBS
net stop upnphost
net start ProfSvc
net stop vds
net stop VSS
net stop WebClient
net start AudioSrv
net start AudioEndpointBuilder
net stop SDRSVC
net stop idsvc
net stop WcsPlugInService
net stop wcncsvc
net start WinDefend
net stop wudfsvc
net stop WerSvc
net stop Wecsvc
net start Eventlog
net start MpsSvc
net stop stisvc
net stop msiserver
net start Winmgmt
net stop Mcx2Svc
net stop ehRecvr
net stop ehSched
net stop ehstart
net stop WMPNetworkSvc
net stop FontCache3.0.0.0
net stop WinRM
net stop WSearch
net start W32Time
net start wuauserv
net stop WinHttpAutoProxySvc
net stop dot3svc
net start Wlansvc
net stop wmiApSrv
net start LanmanWorkstation

:: testing time!
if %PROFILE%==Vista_32_aggressive goto Vista_32_aggressive
goto end


:Vista_32_aggressive
:: If it was selected, the Aggressive profile runs after the Moderate profile as an addendum.
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
echo Now applying Aggressive profile...
sc config ALG start= disabled
sc config AppMgmt start= disabled
sc config BFE start= disabled
sc config wbengine start= disabled
sc config KeyIso start= disabled
sc config IKEEXT start= disabled
sc config UI0Detect start= disabled
sc config PolicyAgent start= disabled
sc config KtmRm start= disabled
sc config clr_optimization_v2.0.50727_32 start= disabled
sc config swprv start= disabled
sc config pla start= disabled
sc config PcaSvc start= demand
sc config EMDMgmt start= disabled
sc config wscsvc start= disabled
sc config ShellHWDetection start= disabled
sc config TermService start= disabled
sc config upnphost start= disabled
sc config WcsPlugInService start= disabled
sc config WinDefend start= disabled
sc config FontCache3.0.0.0 start= disabled
sc config W32Time start= demand

:: testing time!
if %WHEN_TO_APPLY%==Now goto Vista_32_aggressive_Now
goto end


:Vista_32_aggressive_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop ALG
net stop AppMgmt
net stop BFE
net stop wbengine
net stop KeyIso
net stop IKEEXT
net stop UI0Detect
net stop PolicyAgent
net stop KtmRm
net stop clr_optimization_v2.0.50727_32
net stop swprv
net stop pla
net stop PcaSvc
net stop EMDMgmt
net stop wscsvc
net stop ShellHWDetection
net stop TermService
net stop upnphost
net stop WcsPlugInService
net stop WinDefend
net stop FontCache3.0.0.0
net stop W32Time

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end



:7_32_menu_profile
:: This is where the user selects the lockdown profile to use. Pretty self-explanatory.
set WINDOZE=Windows 7 32/64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo                       WINDOWS SERVICES LOCKDOWN - STEP 2/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo              Select the lockdown profile to apply to 136 services           
echo    -----------------------------------------------------------------------
echo       PROFILE                   Disabled    On-demand    Running    Total        
echo    -----------------------------------------------------------------------
echo    1. Windows Defaults                 2          85          36      123
echo    2. Minor                           18          72          34      124
echo    3. Moderate (recommended)          61          42          33      136
echo    4. Aggressive                      82          32          24      138
echo.
echo    5. Go back to Operating System choices                                  
echo.
echo.
:7_32_menu_profileChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
    :: Quoted SET keeps the space in front of && out of the stored values.
    if '%choice%'=='1' set "PROFILE=7_32_default" && set "basePROFILE=7_32_default" && set "namePROFILE=Default" && goto 7_32_menu_confirm
    if '%choice%'=='2' set "PROFILE=7_32_minor" && set "basePROFILE=7_32_default" && set "namePROFILE=Minor" && goto 7_32_menu_confirm
    if '%choice%'=='3' set "PROFILE=7_32_moderate" && set "basePROFILE=7_32_moderate" && set "namePROFILE=Moderate" && goto 7_32_menu_confirm
    if '%choice%'=='4' set "PROFILE=7_32_aggressive" && set "basePROFILE=7_32_moderate" && set "namePROFILE=Aggressive" && goto 7_32_menu_confirm
    if '%choice%'=='5' set "WINDOZE=--" && echo. && cls && goto os_menu
:: Else, report the invalid choice and prompt again
echo.
echo  "%choice%" is not valid, please try again
echo.
goto 7_32_menu_profileChoice


:7_32_menu_confirm
:: Confirm the profile and execute
set WINDOZE=Windows 7 32/64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo                      WINDOWS SERVICES LOCKDOWN - STEP 3/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    ABOUT TO APPLY THE %WINDOZE% "%namePROFILE%" CONFIGURATION!
echo.
echo.
echo                                CONFIRM?
echo.
echo    1. Yes - changes take effect immediately
echo    2. Yes - changes take effect at next reboot
echo.
echo    3. No, go back to profile selection
echo.
echo.
:7_32_menu_confirmChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
    if '%choice%'=='1' set "WHEN_TO_APPLY=Now" && goto %basePROFILE%
    if '%choice%'=='2' set "WHEN_TO_APPLY=reboot" && goto %basePROFILE%
    if '%choice%'=='3' set "namePROFILE=--" && goto 7_32_menu_profile
echo.
echo  "%choice%" is not valid, please try again
echo.
goto 7_32_menu_confirmChoice


:7_32_default
:: Operating system defaults. Default also forms the base for the Minor profile.
cls
title Resetting to defaults...
echo.
echo Now resetting all services to the %WINDOZE% defaults, please wait...
echo.
sc config AxInstSV start= demand
sc config SensrSvc start= demand
sc config AeLookupSvc start= demand
sc config AppIDSvc start= demand
sc config Appinfo start= demand
sc config ALG start= demand
sc config AppMgmt start= demand
sc config BITS start= demand
sc config BFE start= auto
sc config BDESVC start= auto
sc config wbengine start= demand
sc config bthserv start= demand
sc config PeerDistSvc start= demand
sc config CertPropSvc start= demand
sc config KeyIso start= demand
sc config EventSystem start= auto
sc config COMSysApp start= demand
sc config Browser start= demand
sc config VaultSvc start= demand
sc config CryptSvc start= auto
sc config UxSms start= auto
sc config Dhcp start= auto
sc config defragsvc start= demand
sc config MSDTC start= demand
sc config Dnscache start= auto
sc config EFS start= demand
sc config EapHost start= demand
sc config fdPHost start= demand
sc config FDResPub start= auto
sc config hkmsvc start= demand
sc config HomeGroupListener start= demand
sc config HomeGroupProvider start= demand
sc config hidserv start= demand
sc config IKEEXT start= demand
sc config UI0Detect start= demand
sc config SharedAccess start= disabled
sc config iphlpsvc start= auto
sc config PolicyAgent start= demand
sc config KtmRm start= demand
sc config lltdsvc start= demand
sc config clr_optimization_v2.0.50727_32 start= delayed-auto
sc config MSiSCSI start= demand
sc config swprv start= demand
sc config MMCSS start= auto
sc config Netlogon start= demand
sc config napagent start= demand
sc config Netman start= demand
sc config netprofm start= demand
sc config NlaSvc start= auto
sc config nsi start= auto
sc config CscService start= auto
sc config WPCSvc start= demand
sc config PNRPsvc start= demand
sc config p2psvc start= demand
sc config p2pimsvc start= demand
sc config pla start= demand
sc config PlugPlay start= auto
sc config IPBusEnum start= demand
sc config PNRPAutoReg start= demand
sc config WPDBusEnum start= demand
sc config Power start= auto
sc config Spooler start= auto
sc config wercplsupport start= demand
sc config PcaSvc start= demand
sc config ProtectedStorage start= demand
sc config QWAVE start= demand
sc config RasAuto start= demand
sc config RasMan start= demand
sc config TermService start= demand
sc config UmRdpService start= demand
sc config RpcLocator start= demand
sc config RemoteRegistry start= demand
sc config RemoteAccess start= disabled
sc config RpcEptMapper start= auto
sc config seclogon start= demand
sc config SstpSvc start= demand
sc config wscsvc start= auto
sc config wscsvc start= delayed-auto
sc config LanmanServer start= auto
sc config ShellHWDetection start= auto
sc config SCardSvr start= demand
sc config SCPolicySvc start= demand
sc config SNMPTRAP start= demand
sc config sppsvc start= auto
sc config sppsvc start= delayed-auto
sc config sppuinotify start= demand
sc config SSDPSRV start= demand
sc config SysMain start= auto
sc config SENS start= auto
sc config TabletInputService start= demand
sc config Schedule start= auto
sc config lmhosts start= auto
sc config TapiSrv start= demand
sc config Themes start= auto
sc config THREADORDER start= demand
sc config TBS start= demand
sc config upnphost start= demand
sc config ProfSvc start= auto
sc config vds start= demand
sc config VSS start= demand
sc config WebClient start= demand
sc config AudioSrv start= auto
sc config AudioEndpointBuilder start= auto
sc config SDRSVC start= demand
sc config WbioSrvc start= demand
sc config WcsPlugInService start= demand
sc config wcncsvc start= demand
sc config WinDefend start= auto
sc config WinDefend start= delayed-auto
sc config wudfsvc start= demand
sc config WerSvc start= demand
sc config Wecsvc start= demand
sc config Eventlog start= auto
sc config MpsSvc start= auto
sc config FontCache start= demand
sc config StiSvc start= demand
sc config msiserver start= demand
sc config Winmgmt start= auto
sc config WinRM start= demand
sc config W32Time start= demand
sc config wuauserv start= auto
sc config wuauserv start= delayed-auto
sc config WinHttpAutoProxySvc start= demand
sc config dot3svc start= demand
sc config Wlansvc start= auto
sc config wmiApSrv start= demand
sc config LanmanWorkstation start= auto
sc config WwanSvc start= demand

:: testing time!
if %WHEN_TO_APPLY%==Now goto 7_32_default_Now
if %PROFILE%==7_32_minor goto 7_32_minor
goto end

:7_32_default_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop AxInstSV
net stop SensrSvc
net stop AeLookupSvc
net stop AppIDSvc
net stop Appinfo
net stop ALG
net stop AppMgmt
net stop BITS
net start BFE
net start BDESVC
net stop wbengine
net stop bthserv
net stop PeerDistSvc
net stop CertPropSvc
net stop KeyIso
net start EventSystem
net stop COMSysApp
net stop Browser
net stop VaultSvc
net start CryptSvc
net start UxSms
net start Dhcp
net stop defragsvc
net stop MSDTC
net start Dnscache
net stop EFS
net stop EapHost
net stop fdPHost
net start FDResPub
net stop hkmsvc
net stop HomeGroupListener
net stop HomeGroupProvider
net stop hidserv
net stop IKEEXT
net stop UI0Detect
net stop SharedAccess
net start iphlpsvc
net stop PolicyAgent
net stop KtmRm
net stop lltdsvc
net start clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop swprv
net start MMCSS
net start Netlogon
net stop napagent
net stop Netman
net stop netprofm
net start NlaSvc
net start nsi
net start CscService
net stop WPCSvc
net stop PNRPsvc
net stop p2psvc
net stop p2pimsvc
net stop pla
net start PlugPlay
net stop IPBusEnum
net stop PNRPAutoReg
net stop WPDBusEnum
net start Power
net start Spooler
net stop wercplsupport
net stop PcaSvc
net stop ProtectedStorage
net stop QWAVE
net stop RasAuto
net stop RasMan
net stop TermService
net stop UmRdpService
net stop RpcLocator
net stop RemoteRegistry
net stop RemoteAccess
net start RpcEptMapper
net stop seclogon
net stop SstpSvc
net start wscsvc
net start LanmanServer
net start ShellHWDetection
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net start sppsvc
net stop sppuinotify
net stop SSDPSRV
net start SysMain
net start SENS
net stop TabletInputService
net start Schedule
net start lmhosts
net stop TapiSrv
net start Themes
net stop THREADORDER
net stop TBS
net stop upnphost
net start ProfSvc
net stop vds
net stop VSS
net stop WebClient
net start AudioSrv
net start AudioEndpointBuilder
net stop SDRSVC
net stop WbioSrvc
net stop WcsPlugInService
net stop wcncsvc
net start WinDefend
net stop wudfsvc
net stop WerSvc
net stop Wecsvc
net start Eventlog
net start MpsSvc
net stop FontCache
net stop StiSvc
net stop msiserver
net start Winmgmt
net stop WinRM
net stop W32Time
net start wuauserv
net stop WinHttpAutoProxySvc
net stop dot3svc
net start Wlansvc
net stop wmiApSrv
net start LanmanWorkstation
net stop WwanSvc

:: testing time!
if %PROFILE%==7_32_minor goto 7_32_minor
goto end


:7_32_minor
:: If it was selected, the Minor profile runs after Default as an addendum.
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config AppMgmt start= disabled
sc config bthserv start= disabled
sc config PeerDistSvc start= disabled
sc config CertPropSvc start= disabled
sc config iphlpsvc start= disabled
sc config clr_optimization_v2.0.50727_32 start= demand
sc config MSiSCSI start= disabled
sc config Netlogon start= disabled
sc config napagent start= disabled
sc config CscService start= disabled
sc config WPCSvc start= disabled
sc config RpcLocator start= disabled
sc config RemoteRegistry start= disabled
sc config SCardSvr start= disabled
sc config SCPolicySvc start= disabled
sc config SNMPTRAP start= disabled
sc config wcncsvc start= disabled

:: testing time!
if %WHEN_TO_APPLY%==Now goto 7_32_minor_Now
goto end


:7_32_minor_Now
:: If it was selected, this section runs after the profile above. It applies changes immediately.
net stop AppMgmt
net stop bthserv
net stop PeerDistSvc
net stop CertPropSvc
net stop iphlpsvc
net stop clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop Netlogon
net stop napagent
net stop CscService
net stop WPCSvc
net stop RpcLocator
net stop RemoteRegistry
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net stop wcncsvc
:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end


:7_32_moderate
:: The Moderate profile forms the base for the Aggressive profile
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config AxInstSV start= disabled
sc config SensrSvc start= disabled
sc config AeLookupSvc start= demand
sc config AppIDSvc start= demand
sc config Appinfo start= demand
sc config ALG start= disabled
sc config AppMgmt start= disabled
sc config BITS start= demand
sc config BFE start= auto
sc config BDESVC start= auto
sc config wbengine start= demand
sc config bthserv start= disabled
sc config PeerDistSvc start= disabled
sc config CertPropSvc start= disabled
sc config KeyIso start= demand
sc config EventSystem start= auto
sc config COMSysApp start= demand
sc config Browser start= demand
sc config VaultSvc start= disabled
sc config CryptSvc start= auto
sc config UxSms start= auto
sc config Dhcp start= auto
sc config defragsvc start= demand
sc config MSDTC start= demand
sc config Dnscache start= auto
sc config EFS start= disabled
sc config EapHost start= demand
sc config fdPHost start= disabled
sc config FDResPub start= disabled
sc config hkmsvc start= disabled
sc config HomeGroupListener start= demand
sc config HomeGroupProvider start= demand
sc config hidserv start= disabled
sc config IKEEXT start= demand
sc config UI0Detect start= disabled
sc config SharedAccess start= disabled
sc config iphlpsvc start= disabled
sc config PolicyAgent start= demand
sc config KtmRm start= demand
sc config lltdsvc start= disabled
sc config clr_optimization_v2.0.50727_32 start= demand
::sc config clr_optimization_v2.0.50727_32 start= delayed-auto
sc config MSiSCSI start= disabled
sc config swprv start= demand
sc config MMCSS start= auto
sc config Netlogon start= disabled
sc config napagent start= disabled
sc config Netman start= demand
sc config netprofm start= demand
sc config NlaSvc start= auto
sc config nsi start= auto
sc config CscService start= disabled
sc config WPCSvc start= disabled
sc config PNRPsvc start= disabled
sc config p2psvc start= disabled
sc config p2pimsvc start= disabled
sc config pla start= demand
sc config PlugPlay start= auto
sc config IPBusEnum start= disabled
sc config PNRPAutoReg start= disabled
sc config WPDBusEnum start= disabled
sc config Power start= auto
sc config Spooler start= auto
sc config wercplsupport start= disabled
sc config PcaSvc start= disabled
sc config ProtectedStorage start= demand
sc config QWAVE start= disabled
sc config RasAuto start= demand
sc config RasMan start= demand
sc config TermService start= disabled
sc config UmRdpService start= disabled
sc config RpcLocator start= disabled
sc config RemoteRegistry start= disabled
sc config RemoteAccess start= disabled
sc config RpcEptMapper start= auto
sc config seclogon start= demand
sc config SstpSvc start= demand
sc config wscsvc start= auto
sc config wscsvc start= delayed-auto
sc config LanmanServer start= auto
sc config ShellHWDetection start= auto
sc config SCardSvr start= disabled
sc config SCPolicySvc start= disabled
sc config SNMPTRAP start= disabled
sc config sppsvc start= auto
sc config sppsvc start= delayed-auto
sc config sppuinotify start= demand
sc config SSDPSRV start= demand
sc config SysMain start= auto
sc config SENS start= auto
sc config TabletInputService start= disabled
sc config Schedule start= auto
sc config lmhosts start= auto
sc config TapiSrv start= demand
sc config Themes start= auto
sc config THREADORDER start= demand
sc config TBS start= disabled
sc config upnphost start= demand
sc config ProfSvc start= auto
sc config vds start= demand
sc config VSS start= demand
sc config WebClient start= disabled
sc config AudioSrv start= auto
sc config AudioEndpointBuilder start= auto
sc config SDRSVC start= demand
sc config WbioSrvc start= disabled
sc config WcsPlugInService start= disabled
sc config wcncsvc start= disabled
sc config WinDefend start= auto
sc config WinDefend start= delayed-auto
sc config wudfsvc start= demand
sc config WerSvc start= disabled
sc config Wecsvc start= demand
sc config Eventlog start= auto
sc config MpsSvc start= auto
sc config FontCache start= demand
sc config StiSvc start= demand
sc config msiserver start= demand
sc config Winmgmt start= auto
sc config WinRM start= disabled
sc config W32Time start= demand
sc config wuauserv start= auto
sc config wuauserv start= delayed-auto
sc config WinHttpAutoProxySvc start= disabled
sc config dot3svc start= demand
sc config Wlansvc start= auto
sc config wmiApSrv start= demand
sc config LanmanWorkstation start= auto
sc config WwanSvc start= disabled
  
:: These services were missing from the config tool and manually added by me
sc config DPS start= disabled
sc config WdiServiceHost start= disabled
sc config WdiSystemHost start= disabled
sc config TrkWks start= disabled
sc config SessionEnv start= disabled
sc config StorSvc start= disabled

:: This is a major annoyance to me but potentially wanted by people. Shell Hardware Detection
:: does auto-insert notification and detection of the type of DVD/CD drive that is installed.
:: This does not affect actual functionality, only Windows' ability to detect its features. Meh.
sc config ShellHWDetection start= disabled

::These are services added by Windows Live Essentials
REM Windows Card Service & Windows Search
sc config idsvc start= disabled
sc config WSearch start= disabled

:: These are services added by Windows Media Center
sc config ehRecvr start= disabled
sc config ehSched start= disabled
sc config WMPNetworkSvc start= disabled

:: Test if we are also applying the Aggressive profile
:: testing time!
if %WHEN_TO_APPLY%==Now goto 7_32_moderate_Now
if %PROFILE%==7_32_aggressive goto 7_32_aggressive
goto end


:7_32_moderate_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop AxInstSV
net stop SensrSvc
net stop AeLookupSvc
net stop AppIDSvc
net stop Appinfo
net stop ALG
net stop AppMgmt
net stop BITS
net start BFE
net start BDESVC
net stop wbengine
net stop bthserv
net stop PeerDistSvc
net stop CertPropSvc
net stop KeyIso
net start EventSystem
net stop COMSysApp
net stop Browser
net stop VaultSvc
net start CryptSvc
net start UxSms
net start Dhcp
net stop defragsvc
net stop MSDTC
net start Dnscache
net stop EFS
net stop EapHost
net stop fdPHost
net stop FDResPub
net stop hkmsvc
net stop HomeGroupListener
net stop HomeGroupProvider
net stop hidserv
net stop IKEEXT
net stop UI0Detect
net stop SharedAccess
net stop iphlpsvc
net stop PolicyAgent
net stop KtmRm
net stop lltdsvc
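:: clr_optimization is set to demand in 7_32_moderate, so it is stopped like the other on-demand services.
net stop clr_optimization_v2.0.50727_32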
net stop MSiSCSI
net stop swprv
net start MMCSS
net stop Netlogon
net stop napagent
net stop Netman
net stop netprofm
net start NlaSvc
net start nsi
net stop CscService
net stop WPCSvc
net stop PNRPsvc
net stop p2psvc
net stop p2pimsvc
net stop pla
net start PlugPlay
net stop IPBusEnum
net stop PNRPAutoReg
net stop WPDBusEnum
net start Power
net start Spooler
net stop wercplsupport
net stop PcaSvc
net stop ProtectedStorage
net stop QWAVE
net stop RasAuto
net stop RasMan
net stop TermService
net stop UmRdpService
net stop RpcLocator
net stop RemoteRegistry
net stop RemoteAccess
net start RpcEptMapper
net stop seclogon
net stop SstpSvc
net start wscsvc
net start LanmanServer
net start ShellHWDetection
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net start sppsvc
net stop sppuinotify
net stop SSDPSRV
net start SysMain
net start SENS
net stop TabletInputService
net start Schedule
net start lmhosts
net stop TapiSrv
net start Themes
net stop THREADORDER
net stop TBS
net stop upnphost
net start ProfSvc
net stop vds
net stop VSS
net stop WebClient
net start AudioSrv
net start AudioEndpointBuilder
net stop SDRSVC
net stop WbioSrvc
net stop WcsPlugInService
net stop wcncsvc
net start WinDefend
net stop wudfsvc
net stop WerSvc
net stop Wecsvc
net start Eventlog
net start MpsSvc
net stop FontCache
net stop StiSvc
net stop msiserver
net start Winmgmt
net stop WinRM
net stop W32Time
net start wuauserv
net stop WinHttpAutoProxySvc
net stop dot3svc
net start Wlansvc
net stop wmiApSrv
net start LanmanWorkstation
net stop WwanSvc
net stop DPS
net stop WdiServiceHost
net stop WdiSystemHost
net stop TrkWks
net stop SessionEnv
net stop StorSvc
net stop ShellHWDetection
net stop idsvc
net stop WSearch
net stop ehRecvr
net stop ehSched
net stop WMPNetworkSvc
:: testing time!
if %PROFILE%==7_32_aggressive goto 7_32_aggressive
goto end


:7_32_aggressive
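:: If it was selected, the Aggressive profile runs after the Moderate profile as an addendum.
:: Note: BFE (Base Filtering Engine) is a dependency of Windows Firewall (MpsSvc), so disabling
:: it below also keeps the firewall from starting. This profile also disables WinDefend and wscsvc.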
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config BITS start= disabled
sc config BFE start= disabled
sc config BDESVC start= disabled
sc config wbengine start= disabled
sc config KeyIso start= disabled
sc config UxSms start= disabled
sc config Dnscache start= disabled
sc config EapHost start= disabled
sc config HomeGroupListener start= disabled
sc config HomeGroupProvider start= disabled
sc config PolicyAgent start= disabled
sc config SstpSvc start= disabled
sc config wscsvc start= disabled
sc config lmhosts start= disabled
sc config TapiSrv start= disabled
sc config Themes start= disabled
sc config WinDefend start= disabled
sc config W32Time start= disabled
sc config wuauserv start= demand
sc config dot3svc start= disabled

:: These services were missing from the config tool and manually added by me
sc config NetTcpPortSharing start= disabled
sc config RpcLocator start= disabled

:: This is another service from our lovely Media Center edition. Goodbye.
REM Windows Presentation Foundation Font
sc config FontCache3.0.0.0 start= disabled

:: testing time!
if %WHEN_TO_APPLY%==Now goto 7_32_aggressive_Now
goto end


:7_32_aggressive_Now
net stop BITS
net stop BFE
net stop BDESVC
net stop wbengine
net stop KeyIso
net stop UxSms
net stop Dnscache
net stop EapHost
net stop HomeGroupListener
net stop HomeGroupProvider
net stop PolicyAgent
net stop SstpSvc
net stop wscsvc
net stop lmhosts
net stop TapiSrv
net stop Themes
net stop WinDefend
net stop W32Time
net stop wuauserv
net stop dot3svc
net stop NetTcpPortSharing
net stop RpcLocator
net stop FontCache3.0.0.0

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end


::::::::::::::::::::::::::::::::::
::                              ::
:: Beginning of 64-bit Sections ::
::                              ::
::::::::::::::::::::::::::::::::::


:XP_64_menu_profile
:: This is where the user selects the lockdown profile to use. Pretty self-explanatory.
set WINDOZE=Windows XP 64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo                       WINDOWS SERVICES LOCKDOWN - STEP 2/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo              Select the lockdown profile to apply to 87 services
echo    -----------------------------------------------------------------------
echo       PROFILE                   Disabled    On-demand    Running    Total        
echo    -----------------------------------------------------------------------
echo    1. Windows Defaults                 6          36          39       81
echo    2. Minor                           26          29          26       81
echo    3. Moderate (recommended)          52          19          16       87
echo    4. Aggressive                      72           5          10       87
echo.
echo    5. Go back to Operating System choices                                  
echo.
echo.
:XP_64_menu_profileChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
    if '%choice%'=='1' set PROFILE=XP_64_default && set basePROFILE=XP_64_default && set namePROFILE=Default&& goto XP_64_menu_confirm
    if '%choice%'=='2' set PROFILE=XP_64_minor && set basePROFILE=XP_64_default && set namePROFILE=Minor&& goto XP_64_menu_confirm
    if '%choice%'=='3' set PROFILE=XP_64_moderate && set basePROFILE=XP_64_moderate && set namePROFILE=Moderate&& goto XP_64_menu_confirm
    if '%choice%'=='4' set PROFILE=XP_64_aggressive && set basePROFILE=XP_64_moderate && set namePROFILE=Aggressive&& goto XP_64_menu_confirm
    if '%choice%'=='5' set WINDOZE=-- && echo. && cls && goto os_menu
:: Else, go back and re-draw the menu
echo.
echo  "%choice%" is not valid, please try again
echo.
goto XP_64_menu_profileChoice


:XP_64_menu_confirm
:: Confirm the profile and execute
set WINDOZE=Windows XP 64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo                      WINDOWS SERVICES LOCKDOWN - STEP 3/3
echo.
echo    Step 1: Choose OS:            %WINDOZE%
echo    Step 2: Choose Profile:       %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    ABOUT TO APPLY THE %WINDOZE% "%namePROFILE%" CONFIGURATION!
echo.
echo.
echo                                CONFIRM?
echo.
echo    1. Yes - changes take effect immediately
echo    2. Yes - changes take effect at next reboot
echo.
echo    3. No, go back to profile selection
echo.
echo.
:XP_64_menu_confirmChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
    if '%choice%'=='1' set WHEN_TO_APPLY=Now && goto %basePROFILE%
    if '%choice%'=='2' set WHEN_TO_APPLY=reboot && goto %basePROFILE%
    if '%choice%'=='3' set namePROFILE=-- && goto XP_64_menu_profile
echo.
echo  "%choice%" is not valid, please try again
echo.
goto XP_64_menu_confirmChoice


:XP_64_default
:: Operating system defaults. Default also forms the base for the Minor profile.
cls
title Resetting to defaults...
echo.
echo Now resetting all services to the %WINDOZE% defaults, please wait...
echo.
sc config Alerter start= disabled
sc config AeLookupSvc start= auto
sc config ALG start= demand
sc config AppMgmt start= demand
sc config AudioSrv start= auto
sc config BITS start= demand
sc config Browser start= auto
sc config cisvc start= disabled
sc config ClipSrv start= demand
sc config COMSysApp start= demand
sc config CryptSvc start= auto
sc config DcomLaunch start= auto
sc config Dhcp start= auto
sc config dmadmin start= demand
sc config dmserver start= auto
sc config Dnscache start= auto
sc config ERSvc start= auto
sc config Eventlog start= auto
sc config EventSystem start= auto
sc config helpsvc start= auto
sc config HidServ start= disabled
sc config HTTPFilter start= demand
sc config IASJet start= demand
sc config ImapiService start= demand
sc config lanmanserver start= auto
sc config lanmanworkstation start= auto
sc config LmHosts start= auto
sc config Messenger start= disabled
sc config mnmsrvc start= demand
sc config MSDTC start= demand
sc config MSIServer start= demand
sc config NetDDE start= demand
sc config NetDDEdsdm start= demand
sc config Netlogon start= demand
sc config Netman start= demand
sc config Nla start= demand
sc config NtLmSsp start= demand
sc config NtmsSvc start= demand
sc config PlugPlay start= auto
sc config PolicyAgent start= auto
sc config ProtectedStorage start= auto
sc config RasAuto start= demand
sc config RasMan start= demand
sc config RDSessMgr start= demand
sc config RemoteAccess start= disabled
sc config RemoteRegistry start= auto
sc config RpcLocator start= demand
sc config RpcSs start= auto
sc config SamSs start= auto
sc config SCardSvr start= demand
sc config Schedule start= auto
sc config seclogon start= auto
sc config SENS start= auto
sc config SharedAccess start= auto
sc config ShellHWDetection start= auto
sc config Spooler start= auto
sc config srservice start= auto
sc config SSDPSRV start= demand
sc config stisvc start= auto
sc config SysmonLog start= auto
sc config TapiSrv start= demand
sc config TermService start= demand
sc config Themes start= auto
sc config TlntSvr start= disabled
sc config TrkWks start= auto
sc config UMWdf start= demand
sc config upnphost start= auto
sc config UPS start= demand
sc config vds start= demand
sc config VSS start= demand
sc config W32Time start= auto
sc config WebClient start= auto
sc config WinHttpAutoProxySvc start= demand
sc config winmgmt start= auto
sc config WmdmPmSN start= demand
sc config Wmi start= demand
sc config WmiApSrv start= demand
sc config wscsvc start= auto
sc config wuauserv start= auto
sc config WZCSVC start= auto
sc config xmlprov start= demand

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_64_default_Now
if %PROFILE%==XP_64_minor goto XP_64_minor
goto end

:XP_64_default_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop Alerter
net start AeLookupSvc
net stop ALG
net stop AppMgmt
net start AudioSrv
net stop BITS
net start Browser
net stop cisvc
net stop ClipSrv
net stop COMSysApp
net start CryptSvc
net start DcomLaunch
net start Dhcp
net stop dmadmin
net start dmserver
net start Dnscache
net start ERSvc
net start Eventlog
net start EventSystem
net start helpsvc
net stop HidServ
net stop HTTPFilter
net stop IASJet
net stop ImapiService
net start lanmanserver
net start lanmanworkstation
net start LmHosts
net stop Messenger
net stop mnmsrvc
net stop MSDTC
net stop MSIServer
net stop NetDDE
net stop NetDDEdsdm
net start Netlogon
net stop Netman
net stop Nla
net stop NtLmSsp
net stop NtmsSvc
net start PlugPlay
net start PolicyAgent
net start ProtectedStorage
net stop RasAuto
net stop RasMan
net stop RDSessMgr
net stop RemoteAccess
net start RemoteRegistry
net stop RpcLocator
net start RpcSs
net start SamSs
net stop SCardSvr
net start Schedule
net start seclogon
net start SENS
net start SharedAccess
net start ShellHWDetection
net start Spooler
net start srservice
net stop SSDPSRV
net start stisvc
net start SysmonLog
net stop TapiSrv
net stop TermService
net start Themes
net stop TlntSvr
net start TrkWks
net stop UMWdf
net start upnphost
net stop UPS
net stop vds
net stop VSS
net start W32Time
net start WebClient
net stop WinHttpAutoProxySvc
net start winmgmt
net stop WmdmPmSN
net stop Wmi
net stop WmiApSrv
net start wscsvc
net start wuauserv
net start WZCSVC
net stop xmlprov

:: testing time!
if %PROFILE%==XP_64_minor goto XP_64_minor
goto end


:XP_64_minor
:: If it was selected, the Minor profile runs after the Default profile as an addendum.
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config ClipSrv start= disabled
sc config dmserver start= demand
sc config ERSvc start= disabled
sc config EventSystem start= demand
sc config helpsvc start= demand
sc config IASJet start= disabled
sc config LmHosts start= disabled
sc config mnmsrvc start= disabled
sc config NetDDE start= disabled
sc config NetDDEdsdm start= disabled
sc config Netlogon start= disabled
sc config RDSessMgr start= disabled
sc config RemoteRegistry start= disabled
sc config SCardSvr start= disabled
sc config seclogon start= demand
sc config stisvc start= demand
sc config SysmonLog start= demand
sc config TrkWks start= demand
sc config upnphost start= demand
sc config UPS start= disabled
sc config vds start= disabled
sc config W32Time start= disabled
sc config WebClient start= disabled
sc config WinHttpAutoProxySvc start= disabled
sc config WmdmPmSN start= disabled
sc config WmiApSrv start= disabled
sc config xmlprov start= disabled

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_64_minor_Now
goto end


:XP_64_minor_Now
:: If it was selected, this section runs after the profile above. It applies changes immediately.
net stop ClipSrv
net stop dmserver
net stop ERSvc
net stop EventSystem
net stop helpsvc
net stop IASJet
net stop LmHosts
net stop mnmsrvc
net stop NetDDE
net stop NetDDEdsdm
net stop Netlogon
net stop RDSessMgr
net stop RemoteRegistry
net stop SCardSvr
net stop seclogon
net stop SSDPSRV
net stop stisvc
net stop SysmonLog
net stop TrkWks
net stop upnphost
net stop UPS
net stop vds
net stop W32Time
net stop WebClient
net stop WinHttpAutoProxySvc
net stop WmdmPmSN
net stop WmiApSrv
net stop xmlprov

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. whew!
goto end


:XP_64_moderate
:: The Moderate profile forms the base for the Aggressive profile
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config Alerter start= disabled
sc config AeLookupSvc start= disabled
sc config ALG start= disabled
sc config AppMgmt start= disabled
sc config AudioSrv start= auto
sc config BITS start= demand
sc config Browser start= auto
sc config cisvc start= disabled
sc config ClipSrv start= disabled
sc config COMSysApp start= disabled
sc config CryptSvc start= auto
sc config DcomLaunch start= auto
sc config Dhcp start= auto
sc config dmadmin start= demand
sc config dmserver start= demand
sc config Dnscache start= demand
sc config ERSvc start= disabled
sc config Eventlog start= auto
sc config EventSystem start= disabled
sc config helpsvc start= disabled
sc config HidServ start= disabled
sc config HTTPFilter start= demand
sc config IASJet start= disabled
sc config ImapiService start= demand
sc config lanmanserver start= auto
sc config lanmanworkstation start= auto
sc config LmHosts start= disabled
sc config Messenger start= disabled
sc config mnmsrvc start= disabled
sc config MSDTC start= disabled
sc config MSIServer start= demand
sc config NetDDE start= disabled
sc config NetDDEdsdm start= disabled
sc config Netlogon start= disabled
sc config Netman start= demand
sc config Nla start= demand
sc config NtLmSsp start= demand
sc config NtmsSvc start= disabled
sc config PlugPlay start= auto
sc config PolicyAgent start= demand
sc config ProtectedStorage start= disabled
sc config RasAuto start= disabled
sc config RasMan start= disabled
sc config RDSessMgr start= disabled
sc config RemoteAccess start= disabled
sc config RemoteRegistry start= disabled
sc config RpcLocator start= demand
sc config RpcSs start= auto
sc config SamSs start= auto
sc config SCardSvr start= disabled
sc config Schedule start= disabled
sc config seclogon start= disabled
sc config SENS start= disabled
sc config SharedAccess start= auto
sc config ShellHWDetection start= disabled
sc config Spooler start= auto
sc config srservice start= disabled
sc config SSDPSRV start= disabled
sc config stisvc start= disabled
sc config SysmonLog start= disabled
sc config TapiSrv start= disabled
sc config TermService start= demand
sc config Themes start= disabled
sc config TlntSvr start= disabled
sc config TrkWks start= disabled
sc config UMWdf start= disabled
sc config upnphost start= disabled
sc config UPS start= disabled
sc config vds start= disabled
sc config VSS start= disabled
sc config W32Time start= disabled
sc config WebClient start= disabled
sc config WinHttpAutoProxySvc start= disabled
sc config winmgmt start= auto
sc config WmdmPmSN start= disabled
sc config Wmi start= demand
sc config WmiApSrv start= demand
sc config wscsvc start= disabled
sc config wuauserv start= auto
sc config WZCSVC start= auto
sc config xmlprov start= disabled

:: These services were not in the config tool and were added by me
sc config 6to4 start= disabled

::Peer Name Resolution Protocol, Peer Networking, Peer Networking Group Authentication, and Peer Networking Identity Manager, respectively.
sc config PNRPSvc start= demand
sc config p2psvc start= demand
sc config p2pgasvc start= demand
sc config p2pimsvc start= demand

:: World Wide Web Publishing...whatever...nuke it.
sc config w3svc start= disabled

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_64_moderate_Now
if %PROFILE%==XP_64_aggressive goto XP_64_aggressive
goto end


:XP_64_moderate_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop Alerter
net stop AeLookupSvc
net stop ALG
net stop AppMgmt
net start AudioSrv
net stop BITS
net start Browser
net stop cisvc
net stop ClipSrv
net stop COMSysApp
net start CryptSvc
net start DcomLaunch
net start Dhcp
net stop dmadmin
net stop dmserver
net stop Dnscache
net stop ERSvc
net start Eventlog
net stop EventSystem
net stop helpsvc
net stop HidServ
net stop HTTPFilter
net stop IASJet
net stop ImapiService
net start lanmanserver
net start lanmanworkstation
net stop LmHosts
net stop Messenger
net stop mnmsrvc
net stop MSDTC
net stop MSIServer
net stop NetDDE
net stop NetDDEdsdm
net stop Netlogon
net stop Netman
net stop Nla
net stop NtLmSsp
net stop NtmsSvc
net start PlugPlay
net stop PolicyAgent
net stop ProtectedStorage
net stop RasAuto
net stop RasMan
net stop RDSessMgr
net stop RemoteAccess
net stop RemoteRegistry
net stop RpcLocator
net start RpcSs
net start SamSs
net stop SCardSvr
net stop Schedule
net stop seclogon
net stop SENS
net start SharedAccess
net stop ShellHWDetection
net start Spooler
net stop srservice
net stop SSDPSRV
net stop stisvc
net stop SysmonLog
net stop TapiSrv
net stop TermService
net stop Themes
net stop TlntSvr
net stop TrkWks
net stop UMWdf
net stop upnphost
net stop UPS
net stop vds
net stop VSS
net stop W32Time
net stop WebClient
net stop WinHttpAutoProxySvc
net start winmgmt
net stop WmdmPmSN
net stop Wmi
net stop WmiApSrv
net stop wscsvc
net start wuauserv
net start WZCSVC
net stop xmlprov
net stop 6to4
net stop PNRPSvc
net stop p2psvc
net stop p2pgasvc
net stop p2pimsvc
net stop w3svc
:: Testing time!
if %PROFILE%==XP_64_aggressive goto XP_64_aggressive
goto end


:XP_64_aggressive
:: If it was selected, the Aggressive profile runs after the Moderate profile as an addendum.
cls
title Applying %PROFILE% settings...
echo.
echo Now applying %PROFILE% settings, please wait...
echo.
sc config BITS start= disabled
sc config Browser start= disabled
sc config CryptSvc start= disabled
sc config dmadmin start= disabled
sc config dmserver start= disabled
sc config Dnscache start= disabled
sc config ImapiService start= disabled
sc config lanmanserver start= disabled
sc config Nla start= disabled
sc config NtLmSsp start= disabled
sc config RpcLocator start= disabled
sc config Spooler start= disabled
sc config TermService start= disabled
sc config Wmi start= disabled
sc config wuauserv start= disabled
sc config WZCSVC start= disabled

::Peer Name Resolution Protocol, Peer Networking, Peer Networking Group Authentication, and Peer Networking Identity Manager, respectively.
sc config PNRPSvc start= disabled
sc config p2psvc start= disabled
sc config p2pgasvc start= disabled
sc config p2pimsvc start= disabled

:: Testing time!
if %WHEN_TO_APPLY%==Now goto XP_64_aggressive_Now
goto end


:XP_64_aggressive_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop BITS
net stop Browser
net stop CryptSvc
net stop dmadmin
net stop dmserver
net stop Dnscache
net stop ImapiService
net stop lanmanserver
net stop Nla
net stop NtLmSsp
net stop RpcLocator
net stop Spooler
net stop TermService
net stop Wmi
net stop wuauserv
net stop WZCSVC
net stop PNRPSvc
net stop p2psvc
net stop p2pgasvc
net stop p2pimsvc

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end


:end
title Lockdown Complete
echo.
echo.
echo                      LOCKDOWN COMPLETE
echo.
echo.
echo    The following configuration was applied:
echo.
echo.
echo    Operating System:  %WINDOZE%
echo    Profile:           %PROFILE%
echo    Changes Effective: %WHEN_TO_APPLY%
echo.
:: The variable must be expanded with %...%, otherwise the literal text never equals "reboot".
if %WHEN_TO_APPLY%==reboot echo. && echo    Changes will take effect at next reboot.
echo.
echo.
echo    Press any key to quit...
echo.
pause
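
A static check of the script's layered profiles, as an added example that is not part of hgate73's script: it parses the `sc config` and `net start`/`net stop` lines under each label, layers an addendum profile over its base, lists watched security services that end up disabled, and flags `_Now` actions that disagree with the configured start type. The watch list, the function names and the "auto means start, anything else means stop" convention are assumptions; `SAMPLE` is a shortened excerpt of lines from the script.

```python
import re

# Shortened excerpt of lines taken from the script above, in its own layout.
SAMPLE = """\
:XP_64_default
sc config Eventlog start= auto
sc config Netlogon start= demand
sc config wscsvc start= auto
:XP_64_default_Now
net start Eventlog
net start Netlogon
net start wscsvc
:XP_64_moderate
sc config CryptSvc start= auto
sc config Eventlog start= auto
sc config wscsvc start= disabled
sc config wuauserv start= auto
:XP_64_moderate_Now
net start CryptSvc
net start Eventlog
net stop wscsvc
net start wuauserv
:XP_64_aggressive
sc config CryptSvc start= disabled
sc config Spooler start= disabled
sc config wuauserv start= disabled
"""

# Assumption: an editor-chosen watch list of security-relevant services (lower case).
WATCH = {"bfe", "cryptsvc", "eventlog", "mpssvc", "sharedaccess",
         "windefend", "wscsvc", "wuauserv"}

LABEL = re.compile(r"^:(\w+)$")  # a "::" comment line does not match
CONFIG = re.compile(r"^sc\s+config\s+(\S+)\s+start=\s*(\S+)", re.I)
NET = re.compile(r"^net\s+(start|stop)\s+(\S+)", re.I)

def parse(script):
    """Map each label to its sc config start types and net start/stop actions."""
    sections, cur = {}, None
    for line in map(str.strip, script.splitlines()):
        if m := LABEL.match(line):
            cur = sections.setdefault(m.group(1), {"config": {}, "now": {}})
        elif cur is not None and (m := CONFIG.match(line)):
            cur["config"][m.group(1).lower()] = m.group(2).lower()
        elif cur is not None and (m := NET.match(line)):
            cur["now"][m.group(2).lower()] = m.group(1).lower()
    return sections

def effective(sections, base, addendum=None):
    """Start types after the base profile and its optional addendum have run."""
    merged = dict(sections[base]["config"])
    if addendum:
        merged.update(sections[addendum]["config"])
    return merged

def disabled_watched(start_types):
    """Watched services whose effective start type is 'disabled'."""
    return sorted(s for s, t in start_types.items() if s in WATCH and t == "disabled")

def mismatches(sections, label):
    """_Now actions that disagree with the start type set under the same profile.
    Assumed convention, as the script mostly follows: auto -> start, else stop."""
    cfg = sections[label]["config"]
    now = sections.get(label + "_Now", {"now": {}})["now"]
    return sorted((s, cfg.get(s), a) for s, a in now.items()
                  if a != ("start" if cfg.get(s) == "auto" else "stop"))

if __name__ == "__main__":
    secs = parse(SAMPLE)
    print(disabled_watched(effective(secs, "XP_64_moderate", "XP_64_aggressive")))
    print(mismatches(secs, "XP_64_default"))
```

To audit the whole script, pass the batch file's text to `parse` instead of `SAMPLE`.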
