
Okay, let's discuss how to get rid of these processes...


NoelC


As far as I know, the ShellExperienceHost.exe process is all the taskbar related XAML elements (Jump Lists, Tray, Action Center, "Start menu" and notifications), so if you close it you will lose all those elements (which were win32 based before Windows 10) ;)
For the tray, you can replace them with the old win32 parts in the registry (the win32 based Action Center is a bit buggy).

Edited by MTDirector


Don't try and remove ShellExperienceHost. I've tried removing it already. It completely breaks any kind of context menu, the native start menu, and Cortana. Not sure what else it breaks though. It's also probably needed for Settings.

 

An application called Process Lasso has an "always terminate" feature so that might be useful. It's got a free and paid version.

Edited by ptd163

Well, to be fair I want nothing to do with Cortana or the native Start Menu, so that's kind of a plus - as long as it doesn't break things like Settings or the Notification Center.  Wouldn't even want those if there were alternatives.

 

-Noel


    The autorun entry for sihost.exe is in "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellInfrastructure", and I believe that it is started by the Application Information service at the request of either Winlogon.exe or Explorer.exe.  As others have stated, it is now a critical component for Explorer to work, now that the taskbar and everything associated with it is Metro.

 

    taskhostw.exe is launched by the Task Scheduler service, which also uses a similarly named process, taskeng.exe, as a task shim for non-task processes that need to be managed by the scheduler.  Like you, I have not yet found any information on the specific ClassID that it is being asked to run.

 

    svchost -k UnistackSvcGroup is running several super-hidden services (you can find them in the registry, but they do not show up in Computer Management or Process Hacker):

  • Contact Data (manual start, PimIndexMaintenanceSvc, PimIndexMaintenance.dll)
  • Sync Host (auto start, OneSyncSvc, APHostService.dll)
  • User Data Storage (manual start, UnistoreSvc, unistore.dll)
  • User Data Access (manual start, UserDataSvc, userdataservice.dll)

Thanks for the additional info, guys.  I haven't had much time lately to follow-up on this thread and advance the cause, since I've just been through the process of advancing our development environment here to use Visual Studio 2015.

 

No, my search does not turn up ubpm.dll initially for some reason.  Having re-run it just now to confirm your finding, maxXPsoft, I still did not see the string in there.  However, the SysInternals "strings" tool DOES extract it, implying my search tool (Stephen Kung's grepWin) clearly fails for this kind of work, which is a disappointment.  I'll ask him about that.

 

At the moment, I have a quite stable Win 10 "desktop only" config that passes an SFC check and settles a few minutes after bootup to about 1 GB used (of 8 GB) and processes numbering in the low 40s.  Of the original processes I listed above, I still have:

 

  • InstallAgent.exe
  • RunTimeBroker.exe
  • ShellExperienceHost.exe
  • sihost.exe
  • svchost running UnistackSvcGroup
  • taskhostw.exe running {222A245B-E637-4AE9-A93F-A59CA119A75E} (presumably UBPM)

I believe I'll concentrate on one of these at a time from here forward, getting to the bottom of what starts it and whether the system can survive without it.

 

It's already become clear by my own experiments that the system needs sihost.exe to function viably, and ptd163 has said ShellExperienceHost.exe is needed, so I'll eliminate them from the list of candidates to trim moving forward.  That leaves this list:
 

  • InstallAgent.exe
  • RunTimeBroker.exe
  • svchost running UnistackSvcGroup
  • taskhostw.exe running {222A245B-E637-4AE9-A93F-A59CA119A75E} (presumably UBPM)

Since I hate the idea that Microsoft is trying to hide things from us, and I don't want several of the things implied by the listing in the UnistackSvcGroup list, I think I'll start with that.

 

The command line appears to be listed in conjunction with just the four services Techie007 listed above.  As noted, there are "Start" entries listed in the following registry keys:

 

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OneSyncSvc_Session1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PimIndexMaintenanceSvc_Session1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnistoreSvc_Session1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserDataSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UserDataSvc_Session1

 

I'll start by changing them all to Start type 4 ("Disabled") and report back on what does or doesn't work.

 

-Noel
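
A read-only audit of the eight registry keys listed in the post above, added here as an example and not posted by any participant in the thread. It reads the `Start` value and service DLL for each UnistackSvcGroup service and its per-session copies; the variable names and the `Parameters\ServiceDll` lookup are the example's own assumptions.

```powershell
# Added example: report the configured start type of the UnistackSvcGroup
# services named in the thread. Nothing is modified.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
# Base service names from the thread, plus any suffixed copy such as _Session1
$pattern = '^(OneSyncSvc|PimIndexMaintenanceSvc|UnistoreSvc|UserDataSvc)(_.+)?$'
$startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $pattern } |
    ForEach-Object {
        $svc    = Get-ItemProperty -Path $_.PSPath
        # svchost-hosted services usually keep their DLL under Parameters (assumption)
        $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue

        $typeName = if ($null -eq $svc.Start) { '(no Start value)' }
                    elseif ($startTypes.ContainsKey([int]$svc.Start)) { $startTypes[[int]$svc.Start] }
                    else { "Unknown ($($svc.Start))" }

        [pscustomobject]@{
            Key        = $_.PSChildName
            Start      = $svc.Start
            StartType  = $typeName
            ImagePath  = $svc.ImagePath
            ServiceDll = $params.ServiceDll
        }
    }

$report | Sort-Object Key | Format-Table -AutoSize -Wrap

# Flag any key that is not set to 4 ("Disabled"), the value the post proposes
$notDisabled = $report | Where-Object { $_.Start -ne 4 }
if ($notDisabled) {
    Write-Warning ("Not disabled: " + (($notDisabled.Key | Sort-Object) -join ', '))
} else {
    Write-Output 'All matched UnistackSvcGroup service keys have Start = 4.'
}
```

Saving the table before and after a change gives a record to compare against if a later check shows a value has moved.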


For what it's worth, with the above services disabled I of course have one less svchost.exe running.

 

I can still boot Win 10, run Settings / Notification Center (the only Modern stuff I need I think), and can check successfully for Windows Updates (it didn't find any).

 

I'll keep an eye on it, but if you don't want synchronization of settings or OneDrive running, it seems these services really can be disabled.

 

Next focus:  What the heck is the "Unified Background Process Manager" good for? 

 

Initial reading implies it might be needed.  It's been around a long time.

 

-Noel


Unified Background Process Manager = Unified Scheduling Engine = Scheduled Task Process Manager

you can export some task from taskschd to see that setting: UseUnifiedSchedulingEngine

 

 

UBPM includes System Events Broker and Time Broker services
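
The export described in the post above can be done for every task at once. This is an added example, not part of the original post: it exports each scheduled task's XML and reports the `UseUnifiedSchedulingEngine` setting, using the ScheduledTasks cmdlets; the variable names are the example's own.

```powershell
# Added example: show which scheduled tasks set UseUnifiedSchedulingEngine
# in their exported XML. Read-only; tasks that cannot be exported are skipped.
$ns = @{ t = 'http://schemas.microsoft.com/windows/2004/02/mit/task' }

$results = foreach ($task in Get-ScheduledTask) {
    try {
        # Export-ScheduledTask returns the task definition as an XML string
        [xml]$xml = Export-ScheduledTask -TaskName $task.TaskName `
                                         -TaskPath $task.TaskPath -ErrorAction Stop
    } catch {
        continue   # access denied or malformed definition
    }

    $node = Select-Xml -Xml $xml -Namespace $ns `
                       -XPath '/t:Task/t:Settings/t:UseUnifiedSchedulingEngine'

    [pscustomobject]@{
        Task                       = $task.TaskPath + $task.TaskName
        State                      = $task.State
        UseUnifiedSchedulingEngine = if ($node) { $node.Node.InnerText } else { '(not set)' }
    }
}

# Summary: how many tasks carry each value
$results | Group-Object UseUnifiedSchedulingEngine |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail: the tasks that explicitly ask for the unified engine
$results | Where-Object { $_.UseUnifiedSchedulingEngine -eq 'true' } |
    Sort-Object Task | Format-Table Task, State -AutoSize
```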


Thanks abbodi1406, so the Unified Background Process Manager pretty much has to stay.  That's the conclusion I've come to as well on further reading.

 

Remaining tasks to investigate:

  • InstallAgent.exe
  • RunTimeBroker.exe

 

Starting at the bottom of the list, let's discuss RunTimeBroker next.

 

Some observations...

 

RunTimeBroker gets started on my Win 8.1 system only when I close Internet Explorer and it executes "self cleanup" logic to delete temporary files (owing to a setting I've changed).  And it exits on its own sometimes after a timeout, while other times it just remains running.  I've never figured out why it's started during that phase.  Killing it seems to do nothing bad.  That's on Win 8.1.  In the context of Win 8.1 it's described as being involved with permissions for Metro/Modern Apps.

 

Now on Win 10 I see it start always.  Looks like initially it's started right at logon, and sometimes it exits on its own.   Perhaps this is because some parts of the system - e.g., the Notifications / ACTION CENTER pull-out appears to be a Modern App.  HOWEVER...  I can kill the process and am still able to open the Notifications / ACTION CENTER and Settings App.  The only time it comes back (and slightly later disappears again usually) is when I exit Internet Explorer.

 

Since RunTimeBroker doesn't seem to have any useful function, not running it would fit well with my UAC-disabled, run no Modern Apps strategy.  Now the thing to do is to figure out how to keep it from starting at all, on the assumption that it takes some resources that could be put to good use for other things.

 

 

Edit:  More info:  Disabling Execute permission on the file does in fact cause it not to run, BUT...  Now an Error is logged in the Windows System Error Log, and WmiPrvSE.exe is started, so that's not a net gain.

 

The error says:

 

Unable to start a DCOM Server: {D63B10C5-BB46-4990-A94F-E40B9D520160} as Unavailable/Unavailable. The error:

"5"

Happened while starting this command:

C:\Windows\System32\RuntimeBroker.exe -Embedding

 

-Noel

Edited by NoelC

There is much to read in this thread, which I didn't do in detail,

but this is how I do dirty jobs

 

- replace non removable services with "dud"

OR

- replace them from nearest beta or RC version that didn't call the crap like that notification error balloon

 

- then trace registry - which you did

 

- "uninstall" IE, yes some dll's will stay, use Dependency Walker to see what calls them // aka for what they are needed

 

- then go manual removal, both direct links and winsxs


Thanks, I think you mentioned FileLocator Lite before.  I'm going to have to check it out as Stephen Kung has responded that not finding Unicode text in binary files is by design in grepWin.  I've appealed that decision but he may have a basic limitation in his design.

 

-Noel


- "uninstall" IE, yes some dll's will stay, use Dependency Walker to see what calls them // aka for what they are needed

 

That doesn't fit with my desire to use IE.  Its security model suits me.

 

-Noel


Yes, because I know exactly how it works and the security model - while not set up well out of the box - is arguably the best of all the browsers when reconfigured to be much less promiscuous.

 

I have been using IE since the beginning.  For me it's been and still is the best choice.  It shows me what I want to see online very quickly, and I've never had an infection.  Is there something not to like?  I'm not seeing it.

 

-Noel
