Query winmgmt from PowerShell

I'm not entirely certain this is possible, but I figured I'd ask. Where I work now we have stringent security policies for all servers. Any server that needs to be remotely managed has to have a justification, firewall rules and potential VLAN moves before that can happen. Part of this is a requirement to set WMI to a single port. I'm working on a script that would allow me to switch that on or off.

http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx

That article lists the steps to set this up.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa394525(v=vs.85).aspx

This lists all the switches for winmgmt. I was hoping to find one that would output its current configuration. The idea being that if I run my script and tell it to enable single mode, I'd like to be able to check if it's already enabled and report that to the user, and then exit.

My other thought is perhaps there is a registry entry I can check to see if singlemode is enabled.

Any help would be greatly appreciated!

Thanks,

June 13th, 2012 2:14pm

Just query netsh. You do not need PowerShell to do this.

The starting and stopping, in this case, would be handled by opening and closing the port using netsh. 

Somewhere there is a module for managing the advanced firewall that can also query and set the firewall.

Note that single mode is very slow and does not support asynch queries. Much of Windows requires WMI to be available and running full mode.  I believe that singlemode is designed for stand alone systems; not for domain based servers.

This question is not really a scripting question.  It should be asked in the Server forum for the OS you are managing.

June 13th, 2012 4:22pm

Hi Jrv,

So you can set the winmgmt /standalone inside netsh? I've just been following the instructions on the MSDN page that I linked earlier. I'll poke around in there and see what I can see. I wrote some firewall functions; if you have any others I would love to add them.

http://gallery.technet.microsoft.com/scriptcenter/2834b674-7e16-479c-9de1-489903ee2652

As far as the restriction, I don't have an option on that one, it's required :-(

June 13th, 2012 4:26pm

This is one case where it doesn't make sense to use PowerShell.  It is a two-liner in a batch file.   netsh can also remote but I am not sure if remoting will work with this command.

June 13th, 2012 5:49pm

The intent was not to run remotely. PowerShell is what I use to do my scripting. I get a richer experience when calling a script through PowerShell as opposed to the DOS shell, and I think you'd agree with that. I have no problems calling netsh commands through Invoke-Expression, which is what I will sometimes do.

Again, was just looking for a way to check if standalone is already enabled so I don't need to duplicate work.

June 13th, 2012 5:53pm

I'm not sure I understand...

PowerShell is a shell. That means it can run the same commands you can already run from the cmd.exe prompt (which is not, incidentally, a DOS shell). Invoke-Expression is not needed. Just type the command you want to run.

Bill

June 13th, 2012 7:14pm

Ok - Jeffery. 

Here is how to find out how winmgmts is configured.

E:\test2>sc queryex winmgmt
SERVICE_NAME: winmgmt
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1116
        FLAGS              :
E:\test2>

It will say either WIN32_SHARE_PROCESS or WIN32_OWN_PROCESS.

Standalone means among other things to not run in the same space as another process (security and p-top isolation).

In Powershell we can do this:

PS>(get-service winmgmt).servicetype
Win32ShareProcess

Or this:
PS>(gwmi win32_service -filter 'name="winmgmt"').ServiceType
Share Process

June 13th, 2012 10:59pm

Use SC from PowerShell ->

PS>cmd /c sc queryex winmgmt|?{[void]($_ -match '(TYPE\s+:\s+\d+\s+)(.*)')};$matches[2]
WIN32_SHARE_PROCESS		
June 13th, 2012 11:08pm

As there has been no activity in this thread for a few days, we assume the issue is resolved. We will mark it as "answered" to assist others in similar situations. If you disagree, please reply with further information. You can unmark the answer if you wish. If a reply helped answer your question, please mark it as the answer.

June 20th, 2012 12:00am

jrv,

That solution doesn't appear to be the case, I tested this recently on a 2008 R2 server and noted that Type never changed from WIN32_SHARE_PROCESS.

I'm working on a DSC resource and I need to be able to verify that winmgmt is in standalone or sharedhost, I'm hunting currently for a regkey.

June 10th, 2015 7:03pm

C'mon Jeffrey.  That post is ancient.  It predates all of this and was scarfed from a WS2003 or XP system.

It appears that you are asking a brand new question.

The two designations are not mutable.  I suspect that the process needs to be designed specifically for SHARE.

Newer systems may not support the older methods/configurations.

Why STANDALONE?

June 10th, 2015 7:17pm

Consider the purpose for SHARE_PROCESS.  Why should WMI run any other way?  If we lock it in then other features might not work.

I suspect that Windows is now not willing to allow the repurposing of this service.

June 10th, 2015 7:21pm

Still the same question, how do I verify that winmgmt is configured a specific way. Still the same requirements that the security office requires WMI traffic over a single port.

June 11th, 2015 10:01am

I don't disagree with you, I believe the WMI should run free in the wild...but those silly security folks ;-)

My guess is that restricting WMI to a single port doesn't impact much of anything as I'm sure there are more stringent requirements than our own in some datacenters.

June 11th, 2015 10:03am

WMI is used by almost every aspect of the Windows OS.  The ports are well protected. RPC manages the WMI port allocations dynamically.

The question you are asking is not a scripting question.  It is a question for the server folks to answer.

Start here to get info on how this is set up: https://msdn.microsoft.com/en-us/library/bb219447%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Using Netsh to check firewall is one step.  I expect that the standalone is in the registry.

June 11th, 2015 10:26am

ya I apparently contributed to that page, the code links are to my script that "sets a fixed port". I was hunting in the registry but have thus far come up empty

June 11th, 2015 10:34am

Registry key: HKEY_CLASSES_ROOT\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}

June 11th, 2015 10:38am

LOL! how do you do that so quickly? I routinely feel stupid when I ask something and you come back mere moments later ;-)
June 11th, 2015 10:40am

DCOMCNFG sets the port.  The AppId is where this is set.  If it is set as needed then you should be good.

Sorry I didn't notice that it was your code.

Endpoints definition of values of DCOM: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680086(v=vs.85).aspx

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
   {AppID_GUID}
      Endpoints = ncacn_ip_tcp,0,port

June 11th, 2015 10:42am


if you ever get bored...or feel like gouging out your ears...ping me offline and i'll attempt to explain that "security"...lol
June 11th, 2015 10:52am

ping offline?  Which method?

June 11th, 2015 10:58am

One of the things I have noticed in my testing, now that I know how to verify, is once you move from sharedhost to standalonehost.

in DCOM I saw that endpoints listed, at the start, default protocols and properties was greyed out.

in the registry I saw that only default, launchpermission were listed.

net stop winmgmt

winmgmt /sharedhost

net start winmgmt

dcom endpoints list connection oriented tcp/ip and use static port was set to 24158

in the registry I saw that endpoints (ncacn_ip_tcp,0,24158) and localservice (winmgmt) were listed.

net stop winmgmt

winmgmt /standalonehost

net start winmgmt

no change, that's mildly disconcerting...

I'm going to spin up a few clean vm's to test this out a little more.

June 11th, 2015 12:36pm

i used to have an about page on my website...i should put that back up

jeffrey @ patton-tech . com

June 11th, 2015 12:38pm

On Vista and later the key is protected until you change it.  It looks like that causes you to have to change it twice but I doubt it.

On Win 7 which has never been changed this is what I see:
DCOM - endpoints are set to default.
REG - only "default","LocalService", "LaunchPermissions"

Stop Winmgmt and run winmgmt /standalonehost.

Refresh regedit window and EndPoint is now set.

Refresh DCOMCNFG list, and new endpoint is set.

winmgmt /sharedhost

restart and refresh and endpoint is still set.

I think we have a bug.  I am going to restart to see if that resets this.

June 11th, 2015 1:50pm

so I've been beating this up, and I think buried somewhere is a switch that lets it know what to do...just haven't found it yet.

I was originally concerned that once switched to standalone mode it always stayed there, based on what I saw in the reg and dcom. but after multiple tests between two vm's on the same network with firewalls off what I see is that the server responds over the standalone port when in that mode and when in sharedhost mode responds over whatever port, although for me this has consistently been 49154.

at first I thought I could just regex netstat -ano for existence/absence of port 24158, but that doesn't actually start listening UNTIL a client makes a connection. perhaps i'm doing something wrong, but I tested this a few times and I don't see the 24158 port (or the sharedhost port) show as listening UNTIL AFTER a client sends a wmi req.

I tried to send a req locally, even specifying the ip of the local system but windows is smarter than that ;-) darnit

I wonder if the bug is merely in just updating the various places in the reg where this is found. I have found that classid in HKLM and referenced in various other places as well.

is there a tool that will monitor registry changes realtime?

June 11th, 2015 1:57pm

also, I've restarted a few times and haven't seen a difference
June 11th, 2015 1:58pm

I manually cleared it with dcomcnfg.  The UI performance takes a hit with a standalone setting. Setting it back seems to have returned the UI to its normal spiffiness.
June 11th, 2015 2:08pm

This is why I say it is secure with RDP.  The ports are always kept closed.  Only RDP is open.  WMI calls RDP and RDP enables and hands back a port.  It either uses a fixed port or a shared port.  This is how almost all advanced Windows services work.  It is the first line of protection.

When we need to communicate over an Internet then this may be an issue as we want the DMZ firewall to limit its ports to only known ports so it can be monitored.  Too many security people who are not well trained in inet comm get this wrong and think the protections also have to apply inside or behind the DMZ.

We are now working on placing all Inet traffic on port 80 and port 443 as we can do that with modern systems. This allows all potentially dangerous traffic to be focused through a small number of ports.

June 11th, 2015 2:19pm

but "manually clearing" it seems to be not the thing we should be doing, but the OS...right? or am I fundamentally missing something here?

June 11th, 2015 3:46pm

If the registry has an endpoint AND the following is NOT true: (or is WIN32_STANDALONE) then WMI is using the endpoint.  I am sure that when Win32_SHARE_PROCESS is set the process has to use the RPC assigned port and protocol.  I am sure this can be verified quite easily.

C:\>sc queryex winmgmt

SERVICE_NAME: winmgmt
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 528
        FLAGS              :

June 11th, 2015 4:03pm

This along with endpoint determines the configuration.

PS C:\scripts> cmd /c "sc queryex winmgmt"

SERVICE_NAME: winmgmt
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 528
        FLAGS              :
PS C:\scripts>

If the setting is WIN32_OWN_PROCESS then it is running on an endpoint set in the registry.  WIN32_SHARE_PROCESS is running on an RPC-allocated endpoint.

June 11th, 2015 4:18pm

From my 2008r2 test server, these appear to be identical
PS C:\Users\Administrator> Stop-Service winmgmt -Force
PS C:\Users\Administrator> winmgmt /sharedhost
Service configuration changes succeeded.

Please stop and restart Winmgmt service for changes to take effect.
PS C:\Users\Administrator> Start-Service winmgmt
PS C:\Users\Administrator> Restart-Service winmgmt -Force
PS C:\Users\Administrator> cmd /c "sc queryex winmgmt"

SERVICE_NAME: winmgmt
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 820
        FLAGS              :
PS C:\Users\Administrator> Stop-Service winmgmt -Force
PS C:\Users\Administrator> winmgmt /standalonehost
Service configuration changes succeeded.

Please stop and restart Winmgmt service for changes to take effect.
PS C:\Users\Administrator> Start-Service winmgmt
PS C:\Users\Administrator> Restart-Service winmgmt -Force
PS C:\Users\Administrator> cmd /c "sc queryex winmgmt"

SERVICE_NAME: winmgmt
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 816
        FLAGS              :

June 11th, 2015 4:25pm

Ok - try this:

add-type -AssemblyName System.ServiceProcess
# ServiceType is a flags enum; test the Win32OwnProcess bit
if((get-service -name winmgmt).ServiceType -band [system.serviceprocess.servicetype]::Win32OwnProcess){
    Write-Host 'Getting endpoints:' -fore green
    # Endpoints is a value under the AppID key, so read it with Get-ItemProperty
    (Get-ItemProperty 'HKLM:\Software\Classes\AppId\{8BC3F05E-D86B-11D0-A075-00C04FB68820}').Endpoints
}else{
    Write-Host 'WMI in shared process' -fore green
}

June 11th, 2015 4:27pm

I still wonder if you're right and this is a bug of some sort. What I have decided to do for this feels somewhat hackish, but it should work. This should allow me to move forward with my DSC resource and take advantage of ensure present/absent.
function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [parameter(Mandatory = $true)]
        [ValidateSet("standalonehost","sharedhost")]
        [System.String]
        $Mode,

        [ValidateSet("Present","Absent")]
        [System.String]
        $Ensure
    )

    if ($Ensure -eq 'Absent')
    {
        # Remove the static DCOM endpoint from the winmgmt AppID key
        $RegKey = Get-Item "HKLM:\SOFTWARE\Classes\AppID"
        $wmimgmt = $RegKey.OpenSubKey("{8BC3F05E-D86B-11D0-A075-00C04FB68820}", $true)
        # $false: do not throw if the value is already gone
        $wmimgmt.DeleteValue('EndPoints', $false)
        $wmimgmt.Close()
    }

    # Apply the requested mode; the service must be restarted for it to take effect
    Stop-Service Winmgmt -Force
    & winmgmt "/$Mode"
    Start-Service Winmgmt
}

June 11th, 2015 4:28pm
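
A read-only counterpart to the checks discussed in this thread, as an added example that is not code from any poster: it parses the `Endpoints` value format quoted earlier (`ncacn_ip_tcp,0,port`) under the winmgmt AppID key and reports it next to the service type. The function names `ConvertFrom-DcomEndpoint` and `Get-WmiEndpointConfig` are hypothetical, the sample strings are constructed, and PowerShell 3.0 or later is assumed.

```powershell
# Added example. The AppID GUID and the value format come from this thread.
$WmiAppIdPath = 'HKLM:\SOFTWARE\Classes\AppID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}'

function ConvertFrom-DcomEndpoint {
    # Parses one Endpoints entry of the form "protseq,flags,port".
    param(
        [Parameter(Mandatory = $true)]
        [string]$Entry
    )

    $parts = @($Entry.Split(',') | ForEach-Object { $_.Trim() })
    if ($parts.Count -ne 3) {
        throw "Unexpected Endpoints entry: '$Entry'"
    }

    $port = 0
    $isNumber = [int]::TryParse($parts[2], [ref]$port)
    if ((-not $isNumber) -or ($port -lt 1) -or ($port -gt 65535)) {
        throw "Invalid port in Endpoints entry: '$Entry'"
    }

    [pscustomobject]@{
        ProtocolSequence = $parts[0]
        Flags            = $parts[1]
        Port             = $port
    }
}

function Get-WmiEndpointConfig {
    # Reports what is configured; it changes nothing on the system.
    param(
        [int]$ExpectedPort = 24158   # the static port observed in this thread
    )

    $svc = Get-Service -Name winmgmt

    # Endpoints is REG_MULTI_SZ; a missing key or value yields no entries.
    $prop = Get-ItemProperty -Path $WmiAppIdPath -Name Endpoints -ErrorAction SilentlyContinue
    $entries = @()
    if ($prop) {
        $entries = @($prop.Endpoints | Where-Object { $_ } |
            ForEach-Object { ConvertFrom-DcomEndpoint -Entry $_ })
    }
    $tcp = @($entries | Where-Object { $_.ProtocolSequence -eq 'ncacn_ip_tcp' })

    [pscustomobject]@{
        ServiceType     = $svc.ServiceType
        EndpointsSet    = ($tcp.Count -gt 0)
        StaticPorts     = @($tcp | ForEach-Object { $_.Port })
        MatchesExpected = (@($tcp | Where-Object { $_.Port -eq $ExpectedPort }).Count -gt 0)
    }
}

# Offline demo of the parser on constructed sample values:
# the first parses, the second is rejected because "port" is not a number.
'ncacn_ip_tcp,0,24158', 'ncacn_ip_tcp,0,port' | ForEach-Object {
    try   { ConvertFrom-DcomEndpoint -Entry $_ }
    catch { Write-Warning $_.Exception.Message }
}
```

In the tests reported in this thread the `Endpoints` value stayed in place after `winmgmt /sharedhost` and `ServiceType` did not change, so read `EndpointsSet` as "a static port is configured", not as proof of the mode the service is running in.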

does that work on your system? I'm not seeing any difference, I am not manually clearing dcom, just for reference.

PS C:\Users\Administrator> Stop-Service winmgmt -Force
PS C:\Users\Administrator> winmgmt /sharedhost
Service configuration changes succeeded.

Please stop and restart Winmgmt service for changes to take effect.
PS C:\Users\Administrator> Start-Service winmgmt
PS C:\Users\Administrator> Restart-Service winmgmt -Force
PS C:\Users\Administrator> Get-Service winmgmt |fl


Name                : winmgmt
DisplayName         : Windows Management Instrumentation
Status              : Running
DependentServices   : {SharedAccess, iphlpsvc}
ServicesDependedOn  : {RPCSS}
CanPauseAndContinue : True
CanShutdown         : True
CanStop             : True
ServiceType         : Win32ShareProcess



PS C:\Users\Administrator> Stop-Service winmgmt -Force
PS C:\Users\Administrator> winmgmt /standalonehost
Service configuration changes succeeded.

Please stop and restart Winmgmt service for changes to take effect.
PS C:\Users\Administrator> Start-Service winmgmt
PS C:\Users\Administrator> Restart-Service winmgmt -Force
PS C:\Users\Administrator> Get-Service winmgmt |fl


Name                : winmgmt
DisplayName         : Windows Management Instrumentation
Status              : Running
DependentServices   : {SharedAccess, iphlpsvc}
ServicesDependedOn  : {RPCSS}
CanPauseAndContinue : True
CanShutdown         : True
CanStop             : True
ServiceType         : Win32ShareProcess

those are both green by the way

PS C:\Users\Administrator> Stop-Service winmgmt -Force
PS C:\Users\Administrator> winmgmt /sharedhost
Service configuration changes succeeded.

Please stop and restart Winmgmt service for changes to take effect.
PS C:\Users\Administrator> Start-Service winmgmt
PS C:\Users\Administrator> Restart-Service winmgmt -Force
PS C:\Users\Administrator> get-winmgmt
WMI in shared process
PS C:\Users\Administrator> Stop-Service winmgmt -Force
PS C:\Users\Administrator> winmgmt /standalonehost
Service configuration changes succeeded.

Please stop and restart Winmgmt service for changes to take effect.
PS C:\Users\Administrator> Start-Service winmgmt
PS C:\Users\Administrator> Restart-Service winmgmt -Force
PS C:\Users\Administrator> get-winmgmt
WMI in shared process

June 11th, 2015 4:36pm

that's not going to work the way I think...
June 11th, 2015 4:46pm

I think we are missing some piece of information here or there is a bug in this configuration.

You can also use PortQryV2 to validate the port an

June 11th, 2015 4:46pm

Why not just

(get-service winmgmt).ServiceType

?

June 11th, 2015 4:47pm

Bill, see the above snippets, that doesn't appear to work in either 2008R2 or 2012/2012R2. It always returns the same info regardless of what you have set via winmgmt. unless you know some awesome secret?
June 11th, 2015 4:48pm

is that supposed to be portqry?
June 11th, 2015 4:49pm


It seems to me you need to start a new thread in the security forum.
June 11th, 2015 4:53pm

how is this related to security?
June 11th, 2015 4:54pm

lol...that's awesome...reading your message gave me flashbacks to emacs...
June 11th, 2015 4:54pm

I'm back.

Here is what PortQry looks like to RPC.

> q rpc

resolving service name using local services file...
TCP port resolved to the 'epmap' service

IP address resolved to Omega

querying...

TCP port 135 (epmap service): LISTENING

Using ephemeral source port
Querying Endpoint Mapper Database...
Server's response:

Total endpoints found: 60

June 11th, 2015 5:23pm

Need to head out, I'll get back on this tomorrow and see what my VMs say when I configure them standalonehost/sharedhost. Worst case would be use DSC to drop the portqry file in system32 and then call it from my resources.
June 11th, 2015 5:25pm

This topic is archived. No further replies will be accepted.