Service Control Manager (SCM) is a special system process under the Windows NT family of operating systems, which starts, stops and interacts with Windows service processes.[1] It is located in the %SystemRoot%\System32\services.exe executable. Service processes interact with SCM through a well-defined API, and the same API is used internally by the interactive Windows service management tools such as the MMC snap-in Services.msc and the command-line Service Control utility sc.exe.
The SCM executable, Services.exe, runs as a Windows console program and is launched by the Wininit process early during the system startup.[2] Its main function, SvcCtrlMain(), launches all the services configured for automatic startup. First an internal database of installed services is initialized by reading the following two registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List, containing the names and order of service groups. Each service's registry key contains an optional Group value which governs the order of initialization of a respective service or a device driver, with respect to other service groups.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, which contains the actual database of services and device drivers and is read into SCM's internal database.[3] SCM reads every service's Group value as well as load-order dependencies from their DependOnGroup and DependOnService registry keys.[4]
In the next step, SCM's main function SvcCtrlMain() calls the ScGetBootAndSystemDriverState() function, which checks whether the device drivers that should be started during the boot or system startup were successfully loaded; those that have failed to do so are stored in a list called ScFailedDrivers. Then a named pipe \Pipe\Ntsvcs is created as a remote procedure call interface between the SCM and the SCPs (Service Control Processes) that interact with specific services.
Next, it calls the ScAutoStartServices() function which loops through all the services marked as auto-start, paying attention to the calculated load-order dependencies. In case of a circular dependency an error is noted and the service depending on a service that belongs to a group coming later in the load order is skipped. For delayed auto-start services, grouping has no effect, and those are loaded at a later stage of system startup.[5]
For each service it wants to start, the SCM calls the ScStartService() function which checks the name of the file that runs the service's process, ensuring that the account specified for the service is the same as the account that the service process runs in. Every service that does not run in the System account is logged in by calling the LSASS function LogonUserEx(), for which the LSASS process looks up "secret" passwords stored in the HKLM\SECURITY\Policy\Secrets\ registry key, which were stored by the SCP using the LsaStorePrivateData() API when the service was originally configured.[6]
Next, the ScLogonAndStartImage() function is called for every service whose service process has not been already launched. Service processes are created in a suspended state via the CreateProcessAsUser() API. Before the service process' execution is resumed, a named pipe \Pipe\Net\NtControlPipeX (where X is a number incremented for each service iteration) is created which serves as a communication channel between the SCM and the service process. The service process connects to the pipe by calling the StartServiceCtrlDispatcher() function, after which the SCM sends the service a "start" command.[7]
Delayed auto-start services were added in Windows Vista, in order to solve the problem of a prolonged system startup, as well as to speed up the start of critical services that cannot be delayed.[8] Originally the auto-start method of service initialization was designed for essential system services upon which other applications and services depend. The SCM initializes the delayed services only after handling all the non-delayed auto-start services, by invoking the ScInitDelayStart() function. This function queues a delayed (120 seconds by default) work item associated with a corresponding worker thread. Other than being initialized after a delay, there are no other differences between delayed and non-delayed services.
Services whose Type registry value is SERVICE_KERNEL_DRIVER or SERVICE_FILE_SYSTEM_DRIVER are handled specially: these represent device drivers for which ScStartService() calls the ScLoadDeviceDriver() function which loads the appropriate driver (usually a file with an extension .sys) which must be located in the %SystemRoot%\System32\Drivers\ directory. For that purpose, the NtLoadDriver system call is invoked, and the SeLoadDriverPrivilege is added to the SCM's process.
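The registry data described above can be reviewed with a read-only script. The following is an added example, not part of the original article and not SCM's own logic: it sorts by service group order only and does not reproduce SCM's dependency calculation. The Start, DelayedAutostart, ObjectName and ImagePath value names are standard service registry values that the article does not name, and the numeric Type codes 1 and 2 are the values of SERVICE_KERNEL_DRIVER and SERVICE_FILE_SYSTEM_DRIVER.

```powershell
# Added example: read-only audit of the registry data SCM loads at startup.
$root = 'HKLM:\SYSTEM\CurrentControlSet'

# ServiceGroupOrder\List is an ordered multi-string of service group names.
$groupRank = @{}   # PowerShell hashtable lookups are case-insensitive
$i = 0
foreach ($g in (Get-ItemProperty "$root\Control\ServiceGroupOrder").List) {
    if (-not $groupRank.ContainsKey($g)) { $groupRank[$g] = $i }
    $i++
}

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }

$entries = foreach ($key in Get-ChildItem "$root\Services" -ErrorAction SilentlyContinue) {
    $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    # Keys without Start and Type values are not service or driver entries.
    if ($null -eq $p -or $null -eq $p.Start -or $null -eq $p.Type) { continue }
    [pscustomobject]@{
        Name      = $key.PSChildName
        Start     = $startNames[[int]$p.Start]
        Delayed   = ($p.DelayedAutostart -eq 1)
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
        IsDriver  = ($p.Type -eq 1 -or $p.Type -eq 2)
        Group     = $p.Group
        GroupRank = if ($p.Group -and $groupRank.ContainsKey($p.Group)) { $groupRank[$p.Group] } else { [int]::MaxValue }
        DependsOn = (@($p.DependOnService) + @($p.DependOnGroup) | Where-Object { $_ }) -join ', '
        Account   = $p.ObjectName
        ImagePath = $p.ImagePath
    }
}

# Non-delayed auto-start services in service-group order (ungrouped entries last).
$entries | Where-Object { $_.Start -eq 'Auto' -and -not $_.IsDriver -and -not $_.Delayed } |
    Sort-Object GroupRank, Name |
    Format-Table Name, Group, DependsOn, Account -AutoSize

# Delayed auto-start services: grouping has no effect on these.
$entries | Where-Object { $_.Start -eq 'Auto' -and $_.Delayed } |
    Sort-Object Name | Format-Table Name, Account -AutoSize

# Drivers with an explicit ImagePath that is not under System32\Drivers.
# These are candidates for review, not findings in themselves.
$entries | Where-Object { $_.IsDriver -and $_.ImagePath -and $_.ImagePath -notmatch 'System32\\Drivers\\' } |
    Format-Table Name, Start, ImagePath -AutoSize -Wrap
```

The Account column of the first two tables shows which services log on with an account other than the System account, which are the ones the article says have a stored secret.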
SCM provides an additional functionality completely unrelated to Windows services: it notifies GUI applications such as the Windows Explorer when a network drive-letter connection has been created or deleted, by broadcasting Windows messages WM_DEVICECHANGE.