4.11.16. License Logging service

The License Logging service runs two RPC services, available on the following endpoints:

Y:\>ifids -p ncalrpc -e llslpc serveur
Interfaces: 2
  342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
  57674cd0-5200-11ce-a897-08002b2e9c6d v1.0

Y:\>ifids -p ncacn_np -e \pipe\llsrpc \\.
Interfaces: 2
  342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0
  57674cd0-5200-11ce-a897-08002b2e9c6d v1.0

Table 4.88. lls_license operations

InterfaceOperation numberOperation name
57674cd0-5200-11ce-a897-08002b2e9c6d v1.0  
 0x00LlsrLicenseRequestW
 0x01LlsrLicenseFree

Table 4.89. llsrpc operations

InterfaceOperation numberOperation name
342cfd40-3c6c-11ce-a893-08002b2e9c6d v0.0  
 0x00LlsrConnect
 0x01LlsrClose
 0x02LlsrLicenseEnumW
 0x03LlsrLicenseEnumA
 0x04LlsrLicenseAddW
 0x05LlsrLicenseAddA
 0x06LlsrProductEnumW
 0x07LlsrProductEnumA
 0x08LlsrProductAddW
 0x09LlsrProductAddA
 0x0aLlsrProductUserEnumW
 0x0bLlsrProductUserEnumA
 0x0cLlsrProductServerEnumW
 0x0dLlsrProductServerEnumA
 0x0eLlsrProductLicenseEnumW
 0x0fLlsrProductLicenseEnumA
 0x10LlsrUserEnumW
 0x11LlsrUserEnumA
 0x12LlsrUserInfoGetW
 0x13LlsrUserInfoGetA
 0x14LlsrUserInfoSetW
 0x15LlsrUserInfoSetA
 0x16LlsrUserDeleteW
 0x17LlsrUserDeleteA
 0x18LlsrUserProductEnumW
 0x19LlsrUserProductEnumA
 0x1aLlsrUserProductDeleteW
 0x1bLlsrUserProductDeleteA
 0x1cLlsrMappingEnumW
 0x1dLlsrMappingEnumA
 0x1eLlsrMappingInfoGetW
 0x1fLlsrMappingInfoGetA
 0x20LlsrMappingInfoSetW
 0x21LlsrMappingInfoSetA
 0x22LlsrMappingUserEnumW
 0x23LlsrMappingUserEnumA
 0x24LlsrMappingUserAddW
 0x25LlsrMappingUserAddA
 0x26LlsrMappingUserDeleteW
 0x27LlsrMappingUserDeleteA
 0x28LlsrMappingAddW
 0x29LlsrMappingAddA
 0x2aLlsrMappingDeleteW
 0x2bLlsrMappingDeleteA
 0x2cLlsrServerEnumW
 0x2dLlsrServerEnumA
 0x2eLlsrServerProductEnumW
 0x2fLlsrServerProductEnumA
 0x30LlsrLocalProductEnumW
 0x31LlsrLocalProductEnumA
 0x32LlsrLocalProductInfoGetW
 0x33LlsrLocalProductInfoGetA
 0x34LlsrLocalProductInfoSetW
 0x35LlsrLocalProductInfoSetA
 0x36LlsrServiceInfoGetW
 0x37LlsrServiceInfoGetA
 0x38LlsrServiceInfoSetW
 0x39LlsrServiceInfoSetA
 0x3aLlsrReplConnect
 0x3bLlsrReplClose
 0x3cLlsrReplicationRequestW
 0x3dLlsrReplicationServerAddW
 0x3eLlsrReplicationServerServiceAddW
 0x3fLlsrReplicationServiceAddW
 0x40LlsrReplicationUserAddW
 0x41LlsrProductSecurityGetW
 0x42LlsrProductSecurityGetA
 0x43LlsrProductSecuritySetW
 0x44LlsrProductSecuritySetA
 0x45LlsrProductLicensesGetA
 0x46LlsrProductLicensesGetW
 0x47LlsrCertificateClaimEnumA
 0x48LlsrCertificateClaimEnumW
 0x49LlsrCertificateClaimAddCheckA
 0x4aLlsrCertificateClaimAddCheckW
 0x4bLlsrCertificateClaimAddA
 0x4cLlsrCertificateClaimAddW
 0x4dLlsrReplicationCertDbAddW
 0x4eLlsrReplicationProductSecurityAddW
 0x4fLlsrReplicationUserAddExW
 0x50LlsrCapabilityGet
 0x51LlsrLocalServiceEnumW
 0x52LlsrLocalServiceEnumA
 0x53LlsrLocalServiceAddA
 0x54LlsrLocalServiceAddW
 0x55LlsrLocalServiceInfoSetW
 0x56LlsrLocalServiceInfoSetA
 0x57LlsrLocalServiceInfoGetW
 0x58LlsrLocalServiceInfoGetA
 0x59LlsrCloseEx

A vulnerability in one of the llsrpc interface operations was discovered by Kostya Kortchinsky and fixed by the MS05-010 security bulletin [46] in February 2005.

This vulnerability can be exploited anonymously in Windows NT 4.0 and Windows 2000 SP3 because it is possible to connect anonymously to the llsrpc named pipe on these systems.