RPC service - port 135 - epmap


Seer
July 18th, 2007, 02:13 AM
Hello.

I have a question that's been bugging me for some time.
Please take a look - a screenshot from PortExplorer -

[attached screenshot 191848]

Why does XP's RPC service need to listen on TCP port 135? It's an essential service, and cannot be disabled. Can this be stopped? Should it be stopped? What are the consequences? Can someone enlighten me on this one?

Thank you. :)

innerpeace
July 18th, 2007, 02:32 AM
Hi, I don't know the details, but check WWDC out. http://www.firewallleaktester.com/wwdc.htm Here is also a link to Stem's setup, it's a bit old though. http://www.wilderssecurity.com/showpost.php?p=896115&postcount=44
It mentions the port and WWDC and what it does. Scroll to the bottom for a pic of WWDC.

Edit to add Stem's quote from the above link: -{ Quote: "DCOM RPC (port 135). If you disable this then the "Scheduler" will fail to start. (So please take note of my warning shown for disabling the "Task Scheduler" service)" }-

Seer
July 18th, 2007, 02:47 AM
Hi innerpeace.

Thanks for the reply.:)

I have it like this (always had) -

[attached screenshot 191860]

As for Stem's post, I tried that already. Even when I completely disable the DCOM SPL service (which kills my internet connection BTW) and Task Scheduler, End-Point Mapper (epmap) still listens on port 135.

-{ Quote: "I don't know the details" }-

That's exactly what I'd like to know - what this "listening" feature does...
Thank you again.

Cheers.

innerpeace
July 18th, 2007, 03:50 AM
No problem, I didn't figure I could provide anything useful as I know you're a fairly advanced user. You're wise like your avatar :). Anyways, that is weird what is happening. Not sure if this helps, but do you have anything scheduled that Task Scheduler would need? You might give Stem a PM and see if he can help.

Cheers

Seer
July 18th, 2007, 05:02 AM
Hello again innerpeace.:)

Well I found a few useful links here (on Wilders) -

http://www.wilderssecurity.com/showthread.php?t=4194

http://www.wilderssecurity.com/showthread.php?t=6078

especially the link provided by Paul Wilders in post #1 in the first thread, and LowWaterMark's posts from the second.

It seems that epmap cannot be stopped without serious ill effects on your system - like me losing my internet connection. Paul Wilders' link is really very interesting. Although dated, I recommend it to anyone who's interested in Windows network services. I'll quote just a snip that concerns my question -

-{ Quote: "The only remaining opened port is TCP port 135. It is opened by the Remote Procedure Call (RpcSs) service and it is not possible to disable it because this service contains the COM service control manager, used by local processes. TCP port 135 remains opened because it is used to receive remote activation requests of COM objects. A global setting exists to disable DCOM" }-

and

-{ Quote: "Disabling DCOM does not close TCP port 135. To close it, one solution is to remove IP-based RPC protocol sequences from the list that can be used by DCOM. In our case, the sequence ncacn_ip_tcp (transport on TCP/IP) can be removed. The simplest solution for this is to use the dcomcnfg tool and to remove 'Connection-oriented TCP/IP' in the 'Default Protocols' tab." }-

This solution is for Windows 2000, it won't work for XP.

And, by LowWaterMark

-{ Quote: "Windows uses port 135 for the RPC end-point mapper (epmap), which is basically used as a "directory assistance" type service that allows network-aware processes to inquire regarding the address (port) upon which certain services are running on a system. Since these services can use different available ports, there had to be some mapper available to inform inquiring programs about which port is currently assigned to these services...

...it is not actually "impossible to close", but, arguably, you are really disabling a lot of your OS if you do take steps to close down the epmap. For information on how to close it, which I do not recommend and have not done myself." }-

I think I'll settle with that.
Problem solved.

Or maybe not... any replies still welcomed.

eniqmah
July 18th, 2007, 06:32 AM
You can disable the port with your FW if you don't like it being opened all the time. As far as I can tell, nothing is open on mine except my FW. I had seen epmap open before, along with the NetBIOS ports and such. After using SeconfigXP, my FW is the only thing listening on startup.

Seer
July 18th, 2007, 06:52 AM
Hello eniqmah.

Did you specifically block TCP port 135 with your firewall?
Would you care to try TCPView (http://www.microsoft.com/technet/sysinternals/Utilities/TcpView.mspx) from Sysinternals? It's small, requires no installation, and can show if the epmap port is being listened on. It should look like this -

[attached screenshot 191867]

Please report back if you try it...

Cheers.

EDIT: I am sorry, but Sysinternals' page doesn't have a download link (at the moment). Very strange. You can get TCPView from here: http://www.snapfiles.com/get/tcpview.html

eniqmah
July 18th, 2007, 07:14 AM
Hi,
The only thing showing is my FireSVc.exe on port x

Using Nirsoft's Currports.
http://www.nirsoft.net/utils/cports.html

Edit: Wasn't able to dl from Mark's page. Will run TCPView when I reboot.

Seer
July 18th, 2007, 07:33 AM
Hi. :)

[attached screenshot 191869]

My firewall (Jetico) is not listening on any port. A firewall should not do that without a good reason. Perhaps it listens for updates? Does it have remote control features?

-{ Quote: "Will run TCPView when I reboot." }-

You don't have to. CurrPorts is practically the same.

coolbluewater
July 18th, 2007, 07:43 AM
Maybe it's listening for BlasterWorm II 8)

eniqmah
July 18th, 2007, 07:47 AM
-{ Quote: "My firewall (Jetico) is not listening on any port. A firewall should not do that without a good reason. Perhaps it listens for updates? Does it have remote control features? [...] You don't have to. CurrPorts is practically the same." }-

My FW has autoupdate feature.
McAfee Desktop 8.5

TOMxEU
July 19th, 2007, 06:44 AM
I guess that 135 is listening (http://img300.imageshack.us/img300/5562/capture07192007123919gl1.jpg) only locally, well at least I get 135 stealthed (http://img300.imageshack.us/img300/3904/capture07192007123810xu5.jpg) without the firewall, but the other listening ports like 49152 are really opened (http://img300.imageshack.us/img300/417/capture07192007123813ca4.jpg) and they are listening the same way that 135 does, but I guess that 135 is something special: when I disabled 135, it also closed the ports 49152 and up, but the task scheduler and the other system services were not working, neither did some software. Well, it does not seem to be a good idea to do, but it is a user's choice.

You can check whether it is really opened via https://www.grc.com/port_135.htm - just temporarily disable the firewall and give it a try.

Seer
July 19th, 2007, 07:10 AM
Hello TheTOM_SK. :)

-{ Quote: "well at least I get 135 stealthed" }-

Most routers (if not all) will stealth port 135 by default, as there is a well-known issue with that port, as coolbluewater pointed out. ;) I have no problems with stealthing.

-{ Quote: "I guess, that 135 is listening only locally" }-

Yes, that can be seen from the screenshots. I was not concerned with the security aspect of this issue, I was rather curious as to why RPC needs to listen locally.
From LWM's explanation, it seems that RPC uses port 135 to do inquiries for other network service requirements. That actually makes a lot of sense.

-{ Quote: "other listening ports like 49152 are really opened" }-

High ports 49152-65535 are dynamic, and are used by client software (such as P2P), so they are also used by Windows client services (e.g. WebClient). That is also OK (if needed).
As you can also see from screenshots, I have everything else disabled, except End-Point Mapper on port 135.

I have come to the conclusion that it is not possible to safely disable this, on Windows XP Pro, without seriously crippling your OS. I am not sure about Home edition though...

Cheers. :)
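LowWaterMark's "directory assistance" description and the discussion above about which listeners are "only local" come down to two things a tool like TCPView or CurrPorts shows: the process that owns the socket, and the address it is bound to. The following is an added example, not code from anyone in this thread; it parses output in the shape of Windows `netstat -ano` (the sample text and the PID-to-image map are constructed, not captured from any of the posters' machines) and classifies each TCP listener as loopback-only or network-reachable, annotating port 135 and the 49152+ dynamic range that the thread talks about.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of `netstat -ano` on Windows; it was not
# captured from any machine in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       456
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING       2312
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1123      203.0.113.7:80         ESTABLISHED     3004
  UDP    0.0.0.0:123            *:*                                    1032
"""

# Constructed PID -> image-name map (what `tasklist` would give you).
SAMPLE_PROCESSES: Dict[int, str] = {
    876: "svchost.exe (RpcSs)",
    4: "System",
    456: "wininit.exe",
    2312: "localproxy.exe",
    3004: "browser.exe",
}

KNOWN_PORTS = {
    135: "epmap: RPC endpoint mapper, tells callers which dynamic port a service registered on",
    139: "netbios-ssn",
    445: "microsoft-ds (SMB)",
}
DYNAMIC_RANGE = range(49152, 65536)  # RPC dynamic endpoints on Vista and later


@dataclass
class Listener:
    addr: str
    port: int
    pid: int
    process: str
    exposure: str   # loopback | all-interfaces | specific-interface
    note: str


def classify_address(addr: str) -> str:
    """Who can reach a socket bound to this address."""
    if addr in ("127.0.0.1", "[::1]"):
        return "loopback"            # only processes on this host
    if addr in ("0.0.0.0", "[::]"):
        return "all-interfaces"      # every network the host is on, unless a firewall filters it
    return "specific-interface"      # one NIC, but still network-reachable


def describe_port(port: int) -> str:
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    if port in DYNAMIC_RANGE:
        return "dynamic range: an RPC endpoint handed out via the mapper, or an ordinary client socket"
    return "unlisted"


def parse_netstat(text: str, processes: Dict[int, str]) -> List[Listener]:
    """Return the TCP listeners from `netstat -ano` output, in file order."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        parts = line.split()
        # TCP rows have five columns; only the LISTENING state is a server socket.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        addr, _, port = parts[1].rpartition(":")   # port follows the last colon (IPv6-safe)
        pid = int(parts[4])
        listeners.append(Listener(addr, int(port), pid,
                                  processes.get(pid, f"<pid {pid} not in tasklist>"),
                                  classify_address(addr), describe_port(int(port))))
    return listeners


def network_exposed(listeners: List[Listener]) -> List[Listener]:
    """Listeners a remote host could reach if nothing filters the traffic."""
    return [l for l in listeners if l.exposure != "loopback"]


def report(listeners: List[Listener]) -> List[str]:
    return [f"{l.addr}:{l.port:<5} {l.exposure:<18} {l.process:<22} {l.note}" for l in listeners]


if __name__ == "__main__":
    found = parse_netstat(SAMPLE_NETSTAT, SAMPLE_PROCESSES)
    print("\n".join(report(found)))
    print(f"\n{len(network_exposed(found))} of {len(found)} listeners are reachable from the network")
```

On the constructed sample, epmap on 0.0.0.0:135 is classified as reachable from every interface, which is why the thread's "stealthed" result depends on the router or host firewall rather than on the socket itself; the loopback-bound listener on 12080 is the shape a local scanning proxy takes. To run it against a real host, replace the two constructed inputs with the text of `netstat -ano` and a PID map built from `tasklist`.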

TOMxEU
July 19th, 2007, 07:22 AM
As far as I can remember, I had NetBIOS ports opened or closed on XP and when I used WWDC I got them stealthed, so I do not think that I am behind the router; maybe those ports are stealthed by some registry settings, because they are inaccessible, no idea. Those high TCP ports are opened by Vista services permanently, I was able to shut them down only by disabling port 135, so it is not really a safe thing to do. You might want to try this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableDCOMHTTP"="N"
"EnableRemoteConnect"="N"

Seer
July 19th, 2007, 07:36 AM
-{ Quote: "maybe those ports are stealthed by some registry settings" }-

Yes, this is also a possibility. WWDC applies a couple of registry tweaks, like the one you quoted. This is for DCOM.
These tweaks are all in place on my system, for DCOM too, but RPC still needs to listen locally. Of course, I can stop this if I disable DCOM service completely, but it breaks my connection, as necessary network services fail to start. I have done some more research, and it seems that on XP Home, your registry tweak stops listening on port 135. It doesn't work for XP Pro.

TOMxEU
July 19th, 2007, 07:40 AM
You are right. BTW, sorry for the offtopic, but would you mind sharing your reg tweaks? I am always looking forward to increasing my little collections. Here are mine (http://www.sendspace.com/file/cmu10x).

Seer
July 19th, 2007, 07:50 AM
Hi TheTOM_SK.

-{ Quote: "would you mind sharing your reg tweaks" }-

I'm not quite sure what you mean. I don't apply manual registry tweaks, or use any tweaking software (like TweakUI or X-Setup). I am actually not sure if posting the contents of your registry out in the public is such a good idea, security/privacy-wise. There are all kinds of (private) information in the registry, including serial numbers of your software and whatnot.

-{ Quote: "my little collections." }-

What do you actually collect? Other people's registries? ;D

EDIT: LOL, there's an owl and a wolf, talking to each other.;D

TOMxEU
July 19th, 2007, 08:05 AM
I just try to find out the way to secure my PC as much as possible using passive tweaks which do not influence usability ("too much"), e.g. disabling CMD, batch files and WSH does increase security much more than most anti-soft, but the PC's usability drops to its knees as I have found out, since I used it for months, that it was quite uncomfortable to enable/disable it all day long crippling software, and Vista is already quite incompatible, so I do not need other tweaks to disable applications. I have also decided to use reg tweaks only, because they apply in a sec unlike a security template.

My reg tweaks do not include any personal information except a username and that does not bother me, since I revealed my IP on the screens and since I use no security software to block browser headers etc. and I generously share my PC with Google and MS by enabled error and user experience reporting, so it is obvious that it does not bother me that much. Well, if someone wants to know what I do, he can simply ask me, he does not have to hack me to find out that I do nothing at the PC all day and there is nothing valuable in my PC, well except my reg tweaks. ;D

-{ Quote: "These tweaks are all in place on my system,..." }-
I thought that you were referring to reg tweaks, well a little misunderstanding, my bad, I have a problem concentrating in this heat.
It is 36C outside (http://www.heso-com.sk/) and I have to go to work right now, just great. Well cya and I hope that you will find the answer to your q. ;)

Seer
July 19th, 2007, 08:16 AM
I really tend to avoid any manual tweaking, it's tedious and pretty geekish. I do have better things to do in my life.;)

-{ Quote: "My reg tweaks do not include any personal information except a username" }-

Yes, I have noticed, this is not the entire registry. Sorry.

-{ Quote: "There is 36C outside" }-

It's 38 here at the moment. ;D Are you in Bratislava? My dad was ambassador for my country there for 4 years. I visited him frequently, so I somehow became very fond of Slovakia. :)

This is now so OT...

innerpeace
July 19th, 2007, 10:23 PM
Hi Nick, I have XP Home and after disabling many services months ago and running WWDC, the only thing I show as listening with TCPView is Avast's WebShield. I also have WWDC set up like Stem's. So, you could be correct about XP Home and Pro editions being different. I hope this helps :).

Seer
July 19th, 2007, 10:39 PM
Hi innerpeace. :)

-{ Quote: "the only thing I show as listening with TCPView is Avast's WebShield." }-

Hmm... I have never used avast!, but I wonder why it does that... ???
That shouldn't be necessary. My NOD (IMON) listens to nothing. On which ports is that occurring, if you don't mind my inquiry? You can PM me if you find this question/your answer a security concern.

Cheers.

EDIT: I found this on Alwil site (http://www.avast.com/eng/webshield_issues.html):

-{ Quote: "Starting from the version 4.6. avast! comes with a new on-access scanning provider - Web Shield. It is able to monitor and filter all HTTP traffic coming from the Web sites on the Internet. It’s implemented as a HTTP proxy running on your PC. Connections from your Web browser are redirected to the Web Shield module. Web Shield in turn connects to the requested web server and while downloading the content it scans it for viruses and Trojans. Only the clean data is delivered to the browser, every malware is stopped before it gets saved on your PC." }-

That should be it. :)

innerpeace
July 20th, 2007, 12:00 AM
Sorry Nick, I should have mentioned the WebShield was an HTTP scanner/filter. The port it listens on should be 80 and I think it works like a proxy. Take care, innerpeace

Seer
July 20th, 2007, 12:30 AM
-{ Quote: "works like a proxy" }-

:thumb: