The Services MMC shows the service names, their current status, and startup type. Most of you know about the Automatic, Automatic (Delayed Start), and Manual startup types.
- Automatic – Starts the services at system startup.
- Automatic (Delayed start) – Starts the service after the system has finished booting and after initial demanding operations have completed, so that the system boots up faster.
- Manual – Starts the service as required (defined by dependencies to other services) or when called from an application using the relevant API.
- Disabled – Completely disables the service and prevents it and its dependencies from running.
But what are those “Trigger start” services?
And what’s the difference between Automatic (Trigger Start) and Manual (Trigger Start)?
What are Trigger start Services?
A trigger-start service is a regular service that’s configured to run (or stop running) only when it is triggered, that is, only when certain criteria and conditions that you define are met (for example, when the first network IP address becomes available, or when the last network IP is lost).
Here is a list of the available triggers that can be used to configure the startup mode of a given service:
- Device interface arrival or departure
- Joining or leaving a domain
- Opening or closing a firewall port
- Group policy change
- First IP address available or last IP address leaving
- Custom event – Event Tracing for Windows (ETW)
Example 1: Windows Time service
The Windows Time service is configured to start when the device is connected to a domain. You can run the following command to view the triggers for this service:
sc qtriggerinfo w32time
You’ll see the following output:
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: W32Time
    START SERVICE
      DOMAIN JOINED STATUS : 1ce20aba-9851-4421-9430-1ddeb766e809 [DOMAIN JOINED]
In Windows 7 and earlier, you see two triggers for this service.
    START SERVICE
      DOMAIN JOINED STATUS : 1ce20aba-9851-4421-9430-1ddeb766e809 [DOMAIN JOINED]
    STOP SERVICE
      DOMAIN JOINED STATUS : ddaf516e-58c2-4866-9574-c3b615d42ea1 [NOT DOMAIN JOINED]
As you can see from the queried trigger information of the W32Time service, this service is configured to start when the computer is joined to a domain and stop when the computer leaves the domain.
Example 2: Windows Update service
The Windows Update service (wuauserv) is set to Manual by default, and is configured to trigger start in Windows 10.
Run the following command to see the triggers for the Windows Update service:
sc qtriggerinfo wuauserv
You can see that the service is triggered when the group policy configuration is changed.
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: wuauserv
    START SERVICE
      GROUP POLICY : 659fcae6-5bdb-4da9-b1ff-ca2a178d46e0 [MACHINE POLICY PRESENT]
    START SERVICE
      GROUP POLICY : 54fb46c8-f089-464c-b1fd-59d1b62c3b50 [USER POLICY PRESENT]
The Windows Update service will be triggered when the group policy (machine or user policy) configuration changes. The GUID 659FCAE6-5BDB-4DA9-B1FF-CA2A178D46E0 represents MACHINE_POLICY_PRESENT_GUID, and 54FB46C8-F089-464C-B1FD-59D1B62C3B50 represents USER_POLICY_PRESENT_GUID.
Stopped state. After you load the Group Policy Editor and change the configuration (not necessarily the “Windows Update” related setting), it will trigger the Windows Update service to start and show up as
Example 3: Display Enhancement service
The Display Enhancement service (DisplayEnhancementService) in Windows 10 is set to Manual (Trigger Start). This service turns on only when the display ambiance changes. The adaptive brightness feature in Windows 10 tracks ambient light sensors; when it identifies a change in ambient light, it trigger-starts the Display Enhancement service.
The Display Enhancement service automatically adjusts the brightness of the display based on the surrounding lighting conditions. This service is started only when triggered by the ambient light sensor hardware interface.
The following command shows the list of triggers used by this service:
sc qtriggerinfo DisplayEnhancementService
The output contains the list of triggers (there can be more than one trigger for each service) and the device interfaces it’s linked to.
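To review triggers across several services at once, the sc qtriggerinfo output shown in the examples above can be parsed into records. The following is an added example, not part of the original post: the function names parse_triggers and start_only are hypothetical, and the sample text is the W32Time and wuauserv output quoted above, with its line layout constructed.

```python
import re

# Constructed sample: the W32Time (Windows 7) and wuauserv outputs quoted above.
SAMPLE = """\
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: W32Time
        START SERVICE
          DOMAIN JOINED STATUS : 1ce20aba-9851-4421-9430-1ddeb766e809 [DOMAIN JOINED]
        STOP SERVICE
          DOMAIN JOINED STATUS : ddaf516e-58c2-4866-9574-c3b615d42ea1 [NOT DOMAIN JOINED]
[SC] QueryServiceConfig2 SUCCESS
SERVICE_NAME: wuauserv
        START SERVICE
          GROUP POLICY : 659fcae6-5bdb-4da9-b1ff-ca2a178d46e0 [MACHINE POLICY PRESENT]
        START SERVICE
          GROUP POLICY : 54fb46c8-f089-464c-b1fd-59d1b62c3b50 [USER POLICY PRESENT]
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# One token per match (service name, action header, or trigger entry), so the
# parser also copes with output that was pasted onto a single line.
TOKEN = re.compile(
    r"SERVICE_NAME:\s*(?P<svc>\S+)"
    r"|(?P<action>START|STOP) SERVICE"
    r"|(?P<type>[A-Z][A-Z /]*?)\s*:\s*(?P<guid>" + GUID + r")"
    r"(?:\s*\[(?P<desc>[^\]]*)\])?"
)

def parse_triggers(text):
    """Return {service: [(action, trigger_type, guid, description), ...]}."""
    result, service, action = {}, None, None
    for m in TOKEN.finditer(text):
        if m.group("svc"):
            service, action = m.group("svc"), None
            result.setdefault(service, [])
        elif m.group("action"):
            action = m.group("action")
        elif service and action:  # a trigger entry under the current action
            result[service].append((action, m.group("type"),
                                    m.group("guid").lower(), m.group("desc") or ""))
    return result

def start_only(triggers):
    """Services whose triggers only start them (no STOP trigger defined)."""
    return sorted(n for n, es in triggers.items()
                  if {e[0] for e in es} == {"START"})

if __name__ == "__main__":
    for name, entries in parse_triggers(SAMPLE).items():
        print(name, entries)
    print("start-only:", start_only(parse_triggers(SAMPLE)))
```

On a live system, pass it the text produced by sc qtriggerinfo for each service of interest; services returned by start_only keep running after a trigger fires until they stop on their own or are stopped.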
Advantages of Trigger Starting services
You may be wondering why not simply set it to Automatic, and what’s the need for triggers?
There are several issues with having services run all the time:
a) System resources
First, what’s the need to run a program or service (even in the background) when there is no need for it to run? For example, think of an update service that checks for new application updates. If the computer is not connected to a network and has no IP available, why should the service be running 24×7? If no Bluetooth devices are connected, why should the service be running all the time?
Service Triggers eliminate the need for services to start when the system starts, or for services to poll or actively wait for an event; a service can start when needed, instead of starting automatically whether or not there is work to do.
Any running process (services included) uses valuable memory and CPU resources. If a hundred services are running at any given time, they add up to quite a lot of memory, handles, threads, and plenty of CPU usage. These wasted resources reduce the overall computer performance and decrease its responsiveness.
b) Boot-up time
The Automatic start services have a big impact on the device’s boot-up time, and that’s why Automatic (Delayed start) was introduced in the first place. More system resources (CPU, memory, etc.) usage means more power consumption. This can be critical for laptop computers and could reduce battery life considerably.
c) Security point of view
Many services are network-facing and run under Local System or Local Service accounts, contributing to the potential attack surface. Service triggers let services run only when required, thus reducing the ability of an attacker to probe the service easily. These trigger-starting network services help reduce the system attack surface against potential vulnerabilities.
Automatic (Trigger Start) Vs. Manual (Trigger Start)
You may be wondering what’s the difference between Automatic (Trigger Start) and Manual (Trigger Start). If triggers can be added to either Manual or Automatic services, why can’t they be set to Manual?
A service can be set to Automatic so that it starts when Windows loads. But the service can also stop gracefully on its own when it has completed its task and has no more work to do. You may have seen the following message when starting a service:
The [servicename] service on local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs.
The service may have gracefully stopped after it has completed its work. But, if you assign triggers to it, it can still be started when required — e.g., when particular hardware is connected, firewall port is opened, or when a custom event occurs. Automatic (Trigger Start) is preferred if that service needs to be run at startup, and also be able to be trigger started when required.
Both Automatic and Manual services can have triggers that manually start them. The only difference between the two is that the Automatic services start as soon as the operating system loads. After the Automatic service has stopped, a trigger can start it again at any time.
Likewise, the only difference between Automatic (Triggered) and Automatic (Delayed, Triggered) is that the latter begins to load after all the Automatic (non-delayed) services have finished loading; trigger events can start both.
I hope the above information was a little bit helpful!