In this article we’ll tell about a simple way to hide a certain Windows service from the list of services in Services.msc console. With this technique, a particular service can be hidden from all users of the computer (including administrators). Thus, we don’t allow anyone to stop / delete / run this Windows service. Usually it makes sense for antivirus services, access control systems to peripheral devices, user activity monitoring systems and other similar programs.
Open Services Management Console from the administrator account: Administrative Tools -> Services (or sevices.msc) and make sure that the service you want to hide is in the list of all services. In our example, it is SecretService. Our task is to hide this service from users on all computers of Active Directory domain.
- Run the Group Policy Management snap-in with the administrator privileges Administrative Tools -> Group Policy Management. You can do it on the domain controller (in this case you will have to temporary install the service you are going to hide on this DC) or directly on a computer running service (you need to install a appropriate version of Remote Server Administrative Tools ).
- Create the new group policy (or edit an existing one) and assign it to the OU, in which the computers you want to hide a Windows service on are located.
- Navigate to the following policy section: Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
- Find the name of the service (in our case it is SecretService) in the right pane and open its settings.
- Specify that this service is now set by the policy (Define this policy settings) and select the service startup mode (Automatic).
- Then click the Edit Security button and leave only System in the list of accounts with the rights to manage this service (remove Administrators and Interactive).
- Confirm the changes.
- Close the Group Policy Management Editor.
- Update group policies on the computer with the service instance (if any issues with using group policies occur, they can be diagnosed with gpresult or RSOP.mmc):
Gpupdate /force
- Refresh (F5) the console with the list of services and make sure that SecretServices is no longer exist in the list of services, however, its executable is launched and running.
So, in this article we showed how to hide a certain Windows service from users and administrators on all computers in Active Directory domain.
4 comments
You can’t really say this hides things from an administrator, as you need administrator privileges to modify the group policy option. An administrator could just as easily unhide the service as well as restore permission to control the service.
Not all Admins have the same privileges. You would need domain admin rights to change this GP. Sometimes users are local admin to there computers so they as Admins could not just as easily change it.
How would you visibly restore and/or terminate the service?
Net start & Net stop