Windows network services internals

Reposting an old article; for RPC-related material, look here!


Jean-Baptiste Marchand
Jean-Baptiste.Marchand@hsc.fr
Copyright Hervé Schauer Consultants 2003


Table of Contents
1 Introduction
2 TCP/IP stack
2.1 General architecture
2.2 No privileged ports
2.3 Dynamic ports allocation
2.4 Identifying opened ports
2.4.1 netstat command
2.4.2 Identifying processes behind sockets
2.5 Sockets binding and hijacking
2.5.1 SO_EXCLUSIVEADDRUSE socket option
2.5.2 Example of multiple bindings: NetBT driver in Windows NT 4.0 SP6a
2.5.3 Multiple sockets bindings
2.5.4 What happens when SO_EXCLUSIVEADDRUSE is not used?
2.5.5 Windows services and drivers protected against socket hijacking
2.5.6 Global protection against socket hijacking
2.5.7 Diagnosing socket binding problems
2.6 The missing network loopback interface
3 SMB/CIFS
3.1 SMB/CIFS protocol
3.2 NetBIOS over TCP/IP
3.3 SMB transports
4 MSRPC, a.k.a. Microsoft implementation of DCE RPC
4.1 Introduction
4.2 DCE RPC Interface
4.3 DCE RPC transports
4.4 RPC services registration
4.5 DCE RPC over named pipes, a.k.a DCE RPC over SMB
4.5.1 Named pipes
4.5.2 Named pipes used as DCE RPC endpoints
4.5.3 Well-known DCE RPC named pipes endpoints
4.6 NULL sessions
4.6.1 Introduction
4.6.2 NULL sessions and infrastructure-level restrictions
4.6.3 NULL sessions - system-level restrictions
4.6.4 How NULL sessions restrictions are implemented
4.6.5 NULL sessions restrictions in Windows XP and Windows Server 2003
4.7 RPC services listening on named pipes
4.7.1 lsarpc interface
4.7.2 samr interface
4.7.3 netlogon interface
4.7.4 browser interface
4.7.5 netdfs interface
4.7.6 srvsvc interface
4.7.7 svcctl interface
4.7.8 winreg interface
4.7.9 wkssvc interface
4.8 RPC services over TCP/IP
4.8.1 Portmapper RPC service
4.8.2 RPC services running in the rpcss service
4.8.3 ORPC services running in the rpcss service
4.9 Windows services running RPC services over TCP/IP
4.9.1 Messenger service
4.9.2 Scheduler service
4.9.3 WINS service
4.9.4 IIS 5 services
4.9.5 Message Queuing and Distributed Transaction Coordinator services
4.9.6 Active Directory related RPC services
4.9.7 File Replication service
4.9.8 Inter-site Messaging service
4.9.9 Windows DNS server
4.9.10 Exchange RPC services
4.9.11 Exchange RPC services in an Active Directory domain
4.10 Other RPC services
4.10.1 Plug and Play service
4.10.2 RPC locator service
4.10.3 DNS Client service - Windows 2000
4.10.4 DNS Client service - Windows XP and Windows Server 2003
4.10.5 EFS
4.10.6 Cryptographic Services service
4.10.7 Security Configuration Editor Engine
4.10.8 Windows Time service
4.10.9 Windows Audio service
4.10.10 Certificate service
4.10.11 DHCP Server service
4.10.12 Terminal Server service
4.10.13 License Logging service
4.10.14 Secondary Logon service
4.10.15 Protected storage service
4.10.16 Telephony service
4.10.17 Remote Access service
4.10.18 IPsec Policy Agent service - Windows 2000
4.10.19 IPsec Services service - Windows XP and Windows Server 2003
4.10.20 Distributed Link Tracking Client service
4.10.21 Distributed Link Tracking Server service
4.10.22 WebClient service
4.10.23 Windows File Protection
4.10.24 System Event Notification service
4.10.25 Wireless Configuration service
4.10.26 Winlogon process - Windows 2000
4.10.27 Winlogon process - Windows Server 2003
4.10.28 Application Management service
4.11 Implication of multiple RPC services in one process
4.11.1 Win32 services hosting
4.11.2 Example of multiple RPC services in one process
4.11.3 Implications of running multiple RPC services in one process
4.12 RPC services protection
4.13 DCOM
4.13.1 COM interfaces
5 Conclusion




1 Introduction
The aim of this paper is to document some not well-known characteristics of the TCP/IP stack and network services of Windows systems (based on the NT kernel, i.e., Windows NT, Windows 2000, Windows XP and Windows Server 2003).

The first section of the paper focuses on Windows systems TCP/IP stack, highlighting some specificities that are not well known.

The second section briefly mentions the SMB/CIFS protocol, which is probably the most important network protocol on Windows systems (not to be confused, as frequently happens, with NetBIOS over TCP/IP, which is just a transport protocol for SMB/CIFS). The reference documentation for SMB/CIFS is Christopher Hertel's book, Implementing CIFS ([1]).

The third section deals with MSRPC, a core Windows subsystem that implements a remote procedure call mechanism, used for local inter-process communication as well as for remote procedure calls.

A presentation entitled Windows network services internals and based on this paper was given at the HiverCon03 security conference ([2]). Slides of the presentation are available at http://www.hsc.fr/ressources/presentations/hivercon03/ and contain demonstration screenshots of the different subjects discussed in this paper.


2 TCP/IP stack
2.1 General architecture
The Windows systems network architecture reference schema is available on the http://www.ndis.com/ website [3].

As usual in Windows systems, the network architecture is very modular but consequently also very complex. This explains why it is, for example, difficult to properly implement an IP filtering software on Windows systems.


2.2 No privileged ports
Unix systems implement privileged ports: ports lower than 1024 can only be used by the system administrator (root user). Considering that typical internet servers run on a low TCP port (for example, 25/tcp for an SMTP server or 80/tcp for an HTTP server), this limitation ensures that only the system administrator can run such servers.

Windows systems do not implement privileged ports. As a consequence, anybody can bind a TCP or UDP server on a low port. As explained later, this has some serious security implications.


2.3 Dynamic ports allocation
In the TCP/IP model, dynamic ports are typically used as source port by a TCP or UDP client, to communicate with a remote TCP or UDP server, using a well-known port as destination port. In Windows systems, dynamic ports are also used by RPC services (in that case, a portmapper service is needed to find the appropriate RPC service).

When an application or driver requests a dynamic TCP or UDP port from the TCP/IP driver, the allocated port belongs by default to the 1025-5000 range (port 1024 is apparently never used on Windows systems).

The upper limit of this range can be changed by modifying the following registry value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
Value: MaxUserPort (REG_DWORD)
Default value: 5000 (decimal)

This range is shared for TCP and UDP ports. Moreover, dynamic ports are allocated incrementally. For example, if an application requests a TCP port and obtains TCP port 1025, the next application requesting a UDP port will obtain port 1026.

Exclusion from the dynamic port range can be configured with the ReservedPorts registry value:
Key: HKLM\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters
Value: ReservedPorts (REG_MULTI_SZ)

Configuring this value can be necessary when some services need a fixed port in the lower part of the dynamic range, like 1080/tcp for a SOCKS proxy or 1433/tcp and 1434/udp for MS SQL Server. Otherwise, such ports may be dynamically allocated to another socket before the service starts, causing the service to fail to start.

However, it seems that the ReservedPorts registry value is also used by the Windows 2000 IPv4 NAT driver [4], to determine which range can be used for source ports of NATed connections.
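The following Python helper, added here as an example (not code from the paper), models the dynamic port range described above: it parses ReservedPorts entries, tells whether a service's fixed port could be handed out dynamically before that service starts, and on Windows reads MaxUserPort and ReservedPorts from the live registry. The registry path and value names are the ones cited above; the constants 1025 and 5000 are the defaults stated in the text.

```python
import sys
from typing import Iterable, List, Sequence, Tuple

FIRST_DYNAMIC_PORT = 1025      # port 1024 is never handed out
DEFAULT_MAX_USER_PORT = 5000   # default MaxUserPort
TCPIP_PARAMETERS = r"SYSTEM\CurrentControlSet\Services\TcpIp\Parameters"

PortRange = Tuple[int, int]


def parse_reserved_ports(entries: Iterable[str]) -> List[PortRange]:
    """Parse REG_MULTI_SZ ReservedPorts entries ('1433-1434', or a single port)."""
    ranges = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        low, sep, high = entry.partition("-")
        lo, hi = int(low), int(high) if sep else int(low)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad ReservedPorts entry {entry!r}")
        ranges.append((lo, hi))
    return ranges


def is_reserved(port: int, reserved: Sequence[PortRange]) -> bool:
    return any(lo <= port <= hi for lo, hi in reserved)


def fixed_port_at_risk(port: int, max_user_port: int = DEFAULT_MAX_USER_PORT,
                       reserved: Sequence[PortRange] = ()) -> bool:
    """True if the TCP/IP driver may allocate `port` dynamically (to any TCP or
    UDP client, since the range is shared) before the service that needs it starts."""
    return FIRST_DYNAMIC_PORT <= port <= max_user_port and not is_reserved(port, reserved)


def read_tcpip_parameters() -> Tuple[int, List[PortRange]]:
    """Windows only: read MaxUserPort and ReservedPorts from the live registry."""
    import winreg  # not available on other platforms
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMETERS) as key:
        try:
            max_user_port, _ = winreg.QueryValueEx(key, "MaxUserPort")
        except FileNotFoundError:
            max_user_port = DEFAULT_MAX_USER_PORT
        try:
            reserved, _ = winreg.QueryValueEx(key, "ReservedPorts")
        except FileNotFoundError:
            reserved = []
    return int(max_user_port), parse_reserved_ports(reserved)


if __name__ == "__main__":
    # Constructed configuration for non-Windows hosts: the services named in
    # the text, with only 1433-1434 reserved.
    max_port, reserved = (read_tcpip_parameters() if sys.platform == "win32"
                          else (DEFAULT_MAX_USER_PORT, parse_reserved_ports(["1433-1434"])))
    for name, port in (("SOCKS proxy", 1080), ("MS SQL Server", 1433), ("HTTP", 80)):
        state = "AT RISK" if fixed_port_at_risk(port, max_port, reserved) else "safe"
        print(f"{name:15} {port:5}  {state}")
```

With the constructed configuration, 1080/tcp is reported at risk (inside 1025-5000 and not reserved) while 1433 is safe only because of the ReservedPorts entry; 80/tcp is below the dynamic range and never at risk.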


2.4 Identifying opened ports
2.4.1 netstat command
Systems implementing the TCP/IP protocol typically include the netstat utility, which can be used, among other things, to list opened sockets.

The netstat command of Windows systems is known to be buggy:
Before Windows NT 4.0 SP3, netstat does not display listening TCP ports ([5])
On Windows NT 4.0, netstat displays TCP ports as listening when sockets are only bound to UDP ports ([6])
The second bug can lead to surprising netstat outputs on Windows NT 4.0 systems. One particularly odd result is that TCP port 135 (used by the rpcss service, as explained later) is displayed twice in netstat outputs:
C:\WINNT>netstat -anp tcp | find ":135 "
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*

This is because the rpcss service opens both ports 135/tcp and 135/udp, and, because of the bug just mentioned, the UDP socket is displayed as a second 135/tcp listener. This explains why 135/tcp appears twice.

Another serious bug exists in all versions of Windows NT systems before Windows Server 2003: for each outgoing TCP connection established from a Windows system, the local source port is displayed as LISTENING ([7]).

In the following example, a TCP connection was established to port 22 of a remote server. The TCP/IP driver allocated port 1367 as source port for the connection. In the netstat output, the port appears in the LISTENING state:
C:\WINDOWS>netstat -anp tcp | find ":1367"
TCP 0.0.0.0:1367 0.0.0.0:0 LISTENING
TCP 192.70.106.142:1367 192.70.106.76:22 ESTABLISHED

However, this port is not really in the LISTENING state, i.e., it is not possible to establish a new TCP connection on port 1367. Using hping [8] to send a TCP segment with the SYN flag set, a TCP segment with the RST-ACK flags set is returned:
jbm@garbarek ~> sudo hping -S -c 1 192.70.106.142 -p 1367
HPING 192.70.106.142 (ep1 192.70.106.142): S set, 40 headers + 0 data bytes
len=46 ip=192.70.106.142 flags=RA seq=0 ttl=127 id=47511 win=0 rtt=3.7 ms

--- 192.70.106.142 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 3.7/3.7/3.7 ms

It turns out that this bug comes from an incorrect mapping between TDI objects and TCP sockets.

The Winsock API (implementation of BSD sockets API on Windows systems) is implemented on TCP/IP using the Afd driver, which uses the TDI (Transport Driver Interface) API to communicate with the TCP/IP driver.

To implement an outgoing TCP connection, the Afd driver creates two TDI objects:
a TDI address object
a TDI connection object
Using a simple TCP client (nc.exe, [9]) to establish a TCP connection to port 22 of a remote server:
C:\WINNT>nc -z 192.168.1.254 22

the implementation at the TDI level can be monitored, using the TDIMon tool [10]:
1 8246D3F0 IRP_MJ_Create TCP:0.0.0.0:0 SUCCESS Address Open
2 8246D3F0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1038 SUCCESS Error Event
3 8246D3F0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1038 SUCCESS Disconnect Event
4 8246D3F0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1038 SUCCESS Receive Event
5 8246D3F0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1038 SUCCESS Expedited Receive Event
6 8246D3F0 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:1038 SUCCESS Chained Receive Event
7 8246D3F0 TDI_QUERY_INFORMATION TCP:0.0.0.0:1038 SUCCESS Query Address
8 824C1AE0 IRP_MJ_Create TCP:Connection obj SUCCESS Context:0x822CF9B8
9 824C1AE0 TDI_ASSOCIATE_ADDRES TCP:Connection obj SUCCESS TCP:0.0.0.0:1038
10 824C1AE0 TDI_CONNECT TCP:0.0.0.0:1038 192.168.1.254:22 SUCCESS

The output can be interpreted as follows:
line 1, a create request (IRP_MJ_Create) for a TDI address object is sent to the TCP/IP driver. The driver returns an object at address 0x8246D3F0.
from line 2 to line 6, handlers are associated with the object for the different events that can occur. In particular, line 4 associates a handler that receives notifications when data arrives on port 1038.
lines 8, 9 and 10 show the creation of the TDI object used to represent the outgoing TCP connection. On line 10, the TDI_CONNECT command establishes the TCP connection to port 22 of the machine with IP address 192.168.1.254.
Thus, it appears that at the TDI level, a TCP connection is implemented using two TDI objects:
one object representing the TCP connection itself
one object used to receive data sent to the local port
The problem is that the GetTcpTable() API, which retrieves the contents of the current TCP connection table, incorrectly translates the second TDI object into a TCP listening socket. As a consequence, the port is displayed as LISTENING by the netstat command.

Note that any tool using this API reports the same incorrect results. Thus, the output of such tools must be analyzed carefully, to filter out ports wrongly reported as LISTENING.

This bug has been fixed in Windows Server 2003.
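As an added example (not part of the paper), the following Python script parses netstat output from a pre-Windows Server 2003 host and separates probable real listeners from the two display artifacts described in this section: the NT 4.0 duplicate row for a UDP-only port, and a dynamic source port of an outgoing connection reported as LISTENING. The sample output is constructed from the excerpts quoted above; the triage heuristic is ours and assumes the default 1025-5000 dynamic range.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample, assembled from the netstat excerpts quoted in this section.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  TCP    0.0.0.0:1367           0.0.0.0:0              LISTENING
  TCP    192.70.106.142:1367    192.70.106.76:22       ESTABLISHED
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
"""

NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Entry:
    proto: str
    local_ip: str
    local_port: int
    remote: str
    state: str          # empty for UDP rows


def parse_netstat(text: str) -> List[Entry]:
    """Turn `netstat -an` text into Entry rows; headers and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            proto, ip, port, remote, state = m.groups()
            rows.append(Entry(proto, ip, int(port), remote, state or ""))
    return rows


def triage_listeners(rows: List[Entry], dynamic_range=(1025, 5000)
                     ) -> Tuple[List[Entry], List[Tuple[Entry, str]]]:
    """Split TCP LISTENING rows into probable real listeners and display artifacts."""
    lo, hi = dynamic_range
    established = {r.local_port for r in rows
                   if r.proto == "TCP" and r.state == "ESTABLISHED"}
    seen = set()
    real, artifacts = [], []
    for r in rows:
        if r.proto != "TCP" or r.state != "LISTENING":
            continue
        key = (r.local_ip, r.local_port)
        if key in seen:
            artifacts.append((r, "duplicate row: NT 4.0 shows a UDP-only socket as a TCP listener"))
            continue
        seen.add(key)
        if lo <= r.local_port <= hi and r.local_port in established:
            artifacts.append((r, "source port of an outgoing connection mis-reported "
                                 "as LISTENING (fixed in Windows Server 2003)"))
            continue
        real.append(r)
    return real, artifacts


if __name__ == "__main__":
    real, artifacts = triage_listeners(parse_netstat(SAMPLE_NETSTAT))
    for r in real:
        print(f"listener  {r.local_ip}:{r.local_port}")
    for r, why in artifacts:
        print(f"artifact  {r.local_ip}:{r.local_port}  ({why})")
```

On the sample, 135/tcp and 139/tcp come out as listeners, while the second 135/tcp row and port 1367 are flagged. The heuristic deliberately only flags dynamic-range ports that also carry an ESTABLISHED connection, so a genuine server on a low port with active clients is never hidden.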


2.4.2 Identifying processes behind sockets
Starting with Windows XP, the netstat command can be used to identify which process uses a given socket [11]. Before Windows XP, the following tools can be used:
TCPView [12]
Fport [13]
These tools will give the PID (Process Identifier) of processes using sockets.

However, knowing the PID is not always enough to identify precisely which system component opened a given socket, particularly in the following cases:
Standard Windows services run in a few shared processes (services.exe, svchost.exe). The aforementioned tools return the PID of the process but cannot identify which service in a shared process opened a given socket. It is then necessary to stop services inside the shared process one by one, to determine which service owns a given socket.
Some sockets are reported as owned by the System process.
On a default Windows system, some sockets will be reported as owned by the System process (pid 8 on Windows 2000, pid 4 on Windows XP and Windows Server 2003): these sockets are opened by drivers communicating directly with the TCP/IP driver in kernel-mode.

It is not possible to statically identify which driver opened a given port. Thus, it is sometimes hard to figure out why a port is opened when it has been opened by a driver. For example, on some Windows systems, port 1025 (the first dynamic port) seems to be opened by an unknown driver at system startup.

The following well-known ports are opened by the following drivers:
137/udp, 138/udp, 139/tcp, 445/tcp, 445/udp: netbt.sys
source ports used for outgoing SMB sessions (with a TCP destination port equal to 139/tcp or 445/tcp): netbt.sys
1701/udp, 1723/tcp: raspptp.sys


2.5 Sockets binding and hijacking
As explained earlier, the Windows TCP/IP stack does not implement privileged ports. More precisely, any process can bind a socket to any port, even when another socket is already bound to that port. Thus, it becomes possible to hijack a TCP server.

This kind of vulnerability was published for the first time in February 1998, in the security advisory NT port binding security [14].

This advisory showed how, for example, any user could hijack the Windows NT 4 SMB server, binding a TCP server on port TCP 139 using a specific IP address in the bind() call.

Microsoft released knowledge base article 194431 [18], mentioning the problem and stating that it was fixed in Windows NT 4.0 Service Pack 4.

Actually, Microsoft introduced in NT 4.0 Service Pack 4 a new socket option, SO_EXCLUSIVEADDRUSE, that can be used by an application to protect itself from this vulnerability. However:
it seems that Microsoft itself did not use this socket option in its servers (particularly, IIS 4 and IIS 5)
this socket option cannot be used by drivers, which communicate directly with the TCP/IP driver without using the Winsock API.

2.5.1 SO_EXCLUSIVEADDRUSE socket option
The SO_EXCLUSIVEADDRUSE socket option is documented as follows in MSDN [19]:
The SO_EXCLUSIVEADDRUSE option prevents other sockets from being forcibly bound to the same address and port, a practice enabled by the SO_REUSEADDR option; such reuse can be executed by malicious applications to disrupt the application.
Thus, when this socket option is set by an application before calling the bind() function, no other application will be able to bind to the same local address, even when SO_REUSEADDR is set, as nc.exe does.

As said earlier, the Winsock API is implemented by the Afd driver, which interacts with the TCP/IP driver using the TDI interface. At the TDI level, TCP and UDP ports are represented by file objects.

The implementation of the SO_EXCLUSIVEADDRUSE socket option opens file objects in exclusive mode, setting the ShareAccess parameter of the ZwCreateFile() function to 0. Thus, file objects representing TCP and UDP ports can only be opened in exclusive mode, which corresponds to exclusive binding at the Winsock level.


2.5.2 Example of multiple bindings: NetBT driver in Windows NT 4.0 SP6a
What follows is a demonstration of multiple bindings on a Windows NT 4.0 SP6a system. As NetBIOS over TCP/IP is active on the system, TCP port 139 is opened by the NetBT driver and bound to IP address 192.70.106.143:
C:\>netstat -an | find "139"
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING

Then, a nc.exe process is bound to the same port and same IP address:
C:\>nc -l -p 139 -s 192.70.106.143

C:\>netstat -an | find "139"
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING
TCP 192.70.106.143:139 0.0.0.0:0 LISTENING

The next TCP connection will be routed to the nc.exe process, hijacking the SMB server.

Using socat [15] to establish a TCP connection to port 139 of IP address 192.70.106.143, the blah string is sent:
jbm@garbarek ~> socat - tcp4:192.70.106.143:139
blah

The blah string is received by the nc.exe process:
C:\>nc -l -p 139 -s 192.70.106.143
blah

C:\>

An interesting way to exploit this vulnerability would be to set up an SMB redirector that would redirect all SMB traffic to another machine [16].

When Microsoft introduced the SO_EXCLUSIVEADDRUSE socket option in Windows NT 4.0 Service Pack 4, it did not fix that problem, because the NetBT driver was not modified to set the ShareAccess parameter of its ZwCreateFile() function calls to 0.

A fix for the NetBT driver was finally introduced in the C2 Update Post-SP6a hotfix, because one TCSEC C2 requirement mandates that an unprivileged user-mode program should not be able to listen to ports used by Windows NT services [17].

This fix is also available in the Windows NT 4.0 Security Rollup Package. To enable it, the following registry value must be configured:
Key: HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value: EnablePortLocking (REG_DWORD)
Content: 0 to disable protection (default), 1 to enable protection

2.5.3 Multiple sockets bindings
For TCP servers, there are several cases of multiple socket bindings that can occur when the first server did not specify SO_EXCLUSIVEADDRUSE and the second server specifies SO_REUSEADDR:
One TCP server bound to all interfaces (INADDR_ANY or 0.0.0.0) and then a second TCP server bound to a specific interface
One TCP server bound to a specific interface and then a second TCP server bound to all interfaces
One TCP server bound to a specific interface and then a second TCP server bound to another specific interface
One TCP server bound to a specific interface and then a second TCP server bound to the same specific interface
The first case is a serious security problem. This means that if a TCP server is bound to all interfaces, it is later possible to start a TCP server bound to the same port but on a specific interface. The second TCP server will receive all TCP connection segments sent to the IP address of the specific interface.

As the TCP/IP stack does not implement privileged ports, it is possible to disrupt any TCP servers using this technique.

The second case is not a security problem. The second server will receive TCP connection segments sent to any IP address different from the IP address of the specific interface.

The third case is not a security problem, as the two servers are listening on different specific interfaces.

The fourth case is problematic because two TCP servers are bound to exactly the same local address (same port and same IP address). The MSDN documentation [19] explains that in that case, the behavior is undefined as to which sockets will receive incoming connection requests.

However, it seems that on Windows NT 4.0, the second server will receive the packets, which is the worst case because this means that the first server is hijacked. This is what happens with the NetBT driver on Windows NT 4.0 SP6a, as seen earlier.

As a conclusion, it seems important to use the SO_EXCLUSIVEADDRUSE socket option to prevent socket hijacking.
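The following Python example, added here and not taken from the paper, serves both section 2.5.1 and the four cases of section 2.5.3. It contains a listener that sets SO_EXCLUSIVEADDRUSE before bind() (the hardened form), a self-check that confirms a second SO_REUSEADDR socket cannot take over the same address, and a small model of the binding rules as the paper describes them. SO_EXCLUSIVEADDRUSE exists only in the Windows socket module, so the two socket functions raise on other platforms rather than silently skipping the option; the model function is pure and runs anywhere. The outcome strings and the model are our own, not the TCP/IP driver's logic.

```python
import socket

ANY = "0.0.0.0"

# Possible outcomes of a second bind() to a port that is already bound,
# following sections 2.5.1 and 2.5.3 of the text (our labels).
REFUSED_EXCLUSIVE = "refused: first socket set SO_EXCLUSIVEADDRUSE"
REFUSED_IN_USE = "refused: address in use (second socket did not set SO_REUSEADDR)"
HIJACK = "hijack: second socket receives every connection to its specific address"
COEXIST = "coexist: the two sockets serve different addresses"
UNDEFINED = "undefined: identical address, MSDN does not say which socket wins (NT 4.0: the second)"


def predict_second_bind(first_ip: str, first_exclusive: bool,
                        second_ip: str, second_reuse: bool) -> str:
    """Model of the binding rules described in the text, for the same port."""
    if first_exclusive:
        return REFUSED_EXCLUSIVE
    if not second_reuse:
        return REFUSED_IN_USE
    if first_ip == ANY and second_ip != ANY:
        return HIJACK          # case 1: the dangerous one
    if first_ip != ANY and second_ip == ANY:
        return COEXIST         # case 2: wildcard serves the other addresses
    if first_ip != second_ip:
        return COEXIST         # case 3: two distinct specific addresses
    return UNDEFINED           # case 4: exactly the same local address


def open_listener(ip: str, port: int, exclusive: bool = True) -> socket.socket:
    """Hardened TCP listener: SO_EXCLUSIVEADDRUSE must be set before bind()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if exclusive:
            opt = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)   # Windows only
            if opt is None:
                raise OSError("SO_EXCLUSIVEADDRUSE is not available on this platform")
            s.setsockopt(socket.SOL_SOCKET, opt, 1)
        s.bind((ip, port))
        s.listen(5)
    except Exception:
        s.close()
        raise
    return s


def exclusive_bind_holds(ip: str, port: int) -> bool:
    """Windows self-check for a server: open an exclusive listener, then confirm
    that a second socket bound the way nc.exe does (SO_REUSEADDR) is refused."""
    server = open_listener(ip, port, exclusive=True)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        second.bind((ip, port))
    except OSError:
        return True       # protection works: the second bind() failed
    else:
        return False      # the listener could be hijacked
    finally:
        second.close()
        server.close()
```

Usage on a Windows host: `exclusive_bind_holds("0.0.0.0", 8080)` returns True, whereas replacing `exclusive=True` by `exclusive=False` inside it reproduces the weak configuration of section 2.5.4 and returns False. The model reproduces the text's conclusions: a wildcard listener followed by a specific-address SO_REUSEADDR bind is the hijack case, and any listener that set SO_EXCLUSIVEADDRUSE refuses all later binds.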


2.5.4 What happens when SO_EXCLUSIVEADDRUSE is not used?
Even if Microsoft introduced the SO_EXCLUSIVEADDRUSE socket option in Windows NT 4.0 Service Pack 4, it seems that it was not used in some Microsoft application servers.

For example, the http server part of Microsoft IIS 5 listens by default on all interfaces on port 80 and 443. It is possible to hijack the IIS 5 server with a TCP server bound to the IP address of a specific interface.

Even more interesting, when a TCP server listens on all interfaces, it is possible to silently intercept TCP traffic, by binding a second TCP server that intercepts the traffic and redirects it to the loopback address, finally delivering the data to the hijacked server (thanks to Franck Davy for suggesting this).

On a Windows 2000 server with IIS 5, the HTTP service listens on all interfaces:
C:\WINNT>netstat -an | find "80"
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING

Using fpipe, a second TCP server is bound to IPv4 address 192.70.106.142 and configured to redirect traffic to the loopback address (127.0.0.1), with TCP port 80 as destination:
C:\WINNT>fpipe -l 80 -r 80 -i 192.70.106.142 127.0.0.1 -v
FPipe v2.1 - TCP/UDP port redirector.
Copyright 2000
3 SMB/CIFS
3.1 SMB/CIFS protocol
The SMB (Server Message Block) protocol, renamed at some point CIFS (Common Internet File System), is the protocol behind resource sharing and remote administration functionalities in Windows systems.

For a thorough explanation of the SMB/CIFS protocol, see the SMB chapter [23] of Christopher Hertel's book, Implementing CIFS.


3.2 NetBIOS over TCP/IP
NetBIOS over TCP/IP uses 3 ports:
137/UDP, for NetBIOS name resolution, using broadcast or a WINS server
138/UDP, for session-less NetBIOS
139/TCP, for session-oriented NetBIOS
The NetBIOS API uses names to identify network resources. The nbtstat command can be used to examine and configure NetBIOS names on a Windows system.

NetBIOS over TCP/IP in itself is just a transport protocol. However, as it is the typical transport protocol for the SMB/CIFS protocol in Windows systems, it is often confused with the SMB/CIFS protocol, which does the dirty work on Windows systems.

For technical details about NetBIOS over TCP/IP, the reference documentation is the NBT chapter [24] of Christopher Hertel's book, Implementing CIFS.


3.3 SMB transports
Before Windows 2000, the typical transport protocol of SMB/CIFS was NetBIOS over TCP/IP. Starting with Windows 2000, SMB/CIFS can be carried directly into TCP (445/tcp), without an intermediary NetBT layer.

To identify which SMB transports are active on a Windows system, the net config rdr and net config srv commands can be used. These commands use the NetWkstaTransportEnum() and NetServerTransportEnum() Win32 APIs:
C:\WINNT>net config rdr

[...]

Workstation active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{33227EBB-55A3-49EA-823D-51836B978EFD} (000102A495B2)

[...]

C:\WINNT>net config srv

[...]

Server is active on
NetBT_Tcpip_{33227EBB-55A3-49EA-823D-51836B978EFD} (000102a495b2)
NetBT_Tcpip_{33227EBB-55A3-49EA-823D-51836B978EFD} (000102a495b2)
NetbiosSmb (000000000000)
NetbiosSmb (000000000000)

[...]


The NetWkstaTransportEnum() and NetServerTransportEnum() Win32 APIs are implemented by two RPC calls, NetrWkstaTransportEnum() and NetrServerTransportEnum(). The rpcclient utility of Samba-TNG [25] supports the srvtransports command, which can be used to retrieve server-side transports.

Note: Windows NT 4.0 and Windows 2000 systems apparently have a bug in the NetServerTransportEnum() API, which retrieves server-side transports: each transport appears twice.

Active transports are:
NetbiosSmb is the raw SMB transport (445/tcp) [26].
NetBT_Tcpip_{...} is the NetBT SMB transport, bound on a per-adapter basis
The raw SMB transport cannot be disabled on a per-adapter basis. To completely disable it, the NetBT driver must be stopped.

A Windows system with both SMB transports active tries to connect to 445/tcp and 139/tcp at the same time. If the connection to 445/tcp is accepted, the connection to port 139 is closed (sending a TCP segment with the RST flag set), i.e., raw SMB transport is preferred over NetBT transport [27].


4 MSRPC, a.k.a. Microsoft implementation of DCE RPC
4.1 Introduction
The RPC (Remote Procedure Call) mechanism allows an application to seamlessly invoke remote procedures, as if these procedures were executed locally.

There are two main implementations of the RPC mechanism:
ONC RPC [28]
DCE RPC [29]
MSRPC is the Microsoft implementation of the DCE RPC mechanism. In particular, Microsoft added new transport protocols for DCE RPC, notably the ncacn_np transport, which uses named pipes carried over the SMB protocol.

For an interesting story of Windows and of how Microsoft chose to implement DCE RPC, see the A brief history of Windows article [30].


4.2 DCE RPC Interface
An interface is a set of related operations (procedures) that can be invoked remotely. Each interface is distinguished by an interface identifier (ifid) and an interface version number.

For a detailed explanation of DCE RPC interface, see figure 2.2 [31] in the DCE RPC 1.1 documentation.
4.3 DCE RPC transports
The RPC mechanism has been designed to be transport-independent: different protocols can be used to transport remote procedure parameters and execution results.

More precisely, transport protocols are identified by protocol sequence identifiers. Windows systems typically use the following protocol sequences:
ncacn_ip_tcp: TCP/IP transport
ncadg_ip_udp: UDP/IP transport
ncacn_np: named pipes transport, using SMB
ncalrpc: local RPC
ncacn_http: HTTP transport, using IIS
An endpoint is the entity used at the transport level to remotely invoke an RPC service. The nature of an endpoint is specific to each protocol sequence:
ncacn_ip_tcp: TCP port
ncadg_ip_udp: UDP port
ncacn_np: named pipe
ncalrpc: LPC port
ncacn_http: 593/tcp
Most LPC ports are DCE RPC endpoints. Using the Winobj tool [32], you can see a list of LPC ports used as DCE RPC endpoints on a running system, under the RPC Control subdirectory of the NT kernel Object Manager namespace.

However, not all TCP or UDP ports are DCE RPC endpoints, nor are all named pipes.

One method to identify if a TCP port, UDP port or named pipe is a DCE RPC endpoint is to try to bind to the RPC service supposedly listening on the supposed endpoint. If the bind operation fails or blocks, then the tested endpoint is probably not a DCE RPC endpoint.

The ifids tool, part of Todd Sabin's RPC Tools [33] can be used to identify RPC services endpoints. A demonstration of this tool is given in [36].
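To make the bind test described above concrete, here is an added Python example (not code from the paper and not Todd Sabin's tools) that encodes a DCE RPC bind PDU for a given interface identifier and version, decodes the bind_ack or bind_nak answer, and wraps both in an audit helper for ncacn_ip_tcp endpoints. Field layout follows the DCE 1.1 RPC specification's connection-oriented PDUs; the epmapper ifid used as the default is the one listed in the named pipe table later in this paper. A bind_ack constructor is included only so the decoder can be exercised offline: a real server would produce that PDU.

```python
import socket
import struct
import uuid
from typing import Tuple

NDR_TRANSFER_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"   # NDR, version 2.0
EPMAPPER_IFID = "e1af8308-5d1f-11c9-91a4-08002b14a0fa"         # endpoint mapper, v3.0
PTYPE_BIND, PTYPE_BIND_ACK, PTYPE_BIND_NAK = 11, 12, 13
# rpc_vers, vers_minor, ptype, pfc_flags, packed_drep, frag_length, auth_length, call_id
HEADER = "<BBBB4sHHI"
RESULTS = {0: "acceptance", 1: "user_rejection", 2: "provider_rejection", 3: "negotiate_ack"}
REASONS = {0: "not_specified", 1: "abstract_syntax_not_supported",
           2: "transfer_syntaxes_not_supported", 3: "local_limit_exceeded"}


def _syntax_id(ifid: str, major: int, minor: int) -> bytes:
    # p_syntax_id_t: UUID with little-endian field order, then version (major, minor)
    return uuid.UUID(ifid).bytes_le + struct.pack("<HH", major, minor)


def _header(ptype: int, body_len: int, call_id: int = 1) -> bytes:
    # pfc_flags 0x03 = FIRST_FRAG | LAST_FRAG; drep 0x10 = little-endian integers, ASCII
    return struct.pack(HEADER, 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + body_len, 0, call_id)


def build_bind(ifid: str, major: int, minor: int = 0, call_id: int = 1) -> bytes:
    """bind PDU proposing one presentation context: `ifid` v<major>.<minor> over NDR 2.0."""
    body = struct.pack("<HHI", 5840, 5840, 0)       # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<BBH", 1, 0, 0)            # n_context_elem, reserved, reserved2
    body += struct.pack("<HBB", 0, 1, 0)            # p_cont_id, n_transfer_syn, reserved
    body += _syntax_id(ifid, major, minor)          # abstract syntax: the interface under test
    body += _syntax_id(NDR_TRANSFER_SYNTAX, 2, 0)   # transfer syntax
    return _header(PTYPE_BIND, len(body), call_id) + body


def build_bind_ack(result: int, reason: int = 0, sec_addr: bytes = b"135\x00") -> bytes:
    """Constructed server reply, used here only to exercise parse_bind_reply() offline."""
    body = struct.pack("<HHI", 5840, 5840, 0x1234)
    body += struct.pack("<H", len(sec_addr)) + sec_addr
    body += b"\x00" * (-(16 + len(body)) % 4)       # p_result_list starts on a 4-byte boundary
    body += struct.pack("<BBH", 1, 0, 0)            # n_results, reserved, reserved2
    body += struct.pack("<HH", result, reason) + _syntax_id(NDR_TRANSFER_SYNTAX, 2, 0)
    return _header(PTYPE_BIND_ACK, len(body)) + body


def build_bind_nak(reason: int) -> bytes:
    """Constructed bind_nak (provider_reject_reason only), for offline decoding."""
    return _header(PTYPE_BIND_NAK, 2) + struct.pack("<H", reason)


def parse_bind_reply(pdu: bytes) -> Tuple[str, str]:
    """Classify the server's answer: ('accepted' | 'rejected' | 'bind_nak', detail)."""
    if len(pdu) < 18:
        raise ValueError("PDU too short")
    vers, _, ptype, _, _, frag_len, _, _ = struct.unpack_from(HEADER, pdu, 0)
    if vers != 5 or frag_len > len(pdu):
        raise ValueError("not a complete DCE RPC v5 PDU")
    if ptype == PTYPE_BIND_NAK:
        reason, = struct.unpack_from("<H", pdu, 16)
        return "bind_nak", f"provider_reject_reason={reason}"
    if ptype != PTYPE_BIND_ACK:
        raise ValueError(f"unexpected PDU type {ptype}")
    sec_addr_len, = struct.unpack_from("<H", pdu, 24)   # after max frags and assoc_group_id
    off = (26 + sec_addr_len + 3) & ~3                    # skip sec_addr, realign to 4 bytes
    n_results, = struct.unpack_from("<B", pdu, off)
    if n_results < 1:
        raise ValueError("empty result list")
    result, reason = struct.unpack_from("<HH", pdu, off + 4)
    if result == 0:
        return "accepted", RESULTS[0]
    return "rejected", f"{RESULTS.get(result, result)}/{REASONS.get(reason, reason)}"


def probe_tcp_endpoint(host: str, port: int, ifid: str = EPMAPPER_IFID,
                       major: int = 3, minor: int = 0, timeout: float = 5.0) -> Tuple[str, str]:
    """Audit helper over ncacn_ip_tcp: a timeout, a closed connection or an
    undecodable reply all mean the port is probably not a DCE RPC endpoint."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_bind(ifid, major, minor))
            reply = s.recv(4096)
    except OSError as exc:                       # socket.timeout is an OSError
        return "no_rpc", str(exc)
    if not reply:
        return "no_rpc", "connection closed without a reply"
    try:
        return parse_bind_reply(reply)
    except ValueError as exc:
        return "no_rpc", str(exc)
```

A bind_ack whose result is acceptance means the endpoint hosts the interface; provider_rejection with abstract_syntax_not_supported means the port is a DCE RPC endpoint but does not expose that ifid (the classification the paragraph above draws), and anything else is treated as "not an RPC endpoint". The minimal bind is 72 bytes, which the test checks against the frag_length field.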


4.4 RPC services registration
When an RPC service starts, it can register its endpoints along with the interface identifier and version of the service. A special RPC service, the portmapper service, maintains a database, the endpoint map, that can be queried to find out which endpoints can be used to invoke a given RPC service.

When an RPC service listens on a TCP or UDP endpoint, it must register itself in the endpoint map, because TCP and UDP ports are dynamically allocated to RPC services.

To query the portmapper RPC service, the rpcdump tool [33] can be used. In the output of that command, ncacn_ip_tcp and ncadg_ip_udp correspond to dynamically allocated ports.


4.5 DCE RPC over named pipes, a.k.a DCE RPC over SMB
4.5.1 Named pipes
In Windows systems, named pipes are one of the available IPC (Inter-Process Communication) mechanisms. They can be used either locally or remotely.

Accesses to remote named pipes, contained in the IPC$ share, are carried into the SMB protocol.

Named pipes are implemented by a file system driver, npfs.sys. The PipeList [34] tool can be used to enumerate the npfs namespace, to show which named pipes are opened on a local system.

Some named pipes are implemented as aliases [35], i.e., they don't really exist in the npfs namespace. Alias names are stored in the registry:
Key: HKLM\SYSTEM\CurrentControlSet\Services\Npfs\Aliases
Values: lsass, ntsvcs

Named pipes are protected by security descriptors, just like any other Windows NT object. The pipeacl tool ([37] or [38]) can be used to examine the content of the security descriptors protecting named pipes.


4.5.2 Named pipes used as DCE RPC endpoints
Some named pipes are used as DCE RPC endpoints, i.e., they are used to carry DCE RPC PDUs (Protocol Data Units). Compared to other RPC transports, the ncacn_np transport is different because it is authenticated (at the SMB layer, except when NULL sessions are used, as explained later).

Also, contrary to RPC services listening on ncacn_ip_tcp or ncadg_ip_udp, a portmapper service is not necessary for RPC services using named pipes, as the name of the named pipe identifies the RPC service.


4.5.3 Well-known DCE RPC named pipes endpoints
The following table gives a list of named pipes that are used as endpoints by Windows RPC services. The interface identifier associated to each named pipe represents the service typically accessed when a given named pipe is used.

However, due to the fact that any endpoint in a given process can be used to reach any RPC service, it is possible to use multiple RPC services using a single named pipe endpoint.

Named pipe Description Win32 service or process Interface identifier
atsvc Scheduler service mstask.exe 1ff70682-0a51-30e8-076d-740be8cee98b v1.0
AudioSrv Windows Audio service AudioSrv 3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0
browser(ntsvcs alias) Computer Browser Browser 6bffd098-a112-3610-9833-012892020162 v0.0
cert Certificate service certsrv.exe 91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0
Ctx_WinStation_API_service Terminal Services remote management termsrv.exe 5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0
DAV RPC SERVICE WebDAV client WebClient c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0
dnsserver DNS Server dns.exe 50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0
epmapper RPC endpoint mapper RpcSs e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
eventlog(ntsvcs alias) Eventlog service Eventlog 82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
HydraLsPipe Terminal Server Licensing lserver.exe 3d267954-eeb7-11d1-b94e-00c04fa3080d v1.0
InitShutdown (Remote) system shutdown winlogon.exe 894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
keysvc Cryptographic services CryptSvc 8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
keysvc Cryptographic services CryptSvc 0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
locator RPC Locator service locator.exe d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0
llsrpc License Logging service llssrv.exe 342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
lsarpc(lsass alias) LSA access lsass.exe 12345778-1234-abcd-ef00-0123456789ab v0.0
lsarpc(lsass alias) LSA DS access lsass.exe 3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0
msgsvc(ntsvcs alias) Messenger service messenger 5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
netdfs Distributed File System service Dfssvc 4fc742e0-4a10-11cf-8273-00aa004ae673 v3.0
netlogon(lsass alias) Net Logon service Netlogon 12345678-1234-abcd-ef00-01234567cffb v1.0
ntsvcs Plug and Play service services.exe 8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
policyagent IPSEC Policy Agent(Windows 2000) PolicyAgent d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5
ipsec IPsec Services PolicyAgent 12345678-1234-abcd-ef00-0123456789ab v1.0
ProfMapApi Userenv winlogon.exe 369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0
protected_storage Protected Storage lsass.exe c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
ROUTER Remote Access mprdim.dll 8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0
samr(lsass alias) SAM access lsass.exe 12345778-1234-abcd-ef00-0123456789ac v1.0
scerpc Security Configuration Editor (SCE) services.exe 93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
SECLOGON Secondary logon service seclogon 12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0
SfcApi Windows File Protection winlogon.exe 83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0
spoolss Spooler service spoolsv.exe 12345678-1234-abcd-ef00-0123456789ab v1.0
srvsvc(ntsvcs alias) Server service lsass.exe 4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
ssdpsrv SSDP service ssdpsrv 4b112204-0e19-11d3-b42b-0000f81feb9f v1.0
svcctl(ntsvcs alias) Services control manager services.exe 367aeb81-9844-35f1-ad32-98f038001003 v2.0
tapsrv Telephony service Tapisrv 2f5f6520-ca46-1067-b319-00dd010662da v1.0
trkwks Distributed Link Tracking Client Trkwks 300f3532-38cc-11d0-a3f0-0020af6b0add v1.2
W32TIME(ntsvcs alias) Windows Time(Windows 2000 and XP) w32time 8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1
W32TIME_ALT Windows Time(Windows Server 2003) w32time 8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1
winlogonrpc Winlogon winlogon.exe a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
winreg Remote registry service RemoteRegistry 338cd001-2244-31f1-aaaa-900038001003 v1.0
winspipe WINS service wins.exe 45f52c28-7f9f-101a-b52b-08002b2efabe v1.0
wkssvc(ntsvcs alias) Workstation service lsass.exe 6bffd098-a112-3610-9833-46c3f87e345a v1.0

4.6 NULL sessions
4.6.1 Introduction
NULL sessions refer to the possibility of using unauthenticated SMB sessions to the IPC$ share to gather information anonymously, using RPC function calls carried over SMB.

SMB sessions are typically authenticated. However, it is possible to use an empty username and password, which results in a NULL session, i.e. an anonymous SMB session.


4.6.2 NULL sessions and infrastructure-level restrictions
The NT security token (impersonation token) associated with an anonymous network logon session (NULL session) contains the EVERYONE SID. Thus, if the DACL (Discretionary Access Control List) of a share grants access to the EVERYONE SID, it should be possible to connect to it.

Actually, this was the case until Microsoft added NULL sessions restrictions in Windows NT 3.5. These restrictions are controlled by the following registry value, which is enabled by default starting with NT 3.5:
Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: RestrictNullSessAccess (REG_DWORD)
Content: 1 to enable NULL sessions restrictions (default value)

The first category of restrictions allows the administrator to configure which shares can be used anonymously:
Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: NullSessionShares (REG_SZ)

This registry value is also set by a security option, starting with Windows XP:
Network access: Shares that can be accessed anonymously
On default Windows systems, this value contains the COMCFG and DFS$ shares.

The IPC$ share does not appear in this registry value. However, it is always possible to connect anonymously to it. Restrictions for the IPC$ share are implemented at the named pipes level:
Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: NullSessionPipes (REG_SZ)

On default Windows NT 4.0 systems, the following named pipes can be opened in the context of a NULL session:
Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: NullSessionPipes (REG_SZ)
Default value: COMNAP COMNODE SQLQUERY SPOOLSS LLSRPC EPMAPPER LOCATOR WINREG

On default Windows 2000 systems, there are two more named pipes (TrkWks and TrkSvr, opened by the Distributed Link Tracking Client and Distributed Link Tracking Server services):
Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Value: NullSessionPipes (REG_SZ)
Default value: COMNAP COMNODE SQLQUERY SPOOLSS LLSRPC EPMAPPER LOCATOR TrkWks TrkSvr

Starting with Windows XP, this registry value can be set via a security option:
Network access: Pipes that can be accessed anonymously
However, just as IPC$ does not appear in the NullSessionShares value, it is always possible to connect anonymously to the following pipes, which are hardcoded in the npfs.sys driver:
\pipe\lsarpc, \pipe\samr, \pipe\netlogon (\pipe\lsass aliases)
\pipe\wkssvc, \pipe\srvsvc, \pipe\browser (\pipe\ntsvcs aliases)

Thus, it is possible to open the lsarpc named pipe in the context of a NULL session (but not the lsass named pipe, even though the first one is an alias of the second one, as explained earlier).

As for named pipes permissions, it is possible to use the pipeacl tool mentioned earlier to examine the security descriptors set on named pipes.

In Windows 2000, named pipes DACLs seem to grant permissions to the EVERYONE group and the builtin Administrators group. In Windows Server 2003, the DACLs grant permissions to EVERYONE, ANONYMOUS LOGON and Administrators, because in Windows XP and Windows Server 2003 the following registry value is set to 0:
Key: HKLM\SYSTEM\CurrentControlSet\Control\LSA
Value: EveryoneIncludesAnonymous
Content: 0 (default value)

The counterpart security option is:
Network access: Let Everyone permissions apply to anonymous users (disabled by default)
4.6.3 NULL sessions - system-level restrictions
Actually, NULL sessions have security implications because the security context of a NULL session contains the EVERYONE SID. Thus, the EVERYONE group includes anonymous users and, if a DACL grants some accesses to the EVERYONE group, such accesses can be performed in the context of a NULL session. Microsoft introduced the AUTHENTICATED USERS group in Windows NT 4.0 SP3, which contains only authenticated users. This group can be used to grant permissions instead of EVERYONE.

Also, starting with Windows NT 4.0 SP3, the LSA (Local Security Authority) can be configured to restrict the capabilities of a NULL session, with the following registry value:
Key: HKLM\SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous
Content: 0 (no restriction), 1 (some restrictions), 2 (only valid in Windows 2000 and later)

This registry value is also a group policy security option, starting with Windows 2000:
Additional restrictions for anonymous connections
Setting RestrictAnonymous to 2 completely disables NULL sessions, because, in that case, the NT security token of a NULL session no longer contains the EVERYONE SID. Thus, connection to the IPC$ share fails, as the share permissions are set for the EVERYONE SID.

When RestrictAnonymous is set to 1 in Windows NT or Windows 2000, it is still possible to gather some interesting information anonymously [39], using the appropriate function calls and tools [40].
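The registry values described in this section and the previous one combine into a single question an auditor has to answer: given a machine's configuration, which named pipes can a NULL session actually open? The following script is an added example, not code from the original article or from HSC: it encodes the rules stated above (RestrictNullSessAccess switching the restrictions on, NullSessionPipes adding pipes, the six pipes hardcoded in npfs.sys, RestrictAnonymous and EveryoneIncludesAnonymous on the LSA side) and evaluates them against a dictionary of values, so it can be run offline on values exported from the machine under review. The two default configurations embedded in it are the NT 4.0 and Windows 2000 defaults quoted above; read_live_config() is an optional helper that reads the live registry with the standard winreg module and therefore only works on Windows.

```python
"""Decide which named pipes a NULL session may open under a given configuration.

Added example, not code from the original article. It encodes the rules the
article gives for the LanmanServer and LSA registry values. The audit works on a
plain dict of values; read_live_config() (Windows only) fills such a dict from
the local registry.
"""
from __future__ import annotations

LANMAN_PARAMS = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\LSA"

# Pipes hardcoded in npfs.sys as always openable in a NULL session. The alias
# targets (lsass, ntsvcs) are deliberately absent: the check applies to the
# name used in the open request, not to the pipe it resolves to.
HARDCODED_NULL_PIPES = frozenset({"lsarpc", "samr", "netlogon", "wkssvc", "srvsvc", "browser"})

# Default values quoted in the article for Windows NT 4.0 and Windows 2000.
DEFAULT_NT4_CONFIG = {
    "RestrictNullSessAccess": 1,
    "NullSessionPipes": "COMNAP COMNODE SQLQUERY SPOOLSS LLSRPC EPMAPPER LOCATOR WINREG",
    "RestrictAnonymous": 0,
}
DEFAULT_W2K_CONFIG = {
    "RestrictNullSessAccess": 1,
    "NullSessionPipes": "COMNAP COMNODE SQLQUERY SPOOLSS LLSRPC EPMAPPER LOCATOR TrkWks TrkSvr",
    "RestrictAnonymous": 0,
}


def _pipe_name(pipe: str) -> str:
    """Normalise '\\pipe\\LsaRpc', 'pipe\\lsarpc' or 'lsarpc' to 'lsarpc' (names are case-insensitive)."""
    return pipe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def configured_null_pipes(cfg: dict) -> set[str]:
    """NullSessionPipes is a space-separated REG_SZ in the article; a list (REG_MULTI_SZ) is accepted too."""
    raw = cfg.get("NullSessionPipes", "")
    items = raw.split() if isinstance(raw, str) else list(raw)
    return {_pipe_name(p) for p in items if p}


def anonymous_pipe_allowed(pipe: str, cfg: dict) -> bool:
    """True if the server service lets a NULL session open \\pipe\\<pipe> under this configuration."""
    if int(cfg.get("RestrictNullSessAccess", 1)) == 0:
        return True  # restrictions switched off: every pipe is reachable anonymously
    name = _pipe_name(pipe)
    return name in HARDCODED_NULL_PIPES or name in configured_null_pipes(cfg)


def audit(cfg: dict) -> list[str]:
    """Return human-readable findings about the anonymous access exposure."""
    findings = []
    if int(cfg.get("RestrictNullSessAccess", 1)) == 0:
        findings.append("RestrictNullSessAccess=0: NULL session restrictions are disabled")
    extra = sorted(configured_null_pipes(cfg) - HARDCODED_NULL_PIPES)
    if extra:
        findings.append("NullSessionPipes adds anonymously openable pipes: " + ", ".join(extra))
    restrict_anonymous = int(cfg.get("RestrictAnonymous", 0))
    if restrict_anonymous == 0:
        findings.append("RestrictAnonymous=0: anonymous LSA/SAM enumeration is not restricted")
    elif restrict_anonymous == 1:
        findings.append("RestrictAnonymous=1: partial restrictions, some information still enumerable anonymously")
    if int(cfg.get("EveryoneIncludesAnonymous", 0)) == 1:
        findings.append("EveryoneIncludesAnonymous=1: EVERYONE permissions apply to anonymous users")
    return findings


def read_live_config() -> dict:
    """Read the relevant values from the local registry (Windows only)."""
    import winreg

    wanted = (
        (LANMAN_PARAMS, ("RestrictNullSessAccess", "NullSessionPipes", "NullSessionShares")),
        (LSA_KEY, ("RestrictAnonymous", "EveryoneIncludesAnonymous")),
    )
    cfg = {}
    for key_path, names in wanted:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            for name in names:
                try:
                    cfg[name], _value_type = winreg.QueryValueEx(key, name)
                except FileNotFoundError:
                    pass  # value absent: the default applies
    return cfg


if __name__ == "__main__":
    for finding in audit(DEFAULT_W2K_CONFIG):
        print(finding)
```

Run against the Windows 2000 defaults, the audit flags only RestrictAnonymous=0 and the non-hardcoded pipes listed in NullSessionPipes; the lsarpc/lsass asymmetry described above falls out of the name check, since only the requested name is compared against the hardcoded set.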


4.6.4 How NULL sessions restrictions are implemented
NULL sessions restrictions for the LSA RPC service (lsarpc named pipe) and SAM RPC service (samr named pipe) are implemented with:
ACL on the LSA policy objects
ACL on the SAM objects hierarchy
The ACL tools package [41] contains the lsasacl and samacl tools, which can be used to examine DACL on these objects. As a side note, you can also examine SACL on these objects and understand why 560 and 565 events appear in the Windows Security eventlog once you enable object access auditing, as described in [42].

Restrictions for the lanmanserver and lanmanworkstation RPC service calls (srvsvc and wkssvc named pipes) are apparently hardcoded and documented in MSDN, under the Security requirements section. Depending on the requested information level, membership in the Administrators or Account Operators local group may or may not be required.

For some functions, the Security requirements section mentions the Pre-Windows 2000 Compatible Access, which exists on domain controllers. When this group contains the Everyone SID, it is possible to anonymously retrieve information on a domain controller. Thus, when possible, the Everyone SID must be removed from this group.

On workstations or member servers, only authenticated users can retrieve information (except when anonymous restrictions are disabled with RestrictAnonymous set to 0).


4.6.5 NULL sessions restrictions in Windows XP and Windows Server 2003
Windows XP and Windows Server 2003 have security options that can be used to specify more precisely which restrictions are enabled:
Network access: Allow anonymous SID/Name translation (Disabled by default)
Network access: Do not allow anonymous enumeration of SAM accounts (Enabled by default)
Network access: Do not allow anonymous enumeration of SAM accounts and shares (Disabled by default)
When the first security option is enabled, the DACL on the LSA policy object is modified, as shown with the lsaacl tool:
When the option is disabled, an ACE explicitly denies the Lookup Names access to the ANONYMOUS LOGON SID.
When it is enabled, this ACE is changed to allow the View Local Info and Lookup Names accesses to the ANONYMOUS LOGON SID.
The second security option modifies the ACE on SAM hierarchy objects, replacing the EVERYONE SID by the AUTHENTICATED USERS SID. This change is not dynamic and requires a reboot, unlike the previous security option.

The third security option sets the RestrictAnonymous registry value to 1.

The equivalent of RestrictAnonymous set to 2 in Windows XP and Windows Server 2003 is the security option mentioned earlier, which sets the EveryoneIncludesAnonymous registry value:
Network access: Let Everyone permissions apply to anonymous users (disabled by default)
4.7 RPC services listening on named pipes
This section gives a list of RPC services that are typically reached using named pipes. Some of these RPC services are dissected by Ethereal ([43]), the best network analyzer, including for Windows network protocols.

The Ethereal network analyzer properly dissects the following RPC interfaces, used by Windows administration tools:
atsvc: Scheduler service management
browser: Browser service management
dnsserver: DNS service management
netdfs: Dfs service management
spoolss: Spooler service management
srvsvc: Server service management
svcctl: services management
winreg: remote registry access
wkssvc: Workstation service management
Also, Windows NT and Active Directory domains are built on the following RPC interfaces:
lsarpc: Local Security Authority (LSA) RPC service
samr: Security Account Manager RPC service
netlogon: Netlogon service


4.7.1 lsarpc interface
The lsarpc interface is used to communicate with the LSA (Local Security Authority) subsystem.

Interface Operation number Operation name
12345778-1234-abcd-ef00-0123456789ab v0.0: lsarpc
0x00 LsarClose
0x01 LsarDelete
0x02 LsarEnumeratePrivileges
0x03 LsarQuerySecurityObject
0x04 LsarSetSecurityObject
0x05 LsarChangePassword
0x06 LsarOpenPolicy
0x07 LsarQueryInformationPolicy
0x08 LsarSetInformationPolicy
0x09 LsarClearAuditLog
0x0a LsarCreateAccount
0x0b LsarEnumerateAccounts
0x0c LsarCreateTrustedDomain
0x0d LsarEnumerateTrustedDomains
0x0e LsarLookupNames
0x0f LsarLookupSids
0x10 LsarCreateSecret
0x11 LsarOpenAccount
0x12 LsarEnumeratePrivilegesAccount
0x13 LsarAddPrivilegesToAccount
0x14 LsarRemovePrivilegesFromAccount
0x15 LsarGetQuotasForAccount
0x16 LsarSetQuotasForAccount
0x17 LsarGetSystemAccessAccount
0x18 LsarSetSystemAccessAccount
0x19 LsarOpenTrustedDomain
0x1a LsarQueryInfoTrustedDomain
0x1b LsarSetInformationTrustedDomain
0x1c LsarOpenSecret
0x1d LsarSetSecret
0x1e LsarQuerySecret
0x1f LsarLookupPrivilegeValue
0x20 LsarLookupPrivilegeName
0x21 LsarLookupPrivilegeDisplayName
0x22 LsarDeleteObject
0x23 LsarEnumerateAccountsWithUserRight
0x24 LsarEnumerateAccountRights
0x25 LsarAddAccountRights
0x26 LsarRemoveAccountRights
0x27 LsarQueryTrustedDomainInfo
0x28 LsarSetTrustedDomainInfo
0x29 LsarDeleteTrustedDomain
0x2a LsarStorePrivateData
0x2b LsarRetrievePrivateData
0x2c LsarOpenPolicy2
0x2d LsarGetUserName
0x2e LsarQueryInformationPolicy2
0x2f LsarSetInformationPolicy2
0x30 LsarQueryTrustedDomainInfoByName
0x31 LsarSetTrustedDomainInfoByName
0x32 LsarEnumerateTrustedDomainsEx
0x33 LsarCreateTrustedDomainEx
0x34 LsarCloseTrustedDomainEx
0x35 LsarQueryDomainInformationPolicy
0x36 LsarSetDomainInformationPolicy
0x37 LsarOpenTrustedDomainByName
0x38 LsarTestCall
0x39 LsarLookupSids2
0x3a LsarLookupNames2
0x3b LsarCreateTrustedDomainEx2
0x3c CredrWrite
0x3d CredrRead
0x3e CredrEnumerate
0x3f CredrWriteDomainCredentials
0x40 CredrReadDomainCredentials
0x41 CredrDelete
0x42 CredrGetTargetInfo
0x43 CredrProfileLoaded
0x44 LsarLookupNames3
0x45 CredrGetSessionTypes
0x46 LsarRegisterAuditEvent
0x47 LsarGenAuditEvent
0x48 LsarUnregisterAuditEvent
0x49 LsarQueryForestTrustInformation
0x4a LsarSetForestTrustInformation
0x4b CredrRename
0x4c LsarLookupSids3
0x4d LsarLookupNames4
0x4e LsarOpenPolicySce
0x4f LsarAdtRegisterSecurityEventSource
0x50 LsarAdtUnregisterSecurityEventSource
0x51 LsarAdtReportSecurityEvent

4.7.2 samr interface
The samr interface is used to communicate with the SAM (Security Account Manager) subsystem.

Interface Operation number Operation name
12345778-1234-abcd-ef00-0123456789ac v1.0: samr
0x00 SamrConnect
0x01 SamrCloseHandle
0x02 SamrSetSecurityObject
0x03 SamrQuerySecurityObject
0x04 SamrShutdownSamServer
0x05 SamrLookupDomainInSamServer
0x06 SamrEnumerateDomainsInSamServer
0x07 SamrOpenDomain
0x08 SamrQueryInformationDomain
0x09 SamrSetInformationDomain
0x0a SamrCreateGroupInDomain
0x0b SamrEnumerateGroupsInDomain
0x0c SamrCreateUserInDomain
0x0d SamrEnumerateUsersInDomain
0x0e SamrCreateAliasInDomain
0x0f SamrEnumerateAliasesInDomain
0x10 SamrGetAliasMembership
0x11 SamrLookupNamesInDomain
0x12 SamrLookupIdsInDomain
0x13 SamrOpenGroup
0x14 SamrQueryInformationGroup
0x15 SamrSetInformationGroup
0x16 SamrAddMemberToGroup
0x17 SamrDeleteGroup
0x18 SamrRemoveMemberFromGroup
0x19 SamrGetMembersInGroup
0x1a SamrSetMemberAttributesOfGroup
0x1b SamrOpenAlias
0x1c SamrQueryInformationAlias
0x1d SamrSetInformationAlias
0x1e SamrDeleteAlias
0x1f SamrAddMemberToAlias
0x20 SamrRemoveMemberFromAlias
0x21 SamrGetMembersInAlias
0x22 SamrOpenUser
0x23 SamrDeleteUser
0x24 SamrQueryInformationUser
0x25 SamrSetInformationUser
0x26 SamrChangePasswordUser
0x27 SamrGetGroupsForUser
0x28 SamrQueryDisplayInformation
0x29 SamrGetDisplayEnumerationIndex
0x2a SamrTestPrivateFunctionsDomain
0x2b SamrTestPrivateFunctionsUser
0x2c SamrGetUserDomainPasswordInformation
0x2d SamrRemoveMemberFromForeignDomain
0x2e SamrQueryInformationDomain2
0x2f SamrQueryInformationUser2
0x30 SamrQueryDisplayInformation2
0x31 SamrGetDisplayEnumerationIndex2
0x32 SamrCreateUser2InDomain
0x33 SamrQueryDisplayInformation3
0x34 SamrAddMultipleMembersToAlias
0x35 SamrRemoveMultipleMembersFromAlias
0x36 SamrOemChangePasswordUser2
0x37 SamrUnicodeChangePasswordUser2
0x38 SamrGetDomainPasswordInformation
0x39 SamrConnect2
0x3a SamrSetInformationUser2
0x3b SamrSetBootKeyInformation
0x3c SamrGetBootKeyInformation
0x3d SamrConnect3
0x3e SamrConnect4
0x3f SamrUnicodeChangePasswordUser3
0x40 SamrConnect5
0x41 SamrRidToSid
0x42 SamrSetDSRMPassword
0x43 SamrValidatePassword

4.7.3 netlogon interface
The netlogon interface is used to communicate with the netlogon service, which typically runs on member servers and domain controllers.

Interface Operation number Operation name
12345678-1234-abcd-ef00-01234567cffb v1.0: netlogon
0x00 NetrLogonUasLogon
0x01 NetrLogonUasLogoff
0x02 NetrLogonSamLogon
0x03 NetrLogonSamLogoff
0x04 NetrServerReqChallenge
0x05 NetrServerAuthenticate
0x06 NetrServerPasswordSet
0x07 NetrDatabaseDeltas
0x08 NetrDatabaseSync
0x09 NetrAccountDeltas
0x0a NetrAccountSync
0x0b NetrGetDCName
0x0c NetrLogonControl
0x0d NetrGetAnyDCName
0x0e NetrLogonControl2
0x0f NetrServerAuthenticate2
0x10 NetrDatabaseSync2
0x11 NetrDatabaseRedo
0x12 NetrLogonControl2Ex
0x13 NetrEnumerateTrustedDomains
0x14 DsrGetDcName
0x15 NetrLogonDummyRoutine1
0x16 NetrLogonSetServiceBits
0x17 NetrLogonGetTrustRid
0x18 NetrLogonComputeServerDigest
0x19 NetrLogonComputeClientDigest
0x1a NetrServerAuthenticate3
0x1b DsrGetDcNameEx
0x1c DsrGetSiteName
0x1d NetrLogonGetDomainInfo
0x1e NetrServerPasswordSet2
0x1f NetrServerPasswordGet
0x20 NetrLogonSendToSam
0x21 DsrAddressToSiteNamesW
0x22 DsrGetDcNameEx2
0x23 NetrLogonGetTimeServiceParentDomain
0x24 NetrEnumerateTrustedDomainsEx
0x25 DsrAddressToSiteNamesExW
0x26 DsrGetDcSiteCoverageW
0x27 NetrLogonSamLogonEx
0x28 DsrEnumerateDomainTrusts
0x29 DsrDeregisterDnsHostRecords
0x2a NetrServerTrustPasswordsGet
0x2b DsrGetForestTrustInformation
0x2c NetrGetForestTrustInformation
0x2d NetrLogonSamLogonWithFlags
0x2e NetrServerGetTrustInfo


4.7.4 browser interface
The browser interface is used to manage the browser service.

Interface Operation number Operation name
6bffd098-a112-3610-9833-012892020162 v0.0: browser
0x00 BrowserrServerEnum
0x01 BrowserrDebugCall
0x02 BrowserrQueryOtherDomains
0x03 BrowserrResetNetlogonState
0x04 BrowserrDebugTrace
0x05 BrowserrQueryStatistics
0x06 BrowserrResetStatistics
0x07 NetrBrowserStatisticsClear
0x08 NetrBrowserStatisticsGet
0x09 BrowserrSetNetlogonState
0x0a BrowserrQueryEmulatedDomains
0x0b BrowserrServerEnumEx


4.7.5 netdfs interface
The netdfs interface is used to manage the DFS (Distributed File System) Windows component.

Interface Operation number Operation name
4fc742e0-4a10-11cf-8273-00aa004ae673 v3.0: netdfs
0x00 NetrDfsManagerGetVersion
0x01 NetrDfsAdd
0x02 NetrDfsRemove
0x03 NetrDfsSetInfo
0x04 NetrDfsGetInfo
0x05 NetrDfsEnum
0x06 NetrDfsRename
0x07 NetrDfsMove
0x08 NetrDfsManagerGetConfigInfo
0x09 NetrDfsManagerSendSiteInfo
0x0a NetrDfsAddFtRoot
0x0b NetrDfsRemoveFtRoot
0x0c NetrDfsAddStdRoot
0x0d NetrDfsRemoveStdRoot
0x0e NetrDfsManagerInitialize
0x0f NetrDfsAddStdRootForced
0x10 NetrDfsGetDcAddress
0x11 NetrDfsSetDcAddress
0x12 NetrDfsFlushFtTable
0x13 NetrDfsAdd2
0x14 NetrDfsRemove2
0x15 NetrDfsEnumEx
0x16 NetrDfsSetInfo2


4.7.6 srvsvc interface
The srvsvc interface is used to manage the lanmanserver service.

Interface Operation number Operation name
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0: srvsvc
0x00 NetrCharDevEnum
0x01 NetrCharDevGetInfo
0x02 NetrCharDevControl
0x03 NetrCharDevQEnum
0x04 NetrCharDevQGetInfo
0x05 NetrCharDevQSetInfo
0x06 NetrCharDevQPurge
0x07 NetrCharDevQPurgeSelf
0x08 NetrConnectionEnum
0x09 NetrFileEnum
0x0a NetrFileGetInfo
0x0b NetrFileClose
0x0c NetrSessionEnum
0x0d NetrSessionDel
0x0e NetrShareAdd
0x0f NetrShareEnum
0x10 NetrShareGetInfo
0x11 NetrShareSetInfo
0x12 NetrShareDel
0x13 NetrShareDelSticky
0x14 NetrShareCheck
0x15 NetrServerGetInfo
0x16 NetrServerSetInfo
0x17 NetrServerDiskEnum
0x18 NetrServerStatisticsGet
0x19 NetrServerTransportAdd
0x1a NetrServerTransportEnum
0x1b NetrServerTransportDel
0x1c NetrRemoteTOD
0x1d NetrServerSetServiceBits
0x1e NetprPathType
0x1f NetprPathCanonicalize
0x20 NetprPathCompare
0x21 NetprNameValidate
0x22 NetprNameCanonicalize
0x23 NetprNameCompare
0x24 NetrShareEnumSticky
0x25 NetrShareDelStart
0x26 NetrShareDelCommit
0x27 NetrpGetFileSecurity
0x28 NetrpSetFileSecurity
0x29 NetrServerTransportAddEx
0x2a NetrServerSetServiceBitsEx
0x2b NetrDfsGetVersion
0x2c NetrDfsCreateLocalPartition
0x2d NetrDfsDeleteLocalPartition
0x2e NetrDfsSetLocalVolumeState
0x2f NetrDfsSetServerInfo
0x30 NetrDfsCreateExitPoint
0x31 NetrDfsDeleteExitPoint
0x32 NetrDfsModifyPrefix
0x33 NetrDfsFixLocalVolume
0x34 NetrDfsManagerReportSiteInfo
0x35 NetrServerTransportDelEx


4.7.7 svcctl interface
The svcctl interface is used to manage Windows services via the SCM (Service Control Manager).

Interface Operation number Operation name
367aeb81-9844-35f1-ad32-98f038001003 v2.0: svcctl
0x00 CloseServiceHandle
0x01 ControlService
0x02 DeleteService
0x03 LockServiceDatabase
0x04 QueryServiceObjectSecurity
0x05 SetServiceObjectSecurity
0x06 QueryServiceStatus
0x07 SetServiceStatus
0x08 UnlockServiceDatabase
0x09 NotifyBootConfigStatus
0x0a ScSetServiceBitsW
0x0b ChangeServiceConfigW
0x0c CreateServiceW
0x0d EnumDependentServicesW
0x0e EnumServicesStatusW
0x0f OpenSCManagerW
0x10 OpenServiceW
0x11 QueryServiceConfigW
0x12 QueryServiceLockStatusW
0x13 StartServiceW
0x14 GetServiceDisplayNameW
0x15 GetServiceKeyNameW
0x16 ScSetServiceBitsA
0x17 ChangeServiceConfigA
0x18 CreateServiceA
0x19 EnumDependentServicesA
0x1a EnumServicesStatusA
0x1b OpenSCManagerA
0x1c OpenServiceA
0x1d QueryServiceConfigA
0x1e QueryServiceLockStatusA
0x1f StartServiceA
0x20 GetServiceDisplayNameA
0x21 GetServiceKeyNameA
0x22 ScGetCurrentGroupStateW
0x23 EnumServiceGroupW
0x24 ChangeServiceConfig2A
0x25 ChangeServiceConfig2W
0x26 QueryServiceConfig2A
0x27 QueryServiceConfig2W
0x28 QueryServiceStatusEx
0x29 EnumServicesStatusExA
0x2a EnumServicesStatusExW
0x2b ScSendTSMessage


4.7.8 winreg interface
The winreg interface is used to access the registry, either locally or remotely. The interface also contains three operations related to system shutdown.

Interface Operation number Operation name
338cd001-2244-31f1-aaaa-900038001003 v1.0: winreg
0x00 OpenClassesRoot
0x01 OpenCurrentUser
0x02 OpenLocalMachine
0x03 OpenPerformanceData
0x04 OpenUsers
0x05 BaseRegCloseKey
0x06 BaseRegCreateKey
0x07 BaseRegDeleteKey
0x08 BaseRegDeleteValue
0x09 BaseRegEnumKey
0x0a BaseRegEnumValue
0x0b BaseRegFlushKey
0x0c BaseRegGetKeySecurity
0x0d BaseRegLoadKey
0x0e BaseRegNotifyChangeKeyValue
0x0f BaseRegOpenKey
0x10 BaseRegQueryInfoKey
0x11 BaseRegQueryValue
0x12 BaseRegReplaceKey
0x13 BaseRegRestoreKey
0x14 BaseRegSaveKey
0x15 BaseRegSetKeySecurity
0x16 BaseRegSetValue
0x17 BaseRegUnLoadKey
0x18 BaseInitiateSystemShutdown
0x19 BaseAbortSystemShutdown
0x1a BaseRegGetVersion
0x1b OpenCurrentConfig
0x1c OpenDynData
0x1d BaseRegQueryMultipleValues
0x1e BaseInitiateSystemShutdownEx
0x1f BaseRegSaveKeyEx
0x20 OpenPerformanceText
0x21 OpenPerformanceNlsText
0x22 BaseRegQueryMultipleValues2


4.7.9 wkssvc interface
The wkssvc interface is used to manage the lanmanworkstation service.

Interface Operation number Operation name
6bffd098-a112-3610-9833-46c3f87e345a v1.0: wkssvc
0x00 NetrWkstaGetInfo
0x01 NetrWkstaSetInfo
0x02 NetrWkstaUserEnum
0x03 NetrWkstaUserGetInfo
0x04 NetrWkstaUserSetInfo
0x05 NetrWkstaTransportEnum
0x06 NetrWkstaTransportAdd
0x07 NetrWkstaTransportDel
0x08 NetrUseAdd
0x09 NetrUseGetInfo
0x0a NetrUseDel
0x0b NetrUseEnum
0x0c NetrMessageBufferSend
0x0d NetrWorkstationStatisticsGet
0x0e NetrLogonDomainNameAdd
0x0f NetrLogonDomainNameDel
0x10 NetrJoinDomain
0x11 NetrUnjoinDomain
0x12 NetrValidateName
0x13 NetrRenameMachineInDomain
0x14 NetrGetJoinInformation
0x15 NetrGetJoinableOUs
0x16 NetrJoinDomain2
0x17 NetrUnjoinDomain2
0x18 NetrRenameMachineInDomain2
0x19 NetrValidateName2
0x1a NetrGetJoinableOUs2
0x1b NetrAddAlternateComputerName
0x1c NetrRemoveAlternateComputerName
0x1d NetrSetPrimaryComputerName
0x1e NetrEnumerateComputerNames


A vulnerability in the workstation service was published in November 2003 by Yuji Ukai, working for eEye ([45]). It can be exploited anonymously because it is always possible to open the wkssvc named pipe in the context of a NULL session, as explained earlier.


4.8 RPC services over TCP/IP
Windows RPC services are typically invoked using DCE RPC over SMB. However, some network services offer RPC services listening on TCP/IP.


4.8.1 Portmapper RPC service
TCP/IP RPC services listen on dynamic TCP or UDP ports. Thus, to reach a given RPC service, identified by its interface identifier (UUID), a port mapping service is necessary.

The portmapper service is an RPC service listening on different endpoints:
ncalrpc: epmapper LPC port
ncacn_np: epmapper named pipe
ncacn_ip_tcp: 135/tcp
ncadg_ip_udp: 135/udp
ncacn_http: 593/tcp
Typically, to discover the port on which a given RPC service can be reached, a client will establish a TCP connection to port 135, asking for the port allocated to a given RPC service. Then, the client closes the connection to port 135 and opens a new connection to the port returned by the portmapper service.

To register itself in the endpoint database maintained by the portmapper service, a service calls the RpcEpRegister() function.

By default, TCP/IP ports for RPC services are allocated in the range of dynamic ports, which starts at 1025. This explains why, on most Windows systems, the ports immediately above 1024 are used by RPC services. It is possible to configure a specific port range for RPC services, using the rpccfg tool, as described in another document [46].

To query the portmapper service, it is possible to use a tool typically named rpcdump. The Microsoft Resource Kit contains a Windows version of rpcdump. There is also a Windows version in Todd Sabin's RPC Tools [33], whereas Dave Aitel's SPIKE toolkit contains dcedump [47], a version running on Unix.

Using ifids on one of the portmapper RPC service endpoints, it appears that several RPC interfaces are supported on a Windows 2000 machine:
C:\> ifids -p ncacn_np -e \pipe\epmapper \\.
Interfaces: 11
e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
975201b0-59ca-11d0-a8d5-00a0c90d8051 v1.0
e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
00000136-0000-0000-c000-000000000046 v0.0
c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
000001a0-0000-0000-c000-000000000046 v0.0

On a Windows XP or Windows Server 2003 system, the result is:
C:\WINDOWS> ifids -p ncacn_ip_tcp -e 135 127.0.0.1
Interfaces: 11
e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
1d55b526-c137-46c5-ab79-638f2a68e869 v1.0
e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
00000136-0000-0000-c000-000000000046 v0.0
c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
000001a0-0000-0000-c000-000000000046 v0.0

As explained later, some of these interfaces are meant to be used only locally, whereas others are designed to be used remotely. However, because all these RPC services run in the same process, they all appear when querying any endpoint of the rpcss service, such as TCP port 135 or the epmapper named pipe.

In the next two sections, these RPC interface identifiers are classified and explained.
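The endpoint a client connects to (TCP port 135, the epmapper named pipe, or any of the pipes listed in section 4.7) does not by itself say which RPC interface is being used: the interface is named by its UUID and version inside the DCE RPC bind PDU, which is also what Ethereal decodes when it labels a call as lsarpc or srvsvc. The following script is an added example, not code from the original article or from HSC: parse_bind_pdu() decodes a connection-oriented bind PDU (packet type 11, little-endian data representation, as specified in C706) and labels the requested interface using the identifiers listed in this article; build_bind_pdu() only exists to produce a constructed sample PDU for the parser, and the 72-byte single-context bind it emits is the shape most Windows clients send. The UUID byte order deserves attention: the first three UUID fields are little-endian on the wire, which uuid.UUID.bytes_le handles.

```python
"""Decode a DCE RPC bind PDU and name the interface it requests.

Added example, not code from the original article. The sample PDU used in
__main__ is constructed with build_bind_pdu(), not captured from a network.
"""
import struct
import uuid

PTYPE_BIND = 11
# NDR transfer syntax, negotiated in every bind.
NDR_SYNTAX = ("8a885d04-1ceb-11c9-9fe8-08002b104860", 2, 0)

# (uuid, major version) -> interface name, taken from the tables in this article.
KNOWN_INTERFACES = {
    ("12345778-1234-abcd-ef00-0123456789ab", 0): "lsarpc",
    ("12345778-1234-abcd-ef00-0123456789ac", 1): "samr",
    ("12345678-1234-abcd-ef00-01234567cffb", 1): "netlogon",
    ("6bffd098-a112-3610-9833-012892020162", 0): "browser",
    ("4fc742e0-4a10-11cf-8273-00aa004ae673", 3): "netdfs",
    ("4b324fc8-1670-01d3-1278-5a47bf6ee188", 3): "srvsvc",
    ("367aeb81-9844-35f1-ad32-98f038001003", 2): "svcctl",
    ("338cd001-2244-31f1-aaaa-900038001003", 1): "winreg",
    ("6bffd098-a112-3610-9833-46c3f87e345a", 1): "wkssvc",
    ("e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3): "epm",
    ("99fcfec4-5260-101b-bbcb-00aa0021347a", 0): "IOXIDResolver",
    ("4d9f4ab8-7d1c-11cf-861e-0020af6e7c57", 0): "IActivation",
}

# Common 16-byte header: rpc_vers, rpc_vers_minor, ptype, pfc_flags, packed_drep,
# frag_length, auth_length, call_id.
HEADER_FMT = "<BBBB4sHHI"


def _syntax_id(uuid_str, major, minor):
    """p_syntax_id_t: UUID with its first three fields little-endian, then u16 major, u16 minor."""
    return uuid.UUID(uuid_str).bytes_le + struct.pack("<HH", major, minor)


def _parse_syntax_id(data, off):
    if off + 20 > len(data):
        raise ValueError("truncated syntax id")
    u = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
    major, minor = struct.unpack_from("<HH", data, off + 16)
    return str(u), major, minor


def build_bind_pdu(abstract, call_id=1, assoc_group=0, max_frag=5840):
    """One presentation context offering NDR only: the 72-byte bind most clients send."""
    ctx = struct.pack("<HBB", 0, 1, 0) + _syntax_id(*abstract) + _syntax_id(*NDR_SYNTAX)
    body = struct.pack("<HHI", max_frag, max_frag, assoc_group) + struct.pack("<BBH", 1, 0, 0) + ctx
    header = struct.pack(HEADER_FMT, 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                         16 + len(body), 0, call_id)
    return header + body


def parse_bind_pdu(data):
    """Return call id, association group and the presentation contexts requested."""
    if len(data) < 28:
        raise ValueError("PDU shorter than a bind header")
    vers, _minor, ptype, _flags, drep, frag_len, _auth_len, call_id = struct.unpack_from(HEADER_FMT, data, 0)
    if vers != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a connection-oriented bind PDU")
    if drep[0] >> 4 != 1:
        raise ValueError("only little-endian data representation is handled here")
    if frag_len != len(data):
        raise ValueError("frag_length does not match the buffer")
    max_xmit, _max_recv, assoc_group = struct.unpack_from("<HHI", data, 16)
    n_ctx = data[24]
    off, contexts = 28, []
    for _ in range(n_ctx):
        if off + 4 > len(data):
            raise ValueError("truncated context list")
        cont_id, n_transfer, _reserved = struct.unpack_from("<HBB", data, off)
        off += 4
        abstract = _parse_syntax_id(data, off)
        off += 20
        transfer = []
        for _ in range(n_transfer):
            transfer.append(_parse_syntax_id(data, off))
            off += 20
        contexts.append({
            "context_id": cont_id,
            "abstract": abstract,
            "transfer": transfer,
            "interface": KNOWN_INTERFACES.get((abstract[0], abstract[1]), "unknown"),
        })
    return {"call_id": call_id, "assoc_group": assoc_group, "max_xmit_frag": max_xmit, "contexts": contexts}


def is_valid_bind(data):
    """Convenience wrapper for filtering: True if data parses as a bind PDU."""
    try:
        parse_bind_pdu(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_bind_pdu(("4b324fc8-1670-01d3-1278-5a47bf6ee188", 3, 0), call_id=7)
    for ctx in parse_bind_pdu(sample)["contexts"]:
        print(ctx["interface"], *ctx["abstract"])
```

The parser rejects anything whose frag_length disagrees with the buffer, so a truncated capture is reported rather than decoded into garbage; extending KNOWN_INTERFACES with the rest of the identifiers from the tables on this page is enough to label the remaining rpcss interfaces.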


4.8.2 RPC services running in the rpcss service
Note: names and purposes of some of the interfaces described in the two following sections have been documented by Microsoft France technical departments.

The first RPC interface is the DCE RPC endpoint portmapper interface [48]:
e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0: epm


Interface Operation number Operation name
e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0: epm
0x00 ept_insert
0x01 ept_delete
0x02 ept_lookup
0x03 ept_map
0x04 ept_lookup_handle_free
0x05 ept_inq_object
0x06 ept_mgmt_delete
0x07 ept_map_auth



The ept_map_auth operation is apparently specific to Microsoft's implementation of the epmapper interface.

The second RPC interface is used by local processes to reach the local endpoint mapper:
0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1: localepm


Interface Operation number Operation name
0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1: localepm
0x00 OpenEndpointMapper
0x01 AllocateReservedIPPort
0x02 ept_insert_ex
0x03 ept_delete_ex


Remaining interfaces are used by the COM/DCOM implementation. The rpcss service not only runs the RPC subsystem but also the COM Service Control Manager (SCM), which is at the core of the COM/DCOM infrastructure. As a result, some RPC services are available in the rpcss service, as well as some orPC services, as explained in the next section.

The IActivation interface is an RPC interface implemented by the COM SCM (Service Control Manager) to handle COM object activation requests:
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0: IActivation

This RPC interface has exactly one operation, RemoteActivation(), as described in section 6.2 of the DCOM specification ([49]).

Interface Operation number Operation name
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0: IActivation
0x00 RemoteActivation



The IOXIDResolver RPC interface (formerly known as IObjectExporter) is used remotely to reach the local object resolver (OR). The Object Resolver component is in charge of:
returning protocol sequences, string bindings and the machine id of an object server, given its OXID (ResolveOXID(), and ResolveOXID2(), which is only supported by DCOM version 5.2 and above)
responding to ping requests (SimplePing() and ComplexPing() functions)
responding to ServerAlive() and ServerAlive2() function requests
The interface identifier of IOXIDResolver is:
99fcfec4-5260-101b-bbcb-00aa0021347a v0.0: IOXIDResolver


Interface Operation number Operation name
99fcfec4-5260-101b-bbcb-00aa0021347a v0.0: IOXIDResolver
0x00 ResolveOxid
0x01 SimplePing
0x02 ComplexPing
0x03 ServerAlive
0x04 ResolveOxid2
0x05 ServerAlive2



There is also a local version of the IOXIDResolver interface:
e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0: ILocalObjectExporter


Interface Operation number Operation name
e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0: ILocalObjectExporter
0x00 Connect
0x01 AllocateReservedIds
0x02 BulkUpdateOIDs
0x03 ClientResolveOXID
0x04 ServerAllocateOXIDandOIDs
0x05 ServerAllocateOIDs
0x06 ServerFreeOXIDAndOIDs
0x07 Disconnect


For more information about the DCOM transport into DCE RPC, see [51].

The ISCM RPC interface is a local interface used by local applications to communicate with the local COM SCM:
412f241e-c12a-11ce-abff-0020af6e7a17 v0.2: ISCM


Interface Operation number Operation name
412f241e-c12a-11ce-abff-0020af6e7a17 v0.2: ISCM
0x00 ServerRegisterClsid
0x01 ServerRevokeClsid
0x02 GetThreadID
0x03 UpdateActivationSettings
0x04 RegisterWindowPropInterface
0x05 GetWindowPropInterface
0x06 EnableDisableDynamicIPTracking
0x07 GetCurrentAddrExclusionList
0x08 SetAddrExclusionList
0x09 FlushSCMBindings
0x0a RetireServer



The IROT RPC interface is used by local processes to access the Running Object Table (ROT), to register or unregister COM objects:
b9e79e60-3d52-11ce-aaa1-00006901293f v0.2: IROT


Interface Operation number Operation name
b9e79e60-3d52-11ce-aaa1-00006901293f v0.2: IROT
0x00 IrotRegister
0x01 IRotRevoke
0x02 IrotIsRunning
0x03 IrotGetObject
0x04 IrotNoteChangeTime
0x05 IrotGetTimeOfLastChange
0x06 IrotEnumRunning


--------------------------------------------------------------------------------

IMachineActivatorControl is also a local interface, used to notify the COM SCM when COM surrogates start or stop:
c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0: IMachineActivatorControl


--------------------------------------------------------------------------------

Interface Operation number Operation name
c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0: IMachineActivatorControl
0x00 ProcessActivatorStarted
0x01 ProcessActivatorInitializing
0x02 ProcessActivatorReady
0x03 ProcessActivatorStopped
0x04 ProcessActivatorPaused
0x05 ProcessActivatorResumed
0x06 ProcessActivatorUserInitializing


--------------------------------------------------------------------------------

Starting with Windows XP, a new RPC interface, DbgIdl, is available to help with debugging RPC services:
1d55b526-c137-46c5-ab79-638f2a68e869 v1.0: DbgIdl


--------------------------------------------------------------------------------

Interface Operation number Operation name
1d55b526-c137-46c5-ab79-638f2a68e869 v1.0: DbgIdl
0x00 RemoteGetCellByDebugCellID
0x01 RemoteOpenRPCDebugCallInfoEnumeration
0x02 RemoteGetNextRPCDebugCallInfo
0x03 RemoteFinishRPCDebugCallInfoEnumeration
0x04 RemoteOpenRPCDebugEndpointInfoEnumeration
0x05 RemoteGetNextRPCDebugEndpointInfo
0x06 RemoteFinishRPCDebugEndpointInfoEnumeration
0x07 RemoteOpenRPCDebugThreadInfoEnumeration
0x08 RemoteGetNextRPCDebugThreadInfo
0x09 RemoteFinishRPCDebugThreadInfoEnumeration
0x0a RemoteOpenRPCDebugClientCallInfoEnumeration
0x0b RemoteGetNextRPCDebugClientCallInfo
0x0c RemoteFinishRPCDebugClientCallInfoEnumeration


--------------------------------------------------------------------------------

More information about this interface is available in the RPC Debugging section of the Microsoft Debugging Tools package documentation ([50]).


4.8.3 orPC services running in the rpcss service
orPC (Object RPC) services are used by DCOM (Distributed COM). orPC calls can be distinguished from RPC calls because, on the wire, they always have an implicit parameter, either of type orPCTHIS or orPCTHAT (see section 3.2 of [49]).

Also, the version of an orPC service interface identifier is always 0.0, as explained in [51]:
Finally, the interface version number (named if_vers) must always be 0.0. This is because a COM interface may never be modified after it is published. COM interfaces are not versioned; a new interface is defined instead.
The following orPC services are running in the rpcss service:
00000136-0000-0000-c000-000000000046 v0.0: ISCMActivator
000001a0-0000-0000-c000-000000000046 v0.0: ISystemActivator

ISCMActivator is an orPC interface implemented by the COM SCM to handle remote activation requests (CoCreateInstance(), CoGetClassObject(), ...):

--------------------------------------------------------------------------------

Interface Operation number Operation name
00000136-0000-0000-c000-000000000046 v0.0: ISCMActivator
0x00 QueryInterfaceSCMActivator
0x01 AddRefISCMActivator
0x02 ReleaseISCMActivator
0x03 SCMActivatorGetClassObject
0x04 SCMActivatorCreateInstance


--------------------------------------------------------------------------------

ISystemActivator is an orPC base interface that must be implemented by servers supporting object activation. In the specific case of the COM SCM, running inside the rpcss service, this interface is used when the activation process is looking for an object and asks the local or a remote SCM to activate a given object.

--------------------------------------------------------------------------------

Interface Operation number Operation name
000001a0-0000-0000-c000-000000000046 v0.0: ISystemActivator
0x00 QueryInterfaceIRemoteSCMActivator
0x01 AddRefIRemoteISCMActivator
0x02 ReleaseIRemoteISCMActivator
0x03 RemoteGetClassObject
0x04 RemoteCreateInstance


--------------------------------------------------------------------------------

On 2003/07/21, a vulnerability affecting the ISystemActivator interface was published [52]. It affects any Windows 2000 system and can be used to, at least, crash the rpcss service. It can be exploited anonymously because the interface does not require authentication.
4.9 Windows services running RPC services over TCP/IP
4.9.1 Messenger service
The messenger service runs two RPC services, available on two endpoints:
msgsvc named pipe
a dynamic UDP port
Y:>ifids -p ncacn_np -e \pipe\msgsvc \\.
Interfaces: 42

[...]

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

Y:>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
Interfaces: 42

[...]

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0


The UDP transport of these services has recently been exploited to send advertisement popup windows on a massive scale [55].

The two RPC services run by the messenger service have the following interfaces identifiers:
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0: msgsvc
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0: msgsvcsend

The msgsvc RPC service supports 4 operations that manipulate NetBIOS names on a local or remote system:

--------------------------------------------------------------------------------

Interface Operation number Operation name
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0: msgsvc
0x00 NetrMessageNameAdd
0x01 NetrMessageNameEnum
0x02 NetrMessageNameGetInfo
0x03 NetrMessageNameDel


--------------------------------------------------------------------------------

The msgsvcsend RPC service supports one operation, to send a message to a registered NetBIOS name using MSRPC:

--------------------------------------------------------------------------------

Interface Operation number Operation name
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0: msgsvcsend
0x00 NetrSendMessage


--------------------------------------------------------------------------------

The msgsvcsend interface has been used to send advertisement messages, using the NetrSendMessage operation.

A vulnerability affecting the msgsvcsend interface was recently published by the LSD research group [56]. The MS03-043 ([57]) Microsoft security bulletin contains a patch that completely removes support for the msgsvcsend interface of the Messenger service (both the server-side function in msgsvc.dll and the client-side function in wkssvc.dll are removed in the patched versions of these two DLLs).

Note: if the messenger service receives a message using the UDP port, a new (dynamic) UDP port is opened by the process hosting the messenger service (services.exe). This UDP port is used to send a conv_who_are_you request, which is necessary when the original request containing the message was sent to UDP port 135 instead of the dynamic UDP port opened by the RPC service.
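An added example, not part of the original document, that parses ifids transcripts like the two quoted above and reports which of the interfaces this document singles out (msgsvcsend, removed by MS03-043; ISystemActivator, [52]) were seen over which transport, and flags runs whose listing is shorter than the count ifids announced, since an elided listing cannot prove an interface is absent. The interface table and the sample transcript are constructed from the document's own listings.

```python
import re

# Interface identifiers taken from the tables in this document; the notes
# restate what the document says about each interface.
KNOWN_INTERFACES = {
    "17fdd703-1827-4e34-79d4-24a55c53bb37": ("msgsvc", None),
    "5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc": ("msgsvcsend",
        "removed by the MS03-043 patch [57]: still listed means unpatched"),
    "000001a0-0000-0000-c000-000000000046": ("ISystemActivator",
        "vulnerability published 2003/07/21 [52], no authentication required"),
    "1ff70682-0a51-30e8-076d-740be8cee98b": ("atsvc", None),
    "378e52b0-c0a9-11cf-822d-00aa0051e40f": ("sasec", None),
}

# "Y:>ifids -p ncadg_ip_udp -e 4870 127.0.0.1"; the drive-letter prompt is optional.
CMD_LINE = re.compile(r"^(?:[A-Z]:>)?\s*ifids\s+-p\s+(\S+)\s+-e\s+(\S+)\s+(\S+)\s*$")
COUNT_LINE = re.compile(r"^Interfaces:\s*(\d+)$")
UUID_LINE = re.compile(
    r"^([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\s+v(\d+)\.(\d+)$", re.I)


def parse_ifids(text):
    """Split a transcript of one or more ifids runs into a list of runs.

    Each run records the protocol sequence, endpoint and host from the command
    line, the interface count ifids announced, and the (uuid, major, minor)
    tuples actually present in the transcript.
    """
    runs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CMD_LINE.match(line)
        if m:
            runs.append({"protseq": m.group(1), "endpoint": m.group(2),
                         "host": m.group(3), "declared": None, "interfaces": []})
            continue
        if not runs:
            continue  # text before the first command line
        m = COUNT_LINE.match(line)
        if m:
            runs[-1]["declared"] = int(m.group(1))
            continue
        m = UUID_LINE.match(line)
        if m:
            runs[-1]["interfaces"].append(
                (m.group(1).lower(), int(m.group(2)), int(m.group(3))))
    return runs


def audit(text):
    """Return (findings, truncated_runs) for an ifids transcript.

    findings maps the name of each noted interface to its uuid, the note and
    the list of protocol sequences it was reached over; truncated_runs lists
    (protseq, endpoint) pairs whose transcript shows fewer interfaces than
    ifids announced, so absence of an interface there proves nothing.
    """
    findings, truncated = {}, []
    for run in parse_ifids(text):
        if run["declared"] is not None and len(run["interfaces"]) < run["declared"]:
            truncated.append((run["protseq"], run["endpoint"]))
        for uuid, _major, _minor in run["interfaces"]:
            name, note = KNOWN_INTERFACES.get(uuid, (None, None))
            if note is None:
                continue
            entry = findings.setdefault(
                name, {"uuid": uuid, "note": note, "transports": []})
            entry["transports"].append(run["protseq"])
    return findings, truncated


# Constructed sample: the two Messenger service runs quoted in this section,
# with the "[...]" elision kept, so both runs are reported as truncated.
SAMPLE = r"""
Y:>ifids -p ncacn_np -e \pipe\msgsvc \\.
Interfaces: 42

[...]

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

Y:>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
Interfaces: 42

[...]

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
"""

if __name__ == "__main__":
    found, partial = audit(SAMPLE)
    for name, info in found.items():
        print(f"{name} ({info['uuid']}) over {', '.join(info['transports'])}: {info['note']}")
    for protseq, endpoint in partial:
        print(f"listing for {protseq}:{endpoint} is incomplete; rerun without elision")
```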


4.9.2 Scheduler service
The scheduler service runs RPC services allowing remote configuration of scheduled tasks. These RPC services are available on two endpoints:
atsvc named pipe
A dynamic TCP port
Before Windows XP the Scheduler service was implemented in a single process, mstask.exe. Starting with Windows XP, the Scheduler service runs in a svchost.exe instance process (schedsvc.dll) and runs an additional RPC service (the third one in the list below).

The interface identifiers of these RPC services are:
X:>ifids -p ncacn_np -e \pipe\atsvc \\.
Interfaces: 51

[...]

1ff70682-0a51-30e8-076d-740be8cee98b v1.0
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0

X:>ifids -p ncacn_ip_tcp -e 3136 127.0.0.1
Interfaces: 51

[...]

1ff70682-0a51-30e8-076d-740be8cee98b v1.0
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0

X:>



--------------------------------------------------------------------------------

Interface Operation number Operation name
1ff70682-0a51-30e8-076d-740be8cee98b v1.0: atsvc
0x00 NetrJobAdd
0x01 NetrJobDel
0x02 NetrJobEnum
0x03 NetrJobGetInfo


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0: sasec
0x00 SASetAccountInformation
0x01 SASetNSAccountInformation
0x02 SAGetNSAccountInformation
0x03 SAGetAccountInformation


--------------------------------------------------------------------------------

The following RPC service has been added in Windows XP:

--------------------------------------------------------------------------------

Interface Operation number Operation name
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0
0x00 ItSrvRegisterIdleTask
0x01 ItSrvUnregisterIdleTask
0x02 ItSrvProcessIdleTasks
0x03 ItSrvSetDetectionParameters


--------------------------------------------------------------------------------

4.9.3 WINS service
The WINS service (wins.exe process) runs two RPC services, available on two endpoints:
A dynamic TCP port
WinsPipe named pipe
The two RPC services identifiers are:
45f52c28-7f9f-101a-b52b-08002b2efabe v1.0
811109bf-a4e1-11d1-ab54-00a0c91e9b45 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
45f52c28-7f9f-101a-b52b-08002b2efabe v1.0
0x00 R_WinsRecordAction
0x01 R_WinsStatus
0x02 R_WinsTrigger
0x03 R_WinsDoStaticInit
0x04 R_WinsDoScavenging
0x05 R_WinsGetDbRecs
0x06 R_WinsTerm
0x07 R_WinsBackup
0x08 R_WinsDelDbRecs
0x09 R_WinsPullRange
0x0a R_WinsSetPriorityClass
0x0b R_WinsResetCounters
0x0c R_WinsWorkerThdUpd
0x0d R_WinsGetNameAndAdd
0x0e R_WinsGetBrowserNames_Old
0x0f R_WinsDeleteWins
0x10 R_WinsSetFlags
0x11 R_WinsGetDbRecsByName
0x12 R_WinsStatusWHdl
0x13 R_WinsDoScavengingNew


--------------------------------------------------------------------------------

The WINS service also opens a dynamic UDP port, which does not seem to be used by an RPC service.


4.9.4 IIS 5 services
In Windows 2000, IIS (Internet Information Server) 5 services (HTTP, SMTP, FTP, NNTP) run in a single process, inetinfo.exe.

The inetinfo.exe (IIS 5) process runs RPC services on the following endpoints:
INETINFO_LPC LPC port
INETINFO named pipe
one dynamic TCP port and one dynamic UDP port
The following RPC service is registered by the IISAdmin service (infocomm.dll):
82ad4280-036b-11cf-972c-00aa006887b0 v2.0: inetinfo


--------------------------------------------------------------------------------

Interface Operation number Operation name
82ad4280-036b-11cf-972c-00aa006887b0 v2.0: inetinfo
0x00 _R_InetInfoGetVersion
0x01 _R_InetInfoGetAdminInformation
0x02 _R_InetInfoGetSites
0x03 _R_InetInfoSetAdminInformation
0x04 _R_InetInfoGetGlobalAdminInformation
0x05 _R_InetInfoSetGlobalAdminInformation
0x06 _R_InetInfoQueryStatistics
0x07 _R_InetInfoClearStatistics
0x08 _R_InetInfoFlushMemoryCache
0x09 _R_InetInfoGetServerCapabilities
0x0a _R_W3QueryStatistics2
0x0b _R_W3ClearStatistics2
0x0c _R_FtpQueryStatistics2
0x0d _R_FtpClearStatistics2
0x10 _R_IISEnumerateUsers
0x11 _R_IISDisconnectUser
0x12 _R_InitW3CounterStructure
0x13 _R_CollectW3PerfData


--------------------------------------------------------------------------------

The SMTP service (smtpsvc.dll) runs the following RPC service:
8cfb5d70-31a4-11cf-a7d8-00805f48a135 v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
8cfb5d70-31a4-11cf-a7d8-00805f48a135 v3.0
0x00 SmtprGetAdminInformation
0x01 SmtprSetAdminInformation
0x02 SmtprQueryStatistics
0x03 SmtprClearStatistics
0x04 SmtprGetConnectedUserList
0x05 SmtprDisconnectUser
0x06 SmtprCreateUser
0x07 SmtprDeleteUser
0x08 SmtprGetUserProps
0x09 SmtprSetUserProps
0x0a SmtprCreateDistList
0x0b SmtprDeleteDistList
0x0c SmtprCreateDistListMember
0x0d SmtprDeleteDistListMember
0x0e SmtprGetNameList
0x0f SmtprGetNameListFromList
0x10 SmtprGetVRootSize
0x11 SmtprBackupRoutingTable


--------------------------------------------------------------------------------

The NNTP service (nntpsvc.dll) runs the following RPC service:
4f82f460-0e21-11cf-909e-00805f48a135 v4.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
4f82f460-0e21-11cf-909e-00805f48a135 v4.0
0x00 NntprQueryStatistic
0x01 NntprClearStatistics
0x02 NntprEnumerateFeeds
0x03 NntprGetFeedInformation
0x04 NntprSetFeedInformation
0x05 NntprAddFeed
0x06 NntprDeleteFeed
0x07 NntprEnableFeed
0x08 NntprEnumerateSessions
0x09 NntprTerminateSession
0x0a NntprEnumerateExpires
0x0b NntprAddExpire
0x0c NntprDeleteExpire
0x0d NntprGetExpireInformation
0x0e NntprSetExpireInformation
0x0f NntprGetNewsgroup
0x10 NntprSetNewsgroup
0x11 NntprCreateNewsgroup
0x12 NntprDeleteNewsgroup
0x13 NntprFindNewsgroup
0x14 NntprGetAdminInformation
0x15 NntprSetAdminInformation
0x16 NntprStartRebuild
0x17 NntprGetBuildStatus
0x18 NntprCancelMessageID
0x19 NntprGetVRootWin32Error


--------------------------------------------------------------------------------

The IMAP4 service (imap4svc.dll), installed by Exchange, runs the following RPC service:
2465e9e0-a873-11d0-930b-00a0c90ab17c v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
2465e9e0-a873-11d0-930b-00a0c90ab17c v3.0
0x00 ImaprQueryStatistics
0x01 ImaprClearStatistics
0x02 ImaprGetConnectedUserList
0x03 ImaprDisconnectUser


--------------------------------------------------------------------------------

The POP3 service (pop3svc.dll), installed by Exchange, runs the following RPC service:
1be617c0-31a5-11cf-a7d8-00805f48a135 v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
1be617c0-31a5-11cf-a7d8-00805f48a135 v3.0
0x00 Pop3rQueryStatistics
0x01 Pop3rClearStatistics
0x02 Pop3rGetConnectedUserList
0x03 Pop3rDisconnectUser


--------------------------------------------------------------------------------

The following interface identifiers correspond to the GUIDs of the COM components activated to handle IIS management:
70b51430-b6ca-11d0-b9b9-00a0c922e750 v0.0: IMSAdminBaseW
a9e69612-b80d-11d0-b9b9-00a0c922e750 v0.0



4.9.5 Message Queuing and Distributed Transaction Coordinator services
The Message Queuing service (mqsvc.exe process) runs RPC services listening on the ncacn_ip_tcp transport. On a Windows 2000 Server system, 4 TCP ports were opened by the mqsvc.exe process.

The mqqm.dll (Windows NT MQ Queue Manager) DLL, loaded in the mqsvc.exe process, contains the following RPC services:
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
0x00 QMOpenQueue
0x01 QMGetRemoteQueueName
0x02 QMOpenRemoteQueue
0x03 QMCloseRemoteQueueContext
0x04 QMCreateRemoteCursor
0x05 QMSendMessageInternal
0x06 QMCreateObjectInternal
0x07 QMSetObjectSecurityInternal
0x08 QMGetObjectSecurityInternal
0x09 QMDeleteObject
0x0a QMGetObjectProperties
0x0b QMSetObjectProperties
0x0c QMObjectPathToObjectFormat
0x0d QMAttachProcess
0x0e QMGetTmWhereabouts
0x0f QMEnlistTransation
0x10 QMEnlistInternalTransaction
0x11 QMCommitTransaction
0x12 QMAbortTransaction
0x13 QMOpenQueueInternal
0x14 ACCloseHandle
0x15 ACCreateCursor
0x16 ACCloseCursor
0x17 ACSetCursorProperties
0x18 ACSendMessage
0x19 ACReceiveMessage
0x1a ACHandleToFormatName
0x1b ACPurgeQueue
0x1c QMQueryQMRegistryInternal
0x1d QMListInternalQueues
0x1e QMCorrectOutSequence
0x1f QMGetRemoteQMServerPort
0x20 QMGetMsmqServiceName
0x21 QMCreateDSObjectInternal


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
0x00 QMSendMessageInternalEx
0x01 ACSendMessageEx
0x02 ACReceiveMessageEx
0x03 ACCreateCursorEx


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
0x00 RemoteQMStartReceive
0x01 RemoteQMEndReceive
0x02 RemoteQMOpenQueue
0x03 RemoteQMCloseQueue
0x04 RemoteQMCloseCursor
0x05 RemoteQMCancelReceive
0x06 RemoteQMPurgeQueue
0x07 RemoteQMGetQMQMServerPort
0x08 RemoteQmGetVersion
0x09 RemoteQMStartReceive2
0x0a RemoteQMStartReceiveByLookupId


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
0x00 QMSendReplMsg


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0
0x00 QMMgmtGetInfo
0x01 QMMgmtAction


--------------------------------------------------------------------------------

The msdtcprx.dll (MS DTC OLE Transactions interface proxy) DLL, also loaded in the mqsvc.exe process, contains one RPC service:
906b0ce0-c70b-1067-b317-00dd010662da v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
906b0ce0-c70b-1067-b317-00dd010662da v1.0
0x00 Poke
0x01 BuildContext
0x02 NegotiateResources
0x03 SendReceive
0x04 TearDownContext
0x05 BeginTearDown
0x06 PokeW
0x07 BuildContextW


--------------------------------------------------------------------------------

This RPC service also runs in the Distributed Transaction Coordinator service process (msdtc.exe), which opens a dynamic port, as well as TCP port 3372 (at least on Windows 2000).


4.9.6 Active Directory related RPC services
The first important RPC service of Active Directory is the drsuapi interface, identified as follows:
Active Directory replication interface: e3514235-4b06-11d1-ab04-00c04fc2dcd2 v4.0

It supports the following operations:

--------------------------------------------------------------------------------

Interface Operation number Operation name
e3514235-4b06-11d1-ab04-00c04fc2dcd2 v4.0: drsuapi
0x00 DRSBind
0x01 DRSUnbind
0x02 DRSReplicaSync
0x03 DRSGetNCChanges
0x04 DRSUpdateRefs
0x05 DRSReplicaAdd
0x06 DRSReplicaDel
0x07 DRSReplicaModify
0x08 DRSVerifyNames
0x09 DRSGetMemberships
0x0a DRSInterDomainMove
0x0b DRSGetNT4ChangeLog
0x0c DRSCrackNames
0x0d DRSWriteSPN
0x0e DRSRemoveDsServer
0x0f DRSRemoveDsDomain
0x10 DRSDomainControllerInfo
0x11 DRSAddEntry
0x12 DRSExecuteKCC
0x13 DRSGetReplInfo
0x14 DRSAddSidHistory
0x15 DRSGetMemberships2
0x16 DRSReplicaVerifyObjects
0x17 DRSGetObjectExistence
0x18 DRSQuerySitesByCost


--------------------------------------------------------------------------------

Ethereal has a dissector for this interface [58] but currently, it only displays the operation names, as all these operations are encrypted.

The dssetup RPC interface, which contains only one operation, is used in Active Directory domains:

--------------------------------------------------------------------------------

Interface Operation number Operation name
3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0: dssetup
0x00 DsRolerGetPrimaryDomainInformation


--------------------------------------------------------------------------------

The following RPC interfaces are supported on a Windows 2000 domain controller to handle backup and restore of Active Directory:
Active Directory backup interface: ecec0d70-a603-11d0-96b1-00a0c91ece30 v1.0
Active Directory restore interface: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
ecec0d70-a603-11d0-96b1-00a0c91ece30 v1.0
0x00 HrRBackupPrepare
0x01 HrRBackupEnd
0x02 HrRBackupGetAttachmentInformation
0x03 HrRBackupOpenFile
0x04 HrRBackupRead
0x05 HrRBackupClose
0x06 HrRBackupGetBackupLogs
0x07 HrRBackupTruncateLogs
0x08 HrRBackupPing


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
16e0cf3a-a604-11d0-96b1-00a0c91ece30 v1.0
0x00 HrRIsNTDSOnline
0x01 HrRRestorePrepare
0x02 HrRRestoreRegister
0x03 HrRRestoreRegisterComplete
0x04 HrRRestoreGetDatabaseLocations
0x05 HrRRestoreEnd
0x06 HrRRestoreSetCurrentLogNumber
0x07 HrRRestoreCheckLogsForBackup


--------------------------------------------------------------------------------

By default, these RPC services are registered in the endpoint mapper database on a dynamic TCP port. However, it is possible to set a registry value to configure these services to listen on a fixed port [59]. Once this value is configured, the portmapper service will always return this fixed port when asked for one of these interfaces.

Windows Server 2003 supports the dsrole interface, available on the following endpoint:
dsrole LPC port
Y:>ifids -p ncalrpc -e dsrole serveur
Interfaces: 18

[...]

1cbcad78-df0b-4934-b558-87839ea501c9 v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
1cbcad78-df0b-4934-b558-87839ea501c9 v0.0: dsrole
0x00 DsRolerDnsNameToFlatName
0x01 DsRolerDcAsDc
0x02 DsRolerDcAsReplica
0x03 DsRolerDemoteDc
0x04 DsRolerGetDcOperationProgress
0x05 DsRolerGetDcOperationResults
0x06 DsRolerCancel
0x07 DsRolerIfmHandleFree
0x08 DsRolerServerSaveStateForUpgrade
0x09 DsRolerUpgradeDownlevelServer
0x0a DsRolerAbortDownlevelServerUpgrade
0x0b DsRolerGetDatabaseFacts


--------------------------------------------------------------------------------

This interface can only be used locally (it is registered using the RpcServerRegisterIfEx() API, specifying a security-callback function that verifies that the protocol sequence used is ncalrpc and that the LPC port is the dsrole LPC port).

There is another interface in the ntdsa.dll DLL, which contains only two operations:

--------------------------------------------------------------------------------

Interface Operation number Operation name
7c44d7d4-31d5-424c-bd5e-2b3e1f323d22 v1.0
0x00 DSAPrepareScript
0x01 DSAExecuteScript


--------------------------------------------------------------------------------

4.9.7 File Replication service
The File Replication Service (ntfrs.exe process) runs 3 RPC services on one TCP port:
f5cc59b4-4264-101a-8c59-08002b2f8426 v1.1
d049b186-814f-11d1-9a3c-00c04fc9b232 v1.1
a00c021c-2be2-11d2-b678-0000f87a8f8e v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
f5cc59b4-4264-101a-8c59-08002b2f8426 v1.1
0x00 FrsRpcSendCommPkt
0x02 FrsRpcStartPromotionParent
0x0x FrsRpcInitialize
0x0x FrsRpcCheckAuthIfEnabled
0x0x FrsRpcSecurityCallback
0x0x FrsRpcInitializeAccessChecks
0x0x FrsRpcBindToServerNotService
0x0x FrsRpcUnBindFromServer
0x0x FrsRpcBindToServerGuid
0x0x FrsRpcUnInitialize
0x0x FrsRpcAccessChecks
0x0x FrsRpcSecurityCallbackForPerfmonAPIs
0x0x FrsRpcBindToServer
0x0x FrsRpcCheckAuthIfEnabledForCommitDemotion


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
d049b186-814f-11d1-9a3c-00c04fc9b232 v1.1
0x00 StartDemotion
0x03 CommitDemotion
0x04 Set_DsPollingIntervalW
0x05 Get_DsPollingIntervalW
0x07 InfoW
0x08 IsPathReplicated
0x09 WriterCommand


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
a00c021c-2be2-11d2-b678-0000f87a8f8e v1.0
0x00 GetIndicesOfInterfacesFromServer
0x01 GetCounterDataOfInstancesFromServer


--------------------------------------------------------------------------------

4.9.8 Inter-site Messaging service
The Inter-site Messaging service (ismserv.exe process) runs one RPC service, available on the following endpoints:
ISMSERV_LPC LPC port
Y:>ifids -p ncalrpc -e ISMSERV_LPC serveur
Interfaces: 1
68dcd486-669e-11d1-ab0c-00c04fc2dcd2 v2.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
68dcd486-669e-11d1-ab0c-00c04fc2dcd2 v1.0
0x00 ISMSend
0x01 ISMReceive
0x02 ISMGetConnectivity
0x03 ISMGetTransportServers
0x04 ISMGetConnectionSchedule
0x05 ISMQuerySitesByCost


--------------------------------------------------------------------------------

The following RPC service runs in the ismip.dll DLL, loaded in the ismserv.exe process context:
Active Directory ISM IP Transport: 130ceefb-e466-11d1-b78b-00c04fa32883 v2.1

This interface contains only one operation:

--------------------------------------------------------------------------------

Interface Operation number Operation name
130ceefb-e466-11d1-b78b-00c04fa32883 v2.1
0x00 ISMXXX


--------------------------------------------------------------------------------

4.9.9 Windows DNS server
Windows DNS server (dns.exe process) runs one RPC service, listening on the following endpoints:
DNSSERVERLPC LPC port
dnsserver named pipe
a dynamic TCP port
Y:>ifids -p ncalrpc -e DNSSERVERLPC serveur
Interfaces: 1
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0

Y:>ifids -p ncacn_np -e \pipe\dnsserver \\.
Interfaces: 1
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0

Y:>ifids -p ncacn_ip_tcp -e 3009 127.0.0.1
Interfaces: 1
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0
0x00 DnssrvOperation
0x01 DnssrvQuery
0x02 DnssrvComplexOperation
0x03 DnssrvEnumRecords
0x04 DnssrvUpdateRecord
0x05 DnssrvOperation2
0x06 DnssrvQuery2
0x07 DnssrvComplexOperation2
0x08 DnssrvEnumRecords2
0x09 DnssrvUpdateRecord2


--------------------------------------------------------------------------------

4.9.10 Exchange RPC services
The MAPI interface (also known as Exchange Server Store EMSMDB Interface) is identified as follows:
a4f1db00-ca47-1067-b31f-00dd010662da v0.81


--------------------------------------------------------------------------------

Interface Operation number Operation name
a4f1db00-ca47-1067-b31f-00dd010662da v0.81
0x00 EcDoConnect
0x01 EcDoDisconnect
0x02 EcDoRpc
0x03 EcGetMoreRpc
0x04 EcRRegisterPushNotification
0x05 EcRUnregisterPushNotification
0x06 EcDummyRpc
0x07 EcRGetDCName
0x08 EcRNetGetDCName
0x09 EcDoRpcExt


--------------------------------------------------------------------------------

[60] lists identifiers of Exchange RPC interfaces exposed when the Secure Mail Publishing feature of ISA Server 2000 is used.

The following interface identifiers are registered in the endpoint mapper database of an Exchange 2000 server:

Annotation=Exchange Server STORE ADMIN Interface
uuid=99e64010-b032-11d0-97a4-00c04fd6551d , version=3

annotation=Exchange Server STORE ADMIN Interface
uuid=89742ace-a9ed-11cf-9c0c-08002be7ae86 , version=2

annotation=Exchange Server STORE ADMIN Interface
uuid=a4f1db00-ca47-1067-b31e-00dd010662da , version=1

annotation=Exchange Server STORE EMSMDB Interface
uuid=a4f1db00-ca47-1067-b31f-00dd010662da , version=0

annotation=MS Exchange MTA 'Mta' Interface
uuid=9e8ee830-4459-11ce-979b-00aa005ffebe , version=2

annotation=MS Exchange Directory NSPI Proxy
uuid=f5cc5a18-4264-101a-8c59-08002b2f8426 , version=56

annotation=MS Exchange MTA 'QAdmin' Interface
uuid=38a94e72-a9bc-11d2-8faf-00c04fa378ff , version=1

annotation=Microsoft Information Store
uuid=0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde , version=1

annotation=Microsoft Information Store
uuid=1453c42c-0fa6-11d2-a910-00c04f990f3b , version=1

annotation=Microsoft Information Store
uuid=10f24e8e-0fa6-11d2-a910-00c04f990f3b , version=1

annotation=MS Exchange Directory RFR Interface
uuid=1544f5e0-613c-11d1-93df-00c04fd7bd09 , version=1

annotation=MS Exchange System Attendant Cluster Interface
uuid=f930c514-1215-11d3-99a5-00a0c9b61b04 , version=1

annotation=MS Exchange System Attendant Private Interface
uuid=83d72bf0-0d89-11ce-b13f-00aa003bac6c , version=6

annotation=MS Exchange System Attendant Public Interface
uuid=469d6ec0-0d87-11ce-b13f-00aa003bac6c , version=16



--------------------------------------------------------------------------------

Interface Operation number Operation name
1544f5e0-613c-11d1-93df-00c04fd7bd09 v1.0
0x00 RfrGetNewDSA
0x01 RfrGetFQDNFromLegacyDN


--------------------------------------------------------------------------------

4.9.11 Exchange RPC services in an Active Directory domain
Active Directory domain controllers that hold the Global Catalog server role register the following RPC services, which are used by MAPI clients to access the directory service that was integrated in Exchange before Exchange 2000:
Active Directory Extended Directory Service (XDS): f5cc5a7c-4264-101a-8c59-08002b2f8426 v21.0
Active Directory Name Service Provider (NSP) interface: f5cc5a18-4264-101a-8c59-08002b2f8426 v56.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
f5cc5a7c-4264-101a-8c59-08002b2f8426 v21.0: rxds
0x00 ds_abandon
0x01 ds_add_entry
0x02 ds_bind
0x03 ds_compare
0x04 ds_list
0x05 ds_modify_entry
0x06 ds_modify_rdn
0x07 ds_read
0x08 ds_receive_result
0x09 ds_remove_entry
0x0a ds_search
0x0b ds_unbind
0x0c ds_wait
0x0d dra_replica_add
0x0e dra_replica_delete
0x0f dra_replica_synchronize
0x10 dra_reference_update
0x11 dra_authorize_replica
0x12 dra_unauthorize_replica
0x13 dra_adopt
0x14 dra_set_status
0x15 dra_modify_entry
0x16 dra_delete_subref


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
f5cc5a18-4264-101a-8c59-08002b2f8426 v56.0: nspi
0x00 NspiBind
0x01 NspiUnbind
0x02 NspiUpdateStat
0x03 NspiQueryRows
0x04 NspiSeekEntries
0x05 NspiGetMatches
0x06 NspiResortRestriction
0x07 NspiDNToEph
0x08 NspiGetPropList
0x09 NspiGetProps
0x0a NspiCompareDNTs
0x0b NspiModProps
0x0c NspiGetHierarchyInfo
0x0d NspiGetTemplateInfo
0x0e NspiModLinkAtt
0x0f NspiDeleteEntries
0x10 NspiQueryColumns
0x11 NspiGetNamesFromIDs
0x12 NspiGetIDsFromNames
0x13 NspiResolveNames
0x14 NspiResolveNamesW


--------------------------------------------------------------------------------

NSPI operations offered by a Global Catalog Active Directory domain controller are either called directly (Outlook 2000 and later MAPI clients) or through a proxy run by the Exchange server, as described in [61].

An Exchange server integrated in an Active Directory domain registers the NSPI interface, to proxy NSPI requests to Global Catalog Active Directory domain controllers:
annotation=MS Exchange Directory NSPI Proxy
uuid=f5cc5a18-4264-101a-8c59-08002b2f8426 , version=56
ncacn_ip_tcp:172.16.1.238[1112]

annotation=MS Exchange Directory NSPI Proxy
uuid=f5cc5a18-4264-101a-8c59-08002b2f8426 , version=56
ncacn_http:172.16.1.238[1113]

The rxds interface is also registered on an Exchange 2000 server but is not registered in the endpoint mapper:
f5cc5a7c-4264-101a-8c59-08002b2f8426 v21.0
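An added example, not from the original document, that parses endpoint mapper records in the annotation/uuid/version form quoted in this section and in 4.9.10 (with the optional string binding line) and builds a per-interface inventory of bindings, separating protocol sequences a remote host can use from the local-only ncalrpc. The sample records are constructed from the Exchange 2000 entries quoted above.

```python
import re

# Record shape used by the endpoint mapper dumps quoted in this document:
#   annotation=<text>
#   uuid=<uuid> , version=<n>
#   <protseq>:<address>[<endpoint>]      (optional)
ANNOTATION = re.compile(r"^annotation=(.*)$", re.I)
UUID_VER = re.compile(r"^uuid=([0-9a-f-]{36})\s*,\s*version=(\d+)$", re.I)
BINDING = re.compile(r"^(ncacn_\w+|ncadg_\w+|ncalrpc):([^\[]*)\[([^\]]*)\]$")

# Protocol sequences a remote host can use; ncalrpc (LPC) is local only.
NETWORK_PROTSEQS = {"ncacn_ip_tcp", "ncadg_ip_udp", "ncacn_http", "ncacn_np"}


def parse_epm_dump(text):
    """Return one dict per annotation record found in an endpoint mapper dump."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line closes the current record
            continue
        m = ANNOTATION.match(line)
        if m:
            current = {"annotation": m.group(1).strip(), "uuid": None,
                       "version": None, "protseq": None, "address": None,
                       "endpoint": None}
            records.append(current)
            continue
        if current is None:
            continue                # text outside any record
        m = UUID_VER.match(line)
        if m:
            current["uuid"] = m.group(1).lower()
            current["version"] = int(m.group(2))
            continue
        m = BINDING.match(line)
        if m:
            current["protseq"], current["address"], current["endpoint"] = m.groups()
    return records


def inventory(records):
    """Group records by interface uuid.

    For each uuid: the annotations seen, the versions seen, the list of
    (protseq, address, endpoint) bindings, and whether any binding uses a
    protocol sequence reachable from the network.
    """
    by_uuid = {}
    for rec in records:
        if rec["uuid"] is None:
            continue                # annotation without a uuid line is unusable
        entry = by_uuid.setdefault(rec["uuid"], {
            "annotations": set(), "versions": set(),
            "bindings": [], "network_reachable": False})
        entry["annotations"].add(rec["annotation"])
        entry["versions"].add(rec["version"])
        if rec["protseq"]:
            entry["bindings"].append((rec["protseq"], rec["address"], rec["endpoint"]))
            if rec["protseq"] in NETWORK_PROTSEQS:
                entry["network_reachable"] = True
    return by_uuid


def unbound(by_uuid):
    """Uuids whose records carried no string binding at all."""
    return sorted(u for u, e in by_uuid.items() if not e["bindings"])


# Constructed sample assembled from the Exchange 2000 records quoted above.
SAMPLE_DUMP = """
Annotation=Exchange Server STORE ADMIN Interface
uuid=99e64010-b032-11d0-97a4-00c04fd6551d , version=3

annotation=Exchange Server STORE EMSMDB Interface
uuid=a4f1db00-ca47-1067-b31f-00dd010662da , version=0

annotation=MS Exchange Directory NSPI Proxy
uuid=f5cc5a18-4264-101a-8c59-08002b2f8426 , version=56
ncacn_ip_tcp:172.16.1.238[1112]

annotation=MS Exchange Directory NSPI Proxy
uuid=f5cc5a18-4264-101a-8c59-08002b2f8426 , version=56
ncacn_http:172.16.1.238[1113]
"""

if __name__ == "__main__":
    inv = inventory(parse_epm_dump(SAMPLE_DUMP))
    for uuid, entry in inv.items():
        if entry["network_reachable"]:
            reach = "network"
        else:
            reach = "local only" if entry["bindings"] else "no binding listed"
        print(uuid, sorted(entry["annotations"]), entry["bindings"], reach)
```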

4.10 Other RPC services
4.10.1 Plug and Play service
The Plug and Play service runs one RPC service, pnp:
Z:>ifids -p ncalrpc -e ntsvcs serveur
Interfaces: 7

[...]

8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp
0x00 PNP_Disconnect
0x01 PNP_Connect
0x02 PNP_GetVersion
0x03 PNP_GetGlobalState
0x04 PNP_InitDetection
0x05 PNP_ReportLogOn
0x06 PNP_ValidateDeviceInstance
0x07 PNP_GetRootDeviceInstance
0x08 PNP_GetRelatedDeviceInstance
0x09 PNP_EnumerateSubKeys
0x0a PNP_GetDeviceList
0x0b PNP_GetDeviceListSize
0x0c PNP_GetDepth
0x0d PNP_GetDeviceRegProp
0x0e PNP_SetDeviceRegProp
0x0f PNP_GetClassInstance
0x10 PNP_CreateKey
0x11 PNP_DeleteRegistryKey
0x12 PNP_GetClassCount
0x13 PNP_GetClassName
0x14 PNP_DeleteClassKey
0x15 PNP_GetInterfaceDeviceAlias
0x16 PNP_GetInterfaceDeviceList
0x17 PNP_GetInterfaceDeviceListSize
0x18 PNP_RegisterDeviceClassAssociation
0x19 PNP_UnregisterDeviceClassAssociation
0x1a PNP_GetClassRegProp
0x1b PNP_SetClassRegProp
0x1c PNP_CreateDevInst
0x1d PNP_DeviceInstanceAction
0x1e PNP_GetDeviceStatus
0x1f PNP_SetDeviceProblem
0x20 PNP_DisableDevInst
0x21 PNP_UninstallDevInst
0x22 PNP_AddID
0x23 PNP_RegisterDriver
0x24 PNP_QueryRemove
0x25 PNP_RequestDeviceEject
0x26 PNP_IsDockStationPresent
0x27 PNP_RequestEjectPC
0x28 PNP_HwProfFlags
0x29 PNP_GetHwProfInfo
0x2a PNP_AddEmptyLogConf
0x2b PNP_FreeLogConf
0x2c PNP_GetFirstLogConf
0x2d PNP_GetNextLogConf
0x2e PNP_GetLogConfPriority
0x2f PNP_AddResDes
0x30 PNP_FreeResDes
0x31 PNP_GetNextResDes
0x32 PNP_GetResDesData
0x33 PNP_GetResDesDataSize
0x34 PNP_ModifyResDes
0x35 PNP_DetectResourceConflict
0x36 PNP_QueryResConfList
0x37 PNP_SetHwProf
0x38 PNP_QueryArbitratorFreeData
0x39 PNP_QueryArbitratorFreeSize
0x3a PNP_RunDetection
0x3b PNP_RegisterNotification
0x3c PNP_UnregisterNotification
0x3d PNP_GetCustomDevProp
0x3e PNP_GetVersionInternal
0x3f PNP_GetBlockedDriverInfo
0x40 PNP_GetServerSideDeviceInstallFlags


--------------------------------------------------------------------------------

4.10.2 RPC locator service
The RPC locator service runs one RPC service, available on the following endpoint:
locator named pipe
Y:>ifids -p ncacn_np -e \pipe\locator \\.
Interfaces: 3
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0
d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0
0x00 nsi_binding_export
0x01 nsi_binding_unexport


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0
0x00 nsi_binding_lookup_begin
0x01 nsi_binding_lookup_done
0x02 nsi_binding_lookup_next
0x03 nsi_mgmt_handle_set_exp_age


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0
0x00 nsi_group_delete
0x01 nsi_group_mbr_add
0x02 nsi_group_mbr_remove
0x03 nsi_group_mbr_inq_begin
0x04 nsi_group_mbr_inq_next
0x05 nsi_group_mbr_inq_done
0x06 nsi_profile_delete
0x07 nsi_profile_elt_add
0x08 nsi_profile_elt_remove
0x09 nsi_profile_elt_inq_begin
0x0a nsi_profile_elt_inq_next
0x0b nsi_profile_elt_inq_done
0x0c nsi_entry_object_inq_begin
0x0d nsi_entry_object_inq_next
0x0e nsi_entry_object_inq_done
0x0f nsi_entry_expand_name
0x10 nsi_mgmt_binding_unexport
0x11 nsi_mgmt_entry_delete
0x12 nsi_mgmt_entry_create
0x13 nsi_mgmt_entry_inq_if_ids
0x14 nsi_mgmt_inq_exp_age
0x15 nsi_mgmt_inq_set_age


--------------------------------------------------------------------------------

A vulnerability in the locator service was published by David Litchfield in January 2003 [53]. It was fixed by the MS03-001 Microsoft security patch [54].

As the locator named pipe is one of the named pipes that can be accessed in the context of a NULL session, this vulnerability can be exploited remotely without any authentication.
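As an added example (not from this document or from the ifids tool), the following Python parses an ifids listing such as the locator one above into an interface inventory and derives the wire form of an interface id as it appears in a DCE RPC bind PDU, which is what a network detection rule for binds to the locator interface over \pipe\locator has to match. The sample listing, the minimal bind PDU builder and the watchlist are constructed here for the demonstration.

```python
"""Inventory DCE RPC interfaces from ifids-style output and derive the
on-the-wire form of an interface id, e.g. to write a detection rule for
binds to the locator interface over \\pipe\\locator.
Added example: not part of the original document or of the ifids tool."""
import re
import struct
import uuid

# Constructed sample, copied from the locator listing above (backslashes restored).
SAMPLE_IFIDS = r"""
Y:\>ifids -p ncacn_np -e \pipe\locator \\.
Interfaces: 3
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0
d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0
"""

# NDR transfer syntax proposed in every bind (standard DCE RPC value).
NDR_SYNTAX = "8a885d04-1ceb-11c9-9fe8-08002b104860"

# Interfaces worth alerting on when seen in a bind; name taken from the listing above.
WATCHLIST = {
    "d6d70ef0-0e3b-11cb-acc3-08002b1d29c3": "locator nsi_binding_* interface (MS03-001)",
}

CMD_RE = re.compile(r"ifids\s+-p\s+(\S+)\s+-e\s+(\S+)")
IFACE_RE = re.compile(r"^([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}) v(\d+)\.(\d+)$", re.I)


def parse_ifids(text):
    """Return (protseq, endpoint, [(uuid, major, minor), ...], complete).

    complete is False when the 'Interfaces: N' count exceeds the lines
    actually parsed, which is what the '[...]' elisions in the document produce."""
    protseq = endpoint = declared = None
    ifaces = []
    for line in text.splitlines():
        line = line.strip()
        m = CMD_RE.search(line)
        if m:
            protseq, endpoint = m.group(1), m.group(2)
        elif line.startswith("Interfaces:"):
            declared = int(line.split(":", 1)[1])
        else:
            m = IFACE_RE.match(line)
            if m:
                ifaces.append((m.group(1).lower(), int(m.group(2)), int(m.group(3))))
    complete = declared is not None and declared == len(ifaces)
    return protseq, endpoint, ifaces, complete


def interface_wire_bytes(uuid_str, major, minor):
    """20-byte p_syntax_id_t as carried in a little-endian bind PDU: the UUID
    with its first three fields byte-swapped, then 16-bit major and minor.
    .hex() of the result is the content match for a signature."""
    return uuid.UUID(uuid_str).bytes_le + struct.pack("<HH", major, minor)


def build_bind_pdu(uuid_str, major, minor, call_id=1):
    """Constructed minimal bind PDU (one presentation context, NDR transfer
    syntax) so the parser below can be exercised without a capture."""
    ctx = struct.pack("<HBB", 0, 1, 0)                    # p_cont_id, n_transfer_syn, reserved
    ctx += interface_wire_bytes(uuid_str, major, minor)   # abstract syntax
    ctx += interface_wire_bytes(NDR_SYNTAX, 2, 0)         # transfer syntax
    body = struct.pack("<HHI", 5840, 5840, 0)             # max_xmit, max_recv, assoc_group
    body += struct.pack("<BBH", 1, 0, 0) + ctx            # n_context_elem, reserved, reserved2
    # rpc_vers, rpc_vers_minor, ptype=bind, flags=first|last, drep=LE/ASCII/IEEE,
    # frag_length, auth_length, call_id
    hdr = struct.pack("<BBBBIHHI", 5, 0, 0x0B, 0x03, 0x10, 16 + len(body), 0, call_id)
    return hdr + body


def bind_abstract_syntaxes(pdu):
    """Walk the presentation contexts of a bind or alter_context PDU and
    return the requested interfaces as (uuid, major, minor) tuples."""
    vers, _minor, ptype, _flags, drep = struct.unpack_from("<BBBBI", pdu, 0)
    if vers != 5 or ptype not in (0x0B, 0x0E):
        raise ValueError("not a bind/alter_context PDU")
    if drep & 0xF0 != 0x10:
        raise ValueError("big-endian data representation not handled")
    n_ctx = pdu[24]                                        # after 16-byte header + 8 bytes
    off, found = 28, []
    for _ in range(n_ctx):
        n_ts = pdu[off + 2]
        blob = pdu[off + 4:off + 24]
        major, minor = struct.unpack("<HH", blob[16:])
        found.append((str(uuid.UUID(bytes_le=blob[:16])), major, minor))
        off += 24 + 20 * n_ts                              # skip the transfer syntaxes
    return found


def flag_bind(pdu, watchlist=WATCHLIST):
    """Watchlist hits for the interfaces a bind PDU asks for."""
    return [(u, maj, mn, watchlist[u]) for u, maj, mn in bind_abstract_syntaxes(pdu)
            if u in watchlist]


if __name__ == "__main__":
    protseq, endpoint, ifaces, complete = parse_ifids(SAMPLE_IFIDS)
    for u, maj, mn in ifaces:
        print(f"{protseq} {endpoint} {u} v{maj}.{mn} -> |{interface_wire_bytes(u, maj, mn).hex()}|")
    print(flag_bind(build_bind_pdu("d6d70ef0-0e3b-11cb-acc3-08002b1d29c3", 1, 0)))
```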


4.10.3 DNS Client service - Windows 2000
On Windows 2000, the DNS Client service (caching DNS resolver) runs one RPC service.

--------------------------------------------------------------------------------

Interface Operation number Operation name
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
0x00 CRrFlushCache
0x01 CRrFlushCacheEntry
0x02 CRrFlushCacheEntryForType
0x03 CRrTrimCache
0x04 CRrReadCache
0x05 CRrReadCacheEntry
0x06 CRrQuery
0x07 CRrGetAdapterInfo
0x08 CRrGetSearchList
0x09 CRrGetPrimaryDomainName
0x0a CRrGetIpAddressList
0x0b CRrGetHashTableStats
0x0c CRrRegisterParamChange
0x0d CRrDeregisterParamChange
0x0e CRrUpdateTest
0x0f CRrCacheRecordSet


--------------------------------------------------------------------------------

4.10.4 DNS Client service - Windows XP and Windows Server 2003
Starting with Windows XP, the DNS Client service runs one RPC service, available on the following endpoint:
DNSResolver LPC port
Y:>ifids -p ncalrpc -e DNSResolver serveur
Interfaces: 1
45776b01-5956-4485-9f80-f428f7d60129 v2.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
45776b01-5956-4485-9f80-f428f7d60129 v2.0
0x00 CRrReadCache
0x01 CRrReadCacheEntry
0x02 CRrGetHashTableStats
0x03 R_ResolverGetConfig
0x04 R_ResolverFlushCache
0x05 R_ResolverFlushCacheEntry
0x06 R_ResolverRegisterCluster
0x07 R_ResolverQuery
0x08 R_ResolverEnumCache
0x09 R_ResolverPoke


--------------------------------------------------------------------------------

4.10.5 EFS
The EFS (Encrypted FileSystem) subsystem runs one RPC service, efsrpc, used to communicate with the service that implements cryptographic operations on the local system.

--------------------------------------------------------------------------------

Interface Operation number Operation name
c681d488-d850-11d0-8c52-00c04fd90f7e v1.0: efsrpc
0x00 EfsRpcOpenFileRaw
0x01 EfsRpcReadFileRaw
0x02 EfsRpcWriteFileRaw
0x03 EfsRpcCloseRaw
0x04 EfsRpcEncryptFileSrv
0x05 EfsRpcDecryptFileSrv
0x06 EfsRpcQueryUserOnFile
0x07 EfsRpcQueryRecoveryAgents
0x08 EfsRpcRemoveUsersFromFile
0x09 EfsRpcAddUsersToFile
0x0a EfsRpcSetFileEncryptionKey
0x0b EfsRpcNotSupported
0x0c EfsRpcFileKeyInfo
0x0d EfsRpcDuplicateEncryptionInfoFile


--------------------------------------------------------------------------------

4.10.6 Cryptographic Services service
The Cryptographic Services service runs three RPC services, available on the following endpoints:
keysvc LPC port
keysvc named pipe
Y:>ifids -p ncalrpc -e keysvc serveur
Interfaces: 40

[...]

8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
a3b749b1-e3d0-4967-a521-124055d1c37d v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0

[...]

Y:>ifids -p ncacn_np -e \pipe\keysvc \\.
Interfaces: 40

[...]

8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
a3b749b1-e3d0-4967-a521-124055d1c37d v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0: ICertPassage
0x00 KeyrOpenKeyService
0x01 KeyrEnumerateProviders
0x02 KeyrCloseKeyService
0x03 KeyrGetDefaultProvider
0x04 KeyrEnroll
0x05 KeyrEnumerateAvailableCertTypes
0x06 KeyrEnumerateCAs
0x07 KeyrEnroll_V2
0x08 KeyrQueryRequestStatus


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
a3b749b1-e3d0-4967-a521-124055d1c37d v1.0: IKeySvcR
0x00 RKeyrOpenKeyService
0x01 RKeyrCloseKeyService
0x02 RKeyrPFXInstall


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
0x00 SSCertProtectFunction


--------------------------------------------------------------------------------

An additional RPC service exists:

--------------------------------------------------------------------------------

Interface Operation number Operation name
8ec70aac-a042-a622-b71b-fb9d43010000 v0.4
0x00 SSCatDBAddCatalog
0x01 SSCatDBDeleteCatalog
0x02 SSCatDBEnumCatalogs
0x03 SSCatDBRegisterForChangeNotification
0x04 SSCatDBPauseResumeService


--------------------------------------------------------------------------------

4.10.7 Security Configuration Editor Engine
The Security Configuration Editor Engine runs in the services.exe process context. It runs one RPC service on the following endpoint:
scerpc named pipe
Y:>ifids -p ncacn_np -e \pipe\scerpc \\.
Interfaces: 7

[...]

93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
0x00 SceSvcRpcQueryInfo
0x01 SceSvcRpcSetInfo
0x02 SceRpcSetupUpdateObject
0x03 SceRpcSetupMoveFile
0x04 SceRpcGenerateTemplate
0x05 SceRpcConfigureSystem
0x06 SceRpcGetDatabaseInfo
0x07 SceRpcGetObjectChildren
0x08 SceRpcOpenDatabase
0x09 SceRpcCloseDatabase
0x0a SceRpcGetDatabaseDescription
0x0b SceRpcGetDBTimeStamp
0x0c SceRpcGetObjectSecurity
0x0d SceRpcGetAnalysisSummary
0x0e SceRpcAnalyzeSystem
0x0f SceRpcUpdateDatabaseInfo
0x10 SceRpcUpdateObjectInfo
0x11 SceRpcStartTransaction
0x12 SceRpcCommitTransaction
0x13 SceRpcRollbackTransaction
0x14 SceRpcGetServerProductType
0x15 SceSvcRpcUpdateInfo
0x16 SceRpcCopyObjects
0x17 SceRpcSetupResetLocalPolicy
0x18 SceRpcNotifySaveChangesInGP
0x19 SceRpcControlNotificationQProcess
0x1a SceRpcBrowseDatabaseTable
0x1b SceRpcGetSystemSecurity
0x1c SceRpcGetSystemSecurityFromHandle
0x1d SceRpcSetSystemSecurity
0x1e SceRpcSetSystemSecurityFromHandle
0x1f SceRpcSetDatabaseSetting
0x20 SceRpcGetDatabaseSetting
0x21 SceRpcConfigureConvertedFileSecurityImmediately


--------------------------------------------------------------------------------

4.10.8 Windows Time service
The Windows Time service runs one RPC service on the following endpoints:
W32TIME LPC port (Windows 2000 and Windows XP) and W32TIME_ALT LPC port (Windows Server 2003)
W32TIME named pipe (Windows 2000 and Windows XP) and W32TIME_ALT named pipe (Windows Server 2003)
Y:>ifids -p ncalrpc -e W32TIME_ALT serveur
Interfaces: 40

[...]

8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

[...]

Y:>ifids -p ncacn_np -e \pipe\W32TIME_ALT \\.
Interfaces: 40

[...]

8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1: w32time
0x00 W32TimeSync
0x01 W32TimeGetNetLogonServiceBits
0x02 W32TimeQueryProviderStatus


--------------------------------------------------------------------------------

4.10.9 Windows Audio service
The Windows Audio service runs one RPC service, available on the following endpoints:
AudioSrv LPC port
AudioSrv named pipe (Windows XP only)
Y:>ifids -p ncalrpc -e AudioSrv serveur
Interfaces: 40

[...]

3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0
0x00 gfxCreateZoneFactoriesList
0x01 gfxCreateGfxFactoriesList
0x02 gfxCreateGfxList
0x03 gfxRemoveGfx
0x04 gfxAddGfx
0x05 gfxModifyGx
0x06 gfxOpenGfx
0x07 gfxLogon
0x08 gfxLogoff
0x09 winmmRegisterSessionNotificationEvent
0x0a winmmUnregisterSessionNotification
0x0b winmmSessionConnectState
0x0c wdmDriverOpenDrvRegKey
0x0d winmmAdvisePreferredDeviceChange
0x0e winmmGetPnpInfo


--------------------------------------------------------------------------------

4.10.10 Certificate service
The Certificate service runs one RPC service on the following endpoint:
cert named pipe
Y:>ifids -p ncacn_np -e \pipe\cert \\.
Interfaces: 6

[...]

91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0
0x00 CertServerRequest


--------------------------------------------------------------------------------

4.10.11 DHCP Server service
The DHCP Server service runs two RPC services, available on the following endpoint:
DHCPSERVERLPC LPC port
Z:>ifids -p ncalrpc -e DHCPSERVERLPC serveur
Interfaces: 6
00000134-0000-0000-c000-000000000046 v0.0
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0
6bffd098-a112-3610-9833-46c3f874532d v1.0
5b821720-f63b-11d0-aad2-00c04fc324db v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
6bffd098-a112-3610-9833-46c3f874532d v1.0
0x00 R_DhcpCreateSubnet
0x01 R_DhcpSetSubnetInfo
0x02 R_DhcpGetSubnetInfo
0x03 R_DhcpEnumSubnets
0x04 R_DhcpAddSubnetElement
0x05 R_DhcpEnumSubnetElements
0x06 R_DhcpRemoveSubnetElement
0x07 R_DhcpDeleteSubnet
0x08 R_DhcpCreateOption
0x09 R_DhcpSetOptionInfo
0x0a R_DhcpGetOptionInfo
0x0b R_DhcpRemoveOption
0x0c R_DhcpSetOptionValue
0x0d R_DhcpGetOptionValue
0x0e R_DhcpEnumOptionValues
0x0f R_DhcpRemoveOptionValue
0x10 R_DhcpCreateClientInfo
0x11 R_DhcpSetClientInfo
0x12 R_DhcpGetClientInfo
0x13 R_DhcpDeleteClientInfo
0x14 R_DhcpEnumSubnetClients
0x15 R_DhcpGetClientOptions
0x16 R_DhcpGetMibInfo
0x17 R_DhcpEnumOptions
0x18 R_DhcpSetOptionValues
0x19 R_DhcpServerSetConfig
0x1a R_DhcpServerGetConfig
0x1b R_DhcpScanDatabase
0x1c R_DhcpGetVersion
0x1d R_DhcpAddSubnetElementV4
0x1e R_DhcpEnumSubnetElementsV4
0x1f R_DhcpRemoveSubnetElementV4
0x20 R_DhcpCreateClientInfoV4
0x21 R_DhcpSetClientInfoV4
0x22 R_DhcpGetClientInfoV4
0x23 R_DhcpEnumSubnetClientsV4
0x24 R_DhcpSetSuperScopeV4
0x25 R_DhcpGetSuperScopeInfoV4
0x26 R_DhcpDeleteSuperScopeV4
0x27 R_DhcpServerSetConfigV4
0x28 R_DhcpServerGetConfigV4


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
5b821720-f63b-11d0-aad2-00c04fc324db v1.0
0x00 R_DhcpEnumSubnetClientsV5
0x01 R_DhcpSetMScopeInfo
0x02 R_DhcpGetMScopeInfo
0x03 R_DhcpEnumMScopes
0x04 R_DhcpAddMScopeElement
0x05 R_DhcpEnumMScopeElements
0x06 R_DhcpRemoveMScopeElement
0x07 R_DhcpDeleteMScope
0x08 R_DhcpScanMDatabase
0x09 R_DhcpCreateMClientInfo
0x0a R_DhcpSetMClientInfo
0x0b R_DhcpGetMClientInfo
0x0c R_DhcpDeleteMClientInfo
0x0d R_DhcpEnumMScopeClients
0x0e R_DhcpCreateOptionV5
0x0f R_DhcpSetOptionInfoV5
0x10 R_DhcpGetOptionInfoV5
0x11 R_DhcpEnumOptionsV5
0x12 R_DhcpRemoveOptionV5
0x13 R_DhcpSetOptionValueV5
0x14 R_DhcpSetOptionValuesV5
0x15 R_DhcpGetOptionValueV5
0x16 R_DhcpEnumOptionValuesV5
0x17 R_DhcpRemoveOptionValueV5
0x18 R_DhcpCreateClass
0x19 R_DhcpModifyClass
0x1a R_DhcpDeleteClass
0x1b R_DhcpGetClassInfo
0x1c R_DhcpEnumClasses
0x1d R_DhcpGetAllOptions
0x1e R_DhcpGetAllOptionValues
0x1f R_DhcpGetMCastMibInfo
0x20 R_DhcpAuditLogSetParams
0x21 R_DhcpAuditLogGetParams
0x22 R_DhcpServerQueryAttribute
0x23 R_DhcpServerQueryAttributes
0x24 R_DhcpServerRedoAuthorization
0x25 R_DhcpAddSubnetElementV5
0x26 R_DhcpEnumSubnetElementsV5
0x27 R_DhcpRemoveSubnetElementV5
0x28 R_DhcpGetServerBindingInfo
0x29 R_DhcpSetServerBindingInfo
0x2a R_DhcpQueryDnsRegCredentials
0x2b R_DhcpSetDnsRegCredentials
0x2c R_DhcpBackupDatabase
0x2d R_DhcpRestoreDatabase


--------------------------------------------------------------------------------

4.10.12 Terminal Server service
The Terminal Server service runs two RPC services, available on the following endpoints:
IcaApi LPC port
LcRpc LPC port
Ctx_WinStation_API_service named pipe
Y:>ifids -p ncalrpc -e IcaApi serveur
Interfaces: 2
2f59a331-bf7d-48cb-9e5c-7c090d76e8b8 v1.0
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0

Y:>ifids -p ncalrpc -e LcRpc serveur
Interfaces: 2
2f59a331-bf7d-48cb-9e5c-7c090d76e8b8 v1.0
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0

Y:>ifids -p ncacn_np -e \pipe\Ctx_Winstation_API_Service \\.
Interfaces: 2
2f59a331-bf7d-48cb-9e5c-7c090d76e8b8 v1.0
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0

The following interface is used for Terminal Services licensing:

--------------------------------------------------------------------------------

Interface Operation number Operation name
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8 v1.0
0x00 RpcLicensingOpenServer
0x01 RpcLicensingCloseServer
0x02 RpcLicensingLoadPolicy
0x03 RpcLicensingUnloadPolicy
0x04 RpcLicensingSetPolicy
0x05 RpcLicensingGetAvailablePolicyIds
0x06 RpcLicensingGetPolicy
0x07 RpcLicensingGetPolicyInformation
0x08 RpcLicensingDeactivateCurrentPolicy


--------------------------------------------------------------------------------

The following interface is used for Terminal Services remote management:

--------------------------------------------------------------------------------

Interface Operation number Operation name
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0
0x00 RpcWinStationOpenServer
0x01 RpcWinStationCloseServer
0x02 RpcIcaServerPing
0x03 RpcWinStationEnumerate
0x04 RpcWinStationRename
0x05 RpcWinStationQueryInformation
0x06 RpcWinStationSetInformation
0x07 RpcWinStationSendMessage
0x08 RpcLogonIdFromWinStationName
0x09 RpcWinStationNameFromLogonId
0x0a RpcWinStationConnect
0x0b RpcWinStationVirtualOpen
0x0c RpcWinStationBeepOpen
0x0d RpcWinStationDisconnect
0x0e RpcWinStationReset
0x0f RpcWinStationShutdownSystem
0x10 RpcWinStationWaitSystemEvent
0x11 RpcWinStationShadow
0x12 RpcWinStationShadowTargetSetup
0x13 RpcWinStationShadowTarget
0x14 RpcWinStationGenerateLicense
0x15 RpcWinStationInstallLicense
0x16 RpcWinStationEnumerateLicenses
0x17 RpcWinStationActivateLicense
0x18 RpcWinStationRemoveLicense
0x19 RpcWinStationQueryLicense
0x1a RpcWinStationSetPoolCount
0x1b RpcWinStationQueryUpdateRequired
0x1c RpcWinStationCallback
0x1d RpcWinStationGetApplicationInfo
0x1e RpcWinStationReadRegistry
0x1f RpcWinStationWaitForConnect
0x20 RpcWinStationNotifyLogon
0x21 RpcWinStationNotifyLogoff
0x22 RpcWinStationEnumerateProcesses
0x23 RpcWinStationAnnoyancePopup
0x24 RpcWinStationEnumerateProcesses
0x25 RpcWinStationTerminateProcess
0x26 RpcServerNWLogonSetAdmin
0x27 RpcServerNWLogonQueryAdmin
0x28 RpcWinStationNtsdDebug ?
0x29 RpcWinStationBreakPoint ?
0x2a RpcWinStationCheckForApplicationName ?
0x2b RpcWinStationGetAllProcesses
0x2c RpcWinStationGetProcessSid
0x2d RpcWinStationGetTermSrvCountersValue
0x2e RpcWinStationReInitializeSecurity
0x2f RpcWinStationBroadcastSystemMessage
0x30 RpcWinStationSendWindowMessage
0x31 RpcWinStationNotifyNewSession
0x32 RpcServerGetInternetConnectorStatus
0x33 RpcServerSetInternetConnectorStatus
0x34 RpcServerQueryInetConnectorInformation
0x35 RpcWinStationGetLanAdapterName
0x36 RpcWinStationUpdateUserConfig
0x37 RpcWinStationQueryLogonCredentials
0x38 RpcWinStationRegisterConsoleNotification
0x39 RpcWinStationUnRegisterConsoleNotification
0x3a RpcWinStationUpdateSettings
0x3b RpcWinStationShadowStop
0x3c RpcWinStationCloseServerEx
0x3d RpcWinStationIsHelpAssistantSession
0x3e RpcWinStationGetMachinePolicy
0x3f RpcWinStationUpdateClientCachedCredentials
0x40 RpcWinStationFUSCanRemoteUserDisconnect
0x41 RpcWinStationCheckLoopBack
0x42 RpcConnectCallback
0x43 RpcWinStationNotifyDisconnectPipe
0x44 RpcWinStationSessionInitialized
0x45 RpcRemoteAssistancePrepareSystemRestore
0x46 RpcWinStationGetAllProcesses_NT6
0x47 RpcWinStationRegisterNotificationEvent
0x48 RpcWinStationUnRegisterNotificationEvent
0x49 RpcWinStationAutoReconnect
0x4a RpcWinStationCheckAccess
0x4b RpcWinStationOpenSessionDirectory


--------------------------------------------------------------------------------

4.10.13 License Logging service
The License Logging service runs two RPC services, available on the following endpoints:
llslpc LPC port
llsrpc named pipe
Y:>ifids -p ncalrpc -e llslpc serveur
Interfaces: 2
342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
57674cd0-5200-11ce-a897-08002b2e9c6d v1.0

Y:>ifids -p ncacn_np -e \pipe\llsrpc \\.
Interfaces: 2
342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
57674cd0-5200-11ce-a897-08002b2e9c6d v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
57674cd0-5200-11ce-a897-08002b2e9c6d v1.0
0x00 LlsrLicenseRequestW
0x01 LlsrLicenseFree


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
0x00 LlsrConnect
0x01 LlsrClose
0x02 LlsrLicenseEnumW
0x03 LlsrLicenseEnumA
0x04 LlsrLicenseAddW
0x05 LlsrLicenseAddA
0x06 LlsrProductEnumW
0x07 LlsrProductEnumA
0x08 LlsrProductAddW
0x09 LlsrProductAddA
0x0a LlsrProductUserEnumW
0x0b LlsrProductUserEnumA
0x0c LlsrProductServerEnumW
0x0d LlsrProductServerEnumA
0x0e LlsrProductLicenseEnumW
0x0f LlsrProductLicenseEnumA
0x10 LlsrUserEnumW
0x11 LlsrUserEnumA
0x12 LlsrUserInfoGetW
0x13 LlsrUserInfoGetA
0x14 LlsrUserInfoSetW
0x15 LlsrUserInfoSetA
0x16 LlsrUserDeleteW
0x17 LlsrUserDeleteA
0x18 LlsrUserProductEnumW
0x19 LlsrUserProductEnumA
0x1a LlsrUserProductDeleteW
0x1b LlsrUserProductDeleteA
0x1c LlsrMappingEnumW
0x1d LlsrMappingEnumA
0x1e LlsrMappingInfoGetW
0x1f LlsrMappingInfoGetA
0x20 LlsrMappingInfoSetW
0x21 LlsrMappingInfoSetA
0x22 LlsrMappingUserEnumW
0x23 LlsrMappingUserEnumA
0x24 LlsrMappingUserAddW
0x25 LlsrMappingUserAddA
0x26 LlsrMappingUserDeleteW
0x27 LlsrMappingUserDeleteA
0x28 LlsrMappingAddW
0x29 LlsrMappingAddA
0x2a LlsrMappingDeleteW
0x2b LlsrMappingDeleteA
0x2c LlsrServerEnumW
0x2d LlsrServerEnumA
0x2e LlsrServerProductEnumW
0x2f LlsrServerProductEnumA
0x30 LlsrLocalProductEnumW
0x32 LlsrLocalProductInfoGetW
0x33 LlsrLocalProductInfoGetA
0x34 LlsrLocalProductInfoSetW
0x35 LlsrLocalProductInfoSetA
0x36 LlsrServiceInfoGetW
0x37 LlsrServiceInfoGetA
0x38 LlsrServiceInfoSetW
0x39 LlsrServiceInfoSetA
0x3a LlsrReplConnect
0x3b LlsrReplClose
0x3c LlsrReplicationRequestW
0x3d LlsrReplicationServerAddW
0x3e LlsrReplicationServerServiceAddW
0x3f LlsrReplicationServiceAddW
0x40 LlsrReplicationUserAddW
0x41 LlsrProductSecurityGetW
0x42 LlsrProductSecurityGetA
0x43 LlsrProductSecuritySetW
0x44 LlsrProductSecuritySetA
0x45 LlsrProductLicensesGetA
0x46 LlsrProductLicensesGetW
0x47 LlsrCertificateClaimEnumA
0x48 LlsrCertificateClaimEnumW
0x49 LlsrCertificateClaimAddCheckA
0x4a LlsrCertificateClaimAddCheckW
0x4b LlsrCertificateClaimAddA
0x4c LlsrCertificateClaimAddW
0x4d LlsrReplicationCertDbAddW
0x4e LlsrReplicationProductSecurityAddW
0x4f LlsrReplicationUserAddExW
0x50 LlsrCapabilityGet
0x51 LlsrLocalServiceEnumW
0x52 LlsrLocalServiceEnumA
0x53 LlsrLocalServiceAddA
0x54 LlsrLocalServiceAddW
0x55 LlsrLocalServiceInfoSetW
0x56 LlsrLocalServiceInfoSetA
0x57 LlsrLocalServiceInfoGetW
0x58 LlsrLocalServiceInfoGetA
0x59 LlsrCloseEx


--------------------------------------------------------------------------------

4.10.14 Secondary Logon service
The Secondary Logon service runs one RPC service, available on the following endpoints:
SECLOGON LPC port (Windows XP and Windows Server 2003)
SecondaryLogon named pipe (Windows 2000), SECLOGON named pipe (Windows XP)
Y:>ifids -p ncalrpc -e SECLOGON serveur
Interfaces: 40

[...]

12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0



--------------------------------------------------------------------------------

Interface Operation number Operation name
12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0
0x01 SeclCreateProcessWithLogonW


--------------------------------------------------------------------------------

4.10.15 Protected storage service
The Protected Storage service runs one RPC service, available on the following endpoints:
protected_storage LPC port
protected_storage named pipe
Y:>ifids -p ncalrpc -e protected_storage serveur
Interfaces: 18

[...]

c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0

[...]


Y:>ifids -p ncacn_np -e \pipe\protected_storage \\.
Interfaces: 18

[...]

c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
0x00 SSPStoreEnumProviders
0x01 SSGetProvInfo
0x02 SSGetProvParam
0x03 SSetProvParam
0x04 SSAcquireContext
0x05 SSReleaseContext
0x06 SSPasswordInterface
0x07 SSEnumTypes
0x08 SSEnumSubtypes
0x09 SSEnumItems
0x0a SSGetTypeInfo
0x0b SSGetSubtypeInfo
0x0c SSCreateType
0x0d SSCreateSubtype
0x0e SSDeleteType
0x0f SSDeleteSubtype
0x10 SSDeleteItem
0x11 SSReadItem
0x12 SSWriteItem
0x13 SSOpenItem
0x14 SSCloseItem
0x15 SSReadAccessRuleset
0x16 SSWriteAccessRuleset


--------------------------------------------------------------------------------

On Windows 2000, the two following RPC services run in the LSA:

--------------------------------------------------------------------------------

Interface Operation number Operation name
11220835-5b26-4d94-ae86-c3e475a809de v1.0
0x00 SSCryptProtectData
0x01 SSCryptUnprotectData


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
5cbe92cb-f4be-45c9-9fc9-33e73e557b20 v1.0
0x00 SSRecoveryQueryStatus
0x01 SSRecoveryImportRecoveryKey
0x02 SSRecoverPassword


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
3dde7c30-165d-11d1-ab8f-00805f14db40 v1.0
0x00 BackuprKey


--------------------------------------------------------------------------------

4.10.16 Telephony service
The Telephony service runs two RPC services on the following endpoints:
tapsrvlpc LPC port
tapsrv named pipe
Y:>ifids -p ncalrpc -e tapsrvlpc serveur
Interfaces: 1
2f5f6520-ca46-1067-b319-00dd010662da v1.0

Y:>ifids -p ncacn_np -e \pipe\tapsrv \\.
Interfaces: 1
2f5f6520-ca46-1067-b319-00dd010662da v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
2f5f6520-ca46-1067-b319-00dd010662da v1.0
0x00 ClientAttach
0x01 ClientRequest
0x02 ClientDetach


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
2f5f6521-ca47-1068-b319-00dd010662db v1.0
0x00 SPAttach
0x01 SPEventProc
0x02 SPDetach


--------------------------------------------------------------------------------

4.10.17 Remote Access service
The Remote Access service runs one RPC service, available on the following endpoint:
ROUTER named pipe
Y:>ifids -p ncacn_np -e \pipe\ROUTER \\.
Interfaces: 43

[...]

8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0
0x00 RMprAdminServerGetInfo
0x01 RRasAdminConnectionEnum
0x02 RRasAdminConnectionGetInfo
0x03 RRasAdminConnectionClearStats
0x04 RRasAdminPortEnum
0x05 RRasAdminPortGetInfo
0x06 RRasAdminPortClearStats
0x07 RRasAdminPortReset
0x08 RRasAdminPortDisconnect
0x09 RRouterInterfaceTransportSetGlobalInfo
0x0a RRouterInterfaceTransportGetGlobalInfo
0x0b RRouterInterfaceGetHandle
0x0c RRouterInterfaceCreate
0x0d RRouterInterfaceGetInfo
0x0e RRouterInterfaceSetInfo
0x0f RRouterInterfaceDelete
0x10 RRouterInterfaceTransportRemove
0x11 RRouterInterfaceTransportAdd
0x12 RRouterInterfaceTransportGetInfo
0x13 RRouterInterfaceTransportSetInfo
0x14 RRouterInterfaceEnum
0x15 RRouterInterfaceConnect
0x16 RRouterInterfaceDisconnect
0x17 RRouterInterfaceUpdateRoutes
0x18 RRouterInterfaceQueryUpdateResult
0x19 RRouterInterfaceUpdatePhonebookInfo
0x1a RMIBEntryCreate
0x1b RMIBEntryDelete
0x1c RMIBEntrySet
0x1d RMIBEntryGet
0x1e RMIBEntryGetFirst
0x1f RMIBEntryGetNext
0x20 RMIBGetTrapInfo
0x21 RMIBSetTrapInfo
0x22 RRasAdminConnectionNotification
0x23 RRasAdminSendUserMessage
0x24 RRouterDeviceEnum
0x25 RRouterInterfaceTransportCreate
0x26 RRouterInterfaceDeviceGetInfo
0x27 RRouterInterfaceDeviceSetInfo
0x28 RRouterInterfaceSetCredentialsEx
0x29 RRouterInterfaceGetCredentialsEx
0x2a RRasAdminConnectionRemoveQuarantine


--------------------------------------------------------------------------------

4.10.18 IPsec Policy Agent service - Windows 2000
On Windows 2000, the IPsec Policy Agent service runs one RPC service, available on the following endpoints:
policyagent LPC port
POLICYAGENT named pipe
C:>ifids -p ncalrpc -e policyagent fenetre
Interfaces: 5

[...]

d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5

C:>ifids -p ncacn_np -e \pipe\policyagent \\.
Interfaces: 5

[...]

d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5


--------------------------------------------------------------------------------

Interface Operation number Operation name
d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5
0x00 PAAddPolicyRule
0x01 PAUpdatePolicyRule
0x02 PADeletePolicy
0x03 PAQueryIsakmpPolicy
0x04 PAAddIsakmpPolicy
0x05 PARefreshPolicies
0x06 PAAddFilter
0x07 PAMatchFilter
0x08 PAQueryIpsecPolicy
0x09 PAQueryFilters
0x0a PADeleteFilter
0x0b PAQueryStatistics
0x0c PAQueryAssociations
0x0d PAQueryIsakmpAssociations
0x0e PADeleteIsakmpAssociation
0x0f IsakmpInitiateNegotiation
0x10 IsakmpQueryNegotiationStatus
0x11 IsakmpCloseNegotiationStatusHandle
0x12 IsakmpQuerySpiChange
0x13 IsakmpRegisterNotifyClient
0x14 IsakmpDeregisterNotifyClient
0x15 IsakmpQuerySpi


--------------------------------------------------------------------------------

4.10.19 IPsec Services service - Windows XP and Windows Server 2003
On Windows XP, the IPsec Services service runs one RPC service on the following endpoints:
ipsec LPC port
ipsec named pipe
E:>ifids -p ncalrpc -e ipsec jamal
Interfaces: 8

[...]

12345678-1234-abcd-ef00-0123456789ab v1.0


E:>ifids -p ncacn_np -e \pipe\ipsec \\.
Interfaces: 8

[...]

12345678-1234-abcd-ef00-0123456789ab v1.0


On Windows Server 2003, the RPC service does not seem to set a specific endpoint.

--------------------------------------------------------------------------------

Interface Operation number Operation name
12345678-1234-abcd-ef00-0123456789ab v1.0
0x00 RpcAddTransportFilter
0x01 RpcDeleteTransportFilter
0x02 RpcEnumTransportFilters
0x03 RpcSetTransportFilter
0x04 RpcGetTransportFilter
0x05 RpcAddQMPolicy
0x06 RpcDeleteQMPolicy
0x07 RpcEnumQMPolicies
0x08 RpcSetQMPolicy
0x09 RpcGetQMPolicy
0x0a RpcAddMMPolicy
0x0b RpcDeleteMMPolicy
0x0c RpcEnumMMPolicies
0x0d RpcSetMMPolicy
0x0e RpcGetMMPolicy
0x0f RpcAddMMFilter
0x10 RpcDeleteMMFilter
0x11 RpcEnumMMFilters
0x12 RpcSetMMFilter
0x13 RpcGetMMFilter
0x14 RpcMatchMMFilter
0x15 RpcMatchTransportFilter
0x16 RpcGetQMPolicyByID
0x17 RpcGetMMPolicyByID
0x18 RpcAddMMAuthMethods
0x19 RpcDeleteMMAuthMethods
0x1a RpcEnumMMAuthMethods
0x1b RpcSetMMAuthMethods
0x1c RpcGetMMAuthMethods
0x1d RpcInitiateIKENegotiation
0x1e RpcQueryIKENegotiationStatus
0x1f RpcCloseIKENegotiationHandle
0x20 RpcEnumMMSAs
0x21 RpcDeleteMMSAs
0x22 RpcDeleteQMSAs
0x23 RpcQueryIKEStatistics
0x24 RpcRegisterIKENotifyClient
0x25 RpcQueryIKENotifyData
0x26 RpcCloseIKENotifyHandle
0x27 RpcQueryIPSecStatistics
0x28 RpcEnumQMSAs
0x29 RpcAddTunnelFilter
0x2a RpcDeleteTunnelFilter
0x2b RpcEnumTunnelFilters
0x2c RpcSetTunnelFilter
0x2d RpcGetTunnelFilter
0x2e RpcMatchTunnelFilter
0x2f RpcOpenMMFilterHandle
0x30 RpcCloseMMFilterHandle
0x31 RpcOpenTransportFilterHandle
0x32 RpcCloseTransportFilterHandle
0x33 RpcOpenTransportFilterHandle
0x34 RpcCloseTransportFilterHandle
0x35 RpcOpenTunnelFilterHandle
0x36 RpcCloseTunnelFilterHandle
0x37 RpcEnumIpsecInterfaces
0x38 RpcAddSAs
0x39 RpcSetConfigurationVariables
0x3a RpcGetConfigurationVariables
0x3b RpcQuerySpdPolicyState


--------------------------------------------------------------------------------

4.10.20 Distributed Link Tracking Client service
The Distributed Link Tracking Client service, implemented in the trkwks.dll DLL, runs one RPC service, available on the following endpoints:
trkwks LPC port
trkwks named pipe
Y:\>ifids -p ncalrpc -e trkwks serveur
Interfaces: 40

[...]

300f3532-38cc-11d0-a3f0-0020af6b0add v1.2

Y:\>ifids -p ncacn_np -e \pipe\trkwks \\.
Interfaces: 40

[...]

300f3532-38cc-11d0-a3f0-0020af6b0add v1.2



--------------------------------------------------------------------------------

Interface Operation number Operation name
300f3532-38cc-11d0-a3f0-0020af6b0add v1.2: trkwks
0x00 LnkMendLink
0x01 LnkSearchMachine
0x02 LnkCallSvrMessage
0x03 LnkSetVolumeId
0x04 LnkRestartDcSynchronization
0x05 GetVolumeTrackingInformation
0x06 GetFileTrackingInformation
0x07 TriggerVolumeClaims
0x08 LnkOnRestore
0x09 LnkMendLink
0x0a LnkSearchMachine
0x0b LnkCallSvrMessage
0x0c LnkSearchMachine


--------------------------------------------------------------------------------

4.10.21 Distributed Link Tracking Server service

--------------------------------------------------------------------------------

Interface Operation number Operation name
4da1c422-943d-11d1-acae-00c04fc2aa3f v1.0: trksvr
0x00 LnkSvrMessage


--------------------------------------------------------------------------------

4.10.22 WebClient service
The WebClient service runs one RPC service, available on the following endpoint:
DAV RPC SERVICE named pipe
Y:\>ifids -p ncacn_np -e "\pipe\DAV RPC SERVICE" \\.
Interfaces: 1
c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0
0x00 DavrCreateConnection
0x01 DavrDoesServerDoDav
0x02 DavrIsValidShare
0x03 DavrEnumNetUses
0x04 DavrEnumShares
0x05 DavrEnumServers
0x06 DavrGetConnection
0x07 DavrDeleteConnection
0x08 DavrGetUser
0x09 DavrConnectionExist
0x0a DavrWinlogonLogonEvent
0x0b DavrWinlogonLogoffEvent
0x0c DavrGetDiskSpaceUsage
0x0d DavrFreeUsedDiskSpace
0x0e DavrGetTheLockOwnerOfTheFile


--------------------------------------------------------------------------------

4.10.23 Windows File Protection
The Windows File Protection subsystem runs one RPC service, available on the following endpoints:
SfcApi LPC port
SfcApi named pipe (Windows 2000 and Windows XP, not Windows Server 2003)
Y:\>ifids -p ncalrpc -e SfcApi serveur
Interfaces: 9

[...]

83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0
0x00 SfcSrv_GetNextProtectedFile
0x01 SfcSrv_IsFileProtected
0x02 SfcSrv_FileException
0x03 SfcSrv_InitiateScan
0x04 SfcSrv_PurgeCache
0x05 SfcSrv_SetCacheSize
0x06 SfcSrv_SetDisable
0x07 SfcSrv_InstallProtectedFiles


--------------------------------------------------------------------------------

4.10.24 System Event Notification service
The System Event Notification Service runs two RPC services, listening on the following endpoint:
senssvc LPC port
Y:\>ifids -p ncalrpc -e senssvc serveur
Interfaces: 43

[...]

63fbe424-2029-11d1-8db8-00aa004abd5e v1.0
629b9f66-556c-11d1-8dd2-00aa004abd5e v3.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
63fbe424-2029-11d1-8db8-00aa004abd5e v1.0
0x00 Rpc_IsNetworkAlive
0x01 Rpc_IsDestinationReachableW
0x02 Rpc_IsDestinationReachableA


--------------------------------------------------------------------------------

Interface Operation number Operation name
629b9f66-556c-11d1-8dd2-00aa004abd5e v3.0
0x00 Rpc_SensNotifyWinlogonEvent
0x01 Rpc_SensNotifyRasEvent
0x02 Rpc_SensNotifyNetconEvent
0x03 Rpc_SyncMgrExecCmd


--------------------------------------------------------------------------------

4.10.25 Wireless Configuration service
The Wireless Configuration service runs one RPC service, available on the following endpoint:
wzcsvc LPC port
X:\>ifids -p ncalrpc -e wzcsvc serveur
Interfaces: 37
621dff68-3c39-4c6c-aae3-e68e2c6503ad v1.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
621dff68-3c39-4c6c-aae3-e68e2c6503ad v1.0
0x00 RpcEnumInterfaces
0x01 RpcQueryInterface
0x02 RpcSetInterface
0x03 RpcRefreshInterface
0x04 RpcQueryContext
0x05 RpcSetContext
0x06 RpcEapolUIResponse
0x07 RpcEapolGetCustomAuthData
0x08 RpcEapolSetCustomAuthData
0x09 RpcEapolGetInterfaceParams
0x0a RpcEapolSetInterfaceParams
0x0b RpcEapolReAuthenticateInterface
0x0c RpcEapolQueryInterfaceState
0x0d RpcOpenWZCDbLogSession
0x0e RpcCloseWZCDbLogSession
0x0f RpcEnumWZCDbLogRecords
0x10 RpcFlushWZCDbLog
0x11 RpcGetWZCDbLogRecord


--------------------------------------------------------------------------------

This interface can only be used locally (it is registered with RpcServerRegisterIfEx(), with a security-callback function that verifies that the protocol sequence used is ncalrpc).


4.10.26 Winlogon process - Windows 2000
Several RPC services run in the Winlogon process and are available on the following endpoints:
winlogonrpc named pipe
InitShutdown named pipe
C:\>ifids -p ncacn_np -e \pipe\winlogonrpc \\.
Interfaces: 4
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0

C:\>ifids -p ncacn_np -e \pipe\InitShutdown \\.
Interfaces: 4
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0


winlogon.exe RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
0x00 BaseInitiateShutdown
0x01 BaseAbortShutdown
0x02 BaseInitiateShutdownEx


--------------------------------------------------------------------------------

profmap.dll DLL RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0
0x00 ProfMapSrv_RemoteRemapUserProfile
0x01 ProfMapSrv_RemoteRemapAndMoveUser


--------------------------------------------------------------------------------

wlnotify.dll DLL RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
0x00 SecpGetCurrentUserToken


--------------------------------------------------------------------------------

4.10.27 Winlogon process - Windows Server 2003
Several RPC services run in the Winlogon process and are available on the following endpoints:
sclogonrpc LPC port
InitShutdown named pipe
Z:\>ifids -p ncalrpc -e sclogonrpc serveur
Interfaces: 9
326731e3-c1c0-4a69-ae20-7d9044a4ea5c v1.0
95958c94-a424-4055-b62b-b7f4d5c47770 v1.0
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
00000134-0000-0000-c000-000000000046 v0.0
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0

Z:\>ifids -p ncacn_np -e \pipe\InitShutdown \\.
Interfaces: 9
326731e3-c1c0-4a69-ae20-7d9044a4ea5c v1.0
95958c94-a424-4055-b62b-b7f4d5c47770 v1.0
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
00000134-0000-0000-c000-000000000046 v0.0
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0


userenv.dll DLL RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
326731e3-c1c0-4a69-ae20-7d9044a4ea5c v1.0
0x00 DropClientContext
0x01 LoadUserProfileI
0x02 UnloadUserProfileI
0x03 ReleaseClientContext
0x04 EnterUserProfileLockRemote
0x05 LeaveUserProfileLockRemote


--------------------------------------------------------------------------------

kerberos.dll DLL RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
95958c94-a424-4055-b62b-b7f4d5c47770 v1.0
0x00 RPC_ScHelperInitializeContext
0x01 RPC_ScHelperRelease
0x02 RPC_ScHelperGetCertFromLogonInfo
0x03 RPC_ScHelperGetProvParam
0x04 RPC_ScHelperGenRandBits
0x05 RPC_ScHelperVerifyCardAndCreds
0x06 RPC_ScHelperEncryptCredentials
0x07 RPC_ScHelperSignPkcsMessage
0x08 RPC_ScHelperDecryptMessage
0x09 RPC_ScHelper_CryptAcquireCertificatePrivateKey
0x0a RPC_ScHelper_CryptSetProvParam
0x0b RPC_ScHelper_CryptReleaseContext


--------------------------------------------------------------------------------

4.10.28 Application Management service
The Application Management service runs one RPC service, available on the following endpoint:
appmgmt LPC port
Z:\>ifids -p ncalrpc -e appmgmt serveur
Interfaces: 47

[...]

8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0
0x00 PINSTALLCONTEXT_rundown
0x01 InstallBegin
0x02 InstallManageApp
0x03 InstallUnmanageApp
0x04 InstallEnd
0x05 ARPRemoveApp
0x06 GetManagedApps
0x07 RsopReportInstallFailure
0x08 GetManagedAppCategories


--------------------------------------------------------------------------------

4.11 Implication of multiple RPC services in one process
One important thing to know about the MSRPC implementation is that, inside a given process, every RPC service, whatever protocol sequences it listens on, can be reached through any endpoint opened by that process.

As most Win32 services are implemented in a few processes that each host many Win32 services (lsass.exe, services.exe, svchost.exe), a direct consequence is that all RPC services started by any Win32 service in a given process can be invoked through any endpoint opened in that process.


4.11.1 Win32 services hosting
The services.exe process hosts many services, which can be identified by looking for services.exe in the following registry value of each service service_name:
Key: HKLM\SYSTEM\CurrentControlSet\Services\service_name Value: ImagePath

Three svchost.exe process instances can be found on a Windows 2000 system. Among them, one instance (the netsvcs instance) typically hosts several services. Services hosted in svchost.exe processes appear in the registry:
Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost Values: netsvcs, rpcss, tapisrv

More precisely, on Windows 2000 systems, the following Win32 services run in the following processes:
lsass.exe: kdc, netlogon, NtLmSsp, PolicyAgent, SamSs
services.exe: Alerter, AppMgmt, Browser, Dhcp, dmserver, Dnscache, Eventlog, lanmanserver, lanmanworkstation, LmHosts, Messenger, PlugPlay, ProtectedStorage, seclogon, TrkSvr, TrkWks, W32Time, Wmi
svchost.exe (netsvcs instance): EventSystem, Ias, Iprip, Irmon, Netman, Nwsapagent, Rasauto, Rasman, Remoteaccess, SENS, Sharedaccess, Ntmssvc
svchost.exe (rpcss instance): rpcss
svchost.exe (tapisrv instance): Tapisrv

On Windows XP systems, Win32 services run in the following processes:
lsass.exe: Netlogon, NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
services.exe: Eventlog, PlugPlay
svchost.exe (LocalService instance, running as LocalService): Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
svchost.exe (NetworkService instance, running as NetworkService): DnsCache
svchost.exe (netsvcs instance): 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS, ShellHWDetection, helpsvc, uploadmgr
svchost.exe (rpcss instance): rpcss
svchost.exe (termsvcs instance): TermService
svchost.exe (imgsvc instance): StiSvc

On Windows Server 2003 systems, Win32 services are organized as follows:
lsass.exe: HTTPFilter, kdc, Netlogon, NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
services.exe: Eventlog, PlugPlay
svchost.exe (LocalService instance, running as LocalService): Alerter, WebClient, LmHosts, WinHttpAutoProxySvc
svchost.exe (NetworkService instance, running as NetworkService): 6to4, DHCP, DnsCache
svchost.exe (netsvcs instance): AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, EventSystem, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Sacsvr, Schedule, Seclogon, SENS, Sharedaccess, Themes, TrkWks, TrkSvr, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wuauserv, BITS, ShellHWDetection, helpsvc, uploadmgr, WmdmPmSN
svchost.exe (rpcss instance): rpcss
svchost.exe (regsvc instance): RemoteRegistry
svchost.exe (swprv instance): swprv
svchost.exe (tapisrv instance): Tapisrv
svchost.exe (termsrv instance): TermService
svchost.exe (WinErr instance): ERsvc
svchost.exe (imgsvc instance): StiSvc
To determine which services are hosted by which processes on a running system, the following tools can be used:
the Process Explorer tool [62]
option /s of the tlist utility (part of Windows 2000 support tools)
option /svc of the tasklist utility (available in Windows XP and later)


4.11.2 Example of multiple RPC services in one process
Using ifids with the eventlog named pipe endpoint, opened by the Eventlog service running in the services.exe process, the list of interface identifiers is:
C:\WINNT>ifids -p ncacn_np -e \pipe\eventlog \\.
Interfaces: 13
367abb81-9844-35f1-ad32-98f038001003 v2.0
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
6bffd098-a112-3610-9833-46c3f87e345a v1.0
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

Using another endpoint, for example, the dynamic UDP port opened by the messenger service (also running in the services.exe process), the result is identical:
C:\WINNT>ifids -p ncadg_ip_udp -e 1026 127.0.0.1
Interfaces: 13
367abb81-9844-35f1-ad32-98f038001003 v2.0
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
6bffd098-a112-3610-9833-46c3f87e345a v1.0
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

These results show that all RPC services in the services.exe process can be reached using any opened endpoint on any transport.

Using our knowledge of RPC interface identifiers, we can identify some of the Win32 services currently running in the services.exe process:
C:\WINNT>ifids -p ncadg_ip_udp -e 1026 127.0.0.1
Interfaces: 13
367abb81-9844-35f1-ad32-98f038001003 v2.0 Services Control Manager (SCM)
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0 Security Configuration Editor (SCE)
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0 Eventlog service
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0 DNS Client service (Windows 2000)
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 Plug and Play service
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0 |
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0 |__ Protected Storage service
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0 |
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 Server service
6bffd098-a112-3610-9833-46c3f87e345a v1.0 Workstation service
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0 |__ Messenger service
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 |
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1 Windows Time service

Thus, the following Win32 services are running:
Eventlog
Dnscache
ProtectedStorage
lanmanserver
lanmanworkstation
Messenger
PlugPlay
W32Time
Actually, the complete list of Win32 services running inside the services.exe process is:
C:\WINNT>tlist /s

[...]

256 SERVICES.EXE Svcs: Alerter,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,W32Time

[...]


4.11.3 Implications of running multiple RPC services in one process
The direct consequence of running multiple RPC services in one process is that, if one RPC service is listening on an endpoint like a TCP port or a named pipe, all RPC services can be reached using that particular endpoint.

Thus, even if a RPC service listens only on the ncalrpc protocol (in order to accept only local procedure calls), it can be used remotely as long as another RPC service in the same process listens on a TCP port or a named pipe.

Another consequence is that some Win32 services can be identified anonymously from the network, as shown in the previous section:
Services running in the lsass.exe process can be identified, using the lsarpc, samr or netlogon named pipes as DCE RPC endpoint (these named pipes can always be opened in the context of an SMB NULL session)
Some services in the services.exe process can be identified, using either the dynamic UDP port opened by the messenger service as DCE RPC endpoint or the wkssvc, srvsvc or browser named pipes (they can always be opened in the context of an SMB NULL session).
Identifying Win32 services running in svchost.exe instances can be more difficult, in particular when the RPC services hosted in those processes do not open endpoints that can be used remotely.
Note: this also explains why one RPC interface identifier can appear more than once in the rpcdump output, with different endpoints on different protocol sequences: these correspond to endpoints opened by RPC services in the same process.


4.12 RPC services protection
Developers of RPC services can protect their applications against the problem described in the previous section using two newer APIs, RpcServerRegisterIfEx() and RpcServerRegisterIf2(). These APIs allow a security-callback function to be specified on a per-interface basis.

Typically, a security-callback function verifies that the protocol sequence used by a client is legal. It is thus possible to forbid remote access to RPC services that are supposed to be used only locally, even if the process hosting them also runs RPC services listening on named pipes or on TCP or UDP sockets.

This technique is used at least for some RPC services in Windows Server 2003. For instance, 3 of the LSA RPC services implemented in lsasrv.dll use RpcServerRegisterIfEx() with a security-callback function that verifies the protocol sequence used. This is the case for the dsrole RPC interface, which can only be reached over the ncalrpc protocol sequence, through the dsrole LPC port.

To conclude, even if multiple RPC interface identifiers appear in the output of the ifids command, this no longer means that all RPC services can be reached using any opened endpoint.
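The protocol-sequence check described above, written out as an added example (this is not the article's code nor Microsoft's): the decision logic is portable C so it can be exercised on any system, and the Windows-only part wires it into an RpcServerRegisterIfEx() security callback. The names LocalOnlyCallback and register_local_only, and the interface handle passed to the latter, are assumptions made for this example.

```c
#include <string.h>

/* Extract the protocol sequence from a DCE string binding, whose
 * general form is "[object_uuid@]protseq:network_address[endpoint]".
 * Returns 0 on success (protseq copied into out), -1 if malformed. */
int protseq_from_string_binding(const char *binding, char *out, size_t outlen)
{
    const char *start = binding;
    const char *at = strchr(binding, '@');
    const char *colon;
    size_t n;

    if (at != NULL)
        start = at + 1;                 /* skip the optional object UUID */
    colon = strchr(start, ':');
    if (colon == NULL || colon == start)
        return -1;                      /* no protocol sequence before ':' */
    n = (size_t)(colon - start);
    if (n >= outlen)
        return -1;                      /* would not fit in the caller's buffer */
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Policy enforced by the callback: only local RPC over ncalrpc is
 * accepted, as the article describes for the dsrole interface.
 * A longer allow-list could be substituted here. */
int protseq_is_allowed(const char *protseq)
{
    return strcmp(protseq, "ncalrpc") == 0;
}

/* Decision for a complete string binding: 1 = allow, 0 = deny,
 * -1 = malformed (treated as deny by the callback below). */
int decide_from_binding(const char *binding)
{
    char protseq[32];
    if (protseq_from_string_binding(binding, protseq, sizeof protseq) != 0)
        return -1;
    return protseq_is_allowed(protseq) ? 1 : 0;
}

#ifdef _WIN32
#include <windows.h>
#include <rpc.h>

/* RPC_IF_CALLBACK_FN: the RPC runtime calls this before dispatching a
 * call on the interface; Context is the client's binding handle.
 * Any failure along the way results in the call being refused. */
RPC_STATUS RPC_ENTRY LocalOnlyCallback(RPC_IF_HANDLE iface, void *context)
{
    RPC_BINDING_HANDLE client = (RPC_BINDING_HANDLE)context;
    RPC_CSTR binding = NULL;
    int verdict = -1;
    (void)iface;

    /* Obtain the client's string binding and apply the same decision
     * logic as decide_from_binding(). */
    if (RpcBindingToStringBindingA(client, &binding) == RPC_S_OK) {
        verdict = decide_from_binding((const char *)binding);
        RpcStringFreeA(&binding);
    }
    return verdict == 1 ? RPC_S_OK : RPC_S_ACCESS_DENIED;
}

/* Register an interface with the callback attached. ifspec is the
 * handle from the MIDL-generated server stub (assumed name). Flags 0:
 * the callback alone enforces the ncalrpc-only policy. */
RPC_STATUS register_local_only(RPC_IF_HANDLE ifspec)
{
    return RpcServerRegisterIfEx(ifspec, NULL, NULL, 0,
                                 RPC_C_LISTEN_MAX_CALLS_DEFAULT,
                                 LocalOnlyCallback);
}
#endif
```

Only the part under #ifdef _WIN32 needs the Windows SDK; the decision functions compile and can be tested anywhere.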


4.13 DCOM
4.13.1 COM interfaces
A process that hosts COM objects will typically support interfaces among the following ones:
00000001-0000-0000-c000-000000000046 v0.0 (IUnknown)
00000131-0000-0000-c000-000000000046 v0.0 (IRemUnknown)
00000132-0000-0000-c000-000000000046 v0.0 (ILocalSystemActivator)
00000134-0000-0000-c000-000000000046 v0.0 (IRunDown)
00000143-0000-0000-c000-000000000046 v0.0 (IRemUnknown2)
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0 ??


--------------------------------------------------------------------------------

Interface Operation number Operation name
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0
0x00 UseProtSeq
0x01 GetCustomProtseqInfo
0x02 UpdateResolverBindings


--------------------------------------------------------------------------------

5 Conclusion
Because of the proprietary nature of the Windows operating system, Windows network services internals have been progressively discovered by independent researchers.

In the past, many vulnerabilities have been discovered in the Windows SMB and DCE RPC implementations. Recently, multiple vulnerabilities in the MSRPC implementation have been published.

Thus, Windows systems must be properly protected, using appropriate IP filtering, to mitigate these risks.


References
[1] Implementing CIFS: http://www.ubiqx.org/cifs/
[2] HiverCon 2003 - Corporate Security Conference: http://www.hivercon.com/
[3] Windows Network Data and Packet Filtering: http://www.ndis.com/papers/winpktfilter.htm
[4] NAT Clients Cannot View Web Sites After You Install SQL 2000 SP2 or SP3 on an RRAS Server: http://support.microsoft.com/?kbid=324288
[5] Netstat Does Not Display Listening TCP Ports: http://support.microsoft.com/?kbid=131482
[6] App Request UDP Only, "Netstat -an" Displays TCP and UDP: http://support.microsoft.com/?kbid=194171
[7] The NETSTAT Command Incorrectly Shows Ports in Listening States: http://support.microsoft.com/?kbid=331078
[8] hping: http://www.hping.org/
[9] Netcat 1.1 for Windows: http://www.atstake.com/research/tools/netw...work_utilities/
[10] TDImon: http://wwww.sysinternals.com/ntw2k/freewar...re/tdimon.shtml
[11] HOW TO: Determine Which Program Uses or Blocks Specific Transmission Control Protocol Ports in Windows: http://support.microsoft.com/?kbid=281336
[12] TCPView: http://www.sysinternals.com/ntw2k/source/tcpview.shtml
[13] fport: http://www.foundstone.com/knowledge/prodde...desc/fport.html
[14] NT port binding insecurity: http://www.insecure.org/sploits/NT.port-bi...nerability.html
[15] socat - Multipurpose relay: http://www.dest-unreach.org/socat/
[16] NT needs privileged ports: http://discuss.microsoft.com/SCR ... mp;L=cifs&P=738
[17] Enabling NetBT to Open IP Ports Exclusively: http://support.microsoft.com/?kbid=241041
[18] Applications May Be Able To "Listen" on TCP or UDP Ports: http://support.microsoft.com/?kbid=194431
[19] Using SO_EXCLUSIVEADDRUSE: http://msdn.microsoft.com/library/en-us/wi...siveaddruse.asp
[20] Windows Packet Capture Library: http://winpcap.polito.it/
[21] Atelier Web Ports Traffic Analyzer: http://www.atelierweb.com/pta/index.htm
[22] HOW TO: Install Microsoft Loopback Adapter in Windows 2000: http://support.microsoft.com/?kbid=236869
[23] SMB: The Server Message Block Protocol: http://www.ubiqx.org/cifs/SMB.html
[24] NBT: NetBIOS over TCP/IP: http://www.ubiqx.org/cifs/NetBIOS.html
[25] Samba-TNG: http://www.samba-tng.org/
[26] Direct Hosting of SMB Over TCP/IP (Q204279): http://support.microsoft.com/?kbid=204279
[27] NetBT and raw SMB transport: http://www.hsc.fr/ressources/presentations...003/slide6.html
[28] RPC: Remote Procedure Call Control Specification Version 2: http://www.ietf.org/rfc/rfc1831.txt
[29] DCE 1.1: Remote Procedure Call: http://www.opengroup.org/onlinepubs/9629399/
[30] A brief history of Windows: http://www.advogato.org/article/596.html
[31] DCE 1.1: Remote Procedure Call - Introduction to the RPC API: http://www.opengroup.org/onlinepubs/962939...2.htm#tagfcjh_2
[32] WinObj: http://www.sysinternals.com/ntw2k/freeware...re/winobj.shtml
[33] RPC tools: http://razor.bindview.com/tools/desc/rpcto...1.0-readme.html
[34] PipeList: http://www.sysinternals.com/ntw2k/info/tips.shtml
[35] npfs aliases: http://www.hsc.fr/ressources/presentations...03/slide21.html
[36] ifids: named pipes endpoints: http://www.hsc.fr/ressources/presentations...03/slide24.html
[37] PipeACL tools v1.0: http://razor.bindview.com/tools/desc/pipea...1.0-readme.html
[38] Win32 Pipe Security Editor Windows NT/2000/XP: http://www.beyondlogic.org/consulting/pipe...sec/pipesec.htm
[39] Windows 2000, Null Sessions and MSRPC: http://razor.bindview.com/publish/presenta...s/nullsess.html
[40] UserInfo and UserDump tools: http://www.hammerofgod.com/HaxorCons.htm
[41] ACL tools v1.0: http://razor.bindview.com/tools/desc/aclto...1.0-readme.html
[42] Private objects security auditing (LogAnalysis mailing list): http://sisyphus.iocaine.com/pipermail/loga...uly/002104.html
[43] The Ethereal Network Analyzer: http://www.ethereal.com/
[44] Ethereal CVS repository: http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/
[45] Windows Workstation Service Remote Buffer Overflow: http://www.eeye.com/html/Research/Advisori...AD20031111.html
[46] Minimizing Windows network services: http://www.hsc.fr/ressources/breves/min_sr...res_win.en.html
[47] dcedump (part of the SPIKE toolkit): http://www.immunitysec.com/spike.html
[48] Endpoint Mapper Interface Definition: http://www.opengroup.org/onlinepubs/009629...o.htm#tagcjh_35
[49] Distributed Component Object Model Protocol -- DCOM/1.0: http://www.globecom.net/ietf/draft/draft-b...v1-spec-03.html
[50] Microsoft Debugging Tools: http://www.microsoft.com/whdc/ddk/debuggin...ng/default.mspx
[51] Understanding the DCOM Wire Protocol by Analyzing Network Data Packets: http://www.microsoft.com/msj/0398/dcom.aspx
[52] Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability: http://www.securiteam.com/exploits/5CP0N0KAKK.html
[53] Locator Service Buffer Overflow Vulnerability: http://www.nextgenss.com/advisories/ms-rpc-loc.txt
[54] Unchecked Buffer in Locator Service Could Lead to Code Execution (810833): http://www.microsoft.com/technet/security/...in/MS03-001.asp
[55] Windows PopUP SPAM: http://www.mynetwatchman.com/kb/security/a...cles/popupspam/
[56] LSD: http://www.lsd-pl.net/
[57] Buffer Overrun in Messenger Service Could Allow Code Execution (828035): http://www.microsoft.com/technet/security/...in/MS03-043.asp
[58] drsuapi MSRPC interface Ethereal dissector: http://www.ethereal.com/cgi-bin/viewcvs.cg...cerpc-drsuapi.c
[59] XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls: http://support.microsoft.com/?kbid=280132
[60] RPC Interfaces That Are Exposed by Secure Mail Publishing in ISA Server 2000: http://support.microsoft.com/?kbid=304948
[61] How MAPI Clients Access Active Directory: http://support.microsoft.com/?kbid=256976
[62] Process Explorer: http://www.sysinternals.com/ntw2k/freeware...re/procexp.html
[63] services.exe RPC services: http://www.hsc.fr/ressources/presentations...03/slide26.html
[64] DCE/RPC over SMB: Samba and Windows NT Domain Internals. Luke Kenneth Casson Leighton. Macmillan Technical Publishing, 2000.

