Server Solver

What's That Service For?

Spyware or necessary? How to find out what the services running on a Windows XP machine are really used for.

Zubair: I've noticed a service called C-DillaSrv on my Windows XP computer. I didn’t install this service and was wondering if it’s spyware. How can I remove this service if it’s not needed? I looked in the Services console and discovered that it has no dependencies. Is there a simple way to find out what files/DLLs are used by a particular service?
— Maria


Maria, let me first address the C-DillaSrv service and its dependencies; then I will talk about the files that are used by a specific service.

C-DillaSrv is not considered by security experts to be a security risk or spyware. It's license management software from Macrovision that offers copy protection. This service is usually installed by another program, such as 3D Studio Max, Autodesk, or a PC game. The CDANTSRV.EXE file associated with this service is located in the C:\WINDOWS\system32\DRIVERS folder.

If you run Task Manager, you will see CDANTSRV.EXE listed as a system process. This process offers anti-piracy protection for software products such as AutoCAD and TurboTax, so people won’t copy or distribute software illegally. Unfortunately, the service has no description at all in the Services Microsoft Management Console (MMC), which raises suspicions (see Figure 1).

Figure 1. C-DillaSrv has no information for us to determine what it does, at least when we look in the Services MMC.

You can disable a service in the Services console, but that will not delete the service. To manage Windows services you can use a resource kit utility called SC, which I believe is installed by default in Windows XP. The SC tool (sc.exe) is a command-line utility used for communicating with the NT Service Controller and services. Among other things, you can use SC to remotely create and start a service from the command line, delete a service from the registry, and stop, pause, or query the status of a service. Check out Microsoft’s KB article 251192, "How to Create a Windows Service Using Sc.exe," for more information.

One thing I don’t like about the Services MMC is that it only shows three service states: started, stopped, and paused. What it doesn’t show you are the other service states, such as start pending, stop pending, pause pending, and continue pending. You may have noticed that sometimes when you try to stop a service, it hangs. The Services console may show you that the service is stopped, but if you run “net start” at the command prompt the service will be shown as running. To avoid any confusion, use the SC tool to determine the true status of a service.

So, to document the status of all the services running on your computer in a file called svcstatus.txt, type:

sc query > svcstatus.txt
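
Once svcstatus.txt exists, the pending states described above can be picked out of it automatically. The following Python script is an added example, not part of the original column; the sample text is constructed in the layout sc query prints, and the function names are illustrative.

```python
import re
import sys

# Constructed sample in the layout "sc query" prints; not output from a real machine.
SAMPLE = """\
SERVICE_NAME: C-DillaSrv
DISPLAY_NAME: C-DillaSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)

SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
"""

# The transitional states the article says the Services console does not show.
PENDING = {"START_PENDING", "STOP_PENDING", "PAUSE_PENDING", "CONTINUE_PENDING"}
FIELD = re.compile(r"^\s*(SERVICE_NAME|DISPLAY_NAME|STATE)\s*:\s*(.*)$")

def parse_sc_query(text):
    """Return one {'name', 'display', 'state'} dict per service block."""
    services = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # TYPE, exit codes and the flags line are not needed here
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            services.append({"name": value, "display": "", "state": "UNKNOWN"})
        elif services and key == "DISPLAY_NAME":
            services[-1]["display"] = value
        elif services and key == "STATE":
            parts = value.split()  # e.g. "3  STOP_PENDING"
            services[-1]["state"] = parts[1] if len(parts) > 1 else "UNKNOWN"
    return services

def pending(services):
    """Names of services caught in a start/stop/pause/continue transition."""
    return [s["name"] for s in services if s["state"] in PENDING]

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for svc in parse_sc_query(text):
        flag = "  <-- pending" if svc["state"] in PENDING else ""
        print(f'{svc["state"]:<17}{svc["name"]}{flag}')
```

Run it with svcstatus.txt as the only argument; with no argument it parses the built-in sample.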

To delete a service, type:

sc delete service_name

where service_name is the name of the service you want to delete. Keep in mind that this will completely remove the service from the registry. If you want to temporarily disable a service, use the Services console.

As far as figuring out all the DLLs that are associated with a particular service, you might want to use the following batch file written by Mark Burnett. Save the following text in Notepad as svcdep.bat:

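@rem svcdep.bat: list the files used by a service's binary.
@rem Requires reg.exe and Dependency Walker (depends.exe) on the PATH.
@set imagepath=
@rem Read the ImagePath value of the service named in %1 from the registry.
@FOR /F "tokens=3" %%a in ('reg query HKLM\system\currentcontrolset\services\%1 /v imagepath 2^> nul ^| find /i "imagepath"') DO @set imagepath=%%a
@if defined imagepath (
@echo Dependencies for %imagepath%:
@rem Have depends.exe write its module list to a temporary file.
@call depends /a0f1c /oc:~svcdep.tmp "%imagepath%"
@rem Print the sorted module paths, skipping the header row and unresolved modules.
@FOR /F "tokens=1 delims=, skip=1" %%b in ('type ~svcdep.tmp ^| findstr /B /c:"," ^| findstr /V /c:"?" ^| sort') do @echo %%b
@del ~svcdep.tmp 2>nul
) else (
@Echo '%1' is not installed or is not a valid service
)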

To run the batch file, use svcdep.bat with the short name of the service (its service name rather than its display name). The short name for Remote Access Connection Manager is RasMan (see Figure 2).

Figure 2. It's the Remote Access Connection Manager, but you can call it RasMan for short.

To view the dependencies for C-DillaSrv service, type this:

svcdep.bat c-dillasrv

Your result may look something like this:

C:\Batch> svcdep.bat c-dillasrv
Dependencies for C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE:
"c:\windows\system32\drivers\CDANTSRV.EXE"
"c:\windows\system32\GDI32.DLL"
"c:\windows\system32\KERNEL32.DLL"
"c:\windows\system32\NTDLL.DLL"
"c:\windows\system32\RPCRT4.DLL"
"c:\windows\system32\USER32.DLL"

There are a couple of interesting things here that I should point out. First, you had pointed out that the Services MMC didn’t show any dependencies. This is because the Services console only shows you other services that a service depends upon. The batch file above gives you a complete listing of all the files used by the service, which is what you were interested in. Also, even if the service is disabled, the batch file will still show you all the files that are used by the service. The list can be useful if you want to delete files that are no longer needed. With svcdep.bat you can find out all the files used by all the services and ensure that you are not accidentally deleting a file that is required by a service.
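
The batch file keeps only the third whitespace-delimited token of the reg query line, so an ImagePath that contains spaces is cut short. The following Python script is an added example, not part of the original column or of Mark Burnett's script, and it goes beyond the batch file by also handling quoted paths, trailing arguments and the \SystemRoot\ and \??\ prefixes; the sample lines are constructed, the function name is illustrative, and C:\WINDOWS as the system root is an assumption.

```python
import re

# Constructed "reg query ... /v ImagePath" value lines; not taken from a real machine.
SAMPLE_LINES = [
    r"    ImagePath    REG_EXPAND_SZ    C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE",
    r"    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs",
    r'    ImagePath    REG_EXPAND_SZ    "C:\Program Files\Example Vendor\agent.exe" /service',
    r"    ImagePath    REG_EXPAND_SZ    \SystemRoot\System32\drivers\example.sys",
    r"    ImagePath    REG_EXPAND_SZ    \??\C:\Program Files\Example Vendor\filter.sys",
]

VALUE = re.compile(r"^\s*ImagePath\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$", re.IGNORECASE)
# Heuristic for unquoted values: the binary ends at the first executable extension.
BINARY_END = re.compile(r"\.(?:exe|sys|dll)(?=\s|$)", re.IGNORECASE)

def image_path_to_file(line, system_root=r"C:\WINDOWS"):
    """Turn one reg query ImagePath line into the binary's full path, or None."""
    m = VALUE.match(line)
    if not m:
        return None
    raw = m.group(1)
    if raw.startswith('"'):
        # Quoted path: everything after the closing quote is arguments.
        end = raw.find('"', 1)
        path = raw[1:end] if end > 0 else raw[1:]
    else:
        cut = BINARY_END.search(raw)
        path = raw[:cut.end()] if cut else raw.split()[0]
    # reg query prints REG_EXPAND_SZ data unexpanded, so expand it here.
    path = re.sub(r"%SystemRoot%", lambda _: system_root, path, flags=re.IGNORECASE)
    if path.startswith("\\??\\"):
        path = path[4:]                              # NT object-manager prefix
    elif path.lower().startswith("\\systemroot\\"):
        path = system_root + path[len("\\SystemRoot"):]
    elif not re.match(r"^[A-Za-z]:\\", path):
        path = system_root + "\\" + path             # relative driver path
    return path

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(image_path_to_file(sample))
```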

About the Author

Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at [email protected].
