4.6.1. Named pipes

In Windows systems, named pipes are one of the available IPC (Inter-Process Communication) mechanisms. They can be used either locally or remotely.

Accesses to remote named pipes, which are contained in the IPC$ share, are carried over the SMB protocol.

Named pipes are implemented by a file system driver, npfs.sys. The PipeList [38] tool can be used to enumerate the npfs namespace, to show which named pipes are opened on a local system. The FileMon tool [39] is also able to monitor the named pipe filesystem activity, by selecting Named Pipes in the Drives menu.

Some named pipes are implemented as aliases [40], i.e., they don't really exist in the npfs namespace. Alias names are stored in the registry:

Key: HKLM\SYSTEM\CurrentControlSet\Services\Npfs\Aliases\
Values: lsass, ntsvcs
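
An added example (not from the original document or from the tools it cites) that reads the alias names from the registry key above and checks them against the live npfs listing. The function names are hypothetical, and it assumes each value (lsass, ntsvcs) holds a REG_MULTI_SZ list of alias names that resolve to the pipe named by the value.

```powershell
# Added example: cross-reference npfs aliases from the registry with the live pipe namespace.
# Assumption: each value under the Aliases key is a REG_MULTI_SZ list of alias names,
# and the value name (lsass, ntsvcs) is the real pipe those aliases resolve to.
$aliasKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Npfs\Aliases'

function Get-NpfsAlias {
    param([string]$Path = $aliasKey)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }   # key absent on this system
    $key = Get-Item -LiteralPath $Path
    foreach ($target in $key.GetValueNames()) {
        # @() copes with a value that holds a single string instead of a list.
        foreach ($alias in @($key.GetValue($target))) {
            if ($alias) {
                # Tolerate a leading backslash in the stored name.
                [pscustomobject]@{ Alias = $alias.TrimStart('\'); Target = $target }
            }
        }
    }
}

function Get-LocalPipeName {
    # Lists the root of the npfs namespace, the same view PipeList gives.
    [System.IO.Directory]::GetFiles('\\.\pipe\') |
        ForEach-Object { $_.Substring('\\.\pipe\'.Length) }
}

$live = @(Get-LocalPipeName)
Get-NpfsAlias | ForEach-Object {
    [pscustomobject]@{
        Alias          = $_.Alias
        Target         = $_.Target
        # Expected False: an alias does not really exist in the npfs namespace.
        AliasIsListed  = $live -contains $_.Alias
        # Expected True while the service owning the target pipe is running.
        TargetIsListed = $live -contains $_.Target
    }
} | Format-Table -AutoSize
```

An alias that does show up in the live listing, or a value name other than the two given above, is worth a closer look during a host review.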

Named pipes are protected by security descriptors, just like any other Windows NT object. The pipeacl tool ([42],[43]) can be used to examine the content of the security descriptors protecting named pipes.