This article is mainly for those who have computers/tablets at home. The steps described here disable remote administration capabilities and therefore are not suitable for business environments. Please keep in mind that www.winhelp.us is primarily meant for home users.
Disabling some of these services also helps to decrease boot time, and enhance the overall performance of Windows a bit.
If you have a home network and you share files and folders between devices, or you share printer(s) connected to a computer (not to a network switch), you should skip the disabling file and printer sharing part.
Although Windows Firewall tries hard to keep hackers at bay, it is best to minimize the possible attack surface by turning off services that are not required. The firewall service is basically a simple port blocker, not an application-aware modern security tool.
Please keep in mind that no firewall is a magic bullet, you still need anti-virus and anti-malware utilities, such as Windows Defender in Windows 8/8.1/10, or Microsoft Security Essentials in Windows 7.
In all versions of Windows, open Run dialog using the keyboard shortcut Windows Key+R.
Type services.msc and click OK.
Scroll down in the list to find the Remote Registry service. Right-click or tap and hold it and select Properties. Alternatively, you can double-click the service.
This service is not available in Windows XP Home, use the following as a guide for disabling other services that you do not need.
Note that after clicking on a service name, its description appears on the left.
Select Disabled from Startup type list. If the service is running, click the Stop button. Then click OK to close the Remote Registry Properties window.
This service enables viewing and changing Windows Registry (the place where all settings and information about your Windows, installed programs, and users' settings are kept) from a remote computer (including hackers' computers) - so it is best to keep the service shut down at all times. On home networks, Windows Registry should be accessed from the local computer only.
Here's a list of services you might want to disable in Windows. Some of them are set to start manually but might be misused for remote data gathering, or cause other potential privacy and security risks.
- ClipBook - only in Windows XP, shares Clipboard contents over a network.
- dmwappushsvc - only in Windows 10, used for receiving WAP Push messages that redirect to web pages: for example, a shop may send you ads or discount codes when you pass by. Not really used (yet) and often considered a privacy risk.
- Connected User Experiences and Telemetry / Diagnostics Tracking Service - only in Windows 10 Anniversary Update / original release, collects and transmits diagnostic and usage information to Microsoft. This anonymous data is used for enhancing Windows features. Some of these functions can be managed or turned off in the Settings app, Privacy, Feedback & diagnostics. If you need more privacy than a typical user, disable this service.
- Function Discovery Resource Publication - only in Windows Vista, 7, 8/8.1 and 10, publishes shared resources (printers, libraries, etc) on this computer over a network. This service's startup is set to Manual, but it often runs whenever Windows starts. Disable it to decrease Windows boot time. Other computers and devices on the same network will not be able to detect your device's shared resources automatically after turning this service off.
- Microsoft Windows SMS Router Service - only in Windows 10, routes messages based on rules. Not needed on home devices.
- Net Logon - this is only required in the business environment with NT or Active Directory domains. Disabling this does not affect file or printer sharing on local/home networks.
- Offline Files - only in Windows Professional/Business/Ultimate editions, caches selected folders and files from file servers so that the items are always available. Not needed for most home users.
- Remote Desktop Services / Terminal Services - enables remote access to GUI (Graphical User Interface) on the computer over a network. This service is always under heavy attack, so if you are not using it, turn it off ASAP.
- SSDP Discovery - detects and publishes Simple Services, such as UPnP devices (home entertainment systems, media streaming, printers, some Wi-Fi routers, etc). This service's startup is set to Manual, but it runs whenever Windows starts. Disable it to speed up Windows boot. UPnP devices are not affected by this, but in Windows 8.1 and 10, the UPnP Device Host service will not start if SSDP Discovery is disabled.
- Superfetch (only when Windows is installed on an SSD) - available since Windows Vista, a caching service that is supposed to improve hard drive performance. It makes Windows and program startup on traditional drives faster, but it might wear down SSD-s or decreases their throughput.
- Telnet - only in Windows XP, enables remote access to the command-line interface over a network. Certainly not needed on home PC-s.
- WebClient - enables creating, accessing, and modifying files on special Internet-connected servers/services using Windows-based programs. This does not affect FTP, SSH, SCP, or browser-based connections. Only a few programs use this service, so it can be safely turned off.
- Windows Error Reporting Service / Error Reporting - sends diagnostics data about errors and crashes to Microsoft if you allow it to. Because the data is not encrypted, it poses potential privacy and security risks. You should disable this service.
- Windows Media Player Network Sharing Service - enables streaming music and video to home entertainment systems and other computers/devices over a network. Turn this off only when not using the streaming feature.
- Windows Remote Management (WS-Management) - only in Windows Vista and newer, used for remote software and hardware management. This is not necessary for home networks.
- WMI Performance Adapter - enables viewing performance data over the local network. Usually not needed on home networks.
You can feel a tad more secure - you just made it harder for bots and hackers to attack your computer while your computer is connected to the Internet.
Windows Vista and newer have profiles for Network Locations, hiding or showing your computer and its shared resources on the current network by configuring Windows Firewall.
You can use different profiles on the same device: for example, your home network might be set to the Private profile to share files, but any public Wi-Fi network should use the Public profile to protect your device and personal files.
If your computer is connected to the Internet directly or via a modem and you have no home network (just one computer at home), always choose Public for Network Location (Windows Vista and 7) or disable sharing/network discovery (Windows 8 and newer).
Guest or Public is the suggested setting for all Wi-Fi (wireless), dial-up, and VPN connections you create. This network profile disables the visibility of your device on the current network and also turns off file and printer sharing.
If you do have a home network and you want to share printers and files with other computers in your home, select Private (in Windows Vista, 8, 8.1, and 10) or Home (in Windows 7) network profile. This is the configuration with the lowest security level - please be aware of this! If you do not need or want to share anything, select the Public profile instead.
In Windows 7, if you are connecting at your workplace, select Work. This will also enable File and Printer Sharing and make your PC visible on the network.
Windows device that is a member of Active Directory, uses the Domain profile. This is used on business/corporate networks only.
In Windows 7, 8/8.1 and 10, more detailed network discovery and sharing options for all profiles are available in Control Panel, Network and Sharing Center. Click or touch the Change advanced sharing settings link on the left.
In Windows 10, click or tap the Network icon in the Taskbar Notification area (aka System Tray) to open the list of networks. Then click a connected network: ethernet connections open automatically in the Settings app; for other types, use the Properties link.
Alternatively, use the keyboard shortcut WINDOWS KEY+I to launch the Settings app. Open Network & Internet and choose the connection type (Wi-Fi, Ethernet, Dial-up, or VPN). Then click or tap on a connected network.
Flip the Make this PC discoverable switch to turn the visibility of your device to other computers on the same network on or off. The Off position activates the Guest or Public network profile that also disables file and printer sharing by default. The On position enables both.
If you need to be even more secure, please see how to turn off file and printer sharing for a network adapter.
In Windows 8 and 8.1, click or tap the Network icon in the Taskbar Notification area (aka System Tray) to open the list of networks.
Another way is to use the keyboard shortcut WINDOWS KEY+I (or to swipe in from the right on touchscreen devices) to reveal Settings charm. Then click or tap Network in the lower part of the Charms bar.
A list of all configured networks appears.
In Windows 8, right-click the network you want to change and then click Turn sharing on or off.
Windows 8.1 Update (available since 8th of April, 2014) users can click View Connection Settings on the top of the network list bar to open the PC Settings app. Further Windows 8.1 and 8.1 Update instructions follow a bit later in this tutorial.
Next, Windows 8 asks if you want to turn on sharing between PCs and connect to devices on this network.
Click No, don't turn on sharing or connect to devices if you want to set Network Location profile to Public.
Click Yes, turn on sharing and connect to devices in case you want to set Network Location profile to Private.
Windows 8.1 makes modifying the network location profile harder to find. In Settings charm, click or tap Change PC Settings (instead of the Network icon in Windows 8). Please note that Windows 8.1 Update users can still click or tap the Network icon in System Tray and then use the View Connection Settings command to open PC Settings.
In the PC Settings app, open the Network tab (this opens automatically in Windows 8.1 Update after clicking View Connection Settings) and then open the Connections tab. Click the connection you want to modify on the right.
Set the Find devices and content slider to Off if you want to set Network Location to Public and disable both network discovery and file and printer sharing.
If you need to be even more secure, please see how to turn off file and printer sharing for a network adapter.
In case you want to double-check or change Network Location for the current connection in Windows Vista or 7, right-click the Network icon in the Taskbar Notification area and select (Open) Network and Sharing Center.
In Windows Vista, click Customize on the right side of an active network connection.
In Windows 7, find the View your active networks section and click the existing network type (Home network, Work network, or Public network).
The Set Network Location window opens. Click the network type you want for this network connection.
In Windows Vista, you can change the connection title in the Network name field and connection icon using the Change button to the right of Network Icon. Click Next to continue.
In Windows 7, if you know you will never set up a home network for this computer and you will be using public networks (wireless, dial-up, direct connections to the Internet) only, you can activate the Treat all future networks that I connect to as public, and don't ask me again option. This will disable the Set Network Location wizard and automatically set the highest security level for all future networks you connect your computer to. You can still change any network's location by opening the Network and Sharing Center.
Just click Close in the summary window. Windows Firewall and sharing settings have been reconfigured.
Do not close the Network and Sharing Center window in Windows Vista and 7 yet!
If you want to change a connection's name and icon in Windows 7, click the network's icon in Network and Sharing Center.
In the Set Network Properties window, fill the Network name field and use the Change button to select a different icon.
Click OK to apply changes.
If you never want to share your files or printer with other computers on your home or work network (or if you have no home network at all), it is best to make sure that no one sees your files and printers even when Windows Firewall fails for some reason.
Right-click or touch and hold the Network icon in the Taskbar Notification area (aka System Tray) and select Open Network Connections (Windows XP) or (Open) Network and Sharing Center (Windows Vista and newer) from the menu.
In Windows Vista, click Manage network connections on the left side of the Network and Sharing Center window.
In Windows 7, 8/8.1 and 10, the command is entitled Change adapter settings.
Click the first network adapter in the list to make it active. Then right-click on it and select Properties.
Now clear the File and Printer Sharing for Microsoft Networks checkbox. Then click OK to close the connection properties window and apply the settings.
Please do not mess with other settings, they can disable your Internet connection or local network connection.
Repeat the above procedure for each and every connection (including wireless, dial-up, Bluetooth, and IEEE1394/Firewire) on the list if you have more than one network adapter.