Thursday, January 30, 2014

Difference between a Windows Service and an Application

This article/blog is an effort to provide an exhaustive list of differences between a service and an application.
The table below contains the differences:

Difference between a Service and an Application

Sr. no.
Started in Session 0
Applications Run in sessions above 0, this also applies to background silent applications.
Does not interact with user
Interacts with user
Does not  (need to) display a desktop
Displays the desktop on Window Station ‘Winsta0’
Runs, usually, with system integrity level
Runs, usually, in the integrity level of user that launches the application
Can run with one of the three built-in logon account permissions:
1 - Local System
2 - Local Service
3 - Network Service
Customized permission sets are also possible.
Can run with one the three possible integrity levels a user (member of the local admin group) can assign to an application
1 - Medium (Default)
2 – High (Using Runas Administrator
3 – Low (Using psexec –l  <exec file name>)
Run with Data Execution Prevention enabled

Run with the SERVICE SID (S-1-5-6)
Run with the INTERACTIVE SID (S-1-5-4)
Keep running once started, as long as the OS is running, they can be stopped manually using Service Control Manager.
Exit when the user logs off.
Has a ‘ServiceMain’ function from where the processor control is passed to the service.
Has a ‘main’ or a ‘WinMain’ function where the processor control is passed to the service.
Can be automatically started when the computer boots, and runs continuously.
Can be automatically started using scheduled tasks. The application will run once before any user logs on.

Only one instance of a service can run at a time.
Multiple instances of an application can run as instances
Need to be registered with Service Control manager as services.
Can be just ‘clicked on’ by the logged on user to start.
They can and usually do exist within other processes. The most popular example is the svchost.exe. The ‘svchost’ process loads services as .dll files. ’svchost’ is short for service host.
The dll’s loaded by svchost.exe for difference services can be seen using ‘Process Explorer’ of the SysInternals Suite.
There is a at least one process per application. There can be more than one process associated with an application. There is always a .exe file used to launch the application file.
Are used to implement a great deal of the operating system. There cannot be a system with no services.
Are mostly user land entities.
On a network based server, all work will be done by services.
On a network based server, it is possible that a user never logs on to the server and not a single application is launched. There can be systems with no applications.
Can only access the drives if they have been started after the network drives have been loaded. If started before the network drives are loaded the service will not be able to access the hard drives.
Since they are run after a user logs in, they will always have access to network drives. The only issue will be when a network share is loaded by a user using the privileged token but accessed using explorer.exe running with filtered token, in which explorer (or any application for that matter) will not be able to access the network drive.
Uses the %SYSTEM%/System32 as the default working directory.
Uses the user’s home folder as the working directory.
During development a service installation components need to be created that install the service and register it with the Service Control Manager.
Can be developed to run as a standalone application.
Cannot raise errors on the user interface, only writes error messages to the Windows Event Log. An attempt to create a window object may cause the service to break.
Can write error messages to the user interface in the form of pop-up windows or alerts.
If a service needs to communicate with the user, it only happen via an application on the desktop which communicates with the service via network ports or other method.
If an application needs to have a service running in the background, in order to use the printer the print spool service must be running. Antivirus applications take input from the user, but the constant scanning and real-time threat monitoring is done by a process. Installer applications need the windows installer service to be running.
Always run in ‘the background’.
Silent applications or background applications are the application that have just not created a window on the desktop. They have all characteristics, permissions and privileges of an application started by the logged in user.
From a development perspective the services are implemented as ‘Windows Service’ application project. They contain installation components that install the service.
Applications do not need any installation components and can run on Windows as standalone applications.
In msconfig the items under ‘services’ are as the name implies….services.
In msconfig the items under ‘Startup’ are background applications.

 *: To learn about sessions and related concepts check out this article:

In order to submit corrections or additions to this list, please leave a comment. Thanks

About the Author: Saquib Farooq Malik, is a senior Information Security Specialist . Saquib Specializes in Vulnerability Assessment and Penetration Testing, implementations of ISO 27001 in different corporate environments in the Middle East.
He is a CISSP, an ITILv3 Foundation certified professional, ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension Certified Engineer.

No comments:

Post a Comment