
Windows Server® 2008 R2 SP1 Attack Surface Reference

Security Compliance Manager

Version 2.0
Published: September 2011

Solution Accelerators — Act faster. Go further.

For the latest information, please see microsoft.com/securitycompliance

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web s
of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intend
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy
You may modify this document for your internal, reference purposes.
The Microsoft Security Compliance Manager is intended to help organizations simplify and automate IT compliance and risk m
Manager is designed to facilitate compliance activities conducted by your organization’s IT experts, auditors, accountants, atto
replace those professionals. The Microsoft Security Compliance Manager includes some control objectives and authority docu
and associated product value settings. These objectives, citations, controls and settings do not verify or guarantee fulfillment o
responsibility of your organization to choose the objectives, citations, controls and settings to use, modify, add or remove base
professionals. Reports and any other information provided by or generated from the Tool do not constitute auditing, accountin
compliance professionals to confirm compliance with specific governance, risk and compliance authority documents.
© 2011 Microsoft.
Distributed under Creative Commons Attribution-Noncommercial 3.0 License http://creativecommons.org/licenses/by-nc/3.0
you would like to make of any of our Creative Commons-licensed content, please Contact us. We try hard to accommodate va
Microsoft and the Microsoft product names listed in this data file are trademarks of the Microsoft group of companies; the list
http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx. All other trademarks are property of their respective
AD DS Role
Service

Services
Display name
Active Directory Domain Services
Active Directory Web Services
DFS Namespace
DFS Replication
DNS Server
File Replication
Intersite Messaging
Kerberos Key Distribution Center
Net.Tcp Port Sharing Service
Windows CardSpace
Windows Presentation Foundation Font Cache 3.0.0.0

Running Processes
Image Name (PID)
dfsrs.exe (1336)

dfssvc.exe (1584)

dns.exe (2836)

Microsoft.ActiveDirectory.WebServices.exe (1288)

Registered COM Controls


CLSID
{E9F570A3-EA8F-4CE9-9D59-C6AC35B9F403}
{59B8AFA0-229E-46d9-B980-DDA2C817EC7E}

Ports
Port Name
53/UDP -- Unknown Protocol
53/UDP -- Unknown Protocol
Various high UDP ports -- Unknown Protocol
53/TCP -- DNS
53/TCP -- DNS
49206/TCP -- Dynamic RPC Port
88/UDP -- Unknown Protocol
389/UDP -- Unknown Protocol
464/UDP -- Unknown Protocol
389/TCP -- Kerberos
636/TCP -- Secure LDAP
3268/TCP -- LDAP Global Catalog
3269/TCP -- Secure LDAP Global Catalog
49156/TCP -- Unknown Protocol
49158/TCP -- Unknown Protocol
88/TCP -- KDC
464/TCP -- KDC PCR
1288/TCP -- AD WebServices

Named Pipes
Pipe Name
netdfs
RpcProxy\49158
RpcProxy\593
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-2dc-0
Winsock2\CatalogChangeListener-32c-0
Winsock2\CatalogChangeListener-358-0
Winsock2\CatalogChangeListener-3ac-0
Winsock2\CatalogChangeListener-538-0
Winsock2\CatalogChangeListener-558-0

RPC Endpoints
Interface UUID
{12345678-1234-abcd-ef00-01234567cffb}
{12345778-1234-abcd-ef00-0123456789ab}
{e3514235-4b06-11d1-ab04-00c04fc2dcd2}
{12345678-1234-abcd-ef00-01234567cffb}
{12345778-1234-abcd-ef00-0123456789ab}
{e3514235-4b06-11d1-ab04-00c04fc2dcd2}
{12345678-1234-abcd-ef00-01234567cffb}
{12345778-1234-abcd-ef00-0123456789ab}
{e3514235-4b06-11d1-ab04-00c04fc2dcd2}
{50abc2a4-574d-40b3-9d66-ee4fd5fba076}
{897e2e5f-93f3-4376-9c9c-fd2277495c27}

Firewall Rules
Name
Active Directory Domain Controller - LDAP (TCP-In)

Active Directory Domain Controller - LDAP (UDP-In)


Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)
Active Directory Domain Controller - NetBIOS name resolution (UDP-In)
Active Directory Domain Controller - SAM/LSA (NP-TCP-In)
Active Directory Domain Controller - SAM/LSA (NP-UDP-In)
Active Directory Domain Controller - Secure LDAP (TCP-In)
Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)
Active Directory Domain Controller - W32Time (NTP-UDP-In)
Active Directory Domain Controller (RPC)
Active Directory Domain Controller (RPC-EPMAP)
Active Directory Domain Controller - Echo Request (ICMPv4-In)
Active Directory Domain Controller - Echo Request (ICMPv6-In)
Active Directory Web Services (TCP-In)
DFS Replication (RPC-EPMAP)
DFS Replication (RPC-In)
File Replication (RPC)
File Replication (RPC-EPMAP)
Kerberos Key Distribution Center - PCR (TCP-In)
Kerberos Key Distribution Center - PCR (UDP-In)
Kerberos Key Distribution Center (TCP-In)
Kerberos Key Distribution Center (UDP-In)
RPC (TCP, Incoming)
RPC Endpoint Mapper (TCP, Incoming)
Active Directory Domain Controller (TCP-Out)
Active Directory Domain Controller (UDP-Out)
Active Directory Domain Controller - Echo Request (ICMPv4-Out)
Active Directory Domain Controller - Echo Request (ICMPv6-Out)
Active Directory Web Services (TCP-Out)
All Outgoing (TCP)
All Outgoing (UDP)

Network Shares
Name
NETLOGON
SYSVOL

Groups
Account Name
Account Operators
Administrators
Allowed RODC Password Replication Group
Backup Operators
Cert Publishers
Certificate Service DCOM Access
Cryptographic Operators
Denied RODC Password Replication Group
Distributed COM Users
DnsAdmins
DnsUpdateProxy
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Enterprise Read-only Domain Controllers
Event Log Readers
Group Policy Creator Owners
Guests
IIS_IUSRS
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Pre-Windows 2000 Compatible Access
Print Operators
RAS and IAS Servers
Read-only Domain Controllers
Remote Desktop Users
Replicator
Schema Admins
Server Operators
Terminal Server License Servers
Users
Windows Authorization Access Group

Role Dependency
Dependency
None

Identity Management for UNIX Role
Service

Server for Network Information Services


Administrative Tools
Password Synchronization
Account Startup Mode
NT AUTHORITY\SYSTEM Automatic
NT AUTHORITY\SYSTEM Automatic
NT AUTHORITY\SYSTEM Automatic
NT AUTHORITY\SYSTEM Automatic
NT AUTHORITY\SYSTEM Automatic
NT AUTHORITY\SYSTEM Disabled
NT AUTHORITY\SYSTEM Automatic
NT AUTHORITY\SYSTEM Automatic
NT AUTHORITY\SYSTEM Disabled
NT AUTHORITY\SYSTEM Manual
NT AUTHORITY\SYSTEM Manual

Command Line Account


C:\Windows\system32\DFSRs.exe

C:\Windows\system32\dfssvc.exe

C:\Windows\system32\dns.exe

C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe

Friendly Name Binary Path


browser C:\Windows\System32\gpprefbr.dll
propshts C:\Windows\System32\propshts.dll

State Process
Unknown dns.exe (PID 2836)
Unknown dns.exe (PID 2836)
Unknown dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Unknown lsass.exe (PID 472)
Unknown lsass.exe (PID 472)
Unknown lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen Microsoft.ActiveDirectory.WebServices.exe (1288)

Network Denied Null Sessions Allowed

0 0
0 0
0 0

0 0
0 0
0 0
0 0

Endpoint Binding(s)
ncacn_http:[49158]
ncacn_http:[49158]
ncacn_http:[49158]
ncacn_ip_tcp:[49155]
ncacn_ip_tcp:[49155]
ncacn_ip_tcp:[49155]
ncacn_ip_tcp:[49157]
ncacn_ip_tcp:[49157]
ncacn_ip_tcp:[49157]
ncacn_ip_tcp:[49167]
ncacn_ip_tcp:[5722]

Direction Protocol
In TCP

In UDP
In TCP

In UDP

In TCP

In UDP

In TCP

In TCP

In UDP

In TCP
In TCP
In ICMPv4

In ICMPv6

In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In UDP
In TCP
In UDP
In TCP
In TCP
Out TCP
Out UDP
Out ICMPv4

Out ICMPv6

Out TCP
Out TCP
Out UDP

Path ACL
C:\Windows\SYSVOL\sysvol\%fqdn%\SCRIPTS Everyone AccessAllowed
BUILTIN\Administrators AccessAllowed
C:\Windows\SYSVOL\sysvol\ Everyone AccessAllowed
Authenticated Users AccessAllowed
BUILTIN\Administrators AccessAllowed

SID Privileges
Description

Services
Display name Service name
Server For NIS NisSvc

Drivers
Name Startup Mode
Server for NFS Open RPC (ONCRPC) Portmapper (Portmap) Demand
Server for NFS Open RPC (ONCRPC) (RpcXdr) Demand

Running Processes
Image Name (PID) Command Line
svchost.exe (836) C:\Windows\system32\svchost.exe -k netsvcs

svchost.exe (904) C:\Windows\system32\svchost.exe -k LocalService

svchost.exe (952) C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
Microsoft.ActiveDirectory.WebServices.exe (1220) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe

dllhost.exe (1252) C:\Windows\system32\DllHost.exe /Processid:{7F9BBC82-BA5F-4448-8622-EF76B8D007E6}

svchost.exe (1884) C:\Windows\system32\svchost.exe -k NisSvc

Registered COM Controls


CLSID Friendly Name
{4C796C30-F96B-11D2-AC78-0008C7726CF7} ADsUnixAttributePropertyPage

{9A899A50-F96B-11D2-AC78-0008C7726CF7} ADsUnixAttributePropertyPage

{C7499700-F96B-11D2-AC78-0008C7726CF7}

Ports
Port Name State
111/TCP -- Unknown Protocol Listen
123/UDP -- NTP Unknown
3268/TCP -- Microsoft Global Catalog Established
49154/TCP -- Unknown Protocol Listen
49155/TCP -- Unknown Protocol Listen
49156/TCP -- Unknown Protocol Established
49159/TCP -- Unknown Protocol Established
49160/TCP -- Unknown Protocol Established
49161/TCP -- Unknown Protocol Established

49167/TCP -- Unknown Protocol Established

49169/TCP -- Dynamic RPC Port Listen


49169/TCP -- Dynamic RPC Port Listen
49178/TCP -- Unknown Protocol Established
49180/TCP -- Unknown Protocol Established
49181/TCP -- Unknown Protocol Established
49189/TCP -- Unknown Protocol Established
49204/TCP -- Unknown Protocol Established
49209/TCP -- Unknown Protocol Established
49214/TCP -- Unknown Protocol Established
49215/TCP -- Unknown Protocol Established
49216/TCP -- Unknown Protocol Established
49217/TCP -- Unknown Protocol Established
50662/UDP -- Unknown Protocol Unknown
53977/UDP -- Unknown Protocol Unknown
57792/UDP -- Unknown Protocol Unknown
792/UDP -- Unknown Protocol Unknown
793/UDP -- Unknown Protocol Unknown
794/TCP -- Unknown Protocol Listen
795/UDP -- Unknown Protocol Unknown
798/TCP -- Unknown Protocol Listen
9389/TCP -- Unknown Protocol Listen

9389/TCP -- Unknown Protocol Listen

Named Pipes
Pipe Name Network Denied
protected_storage 0

Winsock2\CatalogChangeListener-2c8-0 1

Winsock2\CatalogChangeListener-318-0 0
Winsock2\CatalogChangeListener-1d8-0 0
Winsock2\CatalogChangeListener-344-0 1

Winsock2\CatalogChangeListener-1d8-1 0
wbhstipmdde0ee1e-298f-4a78-a5e9-4adc66e69a20 0

wbhstipm5e0a98a8-52d8-4d0d-a9d2-628c319f2f8a 0

wbhstipmb9ddca35-b262-45f6-b657-e3b9e13b5c1d 0

wbhstipm567235ec-635b-46e8-9a9e-edf29ebd14a4 0
Winsock2\CatalogChangeListener-540-0 1

5c930e60-99f8-4e0a-90f6-8b1b7e0b22f5 1
a9f69662-2d7b-4b16-9394-f83c53fd6712 1

Winsock2\CatalogChangeListener-50c-0 0
Winsock2\CatalogChangeListener-3b8-0 0

Firewall Rules
Name Direction
Portmap for UNIX-based Software (TCP-In) In
Portmap for UNIX-based Software (UDP-In) In
Server for NIS (Open Portmapper-In) In
Server For NIS (UDP-In) In
Server For NIS (Unix-RPC) In

Path Entries
Binary Path
C:\Windows\idmu\common

Groups
Account Name SID
NT SERVICE\ADWS S-1-5-80-660584071-4121121593-1437107511-3148243646-2105555040
NT SERVICE\NisSvc S-1-5-80-3651366176-1832982195-1003256308-316140560-3486696329

Role Dependency
Dependency Description
Active Directory Domain Services Manages the credentials that are authenticated by the Server for Network Information Services.

Running Processes
Image Name (PID) Command Line
svchost.exe (256) C:\Windows\system32\svchost.exe -k NetworkService

svchost.exe (2792) C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
msdtc.exe (2828) C:\Windows\System32\msdtc.exe

svchost.exe (2972) C:\Windows\system32\svchost.exe -k NisSvc

Ports
Port Name State
111/TCP -- Unknown Protocol Listen
111/TCP -- Unknown Protocol Listen
111/UDP -- Unknown Protocol Unknown
445/TCP -- SMB Established
47001/TCP -- Unknown Protocol Listen
47001/TCP -- Unknown Protocol Listen
49169/TCP -- Dynamic RPC Port Listen
49169/TCP -- Dynamic RPC Port Listen
49178/TCP -- Unknown Protocol Established
49185/TCP -- Unknown Protocol Established
49187/TCP -- Unknown Protocol Established
49188/TCP -- Unknown Protocol Established
49240/TCP -- Unknown Protocol Established
49261/TCP -- Unknown Protocol Established
5355/UDP -- Unknown Protocol Unknown
56196/UDP -- Unknown Protocol Unknown

611/UDP -- Unknown Protocol Unknown


612/UDP -- Unknown Protocol Unknown
613/TCP -- Unknown Protocol Listen
614/UDP -- Unknown Protocol Unknown
617/TCP -- Unknown Protocol Listen

Named Pipes
Pipe Name Network Denied
protected_storage 0

Winsock2\CatalogChangeListener-2d0-0 1
Winsock2\CatalogChangeListener-320-0 1

Winsock2\CatalogChangeListener-1d8-0 0
Winsock2\CatalogChangeListener-34c-0 1

Winsock2\CatalogChangeListener-1d8-1 0
wbhstipm2d2b8f22-b055-45c3-a412-db02e05be2e2 0

wbhstipmd1d3beb2-a839-4ce2-a191-db96ac61946e 0

wbhstipmbf954b8c-9140-4e94-b3d4-ca12fa39ed89 0

wbhstipmfcff5c4f-e690-446f-8ab2-0360d347dc64 0
27799880-dc05-4b68-91e1-acf0af566cbf 1

1553209f-8ac0-4aec-b57e-9b9ef2dcac0f 1

Winsock2\CatalogChangeListener-3ec-0 0

System Services
Account Name SID
NT SERVICE\NisSvc S-1-5-80-3651366176-1832982195-1003256308-316140560-3486696329

Role Dependency
Dependency Description
Active Directory Domain Services Manages the credentials that are authenticated by the Server for Network Information Services.

Running Processes
Image Name (PID) Command Line
svchost.exe (840) C:\Windows\system32\svchost.exe -k netsvcs

svchost.exe (1012) C:\Windows\system32\svchost.exe -k NetworkService

svchost.exe (2824) C:\Windows\System32\svchost.exe -k WerSvcGroup

Ports
Port Name State
49155/TCP -- Unknown Protocol Listen
49155/TCP -- Unknown Protocol Listen
49166/TCP -- Unknown Protocol Established

49168/TCP -- Unknown Protocol Established

49170/TCP -- Dynamic RPC Port Listen


49170/TCP -- Dynamic RPC Port Listen
49177/TCP -- Unknown Protocol Established
49179/TCP -- Unknown Protocol Established
49191/TCP -- Unknown Protocol Established
5355/UDP -- Unknown Protocol Unknown
54105/UDP -- Unknown Protocol Unknown
63048/UDP -- Unknown Protocol Unknown
63051/UDP -- Unknown Protocol Unknown

63054/UDP -- Unknown Protocol Unknown


6677/TCP -- Unknown Protocol Listen
6677/TCP -- Unknown Protocol Listen

Named Pipes
Pipe Name Network Denied
protected_storage 0
Winsock2\CatalogChangeListener-2cc-0 1
Winsock2\CatalogChangeListener-324-0 1

Winsock2\CatalogChangeListener-1d8-0 1

Winsock2\CatalogChangeListener-348-0 1

Winsock2\CatalogChangeListener-1d8-1 1

Winsock2\CatalogChangeListener-550-0 1

wbhstipmce88ee40-4535-4c6c-8812-1b6fafa0a6cb 0
wbhstipmf7cd54b7-ee88-4573-90df-8b61eb479a9f 0

wbhstipm7e5ef196-90d3-420e-b8da-db1263a549be 0
wbhstipm9a86b51a-f02b-4ab0-be7a-d2464c2b0eb7 0

d5fdcebc-16bf-419e-994c-30adc6b46906 1

9aeb97da-90ce-4711-8705-fb9fab37a8d6 1

Winsock2\CatalogChangeListener-51c-0 1

Winsock2\CatalogChangeListener-3cc-0 1

Firewall
Name Direction
Password Synchronization (TCP-In) In
Password Synchronization (TCP-In) In
Password Synchronization (TCP-In) In

Groups
Account Name SID
NT SERVICE\WerSvc S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380

Role Dependency
Dependency Description
Active Directory Domain Services Manages the credentials that are authenticated by the Server for Network Information Services.
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 8.0.-1) (ASLR)


(Uses SafeSEH)(Uses /GS)

Account
DACL

Local Endpoint Remote Endpoint Enabled


*:389 *:* Yes

*:389 *:* Yes


*:3268 *:* Yes

*:138 *:* Yes

*:445 *:* Yes

*:445 *:* Yes

*:636 *:* Yes

*:3269 *:* Yes

*:123 *:* Yes

*:RPC *:* Yes


*:RPC-EPMap *:* Yes
*: *:* Yes

*: *:* Yes

*:9389 *:* Yes


*:RPC-EPMap *:* Yes
*:RPC *:* Yes
*:RPC *:* Yes
*:RPC-EPMap *:* Yes
464 *:* Yes
464 *:* Yes
88 *:* Yes
88 *:* Yes
*:RPC *:* Yes
*:RPC-EPMap *:* Yes
*:* *:* Yes
*:* *:* Yes
*: *:* Yes

*: *:* Yes

*:9389 *:* Yes


*:* *:* Yes
*:* *:* Yes
Executable path Type
%systemroot%\system32\svchost.exe -k NisSvc Disabled

Account Process Flags


(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 8.0.-1) (ASLR)


(Uses SafeSEH)(Uses /GS)

SASC\Administrator (Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

Binary Path
C:\Windows\idmu\common\nisprop.dll
C:\Windows\idmu\common\nisprop.dll
Process Account
System (PID 4)
svchost.exe (PID 904)
lsass.exe (PID 472)
lsass.exe (PID 472)
svchost.exe (PID 836)
lsass.exe (PID 472)
ismserv.exe (PID 1380)
ismserv.exe (PID 1380)
Microsoft.ActiveDirectory.WebServices.exe (PID 1220)

Microsoft.ActiveDirectory.WebServices.exe (PID 1220)

services.exe (PID 464)


services.exe (PID 464)
dfsrs.exe (PID 1292)
dfsrs.exe (PID 1292)
dfsrs.exe (PID 1292)
dfssvc.exe (PID 1672)
svchost.exe (PID 1884)
svchost.exe (PID 836)
svchost.exe (PID 836)
svchost.exe (PID 1016)
svchost.exe (PID 1016)
svchost.exe (PID 836)
svchost.exe (PID 1016)
dfsrs.exe (PID 1292)
ismserv.exe (PID 1380)
svchost.exe (PID 1884)
svchost.exe (PID 1884)
svchost.exe (PID 1884)
svchost.exe (PID 1884)
svchost.exe (PID 1884)
Microsoft.ActiveDirectory.WebServices.exe (PID 1220)

Microsoft.ActiveDirectory.WebServices.exe (PID 1220)

Null Sessions Allowed DACL


0 \Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Administrators AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0
0
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0
0

0
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

0
0

Protocol Local Endpoint Remote Endpoint


TCP *:111 *:*
UDP *:111 *:*
TCP *:111 *:*
UDP *:* *:*
TCP *:RPC *:*

Privileges

Account Process Flags


(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

Process
System (PID 4)
System (PID 4)
System (PID 4)
System (PID 4)
System (PID 4)
System (PID 4)
services.exe (PID 464)
services.exe (PID 464)
dfssvc.exe (PID 1684)
dfsrs.exe (PID 1308)
dfsrs.exe (PID 1308)
dfsrs.exe (PID 1308)
lsass.exe (PID 472)
System (PID 4)
svchost.exe (PID 256)
Microsoft.ActiveDirectory.WebServices.exe (PID 1240)

svchost.exe (PID 2972)


svchost.exe (PID 2972)
svchost.exe (PID 2972)
svchost.exe (PID 2972)
svchost.exe (PID 2972)

Null Sessions Allowed DACL


0 Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Administrators AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0
0

0
0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

Privileges
Account Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

Process Account
svchost.exe (PID 840)
svchost.exe (PID 840)
Microsoft.ActiveDirectory.WebServices.exe (PID 1240)

Microsoft.ActiveDirectory.WebServices.exe (PID 1240)

services.exe (PID 464)


services.exe (PID 464)
dfsrs.exe (PID 1308)
dfsrs.exe (PID 1308)
lsass.exe (PID 472)
svchost.exe (PID 1012)
svchost.exe (PID 840)
ismserv.exe (PID 1412)
Microsoft.ActiveDirectory.WebServices.exe (PID 1240)

dfsrs.exe (PID 1308)


lsass.exe (PID 472)
lsass.exe (PID 472)

Null Sessions Allowed DACL


0
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0
0

0
0

0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

Protocol Local Endpoint Remote Endpoint


TCP *:6677 *:*
TCP *:6677 *:*
TCP *:6677 *:*

Privileges
Enabled
1
1
1
1
1
Enabled
1
1
1
DHCP
Services
Name
DHCP Server (DHCPServer)

Running Processes
Image Name (PID)
svchost.exe (2112)
svchost.exe (3000)

Registered COM Controls


CLSID
{1CE57F61-A88A-11D0-AB86-00C04FC3357A}
{524CCE97-A886-11D0-AB86-00C04FC3357A}
{90901AF6-7A31-11D0-97E0-00C04FC3357A}
{F5E8DE96-7F4D-4A29-BE28-3943538D0340}

Ports
Port Name
67/UDP -- Unknown Protocol
68/UDP -- Unknown Protocol
2535/UDP -- Unknown Protocol
52464/UDP -- Unknown Protocol
49208/TCP -- Unknown Protocol
49208/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-300-0

wbhstipm960eee7a-4c95-4d9b-a999-231c4b9e1091

wbhstipm927e89ca-69c4-4760-8658-9c22f815e502
wbhstipma58478d8-c9f2-478a-846f-0f26ac2fa067
wbhstipmc05afb30-36be-459e-b146-4d7340f260e2
fd1a4754-6978-4e22-aabe-899fc12bfb79

37a722f7-3ba9-417b-8aeb-67e324dbb54e

Winsock2\CatalogChangeListener-840-0

RPC Endpoints
Interface UUID
{6bffd098-a112-3610-9833-46c3f874532d}
{5b821720-f63b-11d0-aad2-00c04fc324db}
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}

Firewall Service Restriction Rules


Service Name
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer
DHCPServer

Firewall Rules
Name
DHCP Server - Remote Service Management using SCM (RPC-in)
DHCP Server (RPCSS-In)
DHCP Server (RPC-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server - Remote Service Management using SCM (RPC-in)
DHCP Server (RPCSS-In)
DHCP Server (RPC-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server - Remote Service Management using SCM (RPC-in)
DHCP Server (RPCSS-In)
DHCP Server (RPC-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)

Groups
Account Name
DHCP Users

DHCP Administrators

NT SERVICE\swprv

NT SERVICE\VSS
NT SERVICE\DHCPServer

Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\NETWORK SERVICE Auto

Command Line Account


C:\Windows\system32\svchost.exe -k DHCPServer
C:\Windows\System32\svchost.exe -k swprv

Friendly Name Binary Path


DHCP C:\Windows\system32\dhcpsnap.dll
DHCP C:\Windows\system32\dhcpsnap.dll
DHCP C:\Windows\system32\dhcpsnap.dll
CMigrationPlugin Object C:\Windows\System32\DhcpSrvMigPlugin.dll

State Process
Unknown svchost.exe (PID 2112)
Unknown svchost.exe (PID 2112)
Unknown svchost.exe (PID 2112)
Unknown svchost.exe (PID 2112)
Listen svchost.exe (PID 2112)
Established svchost.exe (PID 2112)

Network Denied Null Sessions Allowed


1 0

0 0

0 0
0 0
0 0
1 0

1 0

1 0

Endpoint Binding(s)
ncalrpc:[OLEDECF07835F9E49B68504068D156D]
ncalrpc:[OLEDECF07835F9E49B68504068D156D]
ncalrpc:[WMsgKRpc08A761]
ncalrpc:[WMsgKRpc08A761]

Direction Protocol
In NET_FW_IP_PROTOCOL_ANY
In TCP
In UDP
In UDP
Out UDP
Out UDP
Out TCP
Out TCP
In UDP
In UDP
In TCP
In UDP
In TCP
In TCP
In UDP
In UDP
Out UDP
Out UDP
Out TCP
Out UDP
Out UDP
Out UDP
In TCP
Out NET_FW_IP_PROTOCOL_ANY
In UDP
Out UDP

Direction Protocol
In TCP

In TCP
In TCP
In UDP
In UDP
In UDP
In UDP
In TCP

In TCP
In TCP
In UDP
In UDP
In UDP
In UDP
In TCP

In TCP
In TCP
In UDP
In UDP
In UDP
In UDP

SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1000

S-1-5-21-3754447434-2954449996-2587011620-1001

S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091
S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191

Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)

Account

DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

Local Endpoint Remote Endpoint Enabled


*: *: 1
*:* *:636 1
*:547 *:* 1
*:67 *:* 1
*:* *:547 1
*:* *:67 1
*:* *:53 1
*:* *:636 1
*:547 *:546 1
*:67 *:68 1
*:* *:53 1
*:2535 *:* 1
*:RPC *:* 1
*:* *:389 1
*:546 *:547 1
*:68 *:67 1
*:* *:546 1
*:* *:68 1
*:* *:389 1
*:547 *:547 1
*:67 *:67 1
*:* *:53 1
*:RPC-EPMap *:* 1
*: *: 1
*:* *:53 1
*:2535 *:* 1

Local Endpoint Remote Endpoint Enabled


*:RPC *:* 1

*:RPC-EPMap *:* 1
*:RPC *:* 1
*:546 *:* 1
*:68 *:* 1
*:547 *:* 1
*:67 *:* 1
*:RPC *:* 1

*:RPC-EPMap *:* 1
*:RPC *:* 1
*:546 *:* 1
*:68 *:* 1
*:547 *:* 1
*:67 *:* 1
*:RPC *:* 1

*:RPC-EPMap *:* 1
*:RPC *:* 1
*:546 *:* 1
*:68 *:* 1
*:547 *:* 1
*:67 *:* 1
DNS
Services
Name
DNS Server (DNS)

Running Processes
Image Name (PID)
svchost.exe (1716)

dns.exe (2836)

Registered COM Controls


CLSID
{2FAEBFA2-3F1A-11D0-8C65-00C04FD8FECB}
{62269FEC-7B32-11D2-9AB7-0000F875C5D4}
{6C1303DC-BA00-11D1-B949-00A0C9A06D2D}
{6C1303DD-BA00-11D1-B949-00A0C9A06D2D}
{80105023-50B1-11D1-B930-00A0C9A06D2D}

Ports
Port Name
53/UDP -- Unknown Protocol
53/UDP -- Unknown Protocol
Various high UDP ports -- Unknown Protocol
53/TCP -- DNS
53/TCP -- DNS
49206/TCP -- Dynamic RPC Port

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-300-0

wbhstipm960eee7a-4c95-4d9b-a999-231c4b9e1091

wbhstipm927e89ca-69c4-4760-8658-9c22f815e502
wbhstipma58478d8-c9f2-478a-846f-0f26ac2fa067
wbhstipmc05afb30-36be-459e-b146-4d7340f260e2
fd1a4754-6978-4e22-aabe-899fc12bfb79

37a722f7-3ba9-417b-8aeb-67e324dbb54e

Winsock2\CatalogChangeListener-b14-0

RPC Endpoints
Interface UUID
{50abc2a4-574d-40b3-9d66-ee4fd5fba076}
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}

Firewall Rules
All Outgoing (UDP)
All Outgoing (TCP)
RPC (TCP, Incoming)
DNS (UDP, Incoming)
DNS (TCP, Incoming)
RPC Endpoint Mapper (TCP, Incoming)
Windows Management Instrumentation (ASync-In)

Windows Management Instrumentation (WMI-Out)

Windows Management Instrumentation (WMI-In)

Windows Management Instrumentation (DCOM-In)

All Outgoing (UDP)


All Outgoing (TCP)
RPC (TCP, Incoming)
DNS (UDP, Incoming)
DNS (TCP, Incoming)
RPC Endpoint Mapper (TCP, Incoming)
Windows Management Instrumentation (ASync-In)

Windows Management Instrumentation (WMI-Out)


Windows Management Instrumentation (WMI-In)

Windows Management Instrumentation (DCOM-In)

All Outgoing (UDP)


All Outgoing (TCP)
RPC (TCP, Incoming)
DNS (UDP, Incoming)
DNS (TCP, Incoming)
RPC Endpoint Mapper (TCP, Incoming)
Windows Management Instrumentation (ASync-In)

Windows Management Instrumentation (WMI-Out)

Windows Management Instrumentation (WMI-In)

Windows Management Instrumentation (DCOM-In)

Groups
Account Name
NT SERVICE\swprv

NT SERVICE\DNS

Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\SYSTEM Auto

Command Line Account


C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\dns.exe

Friendly Name Binary Path


C:\Windows\system32\dnsmgr.dll
MS_NT_DNS_PROVIDER C:\Windows\system32\wbem\dnsprov.dll
C:\Windows\system32\dnsmgr.dll
C:\Windows\system32\dnsmgr.dll
C:\Windows\system32\dnsmgr.dll

State Process
Unknown dns.exe (PID 2836)
Unknown dns.exe (PID 2836)
Unknown dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Listen dns.exe (PID 2836)

Network Denied Null Sessions Allowed


1 0

0 0

0 0
0 0
0 0
1 0

1 0

1 0

Endpoint Binding(s)
ncacn_ip_tcp:[49206]
ncalrpc:[WMsgKRpc08A761]
ncalrpc:[WMsgKRpc08A761]

Out UDP
Out TCP
In TCP
In UDP
In TCP
In TCP
In TCP

Out TCP

In TCP

In TCP

Out UDP
Out TCP
In TCP
In UDP
In TCP
In TCP
In TCP

Out TCP
In TCP

In TCP

Out UDP
Out TCP
In TCP
In UDP
In TCP
In TCP
In TCP

Out TCP

In TCP

In TCP

SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-3615928406-775414823-3337150244-1678472394-1165027386

Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

Account

DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

*:* *:*2 TRUE


*:* *:* 1
*:RPC *:* 1
*:53 *:* 1
*:53 *:* 1
*:RPC-EPMap *:* 1
*:* *:* 1

*:* *:* 1

*:* *:* 1

*:135 *:* 1

*:* *:* 1
*:* *:* 1
*:RPC *:* 1
*:53 *:* 1
*:53 *:* 1
*:RPC-EPMap *:* 1
*:* *:* 1

*:* *:* 1
*:* *:* 1

*:135 *:* 1

*:* *:* 1
*:* *:* 1
*:RPC *:* 1
*:53 *:* 1
*:53 *:* 1
*:RPC-EPMap *:* 1
*:* *:* 1

*:* *:* 1

*:* *:* 1

*:135 *:* 1
Common HTTP Features

Services
Name
World Wide Web Publishing Service (W3SVC)

Running Processes
Image Name (PID)
svchost.exe (816)
svchost.exe (1316)
mscorsvw.exe (1576)

mscorsvw.exe (2772)

Registered COM Controls


CLSID
{33AE0740-1E97-4BA0-BB54-838AF28C26D1}

{688EEEE5-6A7E-422F-B2E1-6AF00DC944A6}

{8453993C-F937-4B76-B0DA-948081ED5673}

{90873572-3128-48F3-BB1F-72FBADED669E}

Ports
Port Name
80/TCP -- HTTP
80/TCP -- HTTP

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d0-0

Firewall Rules
World Wide Web Services (HTTPS Traffic-In)
World Wide Web Services (HTTP Traffic-In)
World Wide Web Services (HTTPS Traffic-In)

Groups
Account Name
NT SERVICE\swprv

NT SERVICE\VSS

IIS APPPOOL\DefaultAppPool

Role Dependencies
Dependency
Web Server (IIS)

Application Development
Running Processes
Image Name (PID)
svchost.exe (584)

VSSVC.exe (2136)

sppsvc.exe (2708)
Registered COM Controls
CLSID
{0ACE4881-8305-11CF-9427-444553540000}
{71EAF260-0CE0-11D0-A53E-00A0C90C2091}
{B3192190-1176-11D0-8CE8-00AA006C400C}
{D97A6DA0-A85D-11CF-83AE-00A0C90C2BD8}
{D97A6DA0-A85F-11DF-83AE-00A0C90C2BD8}
{D97A6DA0-A861-11CF-93AE-00A0C90C2BD8}
{D97A6DA0-A862-11CF-84AE-00A0C90C2BD8}
{D97A6DA0-A864-11CF-83BE-00A0C90C2BD8}
{D97A6DA0-A865-11CF-83AF-00A0C90C2BD8}
{D97A6DA0-A866-11CF-83AE-10A0C90C2BD8}
{D97A6DA0-A867-11CF-83AE-01A0C90C2BD8}
{D97A6DA0-A868-11CF-83AE-00B0C90C2BD8}

Groups
Account Name
NT SERVICE\swprv

IIS APPPOOL\Classic .NET AppPool

Role Dependencies
Dependency
Web Server (IIS)

Health and Diagnostics
Registered COM Controls
CLSID
{26B9ED02-A3D8-11D1-8B9C-080009DCC2FA}
{FF160657-DE82-11CF-BC0A-00AA006111E0}
{FF16065B-DE82-11CF-BC0A-00AA006111E0}
{FF16065F-DE82-11CF-BC0A-00AA006111E0}
{FF160663-DE82-11CF-BC0A-00AA006111E0}
Role Dependencies
Dependency
Web Server (IIS)

Security
Running Processes
Image Name (PID)
svchost.exe (856)

iexplore.exe (2360)

RPC Endpoints
Interface UUID
{f1ec59ab-4ca9-4c30-b2d0-54ef1db441b7}

Role Dependencies
Dependency
Web Server (IIS)

Performance
Running Processes
Image Name (PID)
svchost.exe (2816)

Groups
Account Name
NT SERVICE\WerSvc

Role Dependencies
Dependency
Web Server (IIS)

Management Tools
Services
Name
IIS Admin Service (IISADMIN)
Web Management Service (WMSvc)

Running Processes
Image Name (PID)
inetinfo.exe (2476)

VSSVC.exe (2712)

svchost.exe (2792)

Registered COM Controls


CLSID
{01A0F881-E44F-4C39-8775-1366848A5915}

{0BE3744F-8EFE-4416-9A2D-273F154BE203}

{250DA2EA-2FF4-465F-B8F2-BA760B050784}

{29822AB7-F302-11D0-9953-00C04FD919C1}
{29822AB8-F302-11D0-9953-00C04FD919C1}
{31DCAB85-BB3E-11D0-9299-00C04FB6678B}
{31DCAB86-BB3E-11D0-9299-00C04FB6678B}
{31DCAB87-BB3E-11D0-9299-00C04FB6678B}
{31DCAB88-BB3E-11D0-9299-00C04FB6678B}
{43892EEE-746C-46FB-95BB-AC7CFCB68C44}

{51395178-DFB0-4AD0-A725-7A30F10E858D}

{5871882F-2A0A-44F2-9420-4C10A31E538E}

{5FCDF49D-AF37-4788-B9E6-31C79E9DA1F4}

{61738644-F196-11D0-9953-00C04FD919C1}
{62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60}
{634561FC-9513-4A1B-988B-2045AF55315B}

{7348E6F0-3ACA-4F34-849A-967958F1D7E8}
{763A6C86-F30F-11D0-9953-00C04FD919C1}
{7CE0D4E3-B022-4838-9584-B49116971CE6}
{84951D16-922E-4692-B4E9-90DD80426ECF}

{899689FA-2D0E-4D4A-AA7D-6FC5071D5445}

{8AD3DCF8-869E-4C0E-89C2-86D7710610AA}
{8C63861C-34A3-4C77-BFAA-686761ED10B4}

{901A70B2-0F7A-44EA-B97B-1E9299DEC8CA}

{9036B028-A780-11D0-9B3D-0080C710EF95}
{90BD4EE3-12CA-4D63-8B17-0A602D6259C7}

{9FF4531B-142E-4352-A385-32CF8039BC30}

{A1F89741-F619-11CF-BC0F-00AA006111E0}
{A841B6C2-7577-11D0-BB1F-00A0C922E79C}

{A841B6D2-7577-11D0-BB1F-00A0C922E79C}

{A8FD7759-B54A-4ED5-B77F-AE0A6723C6EF}

{A9E69610-B80D-11D0-B9B9-00A0C922E750}
{B56D9C1F-1B56-4F64-8213-012E9DA9F689}

{B8FB0B59-B5BF-42A2-8FDD-FB400E5F5883}

{BA4E57F0-FAB6-11CF-9D1A-00AA00A70D51}
{BA634603-B771-11D0-9296-00C04FB6678B}
{BA634604-B771-11D0-9296-00C04FB6678B}
{BA634607-B771-11D0-9296-00C04FB6678B}
{BA634608-B771-11D0-9296-00C04FB6678B}
{BC47120F-1612-4CA5-A89F-FDFF76C28AB6}
{D6BFA35E-89F2-11D0-8527-00C04FD8D503}
{D78F1796-E03B-4A81-AFE0-B3B6B0EEE091}
{D88966DE-89F2-11D0-8527-00C04FD8D503}
{DF0FF250-71E6-42A1-B736-4057545DBA98}

{E1ABF259-0C95-4201-A000-0F66D480D7CB}

{E6EC985C-A541-4DB0-97C7-4687E153943D}

{F3287520-BBA3-11D0-9BDC-00A0C922E703}
{FA27EEBB-8590-42E6-931E-E94D20F11898}

{FCC764A0-2A38-11D1-B9C6-00A0C922E750}
{FD2280A8-51A4-11D2-A601-3078302C2030}
{FFF56E5F-E42A-4082-9EC9-979BD74036E7}

Registered DCOM Servers


CLSID
{61738644-F196-11D0-9953-00C04FD919C1} (IIS WAMREG Admin)
{62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60} (IIS CertObj)
{A9E69610-B80D-11D0-B9B9-00A0C922E750} (IIS Admin Service)

Firewall Rules
Name
Web Management Service (HTTP Traffic-In)
Web Management Service (HTTP Traffic-In)
Web Management Service (HTTP Traffic-In)

Groups
Account Name
NT SERVICE\WMSvc

NT SERVICE\swprv

NT SERVICE\VSS

Role Dependency
Dependency
None

FTP Publishing Service
Services
Name
Microsoft FTP Service (FTPSVC)

Running Processes
Image Name (PID)
svchost.exe (584)

svchost.exe (768)

mscorsvw.exe (1464)
dllhost.exe (2560)

mscorsvw.exe (2640)

mscorsvw.exe (3068)

Registered COM Controls


CLSID
{315FA593-3CF5-4310-887B-3977A578488A}
{75BE3767-9BAD-477C-A125-26379D3EDB4A}
{909C850D-8CA0-4674-96B8-CC2941535725}
{DF1E53EB-AC8D-44F3-8AE5-7CEC00A22A81}
{E18A7EB0-648C-4CBE-8309-9A583D2D4643}
{EE673F07-B5AB-4036-80AE-59C7B5D32D89}

Registered DCOM Servers


CLSID
{315FA593-3CF5-4310-887B-3977A578488A} (IIS FtpHost)
{75BE3767-9BAD-477C-A125-26379D3EDB4A} (IIS Ftp Control)

Ports
Port Name
53245/UDP -- Unknown Protocol
49154/TCP -- Unknown Protocol
49383/TCP -- Unknown Protocol
49384/TCP -- Unknown Protocol
49387/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol

Firewall Rules
Name
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-Out)
FTP Server Secure (FTP SSL Traffic-In)
FTP Server (FTP Traffic-Out)
FTP Server (FTP Traffic-In)
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-Out)
FTP Server Secure (FTP SSL Traffic-In)
FTP Server (FTP Traffic-Out)
FTP Server (FTP Traffic-In)
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-Out)
FTP Server Secure (FTP SSL Traffic-In)
FTP Server (FTP Traffic-Out)
FTP Server (FTP Traffic-In)

Groups
Account Name
NT SERVICE\COMSysApp

Role Dependency
Dependency
None

IIS Hostable Web Core
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-358-0

Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\SYSTEM Auto

Command Line Account


C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -UseCLSID {246987C1-7792-46D1-AD01-20387661874B} -Comment "NGen Worker Process"

Friendly Name Binary Path


Microsoft.AppHostConfigNavigator C:\Windows\system32\inetsrv\AppHostNavigators.dll

Microsoft.AppHostQueryProcessor C:\Windows\system32\inetsrv\AppHostNavigators.dll

Microsoft.AppHostConfigPathNavigator C:\Windows\system32\inetsrv\AppHostNavigators.dll

Microsoft.XPathQueryStringCompiler C:\Windows\system32\inetsrv\XPath.dll

State Process
Listen System (PID 4)
Listen System (PID 4)

Network Denied Null Sessions Allowed


0 0
0 0
0 0
0 0

In TCP
In TCP
In TCP

SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091
S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415

Description

This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Static Content
● Default Document
● Directory Browsing
● HTTP Errors
Health and Diagnostics
● HTTP Logging
● Request Monitor
Security
● Request Filtering
Performance
● Static Content Compression

Command Line Account


C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\vssvc.exe

C:\Windows\system32\sppsvc.exe
Friendly Name Binary Path
MSWC.BrowserType C:\Windows\SysWOW64\inetsrv\browscap.dll
ASP Read Cookie C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Certificate Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP String List Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Request Dictionary C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Request Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Write Cookie C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Response Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Session Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Application Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Server Object C:\Windows\SysWOW64\inetsrv\asp.dll

SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334

Description

This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Default Document
Security
● Request Filtering

Friendly Name Binary Path


MSWC.IISLog C:\Windows\SysWOW64\inetsrv\logscrpt.dll
MSASCIILog Control C:\Windows\SysWOW64\inetsrv\iislog.dll
MSODBCLog Control C:\Windows\SysWOW64\inetsrv\iislog.dll
MSNCSALog Control C:\Windows\SysWOW64\inetsrv\iislog.dll
Description
This role service is a Web service that runs in IIS.

Command Line Account


C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2424 CREDAT:14337 SASC\administrator

Endpoint Binding(s)
ncalrpc:[LRPC-e17bc5c38016521b81], ncalrpc:[OLE9E835DB7D4284A1B9B34DF96C29A]

Description
This role service is a Web service that runs in IIS.

Command Line Account


C:\Windows\System32\svchost.exe -k WerSvcGroup

SID Privileges
S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380

Description
This role service is a Web service that runs in IIS.
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\LOCAL SERVICE Demand

Command Line Account


C:\Windows\system32\inetsrv\inetinfo.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\svchost.exe -k swprv

Friendly Name Binary Path


AppDomainFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

ServerFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

ObjectManager Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

PSFactoryBuffer C:\Windows\SysWOW64\WAMREGPS.DLL
PSFactoryBuffer C:\Windows\SysWOW64\WAMREGPS.DLL
LogUI ncsa C:\Windows\System32\inetsrv\logui.ocx
LogUI odbc C:\Windows\System32\inetsrv\logui.ocx
LogUI msft C:\Windows\System32\inetsrv\logui.ocx
LogUI extnd C:\Windows\System32\inetsrv\logui.ocx
Server Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

NameValueMap Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

AppDomain Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

SSLBinding Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

IIS WAMREG Admin


IIS CertObj C:\Windows\System32\inetsrv\certobj.dll
ApplicationPool Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

ImportExportConfig Class C:\Windows\SysWOW64\inetsrv\iisuiobj.dll


WAM REG COM LAYER C:\Windows\SysWOW64\inetsrv\wamreg.dll
ApplicationPoolFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll
AppServer Instance Provider for WBEM C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

Site Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

MD COM2 Server C:\Windows\SysWOW64\inetsrv\metadata.dll


WorkerProcess Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

SectionBaseFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

IIS Mimemap Object C:\Windows\SysWOW64\inetsrv\adsiis.dll


SectionBaseObject Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

WorkerProcessFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

CLAPI.INETLOGINFORMATION C:\Windows\SysWOW64\inetsrv\iscomlog.dll
This snap-in administers the Microsoft Internet Information Services (IIS) 6.0 C:\Windows\System32\inetsrv\inetmgr.dll
This snap-in administers the Microsoft Internet Information Services (IIS) 6.0 C:\Windows\System32\inetsrv\inetmgr.dll
VirtualDirectory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

IIS Admin Service


SiteFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

ApplicationFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

MD COM Server C:\Windows\SysWOW64\inetsrv\metadata.dll


LogUI Control C:\Windows\System32\inetsrv\cnfgprts.ocx
LogUI Property Page C:\Windows\System32\inetsrv\cnfgprts.ocx
Rat Control C:\Windows\System32\inetsrv\cnfgprts.ocx
Rat Property Page C:\Windows\System32\inetsrv\cnfgprts.ocx
IIS Script Helper C:\Windows\SysWOW64\scrobj.dll
IIS Namespace Object C:\Windows\SysWOW64\inetsrv\adsiis.dll
Microsoft Internet Information Server Provider C:\Windows\SysWOW64\inetsrv\iiswmi.dll
IIS Provider Object C:\Windows\SysWOW64\inetsrv\adsiis.dll
SSLBindingFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

ObjectManager Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

Application Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

IIS IPSecurity Object C:\Windows\SysWOW64\inetsrv\adsiis.dll


VirtualDirectoryFactory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

IIS Servers Extension C:\Windows\SysWOW64\inetsrv\svcext.dll


IIS PropertyAttribute Object C:\Windows\SysWOW64\inetsrv\adsiis.dll
Server Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll

AppID
{61738644-F196-11D0-9953-00C04FD919C1}

{62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60}

{A9E69610-B80D-11D0-B9B9-00A0C922E750}

Direction Protocol
In TCP
In TCP
In TCP

SID Privileges
S-1-5-80-257763619-1023834443-750927789-3464696139-1457670516
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091

Description

Account Startup Mode


NT AUTHORITY\SYSTEM Auto
Command Line Account
C:\Windows\system32\svchost.exe -k ftpsvc

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Friendly Name Binary Path


IIS FtpHost C:\Windows\system32\inetsrv\ftphost.dll
IIS Ftp Control
PSFactoryBuffer C:\Windows\system32\inetsrv\ftpextps.dll
IIS Ftp Control Interface ProxyStub C:\Windows\system32\inetsrv\ftpctrlps.dll
Microsoft.ApplicationHostFtpConfigExtension C:\Windows\system32\inetsrv\ftpconfigext.dll
IIS Ftp Host Interface ProxyStub C:\Windows\system32\inetsrv\ftphost.dll

AppID
{315FA593-3CF5-4310-887B-3977A578488A}

{75BE3767-9BAD-477C-A125-26379D3EDB4A}

State Process
Unknown svchost.exe (PID 768)
Listen svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Listen svchost.exe (PID 768)

Direction Protocol
In TCP
Out TCP
In TCP
Out TCP
In TCP
In TCP
Out TCP
In TCP
Out TCP
In TCP
In TCP
Out TCP
In TCP
Out TCP
In TCP

SID Privileges
S-1-5-80-593875016-1044814911-1112741138-2143646632-2690613739

Description

Network Denied Null Sessions Allowed


0 0

Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)
NX: Enabled (Linker Version: 10.0.-1) (ASLR)(Uses SafeSEH)(Uses /GS)
(Linker Version: 10.0.-1) (ASLR)

Account

DACL

*:443 *:* TRUE


*:80 *:* 1
*:443 *:* 1

Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)


Process Flags
(Linker Version: 9.0.-1) (ASLR)

NX: Enabled (Linker Version: 9.0.-1) (ASLR)(Uses SafeSEH)(Uses /GS)

Process Flags
(Linker Version: 9.0.-1) (ASLR)
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)


Local Endpoint Remote Endpoint Enabled
*:8172 *:* 1
*:8172 *:* 1
*:8172 *:* 1
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 10.0.-1) (ASLR)

NX: Enabled (Linker Version: 10.0.-1) (ASLR)(Uses SafeSEH)(Uses /GS)

Account

Local Endpoint Remote Endpoint Enabled


*:1024-65535 *:* 1
*:989 *:* 1
*:990 *:* 1
*:20 *:* 1
*:21 *:* 1
*:1024-65535 *:* 1
*:989 *:* 1
*:990 *:* 1
*:20 *:* 1
*:21 *:* 1
*:1024-65535 *:* 1
*:989 *:* 1
*:990 *:* 1
*:20 *:* 1
*:21 *:* 1

DACL
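The tables above record what the Web Server (IIS) role services add to a host: the listening ports (80 and 443 owned by HTTP.sys as PID 4, 8172 for the Web Management Service, 21 for the FTP control channel, 135 and the dynamic RPC range), the firewall rules that open them, and, for FTP, a passive-mode rule that admits TCP 1024-65535 inbound. The following script is an added example and is not part of this reference or of any Microsoft tool; it enumerates the same items on a Windows Server 2008 R2 host so they can be compared with the tables. It assumes PowerShell 2.0 (the version shipped with 2008 R2), an elevated prompt, and the built-in netstat, netsh and appcmd tools. The port labels in $reference are taken from the tables above; the feature ids and the 50000-50100 passive range are this example's own choices.

```powershell
# Added example, not part of this reference: enumerate the network attack surface
# the Web Server (IIS) role services above expose on a Windows Server 2008 R2 host
# and compare it with what the tables list. Assumes PowerShell 2.0, an elevated
# prompt, and the built-in netstat, netsh and appcmd tools. The 50000-50100 range
# in step 5 is an arbitrary example value.

Import-Module ServerManager

# 1. Which of the role services listed above are installed (2008 R2 feature ids)
$features = 'Web-Common-Http', 'Web-Static-Content', 'Web-Default-Doc', 'Web-Dir-Browsing',
            'Web-Http-Errors', 'Web-Http-Logging', 'Web-Request-Monitor', 'Web-Filtering',
            'Web-Stat-Compression', 'Web-Mgmt-Service', 'Web-Ftp-Server', 'Web-WHC'
Get-WindowsFeature | Where-Object { $features -contains $_.Name } |
    Format-Table Name, DisplayName, Installed -AutoSize

# 2. Listening sockets with their owning process. netstat -ano is the tool on
#    2008 R2; the Get-NetTCPConnection cmdlet only exists from Server 2012 on.
function Get-Listener {
    netstat -ano | ForEach-Object {
        # TCP rows must be in LISTENING state; UDP rows carry no state column
        if ($_ -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(LISTENING\s+)?(\d+)\s*$') {
            $m     = $Matches
            $proc  = Get-Process -Id ([int]$m[5]) -ErrorAction SilentlyContinue
            $image = 'n/a'
            if ($proc) { $image = $proc.ProcessName }
            New-Object PSObject -Property @{
                Proto = $m[1]; Port = [int]$m[3]; Pid = [int]$m[5]; Image = $image
            }
        }
    }
}

# 3. Compare TCP listeners with the ports the tables attribute to the role.
#    49152-65535 is the dynamic RPC range (the "Unknown Protocol" rows above);
#    anything else that is not in $reference needs an explanation.
$reference = @{ 80 = 'HTTP (W3SVC)'; 443 = 'HTTPS (W3SVC)'; 8172 = 'Web Management Service (WMSvc)';
                21 = 'FTP control channel (FTPSVC)'; 135 = 'RPC endpoint mapper' }
Get-Listener | Where-Object { $_.Proto -eq 'TCP' } | Sort-Object Port | ForEach-Object {
    $label = $reference[$_.Port]
    if (-not $label) {
        if ($_.Port -ge 49152) { $label = 'dynamic RPC range; match it to an RPC endpoint' }
        else                   { $label = '*** not in the reference ***' }
    }
    '{0,5}/TCP  PID {1,-5} {2,-16} {3}' -f $_.Port, $_.Pid, $_.Image, $label
}

# 4. State of the firewall rules the role installs. netsh is the 2008 R2 CLI;
#    the NetSecurity cmdlets (Get-NetFirewallRule) arrived with Server 2012.
$rules = 'World Wide Web Services (HTTP Traffic-In)', 'World Wide Web Services (HTTPS Traffic-In)',
         'Web Management Service (HTTP Traffic-In)', 'FTP Server (FTP Traffic-In)',
         'FTP Server Passive (FTP Passive Traffic-In)'
foreach ($rule in $rules) {
    netsh advfirewall firewall show rule name="$rule" |
        Where-Object { $_ -match '^(Rule Name|Enabled|Profiles|LocalPort):' }
}

# 5. The "FTP Server Passive" rule above admits TCP 1024-65535 inbound. Pinning the
#    data channel to a short range in IIS and narrowing the rule to match shrinks
#    that to about a hundred ports. Flip the switch to apply it; the FTP service
#    picks the new range up when it starts.
$applyPassiveRange = $false
if ($applyPassiveRange) {
    & "$env:windir\system32\inetsrv\appcmd.exe" set config -section:system.ftpServer/firewallSupport `
        /lowDataChannelPort:50000 /highDataChannelPort:50100 /commit:apphost
    netsh advfirewall firewall set rule name="FTP Server Passive (FTP Passive Traffic-In)" new localport=50000-50100
    Restart-Service ftpsvc
}
```

Two reading aids for the output: ports 80 and 443 are attributed to PID 4 (System) because HTTP.sys owns the socket in kernel mode, so use netsh http show servicestate to see which request queues, and therefore which application pools, are registered on them; and the 49154/TCP and similar rows the tables label "Unknown Protocol" are dynamic RPC endpoints, which the RPC Endpoints tables, not the port number, identify.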
File Server
Services
Image Name (PID)
svchost.exe (768)

Ports
Port Name
49154/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-2d4-0
Winsock2\CatalogChangeListener-300-0

Winsock2\CatalogChangeListener-1d8-0
wbhstipm0648f693-1683-4afb-9e3e-b8d510298323

wbhstipm9de0438a-d22b-4014-b757-b2b0539bdef2

wbhstipm22e83c71-4158-4145-9909-8e2af4246f60
wbhstipm54520408-b42e-4969-9446-8826239d3748

d71d14b0-662d-421a-b3e6-afbf121d8993

50f98d16-218a-4d78-8f37-41a0a3e85347

Winsock2\CatalogChangeListener-358-0

RPC Endpoints
Interface UUID
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}

Role Dependency
Dependency
None
Distributed File System
Services
Name
DFS Namespace (dfs)
DFS Replication (DFSR)

Drivers
Name
DFS Namespace Server Filter Driver (dfsdriver)
DFS Replication ReadOnly Driver (Dfsrro)

Running Processes
Image Name (PID)
svchost.exe (768)

svchost.exe (856)

dfsrs.exe (1308)

svchost.exe (2516)

dfssvc.exe (2648)

vds.exe (2788)

Ports
Port Name
49950/UDP -- Unknown Protocol
49154/TCP -- Unknown Protocol
49327/TCP -- Unknown Protocol
49329/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-2d4-0

Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d8-0

Winsock2\CatalogChangeListener-1d0-0
netdfs

Network Shares
Name
Namespace1

Firewall Rules
Name
DFS Replication (RPC-EPMAP)
DFS Replication (RPC-In)
File and Printer Sharing (Echo Request - ICMPv4-In)

File and Printer Sharing (Echo Request - ICMPv4-Out)

File and Printer Sharing (Echo Request - ICMPv6-In)

File and Printer Sharing (Echo Request - ICMPv6-Out)

File and Printer Sharing (LLMNR-UDP-In)


File and Printer Sharing (LLMNR-UDP-Out)
File and Printer Sharing (NB-Datagram-In)
File and Printer Sharing (NB-Datagram-Out)
File and Printer Sharing (NB-Name-In)
File and Printer Sharing (NB-Name-Out)
File and Printer Sharing (NB-Session-In)
File and Printer Sharing (NB-Session-Out)
File and Printer Sharing (SMB-In)
File and Printer Sharing (SMB-Out)
File and Printer Sharing (Spooler Service - RPC)
File and Printer Sharing (Spooler Service - RPC-EPMAP)

Groups
Account Name
NT SERVICE\DFSR

NT SERVICE\swprv

NT SERVICE\vds

NT SERVICE\VSS

NT SERVICE\dfs

Role Dependency
Dependency
None

File Server Resource Manager
Services
Name
File Server Storage Reports Manager (srmreports)
File Server Resource Manager (srmsvc)

Drivers
Name
Datascrn (Datascrn)
quota (quota)

Running Processes
Image Name (PID)
svchost.exe (772)
svchost.exe (916)

mscorsvw.exe (1244)

svchost.exe (2364)

mscorsvw.exe (2520)

Registered COM Controls


CLSID
{0058EF37-AA66-4C48-BD5B-2FCE432AB0C8}
{1AB0A09F-2FE7-4AAA-AA80-EE3A4987E10C}
{1DEA3085-27E3-424B-BAC8-A1D7B367FAD2}
{20082091-F06D-4218-BA4C-25487D3ADEDE}

{243111DF-E474-46AA-A054-EAA33EDC292A}
{2FFBC541-7142-4B80-B48A-28A394DC5709}

{32FF7589-83D5-4E34-86FE-A2D5E27BDF3A}
{53E94FE8-9E5B-4ACD-B99D-E09BB87B149B}
{6C2C1D33-40EA-4941-908C-7DDF0864FFCA}
{8F1363F6-656F-4496-9226-13AECBD7718F}
{90DCAB7F-347C-4BFC-B543-540326305FBE}
{95941183-DB53-4C5F-B37B-7D0921CF9DC7}
{97D3D443-251C-4337-81E7-B32E8F4EE65E}
{AA226789-0134-433B-ACC1-2EDDA6806E9D}

{B15C0E47-C391-45B9-95C8-EB596C853F3A}
{EA25F1B8-1B8D-4290-8EE8-E17C12C2FE20}
{EB18F9B2-4C3A-4321-B203-205120CFF614}
{F3BE42BD-8AC2-409E-BBD8-FAF9B6B41FEB}
{F3C2DFED-E357-496D-923F-1D75EFCCAD3F}
{F556D708-6D4D-4594-9C61-7DBB0DAE2A46}
{FC7C4BEB-83FC-4622-A2A4-8713E399E796}

Ports
Port Name
60910/UDP -- Unknown Protocol
60912/UDP -- Unknown Protocol
49154/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol
49187/TCP -- Dynamic RPC Port
49254/TCP -- Unknown Protocol
49255/TCP -- Unknown Protocol
49256/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol
49187/TCP -- Dynamic RPC Port

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0

Winsock2\CatalogChangeListener-170-0

Winsock2\CatalogChangeListener-304-0

wbhstipm68c6ea22-7780-47c0-8fde-d039b0cac061
wbhstipmbdcd33eb-c126-4bf9-8afc-41444615f8e1
wbhstipm33867462-e41e-422b-a8c9-336338fad973

wbhstipmdc24916c-dc58-4201-84bf-ed763e8631cc
57827edf-f325-496a-bd73-caee734173a7

3fbfd425-9e62-47f4-bffa-4a6be4e6b57a
Winsock2\CatalogChangeListener-1d0-0

Winsock2\CatalogChangeListener-394-0

RPC Endpoints
Interface UUID
{c9ac6db5-82b7-4e55-ae8a-e464ed7b4277}

Firewall Rules
Name
Remote File Server Resource Manager Management - FSRM Reports Service (RPC-In)
Remote File Server Resource Manager Management - FSRM Service (RPC-In)
Remote File Server Resource Manager Management - Remote Registry (RPC-In)
Remote File Server Resource Manager Management - RpcSs (RPC-EPMAP)
Remote File Server Resource Manager Management - Task Scheduler (RPC-In)
Remote File Server Resource Manager Management - Windows Management Instrumentation (Async-In)
Remote File Server Resource Manager Management - Windows Management Instrumentation (WMI-In)
Remote File Server Resource Manager Management (SMB-In)

Groups
Account Name
NT SERVICE\srmsvc
Role Dependency
Dependency
None

Services for Network File System
Services
Name
Client for NFS (NfsClnt)
Server for NFS (NfsService)

Drivers
Name
Server for NFS Filesystem Filter (msnfsflt)
Client for NFS Redirector (NfsRdr)
Server for NFS Driver (NfsServer)
Server for NFS Open RPC (ONCRPC) Portmapper (Portmap)
Server for NFS Open RPC (ONCRPC) (RpcXdr)

Running Processes
Image Name (PID)
svchost.exe (776)

svchost.exe (856)

nfssvc.exe (2224)

nfsclnt.exe (2640)

svchost.exe (2768)

Registered COM Controls


CLSID
{04EA2470-913A-11D2-8CB8-0000F8083420}
{05E780B1-35BB-4450-AB46-34F25B63EA79}
{22FE0840-CB32-11CE-82B9-02608C8E4747}
{6C26B387-E3F7-4A7C-BD2A-DD4D596CDE86}
{97E65459-F1BF-473B-993E-1D72B054AC1A}
{9E6D45FD-C65D-4D1E-89A5-81E3A842F3AA}
{D16A5747-86A4-40B9-89A3-7A4C1C3A398B}
{FC131E1B-3A58-4CE4-AF8D-EA5813EBFD0F}

Registered DCOM Servers


CLSID
{05E780B1-35BB-4450-AB46-34F25B63EA79} (NFS Advanced Sharing UI)

Ports
Port Name
123/UDP -- NTP
123/UDP -- NTP
49155/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol

RPC Endpoints
Interface UUID
{c9ac6db5-82b7-4e55-ae8a-e464ed7b4277}

Firewall Rules
Name
Client for NFS (TCP-Out)
Client for NFS (UDP-Out)
Portmap for UNIX-based Software (TCP-In)
Portmap for UNIX-based Software (UDP-In)
Server for NFS - Mount (TCP-In)
Server for NFS - Mount (UDP-In)
Server for NFS - NLM (TCP-In)
Server for NFS - NLM (UDP-In)
Server for NFS - NSM (TCP-In)
Server for NFS - NSM (UDP-In)
Server for NFS (NFS-TCP-In)
Server for NFS (NFS-TCP-Out)
Server for NFS (NFS-UDP-In)
Server for NFS (NFS-UDP-Out)

Groups
Account Name
NT SERVICE\NfsService

NT SERVICE\swprv
NT SERVICE\NfsClnt

Role Dependency
Dependency
None

Windows Search Service
Services
Name
Windows Search (WSearch)

Running Processes
Image Name (PID)
SearchIndexer.exe (604)

svchost.exe (920)

mscorsvw.exe (1860)

mscorsvw.exe (1880)

SearchFilterHost.exe (2256)

SearchProtocolHost.exe (2556)

Registered COM Controls


CLSID
{01CBCF66-A9CA-4449-84DE-7F321232BBC7}
{9694E38A-E081-46AC-99A0-8743C909ACB6}
{1AF81E4E-FC45-48EE-B236-A2A663494390}
{1E1714A3-50B9-480B-A94A-636D9A9B56D1}
{20076C7E-4851-41ED-9EB8-F4E5F2BB0286}
{2A744BD8-158A-4BBF-9513-4A656F6C01D7}
{2ED326ED-C4C0-434A-B4CE-FB0318D725A7}
{2F2165FF-2C2D-4612-87B2-CC8E5002EF4C}
{30766BD2-EA1C-4F28-BF27-0B44E2F68DB7}
{317F3AA1-A5F5-4310-9401-BAE5DAC386C6}
{DD75716E-B42E-4978-BB60-1497B92E30C4}
{35C61CC2-5851-4F2D-89B6-4F9BB4B4193F}

{51653423-E62D-4FF7-894A-DABB2B8E21E2}
{53BEDF0B-4E5B-4183-8DC9-B844344FA104}
{5815ADD9-95C5-44F2-8262-3BCD56AA3147}
{602BDCE5-CA64-4E91-B27C-FFCA48978A00}
{6A68CC80-4337-4DBC-BD27-FBFB1053820B}
{6D3951EB-0B07-4FB8-B703-7C5CEE0DB578}
{70804ECC-7272-4DC8-AFFC-97CD66AAA282}
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
{87D66A43-7B11-4A28-9811-C86EE395ACF7}
{89D83576-6BD1-4C86-9454-BEB04E94C819}
{8DA6DB1C-8114-40C6-9D97-D2E7E9757D67}
{9D3C0751-A13F-46A6-B833-B46A43C30FE8}
{9E175B68-F52A-11D8-B9A5-505054503030}
{9E175B69-F52A-11D8-B9A5-505054503030}
{9E175B6C-F52A-11D8-B9A5-505054503030}
{9E175B6D-F52A-11D8-B9A5-505054503030}
{9E175B6E-F52A-11D8-B9A5-505054503030}

{9E175B70-F52A-11D8-B9A5-505054503030}
{9E175B74-F52A-11D8-B9A5-505054503030}
{9E175B76-F52A-11D8-B9A5-505054503030}
{9E175B7F-F52A-11D8-B9A5-505054503030}
{9E175B8A-F52A-11D8-B9A5-505054503030}
{9E175B8B-F52A-11D8-B9A5-505054503030}
{9E175B8D-F52A-11D8-B9A5-505054503030}
{9E175B8E-F52A-11D8-B9A5-505054503030}
{9E175B90-F52A-11D8-B9A5-505054503030}
{9E175B98-F52A-11D8-B9A5-505054503030}
{9E175BA8-F52A-11D8-B9A5-505054503030}
{9E175BA9-F52A-11D8-B9A5-505054503030}
{9E175BB7-F52A-11D8-B9A5-505054503030}
{9E175BB8-F52A-11D8-B9A5-505054503030}
{A373F500-7A87-11D3-B1C1-00C04F68155C}

{A5270F6C-19EC-4E17-9EA1-A7074276B9B9}
{A9B5F443-FE02-4C19-859D-E9B5C5A1B6C6}
{A9F738C8-6B96-41FA-A155-15ECD67275D0}

{B056521A-9B10-425E-B616-1FCD828DB3B1}
{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}
{D169C14A-5148-4322-92C8-754FC9D018D8}
{D16B87DE-029E-4C85-92C8-ED8BBC5E882C}

{D6F8EC75-A388-47DE-BA3A-903B12A38E86}
{DA67B8AD-E81B-4C70-9B91-B417B5E33527}
{DE3F3560-3032-41B4-B6CF-F703B1B95640}
{E20870E2-3AD1-4B64-87BE-5AD5F17A53F0}
{E63DE750-3BD7-4BE5-9C84-6B4281988C44}
{F37AFD4F-E736-4980-8650-A486B1F2DF25}
{9E175BAF-F52A-11D8-B9A5-505054503030}

{9E175BB4-F52A-11D8-B9A5-505054503030}

Registered DCOM Servers


CLSID
{1AF81E4E-FC45-48EE-B236-A2A663494390} (Out Of Proc Mapi Handler)
{1E1714A3-50B9-480B-A94A-636D9A9B56D1} (Shell Indexer Admin Object)
{2F2165FF-2C2D-4612-87B2-CC8E5002EF4C} (Advanced Indexing Options Dialog Object)
{30766BD2-EA1C-4F28-BF27-0B44E2F68DB7} (Windows Search Root)
{53BEDF0B-4E5B-4183-8DC9-B844344FA104} (MAPI Mail Previewer)
{5815ADD9-95C5-44F2-8262-3BCD56AA3147} (Windows Search Manager Event Sink)
{602BDCE5-CA64-4E91-B27C-FFCA48978A00} (Windows Search Index Notification Sink)
{6D3951EB-0B07-4FB8-B703-7C5CEE0DB578} (Advanced Indexing Options Dialog Object)
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} (Windows Search Manager)
{9E175B68-F52A-11D8-B9A5-505054503030} (Search Gathering Manager)
{9E175B6D-F52A-11D8-B9A5-505054503030} (Search Gatherer Notification)
{A5270F6C-19EC-4E17-9EA1-A7074276B9B9} (Windows Search Items Changed Sink)
{A9B5F443-FE02-4C19-859D-E9B5C5A1B6C6} (Search Gatherer Inline Notification)
{DE3F3560-3032-41B4-B6CF-F703B1B95640} (Windows Search Service Profile Notify Handler)
{E63DE750-3BD7-4BE5-9C84-6B4281988C44} (Windows Search Scope Rule)

Internet Explorer Pluggable Protocol Handlers


Protocol
mapi

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0

Winsock2\CatalogChangeListener-170-0

Winsock2\CatalogChangeListener-304-0

wbhstipm0b77fb69-87f4-467d-9813-663743fbe274
wbhstipmc768a67e-0c53-43b6-94b2-8bb9e78cf6c4

wbhstipm921da58c-6c38-4e0d-b962-1000415696fe

wbhstipm3f2e54f2-4fb7-4b2e-9113-61763070cbbf
e00704b5-3db8-48fd-ab41-3983cacd9627

521bad4e-a755-4300-a378-dd2bb46a6c1a

Winsock2\CatalogChangeListener-1d0-0

Winsock2\CatalogChangeListener-398-0

MsFteWds

RPC Endpoints
Interface UUID
{c9ac6db5-82b7-4e55-ae8a-e464ed7b4277}

Groups
Account Name
NT SERVICE\WSearch

Role Dependency
Dependency
None
Windows Server 2003 File Services
Services
Name
Indexing Service (CISVC)

Running Processes
Image Name (PID)
svchost.exe (768)

svchost.exe (856)

CISVC.EXE (1624)

svchost.exe (2768)

Registered COM Controls


CLSID
{0C16C27E-A6E7-11D0-BFC3-0020F8008024}
{1E9685E6-DB6D-11D0-BB63-00C04FC2F410}
{2A488070-6FD9-11D0-A808-00A0C906241A}
{3BC4F3A1-652A-11D1-B4D4-00C04FC2DB8D}
{3BC4F3A3-652A-11D1-B4D4-00C04FC2DB8D}

{3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D}

{95AD72F0-44CE-11D0-AE29-00AA004B9986}
{A4463024-2B6F-11D0-BFBC-0020F8008024}
{AA205A4D-681F-11D0-A243-08002B36FCA4}
{C04EFA90-E221-11D2-985E-00C04F575153}
{EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D}

Registered ActiveX Controls


ActiveX Name and CLSID
IXSSO.Util.2 ({0C16C27E-A6E7-11D0-BFC3-0020F8008024})
IXSSO.Query.2 ({A4463024-2B6F-11D0-BFBC-0020F8008024})
IXSSO.Query.3 ({EAFDF8B3-3BE5-4E05-BF86-1E486B2FEF9D})
Ports
Port Name
49154/TCP -- Unknown Protocol
49312/TCP -- Unknown Protocol
49313/TCP -- Unknown Protocol
49314/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-2d4-0

Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d8-0

Winsock2\CatalogChangeListener-1d0-0
ci_skads

Groups
Account Name
NT SERVICE\swprv

Role Dependency
Dependency
None

BranchCache for Network Files
Running Processes
Image Name (PID)
svchost.exe (768)

Ports
Port Name
49154/TCP -- Unknown Protocol

Named Pipes
Pipe Name
50f98d16-218a-4d78-8f37-41a0a3e85347

d71d14b0-662d-421a-b3e6-afbf121d8993

wbhstipm0648f693-1683-4afb-9e3e-b8d510298323

wbhstipm22e83c71-4158-4145-9909-8e2af4246f60
wbhstipm54520408-b42e-4969-9446-8826239d3748

wbhstipm9de0438a-d22b-4014-b757-b2b0539bdef2

Winsock2\CatalogChangeListener-1d8-0
Winsock2\CatalogChangeListener-2d4-0

Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-358-0

RPC Endpoints
UUID
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}

Role Dependency
Dependency
None
Command Line Account
C:\Windows\system32\svchost.exe -k netsvcs

State Process
Listen svchost.exe (PID 768)

Network Denied Null Sessions Allowed


0 0
1 0

0 0
0 0

0 0

0 0
0 0

1 0

1 0

0 0

Endpoint Binding(s)
ncalrpc:[WMsgKRpc08AAF1]
ncalrpc:[WMsgKRpc08AAF1]

Description
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\SYSTEM Auto

Startup Mode
System
Boot

Command Line Account


C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\DFSRs.exe

C:\Windows\System32\svchost.exe -k swprv

C:\Windows\system32\dfssvc.exe

C:\Windows\System32\vds.exe

State Process
Unknown dfsrs.exe (PID 1308)
Listen svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Listen svchost.exe (PID 768)

Network Denied Null Sessions Allowed


0 0
0 0
1 0

0 0
1 0

0 0
0 0

Path ACL
C:\DfsRoots\Namespace1 Account Type
Everyone AccessAllowed
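The File Services tables above record the DFS root share (C:\DfsRoots\Namespace1, shared with Everyone AccessAllowed), the netdfs and other named pipes with their "Network Denied" and "Null Sessions Allowed" flags, and, at the top of this page, the pipe DACLs in which "Network Denied" shows up as an AccessDenied entry for NT AUTHORITY\NETWORK. The following script is an added example and is not part of this reference or of any Microsoft tool; it audits the same two items, share-level ACLs and the null-session allow lists, on a Windows Server 2008 R2 host. It assumes PowerShell 2.0 and a local administrator. The AccessMask-to-name table covers the three values the share permissions dialog writes; any other mask is shown raw.

```powershell
# Added example, not part of this reference: audit share-level ACLs and the
# LanmanServer null-session allow lists on a Windows Server 2008 R2 host.
# Assumes PowerShell 2.0 and a local administrator.

function Get-ShareAcl {
    # Share-level DACL via WMI. NTFS permissions on the folder are a separate,
    # second gate; an operation needs both to allow it.
    $names = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }
    # Type 0 = plain disk share; the hidden admin shares (C$, ADMIN$) have no settable share DACL
    foreach ($share in (Get-WmiObject Win32_Share | Where-Object { $_.Type -eq 0 })) {
        $setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        if (-not $setting) { continue }
        $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
        if (-not $dacl) { continue }             # PowerShell 2.0 iterates once over $null
        foreach ($ace in $dacl) {
            $right = $names[[int]$ace.AccessMask]
            if (-not $right) { $right = '0x{0:X}' -f $ace.AccessMask }
            $type = 'AccessDenied'
            if ($ace.AceType -eq 0) { $type = 'AccessAllowed' }
            New-Object PSObject -Property @{
                Share   = $share.Name
                Path    = $share.Path
                Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"   # "\Everyone" for well-known SIDs, as in the tables
                Type    = $type
                Right   = $right
            }
        }
    }
}

function Get-NullSessionExposure {
    # LanmanServer parameters that decide what an unauthenticated (null) session
    # may open. With RestrictNullSessAccess at its default of 1 (value absent or 1)
    # only the pipes and shares named in the two lists are reachable anonymously;
    # 0 exposes every pipe and share to null sessions.
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-Object PSObject -Property @{
        NullSessionPipes       = (@($p.NullSessionPipes)  | Where-Object { $_ }) -join ', '
        NullSessionShares      = (@($p.NullSessionShares) | Where-Object { $_ }) -join ', '
        RestrictNullSessAccess = $p.RestrictNullSessAccess
    }
}

Get-ShareAcl | Sort-Object Share, Trustee | Format-Table Share, Path, Trustee, Type, Right -AutoSize
# Everyone with more than Read on a share is the first finding to chase
Get-ShareAcl | Where-Object { $_.Trustee -match '\\Everyone$' -and $_.Type -eq 'AccessAllowed' -and $_.Right -ne 'Read' } |
    ForEach-Object { "WARNING: share $($_.Share) ($($_.Path)) grants Everyone $($_.Right)" }
Get-NullSessionExposure | Format-List
```

When reading the named-pipe tables, treat the two flags as separate gates: a pipe with Network Denied set to 1 carries a DACL entry denying NT AUTHORITY\NETWORK, so it cannot be opened over SMB at all and the null-session lists are irrelevant to it; a pipe with Network Denied 0 and Null Sessions Allowed 0, such as netdfs above, is reachable remotely but only by an authenticated session, and stays that way only while RestrictNullSessAccess keeps its default.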

Direction Protocol
In TCP
In TCP
In TCP

Out TCP

In TCP

Out TCP

In UDP
Out UDP
In UDP
Out UDP
In UDP
Out UDP
In TCP
Out TCP
In TCP
Out TCP
In TCP
In TCP

SID Privileges
S-1-5-80-1267473060-1890374259-1137250836-544356534-2546457154
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-2196396108-1448510645-203779624-3888580976-3789157697
S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091
S-1-5-80-3588172797-86763527-1375198215-2167056557-2705436887

Description

Account Startup Mode


NT AUTHORITY\SYSTEM Demand
NT AUTHORITY\SYSTEM Auto

Startup Mode
Boot
Boot

Command Line Account


C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\svchost -k srmsvcs

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Friendly Name Binary Path


FsrmReportManager Class
FsrmEmailInternal Class
FsrmFileManagementJobActionRunner Class
Microsoft.Storage.Reports.FsrmReportManagerInproc C:\Windows\System32\mscoree.dll

FsrmFileScreenTemplateManager Class
Microsoft.Storage.SimpleContentCls.CSimpleContentCls C:\Windows\System32\mscoree.dll

FsrmSPDocumentParserModule Class C:\Windows\System32\srmstormod.dll


FsrmGlobalStoreManager Class
FsrmEmailExternal Class
FsrmFileGroupManager Class
FsrmQuotaManager Class
FsrmFileScreenManager Class
FsrmQuotaTemplateManager Class
Microsoft.Storage.Reports.FsrmClassificationManagerInproc C:\Windows\System32\mscoree.dll
FsrmClassificationManager Class
FsrmReportScheduler Class
FsrmFileManagementJobManager Class
FsrmPathMapper Class
FsrmClusterUtil Class
FsrmSetting Class
Microsoft.Storage.Reports.FsrmFileManagementJobManagerInproc C:\Windows\System32\mscoree.dll

State Process
Unknown svchost.exe (PID 968)
Unknown lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen svchost.exe (PID 772)
Listen services.exe (PID 464)
Established svchost.exe (PID 772)
Established svchost.exe (PID 772)
Established svchost.exe (PID 772)
Listen lsass.exe (PID 472)
Listen svchost.exe (PID 772)
Listen services.exe (PID 464)

Network Denied Null Sessions Allowed


1 0

1 0

1 0

0 0
0 0
0 0

0 0
1 0

1 0
1 0

1 0

Endpoint Binding(s)
ncalrpc:[LRPC-a023c0a9ee07180d6d]

Direction Protocol
In TCP

In TCP

In TCP

In TCP

In TCP

In TCP

In TCP

In TCP

SID Privileges
S-1-5-80-2020974448-4107748278-3972193768-963817739-397362718
Description

Account Startup Mode


NT AUTHORITY\NETWORK SERVICE Auto
NT AUTHORITY\NETWORK SERVICE Auto

Startup Mode
Demand
Demand
Demand
Demand

Demand

Command Line Account


C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\nfssvc.exe

C:\Windows\system32\nfsclnt.exe

C:\Windows\System32\svchost.exe -k swprv

Friendly Name Binary Path


NFS Shell Icon Overlay Identifier C:\Windows\System32\nfssprop.dll
NFS Advanced Sharing UI C:\Windows\System32\nfssprop.dll
Client for NFS Property Sheet C:\Windows\System32\nfscprop.dll
Microsoft Services for NFS C:\Windows\system32\nfscommgmt.dll
MSNFS WMI provider C:\Windows\System32\nfswmiprov.dll
Microsoft Corporation C:\Windows\system32\nfscommgmt.dll
PSFactoryBuffer C:\Windows\System32\nfssprop.dll
NFSLockEnum Class

AppID
{05E780B1-35BB-4450-AB46-34F25B63EA79}

State Process
Unknown svchost.exe (PID 856)
Unknown svchost.exe (PID 856)
Listen svchost.exe (PID 776)
Listen svchost.exe (PID 776)

Endpoint Binding(s)
ncalrpc:[LRPC-64fa2584b178848bc1]

Direction Protocol
Out TCP
Out UDP
In TCP
In UDP
In TCP
In UDP
In TCP
In UDP
In TCP
In UDP
In TCP
Out TCP
In UDP
Out UDP

SID Privileges
S-1-5-80-1071656157-3689046577-4105049408-574495319-1522408424
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-2188150755-1016705677-731116528-1274462162-1514473938

Description

Account Startup Mode


NT AUTHORITY\SYSTEM DelayedAuto

Command Line Account


C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528 NT AUTHORITY\SYSTEM
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

Friendly Name Binary Path


html persistent handler for mapi email
html persistent handler for mapi email
Out Of Proc Mapi Handler C:\Windows\SysWOW64\mssvp.dll
Shell Indexer Admin Object C:\Windows\SysWOW64\srchadmin.dll
PSFactoryBuffer C:\Windows\SysWOW64\srchadmin.dll
Windows Desktop Search Scope Manager C:\Windows\SysWOW64\tquery.dll
PSFactoryBuffer C:\Windows\SysWOW64\srchadmin.dll
Advanced Indexing Options Dialog Object C:\Windows\SysWOW64\srchadmin.dll
Windows Search Root
text persistent handler for mapi email
text persistent handler for mapi email
Microsoft Search Property System Change Notify Handler C:\Windows\SysWOW64\mssrch.dll
CrawlStartPages Task Handler C:\Windows\SysWOW64\srchadmin.dll
MAPI Mail Previewer C:\Windows\SysWOW64\mssvp.dll
Windows Search Manager Event Sink
Windows Search Index Notification Sink
CSearchLanguageSupport Class C:\Windows\SysWOW64\tquery.dll
Advanced Indexing Options Dialog Object C:\Windows\SysWOW64\srchadmin.dll
Windows Desktop Search Map Plugin C:\Windows\SysWOW64\mssrch.dll
Windows Search Manager
Indexing Options Control Panel
@C:\Windows\system32\mssvp.dll,-110 C:\Windows\SysWOW64\mssvp.dll
PSFactoryBuffer C:\Windows\SysWOW64\mssvp.dll
MAPI Shell Context Menu C:\Windows\SysWOW64\mssvp.dll
Search Gathering Manager
Search Embedded Gathering Manager C:\Windows\SysWOW64\mssrch.dll
Search Gatherer Transaction C:\Windows\SysWOW64\mssrch.dll
Search Gatherer Notification
Microsoft Embedded Search Gatherer Notification C:\Windows\SysWOW64\mssrch.dll

Search Gatherer Language Resource Pool C:\Windows\SysWOW64\mssrch.dll


Search Gatherer Plug-in C:\Windows\SysWOW64\mssrch.dll
Windows Search Service File Protocol Handler C:\Windows\SysWOW64\mssph.dll
Search Back off Controller C:\Windows\SysWOW64\mssrch.dll
Search command creator object C:\Windows\SysWOW64\tquery.dll
Windows Search Data Source C:\Windows\SysWOW64\tquery.dll
Search FilterRegistration Class C:\Windows\SysWOW64\tquery.dll
Search LoadLangRes Class C:\Windows\SysWOW64\tquery.dll
Full Text SQL Parser C:\Windows\SysWOW64\tquery.dll
Search Neutral Word Breaker Resources C:\Windows\SysWOW64\tquery.dll
Search Null Word Breaker C:\Windows\SysWOW64\mssrch.dll
Search Gatherer Log File Provider C:\Windows\SysWOW64\mssrch.dll
Windows Search Service Tripoli Indexer Engine C:\Windows\SysWOW64\tquery.dll
Windows Search Service Jet Property Storage Engine C:\Windows\SysWOW64\mssrch.dll
Windows Search Service Client Side Cache Protocol Handler C:\Windows\SysWOW64\mssvp.dll
Windows Search Items Changed Sink
Search Gatherer Inline Notification
Windows Search Protocol Handler Search Connector Creator C:\Windows\SysWOW64\srchadmin.dll
PSFactoryBuffer C:\Windows\SysWOW64\mssprxy.dll
@C:\Windows\system32\mssvp.dll,-112 C:\Windows\SysWOW64\mssvp.dll
rtf persistent handler for mapi email
Microsoft Embedded Search Gatherer Inline Notification C:\Windows\SysWOW64\mssrch.dll
PSFactoryBuffer C:\Windows\SysWOW64\mssvp.dll
Windows Search Shell Service Object C:\Windows\SysWOW64\srchadmin.dll
Windows Search Service Profile Notify Handler C:\Windows\System32\wsepno.dll
rtf persistent handler for mapi email
Windows Search Scope Rule
Windows_Search_OutlookToolbar C:\Windows\SysWOW64\mssphtb.dll
Windows Search Service Office Outlook Protocol Handler C:\Windows\SysWOW64\mssph.dll

AppID
{3F5E4B87-C907-4F76-82E4-6FDF0CE90E25}

{3F4D7BB8-4F38-4526-8CD3-C44D68689C5F}

{3F4D7BB8-4F38-4526-8CD3-C44D68689C5F}

{9E175B9C-F52A-11D8-B9A5-505054503030}

{534A1E02-D58F-44F0-B58B-36CBED287C7C}

{9E175B9C-F52A-11D8-B9A5-505054503030}

{9E175B9C-F52A-11D8-B9A5-505054503030}

{3F4D7BB8-4F38-4526-8CD3-C44D68689C5F}

{9E175B9C-F52A-11D8-B9A5-505054503030}

{9E175B9C-F52A-11D8-B9A5-505054503030}
{9E175B9C-F52A-11D8-B9A5-505054503030}

{9E175B9C-F52A-11D8-B9A5-505054503030}

{9E175B9C-F52A-11D8-B9A5-505054503030}

{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

{9E175B9C-F52A-11D8-B9A5-505054503030}

Handler Path

Network Denied Null Sessions Allowed


1 0

1 0

1 0

0 0
0 0

0 0

0 0
1 0

1 0

1 0

1 0

0 0

Endpoint Binding(s)
ncalrpc:[LRPC-07603a9b2c0ee641a6]

SID Privileges
S-1-5-80-117416528-2204451360-1913602512-1355018040-1234992034

Description
Account Startup Mode
NT AUTHORITY\SYSTEM Auto

Command Line Account


C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\CISVC.EXE

C:\Windows\System32\svchost.exe -k swprv

Friendly Name Binary Path


Indexing Service Utility SSO V2. C:\Windows\system32\ixsso.dll
Content Index Framework Control Object C:\Windows\system32\query.dll
File System Client DocStore Locator Object C:\Windows\system32\query.dll
Microsoft Index Server Administration Object C:\Windows\system32\ciodm.dll
Microsoft Index Server Catalog Administration Object C:\Windows\system32\ciodm.dll

Microsoft Index Server Scope Administration Object C:\Windows\system32\ciodm.dll

Indexing Service Snapin C:\Windows\system32\CIAdmin.dll


Indexing Service Query SSO V2. C:\Windows\system32\ixsso.dll
File System Client Filter Object C:\Windows\system32\query.dll
PSFactoryBuffer C:\Windows\system32\query.dll
Indexing Service Query SSO V3. C:\Windows\system32\ixsso.dll

Image Path Safe for Scripting/Safe for Initialization


C:\Windows\system32\ixsso.dll true/true

C:\Windows\system32\ixsso.dll true/true

C:\Windows\system32\ixsso.dll true/true
State Process
Listen svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Listen svchost.exe (PID 768)

Network Denied Null Sessions Allowed


0 0
0 0
1 0

0 0
1 0

0 0
0 0

SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506

Description
Command Line Account
C:\Windows\system32\svchost.exe -k netsvcs

State Process
Listen svchost.exe (PID 768)

Network Denied Null Sessions Allowed


1 0

1 0

0 0

0 0
0 0

0 0

0 0
0 0

1 0
0 0

Endpoint Binding(s)
ncalrpc:[WMsgKRpc08AAF1]
ncalrpc:[WMsgKRpc08AAF1]

Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)

Account

DACL

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

Account

DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\Authenticated Users AccessAllowed
BUILTIN\Administrators AccessAllowed

Local Endpoint Remote Endpoint Enabled


*:RPC-EPMap *:* 1
*:RPC *:* 1
*: *: 1

*: *: 1

*: *: 1

*: *: 1

*:5355 LocalSubnet:* 1
*:* LocalSubnet:5355 1
*:138 *:* 1
*:* *:138 1
*:137 *:* 1
*:* *:137 1
*:139 *:* 1
*:* *:139 1
*:445 *:* 1
*:* *:445 1
*:RPC *:* 1
*:RPC-EPMap *:* 1

Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 10.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

NX: Enabled (Linker Version: 10.0.-1) (ASLR)(Uses SafeSEH) (Uses /GS)

Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

Local Endpoint Remote Endpoint Enabled


*:RPC *:* 0

*:RPC *:* 0

*:RPC *:* 0

*:RPC-EPMap *:* 0

*:RPC *:* 0

*:* *:* 0

*:* *:* 0

*:445 *:* 0
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)


Account

Local Endpoint Remote Endpoint Enabled


*:* *:* 1
*:* *:* 1
*:111 *:* 1
*:111 *:* 1
*:1048,1053,1058,1063,1068 *:* 1
*:1048,1053,1058,1063,1068 *:* 1
*:1047,1052,1057,1062,1067 *:* 1
*:1047,1052,1057,1062,1067 *:* 1
*:1039,1044,1049,1054,1059 *:* 1
*:1039,1044,1049,1054,1059 *:* 1
*:2049 *:* 1
*:* *:* 1
*:2049 *:* 1
*:* *:* 1
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

NX: Enabled (Linker Version: 10.0.-1) (ASLR)(Uses SafeSEH) (Uses /GS)

(Linker Version: 10.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)


DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\Authenticated Users AccessAllowed
BUILTIN\Administrators AccessAllowed
BUILTIN\Guests AccessAllowed
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)


Account

DACL

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessDenied
Everyone AccessAllowed
Process Flags
(Linker Version: 9.0.-1) (ASLR)

Account

DACL
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Print and Document Services
Running Processes
Image Name (PID)
svchost.exe (256)

Registered COM Controls


CLSID
{28F4700C-44EB-4BD8-BC25-95812DE98E08}
{3F13AB10-AE95-48AA-8C94-533730760A20}
{42D69529-136E-49D6-8407-3026853038BF}
{494C063B-1024-4DD1-89D3-713784E82044}
{4FE8C25F-C8E9-4322-98EE-A11E117CF049}
{59B7D16A-C309-47C4-9667-363B9B8D8255}

{7C606A3F-8AA8-4E36-92D6-2B6AFEC0B732}
{B03B16C7-35A7-4A55-BEF1-8876E1CE2F45}
{BB5331F1-D8FF-4DDB-8A8F-2DF901123B33}
{BDE24877-01D7-4103-9704-F0EC82FA7CE9}
{CB35832D-0C2C-41A9-84E1-A7CD1E0C6254}
{D06342BD-9057-4673-B43A-0E9BBBE99F11}
{EF6EF542-EB19-4986-89D3-143960609251}

Registered DCOM Servers


CLSID
{494C063B-1024-4DD1-89D3-713784E82044}
(CoBrmEngine Class)

File Registrations
File Extension
.printerExport

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-300-0

wbhstipm960eee7a-4c95-4d9b-a999-231c4b9e1091
wbhstipm927e89ca-69c4-4760-8658-9c22f815e502
wbhstipma58478d8-c9f2-478a-846f-0f26ac2fa067
wbhstipmc05afb30-36be-459e-b146-4d7340f260e2

fd1a4754-6978-4e22-aabe-899fc12bfb79

37a722f7-3ba9-417b-8aeb-67e324dbb54e

spoolss

Winsock2\CatalogChangeListener-294-0

RPC Endpoints
Interface UUID
{76f03f96-cdfd-44fc-a22c-64950a001209}
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}

Groups
Account Name
NT SERVICE\swprv

Role Dependency
Dependency
None
LPD Service
Services
Name
LPD Service (LPDSVC)

Running Processes
Image Name (PID)
svchost.exe (768)

svchost.exe (816)

svchost.exe (860)

svchost.exe (3048)

Ports
Port Name
123/UDP -- NTP
65276/UDP -- Unknown Protocol
123/UDP -- NTP
515/TCP -- Unknown Protocol
515/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d0-0
Winsock2\CatalogChangeListener-35c-0
Winsock2\CatalogChangeListener-294-0

Firewall Rules
Name
LPD Service
LPD Service
LPD Service

Groups
Account Name
NT SERVICE\LPDSVC

Role Dependency
Dependency
None

Internet Printing
Running Processes
Image Name (PID)
svchost.exe (772)

svchost.exe (824)

Ports
Port Name
123/UDP -- NTP
123/UDP -- NTP

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-1d8-0
Winsock2\CatalogChangeListener-248-0

Role Dependencies
Dependency
Print and Document Services
Web Server (IIS)

Management Tools

Distributed Scan Server
Services
Name
Distributed Scan Server service (ScanServer)
File Server Storage Reports Manager (SrmReports)

File Server Resource Manager (SrmSvc)


WebClient (WebClient)
Driver
Name
Datascrn (Datascrn)
WebDav Client Redirector Driver (MRxDAV)
Quota (Quota)

Running Processes
Image Name (PID)
svchost.exe (772)

svchost.exe (896)

svchost.exe (1312)

svchost.exe (2736)

svchost.exe (2940)

Registered COM Controls


CLSID
{0058EF37-AA66-4C48-BD5B-2FCE432AB0C8}
{1AB0A09F-2FE7-4AAA-AA80-EE3A4987E10C}
{1DEA3085-27E3-424B-BAC8-A1D7B367FAD2}
{20082091-F06D-4218-BA4C-25487D3ADEDE}

{243111DF-E474-46AA-A054-EAA33EDC292A}
{2FFBC541-7142-4B80-B48A-28A394DC5709}

{32FF7589-83D5-4E34-86FE-A2D5E27BDF3A}
{53E94FE8-9E5B-4ACD-B99D-E09BB87B149B}
{6C2C1D33-40EA-4941-908C-7DDF0864FFCA}
{8F1363F6-656F-4496-9226-13AECBD7718F}
{90DCAB7F-347C-4BFC-B543-540326305FBE}
{95941183-DB53-4C5F-B37B-7D0921CF9DC7}
{97D3D443-251C-4337-81E7-B32E8F4EE65E}
{AA226789-0134-433B-ACC1-2EDDA6806E9D}

{B15C0E47-C391-45B9-95C8-EB596C853F3A}
{D1A1CF92-E701-4AFE-89EB-37D8E715AF12}
{D46F1E88-AACD-42A3-BFFB-2D1ECA98F602}
{EA25F1B8-1B8D-4290-8EE8-E17C12C2FE20}
{EB18F9B2-4C3A-4321-B203-205120CFF614}
{F3BE42BD-8AC2-409E-BBD8-FAF9B6B41FEB}
{F3C2DFED-E357-496D-923F-1D75EFCCAD3F}
{F556D708-6D4D-4594-9C61-7DBB0DAE2A46}
{FC7C4BEB-83FC-4622-A2A4-8713E399E796}

Registered DCOM Servers


CLSID
{0058EF37-AA66-4C48-BD5B-2FCE432AB0C8}
(FsrmReportManager Class)
{1AB0A09F-2FE7-4AAA-AA80-EE3A4987E10C}
(FsrmEmailInternal Class)
{1DEA3085-27E3-424B-BAC8-A1D7B367FAD2}
(FsrmFileManagementJobActionRunner Class)
{243111DF-E474-46AA-A054-EAA33EDC292A}
(FsrmFileScreenTemplateManager Class)
{53E94FE8-9E5B-4ACD-B99D-E09BB87B149B}
(FsrmGlobalStoreManager Class)
{8F1363F6-656F-4496-9226-13AECBD7718F}
(FsrmFileGroupManager Class)
{90DCAB7F-347C-4BFC-B543-540326305FBE}
(FsrmQuotaManager Class)
{95941183-DB53-4C5F-B37B-7D0921CF9DC7}
(FsrmFileScreenManager Class)
{97D3D443-251C-4337-81E7-B32E8F4EE65E}
(FsrmQuotaTemplateManager Class)
{B15C0E47-C391-45B9-95C8-EB596C853F3A}
(FsrmClassificationManager Class)
{EA25F1B8-1B8D-4290-8EE8-E17C12C2FE20}
(FsrmReportScheduler Class)
{EB18F9B2-4C3A-4321-B203-205120CFF614}
(FsrmFileManagementJobManager Class)
{F3BE42BD-8AC2-409E-BBD8-FAF9B6B41FEB}
(FsrmPathMapper Class)
{F3C2DFED-E357-496D-923F-1D75EFCCAD3F}
(FsrmClusterUtil Class)
{F556D708-6D4D-4594-9C61-7DBB0DAE2A46}
(FsrmSetting Class)

Port
Port Name
49155/TCP -- Unknown Protocol
49167/TCP -- Unknown Protocol
49178/TCP -- Dynamic RPC Port
49155/TCP -- Unknown Protocol
49167/TCP -- Unknown Protocol
49178/TCP -- Dynamic RPC Port

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0

Winsock2\CatalogChangeListener-170-0

Winsock2\CatalogChangeListener-304-0

Winsock2\CatalogChangeListener-340-0

RpcProxy\49158

Winsock2\CatalogChangeListener-1d0-0
Winsock2\CatalogChangeListener-380-0

Firewall Rules
Name
Distributed scan client components (Proxy-Out)
Distributed scan client components (WSD Discovery-Out)
Distributed Scan Server (Service-In)
Distributed Scan Server (Service-Out)
Distributed Scan Server (WSD Events-Out)
Distributed Scan Server (WSD EventsSecure-Out)
Distributed Scan Server (WSD-In)
Distributed Scan Server (WSD-Out)
Remote File Server Resource Manager Management - FSRM Reports Service (RPC-In)
Remote File Server Resource Manager Management - FSRM Service (RPC-In)
Remote File Server Resource Manager Management - Remote Registry (RPC-In)
Remote File Server Resource Manager Management - RpcSs (RPC-EPMAP)
Remote File Server Resource Manager Management - Task Scheduler (RPC-In)
Remote File Server Resource Manager Management - Windows Management Instrumentation (Async-In)
Remote File Server Resource Manager Management - Windows Management Instrumentation (WMI-In)
Remote File Server Resource Manager Management (SMB-In)

Groups
Account Name
Scan Operators

NT SERVICE\SrmSvc
NT SERVICE\WerSvc

NT SERVICE\ScanServer

Group Membership
Account Name
Administrator

Account Privileges
Account
Administrator

Role Dependency
Dependency
None
Command Line Account
C:\Windows\System32\svchost.exe -k swprv

Friendly Name Binary Path


PPCNode Class C:\Windows\SysWOW64\ppcsnap.dll
PMCRootNode Class C:\Windows\SysWOW64\pmcsnap.dll
PMCComponent Class C:\Windows\SysWOW64\pmcsnap.dll
CoBrmEngine Class
MachineComponentData Class C:\Windows\SysWOW64\ppcsnap.dll
PSFactoryBuffer C:\Windows\system32\spool\tools\PrintBrmPs.dll

PMCPrintQueueViewExtension Class C:\Windows\SysWOW64\pmcsnap.dll


PMCAbout Class C:\Windows\SysWOW64\pmcsnap.dll
PPCRootNode Class C:\Windows\SysWOW64\ppcsnap.dll
UserComponent Class C:\Windows\SysWOW64\ppcsnap.dll
UserComponentData Class C:\Windows\SysWOW64\ppcsnap.dll
PMCComponentData Class C:\Windows\SysWOW64\pmcsnap.dll
MachineComponent Class C:\Windows\SysWOW64\ppcsnap.dll

AppID
{5C797117-3B23-4549-A6D8-475AB3B62228}

COM Class Handler

Network Denied Null Sessions Allowed


1 0

0 0
0 0
0 0
0 0

1 0

1 0

0 0

1 0

Endpoint Binding(s)
ncalrpc:[spoolss]
ncalrpc:[WMsgKRpc08A761]
ncalrpc:[WMsgKRpc08A761]

SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506

Description
Account Startup Mode
NT AUTHORITY\SYSTEM Auto

Command Line Account


C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k LPDService

State Process
Unknown svchost.exe (PID 816)
Unknown svchost.exe (PID 768)
Unknown svchost.exe (PID 816)
Listen svchost.exe (PID 3048)
Listen svchost.exe (PID 3048)
Listen svchost.exe (PID 768)

Network Denied Null Sessions Allowed


0 0
0 0
0 0
0 0
0 0
0 0

Direction Protocol
In TCP
In TCP
In TCP

SID Privileges
S-1-5-80-2197102725-3023581156-3238865096-876576887-3563286729

Description

Command Line Account


C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k LocalService

State Process
Unknown svchost.exe (PID 824)
Unknown svchost.exe (PID 824)

Network Denied Null Sessions Allowed


1 0
0 0

Description

This role service must be installed locally. The following components are required:
Print Server
This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Static Content
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
Application Development
● .NET Extensibility
● ISAPI Extensions
● ISAPI Filters
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
● Basic Authentication
● Windows Authentication
Performance
● Static Content Compression

This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
IIS 6 Management Compatibility
● IIS 6 Metabase Compatibility
IIS Management Console

Account Startup Mode


Administrator Auto
NT AUTHORITY\SYSTEM Demand

NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\LOCAL SERVICE Demand
Startup Mode
Boot
Demand
Boot

Command Line Account


C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost -k srmsvcs

C:\Windows\System32\svchost.exe -k WSDScanServer

C:\Windows\System32\svchost.exe -k WerSvcGroup

Friendly Name Binary Path


FsrmReportManager Class
FsrmEmailInternal Class
FsrmFileManagementJobActionRunner Class
Microsoft.Storage.Reports.FsrmReportManagerInproc C:\Windows\System32\mscoree.dll

FsrmFileScreenTemplateManager Class
Microsoft.Storage.SimpleContentCls.CSimpleContentCls C:\Windows\System32\mscoree.dll

FsrmSPDocumentParserModule Class C:\Windows\System32\srmstormod.dll


FsrmGlobalStoreManager Class
FsrmEmailExternal Class
FsrmFileGroupManager Class
FsrmQuotaManager Class
FsrmFileScreenManager Class
FsrmQuotaTemplateManager Class
Microsoft.Storage.Reports.FsrmClassificationManagerInproc C:\Windows\System32\mscoree.dll
FsrmClassificationManager Class
WSD RCWS Proxy Class C:\Windows\System32\WSDRCWSProxy.dll
WSD EWS Proxy Class C:\Windows\System32\WSDEWSProxy.dll
FsrmReportScheduler Class
FsrmFileManagementJobManager Class
FsrmPathMapper Class
FsrmClusterUtil Class
FsrmSetting Class
Microsoft.Storage.Reports.FsrmFileManagementJobManagerInproc C:\Windows\System32\mscoree.dll

AppID
{35B4B29E-0A6B-4ED7-B0A1-117BF912F497}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{35B4B29E-0A6B-4ED7-B0A1-117BF912F497}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{35B4B29E-0A6B-4ED7-B0A1-117BF912F497}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

{FA3FC5CF-0304-4CAC-99F0-032AC2B15D1E}

State Process
Listen svchost.exe (PID 772)
Listen spoolsv.exe (PID 832)
Listen services.exe (PID 464)
Listen svchost.exe (PID 772)
Listen spoolsv.exe (PID 832)
Listen services.exe (PID 464)

Network Denied Null Sessions Allowed


1 0

1 0

1 0

1 0

0 0

1 0
1 0

Direction Protocol
Out TCP
Out TCP

In TCP
Out TCP
Out TCP
Out TCP
In UDP
Out UDP
In TCP

In TCP

In TCP

In TCP

In TCP

In TCP

In TCP

In TCP

SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1000

S-1-5-80-2020974448-4107748278-3972193768-963817739-397362718
S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380
S-1-5-80-4243933974-429541294-4176721089-968464741-3826418161

Group Account Belongs To


Scan Operators

Privileges
SeServiceLogonRight

Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)

Description
Printer Migration File

DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

BUILTIN\Users AccessAllowed
\Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
\CREATOR OWNER AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
BUILTIN\Administrators AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

Account

DACL

Local Endpoint Remote Endpoint Enabled


*:515 *:* 1
*:515 *:* 1
*:515 *:* 1
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

Account

DACL
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)


Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Administrators AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

Local Endpoint Remote Endpoint Enabled


*:* *:5362 1
*:* *:3702 1

*:5362 *:* 1
*:5362 *:* 1
*:* *:5357 1
*:* *:5358 1
*:3702 *:* 1
*:* *:3702 1
*:RPC *:* 0

*:RPC *:* 0

*:RPC *:* 0

*:RPC-EPMap *:* 0

*:RPC *:* 0

*:* *:* 0

*:* *:* 0

*:445 *:* 0
Certification Authority
Services
Name
Active Directory Certificate Services (CertSvc)

Running Processes
Image Name (PID)
lsass.exe (472)
certsrv.exe (844)

Registered COM Controls


CLSID
{11BDCE06-D55C-44E9-BC0B-8655F89E8CC5}
{1F823A6A-863F-11D1-A484-00C04FB93753}
{3549FFA2-37C6-4B6A-9D67-6BBB88103C08}
{3B6654D0-C2C8-11D2-B313-00C04F79DC72}
{3BB44360-C2C8-11D2-B313-00C04F79DC72}
{3F276EB4-70EE-11D1-8A0F-00C04FB93753}
{4653E860-4CC7-11D1-8CA0-00C04FC297EB}
{5C5F6C90-C2C8-11D2-B313-00C04F79DC72}
{5D2C2FB0-C2C8-11D2-B313-00C04F79DC72}
{634BDE40-E5E1-49A1-B2CD-140FFFC830F9}
{94142360-8BD5-11D3-B32E-00C04F79DC72}
{946E4B70-8BD5-11D3-B32E-00C04F79DC72}
{9BFF616C-3E02-11D2-A4CA-00C04FB93209}
{A994E107-6854-4F3D-917C-E6F01670F6D3}
{ACE10358-974C-11D1-A48D-00C04FB93753}
{B3166948-44D7-4286-B679-D86ABF16942F}
{BF84C0C5-0C80-11D2-A497-00C04FB93209}
{D99E6E73-FC88-11D0-B498-00A0C90312F3}
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
{DC696F4A-8BCB-4996-B5C3-B018C73BE8B7}
{DE751566-4CC6-11D1-8CA0-00C04FC297EB}

Registered DCOM Servers


CLSID
{D99E6E73-FC88-11D0-B498-00A0C90312F3} (CertSrv Admin)
{D99E6E74-FC88-11D0-B498-00A0C90312F3} (CertSrv Request)

DCOM Default Permissions


Permission
MachineAccessRestriction

MachineLaunchRestriction

Ports
Port Name
49160/TCP -- Unknown Protocol
49160/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d8-0

Winsock2\CatalogChangeListener-1d0-0
Winsock2\CatalogChangeListener-358-0
cert

Winsock2\CatalogChangeListener-34c-0

RPC Endpoints
Interface UUID
{91ae6020-9e3c-11cf-8d7c-00aa00c091be}
{b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86}

Firewall Rules
Name
Certification Authority Enrollment and Management Protocol (CERTSVC-DCOM-IN)
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-EPMAP-IN)
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-NP-IN)
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-TCP-IN)
Certification Authority Enrollment and Management Protocol (CERTSVC-TCP-OUT)

Groups
Account Name
NT SERVICE\CertSvc

Group Membership
Account Name
NT AUTHORITY\Authenticated Users

Role Dependency
Dependency
None

Certification Authority Web Enrollment

Running Processes
Name (PID)
svchost.exe (2096)

Network Shares
Name
CertEnroll

Groups
Account Name
NT SERVICE\WerSvc

Role Dependency
Dependency
Web Server (IIS)

Management Tools

Online Responder
Services
Name
Online Responder Service (OCSPSvc)

Running Processes


Image Name (PID)
svchost.exe (820)
ocspsvc.exe (2244)

Registered COM Controls


CLSID
{34FF2E22-3EBE-4417-A630-FAA1C3B1A272}
{3AB092C4-DE6A-4DC4-BE9E-FDACBB05759C}
{3E3C21C7-1C45-4303-87F5-7CEF68B2853A}
{4956D17F-88FD-4198-B287-1E6E65883B19}
{CFCDC9F3-C50E-11D2-952B-00C04FB92EC2}

Registered DCOM Servers


CLSID
{3AB092C4-DE6A-4DC4-BE9E-FDACBB05759C} (OCSPRequestD Class)
{6D5AD135-1730-4F19-A4EB-3F78E7C976BB} (OCSPAdminD Class)

Firewall Rules
Name
Online Responder Service (DCOM-In)
Online Responder Service (RPC-In)
Online Responder Service (TCP-Out)

Groups
Account Name
NT SERVICE\OCSPSvc

Role Dependency
Dependency
Web Server (IIS)

Management Tools

Network Device Enrollment Service

No changes reported by the Attack Surface Analyzer beyond those made by the dependent features and services.

Role Dependency
Dependency
Web Server (IIS)

Management Tools

Certificate Enrollment Web Service

No changes reported by the Attack Surface Analyzer beyond those made by the dependent features and services.

Role Dependency
Dependency
None
Certificate Enrollment Policy Web Service

No changes reported by the Attack Surface Analyzer beyond those made by the dependent features and services.

Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\SYSTEM Auto

Command Line Account


C:\Windows\system32\lsass.exe
C:\Windows\system32\certsrv.exe

Friendly Name Binary Path


Certificate Template Shell Extension C:\Windows\system32\certtmpl.dll
CA Certificate Templates Extension Snapin C:\Windows\system32\capesnpn.dll
CertDBMem class C:\Windows\system32\certdb.dll
CertPolicy Class C:\Windows\system32\certpdef.dll
CertManagePolicyModule Class C:\Windows\system32\certpdef.dll
CA Certificate Templates Extension Snapin C:\Windows\system32\capesnpn.dll
Snapin Class C:\Windows\system32\certmmc.dll
CertExit Class C:\Windows\system32\certxds.dll
CertManageExitModule Class C:\Windows\system32\certxds.dll
C:\Windows\system32\pkiview.dll
CertDBRestore class C:\Windows\system32\certdb.dll
CertDB class C:\Windows\system32\certdb.dll
Certificate Template Shell Extensions C:\Windows\system32\capesnpn.dll
CERTTMPL 1.0 Object C:\Windows\system32\certtmpl.dll
CA Certificate Templates Extension Snapin C:\Windows\system32\capesnpn.dll
C:\Windows\system32\pkiview.dll
CA Certificate Templates Extension Snapin C:\Windows\system32\capesnpn.dll
CertSrv Admin
CertSrv Request
CERTTMPL 1.0 Object C:\Windows\system32\certtmpl.dll
Snapin Class C:\Windows\system32\certmmc.dll

AppID
{D99E6E74-FC88-11D0-B498-00A0C90312F3}

{D99E6E74-FC88-11D0-B498-00A0C90312F3}
Setting
BUILTIN\Certificate Service DCOM Access AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed

BUILTIN\Certificate Service DCOM Access AccessAllowed
BUILTIN\Administrators AccessAllowed
Everyone AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
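The table above records only AccessAllowed per trustee. The registry value behind it also carries the local/remote split that decides whether Everyone and NT AUTHORITY\ANONYMOUS LOGON can reach the CA's DCOM interface over the network, and that split is what a reviewer needs. The script below is an added example written for this edition, not Attack Surface Analyzer output and not Microsoft code: it decodes the LaunchPermission and AccessPermission values stored under the AppID keys that appear in this chapter ({D99E6E74-...} for the CertSrv Request and CertSrv Admin servers, {2340FEF5-...} for the Online Responder, {7C05AAB5-...} for the Windows Security Health Validator). The pairing of each AppID with a role service is an assumption taken from the adjacent tables; when a value is absent the machine-wide default DCOM permissions apply, which the script reports rather than guesses.

```powershell
# Added example for this edition; not Attack Surface Analyzer output.
# Decodes the DCOM launch and access DACLs stored under each AppID key and
# shows the local/remote split that the AccessAllowed rows above omit.
# Run in an elevated PowerShell (2.0 or later) on the server under review.

# AppIDs from the tables in this chapter. The role-service pairing is an
# assumption taken from the adjacent "Registered DCOM Servers" rows.
$appIds = @(
    '{D99E6E74-FC88-11D0-B498-00A0C90312F3}',   # CertSrv Request / CertSrv Admin
    '{2340FEF5-2F96-48E2-9155-55A0163BD3E5}',   # Online Responder (ocspsvc)
    '{7C05AAB5-5163-4971-B216-B9B8888D214C}'    # Windows Security Health Validator
)

# COM_RIGHTS_* bits as stored in the ACE access mask.
$comRights = @{ 1 = 'EXECUTE'; 2 = 'EXECUTE_LOCAL'; 4 = 'EXECUTE_REMOTE'
                8 = 'ACTIVATE_LOCAL'; 16 = 'ACTIVATE_REMOTE' }

function ConvertTo-ComRightNames([int]$mask) {
    $names = @()
    foreach ($bit in ($comRights.Keys | Sort-Object)) {
        if ($mask -band $bit) { $names += $comRights[$bit] }
    }
    if ($names.Count -eq 0) { return ('0x{0:X}' -f $mask) }
    return ($names -join '|')
}

function Get-DcomAppIdDacl([string]$appId, [string]$valueName) {
    $key   = "HKLM:\SOFTWARE\Classes\AppID\$appId"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null) { return }          # AppID not registered on this host
    $raw = $props.$valueName
    if ($raw -eq $null) {
        # No per-AppID value: the machine-wide DefaultLaunchPermission /
        # DefaultAccessPermission under HKLM\SOFTWARE\Microsoft\Ole apply.
        return New-Object PSObject -Property @{
            AppID = $appId; Value = $valueName; Trustee = '(machine default)'
            AceType = ''; Rights = '' }
    }
    # The REG_BINARY value is a self-relative SECURITY_DESCRIPTOR.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw, 0)
    if ($sd.DiscretionaryAcl -eq $null) {
        # NULL DACL: no access check at all, which is worse than any row above.
        return New-Object PSObject -Property @{
            AppID = $appId; Value = $valueName; Trustee = '(NULL DACL: unrestricted)'
            AceType = ''; Rights = '' }
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }            # unresolvable SID: show it raw
        New-Object PSObject -Property @{
            AppID = $appId; Value = $valueName; Trustee = $who
            AceType = [string]$ace.AceType
            Rights  = (ConvertTo-ComRightNames $ace.AccessMask) }
    }
}

$results = foreach ($id in $appIds) {
    foreach ($v in 'LaunchPermission', 'AccessPermission') { Get-DcomAppIdDacl $id $v }
}
$results | Format-Table AppID, Value, Trustee, AceType, Rights -AutoSize

# Rows worth a second look: unauthenticated or catch-all trustees with remote rights.
$results |
    Where-Object { $_.Trustee -match 'ANONYMOUS LOGON|^Everyone$' -and $_.Rights -match 'REMOTE' } |
    Format-Table AppID, Value, Trustee, Rights -AutoSize
```

An Everyone or ANONYMOUS LOGON entry that carries an EXECUTE_REMOTE or ACTIVATE_REMOTE right is the line to scrutinize before the server is reachable from a less trusted network; the AccessAllowed rows above cannot tell you whether those grants are local only.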

State Process
Listen certsrv.exe (PID 844)
Listen certsrv.exe (PID 844)

Network Denied Null Sessions Allowed


0 0
0 0
0 0
1 0

0 0
1 0
0 0

1 0

Endpoint Binding(s)
ncalrpc:[OLE4E341FD16C2C43D392EA98A0B668]
ncacn_np:[\\pipe\\lsass]

Direction Protocol
In TCP

In TCP

In TCP

In TCP

Out TCP

SID Privileges
S-1-5-80-3422467805-2927146326-436472433-
507205459-1353412743

Group Account Belongs To


BUILTIN\Certificate Service DCOM Access
Description

Command Line Account


C:\Windows\System32\svchost.exe -k WerSvcGroup

Path ACL
C:\Windows\system32\CertSrv\CertEnroll Everyone AccessAllowed
BUILTIN\Administrators AccessAllowed

SID Privileges
S-1-5-80-3299868208-4286319593-1091140620-
3583751967-1732444380

Description
This role service is a Web service that runs in IIS and as such requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
● Static Content
Application Development
● ASP
● ISAPI Extensions
● .NET Extensibility
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
● Windows Authentication
Performance
● Static Content Compression
IIS 6 Management Compatibility
● IIS 6 Metabase Compatibility
IIS Management Console
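The component list above is the minimum IIS footprint the role service needs, and every Web Server feature installed beyond it is attack surface the role service never asked for. The script below is an added example, not part of this reference and not Server Manager's own tooling: it maps the component names above to the Windows Server 2008 R2 feature identifiers that Get-WindowsFeature reports (that mapping is this example's own) and lists both required components that are missing and extra Web-* features that are installed.

```powershell
# Added example for this edition; not part of the Attack Surface Reference.
# Compares the IIS features installed on this host with the component list
# given in the role-service description above. Run on Windows Server 2008 R2
# where the ServerManager module provides Get-WindowsFeature.

Import-Module ServerManager

# Components from the description, mapped to Server Manager feature names.
# The mapping is this example's own assumption about which identifier
# corresponds to each component name.
$required = @(
    'Web-Default-Doc', 'Web-Dir-Browsing', 'Web-Http-Errors',       # Common HTTP Features
    'Web-Http-Redirect', 'Web-Static-Content',
    'Web-ASP', 'Web-ISAPI-Ext', 'Web-Net-Ext',                      # Application Development
    'Web-Http-Logging', 'Web-Log-Libraries',                        # Health and Diagnostics
    'Web-Request-Monitor', 'Web-Http-Tracing',
    'Web-Filtering', 'Web-Windows-Auth',                            # Security
    'Web-Stat-Compression',                                         # Performance
    'Web-Metabase',                                                 # IIS 6 Metabase Compatibility
    'Web-Mgmt-Console'                                              # IIS Management Console
)

function Get-IisFeatureDelta([string[]]$requiredFeatures) {
    # Leaf features only: containers such as Web-Server or Web-Common-Http are
    # reported installed whenever one of their children is, so they carry no
    # information of their own.
    $installed = Get-WindowsFeature Web-* |
        Where-Object { $_.Installed -and $_.SubFeatures.Count -eq 0 } |
        ForEach-Object { $_.Name }

    $missing = $requiredFeatures | Where-Object { $installed -notcontains $_ }
    $extra   = $installed        | Where-Object { $requiredFeatures -notcontains $_ }

    New-Object PSObject -Property @{
        Installed = @($installed)
        Missing   = @($missing)    # required by the role service but absent
        Extra     = @($extra)      # installed but not required: extra attack surface
    }
}

$delta = Get-IisFeatureDelta $required
'Missing : ' + ($delta.Missing -join ', ')
'Extra   : ' + ($delta.Extra   -join ', ')
```

Features that several role services on the same host share (the Online Responder and the enrollment Web services each bring their own list) will show up as Extra for one description and Required for another; run the comparison once per host against the union of the lists for the role services it actually carries.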

Account Startup Mode


NT AUTHORITY\NETWORK SERVICE Auto

Command Line Account


C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\ocspsvc.exe

Friendly Name Binary Path


OCSPRevInfoProviderManager Class C:\Windows\system32\ocsprevp.dll
OCSPRequestD Class
COcspSynchronize Class C:\Windows\system32\ocspisapi.dll
OCSPRevInfoProvider Class C:\Windows\system32\ocsprevp.dll
C:\Windows\system32\ocspadminnative.dll

AppID
{2340FEF5-2F96-48E2-9155-55A0163BD3E5}

{2340FEF5-2F96-48E2-9155-55A0163BD3E5}

Direction Protocol
In TCP
In TCP
Out TCP

SID Privileges
S-1-5-80-3804348527-3718992918-2141599610-
3686422417-2726379419

Description
This role service is a Web service that runs in IIS and as such requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
● Static Content
Application Development
● ASP
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
Performance
● Static Content Compression
IIS 6 Management Compatibility
● IIS 6 Metabase Compatibility
IIS Management Console

Description
This role service is a Web service that runs in IIS and as such requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
● Static Content
Application Development
● .NET Extensibility
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
● Windows Authentication
Performance
● Static Content Compression
IIS 6 Management Compatibility
● IIS 6 Metabase Compatibility
IIS Management Console

Description
Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)
Account

DACL

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\CertSvc AccessAllowed
\OWNER RIGHTS AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

Local Endpoint Remote Endpoint Enabled


*:135 *:* 1

*:RPC-EPMap *:* 1

*:445 *:* 1

*:RPC *:* 1

*:* *:* 1
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)

Local Endpoint Remote Endpoint Enabled


*:135 *:* 0
*:RPC *:* 0
*:* *:* 1
NPAS
Services
Name
Network Policy Server (IAS)

Running Processes
Image Name (PID)
svchost.exe (1408)
mscorsvw.exe (1448)

iashost.exe (1592)

mscorsvw.exe (2476)

Registered COM Controls


CLSID
{12BC0F55-BC8B-38AA-B21D-7DE48D168BE0}

{346CA505-1521-467E-AE86-375463D3B4E2}
{56188327-7B25-4430-B247-FC96421A1720}

{6D2010D2-3BAD-4E00-B40B-F4BB8795BD09}

Registered DCOM Servers


CLSID
{6D2010D2-3BAD-4E00-B40B-F4BB8795BD09}
(Windows Security Health Validator Component
Configurator)

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-300-0
wbhstipm960eee7a-4c95-4d9b-a999-231c4b9e1091

wbhstipm927e89ca-69c4-4760-8658-9c22f815e502
wbhstipma58478d8-c9f2-478a-846f-0f26ac2fa067
wbhstipmc05afb30-36be-459e-b146-4d7340f260e2

fd1a4754-6978-4e22-aabe-899fc12bfb79

37a722f7-3ba9-417b-8aeb-67e324dbb54e

RPC Endpoints
Interface UUID
{7d814569-35b3-4850-bb32-83035fcebf6e}
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}

Firewall Rules
Name
Network Policy Server (DCOM-In)
Network Policy Server (Legacy RADIUS Accounting -
UDP-In)
Network Policy Server (Legacy RADIUS Authentication -
UDP-In)
Network Policy Server (RADIUS Accounting - UDP-In)

Network Policy Server (RADIUS Authentication - UDP-


In)
Network Policy Server (RPC)

Groups
Account Name
NT SERVICE\swprv

Role Dependencies
Dependency
None

Role Dependency
Dependency
None

Routing and Remote Access
Remote Access
Routing

Host Credential Authorization Protocol
Groups
Account Name
IIS APPPOOL\HCAPPool

Role Dependencies
Dependency
Network Policy and Access Server
Web Server (IIS)

Management Tools

Note Although not required to be installed locally, the HCAP role service requires access to a certification authority (CA). For more information about CAs, see Chapter 9, "Hardening Active Directory Certificate Services."

Health Registration Authority
No changes reported by the Attack Surface Analyzer beyond those made by the dependent features and services.

Role Dependencies
Dependency
Network Policy and Access Server

Web Server (IIS)

Management Tools
Note Although not required to be installed locally, the HRA role service requires access to a certification authority (CA). For more information about CAs, see Chapter 9, "Hardening Active Directory Certificate Services."
Account Startup Mode
NT AUTHORITY\SYSTEM DelayedAuto

Command Line Account


C:\Windows\System32\svchost.exe -k swprv
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\iashost.exe {48DA6741-1BF0-4A44-8325-293086C79077} -Embedding
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -UseCLSID {50E63CB8-470E-4046-9697-E19818DA3D22} -Comment "NGen Worker Process"

Friendly Name Binary Path


Microsoft.Windows.ShvClassLibrary.ShvManagedUI C:\Windows\System32\mscoree.dll
Windows Security Health Validator Component C:\Windows\SysWOW64\msshv.dll
Windows Security Health Validator Component Info C:\Windows\SysWOW64\msshv.dll
Windows Security Health Validator Component Configurator

AppID
{7C05AAB5-5163-4971-B216-B9B8888D214C}

Network Denied Null Sessions Allowed


1 0
0 0

0 0
0 0
0 0

1 0

1 0

Endpoint Binding(s)
ncalrpc:[IUserProfile2]
ncalrpc:[WMsgKRpc08A761]
ncalrpc:[WMsgKRpc08A761]

Direction Protocol
In TCP
In UDP

In UDP

In UDP

In UDP

In TCP

SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-
3707138327-1664821506

Description

Description
Services
Name Account
Remote Access Quarantine Agent (rqs) NT AUTHORITY\LOCAL SERVICE

Registered COM Controls


CLSID Friendly Name
{1AA7F844-C7F5-11D0-A376-00C04FC9DA04} remrras Class
{66A2DB1A-D706-11D0-A37B-00C04FC9DA04} PSFactoryBuffer

{C2FE4500-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE4501-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE4502-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE4503-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE4504-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE4505-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE4508-D6C2-11D0-A37B-00C04FC9DA04} IGMP Snap-in

{C2FE4509-D6C2-11D0-A37B-00C04FC9DA04} IGMP Snap-in

{C2FE450A-D6C2-11D0-A37B-00C04FC9DA04} Router Configuration object for IP

{C2FE450B-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE450C-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE4510-D6C2-11D0-A37B-00C04FC9DA04} IPv6 Routing Management

{C2FE4512-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management

{C2FE4513-D6C2-11D0-A37B-00C04FC9DA04} IP Routing Management


{C2FE451A-D6C2-11D0-A37B-00C04FC9DA04} Router Configuration object for IPv6

Registered DCOM Servers


CLSID AppID
{1AA7F844-C7F5-11D0-A376-00C04FC9DA04} (remrras Class) {66A2DB81-D706-11D0-A37B-00C04FC9DA04}

Named Pipes
Pipe Name Network Denied
Winsock2\CatalogChangeListener-284-0 0
Winsock2\CatalogChangeListener-170-0 0
Winsock2\CatalogChangeListener-300-0 0
Winsock2\CatalogChangeListener-1d0-0 0

Firewall Rules
Name Direction
DHCPv4 Relay Agent [Client] (UDP-In) In
DHCPv4 Relay Agent [Client] (UDP-Out) Out
DHCPv6 Relay Agent [Server] (UDP-In) In
DHCPv6 Relay Agent [Server] (UDP-Out) Out
Remote Access Quarantine (TCP-In) In
Routing and Remote Access Remote Management In
(DCOM-In)
Routing and Remote Access Remote management In
(RPC-In)

Groups
Account Name SID
NT SERVICE\rqs S-1-5-80-6924576-598676285-3528829976-
1458831571-971033904

Role Dependencies
Dependency Description
NPS: Although not dependent on this role, the Remote Access Service role service uses the NPS role service for authentication in most remote access scenarios.
AD CS: Although not dependent on this role, the Remote Access Service role service uses the AD CS role for certificate authentication in some remote access scenarios.

Role Dependency
Dependency Description
None

No changes reported by the Attack Surface Analyzer beyond those made by the dependent features and services.

Role Dependencies
Dependency Description
Routing and Remote Access: The Routing role service depends on the Routing and Remote Access role service.
NPS: Although not dependent on this role, the Remote Access Service role service uses the NPS role service for authentication in most remote access scenarios.
AD CS: Although not dependent on this role, the Remote Access Service role service uses the AD CS role for certificate authentication in some remote access scenarios.

Role Dependency
Dependency Description
None

SID Privileges
S-1-5-82-3258179292-727607683-3980614313-
3289190592-1598744453
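The S-1-5-80 values in the Groups and SID columns of this chapter, and the S-1-5-82 value above for IIS APPPOOL\HCAPPool, are not stored accounts. Windows derives a service SID from the SHA-1 hash of the upper-cased, UTF-16LE service name, and builds an application pool identity the same way under a different prefix. That is why the same service carries the same SID on every host, and why an ACL such as the one granting NT SERVICE\CertSvc access earlier in this chapter can exist before the service has ever logged on. The function below is an added example, not part of this reference; the names it hashes are the ones that appear in the tables of this chapter, and the pairing of each name with a service (for instance WerSvc for the svchost -k WerSvcGroup entry) is this example's reading of those tables.

```powershell
# Added example for this edition; not part of the Attack Surface Reference.
# Derives the virtual-account SIDs (NT SERVICE\<name> and IIS APPPOOL\<name>)
# that Attack Surface Analyzer lists under Groups / SID, so a reviewer can
# tell which service or pool an otherwise anonymous S-1-5-80-... row belongs to.

function Get-VirtualAccountSid {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [ValidateSet('Service', 'AppPool')][string]$Kind = 'Service'
    )
    # S-1-5-80 = NT SERVICE, S-1-5-82 = IIS APPPOOL; the sub-authorities are
    # the SHA-1 of the upper-cased UTF-16LE name, read as five little-endian DWORDs.
    $prefix = if ($Kind -eq 'Service') { 80 } else { 82 }
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
        $hash  = $sha1.ComputeHash($bytes)
    } finally {
        $sha1.Clear()
    }
    $subAuthorities = @()
    for ($i = 0; $i -lt 20; $i += 4) {
        # BitConverter is little-endian on x86/x64, matching the SID layout.
        $subAuthorities += [BitConverter]::ToUInt32($hash, $i)
    }
    return 'S-1-5-{0}-{1}' -f $prefix, ($subAuthorities -join '-')
}

# Service names that appear in this chapter's tables; WerSvc is inferred
# from the "-k WerSvcGroup" command line rather than stated outright.
foreach ($svc in 'CertSvc', 'OCSPSvc', 'swprv', 'rqs', 'WerSvc') {
    '{0,-22} {1}' -f "NT SERVICE\$svc", (Get-VirtualAccountSid -Name $svc)
}
'{0,-22} {1}' -f 'IIS APPPOOL\HCAPPool', (Get-VirtualAccountSid -Name 'HCAPPool' -Kind AppPool)
```

Compare the output with the SIDs listed in this chapter, or with sc.exe showsid <name> on any Windows Server 2008 R2 host, which computes the same value without contacting the SAM or Active Directory. A SID in the S-1-5-80 range that none of the installed services reproduces is worth investigating: it is either a service that has since been removed or one that was never part of the role.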

Description
This role service must be installed locally, but can be configured as a proxy. The following components are required:
Network Policy Server
This role service is a Web service that runs in IIS and as such requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Static Content
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
Application Development
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Basic Authentication
● Digest Authentication
● Client Certificate Mapping Authentication
● IIS Client Certificate Mapping Authentication
Performance
● Static Content Compression
IIS 6 Management Compatibility
● IIS 6 Metabase Compatibility
● IIS 6 WMI Compatibility
IIS Management Console
Description
This role service must be installed locally, but can be configured as a proxy. The following components are required:
Network Policy Server
This role service is a Web service that runs in IIS and as such requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Static Content
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
Application Development
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Windows Authentication
● Client Certificate Mapping Authentication
Performance
● Static Content Compression
IIS 6 Management Compatibility
● IIS 6 Metabase Compatibility
● IIS 6 Scripting Tools
● IIS 6 WMI Compatibility
IIS Management Console
Process Flags
(Linker Version: 9.0.-1) (ASLR)
NX: Enabled (Linker Version:
10.0.-1) (ASLR)(Uses SafeSEH)
(Uses /GS)
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 10.0.-1) (ASLR)

DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

Local Endpoint Remote Endpoint Enabled


*:135 *:* 1
*:1646 *:* 1

*:1645 *:* 1

*:1813 *:* 1

*:1812 *:* 1

*:RPC *:* 1
Startup Mode
Demand

Binary Path

C:\Windows\system32\rrasprxy.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll

Null Sessions Allowed DACL


0
0
0
0

Protocol Local Endpoint Remote Endpoint


UDP *:67 *:*
UDP *:67 *:*
UDP *:547 *:*
UDP *:547 *:*
TCP *:7250 *:*
TCP *:RPC-EPMap *:*

TCP *:RPC *:*

Privileges
Enabled
1
1
1
1
1
0

0
Remote Desktop Session Host Role Service
Services
Offline Files (CscService)
Windows Image Acquisition (WIA) (stisvc)
Tablet PC Input Service (TabletInputService)
Themes (Themes)
WebClient (WebClient)
Windows Defender (WinDefend)

Drivers
Name
Offline Files Driver (CSC)
WebDav Client Redirector Driver (MRxDAV)

Running Processes
Image Name (PID)
svchost.exe (744)

svchost.exe (792)

svchost.exe (928)

svchost.exe (1940)

WMIADAP.exe (2176)
svchost.exe (2460)

audiodg.exe (2968)

Registered COM Controls


CLSID
{00020000-0000-0000-C000-000000000046}
{00020001-0000-0000-C000-000000000046}
{0002000D-0000-0000-C000-000000000046}
{0002000F-0000-0000-C000-000000000046}
{00393519-3A67-4507-A2B8-85146167ACA7}
{005A9C68-E216-4B27-8F59-B336829B3868}
{0086C339-9C0E-4C09-9A2F-FF3D19A44A18}
{00F20EB5-8FD6-4D9D-B75E-36801766C8F1}
{00F210A1-62F0-438B-9F7E-9618D72A1831}

{00F24CA0-748F-4E8A-894F-0E0357C6799F}

{00F26E02-E9F2-4A9F-9FDD-5A962FB26A98}

{00F29A34-B8A1-482C-BCF8-3AC7B0FE8F62}

{00F2B433-44E4-4D88-B2B0-2698A0A91DBA}
{00F2CE1E-935E-4248-892C-130F32C45CB4}

{01F36CE2-0907-4D8B-979D-F151BE91C883}
{031EE060-67BC-460D-8847-E4A7C5E45A27}
{0344EC28-5339-4124-A186-2E8EEF168785}
{036A9790-C153-11D2-9EF7-006008039E37}
{04A1E553-FE36-4FDE-865E-344194E69424}

{04A578B2-E778-422A-A805-B3EE54D90BD9}
{04B55BC3-33DE-4D79-94EC-830CDF96CC82}
{05589FA1-C356-11CE-BF01-00AA0055595A}
{067B4B81-B1EC-489F-B111-940EBDC44EBE}
{07A774A0-6047-11D1-BA20-006097D2898E}
{08A99E2F-6D6D-4B80-AF5A-BAF2BCBE4CB9}

{0A522732-A626-11D0-8D60-00C04FD6202B}
{0AA02E8D-F851-4CB0-9F64-BBA9BE7A983D}

{0AE89F03-C538-4471-9B12-A8E8EF246A0D}
{0AF10CEC-2ECD-4B92-9581-34F6AE0637F3}
{0B91A74B-AD7C-4A9D-B563-29EEF9167172}

{0C15D503-D017-47CE-9016-7B3F978721CC}

{0C5672F9-3EDC-4B24-95B5-A6C54C0B79AD}
{0CFDD070-581A-11D2-9EE6-006008039E37}
{101A8FB9-F1B9-11D1-9A56-00C04FA309D4}
{10CFC467-4392-11D2-8DB4-00C04FA31A66}
{11103421-354C-4CCA-A7A3-1AFF9A5B6701}
{11993195-1244-4840-AB44-480975C4FFE4}
{1202DB60-1DAC-42C5-AED5-1ABDD432248E}
{137F5EC6-CF6B-482F-ACEA-C687DFBD199D}
{13DE4A42-8D21-4C8E-BF9C-8F69CB068FCA}

{14D7A407-396B-44B3-BE85-5199A0F0F80A}
{14DD9A1C-7CFF-41BE-B1B9-BA1AC6ECB571}
{1649B154-C794-497A-9B03-F3F0121302F3}
{176D323D-E591-4535-9A09-26F698E5AC5D}

{18C628EE-962A-11D2-8D08-00A0C9441E20}
{19603261-6059-43DF-B9E1-8B4352825A90}
{1A1F4206-0688-4E7F-BE03-D82EC69DF9A5}
{1A56451B-1315-4012-861E-8587333DD631}
{1B544C24-FD0B-11CE-8C63-00AA0044B520}
{1BF18D30-223C-4E0F-9074-C78C1256FD43}

{1C621200-67B2-11D2-9EEB-006008039E37}
{1DCB3A00-33ED-11D3-8470-00C04F79DBC0}
{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9}
{1EA1EA14-48F4-4054-AD1A-E8AEE10AC805}
{1EA5FB56-9EE8-47DC-8998-F45585C2E3E0}
{1F1F4E1A-2252-4063-84BB-EEE75F8856D5}
{1FEFD825-016B-484C-A0AA-616C5F371C1F}
{1FF28512-6C1F-4CC2-BB1D-948DD60DB711}
{203B1EED-DB9F-40FB-87BD-1990982017D2}
{22D6F312-B0F6-11D0-94AB-0080C74C7E95}
{233A9694-667E-11D1-9DFB-006097D50408}
{242025BB-8546-48B6-B9B0-F4406C54ACFC}

{24400D16-5754-11D2-8218-00C04FB687DA}
{25BAAD81-3560-11D3-8471-00C04F79DBC0}
{271C3902-6095-4C45-A22F-20091816EE9E}
{2781761E-28E0-4109-99FE-B9D127C57AFE}

{280A3020-86CF-11D1-ABE6-00A0C905F375}
{289978AC-A101-4341-A817-21EBA7FD046D}
{2A11BAE2-FE6E-4249-864B-9E9ED6E8DBC2}
{2A2699C5-775A-42E9-BF4A-A36FE41BA4CB}
{2A6F3A80-5976-11D2-9524-0060081840BC}
{2BD40F38-DE45-429D-9D04-24F7C24C78FD}
{2C676B7B-796E-4C59-8209-4D0473E32A17}
{2DCD1DAF-A110-49C0-BFDB-6FDF557B5FDF}
{2E9E59C0-B437-4981-A647-9C34B9B90891}
{2EEB4ADF-4578-4D10-BCA7-BB955F56320A}
{2EEEED04-0908-4CDB-AF8F-AC5B768A34C9}
{2F248FAD-47C5-42A8-9672-61095D712258}
{2FE9B39E-0062-41E5-A842-518E212C2CE0}
{31A2EA80-A9A3-40E5-9B16-20D7D855E55F}
{31DCBC0C-20D8-40B0-A409-F4474A942358}
{32624F4B-F1D5-4877-989E-555640109D2B}

{32BAED44-34B5-11D3-9315-00C04F72D6CF}
{3336B8BF-45AF-429F-85CB-8C435FBF21E4}

{34C219BD-85C1-4338-95E8-788A36901DC2}
{3529B1D2-313A-4202-BD3E-5996B7E18A10}

{35786D3C-B075-49B9-88DD-029876E11C01}
{357B663C-D9FA-4188-99AF-2943920F96C5}
{3734FF83-6764-44B7-A1B9-55F56183CDB0}
{37A61C8B-7F8E-4D08-B12B-248D73E9AB4F}
{3882134D-14CF-4220-9CB4-435F86D83F60}

{3908C3CD-4478-4536-AF2F-10C25D4EF89A}
{39AE2AEA-D4D5-4DA0-AE47-C020E1BE4BE5}
{3A8CCCBC-0EFD-43A3-B838-F38A552BA237}
{3ADCE5CC-13C8-4573-B328-ED438EB694F9}
{3AE86B20-7BE8-11D1-ABE6-00A0C905F375}
{3B3A2EE2-A607-4C54-A066-4AE1C0BAEEE3}
{3D96ED94-5D75-4165-9E1F-1A642C7BA316}

{3EE60F5C-9BAD-4CD8-8E21-AD2D001D06EB}

{3F35F070-99D6-11D2-8D10-00A0C9441E20}
{3FFB3B8C-EB99-472B-8902-E1C1B05F07CF}
{4003191F-71FF-49A2-B591-05C606FADB8B}
{404A6DE5-D4D6-4260-9BC7-5A6CBD882432}
{40C3D757-D6E4-4B49-BB41-0E5BBEA28817}

{41457294-644C-4298-A28A-BD69F2C0CF3B}
{417BAB8B-9D22-4A88-9DA0-98C4AB6745D5}
{42C9B9F5-16FC-47EF-AF22-DA05F7C842E3}
{42DFB618-A403-4401-908F-FE979B2215C8}
{43232233-8338-4658-AE01-0B4AE830B6B0}
{43B07326-AAE0-4B62-A83D-5FD768B7353C}

{43FB1553-AD74-4EE8-88E4-3E6DAAC915DB}
{44CB442B-9DA9-49DF-B3FD-023777B16E50}
{44DA8435-B187-4DD6-8F32-9341EB7E4C3C}
{45597C98-80F6-4549-84FF-752CF55E2D29}
{455F6102-C83A-4D07-BA36-B6DA9D589AE2}
{45F26E9E-6199-477F-85DA-AF1EDFE067B1}

{46C0A7DC-928A-485A-959F-1F9EF8686A11}
{47354492-827E-4B8A-B318-C80EBA1381F0}
{474C98EE-CF3D-41F5-80E3-4AAB0AB04301}
{477EC299-1421-4BDD-971F-7CCB933F21AD}
{48C6BE7C-3871-43CC-B46F-1449A1BB2FF3}
{48E2ED0F-98C2-4A37-BED5-166312DDD83F}
{498B0949-BBE9-4072-98BE-6CCAEB79DC6F}
{499EAEEA-2737-4849-8BB6-47F107EAF358}
{4A16043F-676D-11D2-994E-00C04FA309D4}

{4A76B469-7B66-4DD4-BA2D-DDF244C766DC}
{4B534112-3AF6-4697-A77C-D62CE9B9E7CF}
{4B6657E4-B973-46CD-9BB3-6E5EBD82448F}

{4BDD6232-2E55-4A1F-AAAD-961D76F439BA}

{4C649C49-C48F-4222-9A0D-CBBF4231221D}
{4CADFAE1-5512-456A-9D65-5B5E7E9CA9A3}

{4DB1AD10-3391-11D2-9A33-00C04FA36145}
{4DD1D1C3-B36A-4EB4-AAEF-815891A58A30}
{4DDA1941-77A0-4FB1-A518-E2185041D70C}
{4E77131D-3629-431C-9818-C5679DC83E81}
{4F695794-BFCF-48B0-A323-F874F9BD45F2}

{4FE24495-28CE-4920-A4C4-E556E1F0DF2A}
{50040C1D-BDBF-4924-B873-F14D6C5BFD66}
{50422459-63B3-4E9F-93C7-7B068517C027}
{5058292D-A244-4840-AB44-480975C4FFE4}
{5068B32E-DFE0-48C2-9816-4549033447DB}
{506D89AE-909A-44F7-9444-ABD575896E35}
{5210F8E4-B0BB-47C3-A8D9-7B2282CC79ED}
{524B13ED-2E57-40B8-B801-5FA35122EB5C}

{52E4E90A-F4AF-460A-9E60-FDFB86C9DD5D}
{5569E7F5-424B-4B93-89CA-79D17924689A}
{559C6BAD-1EA8-4963-A087-8A6810F9218B}
{566A2EFF-5651-4020-AC1A-EB48E4571EA3}
{5686A0D9-FE39-409F-9DFF-3FDBC849F9F5}
{576C9E85-1300-4EF5-BF6B-D00509F4EDCD}
{597D4FB0-47FD-4AFF-89B9-C6CFAE8CF08E}

{5A41EFA3-6C01-43DC-8C49-110151B36C70}
{5C140836-43DE-11D3-847D-00C04F79DBC0}
{5E1395B2-B685-44E3-8AED-E2304D85ACD1}
{5F4BAAD0-4D59-4FCD-B213-783CE7A92F22}
{60F6E464-4DEF-11D2-B2D9-00C04F8EEC8C}
{60F6E465-4DEF-11D2-B2D9-00C04F8EEC8C}
{60F6E466-4DEF-11D2-B2D9-00C04F8EEC8C}
{60F6E467-4DEF-11D2-B2D9-00C04F8EEC8C}
{60FD46DE-F830-4894-A628-6FA81BC0190D}
{61E79517-4A4E-45D8-9219-30E71A9EFF39}
{62079164-233B-41F8-A80F-F01705F514A8}
{626BAFE6-E5D6-11D1-B1DD-006097D503D9}
{6295DF27-35EE-11D1-8707-00C04FD93327}
{6295DF2D-35EE-11D1-8707-00C04FD93327}
{632A2D3D-86AF-411A-8654-7511B51B3D5F}

{636C15CF-DF63-4790-866A-117163D10A46}
{639F5AF5-BCED-4369-AC34-360B16D955FD}

{63A865AB-859E-4F15-8AEC-77FC615653D9}
{63FA5E69-87FE-432D-8F62-9D7A3D7D09C3}
{64D8A8E0-80A2-11D2-8CF3-00A0C9441E20}
{65BD0711-24D2-4FF7-9324-ED2E5D3ABAFA}
{65D00646-CDE3-4A88-9163-6769F0F1A97D}

{67F07E00-CCEF-11D2-9EF9-006008039E37}
{687D3367-3644-467A-ADFE-6CD7A85C4A2C}
{68E1DF8C-9512-4801-A105-25A44DCCB164}
{693644B0-6858-11D2-9EEB-006008039E37}
{69486DD6-C19F-42E8-B508-A53F9F8E67B8}
{69F9CB25-25E2-4BE1-AB8F-07AA7CB535E8}
{6B13B293-30FD-4ABB-8E41-29B1F88297E2}

{6B362280-6915-11D2-951F-0060081840BC}
{6BF52A52-394A-11D3-B153-00C04F79FAA6}
{6CA50344-051A-4DED-9779-A43305165E35}
{6E4FCB12-510A-4D40-9304-1DA10AE9147C}
{6EFEAE9E-014C-436A-8AAC-35DA9535ADC0}
{6F74FDC5-E366-11D1-9A4E-00C04FA309D4}
{6F74FDC6-E366-11D1-9A4E-00C04FA309D4}
{6F8DAE82-43A2-47AA-B0E7-47B7E82F705F}
{70F598E9-F4AB-495A-99E2-A7C4D3D89ABF}
{70F98452-3C38-4271-8E76-6F444852EBC8}

{7122A82D-E722-4AFC-AA87-EAA77D8CFCE1}

{71B804C5-5577-471D-8FE5-C4A45B654EB8}

{71D99464-3B6B-475C-B241-E15883207529}
{728A21C5-3D9E-48D7-9810-864848F0F404}
{7295965A-230A-4F34-AD5F-B15C9120F6E4}
{743A6E3B-A5DF-43ED-B615-4256ADD790B8}
{745057C7-F353-4F2D-A7EE-58434477730E}
{750FDF10-2A26-11D1-A3EA-080036587F03}
{760C4B83-E211-11D2-BF3E-00805FBE84A6}
{76D0CB12-7604-4048-B83C-1005C7DDC503}

{76EFD608-E0CE-4887-98E2-F931363C4BC5}

{76F014EC-1B0C-4A15-A029-4C0FDF12B5B1}
{777D0CFF-0375-43B9-8532-FB04A4903593}
{77F7F122-20B0-4117-A2FB-059D1FC88256}
{784215B4-0D2E-11D3-920A-00C0DF10D434}
{78530B75-61F9-11D2-8CAD-00A024580902}
{786CDB70-1628-44A0-853C-5D340A499137}

{7888E5FE-6C66-4A34-B217-FA2292073F4A}
{798059F0-89CA-4160-B325-AEB48EFE4F9A}
{7A0F6AB7-ED84-46B6-B47E-02AA159A152B}
{7A56C4CB-D678-4188-85A8-BA2EF68FA10D}
{7A9D77BD-5403-11D2-8785-2E0420524153}
{7AFA253E-F823-42F6-A5D9-714BDE467412}
{7BAFB3B1-D8F4-4279-9253-27DA423108DE}
{7CB359C5-570F-43C6-971F-1DB499EE57A1}
{7CCA6768-8373-4D28-8876-83E8B4E3A969}

{7DF62B50-6843-11D2-9EEB-006008039E37}
{7E320092-596A-41B2-BBEB-175D10504EB6}
{7EFA68C6-086B-43E1-A2D2-55A113531240}
{7F5D25F8-78A5-49A8-A33C-2C0E11831C66}
{80009818-F38F-4AF1-87B5-EADAB9433E58}
{80F3F1D5-FECA-45F3-BC32-752C152E456E}
{8144B6F5-20A8-444A-B8EE-19DF0BB84BDB}
{82435BDF-F7C1-4DF9-8103-EEABEBF3D6E1}
{82D353DF-90BD-4382-8BC2-3F6192B76E34}
{836FA1B6-1190-4005-B434-7ED921BE2026}

{83BBCBF3-B28A-4919-A5AA-73027445D672}
{850D1D11-70F3-4BE5-9A11-77AA6B2BB201}
{85BBD920-42A0-1069-A2E4-08002B30309D}
{86950435-ED12-42EF-A807-061E5E7CA99F}
{875CB1A1-0F29-45DE-A1AE-CFB4950D0B78}

{8770D941-A63A-4671-A375-2855A18EBA73}

{8854F6A0-4683-4AE7-9191-752FE64612C3}

{8A6842BB-84DB-4EFA-99B9-06C850DF53FC}
{8A734961-C4AA-4741-AC1E-791ACEBF5B39}
{8AC3587A-4AE7-42D8-99E0-0A6013EEF90F}
{8CBEED49-18A6-4D9C-8EF5-E4DD9AB04A83}

{8D8B8E30-C451-421B-8553-D2976AFA648C}
{8E528C21-9D52-4030-BA92-3481227ADDD1}
{8F0C5675-AEEF-11D0-84F0-00C04FD43F8F}
{905667AA-ACD6-11D2-8080-00805F6596D2}
{91778246-9BE4-4713-A651-E833B853CC30}
{926F41F7-003E-4382-9E84-9E953BE10562}
{92B66080-5E2D-449E-90C4-C41F268E5514}
{93126582-5402-4DB1-A102-33D330BC9B69}

{93714ED0-53F0-11D2-9EE6-006008039E37}
{937C1A34-151D-4610-9CA6-A8CC9BDB5D83}

{93AF0C51-2275-45D2-A35B-F2BA21CAED00}
{94E03510-31B9-47A0-A44E-E932AC86BB17}
{96BEC059-2052-4E44-8E11-123ACDC936FE}
{97103AE5-6248-4E04-97B5-36663159967C}

{975ABEDC-F64B-436D-ABFF-44B932459856}

{98042251-8C2B-4FC4-93E2-B1DB331EF5B9}
{98230571-0087-4204-B020-3282538E57D3}
{98455561-5136-4D28-AB08-4CEE40EA2781}
{987BBF42-5500-46D6-BAF0-A825828BC4EF}
{99E89F48-A745-416D-A4E0-ECF53C65DFA0}

{9B359D1B-AD5C-412F-A654-A431424359DE}
{9B77C0F2-8735-46C5-B90F-5F0B303EF6AB}
{9C1CC6E4-D7EB-4EEB-9091-15A7C8791ED9}

{9C502F01-0D36-4F16-8AC9-8693E0D84E44}
{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}
{9DE85094-F71F-44F1-8471-15A2FA76FCF3}

{9E358D23-02B2-4CCD-9FEE-6B75EE8DD5CA}

{9EC4B4F9-3029-45AD-947B-344DE2A249E2}
{9ED96B20-73AA-11D2-952C-0060081840BC}
{9ED96B21-73AA-11D2-952C-0060081840BC}
{9ED96B22-73AA-11D2-952C-0060081840BC}
{9FD4E808-F6E6-4E65-98D3-AA39054C1255}

{A08AF898-C2A3-11D1-BE23-00C04FA31009}
{A0A7A57B-59B2-4919-A694-ADD0A526C373}
{A0A8C0AC-FC70-4EE2-93A8-4A2257AE8619}
{A0ADD4EC-5BD3-4F70-A47B-07797A45C635}
{A1006DE3-2173-11D2-9A7C-00C04FA309D4}
{A1570149-E645-4F43-8B0D-409B061DB2FC}

{A1607060-5D4C-467A-B711-2B59A6F25957}
{A16E1BFF-A80D-48AD-AECD-A35C005685FE}
{A1F4E726-8CF1-11D1-BF92-0060081ED811}
{A2D75874-6750-4931-94C1-C99D3BC9D0C7}

{A2E6DDA0-06EF-4DF3-B7BD-5AA224BB06E8}
{A55803CC-4D53-404C-8557-FD63DBA95D24}
{A5B020FD-E04B-4E67-B65A-E7DEED25B2CF}
{A82E50BA-8E92-41EB-9DF2-433F50EC2993}
{A8792A31-F385-493C-A893-40F64EB45F6E}
{A9B48EAC-3ED8-11D2-8216-00C04FB687DA}
{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}
{AAA288BA-9A4C-45B0-95D7-94D524869DB5}
{AAC46A37-9229-4FC0-8CCE-4497569BF4D1}

{AB9D6472-752F-43F6-B29E-61207BDA8E06}
{ABB27087-4CE0-4E58-A0CB-E24DF96814BE}

{AC82FF6D-E524-4C0F-8D0B-0C74C1ECAAEA}

{AD4C1B00-4BF7-422F-9175-756693D9130D}
{AD763FA6-3B90-41AB-BD44-4F832BEEE55F}
{ADF95821-DED7-11D2-ACBE-0080C75E246E}
{AE9472BF-B0C3-11D2-8D24-00A0C9441E20}
{AEB16279-B750-48F1-8586-97956060175A}
{AEE3E4A8-EF01-4024-A0F1-809D9B096E14}
{AFB6C280-2C41-11D3-8A60-0000F81E0E4A}
{AFD7F94B-1627-436C-80C8-B464AA21CAD3}
{AFDB1F70-2A4C-11D2-9039-00C04F8EEB3E}
{B084785C-DDE0-4D30-8CA8-05A373E185BE}
{B106900C-4E8D-4147-8B22-CC60C6B285A8}
{B2A7FD52-301F-4348-B93A-638C6DE49229}
{B323F8E0-2E68-11D0-90EA-00AA0060F86C}
{B32D3949-ED98-4DBB-B347-17A144969BBA}
{B32F4002-BB27-45FF-AF4F-06631C1E8DAD}

{B4124623-FC0E-47CE-BCA9-126A6104ADA1}

{B4D85BBD-C1E6-4F2B-BF43-75CB28500A08}
{B6C292BC-7C88-41EE-8B54-8EC92617E599}
{B8558612-DF5E-4F95-BB81-8E910B327FB2}
{BAA884F4-3432-48B8-AA72-9BF20EEF31D5}

{BAA94581-C092-425C-B4D3-7B5EE0BAC3C4}
{BAEA8DC9-45F5-4DF8-A27F-2A277D524B15}
{BB44391D-6ABD-422F-9E2E-385C9DFF51FC}
{BBC40082-8ABB-4DDD-B1C6-4EE0A9A5DB52}
{BBEC4F81-C2BC-43A7-BD95-9738EE9B6CCA}
{BBEEA841-0A63-4F52-A7AB-A9B3A84ED38A}
{BC08386A-9952-40CD-BA50-9541D64A4B4E}

{BC48B32F-5910-47F5-8570-5074A8A5636A}
{BD0D38E4-74C8-4904-9B5A-269F8E9994E9}
{BD4F77B3-70B0-4464-83A5-785F205B823B}

{BDF23680-C1E5-11D2-9EF7-006008039E37}
{BE09F473-7FEB-11D2-9962-00C04FA309D4}
{BE8E0170-72DC-11D2-952A-0060081840BC}
{BF27441E-CDCD-4659-AEBE-06F6E069714E}
{BFD6C433-4B17-4F6D-A93C-B03FCC4E586E}
{C0E13E61-0CC6-11D1-BBB6-0060978B2AE6}
{C120DE80-FDE4-49F5-A713-E902EF062B8A}
{C1282A7B-9455-48DC-BBBB-46C2EB525AF5}
{C15E6BF0-6351-4588-AC4F-EF7D5EC8C16E}
{C1F400A0-3F08-11D3-9F0B-006008039E37}
{C1F400A4-3F08-11D3-9F0B-006008039E37}
{C2DAE44D-C850-425C-B466-D8CBC1469F5D}

{C39E156D-F621-48CF-B0EE-9C47C430543B}

{C447080C-D0C3-48AE-B31E-BB3E93591C69}
{C4D81942-0607-11D2-A392-00E0291F3959}
{C4D81943-0607-11D2-A392-00E0291F3959}
{C51F0A6B-2A63-4CF4-8938-24404EAEF422}
{C52FF1FD-EB6C-42CF-9140-83DEFECA7E29}

{C5A40261-CD64-4CCF-84CB-C394DA41D590}

{C5B19592-145E-11D3-9F04-006008039E37}
{C9FCB054-949A-4088-BA5B-8EE5CAEC5C69}
{CA34FE0A-5722-43AD-AF23-05F7650257DD}
{CA81B096-1D6F-4635-956E-F08C0B2EC342}
{CAE80521-F685-11D1-AF32-00C04FA31B90}
{CB0FC8E5-686A-478B-A252-FDECF8E167B7}
{CB17E772-E1CC-4633-8450-5617AF577905}
{CBA9E78B-49A3-49EA-93D4-6BCBA8C4DE07}
{CC1101F2-79DC-11D2-8CE6-00A0C9441E20}
{CC58E281-8AA1-11D1-B3F1-00AA003761C5}
{CC7BFB42-F175-11D1-A392-00E0291F3959}
{CC7BFB43-F175-11D1-A392-00E0291F3959}
{CD12A3CE-9C42-11D2-BEED-0060082F2054}
{CD3AA379-93F4-421B-9802-AEAB68B06771}
{CD3AFA70-B84F-48F0-9393-7EDC34128127}
{CD3AFA71-B84F-48F0-9393-7EDC34128127}
{CD3AFA72-B84F-48F0-9393-7EDC34128127}
{CD3AFA73-B84F-48F0-9393-7EDC34128127}
{CD3AFA74-B84F-48F0-9393-7EDC34128127}
{CD3AFA76-B84F-48F0-9393-7EDC34128127}
{CD3AFA77-B84F-48F0-9393-7EDC34128127}
{CD3AFA78-B84F-48F0-9393-7EDC34128127}
{CD3AFA7A-B84F-48F0-9393-7EDC34128127}
{CD3AFA7B-B84F-48F0-9393-7EDC34128127}
{CD3AFA7C-B84F-48F0-9393-7EDC34128127}
{CD3AFA7D-B84F-48F0-9393-7EDC34128127}
{CD3AFA83-B84F-48F0-9393-7EDC34128127}
{CD3AFA84-B84F-48F0-9393-7EDC34128127}
{CD3AFA88-B84F-48F0-9393-7EDC34128127}
{CD3AFA89-B84F-48F0-9393-7EDC34128127}
{CD3AFA8F-B84F-48F0-9393-7EDC34128127}
{CD3AFA90-B84F-48F0-9393-7EDC34128127}
{CD3AFA92-B84F-48F0-9393-7EDC34128127}
{CD3AFA93-B84F-48F0-9393-7EDC34128127}
{CD3AFA94-B84F-48F0-9393-7EDC34128127}
{CD3AFA95-B84F-48F0-9393-7EDC34128127}
{CD3AFA96-B84F-48F0-9393-7EDC34128127}
{CD3AFA97-B84F-48F0-9393-7EDC34128127}
{CD3AFA98-B84F-48F0-9393-7EDC34128127}
{CD3AFA99-B84F-48F0-9393-7EDC34128127}
{CD3AFA9A-B84F-48F0-9393-7EDC34128127}
{CD3AFA9B-B84F-48F0-9393-7EDC34128127}
{CDC32574-7521-4124-90C3-8D5605A34933}
{CFB16474-0A2E-48DC-88CE-8C0ADB7E5E46}

{D13E3F25-1688-45A0-9743-759EB35CDF9A}
{D1621129-45C4-41AD-A1D1-AF7EAFABEEDC}
{D23B90D0-144F-46BD-841D-59E4EB19DC59}
{D3667F1E-CCB8-4A69-99DF-59A2B2A6753F}
{D4F4D30B-0B29-4508-8922-0C5797D42765}
{D5753BBB-C5A8-4F50-9D81-210BAB0C5FB6}
{D63A1416-FCEC-4431-862F-E8056223DD03}

{D63AA156-D534-4BAC-9BF1-55359CF5EC30}
{D6791A63-E7E2-4FEE-BF52-5DED8E86E9B8}
{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}
{D8BF32A2-05A5-44C3-B3AA-5E80AC7D2576}

{DAA92564-78C8-40A3-96D2-9115A76B8F29}
{DE2D022D-2480-43BE-97F0-D1FA2CF98F4F}

{DE75D012-7A65-11D2-8CEA-00A0C9441E20}
{DE815B00-9460-4F6E-9471-892ED2275EA5}

{DECBDC16-E824-436E-872D-14E8C7BF7D8B}

{DFD74844-990B-4410-9DA0-2848EFA85D14}
{E137B0D0-7A93-11D2-8CEA-00A0C9441E20}
{E1C5D730-7E97-4D8A-9E42-BBAE87C2059F}
{E1D0AB13-2FE6-4DF0-8917-ED80CF0FEF6B}

{E211B736-43FD-11D1-9EFB-0000F8757FCD}
{E26B366D-F998-43CE-836F-CB6D904432B0}

{E2FB4720-F45F-4A3C-8CB2-2060E12425C3}
{E3D5D93C-1663-4A78-A1A7-22375DFEBAEE}

{E413D040-6788-4C22-957E-175D1C513A34}
{E46787A1-4629-4423-A693-BE1F003B2742}
{E474E05A-AB65-4F6A-827C-218B1BAAF31F}
{E51DFD48-AA36-4B45-BB52-E831F02E8316}

{E598560B-28D5-46AA-A14A-8A3BEA34B576}

{E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4}
{E70C92A9-4BFD-11D1-8A95-00C04FB951F3}
{E810CEE7-6E51-4CB0-AA3A-0B985B70DAF7}

{E8167EE2-AB45-4BAA-BD03-12590436D789}
{E882F102-F626-49E9-BD68-CE2BE7E59EA0}
{E882F102-F626-49E9-BD68-CE2BE7E59EB0}
{E882F102-F626-49E9-BD68-CE2BE7E59EC0}
{E95A4861-D57A-4BE1-AD0F-35267E261739}
{E96F5460-09CE-4F46-88B1-F4B6B4A8E252}

{E9A6AB1B-0C9C-44AC-966E-560C2771D1E8}

{E9F4EBAB-D97B-463E-A2B1-C54EE3F9414D}
{EA30C654-C62C-441F-AC00-95F9A196782C}

{EB4D075A-65C0-476B-956C-C605EADE03F7}
{EC98D957-48AD-436D-90BE-BC291F42709C}
{ECD32AEA-746F-4DCB-BF68-082757FAFF18}

{ED1D0FDF-4414-470A-A56D-CFB68623FC58}
{ED834ED6-4B5A-4BFE-8F11-A626DCB6A921}
{EE4DA6A4-8C52-4A63-BBB8-97C93D7E1B6C}
{EF5DB4C2-9312-422C-9152-411CD9C4DD84}
{EFB23A09-A867-4BE8-83A6-86969A7D0856}
{EFB4A0CB-A01F-451C-B6B7-56F02F77D76F}

{F0291081-E87C-4E07-97DA-A0A03761E586}

{F04CC277-03A2-4277-96A9-77967471BDFF}
{F056D291-A2AB-45F7-8EE4-40454493B351}
{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C}
{F20487CC-FC04-4B1E-863F-D9801796130B}
{F22F5E05-585C-4DEF-8523-6555CFBC0CB3}
{F371728A-6052-4D47-827C-D039335DFE0A}
{F447B69E-1884-4A7E-8055-346F74D6EDB3}
{F62D062C-4732-44D2-BD62-124B8AE1657C}
{F792BEEE-AEAF-4EBB-AB14-8BC5C8C695A8}
{F7AFD75B-BF8C-4A11-BDB9-04AD66182F84}
{F7C0039A-4762-488A-B4B3-760EF9A1BA9B}
{F7FFE0A0-A4F5-44B5-949E-15ED2BC66F9D}
{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E}
{F82DF8F7-8B9F-442E-A48C-818EA735FF9B}
{F979439C-48B7-4525-AB0E-EEE06439227A}

{F97B8A60-31AD-11CF-B2DE-00DD01101B85}
{F9F4D292-87F5-4E2D-98A1-590391932490}
{FA10746C-9B63-4B6C-BC49-FC300EA5F256}
{FA3F3DD9-4C1A-456B-A8FA-C76EF3ED83B8}

{FABD6EA5-AE10-4E7A-B83B-5F07ACC84214}
{FB74F625-7D25-4455-B840-7B870B5B9322}
{FD3659E9-A920-4123-AD64-7FC76C7AACDF}
{FE7C0D2B-27F1-4E97-951B-CF6E165EEAB6}
{FEC52D45-D657-42C3-B43E-BF64B95E7072}
{FECD606E-7161-4CBC-A868-4703867823EA}
{FF87090D-4A9A-4F47-879B-29A80C355D61}

{FFE2A43C-56B9-4BF5-9A79-CC6D4285608A}

{640167B4-59B0-47A6-B335-A6B3C0695AEA}
{7AD84985-87B4-4A16-BE58-8B72A5B390F7}

Registered ActiveX Controls
ActiveX Name and CLSID
({760C4B83-E211-11D2-BF3E-00805FBE84A6})
DRM.GetLicense.1 ({A9FC132B-096D-460B-B7D5-1DB0FAE0C062})
Registered DCOM Servers
CLSID
{00393519-3A67-4507-A2B8-85146167ACA7} (WPD Association LUA Virtual Factory)
{00F2B433-44E4-4D88-B2B0-2698A0A91DBA} (PhotoAcqHWEventHandler)
{031EE060-67BC-460D-8847-E4A7C5E45A27} (Windows Media Player Rich Preview Handler)
{07A774A0-6047-11D1-BA20-006097D2898E} (Logagent Class)
{1202DB60-1DAC-42C5-AED5-1ABDD432248E} (Sync Center Client)
{1A1F4206-0688-4E7F-BE03-D82EC69DF9A5} (Sync Center Control)
{45597C98-80F6-4549-84FF-752CF55E2D29} (Add to Windows Media Player list)
{5E1395B2-B685-44E3-8AED-E2304D85ACD1} (WiaWow64)
{5F4BAAD0-4D59-4FCD-B213-783CE7A92F22} (WIA Event Prompt Class)
{61E79517-4A4E-45D8-9219-30E71A9EFF39} (TabletButtonExtendedActions Class)
{6295DF2D-35EE-11D1-8707-00C04FD93327} (Sync Center (Private))
{69486DD6-C19F-42E8-B508-A53F9F8E67B8} (Offline Files Service Control)
{69F9CB25-25E2-4BE1-AB8F-07AA7CB535E8} (Sync Center Isolation Collection (Private))
{71B804C5-5577-471D-8FE5-C4A45B654EB8} (Windows SideShow AutoWake Configuration Helper)
{76D0CB12-7604-4048-B83C-1005C7DDC503}
{8144B6F5-20A8-444A-B8EE-19DF0BB84BDB} (StiEventHandler Class)
{8D8B8E30-C451-421B-8553-D2976AFA648C} (Sync Center Schedule Wizard)
{91778246-9BE4-4713-A651-E833B853CC30}
{94E03510-31B9-47A0-A44E-E932AC86BB17} (Windows Media Player Device Autoplay)
{9B359D1B-AD5C-412F-A654-A431424359DE} (Offline Files Profile Notify Handler)
{A0A8C0AC-FC70-4EE2-93A8-4A2257AE8619} (TSMSIQueue Class)
{A0ADD4EC-5BD3-4F70-A47B-07797A45C635}
{A1F4E726-8CF1-11D1-BF92-0060081ED811} (WIA Device Manager)
{A2D75874-6750-4931-94C1-C99D3BC9D0C7} (Microsoft Windows Defender)
{A55803CC-4D53-404C-8557-FD63DBA95D24} (WPDShextAutoplay)
{A5B020FD-E04B-4E67-B65A-E7DEED25B2CF} (TabletManager Class)
{AEE3E4A8-EF01-4024-A0F1-809D9B096E14} (Windows Media Player Encoder Helper Class)
{B6C292BC-7C88-41EE-8B54-8EC92617E599} (WIA Device Manager 2)
{B8558612-DF5E-4F95-BB81-8E910B327FB2} (Sync Center (Private))
{BAEA8DC9-45F5-4DF8-A27F-2A277D524B15} (WIA Extension Host for 64 bit extensions)
{CDC32574-7521-4124-90C3-8D5605A34933} (Windows Media Player Burn Audio CD Handler)
{D13E3F25-1688-45A0-9743-759EB35CDF9A} (AcquisitionManager Class)
{D3667F1E-CCB8-4A69-99DF-59A2B2A6753F} (Windows SideShow Device Configuration Helper)
{D63AA156-D534-4BAC-9BF1-55359CF5EC30} (Sync Center User Profile Notification Handler)
{ED1D0FDF-4414-470A-A56D-CFB68623FC58} (Play with Windows Media Player)
{F056D291-A2AB-45F7-8EE4-40454493B351} (Windows SideShow PropertyPage Host)
{FD3659E9-A920-4123-AD64-7FC76C7AACDF} (Offline Files Setting Object)

DCOM Default Permissions


Permission
MachineAccessRestriction

MachineLaunchRestriction

File Registrations
File Extension
.3g2

.3gp

.3gp2

.3gpp

.AAC

.ADT
.ADTS

.aif

.aifc

.aiff

.asf

.asx

.au

.avi

.cda

.DVR-MS

.img
.iso
.m1v

.M2T

.M2TS

.M2V

.m3u

.m4a

.m4b
.m4p
.m4v

.mid

.midi

.MOD
.mov

.mp2

.mp2v

.mp3

.mp4

.mp4v

.mpa

.mpe

.mpeg

.mpg
.mpv2

.MTS

.rmi

.snd

.TS

.TSPUB

.TTS

.vob
.wav

.wax

.wm

.wma
.WMD

.wmdb
.WMS

.wmv

.wmx

.wmz

.wpl

.WTV

.wvx
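The script below is an added example and is not part of the Microsoft reference. It resolves the extensions in the File Registrations table above to the ProgID and open command registered for them on the host being reviewed, which is how a hardening pass confirms that media file types no longer route to Windows Media Player. The extension subset, the Get-ExtensionHandler function name and the decision to read only the machine-wide HKCR view are this example's own assumptions; it targets Windows PowerShell 2.0 as shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the Microsoft reference): resolve the extensions in the
# File Registrations table to the ProgID and open command that handle them on this host.
# Windows PowerShell 2.0 on Windows Server 2008 R2. Reads the machine-wide HKCR view only;
# per-user overrides under HKCU\...\Explorer\FileExts are not consulted.

# Subset of the extensions listed above; extend from the table as required.
$DocumentedExtensions = @('.asf', '.asx', '.avi', '.m3u', '.mp3', '.mp4', '.wav',
                          '.wma', '.wmv', '.wmz', '.wpl', '.wvx')

function Get-ExtensionHandler([string]$Extension) {
    # HKCR\.ext (default) names the ProgID; HKCR\<ProgID>\shell\open\command is what
    # ShellExecute runs for a double-click. OpenWithProgids lists the extra handlers
    # offered in the "Open with" menu as value names.
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path $extKey)) {
        return New-Object PSObject -Property @{ Extension = $Extension; ProgId = $null; Command = '<not registered>'; AlternateProgIds = '' }
    }
    $progId  = (Get-ItemProperty $extKey).'(default)'
    $command = $null
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path $cmdKey) { $command = (Get-ItemProperty $cmdKey).'(default)' }
    }
    $alternates = @()
    if (Test-Path "$extKey\OpenWithProgids") {
        $alternates = @((Get-Item "$extKey\OpenWithProgids").GetValueNames() | Where-Object { $_ })
    }
    New-Object PSObject -Property @{
        Extension = $Extension; ProgId = $progId; Command = $command; AlternateProgIds = ($alternates -join ', ')
    }
}

$DocumentedExtensions | ForEach-Object { Get-ExtensionHandler $_ } |
    Format-Table Extension, ProgId, Command, AlternateProgIds -AutoSize -Wrap
```

On a server where the Desktop Experience components were never installed, most of these rows come back as <not registered> or with a non-WMP ProgID. An extension that still opens through wmplayer.exe means a crafted media file delivered into an administrator's session is parsed by the Windows Media Player stack listed in this section, which is the exposure the File Registrations table is there to document.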

Internet Explorer Pluggable Protocol Handlers


Protocol
MMS

WMP11.AssocProtocol.MMS
Internet Explorer Silent Elevation Entries
CLSID
{6BF52A52-394A-11D3-B153-00C04F79FAA6}
{A5B020FD-E04B-4E67-B65A-E7DEED25B2CF}

Internet Explorer Preapproved Controls


CLSID
{6BF52A52-394A-11D3-B153-00C04F79FAA6}
{760C4B83-E211-11D2-BF3E-00805FBE84A6}
{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}
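The following script is an added example, not from the reference, for checking the four registry-backed tables above (Registered DCOM Servers, DCOM Default Permissions, Internet Explorer Silent Elevation Entries, Internet Explorer Preapproved Controls) against a live server. The CLSID arrays hold a subset of the table entries, the function names are this example's own, and the registry paths are the locations Windows uses for AppID permissions, the machine-wide Ole restrictions, Protected Mode elevation policy and preapproved controls. It targets Windows PowerShell 2.0 on Windows Server 2008 R2 and expects an elevated prompt.

```powershell
# Added example, not part of the Microsoft reference: compare the "Registered DCOM
# Servers", "DCOM Default Permissions", "Internet Explorer Silent Elevation Entries"
# and "Internet Explorer Preapproved Controls" tables above with a live host.
# Windows PowerShell 2.0 on Windows Server 2008 R2; run from an elevated prompt.
# Subset of the CLSIDs from the tables above; extend the arrays from the document.
$DcomClsids = @(
    '{00393519-3A67-4507-A2B8-85146167ACA7}',   # WPD Association LUA Virtual Factory
    '{07A774A0-6047-11D1-BA20-006097D2898E}',   # Logagent Class
    '{A0A8C0AC-FC70-4EE2-93A8-4A2257AE8619}',   # TSMSIQueue Class
    '{A2D75874-6750-4931-94C1-C99D3BC9D0C7}',   # Microsoft Windows Defender
    '{A5B020FD-E04B-4E67-B65A-E7DEED25B2CF}'    # TabletManager Class
)
$SilentElevationClsids = @('{6BF52A52-394A-11D3-B153-00C04F79FAA6}', '{A5B020FD-E04B-4E67-B65A-E7DEED25B2CF}')
$PreapprovedClsids     = @('{6BF52A52-394A-11D3-B153-00C04F79FAA6}', '{760C4B83-E211-11D2-BF3E-00805FBE84A6}', '{A9FC132B-096D-460B-B7D5-1DB0FAE0C062}')
# A 64-bit PowerShell sees 32-bit registrations (the SysWOW64 binaries in this
# reference) under Wow6432Node, so both views are checked.
$ClsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
$HklmViews  = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE', 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node')

function ConvertTo-Sddl([byte[]]$Bytes) {
    # DCOM keeps LaunchPermission/AccessPermission and the machine-wide restrictions
    # as self-relative security descriptors in REG_BINARY values.
    if (-not $Bytes) { return $null }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @($Bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-ComServer([string]$Clsid) {
    # Resolve a CLSID to its name, server binary, AppID and the AppID's DCOM ACLs.
    foreach ($root in $ClsidRoots) {
        $key = "$root\$Clsid"
        if (-not (Test-Path $key)) { continue }
        $props  = Get-ItemProperty $key
        $server = $null
        foreach ($sub in 'LocalServer32', 'InprocServer32') {
            if (Test-Path "$key\$sub") { $server = (Get-ItemProperty "$key\$sub").'(default)'; break }
        }
        $launch = $null; $access = $null; $runAs = $null
        if ($props.AppID) {
            $appKey = ($root -replace '\\CLSID$', '\AppID') + "\$($props.AppID)"
            if (Test-Path $appKey) {
                $app    = Get-ItemProperty $appKey
                $launch = ConvertTo-Sddl $app.LaunchPermission
                $access = ConvertTo-Sddl $app.AccessPermission
                $runAs  = $app.RunAs
            }
        }
        return New-Object PSObject -Property @{
            CLSID = $Clsid; Name = $props.'(default)'; View = $root; Server = $server; AppID = $props.AppID
            RunAs = $runAs; LaunchPermission = $launch; AccessPermission = $access
        }
    }
    New-Object PSObject -Property @{ CLSID = $Clsid; Name = '<not registered>' }
}

# Protected Mode elevation policy: each subkey is an arbitrary GUID carrying either a
# CLSID value or AppName/AppPath, plus a Policy DWORD (3 = silent elevation to medium).
$PolicyMeaning = @{ 0 = 'launch blocked'; 1 = 'silent, low integrity'; 2 = 'prompt, then medium integrity'; 3 = 'silent, medium integrity' }
function Get-IeElevationPolicy {
    foreach ($view in $HklmViews) {
        $key = "$view\Microsoft\Internet Explorer\Low Rights\ElevationPolicy"
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $p = Get-ItemProperty $entry.PSPath
            $meaning = $null
            if ($p.Policy -ne $null) { $meaning = $PolicyMeaning[[int]$p.Policy] }
            New-Object PSObject -Property @{
                View = $view; Entry = $entry.PSChildName; CLSID = $p.CLSID; AppName = $p.AppName
                AppPath = $p.AppPath; Policy = $p.Policy; Meaning = $meaning
            }
        }
    }
}

'== DCOM machine-wide restrictions (HKLM\SOFTWARE\Microsoft\Ole); empty = value absent, OS default applies =='
$ole = Get-ItemProperty 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole'
foreach ($v in 'MachineAccessRestriction', 'MachineLaunchRestriction') { '{0}: {1}' -f $v, (ConvertTo-Sddl $ole.$v) }
'== Documented DCOM servers =='
$DcomClsids | ForEach-Object { Get-ComServer $_ } | Format-Table CLSID, Name, RunAs, Server, LaunchPermission -AutoSize -Wrap
'== Silent elevation entries: live policy-3 entries, then documented CLSIDs that are missing =='
$live = @(Get-IeElevationPolicy)
foreach ($e in ($live | Where-Object { $_.Policy -eq 3 })) {
    $status = 'NOT IN REFERENCE'
    if ($SilentElevationClsids -contains $e.CLSID) { $status = 'documented' }
    '{0,-16} {1} {2}{3}' -f $status, $e.CLSID, $e.AppName, $e.AppPath
}
foreach ($c in $SilentElevationClsids) {
    if (-not ($live | Where-Object { $_.CLSID -eq $c -and $_.Policy -eq 3 })) { "MISSING          $c" }
}
'== Preapproved controls =='
foreach ($c in $PreapprovedClsids) {
    $state = 'MISSING'
    foreach ($view in $HklmViews) { if (Test-Path "$view\Microsoft\Windows\CurrentVersion\Ext\PreApproved\$c") { $state = 'present' } }
    '{0,-8} {1} {2}' -f $state, $c, (Get-ComServer $c).Name
}
```

What to flag in the output: an AppID LaunchPermission or AccessPermission whose DACL grants the execute right (rendered as CC in SDDL) to Everyone or Anonymous, a RunAs of "Interactive User" on a server, a policy-3 elevation entry that is not in the reference (it lets a Protected Mode IE process start that broker at medium integrity without a prompt), and a preapproved control that is present but not listed here. An empty MachineAccessRestriction or MachineLaunchRestriction means the value is absent and the OS default applies.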

Ports
Port Name
3389/TCP -- RDP
49153/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol
49202/TCP -- Unknown Protocol
49203/TCP -- Unknown Protocol
3389/TCP -- RDP
49153/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-298-0

Winsock2\CatalogChangeListener-180-0

Winsock2\CatalogChangeListener-2e8-0
Winsock2\CatalogChangeListener-1e8-0

Winsock2\CatalogChangeListener-318-0

trkwks

wbhstipm69c368c0-86ee-4441-bcf8-52de4f2c170a
wbhstipmfba5cfbc-fde3-4c70-a2d7-3c3836af777a
wbhstipm22c15bfb-1856-4d6f-a0af-b0d8e045d5e5

wbhstipmbddc68be-a2b8-4196-92ae-fd7ba6d9dd24

3554a639-2998-4fe3-a6f2-fe674e09c5a1

b93e4e00-e706-49da-aa5a-3e2d2e9bcaeb

Winsock2\CatalogChangeListener-1e0-0

Winsock2\CatalogChangeListener-3a0-0

TermSrv_API_service

Ctx_WinStation_API_service

RPC Endpoints
Interface UUID
{c9ac6db5-82b7-4e55-ae8a-e464ed7b4277}
{30b044a5-a225-43f0-b3a4-e060df91f9c1}

Firewall Rules
Name
Remote Desktop - RemoteFX (TCP-In)
Remote Desktop (TCP-In)
Terminal Services - WMI (DCOM-In)
Terminal Services - WMI (TCP-In)
Terminal Services - WMI (WMI-Out)
Terminal Services (NP-In)
Terminal Services (RPC)
Terminal Services (RPC-EPMAP)
Windows Media Player (TCP-Out)
Windows Media Player (UDP-In)
Windows Media Player (UDP-Out)
Windows Media Player x86 (TCP-Out)
Windows Media Player x86 (UDP-In)
Windows Media Player x86 (UDP-Out)

Groups
Account Name
TS Web Access Computers

NT SERVICE\WinDefend

NT SERVICE\CscService

Role Dependency
Dependency
None

Remote Desktop Licensing Role Service
Services
Name
Remote Desktop Licensing (TermServLicensing)

Running Processes
Image Name (PID)
svchost.exe (1752)

Registered COM Controls


CLSID
{711D8AA2-B8DE-411B-B6E9-0476AD6DBC76}

Ports
Port Name
60256/UDP -- Unknown Protocol
49261/TCP -- Unknown Protocol
49261/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-298-0
Winsock2\CatalogChangeListener-180-0
Winsock2\CatalogChangeListener-318-0
Winsock2\CatalogChangeListener-1e0-0
HydraLsPipe

Winsock2\CatalogChangeListener-6d8-0

TermServLicensing

RPC Endpoints
Interface UUID
{3d267954-eeb7-11d1-b94e-00c04fa3080d}
{12d4b7c8-77d5-11d1-8c24-00c04fa3080d}

Firewall Rules
Name
Remote Desktop Licensing Server - WMI (DCOM-In)

Remote Desktop Licensing Server - WMI (TCP-In)


Remote Desktop Licensing Server - WMI (WMI-Out)

Remote Desktop Licensing Server (NP-In)


Remote Desktop Licensing Server (RPC)
Remote Desktop Licensing Server (RPC-EPMAP)

Groups
Account Name
Terminal Server Computers

NT SERVICE\TermServLicensing

Role Dependency
Dependency
None
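As an added example that is not part of the reference, the script below takes the Services, Named Pipes and Firewall Rules tables for Remote Desktop Licensing above and checks them on a live host. Listening sockets are attributed to the service's host process rather than matched against the Ports table, because the 49xxx ports in that table are ephemeral RPC endpoints that change on every boot. The $Expected table, the function names and the netstat parsing are this example's own; swapping in another role service's tables checks that one instead. It targets Windows PowerShell 2.0 on Windows Server 2008 R2 from an elevated prompt.

```powershell
# Added example, not part of the Microsoft reference: check a role service's documented
# footprint (services, listening sockets, named pipes, firewall rules) on a live host.
# Expected values come from the Remote Desktop Licensing tables above. Windows PowerShell 2.0
# on Windows Server 2008 R2; run from an elevated prompt.

$Expected = @{
    Services      = @('TermServLicensing')
    Pipes         = @('HydraLsPipe', 'TermServLicensing')
    FirewallRules = @('Remote Desktop Licensing Server - WMI (DCOM-In)',
                      'Remote Desktop Licensing Server - WMI (TCP-In)',
                      'Remote Desktop Licensing Server - WMI (WMI-Out)',
                      'Remote Desktop Licensing Server (NP-In)',
                      'Remote Desktop Licensing Server (RPC)',
                      'Remote Desktop Licensing Server (RPC-EPMAP)')
}
$Direction = @{ 1 = 'In'; 2 = 'Out' }
$Protocol  = @{ 6 = 'TCP'; 17 = 'UDP'; 256 = 'Any' }

function Get-ServiceFootprint([string[]]$Names) {
    # Win32_Service carries the account, start mode and command line columns of the
    # reference's service tables, plus the PID of the (possibly shared) host process.
    foreach ($n in $Names) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$n'"
        if (-not $svc) { New-Object PSObject -Property @{ Service = $n; State = 'NOT INSTALLED' }; continue }
        New-Object PSObject -Property @{
            Service = $svc.Name; State = $svc.State; StartMode = $svc.StartMode; Account = $svc.StartName
            ProcessId = $svc.ProcessId; CommandLine = $svc.PathName
        }
    }
}

function Get-Listeners {
    # Parse netstat -ano: TCP listeners and bound UDP sockets, IPv4 and IPv6, with owning PID.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$' -or
            $_ -match '^\s*(UDP)\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$') {
            New-Object PSObject -Property @{ Proto = $matches[1]; Address = $matches[2]; Port = [int]$matches[3]; ProcessId = [int]$matches[4] }
        }
    }
}

function Get-NamedPipes {
    # The pipe namespace can be enumerated like a directory; strip the \\.\pipe\ prefix.
    [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { $_.Substring(9) }
}

function Get-FirewallRuleState([string[]]$Names) {
    # INetFwPolicy2 is the interface behind netsh advfirewall; Get-NetFirewallRule does not exist on 2008 R2.
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $rules  = @($policy.Rules | ForEach-Object { $_ })
    foreach ($n in $Names) {
        $matched = @($rules | Where-Object { $_.Name -eq $n })
        if ($matched.Count -eq 0) { New-Object PSObject -Property @{ Rule = $n; Present = $false }; continue }
        foreach ($r in $matched) {
            New-Object PSObject -Property @{
                Rule = $n; Present = $true; Enabled = $r.Enabled; Direction = $Direction[[int]$r.Direction]
                Protocol = $Protocol[[int]$r.Protocol]; LocalPorts = $r.LocalPorts; Service = $r.ServiceName; Program = $r.ApplicationName
            }
        }
    }
}

'== Services =='
$services = @(Get-ServiceFootprint $Expected.Services)
$services | Format-Table Service, State, StartMode, Account, ProcessId, CommandLine -AutoSize
$hostPids = @($services | ForEach-Object { $_.ProcessId } | Where-Object { $_ })

'== Sockets owned by the service host process(es); in a shared svchost some belong to other services =='
Get-Listeners | Where-Object { $hostPids -contains $_.ProcessId } | Sort-Object Proto, Port | Format-Table Proto, Address, Port, ProcessId -AutoSize

'== Named pipes =='
$pipes = @(Get-NamedPipes)
foreach ($p in $Expected.Pipes) {
    $state = 'MISSING'
    if ($pipes -contains $p) { $state = 'present' }
    '{0,-8} {1}' -f $state, $p
}

'== Firewall rules =='
Get-FirewallRuleState $Expected.FirewallRules | Format-Table Rule, Present, Enabled, Direction, Protocol, LocalPorts, Service -AutoSize
```

Win32_Service reports start modes as Auto, Manual or Disabled where the reference writes DelayedAuto and Demand, so compare those by meaning rather than string. The RPC Endpoints table (interface UUIDs) is not checked here; those are best confirmed by querying the endpoint mapper directly.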

Remote Desktop Connection Broker Role Service
Services
Name
RemoteApp and Desktop Connection Management (TSCPubRPC)
Remote Desktop Connection Broker (tssdis)

Running Processes
Image Name (PID)
svchost.exe (928)

unsecapp.exe (2404)

svchost.exe (2500)

tssdis.exe (2728)

Registered COM Controls


CLSID
{3482137A-8500-4310-AA42-D2CA894E844F}

{466A43A3-4E28-4BF2-9B94-247F5962C37C}

{4AC33DD4-C1F1-4A08-B21F-A5EF312F963B}

{4ACAB544-1267-44FB-A416-4A3440BD2636}

{56520C80-0E51-4A5F-8EB8-8D4C5F6825B3}
{5965D11E-CCB8-4A14-AF43-5D2CFA2340F2}
{6AFF4D9A-E356-4D07-9109-62528057D9F6}
{A13B7B59-9617-4152-9F92-364E8B3F7EEC}

{A8DFF18E-99C6-4E88-A0A5-CDB4B657F47D}

{AA1FD3DE-047B-4F7D-9E2D-3AD6AB2980D6}

{B745B87B-CC4E-4361-8D29-221D936C259C}

{BF258E47-A172-498D-971A-DA30A3301E94}

{CA3A7D52-2A1B-4370-8AB1-D85902C40EDA}
{F99A3C50-74FA-460A-8D75-DB8EF2E3651D}

Registered DCOM Servers


CLSID
{56520C80-0E51-4A5F-8EB8-8D4C5F6825B3} (VmResourcePlugin Class)

DCOM Default Permissions


Permission
MachineAccessRestriction
MachineLaunchRestriction

Ports
Port Name
5504/TCP -- Unknown Protocol
49292/TCP -- Dynamic RPC Port
5504/TCP -- Unknown Protocol
49292/TCP -- Dynamic RPC Port
49293/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-6d8-0
Winsock2\CatalogChangeListener-aa8-0

Winsock2\CatalogChangeListener-9c4-0

RPC Endpoints
Interface UUID
{ed96b012-c8ce-4f60-a682-35535b12ff75}
{aa177641-fc9b-41bd-80ff-f964a701596f}
{32e36e84-4ba2-496c-ba85-fb450f325107}

Firewall Rules
Name
Connection Broker Service - WMI (DCOM-In)
Connection Broker Service - WMI (TCP-In)
Connection Broker Service - WMI (WMI-Out)
Connection Broker Service (NP-In)
Connection Broker Service (RPC)
Connection Broker Service (RPC-EPMAP)
Remote Desktop Connection Manager - WMI (Async-IN)

RemoteApp and Desktop Connection Management (RPC)
Windows Management Instrumentation (ASync-In)

Windows Management Instrumentation (DCOM-In)

Windows Management Instrumentation (WMI-In)

Windows Management Instrumentation (WMI-Out)

Groups
Account Name
Session Broker Computers

NT SERVICE\tssdis

NT SERVICE\TSCPubRPC

Role Dependency
Dependency
None

Remote Desktop Gateway Role Service
Services
Name
RPC/HTTP Load Balancing Service (RPCHTTPLBS)
Remote Desktop Gateway (TSGateway)

Running Processes
Image Name (PID)
svchost.exe (940)

svchost.exe (2356)
mscorsvw.exe (2644)

Registered COM Controls


CLSID
{5C100C1D-C5E1-479C-A8A4-A4CAFBC4F4DA}

{75D15B16-228C-499F-A0FC-E4899AC870CE}

Ports
Port Name
61591/UDP -- Unknown Protocol
3388/TCP -- Unknown Protocol
49339/TCP -- Dynamic RPC Port
49341/TCP -- Unknown Protocol
49342/TCP -- Unknown Protocol
593/TCP -- RPC over HTTP
3388/TCP -- Unknown Protocol
49339/TCP -- Dynamic RPC Port

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-298-0
Winsock2\CatalogChangeListener-934-0
RpcProxy\3388
Winsock2\CatalogChangeListener-3ac-0
RpcProxy\593

RPC Endpoints
Interface UUID
{44e265dd-7daf-42cd-8560-3cdb6e7a2729}
{958f92d8-da20-467a-bbe3-65e7e9b4edcf}
{3357951c-a1d1-47db-a278-ab945d063d03}

Firewall Rules
Name
Remote Desktop Gateway Server Farm (RPC HTTP Load Balancing Service)
Remote Desktop Gateway Server Farm (RPC-EPMAP)

Remote Desktop Gateway Server Farm (TCP-In)


Groups
Account Name
NT SERVICE\RPCHTTPLBS

NT SERVICE\TSGateway

Role Dependencies
Dependency
Network Policy and Access Server

Web Server (IIS)


Management Tools

RPC over HTTP Proxy

Remote Server Administration Tools

Remote Desktop Web Access Role Service
Registered COM Controls
CLSID
{5BD701FB-C77D-44DB-AFDE-C614340C3209}

Groups
Account Name
TS Web Access Administrators

Role Dependencies
Dependency
Web Server (IIS)

Management Tools

Remote Server Administration Tools

Remote Desktop Virtualization Host Role Service
Services
Name
RemoteFX Session Licensing (LSClientService)
RemoteFX Session Manager (rdvgsm)
Remote Desktop Virtualization Host Agent (VmHostAgent)

Drivers
Name
synth3dvsp (synth3dvsp)

Running Processes
Image Name (PID)
svchost.exe (1128)

WmiApSrv.exe (1788)

ismserv.exe (1944)

svchost.exe (2704)

svchost.exe (2724)

Registered COM Controls


CLSID
{06FF76FA-2D58-4BAF-9F8D-455773824F37}
{113560EA-48CD-4BD1-8828-FCEC44E2B5D5}
{3957E615-C8CA-4D74-9B07-2E37BF21FB63}

{BF4E6753-33E1-49F2-B481-053F39DC4799}

Registered DCOM Servers


CLSID
{06FF76FA-2D58-4BAF-9F8D-455773824F37}
(Synth3dVideoPoolResolver)
{113560EA-48CD-4BD1-8828-FCEC44E2B5D5}
(Synth3dVideo)

Ports
Port Name
58923/UDP -- Unknown Protocol
49160/TCP -- Unknown Protocol
49161/TCP -- Unknown Protocol
49202/TCP -- Unknown Protocol
49202/TCP -- Unknown Protocol
58926/UDP -- Unknown Protocol
49246/TCP -- Unknown Protocol

Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-3e4-0

Winsock2\CatalogChangeListener-248-0

Winsock2\CatalogChangeListener-164-0

Winsock2\CatalogChangeListener-2b0-0
Winsock2\CatalogChangeListener-2b0-1

Winsock2\CatalogChangeListener-158-0

Winsock2\CatalogChangeListener-728-0

Winsock2\CatalogChangeListener-2a8-0

Winsock2\CatalogChangeListener-6ec-0
Winsock2\CatalogChangeListener-aa4-0

UNIFIED_API_service

Winsock2\CatalogChangeListener-468-0

RPC Endpoints
Interface UUID
{1a71d6b4-89ff-40cb-ae84-0244ab866151}
{e0c98683-720d-4139-b106-a4b13a290d6f}

Firewall Rules
Name
Remote Desktop Virtualization Host Agent - WMI (DCOM-In)
Remote Desktop Virtualization Host Agent - WMI (TCP-Async)
Remote Desktop Virtualization Host Agent - WMI (TCP-In)
Remote Desktop Virtualization Host Agent - WMI (TCP-Out)
Remote Desktop Virtualization Host Agent (RPC)
Remote Desktop Virtualization Host Agent (RPC-EPMAP)
Groups
Account Name
NT SERVICE\IsmServ

NT SERVICE\wmiApSrv

NT SERVICE\LSClientService

NT SERVICE\rdvgsm

NT SERVICE\VmHostAgent

Role Dependency
Dependency
Hyper-V
Account Startup Mode
NT AUTHORITY\SYSTEM Disabled
NT AUTHORITY\LOCAL SERVICE Demand
NT AUTHORITY\SYSTEM Demand
NT AUTHORITY\SYSTEM Disabled
NT AUTHORITY\LOCAL SERVICE Demand
NT AUTHORITY\SYSTEM DelayedAuto
Startup Mode
Disabled
Demand
Command Line
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
wmiadap.exe /F /T /R
C:\Windows\System32\svchost.exe -k termsvcs
Friendly Name Binary Path


Microsoft AVI Files C:\Windows\SysWOW64\avifile.dll
AVI Compressed Stream C:\Windows\SysWOW64\avifile.dll
IAVIStream & IAVIFile Proxy C:\Windows\SysWOW64\avifile.dll
ACM Compressed Audio Stream C:\Windows\SysWOW64\avifile.dll
WPD Association LUA Virtual Factory C:\Windows\SysWOW64\shpafact.dll
Terminal Server Session Directory Interface C:\Windows\system32\tssdjet.dll
PSFactoryBuffer C:\Windows\SysWOW64\msscp.dll
PhotoAcqDropTarget C:\Program Files\Windows Photo Viewer\PhotoAcq.dll
PhotoAcquireOptionsDialog C:\Program Files\Windows Photo Viewer\PhotoAcq.dll

PhotoProgressDialog C:\Program Files\Windows Photo Viewer\PhotoAcq.dll

PhotoAcquire C:\Program Files\Windows Photo Viewer\PhotoAcq.dll

PhotoAcqDeviceSelectionDlg C:\Program Files\Windows Photo Viewer\PhotoAcq.dll

PhotoAcqHWEventHandler
PSFactoryBuffer C:\Program Files\Windows Photo Viewer\PhotoAcq.dll

CFrameRateConvertDmo C:\Windows\SysWOW64\mfvdsp.dll
Windows Media Player Rich Preview Handler
MFSourceFilter C:\Windows\SysWOW64\mfds.dll
Audio Mixer C:\Windows\SysWOW64\qedit.dll
Microsoft InkPicture Control C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
PSFactoryBuffer C:\Windows\SysWOW64\wmcodecdspps.dll
WMPlayer ContentPropPage Class C:\Windows\SysWOW64\wmp.dll
ActiveMovieControl Object C:\Windows\SysWOW64\wmpdxm.dll
WMDM CE Device Service Provider C:\Windows\SysWOW64\cewmdm.dll
Logagent Class
PropVariantCollection Class C:\Windows\SysWOW64\PortableDeviceTypes.dll

CLSID_CExchImport C:\Program Files\Windows Mail\oeimport.dll


AlchemyVis Class C:\Program Files\Windows Media Player\mpvis.DLL

PSFactoryBuffer C:\Windows\SysWOW64\wmpencen.dll
PortableDeviceManager Class C:\Windows\SysWOW64\PortableDeviceApi.dll
WpdSerializer Class C:\Windows\SysWOW64\PortableDeviceTypes.dll

PortableDeviceValues Class C:\Windows\SysWOW64\PortableDeviceTypes.dll

Rational Class C:\Windows\SysWOW64\wiaaut.dll


Generate Black Video C:\Windows\SysWOW64\qedit.dll
CLSID_MessageStore C:\Program Files\Windows Mail\msoe.dll
Offline Files Folder Options C:\Windows\System32\cscui.dll
MP3 ACM Wrapper MFT C:\Windows\SysWOW64\mf.dll
CFileIo C:\Windows\SysWOW64\wmvdspa.dll
Sync Center Client
Microsoft Input Personalization Plug-in C:\Program Files\Common Files\Microsoft Shared\Ink\IpsPlugin.dll
E-Ink C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Media Foundation DShow Source Resolver C:\Windows\SysWOW64\mfds.dll
MF AudCap Source Plug-in C:\Windows\SysWOW64\mf.dll
PortableDeviceServiceFTM Class C:\Windows\SysWOW64\PortableDeviceApi.dll
UserLexiconManager Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Xml2Dex Class C:\Windows\SysWOW64\qedit.dll
scanprofileui class C:\Windows\SysWOW64\wiascanprofiles.dll
Sync Center Control
WMEnc Screen Capture Filter C:\Windows\SysWOW64\wmpsrcwp.dll
DirectX Transform Wrapper Property Page C:\Windows\SysWOW64\qedit.dll
Windows Media Player WMEncAdvancedStreamEdit Class C:\Windows\SysWOW64\wmpencen.dll
Black Generator Property Page C:\Windows\SysWOW64\qedit.dll
PSFactoryBuffer C:\Windows\SysWOW64\wmdmps.dll
MF MPEG Property Handler C:\Windows\SysWOW64\mf.dll
Resizer DMO C:\Windows\SysWOW64\vidreszr.dll
MFPlay Class Factory C:\Windows\SysWOW64\MFPlay.dll
WM Speech Encoder DMO C:\Windows\SysWOW64\WMSPDMOE.DLL
SDConnHdl Class C:\Windows\system32\sdclient.dll
C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
WMSDK NamespaceFactory Class C:\Windows\SysWOW64\WMNetMgr.dll
Windows Media Player C:\Windows\SysWOW64\wmpdxm.dll
Windows Mail Address Book C:\Program Files\Windows Mail\msoe.dll
InkSettings Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Index Cleaner Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
MediaDevMgr Class C:\Windows\SysWOW64\mswmdm.dll
MPEG4 Byte Stream Handler C:\Windows\SysWOW64\mf.dll
Windows Defender IOfficeAntiVirus implementation C:\Program Files\Windows Defender\MpOav.dll

AC3 Parser Filter C:\Windows\SysWOW64\mpg2splt.ax


Sync Center Conflict Folder C:\Windows\SysWOW64\SyncCenter.dll
Mpeg4s Decoder DMO C:\Windows\SysWOW64\mp4sdecd.dll
TCPIProp Class C:\Windows\SysWOW64\wmpencen.dll
Silence C:\Windows\SysWOW64\qedit.dll
PSFactoryBuffer C:\Program Files\Windows Mail\msoe.dll
WMEncSourceSink C:\Windows\SysWOW64\wmpsrcwp.dll
Offline Files WMI Provider C:\Windows\SysWOW64\cscobj.dll
Sync Setup Folder C:\Windows\SysWOW64\SyncCenter.dll
WMAudio Decoder DMO C:\Windows\SysWOW64\WMADMOD.DLL
Drm Scheme Handler C:\Windows\SysWOW64\mf.dll
C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
PSFactoryBuffer C:\Windows\SysWOW64\WMPCM.dll
Msi Generator C:\Windows\System32\rapmsign.dll
TcpiObj Class C:\Windows\SysWOW64\wmpencen.dll
Windows Photo Viewer Gallery Interface C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
MSSCP Class C:\Windows\SysWOW64\msscp.dll
ClassicW Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Configure Windows Portable Device Task Class C:\Windows\SysWOW64\wpdwcn.dll
C:\Program Files\Common Files\Microsoft Shared\Ink\IpsPlugin.dll
Portable Devices C:\Windows\SysWOW64\wpdshext.dll
PSFactoryBuffer C:\Windows\system32\cscui.dll
Sync Center (Internal) C:\Windows\SysWOW64\SyncCenter.dll
Secure Http Scheme Handler C:\Windows\SysWOW64\mf.dll
PortableDeviceValuesCollection Class C:\Windows\SysWOW64\PortableDeviceTypes.dll

WiaVideo Class C:\Windows\SysWOW64\wiavideo.dll


CLSID_JetDatabaseSession C:\Program Files\Windows Mail\msoe.dll
CTocEntryList C:\Windows\SysWOW64\wmvdspa.dll
CAviTocParser C:\Windows\SysWOW64\wmvdspa.dll
MPEG-2 Splitter C:\Windows\SysWOW64\mpg2splt.ax
PSFactoryBuffer C:\Windows\SysWOW64\TSMSIPrxy.dll
Windows Media Player WMEncTextInputSource Class C:\Windows\SysWOW64\wmpencen.dll

InkObject Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Audio Repackager C:\Windows\SysWOW64\qedit.dll
LPCM Byte Stream Handler C:\Windows\SysWOW64\mf.dll
WMPlayer MusicPropPage Class C:\Windows\SysWOW64\wmp.dll
C:\Windows\SysWOW64\mfdvdec.dll
Video Media Properties Handler C:\Windows\SysWOW64\mediametadatahandler.dll

ASF Byte Stream Handler C:\Windows\SysWOW64\mf.dll


WPD Settings Commit Page Class C:\Windows\SysWOW64\wpdwcn.dll
WAV Byte Stream Handler C:\Windows\SysWOW64\mf.dll
PSFactoryBuffer C:\Windows\SysWOW64\LAPRXY.DLL
PortableDeviceDispatchFactory Class C:\Windows\SysWOW64\PortableDeviceApi.dll
InkRectangle Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
InkCollector Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Http Scheme Handler C:\Windows\SysWOW64\mf.dll
CLSID_CSmapiProxy
Add to Windows Media Player list
RdpAudioSink Class C:\Windows\SysWOW64\tsmf.dll
SessionAgent Class C:\Windows\System32\AuxiliaryDisplayServices.dll

C:\Windows\SysWOW64\DXPTaskRingtone.dll
CClusterDetectorEx C:\Windows\SysWOW64\wmvdspa.dll
C:\Windows\System32\cscui.dll
File Scheme Handler C:\Windows\SysWOW64\mf.dll
Offline Files Cache Control C:\Windows\SysWOW64\cscobj.dll
MFReadWrite Class Factory C:\Windows\SysWOW64\mfreadwrite.dll
SmartRenderEngine Class C:\Windows\SysWOW64\qedit.dll
CTocParser C:\Windows\SysWOW64\wmvdspa.dll
CLSID_DatabaseSession C:\Program Files\Common Files\System\directdb.dll

GSM ACM Wrapper MFT C:\Windows\SysWOW64\mf.dll


Sync Center Event Properties Extension C:\Windows\SysWOW64\SyncCenter.dll
PortableDeviceWMDRM Class C:\Windows\SysWOW64\portabledevicewmdrm.dll

PSFactoryBuffer C:\Windows\SysWOW64\portabledevicewmdrm.dll

Photo Printing with Templates Wizard C:\Windows\SysWOW64\photowiz.dll


PortableDeviceClassExtension Class C:\Windows\SysWOW64\portabledeviceclassextension.dll
PSFactoryBuffer C:\Windows\SysWOW64\sti.dll
Vector Class C:\Windows\SysWOW64\wiaaut.dll
CTocGeneratorDmo C:\Windows\SysWOW64\wmvdspa.dll
C:\Windows\System32\cscui.dll
Windows Media Player WMEncFileTransferSource Class C:\Windows\SysWOW64\wmpencen.dll

CToc C:\Windows\SysWOW64\wmvdspa.dll
MediaDevMgrClassFactory Class C:\Windows\SysWOW64\mswmdm.dll
C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
CTocCollection C:\Windows\SysWOW64\wmvdspa.dll
PSFactoryBuffer C:\Windows\SysWOW64\wpdwcn.dll
DxtAlphaSetter Class C:\Windows\SysWOW64\qedit.dll
WMAPro over S/PDIF DMO C:\Windows\SysWOW64\WMADMOD.DLL
DrawAttrs Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Windows Media Player WMEncoder Class C:\Windows\SysWOW64\wmpencen.dll
Windows Media Player Plug-in Registrar C:\Windows\SysWOW64\wmp.dll
CThumbnailGeneratorDmo C:\Windows\SysWOW64\wmvdspa.dll
Windows Media SDK HTTP Source Plugin C:\Windows\SysWOW64\WMNetMgr.dll
Mpeg4s Decoder MFT C:\Windows\SysWOW64\mp4sdecd.dll
Sync Center Handler Properties Extension C:\Windows\SysWOW64\SyncCenter.dll
ManipulationProcessor Class C:\Program Files\Common Files\Microsoft Shared\Ink\rtscom.dll
Line 21 Decoder Text Output C:\Windows\SysWOW64\wmpsrcwp.dll
SCPTRANS Class C:\Windows\SysWOW64\msscp.dll
WiaWow64
WIA Event Prompt Class
Old Files In Root Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
Temp Files Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
Setup Files Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
Uninstall Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
DropTarget Object for Photo Printing Wizard C:\Windows\SysWOW64\photowiz.dll
TabletButtonExtendedActions Class C:\Windows\System32\TabBtnEx.dll
EVR Graph Optimizer C:\Windows\SysWOW64\evr.dll
CLSID_OERulesManager C:\Program Files\Windows Mail\msoe.dll
Sync Manager (Legacy) C:\Windows\SysWOW64\SyncCenter.dll
Sync Center (Private)
Lattice Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
MFRemoteDesktopPlugin Class C:\Windows\SysWOW64\tsmf.dll
GestureRecognizer Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
WMPlayer FileFormatPropPage Class C:\Windows\SysWOW64\wmp.dll
WMPlayer VideoPerfPropPage Class C:\Windows\SysWOW64\wmp.dll
RenderEngine Class C:\Windows\SysWOW64\qedit.dll
MediaDet C:\Windows\SysWOW64\qedit.dll
InkOverlay Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Audio Mixer Property C:\Windows\SysWOW64\qedit.dll
MPEG-2 Demultiplexer(NoClock) C:\Windows\SysWOW64\mpg2splt.ax
C:\Windows\System32\cscui.dll
Still Video Property Page C:\Windows\SysWOW64\qedit.dll
Offline Files Service Control
Sync Center Isolation Collection (Private)
Windows Media Player OCXGeneralPropPage Class C:\Windows\SysWOW64\wmp.dll

Silence Generator Property Page C:\Windows\SysWOW64\qedit.dll


Windows Media Player C:\Windows\SysWOW64\wmp.dll
C:\Windows\SysWOW64\mfh264enc.dll
InkTablets Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Windows Media Player InputCollection Class C:\Windows\SysWOW64\wmpencen.dll
CLSID_MessageDatabase C:\Program Files\Windows Mail\msoe.dll
CLSID_FolderDatabase C:\Program Files\Windows Mail\msoe.dll
WMEncSourcePluginWrapper C:\Windows\SysWOW64\wmpsrcwp.dll
WMAudio Encoder DMO C:\Windows\SysWOW64\WMADMOE.DLL
PortableDeviceWiaCompat Class C:\Windows\SysWOW64\PortableDeviceWiaCompat.dll

Windows Media Player WMEnc5PointWavSource Class C:\Windows\SysWOW64\wmpencen.dll

Windows SideShow AutoWake Configuration Helper C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll

Sync Results Folder C:\Windows\SysWOW64\SyncCenter.dll


PortableDevice Class C:\Windows\SysWOW64\PortableDeviceApi.dll
C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
MFPsiFilter C:\Windows\SysWOW64\mfds.dll
AEC C:\Windows\SysWOW64\mfwmaaec.dll
Offline Files Synchronization Handler C:\Windows\System32\cscui.dll
Windows Media Services DRM Storage object C:\Windows\SysWOW64\msnetobj.dll
C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
SideShowClassExtension Class C:\Windows\System32\AuxiliaryDisplayDriverLib.dll

Briefcase Storage Object C:\Windows\SysWOW64\SYNCUI.DLL


Windows Media Player Effects Activate C:\Windows\SysWOW64\wmpeffects.dll
WPDServiceProvider Class C:\Windows\SysWOW64\wpdsp.dll
MediaDetFilter C:\Windows\SysWOW64\qedit.dll
MS Timeline C:\Windows\SysWOW64\qedit.dll
TabletManager Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
PSFactoryBuffer C:\Windows\SysWOW64\wmpps.dll
CColorControlDmo C:\Windows\SysWOW64\mfvdsp.dll
Simple Conflict Presenter C:\Windows\SysWOW64\SyncCenter.dll
SAMI Byte Stream Handler C:\Windows\SysWOW64\mf.dll
User Accounts
AVI Byte Stream Handler C:\Windows\SysWOW64\mf.dll
WMV Screen decoder DMO C:\Windows\SysWOW64\wmvsdecd.dll
WMPlayer PlaybackPropPage Class C:\Windows\SysWOW64\wmp.dll
SDPWmiJob Class C:\Windows\System32\AuxiliaryDisplayServices.dll

Generate Still Video C:\Windows\SysWOW64\qedit.dll


WMVideo8 Encoder DMO C:\Windows\SysWOW64\wmvxencd.dll
C:\Windows\System32\cscui.dll
WMDRM Context C:\Windows\SysWOW64\wmdrmsdk.dll
MF ADTS Property Handler C:\Windows\SysWOW64\mf.dll
Tablet PC Settings Control Panel
StiEventHandler Class
WMDRM Content Enabler C:\Windows\SysWOW64\wmdrmsdk.dll
WMVideo Decoder DMO C:\Windows\SysWOW64\wmvdecod.dll
UserDictionary Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
C:\Windows\SysWOW64\wiashext.dll
CommonDialog Class C:\Windows\SysWOW64\wiaaut.dll
Briefcase C:\Windows\SysWOW64\syncui.dll
C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
Audio Media Properties Handler C:\Windows\SysWOW64\mediametadatahandler.dll

InkRecognizerGuide Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
InkDivider Class C:\Program Files\Common Files\Microsoft Shared\Ink\Inkdiv.dll
WMPlayer NetworkPropPage Class C:\Windows\SysWOW64\wmp.dll
C:\Windows\SysWOW64\wmpshell.dll
Device Proxy MFT C:\Windows\SysWOW64\mf.dll
Windows Media Player WMEncSourcePluginCommunicator Class C:\Windows\SysWOW64\wmpencen.dll
Sync Center Schedule Wizard
WMPlayer PrivacyPropPage Class C:\Windows\SysWOW64\wmp.dll
AthWafer C:\Program Files\Windows Mail\msoe.dll
C:\Windows\SysWOW64\wiashext.dll

ADTS Byte Stream Handler C:\Windows\SysWOW64\mf.dll


G711 ACM Wrapper MFT C:\Windows\SysWOW64\mf.dll
Windows Media Player WMEnc5Point1WavSourcePropertyPage Class C:\Windows\SysWOW64\wmpencen.dll
Frame Rate Converter C:\Windows\SysWOW64\qedit.dll
InkObject Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
C:\Windows\SysWOW64\mfAACEnc.dll
Windows Media Player Device Autoplay
WMDM Sync Property Page C:\Windows\SysWOW64\wmp.dll
Windows Media Player WMEncTunerPropPage Class C:\Windows\SysWOW64\wmpencen.dll

Windows Media Player OCXAdvancedPropPage Class C:\Windows\SysWOW64\wmp.dll

WMPlayer AdvancedPropPage Class C:\Windows\SysWOW64\wmp.dll


Color Converter DMO C:\Windows\SysWOW64\colorcnv.dll
MF Video Presenter C:\Windows\SysWOW64\evr.dll
Windows Media Player WMEncFileSource Class C:\Windows\SysWOW64\wmpencen.dll
DynamicRenderer Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Offline Files Profile Notify Handler C:\Windows\SysWOW64\cscobj.dll
CAsfTocParser C:\Windows\SysWOW64\wmvdspa.dll
InkRenderer Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
WMPlayer CDBurnPropPage Class C:\Windows\SysWOW64\wmp.dll
Sync Center Folder C:\Windows\SysWOW64\SyncCenter.dll
InkWordList Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
PSFactoryBuffer C:\Program Files\Common Files\Microsoft Shared\Ink\tpcps.dll
Urlmon Scheme Handler C:\Windows\SysWOW64\mf.dll
Frame Rate Converter Property Page C:\Windows\SysWOW64\qedit.dll
Audio Repackager Property Page C:\Windows\SysWOW64\qedit.dll
Dexter Queue C:\Windows\SysWOW64\qedit.dll
InkRecognizers Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Windows Mail Envelope C:\Program Files\Windows Mail\msoe.dll
Tearless Window Presenter C:\Windows\SysWOW64\evr.dll
TSMSIQueue Class
C:\Windows\System32\cscui.dll
CLSID_COE5Import C:\Program Files\Windows Mail\oeimport.dll
EnumBthMtpConnectors Class C:\Windows\SysWOW64\portabledeviceconnectapi.dll

AltTab C:\Windows\SysWOW64\AltTab.dll
IMA ADPCM ACM Wrapper MFT C:\Windows\SysWOW64\mf.dll
WIA Device Manager
Microsoft Windows Defender C:\Program Files\Windows Defender\MsMpCom.dll

ImageFile Class C:\Windows\SysWOW64\wiaaut.dll


WPDShextAutoplay
TabletManager Class
MP3 Byte Stream Handler C:\Windows\SysWOW64\mf.dll
PSFactoryBuffer C:\Windows\SysWOW64\PortableDeviceApi.dll
Content Indexer Cleaner C:\Windows\SysWOW64\DATACLEN.DLL
RMGetLicense Class C:\Windows\SysWOW64\msnetobj.dll
WPDShServiceObj Class C:\Windows\SysWOW64\wpdshserviceobj.dll
InkRecognizerContext Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
RDP DShow Video Renderer C:\Windows\SysWOW64\DShowRdpFilter.dll
InertiaProcessor Class C:\Program Files\Common Files\Microsoft Shared\Ink\rtscom.dll
InkCursors Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
PSFactoryBuffer C:\Windows\SysWOW64\mfps.dll
Windows Media Network Source Plugin C:\Windows\SysWOW64\WMNetMgr.dll
Property Setter C:\Windows\SysWOW64\qedit.dll
GrfCache Class C:\Windows\SysWOW64\qedit.dll
MF ASF Property Handler C:\Windows\SysWOW64\mf.dll
Windows Media Player Encoder Helper Class
MPEG-2 Demultiplexer C:\Windows\SysWOW64\mpg2splt.ax
WMPlayer SecurityPropPage Class C:\Windows\SysWOW64\wmp.dll
Offline Files Folder C:\Windows\System32\cscui.dll
NSC Byte Stream Handler C:\Windows\SysWOW64\mf.dll
Windows Media Player Compositing Mixer C:\Windows\SysWOW64\WMPCM.dll
WMPSkinMngr Class C:\Windows\SysWOW64\wmpshell.dll
StillImage C:\Windows\SysWOW64\sti.dll
Sync Center Item Properties Extension C:\Windows\SysWOW64\SyncCenter.dll
PSFactoryBuffer C:\Windows\SysWOW64\PortableDeviceTypes.dll

JournalReader Class C:\Program Files\Common Files\Microsoft Shared\Ink\Journal.dll
Windows Media Player TunerHelper Class C:\Windows\SysWOW64\wmpencen.dll
WIA Device Manager 2
Sync Center (Private)
Wizard for Installing Applications in TS-Install Mode

Windows Media Player WMEncProfile2 Class C:\Windows\SysWOW64\wmpencen.dll


WIA Extension Host for 64 bit extensions C:\Windows\System32\WiaExtensionHost64.dll
DxtCompositor Class C:\Windows\SysWOW64\qedit.dll
WMPlayer PlaylistPropPage Class C:\Windows\SysWOW64\wmp.dll
WMPlayer DVDPropPage Class C:\Windows\SysWOW64\wmp.dll
MP3 Decoder DMO C:\Windows\SysWOW64\mp3dmod.dll
PSFactoryBuffer C:\Windows\SysWOW64\portabledeviceclassextension.dll
Sync Results Delegate Folder C:\Windows\SysWOW64\SyncCenter.dll
ImageProcess Class C:\Windows\SysWOW64\wiaaut.dll
InkTablet Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Pin Property C:\Windows\SysWOW64\qedit.dll
CLSID_MigrateMessageStore C:\Program Files\Windows Mail\msoe.dll
Stretch Property Page C:\Windows\SysWOW64\qedit.dll
Screen Capture Filter Task Page C:\Windows\SysWOW64\wmpsrcwp.dll
WPD PnPX Association Manager Class C:\Windows\SysWOW64\wpdwcn.dll
Data Driven Cleaner C:\Windows\SysWOW64\DATACLEN.DLL
MF MP3 Property Handler C:\Windows\SysWOW64\mf.dll
WMPlayer VizResolutionPropPage Class C:\Windows\SysWOW64\wmp.dll
WMPlayer LibraryPropPage Class C:\Windows\SysWOW64\wmp.dll
Sample Grabber C:\Windows\SysWOW64\qedit.dll
Null Renderer C:\Windows\SysWOW64\qedit.dll
C:\Windows\SysWOW64\PortableDeviceStatus.dll

Windows Media Player C:\Windows\SysWOW64\wmpencen.dll


WMEncFileTransferSourcePropertyPage Class
WMEnc DV Timecode Reader C:\Windows\SysWOW64\wmpsrcwp.dll
Big Switch C:\Windows\SysWOW64\qedit.dll
Smart Recompressor C:\Windows\SysWOW64\qedit.dll
C:\Windows\System32\cscui.dll
InkObjectXP Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Video Thumbnail Extractor C:\Windows\SysWOW64\mediametadatahandler.dll

DxtKey Class C:\Windows\SysWOW64\qedit.dll


SDSessionArbitrationHelper Class C:\Windows\system32\SDClient.dll
ADPCM ACM Wrapper MFT C:\Windows\SysWOW64\mf.dll
Windows Media Player WMEncImageSource Class C:\Windows\SysWOW64\wmpencen.dll
CLSID_OENote C:\Program Files\Windows Mail\msoe.dll
scanprofilemgr class C:\Windows\SysWOW64\wiascanprofiles.dll
C:\Windows\SysWOW64\mfmjpegdec.dll
Mpeg43 Decoder DMO C:\Windows\SysWOW64\mp43decd.dll
MediaLocator Class C:\Windows\SysWOW64\qedit.dll
DirectX Transform Wrapper C:\Windows\SysWOW64\qedit.dll
Video Effect (1 input) Class Manager C:\Windows\SysWOW64\qedit.dll
Video Effect (2 input) Class Manager C:\Windows\SysWOW64\qedit.dll
ClientNetManager Class C:\Windows\SysWOW64\WMNetMgr.dll
RdpVideoSink Class C:\Windows\SysWOW64\tsmf.dll
APPLICATION__X_MPLAYER2 Moniker Class C:\Windows\SysWOW64\wmp.dll
APPLICATION__X_MS_WMZ Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__AIFF Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__BASIC Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__MID Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__MP3 Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__MPEG Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__MPEGURL Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__SCPLS Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__WAV Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__MP4 Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__VND_DLNA_ADTS Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__X_MS_WAX Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__X_MS_WMA Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__AVI Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__MPEG Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__X_MS_ASF Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__X_MS_ASF_PLUGIN Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__X_MS_WM Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__X_MS_WMX Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__X_MS_WMV Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__X_MS_WVX Moniker Class C:\Windows\SysWOW64\wmp.dll
APPLICATION__X_WMPLAYER Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__3GPP Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__3GPP2 Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__MP4 Moniker Class C:\Windows\SysWOW64\wmp.dll
VIDEO__QUICKTIME Moniker Class C:\Windows\SysWOW64\wmp.dll
AUDIO__VND_MPEG_TTS Moniker Class C:\Windows\SysWOW64\wmp.dll
Windows Media Player Burn Audio CD Handler
Windows Media Player Device Options Property Page C:\Windows\SysWOW64\wmp.dll

AcquisitionManager Class
WIA Default UI C:\Windows\SysWOW64\wiadefui.dll
WMVideo9 Encoder DMO C:\Windows\SysWOW64\wmvencod.dll
Windows SideShow Device Configuration Helper C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
WIA Default Segmentation Filter C:\Windows\SysWOW64\sti.dll
Mpeg-2 Stats C:\Windows\SysWOW64\mpg2splt.ax
Windows Photo Viewer DropTarget C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Sync Center User Profile Notification Handler C:\Windows\SysWOW64\SyncCenter.dll
Portable Devices Menu C:\Windows\SysWOW64\wpdshext.dll
Windows Defender
DrawingAttributes Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
WPD Settings Completion Page Class C:\Windows\SysWOW64\wpdwcn.dll
PropertyKeyCollection Class C:\Windows\SysWOW64\PortableDeviceTypes.dll

DxtJpeg Class C:\Windows\SysWOW64\qedit.dll


RecoManager Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
RtpObject Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
WMPlayer ClipPropPage Class C:\Windows\SysWOW64\wmp.dll
DxtJpegPP Class C:\Windows\SysWOW64\qedit.dll
DeviceManager Class C:\Windows\SysWOW64\wiaaut.dll
C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
RealTimeStylus Class C:\Program Files\Common Files\Microsoft Shared\Ink\rtscom.dll
MF AVI Property Handler C:\Windows\SysWOW64\mf.dll
InkTransform Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Sync Center Conflict Delegate Folder C:\Windows\SysWOW64\SyncCenter.dll
MF WAV Property Handler C:\Windows\SysWOW64\mf.dll
MF Video Mixer C:\Windows\SysWOW64\evr.dll
AutoWakeTaskHandler Class C:\Windows\System32\AuxiliaryDisplayServices.dll

Windows Photo Viewer Video Verbs C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Microsoft InkEdit Control C:\Windows\SysWOW64\Inked.dll
CLSID_StoreNamespace C:\Program Files\Windows Mail\msoe.dll
StrokeBuilder Class C:\Program Files\Common Files\Microsoft Shared\Ink\rtscom.dll
CLSID_COE7Import C:\Program Files\Windows Mail\msoe.dll
SoundRecorder WAV Dest C:\Windows\system32\WavDest.dll
SoundRecorder Volume Watch C:\Windows\system32\WavDest.dll
SoundRecorder Null Renderer C:\Windows\system32\WavDest.dll
Windows SideShow C:\Windows\SysWOW64\shdocvw.dll
Windows Media Player Transcode Files Cache Cleanup Handler C:\Windows\SysWOW64\wmp.dll
DrawAttrsXP Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Net Scheme Handler C:\Windows\SysWOW64\mf.dll
GestureRecognizer Class C:\Program Files\Common Files\Microsoft Shared\Ink\rtscom.dll
DemuxRender C:\Windows\SysWOW64\mfds.dll
Terminal Server Session Directory Interface C:\Windows\system32\tssdjet.dll
DynamicRenderer Class C:\Program Files\Common Files\Microsoft Shared\Ink\rtscom.dll
Play with Windows Media Player
Personalization Control Panel C:\Windows\SysWOW64\shdocvw.dll
APPLICATION__X_MS_WMD Moniker Class C:\Windows\SysWOW64\wmp.dll
PortableDeviceService Class C:\Windows\SysWOW64\PortableDeviceApi.dll
PSFactoryBuffer C:\Windows\SysWOW64\cscobj.dll
GenericRecognizer Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Drawing C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Sync Center Conflict Properties Extension C:\Windows\SysWOW64\SyncCenter.dll
Windows SideShow PropertyPage Host C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
Sync Setup Delegate Folder C:\Windows\SysWOW64\SyncCenter.dll
Sync Center Shell Service Object (Internal) C:\Windows\SysWOW64\SyncCenter.dll
CTocEntry C:\Windows\SysWOW64\wmvdspa.dll
Mpeg4 Decoder DMO C:\Windows\SysWOW64\mpg4decd.dll
Resampler DMO C:\Windows\SysWOW64\resampledmo.dll
WMPlayer PluginsPropPage Class C:\Windows\SysWOW64\wmp.dll
Media Foundation MP2demux C:\Windows\SysWOW64\mfds.dll
MF Video Presenter 2 C:\Windows\SysWOW64\evr.dll
PortableDeviceFTM Class C:\Windows\SysWOW64\PortableDeviceApi.dll
MSScreen 9 encoder DMO C:\Windows\SysWOW64\wmvsencd.dll
MF MPEG-4 Property Handler C:\Windows\SysWOW64\mf.dll
Pen and Touch Control Panel
Windows Media Player WMEncPrivatePluginConnector Class C:\Windows\SysWOW64\wmpencen.dll
Stretch C:\Windows\SysWOW64\qedit.dll
Windows Media Player WMEncBasicEdit Class C:\Windows\SysWOW64\wmpencen.dll
Enhanced Video Renderer C:\Windows\SysWOW64\evr.dll
Offline Files Background Synchronization Task Handler C:\Windows\System32\cscui.dll

WPD Settings Review Page Class C:\Windows\SysWOW64\wpdwcn.dll


Windows Media SDK MSB Source Plugin C:\Windows\SysWOW64\WMNetMgr.dll
Offline Files Setting Object
TSMFActivate Class C:\Windows\SysWOW64\tsmf.dll
WIA Preview Component C:\Windows\SysWOW64\sti.dll
WMDM Transcode Property Page C:\Windows\SysWOW64\wmp.dll
GadgetsManager Class C:\Windows\System32\AuxiliaryDisplayServices.dll

Windows Photo Viewer Image Verbs C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Portable Media Devices C:\Windows\SysWOW64\audiodev.dll

Image Path Safe for Scripting/Safe for Initialization


C:\Windows\SysWOW64\msnetobj.dll true/true
C:\Windows\SysWOW64\msnetobj.dll true/true
AppID
{00393519-3A67-4507-A2B8-85146167ACA7}

{00F2B433-44E4-4D88-B2B0-2698A0A91DBA}

{09C5C2B5-1D32-4598-B87E-203F32BB08E3}

{F808DF63-6049-11D1-BA20-006097D2898E}

{1202DB60-1DAC-42C5-AED5-1ABDD432248E}

{1A1F4206-0688-4E7F-BE03-D82EC69DF9A5}

{45597C98-80F6-4549-84FF-752CF55E2D29}

{5E1395B2-B685-44E3-8AED-E2304D85ACD1}

{E32549C4-C2B8-4BCC-90D7-0FC3511092BB}

{25351F98-BEC9-4BA0-A1F7-D9D69225E52F}

{6295DF2D-35EE-11D1-8707-00C04FD93327}

{52551A19-B337-498D-AE75-2283E29902DE}

{69F9CB25-25E2-4BE1-AB8F-07AA7CB535E8}

{71B804C5-5577-471D-8FE5-C4A45B654EB8}

{76D0CB12-7604-4048-B83C-1005C7DDC503}
{E32549C4-C2B8-4BCC-90D7-0FC3511092BB}

{8D8B8E30-C451-421B-8553-D2976AFA648C}

{B8C54A54-355E-11D3-83EB-00A0C92A2F2D}
{ED6BB178-B06A-47AD-98B3-6066E0CF0147}

{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
{38AFE312-B8E5-4354-A11F-9224307B28AC}

{A0ADD4EC-5BD3-4F70-A47B-07797A45C635}
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

{A79DB36D-6218-48E6-9EC9-DCBA9A39BF0F}

{A55803CC-4D53-404C-8557-FD63DBA95D24}

{7F429620-16D1-471E-A81A-114992148034}

{A9D431C2-6D56-4727-9690-ADBE66B9184A}

{B6C292BC-7C88-41EE-8B54-8EC92617E599}

{B8558612-DF5E-4F95-BB81-8E910B327FB2}

{08F646B3-5E7F-4B7A-A5CB-F95445F9F67A}

{CDC32574-7521-4124-90C3-8D5605A34933}

{E32549C4-C2B8-4BCC-90D7-0FC3511092BB}

{D3667F1E-CCB8-4A69-99DF-59A2B2A6753F}

{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

{ED1D0FDF-4414-470A-A56D-CFB68623FC58}

{F056D291-A2AB-45F7-8EE4-40454493B351}

{AAAF9453-58F9-4872-A428-0507C383AC37}

Setting
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
TS Web Access Computers AccessAllowed

BUILTIN\Administrators AccessAllowed
Everyone AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
TS Web Access Computers AccessAllowed

COM Class Handler


Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "%L"
{5E941D80-BF96-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:8 /Open "\Windows Media Player\wmplayer.exe" /prefetch:8 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
{5E941D80-BF96-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "\Windows Media Player\wmplayer.exe" /prefetch:12 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:5 /Open "\Windows Media Player\wmplayer.exe" /prefetch:5 /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /WMPackage:"\Windows Media Player\wmplayer.exe" /WMPackage:"%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /layout:"\Windows Media Player\wmplayer.exe" /layout:"%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "\Windows Media Player\wmplayer.exe" /prefetch:7 /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /layout:"\Windows Media Player\wmplayer.exe" /layout:"%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"
{098F2470-BAE0-11CD-B579-08002B30BFEB} Shell command: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Open "\Windows Media Player\wmplayer.exe" /Open "%L"

Handler Path
C:\Program Files (x86)\Windows Media Player\wmplayer.exe "\Windows Media Player\wmplayer.exe" "%L"
C:\Program Files (x86)\Windows Media Player\wmplayer.exe "\Windows Media Player\wmplayer.exe" "%L"
Application Elevation Policy
Windows Media Player Silent Launch at Medium IL (3)
TabletManager Class Silent Launch at Low IL (1)

Friendly Name Binary Path


Windows Media Player C:\Windows\SysWOW64\wmp.dll
Windows Media Services DRM Storage object C:\Windows\SysWOW64\msnetobj.dll
RMGetLicense Class C:\Windows\SysWOW64\msnetobj.dll

State Process
Listen svchost.exe (PID 2460)
Listen svchost.exe (PID 744)
Listen svchost.exe (PID 792)
Established svchost.exe (PID 792)
Established svchost.exe (PID 792)
Listen svchost.exe (PID 2460)
Listen svchost.exe (PID 744)
Listen svchost.exe (PID 792)

Network Denied Null Sessions Allowed


1 0

1 0

1 0
1 0

1 0

0 0

0 0
0 0
0 0

0 0

1 0

1 0

1 0

1 0

0 0

0 0

Endpoint Binding(s)
ncalrpc:[LRPC-99b85fbe2a6a9aaa28], ncalrpc:[IUserProfile2]
ncalrpc:[IUserProfile2]

Direction Protocol
In TCP
In TCP
In TCP
In TCP
Out TCP
In TCP
In TCP
In TCP
Out TCP
In UDP
Out UDP
Out TCP
In UDP
Out UDP

SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1001

S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
S-1-5-80-1987853863-1639573247-1110726908-1137832616-3599624523

Description

Account Startup Mode


NT AUTHORITY\NETWORK SERVICE Auto

Command Line Account


C:\Windows\system32\svchost -k TSLicensing

Friendly Name Binary Path


WMI Provider for RD Licensing Server C:\Windows\system32\TlsWmiProv.dll

State Process
Unknown svchost.exe (PID 1752)
Listen svchost.exe (PID 1752)
Listen svchost.exe (PID 1752)

Network Denied Null Sessions Allowed


0 0
0 0
0 0
0 0
0 1

1 0

0 1

Endpoint Binding(s)
ncalrpc:[LRPC-e6e2fca52cc719290f]
ncalrpc:[LRPC-e6e2fca52cc719290f]

Direction Protocol
In TCP

In TCP
Out TCP

In TCP
In TCP
In TCP

SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1002

S-1-5-80-3893474178-2562712516-324399186-2343250756-2176344804

Description

Account Startup Mode


NT AUTHORITY\NETWORK SERVICE DelayedAuto

NT AUTHORITY\NETWORK SERVICE Auto

Command Line Account


C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\System32\svchost.exe -k NetworkServiceRemoteDesktopPublishing
C:\Windows\System32\tssdis.exe
Friendly Name Binary Path
WBEM Win32_SessionBrokerFarmAccount Provider C:\Windows\system32\TsSdWmi.dll

WBEM Win32_SessionBrokerTargetEvent Provider C:\Windows\system32\TsSdWmi.dll

WBEM Win32_SessionDirectoryVMMPlugin Provider C:\Windows\system32\TsSdWmi.dll

Tssdis_migplugin Class C:\Windows\system32\migration\Tssdis_migplugin.dll

VmResourcePlugin Class C:\Windows\system32\vmplugin.dll


WBEM Win32_SessionBrokerFarm Provider C:\Windows\system32\TsSdWmi.dll
Microsoft.Virtualization.RDVClient.CarmineIntf C:\Windows\System32\mscoree.dll
WBEM WIN32_SESSIONBROKERSERVICEPROPERTIES Provider C:\Windows\system32\TsSdWmi.dll

WBEM Win32_SessionDirectoryVirtualDesktopServer Provider C:\Windows\system32\TsSdWmi.dll

WMI Provider for Terminal Services Centralized Publishing C:\Windows\System32\TsCPubWMI.dll
WBEM WIN32_TSSESSIONDIRECTORYSESSION Provider C:\Windows\system32\TsSdWmi.dll

WBEM WIN32_TSSESSIONDIRECTORYCLUSTER Provider C:\Windows\system32\TsSdWmi.dll

WBEM Win32_SessionBrokerTarget Provider C:\Windows\system32\TsSdWmi.dll


WBEM WIN32_TSSESSIONDIRECTORYSERVER Provider C:\Windows\system32\TsSdWmi.dll

AppID
{86D4E223-66F2-48D4-9678-861E5B784B10}

Setting
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
TS Web Access Computers AccessAllowed
Session Broker Computers AccessAllowed
BUILTIN\Administrators AccessAllowed
Everyone AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
TS Web Access Computers AccessAllowed
Session Broker Computers AccessAllowed

State Process
Listen svchost.exe (PID 2500)
Listen tssdis.exe (PID 2728)
Listen svchost.exe (PID 2500)
Listen tssdis.exe (PID 2728)
Established tssdis.exe (PID 2728)

Network Denied Null Sessions Allowed


0 0
1 0

1 0

Endpoint Binding(s)
ncalrpc:[OLEFBD774F8CC194B9A92D00E190B57]
ncacn_ip_tcp:[49292]
ncacn_ip_tcp:[49292]

Direction Protocol
In TCP
In TCP
Out TCP
In TCP
In TCP
In TCP
In TCP

In TCP

In TCP

In TCP

In TCP

Out TCP

SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1003

S-1-5-80-2717884317-2991250488-2171867740-1277779128-3897896015
S-1-5-80-3658497064-1657680080-154985190-1667809426-1666834975

Description

Account Startup Mode


NT AUTHORITY\NETWORK SERVICE Demand
NT AUTHORITY\NETWORK SERVICE DelayedAuto

Command Line Account


C:\Windows\system32\svchost.exe -k tsgateway

C:\Windows\system32\svchost.exe -k RPCHTTPLBS
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -UseCLSID {B12FB15B-B32B-44B1-9577-DBBA2BB7C5D4} -Comment "NGen Worker Process"

Friendly Name Binary Path


RpcProxyMigration Class C:\Windows\system32\migration\RpcProxyMigrationPlugin.dll
WMI Provider for Remote Desktop Gateway C:\Windows\system32\aagwmi.dll

State Process
Unknown svchost.exe (PID 940)
Listen svchost.exe (PID 940)
Listen svchost.exe (PID 2356)
Established svchost.exe (PID 940)
Established svchost.exe (PID 940)
Listen svchost.exe (PID 664)
Listen svchost.exe (PID 940)
Listen svchost.exe (PID 2356)

Network Denied Null Sessions Allowed


1 0
1 0
0 0
1 0
0 0

Endpoint Binding(s)
ncacn_http:[3388]
ncacn_http:[3388]
ncacn_ip_tcp:[49339]

Direction Protocol
In TCP

In TCP

In TCP
SID Privileges
S-1-5-80-1519088243-3393749326-176224663-3442946200-3646204403
S-1-5-80-2138717305-60429684-972287772-2436683847-3603921665

Description

This role service must be installed locally, but can be configured as a proxy. The following components are required:
Network Policy Server

This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Static Content
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
Application Development
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Basic Authentication
● Windows Authentication
● Client Certificate Mapping Authentication
Performance
● Static Content Compression

This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
IIS 6 Management Compatibility
● IIS 6 Metabase Compatibility
IIS Management Console

Relays RPC traffic from client applications over HTTP to the server, as an alternative to clients accessing the server over a VPN connection.

Includes snap-ins and command-line tools for remotely managing roles and features.
Remote Administration Tools
● Web Server (IIS) Tools
Friendly Name Binary Path


Tswa_migplugin Class C:\Windows\system32\migration\TSWA_migplugin.dll

SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1004

Description
This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Static Content
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
Application Development
● .NET Extensibility
● ASP .NET
● ISAPI Filters
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
● Windows Authentication
Performance
● Static Content Compression

This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
IIS 6 Management Compatibility
● IIS 6 Metabase Compatibility
IIS Management Console

Includes snap-ins and command-line tools for remotely managing roles and features.
Remote Administration Tools
● Web Server (IIS) Tools
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\NETWORK SERVICE Auto

Startup Mode
Demand

Command Line Account


D:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
D:\Windows\system32\wbem\WmiApSrv.exe

D:\Windows\System32\ismserv.exe

D:\Windows\System32\svchost.exe -k lsclientservice

D:\Windows\system32\svchost.exe -k NetworkServiceRemoteDesktopHyperVAgent

Friendly Name Binary Path


Synth3dVideoPoolResolver D:\Windows\System32\synth3dvideo.dll
Synth3dVideo D:\Windows\System32\synth3dvideo.dll
WMI Provider for Terminal Services VM Host Agent D:\Windows\System32\TSVmHostWMI.dll

PSFactoryBuffer D:\Windows\system32\VdevNotifyProxy.dll

AppID
{F5D00F55-D113-40B8-B70F-06A606550942}

{F5D00F55-D113-40B8-B70F-06A606550942}

State Process
Unknown ismserv.exe (PID 1944)
Established ismserv.exe (PID 1944)
Established ismserv.exe (PID 1944)
Listen svchost.exe (PID 2724)
Listen svchost.exe (PID 2724)
Unknown vmms.exe (PID 2476)
Established vmmservice.exe (PID 3012)

Network Denied Null Sessions Allowed


1 0

1 0

1 0

1 0
1 0

1 0

1 0

1 0

1 0
1 0

0 0

1 0

Endpoint Binding(s)
ncalrpc:[OLEC77F5D44198946739346AB2CFBF1]
ncalrpc:[OLEC77F5D44198946739346AB2CFBF1]

Direction Protocol
In TCP

In TCP

In TCP

Out TCP

In TCP
In TCP
SID Privileges
S-1-5-80-933469486-2214615798-607467685-3218432706-2082869768
S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601
S-1-5-80-1901509957-808481724-2853234993-1651608950-3885195042
S-1-5-80-2470543729-571550108-2229069596-1591088574-3587620433
S-1-5-80-4130899010-3337817248-2959896732-3640118089-1866760602

Description
Provides the services that you use to create and manage virtual machines and their resources.
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: ..)


(Linker Version: 9.0.-1) (ASLR)
Description
3GPP2 Audio/Video

3GPP Audio/Video

3GPP2 Audio/Video

3GPP Audio/Video

ADTS Audio

ADTS Audio
ADTS Audio

AIFF Format Sound

AIFF Format Sound

AIFF Format Sound

Windows Media Audio/Video file

Windows Media Audio/Video playlist

AU Format Sound

Video Clip

CD Audio Track

Microsoft Recorded TV Show

Disc Image File


Disc Image File
Movie Clip

AVCHD Video

AVCHD Video

Movie Clip

M3U file

MPEG-4 Audio

MP4 Video

MIDI Sequence

MIDI Sequence

Movie Clip
QuickTime Movie

MP3 Format Sound

Movie Clip

MP3 Format Sound

MP4 Video

MP4 Video

Movie Clip

Movie Clip

Movie Clip

Movie Clip
Movie Clip

AVCHD Video

MIDI Sequence

AU Format Sound

MPEG-2 TS Video

Terminal Services RemoteApp

MPEG-2 TS Video

Wave Sound

Windows Media Audio shortcut

Windows Media Audio/Video file

Windows Media Audio file

Windows Media Player Download Package

Windows Media Library

Windows Media Player Skin File

Windows Media Audio/Video file

Windows Media Audio/Video playlist

Windows Media Player Skin Package

Windows Media playlist

Windows Recorded TV Show

Windows Media Audio/Video playlist
Account

DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\AudioEndpointBuilder AccessAllowed
NT SERVICE\CscService AccessAllowed
NT SERVICE\dot3svc AccessAllowed
NT SERVICE\hidserv AccessAllowed
NT SERVICE\IPBusEnum AccessAllowed
NT SERVICE\Netman AccessAllowed
NT SERVICE\TrkWks AccessAllowed
NT SERVICE\UmRdpService AccessAllowed
NT SERVICE\UxSms AccessAllowed
NT SERVICE\WdiSystemHost AccessAllowed
NT SERVICE\WPDBusEnum AccessAllowed
NT SERVICE\wudfsvc AccessAllowed
OWNER RIGHTS AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed

Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\TermService AccessAllowed
\OWNER RIGHTS AccessAllowed

Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\TermService AccessAllowed
\OWNER RIGHTS AccessAllowed
Local Endpoint Remote Endpoint Enabled
*:3389 *:* 1
*:3389 *:* 1
*:135 *:* 1
*:RPC *:* 1
*:* *:* 1
*:445 *:* 1
*:RPC *:* 1
*:RPC-EPMap *:* 1
*:* *:* 0
*:* *:* 0
*:* *:* 0
*:* *:* 0
*:* *:* 0
*:* *:* 0

Process Flags
(Linker Version: 9.0.-1) (ASLR)

Account
DACL
Everyone AccessAllowed; NT AUTHORITY\ANONYMOUS LOGON AccessAllowed; NT SERVICE\TermServLicensing AccessAllowed; \OWNER RIGHTS AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed

Local Endpoint Remote Endpoint Enabled


*:135 *:* 1

*:RPC *:* 1
*:* *:* 1

*:445 *:* 1
*:RPC *:* 1
*:RPC-EPMap *:* 1

Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)


Account
DACL
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed

Local Endpoint Remote Endpoint Enabled


*:135 *:* 1
*:RPC *:* 1
*:* *:* 1
*:445 *:* 1
*:RPC *:* 1
*:RPC-EPMap *:* 1
*:* *:* 1

*:5504 *:* 1

*:* *:* 1

*:135 *:* 1

*:RPC *:* 1

*:* *:* 1

Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)


(Linker Version: 10.0.-1) (ASLR) (Uses SafeSEH) (Uses /GS)

Account

DACL

Local Endpoint Remote Endpoint Enabled


*:RPC *:* 0

*:RPC-EPMap *:* 0

*:3388 *:* 0
Process Flags
(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

(Linker Version: 9.0.-1) (ASLR)

Account
DACL
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessAllowed; NT AUTHORITY\ANONYMOUS LOGON AccessAllowed; NT SERVICE\VmHostAgent AccessAllowed; \OWNER RIGHTS AccessAllowed
NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed

Local Endpoint Remote Endpoint Enabled


*:135 *:* 1

*:* *:* 1

*:RPC *:* 1

*:* *:* 1

*:RPC *:* 1
*:RPC-EPMap *:* 1
Hyper-V
Running Services
Name                                              Command Line                              Account               Startup Mode
Hyper-V Networking Management Service (nvspwmi)   D:\Windows\system32\svchost -k nvspwmi    NT AUTHORITY\SYSTEM   Auto
Hyper-V Image Management Service (vhdsvc)         D:\Windows\system32\svchost -k virtsvcs   NT AUTHORITY\SYSTEM   Auto
Hyper-V Virtual Machine Management (vmms)         D:\Windows\system32\vmms.exe              NT AUTHORITY\SYSTEM   Auto

Drivers
Name                                                 Startup Mode
Hypervisor/Virtual Machine Support Driver (hvboot)   System
PassthroughParser (passthruparser)                   Demand
vhdparser (vhdparser)                                Demand
VMSMP (VMSMP)                                        Demand
VMSP (VMSP)                                          Demand

Running Processes
Image Name (PID)     Process Flags
svchost.exe (2276)   (Linker Version: 9.0.-1) (ASLR)
svchost.exe (2296)   (Linker Version: 9.0.-1) (ASLR)
vmms.exe (2316)      (Linker Version: 9.0.-1) (ASLR)

Registered COM Controls
CLSID
{00DA894F-D46E-46BD-A5AD-0C459EE9D846}
{0907616E-F5E6-48D8-9D61-A91C3D28106D}
{0C27CFDD-1613-4A0C-BD12-E8D369669152}
{100E81E4-4A65-4477-8BE9-E972E4D33A8D}
{1F189384-5AD4-45EA-9721-AD3E5288C62A}
{2497F4DE-E9FA-4204-80E4-4B75C46419C0}
{2A34B1C2-FD73-4043-8A5B-DD2159BC743F}
{2FC216B0-D2E2-4967-9B6D-B8A5C9CA2778}
{5CED1297-4598-4915-A5FC-AD21BB4D02A4}
{6A45335D-4C3A-44B7-B61F-C9808BBDF8ED}
{84EAAE65-2F2E-45F5-9BB5-0E857DC8EB47}
{982D78D6-4DD3-4E6F-8200-C7B2AD70B31E}
{9F8233AC-BE49-4C79-8EE3-E7E1985B2077}
{A40F06C1-C3B5-4A04-AE0A-7EAA9951F4BB}
{BDE5D4D6-E450-46D2-B925-976CA3E989B4}
{D41A1872-3740-41CE-A1EE-4522AB82F991}
{D422512D-2BF2-4752-809D-7B82B5FCB1B4}
{E265ADBA-394C-444B-8C8E-532D6FAA605B}
{EE01EAAB-BC79-458C-B93F-FB59D89596B0}
{F33463E0-7D59-11D9-9916-0008744F51F3}

Friendly Name                                      Binary Path
Hyper-V Remote File Browsing                       D:\Windows\System32\RemoteFileBrowse.dll
VmErrInfo                                          D:\Windows\System32\vmprox.dll
vmwpctrl                                           D:\Windows\System32\vmwpctrl.dll
ICTimeSyncVdevDevice                               D:\Windows\System32\vmictimesync.dll
ICKvpExchangeVdevDevice                            D:\Windows\System32\vmickvpexchange.dll
SynthNic                                           D:\Windows\System32\synthnic.dll
ICVssVdevDevice                                    D:\Windows\System32\vmicvss.dll
SynthNicPoolResolver                               D:\Windows\System32\synthnic.dll
ICHeartbeatVdevDevice                              D:\Windows\System32\vmicheartbeat.dll
ICShutdownVdevDevice                               D:\Windows\System32\vmicshutdown.dll
Microsoft Hyper-V Network Switch Notify Object     D:\Windows\system32\vmsntfy.dll
SynthStorPoolResolver                              D:\Windows\System32\synthstor.dll
VmbusVdev                                          D:\Windows\System32\vmbusvdev.dll
SynthStor                                          D:\Windows\System32\synthstor.dll
PSFactoryBuffer                                    D:\Windows\System32\vmprox.dll

Registered DCOM Servers
CLSID                                    AppID
{00DA894F-D46E-46BD-A5AD-0C459EE9D846}   {BD168A68-48E8-4AE5-BF4B-CC4F495A0D0F}
{100E81E4-4A65-4477-8BE9-E972E4D33A8D}   {BD168A68-48E8-4AE5-BF4B-CC4F495A0D0F}
{982D78D6-4DD3-4E6F-8200-C7B2AD70B31E}   {BD168A68-48E8-4AE5-BF4B-CC4F495A0D0F}
{E265ADBA-394C-444B-8C8E-532D6FAA605B}   {BD168A68-48E8-4AE5-BF4B-CC4F495A0D0F}
{F33463E0-7D59-11D9-9916-0008744F51F3}   {082679C7-6310-4457-ABD6-B8303749E581}

Ports
Port Name                       State     Process
2179/TCP -- Unknown Protocol    Listen    vmms.exe (PID 2316)
2179/TCP -- Unknown Protocol    Listen    vmms.exe (PID 2316)
49158/UDP -- Unknown Protocol   Unknown   vmms.exe (PID 2316)

Named Pipes
Pipe Name                               Network Denied   Null Sessions Allowed   DACL
Winsock2\CatalogChangeListener-3ec-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Winsock2\CatalogChangeListener-24c-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Winsock2\CatalogChangeListener-1ec-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Winsock2\CatalogChangeListener-2b4-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Winsock2\CatalogChangeListener-2b4-1    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
RpcProxy\49157                          0                0                       Everyone AccessAllowed; NT AUTHORITY\ANONYMOUS LOGON AccessAllowed; BUILTIN\Administrators AccessAllowed
Winsock2\CatalogChangeListener-23c-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Winsock2\CatalogChangeListener-2ac-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Winsock2\CatalogChangeListener-6e4-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Winsock2\CatalogChangeListener-6a8-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed
Winsock2\CatalogChangeListener-464-0    1                0                       NT AUTHORITY\NETWORK AccessDenied; BUILTIN\Server Operators AccessAllowed; BUILTIN\Administrators AccessAllowed; NT AUTHORITY\SYSTEM AccessAllowed

Firewall Rules
Name                                           Direction   Protocol   Local Endpoint   Remote Endpoint   Enabled
Hyper-V - WMI (Async-In)                       In          TCP        *:*              *:*               1
Hyper-V - WMI (DCOM-In)                        In          TCP        *:135            *:*               1
Hyper-V - WMI (TCP-In)                         In          TCP        *:*              *:*               1
Hyper-V - WMI (TCP-Out)                        Out         TCP        *:*              *:*               1
Hyper-V (MIG-TCP-In)                           In          TCP        *:6600           *:*               1
Hyper-V (MIG-TCP-In)                           In          TCP        *:6600           *:*               1
Hyper-V (MIG-TCP-In)                           In          TCP        *:6600           *:*               1
Hyper-V (REMOTE_DESKTOP_TCP_IN)                In          TCP        *:2179           *:*               1
Hyper-V (RPC)                                  In          TCP        *:RPC            *:*               1
Hyper-V (RPC-EPMAP)                            In          TCP        *:RPC-EPMap      *:*               1
Hyper-V Management Clients - WMI (Async-In)    In          TCP        *:*              *:*               1
Hyper-V Management Clients - WMI (DCOM-In)     In          TCP        *:135            *:*               1
Hyper-V Management Clients - WMI (TCP-In)      In          TCP        *:*              *:*               1
Hyper-V Management Clients - WMI (TCP-Out)     Out         TCP        *:*              *:*               1

Groups
Account Name                                              SID
NT VIRTUAL MACHINE\Virtual Machines                       S-1-5-83-0
NT SERVICE\vmms                                           S-1-5-80-372862235-2032486189-3501277350-209496046-1642810407
NT VIRTUAL MACHINE\824D8AA7-1875-4A2D-9DC4-3C405B2527B1

Account Privileges
Account                               Privileges
NT VIRTUAL MACHINE\Virtual Machines   SeCreateSymbolicLinkPrivilege

Role Dependency
Dependency
None
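The tables above are a point-in-time inventory; what a practitioner wants is a way to re-take that inventory on a live Hyper-V host and see what has drifted (a service changed to Manual, vmms.exe listening on an extra port, a migration rule disabled on one profile). The script below is an added example and is not part of the Microsoft reference or of any Microsoft tool. It assumes an elevated PowerShell prompt (PowerShell 2.0 syntax, so it runs on Windows Server 2008 R2), English netsh output, and that the baseline values embedded in it are the ones tabulated on this page; the page writes driver start modes as "Demand" and the service account as NT AUTHORITY\SYSTEM, whereas WMI reports "Manual" and "LocalSystem", so the comparison maps those vocabularies before matching.

```powershell
# Added example, not Microsoft's code: diff a live host's Hyper-V attack surface
# against the baseline tabulated on this page (services, drivers, TCP listeners,
# firewall rules). Assumes elevated PowerShell 2.0+ and English netsh/netstat output.

# Baseline copied from the Hyper-V tables on this page.
$BaselineServices  = @{ 'nvspwmi' = 'Auto'; 'vhdsvc' = 'Auto'; 'vmms' = 'Auto' }
$BaselineDrivers   = @{ 'hvboot' = 'System'; 'passthruparser' = 'Demand'; 'vhdparser' = 'Demand'
                        'VMSMP' = 'Demand'; 'VMSP' = 'Demand' }
$BaselineListeners = @{ '2179/TCP' = 'vmms.exe' }                   # VMConnect listener owned by vmms.exe
$BaselineRulePorts = @{ 'Hyper-V (MIG-TCP-In)' = '6600'               # live migration
                        'Hyper-V (REMOTE_DESKTOP_TCP_IN)' = '2179'    # VMConnect
                        'Hyper-V - WMI (DCOM-In)' = '135' }           # remote WMI management

function New-Finding($Component, $Item, $Expected, $Observed) {
    $status = if ($Expected -eq $Observed) { 'OK' } else { 'DRIFT' }
    New-Object PSObject -Property @{ Component = $Component; Item = $Item
                                     Expected = $Expected; Observed = $Observed; Status = $status }
}

function Get-ServiceDrift {
    foreach ($name in $BaselineServices.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        # WMI names the NT AUTHORITY\SYSTEM account "LocalSystem".
        $observed = if ($svc) { "$($svc.StartMode) as $($svc.StartName)" } else { 'MISSING' }
        New-Finding 'Service' $name "$($BaselineServices[$name]) as LocalSystem" $observed
    }
}

function Get-DriverDrift {
    foreach ($name in $BaselineDrivers.Keys) {
        $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='$name'"
        $expected = $BaselineDrivers[$name] -replace '^Demand$', 'Manual'   # page vocabulary -> WMI vocabulary
        $observed = if ($drv) { $drv.StartMode } else { 'MISSING' }
        New-Finding 'Driver' $name $expected $observed
    }
}

function Get-ListenerDrift {
    # netstat -ano rows: Proto  Local Address  Foreign Address  State  PID (UDP rows carry no State).
    $observedListeners = @{}
    foreach ($line in (netstat -ano)) {
        $f = ($line -replace '^\s+', '') -split '\s+'
        if ($f.Count -ge 5 -and $f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') {
            $port  = $f[1].Substring($f[1].LastIndexOf(':') + 1)        # works for 0.0.0.0:2179 and [::]:2179
            $proc  = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
            $image = if ($proc) { $proc.ProcessName + '.exe' } else { "PID $($f[4])" }
            $observedListeners["$port/TCP"] = $image
        }
    }
    foreach ($key in $BaselineListeners.Keys) {
        $observed = if ($observedListeners.ContainsKey($key)) { $observedListeners[$key] } else { 'NOT LISTENING' }
        New-Finding 'Listener' $key $BaselineListeners[$key] $observed
    }
    # Any extra port vmms.exe listens on widens the surface documented above.
    foreach ($key in $observedListeners.Keys) {
        if ($observedListeners[$key] -eq 'vmms.exe' -and -not $BaselineListeners.ContainsKey($key)) {
            New-Finding 'Listener' $key 'not in baseline' 'vmms.exe'
        }
    }
}

function Get-FirewallDrift {
    # Parse "netsh advfirewall firewall show rule name=all" into one hashtable per rule
    # (one rule name can appear once per profile, as the three MIG-TCP-In rows above show).
    $rules = @(); $current = $null
    foreach ($line in (netsh advfirewall firewall show rule name=all)) {
        if ($line -match '^Rule Name:\s*(.+)$') { $current = @{ Name = $Matches[1].Trim() }; $rules += $current }
        elseif ($current -and $line -match '^(\w[\w ]*):\s*(.+)$') { $current[$Matches[1].Trim()] = $Matches[2].Trim() }
    }
    foreach ($name in $BaselineRulePorts.Keys) {
        $expected = "$($BaselineRulePorts[$name]) enabled"
        $matching = @($rules | Where-Object { $_.Name -eq $name })
        if ($matching.Count -eq 0) { New-Finding 'Firewall' $name $expected 'RULE MISSING'; continue }
        foreach ($r in $matching) {
            $state = if ($r['Enabled'] -eq 'Yes') { 'enabled' } else { 'disabled' }
            New-Finding 'Firewall' "$name [$($r['Profiles'])]" $expected "$($r['LocalPort']) $state"
        }
    }
}

function Get-HyperVAttackSurfaceDrift {
    @(Get-ServiceDrift) + @(Get-DriverDrift) + @(Get-ListenerDrift) + @(Get-FirewallDrift)
}

Get-HyperVAttackSurfaceDrift | Sort-Object Status, Component |
    Format-Table Status, Component, Item, Expected, Observed -AutoSize
```

Rows marked DRIFT are the ones to investigate: a vmms.exe listener outside the baseline, or a Hyper-V rule whose LocalPort no longer matches the page, means the host exposes something this reference does not account for. The named-pipe DACLs and the COM/DCOM registrations tabulated above are not covered by this script; a pipe-ACL comparison needs a tool that opens \\.\pipe\ objects and reads their security descriptors, which the built-in cmdlets do not do.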