services.exe "double entry" in Computer Security Policy

Tonight I took a more careful look at my settings and found that services.exe appears twice in “Computer Security policy”.
I don’t know why ???

Which one is to be deleted?
See screenshot taken from my netbook (clean installation)

Good catch. It is fixed in v5.8 beta.


I have a screenshot for Computer Security policy for CIS 5 and there is no Services.exe under Windows System Application. So I imagine that is the one that is left over.

Could EricJH or anyone else confirm if it can be deleted?


There are two instances of services.exe and they are subject to different security policies: one policy applies to the Windows System Applications group and the other directly to services.exe. I assume the policies will be applied based on priority and request made.

Rules get read top down. So the second rule would never be hit. The second rule is the one where you would be asked if a service would be installed.

OK. I am not the OP, but now I am curious.

Why is there only one rule in CIS v. 5.0 (like in my screenshot)?

I suppose that v. 4 and v. 3 also had one Services.exe rule, and now I understand that having the second rule gives more security to other complements.

@EricJH.

You said: "It is fixed in v. 5.8 beta". It sounded like it was a mistake or error in v. 5.5 and there was going to be only one Services.exe for future CIS versions, and that was my reason for posting my screenshot and asking which of the “services” could be deleted.

Thank you both.


And so…? Do we have to delete the first one? (The one under Windows System Applications)?

Under 5.5 they serve different purposes, which you can test by modifying the permissions of the individual services.exe. Also, the Windows System Applications group is used in the firewall component.

So (in your opinion) it is not true what EricJH says about the fact that, since the rules are read from top to bottom, the “second rule would never be hit” ???

I thought I had seen this before; not very easy to find with search.

Please read here.


Thanks :-TU
But reading what egemen says:

Yes we changed some behaviors. Now it is part of system applications. So the other rule is actually redundant right now. It will be removed with the next versions.

it seems that the proper place for "services.exe" is among "Windows System Applications".

Do you confirm?
Is this the new 5.8 setting? Among “Windows System Applications”?

Is it safer with that policy than with its own “custom policy”?

What does it change from a “normal user” point of view?

I confirm.

Eric also said:

The second rule is the one where you would be asked if a service would be installed.

Services and drivers are what I was referring to when I said it could be tested. Even though it may now be redundant - as already mentioned, the isolated instance of services.exe is no longer in 5.8 - it’s still quite easy to trigger the rule by changing its permissions and installing a driver. However, the same alerts may be generated if one changes the permissions on the Windows System Applications group. Of course, this affects all processes in the group.

I forgot to say that on another PC, where I imported old version 5 settings, services.exe has only “custom policy”.

The only explanation is that, when importing old settings, the “new” ones (= services.exe in “Windows System Applications”) are overwritten.

Once again default settings have changed and no one has made them public :-[

Or if you want the control of the older rule, simply move it up to a place above the Windows System Applications rule.

What’s the way to move “up” or “down” a rule?
There are no such buttons ???

Left click and drag

Thanks :-TU
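
The top-down reading described earlier in the thread ("the second rule would never be hit") and the suggestion to move the older rule above the group can be sketched as follows. This is an added example, not code from the thread or from Comodo; it assumes a simplified first-match model, and the group membership, rule labels and function names are constructed for illustration.

```python
# Simplified first-match model (assumption, not Comodo's implementation):
# a policy is an ordered list of (rule_name, set_of_executables) and the
# first rule that covers the process decides. Membership is constructed.
WINDOWS_SYSTEM_APPLICATIONS = {"services.exe", "svchost.exe", "lsass.exe"}

# Constructed policy mirroring the "double entry" from the thread.
POLICY = [
    ("Windows System Applications", WINDOWS_SYSTEM_APPLICATIONS),
    ("services.exe (custom policy)", {"services.exe"}),
]

def first_match(policy, exe):
    """Return the name of the first rule that covers exe, or None."""
    for name, members in policy:
        if exe.lower() in members:
            return name
    return None

def shadowed_rules(policy):
    """Return rules that can never be hit: everything they cover is
    already covered by rules placed above them."""
    seen, dead = set(), []
    for name, members in policy:
        if members and members <= seen:
            dead.append(name)
        seen |= members
    return dead

def move_above(policy, rule_name, anchor_name):
    """Return a new policy with rule_name directly above anchor_name
    (the effect of the left-click-and-drag reorder)."""
    rule = next(r for r in policy if r[0] == rule_name)
    rest = [r for r in policy if r[0] != rule_name]
    idx = next(i for i, r in enumerate(rest) if r[0] == anchor_name)
    return rest[:idx] + [rule] + rest[idx:]

if __name__ == "__main__":
    print("matched:", first_match(POLICY, "services.exe"))
    print("never hit:", shadowed_rules(POLICY))
    reordered = move_above(POLICY, "services.exe (custom policy)",
                           "Windows System Applications")
    print("after move:", first_match(reordered, "services.exe"))
    print("never hit after move:", shadowed_rules(reordered))
```
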