Hello,
using the pipelist tool
(http://www.sysinternals.com/ntw2k/info/tips.shtml), it is possible to
list the root of the named pipes file system.
However, it seems that some well-known named pipes (among the ones that
serve as RPC endpoints for DCE/RPC over SMB) do not appear in this list.
The following named pipes seem to be equivalent:
\pipe\lsass, \pipe\lsarpc, \pipe\samr, \pipe\netlogon
\pipe\ntsvcs, \pipe\eventlog, \pipe\srvsvc, \pipe\svcctl, \pipe\wkssvc
One supposition is that these multiple names are implemented via
symbolic links in the object namespace.
Do you have any idea how to verify this? Or is it something well-known?
Thanks for your help,
Jean-Baptiste Marchand
xxxxx@hsc.fr
Hervé Schauer Consultants
http://www.hsc.fr/
[replying to myself]
* Jean-Baptiste Marchand [10/04/03 - 11:32]:
> However, it seems that some well-known named pipes (among the ones that
> serve as RPC endpoints for DCE/RPC over SMB) do not appear in this list.
>
> The following named pipes seem to be equivalent:
> \pipe\lsass, \pipe\lsarpc, \pipe\samr, \pipe\netlogon
> \pipe\ntsvcs, \pipe\eventlog, \pipe\srvsvc, \pipe\svcctl, \pipe\wkssvc
Using kd, it appears that the npfs driver handles named pipe aliases,
more precisely, only for named pipes that are used as endpoints for
DCE/RPC over SMB.
Details:

1) Windows NT:

   \pipe\lsass aliases:
      \pipe\netlogon
      \pipe\lsarpc
      \pipe\samr

   \pipe\ntsvcs aliases:
      \pipe\srvsvc
      \pipe\wkssvc
      \pipe\eventlog
      \pipe\browse
      \pipe\msgsvc
      \pipe\svcctl

2) Windows 2000:

   same aliases as Windows NT, except \pipe\w32time, which is a new alias
   for \pipe\lsass

3) Windows XP:

   \pipe\lsass aliases:
      \pipe\protected_storage
      \pipe\netlogon
      \pipe\lsarpc
      \pipe\samr

   \pipe\ntsvcs aliases:
      \pipe\eventlog
      \pipe\svcctl

Note that on Windows XP, some named pipes that were previously
implemented as aliases (\pipe\srvsvc, \pipe\wkssvc, \pipe\svcctl) are
implemented as real named pipes. This is why these pipes appear in the
output of the pipelist (http://www.sysinternals.com/ntw2k/info/tips.shtml)
command on Windows XP.
So, this finally explains why not all named pipes appear in the
output of pipelist.
Extract of a kd debugging session showing how npfs aliases are
implemented:
-------------------------------------------------------------------------------
kd> x Npfs!alias
fa1ebd28 Npfs!NpAliases
fa1ebd10 Npfs!NpAliasListByLength
fa1ebd24 Npfs!NpAliasList
fa1ebd80 Npfs!NpTranslateAlias
fa1f0e76 Npfs!NpInitializeAliases
fa1f0d00 Npfs!NpReadAlias
fa1ebe96 Npfs!NpUninitializeAliases
kd> bp Npfs!NpTranslateAlias
kd> g
Breakpoint 0 hit
Npfs!NpTranslateAlias:
fa1ebd80 55 push ebp
[…]
kd> kb
ChildEBP RetAddr Args to Child
f8c8d9f0 fa1ec45e 00c8da24 ffb89c18 809897e0 Npfs!NpTranslateAlias+0xb6
f8c8da50 fa1ec5aa 80976280 ffb89c08 809897e0 Npfs!NpCommonCreate+0xde
f8c8da60 804ec04f 80976280 ffb89c08 ffb89c08 Npfs!NpFsdCreate+0x14
f8c8da70 80574663 80976268 ffb624bc f8c8dc18 nt!IopfCallDriver+0x31
f8c8db54 8057069c 80976280 00000000 ffb62418 nt!IopParseDevice+0xa17
f8c8dbd8 80572d6b 00000000 f8c8dc18 00000040 nt!ObpLookupObjectName+0x56a
f8c8dc2c 80574a10 00000000 00000000 f8c8dd01 nt!ObOpenObjectByName+0xe9
f8c8dca8 80574ac1 0006f72c c0100080 0006f6cc nt!IopCreateFile+0x407
f8c8dcf0 80578f0d 0006f72c c0100080 0006f6cc nt!IoCreateFile+0x36
f8c8dd30 804d4e91 0006f72c c0100080 0006f6cc nt!NtCreateFile+0x2e
f8c8dd30 7ffe0304 0006f72c c0100080 0006f6cc nt!KiSystemService+0xc4
0006f724 77ce4681 00000000 c0000000 00000003 SharedUserData!SystemCallStub+0x4
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006f724 77ce4681 00000000 c0000000 00000003 0x77ce4681
0006f790 77ce40d9 000859d8 00084f50 40160000 0x77ce4681
0006f7f4 77ce3fc6 00085110 00084f50 00085100 0x77ce40d9
0006f840 77ce3534 00085110 000dbba0 00000000 0x77ce3fc6
0006f884 77ce3487 00000000 0006f968 00085110 0x77ce3534
0006f8e0 77cc9099 0006f908 0006f968 0006f90c 0x77ce3487
0006f924 77cc276e 0006f968 00000000 77cc2843 0x77cc9099
0006fd0c 71c5810f 71c2bd28 71c2cfe2 0006fd24 0x77cc276e
kd> dS edi
e1624960 "\srvsvc"
kd> db eax-48 L98
809d7f68 5c 00 4c 00 53 00 41 00-53 00 53 00 00 00 5c 00 \.L.S.A.S.S...\.
809d7f78 50 00 52 00 4f 00 54 00-45 00 43 00 54 00 45 00 P.R.O.T.E.C.T.E.
809d7f88 44 00 5f 00 53 00 54 00-4f 00 52 00 41 00 47 00 D._.S.T.O.R.A.G.
809d7f98 45 00 00 00 5c 00 4e 00-45 00 54 00 4c 00 4f 00 E...\.N.E.T.L.O.
809d7fa8 47 00 4f 00 4e 00 00 00-5c 00 4c 00 53 00 41 00 G.O.N...\.L.S.A.
809d7fb8 52 00 50 00 43 00 00 00-5c 00 53 00 41 00 4d 00 R.P.C...\.S.A.M.
809d7fc8 52 00 00 00 5c 00 4e 00-54 00 53 00 56 00 43 00 R...\.N.T.S.V.C.
809d7fd8 53 00 00 00 5c 00 45 00-56 00 45 00 4e 00 54 00 S...\.E.V.E.N.T.
809d7fe8 4c 00 4f 00 47 00 00 00-5c 00 53 00 56 00 43 00 L.O.G...\.S.V.C.
809d7ff8 43 00 54 00 4c 00 00 00 C.T.L...
-------------------------------------------------------------------------------
Jean-Baptiste Marchand
--
xxxxx@hsc.fr
Hervé Schauer Consultants
http://www.hsc.fr/
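
The following is an added example, not part of the original post: a small Python decoder for the `db` dump in the kd session above, which reassembles the hex columns and extracts the NUL-terminated UTF-16LE names stored in the npfs alias data. The function names `parse_db` and `wide_strings` are illustrative; the dump bytes are copied from the session.

```python
import re
DUMP = """\
809d7f68 5c 00 4c 00 53 00 41 00-53 00 53 00 00 00 5c 00
809d7f78 50 00 52 00 4f 00 54 00-45 00 43 00 54 00 45 00
809d7f88 44 00 5f 00 53 00 54 00-4f 00 52 00 41 00 47 00
809d7f98 45 00 00 00 5c 00 4e 00-45 00 54 00 4c 00 4f 00
809d7fa8 47 00 4f 00 4e 00 00 00-5c 00 4c 00 53 00 41 00
809d7fb8 52 00 50 00 43 00 00 00-5c 00 53 00 41 00 4d 00
809d7fc8 52 00 00 00 5c 00 4e 00-54 00 53 00 56 00 43 00
809d7fd8 53 00 00 00 5c 00 45 00-56 00 45 00 4e 00 54 00
809d7fe8 4c 00 4f 00 47 00 00 00-5c 00 53 00 56 00 43 00
809d7ff8 43 00 54 00 4c 00 00 00
"""  # kd `db` rows from the session above (address and hex columns only)

def parse_db(dump):
    """Return (base_address, bytes) from kd `db` rows; rows must be contiguous."""
    base, data = None, bytearray()
    for line in dump.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]{8}", parts[0]):
            continue  # prompts, separators, blank lines
        row = bytearray()
        for tok in parts[1].replace("-", " ").split():
            if len(row) == 16 or not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break  # reached the ASCII column
            row.append(int(tok, 16))
        if not row:
            continue  # an address followed by something other than bytes
        addr = int(parts[0], 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"gap in dump at {addr:08x}")
        data += row
    return base, bytes(data)

def wide_strings(base, data):
    """Return [(address, text)] for each NUL-terminated UTF-16LE string."""
    out, start = [], 0
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            if i > start:
                out.append((base + start, data[start:i].decode("utf-16-le")))
            start = i + 2
    return out  # bytes after the last terminator are ignored

if __name__ == "__main__":
    for addr, name in wide_strings(*parse_db(DUMP)):
        print(f"{addr:08x}  {name}")
```

The decoded names match the Windows XP list given in the message: the two target pipes and their aliases, in the order they are stored.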
[again, replying to myself]
* Jean-Baptiste Marchand [12/04/03 - 01:07]:
> Using kd, it appears that the npfs driver handles named pipe aliases,
> more precisely, only for named pipes that are used as endpoints for
> DCE/RPC over SMB.
It is probably more convenient to look at the Aliases\ registry key,
under the npfs driver registry key:
HKLM\SYSTEM\CCS\Services\Npfs\Aliases
So, finally, there is no need to use kd to determine named pipe aliases.
Jean-Baptiste Marchand
--
xxxxx@hsc.fr
Hervé Schauer Consultants
http://www.hsc.fr/