Bobcares

Testing RPC ports with PowerShell

by | Jan 1, 2021

Need help in testing RPC ports with PowerShell? We can help you.

As part of our Server Management Services, we assist our customers with several RPC queries.

Today, we will identify RPC ports in use by capturing content from Dos commands like PortQRY.exe

 

Testing RPC ports with PowerShell

RPC communication is one of the tougher firewall problems. With RPC, we will get a range of ports from 49152 to 65535.

In general, there are default rules on firewalls, WAN accelerators, and the various devices that traffic hops through to get to its destination. Hence, they do not always work as we plan.

For example, RPC works like the concierge desk at a hotel. We walk up, ask the desk for information about services at the hotel. In this scenario, the person at the desk is RPC Endpoint Mapper on port 135. They direct us to the services that are listening on the ephemeral ports.

In order for RPC to work at the remote server, these checks must pass:

  1. The display name “Remote Procedure Call (RPC)” must be running. This also has the service name of “RpcSs” and its path to execute is “C:\Windows\system32\svchost.exe -k rpcss
  2. Allow inbound port TCP-135 (in Windows firewall, endpoint firewall, and network firewalls)
  3. Outbound random ports ranging from 1022-5000 and 49152-65535 must also be permitted
  4. Inbound port TCP-445 for SMB (RPC dependency) must be open.

[Confused with the checklist? We are available 24*7]

 

Getting the ports

We can troubleshoot this type of network connectivity using SysInternals PortQry.exe utility, which can be downloaded from the Microsoft website.

To begin, run the following command to query the RPC Port Mapper on the remote machine. It will return the ports in the ephemeral range that the machine is actively listening on for RPC services:

Portqry.exe -n 169.254.0.10 -e 135

Querying target system called:
169.254.0.10
Attempting to resolve IP address to a name…
IP address resolved to DC1.contoso.com
querying…
TCP port 135 (epmap service): LISTENING
Using ephemeral source port
Querying Endpoint Mapper Database…
Server’s response:
UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d
ncacn_ip_tcp:169.254.0.10[49664]
UUID: 50abc2a4-574d-40b3-9d66-ee4fd5fba076
ncacn_ip_tcp:169.254.0.10[64555]
UUID: 897e2e5f-93f3-4376-9c9c-fd2277495c27 Frs2 Service
ncacn_ip_tcp:169.254.0.10[64528]
UUID: 367abb81-9844-35f1-ad32-98f038001003
ncacn_ip_tcp:169.254.0.10[64502]
UUID: c9ac6db5-82b7-4e55-ae8a-e464ed7b4277 Impl friendly name
ncacn_ip_tcp:169.254.0.10[49668]
UUID: 12345778-1234-abcd-ef00-0123456789ac
ncacn_ip_tcp:192.168.0.242[49668]

To check the ephemeral ports on which the server is listening, we look for any lines that have “ip_tcp” in them. The ports are in brackets at the end of the line.

This is where we will get a focused list of listening ports from the RPC server to query and validate connectivity. In the example above, ports 49664, 64555, 64502, and 49668 are listening. Note that 49668 is on the list twice.

Once we have the full list put together, we can feed the list of ports back into PORTQRY.EXE to validate that they are reachable over the network.

Furthermore, to check the ports, we execute the below script in PowerShell:

# This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.
# THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR
# FITNESS FOR A PARTICULAR PURPOSE.
#
#
# Script queries port 135 to get the listening ephemeral ports from the remote server
# and verifies that they are reachable.
#
#
# Usage: RPCCheck -Server YourServerNameHere
#
#
# Note: The script relies on portqry.exe (from Sysinternals) to get port 135 output.
# The path to portqry.exe will need to be modified to reflect your location
#
Param(
[string]$Server
)
# WORKFLOW QUERIES THE PASSED ARRAY OF PORTS TO DETERMINE STATUS
workflow Check-Port {
param ([string[]]$RPCServer,[array]$arrRPCPorts)
$comp = hostname

ForEach -parallel ($RPCPort in $arrRPCPorts)
{
$bolResult = InlineScript{Test-NetConnection -ComputerName $Using:RPCServer -port $Using:RPCPort _
-InformationLevel Quiet}
If ($bolResult)
{
Write-Output “$RPCPort on $RPCServer is reachable”
}
Else
{
Write-Output “$RPCPort on $RPCServer is unreachable”
}
}
}
# INITIAL RPC PORT
$strRPCPort = “135”
# MODIFY PATH TO THE PORTQRY BINARY IF NECESSARY
$strPortQryPath = “C:\Sysinternals”
# TEST THE PATH TO SEE IF THE BINARY EXISTS
If (Test-Path “$strPortQryPath\PortQry.exe”)
{
$strPortQryCmd = “$strPortQryPath\PortQry.exe -e $strRPCPort -n $Server”
}
Else
{
Write-Output “Could not locate Portqry.exe at the path $strPortQryPath”
Exit
}
# CREATE AN EMPTY ARRAY TO HOLD THE PORTS RETURNED FROM THE RPC PORTMAPPER
$arrPorts = @()
# RUN THE PORTQRY COMMAND TO GET THE EPHEMERAL PORTS
$arrQuryResult = Invoke-Expression $strPortQryCmd
# CREATE AN ARRAY OF THE PORTS
ForEach ($strResult in $arrQuryResult)
{
If ($strResult.Contains(“ip_tcp”))
{
$arrSplt = $strResult.Split(“[“)
$strPort = $arrSplt[1]
$strPort = $strPort.Replace(“]”,””)
$arrPorts += $strPort
}
}
# DE-DUPLICATE THE PORTS
$arrPorts = $arrPorts | Sort-Object |Select-Object -Unique
# EXECUTE THE WORKFLOW TO CHECK THE PORTS
Check-Port -RPCServer $Server -arrRPCPorts $arrPorts

The output will look similar to:

Testing RPC Dynamic Ports on SERVER01.KIMCONNECT.COM:
—————————————————-
5722: reachable
49159: reachable
49234: reachable
49155: reachable
49242: reachable
49240: reachable
49153: reachable
49154: reachable
49152: reachable

Make sure to install PortQry. PortQry.exe is a Free solution and we can download it from www.sysinternals.com

We will have to tell the script where the PortQry.exe binary is located by modifying the path on this line of the script: $strPortQryPath = “C:\Sysinternals”.

Finally, the script requires PowerShell v4 since it was written to use WorkFlow and Test-NetConnection, which requires PowerShell v3 & PowerShell v4 respectively.

[Stuck with RPC ports? We are here for you!]

 

Conclusion

In short, testing RPC ports with PowerShell do not always work as planned. Today, we got an idea of how our Support Techs go about pinging available RPC ports with PowerShell and Sysinternals tools.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

2 Comments

  1. Christian Schorr

    Thank you very much for this short summary and the script. A simple and yet very efficient method.

    TOP! Merci!

    Reply
    • Krishna Priya

      Hello Christian,
      Thank you for your feedback! We are delighted to hear that our article was helpful to you.

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.