How to disable legacy services in Windows: Fax, XPS, and SMB1

On many Windows computers we are still dragging along legacy functions that almost nobody uses but they continue to consume resources and can even create security vulnerabilities. We're talking about services like Fax, XPS or the old SMB1 protocolIn addition to a good number of optional features that Microsoft maintains for compatibility but which, on a modern home or office PC, are completely unnecessary.

With a little care in the settings, it's possible disable these legacy services, reduce attack surface against threats of this type ransomware and lighten the system somewhat. However, before touching anything, it's advisable to understand the purpose of each component, its dependencies, and how to manage it correctlywhether from the graphical interface, PowerShell, the Registry, or even Group policy in business environments.

What is SMB (SMB1, SMB2 and SMB3) and why does it matter so much?

The protocol Server Message Block (SMB) It is the foundation for sharing files, printers, and other resources on Windows networks. It allows one computer to act as a file server and other computers to access that data as if it were local, as well as manage remote operations such as reading, writing, or locking files.

Over the years, Windows has incorporated successive versions of the protocolSMB1, SMB2, and SMB3. Each step has brought improvements in performance, security, and scalability, so that today the recommended version is SMB3while SMB1 is considered completely obsolete and dangerous.

SMB1 was used exclusively in systems such as Windows XP and Windows Server 2003, which no longer have support or patches. Many older devices (old NAS devices, network printers, computers) Linux (poorly configured) also continue to use this version for compatibility, which sometimes forces us to keep it active on modern servers or clients.

The problem is that SMB1 carries critical vulnerabilities that have been exploited by malware well known, such as ransomware WannaCrypt/WannaCryThis family took advantage of a flaw in the SMBv1 implementation to spread from one device to another within the network, without requiring user interaction.

For this reason, Microsoft has been removing SMB1 from modern installations: Windows 11 Windows Server 2019 and later versions do not include it by default.In Windows 10, it's only maintained in some Home and Pro editions if certain applications require it. Even so, it remains installed or even active in many environments, and is highly recommended. remove or disable it whenever possible.

What do we lose (and what do we gain) by disabling SMB1, SMB2, or SMB3?

The general recommendation is clear: disable SMB1 on all computers those who don't strictly need it, and leave the modern SMB2 and SMB3 versions active. Even so, sometimes it may be useful temporarily disable SMB2/3 to diagnose a compatibility, performance, or strange behavior problem on the network.

Disabling SMBv3 results in the loss of several advanced functions quite important in high availability environmentssince many are specific to modern versions of Windows Server and file clusters. For example, the following are disabled:

• Transparent failover: allows clients to reconnect to another node in a cluster without the user noticing the failure.
• Horizontal scalability: simultaneous access to the same shared data from multiple nodes in the cluster.
• Multichannel SMB: simultaneous use of multiple network paths to aggregate bandwidth and gain fault tolerance.
• SMB Direct (RDMA): support for very high-speed RDMA networks, with low latency and low CPU usage.
• End-to-end encryption: protection against eavesdropping and attacks on untrusted networks.
• Directory leasing and other optimizations to improve latency and performance in remote branches.

If instead of SMB3 we disable SMB2The impact is also significant. SMB2 introduced key improvements over SMB1:

• Grouping of petitions (batching) to send multiple requests in a single network packet.
• Larger readings and writings that take advantage of Gigabit and higher links.
• Storage cached properties of files and folders to reduce access to the server.
• Durable identifiers that allow reconnection without losing sessions after brief interruptions.
• Reinforced message signature with HMAC SHA-256 instead of MD5.
• Greater scalability in number of users, shared resources and files opened per server.
• Support of symbolic links and a concession model that improves performance in high-latency networks.
• Large MTU to take full advantage of 10 GbE links.
• optimizations of Energy Efficiency to suspend clients with open files.

In other words, disabling SMB2 or SMB3 only makes sense as temporary diagnostic measureWhat is advisable to do permanently is remove SMB1always checking beforehand if there are any older devices that might lose access.

How to check, enable, or disable SMB1 from PowerShell

In modern systems such as Windows 10, Windows 11 or Windows Server 2016/2019The cleanest way to manage SMB1 is by using PowerShell with administrator privileges, relying on the system's optional features.

To view the current status of the SMB1 client/server in Windows, you can use the cmdlet Get-WindowsOptionalFeature pointing to the specific characteristic:

Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

If the goal is Disable SMB1 (the recommended case), simply launch:

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

And if, for compatibility reasons, there is no other option, turn it back onIt can be done with:

Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

In server editions such as Windows Server 2012 R2 and 2016SMB1 is packaged as a role feature. In those cases, it can be removed directly from PowerShell with:

Remove-WindowsFeature FS-SMB1

It's important to remember that many changes regarding optional features and roles are coming. They need to restart the computer to be fully implemented, so it is advisable to plan the maintenance window, especially on production servers.

Managing SMB1, SMB2, and SMB3 from the Registry (server and client)

In older versions of Windows or when very fine control is needed, it is possible enable or disable SMB from the RegistryThis technique applies to both Windows Server (SMB server role) such as workstations that act as clients.

For SMB serverThe main configuration key is:

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ LanmanServer \ Parameters

In that path you can create (if they don't already exist) the next values:

• SMB1 (REG_DWORD):
  Value 0 = protocol disabled
  Value 1 = protocol enabled (default)
• SMB2 (REG_DWORD):
  Value 0 = disables SMB2 and SMB3, since they share an internal stack
  Value 1 = enables SMB2/3 (default)

These values ​​can be manipulated from PowerShell using cmdlets such as: Set-ItemProperty

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB2 -Type DWORD -Value 0 -Force

In the case of SMB client on WindowsThings change because it mainly depends on the service. Lanman Workstation and the mrxsmb10 (SMB1) and mrxsmb20 (SMB2/3) controllers. Here, the following is commonly used: command line tool sc.exe to adjust dependencies and startup mode.

To manage SMB1 on the client can be used commands on the table:

sc.exe qc lanmanworkstation

With it check the current configuration of the service. To disable the SMB1 client portion, the dependency is updated and the corresponding driver is deactivated:

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

If it becomes necessary later reactivate the SMB1 clientIt would be enough to restore the dependency and the automatic startup of the controller:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto

A similar pattern applies when what is desired is Leave SMB1 operational but disable SMB2/3 on the client, modifying in this case the behavior of mrxsmb20.

Disable SMB1 using Group Policy (GPO)

In corporate networks with many devices, going machine by machine is impractical. The most efficient approach is to leverage existing networks. Group Policy (GPO) to deploy Registry changes that disable SMB1 centrally on member workstations and servers.

The trick is to touch two main keys:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mrxsmb10
  Value: Start (REG_DWORD) = 4 → service disabled.
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation
  Value: DependOnService (REG_MULTI_SZ) = Bowser, MRxSmb20, NSI (without MRxSMB10).

A new policy is created in the policy management console Registration Element within the Computer Configuration > Preferences > Windows Settings > Registry branch. The first is configured as Action = Update, pointing to the Start value of mrxsmb10 and setting data to 4. The second is created as Action = Replace, defining the multi-SZ DependOnService with the strings Bowser, MRxSmb20 and NSI.

After applying the GPO and restarting the target computers, the client will no longer load MRxSMB10 nor will it depend on it, effectively leaving SMB1 out of the game. To force a refresh during testing, the following can be launched on the clients:

gpupdate /force

It is advisable to validate afterwards that SMB2 and SMB3 continue to function correctly in the rest of the systems and that connectivity with critical shared resources has not been broken.

Audit which teams are still using SMB1

Before taking drastic measures, it is very useful Audit who is trying to connect via SMB1This way we avoid problems with old printers, outdated NAS devices, poorly configured Linux systems, or even Windows machines forgotten in a corner.

In modern versions of Windows Server, it is possible to activate a specific audit using cmdlets Set-SmbServerConfiguration y Get-SmbServerConfigurationTo start logging SMB1 accesses, run:

Set-SmbServerConfiguration -AuditSmb1Access $true

If at any point you want to Disable auditing, simply change the value to false:

Set-SmbServerConfiguration -AuditSmb1Access $false

To check the current status This configuration can be viewed:

Get-SmbServerConfiguration | Select AuditSmb1Access

Once auditing is enabled, each attempt to connect via SMB1 generates an event in the Microsoft-Windows-SMBServer\Audit registry with event identifier 3000. Reviewing these events yields a fairly reliable list of customers who still rely on SMB1This allows for planning its migration or replacement before permanently deactivating the protocol.

Enable or disable SMB 1.0 from the graphical interface

In some versions of Windows it is possible to configure SMB 1.0 directly from the GUI without touching PowerShell or the Registry. This mainly applies to:

• Windows 8.1 and Windows 10 (client editions).
• Windows Server 2012 R2 and Windows Server 2016.

On client equipment, the typical route is to go to Control Panel > Programs and Features (or run) appwiz.cpl), and then go to the "Turn Windows features on or off" option. The entry appears within the list. “Compatibility with the SMB 1.0/CIFS file sharing protocol”, which can be unchecked to deactivate SMB1.

In server editions such as Windows Server 2012 R2 or 2016, the path goes through the server administratorThe "Remove roles and features" option provides access to the section of Specifications: The option “Compatibility with the SMB 1.0/CIFS file sharing protocol” is also unchecked. Once the wizard has been run, the server will need to be restarted to complete the uninstallation.

Deactivate other legacy services: Fax, XPS, and others

In addition to SMB1, Windows comes loaded with optional features which in practice most users don't need. We won't always gain huge performance improvements, but it is possible to reduce some complexity, memory consumption, and above all, attack surface by having fewer exposed components.

Some of the most common features that can be reviewed in “Turn Windows features on or off” are:

• XPS Services and XPS ViewerThe XPS format was proposed as an alternative to PDFBut it never really caught on. Windows 10 and 11 already integrate PDF printing and reading, so maintaining XPS is usually unnecessary.
• Windows Fax and Scan: useful only if a physical fax machine or integrated scanner Managed through Windows tools. If you use the manufacturer's own scanner or don't use fax, you can safely disable it.
• Windows Media Player and player network sharingThe popular WMPNetworkSvc service allows you to share media libraries over a network. If alternative players are used, or if no media is shared, the system will function correctly. streaming internal, is another clear candidate to be disabled.
• Legacy components (DirectPlay): only necessary for very old games that depend on this DirectX network API. If you don't play classic titles online, you can usually disable it.

It's also advisable to review services that load in the background and are of little use on a home computer. Some typical examples in Windows 7/10 are: Fax, Bluetooth compatibility service (if you don't use Bluetooth), net Logon on off-domain computers, or SNMPdesigned for monitoring corporate networks.

Other Windows services that can usually be disabled

In scenarios where the goal is to maximize performance (for example, a PC dedicated to gaming), it is common to review the list of Windows services and deactivate anything that is never usedHowever, it should be done carefully, ideally after creating a restore point so you can go back if something goes wrong.

Among the services that are often considered dispensable in a domestic environment (provided their specific functions are not needed) are:

• Windows Search (WSearch)It maintains an index of files, emails, and other content to speed up searches. If you rarely use the built-in search engine, you might consider disabling it.
• Windows Media Player Network Sharing Service (WMPNetworkSvc): responsible for sharing multimedia libraries on the local network.
• SNMP Capture (SNMPTRAP) y Simple Network Management Protocol (SNMP): geared towards advanced network monitoring. Unnecessary in most homes.
• Services related to smart cards (SCPolicySvc, SCardSvr, Certificate Propagation): provide support for environments that use smartcard authentication.
• Remote Registry (RemoteRegistry): allows modifying the Registry from other computers, which is risky in uncontrolled environments.
• Offline Files (CscService): useful only if you use the feature of offline files in corporate networks.
• Network Access Protection Agent (napagent): old part of Microsoft's NAP infrastructure.
• Net Logon (Netlogon): essential in domain-joined systems, but completely unnecessary in home PCs.
• iSCSI Initiator Service (MSiSCSI): only if you connect to remote iSCSI devices.
• Distributed Link Tracking Client (TrkWks): maintains links NTFS between equipment and volumes.
• BranchCache (PeerDistSvc): designed to optimize WAN traffic in company branches.
• Bluetooth Compatibility Service (bthserv): only necessary if you use Bluetooth devices.
• Adaptive brightness (SensrSvc): automatically adjusts brightness based on ambient light sensors.
• WinHTTP Auto Proxy (WinHttpAutoProxySvc): detects automatic proxies; in simple networks it is usually unnecessary.
• Windows Remote Management (WinRM): used for remote management via PowerShell and other tools.
• Windows Error Reporting Service (WerSvc): sends crash reports to Microsoft.
• Windows Color System (WcsPlugInService): focused on advanced color profile management.
• Application-Level Gateway (ALG) Service: related to Internet Connection Sharing (ICS).
• BitLocker Drive Encryption Service (BDESVC) y Encrypting File System (EFS): redundant if these encryption methods are not used.
• Access to human interface device (hidserv): provides extra functions to special keyboards and controllers.
• Remote Desktop Services (TermService, UmRdpService, SessionEnv) and Remote Desktop Configuration: only required if you connect via Remote Desktop or host other machines.
• Tablet PC Input Service (TabletInputService): stylus support and touch writing.
• Windows Biometric Service (WbioSrvc): for fingerprint readers, facial recognition, etc.

The list is long, and not all services will be available in all versions of Windows. The key thing to understand is that Any changes should be made knowing which services you shouldn't disable.especially in equipment used for work or that is part of a larger network.

Advanced optional features: when to have them enabled

The Windows optional features panel also houses components designed for professional or development environmentswhich most home users will never touch. Disabling them doesn't always provide significant benefits, but it does help to "clean" the system of unnecessary things.

Some typical examples are:

• .NET Framework 3.5 (includes 2.0 and 3.0) y Advanced services of .NET Framework 4.xThese are necessary if you run applications that depend on these versions. If you disable them and later install a program that requires .NET, Windows usually offers to install it on demand.
• Active Directory Lightweight Directory Services y Windows Identity Foundation: technologies focused on authentication and directories, especially in business environments.
• Internet Information Services (IIS) and hostable web core: they only make sense if you're going to set up a web or FTP server local for development or testing.
• Hyper-VMicrosoft's virtualization solution. It's very powerful, but not essential if you already use alternatives like VirtualBox o VMware for specific tests.
• Telnet Client, TFTP Client, Connection Manager Administration Kit o Microsoft Message Queue: inherited from other eras or intended for very specific uses of remote administration and development.
• Printing and document services Advanced features (LPR, LPD, scan management, internet print client): these are usually unnecessary on computers that only print to one printer USB or conventional home WiFi.
• Simple TCPIP Services, Listen to RIP and similar utilities: they belong to complex network scenarios and are usually disabled in most installations.

The key is to review the list calmly, always considering whether you really need each item. If in doubt, it's best to... leave it activated or do some more research before touching it, especially when we're talking about production equipment or daily work equipment.

Leaving SMB1 behind, disabling legacy services like Fax or XPS, and adjusting optional features to what you actually use is a simple way to have a Windows is more secure, lighter, and adapted to your needs.avoiding ransomware scares and reducing features that are only there "just in case" but which, on most current PCs, no longer provide anything useful.