Untitled diff

125 removals
Words removed: 185
Total words: 2238
Words removed (%): 8.27
733 lines
121 additions
Words added: 188
Total words: 2241
Words added (%): 8.39
730 lines
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
<WinProcess "smss.exe" pid 368 at 0x5306908L>
<WinProcess "smss.exe" pid 520 at 0x5db0c50L>
64
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 472 at 0x5306e48L>
<WinProcess "csrss.exe" pid 776 at 0x5db0908L>
64
64


Interfaces :
Interfaces :
Endpoints :
Endpoints :
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
<WinProcess "wininit.exe" pid 548 at 0x5306780L>
<WinProcess "wininit.exe" pid 876 at 0x5db0e48L>
64
64


Interfaces :
Interfaces :
RPC 76f226c3-ec14-4325-8a99-6a46348418ae (1.0) -- C:\windows\system32\wininit.exe
RPC 76f226c3-ec14-4325-8a99-6a46348418ae (1.0) -- C:\WINDOWS\system32\wininit.exe
0 -> I_WMsgkSendMessage
0 -> I_WMsgkSendMessage
1 -> I_WMsgkSendPSPMessage
1 -> I_WMsgkSendPSPMessage
RPC 894de0c0-0d55-11d3-a322-00c04fa321a1 (1.0) -- C:\windows\system32\wininit.exe
RPC 894de0c0-0d55-11d3-a322-00c04fa321a1 (1.0) -- C:\WINDOWS\system32\wininit.exe
0 -> s_BaseInitiateShutdown
0 -> s_BaseInitiateShutdown
1 -> s_BaseAbortShutdown
1 -> s_BaseAbortShutdown
2 -> s_BaseInitiateShutdownEx
2 -> s_BaseInitiateShutdownEx
RPC d95afe70-a6d5-4259-822e-2c84da1ddb0d (1.0) -- C:\windows\system32\wininit.exe
RPC d95afe70-a6d5-4259-822e-2c84da1ddb0d (1.0) -- C:\WINDOWS\system32\wininit.exe
0 -> s_WsdrInitiateShutdown
0 -> s_WsdrInitiateShutdown
1 -> s_WsdrAbortShutdown
1 -> s_WsdrAbortShutdown
2 -> s_WsdrCheckForHiberboot
2 -> s_WsdrCheckForHiberboot
RPC 76f226c3-ec14-4325-8a99-6a46348418af (1.0) -- C:\windows\system32\wininit.exe
RPC 76f226c3-ec14-4325-8a99-6a46348418af (1.0) -- C:\WINDOWS\system32\wininit.exe
0 -> I_WMsgSendMessage
0 -> I_WMsgSendMessage
1 -> I_WMsgSendPSPMessage
1 -> I_WMsgSendPSPMessage
2 -> I_WMsgSendNotifyMessage
2 -> I_WMsgSendNotifyMessage
3 -> I_WMsgSendReconnectionUpdateMessage
3 -> I_WMsgSendReconnectionUpdateMessage
Endpoints :
Endpoints :
ncalrpc : WMsgKRpc0551A0
ncalrpc : WMsgKRpc017ED30
ncacn_np : \PIPE\InitShutdown
ncacn_np : \PIPE\InitShutdown
ncalrpc : WindowsShutdown
ncalrpc : WindowsShutdown
ncacn_ip_tcp : 49664
ncacn_ip_tcp : 1536
--------------------------------------------------------------------------------
<WinProcess "csrss.exe" pid 564 at 0x53069e8L>
64

Interfaces :
Endpoints :
--------------------------------------------------------------------------------
<WinProcess "winlogon.exe" pid 644 at 0x5306860L>
64

Interfaces :
RPC 76f226c3-ec14-4325-8a99-6a46348418ae (1.0) -- C:\windows\system32\winlogon.exe
0 -> I_WMsgkSendMessage
1 -> I_WMsgkSendPSPMessage
RPC 76f226c3-ec14-4325-8a99-6a46348418af (1.0) -- C:\windows\system32\winlogon.exe
0 -> I_WMsgSendMessage
1 -> I_WMsgSendPSPMessage
2 -> I_WMsgSendNotifyMessage
3 -> I_WMsgSendReconnectionUpdateMessage
Endpoints :
ncalrpc : WMsgKRpc058201
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
<WinProcess "services.exe" pid 684 at 0x5306320L>
<WinProcess "services.exe" pid 948 at 0x5db0f28L>
64
64


Interfaces :
Interfaces :
RPC 367abb81-9844-35f1-ad32-98f038001003 (2.0) -- C:\windows\system32\services.exe
RPC 367abb81-9844-35f1-ad32-98f038001003 (2.0) -- C:\WINDOWS\system32\services.exe
0 -> RCloseServiceHandle
0 -> RCloseServiceHandle
1 -> RControlService
1 -> RControlService
2 -> RDeleteService
2 -> RDeleteService
3 -> RLockServiceDatabase
3 -> RLockServiceDatabase
4 -> RQueryServiceObjectSecurity
4 -> RQueryServiceObjectSecurity
5 -> RSetServiceObjectSecurity
5 -> RSetServiceObjectSecurity
6 -> RQueryServiceStatus
6 -> RQueryServiceStatus
7 -> RSetServiceStatus
7 -> RSetServiceStatus
8 -> RUnlockServiceDatabase
8 -> RUnlockServiceDatabase
9 -> RNotifyBootConfigStatus
9 -> RNotifyBootConfigStatus
10 -> RI_ScSetServiceBitsW
10 -> RI_ScSetServiceBitsW
11 -> RChangeServiceConfigW
11 -> RChangeServiceConfigW
12 -> RCreateServiceW
12 -> RCreateServiceW
13 -> REnumDependentServicesW
13 -> REnumDependentServicesW
14 -> REnumServicesStatusW
14 -> REnumServicesStatusW
15 -> ROpenSCManagerW
15 -> ROpenSCManagerW
16 -> ROpenServiceW
16 -> ROpenServiceW
17 -> RQueryServiceConfigW
17 -> RQueryServiceConfigW
18 -> RQueryServiceLockStatusW
18 -> RQueryServiceLockStatusW
19 -> RStartServiceW
19 -> RStartServiceW
20 -> RGetServiceDisplayNameW
20 -> RGetServiceDisplayNameW
21 -> RGetServiceKeyNameW
21 -> RGetServiceKeyNameW
22 -> CServiceRecord::GetStatusInternal
22 -> CServiceRecord::GetStatusInternal
23 -> RChangeServiceConfigA
23 -> RChangeServiceConfigA
24 -> RCreateServiceA
24 -> RCreateServiceA
25 -> REnumDependentServicesA
25 -> REnumDependentServicesA
26 -> REnumServicesStatusA
26 -> REnumServicesStatusA
27 -> ROpenSCManagerA
27 -> ROpenSCManagerA
28 -> ROpenServiceA
28 -> ROpenServiceA
29 -> RQueryServiceConfigA
29 -> RQueryServiceConfigA
30 -> RQueryServiceLockStatusA
30 -> RQueryServiceLockStatusA
31 -> RStartServiceA
31 -> RStartServiceA
32 -> RGetServiceDisplayNameA
32 -> RGetServiceDisplayNameA
33 -> RGetServiceKeyNameA
33 -> RGetServiceKeyNameA
34 -> CServiceRecord::GetStatusInternal
34 -> CServiceRecord::GetStatusInternal
35 -> REnumServiceGroupW
35 -> REnumServiceGroupW
36 -> RChangeServiceConfig2A
36 -> RChangeServiceConfig2A
37 -> RChangeServiceConfig2W
37 -> RChangeServiceConfig2W
38 -> RQueryServiceConfig2A
38 -> RQueryServiceConfig2A
39 -> RQueryServiceConfig2W
39 -> RQueryServiceConfig2W
40 -> RQueryServiceStatusEx
40 -> RQueryServiceStatusEx
41 -> REnumServicesStatusExA
41 -> REnumServicesStatusExA
42 -> REnumServicesStatusExW
42 -> REnumServicesStatusExW
43 -> RI_ScBroadcastServiceControlMessage
43 -> RI_ScBroadcastServiceControlMessage
44 -> RCreateServiceWOW64A
44 -> RCreateServiceWOW64A
45 -> RCreateServiceWOW64W
45 -> RCreateServiceWOW64W
46 -> RI_ScQueryServiceTagInfo
46 -> RI_ScQueryServiceTagInfo
47 -> RNotifyServiceStatusChange
47 -> RNotifyServiceStatusChange
48 -> RGetNotifyResults
48 -> RGetNotifyResults
49 -> RCloseNotifyHandle
49 -> RCloseNotifyHandle
50 -> RControlServiceExA
50 -> RControlServiceExA
51 -> RControlServiceExW
51 -> RControlServiceExW
52 -> RI_ScSendPnPMessage
52 -> RI_ScSendPnPMessage
53 -> RI_ScValidatePnPService
53 -> RI_ScValidatePnPService
54 -> RI_ScOpenServiceStatusHandle
54 -> RI_ScOpenServiceStatusHandle
55 -> RI_ScQueryServiceConfig
55 -> RI_ScQueryServiceConfig
56 -> RQueryServiceConfigEx
56 -> RQueryServiceConfigEx
57 -> RI_ScRegisterPreshutdownRestart
57 -> RI_ScRegisterPreshutdownRestart
58 -> RI_ScReparseServiceDatabase
58 -> RI_ScReparseServiceDatabase
59 -> RQueryUserServiceName
59 -> RQueryUserServiceName
60 -> RCreateWowService
60 -> RCreateWowService
61 -> RGetServiceRegistryStateKey
61 -> RGetServiceRegistryStateKey
62 -> RGetServiceDirectory
62 -> RGetServiceDirectory
63 -> RGetServiceProcessToken
RPC a2c45f7c-7d32-46ad-96f5-adafb486be74 (1.0) -- C:\WINDOWS\system32\services.exe
RPC a2c45f7c-7d32-46ad-96f5-adafb486be74 (1.0) -- C:\windows\system32\services.exe
0 -> RI_ScOpenServiceChannelHandle
0 -> RI_ScOpenServiceChannelHandle
1 -> RI_ScSendResponseReceiveControls
1 -> RI_ScSendResponseReceiveControls
2 -> RI_ScCloseServiceChannelHandle
2 -> RI_ScCloseServiceChannelHandle
RPC 93149ca2-973b-11d1-8c39-00c04fb984f9 (0.0) -- C:\windows\SYSTEM32\scesrv.dll
RPC 93149ca2-973b-11d1-8c39-00c04fb984f9 (0.0) -- C:\WINDOWS\SYSTEM32\scesrv.dll
0 -> SceSvcRpcQueryInfo
0 -> SceSvcRpcQueryInfo
1 -> SceSvcRpcSetInfo
1 -> SceSvcRpcSetInfo
2 -> SceRpcSetupUpdateObject
2 -> SceRpcSetupUpdateObject
3 -> SceRpcSetupMoveFile
3 -> SceRpcSetupMoveFile
4 -> SceRpcGenerateTemplate
4 -> SceRpcGenerateTemplate
5 -> SceRpcConfigureSystem
5 -> SceRpcConfigureSystem
6 -> SceRpcGetDatabaseInfo
6 -> SceRpcGetDatabaseInfo
7 -> SceRpcGetObjectChildren
7 -> SceRpcGetObjectChildren
8 -> SceRpcOpenDatabase
8 -> SceRpcOpenDatabase
9 -> SceRpcCloseDatabase
9 -> SceRpcCloseDatabase
10 -> SceRpcGetDatabaseDescription
10 -> SceRpcGetDatabaseDescription
11 -> SceRpcGetDBTimeStamp
11 -> SceRpcGetDBTimeStamp
12 -> SceRpcGetObjectSecurity
12 -> SceRpcGetObjectSecurity
13 -> SceRpcGetAnalysisSummary
13 -> SceRpcGetAnalysisSummary
14 -> SceRpcAnalyzeSystem
14 -> SceRpcAnalyzeSystem
15 -> SceRpcUpdateDatabaseInfo
15 -> SceRpcUpdateDatabaseInfo
16 -> SceRpcUpdateObjectInfo
16 -> SceRpcUpdateObjectInfo
17 -> SceRpcStartTransaction
17 -> SceRpcStartTransaction
18 -> SceRpcCommitTransaction
18 -> SceRpcCommitTransaction
19 -> SceRpcRollbackTransaction
19 -> SceRpcRollbackTransaction
20 -> SceRpcGetServerProductType
20 -> SceRpcGetServerProductType
21 -> SceSvcRpcUpdateInfo
21 -> SceSvcRpcUpdateInfo
22 -> SceRpcCopyObjects
22 -> SceRpcCopyObjects
23 -> SceRpcSetupResetLocalPolicy
23 -> SceRpcSetupResetLocalPolicy
24 -> SceRpcNotifySaveChangesInGP
24 -> SceRpcNotifySaveChangesInGP
25 -> SceRpcControlNotificationQProcess
25 -> SceRpcControlNotificationQProcess
26 -> SceRpcBrowseDatabaseTable
26 -> SceRpcBrowseDatabaseTable
27 -> SceRpcGetSystemSecurity
27 -> SceRpcGetSystemSecurity
28 -> SceRpcGetSystemSecurity
28 -> SceRpcGetSystemSecurity
29 -> SceRpcSetSystemSecurity
29 -> SceRpcSetSystemSecurity
30 -> SceRpcSetSystemSecurity
30 -> SceRpcSetSystemSecurity
31 -> SceRpcSetDatabaseSetting
31 -> SceRpcSetDatabaseSetting
32 -> SceRpcGetDatabaseSetting
32 -> SceRpcGetDatabaseSetting
33 -> SceRpcConfigureConvertedFileSecurityImmediately
33 -> SceRpcConfigureConvertedFileSecurityImmediately
Endpoints :
Endpoints :
ncalrpc : ntsvcs
ncalrpc : ntsvcs
ncacn_np : \pipe\ntsvcs
ncacn_np : \pipe\ntsvcs
ncacn_np : \PIPE\scerpc
ncacn_np : \PIPE\scerpc
ncacn_ip_tcp : 49677
ncacn_ip_tcp : 1543
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
<WinProcess "lsass.exe" pid 692 at 0x53062b0L>
<WinProcess "LsaIso.exe" pid 968 at 0x5db0c88L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ff868230000
--------------------------------------------------------------------------------
<WinProcess "lsass.exe" pid 980 at 0x5e18358L>
64
64
['KeyIso', 'SamSs', 'VaultSvc']
['KeyIso', 'SamSs', 'VaultSvc']


Interfaces :
Interfaces :
RPC 12345778-1234-abcd-ef00-0123456789ab (0.0) -- C:\windows\system32\lsasrv.dll
RPC 12345778-1234-abcd-ef00-0123456789ab (0.0) -- C:\WINDOWS\system32\lsasrv.dll
0 -> LsarClose
0 -> LsarClose
1 -> CredrRename
1 -> CredrRename
2 -> LsarEnumeratePrivileges
2 -> LsarEnumeratePrivileges
3 -> LsarQuerySecurityObject
3 -> LsarQuerySecurityObject
4 -> LsarSetSecurityObject
4 -> LsarSetSecurityObject
5 -> LsaITestCall
5 -> LsaITestCall
6 -> LsarOpenPolicyRPC
6 -> LsarOpenPolicyRPC
7 -> LsarQueryInformationPolicy
7 -> LsarQueryInformationPolicy
8 -> LsarSetInformationPolicy
8 -> LsarSetInformationPolicy
9 -> LsaITestCall
9 -> LsaITestCall
10 -> LsarCreateAccount
10 -> LsarCreateAccount
11 -> LsarEnumerateAccounts
11 -> LsarEnumerateAccounts
12 -> LsarCreateTrustedDomain
12 -> LsarCreateTrustedDomain
13 -> LsarEnumerateTrustedDomains
13 -> LsarEnumerateTrustedDomains
14 -> LsarLookupNames
14 -> LsarLookupNames
15 -> LsarLookupSids
15 -> LsarLookupSids
16 -> LsarCreateSecret
16 -> LsarCreateSecret
17 -> LsarOpenAccount
17 -> LsarOpenAccount
18 -> LsarEnumeratePrivilegesAccount
18 -> LsarEnumeratePrivilegesAccount
19 -> LsarAddPrivilegesToAccount
19 -> LsarAddPrivilegesToAccount
20 -> LsarRemovePrivilegesFromAccount
20 -> LsarRemovePrivilegesFromAccount
21 -> LsarGetQuotasForAccount
21 -> LsarGetQuotasForAccount
22 -> LsarSetQuotasForAccount
22 -> LsarSetQuotasForAccount
23 -> LsarGetSystemAccessAccount
23 -> LsarGetSystemAccessAccount
24 -> LsarSetSystemAccessAccount
24 -> LsarSetSystemAccessAccount
25 -> LsarOpenTrustedDomain
25 -> LsarOpenTrustedDomain
26 -> LsarQueryInfoTrustedDomain
26 -> LsarQueryInfoTrustedDomain
27 -> LsarSetInformationTrustedDomain
27 -> LsarSetInformationTrustedDomain
28 -> LsarOpenSecret
28 -> LsarOpenSecret
29 -> LsarSetSecret
29 -> LsarSetSecret
30 -> LsarQuerySecret
30 -> LsarQuerySecret
31 -> LsarLookupPrivilegeValue
31 -> LsarLookupPrivilegeValue
32 -> LsarLookupPrivilegeName
32 -> LsarLookupPrivilegeName
33 -> LsarLookupPrivilegeDisplayName
33 -> LsarLookupPrivilegeDisplayName
34 -> LsarDeleteObject
34 -> LsarDeleteObject
35 -> LsarEnumerateAccountsWithUserRight
35 -> LsarEnumerateAccountsWithUserRight
36 -> LsarEnumerateAccountRights
36 -> LsarEnumerateAccountRights
37 -> LsarAddAccountRights
37 -> LsarAddAccountRights
38 -> LsarRemoveAccountRights
38 -> LsarRemoveAccountRights
39 -> LsarQueryTrustedDomainInfo
39 -> LsarQueryTrustedDomainInfo
40 -> LsarSetTrustedDomainInfo
40 -> LsarSetTrustedDomainInfo
41 -> LsarDeleteTrustedDomain
41 -> LsarDeleteTrustedDomain
42 -> LsarStorePrivateData
42 -> LsarStorePrivateData
43 -> LsarRetrievePrivateData
43 -> LsarRetrievePrivateData
44 -> LsarOpenPolicy2
44 -> LsarOpenPolicy2
45 -> LsarGetUserName
45 -> LsarGetUserName
46 -> LsarQueryInformationPolicy2
46 -> LsarQueryInformationPolicy2
47 -> LsarSetInformationPolicy2
47 -> LsarSetInformationPolicy2
48 -> LsarQueryTrustedDomainInfoByName
48 -> LsarQueryTrustedDomainInfoByName
49 -> LsarSetTrustedDomainInfoByName
49 -> LsarSetTrustedDomainInfoByName
50 -> LsarEnumerateTrustedDomainsEx
50 -> LsarEnumerateTrustedDomainsEx
51 -> LsarCreateTrustedDomainEx
51 -> LsarCreateTrustedDomainEx
52 -> LsaITestCall
52 -> LsaITestCall
53 -> LsarQueryDomainInformationPolicy
53 -> LsarQueryDomainInformationPolicy
54 -> LsarSetDomainInformationPolicy
54 -> LsarSetDomainInformationPolicy
55 -> LsarOpenTrustedDomainByName
55 -> LsarOpenTrustedDomainByName
56 -> LsaITestCall
56 -> LsaITestCall
57 -> LsarLookupSids2
57 -> LsarLookupSids2
58 -> LsarLookupNames2
58 -> LsarLookupNames2
59 -> LsarCreateTrustedDomainEx2
59 -> LsarCreateTrustedDomainEx2
60 -> CredrWrite
60 -> CredrWrite
61 -> CredrRead
61 -> CredrRead
62 -> CredrEnumerate
62 -> CredrEnumerate
63 -> CredrWriteDomainCredentials
63 -> CredrWriteDomainCredentials
64 -> CredrReadDomainCredentials
64 -> CredrReadDomainCredentials
65 -> CredrDelete
65 -> CredrDelete
66 -> CredrGetTargetInfo
66 -> CredrGetTargetInfo
67 -> CredrProfileLoaded
67 -> CredrProfileLoaded
68 -> LsarLookupNames3
68 -> LsarLookupNames3
69 -> CredrGetSessionTypes
69 -> CredrGetSessionTypes
70 -> LsarRegisterAuditEvent
70 -> LsarRegisterAuditEvent
71 -> LsarGenAuditEvent
71 -> LsarGenAuditEvent
72 -> LsarUnregisterAuditEvent
72 -> LsarUnregisterAuditEvent
73 -> LsarQueryForestTrustInformation
73 -> LsarQueryForestTrustInformation
74 -> LsarSetForestTrustInformation
74 -> LsarSetForestTrustInformation
75 -> CredrRename
75 -> CredrRename
76 -> LsarLookupSids3
76 -> LsarLookupSids3
77 -> LsarLookupNames4
77 -> LsarLookupNames4
78 -> LsarOpenPolicySce
78 -> LsarOpenPolicySce
79 -> LsarAdtRegisterSecurityEventSource
79 -> LsarAdtRegisterSecurityEventSource
80 -> LsarAdtUnregisterSecurityEventSource
80 -> LsarAdtUnregisterSecurityEventSource
81 -> LsarAdtReportSecurityEvent
81 -> LsarAdtReportSecurityEvent
82 -> CredrFindBestCredential
82 -> CredrFindBestCredential
83 -> LsarSetAuditPolicy
83 -> LsarSetAuditPolicy
84 -> LsarQueryAuditPolicy
84 -> LsarQueryAuditPolicy
85 -> LsarEnumerateAuditPolicy
85 -> LsarEnumerateAuditPolicy
86 -> LsarEnumerateAuditCategories
86 -> LsarEnumerateAuditCategories
87 -> LsarEnumerateAuditSubCategories
87 -> LsarEnumerateAuditSubCategories
88 -> LsarLookupAuditCategoryName
88 -> LsarLookupAuditCategoryName
89 -> LsarLookupAuditSubCategoryName
89 -> LsarLookupAuditSubCategoryName
90 -> LsarSetAuditSecurity
90 -> LsarSetAuditSecurity
91 -> LsarQueryAuditSecurity
91 -> LsarQueryAuditSecurity
92 -> CredrReadByTokenHandle
92 -> CredrReadByTokenHandle
93 -> CredrRestoreCredentials
93 -> CredrRestoreCredentials
94 -> CredrBackupCredentials
94 -> CredrBackupCredentials
95 -> LsarManageSidNameMapping
95 -> LsarManageSidNameMapping
96 -> CredrProfileUnloaded
96 -> CredrProfileUnloaded
97 -> CredrRename
97 -> CredrRename
98 -> CredrRename
98 -> CredrRename
99 -> CredrRename
99 -> CredrRename
100 -> CredrRename
100 -> CredrRename
101 -> CredrRename
101 -> CredrRename
102 -> LsarEfsGetSmartcardCredentials
102 -> LsarEfsGetSmartcardCredentials
103 -> LsarAuditSetGlobalSacl
103 -> LsarAuditSetGlobalSacl
104 -> LsarAuditQueryGlobalSacl
104 -> LsarAuditQueryGlobalSacl
105 -> CredrProfileLoadedEx
105 -> CredrProfileLoadedEx
106 -> LsarInteractiveSessionIsLoggedOff
106 -> LsarInteractiveSessionIsLoggedOff
107 -> LsarConfigureAutoLogonCredentials
107 -> LsarConfigureAutoLogonCredentials
108 -> LsarGetDeviceRegistrationInfo
108 -> LsarGetDeviceRegistrationInfo
109 -> LsaITestCall
109 -> LsaITestCall
110 -> LsarProfileDeleted
110 -> LsarProfileDeleted
111 -> LsaITestCall
111 -> LsaITestCall
112 -> CredrRename
112 -> LsarMakeLogonSessionsSiblings
113 -> LsarValidateProcUniqueLuid
113 -> LsarValidateProcUniqueLuid
114 -> LsarIsArsoAllowedByPolicy
114 -> LsarIsArsoAllowedByPolicy
115 -> LsarIsArsoAllowedByConsent
115 -> LsarIsArsoAllowedByConsent
116 -> LsarEnableArsoConsent
116 -> LsarEnableArsoConsent
117 -> LsarDisableArsoConsent
117 -> LsarDisableArsoConsent
118 -> LsarIsArsoAllowedByPolicy
118 -> LsarIsArsoAllowedByPolicy
119 -> LsarIsUserArsoEnabled
119 -> LsarIsUserArsoEnabled
120 -> LsarEnableUserArso
120 -> LsarEnableUserArso
121 -> LsarDisableUserArso
121 -> LsarDisableUserArso
122 -> LsarConfigureUserArso
122 -> LsarConfigureUserArso
123 -> LsarGetInprocDispatchTable
123 -> LsarGetInprocDispatchTable
124 -> LsarSetSharedUserSession
124 -> LsarSetSharedUserSession
125 -> LsarClearSharedUserSession
125 -> LsarClearSharedUserSession
126 -> LsarEnablePasswordLessCurrentUser
RPC ace1c026-8b3f-4711-8918-f345d17f5bff (1.0) -- C:\WINDOWS\system32\lsasrv.dll
127 -> LsarDisablePasswordLessCurrentUser
RPC ace1c026-8b3f-4711-8918-f345d17f5bff (1.0) -- C:\windows\system32\lsasrv.dll
0 -> S_RPC_LspUpdatePrivateData
0 -> S_RPC_LspUpdatePrivateData
1 -> S_RPC_LspReadPrivateData
1 -> S_RPC_LspReadPrivateData
RPC afc07e2e-311c-4435-808c-c483ffeec7c9 (1.0) -- C:\windows\system32\lsasrv.dll
RPC afc07e2e-311c-4435-808c-c483ffeec7c9 (1.0) -- C:\WINDOWS\system32\lsasrv.dll
0 -> LsarGetAvailableCAPIDs
0 -> LsarGetAvailableCAPIDs
1 -> LsarSetCAPs
1 -> LsarSetCAPs
2 -> LsarQueryCAPs
2 -> LsarQueryCAPs
RPC c0d930f0-b787-4124-99bc-21f0ecb642ce (0.0) -- C:\windows\system32\lsasrv.dll
RPC c0d930f0-b787-4124-99bc-21f0ecb642ce (0.0) -- C:\WINDOWS\system32\lsasrv.dll
0 -> LsarConnectLocalUser
0 -> LsarConnectLocalUser
1 -> LsarDisconnectLocalUser
1 -> LsarDisconnectLocalUser
2 -> LsarCreateConnectedUser
2 -> LsarCreateConnectedUser
3 -> LsarIsCurrentUserConnected
3 -> LsarIsCurrentUserConnected
4 -> LsarRenewCertificate
4 -> LsarRenewCertificate
5 -> LsarGetSSOAccountType
5 -> LsarGetSSOAccountType
6 -> LsarIsUserMSA
6 -> LsarIsUserMSA
RPC d25576e4-00d2-43f7-98f9-b4c0724158f9 (0.0) -- C:\windows\system32\lsasrv.dll
RPC d25576e4-00d2-43f7-98f9-b4c0724158f9 (0.0) -- C:\WINDOWS\system32\lsasrv.dll
0 -> LsarEasMarkUserControlled
0 -> LsarEasMarkUserControlled
1 -> LsarEasGetCallerPasswordComplexity
1 -> LsarEasGetCallerPasswordComplexity
2 -> LsarEasGetControlledUsersInfo
2 -> LsarEasGetControlledUsersInfo
RPC c681d488-d850-11d0-8c52-00c04fd90f7e (1.0) -- C:\windows\system32\efslsaext.dll
RPC c681d488-d850-11d0-8c52-00c04fd90f7e (1.0) -- C:\WINDOWS\system32\efslsaext.dll
0 -> EfsRpcOpenFileRaw_Downlevel
0 -> EfsRpcOpenFileRaw_Downlevel
1 -> EfsRpcReadFileRaw_Downlevel
1 -> EfsRpcReadFileRaw_Downlevel
2 -> EfsRpcWriteFileRaw_Downlevel
2 -> EfsRpcWriteFileRaw_Downlevel
3 -> EfsRpcCloseRaw_Downlevel
3 -> EfsRpcCloseRaw_Downlevel
4 -> EfsRpcEncryptFileSrv_Downlevel
4 -> EfsRpcEncryptFileSrv_Downlevel
5 -> EfsRpcDecryptFileSrv_Downlevel
5 -> EfsRpcDecryptFileSrv_Downlevel
6 -> EfsRpcQueryUsersOnFile_Downlevel
6 -> EfsRpcQueryUsersOnFile_Downlevel
7 -> EfsRpcQueryRecoveryAgents_Downlevel
7 -> EfsRpcQueryRecoveryAgents_Downlevel
8 -> EfsRpcRemoveUsersFromFile_Downlevel
8 -> EfsRpcRemoveUsersFromFile_Downlevel
9 -> EfsRpcAddUsersToFile_Downlevel
9 -> EfsRpcAddUsersToFile_Downlevel
10 -> EfsRpcFileKeyInfoEx_Downlevel
10 -> EfsRpcFileKeyInfoEx_Downlevel
11 -> EfsRpcFileKeyInfoEx_Downlevel
11 -> EfsRpcFileKeyInfoEx_Downlevel
12 -> EfsRpcFileKeyInfo_Downlevel
12 -> EfsRpcFileKeyInfo_Downlevel
13 -> EfsRpcDuplicateEncryptionInfoFile_Downlevel
13 -> EfsRpcDuplicateEncryptionInfoFile_Downlevel
14 -> EfsRpcFileKeyInfoEx_Downlevel
14 -> EfsRpcFileKeyInfoEx_Downlevel
15 -> EfsRpcAddUsersToFileEx_Downlevel
15 -> EfsRpcAddUsersToFileEx_Downlevel
16 -> EfsRpcFileKeyInfoEx_Downlevel
16 -> EfsRpcFileKeyInfoEx_Downlevel
17 -> EfsRpcFileKeyInfoEx_Downlevel
17 -> EfsRpcFileKeyInfoEx_Downlevel
18 -> EfsRpcFileKeyInfoEx_Downlevel
18 -> EfsRpcFileKeyInfoEx_Downlevel
19 -> EfsRpcFileKeyInfoEx_Downlevel
19 -> EfsRpcFileKeyInfoEx_Downlevel
20 -> EfsRpcFlushEfsCache_Downlevel
20 -> EfsRpcFlushEfsCache_Downlevel
RPC fb8a0729-2d04-4658-be93-27b4ad553fac (1.0) -- C:\windows\system32\lsass.exe
RPC fb8a0729-2d04-4658-be93-27b4ad553fac (1.0) -- C:\WINDOWS\system32\lsass.exe
0 -> LsaLookuprOpenPolicy2
0 -> LsaLookuprOpenPolicy2
1 -> LsaLookuprClose
1 -> LsaLookuprClose
2 -> LsaLookuprTranslateSids2
2 -> LsaLookuprTranslateSids2
3 -> LsaLookuprTranslateNames3
3 -> LsaLookuprTranslateNames3
4 -> LsaLookuprManageCache
4 -> LsaLookuprManageCache
5 -> LsaLookuprGetDomainInfo
5 -> LsaLookuprGetDomainInfo
6 -> LsaLookuprUserAccountType
6 -> LsaLookuprUserAccountType
RPC 4f32adc8-6052-4a04-8701-293ccf2096f0 (1.0) -- C:\windows\SYSTEM32\SspiSrv.dll
RPC 4f32adc8-6052-4a04-8701-293ccf2096f0 (1.0) -- C:\WINDOWS\SYSTEM32\SspiSrv.dll
0 -> SspirConnectRpc
0 -> SspirConnectRpc
1 -> SspirDisconnectRpc
1 -> SspirDisconnectRpc
2 -> SspirDisconnectRpc
2 -> SspirDisconnectRpc
3 -> SspirCallRpc
3 -> SspirCallRpc
4 -> SspirAcquireCredentialsHandle
4 -> SspirAcquireCredentialsHandle
5 -> SspirFreeCredentialsHandle
5 -> SspirFreeCredentialsHandle
6 -> SspirProcessSecurityContext
6 -> SspirProcessSecurityContext
7 -> SspirDeleteSecurityContext
7 -> SspirDeleteSecurityContext
8 -> SspirSslQueryCredentialsAttributes
8 -> SspirSslQueryCredentialsAttributes
9 -> SspirNegQueryContextAttributes
9 -> SspirNegQueryContextAttributes
10 -> SspirSslSetCredentialsAttributes
10 -> SspirSslSetCredentialsAttributes
11 -> SspirApplyControlToken
11 -> SspirApplyControlToken
12 -> SspirLogonUser
12 -> SspirLogonUser
13 -> SspirLookupAccountSid
13 -> SspirLookupAccountSid
14 -> SspirGetUserName
14 -> SspirGetUserName
15 -> SspirGetInprocDispatchTable
15 -> SspirGetInprocDispatchTable
RPC 11220835-5b26-4d94-ae86-c3e475a809de (1.0) -- C:\windows\system32\dpapisrv.dll
RPC 11220835-5b26-4d94-ae86-c3e475a809de (1.0) -- C:\WINDOWS\system32\dpapisrv.dll
0 -> s_SSCryptProtectData
0 -> s_SSCryptProtectData
1 -> s_SSCryptUnprotectData
1 -> s_SSCryptUnprotectData
2 -> s_SSCryptUpdateProtectedState
2 -> s_SSCryptUpdateProtectedState
RPC 5cbe92cb-f4be-45c9-9fc9-33e73e557b20 (1.0) -- C:\windows\system32\dpapisrv.dll
RPC 5cbe92cb-f4be-45c9-9fc9-33e73e557b20 (1.0) -- C:\WINDOWS\system32\dpapisrv.dll
0 -> s_SSRecoverQueryStatus
0 -> s_SSRecoverQueryStatus
1 -> s_SSRecoverImportRecoveryKey
1 -> s_SSRecoverImportRecoveryKey
2 -> s_SSRecoverPassword
2 -> s_SSRecoverPassword
RPC 7f1317a8-4dea-4fa2-a551-df5516ff8879 (1.0) -- C:\windows\system32\dpapisrv.dll
RPC 7f1317a8-4dea-4fa2-a551-df5516ff8879 (1.0) -- C:\WINDOWS\system32\dpapisrv.dll
0 -> s_LRpcSIDKeyProtect
0 -> s_LRpcSIDKeyProtect
1 -> s_LRpcSIDKeyUnprotect
1 -> s_LRpcSIDKeyUnprotect
RPC 3919286a-b10c-11d0-9ba8-00c04fd92ef5 (0.0) -- C:\windows\system32\lsasrv.dll
RPC 3919286a-b10c-11d0-9ba8-00c04fd92ef5 (0.0) -- C:\WINDOWS\system32\lsasrv.dll
0 -> DsRolerGetPrimaryDomainInformation
0 -> DsRolerGetPrimaryDomainInformation
RPC 12345778-1234-abcd-ef00-0123456789ac (1.0) -- C:\windows\SYSTEM32\samsrv.dll
RPC 12345778-1234-abcd-ef00-0123456789ac (1.0) -- C:\WINDOWS\SYSTEM32\samsrv.dll
0 -> SamrConnect
0 -> SamrConnect
1 -> SamrCloseHandle
1 -> SamrCloseHandle
2 -> SamrSetSecurityObject
2 -> SamrSetSecurityObject
3 -> SamrQuerySecurityObject
3 -> SamrQuerySecurityObject
4 -> SamrShutdownSamServer
4 -> SamrShutdownSamServer
5 -> SamrLookupDomainInSamServer
5 -> SamrLookupDomainInSamServer
6 -> SamrEnumerateDomainsInSamServer
6 -> SamrEnumerateDomainsInSamServer
7 -> SamrOpenDomain
7 -> SamrOpenDomain
8 -> SamrQueryInformationDomain
8 -> SamrQueryInformationDomain
9 -> SamrSetInformationDomain
9 -> SamrSetInformationDomain
10 -> SamrCreateGroupInDomain
10 -> SamrCreateGroupInDomain
11 -> SamrEnumerateGroupsInDomain
11 -> SamrEnumerateGroupsInDomain
12 -> SamrCreateUserInDomain
12 -> SamrCreateUserInDomain
13 -> SamrEnumerateUsersInDomain
13 -> SamrEnumerateUsersInDomain
14 -> SamrCreateAliasInDomain
14 -> SamrCreateAliasInDomain
15 -> SamrEnumerateAliasesInDomain
15 -> SamrEnumerateAliasesInDomain
16 -> SamrGetAliasMembership
16 -> SamrGetAliasMembership
17 -> SamrLookupNamesInDomain
17 -> SamrLookupNamesInDomain
18 -> SamrLookupIdsInDomain
18 -> SamrLookupIdsInDomain
19 -> SamrOpenGroup
19 -> SamrOpenGroup
20 -> SamrQueryInformationGroup
20 -> SamrQueryInformationGroup
21 -> SamrSetInformationGroup
21 -> SamrSetInformationGroup
22 -> SamrAddMemberToGroup
22 -> SamrAddMemberToGroup
23 -> SamrDeleteGroup
23 -> SamrDeleteGroup
24 -> SamrRemoveMemberFromGroup
24 -> SamrRemoveMemberFromGroup
25 -> SamrGetMembersInGroup
25 -> SamrGetMembersInGroup
26 -> SamrSetMemberAttributesOfGroup
26 -> SamrSetMemberAttributesOfGroup
27 -> SamrOpenAlias
27 -> SamrOpenAlias
28 -> SamrQueryInformationAlias
28 -> SamrQueryInformationAlias
29 -> SamrSetInformationAlias
29 -> SamrSetInformationAlias
30 -> SamrDeleteAlias
30 -> SamrDeleteAlias
31 -> SamrAddMemberToAlias
31 -> SamrAddMemberToAlias
32 -> SamrRemoveMemberFromAlias
32 -> SamrRemoveMemberFromAlias
33 -> SamrGetMembersInAlias
33 -> SamrGetMembersInAlias
34 -> SamrOpenUser
34 -> SamrOpenUser
35 -> SamrDeleteUser
35 -> SamrDeleteUser
36 -> SamrQueryInformationUser
36 -> SamrQueryInformationUser
37 -> SamrSetInformationUser
37 -> SamrSetInformationUser
38 -> SamrChangePasswordUser
38 -> SamrChangePasswordUser
39 -> SamrGetGroupsForUser
39 -> SamrGetGroupsForUser
40 -> SamrQueryDisplayInformation
40 -> SamrQueryDisplayInformation
41 -> SamrGetDisplayEnumerationIndex
41 -> SamrGetDisplayEnumerationIndex
42 -> SamrTestPrivateFunctionsDomain
42 -> SamrTestPrivateFunctionsDomain
43 -> SamrTestPrivateFunctionsUser
43 -> SamrTestPrivateFunctionsUser
44 -> SamrGetUserDomainPasswordInformation
44 -> SamrGetUserDomainPasswordInformation
45 -> SamrRemoveMemberFromForeignDomain
45 -> SamrRemoveMemberFromForeignDomain
46 -> SamrQueryInformationDomain2
46 -> SamrQueryInformationDomain2
47 -> SamrQueryInformationUser2
47 -> SamrQueryInformationUser2
48 -> SamrQueryDisplayInformation2
48 -> SamrQueryDisplayInformation2
49 -> SamrGetDisplayEnumerationIndex2
49 -> SamrGetDisplayEnumerationIndex2
50 -> SamrCreateUser2InDomain
50 -> SamrCreateUser2InDomain
51 -> SamrQueryDisplayInformation3
51 -> SamrQueryDisplayInformation3
52 -> SamrAddMultipleMembersToAlias
52 -> SamrAddMultipleMembersToAlias
53 -> SamrRemoveMultipleMembersFromAlias
53 -> SamrRemoveMultipleMembersFromAlias
54 -> SamrOemChangePasswordUser2
54 -> SamrOemChangePasswordUser2
55 -> SamrUnicodeChangePasswordUser2
55 -> SamrUnicodeChangePasswordUser2
56 -> SamrGetDomainPasswordInformation
56 -> SamrGetDomainPasswordInformation
57 -> SamrConnect2
57 -> SamrConnect2
58 -> SamrSetInformationUser2
58 -> SamrSetInformationUser2
59 -> SamrSetBootKeyInformation
59 -> SamrSetBootKeyInformation
60 -> SamrGetBootKeyInformation
60 -> SamrGetBootKeyInformation
61 -> SamrConnect3
61 -> SamrConnect3
62 -> SamrConnect4
62 -> SamrConnect4
63 -> SamrUnicodeChangePasswordUser3
63 -> SamrUnicodeChangePasswordUser3
64 -> SamrConnect5
64 -> SamrConnect5
65 -> SamrRidToSid
65 -> SamrRidToSid
66 -> SamrSetDSRMPassword
66 -> SamrSetDSRMPassword
67 -> SamrValidatePassword
67 -> SamrValidatePassword
68 -> SamrQueryLocalizableAccountsInDomain
68 -> SamrQueryLocalizableAccountsInDomain
69 -> SamrPerformGenericOperation
69 -> SamrPerformGenericOperation
70 -> SamrSyncDSRMPasswordFromAccount
70 -> SamrSyncDSRMPasswordFromAccount
71 -> SamrLookupNamesInDomain2
71 -> SamrLookupNamesInDomain2
72 -> SamrEnumerateUsersInDomain2
72 -> SamrEnumerateUsersInDomain2
RPC b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 (2.0) -- C:\windows\system32\keyiso.dll
RPC b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86 (2.0) -- C:\WINDOWS\system32\keyiso.dll
0 -> s_SrvRpcCreateContext
0 -> s_SrvRpcCreateContext
1 -> s_SrvRpcReleaseContext
1 -> s_SrvRpcReleaseContext
2 -> s_SrvRpcCryptOpenStorageProvider
2 -> s_SrvRpcCryptOpenStorageProvider
3 -> s_SrvRpcCryptIsAlgSupported
3 -> s_SrvRpcCryptIsAlgSupported
4 -> s_SrvRpcCryptEnumAlgorithms
4 -> s_SrvRpcCryptEnumAlgorithms
5 -> s_SrvRpcCryptEnumKeys
5 -> s_SrvRpcCryptEnumKeys
6 -> s_SrvRpcCryptFreeBuffer
6 -> s_SrvRpcCryptFreeBuffer
7 -> s_SrvRpcCryptFreeProvider
7 -> s_SrvRpcCryptFreeProvider
8 -> s_SrvRpcCryptFreeKey
8 -> s_SrvRpcCryptFreeKey
9 -> s_SrvRpcCryptOpenKey
9 -> s_SrvRpcCryptOpenKey
10 -> s_SrvRpcCryptCreatePersistedKey
10 -> s_SrvRpcCryptCreatePersistedKey
11 -> s_SrvRpcCryptGetProviderProperty
11 -> s_SrvRpcCryptGetProviderProperty
12 -> s_SrvRpcCryptSetProviderProperty
12 -> s_SrvRpcCryptSetProviderProperty
13 -> s_SrvRpcCryptGetKeyProperty
13 -> s_SrvRpcCryptGetKeyProperty
14 -> s_SrvRpcCryptSetKeyProperty
14 -> s_SrvRpcCryptSetKeyProperty
15 -> s_SrvRpcCryptFinalizeKey
15 -> s_SrvRpcCryptFinalizeKey
16 -> s_SrvRpcCryptEncrypt
16 -> s_SrvRpcCryptEncrypt
17 -> s_SrvRpcCryptDecrypt
17 -> s_SrvRpcCryptDecrypt
18 -> s_SrvRpcCryptImportKey
18 -> s_SrvRpcCryptImportKey
19 -> s_SrvRpcCryptExportKey
19 -> s_SrvRpcCryptExportKey
20 -> s_SrvRpcCryptSignHash
20 -> s_SrvRpcCryptSignHash
21 -> s_SrvRpcCryptVerifySignature
21 -> s_SrvRpcCryptVerifySignature
22 -> s_SrvRpcCryptDeleteKey
22 -> s_SrvRpcCryptDeleteKey
23 -> s_SrvRpcCryptNotifyChangeKey
23 -> s_SrvRpcCryptNotifyChangeKey
24 -> s_SrvRpcCryptSecretAgreement
24 -> s_SrvRpcCryptSecretAgreement
25 -> s_SrvRpcCryptDeriveKey
25 -> s_SrvRpcCryptDeriveKey
26 -> s_SrvRpcCryptFreeSecret
26 -> s_SrvRpcCryptFreeSecret
27 -> s_SrvRpcCryptCipherEncrypt
27 -> s_SrvRpcCryptCipherEncrypt
28 -> s_SrvRpcCryptCipherDecrypt
28 -> s_SrvRpcCryptCipherDecrypt
29 -> s_SrvRpcCryptKeyDerivation
29 -> s_SrvRpcCryptKeyDerivation
30 -> s_SrvRpcCryptCreateClaim
30 -> s_SrvRpcCryptCreateClaim
31 -> s_SrvRpcCryptVerifyClaim
31 -> s_SrvRpcCryptVerifyClaim
RPC 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b (1.0) -- C:\windows\system32\keyiso.dll
RPC 8fb74744-b2ff-4c00-be0d-9ef9a191fe1b (1.0) -- C:\WINDOWS\system32\keyiso.dll
0 -> s_GetSymmetricPopKeyTransportKey
0 -> s_GetSymmetricPopKeyTransportKey
1 -> s_GetSymmetricPopKeyTransportKeyName
1 -> s_GetSymmetricPopKeyTransportKeyName
2 -> s_DeleteSymmetricPopKeyTransportKey
2 -> s_DeleteSymmetricPopKeyTransportKey
3 -> s_ImportSymmetricPopKey
3 -> s_ImportSymmetricPopKey
4 -> s_SignWithSymmetricPopKey
4 -> s_SignWithSymmetricPopKey
5 -> s_VerifyWithSymmetricPopKey
5 -> s_VerifyWithSymmetricPopKey
6 -> s_DecryptWithSymmetricPopKey
6 -> s_DecryptWithSymmetricPopKey
7 -> s_EncryptWithSymmetricPopKey
7 -> s_EncryptWithSymmetricPopKey
8 -> s_GetKeyAttestationForContainerService
8 -> s_GetKeyAttestationForContainerService
9 -> s_RenewKeyAttestation
9 -> s_RenewKeyAttestation
10 -> s_GetPregenUserKey
10 -> s_GetPregenUserKey
11 -> s_GetPregenKeyState
11 -> s_GetPregenKeyState
RPC 51a227ae-825b-41f2-b4a9-1ac9557a1018 (1.0) -- C:\windows\system32\keyiso.dll
RPC 51a227ae-825b-41f2-b4a9-1ac9557a1018 (1.0) -- C:\WINDOWS\system32\keyiso.dll
0 -> s_TokenBindingGenerateTpmKeyFromSoftware
0 -> s_TokenBindingGenerateTpmKeyFromSoftware
RPC bb8b98e8-84dd-45e7-9f34-c3fb6155eeed (1.0) -- C:\Windows\System32\vaultsvc.dll
RPC bb8b98e8-84dd-45e7-9f34-c3fb6155eeed (1.0) -- C:\Windows\System32\vaultsvc.dll
0 -> VltCreateItemType
0 -> VltCreateItemType
1 -> VltDeleteItemType
1 -> VltDeleteItemType
2 -> VltEnumerateItemTypes
2 -> VltEnumerateItemTypes
3 -> VltAddItem
3 -> VltAddItem
4 -> VltFindItems
4 -> VltFindItems
5 -> VltEnumerateItems
5 -> VltEnumerateItems
6 -> VltGetItem
6 -> VltGetItem
7 -> VltRemoveItem
7 -> VltRemoveItem
8 -> VltGetItemType
8 -> VltGetItemType
9 -> VltOpenVault
9 -> VltOpenVault
10 -> VltCloseVault
10 -> VltCloseVault
11 -> VltGetInformation
11 -> VltGetInformation
12 -> VltEnumerateVaults
12 -> VltEnumerateVaults
13 -> VltEnumerateSettingUnits
13 -> VltEnumerateSettingUnits
14 -> VltGetSettingUnit
14 -> VltGetSettingUnit
15 -> VltApplySettingUnit
15 -> VltApplySettingUnit
16 -> VltRemoveSettingUnit
16 -> VltRemoveSettingUnit
17 -> VltTriggerSync
17 -> VltTriggerSync
18 -> VltGetSettingUnitInfo
18 -> VltGetSettingUnitInfo
Endpoints :
Endpoints :
ncacn_np : \pipe\lsass
ncacn_np : \pipe\lsass
ncalrpc : audit
ncalrpc : audit
ncalrpc : securityevent
ncalrpc : securityevent
ncalrpc : LSARPC_ENDPOINT
ncalrpc : LSARPC_ENDPOINT
ncalrpc : lsacap
ncalrpc : lsacap
ncalrpc : LSA_IDPEXT_ENDPOINT
ncalrpc : LSA_IDPEXT_ENDPOINT
ncalrpc : LSA_EAS_ENDPOINT
ncalrpc : LSA_EAS_ENDPOINT
ncalrpc : lsapolicylookup
ncalrpc : lsapolicylookup
ncalrpc : lsasspirpc
ncalrpc : lsasspirpc
ncalrpc : protected_storage
ncalrpc : protected_storage
ncalrpc : SidKey Local End Point
ncalrpc : SidKey Local End Point
ncalrpc : samss lpc
ncalrpc : samss lpc
ncacn_ip_tcp : 49678
ncacn_ip_tcp : 1635
ncalrpc : Vault
ncalrpc : Vault
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
<WinProcess "svchost.exe" pid 808 at 0x5306e10L>
<WinProcess "svchost.exe" pid 672 at 0x5e18a90L>
64
64
['PlugPlay']
['PlugPlay']


Interfaces :
Interfaces :
Endpoints :
Endpoints :
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
<WinProcess "fontdrvhost.exe" pid 832 at 0x5306ba8L>
<WinProcess "svchost.exe" pid 748 at 0x5e18d68L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "fontdrvhost.exe" pid 828 at 0x5306898L>
64
[!!] Invalid rpcrt4 base: 0x0 vs 0x7ffec24f0000
--------------------------------------------------------------------------------
<WinProcess "svchost.exe" pid 844 at 0x53064a8L>
64
64
['BrokerInfrastructure', 'DcomLaunch', 'Power', 'SystemEventsBroker']
['BrokerInfrastructure', 'DcomLaunch', 'Power', 'SystemEventsBroker']


Interfaces :
Interfaces :
RPC 6c9b7b96-45a8-4cca-9eb3-e21ccf8b5a89 (1.1) -- c:\windows\system32\umpo.dll
RPC 6c9b7b96-45a8-4cca-9eb3-e21ccf8b5a89 (1.1) -- c:\windows\system32\umpo.dll
0 -> UmpoRpcGetPowerConfiguration
0 -> UmpoRpcGetPowerConfiguration
1 -> UmpoRpcReadFromSystemPowerKey
1 -> UmpoRpcReadFromSystemPowerKey
2 -> UmpoRpcReadFromUserPowerKey
2 -> UmpoRpcReadFromUserPowerKey
3 -> UmpoRpcReadACValue
3 -> UmpoRpcReadACValue
4 -> UmpoRpcReadDCValue
4 -> UmpoRpcReadDCValue
5 -> UmpoRpcWriteToSystemPowerKey
5 -> UmpoRpcWriteToSystemPowerKey
6 -> UmpoRpcWriteToUserPowerKey
6 -> UmpoRpcWriteToUserPowerKey
7 -> UmpoRpcApplyPowerRequestOverride
7 -> UmpoRpcApplyPowerRequestOverride
8 -> UmpoRpcApplyPowerSetting
8 -> UmpoRpcApplyPowerSetting
9 -> UmpoRpcSetActiveScheme
9 -> UmpoRpcSetActiveScheme
10 -> UmpoRpcGetActiveScheme
10 -> UmpoRpcGetActiveScheme
11 -> UmpoRpcSetActiveOverlayScheme
11 -> UmpoRpcSetActiveOverlayScheme
12 -> UmpoRpcGetActualOverlayScheme
12 -> UmpoRpcGetActualOverlayScheme
13 -> UmpoRpcGetEffectiveOverlayScheme
13 -> UmpoRpcGetEffectiveOverlayScheme
14 -> UmpoRpcGetOverlaySchemes
14 -> UmpoRpcGetOverlaySchemes
15 -> UmpoRpcRestoreDefaultScheme
15 -> UmpoRpcRestoreDefaultScheme
16 -> UmpoRpcRestoreDefaultSchemesAll
16 -> UmpoRpcRestoreDefaultSchemesAll
17 -> UmpoRpcDuplicateScheme
17 -> UmpoRpcDuplicateScheme
18 -> UmpoRpcDeleteScheme
18 -> UmpoRpcDeleteScheme
19 -> UmpoRpcImportScheme
19 -> UmpoRpcImportScheme
20 -> UmpoRpcReplaceDefaultPowerSchemes
20 -> UmpoRpcReplaceDefaultPowerSchemes
21 -> UmpoRpcLegacyEventRegisterNotification
21 -> UmpoRpcLegacyEventRegisterNotification
22 -> UmpoRpcEnumerate
22 -> UmpoRpcEnumerate
23 -> UmpoRpcReadSecurityDescriptor
23 -> UmpoRpcReadSecurityDescriptor
24 -> UmpoRpcWriteSecurityDescriptor
24 -> UmpoRpcWriteSecurityDescriptor
25 -> UmpoRpcSettingAccessCheck
25 -> UmpoRpcSettingAccessCheck
26 -> UmpoRpcCreateSetting
26 -> UmpoRpcCreateSetting
27 -> UmpoRpcCreatePossibleSetting
27 -> UmpoRpcCreatePossibleSetting
28 -> UmpoRpcRemoveSetting
28 -> UmpoRpcRemoveSetting
29 -> UmpoSetExpectedUserAwayIntervals
29 -> UmpoSetExpectedUserAwayIntervals
30 -> UmpoClearExpectedUserAwayIntervals
30 -> UmpoClearExpectedUserAwayIntervals
31 -> UmpoGetMinUserAwayPredictionInterval
31 -> UmpoGetMinUserAwayPredictionInterval
32 -> UmpoRpcGetAdaptiveStandbyDiagnostics
32 -> UmpoRpcGetAdaptiveStandbyDiagnostics
RPC 9b8699ae-0e44-47b1-8e7f-86a461d7ecdc (0.0) -- c:\windows\system32\rpcss.dll
RPC 9b8699ae-0e44-47b1-8e7f-86a461d7ecdc (0.0) -- c:\windows\system32\rpcss.dll
0 -> _LaunchActivatorServer
0 -> _LaunchActivatorServer
1 -> _LaunchRunAsServer
1 -> _LaunchRunAsServer
2 -> _LaunchService
2 -> _LaunchService
3 -> _LaunchWinRTActivatorServer
3 -> LaunchWinRTActivatorServer
4 -> _LaunchWinRTRunAsServer
4 -> _LaunchWinRTRunAsServer
5 -> _LaunchWinRTService
5 -> _LaunchWinRTService
6 -> _CertifyServerIdentity
6 -> _CertifyServerIdentity
7 -> _QueryNTService
7 -> _QueryNTService
8 -> _QueryNTServiceType
8 -> _QueryNTServiceType
9 -> ControlNTService
9 -> ControlNTService
10 -> PrivTranslateShareName
10 -> PrivRunAsSetWinstaDesktop
11 -> GenericStreamBase<IMarshalingStream,AllocationWrapper>::Commit
11 -> PrivRunAsRelease
12 -> IsPortOpen
12 -> PrivRunAsInvalidateAndRelease
13 -> TickleActivationSettings
13 -> PrivTranslateShareName
14 -> QueryProcessArchitecture
14 -> GenericMarshalingStreamWithContextAttributesViaCallback<<lambda_9644d90489056d7e1fb2e547ff4245ea> >::Clone
15 -> PrivilegedNotifyWinRTActivationStoreChanged
15 -> IsPortOpen
16 -> _QueryUserSidForSession
16 -> TickleActivationSettings
17 -> PrivActivatePsmServer
17 -> QueryProcessArchitecture
18 -> _PrivGetUserTokenForSession
18 -> PrivilegedNotifyWinRTActivationStoreChanged
19 -> PrivGetBrokerToken
19 -> _QueryUserSidForSession
20 -> PrivGetDesktopWinRTBrokerToken
20 -> PrivActivatePsmServer
21 -> PrivGetPsmToken
21 -> _PrivGetUserTokenForSession
22 -> GetSessionUserTokenCacheDetails
22 -> PrivGetBrokerToken
23 -> PrivilegedNotifyComClassChangesFromDeployment
23 -> PrivGetDesktopWinRTBrokerToken
24 -> PrivGetPsmTokenWithDynamicId
24 -> PrivGetPsmToken
25 -> PrivGetInteractiveUserToken
25 -> GetSessionUserTokenCacheDetails
26 -> PrivReportUnhealthyProcess
26 -> PrivilegedNotifyComClassChangesFromDeployment
27 -> PrivNormalizePsmTokenHostId
27 -> PrivGetPsmTokenWithDynamicId
28 -> PrivGetInteractiveUserToken
29 -> PrivReportUnhealthyProcess
RPC 4bec6bb8-b5c2-4b6f-b2c1-5da5cf92d0d9 (1.0) -- c:\windows\system32\psmsrv.dll
RPC 4bec6bb8-b5c2-4b6f-b2c1-5da5cf92d0d9 (1.0) -- c:\windows\system32\psmsrv.dll
0 -> PsmSrvActivateApplication
0 -> PsmSrvActivateApplication
1 -> PsmSrvCloseActivationChannel
1 -> PsmSrvCloseActivationChannel
2 -> PsmSrvOpenActivationChannel
2 -> PsmSrvOpenActivationChannel
3 -> PsmSrvRegisterProcess
3 -> PsmSrvRegisterProcess
RPC 085b0334-e454-4d91-9b8c-4134f9e793f3 (1.0) -- c:\windows\system32\psmsrv.dll
RPC 085b0334-e454-4d91-9b8c-4134f9e793f3 (1.0) -- c:\windows\system32\psmsrv.dll
0 -> PsmSrvOpenManagementChannel
0 -> PsmSrvInitializeExtension
1 -> PsmSrvSetApplicationState
1 -> PsmSrvOpenManagementChannel
2 -> PsmSrvSetApplicationPriority
2 -> PsmSrvSetApplicationState
3 -> PsmSrvReleaseCacheEntry
3 -> PsmSrvSetApplicationPriority
4 -> PsmSrvAcquireCachedEntries
4 -> PsmSrvReleaseCacheEntry
5 -> PsmSrvQueryApplicationSwapState
5 -> PsmSrvAcquireCachedEntries
6 -> PsmSrvCloseActivationChannel
6 -> PsmSrvQueryApplicationSwapState
7 -> PsmSrvSetApplicationProperties
7 -> PsmSrvCloseActivationChannel
8 -> PsmSrvQueryApplicationProperties
8 -> PsmSrvSetApplicationProperties
9 -> PsmSrvQueryApplicationResourceUsage
9 -> PsmSrvQueryApplicationProperties
10 -> PsmSrvQueryMemoryUsage
10 -> PsmSrvQueryApplicationResourceUsage
11 -> PsmSrvResetMaxMemoryUsage
11 -> PsmSrvQueryMemoryUsage
12 -> PsmSrvQuerySharedCommit
12 -> PsmSrvResetMaxMemoryUsage
13 -> PsmSrvQuerySharedCommit
RPC 8782d3b9-ebbd-4644-a3d8-e8725381919b (1.0) -- c:\windows\system32\psmsrv.dll
RPC 8782d3b9-ebbd-4644-a3d8-e8725381919b (1.0) -- c:\windows\system32\psmsrv.dll
0 -> PsmSrvRegisterQuiesceResumeApp
0 -> PsmSrvRegisterQuiesceResumeApp
1 -> PsmSrvQuiesceCallbacksComplete
1 -> PsmSrvQuiesceCallbacksComplete
2 -> PsmSrvCloseActivationChannel
2 -> PsmSrvCloseActivationChannel
RPC 3b338d89-6cfa-44b8-847e-531531bc9992 (1.0) -- c:\windows\system32\psmsrv.dll
RPC 3b338d89-6cfa-44b8-847e-531531bc9992 (1.0) -- c:\windows\system32\psmsrv.dll
0 -> PsmSrvQueryApplicationPerformanceInformation
0 -> PsmSrvQueryApplicationPerformanceInformation
1 -> PsmSrvQueryQuotaInformation
1 -> PsmSrvQueryQuotaInformation
RPC bdaa0970-413b-4a3e-9e5d-f6dc9d7e0760 (1.0) -- c:\windows\system32\psmsrv.dll
RPC bdaa0970-413b-4a3e-9e5d-f6dc9d7e0760 (1.0) -- c:\windows\system32\psmsrv.dll
0 -> PsmSrvOpenTcChannel
0 -> PsmSrvOpenTcChannel
1 -> PsmSrvApplyTaskCompletion
1 -> PsmSrvApplyTaskCompletion
2 -> PsmSrvRegisterDynamicProcess
2 -> PsmSrvRegisterDynamicProcess
3 -> PsmSrvCloseActivationChannel
3 -> PsmSrvCloseActivationChannel
4 -> PsmSrvGetSessionInfo
4 -> PsmSrvGetSessionInfo
RPC 5824833b-3c1a-4ad2-bdfd-c31d19e23ed2 (1.0) -- c:\windows\system32\psmsrv.dll
RPC 5824833b-3c1a-4ad2-bdfd-c31d19e23ed2 (1.0) -- c:\windows\system32\psmsrv.dll
0 -> PsmSrvRegisterAppPriorityNotification
0 -> PsmSrvRegisterAppPriorityNotification
1 -> PsmSrvQueryApplicationResourceUsageForTimer
1 -> PsmSrvQueryApplicationResourceUsageForTimer
2 -> PsmSrvTimerStart
2 -> PsmSrvTimerStart
3 -> PsmSrvTimerCleanup
3 -> PsmSrvTimerCleanup
4 -> PsmSrvTimerRemainingResourceTimeGet
4 -> PsmSrvTimerRemainingResourceTimeGet
5 -> PsmSrvTimerElapsedResourceTimeGet
5 -> PsmSrvTimerElapsedResourceTimeGet
RPC 0361ae94-0316-4c6c-8ad8-c594375800e2 (1.0) -- c:\windows\system32\psmsrv.dll
RPC 0361ae94-0316-4c6c-8ad8-c594375800e2 (1.0) -- c:\windows\system32\psmsrv.dll
0 -> PsmSrvQueryCurrentApplications
0 -> PsmSrvQueryCurrentApplications
1 -> PsmSrvQueryApplicationHosts
1 -> PsmSrvQueryApplicationHosts
2 -> PsmSrvQueryApplicationHostExecutionState
2 -> PsmSrvQueryApplicationHostExecutionState
3 -> PsmSrvQueryApplicationHostJob
3 -> PsmSrvQueryApplicationHostJob
4 -> PsmSrvConnect
4 -> PsmSrvConnect
5 -> PsmSrvDisconnect
5 -> PsmSrvDisconnect
6 -> PsmSrvSubscribeToNotifications
6 -> PsmSrvSubscribeToNotifications
7 -> PsmSrvUnsubscribeFromNotifications
7 -> PsmSrvUnsubscribeFromNotifications
RPC 2d98a740-581d-41b9-aa0d-a88b9d5ce938 (1.0) -- C:\windows\SYSTEM32\bisrv.dll
RPC 2d98a740-581d-41b9-aa0d-a88b9d5ce938 (1.0) -- c:\windows\system32\bisrv.dll
0 -> RBiSrvActivateDeferredWorkItem
0 -> RBiSrvActivateDeferredWorkItem
1 -> RBiSrvActivateInBackground
1 -> RBiSrvActivateInBackground
2 -> RBiSrvActivateWorkItem
2 -> RBiSrvActivateWorkItem
3 -> RBiSrvAssociateActivationProxy
3 -> RBiSrvAssociateActivationProxy
4 -> RBiSrvAssociateApplicationExtensionClass
4 -> RBiSrvAssociateApplicationExtensionClass
5 -> RBiSrvCancelWorkItem
5 -> RBiSrvCancelWorkItem
6 -> RBiSrvCreateEvent
6 -> RBiSrvCreateEvent
7 -> RBiSrvCreateEventForPackageName
7 -> RBiSrvCreateEventForPackageName
8 -> RBiSrvDeleteEvent
8 -> RBiSrvDeleteEvent
9 -> RBiSrvDisassociateWorkItem
9 -> RBiSrvDisassociateWorkItem
10 -> RBiSrvDiscardPendingActivations
10 -> RBiSrvDiscardPendingActivations
11 -> RBiSrvEnumerateBrokeredEvents
11 -> RBiSrvEnumerateBrokeredEvents
12 -> RBiSrvEnumerateUserContexts
12 -> RBiSrvEnumerateUserContexts
13 -> RBiSrvEnumerateUserSessions
13 -> RBiSrvEnumerateUserSessions
14 -> RBiSrvEnumerateWorkItemsForPackageName
14 -> RBiSrvEnumerateWorkItemsForPackageName
15 -> RBiPtSrvGetStatusStateNameFromBrokerEventId
15 -> RBiSrvQueryBrokeredEvent
16 -> RBiSrvQueryBrokeredEvent
16 -> RBiSrvQuerySystemStateBroadcastChannels
17 -> RBiSrvQuerySystemStateBroadcastChannels
17 -> RBiSrvQueryUserContext
18 -> RBiSrvQueryUserContext
18 -> RBiSrvQueryUserSession
19 -> RBiSrvQueryUserSession
19 -> RBiSrvQueryWorkItem
20 -> RBiSrvQueryWorkItem
20 -> RBiPtSrvQueryWorkItemStatusStateName
21 -> RBiPtSrvQueryWorkItemStatusStateName
21 -> RBiSrvSignalEvent
22 -> RBiSrvSignalEvent
22 -> RBiSrvSignalMultipleEvents
23 -> RBiSrvSignalMultipleEvents
23 -> RBiSrvSignalTriggerEvent
24 -> RBiSrvSignalTriggerEvent
24 -> RBiSrvUpdateEventParameters
25 -> RBiSrvUpdateEventParameters
25 -> RBiSrvUpdateEventFlags
26 -> RBiSrvUpdateEventFlags
26 -> RBiSrvUpdateEventInformation
27 -> RBiSrvUpdateEventInformation
RPC 8bfc3be1-6def-4e2d-af74-7c47cd0ade4a (1.0) -- c:\windows\system32\bisrv.dll
RPC 8bfc3be1-6def-4e2d-af74-7c47cd0ade4a (1.0) -- C:\windows\SYSTEM32\bisrv.dll
0 -> RBiSrvActivateWorkItemForUser
0 -> RBiSrvActivateWorkItemForUser
1 -> RBiSrvChangeApplicationStateForPackageNameForUser
1 -> RBiSrvChangeApplicationStateForPackageNameForUser
2 -> RBiSrvChangeApplicationStateForPsmKeyForUser
2 -> RBiSrvChangeApplicationStateForPsmKeyForUser
3 -> RBiSrvChangeUserState
3 -> RBiSrvChangeUserState
4 -> RBiSrvEnumerateWorkItemsForPackageNameAndUser
4 -> RBiSrvEnumerateWorkItemsForPackageNameAndUser
5 -> RBiSrvGetActiveBackgroundTasksEventForUser
5 -> RBiSrvGetActiveBackgroundTasksEventForUser
6 -> RBiSrvGetCancellationTimeoutInMs
6 -> RBiSrvGetCancellationTimeoutInMs
7 -> RBiSrvIsApplicationTerminateSensitiveForUser
7 -> RBiSrvIsApplicationTerminateSensitiveForUser
8 -> RBiSrvNotifyEndSession
8 -> RBiSrvNotifyEndSession
9 -> RBiSrvNotifyNewSession
9 -> RBiSrvNotifyNewSession
10 -> RBiSrvNotifyNewSessionComplete
10 -> RBiSrvNotifyNewSessionComplete
11 -> RBiSrvNotifyNewUser
11 -> RBiSrvNotifyNewUser
12 -> RBiSrvQueryWorkItemForUser
12 -> RBiSrvQueryWorkItemForUser
13 -> RBiSrvResetActiveUserForPackage
13 -> RBiSrvResetActiveUserForPackage
14 -> RBiSrvSetActiveUserForPackage
14 -> RBiSrvSetActiveUserForPackage
15 -> RBiSrvTerminateApplicationHostForUser
15 -> RBiSrvTerminateApplicationHostForUser
16 -> RBiSrvUpdateBackgroundAccessApplicationsForUser
16 -> RBiSrvUpdateBackgroundAccessApplicationsForUser
RPC 1b37ca91-76b1-4f5e-a3c7-2abfc61f2bb0 (1.0) -- C:\windows\SYSTEM32\bisrv.dll
RPC 1b37ca91-76b1-4f5e-a3c7-2abfc61f2bb0 (1.0) -- c:\windows\system32\bisrv.dll
0 -> RBiRtSrvAddWaitableEvent
0 -> RBiRtSrvAddWaitableEvent
1 -> RBiRtSrvAssociateWorkItem
1 -> RBiRtSrvAssociateWorkItem
2 -> RBiRtSrvCreateEvent
2 -> RBiRtSrvCreateEvent
3 -> RBiRtSrvCreateEventForApp
3 -> RBiRtSrvCreateEventForApp
4 -> RBiRtSrvCreateStatusStateName
4 -> RBiRtSrvCreateStatusStateName
5 -> RBiRtSrvDeleteEvent
5 -> RBiRtSrvDeleteEvent
6 -> RBiRtSrvDisassociateWorkItem
6 -> RBiRtSrvDisassociateWorkItem
7 -> RBiRtSrvEnumerateBrokeredEvents
7 -> RBiRtSrvEnumerateBrokeredEvents
8 -> RBiRtSrvEnumerateWorkItems
8 -> RBiRtSrvEnumerateWorkItems
9 -> RBiRtSrvGetWorkItemProperties
9 -> RBiRtSrvGetWorkItemProperties
10
10 -> RBiRtSrvInitiatePause
11 -> RBiRtSrvQueryBrokerEventId
12 -> RBiRtSrvQueryBrokerEventIdFromWorkItem
13 -> RBiRtSrvRegisterWorkItem
14 -> RBiRtSrvSignalEvent
15 -> RBiRtSrvUpdateEventParameters
RPC c605f9fb-f0a3-4e2a-a073-73560f8d9e3e (1.0) -- c:\windows\system32\bisrv.dll
0 -> RBiSrvSignalEvent
RPC 0d3e2735-cea0-4ecc-a9e2-41a2d81aed4e (1.0) -- c:\windows\system32\bisrv.dll
0 -> RBiPtSrvActivateDeferredWorkItem
1 -> RBiPtSrvActivateInBackground
2 -> RBiPtSrvActivateWorkItem
3 -> RBiPtSrvAssociateActivationProxy
4 -> RBiPtSrvAssociateApplicationEntryPoint
5 -> RBiPtSrvCancelWorkItem
6 -> RBiPtSrvCreateEvent
7 -> RBiPtSrvCreateEventForApp
8 -> RBiPtSrvCreateEventForPackageName
9 -> RBiPtSrvDeleteEvent
10 -> RBiPtSrvDisableWorkItem
11 -> RBiPtSrvDisassociateWorkItem
12 -> RBiPtSrvEnableWorkItem
13 -> RBiPtSrvEnumerateBrokeredEvents
14 -> RBiPtSrvEnumerateWorkItemsF