Windows 7 Task Manager: Difference between applications, processes, and services

I would like to know the difference between Applications, Processes, and Services, as listed in the Windows 7 Task Manager. Under UNIX/Linux, these terms work as follows: processes refer to executable files which are running in the sense that they have been loaded in memory and are executing, and the same executable can be run several times to create multiple processes in memory running the same executable; applications usually are processes which have an associated graphical user interface; and services are usually headless processes which do not display a GUI but run in the background.

I would like to know whether the Windows 7 Task Manager application uses these terms in the same way as on UNIX/Linux as listed above.

Thanks.

John Sonderson

Posted 2014-12-13T19:24:29.130

Reputation: 2 816

Linux calls services deamons and doesn't have a notion of an application. The various window managers often do though. See also: http://superuser.com/questions/209654/whats-the-difference-between-an-application-process-and-services

– krowe – 2014-12-14T02:29:31.947

Interesting read. So services are also processes, and services on Windows run as svchost.exe, but not always. So, the one thing that was not explained in the above thread: for services that do not run as svchost.exe, what is it that differentiates them from other non-service processes? Thanks. – John Sonderson – 2014-12-14T11:20:56.587

Answers

Most of the question posed here are answered fine here so I'm not going to cover old ground now.

for services that do not run as svchost.exe, what is it that differentiates them from other non-service processes?

The only thing that makes a service different from any other process is that it remains open in order respond to something. There is nothing else different about them but this does mean that they often have certain characteristics. They are usually CLI apps because they generally don't need (or want) a GUI. They can also be DLLs if a host process is meant to manage them (such as svchost.exe); very generally speaking, a DLL is code which doesn't have an entry point (meaning it cannot be ran directly but a program can load it into memory and run the code).

In order to explain this better we need to introduce a new term, threads. A process can spawn new threads. The main thing to understand about threads is that each thread gets it's own execution pointer and acts like a process within the parent process. svchost.exe is a process which you can register a service with. When you do that, the service will be ran as a thread within the svchost.exe process. Another important thing to understand about threads is that they don't show up in Task Manager (only the parent process does).

There are actually two instances of svchost.exe on your system. One is a user mode process and the other is owned by SYSTEM. The SYSTEM copy allows services which run before anyone logs in (which is something that most services will want to be able to do).

In order for svchost.exe to know what to do with a service, it must be capable of acting like a DLL. This means that it needs to implement DLLMain. Additionally, it must also have a HandlerEx method which responds to the events which svchost.exe fires (SERVICE_CONTROL_STOP, SERVICE_CONTROL_SHUTDOWN, SERVICE_CONTROL_PAUSE, SERVICE_CONTROL_CONTINUE, SERVICE_CONTROL_INTERROGATE).

If the service has implemented those then it simply needs to be registered with svchost.exe so that it knows about it. This is done with the applications sc.exe and installutil.exe.

Now that I've explained how it all works I've got to mention that much of this is deprecated in newer versions of Windows. I believe that the current suggested approach is for service devs to also create their own host process (their own svchost.exe). This is because svchost.exe has been the perfect hiding place for malware since its inception. The majority of users have no idea how to reg\unreg services with svchost.exe and only sort of know how to even see them (the services manager).

By not allowing devs to attach to svchost.exe it means that they must create a new process for their services which means that this new process will show up in task manager. Still, I believe that even in the latest versions of Windows, the old method of using sc.exe will still work for backwards compatibility. Considering that Windows users are still dealing with bugs which have existed since DOS, I'd imagine that it'll still be possible for a long time to come. Officially, svchost.exe is only for Windows services now.

krowe

Posted 2014-12-13T19:24:29.130

Reputation: 5 031

Excellent answer. On my Windows 7 Home Premium (64-bit) I have the C:\Windows\System32\svchost.exe executable but when I bring up the Task Manager it does not show up under the Services tab at all (nor under the Processes tab), so there are no instances of this. Not sure what the reason for this is. Thanks. – John Sonderson – 2014-12-14T20:33:44.383

1Press the 'Show Processes from all users' button. They are in there. One is owned by SYSTEM and the other by NETWORK SERVICE. – krowe – 2014-12-14T20:37:23.220

1Actually, on mine, there are about 10 of them. Some are also owned by LOCAL SERVICE. But, at a minimum, you'll have two. – krowe – 2014-12-14T20:38:28.973

Thanks. Indeed, now I can see them. I've got 13 of them. 3 are owned by SYSTEM, 3 by NETWORK SERVICE, and 7 by LOCAL SERVICE. Thanks a lot for taking the time to explain this well!!! – John Sonderson – 2014-12-14T20:41:33.800

Your understanding of the different kinds of programs maps pretty well to Windows. You start executables to create a process, and applications are processes that show a window.

However, a service is more than just a windowless process. (I'm not an expert, but here's some more information from what's I've seen with Windows.)

A windowless process can bring up a window whenever it wants, but a service is isolated from the desktop.

You can easily set services to automatically start up with the computer. When you stop a service, it seems to take the time to shut down gracefully, as opposed to just killing the process.

If you go to Services, you'll see several services are listed, but with a Stopped status --Windows doesn't keep track of stopped applications like that!

If you open the Services program you can see that the properties for a service specify running an executable with certain command line arguments.

While you can have multiple processes running the same executable, I've never seen duplicate services. If you sort services by PID, you'll see that many services can be running from one process.

Carl Walsh

Posted 2014-12-13T19:24:29.130

Reputation: 151

Actually, there is not a lot of difference between a command line application and a service. In fact, you can use this tool to convert any app to a service: http://support.microsoft.com/kb/252340 The main distinguishing feature of a service is that it stays open and does something instead of closing after it finishes. To be listed in the services tab it must also be a child process of svchost.exe (which has additional requirements for the app).

– krowe – 2014-12-14T02:32:39.447

Thank you for your replies. But why is it that in the Task Manager, the PID (process ID) shown for services, and not for applications and processes? – John Sonderson – 2014-12-14T11:29:39.820

Also, under UNIX/Linux once an executable is loaded into memory its PID is unique. If one or more processes (which could be services for example) are spawned through a call to POSIX fork(), then each receives its own PID rather than running with the PID of the parent process. So in Windows, how could it be that two or more services have the same PID (which means PIDs are not unique for each running process on Windows)? This seems to be a place where Windows differs from UNIX. How is it possible that in Windows multiple services can have the same PID. How is this situation attained? Thanks. – John Sonderson – 2014-12-14T11:32:53.703