RPC service - port 135 - epmap

Hello.

I have a question that's been bugging me for some time.
Please take a look - a screenshot from PortExplorer -



Why does XP's RPC service need to listen on TCP port 135? It's essential service, and cannot be disabled. Can this be stopped? Should it be stopped? What are the consequences? Can someone enlighten me on this one?

Thank you.

 

Hi, I don't know the details, but check WWDC out. http://www.firewallleaktester.com/wwdc.htm Here is also a link to Stems setup, it's a bit old though. https://www.wilderssecurity.com/showpost.php?p=896115&postcount=44
It mentions the port and WWDC and what it does. Scroll to the bottom for a pic of WWDC.

edit to add Stems quote from the above link:

 

Hi innerpeace.

Thanks for the reply.

I have it like this (always had) -



As for the Stem's post, I tried that already. Even when I completely disable DCOM SPL service (which kills my internet connection BTW) and Task Scheduler, End-Point Mapper (epmap) still listens on port 135.

That's exactly what I'd like to know - what this "listening" feature does...
Thank you again.

Cheers.

 

No problem, I didn't figure I could provide anything useful as I know your a fairly advanced user. Your wise like your avatar . Anyways, that is weird what is happening. Not sure if this helps, but do you have anything scheduled that task scheduler would need? You might give Stem a PM and see if he can help.

Cheers

 

Hello again innerpeace.

Well I found a few useful links here (on Wilders) -

https://www.wilderssecurity.com/showthread.php?t=4194

https://www.wilderssecurity.com/showthread.php?t=6078

especially the link provided by Paul Wilders in post #1 in the first thread, and LowWaterMark's posts from the second.

It seems that epmap cannot be stopped without serious ill effects on your system - like me loosing my internet connection. Paul Wilders' link is really very interesting. Although dated, I recommend it to anyone who's interested in Windows network services. I'll quote just a snip that concerns my question -

and

This solution is for Windows2000, it won't work for XP.

And, by LowWaterMark

I think I'll settle with that.
Problem solved.

Or maybe not... any replies still welcomed.

 

You can disable the port with your FW if you don't like it being opened all the time. As far As I can tell, nothing is open on mine except my FW. I had seen emap open before, along with the Netbios ports and such. After using secondfig, my FW is the only thing listening on startup.
SeconfigXP.

 

Hello eniqmah.

Did you specifically block TCP port 135 with your firewall?
Would you care to try TCPview from Sysinternals? It's small, requires no installation, and can show if epmap port is being listened on. It should look like this -



Please report back if you try it...

Cheers.

EDIT: I am sorry, but Sysinternals' page don't have a download link (at the moment). Very strange. You can get TCPview from here: http://www.snapfiles.com/get/tcpview.html

 

Hi,
The only thing showing is my FireSVc.exe on port x

Using Nirsoft's Currports.
http://www.nirsoft.net/utils/cports.html

Edit: Wasn't able to dl from Mark's page. Will run TCPView when I reboot.

 

Hi.



My firewall (Jetico) is not listening on any port. A firewall should not do that without a good reason. Perhaps listens for updates? Does it have remote control features?

You don't have to. CurrPorts is practically the same.

 

Maybe it's listening for BlasterWorm II

 

My FW has autoupdate feature.
McAfee Desktop 8.5

 

I guess, that 135 is listening only locally, well at least I get 135 stealthed without the firewall, but the other listening ports like 49152 are really opened and they are listening the same way, that 135 does, but I guess, that 135 is something special, when I disabled 135, it also closed the ports 49152 and up, but the task scheduler and the other system services were not working, neither did some software, well it does not seem to be a good idea to do, but it is a user's choise.

You can try, is it is really opened via https://www.grc.com/port_135.htm - just temporarily disable the firewall and give it a try.

 

Hello TheTOM_SK.

Most routers (if not all) will stealth port 135 by default, as there is a well known issue with that port, as coolbluewater pointed out. I have no problems with stealthing.

Yes, that can be seen from a screenshots. I was not concerned with the security aspect of this issue, I was rather curious as to why does RPC need to llisten localy.
From LWM's explanation, it seems that RPC uses port 135 do do inquiries for other network service requirements. That actually makes a lot of sense.

high ports 49152-65535 are dynamic, and are used by client software (such as P2P), so they are also used by Windows client services (WebClient i.e.). That is also OK (if needed).
As you can also see from screenshots, I have everything else disabled, except End-Point Mapper on port 135.

I have come to the conclusion that it is not possible to safely disable this, on Windows XP Pro, without seriously crippling your OS. I am not sure about Home edition though...

Cheers.

 

As far as I can remember, I had NetBIOS ports opened or closed on XP and when I used WWDC I got it stealthed, so I do not think, that I am behind the router, maybe those ports are stealthed by some registry settings, because they are unacceasable, no idea. Those high TCP ports are opened Vista services permanentlly, I was able to shut them down only by disabling port 135, so it is not really a safe thing to do. You might want to try this:

Code:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"EnableDCOMHTTP"="N"
"EnableRemoteConnect"="N"

 

Yes, this is also a possibility. WWDC applies a couple of registry tweaks, like the one you quoted. This is for DCOM.
These tweaks are all in place on my system, for DCOM too, but RPC still needs to listen locally. Of course, I can stop this if I disable DCOM service completely, but it breaks my connection, as necessary network services fail to start. I have done some more research, and it seems that on XP Home, your registry tweak stops listening on port 135. It doesn't work for XP Pro.

 

You are right. BTW, sorry for offtopic, but would you mind to share your reg tweaks, I am allways looking forward to increase my little colections. Here are mine.

 

Hi TheTOM_SK.

I'm not quite sure what you mean. I don't apply manual registry tweaks, or use any tweaking software (like TweakUI or X-Setup). I am actually not sure if posting the contents of your registry out in the public is such a good idea, security/privacy-wise. There are all kinds of (private) information in the registry, including serial numbers of your software and whatnot.

What do you actually collect? Other people's registries?

EDIT: LOL, there's an owl and a wolf, talking to each other.

 

I just try to find out the way to secure my PC as much possible using pasive tweaks, which does not influence usablity ("too much"), eg disabling CMD, batch files and WSH does increase security much more than most anti-soft, but PC's usability drops to its knees as I have found out, since I used it for months, that it was quite uncomfortable to enable/disable it all day long criplling software and Vista is already quite uncompatibile, so I do not need other tweaks to disable aplications. I have also decided to use reg tweaks only, because it applies in a sec unlike a security template.

My reg tweaks does not include any personal information expect a username and that does not bother, since I revelead my IP on the screens and since I use no security software to block browser headers and etc and I generously share my PC with Google and MS by enabled error and user experience reporting, so it is obvious, that it does not bother me that much. Well, if someone wants to know, what I do, he can simply ask me, he does not have to hack me to find out, that I do nothing at PC all day and there is nothing valuable in my PC, well expect my reg tweaks.

I thought, that you are refferring to reg tweaks, well a little misunderstanding, my bad, I have a problem to concentrate in this heat.
There is 36C outside and I have to go to the work right now, just great. Well cya and I hope, that you will find answer to your q.

 

I really tend to avoid any manual tweaking, it's tedious and pretty geekish. I do have better things to do in my life.

Yes, I have noticed, this is not the entire registry. Sorry.

It's 38 here at the moment. Are you in Bratislava? My dad was ambassador for my country there for 4 years. I visited him frequently, so I somehow became very fond of Slovakia.

This is now so OT...

 

Hi Nick, I have XP home and after disabling many services months ago and running WWDC, the only thing I show as listening with TCP view is Avasts' WebShield. I also have WWDC setup like Stems. So, you could be correct about XP home and pro editions being different. I hope this helps .

 

Hi innerpeace.

Hmm... I have never used avast!, but I wonder why does it do that...
That shouldn't be necessary. My NOD (IMON) listens to nothing. On which ports is that occuring, if you don't mind my inquiry? You can PM me if you find this question/your answer a security concern.

Cheers.

EDIT: I found this on Alwil site:

That should be it.

 

Sorry Nick, I should have mentioned the WebShield was a HTTP scanner/filter. The port it listens on should be 80 and I think it works like a proxy. Take care, innerpeace