Windows network services internals 3

 http://forum.eviloctal.com/thread-2724-1-40.html

4.9 Windows services running RPC services over TCP/IP
4.9.1 Messenger service
The messenger service runs two RPC services, available on two endpoints:
msgsvc named pipe
a dynamic UDP port
Y:>ifids -p ncacn_np -e pipemsgsvc /.
Interfaces: 42

[...]

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0

Y:>ifids -p ncadg_ip_udp -e 4870 127.0.0.1
Interfaces: 42

[...]

17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0


The UDP transport of these services has been recently exploited to massively send popup windows containing advertisement messages [55].

The two RPC services run by the messenger service have the following interfaces identifiers:
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0: msgsvc
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0: msgsvcsend

The msgsvc RPC service supports 4 operations that manipulate NetBIOS names on a local or remote system:

--------------------------------------------------------------------------------

Interface Operation number Operation name
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0: msgsvc
0x00 NetrMessageNameAdd
0x01 NetrMessageNameEnum
0x02 NetrMessageNameGetInfo
0x03 NetrMessageNameDel


--------------------------------------------------------------------------------

The msgsvcsend RPC service supports one operation, to send a message to a registered NetBIOS name using MSRPC:

--------------------------------------------------------------------------------

Interface Operation number Operation name
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0: msgsvcsend
0x00 NetrSendMessage


--------------------------------------------------------------------------------

The msgsvcsend interface has been used to send advertisement messages, using the NetrSendMessage operation.

A vulnerability affecting the msgsvcsend interface was recently published by the LSD research group [56]. The MS03-043 ([57]) Microsoft security bulletin contains a patch that completely removes support for the msgsvcsend interface of the Messenger service (both server-side function in msgsvc.dll and client-side function in wkssvc.dll are removed in patched versions of these two DLL).

Note: if the messenger service receives a message using the UDP port, a new (dynamic) UDP port is opened by the process hosting the messenger service (services.exe). This UDP port is used to send a conv_who_are_you request, which is necessary when the original request containing the message was sent to UDP port 135 instead of the dynamic UDP port opened by the RPC service.


4.9.2 Scheduler service
The scheduler service runs RPC services allowing remote configuration of scheduled tasks. These RPC services are available on two endpoints:
atsvc named pipe
A dynamic TCP port
Before Windows XP the Scheduler service was implemented in a single process, mstask.exe. Starting with Windows XP, the Scheduler service runs in a svchost.exe instance process (schedsvc.dll) and runs an additional RPC service (the third one in the list below).

The interfaces identifiers of these RPC services are:
X:>ifids -p ncacn_np -e pipeatsvc /.
Interfaces: 51

[...]

1ff70682-0a51-30e8-076d-740be8cee98b v1.0
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0

X:>ifids -p ncacn_ip_tcp -e 3136 127.0.0.1
Interfaces: 51

[...]

1ff70682-0a51-30e8-076d-740be8cee98b v1.0
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0

X:>



--------------------------------------------------------------------------------

Interface Operation number Operation name
1ff70682-0a51-30e8-076d-740be8cee98b v1.0: atsvc
0x00 NetrJobAdd
0x01 NetrJobDel
0x02 NetrJobEnum
0x03 NetrJobGetInfo


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
378e52b0-c0a9-11cf-822d-00aa0051e40f v1.0: sasec
0x00 SASetAccountInformation
0x01 SASetNSAccountInformation
0x02 SAGetNSAccountInformation
0x03 SAGetAccountInformation


--------------------------------------------------------------------------------

The following RPC service has been added in Windows XP:

--------------------------------------------------------------------------------

Interface Operation number Operation name
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53 v1.0
0x00 ItSrvRegisterIdleTask
0x01 ItSrvUnregisterIdleTask
0x02 ItSrvProcessIdleTasks
0x03 ItSrvSetDetectionParameters


--------------------------------------------------------------------------------

4.9.3 WINS service
The WINS service (wins.exe process) runs two RPC services, available on two endpoints:
A dynamic TCP port
WinsPipe named pipe
The two RPC services identifiers are:
45f52c28-7f9f-101a-b52b-08002b2efabe v1.0
811109bf-a4e1-11d1-ab54-00a0c91e9b45 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
45f52c28-7f9f-101a-b52b-08002b2efabe v1.0
0x00 R_WinsRecordAction
0x01 R_WinsStatus
0x02 R_WinsTrigger
0x03 R_WinsDoStaticInit
0x04 R_WinsDoScavenging
0x05 R_WinsGetDbRecs
0x06 R_WinsTerm
0x07 R_WinsBackup
0x08 R_WinsDelDbRecs
0x09 R_WinsPullRange
0x0a R_WinsSetPriorityClass
0x0b R_WinsResetCounters
0x0c R_WinsWorkerThdUpd
0x0d R_WinsGetNameAndAdd
0x0e R_WinsGetBrowserNames_Old
0x0f R_WinsDeleteWins
0x10 R_WinsSetFlags
0x11 R_WinsGetDbRecsByName
0x12 R_WinsStatusWHdl
0x13 R_WinsDoScavengingNew


--------------------------------------------------------------------------------

The WINS service also opens a dynamic UDP port, which does not seem to be used by a RPC service.


4.9.4 IIS 5 services
In Windows 2000, IIS (Internet Information Server) 5 services (HTTP, SMTP, FTP, NNTP) run in a single process, inetinfo.exe.

The inetinfo.exe (IIS 5) process runs RPC services on the following endpoints:
INETINFO_LPC LPC port
INETINFO named pipe
one dynamic TCP port and one dynamic UDP port
The following RPC service is registered by the IISAdmin service (infocomm.dll):
82ad4280-036b-11cf-972c-00aa006887b0 v2.0: inetinfo


--------------------------------------------------------------------------------

Interface Operation number Operation name
82ad4280-036b-11cf-972c-00aa006887b0 v2.0: inetinfo
0x00 _R_InetInfoGetVersion
0x01 _R_InetInfoGetAdminInformation
0x02 _R_InetInfoGetSites
0x03 _R_InetInfoSetAdminInformation
0x04 _R_InetInfoGetGlobalAdminInformation
0x05 _R_InetInfoSetGlobalAdminInformation
0x06 _R_InetInfoQueryStatistics
0x07 _R_InetInfoClearStatistics
0x08 _R_InetInfoFlushMemoryCache
0x09 _R_InetInfoGetServerCapabilities
0x0a _R_W3QueryStatistics2
0x0b _R_W3ClearStatistics2
0x0c _R_FtpQueryStatistics2
0x0d _R_FtpClearStatistics2
0x10 _R_IISEnumerateUsers
0x11 _R_IISDisconnectUser
0x12 _R_InitW3CounterStructure
0x13 _R_CollectW3PerfData


--------------------------------------------------------------------------------

The SMTP service (smtpsvc.dll) runs the following RPC service:
8cfb5d70-31a4-11cf-a7d8-00805f48a135 v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
8cfb5d70-31a4-11cf-a7d8-00805f48a135 v3.0
0x00 SmtprGetAdminInformation
0x01 SmtprSetAdminInformation
0x02 SmtprQueryStatistics
0x03 SmtprClearStatistics
0x04 SmtprGetConnectedUserList
0x05 SmtprDisconnectUser
0x06 SmtprCreateUser
0x07 SmtprDeleteUser
0x08 SmtprGetUserProps
0x09 SmtprSetUserProps
0x0a SmtprCreateDistList
0x0b SmtprDeleteDistList
0x0c SmtprCreateDistListMember
0x0d SmtprDeleteDistListMember
0x0e SmtprGetNameList
0x0f SmtprGetNameListFromList
0x10 SmtprGetVRootSize
0x11 SmtprBackupRoutingTable


--------------------------------------------------------------------------------

The NNTP service (nntpsvc.dll) runs the following RPC service:
4f82f460-0e21-11cf-909e-00805f48a135 v4.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
4f82f460-0e21-11cf-909e-00805f48a135 v4.0
0x00 NntprQueryStatistic
0x01 NntprClearStatistics
0x02 NntprEnumerateFeeds
0x03 NntprGetFeedInformation
0x04 NntprSetFeedInformation
0x05 NntprAddFeed
0x06 NntprDeleteFeed
0x07 NntprEnableFeed
0x08 NntprEnumerateSessions
0x09 NntprTerminateSession
0x0a NntprEnumerateExpires
0x0b NntprAddExpire
0x0c NntprDeleteExpire
0x0d NntprGetExpireInformation
0x0e NntprSetExpireInformation
0x0f NntprGetNewsgroup
0x10 NntprSetNewsgroup
0x11 NntprCreateNewsgroup
0x12 NntprDeleteNewsgroup
0x13 NntprFindNewsgroup
0x14 NntprGetAdminInformation
0x15 NntprSetAdminInformation
0x16 NntprStartRebuild
0x17 NntprGetBuildStatus
0x18 NntprCancelMessageID
0x19 NntprGetVRootWin32Error


--------------------------------------------------------------------------------

The IMAP4 service (imap4svc.dll), installed by Exchange, runs the following RPC service:
2465e9e0-a873-11d0-930b-00a0c90ab17c v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
2465e9e0-a873-11d0-930b-00a0c90ab17c v3.0
0x00 ImaprQueryStatistics
0x01 ImaprClearStatistics
0x02 ImaprGetConnectedUserList
0x03 ImaprDisconnectUser


--------------------------------------------------------------------------------

The POP3 service (pop3svc.dll), installed by Exchange, runs the following RPC service:
1be617c0-31a5-11cf-a7d8-00805f48a135 v3.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
1be617c0-31a5-11cf-a7d8-00805f48a135 v3.0
0x00 Pop3rQueryStatistics
0x01 Pop3rClearStatistics
0x02 Pop3rGetConnectedUserList
0x03 Pop3rDisconnectUser


--------------------------------------------------------------------------------

The following interface identifiers correspond to the GUID of the COM components activated to handle IIS management :
70b51430-b6ca-11d0-b9b9-00a0c922e750 v0.0: IMSAdminBaseW
a9e69612-b80d-11d0-b9b9-00a0c922e750 v0.0



4.9.5 Message Queuing and Distributed Transaction Coordinator services
This service runs RPC services, listening on the ncacn_ip_tcp transport. On a Windows 2000 Server system, 4 TCP ports were opened by the mqsvc.exe process.

The mqqm.dll (Windows NT MQ Queue Manager) DLL, loaded in the mqsvc.exe process, contains the following RPC services:
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
fdb3a030-065f-11d1-bb9b-00a024ea5525 v1.0
0x00 QMOpenQueue
0x01 QMGetRemoteQueueName
0x02 QMOpenRemoteQueue
0x03 QMCloseRemoteQueueContext
0x04 QMCreateRemoteCursor
0x05 QMSendMessageInternal
0x06 QMCreateObjectInternal
0x07 QMSetObjectSecurityInternal
0x08 QMGetObjectSecurityInternal
0x09 QMDeleteObject
0x0a QMGetObjectProperties
0x0b QMSetObjectProperties
0x0c QMObjectPathToObjectFormat
0x0d QMAttachProcess
0x0e QMGetTmWhereabouts
0x0f QMEnlistTransation
0x10 QMEnlistInternalTransaction
0x11 QMCommitTransaction
0x12 QMAbortTransaction
0x13 QMOpenQueueInternal
0x14 ACCloseHandle
0x15 ACCreateCursor
0x16 ACCloseCursor
0x17 ACSetCursorProperties
0x18 ACSendMessage
0x19 ACReceiveMessage
0x1a ACHandleToFormatName
0x1b ACPurgeQueue
0x1c QMQueryQMRegistryInternal
0x1d QMListInternalQueues
0x1e QMCorrectOutSequence
0x1f QMGetRemoteQMServerPort
0x20 QMGetMsmqServiceName
0x21 QMCreateDSObjectInternal


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
76d12b80-3467-11d3-91ff-0090272f9ea3 v1.0
0x00 QMSendMessageInternalEx
0x01 ACSendMessageEx
0x02 ACReceiveMessageEx
0x03 ACCreateCursorEx


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
1088a980-eae5-11d0-8d9b-00a02453c337 v1.0
0x00 RemoteQMStartReceive
0x01 RemoteQMEndReceive
0x02 RemoteQMOpenQueue
0x03 RemoteQMCloseQueue
0x04 RemoteQMCloseCursor
0x05 RemoteQMCancelReceive
0x06 RemoteQMPurgeQueue
0x07 RemoteQMGetQMQMServerPort
0x08 RemoteQmGetVersion
0x09 RemoteQMStartReceive2
0x0a RemoteQMStartReceiveByLookupId


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
5b5b3580-b0e0-11d1-b92d-0060081e87f0 v1.0
0x00 QMSendReplMsg


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
41208ee0-e970-11d1-9b9e-00e02c064c39 v1.0
0x00 QMMgmtGetInfo
0x01 QMMgmtAction


--------------------------------------------------------------------------------

The msdtcprx.dll (MS DTC OLE Transactions interface proxy) DLL, also loaded in the mqsvc.exe process, also contains one RPC service:
906b0ce0-c70b-1067-b317-00dd010662da v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
906b0ce0-c70b-1067-b317-00dd010662da v1.0
0x00 Poke
0x01 BuildContext
0x02 NegotiateResources
0x03 SendReceive
0x04 TearDownContext
0x05 BeginTearDown
0x06 PokeW
0x07 BuildContextW


--------------------------------------------------------------------------------

This RPC service also runs in the Distributed Transaction Coordinator service process (msdtc.exe), which opens a dynamic port, as well as TCP port 3372 (at least on Windows 2000)


4.9.6 Active Directory related RPC services
The first important RPC service of Active Directory is the drsuapi interface, identified as follows:
Active Directory replication interface: e3514235-4b06-11d1-ab04-00c04fc2dcd2 v4.0

It supports the following operations:

--------------------------------------------------------------------------------

Interface Operation number Operation name
e3514235-4b06-11d1-ab04-00c04fc2dcd2 v4.0: drsuapi
0x00 DRSBind
0x01 DRSUnbind
0x02 DRSReplicaSync
0x03 DRSGetNCChanges
0x04 DRSUpdateRefs
0x05 DRSReplicaAdd
0x06 DRSReplicaDel
0x07 DRSReplicaModify
0x08 DRSVerifyNames
0x09 DRSGetMemberships
0x0a DRSInterDomainMove
0x0b DRSGetNT4ChangeLog
0x0c DRSCrackNames
0x0d DRSWriteSPN
0x0e DRSRemoveDsServer
0x0f DRSRemoveDsDomain
0x10 DRSDomainControllerInfo
0x11 DRSAddEntry
0x12 DRSExecuteKCC
0x13 DRSGetReplInfo
0x14 DRSAddSidHistory
0x15 DRSGetMemberships2
0x16 DRSReplicaVerifyObjects
0x17 DRSGetObjectExistence
0x18 DRSQuerySitesByCost


--------------------------------------------------------------------------------

Ethereal has a dissector for this interface [58] but currently, it only displays the operation names, as all these operations are encrypted.

The dssetup RPC interface, which contain only one operation, is used in Active Directory domains:

--------------------------------------------------------------------------------

Interface Operation number Operation name
3919286a-b10c-11d0-9ba8-00c04fd92ef5 v0.0: dssetup
0x00 DsRolerGetPrimaryDomainInformation


--------------------------------------------------------------------------------

The following RPC interfaces are supported on a Windows 2000 domain controller to handle backup and restore of Active Directory:
Active Directory backup interface: ecec0d70-a603-11d0-96b1-00a0c91ece30 v1.0
Active Directory restore interface: 16e0cf3a-a604-11d0-96b1-00a0c91ece30 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
ecec0d70-a603-11d0-96b1-00a0c91ece30 v1.0
0x00 HrRBackupPrepare
0x01 HrRBackupEnd
0x02 HrRBackupGetAttachmentInformation
0x03 HrRBackupOpenFile
0x04 HrRBackupRead
0x05 HrRBackupClose
0x06 HrRBackupGetBackupLogs
0x07 HrRBackupTruncateLogs
0x08 HrRBackupPing


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
16e0cf3a-a604-11d0-96b1-00a0c91ece30 v1.0
0x00 HrRIsNTDSOnline
0x01 HrRRestorePrepare
0x02 HrRRestoreRegister
0x03 HrRRestoreRegisterComplete
0x04 HrRRestoreGetDatabaseLocations
0x05 HrRRestoreEnd
0x06 HrRRestoreSetCurrentLogNumber
0x07 HrRRestoreCheckLogsForBackup


--------------------------------------------------------------------------------

By default, these RPC services are registered in the endpoint mapper database on a dynamic TCP port. However, it is possible to set a registry value to configure these services to listen on a fixed port [59]. Once this value is configured, the portmapper service will always return this fixed port when asked for one of these interfaces.

Windows Server 2003 supports the dsrole interface, available on the following endpoint:
dsrole LPC port
Y:>ifids -p ncalrpc -e dsrole serveur
Interfaces: 18

[...]

1cbcad78-df0b-4934-b558-87839ea501c9 v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
1cbcad78-df0b-4934-b558-87839ea501c9 v0.0: dsrole
0x00 DsRolerDnsNameToFlatName
0x01 DsRolerDcAsDc
0x02 DsRolerDcAsReplica
0x03 DsRolerDemoteDc
0x04 DsRolerGetDcOperationProgress
0x05 DsRolerGetDcOperationResults
0x06 DsRolerCancel
0x07 DsRolerIfmHandleFree
0x08 DsRolerServerSaveStateForUpgrade
0x09 DsRolerUpgradeDownlevelServer
0x0a DsRolerAbortDownlevelServerUpgrade
0x0b DsRolerGetDatabaseFacts


--------------------------------------------------------------------------------

This interface can only be used locally (it is registered using the RpcServerRegisterIfEx() API, specifying a security-callback function that verifies that the protocol sequence used is ncalrpc and that the LPC port is the dsrole LPC port).

There is another interface in the ntdsa.dll DLL, which contains only two operations:

--------------------------------------------------------------------------------

Interface Operation number Operation name
7c44d7d4-31d5-424c-bd5e-2b3e1f323d22 v1.0 0x00 DSAPrepareScript
0x01 DSAExecuteScript


--------------------------------------------------------------------------------

4.9.7 File Replication service
The File Replication Service (ntfrs.exe process) runs 3 RPC services on one TCP port:
f5cc59b4-4264-101a-8c59-08002b2f8426 v1.1
d049b186-814f-11d1-9a3c-00c04fc9b232 v1.1
a00c021c-2be2-11d2-b678-0000f87a8f8e v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
f5cc59b4-4264-101a-8c59-08002b2f8426 v1.1
0x00 FrsRpcSendCommPkt
0x02 FrsRpcStartPromotionParent
0x0x FrsRpcInitialize
0x0x FrsRpcCheckAuthIfEnabled
0x0x FrsRpcSecurityCallback
0x0x FrsRpcInitializeAccessChecks
0x0x FrsRpcBindToServerNotService
0x0x FrsRpcUnBindFromServer
0x0x FrsRpcBindToServerGuid
0x0x FrsRpcUnInitialize
0x0x FrsRpcAccessChecks
0x0x FrsRpcSecurityCallbackForPerfmonAPIs
0x0x FrsRpcBindToServer
0x0x FrsRpcCheckAuthIfEnabledForCommitDemotion


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
d049b186-814f-11d1-9a3c-00c04fc9b232 v1.1
0x00 StartDemotion
0x03 CommitDemotion
0x04 Set_DsPollingIntervalW
0x05 Get_DsPollingIntervalW
0x07 InfoW
0x08 IsPathReplicated
0x09 WriterCommand


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
a00c021c-2be2-11d2-b678-0000f87a8f8e v1.0
0x00 GetIndicesOfInterfacesFromServer
0x01 GetCounterDataOfInstancesFromServer


--------------------------------------------------------------------------------

4.9.8 Inter-site Messaging service
The Inter-site Messaging service (ismserv.exe process) runs one RPC service, available on the following endpoints:
ISMSERV_LPC LPC port
Y:>ifids -p ncalrpc -e ISMSERV_LPC serveur
Interfaces: 1
68dcd486-669e-11d1-ab0c-00c04fc2dcd2 v2.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
68dcd486-669e-11d1-ab0c-00c04fc2dcd2 v1.0
0x00 ISMSend
0x01 ISMReceive
0x02 ISMGetConnectivity
0x03 ISMGetTransportServers
0x04 ISMGetConnectionSchedule
0x05 ISMQuerySitesByCost


--------------------------------------------------------------------------------

The following RPC service runs in the ismip.dll DLL, loaded in the ismserv.exe process context:
Active Directory ISM IP Transport: 130ceefb-e466-11d1-b78b-00c04fa32883 v2.1

This interface contains only one operation:

--------------------------------------------------------------------------------

Interface Operation number Operation name
130ceefb-e466-11d1-b78b-00c04fa32883 v2.1
0x00 ISMXXX


--------------------------------------------------------------------------------

4.9.9 Windows DNS server
Windows DNS server (dns.exe process) runs one RPC service, listening on the following endpoints:
DNSSERVERLPC LPC port
dnsserver named pipe
a dynamic TCP port
Y:>ifids -p ncalrpc -e DNSSERVERLPC serveur
Interfaces: 1
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0

Y:>ifids -p ncacn_np -e pipednsserver /.
Interfaces: 1
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0

Y:>ifids -p ncacn_ip_tcp -e 3009 127.0.0.1
Interfaces: 1
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
50abc2a4-574d-40b3-9d66-ee4fd5fba076 v5.0
0x00 DnssrvOperation
0x01 DnssrvQuery
0x02 DnssrvComplexOperation
0x03 DnssrvEnumRecords
0x04 DnssrvUpdateRecord
0x05 DnssrvOperation2
0x06 DnssrvQuery2
0x07 DnssrvComplexOperation2
0x08 DnssrvEnumRecords2
0x09 DnssrvUpdateRecord2


--------------------------------------------------------------------------------

4.9.10 Exchange RPC services
The MAPI interface (also known as Exchange Server Store EMSMDB Interface) is identified as follows:
a4f1db00-ca47-1067-b31f-00dd010662da v0.81


--------------------------------------------------------------------------------

Interface Operation number Operation name
a4f1db00-ca47-1067-b31f-00dd010662da v0.81
0x00 EcDoConnect
0x01 EcDoDisconnect
0x02 EcDoRpc
0x03 EcGetMoreRpc
0x04 EcRRegisterPushNotification
0x05 EcRUnregisterPushNotification
0x06 EcDummyRpc
0x07 EcRGetDCName
0x08 EcRNetGetDCName
0x09 EcDoRpcExt


--------------------------------------------------------------------------------

[60] lists identifiers of Exchange RPC interfaces exposed when the Secure Mail Publishing feature of ISA Server 2000 is used.

The following interface identifiers are registered in the endpoint mapper database of an Exchange 2000 server:

Annotation=Exchange Server STORE ADMIN Interface
uuid=99e64010-b032-11d0-97a4-00c04fd6551d , version=3

annotation=Exchange Server STORE ADMIN Interface
uuid=89742ace-a9ed-11cf-9c0c-08002be7ae86 , version=2

annotation=Exchange Server STORE ADMIN Interface
uuid=a4f1db00-ca47-1067-b31e-00dd010662da , version=1

annotation=Exchange Server STORE EMSMDB Interface
uuid=a4f1db00-ca47-1067-b31f-00dd010662da , version=0

annotation=MS Exchange MTA 'Mta' Interface
uuid=9e8ee830-4459-11ce-979b-00aa005ffebe , version=2

annotation=MS Exchange Directory NSPI Proxy
uuid=f5cc5a18-4264-101a-8c59-08002b2f8426 , version=56

annotation=MS Exchange MTA 'QAdmin' Interface
uuid=38a94e72-a9bc-11d2-8faf-00c04fa378ff , version=1

annotation=Microsoft Information Store
uuid=0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde , version=1

annotation=Microsoft Information Store
uuid=1453c42c-0fa6-11d2-a910-00c04f990f3b , version=1

annotation=Microsoft Information Store
uuid=10f24e8e-0fa6-11d2-a910-00c04f990f3b , version=1

annotation=MS Exchange Directory RFR Interface
uuid=1544f5e0-613c-11d1-93df-00c04fd7bd09 , version=1

annotation=MS Exchange System Attendant Cluster Interface
uuid=f930c514-1215-11d3-99a5-00a0c9b61b04 , version=1

annotation=MS Exchange System Attendant Private Interface
uuid=83d72bf0-0d89-11ce-b13f-00aa003bac6c , version=6

annotation=MS Exchange System Attendant Public Interface
uuid=469d6ec0-0d87-11ce-b13f-00aa003bac6c , version=16



--------------------------------------------------------------------------------

Interface Operation number Operation name
1544f5e0-613c-11d1-93df-00c04fd7bd09 v1.0
0x00 RfrGetNewDSA
0x01 RfrGetFQDNFromLegacyDN


--------------------------------------------------------------------------------

4.9.11 Exchange RPC services in an Active Directory domain
Active Directory domain controllers that have the Global Catalog server roles register the following RPC services, which are used by MAPI clients to access the Directory Service that was previously integrated in Exchange before Exchange 2000:
Active Directory Extended Directory Service (XDS): f5cc5a7c-4264-101a-8c59-08002b2f8426 v21.0
Active Directory Name Service Provider (NSP) interface: f5cc5a18-4264-101a-8c59-08002b2f8426 v56.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
f5cc5a7c-4264-101a-8c59-08002b2f8426 v21.0: rxds
0x00 ds_abandon
0x01 ds_add_entry
0x02 ds_bind
0x03 ds_compare
0x04 ds_list
0x05 ds_modify_entry
0x06 ds_modify_rdn
0x07 ds_read
0x08 ds_receive_result
0x09 ds_remove_entry
0x0a ds_search
0x0b ds_unbind
0x0c ds_wait
0x0d dra_replica_add
0x0e dra_replica_delete
0x0f dra_replica_synchronize
0x10 dra_reference_update
0x11 dra_authorize_replica
0x12 dra_unauthorize_replica
0x13 dra_adopt
0x14 dra_set_status
0x15 dra_modify_entry
0x16 dra_delete_subref


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
f5cc5a18-4264-101a-8c59-08002b2f8426 v56.0: nspi
0x00 NspiBind
0x01 NspiUnbind
0x02 NspiUpdateStat
0x03 NspiQueryRows
0x04 NspiSeekEntries
0x05 NspiGetMatches
0x06 NspiResortRestriction
0x07 NspiDNToEph
0x08 NspiGetPropList
0x09 NspiGetProps
0x0a NspiCompareDNTs
0x0b NspiModProps
0x0c NspiGetHierarchyInfo
0x0d NspiGetTemplateInfo
0x0e NspiModLinkAtt
0x0f NspiDeleteEntries
0x10 NspiQueryColumns
0x11 NspiGetNamesFromIDs
0x12 NspiGetIDsFromNames
0x13 NspiResolveNames
0x14 NspiResolveNamesW


--------------------------------------------------------------------------------

NSPI operations offered by an Global Catalog Active Directory domain controller are either called directly (Outlook 2000 and later MAPI clients) or through a proxy run by the Exchange server, as described in [61].

An Exchange server integrated in an Active Directory domain registers the NSPI interface, to proxy NSPI requests to Global Catalog Active Directory domain controllers:
annotation=MS Exchange Directory NSPI Proxy
uuid=f5cc5a18-4264-101a-8c59-08002b2f8426 , version=56
ncacn_ip_tcp:172.16.1.238[1112]

annotation=MS Exchange Directory NSPI Proxy
uuid=f5cc5a18-4264-101a-8c59-08002b2f8426 , version=56
ncacn_http:172.16.1.238[1113]

The rxds interface is also registered on an Exchange 2000 server but is not registered in the endpoint mapper:
f5cc5a7c-4264-101a-8c59-08002b2f8426 v21.0

4.10 Other RPC services
4.10.1 Plug and Play service
The Plug and Play service runs one RPC service, pnp:
Z:>ifids -p ncalrpc -e ntsvcs serveur
Interfaces: 7

[...]

8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0: pnp
0x00 PNP_Disconnect
0x01 PNP_Connect
0x02 PNP_GetVersion
0x03 PNP_GetGlobalState
0x04 PNP_InitDetection
0x05 PNP_ReportLogOn
0x06 PNP_ValidateDeviceInstance
0x07 PNP_GetRootDeviceInstance
0x08 PNP_GetRelatedDeviceInstance
0x09 PNP_EnumerateSubKeys
0x0a PNP_GetDeviceList
0x0b PNP_GetDeviceListSize
0x0c PNP_GetDepth
0x0d PNP_GetDeviceRegProp
0x0e PNP_SetDeviceRegProp
0x0f PNP_GetClassInstance
0x10 PNP_CreateKey
0x11 PNP_DeleteRegistryKey
0x12 PNP_GetClassCount
0x13 PNP_GetClassName
0x14 PNP_DeleteClassKey
0x15 PNP_GetInterfaceDeviceAlias
0x16 PNP_GetInterfaceDeviceList
0x17 PNP_GetInterfaceDeviceListSize
0x18 PNP_RegisterDeviceClassAssociation
0x19 PNP_UnregisterDeviceClassAssociation
0x1a PNP_GetClassRegProp
0x1b PNP_SetClassRegProp
0x1c PNP_CreateDevInst
0x1d PNP_DeviceInstanceAction
0x1e PNP_GetDeviceStatus
0x1f PNP_SetDeviceProblem
0x20 PNP_DisableDevInst
0x21 PNP_UninstallDevInst
0x22 PNP_AddID
0x23 PNP_RegisterDriver
0x24 PNP_QueryRemove
0x25 PNP_RequestDeviceEject
0x26 PNP_IsDockStationPresent
0x27 PNP_RequestEjectPC
0x28 PNP_HwProfFlags
0x29 PNP_GetHwProfInfo
0x2a PNP_AddEmptyLogConf
0x2b PNP_FreeLogConf
0x2c PNP_GetFirstLogConf
0x2d PNP_GetNextLogConf
0x2e PNP_GetLogConfPriority
0x2f PNP_AddResDes
0x30 PNP_FreeResDes
0x31 PNP_GetNextResDes
0x32 PNP_GetResDesData
0x33 PNP_GetResDesDataSize
0x34 PNP_ModifyResDes
0x35 PNP_DetectResourceConflict
0x36 PNP_QueryResConfList
0x37 PNP_SetHwProf
0x38 PNP_QueryArbitratorFreeData
0x39 PNP_QueryArbitratorFreeSize
0x3a PNP_RunDetection
0x3b PNP_RegisterNotification
0x3c PNP_UnregisterNotification
0x3d PNP_GetCustomDevProp
0x3e PNP_GetVersionInternal
0x3f PNP_GetBlockedDriverInfo
0x40 PNP_GetServerSideDeviceInstallFlags


--------------------------------------------------------------------------------

4.10.2 RPC locator service
The RPC locator service runs one RPC service, available on the following endpoint:
locator named pipe
Y:>ifids -p ncacn_np -e pipelocator /.
Interfaces: 3
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0
d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3 v1.0
0x00 nsi_binding_export
0x01 nsi_binding_unexport


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
d3fbb514-0e3b-11cb-8fad-08002b1d29c3 v1.0
0x00 nsi_binding_lookup_begin
0x01 nsi_binding_lookup_done
0x02 nsi_binding_lookup_next
0x03 nsi_mgmt_handle_set_exp_age


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4 v1.0
0x00 nsi_group_delete
0x01 nsi_group_mbr_add
0x02 nsi_group_mbr_remove
0x03 nsi_group_mbr_inq_begin
0x04 nsi_group_mbr_inq_next
0x05 nsi_group_mbr_inq_done
0x06 nsi_profile_delete
0x07 nsi_profile_elt_add
0x08 nsi_profile_elt_remove
0x09 nsi_profile_elt_inq_begin
0x0a nsi_profile_elt_inq_next
0x0b nsi_profile_elt_inq_done
0x0c nsi_entry_object_inq_begin
0x0d nsi_entry_object_inq_next
0x0e nsi_entry_object_inq_done
0x0f nsi_entry_expand_name
0x10 nsi_mgmt_binding_unexport
0x11 nsi_mgmt_entry_delete
0x12 nsi_mgmt_entry_create
0x13 nsi_mgmt_entry_inq_if_ids
0x14 nsi_mgmt_inq_exp_age
0x15 nsi_mgmt_inq_set_age


--------------------------------------------------------------------------------

A vulnerability in the locator service was published by David Litchfield in January 2003 [53]. It was fixed by the MS03-001 Microsoft security patch [54].

As the locator named pipe is one of the named pipe that can be accessed in the context of a NULL session, this vulnerability can be exploited remotely without any authentication.


4.10.3 DNS Client service - Windows 2000
0n Windows 2000, the DNS Client service (caching DNS resolver) runs one RPC service.

--------------------------------------------------------------------------------

Interface Operation number Operation name
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
0x00 CRrFlushCache
0x01 CRrFlushCacheEntry
0x02 CRrFlushCacheEntryForType
0x03 CRrTrimCache
0x04 CRrReadCache
0x05 CRrReadCacheEntry
0x06 CRrQuery
0x07 CRrGetAdapterInfo
0x08 CRrGetSearchList
0x09 CRrGetPrimaryDomainName
0x0a CRrGetIpAddressList
0x0b CRrGetHashTableStats
0x0c CRrRegisterParamChange
0x0d CRrDeregisterParamChange
0x0e CRrUpdateTest
0x0f CRrCacheRecordSet


--------------------------------------------------------------------------------

4.10.4 DNS Client service - Windows XP and Windows Server 2003
Starting with Windows XP, the DNS Client service runs one RPC service, available on the following endpoint:
DNSResolver LPC port
Y:>ifids -p ncalrpc -e DNSResolver serveur
Interfaces: 1
45776b01-5956-4485-9f80-f428f7d60129 v2.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
45776b01-5956-4485-9f80-f428f7d60129 v2.0
0x00 CRrReadCache
0x01 CRrReadCacheEntry
0x02 CRrGetHashTableStats
0x03 R_ResolverGetConfig
0x04 R_ResolverFlushCache
0x05 R_ResolverFlushCacheEntry
0x06 R_ResolverRegisterCluster
0x07 R_ResolverQuery
0x08 R_ResolverEnumCache
0x09 R_ResolverPoke


--------------------------------------------------------------------------------

4.10.5 EFS
The EFS (Encrypted FileSystem) subsystem runs one RPC service, efsrpc, used to communicate with the service that implement cryptographic operations on the local system.

--------------------------------------------------------------------------------

Interface Operation number Operation name
c681d488-d850-11d0-8c52-00c04fd90f7e v1.0: efsrpc
0x00 EfsRpcOpenFileRaw
0x01 EfsRpcReadFileRaw
0x02 EfsRpcWriteFileRaw
0x03 EfsRpcCloseRaw
0x04 EfsRpcEncryptFileSrv
0x05 EfsRpcDecryptFileSrv
0x06 EfsRpcQueryUserOnFile
0x07 EfsRpcQueryRecoveryAgents
0x08 EfsRpcRemoveUsersFromFile
0x09 EfsRpcAddUsersToFile
0x0a EfsRpcSetFileEncryptionKey
0x0b EfsRpcNotSupported
0x0c EfsRpcFileKeyInfo
0x0d EfsRpcDuplicateEncryptionInfoFile


--------------------------------------------------------------------------------

4.10.6 Cryptographic Services service
The Cryptographic Services service runs three RPC services, available on the following endpoints:
keysvc LPC port
keysvc named pipe
Y:>ifids -p ncalrpc -e keysvc serveur
Interfaces: 40

[...]

8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
a3b749b1-e3d0-4967-a521-124055d1c37d v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0

[...]

Y:>ifids -p ncacn_np -e pipekeysvc /.
Interfaces: 40

[...]

8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
a3b749b1-e3d0-4967-a521-124055d1c37d v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0: ICertPassage
0x00 KeyrOpenKeyService
0x01 KeyrEnumerateProviders
0x02 KeyrCloseKeyService
0x03 KeyrGetDefaultProvider
0x04 KeyrEnroll
0x05 KeyrEnumerateAvailableCertTypes
0x06 KeyrEnumerateCAs
0x07 KeyrEnroll_V2
0x08 KeyrQueryRequestStatus


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
a3b749b1-e3d0-4967-a521-124055d1c37d v1.0: IKeySvcR
0x00 RKeyrOpenKeyService
0x01 RKeyrCloseKeyService
0x02 RKeyrPFXInstall


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
0x00 SSCertProtectFunction


--------------------------------------------------------------------------------

An additional RPC service exists:

--------------------------------------------------------------------------------

Interface Operation number Operation name
8ec70aac-a042-a622-b71b-fb9d43010000 v0.4 0x00 SSCatDBAddCatalog
0x01 SSCatDBDeleteCatalog
0x02 SSCatDBEnumCatalogs
0x03 SSCatDBRegisterForChangeNotification
0x04 SSCatDBPauseResumeService


--------------------------------------------------------------------------------

4.10.7 Security Configuration Editor Engine
The Security Configuration Editor Engine runs in the services.exe process context. It runs one RPC service on the following endpoint:
scerpc named pipe
Y:>ifids -p ncacn_np -e pipescerpc /.
Interfaces: 7

[...]

93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
0x00 SceSvcRpcQueryInfo
0x01 SceSvcRpcSetInfo
0x02 SceRpcSetupUpdateObject
0x03 SceRpcSetupMoveFile
0x04 SceRpcGenerateTemplate
0x05 SceRpcConfigureSystem
0x06 SceRpcGetDatabaseInfo
0x07 SceRpcGetObjectChildren
0x08 SceRpcOpenDatabase
0x09 SceRpcCloseDatabase
0x0a SceRpcGetDatabaseDescription
0x0b SceRpcGetDBTimeStamp
0x0c SceRpcGetObjectSecurity
0x0d SceRpcGetAnalysisSummary
0x0e SceRpcAnalyzeSystem
0x0f SceRpcUpdateDatabaseInfo
0x10 SceRpcUpdateObjectInfo
0x11 SceRpcStartTransaction
0x12 SceRpcCommitTransaction
0x13 SceRpcRollbackTransaction
0x14 SceRpcGetServerProductType
0x15 SceSvcRpcUpdateInfo
0x16 SceRpcCopyObjects
0x17 SceRpcSetupResetLocalPolicy
0x18 SceRpcNotifySaveChangesInGP
0x19 SceRpcControlNotificationQProcess
0x1a SceRpcBrowseDatabaseTable
0x1b SceRpcGetSystemSecurity
0x1c SceRpcGetSystemSecurityFromHandle
0x1d SceRpcSetSystemSecurity
0x1e SceRpcSetSystemSecurityFromHandle
0x1f SceRpcSetDatabaseSetting
0x20 SceRpcGetDatabaseSetting
0x21 SceRpcConfigureConvertedFileSecurityImmediately


--------------------------------------------------------------------------------

4.10.8 Windows Time service
The Windows Time service runs one RPC service on the following endpoints:
W32TIME LPC port (Windows 2000 and Windows XP) and W32TIME_ALT LPC port (Windows Server 2003)
W32TIME named pipe (Windows 2000 and Windows XP) and W32TIME_ALT named pipe (Windows Server 2003)
Y:>ifids -p ncalrpc -e W32TIME_ALT serveur
Interfaces: 40

[...]

8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

[...]

Y:>ifids -p ncacn_np -e pipeW32TIME_ALT /.
Interfaces: 40

[...]

8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1: w32time
0x00 W32TimeSync
0x01 W32TimeGetNetLogonServiceBits
0x02 W32TimeQueryProviderStatus


--------------------------------------------------------------------------------

4.10.9 Windows Audio service
The Windows Audio service runs one RPC service, avalailable on the following endpoints:
AudioSrv LPC port
AudioSrv named pipe (Windows XP only)
Y:>ifids -p ncalrpc -e AudioSrv serveur
Interfaces: 40

[...]

3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
3faf4738-3a21-4307-b46c-fdda9bb8c0d5 v1.0
0x00 gfxCreateZoneFactoriesList
0x01 gfxCreateGfxFactoriesList
0x02 gfxCreateGfxList
0x03 gfxRemoveGfx
0x04 gfxAddGfx
0x05 gfxModifyGx
0x06 gfxOpenGfx
0x07 gfxLogon
0x08 gfxLogoff
0x09 winmmRegisterSessionNotificationEvent
0x0a winmmUnregisterSessionNotification
0x0b winmmSessionConnectState
0x0c wdmDriverOpenDrvRegKey
0x0d winmmAdvisePreferredDeviceChange
0x0e winmmGetPnpInfo


--------------------------------------------------------------------------------

4.10.10 Certificate service
The certificate services runs one RPC service on the following endpoint:
cert named pipe
Y:>ifids -p ncacn_np -e pipecert /.
Interfaces: 6

[...]

91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
91ae6020-9e3c-11cf-8d7c-00aa00c091be v0.0
0x00 CertServerRequest


--------------------------------------------------------------------------------

4.10.11 DHCP Server service
The DHCP Server service runs two RPC services, available on the following endpoint:
DHCPSERVERLPC LPC port
Z:>ifids -p ncalrpc -e DHCPSERVERLPC serveur
Interfaces: 6
00000134-0000-0000-c000-000000000046 v0.0
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0
6bffd098-a112-3610-9833-46c3f874532d v1.0
5b821720-f63b-11d0-aad2-00c04fc324db v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
6bffd098-a112-3610-9833-46c3f874532d v1.0
0x00 R_DhcpCreateSubnet
0x01 R_DhcpSetSubnetInfo
0x02 R_DhcpGetSubnetInfo
0x03 R_DhcpEnumSubnets
0x04 R_DhcpAddSubnetElement
0x05 R_DhcpEnumSubnetElements
0x06 R_DhcpRemoveSubnetElement
0x07 R_DhcpDeleteSubnet
0x08 R_DhcpCreateOption
0x09 R_DhcpSetOptionInfo
0x0a R_DhcpGetOptionInfo
0x0b R_DhcpRemoveOption
0x0c R_DhcpSetOptionValue
0x0d R_DhcpGetOptionValue
0x0e R_DhcpEnumOptionValues
0x0f R_DhcpRemoveOptionValue
0x10 R_DhcpCreateClientInfo
0x11 R_DhcpSetClientInfo
0x12 R_DhcpGetClientInfo
0x13 R_DhcpDeleteClientInfo
0x14 R_DhcpEnumSubnetClients
0x15 R_DhcpGetClientOptions
0x16 R_DhcpGetMibInfo
0x17 R_DhcpEnumOptions
0x18 R_DhcpSetOptionValues
0x19 R_DhcpServerSetConfig
0x1a R_DhcpServerGetConfig
0x1b R_DhcpScanDatabase
0x1c R_DhcpGetVersion
0x1d R_DhcpAddSubnetElementV4
0x1e R_DhcpEnumSubnetElementsV4
0x1f R_DhcpRemoveSubnetElementV4
0x20 R_DhcpCreateClientInfoV4
0x21 R_DhcpSetClientInfoV4
0x22 R_DhcpGetClientInfoV4
0x23 R_DhcpEnumSubnetClientsV4
0x24 R_DhcpSetSuperScopeV4
0x25 R_DhcpGetSuperScopeInfoV4
0x26 R_DhcpDeleteSuperScopeV4
0x27 R_DhcpServerSetConfigV4
0x28 R_DhcpServerGetConfigV4


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
5b821720-f63b-11d0-aad2-00c04fc324db v1.0
0x00 R_DhcpEnumSubnetClientsV5
0x01 R_DhcpSetMScopeInfo
0x02 R_DhcpGetMScopeInfo
0x03 R_DhcpEnumMScopes
0x04 R_DhcpAddMScopeElement
0x05 R_DhcpEnumMScopeElements
0x06 R_DhcpRemoveMScopeElement
0x07 R_DhcpDeleteMScope
0x08 R_DhcpScanMDatabase
0x09 R_DhcpCreateMClientInfo
0x0a R_DhcpSetMClientInfo
0x0b R_DhcpGetMClientInfo
0x0c R_DhcpDeleteMClientInfo
0x0d R_DhcpEnumMScopeClients
0x0e R_DhcpCreateOptionV5
0x0f R_DhcpSetOptionInfoV5
0x10 R_DhcpGetOptionInfoV5
0x11 R_DhcpEnumOptionsV5
0x12 R_DhcpRemoveOptionV5
0x13 R_DhcpSetOptionValueV5
0x14 R_DhcpSetOptionValuesV5
0x15 R_DhcpGetOptionValueV5
0x16 R_DhcpEnumOptionValuesV5
0x17 R_DhcpRemoveOptionValueV5
0x18 R_DhcpCreateClass
0x19 R_DhcpModifyClass
0x1a R_DhcpDeleteClass
0x1b R_DhcpGetClassInfo
0x1c R_DhcpEnumClasses
0x1d R_DhcpGetAllOptions
0x1e R_DhcpGetAllOptionValues
0x1f R_DhcpGetMCastMibInfo
0x20 R_DhcpAuditLogSetParams
0x21 R_DhcpAuditLogGetParams
0x22 R_DhcpServerQueryAttribute
0x23 R_DhcpServerQueryAttributes
0x24 R_DhcpServerRedoAuthorization
0x25 R_DhcpAddSubnetElementV5
0x26 R_DhcpEnumSubnetElementsV5
0x27 R_DhcpRemoveSubnetElementV5
0x28 R_DhcpGetServerBindingInfo
0x29 R_DhcpSetServerBindingInfo
0x2a R_DhcpQueryDnsRegCredentials
0x2b R_DhcpSetDnsRegCredentials
0x2c R_DhcpBackupDatabase
0x2d R_DhcpRestoreDatabase

4.10.12 Terminal Server service
The Terminal Server service runs two RPC services, available on the following endpoints:
IcaApi LPC port
LcRpc LPC port
Ctx_WinStation_API_service named pipe
Y:>ifids -p ncalrpc -e IcaApi serveur
Interfaces: 2
2f59a331-bf7d-48cb-9e5c-7c090d76e8b8 v1.0
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0

Y:>ifids -p ncalrpc -e LcRpc serveur
Interfaces: 2
2f59a331-bf7d-48cb-9e5c-7c090d76e8b8 v1.0
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0

Y:>ifids -p ncacn_np -e pipeCtx_Winstation_API_Service /.
Interfaces: 2
2f59a331-bf7d-48cb-9e5c-7c090d76e8b8 v1.0
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0

The following interface is used for Terminal Services licensing:

--------------------------------------------------------------------------------

Interface Operation number Operation name
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8 v1.0
0x00 RpcLicensingOpenServer
0x01 RpcLicensingCloseServer
0x02 RpcLicensingLoadPolicy
0x03 RpcLicensingUnloadPolicy
0x04 RpcLicensingSetPolicy
0x05 RpcLicensingGetAvailablePolicyIds
0x06 RpcLicensingGetPolicy
0x07 RpcLicensingGetPolicyInformation
0x08 RpcLicensingDeactivateCurrentPolicy


--------------------------------------------------------------------------------

The following interface is used for Terminal Services remote management:

--------------------------------------------------------------------------------

Interface Operation number Operation name
5ca4a760-ebb1-11cf-8611-00a0245420ed v1.0 0x00 RpcWinStationOpenServer
0x01 RpcWinStationCloseServer
0x02 RpcIcaServerPing
0x03 RpcWinStationEnumerate
0x04 RpcWinStationRename
0x05 RpcWinStationQueryInformation
0x06 RpcWinStationSetInformation
0x07 RpcWinStationSendMessage
0x08 RpcLogonIdFromWinStationName
0x09 RpcWinStationNameFromLogonId
0x0a RpcWinStationConnect
0x0b RpcWinStationVirtualOpen
0x0c RpcWinStationBeepOpen
0x0d RpcWinStationDisconnect
0x0e RpcWinStationReset
0x0f RpcWinStationShutdownSystem
0x10 RpcWinStationWaitSystemEvent
0x11 RpcWinStationShadow
0x12 RpcWinStationShadowTargetSetup
0x13 RpcWinStationShadowTarget
0x14 RpcWinStationGenerateLicense
0x15 RpcWinStationInstallLicense
0x16 RpcWinStationEnumerateLicenses
0x17 RpcWinStationActivateLicense
0x18 RpcWinStationRemoveLicense
0x19 RpcWinStationQueryLicense
0x1a RpcWinStationSetPoolCount
0x1b RpcWinStationQueryUpdateRequired
0x1c RpcWinStationCallback
0x1d RpcWinStationGetApplicationInfo
0x1e RpcWinStationReadRegistry
0x1f RpcWinStationWaitForConnect
0x20 RpcWinStationNotifyLogon
0x21 RpcWinStationNotifyLogoff
0x22 RpcWinStationEnumerateProcesses
0x23 RpcWinStationAnnoyancePopup
0x24 RpcWinStationEnumerateProcesses
0x25 RpcWinStationTerminateProcess
0x26 RpcServerNWLogonSetAdmin
0x27 RpcServerNWLogonQueryAdmin
0x28 RpcWinStationNtsdDebug ?
0x29 RpcWinStationBreakPoint ?
0x2a RpcWinStationCheckForApplicationName ?
0x2b RpcWinStationGetAllProcesses
0x2c RpcWinStationGetProcessSid
0x2d RpcWinStationGetTermSrvCountersValue
0x2e RpcWinStationReInitializeSecurity
0x2f RpcWinStationBroadcastSystemMessage
0x30 RpcWinStationSendWindowMessage
0x31 RpcWinStationNotifyNewSession
0x32 RpcServerGetInternetConnectorStatus
0x33 RpcServerSetInternetConnectorStatus
0x34 RpcServerQueryInetConnectorInformation
0x35 RpcWinStationGetLanAdapterName
0x36 RpcWinStationUpdateUserConfig
0x37 RpcWinStationQueryLogonCredentials
0x38 RpcWinStationRegisterConsoleNotification
0x39 RpcWinStationUnRegisterConsoleNotification
0x3a RpcWinStationUpdateSettings
0x3b RpcWinStationShadowStop
0x3c RpcWinStationCloseServerEx
0x3d RpcWinStationIsHelpAssistantSession
0x3e RpcWinStationGetMachinePolicy
0x3f RpcWinStationUpdateClientCachedCredentials
0x40 RpcWinStationFUSCanRemoteUserDisconnect
0x41 RpcWinStationCheckLoopBack
0x42 RpcConnectCallback
0x43 RpcWinStationNotifyDisconnectPipe
0x44 RpcWinStationSessionInitialized
0x45 RpcRemoteAssistancePrepareSystemRestore
0x46 RpcWinStationGetAllProcesses_NT6
0x47 RpcWinStationRegisterNotificationEvent
0x48 RpcWinStationUnRegisterNotificationEvent
0x49 RpcWinStationAutoReconnect
0x4a RpcWinStationCheckAccess
0x4b RpcWinStationOpenSessionDirectory


--------------------------------------------------------------------------------

4.10.13 License Logging service
The License Logging service runs two RPC services, available on the following endpoints:
llslpc LPC port
llsrpc named pipe
Y:>ifids -p ncalrpc -e llslpc serveur
Interfaces: 2
342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
57674cd0-5200-11ce-a897-08002b2e9c6d v1.0

Y:>ifids -p ncacn_np -e pipellsrpc /.
Interfaces: 2
342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
57674cd0-5200-11ce-a897-08002b2e9c6d v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
57674cd0-5200-11ce-a897-08002b2e9c6d v1.0
0x00 LlsrLicenseRequestW
0x01 LlsrLicenseFree


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
0x00 LlsrConnect
0x01 LlsrClose
0x02 LlsrLicenseEnumW
0x03 LlsrLicenseEnumA
0x04 LlsrLicenseAddW
0x05 LlsrLicenseAddA
0x06 LlsrProductEnumW
0x07 LlsrProductEnumA
0x08 LlsrProductAddW
0x09 LlsrProductAddA
0x0a LlsrProductUserEnumW
0x0b LlsrProductUserEnumA
0x0c LlsrProductServerEnumW
0x0d LlsrProductServerEnumA
0x0e LlsrProductLicenseEnumW
0x0f LlsrProductLicenseEnumA
0x10 LlsrUserEnumW
0x11 LlsrUserEnumA
0x12 LlsrUserInfoGetW
0x13 LlsrUserInfoGetA
0x14 LlsrUserInfoSetW
0x15 LlsrUserInfoSetA
0x16 LlsrUserDeleteW
0x17 LlsrUserDeleteA
0x18 LlsrUserProductEnumW
0x19 LlsrUserProductEnumA
0x1a LlsrUserProductDeleteW
0x1b LlsrUserProductDeleteA
0x1c LlsrMappingEnumW
0x1d LlsrMappingEnumA
0x1e LlsrMappingInfoGetW
0x1f LlsrMappingInfoGetA
0x20 LlsrMappingInfoSetW
0x21 LlsrMappingInfoSetA
0x22 LlsrMappingUserEnumW
0x23 LlsrMappingUserEnumA
0x24 LlsrMappingUserAddW
0x25 LlsrMappingUserAddA
0x26 LlsrMappingUserDeleteW
0x27 LlsrMappingUserDeleteA
0x28 LlsrMappingAddW
0x29 LlsrMappingAddA
0x2a LlsrMappingDeleteW
0x2b LlsrMappingDeleteA
0x2c LlsrServerEnumW
0x2d LlsrServerEnumA
0x2e LlsrServerProductEnumW
0x2f LlsrServerProductEnumA
0x30 LlsrLocalProductEnumW
0x32 LlsrLocalProductInfoGetW
0x33 LlsrLocalProductInfoGetA
0x34 LlsrLocalProductInfoSetW
0x35 LlsrLocalProductInfoSetA
0x36 LlsrServiceInfoGetW
0x37 LlsrServiceInfoGetA
0x38 LlsrServiceInfoSetW
0x39 LlsrServiceInfoSetA
0x3a LlsrReplConnect
0x3b LlsrReplClose
0x3c LlsrReplicationRequestW
0x3d LlsrReplicationServerAddW
0x3e LlsrReplicationServerServiceAddW
0x3f LlsrReplicationServiceAddW
0x40 LlsrReplicationUserAddW
0x41 LlsrProductSecurityGetW
0x42 LlsrProductSecurityGetA
0x43 LlsrProductSecuritySetW
0x44 LlsrProductSecuritySetA
0x45 LlsrProductLicensesGetA
0x46 LlsrProductLicensesGetW
0x47 LlsrCertificateClaimEnumA
0x48 LlsrCertificateClaimEnumW
0x49 LlsrCertificateClaimAddCheckA
0x4a LlsrCertificateClaimAddCheckW
0x4b LlsrCertificateClaimAddA
0x4c LlsrCertificateClaimAddW
0x4d LlsrReplicationCertDbAddW
0x4e LlsrReplicationProductSecurityAddW
0x4f LlsrReplicationUserAddExW
0x50 LlsrCapabilityGet
0x51 LlsrLocalServiceEnumW
0x52 LlsrLocalServiceEnumA
0x53 LlsrLocalServiceAddA
0x54 LlsrLocalServiceAddW
0x55 LlsrLocalServiceInfoSetW
0x56 LlsrLocalServiceInfoSetA
0x57 LlsrLocalServiceInfoGetW
0x58 LlsrLocalServiceInfoGetA
0x59 LlsrCloseEx


--------------------------------------------------------------------------------

4.10.14 Secondary Logon service
The Secondary Logon service runs one RPC service, available on the following endpoints:
SECLOGON LPC port (Windows XP and Windows Server 2003)
SecondaryLogon named pipe (Windows 2000), SECLOGON named pipe (Windows XP)
Y:>ifids -p ncalrpc -e SECLOGON serveur
Interfaces: 40

[...]

12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0



--------------------------------------------------------------------------------

Interface Operation number Operation name
12b81e99-f207-4a4c-85d3-77b42f76fd14 v1.0
0x01 SeclCreateProcessWithLogonW


--------------------------------------------------------------------------------

4.10.15 Protected storage service
The Protected Storage service runs one RPC service, available on the following endpoints:
protected_storage LPC port
protected_storage named pipe
Y:>ifids -p ncalrpc -e protected_storage serveur
Interfaces: 18

[...]

c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0

[...]


Y:>ifids -p ncacn_np -e pipeprotected_storage /.
Interfaces: 18

[...]

c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
0x00 SSPStoreEnumProviders
0x01 SSGetProvInfo
0x02 SSGetProvParam
0x03 SSetProvParam
0x04 SSAcquireContext
0x05 SSReleaseContext
0x06 SSPasswordInterface
0x07 SSEnumTypes
0x08 SSEnumSubtypes
0x09 SSEnumItems
0x0a SSGetTypeInfo
0x0b SSGetSubtypeInfo
0x0c SSCreateType
0x0d SSCreateSubtype
0x0e SSDeleteType
0x0f SSDeleteSubtype
0x10 SSDeleteItem
0x11 SSReadItem
0x12 SSWriteItem
0x13 SSOpenItem
0x14 SSCloseItem
0x15 SSReadAccessRuleset
0x16 SSWriteAccessRuleset


--------------------------------------------------------------------------------

On Windows 2000, the two following RPC services run in the LSA:

--------------------------------------------------------------------------------

Interface Operation number Operation name
11220835-5b26-4d94-ae86-c3e475a809de v1.0
0x00 SSCryptProtectData
0x01 SSCryptUnprotectData


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
5cbe92cb-f4be-45c9-9fc9-33e73e557b20 v1.0
0x00 SSRecoveryQueryStatus
0x01 SSRecoveryImportRecoveryKey
0x02 SSRecoverPassword


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
3dde7c30-165d-11d1-ab8f-00805f14db40 v1.0
0x00 BackuprKey


--------------------------------------------------------------------------------

4.10.16 Telephony service
The Telephony service runs two RPC services on the following endpoints:
tapsrvlpc LPC port
tapsrv named pipe
Y:>ifids -p ncalrpc -e tapsrvlpc serveur
Interfaces: 1
2f5f6520-ca46-1067-b319-00dd010662da v1.0

Y:>ifids -p ncacn_np -e pipetapsrv /.
Interfaces: 1
2f5f6520-ca46-1067-b319-00dd010662da v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
2f5f6520-ca46-1067-b319-00dd010662da v1.0
0x00 ClientAttach
0x01 ClientRequest
0x02 ClientDetach


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
2f5f6521-ca47-1068-b319-00dd010662db v1.0
0x00 SPAttach
0x01 SPEventProc
0x02 SPDetach


--------------------------------------------------------------------------------

4.10.17 Remote Access service
The Remote Access service runs one RPC service, available on the following endpoint:
ROUTER named pipe
Y:>ifids -p ncacn_np -e pipeROUTER /.
Interfaces: 43

[...]

8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
8f09f000-b7ed-11ce-bbd2-00001a181cad v0.0
0x00 RMprAdminServerGetInfo
0x01 RRasAdminConnectionEnum
0x02 RRasAdminConnectionGetInfo
0x03 RRasAdminConnectionClearStats
0x04 RRasAdminPortEnum
0x05 RRasAdminPortGetInfo
0x06 RRasAdminPortClearStats
0x07 RRasAdminPortReset
0x08 RRasAdminPortDisconnect
0x09 RRouterInterfaceTransportSetGlobalInfo
0x0a RRouterInterfaceTransportGetGlobalInfo
0x0b RRouterInterfaceGetHandle
0x0c RRouterInterfaceCreate
0x0d RRouterInterfaceGetInfo
0x0e RRouterInterfaceSetInfo
0x0f RRouterInterfaceDelete
0x10 RRouterInterfaceTransportRemove
0x11 RRouterInterfaceTransportAdd
0x12 RRouterInterfaceTransportGetInfo
0x13 RRouterInterfaceTransportSetInfo
0x14 RRouterInterfaceEnum
0x15 RRouterInterfaceConnect
0x16 RRouterInterfaceDisconnect
0x17 RRouterInterfaceUpdateRoutes
0x18 RRouterInterfaceQueryUpdateResult
0x19 RRouterInterfaceUpdatePhonebookInfo
0x1a RMIBEntryCreate
0x1b RMIBEntryDelete
0x1c RMIBEntrySet
0x1d RMIBEntryGet
0x1e RMIBEntryGetFirst
0x1f RMIBEntryGetNext
0x20 RMIBGetTrapInfo
0x21 RMIBSetTrapInfo
0x22 RRasAdminConnectionNotification
0x23 RRasAdminSendUserMessage
0x24 RRouterDeviceEnum
0x25 RRouterInterfaceTransportCreate
0x26 RRouterInterfaceDeviceGetInfo
0x27 RRouterInterfaceDeviceSetInfo
0x28 RRouterInterfaceSetCredentialsEx
0x29 RRouterInterfaceGetCredentialsEx
0x2a RRasAdminConnectionRemoveQuarantine


--------------------------------------------------------------------------------

4.10.18 IPsec Policy Agent service - Windows 2000
On Windows 2000, the IPsec Policy Agent service runs one RPC service, available on the following endpoints:
policyagent LPC port
POLICYAGENT named pipe
C:>ifids -p ncalrpc -e policyagent fenetre
Interfaces: 5

[...]

d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5

C:>ifids -p ncacn_np -e pipepolicyagent /.
Interfaces: 5

[...]

d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5


--------------------------------------------------------------------------------

Interface Operation number Operation name
d335b8f6-cb31-11d0-b0f9-006097ba4e54 v1.5
0x00 PAAddPolicyRule
0x01 PAUpdatePolicyRule
0x02 PADeletePolicy
0x03 PAQueryIsakmpPolicy
0x04 PAAddIsakmpPolicy
0x05 PARefreshPolicies
0x06 PAAddFilter
0x07 PAMatchFilter
0x08 PAQueryIpsecPolicy
0x09 PAQueryFilters
0x0a PADeleteFilter
0x0b PAQueryStatistics
0x0c PAQueryAssociations
0x0d PAQueryIsakmpAssociations
0x0e PADeleteIsakmpAssociation
0x0f IsakmpInitiateNegotiation
0x10 IsakmpQueryNegotiationStatus
0x11 IsakmpCloseNegotiationStatusHandle
0x12 IsakmpQuerySpiChange
0x13 IsakmpRegisterNotifyClient
0x14 IsakmpDeregisterNotifyClient
0x15 IsakmpQuerySpi


--------------------------------------------------------------------------------

4.10.19 IPsec Services service - Windows XP and Windows Server 2003
On Windows XP, the IPsec Services service runs one RPC service on the following endpoints:
ipsec LPC port
ipsec named pipe
E:>ifids -p ncalrpc -e ipsec jamal
Interfaces: 8

[...]

12345678-1234-abcd-ef00-0123456789ab v1.0


E:>ifids -p ncacn_np -e pipeipsec /.

Interfaces: 8

[...]

12345678-1234-abcd-ef00-0123456789ab v1.0


On Windows Server 2003, the RPC service does not seem to set a specific endpoint.

--------------------------------------------------------------------------------

Interface Operation number Operation name
12345678-1234-abcd-ef00-0123456789ab v1.0
0x00 RpcAddTransportFilter
0x01 RpcDeleteTransportFilter
0x02 RpcEnumTransportFilters
0x03 RpcSetTransportFilter
0x04 RpcGetTransportFilter
0x05 RpcAddQMPolicy
0x06 RpcDeleteQMPolicy
0x07 RpcEnumQMPolicies
0x08 RpcSetQMPolicy
0x09 RpcGetQMPolicy
0x0a RpcAddMMPolicy
0x0b RpcDeleteMMPolicy
0x0c RpcEnumMMPolicies
0x0d RpcSetMMPolicy
0x0e RpcGetMMPolicy
0x0f RpcAddMMFilter
0x10 RpcDeleteMMFilter
0x11 RpcEnumMMFilters
0x12 RpcSetMMFilter
0x13 RpcGetMMFilter
0x14 RpcMatchMMFilter
0x15 RpcMatchTransportFilter
0x16 RpcGetQMPolicyByID
0x17 RpcGetMMPolicyByID
0x18 RpcAddMMAuthMethods
0x19 RpcDeleteMMAuthMethods
0x1a RpcEnumMMAuthMethods
0x1b RpcSetMMAuthMethods
0x1c RpcGetMMAuthMethods
0x1d RpcInitiateIKENegotiation
0x1e RpcQueryIKENegotiationStatus
0x1f RpcCloseIKENegotiationHandle
0x20 RpcEnumMMSAs
0x21 RpcDeleteMMSAs
0x22 RpcDeleteQMSAs
0x23 RpcQueryIKEStatistics
0x24 RpcRegisterIKENotifyClient
0x25 RpcQueryIKENotifyData
0x26 RpcCloseIKENotifyHandle
0x27 RpcQueryIPSecStatistics
0x28 RpcEnumQMSAs
0x29 RpcAddTunnelFilter
0x2a RpcDeleteTunnelFilter
0x2b RpcEnumTunnelFilters
0x2c RpcSetTunnelFilter
0x2d RpcGetTunnelFilter
0x2e RpcMatchTunnelFilter
0x2f RpcOpenMMFilterHandle
0x30 RpcCloseMMFilterHandle
0x31 RpcOpenTransportFilterHandle
0x32 RpcCloseTransportFilterHandle
0x33 RpcOpenTransportFilterHandle
0x34 RpcCloseTransportFilterHandle
0x35 RpcOpenTunnelFilterHandle
0x36 RpcCloseTunnelFilterHandle
0x37 RpcEnumIpsecInterfaces
0x38 RpcAddSAs
0x39 RpcSetConfigurationVariables
0x3a RpcGetConfigurationVariables
0x3b RpcQuerySpdPolicyState


--------------------------------------------------------------------------------

4.10.20 Distributed Link Tracking Client service
The Distributed Link Tracking Client service, implemented in the trkwks.dll DLL, runs one RPC service, available on the following endpoints:
trkwks LPC port
trkwks named pipe
Y:>ifids -p ncalrpc -e trkwks serveur
Interfaces: 40

[...]

300f3532-38cc-11d0-a3f0-0020af6b0add v1.2

Y:>ifids -p ncacn_np -e pipetrkwks /.
Interfaces: 40

[...]

300f3532-38cc-11d0-a3f0-0020af6b0add v1.2



--------------------------------------------------------------------------------

Interface Operation number Operation name
300f3532-38cc-11d0-a3f0-0020af6b0add v1.2: trkwks
0x00 LnkMendLink
0x01 LnkSearchMachine
0x02 LnkCallSvrMessage
0x03 LnkSetVolumeId
0x04 LnkRestartDcSynchronization
0x05 GetVolumeTrackingInformation
0x06 GetFileTrackingInformation
0x07 TriggerVolumeClaims
0x08 LnkOnRestore
0x09 LnkMendLink
0x0a LnkSearchMachine
0x0b LnkCallSvrMessage
0x0c LnkSearchMachine


--------------------------------------------------------------------------------

4.10.21 Distributed Link Tracking Server service

--------------------------------------------------------------------------------

Interface Operation number Operation name
4da1c422-943d-11d1-acae-00c04fc2aa3f v1.0: trksvr
0x00 LnkSvrMessage


--------------------------------------------------------------------------------

4.10.22 WebClient service
The WebClient service runs one RPC service, available on the following endpoint:
DAV RPC SERVICE named pipe
Y:>ifids -p ncacn_np -e "pipeDAV RPC SERVICE" /.
Interfaces: 1
c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
c8cb7687-e6d3-11d2-a958-00c04f682e16 v1.0
0x00 DavrCreateConnection
0x01 DavrDoesServerDoDav
0x02 DavrIsValidShare
0x03 DavrEnumNetUses
0x04 DavrEnumShares
0x05 DavrEnumServers
0x06 DavrGetConnection
0x07 DavrDeleteConnection
0x08 DavrGetUser
0x09 DavrConnectionExist
0x0a DavrWinlogonLogonEvent
0x0b DavrWinlogonLogoffEvent
0x0c DavrGetDiskSpaceUsage
0x0d DavrFreeUsedDiskSpace
0x0e DavrGetTheLockOwnerOfTheFile


--------------------------------------------------------------------------------

4.10.23 Windows File Protection
The Windows File Protection subsystem runs one RPC service, available on the following endpoints:
SfcApi LPC port
SfcApi named pipe (Windows 2000 and Windows XP, not Windows Server 2003)
Y:>ifids -p ncalrpc -e SfcApi serveur
Interfaces: 9

[...]

83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0
0x00 SfcSrv_GetNextProtectedFile
0x01 SfcSrv_IsFileProtected
0x02 SfcSrv_FileException
0x03 SfcSrv_InitiateScan
0x04 SfcSrv_PurgeCache
0x05 SfcSrv_SetCacheSize
0x06 SfcSrv_SetDisable
0x07 SfcSrv_InstallProtectedFiles


--------------------------------------------------------------------------------

4.10.24 System Event Notification service
The System Event Notification Service runs two RPC service, listening on the following endpoint:
senssvc LPC port
Y:>ifids -p ncalrpc -e senssvc serveur
Interfaces: 43

[...]

63fbe424-2029-11d1-8db8-00aa004abd5e v1.0
629b9f66-556c-11d1-8dd2-00aa004abd5e v3.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
63fbe424-2029-11d1-8db8-00aa004abd5e v1.0
0x00 Rpc_IsNetworkAlive
0x01 Rpc_IsDestinationReachableW
0x02 Rpc_IsDestinationReachableA


--------------------------------------------------------------------------------


--------------------------------------------------------------------------------

Interface Operation number Operation name
629b9f66-556c-11d1-8dd2-00aa004abd5e v3.0
0x00 Rpc_SensNotifyWinlogonEvent
0x01 Rpc_SensNotifyRasEvent
0x02 Rpc_SensNotifyNetconEvent
0x03 Rpc_SyncMgrExecCmd


--------------------------------------------------------------------------------

4.10.25 Wireless Configuration service
The Wireless Configuration service runs one RPC service, available on the following endpoint:
wzcsvc LPC port
X:>ifids -p ncalrpc -e wzcsvc serveur
Interfaces: 37
621dff68-3c39-4c6c-aae3-e68e2c6503ad v1.0

[...]



--------------------------------------------------------------------------------

Interface Operation number Operation name
621dff68-3c39-4c6c-aae3-e68e2c6503ad v1.0
0x00 RpcEnumInterfaces
0x01 RpcQueryInterface
0x02 RpcSetInterface
0x03 RpcRefreshInterface
0x04 RpcQueryContext
0x05 RpcSetContext
0x06 RpcEapolUIResponse
0x07 RpcEapolGetCustomAuthData
0x08 RpcEapolSetCustomAuthData
0x09 RpcEapolGetInterfaceParams
0x0a RpcEapolSetInterfaceParams
0x0b RpcEapolReAuthenticateInterface
0x0c RpcEapolQueryInterfaceState
0x0d RpcOpenWZCDbLogSession
0x0e RpcCloseWZCDbLogSession
0x0f RpcEnumWZCDbLogRecords
0x10 RpcFlushWZCDbLog
0x11 RpcGetWZCDbLogRecord


--------------------------------------------------------------------------------

This interface can only be used locally (it is registered with RpcServerRegisterIfEx(), with a security-callback function that verifies that the protocol sequence used is ncalrpc).


4.10.26 Winlogon process - Windows 2000
Different RPC services runs in the Winlogon process and are available on the following endpoints:
winlogonrpc named pipe
InitShutdown named pipe
C:>ifids -p ncacn_np -e pipewinlogonrpc /.
Interfaces: 4
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0

C:>ifids -p ncacn_np -e pipeInitShutdown /.
Interfaces: 4
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0


winlogon.exe RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
0x00 BaseInitiateShutdown
0x01 BaseAbortShutdown
0x02 BaseInitiateShutdownEx


--------------------------------------------------------------------------------

profmap.dll DLL RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
369ce4f0-0fdc-11d3-bde8-00c04f8eee78 v1.0
0x00 ProfMapSrv_RemoteRemapUserProfile
0x01 ProfMapSrv_RemoteRemapAndMoveUser


--------------------------------------------------------------------------------

wlnotify.dll DLL RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
0x00 SecpGetCurrentUserToken


--------------------------------------------------------------------------------

4.10.27 Winlogon process - Windows Server 2003
Different RPC services runs in the Winlogon process and are available on the following endpoints:
sclogonrpc LPC port
InitShutdown named pipe
Z:>ifids -p ncalrpc -e sclogonrpc serveur
Interfaces: 9
326731e3-c1c0-4a69-ae20-7d9044a4ea5c v1.0
95958c94-a424-4055-b62b-b7f4d5c47770 v1.0
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
00000134-0000-0000-c000-000000000046 v0.0
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0

Z:>ifids -p ncacn_np -e pipeInitShutdown /.
Interfaces: 9
326731e3-c1c0-4a69-ae20-7d9044a4ea5c v1.0
95958c94-a424-4055-b62b-b7f4d5c47770 v1.0
894de0c0-0d55-11d3-a322-00c04fa321a1 v1.0
83da7c00-e84f-11d2-9807-00c04f8ec850 v2.0
a002b3a0-c9b7-11d1-ae88-0080c75e4ec1 v1.0
00000134-0000-0000-c000-000000000046 v0.0
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0
00000131-0000-0000-c000-000000000046 v0.0
00000143-0000-0000-c000-000000000046 v0.0


userenv.dll DLL RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
326731e3-c1c0-4a69-ae20-7d9044a4ea5c v1.0
0x00 DropClientContext
0x01 LoadUserProfileI
0x02 UnloadUserProfileI
0x03 ReleaseClientContext
0x04 EnterUserProfileLockRemote
0x05 LeaveUserProfileLockRemote


--------------------------------------------------------------------------------

kerberos.dll DLL RPC service:

--------------------------------------------------------------------------------

Interface Operation number Operation name
95958c94-a424-4055-b62b-b7f4d5c47770 v1.0
0x00 RPC_ScHelperInitializeContext
0x01 RPC_ScHelperRelease
0x02 RPC_ScHelperGetCertFromLogonInfo
0x03 RPC_ScHelperGetProvParam
0x04 RPC_ScHelperGenRandBits
0x05 RPC_ScHelperVerifyCardAndCreds
0x06 RPC_ScHelperEncryptCredentials
0x07 RPC_ScHelperSignPkcsMessage
0x08 RPC_ScHelperDecryptMessage
0x09 RPC_ScHelper_CryptAcquireCertificatePrivateKey
0x0a RPC_ScHelper_CryptSetProvParam
0x0b RPC_ScHelper_CryptReleaseContext


--------------------------------------------------------------------------------

4.10.28 Application Management service
The Application Management service runs one RPC service, available on the following endpoint:
appmgmt LPC port
Z:>ifids -p ncalrpc -e appmgmt serveur
Interfaces: 47

[...]

8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0


--------------------------------------------------------------------------------

Interface Operation number Operation name
8c7daf44-b6dc-11d1-9a4c-0020af6e7c57 v1.0
0x00 PINSTALLCONTEXT_rundown
0x01 InstallBegin
0x02 InstallManageApp
0x03 InstallUnmanageApp
0x04 InstallEnd
0x05 ARPRemoveApp
0x06 GetManagedApps
0x07 RsopReportInstallFailure
0x08 GetManagedAppCategories


--------------------------------------------------------------------------------

4.11 Implication of multiple RPC services in one process
One important thing to know about the MSRPC implementation is that, inside a given process, any RPC services listening on any protocol sequences can be reached using any opened endpoints.

As most Win32 services are implemented in a few processes, hosting many Win32 services (lsass.exe, services.exe, svchost.exe), a direct consequence is that all RPC services started by any Win32 service in a given process can be invoked using any opened endpoint in the process context.


4.11.1 Win32 services hosting
The services.exe process host many services, which can be identified looking for services.exe in the following registry value of each service service_name:
Key: HKLM/SYSTEM/CurrentControlSet/Services/service_name Value: ImagePath

Three instances of svchost.exe processes can be found on a Windows 2000 system. Among them, one instance (netsvcs instance) typically hosts different services. Services hosted in svchost.exe processes appear in the registry:
Key: HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Svchost Values: netsvcs, rpcss, tapisrv

More precisely, on Windows 2000 systems, the following Win32 services run in the following processes:
lsass.exe: kdc, netlogon, NtLmSsp, PolicyAgent, SamSs
services.exe: Alerter, AppMgmt, Browser, Dhcp, dmserver, Dnscache, Eventlog, lanmanserver, lanmanworkstation, LmHosts, Messenger, PlugPlay, ProtectedStorage, seclogon, TrkSvr, TrkWks, W32Time, Wmi
svchost.exe (netsvcs instance): EventSystem, Ias, Iprip, Irmon, Netman, Nwsapagent, Rasauto, Rasman, Remoteaccess, SENS, Sharedaccess, Ntmssvc
svchost.exe (rpcss instance): rpcss
svchost.exe (tapisrv instance): Tapisrv

On Windows XP systems, Win32 services run in the following processes:
lsass.exe: Netlogon, NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
services.exe: Eventlog, PlugPlay
svchost.exe (LocalService instance, running as LocalService): Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
svchost.exe (NetworkService instance, running as NetworkService): DnsCache
svchost.exe (netsvcs instance): 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, TermService, wuauserv, BITS, ShellHWDetection, helpsvc, uploadmgr
svchost.exe (rpcss instance): rpcss
svchost.exe (termsvcs instance): TermService
svchost.exe (imgsvc instance); StiSvc

On Windows Server 2003 systems, Win32 services are organized as follow:
lsass.exe: HTTPFilter, kdc, Netlogon, NtLmSsp, PolicyAgent, ProtectedStorage, SamSs
services.exe: Eventlog, PlugPlay
svchost.exe (LocalService instance, running as LocalService): Alerter, WebClient, LmHosts, WinHttpAutoProxySvc
svchost.exe (NetworkService instance, running as NetworkService): 6to4, DHCP, DnsCache
svchost.exe (netsvcs instance): AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, EventSystem, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Sacsvr, Schedule, Seclogon, SENS, Sharedaccess, Themes, TrkWks, TrkSvr, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wuauserv, BITS, ShellHWDetection, helpsvc, uploadmgr, WmdmPmSN
svchost.exe (rpcss instance): rpcss
svchost.exe (regsvc instance): RemoteRegistry
svchost.exe (swprv instance): swprv
svchost.exe (tapisrv instance): Tapisrv
svchost.exe (termsrv instance): TermService
svchost.exe (WinErr instance): ERsvc
svchost.exe (imgsvc instance): StiSvc
To determine which services are hosted by which services on a running system, the following tools can be used:
the Process Explorer tool [62]
option /s of the tlist utility (part of Windows 2000 support tools)
option /svc of the tasklist utility (available in Windows XP and later)


4.11.2 Example of multiple RPC services in one process
Using ifids with the eventlog named pipe endpoint, opened by the Eventlog service running in the services.exe process, the list of interface identifiers is:
C:WINNT>ifids -p ncacn_np -e pipeeventlog /.
Interfaces: 13
367abb81-9844-35f1-ad32-98f038001003 v2.0
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
6bffd098-a112-3610-9833-46c3f87e345a v1.0
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

Using another endpoint, for example, the dynamic UDP port opened by the messenger service (also running in the services.exe process), the result is identical:
C:WINNT>ifids -p ncadg_ip_udp -e 1026 127.0.0.1
Interfaces: 13
367abb81-9844-35f1-ad32-98f038001003 v2.0
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
6bffd098-a112-3610-9833-46c3f87e345a v1.0
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

These results show that all RPC services in the services.exe process can be reached using any opened endpoint on any transport.

Using our knowledge of RPC interface identifiers, we can identify some of the Win32 services currently running in the services.exe process:
C:WINNT>ifids -p ncadg_ip_udp -e 1026 127.0.0.1
Interfaces: 13
367abb81-9844-35f1-ad32-98f038001003 v2.0 Services Control Manager (SCM)
93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0 Security Configuration Editor (SCE)
82273fdc-e32a-18c3-3f78-827929dc23ea v0.0 Eventlog service
65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0 DNS Client service (Windows 2000)
8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0 Plug and Play service
8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0 |
c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0 |__ Protected Storage service
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0 |
4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0 Server service
6bffd098-a112-3610-9833-46c3f87e345a v1.0 Workstation service
17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0 |__ Messenger service
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0 |
8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1 Windows Time service

Thus, the following Win32 services are running:
Eventlog
Dnscache
ProtectedStorage
lanmanserver
lanmanworkstation
Messenger
PlugPlay
W32Time
Actually, the complete list of Win32 services running inside the services.exe process is:
C:WINNT>tlist /s

[...]

256 SERVICES.EXE Svcs: Alerter,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,W32Time

[...]


4.11.3 Implications of running multiple RPC services in one process
The direct consequence of running multiple RPC services in one process is that, if one RPC service is listening on an endpoint like a TCP port or a named pipe, all RPC services can be reached using that particular endpoint.

Thus, even if a RPC service listens only on the ncalrpc protocol (in order to accept only local procedure calls), it can be used remotely as long as another RPC service in the same process listens on a TCP port or a named pipe.

Another consequence is that it allows to anonymously identify some Win32 services remotely, as shown in the previous section:
Services running in the lsass.exe process can be identified, using the lsarpc, samr, netlogon named pipes as DCE RPC endpoint (these named pipes can always be opened in the context of a SMB NULL session)
Some services in the services.exe process can be identified, using either the dynamic UDP port opened by the messenger service as DCE RPC endpoint or the wkssvc, srvsvc or browser named pipes (they can always be opened in the context of a SMB NULL session).
Identifying Win32 services running in svchost.exe instances can be more difficult, in particular when RPC services contained in that processes do not open endpoints that can be used remotely.
Note: this also explains why one RPC interface identifier can appear more than once in the rpcdump output, with different endpoints on different protocol sequences: these correspond to endpoints opened by RPC services in the same process.


4.12 RPC services protection
Developpers of RPC services can protect their applications against the problem described in the previous section using two new API, RpcServerRegisterIfEx() and RpcServerRegisterIf2(). These new API allow the specification of a security-callback function, on a per-interface basis.

Typically, a security-callback function verifies that the protocol sequence used by a client is legal. For instance, it is thus possible to forbid access to RPC services that are supposed to be used only locally, even if the process that hosts RPC services also runs RPC services listening on named pipes or TCP or UDP sockets.

This technique is used at least for some RPC services in Windows Server 2003. For instance, 3 of the LSA RPC services implemented in lsasrv.dll use RpcServerRegisterIfEx() with a security-callback function that verifies the protocol sequence used. This is the case for the dsrole RPC interface, that can only be used using the ncalrpc protocol sequence, using the dsrole LPC port.

To conclude, even if multiple RPC interface identifiers appear in the output of the ifids command, this does no longer mean that all RPC services can be reached using any opened endpoints.


4.13 DCOM
4.13.1 COM interfaces
A process that hosts COM objects will typically support interfaces among the following ones:
00000001-0000-0000-c000-000000000046 v0.0 (IUnknown)
00000131-0000-0000-c000-000000000046 v0.0 (IRemUnknown)
00000132-0000-0000-c000-000000000046 v0.0 (ILocalSystemActivator)
00000134-0000-0000-c000-000000000046 v0.0 (IRunDown)
00000143-0000-0000-c000-000000000046 v0.0 (IRemUnknown2)
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0 ??


--------------------------------------------------------------------------------

Interface Operation number Operation name
18f70770-8e64-11cf-9af1-0020af6e72f4 v0.0
0x00 UseProtSeq
0x01 GetCustomProtseqInfo
0x02 UpdateResolverBindings


--------------------------------------------------------------------------------

5 Conclusion
Because of the proprietary nature of the Windows operating system, Windows network services internals have been progressively discovered by independent researchers.

In the past, many vulnerabilities have been discovered in the Windows SMB and DCE RPC implementations. Recently, multiple vulnerabilities in the MSRPC implementation have been published.

Thus, Windows systems must be properly protected, using appropriate IP filtering, to mitigate these risks.


References
[1] Implementing CIFS: http://www.ubiqx.org/cifs/
[2] HiverCon 2003 - Corporate Security Conference http://www.hivercon.com/
[3] Windows Network Data and Packet Filtering: http://www.ndis.com/papers/winpktfilter.htm
[4] NAT Clients Cannot View Web Sites After You Install SQL 2000 SP2 or SP3 on an RRAS Server: http://support.microsoft.com/?kbid=324288
[5] Netstat Does Not Display Listening TCP Ports: http://support.microsoft.com/?kbid=131482
[6] App Request UDP Only, "Netstat -an" Displays TCP and UDP: http://support.microsoft.com/?kbid=194171
[7] The NETSTAT Command Incorrectly Shows Ports in Listening States: http://support.microsoft.com/?kbid=331078
[8] hping: http://www.hping.org/
[9] Netcat 1.1 for Windows: http://www.atstake.com/research/tools/netw...work_utilities/
[10] TDImon: http://wwww.sysinternals.com/ntw2k/freewar...re/tdimon.shtml
[11] HOW TO: Determine Which Program Uses or Blocks Specific Transmission Control Protocol Ports in Windows http://support.microsoft.com/?kbid=281336
[12] TCPView: http://www.sysinternals.com/ntw2k/source/tcpview.shtml
[13] fport: http://www.foundstone.com/knowledge/prodde...desc/fport.html
[14] NT port binding insecurity: http://www.insecure.org/sploits/NT.port-bi...nerability.html
[15] socat - Multipurpose relay: http://www.dest-unreach.org/socat/
[16] NT needs privileged ports: http://discuss.microsoft.com/SCR ... mp;L=cifs&P=738
[17] Enabling NetBT to Open IP Ports Exclusively http://support.microsoft.com/?kbid=241041
[18] Applications May Be Able To "Listen" on TCP or UDP Ports: http://support.microsoft.com/?kbid=194431
[19] Using SO_EXCLUSIVEADDRUSE: http://msdn.microsoft.com/library/en-us/wi...siveaddruse.asp
[20] Windows Packet Capture Library: http://winpcap.polito.it/
[21] Atelier Web Ports Traffic Analyzer: http://www.atelierweb.com/pta/index.htm
[22] HOW TO: Install Microsoft Loopback Adapter in Windows 2000: http://support.microsoft.com/?kbid=236869
[23] SMB: The Server Message Block Protocol http://www.ubiqx.org/cifs/SMB.html
[24] NBT: NetBIOS over TCP/IP: http://www.ubiqx.org/cifs/NetBIOS.html
[25] Samba-TNG: http://www.samba-tng.org/
[26] Direct Hosting of SMB Over TCP/IP (Q204279): http://support.microsoft.com/?kbid=204279
[27] NetBT and raw SMB transport: http://www.hsc.fr/ressources/presentations...003/slide6.html
[28] RPC: Remote Procedure Call Control Specification Version 2: http://www.ietf.org/rfc/rfc1831.txt
[29] DCE 1.1: Remote Procedure Call: http://www.opengroup.org/onlinepubs/9629399/
[30] A brief history of Windows: http://www.advogato.org/article/596.html
[31] DCE 1.1: Remote Procedure Call - Introduction to the RPC API: http://www.opengroup.org/onlinepubs/962939...2.htm#tagfcjh_2
[32] WinObj: http://www.sysinternals.com/ntw2k/freeware...re/winobj.shtml
[33] RPC tools: http://razor.bindview.com/tools/desc/rpcto...1.0-readme.html
[34] PipeList: http://www.sysinternals.com/ntw2k/info/tips.shtml
[35] npfs aliases: http://www.hsc.fr/ressources/presentations...03/slide21.html
[36] ifids: named pipes endpoints: http://www.hsc.fr/ressources/presentations...03/slide24.html
[37] PipeACL tools v1.0: http://razor.bindview.com/tools/desc/pipea...1.0-readme.html
[38] Win32 Pipe Security Editor Windows NT/2000/XP: http://www.beyondlogic.org/consulting/pipe...sec/pipesec.htm
[39] Windows 2000, Null Sessions and MSRPC: http://razor.bindview.com/publish/presenta...s/nullsess.html
[40] UserInfo and UserDump tools: http://www.hammerofgod.com/HaxorCons.htm
[41] ACL tools v1.0: http://razor.bindview.com/tools/desc/aclto...1.0-readme.html
[42] Private objects security auditing (LogAnalysis mailing list): http://sisyphus.iocaine.com/pipermail/loga...uly/002104.html
[43] The Ethereal Network Analyzer: http://www.ethereal.com/
[44] Ethereal CVS repository: http://www.ethereal.com/cgi-bin/viewcvs.cgi/ethereal/
[45] Windows Workstation Service Remote Buffer Overflow: http://www.eeye.com/html/Research/Advisori...AD20031111.html
[46] Minimizing Windows network services: http://www.hsc.fr/ressources/breves/min_sr...res_win.en.html
[47] dcedump (part of the SPIKE toolkit): http://www.immunitysec.com/spike.html
[48] Endpoint Mapper Interface Definition: http://www.opengroup.org/onlinepubs/009629...o.htm#tagcjh_35
[49] Distributed Component Object Model Protocol -- DCOM/1.0: http://www.globecom.net/ietf/draft/draft-b...v1-spec-03.html
[50] Microsoft Debugging Tools: http://www.microsoft.com/whdc/ddk/debuggin...ng/default.mspx
[51] Understanding the DCOM Wire Protocol by Analyzing Network Data Packets: http://www.microsoft.com/msj/0398/dcom.aspx
[52] Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability: http://www.securiteam.com/exploits/5CP0N0KAKK.html
[53] Locator Service Buffer Overflow Vulnerability: http://www.nextgenss.com/advisories/ms-rpc-loc.txt
[54] Unchecked Buffer in Locator Service Could Lead to Code Execution (810833): http://www.microsoft.com/technet/security/...in/MS03-001.asp
[55] Windows PopUP SPAM: http://www.mynetwatchman.com/kb/security/a...cles/popupspam/
[56] LSD: http://www.lsd-pl.net/
[57] Buffer Overrun in Messenger Service Could Allow Code Execution (828035): http://www.microsoft.com/technet/security/...in/MS03-043.asp
[58] drsuapi MSRPC interface Ethereal dissector: http://www.ethereal.com/cgi-bin/viewcvs.cg...cerpc-drsuapi.c
[59] XCCC: Exchange 2000 Windows 2000 Connectivity Through Firewalls http://support.microsoft.com/?kbid=280132
[60] RPC Interfaces That Are Exposed by Secure Mail Publishing in ISA Server 2000: http://support.microsoft.com/?kbid=304948
[61] How MAPI Clients Access Active Directory: http://support.microsoft.com/?kbid=256976
[62] Process Explorer: http://www.sysinternals.com/ntw2k/freeware...re/procexp.html
[63] services.exe RPC services: http://www.hsc.fr/ressources/presentations...03/slide26.html
[64] DCE/RPC over SMB: Samba and Windows NT Domain Internals. Luke Kenneth Casson Leighton. Macmillan Technical Publishing, 2000.