How to run windows with minimum memory usage!

How to run windows with minimum memory usage!

Sep 04

Running Windows with No Services

A Windows service provides functionality to the operating system and user accounts regardless of whether anyone is logged into a system. Windows XP comes with around four dozen services enabled by default, including ones that many people consider superfluous like Remote Registry, Alerter, and SSDP Discovery (Universal Plug and Play). A question many Windows administrators commonly have is therefore, which services can I safely disable? What if I told you that for at least basic functionality like Web surfing and application execution, Windows doesn’t need any services? In fact, you can also do those things without system processes like Winlogon.exe, the interactive logon manager, and Lsass, the local security authority subsystem.

The following steps, which you must follow carefully to achieve a minimal Windows system, were derived by Dave Solomon through experimentation, and when he discovered that Windows was usable without all the core system processes we were dumbfounded. After figuring this out he and I polled senior Windows experts like the vice president of the Core Operating Systems Division, the technical lead of the Virtual PC team, and a lead Windows security architect to see if they thought that Windows would function at all, much less if Internet Explorer would work, without the support of Winlogon, Lsass, and services, and the unanimous answer was ‘no’. Even after we showed them the demonstration I’m about to share with you they all thought that we’d staged some kind of trick.

The first step to achieving a minimal Windows configration is to kill the system processes I’ve mentioned. You can’t use Task Manager for the job, however, because it has an internal list of processes that it considers critical and that it won’t terminate. Try to kill Smss.exe, Winlogon.exe, Services.exe, Lsass.exe or Csrss.exe and you’ll see this dialog:

So if you don’t have it already download Process Explorer. To make things go more quickly uncheck the Confirm Kill entry in the Process Explorer Options menu. Then kill Smss.exe, the Session Manager process. The reason we start with Smss.exe is that Smss.exe watches the back of Winlogon, the process it creates during the boot, so if you terminate Winlogon first Smss.exe gets upset and blue screens the machine with an error indicating that the Windows logon process terminated unexpectedly. And if you kill Lsass or Services without killing Winlogon you’ll see this dialog that Winlogon shows before it shuts down the system (you can abort the shutdown by running “shutdown -a”):

Once Smss.exe is out of the way select Winlogon and choose Kill Process Tree from in the Process menu. This terminates Winlogon.exe, Lsass.exe, Services.exe, and all the Windows service processes. We’re almost done.

The next step is to kill all other standard processes except for Csrss.exe (and of course Process Explorer). Csrss.exe is the only process in the system that has the “critical process” bit set in its kernel process structure (EPROCESS) flags field. On the termination of a process with the flag set the kernel halts with a CRITICAL_PROCESS_DIED blue screen. Note that you won’t be able to terminate the System Idle Process, System, Interrupts, or DPC processes. The Idle process isn’t a real process and simply tracks the time when no thread is executing. The System process holds operating system kernel threads and device driver threads, and Interrupts and DPCs are artificial processes that Process Explorer uses to display interrupt and Deferred Procedure Call (DPC) activity.

Because Process Explorer shows the Interrupts and DPCs artifical processes switch to Task Manager at this point to get a real idea of what’s actually running by activating the Run command in Process Explorer’s File menu and entering “taskmgr”. Then exit Process Explorer and look to Task Manager’s Process tab. This is what you should see (themes disappear when the Svchost.exe process hosting the theming service terminates):

You have achieved minimal Windows: the only two processes, not including Task Manager, are System and Csrss.exe. You’re now ready to start experimenting. Verify that you can surf the Internet by launching “iexplore” from Task Manager’s Run command in its File menu. Then restart Explorer by running “explorer”. You’re done with Task Manager so you can exit it.

There will be a delay before Explorer redraws the desktop because it waits for the Service Control Manager (SCM) to signal the ScmCreatedEvent, which Services signals during its initialization. Below is the stack of the main Explorer thread waiting. The second parameter to WaitForSingleObject is a timeout value that’s interpreted as milliseconds and 0xEA60 is 60,000 – 60 seconds:

Once Explorer starts it clips the task bar off the bottom of the display so get it back by right-clicking on the barely visible task bar and applying the ‘Show Quick Launch” option. Notice that even though the task bar is fully visible it doesn’t show the active windows.

With Explorer, the start menu and desktop back you can wander your system, trying various applications and utilities to see how they respond when there are no services running. There are many things that will work, but of course also many things that won’t. For example, here’s the Services node of the Computer Management MMC snapin displaying an expected error message:

What are the real limitations of running like this? Some will become obvious during your exploration, but a major one is that you won’t be able to logoff (or shutdown) since neither Lsass nor Winlogon are running. Networking is also crippled, especially in a LAN, since accessing other computers requires the participation of Lsass in the cross-machine domain authentication process.

The bottom line is that this stripped-down Windows configuration is not practical, but makes a cool demonstration of just how little of Windows is required for basic functionality.

Related posts:

  1. Jokes: CIA Opening

17 comments

  1. Bill

    Hello

    Interesting topic.

    Is there any manual way to kill Smss.exe without installing Process Explorer ?

  2. I don't think so.
    An alternative to process explorer would be to download the Windows NT 4.0 Resource Kit and use the tlist.exe

  3. Don

    However, Bill, Process Explorer doesn't require an installation. It is just a compressed executable file that can be downloaded and extracted easily from the Microsoft website.

  4. Slain

    Was using this go to a randomly blog feature on randomizer and ended up here, a terrific way to read something new like this. Thanks for taking your time and energy to post this blogpost.

  5. Thanks for finding the time to share this with us, just loved it.

  6. I was looking for dvr related tips, this was helpful – bookmarked your site!

  7. Been looking for some good comment suggestions for a while now. This is perfect!

  8. Bob Klahn

    Just found this site looking up minimal windows. Very interesting. I’ll be looking further into it.

    Thanks for all the work.

  9. I was trying to find the minimum services for HomeGroup usage, but then came here.

    Thanks for the post, I will definitely try this. I have succeeded in getting down to 6 services with XP without losing much of anything when it came to usage. This is EXTREME! But I like it.

    Thanks

  10. you can set the memory usage by your own do…subscribe to my site and you will find some interesting tricks and tweaks

  11. thanks for sharing this tip.

  12. nice infomation
    Thanks

  13. That’s really nice one way to run windows with less memory usage. The way you present this information with the help of screen shot make us easy to understand the whole concept.

  14. Thank you so much for sharing this information. I am going to use this trick when i install my windows 8.

  15. Oliver

    Hmm. I can disable winlogon.exe without a hitch, but it seems at least one service is vital on my computer for the ability to switch between applications. When I terminated the tree, I was still able to move my mouse and use the Alt-Tab shortcut, but most of the programs I had running ceased to respond or draw to VGA.

    Thanks for the guide though; I actually needed to disable winlogon.exe for practical purposes, so it came in handy.

  16. Dominick Serna

    I hae a question will this boost processing speed.

  17. The reason for this is that there is so much information available on the Web that search engines are always looking for ways to
    make the search results as specific as possible. Don’t let your clients go
    to your competitors website because you have a slow one. You
    pay nothing up front, get a percentage of sales on every sale,
    create a passive income that grows from year to year, as you work less and less and you can promote anything
    you have an interest in.

    Feel free to visit my weblog :: fast best web hosting sites

Leave a Reply


eight * = 16