4.7.6. Hardcoded named pipes

In addition to named pipes that appear in the NullSessionPipes registry value, some additional named pipes are hardcoded in the SMB server driver (srv.sys).

The following named pipes are hardcoded:

\pipe\lsarpc, \pipe\samr, \pipe\netlogon (\pipe\lsass aliases)
\pipe\wkssvc, \pipe\srvsvc, \pipe\browser (\pipe\ntsvcs aliases)

Thus, it is possible to open the lsarpc named pipe in the context of a NULL session (but not the lsass named pipe, even though the former is an alias of the latter, as explained earlier).

These hardcoded named pipes were removed from the SMB server driver of recent Windows systems, starting with Windows XP Service Pack 2 (SP2) and Windows Server 2003 Service Pack 1 (SP1).

On these systems, the NullSessionPipes registry value was updated.

On Windows XP SP2, browser (no longer hardcoded) was explicitly added:

Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
Value: NullSessionPipes (REG_SZ)
Default value: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser

As a consequence, it is no longer possible to open the following named pipes in the context of a NULL session in Windows XP SP2:

On Windows Server 2003 SP1, netlogon, lsarpc, samr and browser have been explicitly added:

Key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
Value: NullSessionPipes (REG_SZ)
Default value: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, netlogon, lsarpc, samr, browser

As a consequence, it is no longer possible to open the following named pipes in the context of a NULL session in Windows Server 2003 SP1:
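The interaction between the hardcoded list and the NullSessionPipes value can be checked mechanically when auditing a collected registry value. The following Python sketch is an added example, not part of the original document: the function names are hypothetical, the pipe list and default values are copied from this section, and the lsass and ntsvcs aliases are not modelled.

```python
# Added example: pipe names and defaults are the ones quoted in this section.
HARDCODED = {"lsarpc", "samr", "netlogon", "wkssvc", "srvsvc", "browser"}

# Default NullSessionPipes values as quoted above.
XP_SP2_DEFAULT = r"COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser"
W2K3_SP1_DEFAULT = (r"COMNAP, COMNODE, SQL\QUERY, SPOOLSS, "
                    r"netlogon, lsarpc, samr, browser")


def parse_pipes(value):
    """Normalise a NullSessionPipes value (comma-separated string or list)."""
    items = value.split(",") if isinstance(value, str) else value
    pipes = set()
    for item in items:
        name = item.strip().lower()          # pipe names are case-insensitive
        if name.startswith("\\pipe\\"):      # accept \pipe\name as well
            name = name[len("\\pipe\\"):]
        if name:
            pipes.add(name)
    return pipes


def null_session_pipes(registry_value, driver_has_hardcoded):
    """Pipes that can be opened in a NULL session for this configuration."""
    allowed = parse_pipes(registry_value)
    if driver_has_hardcoded:                 # srv.sys before XP SP2 / 2003 SP1
        allowed |= HARDCODED
    return allowed


def closed_by_update(registry_value):
    """Hardcoded pipes that stop being reachable once srv.sys drops its list."""
    before = null_session_pipes(registry_value, True)
    after = null_session_pipes(registry_value, False)
    return sorted(before - after)


if __name__ == "__main__":
    for label, value in (("Windows XP SP2", XP_SP2_DEFAULT),
                         ("Windows Server 2003 SP1", W2K3_SP1_DEFAULT)):
        still_open = sorted(null_session_pipes(value, False) & HARDCODED)
        print(label, "- still open:", still_open)
        print(label, "- closed:", closed_by_update(value))
```

Passing a value collected from a host instead of the defaults shows whether an administrator has re-added any of the formerly hardcoded pipes.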