4.8.1. Portmapper RPC service

TCP/IP RPC services listen on dynamic TCP or UDP ports. Thus, to reach a given RPC service, identified by its interface identifier (UUID), a port mapping service is necessary.

The portmapper service is an RPC service listening on different endpoints:

Typically, to discover the port on which a given RPC service can be reached, a client will establish a TCP connection to port 135, asking for the port allocated to a given RPC service. Then, the client closes the connection to port 135 and opens a new connection to the port returned by the portmapper service.

To register itself in the endpoint database maintained by the portmapper service, a service calls the RpcEpRegister() function.

By default, TCP/IP ports for RPC services are allocated in the range of dynamic ports, which starts at 1025. This explains why, on most Windows systems, the ports immediately above 1024 are used by RPC services. It is possible to configure a specific port range for RPC services using the rpccfg tool, as described in another document [68].

To query the portmapper service, it is possible to use a tool typically named rpcdump. The Microsoft Resource Kit contains a Windows version of rpcdump. There is also a Windows version in Todd Sabin's RPC Tools [37], whereas Dave Aitel's SPIKE toolkit contains dcedump [69], a version running on Unix.

Running ifids against one of the portmapper RPC service endpoints shows that several RPC interfaces are supported on a Windows 2000 machine:

C:\> ifids -p ncacn_np -e \pipe\epmapper \\.
Interfaces: 11
  e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
  0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
  975201b0-59ca-11d0-a8d5-00a0c90d8051 v1.0
  e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
  99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
  b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
  412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
  00000136-0000-0000-c000-000000000046 v0.0
  c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
  4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
  000001a0-0000-0000-c000-000000000046 v0.0

On a Windows XP or Windows Server 2003 system, the result is:

C:\WINDOWS> ifids -p ncacn_ip_tcp -e 135 127.0.0.1
Interfaces: 11
  e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
  0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
  1d55b526-c137-46c5-ab79-638f2a68e869 v1.0
  e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
  99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
  b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
  412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
  00000136-0000-0000-c000-000000000046 v0.0
  c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
  4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
  000001a0-0000-0000-c000-000000000046 v0.0

On a Windows Vista system, there are 12 interfaces:

C:\WINDOWS> ifids -p ncacn_np -e epmapper \\.
Interfaces: 12
  e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
  0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
  1d55b526-c137-46c5-ab79-638f2a68e869 v1.0
  e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
  99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
  b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
  412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
  00000136-0000-0000-c000-000000000046 v0.0
  c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
  4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
  000001a0-0000-0000-c000-000000000046 v0.0
  64fe0b7f-9ef5-4553-a7db-9a1975777554 v1.0

As explained later, some of these interfaces are supposed to be used only locally, whereas others are designed to be used remotely. However, because all these RPC services run in the same process, they all appear when querying an endpoint of the rpcss service, such as TCP port 135 or the epmapper named pipe.

These RPC interface identifiers are classified and explained in the next sections.
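
As an added example (not part of the original document or of the ifids tool), the following Python script parses ifids output and diffs two listings. This is a simple way to baseline the interfaces reachable through the portmapper endpoints and to spot changes between systems. The sample text is copied from the Windows 2000 and Windows Vista listings above; the names parse_ifids and diff_ifids are illustrative.

```python
import re

# Sample text copied from the listings above; helper names are illustrative.
WIN2000 = r"""C:\> ifids -p ncacn_np -e \pipe\epmapper \\.
Interfaces: 11
  e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
  0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
  975201b0-59ca-11d0-a8d5-00a0c90d8051 v1.0
  e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
  99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
  b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
  412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
  00000136-0000-0000-c000-000000000046 v0.0
  c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
  4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
  000001a0-0000-0000-c000-000000000046 v0.0
"""
VISTA = r"""C:\WINDOWS> ifids -p ncacn_np -e epmapper \\.
Interfaces: 12
  e1af8308-5d1f-11c9-91a4-08002b14a0fa v3.0
  0b0a6584-9e0f-11cf-a3cf-00805f68cb1b v1.1
  1d55b526-c137-46c5-ab79-638f2a68e869 v1.0
  e60c73e6-88f9-11cf-9af1-0020af6e72f4 v2.0
  99fcfec4-5260-101b-bbcb-00aa0021347a v0.0
  b9e79e60-3d52-11ce-aaa1-00006901293f v0.2
  412f241e-c12a-11ce-abff-0020af6e7a17 v0.2
  00000136-0000-0000-c000-000000000046 v0.0
  c6f3ee72-ce7e-11d1-b71e-00c04fc3111a v1.0
  4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 v0.0
  000001a0-0000-0000-c000-000000000046 v0.0
  64fe0b7f-9ef5-4553-a7db-9a1975777554 v1.0
"""
# One interface line: leading spaces, UUID, then "vMAJOR.MINOR".
IFID = re.compile(r"^[ \t]*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})[ \t]+v(\d+\.\d+)[ \t]*$", re.I | re.M)

def parse_ifids(text):
    """Return {(uuid, version)}; raise if the 'Interfaces: N' count disagrees."""
    found = {(uuid.lower(), ver) for uuid, ver in IFID.findall(text)}
    declared = re.search(r"^Interfaces:\s*(\d+)", text, re.M)
    if declared is None or int(declared.group(1)) != len(found):
        raise ValueError("interface count missing or inconsistent (truncated output?)")
    return found

def diff_ifids(baseline, observed):
    """Return (added, removed) interfaces relative to the baseline set."""
    return observed - baseline, baseline - observed

if __name__ == "__main__":
    added, removed = diff_ifids(parse_ifids(WIN2000), parse_ifids(VISTA))
    print("added:", sorted(added), "removed:", sorted(removed))
```

Because the comparison key includes the version, an interface whose UUID is unchanged but whose version differs is reported as both removed and added.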