Konrads

Reputation: 2274

What process is making Windows RPC calls?

A client computer is making remote RPC calls to a server. The connection on the client computer is initiated by svchost.exe -k rpcss -p. This means that some other process has asked rpcss to establish that connection on its behalf. My question is: which process? I had attempted to trace it using logman start RPC -p Microsoft-Windows-RPC -ets, but I am only capturing the outbound attempt as opposed to the process which made the query:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-RPC" Guid="{6ad52b32-d609-4be9-ae07-ce8dae937e39}" />
        <EventID>5</EventID>
        <Version>1</Version>
        <Level>4</Level>
        <Task>1</Task>
        <Opcode>1</Opcode>
        <Keywords>0x4000000000000000</Keywords>
        <TimeCreated SystemTime="2024-04-14T15:43:06.373442800+07:59" />
        <Correlation ActivityID="{3f460d21-4653-4ecd-978b-ad45c40d92b7}" />
        <Execution ProcessID="1804" ThreadID="22688" ProcessorID="15" KernelTime="45" UserTime="195" />
        <Channel>Microsoft-Windows-RPC/Debug</Channel>
        <Computer />
    </System>
    <EventData>
        <Data Name="InterfaceUuid">{99fcfec4-5260-101b-bbcb-00aa0021347a}</Data>
        <Data Name="ProcNum">0x5</Data>
        <Data Name="Protocol">       1</Data>
        <Data Name="NetworkAddress">11.22.33.44</Data>
        <Data Name="Endpoint">135</Data>
        <Data Name="Options">NULL</Data>
        <Data Name="AuthenticationLevel">       1</Data>
        <Data Name="AuthenticationService">       0</Data>
        <Data Name="ImpersonationLevel">       3</Data>
    </EventData>
    <RenderingInfo Culture="en-SG">
        <Level>Information </Level>
        <Opcode>Start </Opcode>
        <Task>RpcClientCall</Task>
        <Message>Client RPC call started.   InterfaceUuid:  {99fcfec4-5260-101b-bbcb-00aa0021347a}  OpNum:  0x5     Protocol:   TCP     NetworkAddress  11.22.33.44     Endpoint    135     Binding Options     NULL    Authentication Level    None    Authentication Service  0 Impersonation Level   Impersonate  </Message>
        <Channel>Debug </Channel>
        <Provider>Microsoft-Windows-RPC </Provider>
    </RenderingInfo>
</Event>

How can I capture the actual originating process?

Upvotes: 0

Views: 159
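As an added triage helper (not part of the question or any answer), the script below parses Microsoft-Windows-RPC event XML in the shape shown above, such as a tracerpt export with an <Events> root, and lists the PIDs whose events share a Correlation ActivityID with the rpcss call that carries a remote NetworkAddress. It assumes the trace was captured for all processes and that the RPC runtime reuses the ActivityID across the related local and remote calls; the PIDs 4242 and 999, the placeholder UUIDs and the <Events> wrapper are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_rpc_events(xml_text):
    """Flatten each <Event> into the fields needed for process attribution."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "pid": int(system.find("e:Execution", NS).get("ProcessID")),
            "activity": system.find("e:Correlation", NS).get("ActivityID"),
            "interface": data.get("InterfaceUuid", ""),
            "address": data.get("NetworkAddress", ""),
            "endpoint": data.get("Endpoint", ""),
        })
    return events

def originating_candidates(events, rpcss_pid):
    """PIDs other than rpcss whose events share an ActivityID with an rpcss
    client call that carries a remote NetworkAddress (assumed correlation)."""
    pids_by_activity = defaultdict(set)
    for e in events:
        pids_by_activity[e["activity"]].add(e["pid"])
    candidates = set()
    for e in events:
        if e["pid"] == rpcss_pid and e["address"]:
            candidates |= pids_by_activity[e["activity"]] - {rpcss_pid}
    return candidates

def _event(pid, activity, iface, address, endpoint):
    # Constructed record in the shape of the event 5 XML shown in the question.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>5</EventID>'
            f'<Correlation ActivityID="{activity}"/>'
            f'<Execution ProcessID="{pid}" ThreadID="1"/></System><EventData>'
            f'<Data Name="InterfaceUuid">{iface}</Data>'
            f'<Data Name="NetworkAddress">{address}</Data>'
            f'<Data Name="Endpoint">{endpoint}</Data></EventData></Event>')

# Constructed trace: the rpcss call from the question, a local call from PID 4242 sharing
# its ActivityID, and an unrelated call from PID 999 under a different ActivityID.
ACT = "{3f460d21-4653-4ecd-978b-ad45c40d92b7}"
SAMPLE_XML = ("<Events>"
              + _event(1804, ACT, "{99fcfec4-5260-101b-bbcb-00aa0021347a}", "11.22.33.44", "135")
              + _event(4242, ACT, "{local-iface-placeholder}", "", "")
              + _event(999, "{unrelated-activity-placeholder}", "{local-iface-placeholder}", "", "")
              + "</Events>")
```

Feed it the XML exported from your own .etl and verify the shared ActivityID against the events in the candidate PID before drawing conclusions.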

Answers (0)
