What does "Manual (Trigger Start)" mean for a Windows Service?
There's a selection of different startup types that can be assigned to a Windows Service, at least as seen in the Services MMC snap-in, such as:
- Automatic (Delayed Start)
- Manual (Trigger Start)
- Automatic (Trigger Start)
The bit in brackets (Trigger Start / Delayed Start) is actually a "sub-startup-type" (that's my name, not Microsofts!) although obviously "Delayed Start" wouldn't have much/any meaning for a service set to the Manual startup type. The "base" startup type (Disabled / Manual / Automatic) is set when you call the Win32 API CreateService, "Delayed Start" and "Trigger Start" are set by calling ChangeServiceConfig2 for an already extant service, passing in an SERVICE_DELAYED_AUTO_START_INFO structure or a SERVICE_TRIGGER_INFO structure respectively.
Why is this even vaguely interesting?
It's a bit of preamble to get to talking about triggered services. These can be on both Manual and Automatic services, so you can have an automatic service that starts when Windows loads, does its stuff then stops until it's triggered as well as a service that's only started when it's triggered. Picking on the Windows Time (w32time) service on Windows Server 2012, you can run sc qtriggerinfo w32time to see what triggers are present:
[SC] QueryServiceConfig2 SUCCESS SERVICE_NAME: w32time START SERVICE DOMAIN JOINED STATUS : 1ce20aba-9851-4421-9430-1ddeb766e809 [DOMAIN JOINED] STOP SERVICE DOMAIN JOINED STATUS : ddaf516e-58c2-4866-9574-c3b615d42ea1 [NOT DOMAIN JOINED]
The output shows the service will be started when the machine is domain joined, but not when it isn't. There are also Scheduled Tasks that are responsible for starting w32time as well, but they're more readily visible via the GUI.
Another example of a service with a startup type of Manual (Trigger Start) is the Remote Registry service. Rather than this being present and running at all times, it has a trigger present:
[SC] QueryServiceConfig2 SUCCESS SERVICE_NAME: RemoteRegistry START SERVICE NETWORK EVENT : 1f81d131-3fac-4537-9e0c-7e7b0c2f4b55 [NAMED PIPE EVENT] DATA : winreg
This one means that when a request is made to open the named pipe 'winreg', the Remote Registry service gets started in order to service the request. You can see this in action (with the Remote Registry service not running!), by spinning up PowerShell and running this snippet of code:
PS D:\> $pipe = New-Object System.IO.Pipes.NamedPipeClientStream '.', 'winreg', 'In' PS D:\> $pipe.Connect() PS D:\> $pipe.Close()
Hitting F5 in the Services snap-in should now show the Remote Registry service as running which is a quick way of showing a service reacting to a trigger in action.
My skillset has matured somewhat since then, which you'll probably see from the posts here. You can read a bit more about me on the about page of the site, or check out some of the other posts on my areas of interest.