When a Windows system starts, many services run silently in the background and underpin the operating system's stability. Starting and managing these services is mostly the responsibility of the Service Control Manager (SCM). The SCM is a special system process in the Windows NT family of operating systems, responsible for starting, stopping and interacting with Windows service processes.
The main functionality of the SCM begins with its main function SvcCtrlMain(), which starts all services configured to start automatically.
The SCM executable file services.exe is located in %SystemRoot%\System32\ and is started by the Wininit process early in the system startup. When the SCM starts working, it first initializes its internal database of installed services, which involves reading specific registry keys.
Specifically, it initializes the internal database by reading the following two registry keys:
The SCM determines the loading order of services based on the Group value and the dependencies of each service. During this process, if a circular dependency is found, the SCM logs an error and skips the service that depends on the late-loaded group.
Next, the SCM checks whether the device drivers that should have been started during system startup loaded successfully, and saves the drivers that failed in a list called ScFailedDrivers.
The SCM then calls the ScAutoStartServices() function, which loops through all services marked for automatic start and starts them accordingly. For each service, the SCM calls the ScStartService() function to ensure that the service's process runs under the correct account. If the service is not running under the System account, the SCM calls the LSASS function LogonUserEx() to obtain the "secret" password that was securely stored when the service was initially configured.
There is also a special type of service: the delayed automatic start service. This type of service was introduced in Windows Vista to solve the problem of slow system startup. The SCM does not start initializing delayed automatic start services until all non-delayed automatic start services have been processed.
Although there is a delay in starting these services, they are not much different from other services except for the order in which they are started.
It is worth noting that the SCM also handles device driver services specially. The Type registry value of these services is SERVICE_KERNEL_DRIVER or SERVICE_FILE_SYSTEM_DRIVER. When the SCM calls ScStartService() for such a service, it further calls the ScLoadDeviceDriver() function to load the corresponding driver.
Through the NtLoadDriver system call, the SCM ensures that the driver is loaded correctly. During the initial startup process, the SCM is even responsible for broadcasting the Windows message WM_DEVICECHANGE to notify other applications, such as Windows Explorer, when the connection status of a network drive changes.
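The start-up pass described above (Group order, dependencies, the circular-dependency skip, delayed automatic start, the driver path and the account check) can be modelled in a few lines of Python. This is an added example, not SCM's own code: the service records, the group list and the helper names start_action and plan_autostart are constructed, and skipping every member of a dependency cycle is a simplifying assumption.

```python
# Simplified model of the start-up pass described above; not SCM's real code.
SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER = 0x1, 0x2  # Type values
SERVICE_AUTO_START = 0x2                                      # Start value

GROUP_ORDER = ["Boot File System", "Network"]  # constructed group list
SERVICES = {  # constructed records keyed by per-service registry value names
    "DiskFs":   {"Type": 0x2,  "Start": 2, "Group": "Boot File System"},
    "NetCore":  {"Type": 0x20, "Start": 2, "Group": "Network"},
    "WebApp":   {"Type": 0x10, "Start": 2, "DependOnService": ["NetCore"],
                 "ObjectName": r".\svc_web"},
    "Updater":  {"Type": 0x10, "Start": 2, "DelayedAutostart": 1},
    "LoopA":    {"Type": 0x10, "Start": 2, "DependOnService": ["LoopB"]},
    "LoopB":    {"Type": 0x10, "Start": 2, "DependOnService": ["LoopA"]},
    "OnDemand": {"Type": 0x10, "Start": 3},
}

def start_action(svc):
    """Describe which start path the text above assigns to this service."""
    if svc["Type"] in (SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER):
        return "load driver"
    account = svc.get("ObjectName", "LocalSystem")
    return "start" if account == "LocalSystem" else f"log on {account}, start"

def plan_autostart(services, group_order):
    """Return (ordered [(name, action)], sorted names skipped as unstartable)."""
    auto = {n: s for n, s in services.items() if s["Start"] == SERVICE_AUTO_START}
    plan, done, skipped = [], set(), set()

    def visit(name, stack):
        if name in done:
            return True
        if name in skipped or name in stack or name not in auto:
            return False                  # cycle or unavailable dependency
        for dep in auto[name].get("DependOnService", []):
            if not visit(dep, stack | {name}):
                skipped.add(name)         # the point where an error is logged
                return False
        done.add(name)
        plan.append((name, start_action(auto[name])))
        return True

    def key(name):  # non-delayed first, then listed groups in order, then rest
        g = auto[name].get("Group")
        grp = group_order.index(g) if g in group_order else len(group_order)
        return (auto[name].get("DelayedAutostart", 0), grp, name)

    for name in sorted(auto, key=key):
        visit(name, frozenset())
    return plan, sorted(skipped)
```

When reviewing a host, the entries whose action includes a logon are the ones with a stored service-account password, and the "load driver" entries are the ones that reach kernel mode.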
This design allows users to better manage their system resources and services, ensuring the smooth operation of the operating system.
However, despite the critical role that the SCM plays in getting a system started, many users do not really understand how it works. Behind every operation of the SCM lies complex and efficient technology that allows users to run seemingly ordinary applications and services without any obstacles.
In future versions of Windows, how will SCM evolve to meet increasingly diverse user needs?