The table below contains the differences:
·
Difference between a Service and an Application
Sr. no.
|
Service
|
Application
|
1
|
Started in Session 0
|
Applications Run in sessions above 0, this also
applies to background silent applications.
|
2
|
Does not interact with user
|
Interacts with user
|
3
|
Does not
(need to) display a desktop
|
Displays the desktop on Window Station ‘Winsta0’
|
4
|
Runs, usually, with system integrity level
|
Runs, usually, in the integrity level of user that launches the
application
|
5
|
Can run with one of the three built-in logon account
permissions:
1 - Local System 2 - Local Service 3 - Network Service Customized permission sets are also possible. |
Can run with one the three possible integrity levels
a user (member of the local admin group) can assign to an application
1 - Medium (Default) 2 – High (Using Runas Administrator 3 – Low (Using psexec –l <exec file name>) |
6
|
Run with Data Execution Prevention enabled
|
|
7
|
Run with the SERVICE SID (S-1-5-6)
|
Run with the INTERACTIVE SID (S-1-5-4)
|
8
|
Keep running once started, as long as the OS is running, they can be
stopped manually using Service Control
Manager.
|
Exit when the user logs off.
|
9
|
Has a ‘ServiceMain’ function from where the
processor control is passed to the service.
|
Has a ‘main’ or a ‘WinMain’ function where the
processor control is passed to the service.
|
10
|
Can be automatically started when the computer boots, and runs continuously.
|
Can be automatically started using scheduled tasks. The application
will run once before any user logs on.
|
11
|
Only one instance of a service can run at a time.
|
Multiple instances of an application can run as
instances
|
12
|
Need to be registered with Service Control manager as services.
|
Can be just ‘clicked on’ by the logged on user to start.
|
13
|
They can and usually do exist within other
processes. The most popular example is the svchost.exe. The ‘svchost’ process
loads services as .dll files. ’svchost’ is short for service host.
The dll’s loaded by svchost.exe for difference services can be seen using ‘Process Explorer’ of the SysInternals Suite. |
There is a at least one process per application.
There can be more than one process associated with an application. There is
always a .exe file used to launch the application file.
|
14
|
Are used to implement a great deal of the operating system. There
cannot be a system with no services.
|
Are mostly user land entities.
|
15
|
On a network based server, all work will be done by
services.
|
On a network based server, it is possible that a
user never logs on to the server and not a single application is launched.
There can be systems with no applications.
|
16
|
Can only access the drives if they have been started after the network
drives have been loaded. If started before the network drives are loaded the
service will not be able to access the hard drives.
|
Since they are run after a user logs in, they will always have access
to network drives. The only issue will be when a network share is loaded by a
user using the privileged token but accessed using explorer.exe running with
filtered token, in which explorer (or any application for that matter) will
not be able to access the network drive.
|
17
|
Uses the %SYSTEM%/System32 as the default working
directory.
|
Uses the user’s home folder as the working
directory.
|
18
|
During development a service installation components need to be
created that install the service and register it with the Service Control
Manager.
|
Can be developed to run as a standalone application.
|
19
|
Cannot raise errors on the user interface, only
writes error messages to the Windows Event Log. An attempt to create a window
object may cause the service to break.
|
Can write error messages to the user interface in
the form of pop-up windows or alerts.
|
20
|
If a service needs to communicate with the user, it only happen via
an application on the desktop which communicates with the service via network
ports or other method.
|
If an application needs to have a service running in the background,
in order to use the printer the print spool service must be running.
Antivirus applications take input from the user, but the constant scanning
and real-time threat monitoring is done by a process. Installer applications
need the windows installer service to be running.
|
21
|
Always run in ‘the background’.
|
Silent applications or background applications are
the application that have just not created a window on the desktop. They have
all characteristics, permissions and privileges of an application started by
the logged in user.
|
22
|
From a development perspective the services are implemented as ‘Windows
Service’ application project. They contain installation components that install
the service.
|
Applications do not need any installation components and can run on
Windows as standalone applications.
|
23
|
In msconfig the items under ‘services’ are as the
name implies….services.
|
In msconfig the items under ‘Startup’ are background
applications.
|
*: To learn about sessions and related concepts check out this article: http://securityinternals.blogspot.ae/2014/01/on-sesssion-windows-and-desktops.html
In order to submit corrections or additions to this list, please leave a comment. Thanks
About the Author: Saquib Farooq Malik, is a senior
Information Security Specialist .
Saquib Specializes in Vulnerability Assessment and Penetration Testing,
implementations of ISO 27001 in different corporate environments in the Middle
East.
He is a CISSP, an ITILv3 Foundation certified professional,
ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension
Certified Engineer.
No comments:
Post a Comment