4.13.2. Example of multiple RPC services in one process

Running ifids against the eventlog named pipe endpoint, which is opened by the Eventlog service running in the services.exe process, returns the following list of interface identifiers:

C:\WINNT>ifids -p ncacn_np -e \pipe\eventlog \\. 
Interfaces: 13
  367abb81-9844-35f1-ad32-98f038001003 v2.0
  93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
  82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
  65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
  8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
  8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
  c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
  0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
  4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
  6bffd098-a112-3610-9833-46c3f87e345a v1.0
  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

Querying another endpoint, for example the dynamic UDP port opened by the Messenger service (also running in the services.exe process), gives an identical result:

C:\WINNT>ifids -p ncadg_ip_udp -e 1026 127.0.0.1 
Interfaces: 13
  367abb81-9844-35f1-ad32-98f038001003 v2.0
  93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0
  82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
  65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0
  8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0
  8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0
  c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0
  0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0
  4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
  6bffd098-a112-3610-9833-46c3f87e345a v1.0
  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0
  8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1

These results show that all RPC services in the services.exe process can be reached through any endpoint the process has opened, on any transport.

Using our knowledge of RPC interface identifiers, we can identify some of the Win32 services currently running in the services.exe process:

C:\WINNT>ifids -p ncadg_ip_udp -e 1026 127.0.0.1 
Interfaces: 13
  367abb81-9844-35f1-ad32-98f038001003 v2.0  Services Control Manager (SCM) 
  93149ca2-973b-11d1-8c39-00c04fb984f9 v0.0  Security Configuration Editor (SCE) 
  82273fdc-e32a-18c3-3f78-827929dc23ea v0.0  Eventlog service 
  65a93890-fab9-43a3-b2a5-1e330ac28f11 v2.0  DNS Client service (Windows 2000)
  8d9f4e40-a03d-11ce-8f69-08003e30051b v1.0  Plug and Play service 
  8d0ffe72-d252-11d0-bf8f-00c04fd9126b v1.0  | 
  c9378ff1-16f7-11d0-a0b2-00aa0061426a v1.0  |__ Protected Storage service 
  0d72a7d4-6148-11d1-b4aa-00c04fb66ea0 v1.0  | 
  4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0  Server service  
  6bffd098-a112-3610-9833-46c3f87e345a v1.0  Workstation service 
  17fdd703-1827-4e34-79d4-24a55c53bb37 v1.0  |__ Messenger service 
  5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc v1.0  |
  8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1  Windows Time service 

Thus, the following Win32 services are running:

Actually, the complete list of Win32 services running inside the services.exe process is:

C:\WINNT>tlist /s

[...]

 256 SERVICES.EXE    Svcs:  Alerter,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,W32Time

[...]
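
The comparison done by hand above can be automated when auditing which services a process exposes. The following Python script is an added example, not part of the original document or of the ifids tool: it parses saved ifids output from several endpoints, reports the interfaces reachable through every endpoint, and names the services using a subset of the UUID mapping from the annotated listing. The function names, endpoint labels and shortened sample output are constructed for illustration.

```python
import re

# Subset of the UUID-to-service mapping given in the annotated listing above.
KNOWN = {
    "367abb81-9844-35f1-ad32-98f038001003": "Services Control Manager (SCM)",
    "82273fdc-e32a-18c3-3f78-827929dc23ea": "Eventlog service",
    "4b324fc8-1670-01d3-1278-5a47bf6ee188": "Server service",
    "8fb6d884-2388-11d0-8c35-00c04fda2795": "Windows Time service",
}
IFID = re.compile(r"^\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s+v(\d+\.\d+)", re.I)

def parse_ifids(text):
    """Return {(uuid, version)} from one ifids run, checked against its header."""
    found = {(m.group(1).lower(), m.group(2))
             for m in map(IFID.match, text.splitlines()) if m}
    header = re.search(r"^Interfaces:\s*(\d+)", text, re.M)
    if header and int(header.group(1)) != len(found):
        raise ValueError("parsed %d interfaces, header says %s" % (len(found), header.group(1)))
    return found

def compare_endpoints(runs):
    """runs maps an endpoint label to ifids output.
    Returns (interfaces common to every endpoint, {label: interfaces only some expose})."""
    parsed = {label: parse_ifids(text) for label, text in runs.items()}
    shared = set.intersection(*parsed.values())
    return shared, {l: s - shared for l, s in parsed.items() if s - shared}

def name_services(interfaces):
    """Map interfaces to service names; unknown UUIDs are kept visible for follow-up."""
    return sorted(KNOWN.get(u, "unidentified " + u) for u, _ in interfaces)

# Constructed sample: two runs shortened to four of the interfaces listed above.
SAMPLE = """Interfaces: 4
  367abb81-9844-35f1-ad32-98f038001003 v2.0
  82273fdc-e32a-18c3-3f78-827929dc23ea v0.0
  4b324fc8-1670-01d3-1278-5a47bf6ee188 v3.0
  8fb6d884-2388-11d0-8c35-00c04fda2795 v4.1
"""
RUNS = {r"ncacn_np:\pipe\eventlog": SAMPLE, "ncadg_ip_udp:1026": SAMPLE}

if __name__ == "__main__":
    shared, extras = compare_endpoints(RUNS)
    print("reachable through every endpoint:", name_services(shared))
    print("endpoint-specific interfaces:", extras or "none")
```

An empty second return value means every endpoint exposes the same interface set, which is the situation this section describes for services.exe.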