Services and RPC/TCP
Starting with Windows Vista, the service control manager (SCM) supports remote procedure calls over both Transmission Control Protocol (RPC/TCP) and named pipes (RPC/NP). Client-side SCM functions use RPC/TCP by default.
RPC/TCP is appropriate for most applications that use SCM functions remotely, such as remote administration or monitoring tools. However, for compatibility and performance, some applications might need to disable RPC/TCP by setting the registry values described in this topic.
When a service calls a remote SCM function, the client-side SCM first attempts to use RPC/TCP to communicate with the server-side SCM. If the server is running a version of Windows that supports RPC/TCP and allows RPC/TCP traffic, the RPC/TCPP connection will succeed. If the server is running a version of Windows that does not support RPC/TCP, or supports RPC/TCP but is operating behind a firewall which allows only named pipe traffic, the RPC/TCP connection times out and the SCM retries the connection with RPC/NP. This will succeed eventually but can take some time (typically more than 20 seconds), causing the OpenSCManager function to appear blocked.
TCP does not carry user credentials specified with a net use command. Therefore, if RPC/TCP is enabled and sc.exe or an OpenSCManager function call is used to attempt to access the specified service, the command could fail with access denied. Disabling RPC/TCP on the client side causes the sc.exe command or OpenSCManager function to use a named pipe that does carry user credentials, so the command will succeed. For information about sc.exe, see Controlling a Service Using SC.
Note A service should not provide explicit credentials to a net use command, because those credentials might be inadvertently shared outside of the service boundaries. Instead, the service should use client impersonation to impersonate the user.
RPC/TCP is controlled by the SCMApiConnectionParam, DisableRPCOverTCP, and DisableRemoteScmEndpoints registry values, which are all under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control key. All of these values have a REG_DWORD data type. The following procedures show how to use these registry values to control RPC/TCP.
The following procedure describes how to disable RPC/TCP on the client side.
To disable RPC/TCP on the client side
- Combine the SCMApiConnectionParam registry value with the mask value 0x80000000.
- Restart the application that calls the OpenSCManager function.
The following procedure describes how to disable TCP on the server side.
To disable TCP on the server side
- Set the DisableRPCOverTCP registry value to 1.
- Restart the server.
The following procedure describes how to disable both RPC/TCP and RPC/NP on the server (for example, to reduce the attack surface).
To disable both RPC/TCP and RPC/NP on the server
- Set the DisableRemoteScmEndpoints registry value to 1.
- Restart the server.
The SCMApiConnectionParam registry value can also be used to specify the RPC/TCP time-out interval, in milliseconds. For example, a value of 30,000 specifies a time-out interval of 30 seconds. The default is 21,000 (21 seconds).
Build date: 10/26/2012