RPCSS.exe disable and NT/2000/XP?

Discussion in 'other security issues & news' started by Justin Smith, Sep 2, 2003.

Thread Status:
Not open for further replies.
  1. Justin Smith

    Justin Smith Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    13
    Location:
    New York
    I would like to disable RPCSS.exe to close port 135.

    I understand (from the Avast! thread) that renaming the file rpcltscm.dll to a .txt extension *may* lobotomize the server functionality of RPCSS.exe (and hence close pesky port 135).

    But has anyone actually successfully done this on an NT/2000/XP machine? I understand NT systems rely heavily on RPC, and may not boot if RPC functions are modified or switched off.

    Can anyone confirm this workaround works on NT systems with no ill effects?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hello Justin,

    I myself have not disabled this or attempted to close port 135 on my XP system because I've seen a great many posts by people who've had significant trouble with their systems after attempting to do so.

    If I had to guess based upon the information I've seen posted about this, it's about a 50%/50% chance for problems, especially problems connecting back on to the network following this. Many people say it works fine and many don't.

    So, rather than attempting to do this I choose simply to run a software firewall and not disable this aspect of the OS. Opinions will vary, so, hopefully you'll hear from people who've done it successfully, if that is what you really intend to do. Just be sure that what you do is reversible in case it causes you a problem.
     
  3. Justin Smith

    Justin Smith Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    13
    Location:
    New York
    Heh heh heh, yeah, that's what they said over at Microsoft. "Hey, what's 135 open for?" "(cough, cough, spitting up their coffee)...just use a firewall, Okay?" Uh-huh. ;) I guess it's something to try disabling next time I'm re-building my machine anyway.

    Securing Windows XP Inside Out, a Microsoft book, indicates there are two RPC services, 'RPC' and 'RPC locator', but XP Pro shows only RPC (I'm guessing 'locator' was integrated into 'RPC'), which of course you can't disable without making the system unusable. I understand more or less what RPC does generally, I think it's just too bad that a 'server' portion of it has 135 open, for unspecified reasons, at all times...

    I have Port Explorer logging it now, I wonder if I'll see anything. Probably not!

    Ah, well, maybe time to start using Linux...

    I don't think what you said was funny, but I do think it is sort of funny coming from them. Thank you for your input!

    P.S.: I was just checking this out with Faber Toys, and among the many imported modules associated with the particular Svchost process (pid 764 on my machine), that keeps port 135 open, and more specifically with RPCSS.dll, is some sort of function call called "impersonateloggedonuser". I'm not a programmer, but that sounds just lovely. At least the calling thread needs 'privileges'. Discussed here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/impersonateloggedonuser.asp

    Incidentally, I cannot even find rpcltscm.dll on my machine.
     
  4. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    Well, actually there is a registry hack which will stop it from listening on port 135, and I haven't experienced any side effects :)

    http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html
     
  5. controler

    controler Guest

    LOLOLOL

    Welcome Justin :)

    I had to look twice at this thread, thinking that was me posting.

    I am a very newbie Linux user and have been trying Cooker 9.2 without any luck at all. So I am now taking the Mandrake users' advice and downloading 9.1.

    Here is what the Linux users tell me about Windows and Microsoft.

    "The first thing you will notice between xp and linux, is that mandrake is not reporting your movements and activities to France, whereas windex is reporting anything it can about you to Redmond. No, it didn't ask for your permission, it just does it. You see, you don't own xp. You paid to be allowed to use it and microblast figures you owe them something. No, your money wasn't enough!"

    I am sure MS would not use port 135 to keep tabs on people.
    I also don't think there is a Magic Lantern? Whatever happened to that government worm anyways? I don't hear much talk about that anymore.

    con
     