Version 2.0
Published: September 2011
This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web s
of using it.
Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intend
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy
You may modify this document for your internal, reference purposes.
The Microsoft Security Compliance Manager is intended to help organizations simplify and automate IT compliance and risk m
Manager is designed to facilitate compliance activities conducted by your organization’s IT experts, auditors, accountants, atto
replace those professionals. The Microsoft Security Compliance Manager includes some control objectives and authority docu
and associated product value settings. These objectives, citations, controls and settings do not verify or guarantee fulfillment o
responsibility of your organization to choose the objectives, citations, controls and settings to use, modify, add or remove base
professionals. Reports and any other information provided by or generated from the Tool do not constitute auditing, accountin
compliance professionals to confirm compliance with specific governance, risk and compliance authority documents.
© 2011 Microsoft.
Distributed under Creative Commons Attribution-Noncommercial 3.0 License http://creativecommons.org/licenses/by-nc/3.0
you would like to make of any of our Creative Commons-licensed content, please Contact us. We try hard to accommodate va
Microsoft and the Microsoft product names listed in this data file are trademarks of the Microsoft group of companies; the list
http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx. All other trademarks are property of their respective
AD DS Role Service
Services
Display name
Active Directory Domain Services
Active Directory Web Services
DFS Namespace
DFS Replication
DNS Server
File Replication
Intersite Messaging
Kerberos Key Distribution Center
Net.Tcp Port Sharing Service
Windows CardSpace
Windows Presentation Foundation Font Cache 3.0.0.0
Running Processes
Image Name (PID)
dfsrs.exe (1336)
dfssvc.exe (1584)
dns.exe (2836)
Microsoft.ActiveDirectory.WebServices.exe (1288)
Ports
Port Name
53/UDP -- Unknown Protocol
53/UDP -- Unknown Protocol
Various high UDP ports -- Unknown Protocol
53/TCP -- DNS
53/TCP -- DNS
49206/TCP -- Dynamic RPC Port
88/UDP -- Unknown Protocol
389/UDP -- Unknown Protocol
464/UDP -- Unknown Protocol
389/TCP -- Kerberos
636/TCP -- Secure LDAP
3268/TCP -- LDAP Global Catalog
3269/TCP -- Secure LDAP Global Catalog
49156/TCP -- Unknown Protocol
49158/TCP -- Unknown Protocol
88/TCP -- KDC
464/TCP -- KDC PCR
1288/TCP -- AD WebServices
Named Pipes
Pipe Name
netdfs
RpcProxy\49158
RpcProxy\593
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-2dc-0
Winsock2\CatalogChangeListener-32c-0
Winsock2\CatalogChangeListener-358-0
Winsock2\CatalogChangeListener-3ac-0
Winsock2\CatalogChangeListener-538-0
Winsock2\CatalogChangeListener-558-0
RPC Endpoints
Interface UUID
{12345678-1234-abcd-ef00-01234567cffb}
{12345778-1234-abcd-ef00-0123456789ab}
{e3514235-4b06-11d1-ab04-00c04fc2dcd2}
{12345678-1234-abcd-ef00-01234567cffb}
{12345778-1234-abcd-ef00-0123456789ab}
{e3514235-4b06-11d1-ab04-00c04fc2dcd2}
{12345678-1234-abcd-ef00-01234567cffb}
{12345778-1234-abcd-ef00-0123456789ab}
{e3514235-4b06-11d1-ab04-00c04fc2dcd2}
{50abc2a4-574d-40b3-9d66-ee4fd5fba076}
{897e2e5f-93f3-4376-9c9c-fd2277495c27}
Firewall Rules
Name
Active Directory Domain Controller - LDAP (TCP-In)
Network Shares
Name
NETLOGON
SYSVOL
Groups
Account Name
Account Operators
Administrators
Allowed RODC Password Replication Group
Backup Operators
Cert Publishers
Certificate Service DCOM Access
Cryptographic Operators
Denied RODC Password Replication Group
Distributed COM Users
DnsAdmins
DnsUpdateProxy
Domain Admins
Domain Computers
Domain Controllers
Domain Guests
Domain Users
Enterprise Admins
Enterprise Read-only Domain Controllers
Event Log Readers
Group Policy Creator Owners
Guests
IIS_IUSRS
Incoming Forest Trust Builders
Network Configuration Operators
Performance Log Users
Performance Monitor Users
Pre-Windows 2000 Compatible Access
Print Operators
RAS and IAS Servers
Read-only Domain Controllers
Remote Desktop Users
Replicator
Schema Admins
Server Operators
Terminal Server License Servers
Users
Windows Authorization Access Group
Role Dependency
Dependency
None
Identity Management for UNIX Role Service
C:\Windows\system32\dfssvc.exe
C:\Windows\system32\dns.exe
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
State Process
Unknown dns.exe (PID 2836)
Unknown dns.exe (PID 2836)
Unknown dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Unknown lsass.exe (PID 472)
Unknown lsass.exe (PID 472)
Unknown lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen Microsoft.ActiveDirectory.WebServices.exe (1288)
0 0
0 0
0 0
0 0
0 0
0 0
0 0
Endpoint Binding(s)
ncacn_http:[49158]
ncacn_http:[49158]
ncacn_http:[49158]
ncacn_ip_tcp:[49155]
ncacn_ip_tcp:[49155]
ncacn_ip_tcp:[49155]
ncacn_ip_tcp:[49157]
ncacn_ip_tcp:[49157]
ncacn_ip_tcp:[49157]
ncacn_ip_tcp:[49167]
ncacn_ip_tcp:[5722]
Direction Protocol
In TCP
In UDP
In TCP
In UDP
In TCP
In UDP
In TCP
In TCP
In UDP
In TCP
In TCP
In ICMPv4
In ICMPv6
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In UDP
In TCP
In UDP
In TCP
In TCP
Out TCP
Out UDP
Out ICMPv4
Out ICMPv6
Out TCP
Out TCP
Out UDP
Path ACL
C:\Windows\SYSVOL\sysvol\%fqdn%\SCRIPTS Everyone AccessAllowed
BUILTIN\Administrators AccessAllowed
C:\Windows\SYSVOL\sysvol\ Everyone AccessAllowed
Authenticated Users AccessAllowed
BUILTIN\Administrators AccessAllowed
SID Privileges
Description
Services
Display name Service name
Server For NIS NisSvc
Drivers
Name Startup Mode
Server for NFS Open RPC (ONCRPC) Portmapper (Portmap) Demand
Server for NFS Open RPC (ONCRPC) (RpcXdr) Demand
Running Processes
Image Name (PID) Command Line
svchost.exe (836) C:\Windows\system32\svchost.exe -k netsvcs
{9A899A50-F96B-11D2-AC78-0008C7726CF7} ADsUnixAttributePropertyPage
{C7499700-F96B-11D2-AC78-0008C7726CF7}
Ports
Port Name State
111/TCP -- Unknown Protocol Listen
123/UDP -- NTP Unknown
3268/TCP -- Microsoft Global Catalog Established
49154/TCP -- Unknown Protocol Listen
49155/TCP -- Unknown Protocol Listen
49156/TCP -- Unknown Protocol Established
49159/TCP -- Unknown Protocol Established
49160/TCP -- Unknown Protocol Established
49161/TCP -- Unknown Protocol Established
Named Pipes
Pipe Name Network Denied
protected_storage 0
Winsock2\CatalogChangeListener-2c8-0 1
Winsock2\CatalogChangeListener-318-0 0
Winsock2\CatalogChangeListener-1d8-0 0
Winsock2\CatalogChangeListener-344-0 1
Winsock2\CatalogChangeListener-1d8-1 0
wbhstipmdde0ee1e-298f-4a78-a5e9-4adc66e69a20 0
wbhstipm5e0a98a8-52d8-4d0d-a9d2-628c319f2f8a 0
wbhstipmb9ddca35-b262-45f6-b657-e3b9e13b5c1d 0
wbhstipm567235ec-635b-46e8-9a9e-edf29ebd14a4 0
Winsock2\CatalogChangeListener-540-0 1
5c930e60-99f8-4e0a-90f6-8b1b7e0b22f5 1
a9f69662-2d7b-4b16-9394-f83c53fd6712 1
Winsock2\CatalogChangeListener-50c-0 0
Winsock2\CatalogChangeListener-3b8-0 0
Firewall Rules
Name Direction
Portmap for UNIX-based Software (TCP-In) In
Portmap for UNIX-based Software (UDP-In) In
Server for NIS (Open Portmapper-In) In
Server For NIS (UDP-In) In
Server For NIS (Unix-RPC) In
Path Entries
Binary Path
C:\Windows\idmu\common
Groups
Account Name SID
NT SERVICE\ADWS S-1-5-80-660584071-4121121593-1437107511-3148243646-2105555040
NT SERVICE\NisSvc S-1-5-80-3651366176-1832982195-1003256308-316140560-3486696329
Role Dependency
Dependency Description
Active Directory Domain Services Manages the credentials that are authenticated by the Server for Network Information Services.
Running Processes
Image Name (PID) Command Line
svchost.exe (256) C:\Windows\system32\svchost.exe -k NetworkService
Ports
Port Name State
111/TCP -- Unknown Protocol Listen
111/TCP -- Unknown Protocol Listen
111/UDP -- Unknown Protocol Unknown
445/TCP -- SMB Established
47001/TCP -- Unknown Protocol Listen
47001/TCP -- Unknown Protocol Listen
49169/TCP -- Dynamic RPC Port Listen
49169/TCP -- Dynamic RPC Port Listen
49178/TCP -- Unknown Protocol Established
49185/TCP -- Unknown Protocol Established
49187/TCP -- Unknown Protocol Established
49188/TCP -- Unknown Protocol Established
49240/TCP -- Unknown Protocol Established
49261/TCP -- Unknown Protocol Established
5355/UDP -- Unknown Protocol Unknown
56196/UDP -- Unknown Protocol Unknown
Named Pipes
Pipe Name Network Denied
protected_storage 0
Winsock2\CatalogChangeListener-2d0-0 1
Winsock2\CatalogChangeListener-320-0 1
Winsock2\CatalogChangeListener-1d8-0 0
Winsock2\CatalogChangeListener-34c-0 1
Winsock2\CatalogChangeListener-1d8-1 0
wbhstipm2d2b8f22-b055-45c3-a412-db02e05be2e2 0
wbhstipmd1d3beb2-a839-4ce2-a191-db96ac61946e 0
wbhstipmbf954b8c-9140-4e94-b3d4-ca12fa39ed89 0
wbhstipmfcff5c4f-e690-446f-8ab2-0360d347dc64 0
27799880-dc05-4b68-91e1-acf0af566cbf 1
1553209f-8ac0-4aec-b57e-9b9ef2dcac0f 1
Winsock2\CatalogChangeListener-3ec-0 0
System Services
Account Name SID
NT SERVICE\NisSvc S-1-5-80-3651366176-1832982195-1003256308-316140560-3486696329
Role Dependency
Dependency Description
Active Directory Domain Services Manages the credentials that are authenticated by the Server for Network Information Services.
Running Processes
Image Name (PID) Command Line
svchost.exe (840) C:\Windows\system32\svchost.exe -k netsvcs
Ports
Port Name State
49155/TCP -- Unknown Protocol Listen
49155/TCP -- Unknown Protocol Listen
49166/TCP -- Unknown Protocol Established
Named Pipes
Pipe Name Network Denied
protected_storage 0
Winsock2\CatalogChangeListener-2cc-0 1
Winsock2\CatalogChangeListener-324-0 1
Winsock2\CatalogChangeListener-1d8-0 1
Winsock2\CatalogChangeListener-348-0 1
Winsock2\CatalogChangeListener-1d8-1 1
Winsock2\CatalogChangeListener-550-0 1
wbhstipmce88ee40-4535-4c6c-8812-1b6fafa0a6cb 0
wbhstipmf7cd54b7-ee88-4573-90df-8b61eb479a9f 0
wbhstipm7e5ef196-90d3-420e-b8da-db1263a549be 0
wbhstipm9a86b51a-f02b-4ab0-be7a-d2464c2b0eb7 0
d5fdcebc-16bf-419e-994c-30adc6b46906 1
9aeb97da-90ce-4711-8705-fb9fab37a8d6 1
Winsock2\CatalogChangeListener-51c-0 1
Winsock2\CatalogChangeListener-3cc-0 1
Firewall
Name Direction
Password Synchronization (TCP-In) In
Password Synchronization (TCP-In) In
Password Synchronization (TCP-In) In
Groups
Account Name SID
NT SERVICE\WerSvc S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380
Role Dependency
Dependency Description
Active Directory Domain Services Manages the credentials that are authenticated by the Server for Network Information Services.
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
*: *:* Yes
*: *:* Yes
Binary Path
C:\Windows\idmu\common\nisprop.dll
C:\Windows\idmu\common\nisprop.dll
Process Account
System (PID 4)
svchost.exe (PID 904)
lsass.exe (PID 472)
lsass.exe (PID 472)
svchost.exe (PID 836)
lsass.exe (PID 472)
ismserv.exe (PID 1380)
ismserv.exe (PID 1380)
Microsoft.ActiveDirectory.WebServices.exe (PID 1220)
Microsoft.ActiveDirectory.WebServices.exe (PID 1220)
Microsoft.ActiveDirectory.WebServices.exe (PID 1220)
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0
0
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0
0
0
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
0
0
Privileges
Process
System (PID 4)
System (PID 4)
System (PID 4)
System (PID 4)
System (PID 4)
System (PID 4)
services.exe (PID 464)
services.exe (PID 464)
dfssvc.exe (PID 1684)
dfsrs.exe (PID 1308)
dfsrs.exe (PID 1308)
dfsrs.exe (PID 1308)
lsass.exe (PID 472)
System (PID 4)
svchost.exe (PID 256)
Microsoft.ActiveDirectory.WebServices.exe (PID 1240)
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0
0
0
0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
Privileges
Account Process Flags
(Linker Version: 9.0.-1) (ASLR)
Process Account
svchost.exe (PID 840)
svchost.exe (PID 840)
Microsoft.ActiveDirectory.WebServices.exe (PID 1240)
Microsoft.ActiveDirectory.WebServices.exe (PID 1240)
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0
0
0
0
0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
0 NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Privileges
Enabled
1
1
1
1
1
Enabled
1
1
1
DHCP
Services
Name
DHCP Server (DHCPServer)
Running Processes
Image Name (PID)
svchost.exe (2112)
svchost.exe (3000)
Ports
Port Name
67/UDP -- Unknown Protocol
68/UDP -- Unknown Protocol
2535/UDP -- Unknown Protocol
52464/UDP -- Unknown Protocol
49208/TCP -- Unknown Protocol
49208/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-300-0
wbhstipm960eee7a-4c95-4d9b-a999-231c4b9e1091
wbhstipm927e89ca-69c4-4760-8658-9c22f815e502
wbhstipma58478d8-c9f2-478a-846f-0f26ac2fa067
wbhstipmc05afb30-36be-459e-b146-4d7340f260e2
fd1a4754-6978-4e22-aabe-899fc12bfb79
37a722f7-3ba9-417b-8aeb-67e324dbb54e
Winsock2\CatalogChangeListener-840-0
RPC Endpoints
Interface UUID
{6bffd098-a112-3610-9833-46c3f874532d}
{5b821720-f63b-11d0-aad2-00c04fc324db}
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}
Firewall Rules
Name
DHCP Server - Remote Service Management using SCM (RPC-in)
DHCP Server (RPCSS-In)
DHCP Server (RPC-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server - Remote Service Management using SCM (RPC-in)
DHCP Server (RPCSS-In)
DHCP Server (RPC-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server - Remote Service Management using SCM (RPC-in)
DHCP Server (RPCSS-In)
DHCP Server (RPC-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
DHCP Server v6 (UDP-In)
DHCP Server v4 (UDP-In)
Groups
Account Name
DHCP Users
DHCP Administrators
NT SERVICE\swprv
NT SERVICE\VSS
NT SERVICE\DHCPServer
Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\NETWORK SERVICE Auto
State Process
Unknown svchost.exe (PID 2112)
Unknown svchost.exe (PID 2112)
Unknown svchost.exe (PID 2112)
Unknown svchost.exe (PID 2112)
Listen svchost.exe (PID 2112)
Established svchost.exe (PID 2112)
0 0
0 0
0 0
0 0
1 0
1 0
1 0
Endpoint Binding(s)
ncalrpc:[OLEDECF07835F9E49B68504068D156D]
ncalrpc:[OLEDECF07835F9E49B68504068D156D]
ncalrpc:[WMsgKRpc08A761]
ncalrpc:[WMsgKRpc08A761]
Direction Protocol
In NET_FW_IP_PROTOCOL_ANY
In TCP
In UDP
In UDP
Out UDP
Out UDP
Out TCP
Out TCP
In UDP
In UDP
In TCP
In UDP
In TCP
In TCP
In UDP
In UDP
Out UDP
Out UDP
Out TCP
Out UDP
Out UDP
Out UDP
In TCP
Out NET_FW_IP_PROTOCOL_ANY
In UDP
Out UDP
Direction Protocol
In TCP
In TCP
In TCP
In UDP
In UDP
In UDP
In UDP
In TCP
In TCP
In TCP
In UDP
In UDP
In UDP
In UDP
In TCP
In TCP
In TCP
In UDP
In UDP
In UDP
In UDP
SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1000
S-1-5-21-3754447434-2954449996-2587011620-1001
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091
S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191
Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
*:RPC-EPMap *:* 1
*:RPC *:* 1
*:546 *:* 1
*:68 *:* 1
*:547 *:* 1
*:67 *:* 1
*:RPC *:* 1
*:RPC-EPMap *:* 1
*:RPC *:* 1
*:546 *:* 1
*:68 *:* 1
*:547 *:* 1
*:67 *:* 1
*:RPC *:* 1
*:RPC-EPMap *:* 1
*:RPC *:* 1
*:546 *:* 1
*:68 *:* 1
*:547 *:* 1
*:67 *:* 1
DNS
Services
Name
DNS Server (DNS)
Running Processes
Image Name (PID)
svchost.exe (1716)
dns.exe (2836)
Ports
Port Name
53/UDP -- Unknown Protocol
53/UDP -- Unknown Protocol
Various high UDP ports -- Unknown Protocol
53/TCP -- DNS
53/TCP -- DNS
49206/TCP -- Dynamic RPC Port
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-300-0
wbhstipm960eee7a-4c95-4d9b-a999-231c4b9e1091
wbhstipm927e89ca-69c4-4760-8658-9c22f815e502
wbhstipma58478d8-c9f2-478a-846f-0f26ac2fa067
wbhstipmc05afb30-36be-459e-b146-4d7340f260e2
fd1a4754-6978-4e22-aabe-899fc12bfb79
37a722f7-3ba9-417b-8aeb-67e324dbb54e
Winsock2\CatalogChangeListener-b14-0
RPC Endpoints
Interface UUID
{50abc2a4-574d-40b3-9d66-ee4fd5fba076}
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}
Firewall Rules
All Outgoing (UDP)
All Outgoing (TCP)
RPC (TCP, Incoming)
DNS (UDP, Incoming)
DNS (TCP, Incoming)
RPC Endpoint Mapper (TCP, Incoming)
Windows Management Instrumentation (ASync-In)
Groups
Account Name
NT SERVICE\swprv
NT SERVICE\DNS
Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
C:\Windows\system32\dns.exe
State Process
Unknown dns.exe (PID 2836)
Unknown dns.exe (PID 2836)
Unknown dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Listen dns.exe (PID 2836)
Listen dns.exe (PID 2836)
0 0
0 0
0 0
0 0
1 0
1 0
1 0
Endpoint Binding(s)
ncacn_ip_tcp:[49206]
ncalrpc:[WMsgKRpc08A761]
ncalrpc:[WMsgKRpc08A761]
Out UDP
Out TCP
In TCP
In UDP
In TCP
In TCP
In TCP
Out TCP
In TCP
In TCP
Out UDP
Out TCP
In TCP
In UDP
In TCP
In TCP
In TCP
Out TCP
In TCP
In TCP
Out UDP
Out TCP
In TCP
In UDP
In TCP
In TCP
In TCP
Out TCP
In TCP
In TCP
SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-3615928406-775414823-3337150244-1678472394-1165027386
Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
\Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
*:* *:* 1
*:* *:* 1
*:135 *:* 1
*:* *:* 1
*:* *:* 1
*:RPC *:* 1
*:53 *:* 1
*:53 *:* 1
*:RPC-EPMap *:* 1
*:* *:* 1
*:* *:* 1
*:* *:* 1
*:135 *:* 1
*:* *:* 1
*:* *:* 1
*:RPC *:* 1
*:53 *:* 1
*:53 *:* 1
*:RPC-EPMap *:* 1
*:* *:* 1
*:* *:* 1
*:* *:* 1
*:135 *:* 1
Common HTTP Features
Services
Name
World Wide Web Publishing Service (W3SVC)
Running Processes
Image Name (PID)
svchost.exe (816)
svchost.exe (1316)
mscorsvw.exe (1576)
mscorsvw.exe (2772)
{688EEEE5-6A7E-422F-B2E1-6AF00DC944A6}
{8453993C-F937-4B76-B0DA-948081ED5673}
{90873572-3128-48F3-BB1F-72FBADED669E}
Ports
Port Name
80/TCP -- HTTP
80/TCP -- HTTP
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d0-0
Firewall Rules
World Wide Web Services (HTTPS Traffic-In)
World Wide Web Services (HTTP Traffic-In)
World Wide Web Services (HTTPS Traffic-In)
Groups
Account Name
NT SERVICE\swprv
NT SERVICE\VSS
IIS APPPOOL\DefaultAppPool
Role Dependencies
Dependency
Web Server (IIS)
Application Development
Running Processes
Image Name (PID)
svchost.exe (584)
VSSVC.exe (2136)
sppsvc.exe (2708)
Registered COM Controls
CLSID
{0ACE4881-8305-11CF-9427-444553540000}
{71EAF260-0CE0-11D0-A53E-00A0C90C2091}
{B3192190-1176-11D0-8CE8-00AA006C400C}
{D97A6DA0-A85D-11CF-83AE-00A0C90C2BD8}
{D97A6DA0-A85F-11DF-83AE-00A0C90C2BD8}
{D97A6DA0-A861-11CF-93AE-00A0C90C2BD8}
{D97A6DA0-A862-11CF-84AE-00A0C90C2BD8}
{D97A6DA0-A864-11CF-83BE-00A0C90C2BD8}
{D97A6DA0-A865-11CF-83AF-00A0C90C2BD8}
{D97A6DA0-A866-11CF-83AE-10A0C90C2BD8}
{D97A6DA0-A867-11CF-83AE-01A0C90C2BD8}
{D97A6DA0-A868-11CF-83AE-00B0C90C2BD8}
Groups
Account Name
NT SERVICE\swprv
Role Dependencies
Dependency
Web Server (IIS)
Health and Diagnostics
Registered COM Controls
CLSID
{26B9ED02-A3D8-11D1-8B9C-080009DCC2FA}
{FF160657-DE82-11CF-BC0A-00AA006111E0}
{FF16065B-DE82-11CF-BC0A-00AA006111E0}
{FF16065F-DE82-11CF-BC0A-00AA006111E0}
{FF160663-DE82-11CF-BC0A-00AA006111E0}
Role Dependencies
Dependency
Web Server (IIS)
Security
Running Processes
Image Name (PID)
svchost.exe (856)
iexplore.exe (2360)
RPC Endpoints
Interface UUID
{f1ec59ab-4ca9-4c30-b2d0-54ef1db441b7}
Role Dependencies
Dependency
Web Server (IIS)
Performance
Running Processes
Image Name (PID)
svchost.exe (2816)
Groups
Account Name
NT SERVICE\WerSvc
Role Dependencies
Dependency
Web Server (IIS)
Management Tools
Services
Name
IIS Admin Service (IISADMIN)
Web Management Service (WMSvc)
Running Processes
Image Name (PID)
inetinfo.exe (2476)
VSSVC.exe (2712)
svchost.exe (2792)
Firewall Rules
Name
Web Management Service (HTTP Traffic-In)
Web Management Service (HTTP Traffic-In)
Web Management Service (HTTP Traffic-In)
Groups
Account Name
NT SERVICE\WMSvc
NT SERVICE\swprv
NT SERVICE\VSS
Role Dependency
Dependency
None
FTP Publishing Service
Services
Name
Microsoft FTP Service (FTPSVC)
Running Processes
Image Name (PID)
svchost.exe (584)
svchost.exe (768)
mscorsvw.exe (1464)
dllhost.exe (2560)
mscorsvw.exe (2640)
mscorsvw.exe (3068)
Ports
Port Name
53245/UDP -- Unknown Protocol
49154/TCP -- Unknown Protocol
49383/TCP -- Unknown Protocol
49384/TCP -- Unknown Protocol
49387/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol
Firewall Rules
Name
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-Out)
FTP Server Secure (FTP SSL Traffic-In)
FTP Server (FTP Traffic-Out)
FTP Server (FTP Traffic-In)
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-Out)
FTP Server Secure (FTP SSL Traffic-In)
FTP Server (FTP Traffic-Out)
FTP Server (FTP Traffic-In)
FTP Server Passive (FTP Passive Traffic-In)
FTP Server Secure (FTP SSL Traffic-Out)
FTP Server Secure (FTP SSL Traffic-In)
FTP Server (FTP Traffic-Out)
FTP Server (FTP Traffic-In)
Groups
Account Name
NT SERVICE\COMSysApp
Role Dependency
Dependency
None
IIS Hostable Web Core
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-358-0
Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -UseCLSID {246987C1-7792-46D1-AD01-20387661874B} -Comment "NGen Worker Process"
Microsoft.AppHostQueryProcessor C:\Windows\system32\inetsrv\AppHostNavigators.dll
Microsoft.AppHostConfigPathNavigator C:\Windows\system32\inetsrv\AppHostNavigators.dll
Microsoft.XPathQueryStringCompiler C:\Windows\system32\inetsrv\XPath.dll
State Process
Listen System (PID 4)
Listen System (PID 4)
In TCP
In TCP
In TCP
SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091
S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
Description
C:\Windows\system32\vssvc.exe
C:\Windows\system32\sppsvc.exe
Friendly Name Binary Path
MSWC.BrowserType C:\Windows\SysWOW64\inetsrv\browscap.dll
ASP Read Cookie C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Certificate Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP String List Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Request Dictionary C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Request Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Write Cookie C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Response Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Session Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Application Object C:\Windows\SysWOW64\inetsrv\asp.dll
ASP Server Object C:\Windows\SysWOW64\inetsrv\asp.dll
SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-82-1036420768-1044797643-1061213386-2937092688-4282445334
Description
Endpoint Binding(s)
ncalrpc:[LRPC-e17bc5c38016521b81], ncalrpc:[OLE9E835DB7D4284A1B9B34DF96C29A]
Description
This role service is a Web service that runs in IIS.
SID Privileges
S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380
Description
This role service is a Web service that runs in IIS.
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\LOCAL SERVICE Demand
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
PSFactoryBuffer C:\Windows\SysWOW64\WAMREGPS.DLL
PSFactoryBuffer C:\Windows\SysWOW64\WAMREGPS.DLL
LogUI ncsa C:\Windows\System32\inetsrv\logui.ocx
LogUI odbc C:\Windows\System32\inetsrv\logui.ocx
LogUI msft C:\Windows\System32\inetsrv\logui.ocx
LogUI extnd C:\Windows\System32\inetsrv\logui.ocx
Server Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll
CLAPI.INETLOGINFORMATION C:\Windows\SysWOW64\inetsrv\iscomlog.dll
This snap-in administers the Microsoft Internet Information Services (IIS) 6.0 C:\Windows\System32\inetsrv\inetmgr.dll
This snap-in administers the Microsoft Internet Information Services (IIS) 6.0 C:\Windows\System32\inetsrv\inetmgr.dll
VirtualDirectory Class C:\Windows\SysWOW64\inetsrv\wmi-appserver.dll
AppID
{61738644-F196-11D0-9953-00C04FD919C1}
{62B8CCBE-5A45-4372-8C4A-6A87DD3EDD60}
{A9E69610-B80D-11D0-B9B9-00A0C922E750}
Direction Protocol
In TCP
In TCP
In TCP
SID Privileges
S-1-5-80-257763619-1023834443-750927789-3464696139-1457670516
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091
Description
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
AppID
{315FA593-3CF5-4310-887B-3977A578488A}
{75BE3767-9BAD-477C-A125-26379D3EDB4A}
State Process
Unknown svchost.exe (PID 768)
Listen svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Listen svchost.exe (PID 768)
Direction Protocol
In TCP
Out TCP
In TCP
Out TCP
In TCP
In TCP
Out TCP
In TCP
Out TCP
In TCP
In TCP
Out TCP
In TCP
Out TCP
In TCP
SID Privileges
S-1-5-80-593875016-1044814911-1112741138-2143646632-2690613739
Description
Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)
NX: Enabled (Linker Version: 10.0.-1) (ASLR) (Uses SafeSEH) (Uses /GS)
(Linker Version: 10.0.-1) (ASLR)
Account
DACL
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
Files Server
Services
Image Name (PID)
svchost.exe (768)
Ports
Port Name
49154/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-2d4-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d8-0
wbhstipm0648f693-1683-4afb-9e3e-b8d510298323
wbhstipm9de0438a-d22b-4014-b757-b2b0539bdef2
wbhstipm22e83c71-4158-4145-9909-8e2af4246f60
wbhstipm54520408-b42e-4969-9446-8826239d3748
d71d14b0-662d-421a-b3e6-afbf121d8993
50f98d16-218a-4d78-8f37-41a0a3e85347
Winsock2\CatalogChangeListener-358-0
RPC Endpoints
Interface UUID
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}
Role Dependency
Dependency
None
Distributed File System
Services
Name
DFS Namespace (dfs)
DFS Replication (DFSR)
Drivers
Name
DFS Namespace Server Filter Driver (dfsdriver)
DFS Replication ReadOnly Driver (Dfsrro)
Running Processes
Image Name (PID)
svchost.exe (768)
svchost.exe (856)
dfsrs.exe (1308)
svchost.exe (2516)
dfssvc.exe (2648)
vds.exe (2788)
Ports
Port Name
49950/UDP -- Unknown Protocol
49154/TCP -- Unknown Protocol
49327/TCP -- Unknown Protocol
49329/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-2d4-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d8-0
Winsock2\CatalogChangeListener-1d0-0
netdfs
Network Shares
Name
Namespace1
Firewall Rules
Name
DFS Replication (RPC-EPMAP)
DFS Replication (RPC-In)
File and Printer Sharing (Echo Request - ICMPv4-In)
Groups
Account Name
NT SERVICE\DFSR
NT SERVICE\swprv
NT SERVICE\vds
NT SERVICE\VSS
NT SERVICE\dfs
Role Dependency
Dependency
None
Files Server Resource Manager
Services
Name
File Server Storage Reports Manager (srmreports)
File Server Resource Manager (srmsvc)
Drivers
Name
Datascrn (Datascrn)
quota (quota)
Running Processes
Image Name (PID)
svchost.exe (772)
svchost.exe (916)
mscorsvw.exe (1244)
svchost.exe (2364)
mscorsvw.exe (2520)
Ports
Port Name
60910/UDP -- Unknown Protocol
60912/UDP -- Unknown Protocol
49154/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol
49187/TCP -- Dynamic RPC Port
49254/TCP -- Unknown Protocol
49255/TCP -- Unknown Protocol
49256/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol
49187/TCP -- Dynamic RPC Port
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-304-0
wbhstipm68c6ea22-7780-47c0-8fde-d039b0cac061
wbhstipmbdcd33eb-c126-4bf9-8afc-41444615f8e1
wbhstipm33867462-e41e-422b-a8c9-336338fad973
wbhstipmdc24916c-dc58-4201-84bf-ed763e8631cc
57827edf-f325-496a-bd73-caee734173a7
3fbfd425-9e62-47f4-bffa-4a6be4e6b57a
Winsock2\CatalogChangeListener-1d0-0
Winsock2\CatalogChangeListener-394-0
RPC Endpoints
Interface UUID
{c9ac6db5-82b7-4e55-ae8a-e464ed7b4277}
Firewall Rules
Name
Remote File Server Resource Manager Management - FSRM Reports Service (RPC-In)
Remote File Server Resource Manager Management - FSRM Service (RPC-In)
Remote File Server Resource Manager Management - Remote Registry (RPC-In)
Remote File Server Resource Manager Management - RpcSs (RPC-EPMAP)
Remote File Server Resource Manager Management - Task Scheduler (RPC-In)
Remote File Server Resource Manager Management - Windows Management Instrumentation (Async-In)
Groups
Account Name
NT SERVICE\srmsvc
Role Dependency
Dependency
None
Services for Network File Systems
Services
Name
Client for NFS (NfsClnt)
Server for NFS (NfsService)
Drivers
Name
Server for NFS Filesystem Filter (msnfsflt)
Client for NFS Redirector (NfsRdr)
Server for NFS Driver (NfsServer)
Server for NFS Open RPC (ONCRPC) Portmapper (Portmap)
Server for NFS Open RPC (ONCRPC) (RpcXdr)
Running Processes
Image Name (PID)
svchost.exe (776)
svchost.exe (856)
nfssvc.exe (2224)
nfsclnt.exe (2640)
svchost.exe (2768)
Ports
Port Name
123/UDP -- NTP
123/UDP -- NTP
49155/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol
RPC Endpoints
Interface UUID
{c9ac6db5-82b7-4e55-ae8a-e464ed7b4277}
Firewall Rules
Name
Client for NFS (TCP-Out)
Client for NFS (UDP-Out)
Portmap for UNIX-based Software (TCP-In)
Portmap for UNIX-based Software (UDP-In)
Server for NFS - Mount (TCP-In)
Server for NFS - Mount (UDP-In)
Server for NFS - NLM (TCP-In)
Server for NFS - NLM (UDP-In)
Server for NFS - NSM (TCP-In)
Server for NFS - NSM (UDP-In)
Server for NFS (NFS-TCP-In)
Server for NFS (NFS-TCP-Out)
Server for NFS (NFS-UDP-In)
Server for NFS (NFS-UDP-Out)
Groups
Account Name
NT SERVICE\NfsService
NT SERVICE\swprv
NT SERVICE\NfsClnt
Role Dependency
Dependency
None
Windows Search Service
Services
Name
Windows Search (WSearch)
Running Processes
Image Name (PID)
SearchIndexer.exe (604)
svchost.exe (920)
mscorsvw.exe (1860)
mscorsvw.exe (1880)
SearchFilterHost.exe (2256)
SearchProtocolHost.exe (2556)
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-304-0
wbhstipm0b77fb69-87f4-467d-9813-663743fbe274
wbhstipmc768a67e-0c53-43b6-94b2-8bb9e78cf6c4
wbhstipm921da58c-6c38-4e0d-b962-1000415696fe
wbhstipm3f2e54f2-4fb7-4b2e-9113-61763070cbbf
e00704b5-3db8-48fd-ab41-3983cacd9627
521bad4e-a755-4300-a378-dd2bb46a6c1a
Winsock2\CatalogChangeListener-1d0-0
Winsock2\CatalogChangeListener-398-0
MsFteWds
RPC Endpoints
Interface UUID
{c9ac6db5-82b7-4e55-ae8a-e464ed7b4277}
Groups
Account Name
NT SERVICE\WSearch
Role Dependency
Dependency
None
Windows Server 2003 File Services
Services
Name
Indexing Service (CISVC)
Running Processes
Image Name (PID)
svchost.exe (768)
svchost.exe (856)
CISVC.EXE (1624)
svchost.exe (2768)
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-2d4-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d8-0
Winsock2\CatalogChangeListener-1d0-0
ci_skads
Groups
Account Name
NT SERVICE\swprv
Role Dependency
Dependency
None
BranchCache for Network Files
Running Processes
Image Name (PID)
svchost.exe (768)
Ports
Port Name
49154/TCP -- Unknown Protocol
Named Pipes
Pipe Name
50f98d16-218a-4d78-8f37-41a0a3e85347
d71d14b0-662d-421a-b3e6-afbf121d8993
wbhstipm0648f693-1683-4afb-9e3e-b8d510298323
wbhstipm22e83c71-4158-4145-9909-8e2af4246f60
wbhstipm54520408-b42e-4969-9446-8826239d3748
wbhstipm9de0438a-d22b-4014-b757-b2b0539bdef2
Winsock2\CatalogChangeListener-1d8-0
Winsock2\CatalogChangeListener-2d4-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-358-0
RPC Endpoints
UUID
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}
Role Dependency
Dependency
None
Command Line Account
C:\Windows\system32\svchost.exe -k netsvcs
State Process
Listen svchost.exe (PID 768)
0 0
0 0
0 0
0 0
0 0
1 0
1 0
0 0
Endpoint Binding(s)
ncalrpc:[WMsgKRpc08AAF1]
ncalrpc:[WMsgKRpc08AAF1]
Description
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\SYSTEM Auto
Startup Mode
System
Boot
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\DFSRs.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\dfssvc.exe
C:\Windows\System32\vds.exe
State Process
Unknown dfsrs.exe (PID 1308)
Listen svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Listen svchost.exe (PID 768)
0 0
1 0
0 0
0 0
Path ACL
C:\DfsRoots\Namespace1 Account Type
Everyone AccessAllowed
Direction Protocol
In TCP
In TCP
In TCP
Out TCP
In TCP
Out TCP
In UDP
Out UDP
In UDP
Out UDP
In UDP
Out UDP
In TCP
Out TCP
In TCP
Out TCP
In TCP
In TCP
SID Privileges
S-1-5-80-1267473060-1890374259-1137250836-544356534-2546457154
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-2196396108-1448510645-203779624-3888580976-3789157697
S-1-5-80-3195062495-2862850656-3724129271-1847284719-4038691091
S-1-5-80-3588172797-86763527-1375198215-2167056557-2705436887
Description
Startup Mode
Boot
Boot
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
FsrmFileScreenTemplateManager Class
Microsoft.Storage.SimpleContentCls.CSimpleContentCls C:\Windows\System32\mscoree.dll
State Process
Unknown svchost.exe (PID 968)
Unknown lsass.exe (PID 472)
Listen lsass.exe (PID 472)
Listen svchost.exe (PID 772)
Listen services.exe (PID 464)
Established svchost.exe (PID 772)
Established svchost.exe (PID 772)
Established svchost.exe (PID 772)
Listen lsass.exe (PID 472)
Listen svchost.exe (PID 772)
Listen services.exe (PID 464)
1 0
1 0
0 0
0 0
0 0
0 0
1 0
1 0
1 0
1 0
Endpoint Binding(s)
ncalrpc:[LRPC-a023c0a9ee07180d6d]
Direction Protocol
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
SID Privileges
S-1-5-80-2020974448-4107748278-3972193768-963817739-397362718
Description
Startup Mode
Demand
Demand
Demand
Demand
Demand
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nfssvc.exe
C:\Windows\system32\nfsclnt.exe
C:\Windows\System32\svchost.exe -k swprv
AppID
{05E780B1-35BB-4450-AB46-34F25B63EA79}
State Process
Unknown svchost.exe (PID 856)
Unknown svchost.exe (PID 856)
Listen svchost.exe (PID 776)
Listen svchost.exe (PID 776)
Endpoint Binding(s)
ncalrpc:[LRPC-64fa2584b178848bc1]
Direction Protocol
Out TCP
Out UDP
In TCP
In UDP
In TCP
In UDP
In TCP
In UDP
In TCP
In UDP
In TCP
Out TCP
In UDP
Out UDP
SID Privileges
S-1-5-80-1071656157-3689046577-4105049408-574495319-1522408424
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
S-1-5-80-2188150755-1016705677-731116528-1274462162-1514473938
Description
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528 NT AUTHORITY\SYSTEM
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
AppID
Handler Path
1 0
1 0
0 0
0 0
0 0
0 0
1 0
1 0
1 0
1 0
0 0
Endpoint Binding(s)
ncalrpc:[LRPC-07603a9b2c0ee641a6]
SID Privileges
S-1-5-80-117416528-2204451360-1913602512-1355018040-1234992034
Description
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\CISVC.EXE
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\ixsso.dll true/true
C:\Windows\system32\ixsso.dll true/true
State Process
Listen svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Established svchost.exe (PID 768)
Listen svchost.exe (PID 768)
0 0
1 0
0 0
0 0
SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
Description
Command Line Account
C:\Windows\system32\svchost.exe -k netsvcs
State Process
Listen svchost.exe (PID 768)
1 0
0 0
0 0
0 0
0 0
0 0
0 0
1 0
0 0
Endpoint Binding(s)
ncalrpc:[WMsgKRpc08AAF1]
ncalrpc:[WMsgKRpc08AAF1]
Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\Authenticated Users AccessAllowed
BUILTIN\Administrators AccessAllowed
*: *: 1
*: *: 1
*: *: 1
*:5355 LocalSubnet:* 1
*:* LocalSubnet:5355 1
*:138 *:* 1
*:* *:138 1
*:137 *:* 1
*:* *:137 1
*:139 *:* 1
*:* *:139 1
*:445 *:* 1
*:* *:445 1
*:RPC *:* 1
*:RPC-EPMap *:* 1
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
*:RPC *:* 0
*:RPC *:* 0
*:RPC-EPMap *:* 0
*:RPC *:* 0
*:* *:* 0
*:* *:* 0
*:445 *:* 0
Process Flags
(Linker Version: 9.0.-1) (ASLR)
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\Authenticated Users AccessAllowed
BUILTIN\Administrators AccessAllowed
BUILTIN\Guests AccessAllowed
Process Flags
(Linker Version: 9.0.-1) (ASLR)
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessDenied
Everyone AccessAllowed
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Print and Document Services
Running Processes
Image Name (PID)
svchost.exe (256)
File Registrations
File Extension
.printerExport
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-300-0
wbhstipm960eee7a-4c95-4d9b-a999-231c4b9e1091
wbhstipm927e89ca-69c4-4760-8658-9c22f815e502
wbhstipma58478d8-c9f2-478a-846f-0f26ac2fa067
wbhstipmc05afb30-36be-459e-b146-4d7340f260e2
fd1a4754-6978-4e22-aabe-899fc12bfb79
37a722f7-3ba9-417b-8aeb-67e324dbb54e
spoolss
Winsock2\CatalogChangeListener-294-0
RPC Endpoints
Interface UUID
{76f03f96-cdfd-44fc-a22c-64950a001209}
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}
Groups
Account Name
NT SERVICE\swprv
Role Dependency
Dependency
None
LPD Service
Services
Name
LPD Service (LPDSVC)
Running Processes
Image Name (PID)
svchost.exe (768)
svchost.exe (816)
svchost.exe (860)
svchost.exe (3048)
Ports
Port Name
123/UDP -- NTP
65276/UDP -- Unknown Protocol
123/UDP -- NTP
515/TCP -- Unknown Protocol
515/TCP -- Unknown Protocol
49154/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d0-0
Winsock2\CatalogChangeListener-35c-0
Winsock2\CatalogChangeListener-294-0
Firewall Rules
Name
LPD Service
LPD Service
LPD Service
Groups
Account Name
NT SERVICE\LPDSVC
Role Dependency
Dependency
None
Internet Printing
Running Processes
Image Name (PID)
svchost.exe (772)
svchost.exe (824)
Ports
Port Name
123/UDP -- NTP
123/UDP -- NTP
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-1d8-0
Winsock2\CatalogChangeListener-248-0
Role Dependencies
Dependency
Print and Document Services
Web Server (IIS)
Management Tools
Distributed Scan Server
Services
Name
Distributed Scan Server service (ScanServer)
File Server Storage Reports Manager (SrmReports)
Running Processes
Image Name (PID)
svchost.exe (772)
svchost.exe (896)
svchost.exe (1312)
svchost.exe (2736)
svchost.exe (2940)
Port
Port Name
49155/TCP -- Unknown Protocol
49167/TCP -- Unknown Protocol
49178/TCP -- Dynamic RPC Port
49155/TCP -- Unknown Protocol
49167/TCP -- Unknown Protocol
49178/TCP -- Dynamic RPC Port
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-304-0
Winsock2\CatalogChangeListener-340-0
RpcProxy\49158
Winsock2\CatalogChangeListener-1d0-0
Winsock2\CatalogChangeListener-380-0
Firewall Rules
Name
Distributed scan client components (Proxy-Out)
Distributed scan client components (WSD Discovery-Out)
Distributed Scan Server (Service-In)
Distributed Scan Server (Service-Out)
Distributed Scan Server (WSD Events-Out)
Distributed Scan Server (WSD EventsSecure-Out)
Distributed Scan Server (WSD-In)
Distributed Scan Server (WSD-Out)
Remote File Server Resource Manager Management - FSRM Reports Service (RPC-In)
Remote File Server Resource Manager Management - FSRM Service (RPC-In)
Remote File Server Resource Manager Management - Remote Registry (RPC-In)
Remote File Server Resource Manager Management - RpcSs (RPC-EPMAP)
Remote File Server Resource Manager Management - Task Scheduler (RPC-In)
Remote File Server Resource Manager Management - Windows Management Instrumentation (Async-In)
Groups
Account Name
Scan Operators
NT SERVICE\SrmSvc
NT SERVICE\WerSvc
NT SERVICE\ScanServer
Group Membership
Account Name
Administrator
Account Privileges
Account
Administrator
Role Dependency
Dependency
None
Command Line Account
C:\Windows\System32\svchost.exe -k swprv
AppID
{5C797117-3B23-4549-A6D8-475AB3B62228}
0 0
0 0
0 0
0 0
1 0
1 0
0 0
1 0
Endpoint Binding(s)
ncalrpc:[spoolss]
ncalrpc:[WMsgKRpc08A761]
ncalrpc:[WMsgKRpc08A761]
SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
Description
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k LPDService
State Process
Unknown svchost.exe (PID 816)
Unknown svchost.exe (PID 768)
Unknown svchost.exe (PID 816)
Listen svchost.exe (PID 3048)
Listen svchost.exe (PID 3048)
Listen svchost.exe (PID 768)
Direction Protocol
In TCP
In TCP
In TCP
SID Privileges
S-1-5-80-2197102725-3023581156-3238865096-876576887-3563286729
Description
C:\Windows\system32\svchost.exe -k LocalService
State Process
Unknown svchost.exe (PID 824)
Unknown svchost.exe (PID 824)
Description
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\LOCAL SERVICE Demand
Startup Mode
Boot
Demand
Boot
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost -k srmsvcs
C:\Windows\System32\svchost.exe -k WSDScanServer
C:\Windows\System32\svchost.exe -k WerSvcGroup
FsrmFileScreenTemplateManager Class
Microsoft.Storage.SimpleContentCls.CSimpleContentCls C:\Windows\System32\mscoree.dll
AppID
State Process
Listen svchost.exe (PID 772)
Listen spoolsv.exe (PID 832)
Listen services.exe (PID 464)
Listen svchost.exe (PID 772)
Listen spoolsv.exe (PID 832)
Listen services.exe (PID 464)
1 0
1 0
1 0
0 0
1 0
1 0
Direction Protocol
Out TCP
Out TCP
In TCP
Out TCP
Out TCP
Out TCP
In UDP
Out UDP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1000
S-1-5-80-2020974448-4107748278-3972193768-963817739-397362718
S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380
S-1-5-80-4243933974-429541294-4176721089-968464741-3826418161
Privileges
SeServiceLogonRight
Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Description
Printer Migration File
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
BUILTIN\Users AccessAllowed
\Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
\CREATOR OWNER AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
Account
DACL
Process Flags
(Linker Version: 9.0.-1) (ASLR)
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
*:5362 *:* 1
*:5362 *:* 1
*:* *:5357 1
*:* *:5358 1
*:3702 *:* 1
*:* *:3702 1
*:RPC *:* 0
*:RPC *:* 0
*:RPC *:* 0
*:RPC-EPMap *:* 0
*:RPC *:* 0
*:* *:* 0
*:* *:* 0
*:445 *:* 0
Certification Authority
Services
Name
Active Directory Certificate Services (CertSvc)
Running Processes
Image Name (PID)
lsass.exe (472)
certsrv.exe (844)
MachineLaunchRestriction
Ports
Port Name
49160/TCP -- Unknown Protocol
49160/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-284-0
Winsock2\CatalogChangeListener-170-0
Winsock2\CatalogChangeListener-300-0
Winsock2\CatalogChangeListener-1d8-0
Winsock2\CatalogChangeListener-1d0-0
Winsock2\CatalogChangeListener-358-0
cert
Winsock2\CatalogChangeListener-34c-0
RPC Endpoints
Interface UUID
{91ae6020-9e3c-11cf-8d7c-00aa00c091be}
{b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86}
Firewall Rules
Name
Certification Authority Enrollment and Management Protocol (CERTSVC-DCOM-IN)
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-EPMAP-IN)
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-NP-IN)
Certification Authority Enrollment and Management Protocol (CERTSVC-RPC-TCP-IN)
Certification Authority Enrollment and Management Protocol (CERTSVC-TCP-OUT)
Groups
Account Name
NT SERVICE\CertSvc
Group Membership
Account Name
NT AUTHORITY\Authenticated Users
Role Dependency
Dependency
None
Certification Authority Web Enrollment
Running Processes
Name (PID)
svchost.exe (2096)
Network Shares
Name
CertEnroll
Groups
Account Name
NT SERVICE\WerSvc
Role Dependency
Dependency
Web Server (IIS)
Management Tools
Online Responder
Services
Name
Online Responder Service (OCSPSvc)
Firewall Rules
Name
Online Responder Service (DCOM-In)
Online Responder Service (RPC-In)
Online Responder Service (TCP-Out)
Groups
Account Name
NT SERVICE\OCSPSvc
Role Dependency
Dependency
Web Server (IIS)
Management Tools
Network Device Enrollment Service
Role Dependency
Dependency
Web Server (IIS)
Management Tools
Certificate Enrollment Web Service
Role Dependency
Dependency
None
Certificate Enrollment Policy Web Service
Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
AppID
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
{D99E6E74-FC88-11D0-B498-00A0C90312F3}
Setting
BUILTIN\Certificate Service DCOM Access AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
State Process
Listen certsrv.exe (PID 844)
Listen certsrv.exe (PID 844)
0 0
1 0
0 0
1 0
Endpoint Binding(s)
ncalrpc:[OLE4E341FD16C2C43D392EA98A0B668]
ncacn_np:[\\pipe\\lsass]
Direction Protocol
In TCP
In TCP
In TCP
In TCP
Out TCP
SID Privileges
S-1-5-80-3422467805-2927146326-436472433-507205459-1353412743
Path ACL
C:\Windows\system32\CertSrv\CertEnroll Everyone AccessAllowed
BUILTIN\Administrators AccessAllowed
SID Privileges
S-1-5-80-3299868208-4286319593-1091140620-3583751967-1732444380
Description
This role service is a Web service that runs in IIS and, as
such, requires the installation of the Web Server (IIS)
role service and the following components:
Common HTTP Features
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
● Static Content
Application Development
● ASP
● ISAPI Extensions
● .NET Extensibility
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
● Windows Authentication
Performance
● Static Content Compression
AppID
{2340FEF5-2F96-48E2-9155-55A0163BD3E5}
{2340FEF5-2F96-48E2-9155-55A0163BD3E5}
Direction Protocol
In TCP
In TCP
Out TCP
SID Privileges
S-1-5-80-3804348527-3718992918-2141599610-3686422417-2726379419
Description
This role service is a Web service that runs in IIS and, as
such, requires the installation of the Web Server (IIS)
role service and the following components:
Common HTTP Features
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
● Static Content
Application Development
● ASP
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
Performance
● Static Content Compression
Description
This role service is a Web service that runs in IIS and, as
such, requires the installation of the Web Server (IIS)
role service and the following components:
Common HTTP Features
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
● Static Content
Application Development
● .NET Extensibility
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
● Windows Authentication
Performance
● Static Content Compression
Description
Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\CertSvc AccessAllowed
\OWNER RIGHTS AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
*:RPC-EPMap *:* 1
*:445 *:* 1
*:RPC *:* 1
*:* *:* 1
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Process Flags
(Linker Version: 9.0.-1) (ASLR)
(Linker Version: 9.0.-1) (ASLR)
Running Processes
Image Name (PID)
svchost.exe (1408)
mscorsvw.exe (1448)
iashost.exe (1592)
mscorsvw.exe (2476)
{346CA505-1521-467E-AE86-375463D3B4E2}
{56188327-7B25-4430-B247-FC96421A1720}
{6D2010D2-3BAD-4E00-B40B-F4BB8795BD09}
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-300-0
wbhstipm960eee7a-4c95-4d9b-a999-231c4b9e1091
wbhstipm927e89ca-69c4-4760-8658-9c22f815e502
wbhstipma58478d8-c9f2-478a-846f-0f26ac2fa067
wbhstipmc05afb30-36be-459e-b146-4d7340f260e2
fd1a4754-6978-4e22-aabe-899fc12bfb79
37a722f7-3ba9-417b-8aeb-67e324dbb54e
RPC Endpoints
Interface UUID
{7d814569-35b3-4850-bb32-83035fcebf6e}
{76f226c3-ec14-4325-8a99-6a46348418af}
{12e65dd8-887f-41ef-91bf-8d816c42c2e7}
Firewall Rules
Name
Network Policy Server (DCOM-In)
Network Policy Server (Legacy RADIUS Accounting - UDP-In)
Network Policy Server (Legacy RADIUS Authentication - UDP-In)
Network Policy Server (RADIUS Accounting - UDP-In)
Groups
Account Name
NT SERVICE\swprv
Role Dependencies
Dependency
None
Role Dependency
Dependency
None
Routing and Remote Access
Remote Access
Routing
Host Credential Authorization Protocol
Groups
Account Name
IIS APPPOOL\HCAPPool
Role Dependencies
Dependency
Network Policy and Access Server
Web Server (IIS)
Management Tools
Health Registration Authority
No changes reported by the Attack Surface Analyzer
beyond those made by the dependent features and
services.
Role Dependencies
Dependency
Network Policy and Access Server
Management Tools
Note Although not required to be installed locally, the
HRA role service requires access to a certification
authority (CA). For more information about CAs, see
Chapter 9, "Hardening Active Directory Certificate
Services."
Account Startup Mode
NT AUTHORITY\SYSTEM DelayedAuto
C:\Windows\system32\iashost.exe {48DA6741-1BF0-4A44-8325-293086C79077} -Embedding
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -UseCLSID {50E63CB8-470E-4046-9697-E19818DA3D22} -Comment "NGen Worker Process"
AppID
{7C05AAB5-5163-4971-B216-B9B8888D214C}
0 0
0 0
0 0
1 0
1 0
Endpoint Binding(s)
ncalrpc:[IUserProfile2]
ncalrpc:[WMsgKRpc08A761]
ncalrpc:[WMsgKRpc08A761]
Direction Protocol
In TCP
In UDP
In UDP
In UDP
In UDP
In TCP
SID Privileges
S-1-5-80-1614360071-3471039648-1078047007-3707138327-1664821506
Description
Description
Services
Name Account
Remote Access Quarantine Agent (rqs) NT AUTHORITY\LOCAL SERVICE
Named Pipes
Pipe Name Network Denied
Winsock2\CatalogChangeListener-284-0 0
Winsock2\CatalogChangeListener-170-0 0
Winsock2\CatalogChangeListener-300-0 0
Winsock2\CatalogChangeListener-1d0-0 0
Firewall Rules
Name Direction
DHCPv4 Relay Agent [Client] (UDP-In) In
DHCPv4 Relay Agent [Client] (UDP-Out) Out
DHCPv6 Relay Agent [Server] (UDP-In) In
DHCPv6 Relay Agent [Server] (UDP-Out) Out
Remote Access Quarantine (TCP-In) In
Routing and Remote Access Remote Management (DCOM-In) In
Routing and Remote Access Remote management (RPC-In) In
Groups
Account Name SID
NT SERVICE\rqs S-1-5-80-6924576-598676285-3528829976-1458831571-971033904
Role Dependencies
Dependency Description
Role Dependencies
Dependency Description
Routing and Remote Access: The Routing role service depends on the Routing and Remote Access role service.
Role Dependency
Dependency Description
None
SID Privileges
S-1-5-82-3258179292-727607683-3980614313-3289190592-1598744453
Description
DACL
NT AUTHORITY\NETWORK
AccessDenied
BUILTIN\Administrators
AccessAllowed
NT AUTHORITY\SYSTEM
AccessAllowed
NT AUTHORITY\NETWORK
AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK
AccessDenied
Everyone AccessAllowed
*:1645 *:* 1
*:1813 *:* 1
*:1812 *:* 1
*:RPC *:* 1
Startup Mode
Demand
Binary Path
C:\Windows\system32\rrasprxy.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
C:\Windows\System32\ipsnap.dll
Privileges
Enabled
1
1
1
1
1
0
0
Remote Desktop Session Host Role Service
Services
Offline Files (CscService)
Windows Image Acquisition (WIA) (stisvc)
Tablet PC Input Service (TabletInputService)
Themes (Themes)
WebClient (WebClient)
Windows Defender (WinDefend)
Drivers
Name
Offline Files Driver (CSC)
WebDav Client Redirector Driver (MRxDAV)
Running Processes
Image Name (PID)
svchost.exe (744)
svchost.exe (792)
svchost.exe (928)
svchost.exe (1940)
WMIADAP.exe (2176)
svchost.exe (2460)
audiodg.exe (2968)
{640167B4-59B0-47A6-B335-A6B3C0695AEA}
{7AD84985-87B4-4A16-BE58-8B72A5B390F7}
{76D0CB12-7604-4048-B83C-1005C7DDC503}
{8144B6F5-20A8-444A-B8EE-19DF0BB84BDB} (StiEventHandler Class)
{8D8B8E30-C451-421B-8553-D2976AFA648C} (Sync Center Schedule Wizard)
{91778246-9BE4-4713-A651-E833B853CC30}
{94E03510-31B9-47A0-A44E-E932AC86BB17} (Windows Media Player Device Autoplay)
{9B359D1B-AD5C-412F-A654-A431424359DE} (Offline Files Profile Notify Handler)
{A0A8C0AC-FC70-4EE2-93A8-4A2257AE8619} (TSMSIQueue Class)
{A0ADD4EC-5BD3-4F70-A47B-07797A45C635}
{A1F4E726-8CF1-11D1-BF92-0060081ED811} (WIA Device Manager)
{A2D75874-6750-4931-94C1-C99D3BC9D0C7} (Microsoft Windows Defender)
{A55803CC-4D53-404C-8557-FD63DBA95D24} (WPDShextAutoplay)
{A5B020FD-E04B-4E67-B65A-E7DEED25B2CF} (TabletManager Class)
{AEE3E4A8-EF01-4024-A0F1-809D9B096E14} (Windows Media Player Encoder Helper Class)
{B6C292BC-7C88-41EE-8B54-8EC92617E599} (WIA Device Manager 2)
{B8558612-DF5E-4F95-BB81-8E910B327FB2} (Sync Center (Private))
{BAEA8DC9-45F5-4DF8-A27F-2A277D524B15} (WIA Extension Host for 64 bit extensions)
{CDC32574-7521-4124-90C3-8D5605A34933} (Windows Media Player Burn Audio CD Handler)
{D13E3F25-1688-45A0-9743-759EB35CDF9A} (AcquisitionManager Class)
{D3667F1E-CCB8-4A69-99DF-59A2B2A6753F} (Windows SideShow Device Configuration Helper)
{D63AA156-D534-4BAC-9BF1-55359CF5EC30} (Sync Center User Profile Notification Handler)
{ED1D0FDF-4414-470A-A56D-CFB68623FC58} (Play with Windows Media Player)
{F056D291-A2AB-45F7-8EE4-40454493B351} (Windows SideShow PropertyPage Host)
{FD3659E9-A920-4123-AD64-7FC76C7AACDF} (Offline Files Setting Object)
MachineLaunchRestriction
File Registrations
File Extension
.3g2
.3gp
.3gp2
.3gpp
.AAC
.ADT
.ADTS
.aif
.aifc
.aiff
.asf
.asx
.au
.avi
.cda
.DVR-MS
.img
.iso
.m1v
.M2T
.M2TS
.M2V
.m3u
.m4a
.m4b
.m4p
.m4v
.mid
.midi
.MOD
.mov
.mp2
.mp2v
.mp3
.mp4
.mp4v
.mpa
.mpe
.mpeg
.mpg
.mpv2
.MTS
.rmi
.snd
.TS
.TSPUB
.TTS
.vob
.wav
.wax
.wm
.wma
.WMD
.wmdb
.WMS
.wmv
.wmx
.wmz
.wpl
.WTV
.wvx
WMP11.AssocProtocol.MMS
Internet Explorer Silent Elevation Entries
CLSID
{6BF52A52-394A-11D3-B153-00C04F79FAA6}
{A5B020FD-E04B-4E67-B65A-E7DEED25B2CF}
Ports
Port Name
3389/TCP -- RDP
49153/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol
49202/TCP -- Unknown Protocol
49203/TCP -- Unknown Protocol
3389/TCP -- RDP
49153/TCP -- Unknown Protocol
49155/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-298-0
Winsock2\CatalogChangeListener-180-0
Winsock2\CatalogChangeListener-2e8-0
Winsock2\CatalogChangeListener-1e8-0
Winsock2\CatalogChangeListener-318-0
trkwks
wbhstipm69c368c0-86ee-4441-bcf8-52de4f2c170a
wbhstipmfba5cfbc-fde3-4c70-a2d7-3c3836af777a
wbhstipm22c15bfb-1856-4d6f-a0af-b0d8e045d5e5
wbhstipmbddc68be-a2b8-4196-92ae-fd7ba6d9dd24
3554a639-2998-4fe3-a6f2-fe674e09c5a1
b93e4e00-e706-49da-aa5a-3e2d2e9bcaeb
Winsock2\CatalogChangeListener-1e0-0
Winsock2\CatalogChangeListener-3a0-0
TermSrv_API_service
Ctx_WinStation_API_service
RPC Endpoints
Interface UUID
{c9ac6db5-82b7-4e55-ae8a-e464ed7b4277}
{30b044a5-a225-43f0-b3a4-e060df91f9c1}
Firewall Rules
Name
Remote Desktop - RemoteFX (TCP-In)
Remote Desktop (TCP-In)
Terminal Services - WMI (DCOM-In)
Terminal Services - WMI (TCP-In)
Terminal Services - WMI (WMI-Out)
Terminal Services (NP-In)
Terminal Services (RPC)
Terminal Services (RPC-EPMAP)
Windows Media Player (TCP-Out)
Windows Media Player (UDP-In)
Windows Media Player (UDP-Out)
Windows Media Player x86 (TCP-Out)
Windows Media Player x86 (UDP-In)
Windows Media Player x86 (UDP-Out)
Groups
Account Name
TS Web Access Computers
NT SERVICE\WinDefend
NT SERVICE\CscService
Role Dependency
Dependency
None
Remote Desktop Licensing Role Service
Services
Name
Remote Desktop Licensing (TermServLicensing)
Running Processes
Image Name (PID)
svchost.exe (1752)
Ports
Port Name
60256/UDP -- Unknown Protocol
49261/TCP -- Unknown Protocol
49261/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-298-0
Winsock2\CatalogChangeListener-180-0
Winsock2\CatalogChangeListener-318-0
Winsock2\CatalogChangeListener-1e0-0
HydraLsPipe
Winsock2\CatalogChangeListener-6d8-0
TermServLicensing
RPC Endpoints
Interface UUID
{3d267954-eeb7-11d1-b94e-00c04fa3080d}
{12d4b7c8-77d5-11d1-8c24-00c04fa3080d}
Firewall Rules
Name
Remote Desktop Licensing Server - WMI (DCOM-In)
Groups
Account Name
Terminal Server Computers
NT SERVICE\TermServLicensing
Role Dependency
Dependency
None
Remote Desktop Connection Broker Role Service
Services
Name
RemoteApp and Desktop Connection Management (TSCPubRPC)
Remote Desktop Connection Broker (tssdis)
Running Processes
Image Name (PID)
svchost.exe (928)
unsecapp.exe (2404)
svchost.exe (2500)
tssdis.exe (2728)
Ports
Port Name
5504/TCP -- Unknown Protocol
49292/TCP -- Dynamic RPC Port
5504/TCP -- Unknown Protocol
49292/TCP -- Dynamic RPC Port
49293/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-6d8-0
Winsock2\CatalogChangeListener-aa8-0
Winsock2\CatalogChangeListener-9c4-0
RPC Endpoints
Interface UUID
{ed96b012-c8ce-4f60-a682-35535b12ff75}
{aa177641-fc9b-41bd-80ff-f964a701596f}
{32e36e84-4ba2-496c-ba85-fb450f325107}
Firewall Rules
Name
Connection Broker Service - WMI (DCOM-In)
Connection Broker Service - WMI (TCP-In)
Connection Broker Service - WMI (WMI-Out)
Connection Broker Service (NP-In)
Connection Broker Service (RPC)
Connection Broker Service (RPC-EPMAP)
Remote Desktop Connection Manager - WMI (Async-IN)
Groups
Account Name
Session Broker Computers
NT SERVICE\tssdis
NT SERVICE\TSCPubRPC
Role Dependency
Dependency
None
Remote Desktop Gateway Role Service
Services
Name
RPC/HTTP Load Balancing Service (RPCHTTPLBS)
Remote Desktop Gateway (TSGateway)
Running Processes
Image Name (PID)
svchost.exe (940)
svchost.exe (2356)
mscorsvw.exe (2644)
{75D15B16-228C-499F-A0FC-E4899AC870CE}
Ports
Port Name
61591/UDP -- Unknown Protocol
3388/TCP -- Unknown Protocol
49339/TCP -- Dynamic RPC Port
49341/TCP -- Unknown Protocol
49342/TCP -- Unknown Protocol
593/TCP -- RPC over HTTP
3388/TCP -- Unknown Protocol
49339/TCP -- Dynamic RPC Port
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-298-0
Winsock2\CatalogChangeListener-934-0
RpcProxy\3388
Winsock2\CatalogChangeListener-3ac-0
RpcProxy\593
RPC Endpoints
Interface UUID
{44e265dd-7daf-42cd-8560-3cdb6e7a2729}
{958f92d8-da20-467a-bbe3-65e7e9b4edcf}
{3357951c-a1d1-47db-a278-ab945d063d03}
Firewall Rules
Name
Remote Desktop Gateway Server Farm (RPC HTTP Load Balancing Service)
Remote Desktop Gateway Server Farm (RPC-EPMAP)
NT SERVICE\TSGateway
Role Dependencies
Dependency
Network Policy and Access Server
Remote Desktop Web Access Role Service
Registered COM Controls
CLSID
{5BD701FB-C77D-44DB-AFDE-C614340C3209}
Groups
Account Name
TS Web Access Administrators
Role Dependencies
Dependency
Web Server (IIS)
Management Tools
Remote Desktop Virtualization Host Role Service
Services
Name
RemoteFX Session Licensing (LSClientService)
RemoteFX Session Manager (rdvgsm)
Remote Desktop Virtualization Host Agent (VmHostAgent)
Drivers
Name
synth3dvsp (synth3dvsp)
Running Processes
Image Name (PID)
svchost.exe (1128)
WmiApSrv.exe (1788)
ismserv.exe (1944)
svchost.exe (2704)
svchost.exe (2724)
{BF4E6753-33E1-49F2-B481-053F39DC4799}
Ports
Port Name
58923/UDP -- Unknown Protocol
49160/TCP -- Unknown Protocol
49161/TCP -- Unknown Protocol
49202/TCP -- Unknown Protocol
49202/TCP -- Unknown Protocol
58926/UDP -- Unknown Protocol
49246/TCP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-3e4-0
Winsock2\CatalogChangeListener-248-0
Winsock2\CatalogChangeListener-164-0
Winsock2\CatalogChangeListener-2b0-0
Winsock2\CatalogChangeListener-2b0-1
Winsock2\CatalogChangeListener-158-0
Winsock2\CatalogChangeListener-728-0
Winsock2\CatalogChangeListener-2a8-0
Winsock2\CatalogChangeListener-6ec-0
Winsock2\CatalogChangeListener-aa4-0
UNIFIED_API_service
Winsock2\CatalogChangeListener-468-0
RPC Endpoints
Interface UUID
{1a71d6b4-89ff-40cb-ae84-0244ab866151}
{e0c98683-720d-4139-b106-a4b13a290d6f}
Firewall Rules
Name
Remote Desktop Virtualization Host Agent - WMI (DCOM-In)
Remote Desktop Virtualization Host Agent - WMI (TCP-Async)
Remote Desktop Virtualization Host Agent - WMI (TCP-In)
Remote Desktop Virtualization Host Agent - WMI (TCP-Out)
Remote Desktop Virtualization Host Agent (RPC)
Remote Desktop Virtualization Host Agent (RPC-EPMAP)
Groups
Account Name
NT SERVICE\IsmServ
NT SERVICE\wmiApSrv
NT SERVICE\LSClientService
NT SERVICE\rdvgsm
NT SERVICE\VmHostAgent
Role Dependency
Dependency
Hyper-V
NT AUTHORITY\SYSTEM Disabled
NT AUTHORITY\LOCAL SERVICE Demand
NT AUTHORITY\SYSTEM Demand
NT AUTHORITY\SYSTEM Disabled
NT AUTHORITY\LOCAL SERVICE Demand
NT AUTHORITY\SYSTEM DelayedAuto
Startup Mode
Disabled
Demand
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
wmiadap.exe /F /T /R
C:\Windows\System32\svchost.exe -k termsvcs
PhotoAcqHWEventHandler
PSFactoryBuffer C:\Program Files\Windows Photo Viewer\PhotoAcq.dll
CFrameRateConvertDmo C:\Windows\SysWOW64\mfvdsp.dll
Windows Media Player Rich Preview Handler
MFSourceFilter C:\Windows\SysWOW64\mfds.dll
Audio Mixer C:\Windows\SysWOW64\qedit.dll
Microsoft InkPicture Control C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
PSFactoryBuffer C:\Windows\SysWOW64\wmcodecdspps.dll
WMPlayer ContentPropPage Class C:\Windows\SysWOW64\wmp.dll
ActiveMovieControl Object C:\Windows\SysWOW64\wmpdxm.dll
WMDM CE Device Service Provider C:\Windows\SysWOW64\cewmdm.dll
Logagent Class
PropVariantCollection Class C:\Windows\SysWOW64\PortableDeviceTypes.dll
PSFactoryBuffer C:\Windows\SysWOW64\wmpencen.dll
PortableDeviceManager Class C:\Windows\SysWOW64\PortableDeviceApi.dll
WpdSerializer Class C:\Windows\SysWOW64\PortableDeviceTypes.dll
C:\Windows\SysWOW64\DXPTaskRingtone.dll
CClusterDetectorEx C:\Windows\SysWOW64\wmvdspa.dll
C:\Windows\System32\cscui.dll
File Scheme Handler C:\Windows\SysWOW64\mf.dll
Offline Files Cache Control C:\Windows\SysWOW64\cscobj.dll
MFReadWrite Class Factory C:\Windows\SysWOW64\mfreadwrite.dll
SmartRenderEngine Class C:\Windows\SysWOW64\qedit.dll
CTocParser C:\Windows\SysWOW64\wmvdspa.dll
CLSID_DatabaseSession C:\Program Files\Common Files\System\directdb.dll
PSFactoryBuffer C:\Windows\SysWOW64\portabledevicewmdrm.dll
CToc C:\Windows\SysWOW64\wmvdspa.dll
MediaDevMgrClassFactory Class C:\Windows\SysWOW64\mswmdm.dll
C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
CTocCollection C:\Windows\SysWOW64\wmvdspa.dll
PSFactoryBuffer C:\Windows\SysWOW64\wpdwcn.dll
DxtAlphaSetter Class C:\Windows\SysWOW64\qedit.dll
WMAPro over S/PDIF DMO C:\Windows\SysWOW64\WMADMOD.DLL
DrawAttrs Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Windows Media Player WMEncoder Class C:\Windows\SysWOW64\wmpencen.dll
Windows Media Player Plug-in Registrar C:\Windows\SysWOW64\wmp.dll
CThumbnailGeneratorDmo C:\Windows\SysWOW64\wmvdspa.dll
Windows Media SDK HTTP Source Plugin C:\Windows\SysWOW64\WMNetMgr.dll
Mpeg4s Decoder MFT C:\Windows\SysWOW64\mp4sdecd.dll
Sync Center Handler Properties Extension C:\Windows\SysWOW64\SyncCenter.dll
ManipulationProcessor Class C:\Program Files\Common Files\Microsoft Shared\Ink\rtscom.dll
Line 21 Decoder Text Output C:\Windows\SysWOW64\wmpsrcwp.dll
SCPTRANS Class C:\Windows\SysWOW64\msscp.dll
WiaWow64
WIA Event Prompt Class
Old Files In Root Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
Temp Files Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
Setup Files Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
Uninstall Prop Bag C:\Windows\SysWOW64\DATACLEN.DLL
DropTarget Object for Photo Printing Wizard C:\Windows\SysWOW64\photowiz.dll
TabletButtonExtendedActions Class C:\Windows\System32\TabBtnEx.dll
EVR Graph Optimizer C:\Windows\SysWOW64\evr.dll
CLSID_OERulesManager C:\Program Files\Windows Mail\msoe.dll
Sync Manager (Legacy) C:\Windows\SysWOW64\SyncCenter.dll
Sync Center (Private)
Lattice Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
MFRemoteDesktopPlugin Class C:\Windows\SysWOW64\tsmf.dll
GestureRecognizer Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
WMPlayer FileFormatPropPage Class C:\Windows\SysWOW64\wmp.dll
WMPlayer VideoPerfPropPage Class C:\Windows\SysWOW64\wmp.dll
RenderEngine Class C:\Windows\SysWOW64\qedit.dll
MediaDet C:\Windows\SysWOW64\qedit.dll
InkOverlay Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
Audio Mixer Property C:\Windows\SysWOW64\qedit.dll
MPEG-2 Demultiplexer(NoClock) C:\Windows\SysWOW64\mpg2splt.ax
C:\Windows\System32\cscui.dll
Still Video Property Page C:\Windows\SysWOW64\qedit.dll
Offline Files Service Control
Sync Center Isolation Collection (Private)
Windows Media Player OCXGeneralPropPage Class C:\Windows\SysWOW64\wmp.dll
AltTab C:\Windows\SysWOW64\AltTab.dll
IMA ADPCM ACM Wrapper MFT C:\Windows\SysWOW64\mf.dll
WIA Device Manager
Microsoft Windows Defender C:\Program Files\Windows Defender\MsMpCom.dll
AcquisitionManager Class
WIA Default UI C:\Windows\SysWOW64\wiadefui.dll
WMVideo9 Encoder DMO C:\Windows\SysWOW64\wmvencod.dll
Windows SideShow Device Configuration Helper C:\Windows\SysWOW64\AuxiliaryDisplayCpl.dll
WIA Default Segmentation Filter C:\Windows\SysWOW64\sti.dll
Mpeg-2 Stats C:\Windows\SysWOW64\mpg2splt.ax
Windows Photo Viewer DropTarget C:\Program Files\Windows Photo Viewer\PhotoViewer.dll
Sync Center User Profile Notification Handler C:\Windows\SysWOW64\SyncCenter.dll
Portable Devices Menu C:\Windows\SysWOW64\wpdshext.dll
Windows Defender
DrawingAttributes Class C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
WPD Settings Completion Page Class C:\Windows\SysWOW64\wpdwcn.dll
PropertyKeyCollection Class C:\Windows\SysWOW64\PortableDeviceTypes.dll
Setting
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
TS Web Access Computers AccessAllowed
BUILTIN\Administrators AccessAllowed
Everyone AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
TS Web Access Computers AccessAllowed
Handler Path
C:\Program Files (x86)\Windows Media Player\wmplayer.exe "\Windows Media Player\wmplayer.exe" "%L"
State Process
Listen svchost.exe (PID 2460)
Listen svchost.exe (PID 744)
Listen svchost.exe (PID 792)
Established svchost.exe (PID 792)
Established svchost.exe (PID 792)
Listen svchost.exe (PID 2460)
Listen svchost.exe (PID 744)
Listen svchost.exe (PID 792)
1 0
1 0
1 0
1 0
0 0
0 0
0 0
0 0
0 0
1 0
1 0
1 0
1 0
0 0
0 0
Endpoint Binding(s)
ncalrpc:[LRPC-99b85fbe2a6a9aaa28], ncalrpc:[IUserProfile2]
ncalrpc:[IUserProfile2]
Direction Protocol
In TCP
In TCP
In TCP
In TCP
Out TCP
In TCP
In TCP
In TCP
Out TCP
In UDP
Out UDP
Out TCP
In UDP
Out UDP
SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1001
S-1-5-80-1913148863-3492339771-4165695881-2087618961-4109116736
S-1-5-80-1987853863-1639573247-1110726908-1137832616-3599624523
Description
State Process
Unknown svchost.exe (PID 1752)
Listen svchost.exe (PID 1752)
Listen svchost.exe (PID 1752)
1 0
0 1
Endpoint Binding(s)
ncalrpc:[LRPC-e6e2fca52cc719290f]
ncalrpc:[LRPC-e6e2fca52cc719290f]
Direction Protocol
In TCP
In TCP
Out TCP
In TCP
In TCP
In TCP
SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1002
S-1-5-80-3893474178-2562712516-324399186-2343250756-2176344804
Description
AppID
{86D4E223-66F2-48D4-9678-861E5B784B10}
Setting
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
TS Web Access Computers AccessAllowed
Session Broker Computers AccessAllowed
BUILTIN\Administrators AccessAllowed
Everyone AccessAllowed
BUILTIN\Distributed COM Users AccessAllowed
BUILTIN\Performance Log Users AccessAllowed
TS Web Access Computers AccessAllowed
Session Broker Computers AccessAllowed
State Process
Listen svchost.exe (PID 2500)
Listen tssdis.exe (PID 2728)
Listen svchost.exe (PID 2500)
Listen tssdis.exe (PID 2728)
Established tssdis.exe (PID 2728)
1 0
Endpoint Binding(s)
ncalrpc:[OLEFBD774F8CC194B9A92D00E190B57]
ncacn_ip_tcp:[49292]
ncacn_ip_tcp:[49292]
Direction Protocol
In TCP
In TCP
Out TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
Out TCP
SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1003
S-1-5-80-2717884317-2991250488-2171867740-1277779128-3897896015
S-1-5-80-3658497064-1657680080-154985190-1667809426-1666834975
Description
C:\Windows\system32\svchost.exe -k RPCHTTPLBS
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -UseCLSID {B12FB15B-B32B-44B1-9577-DBBA2BB7C5D4} -Comment "NGen Worker Process"
State Process
Unknown svchost.exe (PID 940)
Listen svchost.exe (PID 940)
Listen svchost.exe (PID 2356)
Established svchost.exe (PID 940)
Established svchost.exe (PID 940)
Listen svchost.exe (PID 664)
Listen svchost.exe (PID 940)
Listen svchost.exe (PID 2356)
Endpoint Binding(s)
ncacn_http:[3388]
ncacn_http:[3388]
ncacn_ip_tcp:[49339]
Direction Protocol
In TCP
In TCP
In TCP
SID Privileges
S-1-5-80-1519088243-3393749326-176224663-3442946200-3646204403
S-1-5-80-2138717305-60429684-972287772-2436683847-3603921665
Description
SID Privileges
S-1-5-21-3754447434-2954449996-2587011620-1004
Description
This role service is a Web service that runs in IIS and, as such, requires the installation of the Web Server (IIS) role service and the following components:
Common HTTP Features
● Static Content
● Default Document
● Directory Browsing
● HTTP Errors
● HTTP Redirection
Application Development
● .NET Extensibility
● ASP.NET
● ISAPI Filters
● ISAPI Extensions
Health and Diagnostics
● HTTP Logging
● Logging Tools
● Request Monitor
● Tracing
Security
● Request Filtering
● Windows Authentication
Performance
● Static Content Compression
Startup Mode
Demand
D:\Windows\System32\ismserv.exe
D:\Windows\System32\svchost.exe -k lsclientservice
D:\Windows\system32\svchost.exe -k NetworkServiceRemoteDesktopHyperVAgent
PSFactoryBuffer D:\Windows\system32\VdevNotifyProxy.dll
AppID
{F5D00F55-D113-40B8-B70F-06A606550942}
{F5D00F55-D113-40B8-B70F-06A606550942}
State Process
Unknown ismserv.exe (PID 1944)
Established ismserv.exe (PID 1944)
Established ismserv.exe (PID 1944)
Listen svchost.exe (PID 2724)
Listen svchost.exe (PID 2724)
Unknown vmms.exe (PID 2476)
Established vmmservice.exe (PID 3012)
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 0
1 0
0 0
1 0
Endpoint Binding(s)
ncalrpc:[OLEC77F5D44198946739346AB2CFBF1]
ncalrpc:[OLEC77F5D44198946739346AB2CFBF1]
Direction Protocol
In TCP
In TCP
In TCP
Out TCP
In TCP
In TCP
SID Privileges
S-1-5-80-933469486-2214615798-607467685-3218432706-2082869768
S-1-5-80-1851371743-411767070-3743290205-1090512353-603110601
S-1-5-80-1901509957-808481724-2853234993-1651608950-3885195042
S-1-5-80-2470543729-571550108-2229069596-1591088574-3587620433
S-1-5-80-4130899010-3337817248-2959896732-3640118089-1866760602
Description
Provides the services that you use to create and manage virtual machines and their resources.
Process Flags
(Linker Version: 9.0.-1) (ASLR)
3GPP Audio/Video
3GPP2 Audio/Video
3GPP Audio/Video
ADTS Audio
ADTS Audio
ADTS Audio
AU Format Sound
Video Clip
CD Audio Track
AVCHD Video
AVCHD Video
Movie Clip
M3U file
MPEG-4 Audio
MP4 Video
MIDI Sequence
MIDI Sequence
Movie Clip
QuickTime Movie
Movie Clip
MP4 Video
MP4 Video
Movie Clip
Movie Clip
Movie Clip
Movie Clip
Movie Clip
AVCHD Video
MIDI Sequence
AU Format Sound
MPEG-2 TS Video
MPEG-2 TS Video
Wave Sound
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\AudioEndpointBuilder AccessAllowed
NT SERVICE\CscService AccessAllowed
NT SERVICE\dot3svc AccessAllowed
NT SERVICE\hidserv AccessAllowed
NT SERVICE\IPBusEnum AccessAllowed
NT SERVICE\Netman AccessAllowed
NT SERVICE\TrkWks AccessAllowed
NT SERVICE\UmRdpService AccessAllowed
NT SERVICE\UxSms AccessAllowed
NT SERVICE\WdiSystemHost AccessAllowed
NT SERVICE\WPDBusEnum AccessAllowed
NT SERVICE\wudfsvc AccessAllowed
OWNER RIGHTS AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
Everyone AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\TermService AccessAllowed
\OWNER RIGHTS AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\TermService AccessAllowed
\OWNER RIGHTS AccessAllowed
Local Endpoint Remote Endpoint Enabled
*:3389 *:* 1
*:3389 *:* 1
*:135 *:* 1
*:RPC *:* 1
*:* *:* 1
*:445 *:* 1
*:RPC *:* 1
*:RPC-EPMap *:* 1
*:* *:* 0
*:* *:* 0
*:* *:* 0
*:* *:* 0
*:* *:* 0
*:* *:* 0
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\TermServLicensing AccessAllowed
\OWNER RIGHTS AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
*:RPC *:* 1
*:* *:* 1
*:445 *:* 1
*:RPC *:* 1
*:RPC-EPMap *:* 1
Process Flags
(Linker Version: 9.0.-1) (ASLR)
DACL Column1
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
*:5504 *:* 1
*:* *:* 1
*:135 *:* 1
*:RPC *:* 1
*:* *:* 1
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
*:RPC-EPMap *:* 0
*:3388 *:* 0
Process Flags
(Linker Version: 9.0.-1) (ASLR)
Account
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
NT SERVICE\VmHostAgent AccessAllowed
\OWNER RIGHTS AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
*:* *:* 1
*:RPC *:* 1
*:* *:* 1
*:RPC *:* 1
*:RPC-EPMap *:* 1
Hyper-V
Running Services
Name
Hyper-V Networking Management Service (nvspwmi)
Hyper-V Image Management Service (vhdsvc)
Hyper-V Virtual Machine Management (vmms)
Drivers
Name
Hypervisor/Virtual Machine Support Driver (hvboot)
PassthroughParser (passthruparser)
vhdparser (vhdparser)
VMSMP (VMSMP)
VMSP (VMSP)
Running Processes
Image Name (PID)
svchost.exe (2276)
svchost.exe (2296)
vmms.exe (2316)
Ports
Port Name
2179/TCP -- Unknown Protocol
2179/TCP -- Unknown Protocol
49158/UDP -- Unknown Protocol
Named Pipes
Pipe Name
Winsock2\CatalogChangeListener-3ec-0
Winsock2\CatalogChangeListener-24c-0
Winsock2\CatalogChangeListener-1ec-0
Winsock2\CatalogChangeListener-2b4-0
Winsock2\CatalogChangeListener-2b4-1
RpcProxy\49157
Winsock2\CatalogChangeListener-23c-0
Winsock2\CatalogChangeListener-2ac-0
Winsock2\CatalogChangeListener-6e4-0
Winsock2\CatalogChangeListener-6a8-0
Winsock2\CatalogChangeListener-464-0
Firewall Rules
Name
Hyper-V - WMI (Async-In)
Hyper-V - WMI (DCOM-In)
Hyper-V - WMI (TCP-In)
Hyper-V - WMI (TCP-Out)
Hyper-V (MIG-TCP-In)
Hyper-V (MIG-TCP-In)
Hyper-V (MIG-TCP-In)
Hyper-V (REMOTE_DESKTOP_TCP_IN)
Hyper-V (RPC)
Hyper-V (RPC-EPMAP)
Hyper-V Management Clients - WMI (Async-In)
Hyper-V Management Clients - WMI (DCOM-In)
Hyper-V Management Clients - WMI (TCP-In)
Hyper-V Management Clients - WMI (TCP-Out)
Groups
Account Name
NT VIRTUAL MACHINE\Virtual Machines
NT SERVICE\vmms
NT VIRTUAL MACHINE\824D8AA7-1875-4A2D-9DC4-3C405B2527B1
Account Privileges
Account
NT VIRTUAL MACHINE\Virtual Machines
Role Dependency
Dependency
None
Account Startup Mode
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\SYSTEM Auto
NT AUTHORITY\SYSTEM Auto
Startup Mode
System
Demand
Demand
Demand
Demand
D:\Windows\system32\svchost -k virtsvcs
D:\Windows\system32\vmms.exe
vmwpctrl D:\Windows\System32\vmwpctrl.dll
ICTimeSyncVdevDevice D:\Windows\System32\vmictimesync.dll
ICKvpExchangeVdevDevice D:\Windows\System32\vmickvpexchange.dll
SynthNic D:\Windows\System32\synthnic.dll
ICVssVdevDevice D:\Windows\System32\vmicvss.dll
SynthNicPoolResolver D:\Windows\System32\synthnic.dll
ICHeartbeatVdevDevice D:\Windows\System32\vmicheartbeat.dll
ICShutdownVdevDevice D:\Windows\System32\vmicshutdown.dll
Microsoft Hyper-V Network Switch Notify Object D:\Windows\system32\vmsntfy.dll
SynthStorPoolResolver D:\Windows\System32\synthstor.dll
VmbusVdev D:\Windows\System32\vmbusvdev.dll
SynthStor D:\Windows\System32\synthstor.dll
PSFactoryBuffer D:\Windows\System32\vmprox.dll
AppID
{BD168A68-48E8-4AE5-BF4B-CC4F495A0D0F}
{BD168A68-48E8-4AE5-BF4B-CC4F495A0D0F}
{BD168A68-48E8-4AE5-BF4B-CC4F495A0D0F}
{BD168A68-48E8-4AE5-BF4B-CC4F495A0D0F}
{082679C7-6310-4457-ABD6-B8303749E581}
State Process
Listen vmms.exe (PID 2316)
Listen vmms.exe (PID 2316)
Unknown vmms.exe (PID 2316)
1 0
1 0
1 0
1 0
0 0
1 0
1 0
1 0
1 0
1 0
Direction Protocol
In TCP
In TCP
In TCP
Out TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
In TCP
Out TCP
SID Privileges
S-1-5-83-0
S-1-5-80-372862235-2032486189-3501277350-209496046-1642810407
Privileges
SeCreateSymbolicLinkPrivilege
Description
Process Flags
(Linker Version: 9.0.-1) (ASLR)
DACL
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
Everyone AccessAllowed
NT AUTHORITY\ANONYMOUS LOGON AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed
NT AUTHORITY\NETWORK AccessDenied
BUILTIN\Server Operators AccessAllowed
BUILTIN\Administrators AccessAllowed
NT AUTHORITY\SYSTEM AccessAllowed