Admittedly, turning off Windows services is a touchy topic. Some people think it's worthless, other people swear by it. I'm one of the people that swears by it. Not to save CPU cycles, but a) to reduce RAM usage, and b) to reduce attack surface. Good security practice involves eliminating all possible attack vectors. I've had no problems with this.
This script disables Windows services (XP, Vista, and 7, 32-bit and 64-bit special services) that don't need to be running. It has four "aggressiveness" profiles to let you select the number of services you want disabled.
It has the option to completely undo everything and return Windows to the "out of the box" settings.
This is my magnum opus, I spent about a week writing this guy and debugging it!
batch file:
CODE
:: Purpose:       Locks down/turns off unnecessary Windows services. Can also undo this lockdown operation.
:: Requirements:  Administrator access. Some services may not exist if a Service Pack is missing, but this
::                is okay, they'll just be skipped.
:: Author:        hgate73 at gmail or yahoo
:: Version:       2.0 Master (Windows XP/Vista/7)
:: History:       2.0 Massive re-write. New menus, new logic and flow, new services, new
::                    Operating Systems added (Vista/7/XP x64), Windows XP updated to SP3.
::                1.0 Original script (Windows XP SP2 only)

:: NOTES
:: ---------------------------------
:: Well, here it is! I wrote this script over about three days working non-stop (except for sleep
:: and the gym...). I owe a BIG debt to www.blackviper.com. It has detailed service information
:: and a tool to generate custom service configuration files. He came up with the four levels of
:: "aggressiveness" for locking down services (he calls them default/safe/tweaked/bare-bones).
:: So big thanks to him for his hard work. My profiles are identical to his with the exception of
:: two things: 1. The "moderate" profile deviates from his to suit my tastes, and 2. I retained
:: network functionality in the "aggressive" profiles.

:: MISC
:: ---------------------------------
:: I use the "main block of code plus add-on block of code" method for the service Profiles, to cut
:: down on the size of the script. Behind the scenes, for each OS, there are two "base" profiles
:: and two "add-on" profiles. First one is run, then (if selected) the other block is run
:: afterwards. Rather than create an entire service configuration script for each profile, I just
:: have the "add-on" profile run as an addendum to the "base" profile. An example are the "Default"
:: and "Minor" profiles. "Default" forms the base for "Minor", since they are so similar. This adds
:: some craziness to the logic...but I managed to solve it by using two variables, basePROFILE and
:: PROFILE. basePROFILE sets our start point and PROFILE sets our overall profile. "If" statements
:: evaluate those two variables at the end of each Profile code block and act accordingly.

:: USER FLOW
:: ---------------------------------
:: The user sees these screens in order:
::   1. Warning/welcome
::   2. Operating System choice menu
::   3. "Profile" choice menu
::   4. "Apply Now or later?" menu
::   5. Confirmation menu
::      - execution
::   6. End screen.

:: Console prep and variable load
@echo off
cls
set WINDOZE=--
set namePROFILE=--
set WHEN_TO_APPLY=--

:: Initial Welcome / Warning screen
:warning
color 0c
title Windows Services Lockdown
cls
echo.
echo ********************************* WARNING *********************************
echo *                                                                         *
echo * HEY!! Read this! It's important.                                        *
echo *                                                                         *
echo * This script disables unnecessary Windows services (hidden programs).    *
echo * This is a good thing - it reduces RAM usage and attack surface. However,*
echo * sometimes it disables a service that you were using and didn't know     *
echo * about, causing errors, program crashes, and/or explosions in Italy.     *
echo *                                                                         *
echo * GOOD NEWS! This is easy to fix. If you have *ANY* problems after using  *
echo * this script, just run it again and choose option 1: "defaults" for your *
echo * operating system. Everything will be restored to the default state.     *
echo *                                                                         *
echo * One last thing - you have to run this script as an ADMINISTRATOR.       *
echo *                                                                         *
echo * Ready? Press any key to go to the main menu...                          *
echo *                                                                         *
echo ***************************************************************************
echo.
pause

:: Welcome screen
:os_menu
::color 07
::color 17 (white on blue)
::color 1f (bright white on blue)
color 17
cls
echo.
echo    WINDOWS SERVICES LOCKDOWN - STEP 1/3
echo.
echo    Step 1: Choose OS:      %WINDOZE%
echo    Step 2: Choose Profile: %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    Select the operating system you are using
echo.
echo    -----------------------------------------------------------------------
echo       Operating System      Architecture       Service Pack
echo    -----------------------------------------------------------------------
echo    1. Windows XP            32-bit             up to SP3
echo    2. Windows XP            64-bit             up to SP2
echo    3. Windows Vista         32-bit/64-bit      up to SP2
echo    4. Windows 7             32-bit/64-bit      up to SP1
echo.
echo    5. Exit
echo.
echo.
:: menu: Setup menu processing
:os_menuChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' goto XP_32_menu_profile
if '%choice%'=='2' goto XP_64_menu_profile
if '%choice%'=='3' goto Vista_32_menu_profile
if '%choice%'=='4' goto 7_32_menu_profile
if '%choice%'=='5' goto quit
:: Else, go back and re-draw the menu
echo.
echo "%choice%" is not valid, please try again
echo.
goto os_menuChoice

:XP_32_menu_profile
:: This is where the user selects the lockdown profile to use. Pretty self-explanatory.
set WINDOZE=Windows XP 32-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo    WINDOWS SERVICES LOCKDOWN - STEP 2/3
echo.
echo    Step 1: Choose OS:      %WINDOZE%
echo    Step 2: Choose Profile: %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    Select the lockdown profile to apply to 87 services
echo    -----------------------------------------------------------------------
echo       PROFILE                    Disabled   On-demand   Running   Total
echo    -----------------------------------------------------------------------
echo    1. Windows Defaults               6         36         39       81
echo    2. Minor                         26         29         26       81
echo    3. Moderate (recommended)        52         19         16       87
echo    4. Aggressive                    72          5         10       87
echo.
echo    5. Go back to Operating System choices
echo.
echo.
:XP_32_menu_profileChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' set PROFILE=XP_32_default && set basePROFILE=XP_32_default && set namePROFILE=Default&& goto XP_32_menu_confirm
if '%choice%'=='2' set PROFILE=XP_32_minor && set basePROFILE=XP_32_default && set namePROFILE=Minor&& goto XP_32_menu_confirm
if '%choice%'=='3' set PROFILE=XP_32_moderate && set basePROFILE=XP_32_moderate && set namePROFILE=Moderate&& goto XP_32_menu_confirm
if '%choice%'=='4' set PROFILE=XP_32_aggressive && set basePROFILE=XP_32_moderate && set namePROFILE=Aggressive&& goto XP_32_menu_confirm
if '%choice%'=='5' set WINDOZE=-- && echo. && cls && goto os_menu
:: Else, go back and re-draw the menu
echo.
echo "%choice%" is not valid, please try again
echo.
goto XP_32_menu_profileChoice

:XP_32_menu_confirm
:: Confirm the profile and execute
set WINDOZE=Windows XP 32-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo    WINDOWS SERVICES LOCKDOWN - STEP 3/3
echo.
echo    Step 1: Choose OS:      %WINDOZE%
echo    Step 2: Choose Profile: %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    ABOUT TO APPLY THE %WINDOZE% "%namePROFILE%" CONFIGURATION!
echo.
echo.
echo    CONFIRM?
echo.
echo    1. Yes - changes take effect immediately
echo    2. Yes - changes take effect at next reboot (coward! do it now!)
echo.
echo    3. No, go back to profile selection
echo.
echo.
:XP_32_menu_confirmChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' set WHEN_TO_APPLY=Now && goto %basePROFILE%
if '%choice%'=='2' set WHEN_TO_APPLY=reboot && goto %basePROFILE%
if '%choice%'=='3' set namePROFILE=-- && goto XP_32_menu_profile
echo.
echo "%choice%" is not valid, please try again
echo.
goto XP_32_menu_confirmChoice

:XP_32_default
:: Operating system defaults. Default also forms the base for the Minor profile.
cls
title Resetting to defaults...
echo.
echo Now resetting all services to the %WINDOZE% defaults, please wait...
echo.
sc config Alerter start= disabled
sc config ALG start= demand
sc config AppMgmt start= demand
sc config AudioSrv start= auto
sc config BITS start= demand
sc config Browser start= auto
sc config cisvc start= demand
sc config ClipSrv start= disabled
sc config COMSysApp start= demand
sc config CryptSvc start= auto
sc config DcomLaunch start= auto
sc config Dhcp start= auto
sc config dmadmin start= demand
sc config dmserver start= auto
sc config Dnscache start= auto
sc config Dot3svc start= demand
sc config EapHost start= demand
sc config ERSvc start= auto
sc config Eventlog start= auto
sc config EventSystem start= demand
sc config FastUserSwitchingCompatibility start= demand
sc config helpsvc start= auto
sc config HidServ start= disabled
sc config hkmsvc start= demand
sc config HTTPFilter start= demand
sc config ImapiService start= demand
sc config lanmanserver start= auto
sc config lanmanworkstation start= auto
sc config LmHosts start= auto
sc config Messenger start= disabled
sc config mnmsrvc start= demand
sc config MSDTC start= demand
sc config MSIServer start= demand
sc config napagent start= demand
sc config NetDDE start= disabled
sc config NetDDEdsdm start= disabled
sc config Netlogon start= demand
sc config Netman start= demand
sc config Nla start= demand
sc config NtLmSsp start= demand
sc config NtmsSvc start= demand
sc config PlugPlay start= auto
sc config PolicyAgent start= auto
sc config ProtectedStorage start= auto
sc config RasAuto start= demand
sc config RasMan start= demand
sc config RDSessMgr start= demand
sc config RemoteAccess start= disabled
sc config RemoteRegistry start= auto
sc config RpcLocator start= demand
sc config RpcSs start= auto
sc config RSVP start= demand
sc config SamSs start= auto
sc config SCardSvr start= demand
sc config Schedule start= auto
sc config seclogon start= auto
sc config SENS start= auto
sc config SharedAccess start= auto
sc config ShellHWDetection start= auto
sc config Spooler start= auto
sc config srservice start= auto
sc config SSDPSRV start= demand
sc config stisvc start= demand
sc config SwPrv start= demand
sc config SysmonLog start= demand
sc config TapiSrv start= demand
sc config TermService start= demand
sc config Themes start= auto
sc config TlntSvr start= demand
sc config TrkWks start= auto
sc config upnphost start= demand
sc config UPS start= demand
sc config VSS start= demand
sc config W32Time start= auto
sc config WebClient start= auto
sc config winmgmt start= auto
sc config WmdmPmSN start= demand
sc config Wmi start= demand
sc config WmiApSrv start= demand
sc config wscsvc start= auto
sc config wuauserv start= auto
sc config WZCSVC start= auto
sc config xmlprov start= demand

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_32_default_Now
if %PROFILE%==XP_32_minor goto XP_32_minor
goto end

:XP_32_default_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop Alerter
net stop ALG
net stop AppMgmt
net start AudioSrv
net stop BITS
net start Browser
net stop cisvc
net stop ClipSrv
net stop COMSysApp
net start CryptSvc
net start DcomLaunch
net start Dhcp
net stop dmadmin
net start dmserver
net start Dnscache
net stop Dot3svc
net stop EapHost
net start ERSvc
net start Eventlog
net stop EventSystem
net start FastUserSwitchingCompatibility
net start helpsvc
net start HidServ
net stop hkmsvc
net stop HTTPFilter
net stop ImapiService
net start lanmanserver
net start lanmanworkstation
net start LmHosts
net stop Messenger
net start mnmsrvc
net stop MSDTC
net stop MSIServer
net stop napagent
net stop NetDDE
net stop NetDDEdsdm
net start Netlogon
net stop Netman
net stop Nla
net stop NtLmSsp
net stop NtmsSvc
net start PlugPlay
net start PolicyAgent
net start ProtectedStorage
net stop RasAuto
net stop RasMan
net stop RDSessMgr
net stop RemoteAccess
net start RemoteRegistry
net stop RpcLocator
net start RpcSs
net stop RSVP
net start SamSs
net stop SCardSvr
net start Schedule
net start seclogon
net start SENS
net start SharedAccess
net start ShellHWDetection
net start Spooler
net start srservice
net start SSDPSRV
net stop stisvc
net stop SwPrv
net stop SysmonLog
net stop TapiSrv
net stop TermService
net start Themes
net stop TlntSvr
net start TrkWks
net stop upnphost
net stop UPS
net stop VSS
net start W32Time
net start WebClient
net start winmgmt
net stop WmdmPmSN
net stop Wmi
net stop WmiApSrv
net start wscsvc
net start wuauserv
net start WZCSVC
net stop xmlprov

:: testing time!
if %PROFILE%==XP_32_minor goto XP_32_minor
goto end

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_32_minor_Now
goto end

:XP_32_minor_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop cisvc
net stop dmserver
net stop ERSvc
net stop helpsvc
net stop LmHosts
net stop mnmsrvc
net stop RDSessMgr
net stop RemoteRegistry
net stop RSVP
net stop SCardSvr
net stop seclogon
net stop TlntSvr
net stop TrkWks
net stop UPS
net stop W32Time
net stop WebClient
net stop WmdmPmSN
net stop WmiApSrv
net stop xmlprov

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. whew!
goto end

:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_32_moderate_Now
if %PROFILE%==XP_32_aggressive goto XP_32_aggressive
goto end

:XP_32_moderate_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop Alerter
net stop ALG
net stop AppMgmt
net start AudioSrv
net stop BITS
net stop Browser
net stop cisvc
net stop ClipSrv
net stop COMSysApp
net start CryptSvc
net start DcomLaunch
net start Dhcp
net stop dmadmin
net stop dmserver
net stop Dnscache
net stop Dot3svc
net stop EapHost
net stop ERSvc
net start Eventlog
net stop EventSystem
net stop FastUserSwitchingCompatibility
net stop helpsvc
net stop HidServ
net stop hkmsvc
net stop HTTPFilter
net stop ImapiService
net start lanmanserver
net start lanmanworkstation
net stop LmHosts
net stop Messenger
net stop mnmsrvc
net stop MSDTC
net stop MSIServer
net stop napagent
net stop NetDDE
net stop NetDDEdsdm
net stop Netlogon
net stop Netman
net stop Nla
net stop NtLmSsp
net stop NtmsSvc
net start PlugPlay
net stop PolicyAgent
net stop ProtectedStorage
net stop RasAuto
net stop RasMan
net stop RDSessMgr
net stop RemoteAccess
net stop RemoteRegistry
net stop RpcLocator
net start RpcSs
net stop RSVP
net start SamSs
net stop SCardSvr
net stop Schedule
net stop seclogon
net stop SENS
net start SharedAccess
net stop ShellHWDetection
net start Spooler
net stop srservice
net stop SSDPSRV
net stop stisvc
net stop SwPrv
net stop SysmonLog
net stop TapiSrv
net stop TermService
net stop Themes
net stop TlntSvr
net stop TrkWks
net stop upnphost
net stop UPS
net stop VSS
net stop W32Time
net stop WebClient
net start winmgmt
net stop WmdmPmSN
net stop Wmi
net stop WmiApSrv
net stop wscsvc
net start wuauserv
net start WZCSVC
net stop xmlprov

:: Testing time!
if %PROFILE%==XP_32_aggressive goto XP_32_aggressive
goto end

:: Testing time!
if %WHEN_TO_APPLY%==Now goto XP_32_aggressive_Now
goto end

:XP_32_aggressive_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop AppMgmt
net stop Browser
net stop COMSysApp
net stop CryptSvc
net stop dmadmin
net stop dmserver
net stop Dnscache
net stop EventSystem
net stop FastUserSwitchingCompatibility
net stop ImapiService
net stop lanmanserver
net stop Nla
net stop NtLmSsp
net stop RpcLocator
net stop SCardSvr
net stop Schedule
net stop seclogon
net stop ShellHWDetection
net stop Spooler
net stop TapiSrv
net stop TermService
net stop TrkWks
net stop wuauserv

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end

:Vista_32_menu_profile
:: This is where the user selects the lockdown profile to use. Pretty self-explanatory.
set WINDOZE=Windows Vista 32/64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo    WINDOWS SERVICES LOCKDOWN - STEP 2/3
echo.
echo    Step 1: Choose OS:      %WINDOZE%
echo    Step 2: Choose Profile: %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    Select the lockdown profile to apply to 121 services
echo    -----------------------------------------------------------------------
echo       PROFILE                    Disabled   On-demand   Running   Total
echo    -----------------------------------------------------------------------
echo    1. Windows Defaults               4         64         53      121
echo    2. Minor                         20         54         47      121
echo    3. Moderate (recommended)        52         35         34      121
echo    4. Aggressive                    72         24         25      121
echo.
echo    5. Go back to Operating System choices
echo.
echo.
:Vista_32_menu_profileChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' set PROFILE=Vista_32_default && set basePROFILE=Vista_32_default && set namePROFILE=Default && goto Vista_32_menu_confirm
if '%choice%'=='2' set PROFILE=Vista_32_minor && set basePROFILE=Vista_32_default && set namePROFILE=Minor && goto Vista_32_menu_confirm
if '%choice%'=='3' set PROFILE=Vista_32_moderate && set basePROFILE=Vista_32_moderate && set namePROFILE=Moderate && goto Vista_32_menu_confirm
if '%choice%'=='4' set PROFILE=Vista_32_aggressive && set basePROFILE=Vista_32_moderate && set namePROFILE=Aggressive && goto Vista_32_menu_confirm
if '%choice%'=='5' set WINDOZE=-- && echo. && cls && goto os_menu
:: Else, go back and re-draw the menu
echo.
echo "%choice%" is not valid, please try again
echo.
goto Vista_32_menu_profileChoice

:Vista_32_menu_confirm
:: Confirm the profile and execute
set WINDOZE=Windows Vista 32/64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo    WINDOWS SERVICES LOCKDOWN - STEP 3/3
echo.
echo    Step 1: Choose OS:      %WINDOZE%
echo    Step 2: Choose Profile: %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    ABOUT TO APPLY THE %WINDOZE% "%namePROFILE%" CONFIGURATION!
echo.
echo.
echo    CONFIRM?
echo.
echo    1. Yes - changes take effect immediately
echo    2. Yes - changes take effect at next reboot
echo.
echo    3. No, go back to profile selection
echo.
echo.
:Vista_32_menu_confirmChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' set WHEN_TO_APPLY=Now && goto %basePROFILE%
if '%choice%'=='2' set WHEN_TO_APPLY=reboot && goto %basePROFILE%
if '%choice%'=='3' set namePROFILE=-- && goto Vista_32_menu_profile
echo.
echo "%choice%" is not valid, please try again
echo.
goto Vista_32_menu_confirmChoice

:Vista_32_default
:: Operating system defaults. Default also forms the base for the Minor profile.
cls
title Resetting to defaults...
echo.
echo Now resetting all services to the %WINDOZE% defaults, please wait...
echo.
sc config AeLookupSvc start= auto
sc config Appinfo start= demand
sc config ALG start= demand
sc config AppMgmt start= demand
sc config BITS start= auto
sc config BITS start= delayed-auto
sc config BFE start= auto
sc config wbengine start= demand
sc config CertPropSvc start= demand
sc config KeyIso start= demand
sc config EventSystem start= auto
sc config COMSysApp start= demand
sc config Browser start= auto
sc config CryptSvc start= auto
sc config UxSms start= auto
sc config DFSR start= demand
sc config Dhcp start= auto
sc config MSDTC start= demand
sc config Dnscache start= auto
sc config EapHost start= demand
sc config Fax start= demand
sc config fdPHost start= demand
sc config FDResPub start= auto
sc config hkmsvc start= demand
sc config hidserv start= demand
sc config IKEEXT start= auto
sc config UI0Detect start= demand
sc config SharedAccess start= disabled
sc config iphlpsvc start= auto
sc config PolicyAgent start= auto
sc config KtmRm start= auto
sc config KtmRm start= delayed-auto
sc config lltdsvc start= demand
sc config clr_optimization_v2.0.50727_32 start= demand
sc config MSiSCSI start= demand
sc config swprv start= demand
sc config MMCSS start= auto
sc config NetTcpPortSharing start= disabled
sc config Netlogon start= demand
sc config napagent start= demand
sc config Netman start= demand
sc config netprofm start= auto
sc config NlaSvc start= auto
sc config nsi start= auto
sc config CscService start= auto
sc config WPCSvc start= demand
sc config PNRPsvc start= demand
sc config p2psvc start= demand
sc config p2pimsvc start= demand
sc config pla start= demand
sc config PlugPlay start= auto
sc config IPBusEnum start= demand
sc config PNRPAutoReg start= demand
sc config WPDBusEnum start= auto
sc config Spooler start= auto
sc config wercplsupport start= demand
sc config PcaSvc start= auto
sc config ProtectedStorage start= demand
sc config QWAVE start= demand
sc config EMDMgmt start= auto
sc config RasAuto start= demand
sc config RasMan start= demand
sc config RpcLocator start= demand
sc config RemoteRegistry start= demand
sc config RemoteAccess start= disabled
sc config seclogon start= auto
sc config SstpSvc start= demand
sc config wscsvc start= auto
sc config wscsvc start= delayed-auto
sc config LanmanServer start= auto
sc config ShellHWDetection start= auto
sc config SLUINotify start= demand
sc config SCardSvr start= demand
sc config SCPolicySvc start= demand
sc config SNMPTRAP start= demand
sc config slsvc start= auto
sc config SSDPSRV start= demand
sc config SysMain start= auto
sc config SENS start= auto
sc config TabletInputService start= auto
sc config Schedule start= auto
sc config lmhosts start= auto
sc config TapiSrv start= demand
sc config TermService start= auto
sc config SessionEnv start= demand
sc config UmRdpService start= demand
sc config Themes start= auto
sc config THREADORDER start= demand
sc config TBS start= auto
sc config TBS start= delayed-auto
sc config upnphost start= auto
sc config ProfSvc start= auto
sc config vds start= demand
sc config VSS start= demand
sc config WebClient start= auto
sc config AudioSrv start= auto
sc config AudioEndpointBuilder start= auto
sc config SDRSVC start= demand
sc config idsvc start= demand
sc config WcsPlugInService start= demand
sc config wcncsvc start= demand
sc config WinDefend start= auto
sc config wudfsvc start= demand
sc config WerSvc start= auto
sc config Wecsvc start= demand
sc config Eventlog start= auto
sc config MpsSvc start= auto
sc config stisvc start= demand
sc config msiserver start= demand
sc config Winmgmt start= auto
sc config Mcx2Svc start= disabled
sc config ehRecvr start= demand
sc config ehSched start= demand
sc config ehstart start= auto
sc config ehstart start= delayed-auto
sc config WMPNetworkSvc start= demand
sc config FontCache3.0.0.0 start= demand
sc config WinRM start= demand
sc config WSearch start= auto
sc config W32Time start= auto
sc config wuauserv start= auto
sc config wuauserv start= delayed-auto
sc config WinHttpAutoProxySvc start= demand
sc config dot3svc start= demand
sc config Wlansvc start= auto
sc config wmiApSrv start= demand
sc config LanmanWorkstation start= auto

:: testing time!
if %WHEN_TO_APPLY%==Now goto Vista_32_default_Now
if %PROFILE%==Vista_32_minor goto Vista_32_minor
goto end

:Vista_32_default_Now
:: This section runs after the Default profile, if selected. It applies changes immediately.
net start AeLookupSvc
net stop Appinfo
net stop ALG
net stop AppMgmt
net start BITS
net start BFE
net stop wbengine
net stop CertPropSvc
net stop KeyIso
net start EventSystem
net stop COMSysApp
net start Browser
net start CryptSvc
net start UxSms
net stop DFSR
net start Dhcp
net stop MSDTC
net start Dnscache
net stop EapHost
net stop Fax
net stop fdPHost
net start FDResPub
net stop hkmsvc
net stop hidserv
net start IKEEXT
net stop UI0Detect
net stop SharedAccess
net start iphlpsvc
net start PolicyAgent
net start KtmRm
net stop lltdsvc
net stop clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop swprv
net start MMCSS
net stop NetTcpPortSharing
net start Netlogon
net stop napagent
net stop Netman
net start netprofm
net start NlaSvc
net start nsi
net start CscService
net stop WPCSvc
net stop PNRPsvc
net stop p2psvc
net stop p2pimsvc
net stop pla
net start PlugPlay
net stop IPBusEnum
net stop PNRPAutoReg
net start WPDBusEnum
net start Spooler
net stop wercplsupport
net start PcaSvc
net stop ProtectedStorage
net stop QWAVE
net start EMDMgmt
net stop RasAuto
net stop RasMan
net stop RpcLocator
net stop RemoteRegistry
net stop RemoteAccess
net start seclogon
net stop SstpSvc
net start wscsvc
net start LanmanServer
net start ShellHWDetection
net stop SLUINotify
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net start slsvc
net stop SSDPSRV
net start SysMain
net start SENS
net start TabletInputService
net start Schedule
net start lmhosts
net stop TapiSrv
net start TermService
net stop SessionEnv
net stop UmRdpService
net start Themes
net stop THREADORDER
net start TBS
net start upnphost
net start ProfSvc
net stop vds
net stop VSS
net start WebClient
net start AudioSrv
net start AudioEndpointBuilder
net stop SDRSVC
net stop idsvc
net stop WcsPlugInService
net stop wcncsvc
net start WinDefend
net stop wudfsvc
net start WerSvc
net stop Wecsvc
net start Eventlog
net start MpsSvc
net stop stisvc
net stop msiserver
net start Winmgmt
net stop Mcx2Svc
net stop ehRecvr
net stop ehSched
net start ehstart
net stop WMPNetworkSvc
net stop FontCache3.0.0.0
net stop WinRM
net start WSearch
net start W32Time
net start wuauserv
net stop WinHttpAutoProxySvc
net stop dot3svc
net start Wlansvc
net stop wmiApSrv
net start LanmanWorkstation

:: testing time!
if %PROFILE%==Vista_32_minor goto Vista_32_minor
goto end

:: testing time!
if %WHEN_TO_APPLY%==Now goto Vista_32_minor_Now
goto end

:Vista_32_minor_Now
:: If it was selected, this section runs after the profile above. It applies changes immediately.
net stop CertPropSvc
net stop Fax
net stop iphlpsvc
net stop MSiSCSI
net stop Netlogon
net stop CscService
net stop RemoteRegistry
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net stop TabletInputService
net stop UmRdpService
net stop TBS
net stop WebClient
net stop WinRM
net stop WSearch
net stop WinHttpAutoProxySvc

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. whew!
goto end

:Vista_32_moderate_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop AeLookupSvc
net stop Appinfo
net stop ALG
net stop AppMgmt
net start BITS
net start BFE
net stop wbengine
net stop CertPropSvc
net stop KeyIso
net start EventSystem
net stop COMSysApp
net stop Browser
net start CryptSvc
net stop UxSms
net stop DFSR
net start Dhcp
net stop MSDTC
net start Dnscache
net stop EapHost
net stop Fax
net stop fdPHost
net stop FDResPub
net stop hkmsvc
net stop hidserv
net stop IKEEXT
net stop UI0Detect
net stop SharedAccess
net stop iphlpsvc
net start PolicyAgent
net start KtmRm
net stop lltdsvc
net stop clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop swprv
net start MMCSS
net stop NetTcpPortSharing
net stop Netlogon
net stop napagent
net stop Netman
net start netprofm
net start NlaSvc
net start nsi
net stop CscService
net stop WPCSvc
net stop PNRPsvc
net stop p2psvc
net stop p2pimsvc
net stop pla
net start PlugPlay
net stop IPBusEnum
net stop PNRPAutoReg
net stop WPDBusEnum
net start Spooler
net stop wercplsupport
net start PcaSvc
net stop ProtectedStorage
net stop QWAVE
net start EMDMgmt
net stop RasAuto
net stop RasMan
net stop RpcLocator
net stop RemoteRegistry
net stop RemoteAccess
net stop seclogon
net stop SstpSvc
net start wscsvc
net start LanmanServer
net start ShellHWDetection
net stop SLUINotify
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net start slsvc
net stop SSDPSRV
net start SysMain
net start SENS
net stop TabletInputService
net start Schedule
net stop lmhosts
net stop TapiSrv
net stop TermService
net stop SessionEnv
net stop UmRdpService
net stop Themes
net stop THREADORDER
net stop TBS
net stop upnphost
net start ProfSvc
net stop vds
net stop VSS
net stop WebClient
net start AudioSrv
net start AudioEndpointBuilder
net stop SDRSVC
net stop idsvc
net stop WcsPlugInService
net stop wcncsvc
net start WinDefend
net stop wudfsvc
net stop WerSvc
net stop Wecsvc
net start Eventlog
net start MpsSvc
net stop stisvc
net stop msiserver
net start Winmgmt
net stop Mcx2Svc
net stop ehRecvr
net stop ehSched
net stop ehstart
net stop WMPNetworkSvc
net stop FontCache3.0.0.0
net stop WinRM
net stop WSearch
net start W32Time
net start wuauserv
net stop WinHttpAutoProxySvc
net stop dot3svc
net start Wlansvc
net stop wmiApSrv
net start LanmanWorkstation

:: testing time!
if %PROFILE%==Vista_32_aggressive goto Vista_32_aggressive
goto end

:: testing time!
if %WHEN_TO_APPLY%==Now goto Vista_32_aggressive_Now
goto end

:Vista_32_aggressive_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop ALG
net stop AppMgmt
net stop BFE
net stop wbengine
net stop KeyIso
net stop IKEEXT
net stop UI0Detect
net stop PolicyAgent
net stop KtmRm
net stop clr_optimization_v2.0.50727_32
net stop swprv
net stop pla
net stop PcaSvc
net stop EMDMgmt
net stop wscsvc
net stop ShellHWDetection
net stop TermService
net stop upnphost
net stop WcsPlugInService
net stop WinDefend
net stop FontCache3.0.0.0
net stop W32Time

:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end

:7_32_menu_profile
:: This is where the user selects the lockdown profile to use. Pretty self-explanatory.
set WINDOZE=Windows 7 32/64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo    WINDOWS SERVICES LOCKDOWN - STEP 2/3
echo.
echo    Step 1: Choose OS:      %WINDOZE%
echo    Step 2: Choose Profile: %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    Select the lockdown profile to apply to 136 services
echo    -----------------------------------------------------------------------
echo       PROFILE                    Disabled   On-demand   Running   Total
echo    -----------------------------------------------------------------------
echo    1. Windows Defaults               2         85         36      123
echo    2. Minor                         18         72         34      124
echo    3. Moderate (recommended)        61         42         33      136
echo    4. Aggressive                    82         32         24      138
echo.
echo    5. Go back to Operating System choices
echo.
echo.
:7_32_menu_profileChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' set PROFILE=7_32_default && set basePROFILE=7_32_default && set namePROFILE=Default&& goto 7_32_menu_confirm
if '%choice%'=='2' set PROFILE=7_32_minor && set basePROFILE=7_32_default && set namePROFILE=Minor&& goto 7_32_menu_confirm
if '%choice%'=='3' set PROFILE=7_32_moderate && set basePROFILE=7_32_moderate && set namePROFILE=Moderate&& goto 7_32_menu_confirm
if '%choice%'=='4' set PROFILE=7_32_aggressive && set basePROFILE=7_32_moderate && set namePROFILE=Aggressive&& goto 7_32_menu_confirm
if '%choice%'=='5' set WINDOZE=-- && echo. && cls && goto os_menu
:: Else, go back and re-draw the menu
echo.
echo "%choice%" is not valid, please try again
echo.
goto 7_32_menu_profileChoice

:7_32_menu_confirm
:: Confirm the profile and execute
set WINDOZE=Windows 7 32/64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo    WINDOWS SERVICES LOCKDOWN - STEP 3/3
echo.
echo    Step 1: Choose OS:      %WINDOZE%
echo    Step 2: Choose Profile: %namePROFILE%
echo    Step 3: Confirm
echo.
echo.
echo    ABOUT TO APPLY THE %WINDOZE% "%namePROFILE%" CONFIGURATION!
echo.
echo.
echo    CONFIRM?
echo.
echo    1. Yes - changes take effect immediately
echo    2. Yes - changes take effect at next reboot
echo.
echo    3. No, go back to profile selection
echo.
echo.
:7_32_menu_confirmChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' set WHEN_TO_APPLY=Now && goto %basePROFILE%
if '%choice%'=='2' set WHEN_TO_APPLY=reboot && goto %basePROFILE%
if '%choice%'=='3' set namePROFILE=-- && goto 7_32_menu_profile
echo.
echo "%choice%" is not valid, please try again
echo.
goto 7_32_menu_confirmChoice

:: testing time!
if %WHEN_TO_APPLY%==Now goto 7_32_default_Now
if %PROFILE%==7_32_minor goto 7_32_minor
goto end

:7_32_default_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop AxInstSV
net stop SensrSvc
net stop AeLookupSvc
net stop AppIDSvc
net stop Appinfo
net stop ALG
net stop AppMgmt
net stop BITS
net start BFE
net start BDESVC
net stop wbengine
net stop bthserv
net stop PeerDistSvc
net stop CertPropSvc
net stop KeyIso
net start EventSystem
net stop COMSysApp
net stop Browser
net stop VaultSvc
net start CryptSvc
net start UxSms
net start Dhcp
net stop defragsvc
net stop MSDTC
net start Dnscache
net stop EFS
net stop EapHost
net stop fdPHost
net start FDResPub
net stop hkmsvc
net stop HomeGroupListener
net stop HomeGroupProvider
net stop hidserv
net stop IKEEXT
net stop UI0Detect
net stop SharedAccess
net start iphlpsvc
net stop PolicyAgent
net stop KtmRm
net stop lltdsvc
net start clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop swprv
net start MMCSS
net start Netlogon
net stop napagent
net stop Netman
net stop netprofm
net start NlaSvc
net start nsi
net start CscService
net stop WPCSvc
net stop PNRPsvc
net stop p2psvc
net stop p2pimsvc
net stop pla
net start PlugPlay
net stop IPBusEnum
net stop PNRPAutoReg
net stop WPDBusEnum
net start Power
net start Spooler
net stop wercplsupport
net stop PcaSvc
net stop ProtectedStorage
net stop QWAVE
net stop RasAuto
net stop RasMan
net stop TermService
net stop UmRdpService
net stop RpcLocator
net stop RemoteRegistry
net stop RemoteAccess
net start RpcEptMapper
net stop seclogon
net stop SstpSvc
net start wscsvc
net start LanmanServer
net start ShellHWDetection
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net start sppsvc
net stop sppuinotify
net stop SSDPSRV
net start SysMain
net start SENS
net stop TabletInputService
net start Schedule
net start lmhosts
net stop TapiSrv
net start Themes
net stop THREADORDER
net stop TBS
net stop upnphost
net start ProfSvc
net stop vds
net stop VSS
net stop WebClient
net start AudioSrv
net start AudioEndpointBuilder
net stop SDRSVC
net stop WbioSrvc
net stop WcsPlugInService
net stop wcncsvc
net start WinDefend
net stop wudfsvc
net stop WerSvc
net stop Wecsvc
net start Eventlog
net start MpsSvc
net stop FontCache
net stop StiSvc
net stop msiserver
net start Winmgmt
net stop WinRM
net stop W32Time
net start wuauserv
net stop WinHttpAutoProxySvc
net stop dot3svc
net start Wlansvc
net stop wmiApSrv
net start LanmanWorkstation
net stop WwanSvc
:: testing time!
if %PROFILE%==7_32_minor goto 7_32_minor
goto end
:: testing time!
if %WHEN_TO_APPLY%==Now goto 7_32_minor_Now
goto end
:7_32_minor_Now
:: If it was selected, this section runs after the profile above. It applies changes immediately.
net stop AppMgmt
net stop bthserv
net stop PeerDistSvc
net stop CertPropSvc
net stop iphlpsvc
net stop clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop Netlogon
net stop napagent
net stop CscService
net stop WPCSvc
net stop RpcLocator
net stop RemoteRegistry
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net stop wcncsvc
:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end
:: These services were missing from the config tool and manually added by me
sc config DPS start= disabled
sc config WdiServiceHost start= disabled
sc config WdiSystemHost start= disabled
sc config TrkWks start= disabled
sc config SessionEnv start= disabled
sc config StorSvc start= disabled
:: This is a major annoyance to me but potentially wanted by people. Shell Hardware Detection
:: does auto-insert notification and detection of the type of DVD/CD drive that is installed.
:: This does not affect actual functionality, only Windows' ability to detect its features. Meh.
sc config ShellHWDetection start= disabled
:: These are services added by Windows Live Essentials
REM Windows Card Service & Windows Search
sc config idsvc start= disabled
sc config WSearch start= disabled
:: These are services added by Windows Media Center
sc config ehRecvr start= disabled
sc config ehSched start= disabled
sc config WMPNetworkSvc start= disabled
:: Test if we are also applying the Aggressive profile
:: testing time!
if %WHEN_TO_APPLY%==Now goto 7_32_moderate_Now
if %PROFILE%==7_32_aggressive goto 7_32_aggressive
goto end
:7_32_moderate_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop AxInstSV
net stop SensrSvc
net stop AeLookupSvc
net stop AppIDSvc
net stop Appinfo
net stop ALG
net stop AppMgmt
net stop BITS
net start BFE
net start BDESVC
net stop wbengine
net stop bthserv
net stop PeerDistSvc
net stop CertPropSvc
net stop KeyIso
net start EventSystem
net stop COMSysApp
net stop Browser
net stop VaultSvc
net start CryptSvc
net start UxSms
net start Dhcp
net stop defragsvc
net stop MSDTC
net start Dnscache
net stop EFS
net stop EapHost
net stop fdPHost
net stop FDResPub
net stop hkmsvc
net stop HomeGroupListener
net stop HomeGroupProvider
net stop hidserv
net stop IKEEXT
net stop UI0Detect
net stop SharedAccess
net stop iphlpsvc
net stop PolicyAgent
net stop KtmRm
net stop lltdsvc
net start clr_optimization_v2.0.50727_32
net stop MSiSCSI
net stop swprv
net start MMCSS
net stop Netlogon
net stop napagent
net stop Netman
net stop netprofm
net start NlaSvc
net start nsi
net stop CscService
net stop WPCSvc
net stop PNRPsvc
net stop p2psvc
net stop p2pimsvc
net stop pla
net start PlugPlay
net stop IPBusEnum
net stop PNRPAutoReg
net stop WPDBusEnum
net start Power
net start Spooler
net stop wercplsupport
net stop PcaSvc
net stop ProtectedStorage
net stop QWAVE
net stop RasAuto
net stop RasMan
net stop TermService
net stop UmRdpService
net stop RpcLocator
net stop RemoteRegistry
net stop RemoteAccess
net start RpcEptMapper
net stop seclogon
net stop SstpSvc
net start wscsvc
net start LanmanServer
net start ShellHWDetection
net stop SCardSvr
net stop SCPolicySvc
net stop SNMPTRAP
net start sppsvc
net stop sppuinotify
net stop SSDPSRV
net start SysMain
net start SENS
net stop TabletInputService
net start Schedule
net start lmhosts
net stop TapiSrv
net start Themes
net stop THREADORDER
net stop TBS
net stop upnphost
net start ProfSvc
net stop vds
net stop VSS
net stop WebClient
net start AudioSrv
net start AudioEndpointBuilder
net stop SDRSVC
net stop WbioSrvc
net stop WcsPlugInService
net stop wcncsvc
net start WinDefend
net stop wudfsvc
net stop WerSvc
net stop Wecsvc
net start Eventlog
net start MpsSvc
net stop FontCache
net stop StiSvc
net stop msiserver
net start Winmgmt
net stop WinRM
net stop W32Time
net start wuauserv
net stop WinHttpAutoProxySvc
net stop dot3svc
net start Wlansvc
net stop wmiApSrv
net start LanmanWorkstation
net stop WwanSvc
net stop DPS
net stop WdiServiceHost
net stop WdiSystemHost
net stop TrkWks
net stop SessionEnv
net stop StorSvc
net stop ShellHWDetection
net stop idsvc
net stop WSearch
net stop ehRecvr
net stop ehSched
net stop WMPNetworkSvc
:: testing time!
if %PROFILE%==7_32_aggressive goto 7_32_aggressive
goto end
:: These services were missing from the config tool and manually added by me
sc config NetTcpPortSharing start= disabled
sc config RpcLocator start= disabled
:: This is another service from our lovely Media Center edition. Goodbye.
REM Windows Presentation Foundation Font
sc config FontCache3.0.0.0 start= disabled
:: testing time!
if %WHEN_TO_APPLY%==Now goto 7_32_aggressive_Now
goto end
:7_32_aggressive_Now
:: Applies the Aggressive add-on changes immediately.
:: Note: this block stops BFE (which Windows Firewall, MpsSvc, depends on), WinDefend, wscsvc and wuauserv.
net stop BITS
net stop BFE
net stop BDESVC
net stop wbengine
net stop KeyIso
net stop UxSms
net stop Dnscache
net stop EapHost
net stop HomeGroupListener
net stop HomeGroupProvider
net stop PolicyAgent
net stop SstpSvc
net stop wscsvc
net stop lmhosts
net stop TapiSrv
net stop Themes
net stop WinDefend
net stop W32Time
net stop wuauserv
net stop dot3svc
net stop NetTcpPortSharing
net stop RpcLocator
net stop FontCache3.0.0.0
:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end
:XP_64_menu_profile
:: This is where the user selects the lockdown profile to use. Pretty self-explanatory.
set WINDOZE=Windows XP 64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo WINDOWS SERVICES LOCKDOWN - STEP 2/3
echo.
echo Step 1: Choose OS: %WINDOZE%
echo Step 2: Choose Profile: %namePROFILE%
echo Step 3: Confirm
echo.
echo.
echo Select the lockdown profile to apply to 87 services
echo -----------------------------------------------------------------------
echo    PROFILE                    Disabled   On-demand   Running   Total
echo -----------------------------------------------------------------------
echo 1. Windows Defaults               6         36         39       81
echo 2. Minor                         26         29         26       81
echo 3. Moderate (recommended)        52         19         16       87
echo 4. Aggressive                    72          5         10       87
echo.
echo 5. Go back to Operating System choices
echo.
echo.
:XP_64_menu_profileChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' set PROFILE=XP_64_default && set basePROFILE=XP_64_default && set namePROFILE=Default&& goto XP_64_menu_confirm
if '%choice%'=='2' set PROFILE=XP_64_minor && set basePROFILE=XP_64_default && set namePROFILE=Minor&& goto XP_64_menu_confirm
if '%choice%'=='3' set PROFILE=XP_64_moderate && set basePROFILE=XP_64_moderate && set namePROFILE=Moderate&& goto XP_64_menu_confirm
if '%choice%'=='4' set PROFILE=XP_64_aggressive && set basePROFILE=XP_64_moderate && set namePROFILE=Aggressive&& goto XP_64_menu_confirm
if '%choice%'=='5' set WINDOZE=-- && echo. && cls && goto os_menu
:: Else, go back and re-draw the menu
echo.
echo "%choice%" is not valid, please try again
echo.
goto XP_64_menu_profileChoice
:XP_64_menu_confirm
:: Confirm the profile and execute
set WINDOZE=Windows XP 64-bit
title Services Lockdown - %WINDOZE%
cls
echo.
echo WINDOWS SERVICES LOCKDOWN - STEP 3/3
echo.
echo Step 1: Choose OS: %WINDOZE%
echo Step 2: Choose Profile: %namePROFILE%
echo Step 3: Confirm
echo.
echo.
echo ABOUT TO APPLY THE %WINDOZE% "%namePROFILE%" CONFIGURATION!
echo.
echo.
echo CONFIRM?
echo.
echo 1. Yes - changes take effect immediately
echo 2. Yes - changes take effect at next reboot
echo.
echo 3. No, go back to profile selection
echo.
echo.
:XP_64_menu_confirmChoice
set /p choice=Choice:
if not '%choice%'=='' set choice=%Choice:~0,1%
if '%choice%'=='1' set WHEN_TO_APPLY=Now && goto %basePROFILE%
if '%choice%'=='2' set WHEN_TO_APPLY=reboot && goto %basePROFILE%
if '%choice%'=='3' set namePROFILE=-- && goto XP_64_menu_profile
echo.
echo "%choice%" is not valid, please try again
echo.
goto XP_64_menu_confirmChoice
:XP_64_default
:: Operating system defaults. Default also forms the base for the Minor profile.
cls
title Resetting to defaults...
echo.
echo Now resetting all services to the %WINDOZE% defaults, please wait...
echo.
sc config Alerter start= disabled
sc config AeLookupSvc start= auto
sc config ALG start= demand
sc config AppMgmt start= demand
sc config AudioSrv start= auto
sc config BITS start= demand
sc config Browser start= auto
sc config cisvc start= disabled
sc config ClipSrv start= demand
sc config COMSysApp start= demand
sc config CryptSvc start= auto
sc config DcomLaunch start= auto
sc config Dhcp start= auto
sc config dmadmin start= demand
sc config dmserver start= auto
sc config Dnscache start= auto
sc config ERSvc start= auto
sc config Eventlog start= auto
sc config EventSystem start= auto
sc config helpsvc start= auto
sc config HidServ start= disabled
sc config HTTPFilter start= demand
sc config IASJet start= demand
sc config ImapiService start= demand
sc config lanmanserver start= auto
sc config lanmanworkstation start= auto
sc config LmHosts start= auto
sc config Messenger start= disabled
sc config mnmsrvc start= demand
sc config MSDTC start= demand
sc config MSIServer start= demand
sc config NetDDE start= demand
sc config NetDDEdsdm start= demand
sc config Netlogon start= demand
sc config Netman start= demand
sc config Nla start= demand
sc config NtLmSsp start= demand
sc config NtmsSvc start= demand
sc config PlugPlay start= auto
sc config PolicyAgent start= auto
sc config ProtectedStorage start= auto
sc config RasAuto start= demand
sc config RasMan start= demand
sc config RDSessMgr start= demand
sc config RemoteAccess start= disabled
sc config RemoteRegistry start= auto
sc config RpcLocator start= demand
sc config RpcSs start= auto
sc config SamSs start= auto
sc config SCardSvr start= demand
sc config Schedule start= auto
sc config seclogon start= auto
sc config SENS start= auto
sc config SharedAccess start= auto
sc config ShellHWDetection start= auto
sc config Spooler start= auto
sc config srservice start= auto
sc config SSDPSRV start= demand
sc config stisvc start= auto
sc config SysmonLog start= auto
sc config TapiSrv start= demand
sc config TermService start= demand
sc config Themes start= auto
sc config TlntSvr start= disabled
sc config TrkWks start= auto
sc config UMWdf start= demand
sc config upnphost start= auto
sc config UPS start= demand
sc config vds start= demand
sc config VSS start= demand
sc config W32Time start= auto
sc config WebClient start= auto
sc config WinHttpAutoProxySvc start= demand
sc config winmgmt start= auto
sc config WmdmPmSN start= demand
sc config Wmi start= demand
sc config WmiApSrv start= demand
sc config wscsvc start= auto
sc config wuauserv start= auto
sc config WZCSVC start= auto
sc config xmlprov start= demand
:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_64_default_Now
if %PROFILE%==XP_64_minor goto XP_64_minor
goto end
:XP_64_default_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop Alerter
net start AeLookupSvc
net stop ALG
net stop AppMgmt
net start AudioSrv
net stop BITS
net start Browser
net stop cisvc
net stop ClipSrv
net stop COMSysApp
net start CryptSvc
net start DcomLaunch
net start Dhcp
net stop dmadmin
net start dmserver
net start Dnscache
net start ERSvc
net start Eventlog
net start EventSystem
net start helpsvc
net stop HidServ
net stop HTTPFilter
net stop IASJet
net stop ImapiService
net start lanmanserver
net start lanmanworkstation
net start LmHosts
net stop Messenger
net stop mnmsrvc
net stop MSDTC
net stop MSIServer
net stop NetDDE
net stop NetDDEdsdm
net start Netlogon
net stop Netman
net stop Nla
net stop NtLmSsp
net stop NtmsSvc
net start PlugPlay
net start PolicyAgent
net start ProtectedStorage
net stop RasAuto
net stop RasMan
net stop RDSessMgr
net stop RemoteAccess
net start RemoteRegistry
net stop RpcLocator
net start RpcSs
net start SamSs
net stop SCardSvr
net start Schedule
net start seclogon
net start SENS
net start SharedAccess
net start ShellHWDetection
net start Spooler
net start srservice
net stop SSDPSRV
net start stisvc
net start SysmonLog
net stop TapiSrv
net stop TermService
net start Themes
net stop TlntSvr
net start TrkWks
net stop UMWdf
net start upnphost
net stop UPS
net stop vds
net stop VSS
net start W32Time
net start WebClient
net stop WinHttpAutoProxySvc
net start winmgmt
net stop WmdmPmSN
net stop Wmi
net stop WmiApSrv
net start wscsvc
net start wuauserv
net start WZCSVC
net stop xmlprov
:: testing time!
if %PROFILE%==XP_64_minor goto XP_64_minor
goto end
:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_64_minor_Now
goto end
:XP_64_minor_Now
:: If it was selected, this section runs after the profile above. It applies changes immediately.
net stop ClipSrv
net stop dmserver
net stop ERSvc
net stop EventSystem
net stop helpsvc
net stop IASJet
net stop LmHosts
net stop mnmsrvc
net stop NetDDE
net stop NetDDEdsdm
net stop Netlogon
net stop RDSessMgr
net stop RemoteRegistry
net stop SCardSvr
net stop seclogon
net stop SSDPSRV
net stop stisvc
net stop SysmonLog
net stop TrkWks
net stop upnphost
net stop UPS
net stop vds
net stop W32Time
net stop WebClient
net stop WinHttpAutoProxySvc
net stop WmdmPmSN
net stop WmiApSrv
net stop xmlprov
:: testing time! If we executed this block then there's nothing left to do, so we go to the end. whew!
goto end
:: World Wide Web Publishing...whatever...nuke it.
sc config w3svc start= disabled
:: testing time!
if %WHEN_TO_APPLY%==Now goto XP_64_moderate_Now
if %PROFILE%==XP_64_aggressive goto XP_64_aggressive
goto end
:XP_64_moderate_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop Alerter
net stop AeLookupSvc
net stop ALG
net stop AppMgmt
net start AudioSrv
net stop BITS
net start Browser
net stop cisvc
net stop ClipSrv
net stop COMSysApp
net start CryptSvc
net start DcomLaunch
net start Dhcp
net stop dmadmin
net stop dmserver
net stop Dnscache
net stop ERSvc
net start Eventlog
net stop EventSystem
net stop helpsvc
net stop HidServ
net stop HTTPFilter
net stop IASJet
net stop ImapiService
net start lanmanserver
net start lanmanworkstation
net stop LmHosts
net stop Messenger
net stop mnmsrvc
net stop MSDTC
net stop MSIServer
net stop NetDDE
net stop NetDDEdsdm
net stop Netlogon
net stop Netman
net stop Nla
net stop NtLmSsp
net stop NtmsSvc
net start PlugPlay
net stop PolicyAgent
net stop ProtectedStorage
net stop RasAuto
net stop RasMan
net stop RDSessMgr
net stop RemoteAccess
net stop RemoteRegistry
net stop RpcLocator
net start RpcSs
net start SamSs
net stop SCardSvr
net stop Schedule
net stop seclogon
net stop SENS
net start SharedAccess
net stop ShellHWDetection
net start Spooler
net stop srservice
net stop SSDPSRV
net stop stisvc
net stop SysmonLog
net stop TapiSrv
net stop TermService
net stop Themes
net stop TlntSvr
net stop TrkWks
net stop UMWdf
net stop upnphost
net stop UPS
net stop vds
net stop VSS
net stop W32Time
net stop WebClient
net stop WinHttpAutoProxySvc
net start winmgmt
net stop WmdmPmSN
net stop Wmi
net stop WmiApSrv
net stop wscsvc
net start wuauserv
net start WZCSVC
net stop xmlprov
net stop 6to4
net stop PNRPSvc
net stop p2psvc
net stop p2pgasvc
net stop p2pimsvc
net stop w3svc
:: Testing time!
if %PROFILE%==XP_64_aggressive goto XP_64_aggressive
goto end
:: Testing time!
if %WHEN_TO_APPLY%==Now goto XP_64_aggressive_Now
goto end
:XP_64_aggressive_Now
:: This section runs after the profile above, if selected. It applies changes immediately.
net stop BITS
net stop Browser
net stop CryptSvc
net stop dmadmin
net stop dmserver
net stop Dnscache
net stop ImapiService
net stop lanmanserver
net stop Nla
net stop NtLmSsp
net stop RpcLocator
net stop Spooler
net stop TermService
net stop Wmi
net stop wuauserv
net stop WZCSVC
net stop PNRPSvc
net stop p2psvc
net stop p2pgasvc
net stop p2pimsvc
:: testing time! If we executed this block then there's nothing left to do, so we go to the end. Yahtzee!
goto end
:end
title Lockdown Complete
echo.
echo.
echo LOCKDOWN COMPLETE
echo.
echo.
echo The following configuration was applied:
echo.
echo.
echo Operating System: %WINDOZE%
echo Profile: %PROFILE%
echo Changes Effective: %WHEN_TO_APPLY%
echo.
:: Expand the variable (the bare name WHEN_TO_APPLY would be compared as a literal string and never match)
if %WHEN_TO_APPLY%==reboot echo. && echo Changes will take effect at next reboot.
echo.
echo.
echo Press any key to quit...
echo.
pause