Disabled services have been turned back ON again (after update?)

RedmondFanatic · 18 Nov 2017

I am running a host with Windows 10 Pro and multiple VMs (I am no longer using HyperV, that's a disaster, I'll save that discussion for another thread).

Because it's a host, I want as few running bits as possible. I disabled a week ago all services which I do not need running on the host. The system was perfectly stable and I was happy. Some really problematic services which open ports and which had critical vulnerabilities in the past, were now shut-down.

This morning, ALL disabled services are back and running again (a few are just back to Manual, as they previously were).

I strongly suspect the problem is the "Windows Creators Fall Update" which finished to install this morning.

The question: is there a way to disable the services and tell windows to please do not start them again every time there is a major update?

Thank you

dalchina · 18 Nov 2017

In my view, no as one of the features of an upgrade (or upgrade repair install indeed) is to help users by trying to return essential settings to a known state.

What you might consider doing is finding a way to establish your settings by way of a script or bat file, for example, that reasserts your particular settings on logging in. That way at least it's automated, although you may then need a subsequent restart as well.

A converse example would be the way such upgrades always disable System Restore.

RedmondFanatic · 18 Nov 2017

Thank you for the answer. These are not essential settings though. The system worked perfectly fine without the Print Spooler running again (to give one example).
Also, this was not a repair install either, where one would kind of expect the setup to return the system to initial state.
My concern is that this makes Windows impossible to harden, if they keep restarting features which have been disabled on purpose.

I mean, once down the path of "Disabled is not really disabled", writing a script to disable them every 5 minutes might not mean anything.

dalchina · 18 Nov 2017

You only need to deal with the case of an upgrade.. it's very unlikely anything else would change their state. So setting the state on logon should be sufficient, although as I said, you might then need one more restart.

A repair install is essentially the same process as an upgrade, hence the term 'in place upgrade repair install'. Some settings are returned to default in both cases.

TairikuOkami · 18 Nov 2017

Windows recovers essential services, but print spooler sure not being being one them. It is firmly disabled on mine.

Use the script as mentioned to set services at shutdown/restart.

Remove services using Sc delete, if you are sure, you will never need them.

Set restrictions to prevent changes, like for the key (deny access to everyone)

Code:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler

RedmondFanatic · 19 Nov 2017

I think you solved the question. Removing the service + Denying access to the regkey should probably be enough to deter the setup from re-installing them. Thank you!

To be clear, Print Spooler and all other non-essential services were firmly disabled on my machine too, before the upgrade. I also found out that the Wireless Adapter which used to be disabled, was enabled back by the upgrade. For this one, I can simply use the hardware switch, but I *still* think that upgrades should NOT UNDO my security settings.

The reason is very simple: when I install a system, I do so with the network cable unplugged, and without important documents on it. When the upgrade happens, it happens *with* the network cable plugged in, *and* with the documents loaded on it. System settings should not be "recovered" by any update.