rpcss.exe Wut u didn't Know !

Discussion in 'other security issues & news' started by Spanner intheWorks, Dec 31, 2004.

Thread Status:
Not open for further replies.
  1. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Spanner,

    Cut away the hushed tones and unsupported extrapolation, and you're talking about Microsoft product activation. Nothing else, except you seem to have some details wrong, at least if one believes any of Microsoft's own public statements.

    Aside from pointing to some vague anonymous statements that seem to be freely floating out there - do you have any firm and direct evidence of the charge that you've raised?

    Blue
     
  2. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Not that old is always bad info....but do you have any further links that are just a tad more up to date or any other further proof of this quite bizarre and almost comical statement?

    Response Number 88
    Name: anon
    Date: January 07, 2001 at 00:00:49 Pacific
    Subject: rpcss.exe
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Spanner,

    According to your post, you state
    You made this statement without attribution or reference. It is your claim as it stands now.

    As I said, "pointing to some vague anonymous statements". Repeating something over and over does not render it true. Your post contains potentially serious charges. You are responsible for placing them in front of us now. They are your responsibility. Yes, people can read the link you provided, but as I note above, the statements are vague, anonymously made (and I recognize that is not an immediate disqualifier), and virtually without direct evidence regarding the more sinister implications of your post and the associated links. With respect to the link to cexx.org, the more relevant link at this site is Other: RPCSS.EXE, mdm.exe. This page references the link you provided as "it has nonetheless been cited for numerous stability problems as well as security concerns. (Not to mention the unverified, but fairly wide-spread, other allegations...)" Your points are not the centerpiece of their page.

    Blue
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Spanner,

    You can wrap your convoluted logic in any manner of linguistic gymnastics you choose, my (meaning me, Blue, not Bubba) points remain....

    1. When you make statements, you should be ready to stand by them. Either believe them or not. My question to you - do you have faith that the information you posted is correct or not? If you believe it's correct, could you please explain why? I'm asking because I, frankly, think the innuendo pointed to is ludicrous.

    2. You have something to learn of the mechanics of referencing, that much is obvious. I realize the words you write are a verbatim lift, my comment remains.

    3. I read the thread you mentioned, along with a reasonable volume of additional hits that any reasonable search would uncover. Let's just say the conclusions drawn are, to put a charitable face on it, not empirically supported at this time. At least as far as I can see.

    4. Your extrapolation of my comments is completely irrational. I have no problem with anyone quoting information they uncover. When the information uncovered is confrontationally accusative, I would ask that they take some time to investigate the quality of the comments and either add appropriate qualifiers to the information or refrain from posting yet additional unsubstantiated noise to the Internet.

    5. As far as I'm concerned, things are cleared up. You have yet to post what I would call corroborating support for the comments made in your original post or a direct refutation of Microsoft's statement on the matter - read the details that they post regarding activation, they are explicit regarding what the information can and cannot be used for.

    I suppose we'll have to agree to disagree on the nature of your report for now.

    Thanks for your Kind Regards, and yes, my New Year is absolutely outstanding thus far!

    Blue
     
  5. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Me too. I usually disable services unrelated to my PC operating correctly for the functions I require of it. For me that also includes things like Remote Registry and Web Client among others - I'm not being administered remotely and I don't use WWA or OWA etc from this machine.....
    I really don't care what it does exactly. The description was Remote Procedure whatever - that was enough to explain to me it was a security risk....
    The description for the service running on port 135 provided by Sygate Personal Firewall is 'EPMAP - Location Service - Dynamically assign ports for RPC'
    I hope you can understand, Spanner, what the mods are saying. I can see that it's not you making the claim after reading the entire info and reference you provided. The thing is, if I understand correctly, that the way you originally presented the quote didn't make it clear enough for the mods that you were reporting somebody else's claim and not making your own. But thanks for posting anyway. It was interesting reading.
     
    Last edited: Jan 26, 2005
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
  7. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    Well, I didn't read everything written here, but what I did read seemed a little bit misinformed. RPCSS.exe is, as a few have pointed out, the Remote Procedure Call SubSystem. Now, what is a "Remote Procedure Call" and what does this RPCSS do? Contrary to what some of the above may lead you to believe, the RPCSS is not some nefarious application that records and broadcasts serial numbers. A Remote Procedure Call is a network programming standard created by The Open Group as a means to allow an application to make a function call into another application regardless of whether that other application resides on the same, local machine or a completely separate, remote machine. Simply, it is just a means for interprocess communication... a type of data pipe if you will (don't confuse it with something called "Named Pipes", though, which is another form of interprocess communication).

    So, basically, an RPC is just a way for two machines to talk to one another. The talking, in and of itself, is not necessarily a bad thing. The bad thing comes in what is being communicated, right? It turns out that many core services and other core functional items (like DCOM) are built around RPC. Most of these other services are clearly harmless. However, some may have a questionable purpose (like Windows Activation), or some may have programming errors that present an opportunity for a security vulnerability.

    So, the point is this, RPCSS is not really the culprit here... if there is information being communicated that you don't wish communicated then it is some other executable that is the one actually responsible. Technically, I believe, RPCSS is specifically responsible for what is called the "endpoint mapper" portion of the RPC protocol. Windows will not normally allow you to disable this service because RPC is considered an integral part of the operating system since so many other services (even local ones) will not function without it. Even if you log on with Administrator privileges and go to the Properties page for the RPC service, you will note that the Startup Type option is greyed out and cannot be changed by normal means. Manually changing the startup type through the registry itself will result, I'm told, in an incomplete and largely unstable operating system.

    However, the RPC functionality is a security risk, and should not be exposed to the public internet. The best way to avoid inbound RPC threats is to make use of a hardware firewall or NAT router that will not forward on unsolicited inbound RPC requests. Alternatively, you can make use of a software-based, host firewall application. As for outbound RPC threats, regarding privacy issues and the like, then you really need to identify the actual underlying source of the problem. It will be some other executable that makes use of RPC simply as a communication mechanism. As an analogy, if a terrorist makes a bomb threat via a phone call... is the problem really the phone system or is it the terrorist him or herself?
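    The post above says the endpoint mapper itself cannot be switched off, so the defender's check is whether its port (TCP 135, the EPMAP entry named earlier in the thread) is bound to an address reachable off-host. As an added example that is not from this thread, the Python below parses constructed Windows `netstat -ano` output and lists the endpoint-mapper sockets that are not loopback-bound, i.e. the binds a host firewall or NAT router has to cover. The sample rows and PIDs are made up.

```python
import ipaddress
from dataclasses import dataclass

EPMAP_PORT = 135  # RPC endpoint mapper (EPMAP), the port RPCSS listens on

# Constructed sample of Windows `netstat -ano` output, not a real capture.
# PIDs are made up; 1032 stands in for the svchost.exe hosting RPCSS.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    127.0.0.1:135          0.0.0.0:0              LISTENING       1032
  TCP    [::]:135               [::]:0                 LISTENING       1032
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49200     203.0.113.5:443        ESTABLISHED     2208
  UDP    0.0.0.0:500            *:*                                    1500
"""

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: int

def parse_listeners(netstat_text):
    """Listening sockets from `netstat -ano` text: TCP rows have five
    columns (state included), UDP rows four; non-LISTENING TCP is skipped."""
    listeners = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and (len(parts) != 5 or parts[3] != "LISTENING"):
            continue
        if parts[0] == "UDP" and len(parts) != 4:
            continue
        addr, port = parts[1].rsplit(":", 1)  # last ':' so [::]:135 parses too
        listeners.append(Listener(parts[0], addr, int(port), int(parts[-1])))
    return listeners

def is_loopback(addr):
    """True for 127.x / ::1; wildcard binds (0.0.0.0, [::]) count as exposed."""
    try:
        return ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return False

def exposed_epmap(listeners):
    """EPMAP sockets bound off-loopback: the ones a firewall/NAT must cover."""
    return [l for l in listeners if l.port == EPMAP_PORT and not is_loopback(l.addr)]
```

    On a real host, feed it the text of `netstat -ano` and cross-check the reported PID against the svchost.exe instance hosting RpcSs in Task Manager.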
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    For an interesting read in this debate, see HERE. It seems on Windows NT based systems this is a required service for your system to work properly.
    And the following attachment is from Black Viper's SITE where even he is recommending that you not disable it......
     


  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    And another quote from Black Viper's SITE:
    Note: Rpcss.exe is launched through the svchost.exe service and will be listed as running under it...
     
  10. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    That's a whole lot of info !!
    I probably should make it sufficiently clear that when I said I disabled it, in this case it just means no external traffic permitted. Most of the other unrequired services are set to not load at all but I haven't found a successful way to terminate RPC completely on XP......yet !!
    lol
     
  11. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Any decision made by choice is no accident.....
     
  12. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Spanner,
    If you (or anybody else affected by this issue) are so worried about programs phoning home, wouldn't it be easier and simpler to simply run a hardware firewall (either a separate box or in your router) and block the network ranges of concern? For that matter you could just use one of the personal firewalls or even something like ProtoWall on your workstation.

    Whether a program on your computer makes use of RPC calls to phone home (or not) then becomes a moot point, as the connection will not succeed.

    I can understand the phone home concern from a privacy point of view, but why would you bother running a copy of windows without a license.
    If you really object to paying them money for an O/S, why not just use Linux?

    NB: Protowall is quite useful if you get Bluetack's block list manager and use it to download the Ad-Trackers, DShield blocklist, Spyware and Trojans lists.... it is a useful addition to your favourite browser ad-blocker.
    See http://www.bluetack.co.uk/modules.php?name=Downloads

    If anyone wants to give ProtoWall a try, I'd suggest using 2.0Beta, but make sure you don't accept the default install path (or the driver probably won't load); install it in a directory path with no spaces in any of the directory components.
     
    Last edited: Jan 28, 2005