Optimizing Windows 10 Services for increased

performance

gilius #1 February 22, 2019, 5:56am

18836 (latest Insider) uses more services and RAM than 17134 (1803), which in turn uses more
resources than 16299 (1709).

Despite disabling Windows Defender and running the optimization and decrapifier scripts (see: WOA for
RPi3B+ manual install method using command prompt (MicroSD + SSD USB)), we are still left with
a number of services that are eating up 80% of the RAM in the case of 18836, so we need figure out
which ones can be disabled and the implications of doing so. Some services may be stoppable through
methods other than via services.msc.

StartTy Statu CanSto

ServiceName DisplayName
pe s p

Runnin
Appinfo Application Information Manual TRUE
g
 StartTy Statu CanSto
ServiceName DisplayName
pe s p
Runnin
AppXSvc AppX Deployment Service (AppXSVC) Manual TRUE
g
Runnin
AudioEndpointBuilder Windows Audio Endpoint Builder Automatic TRUE
g
Runnin
Audiosrv Windows Audio Automatic TRUE
g
Runnin
BFE Base Filtering Engine Automatic TRUE
g
Runnin
BrokerInfrastructure Background Tasks Infrastructure Service Automatic FALSE
g
Runnin
cbdhsvc_1cf55 Clipboard User Service_1cf55 Manual TRUE
g
Runnin
CDPSvc Connected Devices Platform Service Automatic TRUE
g
Connected Devices Platform User Runnin
CDPUserSvc_1cf55 Automatic TRUE
Service_1cf55 g
Runnin
CertPropSvc Certificate Propagation Manual TRUE
g
Runnin
CoreMessagingRegistrar CoreMessaging Automatic FALSE
g
Runnin
CryptSvc Cryptographic Services Automatic TRUE
g
Runnin
DcomLaunch DCOM Server Process Launcher Automatic FALSE
g
Runnin
Dhcp DHCP Client Automatic TRUE
g
Runnin
DispBrokerDesktopSvc Display Policy Service Automatic TRUE
g
Runnin
Dnscache DNS Client Automatic FALSE
g
Runnin
DusmSvc Data Usage Automatic TRUE
g
Runnin
EventLog Windows Event Log Automatic TRUE
g
Runnin
EventSystem COM+ Event System Automatic TRUE
g
Runnin
FontCache Windows Font Cache Service Automatic TRUE
g
Runnin
hidserv Human Interface Device Service Manual TRUE
g
Runnin
iphlpsvc IP Helper Automatic TRUE
g
 StartTy Statu CanSto
ServiceName DisplayName
pe s p
Runnin
KeyIso CNG Key Isolation Manual TRUE
g
Runnin
LanmanServer Server Automatic TRUE
g
Runnin
LanmanWorkstation Workstation Automatic TRUE
g
Runnin
LicenseManager Windows License Manager Service Manual TRUE
g
Runnin
lmhosts TCP/IP NetBIOS Helper Manual TRUE
g
Runnin
LSM Local Session Manager Automatic FALSE
g
Runnin
mpssvc Windows Defender Firewall Automatic FALSE
g
Runnin
NcbService Network Connection Broker Manual TRUE
g
Runnin
netprofm Network List Service Manual TRUE
g
Runnin
NlaSvc Network Location Awareness Automatic TRUE
g
Runnin
nsi Network Store Interface Service Automatic TRUE
g
Runnin
OneSyncSvc_1cf55 Sync Host_1cf55 Automatic TRUE
g
Runnin
PcaSvc Program Compatibility Assistant Service Manual TRUE
g
PimIndexMaintenanceSvc_1 Runnin
Contact Data_1cf55 Manual TRUE
cf55 g
Runnin
Power Power Automatic FALSE
g
Runnin
ProfSvc User Profile Service Automatic TRUE
g
Runnin
RpcEptMapper RPC Endpoint Mapper Automatic FALSE
g
Runnin
RpcSs Remote Procedure Call (RPC) Automatic FALSE
g
Runnin
SamSs Security Accounts Manager Automatic FALSE
g
Runnin
Schedule Task Scheduler Automatic TRUE
g
Runnin
SecurityHealthService Windows Security Service Manual FALSE
g
 StartTy Statu CanSto
ServiceName DisplayName
pe s p
Runnin
SENS System Event Notification Service Automatic TRUE
g
Runnin
SessionEnv Remote Desktop Configuration Manual TRUE
g
Runnin
ShellHWDetection Shell Hardware Detection Automatic TRUE
g
Runnin
Spooler Print Spooler Automatic TRUE
g
Runnin
StateRepository State Repository Service Manual TRUE
g
Runnin
StorSvc Storage Service Manual TRUE
g
Runnin
SystemEventsBroker System Events Broker Automatic TRUE
g
Touch Keyboard and Handwriting Panel Runnin
TabletInputService Manual FALSE
Service g
Runnin
TermService Remote Desktop Services Manual TRUE
g
Runnin
Themes Themes Automatic TRUE
g
Runnin
TimeBrokerSvc Time Broker Manual TRUE
g
Runnin
TokenBroker Web Account Manager Manual TRUE
g
Remote Desktop Services UserMode Port Runnin
UmRdpService Manual TRUE
Redirector g
Runnin
UnistoreSvc_1cf55 User Data Storage_1cf55 Manual TRUE
g
Runnin
UserDataSvc_1cf55 User Data Access_1cf55 Manual TRUE
g
Runnin
UserManager User Manager Automatic TRUE
g
Runnin
UsoSvc Update Orchestrator Service Automatic TRUE
g
Runnin
VaultSvc Credential Manager Manual TRUE
g
Runnin
WarpJITSvc WarpJITSvc Manual TRUE
g
Runnin
Wcmsvc Windows Connection Manager Automatic TRUE
g
Runnin
WinHttpAutoProxySvc WinHTTP Web Proxy Auto-Discovery Service Manual FALSE
g
 StartTy Statu CanSto
ServiceName DisplayName
pe s p
Runnin
winmgmt Windows Management Instrumentation Automatic TRUE
g
Runnin
WpnService Windows Push Notifications System Service Automatic TRUE
g
Windows Push Notifications User Runnin
WpnUserService_1cf55 Automatic TRUE
Service_1cf55 g
Runnin
wscsvc Security Center Automatic TRUE
g
Runnin
WSearch Windows Search Automatic TRUE
g
Runnin
XtaCache XtaCache Automatic TRUE
g

gilius #2 February 22, 2019, 11:44pm

PROCESSES - CANNOT DISABLE

Registry/Ntoskrnl: new process since 17063 - used to hold Software and User Registry hive data to
utilize memory management capabilities and, in the future will reduce the memory usage of the Registry.
System/Ntoskrnl: something to do with the above; cannot disable.
Desktop Windows Manager (DWM): cannot be disabled since Windows 8, as it manages the desktop,
desktop background, and the icons on the desktop as well as the taskbar and the Start Screen / Menu. It
is literally a part of Explorer.exe (Backbone of the UI).
START / Windows Shell Experience Host: visual manager for apps, start menu, taskbar transparency,
background slideshow, calendar, clock, visuals and other things. Cannot disable. Restarts immediately
after ending task.
Host Process for Windows Tasks - cannot disable. Loads DLL files and has many instances that can be
viewed using Process Explorer app.
Shell Infrastructure Host = sihost.exe: for start menu, action center, volume changer - cannot disable
COM Surrogate/dllhost.exe: sacrificial process for a COM object that is run outside of the process that
requested it. Cannot disable.
Services and Controller app: service management. Cannot disable.
Runtime Broker = to do with apps and connected to time broker server; cannot disable former only latter.
Windows Logon Application: critical; cannot disable
Windows Start-Up Application: to allow uninstallers to run and an app launcher; cannot disable
Usermode Font Driver Host: core system file
Client Server Runtime Process: responsible for console windows and shutdown process; cannot disable
Windows Session Manager/Session Manager Subsystem/smss.exe: starts user session; cannot disable
Cortana: doesn’t use any RAM except during windows search
System Interrupts: reports on CPU usage; cannot disable, but doesn’t use any RAM hardly
SERVICES GROUPED BY PROCESS

appmodel = State Repository Service and Capability Acccess Manager Service

ClipboardSvcGroup = Clipboard User Service_1d6fe
Local Security Authority Process: 3 services - Credential Manager, Security Accounts Manager, CNG
Key Isolation
LocalServiceNoNetworkFilewall: a group of 2 services - Windows Defender Firewall and Base Filtering
Engine
Microsoft Software Protection Platform Service = Software Protection
Service Host: DCOM Server Process Launcher: a group of 5 services - System Events Broker, Power,
Local Session Manager, DCOM Server Process Launcher, Background Tasks Infrastructure Service
Service Host: Local Service (Network Restricted): a group of 7 services - AVCTP service, Network Store
Interface Service, Network List Service, Windows Font Cache Service, COM+ Event System, Display
Policy Service, Connected Devices Platform Service.
Service Host: Local Service (Network Restricted): a group of 5 services - WinHTTP Web Proxy Auto-
Discovery Service, Time Broker, TCP/IP NetBIOS Helper, Windows Event Log, DHCP Client
Service Host: Local Service (Network Restricted): Windows Audio
Service Host: Local Service (Network Restricted): Windows Connection Manager
Service Host: Local Service (Network Restricted): Security Center
Service Host: Local Service (Network Restricted): Data Usage
Service Host: Local Service (No Network) = CoreMessaging
Service Host: Local System: a group of 15 services - Group Policy Client, Update Orchestrator Service,
Windows Management Instrumentation, User Manager, Web Account Manager, Themes, Shell
Hardware Detection, Remote Desktop Configuration, System Event Notification Service, Task
Scheduler, User Profile Service, Server, IP Helper, Application Information
Service Host: Local System = Certificate Propagation
Service Host: Local System (Network Restricted): 6-7 services - Storage Service, Program Compatibility
Assistant Service, Remote Desktop Services UserMode Port Redirection, Network Connection Broker,
Human Interface Device Service, Windows Audio Endpoint Builder, Display Enhancement Service
Service Host: Network Service: a group of 6 services - Network Location Awareness, Workstation, DNS
Client, Crytopgrahic Services
Service Host: Network Service: Remote Desktop Services
Service Host: Remote Procedure Call: 2 services - Remote Procedure Call (RPC) and RPC Endpoint
Mapper
Service Host: Unistack Service Group: a group of 6 services - Sync Host_1d6e4, Windows Push
Notifcations User Service_1d6e4, User Data Access_1d6e4, User Data Storage_1d6e4, Contact
Data_1d6e4, Connected Devices Platform User Services_1d6e4
Windows Security Health Service = Windows Security Service
wsappx: 2 services, including AppX Deployment Service (AppXSVC)
XTA Cache Service = XtaCache service: WOW64 emulator for running 32-bit apps

PROCESSES / SERVICES THAT CAN BE DISABLED (WIP - MORE TO COME!)

Windows Explorer - cannot disable except temporarily if watching a video or something that doesn’t
involve browsing files and folders.
Application Frame Host: displays store apps in frames - ending task will close all UWP apps. Blocking it
prevents Calc, Photos and Settings from working.

Windows Defender Smart Screen: stuck since 1809 - run this twice to kill and delete:
takeown /f “%WinDir%\System32\smartscreen.exe” /a
icacls “%WinDir%\System32\smartscreen.exe” /grant:r Administrators:F /c
taskkill /im smartscreen.exe /f
del “%WinDir%\System32\smartscreen.exe” /s /f /q

Microsoft Text Input Application = ghost keyboard - disable as follows:

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe” /v Debugger /d
“%SystemRoot%\system32\systray.exe” /f
taskkill /im “WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe” /t /f
echo done

Time Broker service: Manages app permissions and ensures they are behaving themselves. Disable as
follows:
HKLM\System\CurrentControlSet\Services\TimeBrokerSvc\Start - change from 3 to 4 = disabled instead
of manual.

Windows Search - can disable but then cannot search using the built-in windows search and indexing
(need a 3rd party search tool like AgentRansack)

TabletInputService = Touch Keyboard and Handwriting Panel service - safe to disable (restart needed).

gilius #3 February 24, 2019, 1:21am

Here are what appear to be absolute core services that always need to be running for the latest Insider
build at the time of writing (18836) running on bare bones, albeit without the ability to run Store Apps:

1) Appinfo/Application Information: Facilitates the running of interactive applications with additional

administrative privileges. If this service is stopped, users will be unable to launch applications with the
additional administrative privileges they may require to perform desired user tasks.

2) BrokerInfrastructure/Background Tasks Infrastructure Service: controls which background tasks

can run on the system.

3) CoreMessagingRegistrar/CoreMessaging: basic system component, which is used on the

communication with other components inside same computer such as a process, program, utility, or
another part of a computer’s operating system that helps to manage different areas of the computer.

4) CryptSvc/Cryptographic Services: browse and monitor connected computers on a network. NOTE:

Disabled but still runs.

5) DcomLaunch/DCOM Server Process Launcher: launches COM and DCOM servers in response to
object activation requests. If this service is stopped or disabled, programs using COM or DCOM will not
function properly. It is strongly recommended that you have the DCOMLAUNCH service running.
Apparently breaks Microsoft Access if disabled. NOTE: could not disable it anyway.

6) gpsvc/Group Policy Client: The service is responsible for applying settings configured by
administrators for the computer and users through the Group Policy component. If the service is
disabled, the settings will not be applied and applications and components will not be manageable
through Group Policy. Any components or applications that depend on the Group Policy component
might not be functional if the service is disabled. NOTE: Access denied when trying to disable.

7) LSM/Local Session Manager: Core Windows Service that manages local user sessions.

8) ProfSvc/User Profile Service: responsible for loading and unloading user profiles. If this service is
stopped or disabled, users will no longer be able to successfully sign in or sign out, apps might have
problems getting to users’ data, and components registered to receive profile event notifications won’t
receive them.

9) RpcEptMapper/RPC Endpoint Mapper: interfaces identifiers to transport endpoints. If this service is

stopped or disabled, programs using Remote Procedure Call (RPC) services will not function properly.
NOTE: needed to get past the login screen.

10) RpcSs/Remote Procedure Call (RPC): is the Service Control Manager for COM and DCOM
servers. It performs object activations requests, object exporter resolutions and distributed garbage
collection for COM and DCOM servers. If this service is stopped or disabled, programs using COM or
DCOM will not function properly. NOTE: unable to disable - access denied.

11) SamSs/SecurityAccountsManager: signals other services that the Security Accounts Manager
(SAM) is ready to accept requests. NOTE: unable to disable - access denied.

12) StateRepository/State Repository Service: Provides required infrastructure support for the
application model. NOTE: display settings (and possible other settings) won’t load when this is disabled.

13) UserManager/User Manager: provides the runtime components required for multi-user interaction.
If this service is stopped, some applications may not operate correctly.

If you know how to disable any of the above without breaking the system then let me know! This feat
was achieved using a blank password (haven’t tried setting a password yet for the default user account)
together with the following script to disable all the processes and services that can be switched off
without completely breaking this build of Windows 10:
takeown /f “%WinDir%\System32\smartscreen.exe” /a
icacls “%WinDir%\System32\smartscreen.exe” /grant:r Administrators:F /c
taskkill /im smartscreen.exe /f
del “%WinDir%\System32\smartscreen.exe” /s /f /q

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution

Options\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe” /v Debugger /d
“%SystemRoot%\system32\systray.exe” /f
taskkill /im “WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe” /t /f
echo done
del “%WinDir%\System32\smartscreen.exe” /s /f /q
reg add “HKLM\SYSTEM\CurrentControlSet\Services\TimeBrokerSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\TabletInputService” /v Start /t REG_DWORD /d 4
/f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\WSearch” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\AppXSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\ClipSVC” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\BFE” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\BthAvctpSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\WpnUserService_18f50” /v Start /t REG_DWORD
/d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\WpnService” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\CertPropSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\cbdhsvc_1850e” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\KeyIso” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\XtaCache” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\CDPUserSvc_18ab6” /v Start /t REG_DWORD /d
4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\CDPSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\sppsvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\camsvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\wscsvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\winmgmt” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc” /v Start /t REG_DWORD
/d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\Wcmsvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\VaultSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\DusmSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\DispBrokerDesktopSvc” /v Start /t REG_DWORD
/d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\Dnscache” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\hidserv” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\NcbService” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\netprofm” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\DoSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\EventLog” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\EventSystem” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\FontCache” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation” /v Start /t REG_DWORD /d
4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\lmhosts” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\NgcCtnrSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\PcaSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\Power” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\Spooler” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\TermService” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\Themes” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\TokenBroker” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker” /v Start /t REG_DWORD /d
4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder” /v Start /t REG_DWORD /d
4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection” /v Start /t REG_DWORD /d 4
/f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\nsi” /v Start /t REG_DWORD /d 4 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\dhcp” /v Start /t REG_DWORD /d 4 /f
As you can see from the screenshots I’ve managed to get the RAM down into the 50s percentage mark,
but the lion’s share is taken up by the new Registry process, which is unnecessary and only in recent
builds; £5 reward to anyone who can figure out how to disable it without deleting the EXE file that is
needed to start other processes and will break the system without it.

To add Internet access (LAN) to the above you need to re-enable the following 3 services, which
also allows Firefox Nightly to fit the screen resolution:
reg add “HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection” /v Start /t REG_DWORD /d 2
/f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\nsi” /v Start /t REG_DWORD /d 2 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\dhcp” /v Start /t REG_DWORD /d 2 /f

nsi/Network Store Interface Service: delivers network notifications (e.g. interface addition/deleting etc) to
user mode clients. Stopping this service will cause loss of network connectivity. NOTE: needed for
Internet.

dhcp: needed for Internet connection.

ShellHWDetection/Shell Hardware Detection: Provides notifications for AutoPlay hardware events.

NOTE: Firefox Nightly will not properly fit screen resolution if disabled.

To add Audio back in you must enable the following 2 services:

reg add “HKLM\SYSTEM\CurrentControlSet\Services\Audiosrv” /v Start /t REG_DWORD /d 2 /f
reg add “HKLM\SYSTEM\CurrentControlSet\Services\AudioEndpointBuilder” /v Start /t REG_DWORD /d
2 /f

AudioEndpointBuilder/Windows Audio Endpoint Builder: Manages audio devices for the Windows Audio
service. If this service is stopped, audio devices and effects will not function properly. If this service is
disabled, any services that explicitly depend on it will fail to start.

Audiosrv/Windows Audio: see above

To add the Start Menu back you need the following service:
reg add “HKLM\SYSTEM\CurrentControlSet\Services\SystemEventsBroker” /v Start /t REG_DWORD /d
2 /f

SystemEventsBroker/System Events Broker: Coordinates execution of background work for WinRT

application. If this service is stopped or disabled, then background work might not be triggered. NOTE:
disabling breaks the Start Menu, though right-click menu still works.

APPS/MICROSOFT STORE
AppXSvc/AppX Deployment Service: deploys Store apps. Those “Universal Windows Platform” apps are
distributed in .AppX packages, hence the name.

ClipSVC/Client License Service (ClipSVC): Provides infrastructure support for the Microsoft Store. This
service is started on demand and if disabled applications bought using Windows Store will not behave
correctly.

XtaCache: caches the result of XTAJIT on Windows ARM64

camsvc/Capability Access Manager Service: for managing UWP apps access to app capabilities as well
as checking an app’s access to specific app capabilities.

NcbService/Network Connection Broker: Brokers connections that allow Windows Store Apps to receive
notifications from the internet.

Time Broker service: Manages app permissions and ensures they are behaving themselves.

NETWORK
BFE/Base Filtering Engine: manages firewall and Internet Protocol security (IPsec) policies and
implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the
security of the system. It will also result in unpredictable behavior in IPsec management and firewall
applications.

iphlpsvc/IP Helper: assists network administration of the local computer by enabling applications to
retrieve information about the network configuration of the local computer, and to modify that
configuration. IP Helper also provides notification mechanisms to ensure that an application is notified
when certain aspects of the local computer network configuration change.

WinHttpAutoProxySvc/WinHTTP Web Proxy Auto-Discovery Service: Web Proxy Autodiscovery (WPAD)

is a proposed Internet protocol that allows a client, such as a Web browser or a streaming media
application, to automatically locate and interface with cache services in a network so that information
can be delivered more quickly to the user.
Wcmsvc/Windows Connection Manager: Makes automatic connect/disconnect decisions based on the
network connectivity options currently available to the PC and enables management of network
connectivity based on Group Policy settings.

DusmSvc/Data Usage: Network data usage, data limit, restrict background data, metered networks.

Dnscache/DNS Client: responsible for resolving and caching domain names. When you are browsing
the Internet and type www.google.com the Dnscache service finds (also known as resolving) the exact
location (IP address) of google.com and then keeps a copy of its location for a short time. NOTE: can
still browse “google.com”, etc.

netprofm/Network List Service: Identifies the networks to which the computer has connected, collects
and stores properties for these networks, and notifies applications when these properties change.
NOTE: disabling hides Internet connected icon near the system tray.

NlaSvc/Network Location Awareness: a system for detecting internet connectivity known as Network
Location Awareness (NLA). It controls many aspects of how Windows categorizes internet connections,
such as whether to assign networks as private or public. NOTE: disabling hides Internet connected icon
near the system tray.

LanmanServer/Server: allows a server to share file and print resources with clients over the network.

LanmanWorkstation/Workstation: Added in Windows 10, version 1803. This policy setting determines if
the SMB client will allow insecure guest logons to an SMB server.

lmhosts/TCP/IP NetBIOS Helper: Provides support for the NetBIOS over TCP/IP (NetBT) service and
NetBIOS name resolution for clients on the network, therefore enabling users to share files, print, and
log on to the network.

TermService/Remote Desktop Services: for RDP.

DEVICES
BthAvctpSvc/AVCTP service: new since 1803 - the Audio/Video Control Transport Protocol (AVCTP),
which is used to transport command and response messages for controlling Audio Video features in
conformant devices. NOTE: affects Bluetooth.

CDPUserSvc_18ab6: associated with Bluetooth, or Printers & Scanners as well as music players,
storage devices, mobile phones, cameras, and many other types of connected devices.
CDPUserSvc: see above
CDPSvc: see above

hidserv/Human Interface Device Service: Activates and maintains the use of hot buttons on keyboards,
remote controls, and other multimedia devices.

Spooler/Printer Spooler: for print jobs.

TabletInputService

SECURITY
CertPropSvc/Certificate Propagation: The certificate propagation service activates when a signed-in
user inserts a smart card in a reader that is attached to the computer. This action causes the certificate
to be read from the smart card. The certificates are then added to the user’s Personal store.

KeyIso/CNG Key Isolation:The Windows CNG key isolation service is hosted in the LSA process. The
service provides key process isolation to private keys and associated cryptographic operations as
required by the Common Criteria. The service stores and uses long-lived keys in a secure process
complying with Common Criteria requirements.

sppsvc/Software Protection: Enables the download, installation and enforcement of digital licenses for
Windows and Windows applications. If the service is disabled, the operating system and licensed
applications may run in a notification mode.

wscsvc/Security Center: part of Windows Defender.

VaultSvc/Credential Manager: stores passwords

NgcCtnrSvc/Microsoft Passport Container: Manages local user identity keys used to authenticate user to
identity providers as well as TPM virtual smart cards. If this service is disabled, local user identity keys
and TPM virtual smart cards will not be accessible.

TokenBroker/Web Account Manager: This service is used by Web Account Manager to provide single-
sign-on to apps and services.

SETTINGS / FEATURES
cbdhsvc/Clipboard User Service: new Clipboard service
cbdhsvc_1850e/Clipboard User Service: see above

winmgmt/Windows Management Instrumentation: the infrastructure for management data and

operations on Windows-based operating systems. You can write WMI scripts or applications to automate
administrative tasks on remote computers but WMI also supplies management data to other parts of the
operating system and products, for example System Center Operations Manager, formerly Microsoft
Operations Manager (MOM), or Windows Remote Management (WinRM).

EventLog/Windows Event Log: This service manages events and event logs. It supports logging events,
querying events, subscribing to events, archiving event logs, and managing event metadata. It can
display events in both XML and plain text format. Stopping this service may compromise security and
reliability of the system.

EventSystem/COM+ Event System: Supports System Event Notification Service (SENS), which
provides automatic distribution of events to subscribing Component Object Model (COM) components. If
the service is stopped, SENS will close and will not be able to provide logon and logoff notifications.

WpnUserService_18f50/Windows Push Notifications User Service_18f50: provides support for local and
push notifications. Disable under settings > system > notifications and actions first.
WpnUserService: see above
WpnService: see above

FontCache/Windows Font Cache Service: The font cache is a file or set of files used by your computer’s
operating system to manage and display the fonts that are installed on your computer. NOTE: disabling
said to improve Adobe’s program loading time.
PcaSvc/Program Compatibility Assistant Service: PCA monitors programs installed and run by the user
and detects known compatibility problems.

Power: Manages power policy and power policy notification delivery.

Themes: Provides user experience theme management.

DispBrokerDesktopSvc/Display Policy Service: ?

WSearch: Windows Search

WINDOWS UPDATES
DoSvc/Delivery Optimization: Windows updates, upgrades, and applications can contain packages with
very large files. Downloading and distributing updates can consume quite a bit of network resources on
the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by
sharing the work of downloading these packages among multiple devices in your deployment.

UsoSvc/Update Orchestrator Service: Manages Windows Updates. If stopped, your devices will not be
able download and install latest udpates.

Any probs with a given function in Windows then you should refer to those sets of services. Also
consider deleting the paging file, as that’s what actually became corrupt for me between changes
- not Andrei’s UEFI files! And make sure you use 1024x768 for the ultimate speed boost.

Final note: there are literally HUNDREDS of settings in Windows 10 that could be turned off via Settings
and Control Panel; doing so may reduce the RAM taken up by the 13 or so services that must always be
running.

gilius #4 February 24, 2019, 2:42pm

Same procedure for 17763 - 7% gains compared to the latest Insider, and this was with audio + Internet
this time:
gilius #5 February 24, 2019, 9:57pm

17134 has one extra service called SecurityHealthService - part of Windows Defender - that needs to be
included in the list. Cortana also takes up RAM in this earlier build, but the following registry fix may be
effective at suppressing it at zero RAM:
HKLM\Software\Policies\Microsoft\Windows > new DWORD AllowCortana 0
No gains in this build compared to 17763 - but it might run a little bit faster. NOTE: I am installing full
cumulative updates on all these test builds - but by omitting them it might run faster.