It is far from clear what is going on, but here’s what I think I know:
- Lots of services are being created in Windows 10, 2016, and 2019 fitting the descriptions below.
- Many of these, but not all, have names with “_a1b2c” at their right-hand ends, where the characters and numbers are what look like non-random machine-readable strings, five characters long so far.
- Many of these, but not all, have been svchost.exe items, not standalone services.
- There are a variety of service names associated, including (on just this one machine) “CaptureService_b8bc7”, “Clipboard User Service_b8bc7”, “Connected Devices Platform Service”, “Connected Devices Platform Service_b8bc7”, “CredentialEnrollmentManagerUserSvc_b8bc7”, and many more. Of the list in this item, only the last is a standalone service, not a svchost item.
- There are a variety of svchost item names associated, including BthAppGroup, LocalService, and UnistackSvcGroup. In particular, the UnistackSvcGroup items can be googled, but thus far, it does not appear to be known what they are used for.
Some of these services cannot be deleted with the SC command; some can. If one changes permissions in registry items, they all probably could. But the question remains: what are they for, and what are our valuable computing resources being taken for? Thus far, no one has reported anything not working when they are stopped and/or deleted. We may be looking at infrastructure Microsoft is laying in our own machines before our eyes, for new software they will send.
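
An added example, not from the original post: a read-only PowerShell inventory of the suffixed services described above, read from the standard `HKLM:\SYSTEM\CurrentControlSet\Services` registry key. It assumes the suffix is an underscore plus five hex characters (as in `_b8bc7`); the output property names are this example's own.

```powershell
# Added example. Read-only: lists suffixed service keys, changes nothing.
$servicesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Assumption: suffix is "_" plus five hex characters, as in "_b8bc7".
$suffixPattern = '^(?<base>.+)_(?<suffix>[0-9a-f]{5})$'

$inventory = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    if ($key.PSChildName -match $suffixPattern) {
        # Save the captures now; the next -match overwrites $Matches.
        $base   = $Matches['base']
        $suffix = $Matches['suffix']

        $imagePath = [string]$key.GetValue('ImagePath')

        # svchost-hosted services carry their group name after "-k" in ImagePath.
        $group = $null
        if ($imagePath -match '(?i)svchost\.exe"?\s+-k\s+(?<group>\S+)') {
            $group = $Matches['group']
        }

        [pscustomobject]@{
            Name             = $key.PSChildName
            Suffix           = $suffix
            Hosting          = if ($group) { 'svchost' } else { 'standalone' }
            SvchostGroup     = $group
            # True when a key with the same name minus the suffix also exists.
            HasUnsuffixedKey = Test-Path -LiteralPath (Join-Path $servicesKey $base)
            Start            = $key.GetValue('Start')
            ImagePath        = $imagePath
        }
    }
}

# Full listing, ordered so entries sharing a suffix and svchost group sit together.
$inventory | Sort-Object Suffix, SvchostGroup, Name |
    Format-Table Name, Suffix, Hosting, SvchostGroup, HasUnsuffixedKey, Start -AutoSize

# Summary: how many entries per suffix, split by svchost vs. standalone.
$inventory | Group-Object Suffix, Hosting | Select-Object Count, Name
```

Saving `$inventory` to a file on a schedule and comparing runs shows when new suffixed entries appear or when the suffix changes.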