Comparing running processes in Windows Server 2008 in Full and Core installs
Windows Server 2008 Server Core installation is a minimal install of the upcoming Windows Server OS that can run specific roles (like DNS, Active Directory or File Server) with a much smaller footprint and attack surface. In a previous blog post I looked into overall image sizes for both and also discussed some of the details about the differences between these Full and the Core installs. I later discussed which files are on disk for each one. Now I am looking at the processes running in the the two types of install.
This time I opted to install a couple of components on the servers before comparing them. I loaded the Virtual PC 2007 virtual machine extensions and the DNS Server role (which is available for both). I then used the systeminfo.exe and tasklist.exe (which also exists in both install) to compare the differences in loaded process, physical memory and pagefile memory used. A third test included running the LoadOrder tool from SysInternals to check for drivers and services loaded.
My goal here is not to have very precise lists, but to get a feeling for how the Full and Core installs compare. Also note that Windows Server 2008 is in pre-release format today (there is a public Beta 3 and an MSDN-and-TechNet-subscribers-only release called June CTP or IDS3). Keep in mind that this will most likely change before final release. The information here is based on an Enterprise edition, June CTP bits.
Here are the results:
SystemInfo Output
| Host Name: | WS2008CORE | WS2008FULL |
| OS Name: | Microsoftr Windows Serverr 2008 Enterprise | Microsoftr Windows Serverr 2008 Enterprise |
| OS Version: | 6.0.6001 Service Pack 1, v.222 Build 6001 | 6.0.6001 Service Pack 1, v.222 Build 6001 |
| OS Manufacturer: | Microsoft Corporation | Microsoft Corporation |
| OS Configuration: | Standalone Server | Standalone Server |
| OS Build Type: | Multiprocessor Free | Multiprocessor Free |
| Original Install Date: | 8/1/2007, 10:34:02 AM | 8/1/2007, 10:59:24 AM |
| System Boot Time: | 8/1/2007, 4:35:49 PM | 8/1/2007, 4:35:41 PM |
| System Manufacturer: | Microsoft Corporation | Microsoft Corporation |
| System Model: | Virtual Machine | Virtual Machine |
| System Type: | X86-based PC | X86-based PC |
| Processor(s): | [01]: x64 Family 6 Model 15 Stepping 6 GenuineIntel ~5 Mhz | [01]: x64 Family 6 Model 15 Stepping 6 GenuineIntel ~5 Mhz |
| BIOS Version: | American Megatrends Inc. 080002 , 2/22/2006 | American Megatrends Inc. 080002 , 2/22/2006 |
| Windows Directory: | C:Windows | C:Windows |
| System Directory: | C:Windowssystem32 | C:Windowssystem32 |
| Boot Device: | DeviceHarddiskVolume1 | DeviceHarddiskVolume1 |
| System Locale: | en-us;English (United States) | en-us;English (United States) |
| Input Locale: | en-us;English (United States) | en-us;English (United States) |
| Time Zone: | (GMT-08:00) Pacific Time (US & Canada) | (GMT-08:00) Pacific Time (US & Canada) |
| Total Physical Memory: | 1,023 MB | 1,023 MB |
| Available Physical Memory: | 821 MB | 766 MB |
| Page File: Max Size: | 2,298 MB | 2,297 MB |
| Page File: Available: | 2,137 MB | 2,093 MB |
| Page File: In Use: | 161 MB | 204 MB |
| Page File Location(s): | C:pagefile.sys | C:pagefile.sys |
| Domain: | WORKGROUP | WORKGROUP |
| Logon Server: | \WS2008CORE | \WS2008FULL |
| Hotfix(s): | N/A | N/A |
| Network Card(s): | N/A * | [01]: Intel 21140-Based PCI Fast Ethernet Adapter (Emulated) |
* The Core install did have the same network card and I confirmed it was enable by acessing the system remotely. For some reason systeminfo.exe could not gather that information in the Core install.
TaskList Output
| Image Name | Core | Full | Services (shown in parenthesis=Only in Full) |
| System Idle Process | 16 | 16 | |
| System | 1,696 | 2,864 | |
| smss.exe | 704 | 708 | |
| csrss.exe | 5,108 | 5,212 | |
| csrss.exe | 5,420 | 5,664 | |
| wininit.exe | 3,936 | 3,972 | |
| winlogon.exe | 4,364 | 4,436 | |
| services.exe | 4,724 | 4,924 | |
| lsass.exe | 7,716 | 7,808 | SamSs |
| lsm.exe | 3,836 | 3,824 | |
| svchost.exe | 4,852 | 5,452 | DcomLaunch, PlugPlay |
| svchost.exe | 5,296 | 5,328 | RpcSs |
| svchost.exe | 6,776 | 7,176 | Dhcp, Eventlog, lmhosts |
| svchost.exe | 21,052 | 23,284 | AeLookupSvc, BITS, gpsvc, IKEEXT, iphlpsvc, LanmanServer, ProfSvc, Schedule, seclogon, SENS, Winmgmt, wuauserv, (ShellHWDetection) |
| SLsvc.exe | 7,496 | 7,912 | slsvc |
| svchost.exe | 6,696 | 6,796 | EventSystem, LanmanWorkstation, netprofm, nsi, W32Time |
| svchost.exe | 7,920 | (Netman), (TrkWks), (UxSms) | |
| svchost.exe | 12,464 | 12,808 | CryptSvc, Dnscache, KtmRm, NlaSvc, TermService, WinRM |
| svchost.exe | 8,784 | 8,828 | BFE, DPS, MpsSvc |
| spoolsv.exe | 8,960 | (Spooler) | |
| vmsrvc.exe | 6,576 | 6,332 | 1-vmsrvc |
| taskeng.exe | 5,476 | 5,612 | |
| dns.exe | 5,988 | 5,940 | DNS |
| svchost.exe | 4,480 | 4,480 | PolicyAgent |
| svchost.exe | 2,876 | 2,880 | RemoteRegistry |
| vpcmap.exe | 1,724 | 1,732 | VPCMap |
| svchost.exe | 2,408 | (WerSvc) | |
| msdtc.exe | 6,212 | 6,192 | MSDTC |
| dwm.exe | 4,140 | ||
| explorer.exe | 19,140 | ||
| taskeng.exe | 6,200 | 7,004 | |
| vmusrvc.exe | 4,272 | 4,276 | |
| WmiPrvSE.exe | 5,408 | 5,516 | |
| cmd.exe | 2,168 | 2,024 | |
| TrustedInstaller.exe | 8,656 | 10,232 | TrustedInstaller |
| WmiPrvSE.exe | 9,356 | 10,308 | |
| WmiPrvSE.exe | 5,328 | 5,332 | |
| tasklist.exe | 4,700 | 4,712 | |
| Total | 190,356 | 242,152 |
I combined the output of a simple "tasklist.exe" and "tasklist.exe /svc" to produce the list. Services shown in () appeared only in the Full install. Since I ran tasklist.exe on a command line, cmd.exe shows in both sides.
LoadOrder Output
Last by not least, I captured the output of the LoadOrder tool from TechNet (part of the tools coming from SysInternals). This tool shows the order on which all drivers and services loaded. I used this output to find out which drivers and services do not load on a Server Core install. Here it is (items marked with an X on the first column do not load on a Server Core install):
| Group name | Tag | Service/Device | Display Name | |
| profsvc_group | n/a* | ProfSvc | @%systemroot%system32profsvc.dll,-300 | |
| ProfSvc_Group | n/a* | SENS | @%SystemRoot%system32Sens.dll,-200 | |
| ProfSvc_Group | n/a* | slsvc | @%SystemRoot%system32SLsvc.exe,-101 | |
| X | UIGroup | n/a* | UxSms | @%SystemRoot%system32dwm.exe,-2000 |
| PlugPlay | n/a* | PlugPlay | @%SystemRoot%system32umpnpmgr.dll,-100 | |
| NDIS | 14 | rspndr | Link-Layer Topology Discovery Responder | |
| NDIS | 15 | lltdio | Link-Layer Topology Discovery Mapper I/O Driver | |
| TDI | n/a* | Dhcp | @%SystemRoot%system32dhcpcsvc.dll,-100 | |
| TDI | n/a* | Dnscache | @%SystemRoot%System32dnsapi.dll,-101 | |
| TDI | n/a* | lmhosts | @%SystemRoot%system32lmhsvc.dll,-101 | |
| X | ShellSvcGroup | n/a* | ShellHWDetection | @%SystemRoot%System32shsvcs.dll,-12288 |
| SchedulerGroup | n/a* | Schedule | @%SystemRoot%system32schedsvc.dll,-100 | |
| NetworkProvider | n/a* | BFE | @%SystemRoot%system32bfe.dll,-1001 | |
| NetworkProvider | n/a* | LanmanWorkstation | @%systemroot%system32wkssvc.dll,-100 | |
| NetworkProvider | n/a* | MpsSvc | @%SystemRoot%system32FirewallAPI.dll,-23090 | |
| MS_WindowsLocalValidation | n/a* | SamSs | @%SystemRoot%system32samsrv.dll,-1 | |
| X | SpoolerGroup | n/a* | Spooler | @%systemroot%system32spoolsv.exe,-1 |
| Extended Base | 13 | Parvdm | ||
| n/a* | n/a* | 1-vmsrvc | Virtual Machine Additions Services Application | |
| n/a* | n/a* | AeLookupSvc | @%SystemRoot%system32aelupsvc.dll,-1 | |
| n/a* | n/a* | BITS | @%SystemRoot%system32qmgr.dll,-1000 | |
| n/a* | n/a* | CryptSvc | @%SystemRoot%system32cryptsvc.dll,-1001 | |
| n/a* | n/a* | DNS | @%systemroot%system32dns.exe,-49157 | |
| n/a* | n/a* | DPS | @%systemroot%system32dps.dll,-500 | |
| n/a* | n/a* | EventSystem | @comres.dll,-2450 | |
| n/a* | n/a* | IKEEXT | @%SystemRoot%system32ikeext.dll,-501 | |
| n/a* | n/a* | iphlpsvc | @%SystemRoot%system32iphlpsvc.dll,-200 | |
| n/a* | n/a* | KtmRm | @comres.dll,-2946 | |
| n/a* | n/a* | LanmanServer | @%systemroot%system32srvsvc.dll,-100 | |
| n/a* | n/a* | MRxVPC | Virtual Machine Additions Folder Sharing Driver | |
| n/a* | n/a* | MSDTC | @comres.dll,-2797 | |
| n/a* | n/a* | netprofm | @%SystemRoot%system32netprof.dll,-246 | |
| n/a* | n/a* | NlaSvc | @%SystemRoot%System32nlasvc.dll,-1 | |
| n/a* | n/a* | nsi | @%SystemRoot%system32nsisvc.dll,-200 | |
| X | n/a* | n/a* | PEAUTH | PEAUTH |
| n/a* | n/a* | PolicyAgent | @%SystemRoot%System32polstore.dll,-5010 | |
| n/a* | n/a* | RemoteRegistry | @regsvc.dll,-1 | |
| X | n/a* | n/a* | secdrv | Security Driver |
| n/a* | n/a* | seclogon | @%SystemRoot%system32seclogon.dll,-7001 | |
| n/a* | n/a* | tcpipreg | TCP/IP Registry Compatibility | |
| n/a* | n/a* | TermService | @%SystemRoot%System32termsrv.dll,-268 | |
| X | n/a* | n/a* | TrkWks | @%SystemRoot%system32trkwks.dll,-1 |
| n/a* | n/a* | VPCMap | Virtual Machine Additions Shared Folder Service | |
| n/a* | n/a* | W32Time | @%SystemRoot%system32w32time.dll,-200 | |
| X | n/a* | n/a* | WerSvc | @%SystemRoot%System32wersvc.dll,-100 |
| n/a* | n/a* | Winmgmt | @%Systemroot%system32wbemwmisvc.dll,-205 | |
| n/a* | n/a* | WinRM | @%Systemroot%system32wsmsvc.dll,-101 | |
| n/a* | n/a* | wuauserv | @%systemroot%system32wuaueng.dll,-105 |
So the items not loaded in Server Core does are components related to User Interface, Shell, Spooler, peauth, secdrv, Distributed Link Tracking Client Service (TrkWks) and Windows Error Reporting Service (WerSvc).