The Application Experience Lookup Service

February 5th, 2007 by mb

If you have ever locked down a Windows 2003 or Vista machine you have probably run across the Application Experience Lookup Service, also known as Application Experience or AeLookupSvc. The documentation on this service is pretty vague and sometimes contradictory, so people often ask me whether they should keep this service enabled or disable it. I thought I would clarify exactly what this service does.

Application Experience ensures that third-party applications run properly on Windows. I don’t know exactly what groups or teams are involved or any other details of this process at Microsoft, but they do extensive testing on third-party applications to ensure Windows compatibility. They build a database of incompatibilities and actually build the fixes right into Windows. I didn’t count them, but there are tens of thousands of application fixes in this database. The Application Experience Lookup Service handles the database lookups for every program run and implements any compatibility shims necessary to make that program work.

In other words, Windows will modify its own behavior for certain applications just to make the whole Windows experience consistent. For example, one program has an installer that incorrectly reports the amount of disk space. When that program runs, Windows will recognize it and actually lie to it so it reports the disk space correctly. Another program doesn’t properly redraw the background if you move the Save As dialog box, so Windows handles that itself. Yet another program’s window shrinks to almost nothing if you size it past a certain point. Again, Windows fixes that.

What surprised me the most is the sheer number of fixes it implements and the wide variety of programs it addresses. Apparently, no program is too obscure to make it to the database. Needless to say, it is pretty impressive that Microsoft would dedicate so many resources and so much money to fixing other people’s bugs.

If you have a tightly controlled, well-tested environment and your software is kept up to date, you could probably disable this service for a slight reduction of overhead and a possible reduction of attack surface.

Nevertheless, the service overhead is pretty small, and it doesn’t really take direct user input, so the risk is likely minimal. And although I didn’t notice any security-related fixes, there’s no reason they couldn’t implement fixes to address unpatched holes in other products. Yes, that sounds a bit ironic, but the capability is certainly there.

So what is my advice? I generally tell people to leave the service running in all but the most tightly controlled environments.
