RPC service - port 135 - epmap

Discussion in 'other software & services' started by Seer, Jul 18, 2007.

Thread Status:
Not open for further replies.
  1. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello.

    I have a question that's been bugging me for some time.
    Please take a look - a screenshot from PortExplorer -

    epmap.jpg

    Why does XP's RPC service need to listen on TCP port 135? It's an essential service, and cannot be disabled. Can this be stopped? Should it be stopped? What are the consequences? Can someone enlighten me on this one?

    Thank you. :)
     
  2. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Hi, I don't know the details, but check WWDC out. http://www.firewallleaktester.com/wwdc.htm Here is also a link to Stem's setup, it's a bit old though. https://www.wilderssecurity.com/showpost.php?p=896115&postcount=44
    It mentions the port and WWDC and what it does. Scroll to the bottom for a pic of WWDC.

    edit to add Stem's quote from the above link:
     
    Last edited: Jul 18, 2007
  3. Seer

    Hi innerpeace.

    Thanks for the reply.:)

    I have it like this (always had) -

    wwdc.jpg

    As for Stem's post, I tried that already. Even when I completely disable DCOM SPL service (which kills my internet connection BTW) and Task Scheduler, End-Point Mapper (epmap) still listens on port 135.

    That's exactly what I'd like to know - what this "listening" feature does...
    Thank you again.

    Cheers.
     
  4. innerpeace

    No problem, I didn't figure I could provide anything useful as I know you're a fairly advanced user. You're wise like your avatar :). Anyway, that is weird what is happening. Not sure if this helps, but do you have anything scheduled that Task Scheduler would need? You might give Stem a PM and see if he can help.

    Cheers
     
  5. Seer

    Hello again innerpeace.:)

    Well I found a few useful links here (on Wilders) -

    https://www.wilderssecurity.com/showthread.php?t=4194

    https://www.wilderssecurity.com/showthread.php?t=6078

    especially the link provided by Paul Wilders in post #1 in the first thread, and LowWaterMark's posts from the second.

    It seems that epmap cannot be stopped without serious ill effects on your system - like me losing my internet connection. Paul Wilders' link is really very interesting. Although dated, I recommend it to anyone who's interested in Windows network services. I'll quote just a snip that concerns my question -

    and

    This solution is for Windows2000, it won't work for XP.

    And, by LowWaterMark

    I think I'll settle with that.
    Problem solved.

    Or maybe not... any replies still welcomed.
     
    Last edited: Jul 18, 2007
  6. eniqmah

    eniqmah Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    391
    You can disable the port with your FW if you don't like it being opened all the time. As far as I can tell, nothing is open on mine except my FW. I had seen epmap open before, along with the NetBIOS ports and such. After using Seconfig, my FW is the only thing listening on startup.
    SeconfigXP.
     
  7. Seer

    Hello eniqmah.

    Did you specifically block TCP port 135 with your firewall?
    Would you care to try TCPview from Sysinternals? It's small, requires no installation, and can show if epmap port is being listened on. It should look like this -

    tcpv.jpg

    Please report back if you try it...

    Cheers.

    EDIT: I am sorry, but Sysinternals' page doesn't have a download link (at the moment). Very strange. You can get TCPview from here: http://www.snapfiles.com/get/tcpview.html
     
    Last edited: Jul 18, 2007
  8. eniqmah

    Hi,
    The only thing showing is my FireSVc.exe on port x

    Using Nirsoft's Currports.
    http://www.nirsoft.net/utils/cports.html

    Edit: Wasn't able to dl from Mark's page. Will run TCPView when I reboot.
     
  9. Seer

    Hi. :)

    cp.jpg

    My firewall (Jetico) is not listening on any port. A firewall should not do that without a good reason. Perhaps it listens for updates? Does it have remote control features?

    You don't have to. CurrPorts is practically the same.
     
  10. coolbluewater

    coolbluewater Registered Member

    Joined:
    Feb 10, 2007
    Posts:
    268
    Location:
    next door to Redmond
    Maybe it's listening for BlasterWorm II :cool:
     
  11. eniqmah

    My FW has autoupdate feature.
    McAfee Desktop 8.5
     
  12. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    I guess that 135 is listening only locally; well, at least I get 135 stealthed without the firewall, but the other listening ports like 49152 are really opened and they are listening the same way that 135 does. But I guess that 135 is something special: when I disabled 135, it also closed the ports 49152 and up, but the task scheduler and the other system services were not working, and neither did some software. Well, it does not seem to be a good idea to do, but it is a user's choice.

    You can test if it is really opened via https://www.grc.com/port_135.htm - just temporarily disable the firewall and give it a try.
     
  13. Seer

    Hello TheTOM_SK. :)

    Most routers (if not all) will stealth port 135 by default, as there is a well known issue with that port, as coolbluewater pointed out. ;) I have no problems with stealthing.

    Yes, that can be seen from the screenshots. I was not concerned with the security aspect of this issue, I was rather curious as to why RPC needs to listen locally.
    From LWM's explanation, it seems that RPC uses port 135 to do inquiries for other network service requirements. That actually makes a lot of sense.

    High ports 49152-65535 are dynamic, and are used by client software (such as P2P), so they are also used by Windows client services (WebClient i.e.). That is also OK (if needed).
    As you can also see from screenshots, I have everything else disabled, except End-Point Mapper on port 135.

    I have come to the conclusion that it is not possible to safely disable this, on Windows XP Pro, without seriously crippling your OS. I am not sure about Home edition though...

    Cheers. :)
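
    The posts above turn on whether a listener is bound to every interface or only to loopback, and on how TCP 135 relates to the dynamic range 49152-65535. As an added example (not part of the original thread), this Python sketch classifies the LISTENING rows of `netstat -ano` output by bind address; the sample output, function names and labels are constructed for illustration.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1456
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       540
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1061      203.0.113.7:80         ESTABLISHED     2210
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    [::1]:5555             [::]:0                 LISTENING       3000
"""

# Only TCP rows in the LISTENING state: local address, local port, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
WILDCARD = {"0.0.0.0", "[::]"}  # bound to every IPv4 / IPv6 interface

def scope(addr):
    """Classify the bind address of a listening socket."""
    if addr in WILDCARD:
        return "all-interfaces"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback-only"
    return "single-interface"

def label(port):
    # 135 is the RPC endpoint mapper; 49152-65535 is the dynamic range.
    if port == 135:
        return "epmap"
    return "dynamic" if 49152 <= port <= 65535 else "other"

def listeners(text):
    """Return one dict per listening TCP socket found in netstat output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
            rows.append({"addr": addr, "port": port, "pid": pid,
                         "scope": scope(addr), "label": label(port)})
    return rows

def exposed(text):
    """Ports whose listener accepts connections from beyond loopback."""
    return sorted({(r["port"], r["label"]) for r in listeners(text)
                   if r["scope"] != "loopback-only"})

if __name__ == "__main__":
    print(exposed(SAMPLE))
```

    A wildcard bind only says the socket accepts connections on every interface; whether a remote probe actually reaches it depends on the firewall or router in front of the machine.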
     
  14. TairikuOkami

    As far as I can remember, I had NetBIOS ports opened or closed on XP and when I used WWDC I got it stealthed, so I do not think that I am behind the router; maybe those ports are stealthed by some registry settings, because they are inaccessible, no idea. Those high TCP ports are opened by Vista services permanently, I was able to shut them down only by disabling port 135, so it is not really a safe thing to do. You might want to try this:
    Code:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
    "EnableDCOM"="N"
    "EnableDCOMHTTP"="N"
    "EnableRemoteConnect"="N"
     
  15. Seer

    Yes, this is also a possibility. WWDC applies a couple of registry tweaks, like the one you quoted. This is for DCOM.
    These tweaks are all in place on my system, for DCOM too, but RPC still needs to listen locally. Of course, I can stop this if I disable DCOM service completely, but it breaks my connection, as necessary network services fail to start. I have done some more research, and it seems that on XP Home, your registry tweak stops listening on port 135. It doesn't work for XP Pro.
     
  16. TairikuOkami

    You are right. BTW, sorry for the off-topic, but would you mind sharing your reg tweaks? I am always looking forward to increasing my little collection. Here are mine.
     
  17. Seer

    Hi TheTOM_SK.

    I'm not quite sure what you mean. I don't apply manual registry tweaks, or use any tweaking software (like TweakUI or X-Setup). I am actually not sure if posting the contents of your registry out in the public is such a good idea, security/privacy-wise. There are all kinds of (private) information in the registry, including serial numbers of your software and whatnot.

    What do you actually collect? Other people's registries? :D

    EDIT: LOL, there's an owl and a wolf, talking to each other.:D
     
  18. TairikuOkami

    I just try to find out the way to secure my PC as much as possible using passive tweaks, which do not influence usability ("too much"), e.g. disabling CMD, batch files and WSH does increase security much more than most anti-soft, but the PC's usability drops to its knees as I have found out, since I used it for months, that it was quite uncomfortable to enable/disable it all day long crippling software and Vista is already quite incompatible, so I do not need other tweaks to disable applications. I have also decided to use reg tweaks only, because it applies in a sec unlike a security template.

    My reg tweaks do not include any personal information except a username and that does not bother me, since I revealed my IP on the screens and since I use no security software to block browser headers etc. and I generously share my PC with Google and MS by enabled error and user experience reporting, so it is obvious that it does not bother me that much. Well, if someone wants to know what I do, he can simply ask me, he does not have to hack me to find out that I do nothing at PC all day and there is nothing valuable in my PC, well except my reg tweaks. :D

    I thought that you were referring to reg tweaks, well a little misunderstanding, my bad, I have a problem concentrating in this heat.
    There is 36C outside and I have to go to the work right now, just great. Well cya and I hope, that you will find answer to your q. ;)
     
  19. Seer

    I really tend to avoid any manual tweaking, it's tedious and pretty geekish. I do have better things to do in my life.;)

    Yes, I have noticed, this is not the entire registry. Sorry.

    It's 38 here at the moment. :D Are you in Bratislava? My dad was ambassador for my country there for 4 years. I visited him frequently, so I somehow became very fond of Slovakia. :)

    This is now so OT...
     
  20. innerpeace

    Hi Nick, I have XP Home and after disabling many services months ago and running WWDC, the only thing I show as listening with TCPView is Avast's WebShield. I also have WWDC set up like Stem's. So, you could be correct about XP Home and Pro editions being different. I hope this helps :).
     
  21. Seer

    Hi innerpeace. :)

    Hmm... I have never used avast!, but I wonder why does it do that... o_O
    That shouldn't be necessary. My NOD (IMON) listens to nothing. On which ports is that occurring, if you don't mind my inquiry? You can PM me if you find this question/your answer a security concern.

    Cheers.

    EDIT: I found this on Alwil site:

    That should be it. :)
     
    Last edited: Jul 19, 2007
  22. innerpeace

    Sorry Nick, I should have mentioned the WebShield was an HTTP scanner/filter. The port it listens on should be 80 and I think it works like a proxy. Take care, innerpeace
     
  23. Seer

    :thumb:
     