Fixing the aftermath of an RPC vulnerability attack: re-enabling the RPC service

  

The server often reported that a host was attacking it through an RPC vulnerability, so to keep the server secure I disabled the RPC service. The attacks stopped, but new problems appeared. Many system services that rely on the RPC service, such as Messenger and the Windows Installer service, no longer worked properly. The main symptoms were: Windows took a long time to start; windows were not shown in the status bar after being minimized; copy and paste did not work; second-level pages could not be opened; the property page of the RPC service could not be found; and so on. I wanted to re-enable the RPC service, and it took a lot of trouble.

The way I disabled it was to open "Administrative Tools → Services → Remote Procedure Call → Properties". The default startup type is "Automatic", but that option is grayed out (unavailable), so I clicked the "Log On" tab, disabled the service for the hardware profile, and restarted the system.

I checked a lot of material on the Internet and found three ways to re-enable it:

Method 1: Modify the registry

Run the Registry Editor, open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs branch, and change the value of the Start entry from "4" to "2", which sets the startup type to automatic. Then restart the system.

Method 2: Use the "SC" command

Open a "Command Prompt" window and type the command "sc config RpcSs start= auto". The system displays "[SC] ChangeServiceConfig SUCCESS", which means the RPC service has been enabled.

Method 3: Using the Recovery Console

Taking Windows 2003 as an example: boot from the installation CD, and when the system reaches the Windows 2003 setup screen, press the "R" key to enter the Recovery Console. In the Recovery Console, type the "enable RpcSs service_auto_start" command, then type the "exit" command to restart the system. Log in normally and the RPC service should be enabled.

I tried all of the above methods without success. It seemed I would have to solve it myself. I thought some key values in the registry had to be changed before the service could be enabled.

I tried restoring the registry backup made before disabling over the disabled registry, but a prompt said it could not be imported. That did not work either, and the service still could not be enabled.

I converted the contents of the two registries, from before and after disabling (only the HKEY_LOCAL_MACHINE\SYSTEM branch), into Word documents and then used the "Compare and Merge Documents" function in Word to find the differences between them automatically. After analyzing the result, I found that the disabled registry contains the following branches:

1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_RPCSS

2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_RPCSS

These two branches do not exist in the registry from before disabling. Through further testing, I found that the RPC service can be restarted by deleting the first branch.
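The before/after comparison described above can also be done with a short script instead of Word. This is an added example, not the author's own code: it parses two `.reg` exports and lists keys that were added or removed and values that changed. The two sample exports are constructed from the branches named in this article.

```python
import re

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # hex data continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:                            # "name"=data, or @=data for the default value
                current[m.group(1).strip('"')] = m.group(2)
    return keys

def diff_reg(before, after):
    """Return (added_keys, removed_keys, changed_values) between two parsed exports."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    changed = sorted(
        (k, name, before[k].get(name), after[k].get(name))
        for k in after if k in before
        for name in set(before[k]) | set(after[k])
        if before[k].get(name) != after[k].get(name))
    return added, removed, changed

# Constructed sample exports. Real regedit exports are UTF-16 files:
# read them with open(path, encoding="utf-16").read() before parsing.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Start"=dword:00000002
'''
AFTER = BEFORE + r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\0001\System\CurrentControlSet\Enum\ROOT\LEGACY_RPCSS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HardwareProfiles\Current\System\CurrentControlSet\Enum\ROOT\LEGACY_RPCSS]
'''

if __name__ == "__main__":
    added, removed, changed = diff_reg(parse_reg(BEFORE), parse_reg(AFTER))
    for key in added:
        print("added key:  ", key)
    for key in removed:
        print("removed key:", key)
    for key, name, old, new in changed:
        print(f"changed:     {key} {name}: {old} -> {new}")
```

On the sample data the script reports the two LEGACY_RPCSS branches as added and no change to the "Start" value, matching the finding above.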

The three methods above only apply when the RPC service's startup type has been changed to Disabled. I did not turn off the RPC service by changing its startup type; instead I disabled it for the associated hardware profile. The value of the "Start" entry was still "2", unchanged. Therefore, the service must be re-enabled for the hardware profile before the RPC service can be enabled.
